Research Article Two-Cloud-Servers-Assisted Secure ...downloads.hindawi.com/journals/tswj/2014/413265.pdf · Research Article Two-Cloud-Servers-Assisted Secure Outsourcing Multiparty

Research ArticleTwo-Cloud-Servers-Assisted Secure OutsourcingMultiparty Computation

Yi Sun1 Qiaoyan Wen1 Yudong Zhang2 Hua Zhang1 Zhengping Jin1 and Wenmin Li1

1 State Key Laboratory of Networking and Switching Technology Beijing University of Posts and TelecommunicationsBeijing 100876 China

2 Brain Image Processing Columbia University New York NY 10032 USA

Correspondence should be addressed to Yi Sun sybuptbupteducn

Received 19 February 2014 Accepted 13 April 2014 Published 28 May 2014

Academic Editors A Mine and B Sun

Copyright copy 2014 Yi Sun et al This is an open access article distributed under the Creative Commons Attribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

We focus on how to securely outsource computation task to the cloud and propose a secure outsourcing multiparty computationprotocol on lattice-based encrypted data in two-cloud-servers scenario Our main idea is to transform the outsourced datarespectively encrypted by different usersrsquo public keys to the ones that are encrypted by the same two private keys of the two assistedservers so that it is feasible to operate on the transformed ciphertexts to compute an encrypted result following the function to becomputed In order to keep the privacy of the result the two servers cooperatively produce a custom-made result for each user thatis authorized to get the result so that all authorized users can recover the desired result while other unauthorized ones includingthe two servers cannot Compared with previous research our protocol is completely noninteractive between any users and bothof the computation and the communication complexities of each user in our solution are independent of the computing function

1 Introduction

Secure multiparty computation (SMC) [1ndash7] is dedicatedto computing a certain function among a set of mutuallydistrusted participants on their private inputs without reveal-ing private information Informally speaking assuming thatthere are 119898 participants 119875

1 1198752 119875

119898 each of them has

a private number respectively 1199091 1199092 119909

119898 They want to

cooperate to compute the function 119910 = 119891(1199091 1199092 119909

119898)

without revealing 119909119894of 119875119894to other parties 119875

119895 119895 = 119894 119894 119895 isin

1 119898 as well as guaranteeing that any unauthorizedones cannot get the result 119910 In the past researchers mainlyfocused on designing the style of secure multiparty com-putation protocols by which users themselves cooperativelyaccomplish the function evaluation through their internalinteractions [1 3 8ndash11]The computation and communicationcomplexities always depend polynomially on the complexityof the function to be computed Therefore users suffer fromthe heavy overload of these protocols

The emergence of the cloud [12 13] inspires users toapply the powerful computing ability of the cloud to helpthem to conduct complicated computations that is secure

outsourcing computation [14ndash18] to the cloud They expectthat the cloud can independently complete any functioncomputation on their outsourced data although the data hasbeen encrypted by their own keys for security Moreover thefinal result should be kept private to the cloud even though itis the cloud that conducts all of the computations about thecomputing function In this way users only need to encrypttheir data and decrypt the returnedmessage to get the desiredresult All computations about the computing function are inthe charge of the cloudThere are no interactions between anyusers and the computation and communication complexitiesof each user are independent of the computing functionHowever this expectation is proven to be impossible in thesingle cloud server setting due to the impossibility of programobfuscation [19] Therefore in this paper we try to realize itby introducing one more cloud server to the original modeldescribed above More precisely we consider the followingscenario

There are 119898 + 2 distrusted parties including 119898 usersand two cloud servers in our system We assume that all ofthem act semihonestly The 119898 users 119875

1 1198752 119875

119898 with each

having a private input respectively 119909119894 as well as a pair of

Hindawi Publishing Corporatione Scientific World JournalVolume 2014 Article ID 413265 7 pageshttpdxdoiorg1011552014413265

2 The Scientific World Journal

public-private keys (119901119896119894 119904119896119894) 119894 = 1 119898 encrypt their

respective private inputs by their own public keys and thenupload the ciphertexts of the inputs to a cloud server Theywant to obtain the value 119910 = 119891(119909

1 1199092 119909

119898) even if they

may not be aware of what the computing function 119891(sdot) isby applying two cloud servers to operate on the outsourcedencrypted data without revealing 119909

1 1199092 119909

119898and the result

119910In this paper we study the outsourcing computation

problem in multiple users-two-cloud-servers scenario andpropose a two-cloud-servers-assisted secure outsourcingmultiparty computation protocol to compute any functionon lattice-based encrypted data under multiple keys of theusers Herein we apply one cloud server called the storing-cloud (SC) to store the outsourced data encrypted by usersand make a midtransformation to these ciphertexts oncesome function begins to be computed We call the othercloud server the computing-cloud (CC) It is responsible fortransforming the midtransformed ciphertexts by SC to theones that are blinded by the same two private keys of thetwo assisted cloud servers so that CC can further compute119910 following the function on the ciphertexts Finally in orderto protect the result the two servers cooperatively produce acustom-made result for each user Compared with previoussolutions our protocol has the following three advantages

(1) Our protocol is completely noninteractive betweenany users

(2) The cloud is to do all of the computations relatedto the computing function while users would donothing except for encrypting their private inputs anddecrypting the returned result

(3) The computation and communication complexitiesof each user in our solution are independent of thecomputing function

OrganizationThe rest of this paper is organized as follows InSection 2 we briefly give an overview of some recent relatedworks Herein we consider the problems in secure outsourc-ing computation from the point of view of the users andthe cloud servers respectively and then rationally constructour protocol in the multiple users-two-cloud-servers settingIn Section 3 we briefly introduce a lattice-based encryptionscheme and the securitymodel and then present our protocolin Section 4 in detail In Section 5 we analyze the proposedprotocol in detail and give a strict proof based on real-idealsimulation paradigm Finally we summarize our work of thispaper in the last section

2 Related Works

According to previous research there are many problems tobe considered when outsourcing private data for functioncomputation to the cloudWe discuss the difficulties in secureoutsourcing computation to the cloud from the following twoaspects

(1) To Users Privacy of the Inputs and Results In secure out-sourcing computation users have to contribute their private

data as the inputs of the function while not participating inthe computation processMoreover all parties of the protocolincluding all users and cloud servers are mutually distrustedTherefore users would not like to submit their private datato the cloud Allowing for security a usual solution is toencrypt the private data before outsourcing them to the cloudAnd there are some basic encryptionmodels according to theencryption keys that users used

In 2009 Gentry [20] presented a model where all usersuse a joint public key to encrypt their own private inputswhile sharing the private key Therein the cloud cannotobtain the inputs or the result because they are protected bythe encryption scheme while the cloud does not have theprivate key However users have to participate in anotherinteractive protocol to firstly recover the private key and thenachieve the desired result The processes producing a jointpublic key sharing the private key and jointly recoveringthe result by their shared private key bring large number ofadditional interactions among users which is contrary to ourexpectation that we want to design a secure protocol with theleast communications Encrypting private data by the jointpublic key is not so satisfactory either In cloud outsourcingscenario it means that there are no interactions among theusers whatsoever and the least two rounds of inevitable inter-actions between the user and the cloud server sending out theinputs and receiving the result Therefore we look forwardto a protocol with the least communications as well as lowcomputations and high security A recent work by Asharov etal [21] proposes a schemewhere users utilize their ownpublickeys to encrypt their inputs respectively and guarantee thatthe cloud can succeed in computing the function on theirprivate inputs by computing on the ciphertexts of the inputsencrypted under different keys Although users still haveto interact to obtain the result in the last step encryptingrespective input by the public key of each user is the bestencryption model so far

As to the privacy of the result in 2011 Halevi et al [22]proposed a noninteractive protocol to securely realize out-sourcing computation Therein the server is entitled to learnthe result However the computing result may be the vitalinformation to the users in some scenario and so it cannotbe revealed to others Hence besides the security of the inputsdiscussed above usersmust consider the security of the resultwhen constructing protocols It should guarantee that anyunauthorized users are not able to get the result althoughthey may contribute their inputs and the cloud servers arenot able to get the result although the result is computed bythem To this aspect [20] has already protected the result bya joint public key of the users However this method is stillnot satisfactory since each authorized user is also not able toget it individually

(2) To Cloud Servers Feasibility of Operating on EncryptedInputs As discussed above users would like to upload theencrypted inputs under their respective public keys to thecloud server rather than the original inputs Therefore thecloud servers whose task is to compute a function on usersrsquoprivate inputs would only obtain the ciphertexts of theinputsThatmeans that the cloud has to compute the function

The Scientific World Journal 3

(i) KeyGen(1119896) sample a ring element vector 119886 larr 119877119899

119902and a ring element 119904 from the

distribution 120594 denoted as 119904 larr 120594 a ring element vector 119909 from the distribution 120594119899 denotedas 119909 larr 120594

119899 Then the private key is 119904119896 = 119904 the public key is 119901 = 119886119904 + 2119909 isin 119877119899119902

(ii) Enc(119901119896119898) sample 119890 larr 120594119899 and compute 119888

0= ⟨119901 119890⟩ + 119898 isin 119877

119902and 1198881= ⟨119886 119890⟩ isin 119877

119902 Output

the ciphertext 119888 = (1198880 1198881) isin 1198772

119902

(iii) Dec(119904119896 119888) compute 120583 = 1198880minus 1198881119904 isin 119877119902and output1198981015840 = 120583(mod2)

Algorithm 1

on usersrsquo private inputs through performing correspondingcomputations on the ciphertexts of the inputs encrypted bydifferent public keys of users As we know fully homomor-phic encryption (FHE) [20 23] can operate on the ciphertextsof the inputs to compute the desired result produced by theinputs But the usual FHE schemes are single-key schemesin the sense that they only can perform computations onciphertexts encrypted under the same key It is not feasibleto conduct computations on the ciphertexts encrypted underdifferent keys In order to solve this problem Lopez-Alt et al[24] propose a new FHE called multikey fully homomorphicencryption (MFHE) which has applied the techniques ofbootstrapping modulus reduction and relinearization tooperate on the ciphertexts of the inputs encrypted by mul-tiple unrelated keys When outsourcing private data to thecloud user can firstly encrypt it by its own key by applyingMFHE It is indeed the optimal solution from the point ofview of the feasibility of ciphertexts and the privacy of inputsHowever as we mentioned before it is still not satisfactorybecause users need to evaluate the decryption key and thenuse it to recover the result interactively by participating inanother SMC protocol

In fact according to [19] it is proved that it is indeedimpossible to construct a completely noninteractive protocolin the single server setting due to the impossibility of programobfuscation Hence if we want to obtain a secure protocolwith complete noninteraction of users in outsourcing com-putation we need at least two cloud servers

In brief allowing for the privacy of inputs and resultsfrom the perspective of users as well as the feasibility of oper-ating on the outsourced encrypted data from the perspectiveof the cloud servers if we want to construct a completelynoninteractive secure outsourcing multiparty computationprotocol where the computation and communication com-plexities of each user are independent of the computingfunction we have the following conclusions

(1) All private data should be encrypted by the ownersthemselves using their respective public keys beforeoutsourcing to the cloud servers

(2) The returned messages for each user should be dif-ferent so that all authorized users can recover thefinal result by their respective private key but theunauthorized ones cannot

(3) It is reasonable to consider it in two-cloud-serversscenario

3 Preliminaries

31 Lattice-Based Encryption Since the privacy of the inputsand the computation complexity of each user depend onthe encryption algorithm that the user used an encryptionschemeoutstanding in both security and efficiency is the rightone that users want to adopt Hence lattice-based encryptionwhich is against quantum attacks and is much more efficientthan RSA and even the elliptic curve cryptosystem becomesthe first choice of rational users Herein we will show how thetwo cloud servers deal with the outsourced data encrypted bythe lattice-based public key encryption scheme proposed in[24 25] (denoted as LE scheme in this paper) Specifically werecall it as follows

Notations Let 119896 be the security parameter Then the LEscheme is parameterized by a prime 119902 = 119902(119896) a degree 119899polynomial 119891(119909) isin Z[119909] and an error distribution 120594 overthe ring119877

119902= Z119902[119909]⟨119891(119909)⟩The parameters 119899119891 119902 and120594 are

public It assumes that given the security parameter 119896 thereare polynomial-time algorithms that output 119891 and 119902 and asample from the error distribution 120594

The LE encryption scheme consists of the following threealgorithms KeyGen(sdot) Enc(sdot) and Dec(sdot) (Algorithm 1)

In [24] they apply the techniques of bootstrapping mod-ulus reduction and relinearization to realize and to operateon the ciphertexts of the inputs encrypted by multiple unre-lated keys Therein they have obtained a secure outsourcingmultiparty computation protocol on lattice-based encrypteddata under multiple keys of users in one server scenarioHowever it is not satisfactory because the interaction in thedecryption stage is still inevitable

In this paper based on this encryption scheme we con-sider the outsourcing problem in two-cloud-servers scenarioand succeed to construct a secure noninteractive outsourcingprotocol that achieves the least computation and communi-cation complexities for users

32 SecurityModel In this paper wewill discuss our protocolin the semihonest model and analyze its security using thereal-ideal paradigm [5]

Firstly in the ideal world the computation of the func-tionality F on usersrsquo private inputs is conducted by anadditional trusted party that receives 119909

119894from user 119875

119894 119894 =

1 2 119898 and returns the result 119891(1199091 1199092 119909

119898) to the

authorized users 119875119905 while other unauthorized parties do not

get any output Hence in the ideal world all usersrsquo private


Parties authorized to get the result

Parties unauthorized to get the result

Encrypted data of P

Custom-made ciphertext of the outputfor the authorized party P

Two assisted cloud serversUsers

c1

ct

ci

ci

yt

yt

yt

cm

P1 1 r

Pt t r

m rmP

y = f(x1 xm)

i

c998400i

c998400i

c998400998400i

t isin 1 m t

⨁

⨂

SC ri ksc CC kcc

Figure 1 Framework of our construction

inputs are well protected and only authorized users are ableto learn about the result However there is no trusted partyin the real world and so all parties have to run a protocolΠ to get the desired result During executing the protocol Πall parties act semihonestly following the protocol but makeeffort to gain more information about other partiesrsquo inputsintermediate results or overall outputs by the transcripts ofthe protocol An adversary can corrupt a party to receive allmessages directed to it and control the messages to be sentout from it

Herein we denote the joint output of the ideal worldadversary S and the outputs of the remaining parties inan ideal execution for computing the functionality F withinputs = (119909

1 1199092 119909

119898) as IDEALFS() the joint

output of the real world adversary A and the outputs ofthe remaining parties in an execution of protocol Π withinputs = (119909

1 1199092 119909

119898) as REAL

ΠA() Then we saythat protocol Π securely realizes functionalityF if for everyreal adversary A corrupting any parties and possibly thecloud servers there exists an ideal world adversary S withblack-box access to A such that for all input vectors IDEALFS()

119888

asymp REALΠA()

4 Our Result

We consider the secure outsourcing computation problemin the multiple users-two-cloud-servers scenario describedas follows There are 119898 + 2 parties including 119898 users and 2noncolluding cloud servers one is called the storing-cloud(SC) and the other is called the computing-cloud (CC) Eachuser 119875

119894has a private input denoted as 119909

119894and a pair of public-

private keys (119901119896119894 119904119896119894) while sharing a private random 119903

119894with

SC that has a private number 119896sc CC has a private number119896cc Users want to outsource the task of computing function119891(sdot) on usersrsquo private inputs to the two cloud servers Theyonly provide the ciphertexts of the private data encrypted bya lattice-based encryption schemeunder their different publickeys and require the cloud servers to give the authorizedusers the result while keeping the security of the inputsWhat is more users wish that the cloud servers take chargeof all of the computations related to the function 119891(sdot) andthat there is noninteraction of users whatsoever so that thecomputation and communication complexities of each userare independent of the function to be computed Herein wedeem that the two rounds of inevitable communications anda request from a user to the cloud servers for computingfunction 119891(sdot) are the three basic rounds of communication inthis paper Then for each user they expect that there are noother interactions at all between any user-to-user or user-to-server except the three basic rounds of communication Fur-thermore the computation complexity of each user dependson the encryption scheme it has used The framework of ourconstruction can be illustrated in Figure 1

In this following section we formally propose our solu-tion denoted as protocol Π for convenience in detail andthen analyze its security using the real-ideal paradigm in thesemihonest model

Without loss of generality we represent the function 119891(sdot)to be computed by means of arithmetic circuitC

119891consisting

of any number of addition gates and 119897 multiplication gateswhere each gate has two input wires and one output wireThen any functionality can be reduced to the two basicoperations addition andmultiplication over two inputs Ourconstruction can be summarized in Algorithm 2


Protocol 120587 Two cloud servers-assisted secure outsourcing computation protocolSetupFor 119894 = 1 2 119898 sample a ring element vector 119886

119894larr 119877119899

119902 a ring element 119904

119894larr 120594 and a ring

element vector 119909119894larr 120594119899 Then the private key of 119875

119894is 119904119896119894= 119904119894 the public key of 119875

119894is

119901119894= 119886119894119904119894+ 2119909119894isin 119877119899

119902 And then 119875

119894shares a private random 119903

119894with SC that has a private

number 119896sc CC has a private number 119896cc As a preparation user 119875119894 firstly sends 119903119894 sdot 119904119894 to CCCC computes 119896cc sdot 119903119894 sdot 119904119894 and then sends it back to SC Then SC can obtain 119896cc sdot 119904119894 byremoving 119903

119894

UploadFor 119894 = 1 2 119898 each user 119875

119894encrypts its own private input 119909

119894by the LE scheme Firstly 119875

119894

samples 119890119894larr 120594119899 and computes 119888119894

0= ⟨119901119894 119890119894⟩ + 119909119894isin 119877119902and 1198881198941= ⟨119886119894 119890119894⟩ isin 119877

119902 Then it

outputs the ciphertext 119888119894= (119888119894

0 119888119894

1) isin 119877

2

119902

Outsourcing ComputationAfter receiving all ciphertexts of the private inputs from users SC stores all ciphertexts andexecutes a midtransformation to the outsourced data when computing some function 119891(sdot)After that CC further transforms the midtransformed ciphertexts and then computes thefunction 119891(sdot) following the circuitC

119891that consisted of addition gates and multiplication gates

(1) MidtransformingFirstly SC midtransforms the ciphertexts encrypted by usersrsquo own keys as 119888

119894rarr 119888119894

1015840 where119888119894

1015840= (119888119894

0

1015840

119888119894

1

1015840

) = (119896sc sdot 119888119894

0 119896sc sdot (119896cc sdot 119904119894) sdot 119888

119894

1) and sends 119888

119894

1015840 to CC

(2) ComputingAfter receiving 119888

119894

1015840 CC further transforms 119888119894

1015840 to 119888119894

10158401015840= (119896cc sdot 119896sc sdot 119888

119894


119894

1)

Denote 119896 = 119896sc sdot 119896cc then 11988811989410158401015840= (119888119894

0

10158401015840

119888119894

1

10158401015840

) = (119896 sdot 119888119894

0 119896 sdot 119904119894sdot 119888119894

1) CC then computes the

ciphertext of the result by the transformed ciphertexts of usersrsquo private inputsAdd For each addition gate 119888

119894

10158401015840oplus 119888119895

10158401015840= (119888119894

1

10158401015840

minus 119888119894

0

10158401015840

) oplus (119888119895

1

10158401015840

minus 119888119895

0

10158401015840

) = 119896 sdot (119909119894+ 119909119895)

Mul For each multiplication gate 119888119894

10158401015840otimes 119888119895

10158401015840= (119888119894

1

10158401015840

minus 119888119894

0

10158401015840

) otimes (119888119895

1

10158401015840

minus 119888119895

0

10158401015840

) = 1198962sdot (119909119894times 119909119895)

(3) Producing Custom-Made ResultAfter computing gate by gate following the circuitC

119891 CC obtains the intermediate result

encrypted by the private numbers of the two assisted cloud servers SC and CC that is1199101015840= 119896119897+1

sdot 119910 = 119896sc119897+1

sdot 119896cc119897+1

sdot 119910 where 119910 = 119891 (1199091 1199092 119909

119898) and 119897 is the number of the

multiplication gates ofC119891 To produce a custom-made result for each user CC firstly sends

1199101015840 to SC SC removes 119896119897+1sc and adds 119903

119905to compute 119910

119905

1015840= 119903119905sdot 119896119897+1

cc sdot 119910 and then sends 119910119905

1015840 backto CC CC finally removes 119896119897+1cc to produce the custom-made ciphertext 119910

119905= 119903119905sdot 119910 and sends

it to the authorized party 119875119905 119905 isin 1 2 119898

OutputFor each authorized party 119875

119905 119905 isin 1 2 119898 it obtains the result 119910 by removing 119903

119905

Algorithm 2

In setup each user 119875119894invokes KeyGen(1119896) to compute its

public-private keys (119901119896119894 119904119896119894) At the same time each119875

119894selects

a random 119903119894and sends it to SC via secure channels while

SC and CC respectively choose private numbers 119896sc and 119896ccAssuming that all usersrsquo private data 119909

119894 119894 = 1 2 119898 are

the real inputs of function119891(sdot) then each 119875119894sends 119903

119894sdot 119904119894to CC

CC further computes 119896cc sdot 119903119894 sdot 119904119894 and sends it to SC After that119875119894submits the ciphertext 119888

119894of the private input 119909

119894encrypted

by its own public key 119901119894to SC in the upload process

In computation process SCfirstlymidtransforms the out-sourced data which are encrypted by different keys of usersand CC further transforms the midtransformed ciphertextsto the ones that are blinded by the same private numbers ofthe two servers so that CC can operate on the ciphertexts to

compute 119891(sdot) Specifically for additionmultiplication gateCC can easily get the result by (11988811989410158401015840

1minus 11988811989410158401015840

0) oplus (119888

11989510158401015840

1minus 11988811989510158401015840

0) =

119896 sdot (119909119894+ 119909119895) and (11988811989410158401015840

1minus 11988811989410158401015840

0) otimes (119888

11989510158401015840

1minus 11988811989510158401015840

0) = 119896

2sdot (119909119894times 119909119895)

Computing gate by gate following the circuit C119891 CC can

obtain the intermediate result 1199101015840 = 119896119897+1 sdot 119910 = 119896119897+1sc sdot 119896119897+1

cc sdot 119910In order to guarantee that only the authorized user can get

the final result SC and CC cooperatively produce a custom-made result for each authorized user as follows (Herein weassume that 119875

119905 119905 isin 1 2 119898 is authorized to get the

result) Firstly CC sends 1199101015840 to SC SC removes 119896119897+1sc and adds119903119905to compute 1199101015840

119905= 119903119905sdot 119896119897+1

cc sdot 119910 and then sends 1199101015840119905back to CC

CCfinally removes 119896119897+1cc to obtain the custom-made ciphertext119910119905= 119903119905sdot 119910 and sends it to 119875

119905


In the last process the authorized user 119875119905obtains the

result 119910 by removing 119903119905from 119910

119905

5 Analysis

From the protocol described above the correctness is obviousdue to the homomorphic properties of the transformedciphertexts We will have a detailed discussion on its secu-rity Note that before the actual computations which areperformed by SC and CC there are setup and uploadprocessesWe will individually illustrate their security at firstAfterwards we will prove the security of the core of ourprotocol that is the outsourcing computation process in thereal-ideal framework Finally from the composition theorem[5] we can conclude that our protocol is secure

Theorem 1 Protocol Π is secure as long as the LE scheme issecure and SC and CC are noncolluding

Proof Firstly we look at the setup and upload processesindividually

In setup each user respectively encrypts its private inputby its own public key which is produced by invoking asemantically secure LE scheme The security of this processis obvious Afterwards 119875

119894sends 119903

119894sdot 119904119894to CC and CC sends

119896cc sdot 119903119894 sdot 119904119894 to SC Herein 119875119894rsquos private key 119904119894 is protected by theblinding factors 119903

119894which is private to119875

119894and SC and 119896cc which

is private to CC Therefore the private keys of users will notbe revealed in this process

In upload users outsource the encrypted data to SC Sincethe LE scheme is semantically secure given two ciphertexts119888119894(1198981) 119888119894(1198982) of the two plaintexts 119898

1 1198982uploaded by 119875

119894

it is computationally infeasible for SC to distinguish the twociphertexts Hence users can store their encrypted data in SCsecurely

In outsourcing computation process SC firstly midtrans-forms 119888

119894to 1198881015840

119894and sends 1198881015840

119894to CC It is obvious that it is

secure since SC blinds the midtransformed ciphertext 1198881015840119894by

the private number 119896sc which is secret to CC As to the coreof the computation process we will discuss the security inthe real-ideal framework From the security definition wesay that protocol Π is secure if all adversarial behavior in thereal world can be simulated in the ideal model where thereexists an additional trusted party to perform all computationsrelated to the function 119891(sdot) to be computed We assume thatthere is a simulator S in the ideal world and then prove thatit can simulate the semihonest adversaryA that exists in thereal execution Since CC is able to independently completeaddition andmultiplication operations we only need to provethatAdd andMul are secure against the semihonest adversaryA corrupting CC We prove this as follows

Simulator S RunA on input119888S(1198981) 119888S(1198982)Firstly S computes

119888S (1198981) = Enc (119901119896S 1)

119888S (1198982) = Enc (119901119896S 1)(1)

and sends 119888S(1198981) 119888S(1198982) toA

Secondly A sends two ciphertexts 119888S(119898lowast

1) 119888S(119898

lowast

2) to S

Then S computes

119888S (119898lowast

1+ 119898lowast

2) = 119888S (119898

lowast

1) oplus 119888S (119898

lowast

2)

119888S (119898lowast

1times 119898lowast

2) = 119888S (119898

lowast

1) otimes 119888S (119898

lowast

2)

(2)

and returns 119888S(119898lowast

1+ 119898lowast

2) 119888S(119898

lowast

1times 119898lowast

2) toA

Finally S outputs whatA outputsNow we can prove the security of Add and Mul algo-

rithms by contradiction Firstly we assume that the view ofthe adversary A in the real world is distinguishable fromthe view simulated by the simulator S Then we could findan algorithm to distinguish the ciphertexts encrypted by theLE encryption scheme which is contrary to our assumptionthat the LE is semantically secure Hence the view of theadversary A in the real world is indistinguishable from theview simulated by the simulator S That is

IDEALFS (119888S (119898119894))119888

asymp REALΠA (119888S (119898119894)) 119894 = 1 2 (3)

Therefore the two algorithms Add and Mul are secureFurthermore from the composition theorem [5] we canconclude that our protocol is secure as long as the LE schemeis secure and SC and CC are noncolluding in semihonestscenario

6 Conclusion

Only contributing the encrypted forms of their private inputsunder their own public keys to gain the desired result ofsome function on the private inputs via powerful cloud withminimal computations and communications is the optimalmethod especially when users want to compute some com-plex function In this paper we introduce two noncolludingcloud servers to construct a secure outsourcing multipartycomputation protocol on lattice-based encrypted cloud dataunder multiple keys in semihonest scenario All computa-tions related to the computing function are in the charge ofthe two cloud serversTherefore the computation complexityof each user only depends on the encryption scheme it hasused What is more the communication complexity of eachuser is also independent of the function to be computed andthere is no interaction of users whatsoever any more

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper

Acknowledgments

This work is supported by the NSFC (Grants nos 6130018161272057 61202434 61170270 61100203 and 61121061) andthe Fundamental Research Funds for the Central Universities(Grants nos 2012RC0612 and 2011YB01)


References

[1] A C Yao ldquoProtocols for secure computationsrdquo in Proceedings ofthe 23rd Annual IEEE Symposium on Foundations of ComputerScience pp 160ndash164 Chicago Ill USA 1982

[2] Y Lindell and B Pinkas ldquoA proof of security of yaorsquos protocolfor two-party computationrdquo Journal of Cryptology vol 22 no2 pp 161ndash188 2009

[3] O S Goldreich S Mical and A Wigderson ldquoHow to play anymental gamerdquo in Proceedings of the nineteenth annual ACMsymposium on Theory of computing (STOC rsquo87) pp 218ndash229New York NY USA 1987

[4] O S Goldreich ldquoSecure multiparty computationrdquo ManuscriptPreliminary version 1998

[5] O S Goldreich Foundations of Cryptography Volume 2 BasicApplications Cambridge University press 2004

[6] M M Prabhakaran and A Sahai Eds Secure Multiparty Com-putation IOS Press 2013

[7] R Fagin M Naor and P Winkler ldquoComparing informationwithout leaking itrdquoCommunications of the ACM vol 39 pp 77ndash85 1996

[8] D Chaum C Crepeau and I Damgard ldquoMultiparty uncon-ditionally secure protocolsrdquo in Proceedings of the 20th annualACM symposium onTheory of computing (STOC rsquo88) pp 11ndash191988

[9] I Damgard V Pastro N P Smart and S Zakarias ldquoMultipartycomputation from somewhat homomorphic encryptionrdquo inAdvances in CryptologymdashCRYPTO 2012 vol 7417 of LectureNotes in Computer Science pp 643ndash662 Springer 2012

[10] Y Lindell and B Pinkas ldquoAn efficient protocol for secure two-party computation in the presence of malicious adversariesrdquoin Advances in CryptologymdashEUROCRYPT 2007 vol 4515 ofLecture Notes in Computer Science pp 52ndash78 Springer 2007

[11] B Pinkas T Schneider N P Smart and S CWilliams ldquoSecuretwo-party computation is practicalrdquo in Advances in Cryptolo-gymdashASIACRYPT 2009 vol 5912 of Lecture Notes in ComputerScience pp 250ndash267 Springer 2009

[12] M Armbrust A Fox R Griffith et al ldquoA view of cloud com-putingrdquo Communications of the ACM vol 53 no 4 pp 50ndash582010

[13] T Velte A Velte and R Elsenpeter Cloud Computing a Practi-cal Approach McGraw-Hill 2009

[14] J Loftus and N P Smart ldquoSecure outsourced computationrdquoin Progress in CryptologymdashAFRICACRYPT 2011 pp 1ndash20Springer Berlin Germany 2011

[15] M J Atallah and K B Frikken ldquoSecurely outsourcing linearalgebra computationsrdquo in Proceedings of the 5th ACM Sympo-sium on Information Computer and Communication Security(ASIACCS rsquo10) pp 48ndash59 April 2010

[16] S Kamara P Mohassel and M Raykova ldquoOutsourcing multi-Party computationrdquo IACR Cryptology ePrint Archive vol 2011article 272 2011

[17] A Peter E Tews and S Katzenbeisser ldquoEfficiently outsourcingmultiparty computation undermultiple keysrdquo IACRCryptologyePrint Archive vol 2013 article 13 2013

[18] B Wang M Li M Chow et al ldquoComputing encrypted clouddata efficiently under multiple keysrdquo in Proceedings of the IEEEConference on Communications and Network Security (CNS rsquo13)pp 504ndash513 2013

[19] M VanDijk and A Juels ldquoOn the impossibility of cryptographyalone for privacy-preserving cloud computingrdquo in Proceedings

of the 5th USENIX conference on Hot topics in security (HotSecrsquo10) pp 1ndash8 2010

[20] C Gentry A fully homomorphic encryption scheme [Doctoraldissertation] Stanford University 2009

[21] G Asharov A Jain A Lopez-Alt E Tromer V Vaikun-tanathan and D Wichs ldquoMultiparty computation with lowcommunication computation and interaction via thresholdfherdquo in Advances in CryptologymdashEUROCRYPT 2012 LectureNotes in Computer Science pp 483ndash501 Springer BerlinGermany 2012

[22] S Halevi Y Lindell and B Pinkas ldquoSecure computation on theweb computing without simultaneous interactionrdquo inAdvancesin CryptologymdashCRYPTO 2011 pp 132ndash150 Springer 2011

[23] Z Brakerski and V Vaikuntanathan ldquoEfficient fully homomor-phic encryption from (standard) LWErdquo in Proceedings of theIEEE 52nd Annual Symposium on Foundations of ComputerScience (FOCS rsquo11) pp 97ndash106 2011

[24] A Lopez-Alt E Tromer and V Vaikuntanathan ldquoCloud-assist-ed multiparty computation from fully homomorphic encryp-tionrdquo IACRCryptology ePrint Archive vol 2011 article 663 2011

[25] Z Brakerski and V Vaikuntanathan ldquoFully homomorphicencryption from ring-lwe and security for key dependentmessagesrdquo in Advances in CryptologymdashCRYPTO 2011 vol 6841of Lecture Notes in Computer Science pp 505ndash524 2011

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Distributed Sensor Networks


Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014


ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014


Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications


Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia


Biomedical Imaging


ArtificialNeural Systems

Advances in


RoboticsJournal of



Computational Intelligence and Neuroscience

Industrial EngineeringJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in



public-private keys (119901119896119894 119904119896119894) 119894 = 1 119898 encrypt their

respective private inputs by their own public keys and thenupload the ciphertexts of the inputs to a cloud server Theywant to obtain the value 119910 = 119891(119909

1 1199092 119909

119898) even if they

may not be aware of what the computing function 119891(sdot) isby applying two cloud servers to operate on the outsourcedencrypted data without revealing 119909

1 1199092 119909

119898and the result

119910In this paper we study the outsourcing computation

problem in multiple users-two-cloud-servers scenario andpropose a two-cloud-servers-assisted secure outsourcingmultiparty computation protocol to compute any functionon lattice-based encrypted data under multiple keys of theusers Herein we apply one cloud server called the storing-cloud (SC) to store the outsourced data encrypted by usersand make a midtransformation to these ciphertexts oncesome function begins to be computed We call the othercloud server the computing-cloud (CC) It is responsible fortransforming the midtransformed ciphertexts by SC to theones that are blinded by the same two private keys of thetwo assisted cloud servers so that CC can further compute119910 following the function on the ciphertexts Finally in orderto protect the result the two servers cooperatively produce acustom-made result for each user Compared with previoussolutions our protocol has the following three advantages

(1) Our protocol is completely noninteractive betweenany users

(2) The cloud is to do all of the computations relatedto the computing function while users would donothing except for encrypting their private inputs anddecrypting the returned result

(3) The computation and communication complexitiesof each user in our solution are independent of thecomputing function

OrganizationThe rest of this paper is organized as follows InSection 2 we briefly give an overview of some recent relatedworks Herein we consider the problems in secure outsourc-ing computation from the point of view of the users andthe cloud servers respectively and then rationally constructour protocol in the multiple users-two-cloud-servers settingIn Section 3 we briefly introduce a lattice-based encryptionscheme and the securitymodel and then present our protocolin Section 4 in detail In Section 5 we analyze the proposedprotocol in detail and give a strict proof based on real-idealsimulation paradigm Finally we summarize our work of thispaper in the last section

2 Related Works

According to previous research there are many problems tobe considered when outsourcing private data for functioncomputation to the cloudWe discuss the difficulties in secureoutsourcing computation to the cloud from the following twoaspects

(1) To Users Privacy of the Inputs and Results In secure out-sourcing computation users have to contribute their private

data as the inputs of the function while not participating inthe computation processMoreover all parties of the protocolincluding all users and cloud servers are mutually distrustedTherefore users would not like to submit their private datato the cloud Allowing for security a usual solution is toencrypt the private data before outsourcing them to the cloudAnd there are some basic encryptionmodels according to theencryption keys that users used

In 2009 Gentry [20] presented a model where all usersuse a joint public key to encrypt their own private inputswhile sharing the private key Therein the cloud cannotobtain the inputs or the result because they are protected bythe encryption scheme while the cloud does not have theprivate key However users have to participate in anotherinteractive protocol to firstly recover the private key and thenachieve the desired result The processes producing a jointpublic key sharing the private key and jointly recoveringthe result by their shared private key bring large number ofadditional interactions among users which is contrary to ourexpectation that we want to design a secure protocol with theleast communications Encrypting private data by the jointpublic key is not so satisfactory either In cloud outsourcingscenario it means that there are no interactions among theusers whatsoever and the least two rounds of inevitable inter-actions between the user and the cloud server sending out theinputs and receiving the result Therefore we look forwardto a protocol with the least communications as well as lowcomputations and high security A recent work by Asharov etal [21] proposes a schemewhere users utilize their ownpublickeys to encrypt their inputs respectively and guarantee thatthe cloud can succeed in computing the function on theirprivate inputs by computing on the ciphertexts of the inputsencrypted under different keys Although users still haveto interact to obtain the result in the last step encryptingrespective input by the public key of each user is the bestencryption model so far

As to the privacy of the result in 2011 Halevi et al [22]proposed a noninteractive protocol to securely realize out-sourcing computation Therein the server is entitled to learnthe result However the computing result may be the vitalinformation to the users in some scenario and so it cannotbe revealed to others Hence besides the security of the inputsdiscussed above usersmust consider the security of the resultwhen constructing protocols It should guarantee that anyunauthorized users are not able to get the result althoughthey may contribute their inputs and the cloud servers arenot able to get the result although the result is computed bythem To this aspect [20] has already protected the result bya joint public key of the users However this method is stillnot satisfactory since each authorized user is also not able toget it individually

(2) To Cloud Servers Feasibility of Operating on EncryptedInputs As discussed above users would like to upload theencrypted inputs under their respective public keys to thecloud server rather than the original inputs Therefore thecloud servers whose task is to compute a function on usersrsquoprivate inputs would only obtain the ciphertexts of theinputsThatmeans that the cloud has to compute the function







0= ⟨119901 119890⟩ + 119898 isin 119877

119902and 1198881= ⟨119886 119890⟩ isin 119877

119902 Output


119902


Algorithm 1







3 Preliminaries










119894from user 119875

119894 119894 =


119898) to the






Encrypted data of P



c1

ct

ci

ci

yt

yt

yt

cm

P1 1 r

Pt t r

m rmP

y = f(x1 xm)

i

c998400i

c998400i

c998400998400i

t isin 1 m t

⨁

⨂

SC ri ksc CC kcc




1 1199092 119909



1 1199092 119909

119898) as REAL


119888

asymp REALΠA()

4 Our Result





119894with




119891consisting




119894larr 119877119899





119894is

119901119894= 119886119894119904119894+ 2119909119894isin 119877119899

119902 And then 119875




119894




119894


0= ⟨119901119894 119890119894⟩ + 119909119894isin 119877119902and 1198881198941= ⟨119886119894 119890119894⟩ isin 119877

119902 Then it


0 119888119894

1) isin 119877

2

119902




119894rarr 119888119894

1015840 where119888119894

1015840= (119888119894

0

1015840

119888119894

1

1015840

) = (119896sc sdot 119888119894


119894

1) and sends 119888

119894

1015840 to CC


119894


1015840 to 119888119894

10158401015840= (119896cc sdot 119896sc sdot 119888

119894


119894

1)


0

10158401015840

119888119894

1

10158401015840

) = (119896 sdot 119888119894

0 119896 sdot 119904119894sdot 119888119894



119894

10158401015840oplus 119888119895

10158401015840= (119888119894

1

10158401015840

minus 119888119894

0

10158401015840

) oplus (119888119895

1

10158401015840

minus 119888119895

0

10158401015840

) = 119896 sdot (119909119894+ 119909119895)


10158401015840otimes 119888119895

10158401015840= (119888119894

1

10158401015840

minus 119888119894

0

10158401015840

) otimes (119888119895

1

10158401015840

minus 119888119895

0

10158401015840

) = 1198962sdot (119909119894times 119909119895)




sdot 119910 = 119896sc119897+1

sdot 119896cc119897+1

sdot 119910 where 119910 = 119891 (1199091 1199092 119909




119905to compute 119910

119905

1015840= 119903119905sdot 119896119897+1



119905= 119903119905sdot 119910 and sends




119905

Algorithm 2



119894selects



119894 119894 = 1 2 119898 are


119894sdot 119904119894to CC



119894encrypted




1minus 11988811989410158401015840

0) oplus (119888

11989510158401015840

1minus 11988811989510158401015840

0) =

119896 sdot (119909119894+ 119909119895) and (11988811989410158401015840

1minus 11988811989410158401015840

0) otimes (119888

11989510158401015840

1minus 11988811989510158401015840

0) = 119896

2sdot (119909119894times 119909119895)







119905= 119903119905sdot 119896119897+1



119905




119905

5 Analysis





119894sends 119903







1 1198982uploaded by 119875

119894



119894to 1198881015840

119894and sends 1198881015840





119888S (1198981) = Enc (119901119896S 1)

119888S (1198982) = Enc (119901119896S 1)(1)

and sends 119888S(1198981) 119888S(1198982) toA


1) 119888S(119898

lowast

2) to S

Then S computes

119888S (119898lowast

1+ 119898lowast

2) = 119888S (119898

lowast

1) oplus 119888S (119898

lowast

2)

119888S (119898lowast

1times 119898lowast

2) = 119888S (119898

lowast

1) otimes 119888S (119898

lowast

2)

(2)


1+ 119898lowast

2) 119888S(119898

lowast

1times 119898lowast

2) toA



IDEALFS (119888S (119898119894))119888

asymp REALΠA (119888S (119898119894)) 119894 = 1 2 (3)


6 Conclusion




Acknowledgments



References


































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in









0= ⟨119901 119890⟩ + 119898 isin 119877

119902and 1198881= ⟨119886 119890⟩ isin 119877

119902 Output


119902


Algorithm 1







3 Preliminaries










119894from user 119875

119894 119894 =


119898) to the






Encrypted data of P



c1

ct

ci

ci

yt

yt

yt

cm

P1 1 r

Pt t r

m rmP

y = f(x1 xm)

i

c998400i

c998400i

c998400998400i

t isin 1 m t

⨁

⨂

SC ri ksc CC kcc




1 1199092 119909



1 1199092 119909

119898) as REAL


119888

asymp REALΠA()

4 Our Result





119894with




119891consisting




119894larr 119877119899





119894is

119901119894= 119886119894119904119894+ 2119909119894isin 119877119899

119902 And then 119875




119894




119894


0= ⟨119901119894 119890119894⟩ + 119909119894isin 119877119902and 1198881198941= ⟨119886119894 119890119894⟩ isin 119877

119902 Then it


0 119888119894

1) isin 119877

2

119902




119894rarr 119888119894

1015840 where119888119894

1015840= (119888119894

0

1015840

119888119894

1

1015840

) = (119896sc sdot 119888119894


119894

1) and sends 119888

119894

1015840 to CC


119894


1015840 to 119888119894

10158401015840= (119896cc sdot 119896sc sdot 119888

119894


119894

1)


0

10158401015840

119888119894

1

10158401015840

) = (119896 sdot 119888119894

0 119896 sdot 119904119894sdot 119888119894



119894

10158401015840oplus 119888119895

10158401015840= (119888119894

1

10158401015840

minus 119888119894

0

10158401015840

) oplus (119888119895

1

10158401015840

minus 119888119895

0

10158401015840

) = 119896 sdot (119909119894+ 119909119895)


10158401015840otimes 119888119895

10158401015840= (119888119894

1

10158401015840

minus 119888119894

0

10158401015840

) otimes (119888119895

1

10158401015840

minus 119888119895

0

10158401015840

) = 1198962sdot (119909119894times 119909119895)




sdot 119910 = 119896sc119897+1

sdot 119896cc119897+1

sdot 119910 where 119910 = 119891 (1199091 1199092 119909




119905to compute 119910

119905

1015840= 119903119905sdot 119896119897+1



119905= 119903119905sdot 119910 and sends




119905

Algorithm 2



119894selects



119894 119894 = 1 2 119898 are


119894sdot 119904119894to CC



119894encrypted




1minus 11988811989410158401015840

0) oplus (119888

11989510158401015840

1minus 11988811989510158401015840

0) =

119896 sdot (119909119894+ 119909119895) and (11988811989410158401015840

1minus 11988811989410158401015840

0) otimes (119888

11989510158401015840

1minus 11988811989510158401015840

0) = 119896

2sdot (119909119894times 119909119895)







119905= 119903119905sdot 119896119897+1



119905




119905

5 Analysis





119894sends 119903







1 1198982uploaded by 119875

119894



119894to 1198881015840

119894and sends 1198881015840





119888S (1198981) = Enc (119901119896S 1)

119888S (1198982) = Enc (119901119896S 1)(1)

and sends 119888S(1198981) 119888S(1198982) toA


1) 119888S(119898

lowast

2) to S

Then S computes

119888S (119898lowast

1+ 119898lowast

2) = 119888S (119898

lowast

1) oplus 119888S (119898

lowast

2)

119888S (119898lowast

1times 119898lowast

2) = 119888S (119898

lowast

1) otimes 119888S (119898

lowast

2)

(2)


1+ 119898lowast

2) 119888S(119898

lowast

1times 119898lowast

2) toA



IDEALFS (119888S (119898119894))119888

asymp REALΠA (119888S (119898119894)) 119894 = 1 2 (3)


6 Conclusion




Acknowledgments



References


































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in






Encrypted data of P



c1

ct

ci

ci

yt

yt

yt

cm

P1 1 r

Pt t r

m rmP

y = f(x1 xm)

i

c998400i

c998400i

c998400998400i

t isin 1 m t

⨁

⨂

SC ri ksc CC kcc




1 1199092 119909



1 1199092 119909

119898) as REAL


119888

asymp REALΠA()

4 Our Result





119894with




119891consisting




119894larr 119877119899





119894is

119901119894= 119886119894119904119894+ 2119909119894isin 119877119899

119902 And then 119875




119894




119894


0= ⟨119901119894 119890119894⟩ + 119909119894isin 119877119902and 1198881198941= ⟨119886119894 119890119894⟩ isin 119877

119902 Then it


0 119888119894

1) isin 119877

2

119902




119894rarr 119888119894

1015840 where119888119894

1015840= (119888119894

0

1015840

119888119894

1

1015840

) = (119896sc sdot 119888119894


119894

1) and sends 119888

119894

1015840 to CC


119894


1015840 to 119888119894

10158401015840= (119896cc sdot 119896sc sdot 119888

119894


119894

1)


0

10158401015840

119888119894

1

10158401015840

) = (119896 sdot 119888119894

0 119896 sdot 119904119894sdot 119888119894



119894

10158401015840oplus 119888119895

10158401015840= (119888119894

1

10158401015840

minus 119888119894

0

10158401015840

) oplus (119888119895

1

10158401015840

minus 119888119895

0

10158401015840

) = 119896 sdot (119909119894+ 119909119895)


10158401015840otimes 119888119895

10158401015840= (119888119894

1

10158401015840

minus 119888119894

0

10158401015840

) otimes (119888119895

1

10158401015840

minus 119888119895

0

10158401015840

) = 1198962sdot (119909119894times 119909119895)




sdot 119910 = 119896sc119897+1

sdot 119896cc119897+1

sdot 119910 where 119910 = 119891 (1199091 1199092 119909




119905to compute 119910

119905

1015840= 119903119905sdot 119896119897+1



119905= 119903119905sdot 119910 and sends




119905

Algorithm 2



119894selects



119894 119894 = 1 2 119898 are


119894sdot 119904119894to CC



119894encrypted




1minus 11988811989410158401015840

0) oplus (119888

11989510158401015840

1minus 11988811989510158401015840

0) =

119896 sdot (119909119894+ 119909119895) and (11988811989410158401015840

1minus 11988811989410158401015840

0) otimes (119888

11989510158401015840

1minus 11988811989510158401015840

0) = 119896

2sdot (119909119894times 119909119895)







119905= 119903119905sdot 119896119897+1



119905




119905

5 Analysis





119894sends 119903







1 1198982uploaded by 119875

119894



119894to 1198881015840

119894and sends 1198881015840





119888S (1198981) = Enc (119901119896S 1)

119888S (1198982) = Enc (119901119896S 1)(1)

and sends 119888S(1198981) 119888S(1198982) toA


1) 119888S(119898

lowast

2) to S

Then S computes

119888S (119898lowast

1+ 119898lowast

2) = 119888S (119898

lowast

1) oplus 119888S (119898

lowast

2)

119888S (119898lowast

1times 119898lowast

2) = 119888S (119898

lowast

1) otimes 119888S (119898

lowast

2)

(2)


1+ 119898lowast

2) 119888S(119898

lowast

1times 119898lowast

2) toA



IDEALFS (119888S (119898119894))119888

asymp REALΠA (119888S (119898119894)) 119894 = 1 2 (3)


6 Conclusion




Acknowledgments



References


































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in





119894larr 119877119899





119894is

119901119894= 119886119894119904119894+ 2119909119894isin 119877119899

119902 And then 119875




119894




119894


0= ⟨119901119894 119890119894⟩ + 119909119894isin 119877119902and 1198881198941= ⟨119886119894 119890119894⟩ isin 119877

119902 Then it


0 119888119894

1) isin 119877

2

119902




119894rarr 119888119894

1015840 where119888119894

1015840= (119888119894

0

1015840

119888119894

1

1015840

) = (119896sc sdot 119888119894


119894

1) and sends 119888

119894

1015840 to CC


119894


1015840 to 119888119894

10158401015840= (119896cc sdot 119896sc sdot 119888

119894


119894

1)


0

10158401015840

119888119894

1

10158401015840

) = (119896 sdot 119888119894

0 119896 sdot 119904119894sdot 119888119894



119894

10158401015840oplus 119888119895

10158401015840= (119888119894

1

10158401015840

minus 119888119894

0

10158401015840

) oplus (119888119895

1

10158401015840

minus 119888119895

0

10158401015840

) = 119896 sdot (119909119894+ 119909119895)


10158401015840otimes 119888119895

10158401015840= (119888119894

1

10158401015840

minus 119888119894

0

10158401015840

) otimes (119888119895

1

10158401015840

minus 119888119895

0

10158401015840

) = 1198962sdot (119909119894times 119909119895)




sdot 119910 = 119896sc119897+1

sdot 119896cc119897+1

sdot 119910 where 119910 = 119891 (1199091 1199092 119909




119905to compute 119910

119905

1015840= 119903119905sdot 119896119897+1



119905= 119903119905sdot 119910 and sends




119905

Algorithm 2



119894selects



119894 119894 = 1 2 119898 are


119894sdot 119904119894to CC



119894encrypted




1minus 11988811989410158401015840

0) oplus (119888

11989510158401015840

1minus 11988811989510158401015840

0) =

119896 sdot (119909119894+ 119909119895) and (11988811989410158401015840

1minus 11988811989410158401015840

0) otimes (119888

11989510158401015840

1minus 11988811989510158401015840

0) = 119896

2sdot (119909119894times 119909119895)







119905= 119903119905sdot 119896119897+1



119905




119905

5 Analysis





119894sends 119903







1 1198982uploaded by 119875

119894



119894to 1198881015840

119894and sends 1198881015840





119888S (1198981) = Enc (119901119896S 1)

119888S (1198982) = Enc (119901119896S 1)(1)

and sends 119888S(1198981) 119888S(1198982) toA


1) 119888S(119898

lowast

2) to S

Then S computes

119888S (119898lowast

1+ 119898lowast

2) = 119888S (119898

lowast

1) oplus 119888S (119898

lowast

2)

119888S (119898lowast

1times 119898lowast

2) = 119888S (119898

lowast

1) otimes 119888S (119898

lowast

2)

(2)


1+ 119898lowast

2) 119888S(119898

lowast

1times 119898lowast

2) toA



IDEALFS (119888S (119898119894))119888

asymp REALΠA (119888S (119898119894)) 119894 = 1 2 (3)


6 Conclusion




Acknowledgments



References


































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in






119905

5 Analysis





119894sends 119903







1 1198982uploaded by 119875

119894



119894to 1198881015840

119894and sends 1198881015840





119888S (1198981) = Enc (119901119896S 1)

119888S (1198982) = Enc (119901119896S 1)(1)

and sends 119888S(1198981) 119888S(1198982) toA


1) 119888S(119898

lowast

2) to S

Then S computes

119888S (119898lowast

1+ 119898lowast

2) = 119888S (119898

lowast

1) oplus 119888S (119898

lowast

2)

119888S (119898lowast

1times 119898lowast

2) = 119888S (119898

lowast

1) otimes 119888S (119898

lowast

2)

(2)


1+ 119898lowast

2) 119888S(119898

lowast

1times 119898lowast

2) toA



IDEALFS (119888S (119898119894))119888

asymp REALΠA (119888S (119898119894)) 119894 = 1 2 (3)


6 Conclusion




Acknowledgments



References


































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in




References


































Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in










Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in



Documents

Research Article Two-Cloud-Servers-Assisted Secure ...downloads.hindawi.com/journals/tswj/2014/413265.pdf · Research Article Two-Cloud-Servers-Assisted Secure Outsourcing Multiparty