An Intelligent Semi-Honest System for Secret Matching against Malicious Adversaries

Abstract

With natural language processing as an important research direction in deep learning, the problems of text similarity calculation, natural language inference, question and answer systems, and information retrieval can be regarded as text matching applications for different data and scenarios. Secure matching computation of text string patterns can solve the privacy protection problem in the fields of biological sequence analysis, keyword search, and database query. In this paper, we propose an Intelligent Semi-Honest System (ISHS) for secret matching against malicious adversaries. Firstly, a secure computation protocol based on the semi-honest model is designed for the secret matching of text strings, which adopts a new digital encoding method and an ECC encryption algorithm and can provide a solution for honest participants. The text string matching protocol under the malicious model which uses the cut-and-choose method and zero-knowledge proof is designed for resisting malicious behaviors that may be committed by malicious participants in the semi-honest protocol. The correctness and security of the protocol are analyzed, which is more efficient and has practical value compared with the existing algorithms. The secure text matching has important engineering applications.

1. Introduction

In recent years, deep learning (DL) has been widely used in the field of data processing, including functions such as image classification, target detection, image segmentation, and 3D reconstruction in the field of vision. The study of natural language processing problems is an important area of DL research. For example, news consulting application (APP) platforms push the news and content people want to read; social platforms filter and process some text information such as malicious comments and uncivilized posts; etc. Using algorithms related to natural language processing can greatly increase the efficiency of text-searching-related work.

Text matching (TM) is a fundamental and important research direction in the field of natural language processing, and the research on TM can be applied to several natural language processing tasks [1]. For example, in the task of information retrieval, the similarity between the text of a query and the text of a web page can be calculated to find the best matching web page [2,3,4,5,6,7,8]; in the task of machine translation, text similarity can be calculated from one language and another language, and the matching value can be used as an evaluation criterion [9,10,11,12,13,14,15,16,17]; in the task of automatic question and answer, TM between questions and candidate answers can be performed to obtain a matching score and select the correct answer [18]; the algorithms for TM can also be used in several fields such as dialogue systems and retelling problems.

In the process of text matching, privacy protection [19] has become the focus of natural language processing. In view of this problem, the secure multi-party computation can ensure that text strings can be matched under the condition of confidentiality. Secure multi-party computation [20] (MPC) is an important branch of cryptography which aims to solve the problem of cooperative computing between a group of malicious parties on the premise of protecting private data. In the whole process of the implementation of the calculation agreement, data calculation can be completed without relying on a third party, and the participants can only obtain the calculation results and not the private data of other participants. Most of the existing string matching protocols can only implement approximate string matching, string matching algorithm in plaintext, exact matching in plaintext, and Bloom Filter-based string matching in cloud computing. However, their computational complexity and communication complexity are relatively high. Based on the limitations of the existing secure text matching such as high computational complexity and low efficiency, we propose a new method to solve the text matching problem securely. The method has short cipher text length, as well as lower communication and computation complexity. It is more advantageous in solving the secure text matching problem.

The current research on the secure matching of text strings includes algorithmic improvement of secure text matching (STM) [21,22], approximate matching based on Bloom Filter [23,24,25,26], exact matching [27,28,29,30,31,32,33,34,35,36], and string equality problems [37,38,39]. In STM, keyword matching is a very common and important field. The keyword is the pattern string, and, since it finds all the positions in the text string where the pattern string appears, the algorithm to solve such problems is called the string pattern matching algorithm. Zhang, K.X. et al. [27] designed a new encoding method to handle the STM problem by hiding the confidential data of each participant in a vector and designed a secure determination protocol for string pattern matching under semi-honest model using the Paillier homomorphic encryption algorithm. Luo, Y.L. et al. [36] encoded each character as a corresponding binary number in the ASCII code and encrypted it with the ElGamal encryption algorithm, but the computational complexity was high. Luo, Y.L. et al. [36] used the Goldwasser–Micali homomorphic encryption algorithm to design a string pattern matching protocol and calculated each character with the binary number XOR; this method has a relatively high computational complexity. Another protocol in Luo, Y.L. et al. [36] used a symmetric cryptography algorithm for the STM problem, which is no longer secure once the key is leaked. Yasuda, M. et al. [38] used a homomorphic encryption scheme and a new data packing technique to encapsulate binary data into a single ciphertext on the ring space and determine whether the string matches by calculating multiple Hemming distances of the ciphertext. This improves the efficiency, but this method can only perform a single pattern matching (that is, the pattern string can only appear once in the text).

In this paper, given that the elliptic curve cryptosystem (ECC) is widely used by its short key, we propose an Intelligent Semi-Honest System (ISHS) for secret matching against malicious adversaries, and its computational efficiency and security are analyzed.

The contributions are as follows:

(1)

First, an encoding method applicable to ECC encryption is proposed, which is simpler and more efficient.

(2)

A text string fuzzy matching protocol based on semi-honest model is designed and its correctness is analyzed.

(3)

By means of cryptographic tools such as the zero-knowledge proof and cut-and-choose methods, the modified STM protocol is resistant to malicious attacks that may be committed by malicious participants under the semi-honest model protocol. The security of the protocol is proved using the real/ideal model paradigm, and the efficiency of the protocol is analyzed by experimental simulations.

The rest of the paper is organized as follows: Section 2 introduces some basic tools needed to construct secure protocols, string encoding rules, and security definitions of protocols; Section 3 constructs a secure string pattern matching protocol under the semi-honesty and analyzes its correctness; Section 4 constructs an MPC protocol for string pattern matching under the malicious model and analyzes and proves the security of the protocol under the malicious model; Section 5 analyzes the performance of the protocol and introduces its engineering applications; Section 6 concludes this paper.

2. Related Work

2.1. Text String Encoding

Coding rules: Assuming the full set $U=\{a,b,\dots ,z\}=\{11,12,\dots ,36\}$, each character is represented by its corresponding two decimal digits. For example, character $a$ is denoted as 11, character $b$ is denoted as 12, and so on, and character $z$ is denoted as 36.

Comparison rules: To determine whether string $S_B$ is a substring of string $S_A$, a total of $n-m+1$ times of cyclic calculation is required. If at least one of the $n-m+1$ alignments results in 0, $S_B$ is a substring of $S_A$. In addition, string $S_A$ has a total of $n-m+1$ substrings of length $m$. Therefore, determination of whether $S_B$ is a substring of $S_A$ can be converted to the problem of whether $n-m+1$ substrings of string $S_A$ are equal to $S_B$. For the convenience of description, binary predicates are defined as follows:

$$P\left(S_A,S_B\right)=\left\{\begin{array}{l}0, \mathrm{Match}\\ 1, \mathrm{Not} \mathrm{match}\end{array}\right..$$

(1)

For example: Alice has string $S_A=acdbc$ generating vector A = (11,13,14,12,13) according to the encoding rules. Bob has string $S_B=ac$ generating vector B = (11,13) according to the coding rules for calculation. The details are shown in

Table 1. Examples of strings and encoding.

Alice’s String	Code	Bob’s String	Code	Operation Result
ac	(11,13)	ac	(11,13)	0
cd	(13,14)			1
db	(14,12)			1
bc	(12,13)			1

.

2.2. Elliptic Curve Cryptography

Elliptic curve cryptography (ECC) is a public key encryption algorithm based on the elliptic curve in mathematics [40]; for example, y² = x³ + ax + b represents an elliptic curve and satisfies constraint 4a³ + 27b² ≠ 0.

The ECC encryption and decryption process is as follows:

(1)

Select an elliptical curve $E_P\left(a,b\right)$, and take a point on the elliptic curve as the base point $P$.

(2)

Select a large number $k$ as the private key, and generate the public key $Q=kP$.

Encryption: choose a random number $r$, encode the plaintext as a point $M$, calculate ciphertext $C$. The ciphertext is a point pair, that is, $C=\left(rP,M+rQ\right)$. The negative element operation for elliptic curves is $E\left(x,-y\right)=E\left(x,-y\mathrm{mod}p\right)=E\left(x,p-y\right)$.

(3)

Decryption: $M+rQ-k\left(rP\right)=M+r\left(kP\right)-k\left(rP\right)=M$; calculate $m$ from $M$.

Homomorphic addition operation:

Set two ciphertexts, $C_1=\left(r_{1}P,M_1+r_{1}Q\right)$ and $C_2=\left(r_{2}P,M_2+r_{2}Q\right)$, then

$E\left(C_1+C_2\right)=\left(\left(r_1+r_2\right)P,\left(M_1+M_2\right)+\left(r_1+r_2\right)Q\right)=M_1+M_2$.

2.3. Cut-and-Choose Method

The cut-and-choose method [41] is an important cryptographic tool that is used in most malicious model protocols. The cut-and-choose method involves one party constructing and sending a large number of circuits and the other party randomly selecting half of the circuits and asking the other party to open the circuits to check their correctness, and then performing a secure computation on the other half of the circuits that are not opened. For example:

Input:

(1)

Alice input vector ${\overrightarrow{x}}_i,i=1,2,\dots ,\mathcal{l}$. Each vector is composed of $s$ pairs, that is, ${\overrightarrow{x}}_i=〈\left(x_0^{i,1},x_1^{i,1}\right)\left(x_0^{i,2},x_1^{i,2}\right),\dots ,\left(x_0^{i,s},x_1^{i,s}\right)〉$. There are $l$ vectors. Enter $s$ to check if the value of $X_1,X_2,\dots ,X_s$ is in ${\left\{0,1\right\}}^n$.

(2)

Bob enters ${\sigma }_1,{\sigma }_2,\dots ,{\sigma }_l\in \left\{0,1\right\}$ and a set of parameters $\zeta \subseteq \left[s\right]$.

Output:

(1)

Receiver R obtains the $j$th pair in vector ${\overrightarrow{x}}_i$, that is, $\left(x_0^{i,j},x_1^{i,j}\right)$;

(2)

The receiver R obtains ${\sigma }_i$ from each pair of vectors ${\overrightarrow{x}}_i$, that is, $〈x_{{\sigma }_i}^{i,1},x_{{\sigma }_i}^{i,2},\dots ,x_{{\sigma }_i}^{i,s}〉$, among them $i=1,2,\dots ,\mathcal{l}$, $j\in \zeta$, $k\notin \zeta$. The receiver outputs $X_k$.

2.4. Security under the Malicious Model

The malicious model [42] is a more pervasive model for secure multi-party computation (MPC). However, MPC protocols under the malicious model should block or detect the behaviors of malicious participants and are thus more difficult to design than MPC protocols under the semi-honest model. To prove that an MPC protocol is secure under the malicious model, it must be proved that it satisfies the security definition under the malicious model, that is, if the real protocol can achieve the same security as the ideal protocol, then the protocol is secure. The proof method is called the real/ideal model paradigm.

Ideal protocol: $P_1$ and $P_2$ have private data $x$ and $y$, respectively, and $P_1$ and $P_2$ want to jointly compute function $f(x,y)=(f_1(x,y),f_2(x,y))$. The computation process requires a Trusted Third Party (TTP). Finally, both parties obtain the results, $f_1(x,y)$ and $f_2(x,y)$, respectively. The concrete implementation process is as follows:

(1)

$P_1$ and $P_2$ send $x$ and $y$ to TTP, respectively. If $P_i(i=1,2)$ is honest, the correct data are sent to TTP. If $P_i$ is malicious, it may send false input $x’$ or $y’$ based on the private data, or it may refuse to execute the protocol. However, such cases affect the calculation results, and should not be considered.

(2)

If TTP receives $x$ and $y$ and calculates $f(x,y)$, send $f_1(x,y)$ to $P_1$, and send $f_2(x,y)$ to $P_2$.

In the ideal protocol, $P_1$ and $P_2$ do not receive any information from each other except for obtaining $f_i(x,y)(i=1,2)$. The ideal protocol is the most secure. If the protocol designed under the malicious model can also achieve the same security as the ideal protocol, the real protocol can be considered secure. In addition, the malicious model requires at least one of the parties to be honest, and there does not exist a protocol that is secure even if all participants are malicious adversaries.

In the ideal model, the participant has auxiliary information $z$. The process of calculating strategy $\overline{B}$ jointly with $F(x,y)$ is denoted as $IDEA{L}_{F,\overline{B}(z)}(x,y)$. A random number $r$ is chosen, and $IDEA{L}_{F,\overline{B}(z)}(x,y)=\gamma (x,y,z,r)$, where $\gamma (x,y,z,r)$ is defined as follows:

(1)

If $P_1$ is honest, there is

$$\gamma (x,y,z,r)=(f_1(x,y’),B_2(y,z,r,f_2(x,y’))),$$

(2)

among them $y’=B_2(y,z,r)$.

(2)

If $P_2$ is honest, there is

$$\gamma (x,y,z,r)=\left\{\begin{array}{cc}(B_1(x,z,r,f_1(x’,y),\perp ),\perp ),& if\begin{array}{cc}& \end{array}{B}_1(x,z,r,f_1(x’,y))=\perp \\ (B_1(x,z,r,f_1(x’,y)),f_2(x’,y)),& \mathrm{otherwise}\end{array}\right..$$

(3)

In both Formulas (2) and (3), there is $x’=B_1(x,z,r)$.

Definition 1. 

Security of MPC protocols under the malicious model

Let $F$ ${\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\{0,1\}}^{*}\times {\{0,1\}}^{*}$ be a probability polynomial time function. Remember the output sequence messages generated by $A_1(y,z)$ and interaction in the process $A_2(y,z)$ of $REA{L}_{\Pi ,\stackrel{—}{A}(z)}(x,y)$ executing protocol with strategy $\overline{A}$ in the case of auxiliary input  $z$; $\stackrel{—}{A}=(A_1,A_2)$ represents the probabilistic polynomial time algorithm constructed in the real model. The private information owned by both parties is $x$ and $y$, respectively.

If for any acceptable strategy $\stackrel{—}{A}=(A_1,A_2)$ in the real protocol, an acceptable strategy $\stackrel{—}{B}=(B_1,B_2)$ in the ideal protocol can be found. It satisfies

$${\{IDEA{L}_{F,\stackrel{—}{B}(z)}(x,y)\}}_{x,y,z}\stackrel{c}{\equiv }{\{REA{L}_{\Pi ,\stackrel{—}{A}(z)}(x,y)\}}_{x,y,z};$$

(4)

then, the protocol securely calculates function $F$.

3. Secure Text Matching Protocol under the Semi-Honest Model

Problem description: Secure text matching is performed to determine whether one string is a substring of another string. Alice has string $S_A$ of length $n$ and Bob has string $S_B$ of length $m\left(m\le n\right)$. Both parties want to know whether $S_B$ is a substring of $S_A$ without revealing other information.

Solution idea: The first element of string $S_A$ and $m-1$ adjacent elements is selected to form substring $s_{a1}$ with the length of $m$. The character elements in $s_{a1}$ and $S_B$ are subject to ECC addition homomorphism to determine whether $s_{a1}$ and $S_B$ are equal. If the two strings are equal, the result is 0. Therefore, determination of whether substring $s_{a1}$ is equal to $S_B$ requires $m$ comparisons. If the result of $m$ comparisons is 0, then substring $s_{a1}$ is equal to string $S_B$. The above operation is a circular calculation. The function of the $i$th cycle calculation is to select the $i$th element and the $m-1$ elements following it in string $S_A$, and then compose substring $s_{a1}$ of length $m$ to compare with string $S_B$. Therefore, to determine whether string $S_B$ is a substring of string $S_A$, a total of $n-m+1$ times of cyclic calculation is required, as shown in Figure 1.

If the result of at least one in $n-m+1$ comparison rounds is 0, then $S_B$ is a substring of $S_A$ and string $S_A$ has a total of $n-m+1$ substrings of length $m$. Therefore, determining whether $S_B$ is a substring of $S_A$ can be converted to the problem of $n-m+1$ substrings of string $S_A$ are equal to $S_B$.

Encoding method: Assuming the full set $U=\{a,b,\dots ,z\}=\{11,12,\dots ,36\}$, each character is represented by its corresponding two decimal digits (for example, character a is represented as 11). Alice has string $S_A=a_1{a}_2\cdots a_n\in U$. According to the coding method between the elements in string $S_A$ and the elements in the full set $U$, $S_A$ is transformed into vector $A=(a_1’,a_2’,\dots ,a_n’)$. Bob has string $S_B=b_1{b}_2\cdots b_m\in U$. Similarly, $S_B$ can be transformed into vector $B=(b_1’,b_2’,\cdots b_m’)$ according to the encoding method. Bob takes $m$ elements $A’=(a_i^{’},a_{{}_{i+1}}^{’},\dots ,a_{i+m-1}^{’})$ in vector $A$ in order from left to right and performs the ECC homomorphic addition with the elements in vector $B$. If $S_B$ is a substring of $S_A$, then there is at least one zero vector in the result of the calculation, and all elements in that vector sum to 0.

Correctness analysis:

(1)

In step (4), each $i\in \left[1,n-m+1\right]$ is calculated. Bob selects the $i$th character and the $m-1$ characters after it from $S_A$ to form a substring with the length of $m$ and performs a homomorphic calculation with the elements in $E\left(B\right)$ to obtain cycle $E\left({\omega }_i\right)={\displaystyle \prod {}_{j=1}^{m}E\left({a^{\prime }}_{i+j-1}\right)*E\left(N-{b^{\prime }}_j\right)}$. A total of $n-m+1$ rounds are required.

(2)

In Step (6), Alice decrypts calculation result $E\left(W\right)$ to obtain set $W$. If one of the decryption results in set $W$ is 0, it means that $S_B$ is a substring of $S_A$. If otherwise, it is not.

(3)

Bob randomly selects $s\in \{0,1\}$ and random number $r_{ij}$ when encrypting the string, the purpose of which is to keep the data secure and prevent negative numbers during the ECC additive homomorphism calculation.

In Protocol 1, the STM protocol based on the semi-honest model is secure because the participants can follow the rules to execute the protocol. However, in real life, it is necessary to design STM protocols under the malicious model because participants may display some malicious behaviors.

Protocol 1 STM protocol of two strings under the semi-honest model.

Input: Alice and Bob’s respective strings are $S_A=a_1{a}_2\cdots a_n$, $S_B=b_1{b}_2\cdots b_m$, $\left(m\le n\right)$ Output: $P(S_A,S_B)=\left\{\begin{array}{l}0, S_B\subseteq S_A\\ 1, S_B\not\subset S_A\end{array}\right.$. Alice selects elliptic curve $E_p$, base point $G$ and private key $k$, calculates $kG=K$, obtains public key $K$, and sends $E_p(a,b)$, public key $K$ and $G$ to Bob. Alice transforms $S_A$ into $A=(a_1’,a_2’,\dots ,a_n’)$ according to the encoding method and encodes $a_i’(i\in 1,2,\dots ,n)$ to points $M_i(1\le i\le n)$ of elliptic curve $E_p$ one by one. Alice chooses $n$ random numbers $r_{ai}(i\in 1,2,\dots ,n)$ and uses public key $K$ to encrypt each element $M_i$ separately, that is, she calculates $E(M_i)=(C_{a1i},C_{a2i})$ corresponding to each element $M_i$ where $C_{a1i}=M_i+r_{ai}K,C_{a2i}=r_{ai}G$ to obtain ciphertext $E(A)=(E(M_1),E(M_2),\dots ,E(M_n))$ and sends $E(A)$ to Bob. Bob obtains vector $B=(b_1’,b_2’,\cdots b_m’)$ according to $S_B$ and set $U$ according to the encoding. He encodes $b_i’(i\in 1,2,\dots ,m)$ one by one to point $N_i(1\le i\le m)$ of elliptic curve $E_p$. Bob chooses $m$ random numbers $r_{bi}(i\in 1,2,\dots ,m)$ and uses public key $K$ to encrypt each element $N_i$ separately, that is, he calculates $E(N_i)=(C_{b1i},C_{b2i})$ corresponding to each element $N_i$ where $C_{b1i}=N_i+r_{bi}K,C_{b2i}=r_{bi}G$ to obtain ciphertext $E(B)=(E(N_1),E(N_2),\dots ,E(N_m))$. Bob randomly selects $s\in \{0,1\}$ and a random number $r_{ij}$, which is calculated for each $i$ as follows: $E({\omega }_i)=\left\{\begin{array}{l}{\displaystyle {\prod }_{j=1}^m{\left(E\left({a^{\prime }}_{i+j-1}\right)\times E\left(N-{b^{\prime }}_j\right)\right)}^{r_{ij}}, s=0}\\ {{\displaystyle {\prod }_{j=1}^m\left(E\left(N-{a^{\prime }}_{i+j-1}\right)\times E\left({b^{\prime }}_j\right)\right)}}^{r_{ij}}, \mathrm{s}=1\end{array}\right.$. Bob obtains $E\left(W\right)=\left\{E\left({\omega }_1\right),E\left({\omega }_2\right),\cdot \cdot \cdot ,E\left({\omega }_{n-m+1}\right)\right\}$ after $n-m+1$ cycles of calculation and sends $E(W)$ to Alice. Alice decrypts $E(W)$ with her private key $k$ to obtain set $W$. If there is at least one element of 0 in set $W$, then output $P(S_A,S_B)=0$ and string $S_B$ is a substring of $S_A$; otherwise, output $P(S_A,S_B)=1$ and string $S_B$ is not a substring of $S_A$. The Protocol ends.

Advantages and Disadvantages: The advantage of the protocol under the semi-honest model is that its computation requires fewer steps which is less computationally intensive. It also has fewer communication rounds, which makes it faster. However, its disadvantage is that it cannot resist malicious adversary attacks, and in case of malicious behavior, the protocol under the semi-honest model becomes insecure. Therefore, it is necessary to design protocols under the malicious model.

4. Secure Text Matching Protocol under the Malicious Model

Designing MPC protocols based on the malicious model usually involves designing countermeasures based on malicious behaviors that may be committed by malicious participants in the semi-honest model protocol so that malicious adversaries cannot commit malicious behaviors or be detected.

The first thing to understand is that there are malicious behaviors that cannot be prevented in an ideal model, and also cannot be prevented in a malicious model either. The specific behaviors include three types: (1) participants input wrong data; (2) participants refuse to participate in the protocol; (3) participants stop the protocol midway after receiving the information they want.

Possible malicious acts in Protocol 1 include (as shown in Figure 2):

(1)

In Protocol 1, Alice has public key K and private key k while Bob only has public key K. Moreover, the final result is only decrypted unilaterally by Alice, which is unfair to Bob. The solution countermeasure is that both participants can perform decryption.

(2)

In Steps 2 and 3 of Protocol 1, the ciphertext sent by Alice and Bob to Bob may be incorrect. In this case, neither party can obtain the correct results. The solution is to use the cut-and-choose method and zero-knowledge proof to avoid such situations.

(3)

In Step 6 of Protocol 1, Alice tells Bob the wrong result after decryption, making Bob obtain the wrong conclusion. The solution countermeasure is that Bob and Alice ask for equal status and generate their respective public and private keys at the same time.

4.1. Specific Protocols

To prevent these malicious behaviors and to design a protocol that is secure, fair, and can provide correct conclusions under the malicious model, in this paper, Protocol 1 cryptography and other tools are used to block possible malicious behavior; in addition, the final result is calculated by both sides simultaneously.

4.2. Correctness Analysis

(1)

In Step (4), Alice and Bob use their private keys $k_1$ and $k_2$ to decrypt sets $W$ and $B$.

(2)

$\left(c_{a1}^i,c_{a2}^i\right)$ and $\left(c_{b1}^i,c_{b2}^i\right)$ published in Step (5) do not disclose information, because random numbers were added to each.

(3)

In Step (7), Alice and Bob calculate, respectively,

$$\begin{gathered} c_b=a\left(c_{b2}^j-c_{b1}^j-W+K_2\right)=a\left(B+f_{j}B+bG-f_{j}B-K_2-W+K_2\right)=a\left(B-W\right)+abG, \\ {c}_a=b\left(c_{a2}^i-c_{a1}^i-B+K_1\right)=b\left(W+d_{i}W+aG-d_{i}W-K_1-B+K_1\right)=b\left(W-B\right)+abG. \end{gathered}$$

Then, Alice and Bob send $c_b+P_1$ and $c_a+P_2$ to each other, respectively.

(4)

In Step (5), if $a_i$ is chosen by Alice as the wrong random number, Bob did not select the wrong random number $a_i$ out of the $\raisebox{1ex}{$t$}\!\left/ \!\raisebox{-1ex}{$2$}\right.$ selected, that is, no wrong random number $a_i$ was detected. In the following Step (7), it is selected by Bob, and Bob finally calculates the wrong result. If Alice performs malicious behavior using the above method, the case where this malicious behavior is performed with the maximum probability of success is when Alice mixes $t$ random numbers $a_i$ with 1 wrong $a_i$ such that malicious behavior is performed with the maximum probability of success, and in this case, the probability of deception success is $\raisebox{1ex}{$1$}\!\left/ \!\raisebox{-1ex}{$t$}\right.$. If $t=20$, the probability of successful spoofing in this case is $\frac{C_{19}^{10}}{C_{20}^{10}}\times \frac{1}{10}=\frac{1}{200}$. However, if Alice mixes 10 wrong $a_i$, in this case, the probability of successful spoofing is $\frac{C_{10}^{10}}{C_{20}^{10}}\times \frac{1}{2}= 2.7\times {10}^{-7}$; the probability of success is smaller or even negligible. Alice is detected in subsequent verification if more than $\raisebox{1ex}{$t$}\!\left/ \!\raisebox{-1ex}{$2$}\right.$ wrong random numbers $a_i$ are mixed in $t$ random numbers. Therefore, this malicious behavior is secure.

(5)

The result Alice and Bob finally obtain in Step (10) is correct because of the following factors:

• After Alice uses the zero-knowledge proof to verify that Bob sent $m_b$ correctly, the answer is correct by calculating $m_b-av$, that is,

  $$m_b-av=m_b-ab{K}_2=k_2{c}_b-ab{k}_{2}G=k_{2}a\left(B-W\right)+k_{2}abG-ab{k}_{2}G=k_{2}a\left(B-W\right).$$
  After Bob uses the zero-knowledge proof to verify that Alice sent $m_a$ correctly, the answer is correct by calculating $m_a-bu$, that is,

  $$m_a-bu=m_a-ba{K}_1=k_1{c}_a-ab{k}_{1}G=k_{1}b\left(W-B\right)+k_{1}abG-ab{k}_{1}G=k_{1}b\left(W-B\right).$$

(6)

In Step (11), Alice and Bob each decode the set of ciphertexts $W$ and $B$. There is no leakage in the computation process between the two parties.

(7)

No secure data are leaked throughout the process, and both parties are able to arrive at their results, avoiding the unfairness of one party telling the other the results.

4.3. Proof of Security

For MPC protocols under malicious models, widely accepted real/ideal model paradigms are used to prove the security of the protocols.

Theorem 1. 

The STM protocol (Protocol 2) is secure under the malicious model.

Protocol 2 STM protocol of two strings under the malicious model.

Input: Alice and Bob’s respective strings are $S_A=a_1{a}_2\cdots a_n$ and $S_B=b_1{b}_2\cdots b_m$, $\left(m\le n\right)$. Output: $P(S_A,S_B)=\left\{\begin{array}{l}0, S_B\subseteq S_A\\ 1, S_B\not\subset S_A\end{array}\right.$. Alice and Bob jointly choose elliptic curve $E_P$ and base point $G$. Alice and Bob choose their private keys $k_1,k_2\left(k_1,k_2>0\right)$ and random numbers $a$ and $b$, respectively; then, Alice and Bob compute their respective public keys $K_1=k_{1}G,K_2=k_{2}G$ and $u=a{K}_1,v=b{K}_2$; finally, Alice and Bob exchange $\left(K_1,u\right)$ and $\left(K_2,v\right)$. Alice transforms $S_A$ into $A=(a_1’,a_2’,\dots ,a_n’)$ according to the encoding and encodes $a_i’(i\in 1,2,\dots ,n)$ to points $M_i^a(1\le i\le n)$ of elliptic curve $E_p$ one by one. Alice chooses $n$ random numbers $r_{ai}(i\in 1,2,\dots ,n)$ and uses public key $K_1$ to encrypt each element $M_i^a$ separately, that is, she calculates $E(M_i^a)=(C_{a1i}^a,C_{a2i}^a)$ corresponding to each element $M_i^a$, where $C_{a1i}^a=M_i^a+r_{ai}{K}_1,C_{a2i}^a=r_{ai}G$, to obtain ciphertext $E(A)=(E(M_1^a),E(M_2^a),\dots ,E(M_n^a))$ and sends $E(A)$ to Bob. Bob transforms $S_B$ into $B=(b_1’,b_2’,\cdots b_m’)$ according to the encoding and encodes $b_i’(i\in 1,2,\dots ,m)$ to points $N_i^b(1\le i\le m)$ of elliptic curve $E_p$ one by one. Alice chooses $m$ random numbers $r_{bi}(i\in 1,2,\dots ,m)$ and uses public key $K_2$ to encrypt each element $N_i^b$ separately, that is, she calculates the $E(N_i^b)=(C_{b1i}^b,C_{b2i}^b)$ corresponding to each element $N_i^b$, where $C_{b1i}^b=N_i^b+r_{bi}K,C_{b2i}^b=r_{bi}G$, to obtain ciphertext $E(B)=(E(N_1^b),E(N_2^b),\dots ,E(N_m^b))$ and sends $E(B)$ to Alice. Bob selects the coordinates of length $m$ from the first coordinate according to the ciphertext set sent by Alice and obtains set $E\left(W\right)$, that is, $E\left(W\right)=\left\{E\left({\omega }_1\right),E\left({\omega }_2\right),\cdot \cdot \cdot ,E\left({\omega }_{n-m+1}\right)\right\}$, after $n-m+1$ rounds of calculation. Then, he permutes the components in $E\left(W\right)$ randomly, which is still $E\left(W\right)$ after permutation, and sends them to Alice, who decrypts $E\left(W\right)$ using private key $k_1$ to obtain set $W$. Alice chooses $t$ random numbers $d_i\left(0\le \mathrm{i}\le t\right)$ and calculates $\left(c_{a1}^i,c_{a2}^i\right)=\left(d_{i}W+K_1,W+d_{i}W+aG\right)$. Bob chooses $t$ random numbers $f_i\left(0\le i\le t\right)$ and calculates $\left(c_{b1}^i,c_{b2}^i\right)=\left(f_{i}B+K_2,B+f_{i}B+bG\right)$. Finally, Alice and Bob exchange $\left(c_{a1}^i,c_{a2}^i\right)$ and $\left(c_{b1}^i,c_{b2}^i\right)$. With the cut-and-choose method, Alice randomly selects $t/2$ groups $\left(c_{b1}^i,c_{b2}^i\right)$ from the $t$ groups sent by Bob and announces them, asking Bob to announce the corresponding $f_{i}B$. Alice verifies the received data: $f_{i}B+K_2=c_{b1}^i$. Verification passes and continues; otherwise, the protocol is terminated. Bob randomly selects $t/2$ groups $\left(c_{a1}^i,c_{a2}^i\right)$ from the $t$ groups sent by Alice and announces them, asking Alice to announce the corresponding $d_{i}W$. Bob verifies the received data: $d_{i}W+K_1=c_{a1}^i$. Verification passes and the protocol continues; otherwise, the protocol is terminated. Alice and Bob choose random $\left(c_{b1}^j,c_{b2}^j\right)$ and $\left(c_{a1}^j,c_{a2}^j\right)$ from the remaining $\left(c_{b1}^i,c_{b2}^i\right)$ and $\left(c_{a1}^i,c_{a2}^i\right)$, respectively, while Alice chooses to pick two random numbers $a,p_1$ and Bob picks two random numbers $b,p_2$. Alice computes $c_b=a\left(c_{b2}^j-c_{b1}^j-W+K_2\right)=a\left(B-W\right)+abG$, $P_1=p_{1}G$, ${\lambda }_b=p_1{K}_2$ and Bob computes $c_a=b\left(c_{a2}^i-c_{a1}^i-B+K_1\right)=b\left(W-B\right)+abG$, $P_2=p_{2}G$, ${\lambda }_A=p_2{K}_1$. Alice and Bob then send $c_b+P_1$ and $c_a+P_2$ to each other. After each participant receives a message from the other, Alice computes ${\theta }_a=k_1\left(c_a+P_2\right)$ and $m_a=k_1{c}_a$ and sends them to Bob; Bob computes ${\theta }_b=k_2\left(c_b+P_1\right)$ and $m_b=k_2{c}_b$ and sends them to Alice. Alice uses zero-knowledge proof to verify that the $m_b$ sent by Bob is correct, that is, to prove that Bob did indeed multiply his private key $k_2$ with his own $c_b$ to obtain $m_b$, that is, to determine whether $m_b={\theta }_b-{\lambda }_b$ holds. Bob uses zero-knowledge proof to verify that the $m_a$ sent by Alice is correct, that is, to prove that Alice did indeed multiply his private key $k_1$ with his own $c_a$ to obtain $m_a$, that is, to determine whether $m_a={\theta }_a-{\lambda }_a$ holds. The party that does not pass is the malicious participant. Alice can obtain $k_{2}a\left(B-W\right)$ by computing $m_b-av$, and if $k_{2}a\left(B-W\right)=0$, then $B=W$; Bob can obtain $k_{1}b\left(W-B\right)$ by computing $m_a-bu$, and if $k_{1}b\left(W-B\right)=0$, then $B=W$. If $B=W$, it proves that the results sought by both parties are correctly the same; otherwise, the protocol is terminated. Finally, Alice and Bob decode set $W$ and set $B$, respectively. If there is at least one element of 0 in the two sets, then string $S_B$ is a substring of $S_A$, If neither set has an element of 0, then string $S_B$ is not a substring of $S_A$ at this point. The Protocol ends.

Proof. 

To prove that Protocol 2 is secure under the malicious model, it is sufficient to show that the participants transform the acceptable policy pair $\stackrel{—}{A}=(A_1,A_2)$ into the corresponding policy pair $\stackrel{—}{B}=(B_1,B_2)$ in the ideal protocol during the execution of Protocol 2 so that the output messages of $A_1$ and $A_2$ are indistinguishable from those of $B_1$ and $B_2$ when Protocol 2 is executed. Since the case where both parties are malicious participants is considered, it is assumed that one party is honest and the other dishonest. The discussion is divided into two cases (here, $A_1,B_1$ and $A_2,B_2$ for Alice and Bob, respectively). □

Case 1: $A_1$ is honest, $A_2$ is dishonest. $A_1$ honestly executes Protocol 2; then

$$REA{L}_{\stackrel{—}{A}}(W,B)=\{FW,A_2(B),A_2(C_{a1}^i,C_{a2}^i),m_a,S\},$$

(5)

where message sequence received by zero-knowledge proof $A_2$ is denoted as $S$.

$A_1$ is honest. In this case, $B_1$ is determined by $A_1$ and $B_1$ implements the protocol according to the protocol steps. It is necessary to transform the real protocol adversary $A_2$ into the ideal protocol malicious adversary $B_2$, in other words, to find an acceptable strategy pair $\stackrel{—}{B}=(B_1,B_2)$ under the ideal model so that its output is indistinguishable from the calculation of $REA{L}_{{}_{\stackrel{—}{A}(W,B)}}$ (in addition, the decision of $B_2$ depends on the behavior of $A_2$).

Ideally, $B_1$ sends a real $W$ to the TTP (when $B_1$ receives the message and allows the TTP to send a message to $B_2$). $B_2$ is dishonest and the message it sends to TTP depends on $A_2$’s policy. In summary, it is known that $B_2$ sends $A_2(B)$ to TTP, and TTP sends $F(W,A_2(B))$ to $B_2$ ($B_1$ will also obtain this result) $B_2$ to use $F(W,A_2(B))$ to obtain $vie{w}_{B_2}^{}(W,A_2(B))$, which is indistinguishable from $vie{w}_{A_2}^{}(W,A_2(B))$ obtained by $A_2$ in the real case given to $A_2$ to obtain the output of $A_2$.

$B_2$ selected $W^{\prime }$ to satisfy $F(W^{\prime },A_2(B))=F(W,A_2(B))$, that is, with $W^{\prime }$ assumed to be the input of $A_1$ with $A_2$ to execute Protocol 2, the protocol execution process $B_2$ can obtain the corresponding message sequence $S’$. In this case, the protocol execution can be completed.

$$IDEA{L}_{\stackrel{—}{B}}(W,B)=\{F(W,A_2(B)),A_2(C_{a1}^{i’},C_{a2}^{i’}),m_a’,S’\}.$$

(6)

Since the ideal protocol and the real protocol use the same encryption, $(C_{a1}^i,C_{a2}^i)\stackrel{c}{\equiv }(C_{a1}^{i’},C_{a2}^{i’})$, $m_a’\stackrel{c}{\equiv }{m}_a$ are guaranteed; the zero-knowledge proof, in turn, guarantees $S’\stackrel{c}{\equiv }S$. Therefore,

$$\{IDEA{L}_{\stackrel{—}{B}}(W,B)\}\stackrel{c}{\equiv }\{REA{L}_{\stackrel{—}{A}}(W,B)\}.$$

(7)

Case 2: $A_2$ is honest and $A_1$ is dishonest. There are two scenarios:

(1)

$A_1$ does not publish the result or ignores the TTP (considered as $A_1$ aborting the protocol), and the TTP sends $\perp$ to $A_2$, then

$$REA{L}_{\stackrel{—}{A}}(W,B)=\{A_1(C_{b1}^i{C}_{b2}^i),m_b,S,\perp \}.$$

(8)

(2)

Conversely, TTP sends $F(A_1(W),B)$ to $A_2$, then

$$REA{L}_{\stackrel{—}{A}}(W,B)=\{A_1(C_{b1}^i{C}_{b2}^i),m_b,S,F(A_1(W),B)\},$$

(9)

where the sequence of messages received by $A_1$ during the zero-knowledge proof is denoted as $S$.

If $A_2$ is honest, the adversary $A_1$ is simply transformed in the real model into the ideal adversary $B_1$. That is, to prove that $A_1$ is indistinguishable from $B_1$, a set of strategy pairs $\stackrel{—}{B}=(B_1,B_2)$ should be found in the ideal model such that their output satisfies the indistinguishability computed with $REA{L}_{\stackrel{—}{A}(Q_1,Q_2)}$.

If $A_1$ is dishonest and $B_1$’s strategy for treating the TTP depends on $A_1$’s behavior, the message it would send to TTP is $A_1(W)$ and $F(A_1(W),B)$ is the message it would receive from TTP. Ideally, $B_1$ uses $F(A_1(W),B)$ to manage to obtain $vie{w}_{B_1}^{}(A_1(W),B)$ that satisfies the $vie{w}_{A_1}^{}(A_1(W),B)$ computation indistinguishable from the one obtained by $A_1$ in the actual protocol, which is given to $A_1$ to obtain the $A_1$ output. Protocol 2 is allowed to be executed by $B_1$ with $A_1$ using $B^{\prime }$ satisfying $F(A_1(W),B^{\prime })=F(A_1(W),B)$ as the input value.

During the execution of the protocol, the corresponding message sequence $S’$ is available to $B_1$, and it corresponds to the existence of the following two cases:

(1)

In the ideal model, when $B_1$ informs TTP not to send calculation results to $B_2$, it is determine that

$$IDEA{L}_{\stackrel{—}{B}}(W,B)=\{A_1(C_{b1}^{i’},C_{b2}^{i’}),m_b’,S’,\perp \}.$$

(10)

(2)

Conversely, there are

$$IDEA{L}_{\stackrel{—}{B}}(W,B)=\{A_1(C_{b1}^{i’}{C}_{b2}^{i’}),m_b’,S’,F(A_1(W),B)\}.$$

(11)

In these two cases, the output of $A_2$ and $B_2$ in the actual protocol and the ideal protocol are the same, while the ideal protocol and the actual protocol adopt the same ECC encryption algorithm, so $(C_{1b}^i,C_{2b}^i)\stackrel{c}{\equiv }(C_{1b}^{i’},C_{2b}^{i’})$, $m_b^{’}\stackrel{c}{\equiv }{m}_b$ and the zero-knowledge proof can guarantee $S’\stackrel{c}{\equiv }S$. Then,

$$\{IDEA{L}_{\stackrel{—}{B}}(W,B)\}\stackrel{c}{\equiv }\{REA{L}_{\stackrel{—}{A}}(W,B)\}.$$

(12)

In summary, Protocol 2 is secure under the malicious model.

4.4. Characteristics of the Protocol

The ECC encryption algorithm can prevent attacks better than other current encryption algorithms, so the secure text matching method proposed in this paper is more secure and resistant to malicious attacks; the key length of the encryption algorithm used in this paper is short, so the protocol in this paper obtains the same result as other encryption algorithms with less computation, which improves efficiency. Meanwhile, the protocol in this paper achieves exact matching of strings. It provides a new method to solve the pattern matching problem. Although the protocol proposed in this paper has advantages over other protocols, it is targeted at the condition of two parties. If it is used in the multi-party condition, then the computational complexity and communication complexity of the protocol will increase. Therefore, the protocol in this paper will have limitations in the multi-party condition.

5. Performance Analysis

The performance of the protocols is elaborated by comparing Protocol 1 and Protocol 2 with the existing schemes through computational complexity and communication complexity analysis.

5.1. Computational Complexity

Zhang, K.X. et al. [27] designed an STM protocol based on the Paillier encryption algorithm which has the complexity of $m+\frac{3}{2}\left(2n+1\right){\log }_{2}N$ modulo multiplication operations. Luo, Y.L. et al. [32] designed an STM protocol based on the ElGamal encryption algorithm which has a computational complexity of

$mn\left[\left(2nk+1\right){\log }_{2}p+nk-1\right]$ modulo multiplication operations (where $n$ is the number of characters of strings $A$ and $B$, and $k$ is the number of binary bits of $ASCII$ values corresponding to each character of strings $A$ and $B$). Kang, J. et al. [36] designed an STM protocol based on the Goldwasser–Micali encryption algorithm which has a computational complexity of $mn\left(5nk+nk{\log }_{2}p\right)$ modulo multiplication operations.

The computational complexity of Protocol 1 in this paper mainly consists of $n$ ECC encryption calculations for Alice, one time ECC decryption calculation for Bob, and a total of $mn$ modulo multiplication operations. During the implementation of Protocol 2, the computational complexity consists of Alice performing $n$ encryption operations and one time ECC decryption algorithm and Bob performing $m$ encryption operations and one time decryption algorithm for a total of $2mn$ modulo multiplication operations.

For comparison, it is shown in

Table 2. Performance Comparison.

Protocol	Computational Complexity	Communication Complexity	Anti-Malicious Adversaries
Zhang, K.X. et al. [27]	$m+\frac{3}{2}\left(2n+1\right){\log }_{2}N$	2	×
Luo, Y.L. et al. [32]	$mn\left[\left(2nk+1\right){\log }_{2}p+nk-1\right]$	$m{n}^2+mn$	×
Kang, J. et al. [36]	$mn\left(5nk+nk{\log }_{2}p\right)$	$2mn$	×
Protocol 1	$mn$	$n-m+1$	×
Protocol 2	$2mn$	$2\left(n-m+1\right)$	√

×: Cannot resist a malicious adversary; √: Can resist malicious adversaries.

that the proposed Protocol 1 and Protocol 2 are more efficient than the existing protocols.

5.2. Communication Complexity

The communication complexity is usually measured using the number of communication rounds. The method proposed by Zhang, K.X. et al. [27] requires two rounds of communication, the one by Luo, Y.L. et al. [32] requires $m{n}^2+mn$ rounds, and the one proposed by Kang, J. et al. [36] requires $2mn$ rounds. In this paper, up to $n-m+1$ rounds of communication are performed in Protocol 1, and a total of $2\left(n-m+1\right)$ rounds of communication are performed in Protocol 2. Table 2 shows the overall performance comparison of each protocol.

By comparison, with a small difference in the number of communication rounds, Protocol 1 and Protocol 2 choose the simple and fast ECC encryption algorithm to improve efficiency, and Protocol 2 prevents malicious behavior and is more widely used.

5.3. Experimental Simulation

To obtain a visual comparison of the complexity of each protocol, the protocols in references [27,32,36] and Protocol 2 in this paper are simulated experimentally. The experimental environment is as follows: processor Intel(R) Core(TM) i5-8300H @ 2.30 GHz, 12 GB of RAM, Windows 10 (64 bit) operating system in PyCharm 2020.3.2 with Python language.

In the STM protocols, Zhang, K.X. et al. [27], Luo, Y.L. et al. [32], and Kang, J. et al. [36] all use homomorphic encryption algorithms, so the execution time is used through simulation experiments to compare efficiency.

This experiment takes string $S_A$ and string $S_B$ as examples and sets the length of string $S_A$ as $n=26$. The length of string $S_B$ as $m$ in the order of 1, 2, …, 20, for each $m$ is tested 1000 times in the simulation experiment, and the average value of the protocol execution time (ignoring the preprocessing time in the protocol) is counted. Figure 3 shows the comparison of the time consumption of each protocol with increasing modulus for the protocols of Zhang, K.X. et al. [27], Luo, Y.L. et al. [32], Protocol 2 of Kang, J. et al. [36], and Protocol 2 of this paper. The average time consumed for each protocol is calculated separately at 128, 256, 512, and 1024 bit moduli, where the vertical coordinate indicates the time consumed (s) and the horizontal coordinate indicates the different modulus (bit). From Figure 3, it can be seen that Protocol 2 consumes less time than the protocols in Zhang, K.X. et al. [27], Luo, Y.L. et al. [32], and Kang, J. et al. [36] at different modules.

The protocols that were analyzed are the following: the protocol designed based on the Paillier encryption algorithm in Zhang, K.X. et al. [27], the protocol designed based on the ElGamal encryption algorithm in Luo, Y.L. et al. [32], the protocol designed based on the GM encryption algorithm in Kang, J. et al. [36], and the protocol designed based on the ECC encryption algorithm in Protocol 2 of this paper. Therefore, when conducting experiments, we took the modulus of the ElGamal encryption algorithm, Goldwasser–Micali encryption algorithm, Paillier encryption algorithm, and ECC encryption algorithm which are 1024 bits, and the selected random number length is 64 bits. Figure 4 shows the variation pattern of the execution time of string pattern matching with the growth of the number of string characters for the protocols.

From Figure 4, it can be seen that there is a significant reduction in the computational complexity of Protocol 2 in this paper as the string length $m$ increases, so Protocol 2 is efficient and more widely used.

5.4. Engineering Applications

Applications of TSM permeate many aspects of real life. In addition, the research on MPC of TSM has important practical applications in privacy computing, deep learning, and machine learning. The following are some specific application scenarios.

(1)

The technology of keyword search encryption can be applied in the blockchain. That is, users input keywords, and the system returns data with a similar matching degree. Using blockchain to store the key data completed by segmentation, the encrypted data can be stored in the cloud server, while the data identifier of the encrypted data can be sent to the cloud server and the blockchain, respectively, because the blockchain cannot be tampered with, even if a malicious user modifies the data information in the cloud server. However, its record identifier is in the blockchain, and the service can be stopped when the data are obtained, which can ensure the security of the data. It also adopts an additive homomorphic encryption algorithm to ensure security when the key is distributed. As shown in Figure 5:

(2)

Smart grid in edge computing. The power grid generates a large amount of sampling data, and the collection, transmission, and preservation of grid sampling data require large amounts of bandwidth and storage resources, while centralized storage may also cause leakage of user privacy information. With the rise of edge computing, grid terminals can better support local real-time intelligent business processing. Locally collected raw data can be executed at the edge for initial analysis; only useful data are transmitted to the cloud, thus reducing the network burden, lowering transmission costs, and ensuring data privacy and security. The multi-keyword ciphertext retrieval scheme suitable for power data achieves precise matching of multi-keyword search and record collection index and returns the list of search results to the users. As shown in Figure 6:

6. Summary

This paper solves the problem of secure text matching in the field of natural language processing. We proposed an Intelligent Semi-Honest System (ISHS) for secret matching against malicious adversaries. Firstly, a new encoding method is designed which can encode text strings as numbers, and an MPC protocol under the semi-honest model is designed in combination with the ECC encryption algorithm. An MPC protocol for text matching under malicious models is designed using cut-and-choose method and zero-knowledge proof to resist malicious behaviors that may be committed by malicious participants in the semi-honest protocol. The security of the protocol is demonstrated using the real/ideal model paradigm, and the computational complexity and communication complexity are efficient compared with the existing protocols, providing an effective solution to the text matching problem in the fields of deep learning and natural language processing. The secure text matching has important application value in engineering. In the future, we will further investigate secure string matching protocols with wildcards that are resistant to malicious adversaries, as well as secure string matching protocols with multiple participants.