A Blockchain-Based Secure Multi-Party Computation Scheme with Multi-Key Fully Homomorphic Proxy Re-Encryption

At present, secure multi-party computation is an effective solution for organizations and institutions that want to derive greater value from collaborative computation over their data. Most current secure multi-party computation schemes use encryption that is not resistant to quantum attacks, which is a security risk given the rapid growth of quantum computing, and, when a result is obtained, the result querier either has to collect the private keys of multiple data owners to decrypt it jointly or has to interact with the data owners during decryption. Based on the NTRU cryptosystem, which resists quantum attacks and has a simple, easy-to-implement structure, and combined with multi-key fully homomorphic encryption (MKFHE) and proxy re-encryption, this paper proposes a secure multi-party computation scheme based on NTRU-type multi-key fully homomorphic proxy re-encryption in a blockchain environment, using the blockchain as trusted storage and a trusted execution environment to provide data security for the computation. The scheme is verifiable, collusion-resistant, individually decryptable by the querier, and resistant to quantum attacks.


Introduction
With the rapid development of communication technology and the steady advance of global informatization, data owned by organizations or individuals can generate great value through exchange and integration. To make full use of that value, data interaction and sharing, and information integration between different institutions and organizations, have become urgent needs; collecting data from all parties for collaborative computation is a typical scenario. Participants want to protect the security of their data, protect the privacy of all parties, and ensure the fairness of the computation while the data are collected and used. The proposal and development of secure multi-party computation (SMPC) [1] provide an effective solution and technical support for these requirements. In order to protect the privacy of all parties and the security of their private data during the use of secure multi-party computation, it is necessary to continuously improve the secu-final result of the computation. Specifically, SMPC protects the privacy of each participant: the participants P , = 1, … , n hold separate secret inputs , = 1, … , n, and jointly compute a common function with the values ( , , … , ) = ( , , … , ). Throughout the computation, participant P cannot learn anything other than the result of the computation and its own secret input ( , ); the participants are not privy to any other information.
Fully homomorphic encryption is an encryption scheme that allows computation directly on encrypted data: the result of operating on the ciphertexts decrypts to the same value as operating on the plaintexts and then encrypting, a property that makes it applicable in outsourced computing. Multi-key fully homomorphic encryption (MKFHE) was first proposed by A. López-Alt et al. [3], who used a modified NTRU scheme to construct it. MKFHE can process data encrypted under several different keys, removing the restriction that homomorphic encryption can only operate on data encrypted under one key, but its decryption still requires the result querier to collect the private keys of the data owners for joint decryption, or an interaction between the data owners and the querier during decryption. To address this, S. Yasuda et al. [4] proposed multi-key homomorphic proxy re-encryption (MKH-PRE). In MKH-PRE, each data owner encrypts its data under its own public key for multi-key homomorphic computation, and the ciphertext produced by the homomorphic computation can be proxy re-encrypted into a new ciphertext that only the result querier can decrypt. The NTRU cryptosystem is resistant to quantum attacks, and key generation in NTRU-based schemes is comparatively simple, using only modular multiplication and modular inversion, which gives a structure that is easy to implement. It can be used not only to construct NTRU-based MKFHE but also to construct proxy re-encryption schemes that transform a ciphertext into one decryptable with the querier's key.

Motivation and Contribution
The encryption schemes used in most current secure multi-party computation schemes are not resistant to quantum attacks, which is a security risk as quantum computing develops, and SMPC schemes built on MKFHE do not let the querier decrypt the result on its own. It is therefore necessary to design a secure multi-party computation scheme that resists quantum attacks and whose result can be decrypted individually by the querier.
The main contributions of this paper are as follows:
1. A secure multi-party computation scheme based on NTRU-type [5] multi-key fully homomorphic proxy re-encryption is proposed. Proxy re-encryption solves the problem that a multi-key homomorphic encryption result cannot be decrypted by the querier alone, and the data owner can go offline after uploading its encrypted data instead of staying online during the computation.
2. A scheme combining the blockchain with the NTRU multi-key fully homomorphic proxy re-encryption secure multi-party computation scheme is proposed. The decentralized, transparent, and tamper-resistant properties of the blockchain provide traceability and verifiability and deter collusion among participants.
3. The security proof and the comparison with other schemes show that this secure multi-party computation scheme is independent of trusted third parties, verifiable, privacy-preserving, collusion-resistant, individually decryptable by the querier, and resistant to quantum attacks.

Paper Structure
The rest of this paper is organized as follows: Section 2 presents related work. Section 3 describes the system model, the steps of the scheme, the algorithms involved, and the security model used. Section 4 proves the security of the scheme. Section 5 compares the scheme with other relevant SMPC schemes. The conclusion is provided in Section 6.

Related Work
Yao first proposed two-party secure computation in [6] using the "millionaires' problem". Goldreich et al. extended the two-party model to a basic multi-party computation model [7]. Starting from there, the security of SMPC schemes has been an ongoing concern. To provide a trusted execution environment for SMPC, some researchers perform secure multi-party computation through trusted third parties; for example, Wu Y et al. constructed a generic server-assisted secure multi-party computation protocol for executing collaborative computing tasks securely in cloud computing [8]. However, a trusted third party is a single point of failure that is exposed to attack and may also collude with malicious parties.
Researchers found that blockchains can provide a more secure execution environment for SMPC. The open, transparent, and tamper-evident nature of a blockchain gives SMPC a means of verification and traceability, and an incentive mechanism can effectively deter collusion. H. Gao et al. proposed BFR-MPC in combination with the blockchain [9]; it encourages all participants to cooperate through an incentive mechanism and maintains a public reputation system in which honest participants gain increasing benefits while corrupt participants are increasingly punished. Y. Yang et al. proposed Block-SMPC, a blockchain-based SMPC scheme [10], which uses the blockchain for data integrity and authentication, introduces a multi-party computation system based on homomorphic encryption, and improves privacy by separating the authority over homomorphic keys from that over ciphertexts. Liu et al. proposed BPLSM, a secure multi-party computation protocol for ubiquitous data privacy protection built on blockchain technology [11]. It achieves on-chain signature verification, guaranteed commitment, correctness of encrypted values and address hiding, and off-chain combined transaction commitment, using the additive homomorphism of Pedersen commitments to construct a secure multi-party computation scheme that can sign different messages in combination with the Schnorr protocol.
The schemes above improve the security of SMPC with the help of blockchain features, but none of them lets the querier decrypt the computation result on its own. To allow individual decryption, T. Wang et al. [12] proposed a secure, high-performance sharing and multi-party computation model that combines on-chain and off-chain storage with the features of the blockchain, and shares data in that storage environment using proxy re-encryption. However, most of the encryption algorithms used in these schemes rest on the hardness of large-integer factorization or the discrete logarithm problem and therefore do not resist quantum attacks.
To solve these problems, this paper proposes a secure multi-party computation scheme, in a blockchain environment and resistant to quantum attacks, based on a multi-key homomorphic proxy re-encryption scheme and an NTRU-based MKFHE scheme [13,14].

System Model
The system consists of several components: the data owner, the data querier (in general a data owner, but possibly also an authorized user), the computing network, the SMPC contract, the InterPlanetary File System (IPFS) [15], and the blockchain. The system architecture is shown in Figure 1. The functions of each part of the system are as follows.

Data owner
As the data provider of the secure multi-party computation, the data owner holds the original data that serve as the input of the computation. To ensure the privacy and data security of all parties, the data owner must encrypt the data before they are used as input.

Result querier
As the receiver of the computation result, the result querier is generally a data owner or an authorized user who does not provide data. With the support of the proxy re-encryption algorithm, the result querier decrypts the encrypted computation result with its own private key alone and obtains the result.

Blockchain
The blockchain participates in the process as trusted storage and a trusted execution environment. The scheme's proxy re-encryption step lets the result querier decrypt the ciphertext result alone, and its NTRU-based encryption provides resistance to quantum attacks. At the same time, the information stored on the blockchain is open, transparent, and tamper-evident, so it can be verified as proof of what was computed.

IPFS
IPFS serves as off-chain storage for the encrypted raw data, saving on-chain storage space. A Bloom filter [16] generates an index value for the data, and the data keywords, the index value, and the IPFS storage address are uploaded to the blockchain. SMPC nodes look up the storage address on the blockchain and then download the encrypted data from IPFS to local storage for computation.
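The on-chain record described above (keywords, Bloom index value, storage address) and the node-side lookup against it, as an added example that is not the paper's code: the filter size, hash count, record layout, and the sample keywords and addresses are constructed assumptions. It also shows the check a node must keep after a Bloom hit, because a Bloom filter can return false positives but never false negatives.

```python
"""Keyword index for the on-chain record, as the IPFS step above describes it.

Added illustration, not the paper's code.  The filter size, hash count, the
record layout and the sample keywords/addresses are constructed assumptions.
"""
import hashlib


class BloomIndex:
    """m-bit Bloom filter using k salted SHA-256 hashes."""

    def __init__(self, m_bits=128, k=3):
        self.m, self.k, self.bits = m_bits, k, 0

    def _positions(self, keyword):
        # k independent positions: hash the keyword under k different salts
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{keyword}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, keyword):
        for pos in self._positions(keyword):
            self.bits |= 1 << pos

    def may_contain(self, keyword):
        """False means definitely absent; True means present or a false positive."""
        return all((self.bits >> pos) & 1 for pos in self._positions(keyword))

    def index_value(self):
        return self.bits.to_bytes((self.m + 7) // 8, "big").hex()


def build_record(keywords, ipfs_address):
    """What the owner publishes on chain: keywords, Bloom index value, storage address."""
    bf = BloomIndex()
    for kw in keywords:
        bf.add(kw)
    return {"keywords": list(keywords), "index": bf.index_value(), "address": ipfs_address}


def lookup(records, keyword):
    """SMPC node side: rebuild the filter from each record and return candidate addresses.

    A Bloom hit is only a candidate: the node still has to confirm the keyword
    against the record's keyword list (or the data it downloads) before using
    the address as a computation input.
    """
    hits = []
    for rec in records:
        bf = BloomIndex()
        bf.bits = int(rec["index"], 16)
        if bf.may_contain(keyword) and keyword in rec["keywords"]:
            hits.append(rec["address"])
    return hits


# constructed sample records; the addresses are placeholders, not real CIDs
RECORDS = [
    build_record(["sales", "2023", "region-a"], "ipfs://addr-owner-1"),
    build_record(["payroll", "2023"], "ipfs://addr-owner-2"),
]
```

The keyword check inside `lookup` is the part worth keeping in a real node: the index value speeds up scanning many records, but the decision to download must rest on an exact match, otherwise a false positive wastes a download and a computation round.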

SMPC contract
Data owners, result queriers, and SMPC nodes must register with the SMPC contract before the computation begins. Participants (SMPC nodes or users) pay a deposit to the SMPC contract, and the contract returns a unique ID to each registrant. Result queriers send their public keys to the SMPC contract, which generates the proxy re-encryption key. Note that a re-encryption key from owner i to querier j is produced by RKGen from i's key material and j's public key (see the security model), so the owner side has to take part in, or delegate, its generation; the text does not specify how the contract obtains that input. The computation function in the contract is agreed in advance by the participants so that the code can be written and deployed on the blockchain platform and triggered automatically, executing the agreed computation without human intervention.

Computing network
The SMPC computing network carries out the computation. It fetches the corresponding encrypted data from IPFS as input and evaluates the agreed computation function on the encrypted data as specified in the SMPC contract. The resulting ciphertexts are proxy re-encrypted and then sent to each result querier.

Program Steps
The steps in the operation of the system are shown in Figure 2.
1. Initially, the data owner, the data querier, and the SMPC nodes register with the SMPC contract, which assigns a unique ID to each registered node, and each SMPC node pays a deposit to the contract.
2. The data owner generates keywords for the original data that will take part in the computation, encrypts the data under its own public key, and uploads the ciphertext to IPFS, where a Bloom filter generates the index value of the encrypted data. The data owner then uploads the keywords and the storage address of the encrypted data to the blockchain.
3. A computing-network node queries the blockchain by keyword, reads the storage address of the required encrypted data from the matching block, and retrieves the encrypted data from that IPFS address for computation.
4. The data querier sends its public key to the SMPC contract, and the ciphertext result of the homomorphic computation is converted by the NTRU proxy re-encryption algorithm into a ciphertext encrypted under the data querier's public key. To obtain the final result, the data querier only needs to decrypt the result returned by the computing network with its own private key. The contract runs in a sandboxed, isolated environment, and the blockchain rewards or deducts deposits according to whether each node behaved honestly.
5. At the end of the computation, the blockchain validation nodes check whether any node behaved dishonestly before or after the computation. If not, every node's deposit is returned in full; if so, the deposits of honest nodes are returned, and the deposits of dishonest nodes are forfeited and distributed to the honest nodes as a reward.
To let the nodes reach consensus quickly while preserving security, the scheme uses the Score Grouping practical Byzantine fault-tolerant (SG-PBFT) consensus algorithm proposed in [18], a modified version of the practical Byzantine fault-tolerant (PBFT) algorithm [17].
SG-PBFT assigns an initial score of 100 points to N sequentially numbered random nodes and divides them into a consensus node set and a candidate node set. The consensus nodes execute the consensus process; the candidate nodes do not take part in it and only receive the consensus result. The primary node is selected as p = v mod CN, where v is the view number and CN is the number of nodes in the consensus set. When the primary node p is attacked or fails, the view v changes and the recomputed primary replaces it.
When the nodes reach consensus, the primary sends the confirmed result to all consensus nodes and the node scores are updated: a node whose result agrees with the consensus result gains one point, otherwise it loses five points. The m consensus nodes with the lowest scores are removed from the consensus set and appended to the end of the candidate set, and the m candidate nodes with the highest scores are added to the consensus set, which is then renumbered.
SG-PBFT renumbers and adjusts the nodes after every agreement. This hides the identity of the primary node and so resists distributed denial-of-service (DDoS) attacks. Under the PBFT assumption that the malicious nodes together make up fewer than one third of the consensus nodes, they cannot drive the consensus to a wrong result even if they collude, so SG-PBFT resists selective attacks. The SG-PBFT process is shown in Figure 3, where an "x" on a line marks a failed node.
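The score-grouping rotation of SG-PBFT as described above, written out as an added example that is not the paper's code or the implementation of reference [18]: the initial score, the +1/-5 rule, the primary selection p = v mod CN, and the swap of the m lowest-scored consensus nodes with the m highest-scored candidates follow the text; the node count, the value of m, the tie-breaking order, the treatment of a missing reply as disagreement, and the vote sequence are constructed assumptions.

```python
"""Score-grouping rotation of SG-PBFT as the text above describes it.

Added illustration, not the paper's or reference [18]'s implementation.  The
initial score of 100, the +1/-5 update, the primary p = v mod CN and the swap
of the m lowest-scored consensus nodes with the m highest-scored candidates
follow the text; node count, m, tie-breaking and the votes are constructed.
"""


class SGPBFT:
    def __init__(self, consensus, candidates, m=1):
        self.consensus = list(consensus)      # numbered by list position
        self.candidates = list(candidates)    # ordered; demoted nodes are appended
        self.m = m
        self.view = 0
        self.scores = {n: 100 for n in self.consensus + self.candidates}

    def max_faulty(self):
        """PBFT bound: with CN consensus nodes, at most (CN - 1) // 3 may be Byzantine."""
        return (len(self.consensus) - 1) // 3

    def primary(self):
        """p = v mod CN, CN being the size of the current consensus set."""
        return self.consensus[self.view % len(self.consensus)]

    def view_change(self):
        """Primary attacked or failed: advance the view and recompute the primary."""
        self.view += 1
        return self.primary()

    def finish_round(self, replies, confirmed):
        """Apply the scoring rule once the primary has confirmed `confirmed`.

        `replies` maps node id -> value that node reported.  A consensus node
        whose reply matches gains 1 point; a wrong or missing reply (missing is
        treated as disagreement, an assumption) loses 5.  Then the m lowest-
        scored consensus nodes move to the tail of the candidate set and the m
        highest-scored candidates join the consensus set, which is renumbered
        by position.  Ties are broken by current numbering (an assumption).
        """
        for n in self.consensus:
            self.scores[n] += 1 if replies.get(n) == confirmed else -5
        worst = sorted(self.consensus, key=lambda n: (self.scores[n], self.consensus.index(n)))
        best = sorted(self.candidates, key=lambda n: (-self.scores[n], self.candidates.index(n)))
        demoted, promoted = worst[: self.m], best[: self.m]
        self.consensus = [n for n in self.consensus if n not in demoted] + promoted
        self.candidates = [n for n in self.candidates if n not in promoted] + demoted
        return demoted, promoted


def demo():
    """Four consensus nodes and two candidates; node 2 reports a wrong value once."""
    net = SGPBFT(consensus=[0, 1, 2, 3], candidates=[4, 5], m=1)
    net.finish_round({0: "r", 1: "r", 2: "bad", 3: "r"}, confirmed="r")
    return net
```

Because the rotation runs after every agreement, the lowest-scored consensus node is demoted even when all consensus nodes were honest that round; with m = 1 and ties broken by numbering, an honest node can therefore cycle through the candidate set, which is the price paid for hiding the primary's identity.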

Algorithm Construction
The algorithms in the scheme are divided into four parts: the initialization algorithm, the key generation algorithm, the multi-key homomorphic encryption algorithm, and the proxy re-encryption algorithm. All operations in the scheme are performed on the ring R = ℤ[X]/ ( ), where is a prime number and Φ ( ) is the cyclotomic polynomial of degree n = ( ). Let = / .

Initialization algorithm
Setup(1 ) ⟶ : Take the security parameter as input and generate the ring learning with errors (RLWE) [19] parameters with dimension n, the plaintext modulus , the ciphertext modulus , and the error distribution over the ring , . The vector and the matrix are sampled uniformly from ( ) and ( × ) over the ring R, respectively, and the public parameter = ( , , , , , , ) is output. The public parameter is the input to the key generation algorithm, used by the data owner and the result querier to generate their keys, and to the computational key generation in the multi-key homomorphic encryption algorithm.

Key generation algorithm
KeyGen( ) ⟶ ( , ): Randomly sample , from the distribution ; the sampled must be invertible in . Compute = + 1 (mod ), ∈ , and let = (mod ). Sample the error vector from the distribution and compute = − + (mod ). Set = ( , 1) ∈ × , sample the error vector from the distribution , and compute g = − + (mod ) ∈ . Output the private key = and the public key = ( , , ). The data owner and the result querier each generate their own public and private key with this algorithm.

Multi-key homomorphic encryption algorithm
The multi-key homomorphic encryption algorithm consists of the computational key generation algorithm EvkGen, the encryption algorithm Enc, the ciphertext extension algorithm CtxtExtend, and the homomorphic evaluation algorithm Eval.
EvkGen( , , ) → : Randomly sample s from the distribution and , , from the distribution ; compute = + + (mod ) and = + + (mod ), and output the computational key . EvkGen generates the computational key from the public parameters, the public key of the data owner, and the private key .
Enc( , ) ⟶ : Randomly sample , from the distribution , set δ = ⌊ / ⌋, and compute the ciphertext = + + δ (mod ). The data owner uses Enc to encrypt the data that will take part in the computation and uploads the resulting ciphertext to IPFS.

Security Model
The scheme adopts the security definition for MKH-PRE from [5]. The definition is an IND-CPA game between a challenger and an adversary . The re-encryption relation is represented by a directed acyclic graph whose edge set is ; during the game, the adversary may query the challenger for re-encryption keys consistent with that graph. The formal game is as follows:


Preparation phase. The challenger runs Setup(1 ) → and sends the public parameters to the adversary .
Generate honest keys. The challenger receives from the number of honest keys, generates ( , ), = 1, … , , and sends the to . Let be the set of honest public keys.
Generate non-honest keys. The challenger receives from the number of non-honest keys, generates ( , ), = 1, … , , and sends the to . Let be the set of non-honest public keys.

Query phase
The adversary may make polynomially many queries, in any order.
Re-encryption key generation. sends ( , ) to the challenger. If , ∈ and = ( , ∪ ( , )) is still a directed acyclic graph, the challenger adds ( , ) to and returns the re-encryption key from i to j, RKGen( , ) → → , to ; otherwise ⊥ is returned.
Re-encryption. sends ( , , ) to the challenger. If , ∈ and = , the challenger returns ⊥. Otherwise, the challenger returns the ciphertext re-encrypted under j's public key to .
may make the challenge query only once.


Guess phase.
outputs a bit ∈ {0,1}. The advantage of the adversary in this game is defined as If, for every probabilistic polynomial-time adversary , then the scheme is IND-CPA secure.

Security Proof
Here we prove the security of the MKH-PRE scheme. If the RLWE assumption, the decisional small polynomial ratio (DSPR) assumption [20], and the circular security assumption hold, then the MKHE scheme in this paper is IND-CPA secure.
The security of the PRE process is considered next. We prove it through an IND-CPA game between a challenger and an adversary .
is an arbitrary probabilistic polynomial-time adversary with access to the re-encryption key generation oracle RKGen and the re-encryption oracle ReEnc, and it may only request re-encryption keys consistent with the re-encryption graph. Consider the following sequence of games. Game 0 is the IND-CPA game defined in the previous section. Assume = {1, … , } and = { + 1, … , }. By the topological order determined by the re-encryption graph, if < then there is no edge from to , i.e., may only query a re-encryption key → when > . Each Game k, = 1, … , , is split into Game 1.k and Game 2.k.
Game 1.k. When queries for honest keys, for all < the challenger samples and uniformly from and , respectively, to form the public key; for all < ≤ , the challenger generates the public key by KeyGen( ) ⟶ ( , ). Everything else is as in Game 2.(k-1).
Game 2.k. When queries for a re-encryption key, for all < ≤ the challenger generates → by sampling a random matrix from × ; for < , ≤ , the challenger generates the re-encryption key by RKGen( , ) → → . Everything else is as in Game 1.k. Game End. When makes the challenge query, the challenger generates the challenge ciphertext by random sampling, and everything else is as in Game 2.N.
The advantage of in each game is assessed as follows. Because Game 0 is the IND-CPA game of the original MKH-PRE scheme, In Game 1.k, the re-encryption key → generated by the challenger satisfies → = → = , + (mod ) when < , where is sampled uniformly from {0,1} × and ≥ 2 log + 2λ. Since and are sampled uniformly when < , = + ⊗ is also uniformly distributed. By the leftover hash lemma, H and X are uniformly distributed, so and are statistically indistinguishable from a uniformly random matrix. Hence → is statistically indistinguishable from a uniformly random matrix, and Game 1.k and Game 2.k are statistically indistinguishable. Therefore,

Figure 2. Timing diagram of system operation.