#
Practical and Provably Secure Distributed Aggregation: Verifiable Additive Homomorphic Secret Sharing^{ †}

^{*}

^{†}

## Abstract

**:**

## 1. Introduction

**Our Contribution.**We address the problem of computing joint additions with privacy and security guarantees as the main requirements. More precisely, we treat the problem of verifiable multi-client aggregation that involves the following parties: (i) n clients, which hold secret inputs ${x}_{1},{x}_{2},\dots ,{x}_{n}$, respectively; (ii) m untrusted servers to whom the sum computation is outsourced; and, (iii) any verifier that would like to confirm that the computed sum is correct. We present, for the first time, three concrete constructions of verifiable additive homomorphic secret sharing (VAHSS).

**Organization.**Section 2 gives an overview about the current state-of-the-art in homomorphic secret sharing and verifiable computation. Later, Section 3 provides the background on verifiable homomorphic secret sharing and definitions that are necessary for the rest of the paper. We provide our VHSS constructions in Section 4. Furthermore, in Section 5 we give a theoretical analysis of the costs for the constructions and provide details of our implementation results. We present a discussion about the constructions and their costs in Section 6. Finally, we provide our final considerations in Section 7.

## 2. Related Work

**Homomorphic Secret Sharing.**The key idea of threshold secret sharing schemes [7] is the ability to split a secret x into multiple shares (denoted by, for example, ${x}_{1},{x}_{2},\dots ,{x}_{m}$) while maintaining the following properties: (i) any subset greater than the threshold number of shares is enough to reconstruct the secret x, and (ii) any smaller subset allows no inference of information related to the secret x. Homomorphic secret sharing (HSS) [8] can be seen as the secret-sharing analog of homomorphic encryption. In particular, HSS is employed in order to locally evaluate functions on shares of secret inputs (or just one input), by appropriately combining locally computed values with the shares of the secret(s) as input. At the same time, an HSS system ensures that the shares of the output are short. The first instance of additive HSS that is considered in the literature [9] is computed in some finite Abelian group. Nevertheless, HSS gives no guarantee that the computed result is correct i.e., no verifiability is provided.

**Verifiable Function Secret Sharing.**To better realize function secret sharing (FSS) [10], one can consider it as a natural extension of distributed point functions (DPF). More precisely, FSS is a method to create shares for a function f, coming from a given function family $\mathcal{F}$, that are additively combined to give f. To visualize this, consider m functions ${f}_{1},\dots ,{f}_{m}$, as described by the corresponding keys ${k}_{1},\dots ,{k}_{m}$. These functions are the shares of f, such that $f\left(x\right)={f}_{1}\left(x\right)+\dots +{f}_{m}\left(x\right)$, for any input x. The notion of verifiable FSS (VFSS) [11] is introduced by Boyle et al. In particular, VFSS consists of interactive protocols that verify the consistency of some function $f\in \mathcal{F}$ with keys $({k}_{1}^{*},\dots ,{k}_{m}^{*})$, which are generated by a potentially malicious user. However, VFSS [11] is applicable in the setting of multiple servers and one client. On the contrary, VHSS can be applied when multiple clients (multi-input) outsource the joint computation to multiple servers. Moreover, in VFSS, verification refers to confirming that the shares ${f}_{1},\dots ,{f}_{m}$ are consistent with some f; while, in VHSS, the goal of the verification is to ensure that the final result is correct.

**Publicly Auditable Secure Multi-party Computation.**Secure multi-party computation (MPC) protocols are linked with outsourced computations. In MPC protocols [12,13,14], non-interactive zero-knowledge (NIZK) proofs are generally used in order to achieve public verifiability. Baum et al. [15] introduced the notion of publicly auditable MPC protocols that are applicable when multiple clients and servers are involved. Given that publicly auditable MPC is based on the SPDZ protocol [12,13] and NIZK proofs, while it also employs Pedersen commitments (for enhancing each shared input x), it can be viewed as a generalization of the classic formalization of secure function evaluation. In the work of Baum et al. [15], anyone that has access to the published (in a bulletin board) transcript of the protocol can confirm that the computed result is correct (correctness property); while, the protocol provides privacy guarantees and requires at least one honest party. We should note that publicly auditable MPC protocols are very expressive regarding the class of functions being computed, but they often require heavy computations. To formalize auditable MPC, an extra non-corruptible party is introduced in the standard MPC model, namely the auditor. On the other hand, in VAHSS, we do not require any additional non-corruptible party as well as we do not employ expensive cryptographic primitives, such as NIZK proofs.

## 3. Preliminaries

**PartialProof**algorithm is performed by either the clients or the servers. We added the $\mathbf{Setup}$ algorithm to allow for the generation of keys and we modified the $\mathbf{PartialProof}$ algorithm accordingly to allow the different scenarios.

**Definition**

**1**(Verifiable Homomorphic Secret Sharing (VHSS)).

**Setup**,

**ShareSecret**,

**PartialEval**,

**PartialProof**,

**FinalEval**,

**FinalProof**,

**Verify**), which are defined as follows:

- $(pp,sk)\leftarrow $
**Setup**(${1}^{\lambda}$): On input ${1}^{\lambda}$, where λ is the security parameter, a secret key $sk$, to be used by a client, and some public parameters $pp$. - $({\mathsf{share}}_{i1},\dots ,{\mathsf{share}}_{im},{\tau}_{i})\leftarrow $
**ShareSecret**(${1}^{\lambda},i,{\mathit{x}}_{i}$): The algorithm takes as input ${1}^{\lambda}$, $i\in \{1,\dots ,n\}$ which is the index for the client ${c}_{i}$ and ${\mathit{x}}_{i}$ which denotes a vector of one (i.e., ${x}_{i}\in \mathcal{X}$) or more secret values that belong to each client and should be split into shares. The algorithm outputs m shares ${\mathsf{share}}_{ij}$ (denoted also by ${x}_{ij}\in \mathcal{X}$ when ${\mathit{x}}_{i}={x}_{i}$) for each server ${s}_{j}$, as well as, if necessary, a publicly available value ${\tau}_{i}$ (${\tau}_{i}$, when computed, can be included in the list of public parameters $pp$) related to the secret ${x}_{i}$. - ${y}_{j}\leftarrow $
**PartialEval**($j,({x}_{1j},{x}_{2j},\dots ,{x}_{nj})$): On input $j\in \{1,\dots ,m\}$, which denotes the index of the server ${s}_{j}$, and ${x}_{1j},{x}_{2j},\dots ,{x}_{nj}$, which are the shares of the n secret inputs ${x}_{1},\dots ,{x}_{n}$ that the server ${s}_{j}$ has, the algorithm**PartialEval**outputs ${y}_{j}\in \mathcal{Y}$. - ${\sigma}_{k}\leftarrow $
**PartialProof**($sk,pp,{secret}_{values},k$): on input, the secret key $sk$, public parameters $pp$, secret values (based on which the partial proofs are generated), denoted by ${\mathit{secret}}_{\mathit{values}}$; and, the corresponding index k (where k is either i or j), a partial proof ${\sigma}_{k}$ is computed. Note that k is a variable; thus, $k=i$ when**PartialProof**generates proofs per client or $k=j$ if it generates proofs per server. - $y\leftarrow $
**FinalEval**$({y}_{1},{y}_{2},\dots ,{y}_{m})$: On input ${y}_{1},{y}_{2},\dots ,{y}_{m}$, which are the shares of $f({x}_{1},{x}_{2},\dots ,{x}_{n})$ that the m servers compute, the algorithm**FinalEval**outputs y, the final result for $f({x}_{1},{x}_{2},\dots ,{x}_{n})$. - $\sigma \leftarrow $
**FinalProof**($pp,{\sigma}_{1},\dots ,{\sigma}_{\left|k\right|}$): on input public parameters $pp$ and the partial proofs ${\sigma}_{1},{\sigma}_{2},\dots ,{\sigma}_{\left|k\right|}$, the algorithm**FinalProof**outputs σ, which is the proof that y is the correct value. Note that $\left|k\right|=n$, if the partial proofs are computed per client or $\left|k\right|=m$, if they are computed per server. - $0/1\leftarrow $
**Verify**($pp,\sigma ,y$): On input the final result y, the proof σ, and, when needed, public parameters $pp$, the algorithm**Verify**outputs either 0 or 1.

**Correctness, Security, Verifiability.**The algorithms (

**Setup**,

**ShareSecret**,

**PartialEval**,

**PartialProof**,

**FinalEval**,

**FinalProof**, and

**Verify**) should satisfy the following correctness, verifiability, and security requirements:

**Correctness**: for any secret input ${x}_{1},\dots ,{x}_{n}$, for all m-tuples in the set ${\{({\mathsf{share}}_{i1},\dots ,{\mathsf{share}}_{im}),{\tau}_{i}\}}_{i=1}^{n}$ coming from $\mathbf{ShareSecret}$, for all ${y}_{1},\dots ,{y}_{m}$ computed by $\mathbf{PartialEval}$, ${\sigma}_{1},\dots ,{\sigma}_{\left|k\right|}$ computed from $\mathbf{PartialProof}$, and for y and $\sigma $ generated by $\mathbf{FinalEval}$ and $\mathbf{FinalProof}$, respectively, the scheme should satisfy the following correctness requirement:$$Pr\left[\begin{array}{c}\mathbf{Verify}(pp,\sigma ,y)=1\hfill \end{array}\right]=1.$$**Verifiability**: let T be the set of corrupted servers with $\left|T\right|\u2a7dm$ (note that, for $\left|T\right|=m$, the verifiabililty property holds; however, we do not have a secure system). Denote, by $\mathcal{A}$, any PPT adversary and consider n secret inputs ${x}_{1},\dots ,{x}_{n}\in \mathbb{F}$. Any PPT adversary $\mathcal{A}$ who controls the shares of the secret inputs for any j, such that ${s}_{j}\in T$ can cause a wrong value to be accepted as $f({x}_{1},{x}_{2},\dots ,{x}_{n})$ with negligible probability.We define the following experiment ${\mathbf{Exp}}_{\mathrm{VHSS}}^{\mathrm{Verif}.}({x}_{1},\dots ,{x}_{n},T,\mathcal{A}):$- 1.
- For all $i\in \{1,\dots ,n\}$, generate $({\mathsf{share}}_{i1},\dots ,{\mathsf{share}}_{im},{\tau}_{i})\leftarrow $
**ShareSecret**(${1}^{\lambda},i,{\mathit{x}}_{i}$) and publish ${\tau}_{i}$. - 2.
- For all j, such that ${s}_{j}\in T$, give $\left(\begin{array}{c}{\mathsf{share}}_{1j}\\ {\mathsf{share}}_{2j}\\ \vdots \\ {\mathsf{share}}_{nj}\end{array}\right)$ to the adversary.
- 3.
- For the corrupted servers ${s}_{j}\in T$, the adversary $\mathcal{A}$ outputs modified shares ${{y}_{j}}^{\prime}$ and ${{\sigma}_{k}}^{\prime}$. Subsequently, for j, such that ${s}_{j}\notin T$, we set ${{y}_{j}}^{\prime}=\mathbf{Partial}$-$\mathbf{Eval}(j,({x}_{1j},\dots ,{x}_{nj}))$ and ${{\sigma}_{k}}^{\prime}=\mathbf{PartialProof}(sk,pp,{\mathrm{secret}}_{\mathrm{values}},k).$ Note that we consider modified ${{\sigma}_{k}}^{\prime}$ only when computed by the servers.
- 4.
- Compute the modified final value ${y}^{\prime}=\mathbf{FinalEval}({{y}_{1}}^{\prime},{{y}_{2}}^{\prime},\dots ,{{y}_{m}}^{\prime})$ and the modified final proof ${\sigma}^{\prime}=\mathbf{FinalProof}(pp,{\sigma}_{1}^{\prime},\dots ,{\sigma}_{\left|k\right|}^{\prime})$.
- 5.
- If ${y}^{\prime}\ne f({x}_{1},{x}_{2},\dots ,{x}_{n})$ and $\mathbf{Verify}(pp,{\sigma}^{\prime},{y}^{\prime})=1$, then output 1 else 0.

We require that for any n secret inputs ${x}_{1},{x}_{2},\dots ,{x}_{n}\in \mathbb{F}$, any set T of corrupted servers and any PPT adversary $\mathcal{A}$ it holds:$$Pr[{\mathbf{Exp}}_{\mathrm{VHSS}}^{\mathrm{Verif}.}({x}_{1},{x}_{2},\dots ,{x}_{n},T,\mathcal{A})=1]\le \epsilon ,\mathrm{for}\phantom{\rule{4.pt}{0ex}}\mathrm{some}\phantom{\rule{4.pt}{0ex}}\mathrm{negligible}\phantom{\rule{4.pt}{0ex}}\epsilon .$$**Security**: let T be the set of the corrupted servers with $\left|T\right|<m$. Consider the following semantic security challenge experiment:- 1.
- The adversary ${\mathcal{A}}_{1}$ gives $(i,{x}_{i},{x}_{i}^{\prime})\leftarrow {\mathcal{A}}_{1}\left({1}^{\lambda}\right)$ to the challenger, where $i\in \left[n\right]$, ${x}_{i}\ne {x}_{i}^{\prime}$ and $|{x}_{i}|=|{x}_{i}^{\prime}|$.
- 2.
- The challenger picks a bit $b\in \{0,1\}$ uniformly at random and computes $({\widehat{\mathsf{share}}}_{i1},\dots ,{\widehat{\mathsf{share}}}_{im},{\widehat{\tau}}_{i})\leftarrow \mathbf{ShareSecret}({1}^{\lambda},i,{\hat{\mathit{x}}}_{i})$ where the secret input ${\hat{\mathit{x}}}_{i}=\{\begin{array}{c}{x}_{i},\mathrm{if}\phantom{\rule{4.pt}{0ex}}b=0\hfill \\ {x}_{i}^{\prime},\mathrm{otherwise}\hfill \end{array}$.
- 3.
- Given the shares from the corrupted servers T and ${\widehat{\tau}}_{i}$, the adversary distinguisher outputs a guess ${b}^{\prime}\leftarrow \mathcal{D}({\left({\widehat{\mathsf{share}}}_{ij}\right)}_{j\mid {s}_{j}\in T},{\widehat{\tau}}_{i})$.

Let $\mathrm{Adv}({1}^{\lambda},\mathcal{A},T):=Pr[b={b}^{\prime}]-1/2$ be the advantage of $\mathcal{A}=\{{\mathcal{A}}_{1},\mathcal{D}\}$ in guessing b in the above experiment, where the probability is taken over the randomness of the challenger and of $\mathcal{A}$. A VHSS scheme is t-secure if, for all $T\subset \{{s}_{1},\dots ,{s}_{m}\}$ with $\left|T\right|\le t$, and all PPT adversaries $\mathcal{A}$, it holds that $\mathrm{Adv}({1}^{\lambda},\mathcal{A},T)\le \epsilon \left(\lambda \right)$ for some negligible $\epsilon \left(\lambda \right)$.

**Definition**

**2**

- $\mathit{HKeyGen}({1}^{\lambda},k)$ takes as input the security parameter λ and an upper bound k for the number of messages that can be signed in each dataset. It outputs a secret signing key $sk$ and a public key $vk$. The public key defines a message space $\mathit{M}$, a signature space $\mathcal{S}$, and a set $\mathcal{F}$ of admissible linear functions, such that any $f:{\mathcal{M}}^{n}\mapsto \mathcal{M}$ is linear.
- $\mathit{HSign}(sk,fid,{m}_{i},i)$ algorithm takes as input the secret key $sk$, a dataset identifier $fid$, and the i-th message ${m}_{i}$ to be signed, and outputs a signature ${\sigma}_{i}$.
- $\mathit{HVerify}(vk,fid,m,\sigma ,f)$ algorithm takes as input the verification key $vk$, a dataset identifier $fid$, a message m, a signature σ and a function f. It outputs either 1 if the signature corresponds to the message m or 0 otherwise.
- $\mathit{HEval}(vk,fid,f,{\sigma}_{1},\dots ,{\sigma}_{n})$ algorithm takes as input the verification key $vk$, a dataset identifier $fid$, a function $f\in \mathcal{F}$, and a tuple of signatures ${\sigma}_{1},\dots ,{\sigma}_{n}$. It outputs a new signature σ.

**Definition**

**3**

- 1.
- One-way: it is computationally hard to compute ${h}^{-1}\left(x\right)$.
- 2.
- Collision-free: it is computationally hard to find $x,y\in {\mathbb{F}}^{N}(x\ne y)$, such that $h\left(x\right)=h\left(y\right)$.
- 3.
- Homomorphism: for any $x,y\in {\mathbb{F}}^{N}$, it holds $h(x\circ y)=h\left(x\right)\circ h\left(y\right)$, where $\u201c\circ \u201d$ is either $\u201c+\u201d$ or $\u201c\xb7\u201d$.

**Definition**

**4**(Pseudorandom Function (PRF))

**.**

## 4. Verifiable Additive Homomorphic Secret Sharing

#### 4.1. Construction of VAHSS Using Homomorphic Hash Functions

- 1.
**ShareSecret**(${1}^{\lambda},i,{x}_{i}$): for elements ${\left\{{a}_{i}\right\}}_{i\in \{1,\dots ,t\}}\in \mathbb{F}$ selected uniformly at random, pick a t-degree polynomial ${p}_{i}$ of the form ${p}_{i}\left(X\right)={x}_{i}+{a}_{1}X+{a}_{2}{X}^{2}+\dots +{a}_{t}{X}^{t}$. Notice that the free coefficient of ${p}_{i}$ is the secret input ${x}_{i}$. Let $H:x\mapsto {g}^{x}$ (with g a generator of the multiplicative group of $\mathbb{F}$) be a collision-resistant homomorphic hash function [3]. Let ${R}_{i}$ be the output of a pseudorandom function (PRF) $F:{\{0,1\}}^{{l}_{1}}\times {\{0,1\}}^{{l}_{2}}\mapsto \mathbb{F}$ where ${R}_{i}={F}_{k}(i,fil{e}_{i})$ for a key $k\in {\{0,1\}}^{{l}_{1}}$ given to the clients and a timestamp $fil{e}_{i}$ associated with client i such that $(i,fil{e}_{i})\in {\{0,1\}}^{{l}_{2}}$. For $i=n$, we require $\mathbb{F}\ni {R}_{n}=\varphi \left(N\right)\lceil {\textstyle \frac{{\sum}_{i=1}^{n-1}{R}_{i}}{\varphi \left(N\right)}}\rceil -{\sum}_{i=1}^{n-1}{R}_{i}$. Subsequently, compute ${\tau}_{i}=H({x}_{i}+{R}_{i})$, define ${x}_{ij}={\lambda}_{ij}{p}_{i}\left({\theta}_{ij}\right)$ (given thanks to the Equation (1)) and output $({x}_{i1},{x}_{i2},\dots ,{x}_{im},{\tau}_{i})=({\lambda}_{i1}\xb7{p}_{i}\left({\theta}_{i1}\right),\dots ,{\lambda}_{im}\xb7{p}_{i}\left({\theta}_{im}\right),H({x}_{i}+{R}_{i})$).- 2.
**PartialEval**($j,({x}_{1j},{x}_{2j},\dots ,{x}_{nj})$): given the j-th shares of the secret inputs, compute the sum of all ${x}_{ij}={\lambda}_{ij}\xb7{p}_{i}\left({\theta}_{ij}\right)$ for the given j and $i\in \left[n\right]$. Output ${y}_{j}$ with ${y}_{j}={\lambda}_{1j}\xb7{p}_{1}\left({\theta}_{1j}\right)+\dots +{\lambda}_{nj}\xb7{p}_{n}\left({\theta}_{nj}\right)={\sum}_{i=1}^{n}{\lambda}_{ij}\xb7{p}_{i}\left({\theta}_{ij}\right)$.- 3.
**PartialProof**($j,({x}_{1j},{x}_{2j},\dots ,{x}_{nj})$): given the j-th shares of the secret inputs, compute and output the partial proof ${\sigma}_{j}={g}^{{\sum}_{i=1}^{n}{x}_{ij}}={g}^{{y}_{j}}=H\left({y}_{j}\right)$.- 4.
**FinalEval**(${y}_{1},{y}_{2},\dots ,{y}_{m}$): add the partial sums ${y}_{1},\dots ,{y}_{m}$ together and output y (where $y={y}_{1}+\dots +{y}_{m}$).- 5.
**FinalProof**(${\sigma}_{1},\dots ,{\sigma}_{m}$): given the partial proofs ${\sigma}_{1},{\sigma}_{2},\dots ,{\sigma}_{m}$, compute the final proof $\sigma ={\prod}_{j=1}^{m}{\sigma}_{j}$. Output $\sigma $.- 6.
**Verify**(${\tau}_{1},\dots ,{\tau}_{n},\sigma ,y$): check whether $\sigma ={\prod}_{i=1}^{n}{\tau}_{i}\wedge {\prod}_{i=1}^{n}{\tau}_{i}=H\left(y\right)$ holds. Output 1 if the check is satisfied or 0 otherwise.

**Correctness**: In order to prove the correctness of this construction, we need to prove that $Pr\left[\begin{array}{c}\mathbf{Verify}({\tau}_{1},\dots ,{\tau}_{n},\sigma ,y)=1\hfill \end{array}\right]=1.$ By construction it holds that:$$\begin{array}{cc}\hfill y& =\sum _{j=1}^{m}{y}_{j}=\sum _{j=1}^{m}\sum _{i=1}^{n}{\lambda}_{ij}\xb7{p}_{i}\left({\theta}_{ij}\right)=\sum _{i=1}^{n}\sum _{j=1}^{m}{\lambda}_{ij}\xb7{p}_{i}\left({\theta}_{ij}\right)=\sum _{i=1}^{n}{p}_{i}\left(0\right)=\sum _{i=1}^{n}{x}_{i}\hfill \end{array}$$Additionally, by construction, we have:$$\begin{array}{cc}\hfill \sigma & =\prod _{j=1}^{m}{\sigma}_{j}=\prod _{j=1}^{m}H\left({y}_{j}\right)=\prod _{j=1}^{m}{g}^{{y}_{j}}={g}^{{\sum}_{j=1}^{m}{y}_{j}}={g}^{y}=H\left(y\right)\hfill \end{array}$$$$\begin{array}{cc}\hfill \mathrm{and}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\prod _{i=1}^{n}{\tau}_{i}& =\prod _{i=1}^{n}{g}^{{x}_{i}+{R}_{i}}={g}^{{\sum}_{i=1}^{n}{x}_{i}}{g}^{{\sum}_{i=1}^{n}{R}_{i}}={g}^{{\sum}_{i=1}^{n}{x}_{i}}{g}^{{\sum}_{i=1}^{n-1}{R}_{i}+{R}_{n}}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& ={g}^{{\sum}_{i=1}^{n}{x}_{i}}{g}^{\varphi \left(N\right)\lceil {\textstyle \frac{{\sum}_{i=1}^{n-1}{R}_{i}}{\varphi \left(N\right)}}\rceil}={g}^{{\sum}_{i=1}^{n}{x}_{i}}={g}^{{x}_{1}+\dots +{x}_{n}}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& \stackrel{see\phantom{\rule{4pt}{0ex}}Equation\phantom{\rule{3.33333pt}{0ex}}\left(2\right)}{=}{g}^{y}=H\left(y\right)\hfill \end{array}$$Combining the last two results, we get that $\sigma ={\prod}_{i=1}^{n}{\tau}_{i}\wedge {\prod}_{i=1}^{n}{\tau}_{i}=H\left(y\right)$ holds. Therefore, the algorithm**Verify**outputs 1 with probability 1.**Security**: See [17] for a proof that the selected hash function H of our construction is a secure collision-resistant hash function under the discrete logarithm assumption.We will now prove that $\mathrm{Adv}({1}^{\lambda},\mathcal{A},T)\le \epsilon \left(\lambda \right)$ for some negligible $\epsilon \left(\lambda \right)$.

**Proof.**

**Game 0**: consider $m-1$ corrupted servers. Subsequently, $\left|T\right|=m-1$. Without a loss of generality, let the first $m-1$ servers be the corrupted ones. Therefore, the adversary $\mathcal{A}$ has $(m-1)n$ shares from the corrupted servers and no additional information.

**Game 1**: consider that the adversary holds the same shares ${\sum}_{j=1}^{m-1}{\widehat{\mathsf{share}}}_{ij}$ and ${\widehat{\tau}}_{i}$ is now a truly random value.

**Game 0**and

**Game 1**are computationally indistinguishable due to the security of the PRF. Thus, any PPT adversary has the probability $1/2$ to decide whether ${\widehat{x}}_{i}$ is ${x}_{i}$ or ${{x}_{i}}^{\prime}$ and so, $\mathrm{Adv}({1}^{\lambda},\mathcal{A},T)\le \epsilon \left(\lambda \right)$ for some negligible $\epsilon \left(\lambda \right)$. □

**Verifiability**: In this construction, for $y={x}_{1}+{x}_{2}+\dots +{x}_{n}$, if ${y}^{\prime}\ne {x}_{1}+\dots +{x}_{n}$ and $\mathbf{Verify}({\tau}_{1},\dots ,{\tau}_{n},{\sigma}^{\prime},{y}^{\prime})=1$, then the verifiability follows:$$\begin{array}{cc}\hfill \phantom{\rule{1.em}{0ex}}& \mathbf{Verify}({\tau}_{1},\dots ,{\tau}_{n},{\sigma}^{\prime},{y}^{\prime})=1\Rightarrow {\sigma}^{\prime}=\prod _{i=1}^{n}{\tau}_{i}\wedge \prod _{i=1}^{n}{\tau}_{i}=H\left({y}^{\prime}\right)\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& \Rightarrow \prod _{i=1}^{n}{\tau}_{i}=H\left({y}^{\prime}\right)\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}(\mathrm{see}\phantom{\rule{4.pt}{0ex}}\mathrm{Equation}\phantom{\rule{4.pt}{0ex}}\left(3\right))\Rightarrow H\left(y\right)=H\left({y}^{\prime}\right)\hfill \end{array}$$$$Pr[{\mathbf{Exp}}_{\mathrm{VHSS}}^{\mathrm{Verif}.}({x}_{1},\dots ,{x}_{n},T,\mathcal{A})=1]\le \epsilon ,\phantom{\rule{4.pt}{0ex}}\mathrm{as}\phantom{\rule{4.pt}{0ex}}\mathrm{desired}.$$

#### 4.2. Construction of VAHSS with Linear Homomorphic Signatures

- 1.
**Setup**(${1}^{k},N$): let N be the product of two safe primes each one of length ${k}^{\prime}/2$. This algorithm chooses two random (safe) primes $\widehat{p},\widehat{q}$ each one of length $k/2$, such that $gcd(N,\varphi (\hat{N}))=1$ with $\hat{N}=\widehat{p}\xb7\widehat{q}$. Subsequently, the algorithm chooses $g,{g}_{1},{h}_{1},\dots ,{h}_{n}$ in ${\mathbb{Z}}_{\hat{N}}^{*}$ at random. Subsequently, it chooses some (efficiently computable) injective function $H:{\{0,1\}}^{*}\mapsto {\{0,1\}}^{l}$ with $l<{k}^{\prime}/2$. It outputs the public key $vk=(N,H,\hat{N},g,{g}_{1},{h}_{1},\dots ,{h}_{n})$ to be used by any verifier; and, the secret key $sk=(\widehat{p},\widehat{q})$ to be used for signing the secret values.- 2.
**ShareSecret**(${1}^{\lambda},i,{x}_{i}$): for elements ${\left\{{a}_{i}\right\}}_{i\in \{1,\dots ,t\}}\in \mathbb{F}$ selected uniformly at random, pick a t-degree polynomial ${p}_{i}$ of the form ${p}_{i}\left(X\right)={x}_{i}+{a}_{1}X+{a}_{2}{X}^{2}+\dots +{a}_{t}{X}^{t}$. Notice that the free coefficient of ${p}_{i}$ is the secret input ${x}_{i}$. Subsequently, define ${x}_{ij}={\lambda}_{ij}{p}_{i}\left({\theta}_{ij}\right)$ (given using the Equation (1)) and output $({x}_{i1},{x}_{i2},\dots ,{x}_{im})={\lambda}_{i1}\xb7{p}_{i}\left({\theta}_{i1}\right),{\lambda}_{i2}\xb7{p}_{i}\left({\theta}_{i2}\right),\dots ,{\lambda}_{im}\xb7{p}_{i}\left({\theta}_{im}\right))$.- 3.
**PartialEval**($j,({x}_{1j},{x}_{2j},\dots ,{x}_{nj})$): given the j-th shares of the secret inputs, compute the sum of all ${x}_{ij}={\lambda}_{ij}\xb7{p}_{i}\left({\theta}_{ij}\right)$ for the given j and $i\in \left[n\right]$. Output ${y}_{j}$ with ${y}_{j}={\lambda}_{1j}\xb7{p}_{1}\left({\theta}_{1j}\right)+\dots +{\lambda}_{nj}\xb7{p}_{n}\left({\theta}_{nj}\right)={\sum}_{i=1}^{n}{\lambda}_{ij}\xb7{p}_{i}\left({\theta}_{ij}\right)$.- 4.
**PartialProof**($sk,vk,fid,{x}_{i,R},i$): Parse the verification key $vk$ to get $N,H,$$\hat{N}$, $g,{g}_{1}$ and ${h}_{1},\dots ,{h}_{n}$. For the (efficiently computable) injective function H that is chosen from**Setup**, map $fid$ to a prime: $H\left(fid\right)\mapsto e$. We denote the i-th vector of the canonical basis on ${\mathbb{Z}}^{n}$ by ${e}_{i}$. Choose random elements ${s}_{i}$ and solve, using the knowledge for $\widehat{p}$ and $\widehat{q}$, the equation: ${x}^{eN}={g}^{{s}_{i}}{\prod}_{j=1}^{n}{{h}_{j}}^{{{f}_{j}}^{\left(i\right)}}{g}_{1}^{{x}_{i,R}}\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}\hat{N}$, where ${{f}_{j}}^{\left(i\right)}$ denotes the j-th coordinate of the vector ${f}^{\left(i\right)}$. Notice that, for our function ${e}_{i}$, the equation becomes ${x}^{eN}={g}^{{s}_{i}}{h}_{i}{g}_{1}^{{x}_{i,R}}\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}\hat{N}$. Set $\tilde{{x}_{i}}=x$. Output ${\sigma}_{i}$, where ${\sigma}_{i}=(e,{s}_{i},fid,\tilde{{x}_{i}})$ is the signature for ${x}_{i}$ w.r.t. the function ${f}^{\left(i\right)}={e}_{i}$.- 5.
**FinalEval**(${y}_{1},{y}_{2},\dots ,{y}_{m}$): add the partial sums ${y}_{1},\dots ,{y}_{m}$ together and output y (where $y={y}_{1}+\dots +{y}_{m}$).- 6.
**FinalProof**($vk,\widehat{f},{\sigma}_{1},{\sigma}_{2},\dots ,{\sigma}_{n}$): given the public verification key $vk$, the signatures ${\sigma}_{1},\dots ,{\sigma}_{n}$, let $\widehat{f}=({\alpha}_{1},\dots ,{\alpha}_{n})$. Define ${f}^{\prime}=({\sum}_{i=1}^{n}{\alpha}_{i}{f}^{\left(i\right)}-f)/eN$, where $f={\sum}_{i=1}^{n}{\alpha}_{i}{f}^{\left(i\right)}\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}eN$. Set $s={\sum}_{i=1}^{n}{\alpha}_{i}{s}_{i}\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}eN$, ${s}^{\prime}=({\sum}_{i=1}^{n}{\alpha}_{i}{s}_{i}-s)/eN$ and $\tilde{x}={\textstyle \frac{{\prod}_{i=1}^{n}{\tilde{{x}_{i}}}^{{\alpha}_{i}}}{{g}^{{s}^{\prime}}{\prod}_{j=1}^{n}{{h}_{j}}^{{f}_{j}^{\prime}}}}\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}\hat{N}$. For $\widehat{f}=(1,\dots ,1)$, compute $\tilde{x}={\textstyle \frac{{\prod}_{i=1}^{n}\tilde{{x}_{i}}}{{g}^{{s}^{\prime}}{\prod}_{j=1}^{n}{{h}_{j}}^{{f}_{j}^{\prime}}}}\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}\hat{N}$. Output $\sigma $ where $\sigma =(e,s,fid,\tilde{x})$.- 7.
**Verify**($vk,f,\sigma ,y$): compute $e=H\left(fid\right)$. Check that $y,s\in {\mathbb{Z}}_{eN}$ and ${\tilde{x}}^{eN}={g}^{s}{\prod}_{j=1}^{n}{{h}_{j}}^{{f}_{j}}{g}_{1}^{y}$ holds. Output: 1 if all checks are satisfied or 0 otherwise.

**Setup**and hold their secret value ${x}_{1},\dots ,{x}_{n}$, respectively. Each client runs $\mathbf{ShareSecret}$ to split its secret value ${x}_{i}$ into m shares and $\mathbf{PartialProof}$ in order to produce the partial signature (for the secret ${x}_{i}$) ${\sigma}_{i}$. The values ${\sigma}_{i}$’s are not generated by the servers, since, in that case, malicious compromised servers would not be detected. Subsequently, each client distributes the shares to each of the m servers and publishes ${\sigma}_{i}$. Each server ${s}_{j}$ computes and publishes the partial function value ${y}_{j}$ by running $\mathbf{PartialEval}$. Any verifier is able to get the function value $y=f({x}_{1},\dots ,{x}_{n})$ from the $\mathbf{FinalEval}$ and the proof $\sigma $ from the $\mathbf{FinalProof}$. The $\mathbf{Verify}$ algorithm outputs 1 if and only if $y={x}_{1}+\dots +{x}_{n}$. Table 2 reports an illustration of our solution.

**Correctness**: To prove the correctness of our construction, we need to prove that $Pr\left[\begin{array}{c}\mathbf{Verify}(vk,f,\sigma ,y)=1\hfill \end{array}\right]=1.$ It holds that:$$\begin{array}{cc}\hfill {\tilde{x}}^{eN}& ={\left({\textstyle \frac{{\prod}_{i=1}^{n}\tilde{{x}_{i}}}{{g}^{{s}^{\prime}}{\prod}_{i=1}^{n}{{h}_{j}}^{{f}_{j}^{\prime}}}}\right)}^{eN}={\textstyle \frac{{\prod}_{i=1}^{n}{\tilde{{x}_{i}}}^{eN}}{{g}^{{s}^{\prime}eN}{\prod}_{i=1}^{n}{{h}_{j}}^{{f}_{j}^{\prime}eN}}}={\textstyle \frac{{\prod}_{i=1}^{n}({g}^{{s}_{i}}{\prod}_{j=1}^{n}{{h}_{j}}^{{{f}_{j}}^{\left(i\right)}}{g}_{1}^{{x}_{i,R}})}{{g}^{{s}^{\prime}eN}{\prod}_{i=1}^{n}{{h}_{j}}^{{f}_{j}^{\prime}eN}}}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& ={\textstyle \frac{{g}^{{\sum}_{i=1}^{n}{s}_{i}}}{{g}^{{s}^{\prime}eN}}}\xb7{\textstyle \frac{{\prod}_{i=1}^{n}{\prod}_{j=1}^{n}{{h}_{j}}^{{{f}_{j}}^{\left(i\right)}}}{{\prod}_{i=1}^{n}{{h}_{j}}^{{f}_{j}^{\prime}eN}}}\xb7{{g}_{1}}^{{\sum}_{i=1}^{n}{x}_{i,R}}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& ={\textstyle \frac{{g}^{{\sum}_{i=1}^{n}{s}_{i}}}{{g}^{{s}^{\prime}eN}}}\xb7{\textstyle \frac{{\prod}_{i=1}^{n}{\prod}_{j=1}^{n}{{h}_{j}}^{{{f}_{j}}^{\left(i\right)}}}{{\prod}_{i=1}^{n}{{h}_{j}}^{{f}_{j}^{\prime}eN}}}\xb7{{g}_{1}}^{{\sum}_{i=1}^{n}{x}_{i}}\xb7{{g}_{1}}^{{\sum}_{i=1}^{n}{R}_{i}}\hfill \end{array}$$$$\begin{array}{cc}\hfill \phantom{\rule{1.em}{0ex}}& \stackrel{see\phantom{\rule{4pt}{0ex}}Equation\phantom{\rule{3.33333pt}{0ex}}\left(3\right)}{=}{g}^{{\sum}_{i=1}^{n}{s}_{i}-{s}^{\prime}eN}\prod _{j=1}^{n}{{h}_{j}}^{{\sum}_{i=1}^{n}{{f}_{j}}^{\left(i\right)}-{f}_{j}^{\prime}eN}{{g}_{1}}^{{\sum}_{i=1}^{n}{x}_{i}}={g}^{s}\prod _{j=1}^{n}{{h}_{j}}^{{f}_{j}}{{g}_{1}}^{{\sum}_{i=1}^{n}{x}_{i}}\hfill \end{array}$$Thanks to the Equation (2), it also holds that $y={\sum}_{i=1}^{n}{x}_{i}$. Subsequently, ${\tilde{x}}^{eN}={g}^{s}\xb7{\prod}_{j=1}^{n}{{h}_{j}}^{{f}_{j}}\xb7{{g}_{1}}^{y}$ and, thus, $\mathbf{Verify}(vk,\sigma ,y,f)=1$ with probability 1.**Security**: The security of the signatures easily results from the original signature scheme that was proposed by Catalano et al. [16]. Moreover, $\mathrm{Adv}({1}^{\lambda},\mathcal{A},T)\le \epsilon \left(\lambda \right)$ for some negligible $\epsilon \left(\lambda \right)$ as we have proven in the Section 4.1. We should note that, since in this construction no ${\tau}_{i}$ values are incorporated, the arguments related to the pseudorandomness of ${\tau}_{i}$ are not necessary.**Verifiability**: Verifiability is by construction straightforward since the final signature $\sigma \leftarrow \mathbf{FinalProof}(vk,\widehat{f},{\sigma}_{1},\dots ,{\sigma}_{n})$ is obtained using the correctly computed (by the clients) ${\sigma}_{1},\dots ,{\sigma}_{n}$ and, thus, ${\sigma}^{\prime}=\sigma $ in this case. Therefore, if ${y}^{\prime}\ne {x}_{1}+\dots +{x}_{n}$ while $y={x}_{1}+\dots +{x}_{n}$ and $\mathbf{Verify}(vk,{\sigma}^{\prime},{y}^{\prime},f)=1$, then:$$\begin{array}{cc}\hfill \phantom{\rule{1.em}{0ex}}& \mathbf{Verify}(vk,{\sigma}^{\prime},{y}^{\prime},f)=1\Rightarrow \mathbf{Verify}(vk,\sigma ,{y}^{\prime},f)=1\hfill \\ \hfill \Rightarrow & {\tilde{x}}^{eN}={g}^{s}\prod _{j=1}^{n}{{h}_{j}}^{{f}_{j}}{g}_{1}^{{y}^{\prime}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}(\mathrm{see}\phantom{\rule{4.pt}{0ex}}\mathrm{Equation}\phantom{\rule{4.pt}{0ex}}\phantom{\rule{4.pt}{0ex}}(4))\hfill \\ \hfill \Rightarrow & {g}^{s}\prod _{j=1}^{n}{{h}_{j}}^{{f}_{j}}{g}_{1}^{{\sum}_{i=1}^{n}{x}_{i}}={g}^{s}\prod _{j=1}^{n}{{h}_{j}}^{{f}_{j}}{g}_{1}^{{y}^{\prime}}\Rightarrow \sum _{i=1}^{n}{x}_{i}={y}^{\prime}\hfill \end{array}$$Therefore, $Pr[{\mathbf{Exp}}_{\mathrm{VHSS}}^{\mathrm{Verif}.}({x}_{1},\dots ,{x}_{n},T,\mathcal{A})=1]\le \epsilon .$

#### 4.3. Construction of VAHSS with Threshold Signature Sharing

- 1.
**Setup**(${1}^{k},N$): Let $N=p\xb7q$ be the RSA modulus, such that $p=2{p}^{\prime}+1$ and $q=2{q}^{\prime}+1$, where ${p}^{\prime},{q}^{\prime}$ are large primes. Choose the public RSA key ${e}_{i}$, such that ${e}_{i}\gg \left(\genfrac{}{}{0pt}{}{n}{\mathfrak{t}}\right)$ and then pick the private RSA key ${d}_{i}$, so that ${e}_{i}{d}_{i}\equiv 1\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}\left({p}^{\prime}{q}^{\prime}\right)$. Output the public key ${e}_{i}$ and the private key ${d}_{i}$.- 2.
**ShareSecret**(${1}^{\lambda},i,{x}_{i},{d}_{i},$): for elements ${\left\{{a}_{i}\right\}}_{i\in \{1,\dots ,t\}}\in \mathbb{F}$ selected uniformly at random, pick a t-degree polynomial ${p}_{i}$ of the form ${p}_{i}\left(X\right)={x}_{i}+{a}_{1}X+{a}_{2}{X}^{2}+\dots +{a}_{t}{X}^{t}$. Notice that the free coefficient of ${p}_{i}$ is the secret input ${x}_{i}$. Subsequently, define ${x}_{ij}={\lambda}_{ij}{p}_{i}\left({\theta}_{ij}\right)$ (given thanks to the Equation (1)). Let ${\mathcal{A}}_{i}$ be an $m\times \mathfrak{t}$ full-rank public matrix with elements from $\mathbb{F}={{\mathbb{Z}}_{r}}^{*}$ for a prime r. Let $\mathit{d}={({d}_{i},{r}_{2},\dots ,{r}_{\mathfrak{t}})}^{\u22ba}$ be a secret vector from ${\mathbb{F}}^{\mathfrak{t}}$, where ${d}_{i}$ is the private RSA key and ${r}_{2},\dots ,{r}_{\mathfrak{t}}\in \mathbb{F}$ are randomly chosen. Let ${\mathsf{a}}_{ij}$ be the entry at the i-th row and j-th column of the matrix ${\mathcal{A}}_{i}$. For all $j\in \left[m\right]$, set ${\omega}_{ij}={\mathsf{a}}_{j1}{d}_{i}+{\mathsf{a}}_{j2}{r}_{2}+\dots +{\mathsf{a}}_{j\mathfrak{t}}{r}_{\mathfrak{t}}\in \mathbb{F}$ to be the share that is generated from the client ${c}_{i}$ for the server ${s}_{j}$. It is now formed an $m\times \mathfrak{t}$ system ${\mathcal{A}}_{i}\mathit{d}={\omega}_{\mathit{i}}$. Let $H:{x}_{i}\mapsto {g}^{{x}_{i}}$ (with g a generator of the multiplicative group of $\mathbb{F}$) be a collision-resistant homomorphic hash function [3]. Let ${R}_{i}$ be randomly selected values, as described in the Section 4.1. Output the public matrix ${\mathcal{A}}_{i}$, the (${x}_{i}$’s) shares $({x}_{i1},{x}_{i2},\dots ,{x}_{im})={\lambda}_{i1}\xb7{p}_{i}\left({\theta}_{i1}\right),{\lambda}_{i2}\xb7{p}_{i}\left({\theta}_{i2}\right),\dots ,{\lambda}_{im}\xb7{p}_{i}\left({\theta}_{im}\right))$, the shares of the private key ${\omega}_{\mathit{i}}=({\omega}_{i1},\dots ,{\omega}_{im})$, and $H({x}_{i}+{R}_{i})$.- 3.
**PartialEval**($j,({x}_{1j},{x}_{2j},\dots ,{x}_{nj})$): given the j-th shares of the secret inputs, compute the sum of all ${x}_{ij}={\lambda}_{ij}\xb7{p}_{i}\left({\theta}_{ij}\right)$ for the given j and $i\in \left[n\right]$. Output ${y}_{j}$ with ${y}_{j}={\lambda}_{1j}\xb7{p}_{1}\left({\theta}_{1j}\right)+\dots +{\lambda}_{nj}\xb7{p}_{n}\left({\theta}_{nj}\right)={\sum}_{i=1}^{n}{\lambda}_{ij}\xb7{p}_{i}\left({\theta}_{ij}\right)$.- 4.
**PartialProof**(${\omega}_{\mathbf{1}},\dots ,{\omega}_{\mathit{n}},H({x}_{1}+{R}_{1}),\dots ,H({x}_{n}+{R}_{n}),{\mathcal{A}}_{1},\dots ,{\mathcal{A}}_{n},N$): For all $i\in \left[n\right]$, run the algorithm ${\mathbf{PartialProof}}_{i}({\omega}_{\mathit{i}},H({x}_{i}+{R}_{i}),{\mathcal{A}}_{i},i,N)$, where:- ${\mathbf{PartialProof}}_{i}({\omega}_{\mathit{i}},H({x}_{i}+{R}_{i}),{\mathcal{A}}_{i},i,N)$: Let $S=\{{s}_{1},{s}_{2},\dots ,{s}_{\mathfrak{t}}\}$ be the coalition of $\mathfrak{t}$ servers ($\mathfrak{t}<m$) (w.l.o.g. take the first $\mathfrak{t}$), forming the system ${\mathcal{A}}_{iS}\mathit{d}={\omega}_{\mathit{iS}}$. Let the $\mathfrak{t}\times \mathfrak{t}$ adjugate matrix of ${\mathcal{A}}_{iS}$ be:$${\mathcal{C}}_{iS}=\left[\begin{array}{cccc}{c}_{11}& {c}_{21}& \dots & {c}_{\mathfrak{t}1}\\ \vdots & \vdots & \ddots & \vdots \\ {c}_{1\mathfrak{t}}& {c}_{2\mathfrak{t}}& \dots & {c}_{\mathfrak{t}\mathfrak{t}}\end{array}\right]$$
- Denote the determinant of ${\mathcal{A}}_{iS}$ by ${\mathsf{\Delta}}_{iS}$. It holds that:$${\mathcal{A}}_{iS}{\mathcal{C}}_{iS}={\mathcal{C}}_{iS}{\mathcal{A}}_{iS}={\mathsf{\Delta}}_{iS}{\mathbb{I}}_{\mathfrak{t}}$$

**PartialProof**outputs ${\sigma}_{\mathbf{1}},\dots ,{\sigma}_{\mathit{n}}$.- 5.
**FinalEval**(${y}_{1},{y}_{2},\dots ,{y}_{m}$): add the partial sums ${y}_{1},\dots ,{y}_{m}$ together and output y (where $y={y}_{1}+\dots +{y}_{m}$).- 6.
**FinalProof**(${e}_{1},\dots ,{e}_{n},H({x}_{1}+{R}_{1}),\dots ,H({x}_{n}+{R}_{n}),{\sigma}_{\mathbf{1}},\dots ,{\sigma}_{\mathit{n}},N$): for all $i\in \{1,\dots ,n\}$ run the algorithm ${\mathbf{FinalProof}}_{i}({e}_{i},H({x}_{i}+{R}_{i}),{\sigma}_{\mathit{i}},N$) where:- ${\mathbf{FinalProof}}_{i}({e}_{i},H({x}_{i}+{R}_{i}),{\sigma}_{\mathit{i}},N$): Combine the partial signatures by computing $\overline{{\sigma}_{i}}={\prod}_{j\in S}^{}{\sigma}_{ij}\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}N.$ Compute ${\sigma}_{i}={\overline{{\sigma}_{i}}}^{{\alpha}_{i}}H{({x}_{i}+{R}_{i})}^{{\beta}_{i}}\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}N$ with ${\alpha}_{i},{\beta}_{i}$ integers, such that$$2{\mathsf{\Delta}}_{iS}{\alpha}_{i}+{e}_{i}{\beta}_{i}=1.$$
- Output ${\sigma}_{i}$, i.e., the signature that corresponds to the secret ${x}_{i}$.

**FinalProof**outputs $\sigma ={\prod}_{i=1}^{n}{{\sigma}_{i}}^{{e}_{i}}$.- 7.
**Verify**($H({x}_{1}+{R}_{1}),\dots ,H({x}_{n}+{R}_{n}),\sigma ,y$): check whether $\sigma ={\prod}_{i=1}^{n}H({x}_{i}+{R}_{i})\wedge H\left(y\right)={\prod}_{i=1}^{n}H({x}_{i}+{R}_{i})$ holds. Output 1 if the check is satisfied or 0 otherwise.

**Correctness**: to prove the correctness of our construction, we need to prove that $Pr\left[\begin{array}{c}\mathbf{Verify}(H({x}_{1}+{R}_{1}),\dots ,H({x}_{n}+{R}_{n}),\sigma ,y)=1\hfill \end{array}\right]=1.$ For convenience, here, denote $H({x}_{i}+{R}_{i})$ by ${H}_{i}$. By construction:$$\begin{array}{cc}\hfill \sigma & =\prod _{i=1}^{n}{{\sigma}_{i}}^{{e}_{i}}=\prod _{i=1}^{n}{({\overline{{\sigma}_{i}}}^{{\alpha}_{i}}{H}_{i}^{{\beta}_{i}})}^{{e}_{i}}=\prod _{i=1}^{n}{(\prod _{j\in S}^{}{{\sigma}_{ij}}^{{\alpha}_{i}}{H}_{i}^{{\beta}_{i}})}^{{e}_{i}}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& =\prod _{i=1}^{n}{({H}_{i}^{{\beta}_{i}}\prod _{j\in S}^{}{H}_{i}^{2{c}_{j1}{\omega}_{ij}{\alpha}_{i}})}^{{e}_{i}}=\prod _{i=1}^{n}{H}_{i}^{{\beta}_{i}{e}_{i}}{H}_{i}^{{\sum}_{j\in S}^{}2{c}_{j1}{\omega}_{ij}{\alpha}_{i}{e}_{i}}\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& \stackrel{see\phantom{\rule{4pt}{0ex}}Equation\phantom{\rule{3.33333pt}{0ex}}\left(5\right)}{=}\prod _{i=1}^{n}{H}_{i}^{{\beta}_{i}{e}_{i}}{H}_{i}^{2{\mathsf{\Delta}}_{iS}{d}_{i}{\alpha}_{i}{e}_{i}}=\prod _{i=1}^{n}{H}_{i}^{2{\mathsf{\Delta}}_{iS}{\alpha}_{i}+{\beta}_{i}{e}_{i}}(\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}N)\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& \stackrel{see\phantom{\rule{4pt}{0ex}}Equation\phantom{\rule{3.33333pt}{0ex}}\left(6\right)}{=}\prod _{i=1}^{n}{H}_{i}=\prod _{i=1}^{n}H({x}_{i}+{R}_{i})\phantom{\rule{4.pt}{0ex}}\mathrm{and}\phantom{\rule{4.pt}{0ex}}\mathrm{also},\hfill \end{array}$$$$\begin{array}{cc}\hfill \prod _{i=1}^{n}H({x}_{i}+{R}_{i})& =\prod _{i=1}^{n}{g}^{{x}_{i}+{R}_{i}}\stackrel{see\phantom{\rule{4pt}{0ex}}Equation\phantom{\rule{3.33333pt}{0ex}}\left(3\right)}{=}H\left(y\right)\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\hfill \end{array}$$Therefore, $\mathbf{Verify}(H({x}_{1}+{R}_{1}),\dots ,H({x}_{n}+{R}_{n}),\sigma ,y)=1$ with probability 1, as desired.**Security**: the security of the signatures follows from the fact that the threshold signature scheme, which is employed in our construction, is secure, for $\left|T\right|\le \mathfrak{t}-1$, under the static adversary model given that the standard RSA signature scheme is secure [6]. Additionally, for $\left|T\right|\le m-1$, $\mathrm{Adv}({1}^{\lambda},\mathcal{A},T)\le \epsilon \left(\lambda \right)$ for some negligible $\epsilon \left(\lambda \right)$, as we have proven in Section 4.1. Therefore, our construction is secure for $\left|T\right|\le min\{\mathfrak{t}-1,m-1\}$.**Verifiability**: for $\mathbf{Verify}(H({x}_{1}+{R}_{1}),\dots ,H({x}_{n}+{R}_{n}),{\sigma}^{\prime},{y}^{\prime})=1$ and ${y}^{\prime}\ne y$ we have:$$\begin{array}{cc}\hfill \phantom{\rule{1.em}{0ex}}& \mathbf{Verify}(H({x}_{1}+{R}_{1}),\dots ,H({x}_{n}+{R}_{n})),{\sigma}^{\prime},{y}^{\prime})=1\hfill \\ \hfill \phantom{\rule{1.em}{0ex}}& \Rightarrow {\sigma}^{\prime}=\prod _{i=1}^{n}H({x}_{i}+{R}_{i})\wedge H\left({y}^{\prime}\right)=\prod _{i=1}^{n}H({x}_{i}+{R}_{i})\hfill \\ \hfill \Rightarrow & H\left({y}^{\prime}\right)=\prod _{i=1}^{n}H({x}_{i}+{R}_{i})\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}(\mathrm{see}\phantom{\rule{4.pt}{0ex}}\mathrm{Equation}\phantom{\rule{4.pt}{0ex}}\phantom{\rule{4.pt}{0ex}}(7))\Rightarrow H\left({y}^{\prime}\right)=H\left(y\right)\hfill \end{array}$$$$Pr[{\mathbf{Exp}}_{\mathrm{VHSS}}^{\mathrm{Verif}.}({x}_{1},\dots ,{x}_{n},T,\mathcal{A})=1]\le \epsilon .$$

## 5. Evaluation

#### 5.1. Theoretical Analysis

**PartialEval**algorithm in the table, this number represents the amount of operations that are required from each server that executes the

**PartialEval**algorithm.

**Sharesecret**algorithm, each client generates m shares that are related to its secret inputs. Below, we present in detail how we calculate the cost for the client to compute these m shares. Each client needs m polynomial evaluations (denoted by ${P}_{eval}$) as well as the computation of the Lagrange coefficients (denoted by ${L}_{coeff}$), as shown in Equation (1). We consider Horner’s method [19] to calculate ${P}_{eval}$, which gives t multiplications and t additions for a polynomial of degree t, as in our constructions. Furthermore, ${L}_{coeff}$ requires 2 multiplications, 1 computation of inverse, and 1 addition (in $\mathbb{F}$) for each factor out of $m-1$. One additional multiplication is needed in order to form the right hand side of Equation (1). Therefore, the cost for generating m secret shares can be demonstrated, as follows:

**Sharesecret**algorithm costs. Let us now present the tables that summarize the cost of our constructions. In parentheses, we display by whom the algorithm is executed. Whenever not specified, the algorithm can be run from any verifier. Table 4 illustrates the costs for the VAHSS construction while using homomorphic hash functions (also found as VAHSS-HSS). Observe that there is no

**Setup**algorithm in this construction. Table 5 shows the number of operations required in the VAHSS construction while using linear homomorphic signatures (also found as VAHSS-LHS). Finally, Table 6 gives the costs of the VAHSS construction while using threshold signature sharing (found also as VAHSS-TSS). Observe that the same variables are used to show the theoretical results. However, note that $\mathfrak{t}$ appears in the VAHSS-TSS construction for the first time, denoting a different number than the threshold t that is used for generating shares of the secret inputs. Moreover, the algorithms are executed from either a client or server, depending on the construction presented.

**ShareSecret**algorithm is always run by the clients. In this respect, the VAHSS-HSS and VAHSS-LHS constructions slightly differ, since a client needs to produce some additional public values in the VAHSS-HSS case. The VAHSS-TSS is more expensive, since the client also generates shares of its private RSA key. Furthermore, as we have mentioned, VAHSS-HSS requires no

**Setup**, thus, it is computationally less expensive than the other two constructions from the client’s side. Subsequently, we can observe that the

**PartialEval**and

**FinalEval**algorithms are always run by the servers and are expected to have the same computational cost. The

**PartialProof**algorithm is run either by the servers or the clients. In the VAHSS-HSS construction, the computation is low and is made by the servers, while, in the VAHSS-LHS, the execution is made by the clients and it is also low-cost. In the VAHSS-TSS solution,

**PartialProof**is run by a coalition of servers and the cost depends on the amount of the servers that can be considered in the computation. Next,

**FinalProof**is quite practical in all cases, but it is not particularly comparable since there are several parameters that can affect this cost. Finally, the verification process (

**Verify**) has the same computational cost for the first and third construction, while it is slightly heavier for the VAHSS-LHS construction.

#### 5.2. Prototype Analysis

**Sharesecret**,

**PartialEval**, and

**PartialProof**costs are represented by their median values. For instance, for the

**Sharesecret**algorithm, each client generates a random polynomial to be used for the shares’ generation and, since we consider 500 clients, we need to take into account their different costs. Thus, we get all of the timings and sort them in order to obtain the 250th element of the list. Similarly, we also obtain the median values for

**PartialEval**and

**PartialProof**. Table 7 illustrates the time in microseconds for 500 clients for the three different constructions.

**PartialEval**and

**PartialProof**algorithms in each of our constructions. More precisely, Figure 2a shows the VAHSS-HSS case, Figure 2b demonstrates the VAHSS-LHS case, while the VAHSS-TSS case is depicted in Figure 2c. The graphs show how the timing changes depending on the number of clients participating in the computation. Next, Figure 3 shows the time that is required for computing the

**Finalproof**in each of the constructions, representing again how the performance varies according to a different amount of clients. Finally, Figure 4 shows the timing for executing the

**Verify**algorithm given the outputs from each server and from the clients. We remind the reader that anyone may run the

**Verify**algorithm in order to check the correctness of the resulted y value and obtain y itself.

## 6. Discussion

**PartialEval**) and the partial proofs (

**PartialProof**) are generated and who performs each computation. For instance, in the VAHSS-HSS construction, clients are only needed to execute the

**Sharesecret**algorithm for generating m shares, and the rest of the computations (required to produce the sum y and the proof $\sigma $) are performed by the servers. Nevertheless, the VAHSS-LHS construction requires that each client deals with the

**Setup**,

**ShareSecret**, and

**PartialProof**algorithms. In fact, in this case, the clients are the ones that generate the partial proofs instead of the servers, utilizing their private RSA key. Moreover, in the VAHSS-TSS construction, the client runs the

**Setup**and

**ShareSecret**, while the servers deal with the execution of the other algorithms. Additionally, the VAHSS-TSS solution is based on a threshold signature sharing scheme and, as a result, a coalition of servers is required to perform the

**PartialProof**algorithm; not all of the m servers are needed.

**Application scenarios:**Mobile phones, wearables, and other Internet-of-Things (IoT) devices are all connected to distributed network systems. These devices generate a lot of data that often need to be aggregated to compute statistics, or even employed for user modeling and personalization of clients/users. For instance, a direct application of our constructions could be the measurement of electricity consumption (as well as water or gas consumption) in a specific region. More precisely, if we consider that each household in a specific region has an electricity consumption that is equal to ${x}_{i}$, then, by employing our proposed constructions, the electricity production company could check what is the required energy consumption (by computing the sum ${\sum}_{i=1}^{n}{x}_{i}$, where n denotes the number of households) in that specific region and adjust the electricity production accordingly. Furthermore, by employing the verifiability property, the electricity consumption company can detect possible leaks of faults in how the electrical energy is handled. In our prototype, we use the data on the consumption of electricity and, more precisely, the UC Irvine machine learning repository. Because this is one of the most representative settings, all three constructions are suitable to be employed in this application, depending on the resources of the employed sensors/clients in different households. If we consider that multiple companies are collaborating in this aggregation process, then the collected data could be aggregated by multiple servers that collaborate or not.

## 7. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## References

- Tsaloli, G.; Mitrokotsa, A. Sum It Up: Verifiable Additive Homomorphic Secret Sharing. In Information Security and Cryptology—ICISC 2019; Seo, J.H., Ed.; Springer International Publishing: Cham, Switzerland, 2020; pp. 115–132. [Google Scholar]
- Tsaloli, G.; Liang, B.; Mitrokotsa, A. Verifiable Homomorphic Secret Sharing. In Proceedings of the 12th International Conference on Provable Security, ProvSec 2018, Jeju, Korea, 25–28 October 2018; pp. 40–55. [Google Scholar] [CrossRef]
- Yao, H.; Wang, C.; Hai, B.; Zhu, S. Homomorphic Hash and Blockchain Based Authentication Key Exchange Protocol for Strangers. In Proceedings of the International Conference on Advanced Cloud and Big Data (CBD), Lanzhou, China, 12–15 August 2018; pp. 243–248. [Google Scholar] [CrossRef]
- Krohn, M.; Freedman, M.; Mazieres, D. On-the-fly verification of rateless erasure codes for efficient content distribution. In Proceedings of the IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 12 May 2004; pp. 226–240. [Google Scholar] [CrossRef]
- Catalano, D.; Marcedone, A.; Puglisi, O. Authenticating Computation on Groups: New Homomorphic Primitives and Applications. In Advances in Cryptology—ASIACRYPT 2014; Sarkar, P., Iwata, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2014; pp. 193–212. [Google Scholar]
- Bozkurt, İ.N.; Kaya, K.; Selçuk, A.A. Practical Threshold Signatures with Linear Secret Sharing Schemes. In Progress in Cryptology—AFRICACRYPT 2009; Preneel, B., Ed.; Springer: Berlin/Heidelberg, Germany, 2009; pp. 167–178. [Google Scholar]
- Shamir, A. How to share a secret. Commun. ACM
**1979**, 22, 612–613. [Google Scholar] [CrossRef] - Boyle, E.; Gilboa, N.; Ishai, Y. Group-Based Secure Computation: Optimizing Rounds, Communication, and Computation. In Advances in Cryptology—EUROCRYPT 2017; Springer International Publishing: Cham, Switzerland, 2017; Volume 10211, pp. 163–193. [Google Scholar] [CrossRef]
- Benaloh, J.C. Secret sharing homomorphisms: Keeping shares of a secret secret. In Conference on the Theory and Application of Cryptographic Techniques; Springer: Berlin, Germany, 1987. [Google Scholar]
- Boyle, E.; Gilboa, N.; Ishai, Y. Function Secret Sharing. In Advances in Cryptology—EUROCRYPT 2015; Springer: Berlin, Germany, 2015; Volume 9057, pp. 337–367. [Google Scholar] [CrossRef]
- Boyle, E.; Gilboa, N.; Ishai, Y. Function Secret Sharing: Improvements and Extensions. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security—CCS’16, Vienna, Austria, 24–28 October 2016; pp. 1292–1303. [Google Scholar] [CrossRef][Green Version]
- Damgård, I.; Pastro, V.; Smart, N.; Zakarias, S. Multiparty Computation from Somewhat Homomorphic Encryption. In Advances in Cryptology—CRYPTO 2012; Safavi-Naini, R., Canetti, R., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; pp. 643–662. [Google Scholar]
- Damgård, I.; Keller, M.; Larraia, E.; Pastro, V.; Scholl, P.; Smart, N.P. Practical Covertly Secure MPC for Dishonest Majority—Or: Breaking the SPDZ Limits. In Computer Security—ESORICS 2013; Crampton, J., Jajodia, S., Mayes, K., Eds.; Springer: Berlin/Heidelberg, Germany, 2013; pp. 1–18. [Google Scholar]
- Boyle, E.; Garg, S.; Jain, A.; Kalai, Y.T.; Sahai, A. Secure Computation against Adaptive Auxiliary Information. In Advances in Cryptology—CRYPTO 2013; Canetti, R., Garay, J.A., Eds.; Springer: Berlin/Heidelberg, Germany, 2013; pp. 316–334. [Google Scholar]
- Baum, C.; Damgård, I.; Orlandi, C. Publicly Auditable Secure Multi-Party Computation. In Security and Cryptography for Networks; Abdalla, M., De Prisco, R., Eds.; Springer International Publishing: Cham, Switzerland, 2014; pp. 175–196. [Google Scholar]
- Catalano, D.; Fiore, D.; Warinschi, B. Efficient Network Coding Signatures in the Standard Model. In Public Key Cryptography—PKC 2012; Fischlin, M., Buchmann, J., Manulis, M., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; pp. 680–696. [Google Scholar]
- Bellare, M.; Goldreich, O.; Goldwasser, S. Incremental Cryptography: The Case of Hashing and Signing. In Advances in Cryptology—CRYPTO ’94; Desmedt, Y.G., Ed.; Springer: Berlin/Heidelberg, Germany, 1994; pp. 216–233. [Google Scholar]
- Schabhüser, L.; Butin, D.; Buchmann, J. Context Hiding Multi-key Linearly Homomorphic Authenticators. In Topics in Cryptology—CT-RSA 2019; Matsui, M., Ed.; Springer International Publishing: Cham, Switzerland, 2019; pp. 493–513. [Google Scholar]
- Dorn, W.S. Generalizations of Horner’s rule for polynomial evaluation. IBM J. Res. Dev.
**1962**, 6, 239–245. [Google Scholar] [CrossRef]

**Figure 2.**Time for

**PartialEval**and

**PartialProof**in our constructions. (

**a**) Time for

**PartialEval**and

**PartialProof**in VAHSS-HSS. (

**b**) Time for

**PartialEval**and

**PartialProof**in VAHSS-LHS. (

**c**) Time for

**PartialEval**and

**PartialProof**in VAHSS-TSS.

**Figure 3.**Time for

**FinalProof**in our constructions. (

**a**) Time for the

**FinalProof**algorithm in VAHSS-HSS. (

**b**) Time for the

**FinalProof**algorithm in VAHSS-LHS. (

**c**) Time for the

**FinalProof**algorithm in VAHSS-TSS.

**Figure 4.**Time for running

**Verify**for each of our constructions. (

**a**) Time for the

**Verify**algorithm in VAHSS-HSS. (

**b**) Time for the

**Verify**algorithm in VAHSS-LHS. (

**c**) Time for the

**Verify**algorithm in VAHSS-TSS.

Secret Inputs (Held by the Clients) | Servers | Public Values | |||
---|---|---|---|---|---|

${\mathit{s}}_{1}$ | ${\mathit{s}}_{2}$ | ⋯ | ${\mathit{s}}_{\mathit{m}}$ | ||

${x}_{1}$ | ${x}_{11}$ | ${x}_{12}$ | ⋯ | ${x}_{1m}$ | ${\tau}_{1}$ |

${x}_{2}$ | ${x}_{21}$ | ${x}_{22}$ | ⋯ | ${x}_{2m}$ | ${\tau}_{2}$ |

⋮ | ⋮ | ⋮ | ⋮ | ⋮ | ⋮ |

${x}_{n}$ | ${x}_{n1}$ | ${x}_{n2}$ | ⋯ | ${x}_{nm}$ | ${\tau}_{n}$ |

Partial sums | ${y}_{1}$ | ${y}_{2}$ | ⋯ | ${y}_{m}$ | Total Sum: y |

Partial proofs | ${\sigma}_{1}$ | ${\sigma}_{2}$ | ⋯ | ${\sigma}_{m}$ | Final Proof: $\sigma $ |

Secret Inputs (Held by the Clients) | Servers | Public Values | |||
---|---|---|---|---|---|

${\mathit{s}}_{1}$ | ${\mathit{s}}_{2}$ | ⋯ | ${\mathit{s}}_{\mathit{m}}$ | $\mathit{v}\mathit{k}$ | |

${x}_{1}$, $sk$ | ${x}_{11}$ | ${x}_{12}$ | ⋯ | ${x}_{1m}$ | ${\sigma}_{1}$ |

${x}_{2}$, $sk$ | ${x}_{21}$ | ${x}_{22}$ | ⋯ | ${x}_{2m}$ | ${\sigma}_{2}$ |

⋮ | ⋮ | ⋮ | ⋮ | ⋮ | ⋮ |

${x}_{n}$, $sk$ | ${x}_{n1}$ | ${x}_{n2}$ | ⋯ | ${x}_{nm}$ | ${\sigma}_{n}$ |

Partial sums (public) | ${y}_{1}$ | ${y}_{2}$ | ⋯ | ${y}_{m}$ | Final proof (public) |

Total sum (public) | y | $\sigma $ |

Secret Inputs (Held by the Clients) | Public Values | Servers | ||||
---|---|---|---|---|---|---|

${\mathit{s}}_{1}$ | ${\mathit{s}}_{2}$ | ⋯ | ${\mathit{s}}_{\mathit{m}}$ | $\{{\mathit{s}}_{{\mathit{j}}_{1}},\mathit{\dots},{\mathit{s}}_{{\mathit{j}}_{\mathfrak{t}}}\}$ | ||

${x}_{1}$, ${d}_{1}$ | $H({x}_{1}+{R}_{1}),{e}_{1},{\mathcal{A}}_{1}$ | ${x}_{11}$, ${\omega}_{11}$ | ${x}_{12}$, ${\omega}_{12}$ | ⋯ | ${x}_{1m}$, ${\omega}_{1m}$ | ${\sigma}_{\mathbf{1}}$ |

${x}_{2}$, ${d}_{2}$ | $H({x}_{2}+{R}_{2}),{e}_{2},{\mathcal{A}}_{2}$ | ${x}_{21}$, ${\omega}_{21}$ | ${x}_{22}$, ${\omega}_{22}$ | ⋯ | ${x}_{2m}$, ${\omega}_{2m}$ | ${\sigma}_{\mathbf{2}}$ |

⋮ | ⋮ | ⋮ | ⋮ | ⋮ | ⋮ | ⋮ |

${x}_{n}$, ${d}_{n}$ | $H({x}_{n}+{R}_{n}),{e}_{n},{\mathcal{A}}_{n}$ | ${x}_{n1}$, ${\omega}_{n1}$ | ${x}_{n2}$, ${\omega}_{n2}$ | ⋯ | ${x}_{nm}$, ${\omega}_{nm}$ | ${\sigma}_{\mathit{n}}$ |

Partial sums (public) | ${y}_{1}$ | ${y}_{2}$ | ⋯ | ${y}_{m}$ | Final proof (public) | |

Total sum (public) | y | $\sigma $ |

**Table 4.**Number of operations of the VAHSS based on homomorphic hash functions (VAHSS-HSS) construction.

Operation | Addition | Multiplication | Exponentiation | Random Sampling | |
---|---|---|---|---|---|

Algorithm | |||||

ShareSecret (client) | $mt+m-1$ | − | $mt+m$ | $m-1$ | |

PartialEval (server) | $n-1$ | − | − | − | |

PartialProof (server) | $n-1$ | − | 1 | − | |

FinalEval | $m-1$ | − | − | − | |

FinalProof | − | $m-1$ | − | − | |

Verify | − | $n-1$ | 1 | − |

**Table 5.**Number of operations of the VAHSS based on linear homomorphic signatures (VAHSS-LHS) construction.

Operation | Addition | Multiplication | Exponentiation | Inverse Computation | Random Sampling | |
---|---|---|---|---|---|---|

Algorithm | ||||||

Setup (client) | − | − | − | − | $n+2$ | |

ShareSecret (client) | $mt+m-2$ | $mt+m-1$ | $m-2$ | − | − | |

PartialEval (server) | $n-1$ | − | − | − | − | |

PartialProof (client) | − | 3 | 4 | 1 | 1 | |

FinalEval | $m-1$ | − | − | − | − | |

FinalProof | n | $n+1$ | 1 | − | − | |

Verify | − | $n+1$ | 3 | − | − |

**Table 6.**Number of operations of the VAHSS based on threshold signature sharing (VAHSS-TSS) construction.

Operation | Addition | Multiplication | Exponentiation | Inverse Computation | Random Sampling | |
---|---|---|---|---|---|---|

Algorithm | ||||||

Setup (client) | − | − | − | 1 | 1 | |

ShareSecret (client) | $mt+m\mathfrak{t}-1$ | $mt+m\mathfrak{t}+m-1$ | $m-1$ | − | 1 | |

PartialEval (server) | $n-1$ | − | − | − | − | |

PartialProof (server) | − | $2\mathfrak{t}$ | $\mathfrak{t}$ | − | − | |

FinalEval | $m-1$ | − | − | − | − | |

FinalProof (server) | $\mathfrak{t}+n-2$ | $n+2$ | − | − | ||

Verify | − | $n-1$ | 1 | − | − |

Construction | VAHSS-HSS | VAHSS-LHS | VAHSS-TSS | |
---|---|---|---|---|

Algorithm | ||||

Setup | 0 ${}^{1}$ | 2540 | 310 | |

Sharesecret | 300 | 298 | 299 | |

PartialEval | 58 | 47 | 76 | |

PartialProof | 49 | 1072 | 24,293 | |

FinalEval ${}^{2}$ | 479 | 979 | 882 | |

Final Proof | 550 ${}^{3}$ | 537 | 17,192 | |

Verify | 147 | 9091 | 294 |

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Tsaloli, G.; Banegas, G.; Mitrokotsa, A. Practical and Provably Secure Distributed Aggregation: Verifiable Additive Homomorphic Secret Sharing. *Cryptography* **2020**, *4*, 25.
https://doi.org/10.3390/cryptography4030025

**AMA Style**

Tsaloli G, Banegas G, Mitrokotsa A. Practical and Provably Secure Distributed Aggregation: Verifiable Additive Homomorphic Secret Sharing. *Cryptography*. 2020; 4(3):25.
https://doi.org/10.3390/cryptography4030025

**Chicago/Turabian Style**

Tsaloli, Georgia, Gustavo Banegas, and Aikaterini Mitrokotsa. 2020. "Practical and Provably Secure Distributed Aggregation: Verifiable Additive Homomorphic Secret Sharing" *Cryptography* 4, no. 3: 25.
https://doi.org/10.3390/cryptography4030025