HE/MPC-Based Scheme for Secure Computing LCM/GCD and Its Application to Federated Learning

Abstract

Federated learning promotes the development of cross-domain intelligent applications under the premise of protecting data privacy, but there are still problems of sensitive parameter information leakage of multi-party data temporal alignment and resource scheduling process, and traditional symmetric encryption schemes suffer from low efficiency and poor security. To this end, in this paper, based on the modified NTRU-type multi-key fully homomorphic encryption scheme, an asymmetric algorithm, a secure computation scheme of multi-party least common multiple and greatest common divisor without full set under the semi-honest model is proposed. Participants strictly follow the established process. Nevertheless, considering that malicious participants may engage in poisoning attacks such as tampering with or uploading incorrect data to disrupt the protocol process and cause incorrect results, a scheme against malicious spoofing is further proposed, which resists malicious spoofing behaviors and not all malicious attacks, to verify the correctness of input parameters or data through hash functions and zero-knowledge proof, ensuring it can run safely and stably. Experimental results show that our semi-honest model scheme improves the efficiency by 39.5% and 45.6% compared to similar schemes under different parameter conditions, and it is able to efficiently process small and medium-sized data in real time under high bandwidth; although there is an average time increase of 1.39 s, the anti-malicious spoofing scheme takes into account both security and efficiency, achieving the design expectations.

1. Introduction

In recent years, breakthroughs in machine learning (ML) [1] technology have driven intelligent transformations in areas such as healthcare [2], finance [3], and internet of things [4]. However, the traditional centralized training model, which relies on data aggregation, faces increasing privacy breaches and compliance risks, raising significant concerns about data privacy and security in the industry. In the field of information science, the need to protect sensitive data while enabling collaborative analysis has become a central challenge. Federated learning (FL) [5,6], as a distributed machine learning paradigm, has become a mainstream solution for privacy-sensitive scenarios by enabling multiple participants to jointly train global models without sharing local data through the collaborative mechanism of “data stay local, model move”.

Temporal alignment of multi-party data and resource scheduling of heterogeneous devices are two crucial issues in practical applications of federated learning. Mathematically speaking, the timing alignment of multi-party data can be cleverly transformed into the problem of computing the least common multiple (LCM). The data acquisition time windows of different participants often differ. In order to achieve global synchronization, effective integration, and analysis of data from all participants on a uniform time scale, as well as accurate alignment, it is needed to find a suitable time interval that is divisible by the data acquisition periods of all participants, which is precisely LCM of the data acquisition periods. On the other hand, resource scheduling for heterogeneous devices can be analogized to the problem of computing the greatest common divisor (GCD). Different devices show obvious heterogeneity due to the differences in hardware configuration, computation capability, storage capacity, etc. When performing resource scheduling, a reasonable strategy needs to be found so that each device can allocate resources within a reasonable range to achieve stable and optimized overall system performance. This is like finding a maximum common resource allocation unit that can maximize the resource demand of each device without causing waste or imbalance of resources, which is actually the GCD of the resource demand of each device.

Currently, some federated learning scenarios use timestamp synchronization for temporal alignment, where the participating parties synchronize their local clocks via network time protocol to ensure the consistency of data timestamps [7]. There are also approaches based on fixed time window, where a uniform time window is set and all parties collect and process data within that window. However, timestamp synchronization relies on network time sources, and network latency and clock drift can affect synchronization accuracy. The fixed time window approach lacks flexibility and can lead to data loss or redundancy if the window is not set appropriately. In addition, if information such as timestamps is improperly transmitted or stored during the synchronization process, it may disclose the time pattern of data generation, indirectly leading to privacy leakage. Although methods based on exchangeable encryption and homomorphic encryption can effectively protect data privacy, the following challenges still exist:

(1) Computational efficiency issues. The encryption and decryption processes of traditional methods incur large computational overheads, which reduces the efficiency of data temporal alignment. For example, in the ALIGN framework proposed by Gao et al. [8], the steps of encryption, blinding, and intersection require a large amount of computational resources, which may affect the overall performance of federated learning.

(2) Risk of semi-trusted third party. Methods based on a semi-trusted third party rely on trustworthiness. If the third party is attacked or untrustworthy, then data privacy may be at risk. In addition, the presence of third party may introduce new security vulnerabilities, e.g., the third party may leak data or be exploited by an attacker to gain access to data [9].

(3) Security problem. There exists a class of scenarios for federated learning where a malicious client tampers with the local training cycle through poisoning attacks in order to disrupt global model training, aggregation, and optimization. In addition, symmetric encryption algorithms use the same key for encryption and decryption. Once the key is leaked, there is a serious risk to data privacy. Moreover, its security depends on the key length. If it is not set properly, it is easy to be cracked by brute force.

Aiming at the above problems, we introduce secure multi-party computation (MPC) [10] to optimize encryption technique and a multi-party privacy collaboration scheme of LCM and GCD for FL, which improves data security and computational efficiency by reducing computational complexity and communication overhead. Our main contributions are as follows:

(1) Assuming that all participants involved execute protocol in accordance with the established process, although they may attempt to infer additional information from the information obtained through the exchange, they will not disrupt the normal operation of the agreement. Thus, based on modified NTRU-type multi-key fully homomorphic encryption (M-MKFHE) scheme [11], this paper designs secure computation protocols of multi-party LCM/GCD under the semi-honest models (lightweight, with a focus on efficiency) and proves their security by a simulation paradigm [12].

(2) Considering that clients may suffer from poisoning attacks [13,14] in real applications, i.e., some malicious clients influence the training and aggregation of global models by tampering uploaded local model parameters and provide incorrect ciphertext or use false secret key for the semi-honest protocol. For specific malicious spoofing behaviors (not all malicious attacks), combining the zero-knowledge proof (ZKP) [15,16] system and the hash function, this paper designs secure computation protocols of multi-party LCM/GCD against malicious spoofing (focus on improving safety while ensuring a certain level of efficiency) and proves their security by real/ideal model paradigm [12].

(3) To systematically evaluate the performance advantages and practical applicability of our scheme, this paper designs and implements a series of comparative experiments. Specifically, by introducing multi-dimensional experimental parameters and conducting multiple sets of control experiments, we conduct a quantitative analysis of our scheme’s execution time in a controlled experimental environment. The experiments focus on examining delay time during model training, verifying its feasibility and adaptability in actual deployment.

The paper is organized as follows: Section 2 presents the current status of research and related work; Section 3 introduces preliminary knowledge, including modified NTRU-type multi-key fully homomorphic encryption scheme, zero-knowledge proof, and other cryptography-related knowledge; Section 4 proposes the semi-honest model protocol and proves its security through a simulation paradigm; Section 5 researches and analyzes the semi-honest model protocol, designs the protocols against malicious spoofing, and proves its security through real/ideal model paradigm; Section 6 performs systematic testing of this paper’s protocols; Section 7 provides a theoretical evaluation of our scheme in terms of complexity and discusses and analyzes the experimental results; Section 8 contains a conclusion and future work.

2. Related Work

2.1. Secure Multi-Party Computation Protocol

The concept of MPC was first proposed by Prof. Yao, highlighting how multiple untrusted participants can collaborate in computation under the premise that private information will not be disclosed. After decades of development, the problems that can be solved by secure multi-party computation have been further expanded, including secure scientific computation [17,18,19], secure statistical analysis [20,21,22], secure geometric computation [23,24], and so on.

This paper transforms the computation of LCM and GCD for multi-source data into solutions for maximum and minimum value, respectively. Zhang et al. [25] aimed to collect data sensed by different users’ cell phones and calculate the minimum value of that data while ensuring its security. However, there is an obvious drawback in this scheme: it requires a trusted third party (TTP) [26] to generate the user secret key, which makes it ineffective against collusion between the user and the third party. Dou et al. [27] proposed a secure computation scheme for the minimax problem based on the ElGamal encryption algorithm, but the process design flaws led to higher communication complexity. Li et al. [28] constructed a secure computation protocol of minimum value suitable for cloud environment by utilizing the 0–1 encoding principle and a multi-key NTRU fully homomorphic encryption scheme [29], which can securely compute the maximum value through changing encoding method and the arrangement order of the full set. Based on the Paillier cryptosystem, Yang et al. [30] designed a protocol that calculates the maximum and minimum values of a set of secure data at one time. However, the protocol does not use joint decryption, which makes it difficult to resist the risk of collusion attacks by the decryption key holders, resulting in security concerns. Li et al. [31] proposed a protocol which is able to compute the maximum and minimum values simultaneously under the malicious model, which is more secure. However, since the protocol is constructed based on the Lifted ElGamal threshold encryption algorithm [32], it leads to an overall low efficiency. Based on the threshold NTRU encryption algorithm, combined with vector coding and ciphertext re-randomization techniques, Li et al. [33] proposed a secure multi-party computation protocol under the semi-honest model, which achieves simultaneous computation of the maximum, minimum, and difference of multi-party datasets, but it lacks considerations for active attacks by malicious participants. Lu et al. [34] proposed a novel quantum secure multi-party extremum protocol based on a d-dimensional quantum system. The coding method of the system adopts a random coding mechanism that allows quantum states to switch between computational basis and Fourier basis and significantly improves the security through randomly decoy quantum bit and the one-time pad technique, which enables the protocol to compute the maximum and minimum values under unconditional security and supports the direct computation of extremum sum and difference without disclosing specific values to adapt to complex application scenarios. However, the protocol relies on a semi-honest third party (TP) for initialization and computation which may become a security vulnerability if TP is attacked or not fully trusted. Najarkolaei et al. [35] broke through the complexity bottleneck of traditional secure comparison protocols by encoding private inputs into partition vectors and zero-coded vectors, transforming numerical comparison into vector operation, and proposed an n-party comparison scheme under unconditional security based on Shamir secret sharing, which achieves information-theoretical security and supports secure computation of non-polynomial functions such as maximum and minimum values. Nevertheless, its security relies on semi-honest assumptions and threshold conditions and does not consider the defense mechanism against malicious nodes. Park [36] proposed an unconditionally secure privacy-preserving maximum/minimum computation protocol for large-scale dataset processing by bit-by-bit parallel computation (processing from highest to lowest bit) utilizing Shamir secret sharing technique. Observation of experimental results reveals that as the number of participants increases, communication overhead is higher and computational cost is elevated. Li et al. [37] transformed the data into quantum states at the encoding stage and utilized quantum one-time pad (QOTP) encryption combined with a simplified Toffoli gate homomorphic evaluation circuit to propose a secure multi-party maximum/minimum computation protocol based on quantum homomorphic encryption, which allows participants to delegate servers to compute encrypted data. However, the key generation and result publication rely on specific participants, which may leak all the keys or forge the results if they are malicious or compromised, which becomes a security weakness.

Currently, a small number of MPC protocols exist for directly solving the datasets LCM and GCD. Liu [38] designed secure computation protocols for multi-party LCM and GCD using the NTRU multi-key fully homomorphic encryption algorithm, limited by the full-set restriction, which obviously does not match the practical applications and cannot resist malicious adversary attacks. Yang et al. [39], by using the private substitution method based on probabilistic encryption scheme, further gave secure computation protocol for LCM through the idea of secure computation maximization with the help of threshold decryption cryptosystem. As the participants in the protocol need to perform the private substitution process sequentially, there may be malicious data tampering behavior, and the “wheel-type” execution process obviously leads to inefficiency. Liu et al. [40] improved the Shor’s period-finding algorithm by extending the Knill method, transformed the multi-party set union problem into LCM computation problem, and proposed an efficient quantum multi-party private set union protocol. But it is limited to applications in large-scale data. Li et al. [41] proposed a novel quantum secure multi-party LCM protocol that verifies the legitimacy of participants’ inputs directly through random linear combinations and quantum zero-knowledge proof for non-zero multiple (NZMZKP) without first computing LCM, which solves the problem of information leakage and high resource consumption due to computing LCM in a traditional scheme, but it relies on a semi-honest TP for generating and distributing quantum states and verification results, which has security vulnerabilities.

2.2. Federated Learning Scheme Based on Secure Multi-Party Computation

Currently, many scholars indeed combine MPC with secure federated learning (SFL).

Fan et al. [42] proposed a novel SFL system called ByzSFL which is based on homomorphic encryption (HE) (Paillier cryptosystem/Cheon–Kim–Kim–Song (CKKS) scheme) combined with a zk-SNARKs and adopts a dual-server architecture: a computing server (which only processes ciphertext aggregation and has no decryption key) and an encryption server (which holds the decryption key, generates gradients, and updates the model). It aims to solve the problem of traditional SFL relying on homomorphic encryption for protection, but complex encryption operations cannot support advanced Byzantine fault tolerance mechanisms.

Kokaj et al. [43] proposed a solution to the backdoor attack problem in split learning based on the CKKS scheme using a two-stage defense: (1) two-end ZKP verification of computational integrity and (2) discrete cosine transform (DCT) detection of parameter anomalies and rollback mechanism.

Zhang et al. [44] proposed a novel functional encryption (FE) scheme—PIM-MCFE based on learning with error (LWE) assumption and introducing a split decryption mechanism. They further combined plaintext packaging techniques (gradient quantization and batch encryption) to protect intermediate models in FL.

Tian et al. [45] proposed a lattice-based distributed threshold additive homomorphic encryption (DTAHE) based on a BFV encryption algorithm and Shamir secret sharing (SS) combined with a noise sharing mechanism. To defend against active adversary attacks, they introduced smart contract and certificate authorities, which greatly improved security.

For a summary of above schemes, please see Appendix A.1,

Table A1. MPC-for-FL scheme.

Reference	Description	Encryption Scheme	Asymptotic Cost
Fan et al. [42]	An SFL systyem based on HE and combined with zk-SNARKs	Paillier cryptosystem	$O(\alpha ·\left(n+k^2\right))$
		CKKS scheme	$O(\alpha ·N\log N·(\mathcal{L}+n\left)\right)$
Kokaj et al. [43]	A scheme based on CKKS scheme and combined with ZKP	CKKS scheme	$O(d·N\log N·\mathcal{L}+G$ $+\alpha \log \alpha )$
Zhang et al. [44]	A novel FE scheme based on LWE and applied to protect intermediate models in FL	PIM-MCFE scheme based on LWE	$O(n^2+n\lambda +{\lambda }^2/\mathcal{B})$
Tian et al. [45]	A lattice-based DTAHE based on BFV encryption algorithm and Shamir SS, applied to secure aggregation in FL	BFV encryption algorithm	$O(N{n}^2+n\beta N\log N)$ (Basic protocol)
			$O(n+N{n}^2+n\beta N\log N)$ (Enhanced protocol)

. The specific definitions of notations used in this section and the following sections can be found in Appendix A.2,

Table A2. Notation and definition.

Notation	Definition
$\alpha$	The number of model parameters
$\lambda$	Security parameter
$b$	Length in binary
$d$	Data dimension
$k$	Key length
$l$	Potential of full set
$m$	Assignment ranges agreed upon by participants
$n$	Number of participants
$s$	Number of primes in the expansion of the fundamental theorem of arithmetic
$\mathcal{B}$	Packaging size
$\mathcal{L}$	Multiplication depth
$G$	The number of circuit constraints
$K$	Security threshold
$N$	Polynomial degree

.

Compared with the schemes listed in Table A1, our scheme has three significant advantages: First, it does not rely on external servers, thereby avoiding security vulnerabilities that may arise from third party intervention, and it strictly adheres to the core design concept of MPC. Second, at the encryption algorithm level, the scheme adopts a modified NTRU-type multi-key fully homomorphic encryption scheme based on a prime cyclotomic polynomial ring. By expanding the dimension of ciphertext polynomial and integrating modulus-switching technology, it effectively simplifies the key-switch process during encrypted operations, significantly enhancing computational efficiency; Third, to address spoofing behavior by malicious participants, the Ligero ZKP system is introduced during the information verification phase. This system can be constructed based on any collision-resistant hash function and does not rely on a trusted setup, further optimizing the efficiency of the verification process.

3. Preliminary Knowledge

3.1. Modified NTRU-Type Multi-Key Fully Homomorphic Encryption

Che et al. [11] applied the prime cyclotomic polynomial ring to the previous NTRU-type multi-key fully homomorphic encryption (MKFHE) schemes and combined a modulus-switching technique, constructing a leveled NTRU-type MKFHE scheme without key-switching operations (M-MKFHE). The details are as follows.

Given security parameter $\lambda$, parameter $n=n\left(\lambda \right)$, and prime integer $p=p\left(\lambda \right)$, the prime cyclotomic polynomial ring $R=\mathbb{Z}\left(x\right)/x^{n-1}+x^{n-2}+\cdots +1$ and $R_q=R/qR$. The error distribution on $R$ is $\chi$ with an upper bound of $B=B\left(\lambda \right)$. Define a series of decreasing modulus $q_0>q_1>\cdots >q_L$ and let $B\le q_L,i\in \{\mathrm{0,1},\cdots ,L\},l_i=⌈\mathit{log}{q}_i⌉$.

$M-MKFHE.KeyGen(1^n,1^{\lambda })$: Pick $g^{\left(i\right)},f^{\prime \left(i\right)}\leftarrow \chi$; let $f^{\left(i\right)}=2f^{\prime \left(i\right)}+1$ such that $f^{\left(i\right)}\equiv 1\hspace{0.33em}\mathrm{m}\mathrm{o}\mathrm{d}\hspace{0.33em}2$ and $f^{\left(i\right)}$ invertible on $R_{q_i}$; if it is not reversible, then re-pick $f^{\prime \left(i\right)}\leftarrow \chi$. Let $h^{\left(i\right)}=2g^{\left(i\right)}{R}_{q_i}$, then $pk=h_0\in R_{q_0},sk=f_0\in R_{q_0}$; output $pk=h_0\in R_{q_0},sk=f_0\in R_{q_0}$.

$M-MKFHE.Enc\left(pk,m_0\right)$: Pick vectors $\tilde{s},\tilde{e}\leftarrow {\chi }^{l_0}$ and encrypt plaintext vector $\overline{m}=\left(m_0,2^{d+1}{m}_0,\cdots \right.,2^{l_0-1}{m}_0)$ by public key $pk$. Output cyphertext vector $\tilde{c}=h_0\tilde{s}+2\tilde{e}+\overline{m}\in R_{q_0}^{l_0}$.

$M-MKFHE.Dec(s{k}_1,s{k}_2,\cdots ,s{k}_N,{\tilde{c}}^{\left(i\right)})$: Pick the first term ${\tilde{c}}_1^{\left(i\right)}\in R_{q_i}$ of ciphertext vector ${\tilde{c}}^{\left(i\right)}\in R_{q_i}^{l_i}$ such that $u=\left({sk}_1{sk}_2{\cdots sk}_N\right)·{\tilde{c}}_1^{\left(i\right)}\in R_{q_i}$. Output $m^{\prime }=u mod 2$.

$M-MKFHE.Eval.Mult({\tilde{c}}_1^{\left(i\right)},{\tilde{c}}_2^{\left(i\right)})$: Given two ciphertext vectors ${\tilde{c}}_1^{\left(i\right)},{\tilde{c}}_2^{\left(i\right)}\in R_{q_i}^{l_i}$, the corresponding public key sets are $K_1$ and $K_2$. Let $K=K_1\cup K_2=\left\{p{k}_1,p{k}_2,\cdots ,p{k}_r\right\}\left(N\le r\le 2N\right)$ and compute ${\tilde{c}}_{mult}^{\left(i\right)}=BitD\left({\tilde{c}}_1^{\left(i\right)}\right)·{\tilde{c}}_2^{\left(i\right)}\in R_{q_i}^{l_i}$ and ${\widetilde{\stackrel{~}{c}}}_{mult}^{\left(i+1\right)}=\left(q_{i+1}/q_i\right)\cdot {\tilde{c}}_{mult}^{\left(i\right)}\left(mod\hspace{0.33em}2\right)\in R_{q_{i+1}}^{l_i}$. Output cyphertext vector ${\tilde{c}}_{mult}^{\left(i+1\right)}=DT(l_i,l_{i+1},{\widetilde{\stackrel{~}{c}}}_{mult}^{\left(i+1\right)})\in R_{q_{i+1}}^{l_{i+1}}$.

Decrypting homomorphic multiplication operations: ${\tilde{c}}_{mult}^{\left(i\right)}{F}_K^{\left(i\right)}=F_K\cdot Pof2\left(m_1·m_2\right)+{\tilde{e}}_{mult}$, where $F_K^{\left(i\right)}$ is the joint decryption secret key polynomial for any layer $i$ operation decryption and ${\tilde{e}}_{mult}$ is the noise vector generated by homomorphic multiplication operation. Take the first one to decrypt correctly.

Theorem 1. 

The M-MKFHE scheme is IND-CPA safe if the parameter $\left(\lambda ,n,\chi ,q\right)$ is chosen so that the difficulty assumption holds for ${DSPR}_{\varphi ,q,\chi }$ and ${RLWE}_{\varphi ,q,\chi }$ problems.

Proof of Theorem 1. 

The detailed proof process is described in Section 4.1 of Reference [11]. □

3.2. Definition of Security for Semi-Honest Model

The semi-honest model is a standard model in MPC, where participants abide by the protocol but retain all intermediate information from the execution and in doing so try to infer the private data of other participants.

Assuming that participants Mike and John securely compute function $f=(f_1,f_2):{\{0,1\}}^{\mathrm{*}}\times {\{0,1\}}^{\mathrm{*}}\to {\{0,1\}}^{\mathrm{*}}\times {\{0,1\}}^{\mathrm{*}}$, let $\pi$ represent the agreement between the two parties. On input $(x,y)$, executing agreement $\pi$ yields a sequence of information denoted as ${view}_i^{\pi }(x,y)=(x,r_i,e_i^1,\cdots ,e_i^t)$, where $i$ represents the $i$th participant, $r_i$ represents random number $r_i$ generated by participant, and $e_i^j$ represents the $j$th message received by participant $P_i$.

Definition 1. 

The security of a semi-honest model.

If there exist probabilistic polynomial time algorithms $S_1$ and $S_2$ such that ${\left\{S_1\right(x,f_1(x,y)\left)\right\}}_{x,y}\stackrel{c}{\equiv }{\left\{{view}_1^{\pi }\right(x,y\left)\right\}}_{x,y}$, ${\left\{S_2\right(y,f_2(x,y)\left)\right\}}_{x,y}\stackrel{c}{\equiv }{\left\{{view}_2^{\pi }\right(x,y\left)\right\}}_{x,y}$, it can be proved that the protocol is secure under the semi-honest model, where $\stackrel{c}{\equiv }$ denotes computationally indistinguishable. This method of proof is called a simulation paradigm [12].

3.3. Definition of Security for a Malicious Model

Malicious models are usually based on semi-honest models to improve design [12]. Currently, the commonly used proof method is a real-ideal model paradigm, i.e., the protocol has the same security as under the ideal model.

Ideal protocol: Mike and John have data $a$ and $b$, respectively, and both compute function $f(a,b)=\left(f_1\right(a,b),f_2(a,b\left)\right)$ with the help of a trusted third party (TTP) in order to obtain the objective results $f_1(a,b)$ and $f_2(a,b)$ without disclosing private data. If one party is a malicious participant and terminates the protocol after obtaining the target results, the TTP sends termination symbol $\perp$ to the other party.

Definition 2. 

The security of a malicious model.

Assuming that there exists an arbitrary acceptable $A=(A_1,A_2)$ in a real protocol, if a corresponding acceptable $B=(B_1,B_2)$ can be found in ideal protocol such that

$$\left\{{IDEAL}_{F,B}\left(x,y\right)\right\}\stackrel{c}{\equiv }\left\{{REAL}_{\Pi ,A}\left(x,y\right)\right\},$$

it can be proven to be secure under the malicious model. More details are available in Reference [12].

3.4. Threat Model

In the privacy-preserving multi-party collaboration protocol considered in this paper, n participants must collaborate to execute the protocol process. In the initial phase, all participants execute the M-MKFH scheme to complete the distribution of their respective public and secret keys. Subsequently, each participant maps their private input data to a target vector according to specific encoding rules based on the protocol objectives and encrypts it using public key. Through a series of secret operations based on multiplicative homomorphism, an aggregated ciphertext is generated. Finally, by jointly decrypting using each party’s private key, the expected computational result of the protocol can be obtained.

Semi-Honest Model: In this model, we assume that all participants strictly adhere to the protocol process. Although participants may attempt to infer additional information during interactions, they do not deviate from the protocol steps or compromise the correctness of computational results. This model focuses on the execution efficiency, with detailed protocol design outlined in Section 4.

Malicious Model: Unlike the semi-honest model, the malicious model involves malicious participants who engage in various malicious active attacks to seek unfair advantages. This paper’s solution primarily addresses malicious spoofing behaviors such as tampering with ciphertext, forging information, or providing incorrect keys. The core lies in using the hash function to generate authentication information and combining ZKP to verify the correctness and integrity of transmitted data or information. This mechanism can effectively detect malicious behavior and promptly abort the protocol upon detecting an attack, thereby safeguarding the legitimate rights and interests of honest participants. Therefore, while prioritizing overall security, this model also strives to maintain a certain level of performance. The specific protocol design is detailed in Section 5.

3.5. Zero-Knowledge Proof

Zero-knowledge proof (ZKP) [15] is a method of proving a statement to be true to a verifier without disclosing any additional information. It is an interactive proof process that usually involves two main actors: the prover and the verifier. The prover is responsible for presenting the proof, while the verifier tests the proof. If the prover knows a secret piece of information, they can prove this through a series of interactions without having to reveal the secret to the verifier.

Considering the real-time needs of FL for data processing and transmission, subsequent design of the malicious spoofing-resistant MPC protocol used Ligero [16], an efficient interactive zero-knowledge proof system combining an MPC protocol and efficient coding techniques that requires no trusted setup. The process is shown below:

(1) Circuit coding: Encode circuit line values into a Reed–Solomon code matrix.

(2) Generating ZKIPCP: Construct interactive PCP via Test-Interleaved, linear/quadratic constraint tests.

(3) Converting to ZK argument: Convert to ZK argument: (a) Interactive: Merkle-tree submission in response to a query; (b) Non-interactive: The Fiat–Shamir transform generates a single proof.

(4) Validation: Checking the consistency of linear combinations and local queries.

4. Semi-Honest Model Scheme

This section focuses on the basic problems solved by semi-honest model protocols, describes design idea, and proves protocol security. It should be noted that the semi-honest model protocol proposed in Section 4 is intended to prevent malicious spoofing (e.g., tampering with or uploading false information, providing incorrect keys, etc.) and not all malicious attacks.

4.1. The MPC Protocol of Multi-Party LCM Under the Semi-Honest Model

Problem description: Suppose there are $n(n\ge 2)$ participants $P_i(1\le i\le n)$, each with data $x_i$. They wish to calculate LCM securely without disclosing respective data.

Design idea: Participants jointly agree on the upper security threshold $k$. Assume that there exists a number $x_i$ whose fundamental theorem of arithmetic expands to $x_i=p_1^{{\alpha }_{i1}}·p_2^{{\alpha }_{i2}}\cdots p_s^{{\alpha }_{is}}\left({\alpha }_{is}\ge 0\right)$. Select exponential part of vector ${\alpha }_i=\left({\alpha }_{i1},\cdots ,{\alpha }_{is}\right)$ and transform it into vector $A_i=\left[\right({\alpha }_{i{1}_1},\cdots ,{\alpha }_{i{1}_k}),\cdots ,({\alpha }_{i{s}_1},\cdots ,{\alpha }_{i{s}_k}\left)\right]$, where ${\alpha }_{{ij}_t}=\left\{\begin{array}{c}1,t\ge {\alpha }_{ij}\\ 0,t<{\alpha }_{ij}\end{array}\right.\left(1\le t\le k,1\le j\le s\right)$. Multiply the components of vector $A_i$ to obtain joint vector $A=\prod _{i=1}^n{A}_i=\left[\right(\prod _{i=1}^n{\alpha }_{i{1}_1},\cdots ,\prod _{i=1}^n{\alpha }_{i{1}_k}),\cdots ,(\prod _{i=1}^n{\alpha }_{i{s}_1},\cdots ,\prod _{i=1}^n{\alpha }_{i{s}_k}\left)\right]=(A^1,\cdots ,A^s)$. Looking at the components of vector $A$, the subscript of the first $\mathrm{o}\mathrm{n}\mathrm{e}$ from left to right is maximum of component of the group. Until the $s$th group is taken, its LCM can be obtained by reduction according to the fundamental theorem of arithmetic (the workflow is shown in Figure 1).

4.2. Correctness Analysis

(1) Protocol 1 utilizes the fundamental principle in number theory that any natural number greater than one can be uniquely represented as a product of primes and transforms the problem of calculating LCM into one that is realized by solving maximum on the exponent of prime factorization of the fundamental theorem of arithmetic, which optimizes the calculation process and avoids the complexity of multiplying large numbers.

(2) Steps 3–5, using the multiplicative homomorphism of the M-MKFHE scheme, i.e., $E\left(A\right)\times E\left(B\right)=E(A\times B)$, realizes that multiplication between ciphertexts is equivalent to the multiplication of their corresponding plaintexts.

(3) Since Protocol 1 is designed using the M-MKFHE scheme, decryption requires $n$ participants jointly. It is not possible to obtain other participants’ private information by decrypting only one’s own secret key. In addition, even if $n-1$ participants $P_1,\cdots ,P_{n-1}$ wish to collude in order to obtain private data of $P_n$, they cannot decrypt cyphertext due to the encryption scheme properties.

Protocol 1. The MPC protocol of multi-party LCM under the semi-honest model.

Input: Private data $x_i$ of participant $P_i$. Output: $lcm(x_1,\cdots ,x_n)$. Preparation: Participants jointly agree on $k$. Running M-MKFHE scheme and $M-MKFHE.KeyGen(1^n,1^{\lambda })$ algorithm, participant $P_i$ generates public/secret key ${pk}_i/{sk}_i$ and publishes ${pk}_i$. Start: (1) Participant $P_i$ represents $x_i$ in form of the fundamental theorem of arithmetic $x_i=p_1^{{\alpha }_{i1}}\cdots p_s^{{\alpha }_{is}}$, taking out exponential part of it to form vector ${\alpha }_i$. (2) $P_i$ represents vector ${\alpha }_i$ as vector $A_i$ according to encoding rule ${\alpha }_{i{j}_t}=\left\{\begin{array}{c}1,t\ge {\alpha }_{ij}\\ 0,t<{\alpha }_{ij}\end{array}\right.$, and encrypts $A_i$ using public key ${pk}_i$ to obtain $C_i=\left\{\right[E\left({\alpha }_{i{1}_1}\right),\cdots ,E\left({\alpha }_{i{1}_k}\right)],\cdots ,[E\left({\alpha }_{i{s}_1}\right),\cdots ,E\left({\alpha }_{i{s}_k}\right)\left]\right\}$. (3) $P_1$ sends $C_1$ to $P_2$. (4) $P_2$ computes the product between components of $C_1$ and $C_2$, i.e., $C_1\times C_2$, denoted as $C_2^{\prime }$, and sends it to $P_3$, and so on until $P_{n-1}$. (5) $P_n$ calculates the product between components of $C_{n-1}^{\prime }$ and $C_n$, denoted $C,$ and announces it. (6) All participants jointly decrypt $C$ using joint secret key $F_K={sk}_1{sk}_2\cdots {sk}_n$ to obtain vector $D=\left(d^1,\cdots ,d^s\right)=\left[\right(d^{11},\cdots ,d^{1k}),\cdots ,(d^{s1},\cdots ,d^{sk}\left)\right]$. Looking at the components of vector $D$, the subscript of the first $\mathrm{o}\mathrm{n}\mathrm{e}$ from left to right is the maximum value of component of the group. Until the $s$th group is taken, the LCM can be obtained by reduction according to the fundamental theorem of arithmetic. (7) Outputting $lcm(x_1,\cdots ,x_n)$. End.

4.3. Security Proof

Theorem 2. 

Protocol 1 is secure under the semi-honest model.

Proof of Theorem 2. 

The participants in Protocol 1 are all of equal status, so it is sufficient to consider only the largest set of colluding attackers. If protocol is secure for the largest set of colluding attackers, then it is also secure for the set of colluding attackers consisting of any subset of the largest set of colluding attackers, so it is sufficient to prove that all the information in Protocol 1 is secure for the largest set of colluding attackers. Assume that $P_1$ is honest and the maximal set of colluding attackers is $I=\left\{P_2,\dots ,P_n\right\}$. During the execution of Protocol 1, ${view}_I^{\pi }(x_1,\dots ,x_n)=\left\{\right(x_2,\dots ,x_n),(r_2,\dots ,r_n),C,D,f_I(x_1,\dots ,x_n\left)\right\}$, where $r_2,\dots ,r_n$ denotes the set of random numbers used by the participants $P_2,\dots ,P_n$ to encrypt data; $C$ denotes the final ciphertext; $D$ denotes the decryption vector; and $f_I(x_1,\dots ,x_n)$ denotes the result obtained by the joint execution of function $f(x_1,\dots ,x_n)$ by colluders $I=\{P_2,\dots ,P_n\}$.

Construct simulator $S$ to perform the following process:

(1) $S$ runs M-MKFHE scheme to generate ${pk}_i$ and ${sk}_i$.

(2) $S$ receives input $(I,(x_2,\dots ,x_n),f_I(x_1,\dots ,x_n\left)\right)$ and picks an arbitrary $x_1^{\prime }$ such that $f_I(x_1,\dots ,x_n)=f_I(x_1^{\prime },x_2,\dots ,x_n)$ holds.

(3) $S$ constructs $x_1^{\prime }$ as vector $A_1^{\prime }$, encrypts it to obtain ciphertext $C_1^{\prime }$, and obtains final ciphertext $C^{\prime }$ according to Protocol 1 process.

(4) $S$ decrypts $C^{\prime }$ to obtain $D^{\prime }$.

Let $S\left(\right(x_2,\dots ,x_n),f_I(x_1,\dots ,x_n\left)\right)=\left\{\right(x_2,\dots ,x_n),(r_2^{\prime },\dots ,r_n^{\prime }),C^{\prime },D^{\prime },f_I(x_1^{\prime },x_2,\dots ,x_n\left)\right\}$ in simulator $S$ execution.

According to the semantic security of M-MKFHE scheme, there are $C\stackrel{c}{\equiv }{C}^{\prime },D\stackrel{c}{\equiv }{D}^{\prime },\left(r_2,\dots ,r_n\right)\stackrel{c}{\equiv }(r_2^{\prime },\dots ,r_n^{\prime })$. Also, due to $f_I\left(x_1^{\prime },x_2,\dots ,x_n\right)=f_I\left(x_1,x_2,\dots ,x_n\right)$, obtain $\left\{{view}_I^{\pi }\left(x_1,\dots ,x_n\right)\right\}\stackrel{c}{\equiv }\left\{S\right(I,(x_2,\dots ,x_n),f_I(x_1,\dots ,x_n)\}$.

Therefore, Protocol 1 is secure under the semi-honest model and enables resistance to $n-1$ collusion. □

4.4. The MPC Protocol of Multi-Party GCD Under the Semi-Honest Model

Problem description: Suppose there are $n$ participants $P_i$, each with data $x_i$. They wish to calculate GCD securely without disclosing their respective data.

Design idea: The GCD protocol is basically the same as the LCM protocol principle; the difference is the encoding rule for transformation of vector ${\beta }_i$ into vector $B_i$ is ${\beta }_{{ij}_t}=\left\{\begin{array}{c}0,t>{\beta }_{ij}\\ 1,t\le {\beta }_{ij}\end{array}\right.$. Looking at the components of vector $B$, the subscript of the first one from right to left is the minimum of the component of the group.

Given that Protocol 2 and Protocol 1 only differ in encoding rules, their correctness and security are both guaranteed.

Protocol 2. The MPC protocol of multi-party GCD under the semi-honest model.

Input: Private data $x_i$ of participant $P_i$. Output: $gcd(x_1,\dots ,x_n)$. The encoding rule for Step 2 of Protocol 2 is changed to ${\beta }_{{ij}_t}=\left\{\begin{array}{c}0,t>{\beta }_{ij}\\ 1,t\le {\beta }_{ij}\end{array}\right.$. In Step 6, the first one is found from right to left in each component of the plaintext vector. The operations in other steps remain consistent with Protocol 1. End.

5. Resistant Malicious Spoofing Scheme

This section focuses on the potential malicious spoofing behaviors (e.g., tampering with or uploading false information, providing incorrect keys, etc., and not all malicious attacks) in practical application of semi-honest model protocols, predetermines the preventive measures to be taken, designs corresponding protocols, and proves their security.

5.1. Solution Idea

Our semi-honest model scheme is based on the assumption that participants are honest in uploading parameter information. However, in display applications, there is no lack of malicious participants that may take various means to break the protocol, including but not limited to behaviors such as providing incorrect inputs and tampering with data. Therefore, there is a need to analyze the possible malicious attacks in semi-honest model protocols and to design protocols against malicious spoofing by constructing secure safeguards using cryptographic techniques such as ZKP or number-theoretic methods so as to ensure the security and efficiency of the protocols.

Protocol 1 may have the following malicious attacks:

(1) Step 2, where participants encrypt private data, may have the malicious behavior of tampering with the data. In Steps 3–5, the participant transmits or publishes the encrypted data; therefore, they may have the malicious behavior of providing false data. For such malicious spoofing behaviors, additional validation mechanisms can be designed to ensure that all participants offer error-free data information.

(2) Step 6, the process of joint decryption by the participants, may have the malicious behavior of providing a wrong secret key to corrupt the decryption result. The verification of the authenticity of secret key can be achieved with the help of the hash function and ZKP.

With the help of the ZKP system and the hash function, this paper designs a secure computation protocol of multi-party LCM/GCD that is resistant to malicious spoofing (the workflow is shown in Figure 2).

5.2. Correctness Analysis

(1) In Step 4 of Protocol 3, the multiplicative homomorphism of the M-MKFHE scheme is utilized to realize multiplication operation between the components of ciphertext. In addition, this step is operated jointly by all participants, instead of the “wheel-type” process of the semi-honest model protocol, which ensures fairness to a certain extent.

(2) In Steps 3 and 5, in order to stop malicious participants from entering incorrect information to corrupt the results, each participant needs to verify that their public key ${pk}_i$ and cyphertext vector $C_i$ are correct and error-free through the ZKP system, i.e., there is no spoofing. Since $C_i={pk}_i·{\tilde{s}}_i+2{\tilde{e}}_i+A_i$, it is required to verify that $Hash({sk}_i(C_i-A_i)/{pk}_i)={HS}_i=Hash({sk}_i({\tilde{s}}_i+{\displaystyle \frac{2{\tilde{e}}_i}{{pk}_i}}))$.

(3) Since Protocol 3 is designed using the M-MKFHE scheme, decryption requires joint decryption by n participants, and probabilistic encryption is inherently self-blinding, it is not possible to obtain other participants’ private information by decrypting only one’s own secret key. In addition, even if $n-1$ participants $P_1,\cdots ,P_{n-1}$ wish to collude in order to obtain the private data of participant $P_n$, they cannot decrypt cyphertext by colluding due to the properties of the encryption scheme.

Protocol 3. The MPC protocol of multi-party LCM against malicious spoofing.

Input: Private data $x_i$ of participant $P_i$. Output: Least common multiple $lcm(x_1,\cdots ,x_n)$. Preparation: Participants jointly agree on the upper security threshold $k$. Running M-MKFHE scheme and $M-MKFHE.KeyGen\left(1^n,1^{\lambda }\right)$ algorithm, participant $P_i$ generates public/secret key ${pk}_i/{sk}_i$, respectively, and publishes ${pk}_i$. Start: (1) Participant $P_i$ represents secret data $x_i$ in form of the fundamental theorem of arithmetic $x_i=p_1^{{\alpha }_{i1}}\cdots p_s^{{\alpha }_{is}}$, taking out exponential part of it to form vector ${\alpha }_i=({\alpha }_{i1},\cdots ,{\alpha }_{is})$. (2) $P_i$ represents vector ${\alpha }_i$ as vector $A_i=\left[\right({\alpha }_{i{1}_1},\cdots ,{\alpha }_{i{1}_k}),\cdots ,({\alpha }_{i{s}_1},\cdots ,{\alpha }_{i{s}_k}\left)\right]$ according to encoding rule ${\alpha }_{i{j}_t}=\left\{\begin{array}{c}1,t\ge {\alpha }_{ij}\\ 0,t<{\alpha }_{ij}\end{array}\right.$. (3) $P_i$ picks vectors ${\tilde{s}}_i,{\tilde{e}}_i\leftarrow {\chi }^{l_0}$ and encrypts vector $A_i$ to obtain cyphertext vector $C_i$. (4) $P_i$ computes ${HS}_i=Hash({sk}_i({\tilde{s}}_i+{\displaystyle \frac{2{\tilde{e}}_i}{{pk}_i}}))$ and publishes it. (5) All participants perform homomorphic multiplication operations on $C_i$ jointly to obtain vector $C=C_1·C_2\cdots C_n$. (6) $P_i$ runs the Ligero ZKP system to validate whether $Hash\left({sk}_i\right(C_i-A_i)/{pk}_i)$ is equal to ${HS}_i$. If everyone passes, next step is initiated; if one person fails, the protocol is aborted. (7) All participants construct joint decryption secret key $F_K={sk}_1{sk}_2\cdots {sk}_n$ to decrypt vector $C$ and obtain plaintext vector $D$. (8) Participant $P_i$ looks at the components of vector $D$ and the subscript of the first one from left to right is the maximum value of the component of the group. Until the $s$th group is taken, its LCM can be obtained by reduction according to the fundamental theorem of arithmetic. (9) Outputting LCM $lcm(x_1,\cdots ,x_n)$. End.

5.3. Security Proof

Theorem 3. 

Protocol 3 (denoted as $\Pi$) enables to compute multi-party LCM securely and resists malicious spoofing.

Proof of Theorem 3. 

The participants in Protocol 3 are all of equal status, so it is sufficient to consider only the largest set of colluding attackers. If this protocol is secure with respect to the maximal set of colluding attackers, then it is also secure with respect to the set of colluding attackers consisting of any subset of the maximal set of colluding attackers.

Assume that $P_1$ is secure and the maximal set of colluding attackers is $O=\left\{P_2,\cdots ,P_n\right\}$. It is sufficient to prove that any probabilistic time polynomial algorithmic strategy $A$ adopted by an attacker with all participants in control $O$ in the real protocol is able to find a counterpart of the admissible probabilistic time polynomial algorithmic strategy $B$ in the ideal protocol, in which it holds that ${\left\{{IDEAL}_{f,O,B\left(z\right)}\left(\stackrel{-}{x}\right)\right\}}_{\stackrel{-}{x},z}\stackrel{c}{\equiv }\{{REAL}_{\Pi ,O,A(z)}{(\stackrel{-}{x})\}}_{\stackrel{-}{x},z}$.

If the protocol aborts at Step 6, it is secure because the public key and ciphertext vector $E(A_i)$ both originate from each participant itself, and vector $C$ generated by joint computation does not leak data information.

First, any $A$ in the real protocol is transformed into its counterpart $B$ in the ideal protocol. Consider $O$ as a whole with input $\stackrel{-}{x}=(x_1,A(x_2,\cdots ,x_n))$, i.e., the colluder’s input in the real protocol depends on the colluding attacker’s strategy $A$. If at Step 5 of the protocol $P_1$ discovers the existence of hash provided by $P_i\in O$ that cannot be verified through bit commitment, the protocol is aborted. Since $P_1$ cannot obtain the correct $f(\stackrel{-}{x})$, it can only output $\perp$, but the malicious participant may have obtained the correct $f(\stackrel{-}{x})$.

The output of the attacker depends on the strategy it adopts, so its output is $A({\stackrel{-}{x}}_o,O,r,z,C,{HS}_i,f(\stackrel{-}{x}))$ with ${\left\{{REAL}_{\Pi ,O,A\left(z\right)}(\stackrel{-}{x})\right\}}_{\stackrel{-}{x},z}=\{A({\stackrel{-}{x}}_o,O,r,z,C,{HS}_i,f(\stackrel{-}{x})),\perp \}$.

If the protocol is not aborted, $P_1$ obtains and outputs $f(\stackrel{-}{x})$. $O$ obtains $f(\stackrel{-}{x})$ and its output depends on the strategy adopted and the information obtained by the process, i.e., $A({\stackrel{-}{x}}_o,O,r,z,C,{HS}_i,f(\stackrel{-}{x}))$ with ${\left\{{REAL}_{\Pi ,O,A\left(z\right)}(\stackrel{-}{x})\right\}}_{\stackrel{-}{x},z}=\{A({\stackrel{-}{x}}_o,O,r,z,C,{HS}_i,f(\stackrel{-}{x})),f(\stackrel{-}{x})\}$.

In the ideal protocol, $P_1$ provides TTP with its own data $x_1$. $B$ sends ${\stackrel{-}{x}}_o$ to $A$, obtains $A\left({\stackrel{-}{x}}_o\right),$ and sends it to TTP. TTP calculates $f(\stackrel{-}{x})=f(x_1,A({\stackrel{-}{x}}_o))$ and sends it to $B$.

$B$ randomly selects an ${x_1}^{\prime }$ such that $f({x_1}^{\prime },A({\stackrel{-}{x}}_o))=f(x_1,A({\stackrel{-}{x}}_o))$ holds. $B$ executes the protocol using ${x_1}^{\prime }$ and $O$, providing the ciphertext vector $C_1^{\prime }$ corresponding to ${x_1}^{\prime }$ and ${HS}_i^{\prime }$ required for the ZKP system.

If there is a colluding attacker thag fails the bit commitment in real protocol execution, $B$ does not allow TTP to send the result to $P_1$, which outputs $\perp$. Conversely, $P_1$ outputs $f(\stackrel{-}{x})$.

In either case, $B$ calls $A$ with $({\stackrel{-}{x}}_o,O,r,z,C_1^{\prime },{HS}_i^{\prime },f(\stackrel{-}{x}))$, i.e., the output is $A({\stackrel{-}{x}}_o,O,r,z,C_1^{\prime },{HS}_i^{\prime },f(\stackrel{-}{x}))$. If the protocol is aborted, ${\{{IDEAL}_{f,O,B(z)}(\stackrel{-}{x})\}}_{\stackrel{-}{x},z}=\{A({\stackrel{-}{x}}_o,O,r,z,C_1^{\prime },{HS}_i^{\prime },f(\stackrel{-}{x})),\perp \}$. If the protocol execution is complete, ${\{{IDEAL}_{f,O,B(z)}(\stackrel{-}{x})\}}_{\stackrel{-}{x},z}=\{A({\stackrel{-}{x}}_o,O,r,z,C_1^{\prime },{HS}_i^{\prime },f(\stackrel{-}{x})),f(\stackrel{-}{x})\}$.

By comparing ${\{{REAL}_{\Pi ,O,A(z)}(\stackrel{-}{x})\}}_{\stackrel{-}{x},z}$ and ${\{{IDEAL}_{f,O,B(z)}(\stackrel{-}{x})\}}_{\stackrel{-}{x},z}$, we can see that the output of $P_1$ is the same. It is sufficient to show that $A({\stackrel{-}{x}}_o,O,r,z,C_1,{HS}_i,f(\stackrel{-}{x}))$ and $A({\stackrel{-}{x}}_o,O,r,z,C_1^{\prime },{HS}_i^{\prime },f(\stackrel{-}{x}))$ are computational indistinguishable.

$C_1$ and $C_1^{\prime }$ are ciphertexts encrypted by the M-MKFHE scheme, semantically secure, hence $E(A_1)\stackrel{c}{\equiv }{E(A_1)}^{\prime }$. ${HS}_1$ and ${HS}_1^{\prime }$ are hash values of ${\tilde{s}}_i+2{\tilde{e}}_i/{pk}_i$ and ${{\tilde{s}}_i}^{\prime }+2{{\tilde{e}}_i}^{\prime }/{{pk}_i}^{\prime }$, hence ${HS}_1\stackrel{c}{\equiv }{HS}_1^{\prime }$. It further follows that ${\{{IDEAL}_{f,O,B(z)}(\stackrel{-}{x})\}}_{\stackrel{-}{x},z}\stackrel{c}{\equiv }\{{REAL}_{\Pi ,O,A(z)}{(\stackrel{-}{x})\}}_{\stackrel{-}{x},z}$.

Thus, Protocol 3 enables secure computation of multi-party LCM and resists malicious spoofing. It is important to note here that Protocol 3 and Protocol 4 below address the problem of spoofing behavior by malicious adversaries, not resistance to all malicious attacks, which can be said to be a protocol under the incomplete malice model. □

Theorem 4. 

The M-MKFHE scheme, collision-resistant hash function, and Ligero ZKP system together ensure that Ligero proof’s soundness error does not undermine the overall ZKP soundness in this paper.

Proof of Theorem 4. 

First, the M-MKFHE scheme satisfies IND-CPA security. That is, for any probabilistic polynomial-time (PPT) adversary, the advantage of distinguishing between two ciphertexts corresponding to two plaintexts is negligible. Formally, for all PPT adversaries $\mathcal{A}$, there exists a negligible function $negl(\lambda )$ ($\lambda$ is security parameter) such that $\left|Pr\left[\mathcal{A}\left(pk,Enc\left(pk,m_0\right)\right)=1\right]-Pr\left[\mathcal{A}\left(pk,Enc\left(pk,m_1\right)\right)=1\right]\right|\le negl(\lambda )$. Second, the Ligero ZKP system (the following is abbreviated as Ligero) soundness error is ${ϵ}_{Ligero}=O({\displaystyle \frac{e+6}{{\left|\mathbb{F}\right|}^{\sigma }}}+{(1-{\displaystyle \frac{e}{n}})}^t+5{({\displaystyle \frac{e+2k}{n}})}^t)$, where $e<d/4$, $d$ is the minimum distance of the Reed–Solomon code, $\sigma$ is the repetition parameter, and $t$ is the query parameter. For sufficiently large $\left|\mathbb{F}\right|$ and $t$, ${ϵ}_{Ligero}$ is negligible in the security parameter $\lambda$. Finally, the hash function (e.g., SHA-256) used in Ligero ensures that it is computationally infeasible to find two distinct inputs with the same hash output, which is critical for the binding property of Merkle trees in the protocol. Next, we prove the soundness of Protocol 3, i.e., a malicious prover cannot convince the verifier of a false statement except with negligible probability. This requires bounding the probability that (1) Ligero’s proof is invalid (limited by its soundness error ${ϵ}_{Ligero}$); (2) the M-MKFHE ciphertexts are incorrectly formed (excluded by the IND-CPA security).

Step 1: Bounding Ligero’s soundness error. Ligero’s soundness error ${ϵ}_{Ligero}$ is designed to be negligible for appropriate parameter choices.

• Choose the field size $\left|\mathbb{F}\right|=2^{\mathsf{\Omega }(\lambda )}$, repetition parameter $\sigma =\mathsf{\Omega }(\lambda )$, and query parameter $t=\mathsf{\Omega }\left(\lambda \mathrm{l}\mathrm{o}\mathrm{g}n\right)$.
• According to LEMMA 4.10. in Reference [16], ${ϵ}_{\mathit{Ligero}}\le {\displaystyle \frac{e+6}{2^{\Omega \left({\lambda }^2\right)}}}+{\left(1-{\displaystyle \frac{e}{n}}\right)}^{\Omega \left(\lambda logn\right)}+5{({\displaystyle \frac{e+2k}{n}})}^{\Omega (\lambda logn)}$, which is negligible.

Step 2: Reducing to M-MKFHE’s security. Assume for contradiction that there exists a malicious prover $P^{*}$ that breaks the overall ZKP soundness with non-negligible probability $ϵ$. Construct a reduction $\mathcal{B}$ that breaks M-MKFHE’s IND-CPA security or the hash function’s collision resistance.

• Case 1: Ligero’s proof is valid but the statement is false. By Ligero’s soundness, this occurs with probability ≤ ${ϵ}_{\mathit{Ligero}}$ (negligible).
• Case 2: The M-MKFHE ciphertexts are invalid. If $P^{*}$ produces invalid M-MKFHE ciphertexts (e.g., inconsistent with the plaintexts), $\mathcal{B}$ can use this to distinguish between encryptions of $m_0$ and $m_1$ in the IND-CPA game, contradicting M-MKFHE’s semantic security.
• Case 3: Hash collision. If $P^{*}$ manipulates the Merkle tree commitments in Ligero, this implies a hash collision, contradicting the collision resistance of the hash function.

Step 3: Combining errors. The total soundness error of Protocol 3 is the sum of

• Ligero’s soundness error ${ϵ}_{\mathit{Ligero}}$ (negligible);
• The probability of breaking M-MKFHE’s IND-CPA security (negligible);
• The probability of a hash collision (negligible).

By the union bound, the total error is negligible in $\lambda$.

In summary, Ligero ZKP system’s soundness error is explicitly bounded by its parameters and is negligible for appropriate choices of $\mid \mathbb{F}\mid$, $\sigma$, and $t$. Combined with M-MKFHE’s semantic security and the hash function’s collision resistance, the overall ZKP soundness is preserved. Thus, Ligero’s soundness error does not undermine the security of Protocol 3. □

Protocol 1 and Protocol 3 adopt the M-MKFHE scheme, which inherits the quantum-resistant properties of the original NTRU cryptosystem. NTRU is included in the fourth round of candidate standards by the NIST PQC project, demonstrating its reliability as a quantum-safe primitive. The security of NTRU relies on difficult problems on lattices (such as SVP, RLWE and DSPR), unlike classical public-key cryptosystems like RSA or ECC, which are vulnerable to attacks by Shor’s algorithm on quantum computers. Lattice-based problems have not yet been effectively broken under the quantum computing model. This fundamental property ensures the quantum resistance of the M-MKFHE scheme.

Specifically, the security of the M-MKFHE scheme is based on the difficulty assumptions of the ${DSPR}_{\varphi ,q,\chi }$ and ${RLWE}_{\varphi ,q,\chi }$ problems (as described in Theorem 1), which are grounded in lattice theory and cannot be efficiently solved by currently known quantum algorithms. These assumptions underpin the scheme’s indistinguishability under chosen-plaintext attacks, i.e., IND-CPA security.

5.4. The MPC Protocol of Multi-Party GCD Against Malicious Spoofing

The MPC protocol of multi-party GCD against malicious spoofing (i.e., Protocol 4) is based on Protocol 2 and is analogous to Protocol 3. Simply add the corresponding hash function computation and ZKP verification process, and its security can be guaranteed by Protocol 3 in the same way.

6. Performance Analysis

This section tests the performance of our protocols. First, multiple comparison experiments with different parameters are conducted with the existing research schemes. Second, simulations are conducted to test the performance in real applications to confirm its practicality and feasibility.

6.1. Computational Complexity Analysis

Reference [27] presented a secure protocol of computing multi-party minimum.; the computational complexity is $n+3nl+l$ modular exponentiation operations. Reference [30] presented a secure protocol of computing multi-party maximum and minimum simultaneously; the computational complexity is $n+2l+2nl$ modular exponentiation operations. Reference [33] presented an MPC protocol of computing maximum and minimum simultaneously. Encryption requires $2ln$ modular multiplication operations and decryption requires $ln$ modular multiplication operations, so the computational complexity is $3ln$ modular multiplication operations. Reference [35] presented a secure protocol of computing multi-party maximum; the computational complexity is $(n-1)(5b+2)$ modular multiplication operations. Protocol 4.2 in Reference [38] is an MPC protocol of multi-party LCM. Encryption requires $2lsn$ modular multiplication operations and decryption requires $lsn$ modular multiplication operations, so the computational complexity is $3lsn$ modular multiplication operations. Protocol 4.3 in Reference [38] is an MPC protocol of multi-party GCD, only its encoding method is different from Protocol 4.2 in Reference [38], so the computational complexity is $3lsn$ modular multiplication operations. Reference [39] presented an MPC protocol of multi-party LCM. $n$ participants jointly generate the public key which requires $n$ modular exponentiation operations. Encryption requires $2msn$ modular exponentiation operations and decryption requires $msn$ modular exponentiation operations, so the computational complexity is $n+3msn$ modular exponentiation operations.

In this paper, Protocol 1 and Protocol 2 are MPC protocols of multi-party LCM and GCD under the semi-honest model, respectively. Encryption requires $ksn$ polynomial multiplication operations and decryption requires $ksn$ polynomial multiplication operations, so the computational complexity is $2ksn$ polynomial multiplication operations. Protocol 3 and Protocol 4 are MPC protocols of multi-party LCM and GCD against malicious spoofing, respectively. Encryption requires $ksn$ polynomial multiplication operations and decryption requires $ksn$ polynomial multiplication operations, and running Ligero ZKP system to validate the hash value by participants requires $sn\mathit{log}N$ polynomial multiplication operations, so the computational complexity is $sn(2k+\mathit{log}N)$ polynomial multiplication operations.

6.2. Communication Complexity Analysis

In this subsection, we quantify communication complexity in terms of communication rounds.

Reference [27] requires $3(n-1)$ rounds of communication complexity. Reference [30] requires $3(n-1)$ rounds of communication complexity. Reference [33] requires $3(n-1)$ rounds of communication complexity. Reference [35] requires $3(n-1)$ rounds of communication complexity. Protocol 4.2 in Reference [38] requires $2n$ rounds of communication complexity. Protocol 4.3 in Reference [38] requires $2n$ rounds of communication complexity. Reference [39] requires $3(n-1)$ rounds of communication complexity.

Protocol 1 and Protocol 2 in the paper encrypt and decrypt data. Each process requires $n-1$ rounds of communication complexity, so $2(n-1)$ rounds of communication complexity are needed. Protocol 3 and Protocol 4 encrypt and decrypt data, each requiring $n-1$ rounds of communication complexity. The Ligero ZKP system validation data require two rounds of communication complexity. Thus, Protocol 3 and Protocol 4 require $4n-2$ rounds of communication complexity. The protocol performance analysis is shown in Appendix A.3,

Table A3. Protocol performance analysis.

Reference	Function	Computational Complexity	Communication Complexity	Cyphertrext or Polynomial Coefficients Number	Security Model
Reference [27]	MIN	$n+3nl+l$ modular exponentiation operations	$3(n-1)$	254 byte (cyphertext)	Semi-honest model
Reference [30]	MAX/ MIN	$n+2l+2nl$ modular exponentiation operations	$3(n-1)$	198 byte (cyphertext)	Semi-honest model
Reference [33]	MAX/ MIN	$3ln$ modular multiplication operations	$3(n-1)$	223 byte (polynomial coefficients)	Semi-honest model
Reference [35]	MAX/ MIN	$(n-1)(5b+2)$ modular multiplication operations	$3(n-1)$	314 byte (polynomial coefficients)	Semi-honest model
Protocol 4.2 in Ref. [38]	LCM	$3lsn$ modular multiplication operations	$2n$	688 byte (polynomial coefficients)	Semi-honest model
Protocol 4.3 in Ref. [38]	GCD	$3lsn$ modular multiplication operations	$2n$	690 byte (polynomial coefficients)	Semi-honest model
Reference [39]	LCM	$n+3msn$ modular exponentiation operations	$3(n-1)$	524 byte (cyphertext)	Semi-honest model
Protocol 1	LCM	$2ksn$ polynomial multiplication operations	$2(n-1)$	512 byte (polynomial coefficients)	Semi-honest model
Protocol 2	GCD	$2ksn$ polynomial multiplication operations	$2(n-1)$	513 byte (polynomial coefficients)	Semi-honest model
Protocol 3	LCM	$sn(2k+\mathit{log}N)$ polynomial multiplication operations	$4n-2$	780 byte (polynomial coefficients)	Resist malicious spoofing
Protocol 4	GCD	$sn(2k+\mathit{log}N)$ polynomial multiplication operations	$4n-2$	812 byte (polynomial coefficients)	Resist malicious spoofing

.

6.3. Experiment Test

We run the experiment on AMD EPYC 9754 2.25 GHz, 512GB RAM. We implement our scheme in Python 3 using pycryptodomex, zksk, and tensorflow-federated library.

The core idea of our multi-party collaboration schemes of LCM and GCD is to compute maximum (max)/minimum (min) in the expansion of the fundamental theorem of arithmetic, and thus it is particularly important to compare with the most recent MPC protocols of multi-party max/min. Because testing the efficiency of computing multi-party needs to be secure, Protocol 1 and Protocol 3 of this paper do not need to consider the number of prime terms in the expansion of fundamental theorem of arithmetic $s$; thus, the computational complexity of Protocol 1 and Protocol 3 are $2kn$ polynomial multiplication operations and $n(2k+\mathit{log}N)$ polynomial multiplication operations, respectively. What needs attention are $l$ and $k$, which act as the potential of a full set.

Test 1: We set simulation experiment tests with execution time of protocols to compute the best value (Reference [27], Reference [30], Reference [33], Reference [35], Protocols 1 and 3 in this paper), where the variable is the number of participants $n$. We set $n=4,8,12,16,20,24$. Fix $b=24$, $k=l=50$ and $N=128$. The experimental test is performed 100 times and computation is carried out to determine averaged results, which are shown in Figure 3a. Another batch of simulation experiments tests the execution time of protocols for computing the maximum when the variable is a potential of a full set $l$. We set $l=50,60,70,80,90,100$. We fix $b=24$, $n=12$ and $N=128$. The experimental process is the same as above and the results are shown in Figure 3b.

By analyzing computational complexity and observing

Table 1. Summary for our scheme.

Scheme	Method	Security Model	Performance	Applicable Scenario
Protoocl 1	M-MKFHE scheme	Semi-honest model	Improved by 39.5% and 45.6% under different comditions	High real-time performance, high efficiency requirement
Protocol 3	M-MKFHE scheme Ligero ZKP system Hash function	Resistance against malicious spoofing	Only 1.39 s added to Protocol 1	High security while maintaining certain efficiency

, it can be found that the parameters affecting performance of protocols of Reference [38], Reference [39], and our scheme can be regarded as having the same role, to some extent. Therefore, the following experiments make $m=l=k$ and $s=8$. Since $s$ is the number of primes in the expansion of the fundamental theorem of arithmetic, when $s=8$, i.e., the first ten prime numbers are taken, each of which has a size of at least $2\times 3\times 5\times 7\times 11\times 13\times 17\times 19=9699690$.

Test 2: The set of simulation experiments tests execution time of LCM protocols (Protocol 4.2 in Reference [38], Reference [39], Protocols 1 and 3 in this paper), where the variable is the number of participants $n$. We set $n=4,8,12,16,20,24$. We fix $m=l=k=30$ and $N=128$. The experimental test is performed 100 times and computation ia carried out to obtain averaged results, which are shown in Figure 4a. Another batch of simulation experiments tests execution time of LCM protocols when the variable is parameter value $k$. We set $k=10,20,30,40,50,60$. We fix $n=12$ and $N=128$. The experimental process is the same as above and the results are shown in Figure 4b.

Test 3: The set of simulation experiments tests execution time of GCD protocols (Protocol 4.3 in Reference [38], Reference [39], Protocols 2 and 4 in this paper), where the variable is the number of participants $n$. We set $n=4,8,12,16,20,24$. We fix $m=l=k=30$ and $N=128$. The experimental test is performed 100 times and computation is carried out to determine averaged results, which are shown in Figure 5a. Another batch of simulation experiments tests execution time of GCD protocols when the variable is parameter value $k$. We set $k=10,20,30,40,50,60$. We fix $n=12$ and $N=128$. The experimental process is the same as above and the results are shown in Figure 5b.

Test 4: In practical applications, bandwidth, data size, and other objective factors affect the processing efficiency of the protocol, which in turn affects model training. Therefore, we fix $n=8$ and $N=256$. The simulation experiments test the protocol delay time with bandwidth and data size, respectively. The experimental test is performed 100 times and computation is performed to obtain averaged results. Since LCM protocols and GCD protocols differ only in encoding rules, LCM protocols are used as the test subject. The trend of protocol delay time with bandwidth is shown in Figure 6a. The trend of protocol delay time with data size is shown in Figure 6b.

7. Discussion

Given that LCM protocols and GCD protocols differ only in the encoding rule, the LCM protocols (i.e., Protocol 1 and Protocol 3) are used below to refer to this paper’s scheme instead.

As shown in Table A3, the complexity analysis comparing existing reference schemes with our scheme demonstrates significant advantages in both computational and communication complexity. Specifically, the computational complexity of our semi-honest model protocols is markedly lower than those of References [38,39], both in terms of numerical magnitude and operational scale. Concurrently, the communication complexity is optimized and the number of polynomial coefficients is significantly reduced. However, the computational and communication complexity of our protocols against malicious spoofing are correspondingly increased due to the additional operations and communication rounds required for the verification processes.

As illustrated in Figure 3, which shows the execution time variation trends of our protocols and comparative schemes for computing the most value simultaneously, Protocol 1 achieves an average efficiency improvement of 35.2% under the condition of fixing the potential of full set. Conversely, when the number of participants is fixed, the efficiency improvement averages 30.1%. This discrepancy arises because operational efficiency of the protocol is partially influenced by the potential of a full set, leading to relatively lower optimization gains in the latter scenario.

Figure 4 depicts the execution time variation trends of our protocols and comparative schemes for simultaneous computing LCM. Protocol 1 achieves an average efficiency gain of 39.5% under the condition of fixing parameter values $k$ and 45.6% under the condition of fixing participant number. Although Protocol 3 exhibits the longest execution time, with an average increase of 1.39 s compared to Protocol 1, this trade-off is justified by its enhanced security guarantees, which are particularly critical for scenarios with stringent security requirements aligning with the design expectations. Analysis of the execution time trend lines reveals that Protocol 1 maintains stable and efficient performance when the security threshold $k$ is 10–30. However, it is noteworthy that in the first three experimental groups with predefined parameters $s=8$ and $k=30$, the data processed per party in Protocol 1 generally exceed 9,699,690 under normal conditions. Furthermore, for Protocol 3, when the number of participants $n\ge 8$ and the security threshold $k\ge 20$, the execution time exhibits a pronounced non-linear escalation, deviating from its previous linear growth pattern.

Figure 6 shows the delay time trend graph of this paper’s protocol under different conditions. Observation of Figure 6a reveals that both Protocol 1 and Protocol 3 show a significant decreasing trend in delay with the increase in bandwidth. However, a closer look at the error line reveals that Protocol 1 has less error at high bandwidth, while Protocol 3 still has some degree of error. Observing Figure 6b, it can be seen that the delay time of Protocol 1 shows a slow rising trend with the increase in data size, and it rises significantly after reaching the threshold size of 512 bits, which has better scalability; the delay time of Protocol 3 shows an increase in 256 bits of data. In summary, it can be seen that Protocol 1 has the advantage of processing data up to 512 bits under the bandwidth of 255 Mbps–1.5 Gbps, and it is suitable for scenarios with higher real-time requirements. The higher the bandwidth, the better the performance; Protocol 3 is limited by its processing overhead, and therefore pays more attention to security or robustness and can process no more than 256 bits of data under the bandwidth of 255 Mbps–1.5 Gbps, applicable to security requirements of more complicated scenarios.

Based on the analysis of experimental results, the following conclusions can be drawn regarding the scalability limits of Protocol 1 and Protocol 3:

• Scalability limits of Protocol 1

Data size limitation: Protocol 1 has a clear scalability threshold in terms of data size. Although it can efficiently process up to 512 bits of data, performance degrades significantly when the data size exceeds 512 bits. This establishes 512 bits as the practical upper limit for efficient operation under typical bandwidth conditions (255 Mbps–1.5 Gbps).

Parameter limitation: Within the security threshold $k$ of 10–30, Protocol 1 demonstrates excellent stability and efficiency. Under fixed $k$, its scalability in terms of the number of participants remains robust. However, if $k$ is significantly higher than 30, accompanied by a large $s$, there may be potential computational or memory bottlenecks.

Bandwidth dependency: Its scalability in terms of delay time is positively affected by bandwidth. Performance scales well with increasing bandwidth, making it suitable for high-bandwidth environments where larger data volumes or numbers of participants can be accommodated within the 512-bit data limit.

• Scalability limits of Protocol 3

Data size limitation: Compared to Protocol 1, Protocol 3 has significantly lower tolerance for data size, with delay time increasing significantly even at 256 bits of data. This establishes 256 bits as the strict practical efficiency limit under typical bandwidth conditions (255 Mbps–1.5 Gbps). Expansion beyond this point becomes impractical due to the sharp increase in delay time.

Participant number and parameter limitation: Protocol 3 has critical scalability limitations in terms of participant number and security threshold $k$. When $n\ge 8$ and $k\ge 20$, the execution time transitions from a linear growth pattern to a significant non-linear surge. This indicates that the computational and communication overhead becomes excessively high beyond this combination threshold, severely limiting its scalability in larger-scale deployment.

Bandwidth sensitivity limitation: Although delay time decreases with increasing bandwidth, Protocol 3 maintains a certain error rate even at higher bandwidth (compared to Protocol 1). This indicates that simply increasing bandwidth is insufficient to overcome its inherent scalability limitation, and that the introduction of optimization mechanisms should be considered.

8. Conclusions and Future Work

8.1. Conclusions

This study is based on the M-MKFHE scheme and presents a secure computation scheme of multi-party LCM/GCD under the semi-honest model to securely realize multi-party data privacy collaboration. For potential spoofing behaviors, a secure computation scheme against malicious spoofing is proposed by combining the hash function and the Ligero zero-knowledge proof system. The experimental results show that our semi-honest model scheme improves efficiency by 39.5% and 45.6% compared to the existing schemes under different parameter comparisons. It is also able to process small- and medium-sized data efficiently and in real time under high bandwidth. The anti-malicious spoofing scheme improves time consumption compared to the semi-honest model scheme, but it takes into account both the security and the efficiency and achieves the expected design effect. For specific results, please refer to Table 1.

8.2. Future Work

In the future, we will try to introduce techniques such as sparsification, block processing, and blooming filters to further improve the protocol operation efficiency and explore more efficient and secure privacy computation mechanisms or frameworks in federated learning. Building upon this, our future work will focus on (1) quantitatively analyzing and optimizing the combined impact of sparsification, block processing, and bloom filters on communication, computation, and storage overhead, potentially incorporating adaptive strategies; (2) strengthening security guarantees under a stronger malicious model (e.g., backdoor attacks, distributed denial-of-service attacks, etc.) and minimizing potential side-channel leaks; (3) investigating the integration of our approach with advanced cryptographic primitives for potential synergistic benefits; (4) enhancing the protocol’s generality for broader aggregation functions, scalability for large-scale deployments, and seamless integration with mainstream FL frameworks (e.g., TFF, FATE); (5) addressing practical challenges like device heterogeneity, communication unreliability, and client dropouts to ensure robust performance in real-world edge environments.