# Fair and Secure Multi-Party Computation with Cheater Detection

## Abstract

**:**

## 1. Introduction

#### Organization

## 2. Related Work

**Cheater Detection.**Detecting cheaters on the Internet has been an important issue, such as astroturfing detection [13,14,15], and a diversity of techniques concerning this matter have been proposed so far. Several studies have been carried out on cheater detection in secret sharing schemes [16,17,18,19]. The results of these techniques are only applicable to secret sharing schemes and thus may not be used to verify the correctness of the new shares computed by secure multi-party computation (SMC) protocol. Several SMC protocols that can detect malicious parties have been proposed so far. Damgård and Orlandi proposed an SMC protocol where every party broadcasts the computed final shares and checks its commitments following the computation of its own final shares [10]. Baum et al. proposed an SMC protocol with an additional audit algorithm [20]. Since the SPDZ protocol was proposed, several SMC protocols have been built on top of the SPDZ protocl to achieve cheater detection and identification [21,22]. Furthermore, there have been efforts to improve the efficiency of SMC protocols with identifiable abort [23]. However, neither of these protocols can prevent malicious parties from learning the final result of computation, whereas honest parties may not. In other words, malicious parties can only be detected following the broadcast of the final shares or the reconstruction of the final output. In such a case, a malicious party can broadcast an incorrect value and obtain all correct final shares of the honest parties as well as its own. The malicious party would then be the only one that can reconstruct the correct output of the computation.**Fair and Secure Multi-party Computation.**It is known that any functionality can be fairly computed in the case of honest majority [24,25,26,27]. However, fairness is impossible to be guaranteed with corrupted majority [28]. Consequently, a number of definitions of security do not consider fairness, even in a Universal Composability (UC) framework, or only consider partial fairness [29,30,31,32]. To overcome this impossibility result, a few approaches to achieve fairness have been proposed. The gradual release approach makes parties take turns releasing their outputs in each round [33,34,35]. However, this approach is still somewhat unfair. Another approach involves employing semi-trusted third parties or physical assumptions [36,37,38]. As part of this approach, a technique using Bitcoin has been proposed [39,40]. It was recently shown that fair, secure, multi-party computation can be achieved by applying a multi-party fair exchange protocol to any SMC protocol [41]. Moreover, several results have been insisted on the possibility of utilizing reputation systems [42], public bulletin boards [43], and trusted hardware [44] to achieve fairness.**Secure Multi-party Computation in Smart Grid.**A number of studies on privacy-preserving aggregation of information for metering or billing have been conducted [45,46,47,48,49,50]. SMC techniques have recently been applied to smart grids to preserve user privacy [7,8]. The protocol proposed in [7] can be applied to smart grids but requires that all participating parties decrypt the final output together in an interactive manner. In [8], Clark and Hopkinson proposed an optimized SMC protocol called transferable multi-party computation (T-MPC) for smart grid networks. To improve efficiency and scalability, T-MPC allows small groups of users to compute the local results of sub-functions. However, it is unable to detect malicious parties and guarantee fairness at the same time.**Implementations of Secure Multi-party Computation.**Implementation and compiler design of SMC is an active area of research. In the early days of research, compilers were developed that convert code written in a high-level language called secure function definition language (SFDL) into a circuit representation (e.g., FairplayMP [3], VIFF [5], SEPIA [6]). Since then, research has been underway for implementations that are more suitable for real-world applications, that is, fast enough to evaluate complex functions and large data sets. For secure two-party computation, most protocols have been designed using circuit garbling [51], such as ABY [52], EzPC [53], and ABY2.0 [54]. For true multi-party computation, a variety of compilers that execute SMC in arbitrary functions have been developed, and representative examples include PICCO [55,56] and MP-SPDZ [57].

#### Contributions

## 3. Preliminaries

#### 3.1. Secure Multi-Party Computation

#### 3.1.1. Addition

#### 3.1.2. Multiplication

#### 3.2. Public-Key Broadcast Encryption

**Setup****(n).**- Takes as input the number of receivers n and outputs a public key $PK$ as well as n private keys ${d}_{1},\dots ,{d}_{n}$.
**Encrypt****(S, PK).**- Takes a subset $S\subseteq \{1,\dots ,n\}$ and a public key $PK$ as input, and outputs a pair $(Hdr,K)$, where $Hdr$ is the header and $K\in \mathcal{K}$ is a message encryption key. We often refer to $Hdr$ as the broadcast ciphertext.Let M be a message to be broadcasted to set S and ${C}_{M}$ be the encryption of M under symmetric key K. A sender broadcasts $(S,Hdr,{C}_{M})$ to users in S, where the pair $(S,Hdr)$ is often called the full header and ${C}_{M}$ is often called the broadcast body.
**Decrypt****(**${\mathit{d}}_{\mathit{i}},\mathit{S},\mathit{Hdr},\mathit{PK}$**).**- Takes as input private key ${d}_{i}$ for user i, a subset $S\in \{1,\dots ,n\}$, a header $Hdr$, and the public key $PK$. If user i is in S, the algorithm outputs the message encryption key $K\in \mathcal{K}$, which is used to decrypt broadcast body ${C}_{M}$ and obtain message M.

#### 3.3. Non-Interactive Zero Knowledge

**Prove.**- Takes as input $(x,w)$ if $(x,w)\notin R$ outputs ⊥. Otherwise, it outputs $(x,\pi )$, where $\pi $ is proof of the statement that $(x,w)\in R$.
**Verify.**- Takes as input $(x,\pi )$ and outputs 1 to accept the proof. Otherwise, it outputs 0.

#### 3.4. Universally Composable Security

**A**. The notion of emulation in the UC framework is considerably stronger than that in the real–ideal security model because the adversarial entity, called the environment

**Z**, is additionally adopted. The environment

**Z**generates the inputs of all parties, reads all outputs, and interacts with the adversary

**A**in an arbitrary manner throughout the computation. A protocol is said to securely realize a given ideal functionality $\mathcal{F}$ if, for any adversary

**A**, there exists an “ideal-process adversary”

**S**such that no environment

**Z**can tell whether it is interacting with

**A**and parties executing the protocol, or with

**S**and parties interacting with $\mathcal{F}$ in the ideal process. In a sense,

**Z**here serves as an “interactive distinguisher” between a run of the protocol in the real world and the process with access to $\mathcal{F}$ in the ideal world. In summary, a protocol is UC secure if, for every real-world adversary

**A**, there exists an ideal-world adversary (simulator)

**S**such that the environment

**Z**cannot distinguish between a real execution with

**A**and an ideal execution with

**S**.

## 4. Definitions

#### 4.1. Notation

**Definition**

**1.**

#### 4.2. UC-Secure Fair Multi-Party Computation

**Real World:**Let P be a set of n parties, $P={P}_{C}\bigcup {P}_{H}$. It consists of an adversary

**A**that compromises the set ${P}_{C}$ of $m(m<n)$ corrupted parties, the set ${P}_{H}$ of remaining honest parties, and a server that detects malicious behavior during the execution of the protocol. The pair of outputs of the honest parties $\in {P}_{H}$ and

**A**in the real execution of the protocol $\pi $, employing the server, is denoted by ${\mathrm{REAL}}_{\pi ,\mathbf{Server},\mathbf{A}\left(aux\right),\mathbf{Z}}(\lambda ,z,{x}_{1},{x}_{2},\dots ,{x}_{n})$, where ${\left\{{x}_{i}\right\}}_{1\le i\le n}$ are the private inputs of each party, $aux$ is an auxiliary input of

**A**, $\lambda $ is the security parameter, and z is the input of the environment.

**Ideal World:**It consists of an adversary

**S**that controls the set ${P}_{C}$, the set ${P}_{H}$ of remaining honest parties, and the ideal functionality $\mathcal{F}$ (not the server). $\mathcal{F}$ receives inputs ${\left\{{x}_{i}\right\}}_{\{i\in {P}_{C}\}}$ or the message $\mathrm{ABORT}$ from

**S**and ${\left\{{x}_{j}\right\}}_{\{j\in {P}_{H}\}}$ from the honest parties.

- If the inputs are invalid or
**S**sends the message $\mathrm{ABORT}$, $\mathcal{F}$ sends ⊥ to all parties and halts. - Otherwise, $\mathcal{F}$ computes $\varphi ({x}_{1},\dots ,{x}_{n})=\left(\right)open="("\; close=")">{\varphi}_{1}({x}_{1},\dots ,{x}_{n}),\dots ,{\varphi}_{n}({x}_{1},\dots ,{x}_{n})$. Let ${\varphi}_{i}={\varphi}_{i}({x}_{1},\dots ,{x}_{n})$ be the i-th output. Then, $\mathcal{F}$ sends ${\left\{{\varphi}_{i}\right\}}_{\{i\in {P}_{C}\}}$ to
**S**and ${\left\{{\varphi}_{j}\right\}}_{\{j\in {P}_{H}\}}$ to the corresponding honest parties.

**S**, where $\mathcal{F}$ computes $\varphi $, is denoted by ${\mathrm{IDEAL}}_{\mathcal{F},\mathbf{S}\left(aux\right),\mathbf{Z}}(\lambda ,z,{x}_{1},{x}_{2},\dots ,{x}_{n})$, where ${x}_{1},{x}_{2},\dots ,{x}_{n}$, $aux,\lambda $, and z are as above.

**Definition**

**2 (UC-secure Fair Multi-party Computation).**

**fairly and securely**if, for every non-uniform PPT real-world adversary

**A**attacking π, there exists a non-uniform PPT ideal world simulator

**S**such that for every ${x}_{1},{x}_{2},\dots ,{x}_{n}$, $\lambda \in {\{0,1\}}^{\ast}$, the environment

**Z**with input z cannot distinguish between a real execution with

**A**and an ideal execution with

**S**:

## 5. FSMC Protocol with Cheater Detection

**Prove**with the following relation R:

#### 5.1. Setup

#### 5.2. Offline Phase

**Setup**, the values to be used for commitments are generated. These values are used in

**Compute.Send**in the online phase to generate commitments and

**Output**in the online phase to verify them. In

**RandomValues**, the values used to divide each party’s secret into shares are generated. These values are used in the

**Input**of the online phase. In

**Triples**, the multiplication triples and their commitments are generated. The multiplication triples are used in

**Compute.Multiply**in the online phase to compute multiplications with minimal interaction. The commitments are used in

**Output**in the online phase to detect malicious parties.

#### 5.3. Online Phase

**Initialize**, the parties obtain some pre-computed values through the functionalities, which are subsequently used to calculate a predefined circuit during the online phase of this protocol. Furthermore, the server obtains the commitments through the functionality which are used to detect malicious parties. In

**Input**, each party creates the initial shares of its secret value and sends them to the other parties. Each party also obtains the shares of every other party. In

**Compute**, all parties calculate the circuit and send the encrypted final shares, which are used to reconstruct the output of the computation, to the server. They also create some additional values to guarantee the fairness of this protocol. In

**Output**, the server checks the validity of the final shares sent by all parties. If there is no malicious party, the server sends all encrypted final shares to each party. Otherwise, the server notifies the honest parties of the existence of the malicious party.

## 6. Security in the Online Phase

**A**, there exists a simulator ${\mathcal{S}}_{ONLINE}$ that makes protocol ${\prod}_{FSMC}$ indistinguishable from the functionality ${\mathcal{F}}_{SMC}$ to the polynomial–time environment

**Z**.

**Theorem**

**1.**

**Proof.**

**Z**. For

**Initialize**, the simulator and the corrupted parties perform the same steps as in ${\prod}_{FSMC}$. During

**Input**, the corrupted parties execute

**Input**in ${\prod}_{FSMC}$ while a simulator simulates the honest parties with their inputs set to 0. The simulator extracts the input values of the corrupted parties from ∏ and sends them to ${\mathcal{F}}_{SMC}$. Moreover, the honest parties send their input values to ${\mathcal{F}}_{SMC}$. In view of environment

**Z**, since the shares of each party’s input value are uniformly random and do not reveal any information regarding the input values, this stage,

**input**, is indistinguishable from real execution.

**Compute**, the simulator and the corrupted parties execute

**Compute.Add**and

**Compute.Multiply**in the same manner as in ${\prod}_{FSMC}$. For

**Compute.send**, the simulator generates final shares of the simulated honest parties for ∏ as follows: first, the simulator computes the output of ∏, ${y}^{\prime}$, using all inputs from both corrupted and honest parties for ∏. Second, for any party ${P}_{i}$ of the simulated honest parties, it modifies the final share of ${P}_{i}$ by adding the value $(y-{y}^{\prime})$. For all honest parties except ${P}_{i}$, the simulator keeps their final values intact. The distribution of the shares of simulated honest parties is the same as in a real execution of the protocol. Finally, the simulator executes Step 1 of

**Compute.send**in ${\prod}_{FSMC}$ with the modified final shares of the simulated honest parties. The corrupted parties execute the same steps as in

**Compute.send**in ${\prod}_{FSMC}$. Furthermore, if

**Z**decides to stop the execution, a simulator ${\mathcal{S}}_{ONLINE}$ forwards this to the ideal functionality ${\mathcal{F}}_{SMC}$. As in the real execution,

**Z**will not obtain any additional information.

**Output**, the simulator acts as a server in the real world. It executes

**Output**in ${\prod}_{FSMC}$ with the corrupted parties. The simulator performs Steps 1 to 3 with values sent from the corrupted parties in

**Compute.Send**. For Step 4, if any failures occur in Steps 2 or 3, the simulator outputs ⊥. Otherwise, it sends the ciphertexts of all final shares in ∏ to the corrupted parties.

**A**can cheat is negligible in real protocol execution. If

**A**is able to generate a commitment with a random value, R, which can pass the verification, this random value is verified as a correct value in the

**Output**stage. Following this, if

**A**generates the ciphertext of R and the non-interactive zero-knowledge proof with respect to the ciphertext, the server has no choice but to verify R as a correct final share. However, since the DLP is hard in G, it is nearly impossible for

**A**to generate faulty commitments that can pass verification. Therefore, the probability that

**A**can cheat in real protocol execution is negligible. □

## 7. Application

#### 7.1. Applying FSMC Protocol to the Smart Grid

#### 7.1.1. System Setup

**Step 1.**Choose $g\in G$ and $s\in {\mathbb{Z}}_{p}^{\ast}$. Set $h={g}^{s}$ and send $g,h$ to every $S{M}_{i}$. These values are used to compute commitment.**Step 2.**Choose uniformly random ${\mathbf{r}}_{i}\leftarrow {\mathbb{Z}}_{p}^{n}$ and send these values to each $S{M}_{i}$. These values are used to share the secret input of each $S{M}_{i}$.**Step 3.**Choose ${a}_{i},{b}_{i},{c}_{i}\in {\mathbb{Z}}_{p}^{m}$ such that $a=b\xb7c$, where $a={\sum}_{j=1}^{n}{a}_{i},b={\sum}_{j=1}^{n}{b}_{i},$ and $c={\sum}_{j=1}^{n}{c}_{i}$. Send the triple $({a}_{i},{b}_{i},{c}_{i})$ to each $S{M}_{i}$. These values are used as multiplication triples.**Step 4.**Create the commitments of the multiplication triples, $[Com\left({a}_{i}\right),Com\left({b}_{i}\right),$$Com\left({c}_{i}\right)]$ and send them to $GW$. These are used to detect malicious $S{M}_{i}$ in the Secure Data Retrieval phase. $(Com\left(x\right)=\left(\right)open="("\; close=")">{g}^{x}{h}^{r}$ where r is a random value).

#### 7.1.2. User Data Sharing

**Step 1.**$\u27e6r\u27e7$ is privately opened as r to $S{M}_{i}$, where $\u27e6\mathbf{r}\u27e7\leftarrow $$({\mathbf{r}}_{1},\dots ,{\mathbf{r}}_{n})$.**Step 2.**Broadcast ${\u03f5}_{i}={x}_{i}-r$, where ${x}_{i}$ is the metering data for each $S{M}_{i}$.**Step 3.**Compute $\u27e6{x}_{i}\u27e7=\u27e6r\u27e7+{\u03f5}_{i}$ locally, where $\u27e6{x}_{i}\u27e7$ is the share of ${x}_{i}$ for each $S{M}_{i}$.**Step 4.**Create the commitments of all shares, $Com\left(\right)open="("\; close=")">\u27e6{x}_{i}\u27e7$, and send them to $GW$. These commitments are used to detect malicious $S{M}_{i}$ in the Secure Data Retrieval phase.

#### 7.1.3. Privacy-Preserving Data Aggregation

**Step 1.**Run**Compute.Add**and**Compute.Multiply**in ${\prod}_{FSMC}$ to compute the final share of the output for computation.**Step 2.**Encrypt the final share using a PKBE scheme under the recipient set, including all $S{M}_{i}(i\in n)$, and the $utility$ in a local area.**Step 3.**Create the commitments and the non-interactive zero-knowledge proof as in**Compute.Send**of ${\prod}_{FSMC}$. Send them to $GW$.

**Step 1**, each $S{M}_{i}$ computes the final share for the output of the pre-defined computation. The final share of any statistical function, not merely the sum or the standard deviation, can be computed. In

**Step 2**, each $S{M}_{i}$ encrypts the final share. Since the ciphertexts of the final shares are encrypted under the recipient set, including all the $S{M}_{i}(i\in n)$ and the $utility$ only, $GW$ is unable to obtain any information regarding the final shares. In

**Step 3**, each $S{M}_{i}$ creates the values used to detect the malicious $S{M}_{j}$ in the Secure Data Retrieval phase and guarantee the fairness of the protocol.

#### 7.1.4. Secure Data Retrieval

**Step 1.**Follow Step 1 of**Output**in ${\prod}_{FSMC}$ to verify the commitments sent from each $S{M}_{i}$.**Step 2.**Verify the non-interactive zero-knowledge proof sent from each $S{M}_{i}$.**Step 3.**- –
- If all verifications yield true, send all ciphertexts sent from each $S{M}_{i}$ in the Privacy-preserving Data Aggregation phase to all $S{M}_{i}(i\in n)$ and the $utility$ in a local area.
- –
- Otherwise, notify each honest $S{M}_{i}$ of malicious $S{M}_{j}(j\ne i)$s identities.

**Step 1.**- –
- If there is no malicious $S{M}_{i}$, decrypt the ciphertexts from $GW$ and reconstruct the output using the final shares.
- –
- Otherwise, restart the protocol from the beginning excluding malicious $S{M}_{j}$.

#### 7.2. Analysis

#### 7.2.1. Improving Efficiency (in terms of **Average**)

**Secure Data Retrieval**In order to detect the malicious $S{M}_{j}$, $GW$ executes the following steps:- –
**Step 1.**Follow Step 1 of**Output**in ${\prod}_{FSMC}$ to verify the commitments sent from each $S{M}_{i}$.- –
**Step 2.**Verify the non-interactive zero-knowledge proof sent by each $S{M}_{i}$.- –
**Step 3.**- ∗
- If all verification outputs are true, send all ciphertexts sent by each $S{M}_{i}$ in the Privacy-preserving Data Aggregation phase to all $S{M}_{i}(i\in n)$ and the $utility$ in a local area.
- ∗
- Otherwise, notify each honest $S{M}_{i}$ of the identities of the malicious $S{M}_{j}(j\ne i)$s.

If there is no malicious $S{M}_{j}$, each $S{M}_{i}$ decrypts the ciphertexts sent by $GW$ and reconstructs the average by adding all final shares. If there exists at least one malicious $S{M}_{j}$, each honest $S{M}_{i}$ executes the following steps:(Let ${P}_{C}$ be the set of identities of the malicious $S{M}_{j}$.)- –
**Step 1.**Compute ${s}_{i}^{\prime}=n\xb7{s}_{i}-{\sum}_{j\in {P}_{C}}{x}_{j,i}+{\sum}_{j\in {P}_{C}}{x}_{i,j}$, where ${s}_{i}$ is a final share of $S{M}_{i}$ computed prior to detection and ${x}_{j,i}$ is an initial share that $S{M}_{j}$ assigned to $S{M}_{i}$.- –
**Step 2.**Set the new final share ${s}_{i}^{\u2033}=\frac{1}{n-k}\xb7{s}_{i}^{\prime}$, where $k=|{P}_{C}|$.- –
**Step 3.**Create the commitment of its new final share, ${s}_{i}^{\u2033}$, and the non-interactive zero-knowledge proof as in**Compute.Send**of ${\prod}_{FSMC}$. Send these to $GW$.

This phase should be repeated until no malicious party exists. Once $GW$ detects a malicious $S{M}_{j}$, each honest $S{M}_{i}$locally executes additional computations to generate the new final share. From the previously computed final share, each honest $S{M}_{i}$ removes shares ${x}_{j,i}$, which were provided by the malicious $S{M}_{j}$, and adds shares ${x}_{i,j}$, provided to the malicious $S{M}_{j}$. Since the parts related to the malicious $S{M}_{j}$ are removed through this process, the new final share ${s}_{i}^{\u2033}$ is correct for all honest $S{M}_{i}$.

**Initialize**,

**Input**, and

**Compute**phase are the same as in the original protocol ${\prod}_{FSMC}$. Figure 9 represents the

**Output**phase in the enhanced version of the FSMC protocol for computing the average.

#### 7.2.2. Efficiency Analysis

**One detection: k malicious users**In this case, we compare the computational overhead of two protocols when detection occurs only once and k malicious $S{M}_{j}$ are detected. The number of generating commitments and computing addition operations are listed in Table 1, where n is the number of smart meters. According to the experimental results, a single addition operation in ${\mathbb{Z}}_{p}$ and a single commitment generation cost 0.0004 ms $\left({\mathcal{T}}_{add}\right)$ and 397.3102 ms $\left({\mathcal{T}}_{com}\right)$, respectively. Since the User Data Sharing phase is not required during re-computation in the enhanced version of the protocol, only the Privacy-preserving Data Aggregation phase influences the computational cost of the enhanced version.The computational cost of original protocol depends on both k and n. We show the variation in computational overhead in terms of both k and n in Figure 10a. Given that n is fixed, the greater the value of k, the smaller the computational cost of the protocol. On the contrary, computational cost of the enhanced version of the protocol depends only on k. We thus depict the difference in computational overhead between two protocols in terms of k in Figure 10b, given that n = 1000. From the figure, we see that the enhanced version is more efficient until k becomes approximately 999.99. This means that the enhanced version of the protocol is more efficient than the original one, excluding the case where all smart meters are detected as malicious.

**One malicious user: k detection**In this case, we compare the computation overhead of two protocols when detection occurs k times and one malicious $S{M}_{j}$ is detected at a time. The number of generating commitments and computing addition operations is listed in Table 2, where n is the number of smart meters. (As above, ${\mathcal{T}}_{add}$ = 0.0004 ms and ${\mathcal{T}}_{com}$ = 397.3102 ms.)We show the variation in computational costs of the original protocol in terms of both k and n in Figure 11a, where detection occurs k times and only one malicious $S{M}_{j}$ is detected at a time. Given that n is fixed, the greater the value of k, the greater the computational cost of the protocol. On the contrary, computational cost of the enhanced version of the protocol depends only on k. We thus depict the difference in computational overhead between two protocols in terms of k in Figure 11b, given that n = 1000. From the figure, we see that the enhanced version of the protocol is more efficient than the original one in all cases.

## 8. Conclusions and Future Research Directions

## Author Contributions

## Funding

## Conflicts of Interest

## References

- Naor, M.; Pinkas, B.; Sumner, R. Privacy Preserving Auctions and Mechanism Design. In Proceedings of the 1st ACM Conference on Electronic Commerce, Denver, CO, USA, 3–5 November 1999; EC’99. pp. 129–139. [Google Scholar]
- Bogetoft, P.; Christensen, D.; Damgård, I.; Geisler, M.; Jakobsen, T.; Krøigaard, M.; Nielsen, J.; Nielsen, J.; Nielsen, K.; Pagter, J.; et al. Secure Multiparty Computation Goes Live. In Financial Cryptography and Data Security; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2009; Volume 5628, pp. 325–343. [Google Scholar]
- Ben-David, A.; Nisan, N.; Pinkas, B. FairplayMP: A system for secure multi-party computation. In Proceedings of the 15th ACM Conference on Computer and Communications Security, New York, NY, USA, 27–31 October 2008; pp. 257–266. [Google Scholar]
- Bogdanov, D.; Laur, S.; Willemson, J. Sharemind: A framework for fast privacy-preserving computations. In European Symposium on Research in Computer Security; Springer: Berlin/Heidelberg, Germany, 2008; pp. 192–206. [Google Scholar]
- Damgård, I.; Geisler, M.; Krøigaard, M.; Nielsen, J.B. Asynchronous multiparty computation: Theory and implementation. In International Workshop on Public Key Cryptography; Springer: Berlin/Heidelberg, Germany, 2009; pp. 160–179. [Google Scholar]
- Burkhart, M.; Strasser, M.; Many, D.; Dimitropoulos, X. SEPIA: Privacy-preserving aggregation of multi-domain network events and statistics. Network
**2010**, 1, 15–32. [Google Scholar] - Peter, A.; Tews, E.; Katzenbeisser, S. Efficiently Outsourcing Multiparty Computation Under Multiple Keys. IEEE Trans. Inf. Forensics Secur.
**2013**, 8, 2046–2058. [Google Scholar] [CrossRef] [Green Version] - Clark, M.; Hopkinson, K. Transferable Multiparty Computation With Applications to the Smart Grid. IEEE Trans. Inf. Forensics Secur.
**2014**, 9, 1356–1366. [Google Scholar] [CrossRef] - Kerschbaum, F. Adapting Privacy-Preserving Computation to the Service Provider Model. In Proceedings of the CSE’09, International Conference on Computational Science and Engineering, Vancouver, BC, Canada, 29–31 August 2009; Volume 3, pp. 34–41. [Google Scholar]
- Damgård, I.; Orlandi, C. Multiparty Computation for Dishonest Majority: From Passive to Active Security at Low Cost. In Advances in Cryptology-CRYPTO 2010; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2010; Volume 6223, pp. 558–576. [Google Scholar]
- Hirt, M.; Tschudi, D. Efficient General-Adversary Multi-Party Computation. In Advances in Cryptology-ASIACRYPT 2013; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2013; Volume 8270, pp. 181–200. [Google Scholar]
- Damgård, I.; Pastro, V.; Smart, N.; Zakarias, S. Multiparty Computation from Somewhat Homomorphic Encryption. In Advances in Cryptology-CRYPTO 2012; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7417, pp. 643–662. [Google Scholar]
- Peng, J.; Choo, R.K.K.; Ashman, H. Astroturfing detection in social media: Using binary n-gram analysis for authorship attribution. In Proceedings of the 2016 IEEE Trustcom/BigDataSE/ISPA, Tianjin, China, 23–26 August 2016; pp. 121–128. [Google Scholar]
- Mahbub, S.; Pardede, E.; Kayes, A.; Rahayu, W. Controlling astroturfing on the internet: A survey on detection techniques and research challenges. Int. J. Web Grid Serv.
**2019**, 15, 139–158. [Google Scholar] [CrossRef] - Mahbub, S.; Pardede, E.; Kayes, A. Detection of Harassment Type of Cyberbullying: A Dictionary of Approach Words and Its Impact. Secur. Commun. Netw.
**2021**, 2021. [Google Scholar] [CrossRef] - Cabello, S.; Padro, C.; Saez, G. Secret Sharing Schemes with Detection of Cheaters for a General Access Structure. Des. Codes Cryptogr.
**2002**, 25, 175–188. [Google Scholar] [CrossRef] - Araki, T. Efficient (k,n) Threshold Secret Sharing Schemes Secure Against Cheating from n–1 Cheaters. In Information Security and Privacy; Lecture Notes in Computer Science; Pieprzyk, J., Ghodosi, H., Dawson, E., Eds.; Springer: Berlin/Heidelberg, Germany, 2007; Volume 4586, pp. 133–142. [Google Scholar]
- Harn, L.; Lin, C. Detection and identification of cheaters in (t, n) secret sharing scheme. Des. Codes Cryptogr.
**2009**, 52, 15–24. [Google Scholar] [CrossRef] - Obana, S. Almost Optimum t-Cheater Identifiable Secret Sharing Schemes. In Advances in Cryptology-EUROCRYPT 2011; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2011; Volume 6632, pp. 284–302. [Google Scholar]
- Baum, C.; Damgård, I.; Orlandi, C. Publicly Auditable Secure Multi-Party Computation. In Security and Cryptography for Networks; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2014; Volume 8642, pp. 175–196. [Google Scholar]
- Spini, G.; Fehr, S. Cheater detection in SPDZ multiparty computation. In International Conference on Information Theoretic Security; Springer: Berlin/Heidelberg, Germany, 2016; pp. 151–176. [Google Scholar]
- Cunningham, R.; Fuller, B.; Yakoubov, S. Catching MPC cheaters: Identification and openability. In International Conference on Information Theoretic Security; Springer: Berlin/Heidelberg, Germany, 2017; pp. 110–134. [Google Scholar]
- Baum, C.; Orsini, E.; Scholl, P.; Soria-Vazquez, E. Efficient constant-round MPC with identifiable abort and public verifiability. In Annual International Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 2020; pp. 562–592. [Google Scholar]
- Goldreich, O.; Micali, S.; Wigderson, A. How to Play ANY Mental Game. In Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, New York, NY, USA, 25–27 May 1987; STOC’87. pp. 218–229. [Google Scholar]
- Ben-Or, M.; Goldwasser, S.; Wigderson, A. Completeness Theorems for Non-cryptographic Fault-tolerant Distributed Computation. In Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, Chicago, IL, USA, 2–4 May 1988; STOC’88. pp. 1–10. [Google Scholar]
- Chaum, D.; Crépeau, C.; Damgard, I. Multiparty Unconditionally Secure Protocols. In Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, Chicago, IL, USA, 2–4 May 1988; STOC’88. pp. 11–19. [Google Scholar]
- Rabin, T.; Ben-Or, M. Verifiable Secret Sharing and Multiparty Protocols with Honest Majority. In Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, Seattle, WA, USA, 14–17 May 1989; STOC’89. pp. 73–85. [Google Scholar]
- Cleve, R. Limits on the Security of Coin Flips when Half the Processors Are Faulty. In Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, Berkeley, CA, USA, 28–30 May 1986; STOC’86. pp. 364–369. [Google Scholar]
- Beaver, D.; Goldwasser, S. Multiparty Computation with Faulty Majority. In Advances in Cryptology-CRYPTO 1989; Lecture Notes in Computer Science; Springer: New York, NY, USA, 1990; Volume 435, pp. 589–590. [Google Scholar]
- Goldwasser, S.; Levin, L. Fair Computation of General Functions in Presence of Immoral Majority. In Advances in Cryptology-CRYPTO 1990; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 1991; Volume 537, pp. 77–93. [Google Scholar]
- Fitzi, M.; Gottesman, D.; Hirt, M.; Holenstein, T.; Smith, A. Detectable Byzantine Agreement Secure Against Faulty Majorities. In Proceedings of the Twenty-First Annual Symposium on Principles of Distributed Computing, Monterey, CA, USA, 21–24 July 2002; PODC’02. pp. 118–126. [Google Scholar]
- Goldwasser, S.; Lindell, Y. Secure Computation without Agreement. In Distributed Computing; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2002; Volume 2508, pp. 17–32. [Google Scholar]
- Even, S.; Goldreich, O.; Lempel, A. A Randomized Protocol for Signing Contracts. Commun. ACM
**1985**, 28, 637–647. [Google Scholar] [CrossRef] - Boneh, D.; Naor, M. Timed Commitments. In Advances in Cryptology-CRYPTO 2000; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2000; Volume 1880, pp. 236–254. [Google Scholar]
- Garay, J.; MacKenzie, P.; Prabhakaran, M.; Yang, K. Resource Fairness and Composability of Cryptographic Protocols. In Theory of Cryptography; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2006; Volume 3876, pp. 404–428. [Google Scholar]
- Asokan, N.; Shoup, V.; Waidner, M. Optimistic fair exchange of digital signatures. In Advances in Cryptology-EUROCRYPT’98; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 1998; Volume 1403, pp. 591–606. [Google Scholar]
- Cachin, C.; Camenisch, J. Optimistic Fair Secure Computation. In Advances in Cryptology-CRYPTO 2000; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2000; Volume 1880, pp. 93–111. [Google Scholar]
- Lepinski, M.; Micali, S.; Peikert, C.; Shelat, A. Completely Fair SFE and Coalition-safe Cheap Talk. In Proceedings of the Twenty-third Annual ACM Symposium on Principles of Distributed Computing, St. John’s, NL, Canada, 25–28 July 2004; PODC’04. pp. 1–10. [Google Scholar]
- Andrychowicz, M.; Dziembowski, S.; Malinowski, D.; Mazurek, L. Secure Multiparty Computations on Bitcoin. In Proceedings of the 2014 IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 18–21 May 2014; SP ’14. pp. 443–458. [Google Scholar]
- Bentov, I.; Kumaresan, R. How to Use Bitcoin to Design Fair Protocols. In Advances in Cryptology-CRYPTO 2014; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8617, pp. 421–439. [Google Scholar]
- Kılınç, H.; Küpçü, A. Optimally Efficient Multi-Party Fair Exchange and Fair Secure Multi-Party Computation. In Topics in Cryptology-CT-RSA 2015; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2015; Volume 9048, pp. 330–349. [Google Scholar]
- Asharov, G.; Lindell, Y.; Zarosim, H. Fair and Efficient Secure Multiparty Computation with Reputation Systems. In Advances in Cryptology-ASIACRYPT 2013; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2013; Volume 8270, pp. 201–220. [Google Scholar]
- Choudhuri, A.R.; Green, M.; Jain, A.; Kaptchuk, G.; Miers, I. Fairness in an unfair world: Fair multiparty computation from public bulletin boards. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA, 30 October–3 November 2017; pp. 719–728. [Google Scholar]
- Paul, S.; Shrivastava, A. Efficient fair multiparty protocols using Blockchain and trusted hardware. In International Conference on Cryptology and Information Security in Latin America; Springer: Berlin/Heidelberg, Germany, 2019; pp. 301–320. [Google Scholar]
- Li, F.; Luo, B.; Liu, P. Secure Information Aggregation for Smart Grids Using Homomorphic Encryption. In Proceedings of the 2010 First IEEE International Conference on Smart Grid Communications (SmartGridComm), Gaithersburg, MD, USA, 4–6 October 2010; pp. 327–332. [Google Scholar]
- Kursawe, K.; Danezis, G.; Kohlweiss, M. Privacy-Friendly Aggregation for the Smart-Grid. In Privacy Enhancing Technologies; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2011; Volume 6794, pp. 175–191. [Google Scholar]
- Lu, R.; Liang, X.; Li, X.; Lin, X.; Shen, X. EPPA: An Efficient and Privacy-Preserving Aggregation Scheme for Secure Smart Grid Communications. IEEE Trans. Parallel Distrib. Syst.
**2012**, 23, 1621–1631. [Google Scholar] - Yang, L.; Xue, H.; Li, F. Privacy-preserving data sharing in Smart Grid systems. In Proceedings of the 2014 IEEE International Conference on Smart Grid Communications (SmartGridComm), Venice, Italy, 3–6 November 2014; pp. 878–883. [Google Scholar]
- Mustafa, M.A.; Cleemput, S.; Aly, A.; Abidin, A. An MPC-based protocol for secure and privacy-preserving smart metering. In Proceedings of the 2017 IEEE PES Innovative Smart Grid Technologies Conference Europe (ISGT-Europe), Turin, Italy, 26–29 September 2017; pp. 1–6. [Google Scholar]
- Mustafa, M.A.; Cleemput, S.; Aly, A.; Abidin, A. A secure and privacy-preserving protocol for smart metering operational data collection. IEEE Trans. Smart Grid
**2019**, 10, 6481–6490. [Google Scholar] [CrossRef] [Green Version] - Yao, A.C.C. How to generate and exchange secrets. In Proceedings of the 27th Annual Symposium on Foundations of Computer Science (sfcs 1986), Toronto, ON, Canada, 27–29 October 1986; pp. 162–167. [Google Scholar]
- Demmler, D.; Schneider, T.; Zohner, M. ABY-A Framework for Efficient Mixed-Protocol Secure Two-Party Computation; NDSS: San Diego, CA, USA, 11 February 2015. [Google Scholar]
- Chandran, N.; Gupta, D.; Rastogi, A.; Sharma, R.; Tripathi, S. EzPC: Programmable and efficient secure two-party computation for machine learning. In Proceedings of the 2019 IEEE European Symposium on Security and Privacy (EuroS&P), Stockholm, Sweden, 17–19 June 2019; pp. 496–511. [Google Scholar]
- Patra, A.; Schneider, T.; Suresh, A.; Yalame, H. ABY2. 0: Improved mixed-protocol secure two-party computation. In Proceedings of the 30th {USENIX} Security Symposium ({USENIX} Security 21), Virtual Event, 11–13 August 2021. [Google Scholar]
- Zhang, Y.; Steele, A.; Blanton, M. PICCO: A general-purpose compiler for private distributed computation. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, 4–8 November 2013; pp. 813–826. [Google Scholar]
- Zhang, Y.; Blanton, M.; Almashaqbeh, G. Implementing support for pointers to private data in a general-purpose secure multi-party compiler. ACM Trans. Priv. Secur. (TOPS)
**2017**, 21, 1–34. [Google Scholar] [CrossRef] - Keller, M. MP-SPDZ: A versatile framework for multi-party computation. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, 9–13 November 2020; pp. 1575–1590. [Google Scholar]
- Shamir, A. How to share a secret. Commun. ACM
**1979**, 22, 612–613. [Google Scholar] [CrossRef] - Goldreich, O.; Micali, S.; Wigderson, A. How to play any mental game, or a completeness theorem for protocols with honest majority. In Providing Sound Foundations for Cryptography: On the Work of Shafi Goldwasser and Silvio Micali; Association for Computing Machinery: New York, NY, USA, 2019; pp. 307–328. [Google Scholar]
- Beaver, D. Efficient multiparty protocols using circuit randomization. In Annual International Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 1991; pp. 420–432. [Google Scholar]
- Naor, D.; Naor, M.; Lotspiech, J. Revocation and tracing schemes for stateless receivers. In Annual International Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 2001; pp. 41–62. [Google Scholar]
- Dodis, Y.; Fazio, N. Public key broadcast encryption for stateless receivers. In ACM Workshop on Digital Rights Management; Springer: Berlin/Heidelberg, Germany, 2002; pp. 61–80. [Google Scholar]
- Groth, J.; Ostrovsky, R.; Sahai, A. Perfect Non-interactive Zero Knowledge for NP. In Advances in Cryptology-EUROCRYPT 2006; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2006; Volume 4004, pp. 339–358. [Google Scholar]
- Canetti, R. Universally composable security: A new paradigm for cryptographic protocols. In Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, Washington, DC, USA, 14–17 October 2001; pp. 136–145. [Google Scholar]
- Pedersen, T. Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In Advances in Cryptology-CRYPTO 1991; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 1992; Volume 576, pp. 129–140. [Google Scholar]
- pbc Library. 2012. Available online: https://crypto.stanford.edu/pbc/ (accessed on 15 March 2021).
- gmp Library. 2014. Available online: https://gmplib.org (accessed on 15 March 2021).

**Figure 8.**Simple example of the protocol in Section 7.1.

Original Protocol | Enhanced Version | |
---|---|---|

Input | $(n-k)\times {\mathcal{T}}_{com}$ | - |

(commitment) | ||

Compute | $(n-k)\times {\mathcal{T}}_{add}$ | $2k\times {\mathcal{T}}_{add}$ |

(addition) |

Original Protocol | Enhanced Version | |
---|---|---|

Input | $\left(\right)open="\{"\; close="\}">nk-\frac{1}{2}k(k+1)$ | - |

(commitment) | ||

Compute | $\left(\right)open="\{"\; close="\}">nk-\frac{1}{2}k(k+1)$ | $2k\times {\mathcal{T}}_{add}$ |

(addition) |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |

© 2021 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Seo, M.
Fair and Secure Multi-Party Computation with Cheater Detection. *Cryptography* **2021**, *5*, 19.
https://doi.org/10.3390/cryptography5030019

**AMA Style**

Seo M.
Fair and Secure Multi-Party Computation with Cheater Detection. *Cryptography*. 2021; 5(3):19.
https://doi.org/10.3390/cryptography5030019

**Chicago/Turabian Style**

Seo, Minhye.
2021. "Fair and Secure Multi-Party Computation with Cheater Detection" *Cryptography* 5, no. 3: 19.
https://doi.org/10.3390/cryptography5030019