1 Introduction
During recent years, the increase of data on one hand and the importance of privacy of them on the other hand, encouraged researchers to work on techniques that allow data holders to do data analysis techniques without revealing private data. One of such techniques is secure multiparty computation.
Secure multiparty computation is a kind of distributed computation that allow a set of parties to compute a function on their private data, without revealing them. The idea was first introduced by Yao, in his Millionarie’s problem [1]. The problem says two millionaries want to know who is richer, but they do not want to reveal their wealth.
After Yao’s seminal paper, many researches have been done in this direction and his idea was generalized to a general purpose form.
Specifically, researchers focused on how they can evaluate a function on n piece of data, holding by n parties, without revealing the data. It has been shown that any function can be computed in on such data without revealing them. Two general approaches have been proposed, using binary circuits or using arithmetic circuits. In the first case, n parties share their data among themselves, using for example Shamir’s secret sharing [2] and then the parties do function calculation using binary circuits on the shared data. In this approach, parties do bitwise calculation using for example Oblivious Transfer. As communication is an inseparable part of multiparty computation, because parties are constantly send and receive data, this approach is not efficient from communication complexity point of view. In the arithmetic circuit scenario, the parties use secret sharing to share their data and do function evaluation on them. As this idea is based on polynomials and finite field calculation, it is more efficient.
In both scenarios all parties need to communicate and share their data. On the other hand adversaries may interrupt data communication, or create noise while players are doing local calculation on their data. As such, if they have the ability to use an error detection and correction technique, they can increase the reliability of the protocol they use for multiparty computation. In this paper we propose a secure error correction technique that can be added to a secure multiparty computation for detecting errors created by adversaries or communication channels. The idea is based on BerlekampWelch algorithm and we assume parties have created their shares based on ReedSolomon codes. The reason that we use these two specific techniques is that, as secret sharing, they are based on polynomials over finite fields which are efficient for implementation.
The paper organization is as follows. First we presents the preliminaries of our work, including multiparty computation, ReedSolomon codes and their decoding using BerlekampWelch algorithm. Then the previous works will be reviewed. After that the main part of this paper will be presented.
2 Preliminaries
In this section we present the preliminaries our our work. These include multiparty comutation, ReedSolomon codes (we call them RS codes for simplicity), BerlekampWelch decoding algorithm (we call it BW algorithm for simplicity) for RS codes.
2.1 Secure Multi Party Computation
Secure multiparty computation which its first idea was introduced by Yao [1] is defined as follows. parties each have a private value, want to evaluate a public function on their private data in such a way that they don’t reveal any information about their data but they all can get the output of the public function. One simple example is that parties have integer values and they want to find the maximum of them without revealing them.
Many researches have been done in this area [4], [5], [8], [7], [6]. In secure multiparty computation two approaches can be used. One approach is doing computation based on bits of shared values and the other approach is doing computation based on shared values of secrets in a finite field , for a prime integer p, [4]. In both cases the shares of secret values are being distributed using a secret sharing scheme, such as Shamir secret sharing [2]. However, both approaches have their own pros and cons, for example,
doing addition and multiplication is efficient in finite field arithmetic, but using boolean circuits it is not efficient. Unfortunately, doing calculations such as secret comparisons is not efficient and trivial in arithmetic circuits, whereas it is trivial in boolean circuit calculations [4]. However, for large integers this task is not efficient using boolean circuits.
To overcome the inefficiency of these two scenarios and having an efficient in [5] authors presented a protocol, called bitdecomposition, that allows parties to convert sharing of finite field elements to sharing of bits. In [4] authors improved the bitdecomposition protocol by reducing its communication complexity. Another work in this area has been presented in [9] which is based on threshold homomorphic systems.
2.2 ReedSolomon Codes
ReedSolomon codes was introduced in 1960 in [10]. These linear errorcorrecting codes are based on polynomials over finite fields and have many applications. In the following we assume all calculation are done in the finite field for a given prime number . RS codes encode a message of length into a codeword of length , . Mathematically, given a message , the polynomial is defined as following:
(1) 
In which coefficients are in . To encode the message , the polynomial will be evaluated on different points, say , so the encoded message, denoted by would be:
(2) 
For the ReedSolomon codes we have the following theorems:
Theorem 2.1
The weight of ReedSolomon codes of length with a message of length , , is .
Theorem 2.2
An with can correct errors.
A decoding algorithm was developed by Berlekamp and Welch in [11], which we will discuss it in the next section.
2.3 BerlekampWelch Decoding Algorithm
BerlekampWelch algorithm is a decoding algorithm for RS codes [11]. As we discussed in the previous section, an code encodes a message with length to a codeword of length . Now, assume that errors has happened in the codeword and the codeword with error is . That is, for at most cases.
Theorem 2.3
Given a received codeword, generated by RS(n, k) codes, with errors, then there exists nonzero polynomials and for which we have [12]:
(3) 
(4) 
(5) 
Moreover, will give the polynomial that has generated the codeword, .
Equation 5 is called key equation and solving it gives us the location of the errors in the received codeword, which is guaranteed by theorem 2.3.
For , key equation, equation 5, will produce a linear system of equations, which we can solve it by different methods in linear algebra, such as Gaussian elimination or Cramer’s rule. By finding the solution of key equation, we can find errors location and the polynomial which gives the corrected message.
3 Secure Error Detection and Correction using MPC
We assume that parties have shares and they want to be able to check if any errors has happened in their data, because in multyparty computation parties constantly exchange their data. We also assume that all the following calculations are done in finite field where is a prime number.
In order to be able to detect and correct errors, we need to have at least shares, in other words parties need to participate, because according to theorem 2.2, , which is the message length. Also, we assume that the number of errors at most can be one less than the message length. In other words, all the message has not been altered.
In the following we will address the problem of error detection and then provide a technique that allows the parties to recover the incorrect share.
Locating one error at the time:
Each player creates an equation using his secret value (which is denoted by for player ).
(6) 
So we have equations, each at hand of one party, by which we can define the following system linear equation (consisting of equations and unknowns including ).
(7) 
will be used for the error correction polynomial in BW algorithm and is error locator as the polynomial in BW algorithm. Also we assume that all of calculations are done in for a public predefined prime number . Now, players evaluate equations with , like BW algorithm. So, they have:
(8) 
To make it simple, we use matrix notation to show this linear system of equations:
(9) 
The first columns of the first matrix are public values, which are the same as the columns of the Vandermone matrix. If we use Cramer’s rule for solving this system of equations (just for , which determines the location of the error), we would have:
(10) 
where
(11) 
and
(12) 
if we expand the determinant based on the last column, we will have:
(13) 
and
(14) 
where is the matrix that is created by eliminating the th row and th column of A.
As we see in the above equation just ’s are secret and the second term in the summation is a public value. So, to calculate and , players just need to locally multiply their secret value by a public term and send a shares of the result to other players and finally do a Lagrange interpolation to find the location of the error. The error detection algorithm is as following, see algorithm 1.
(15) 
(16) 
Correcting one error at a time: For the error correction we will use the idea in [13]. In this paper authors proposed a new approach, based on Lagrange interpolation, for recovering incorrect shares. After the location of error has been determined, solving the system of equations for , the other parties who have correct shares, help the party with incorrect share to correct his share. The whole idea is that each player calculates his Lagrange interpolation constant and multiplies it by his share and send the shares of the result value to all players. After all players do so, they will have portions of a share of the original data, by which the player with incorrect share can correct his share. The error correction protocol 2 shows the step by step process for helping a player to correct his share.
(17) 
(18) 
(19) 
(20) 
4 Technical Discussion
In this section we will discuss the security analysis as well as computational and communication complexity of the error detection and correction protocols.
4.1 Security Analysis of Error Dectection Protocol
Similar to threshold secret sharing, in which a group of players need to cooperate in order to get the secret value, here in this secure error correction protocol players need to come together to detect and correct an error. To do so, they create a asystem of linear equations and when they represent it in the matrix format, , one column of the matrix and the vector consist of secret values of players. As they calculate the determinant of the matrix using Gaussian expansion based on the column containing the secret values, the new submatrices are all containing public values, which their determinant will be calculated and distributed among all players by a volunteer player. Then each player needs to caclulate a multiplication by a public value localy which can be calculated easily by each player without revealing any information, , see equations 13 and 14 and the toy example in appendix A.
4.2 Round Complexity Discussion
Communication or round complexity, which can very large in some MPC protocol, for our secure error correction protocol is very small. For error detection players calculate two determinants ( according to the equation 13 and according to the equation 14) in which they only do multiplication by some public values, which can be easily done and does not need any multiplication in MPC which requrires sharing and resharing. After that they do a Lagrange interpolation collaboratively.
For error correction, one round of communication is needed in step 2 and one round in step 3, in totall two round of communication.
4.3 Computational Complexity Discussion
The computational complexity of error correction algorithm is where is the number of players. Because a volunteer player calculates the determinant of by matrices which can be done in , or by using more efficient algorithms in a lower time complexity. The Lagrange interpolation can be done in .
5 Conclusion
In this paper we introduced the idea of secure error correction that allows a group of parties to detect and correct their shares in a privacypreserving manner. The idea is based on ReedSolomon codes and BerlekampWelch decoding algorithm. In fact we used BerlekampWelch algorithm for finding the location of the errors and for error correction we used the assumption of Shamir’s threshold Secret Sharing, that a group of parties have enough data to recover the secret or equivalently create the share of a specific party. The protocol works as follows.
At any point in an MPC protocol, players can collaboratively form the system of equations in BW algorithm and then solve it. Note that each equation is at the hand of one player. Then they expand the determinant of the matrix of their system of equations using the Laplace expansion and they calculate and announce the determinant of the submatrices if there is no secret value in any column. After doing calculation and finding the location of the error, which is the ID of a player, any subset of of players with correct share can help the player with incorrect share to recover his correct share ( is threshold in the Shamir’s (t, n)threshold secret sharing).
Appendix: A Toy Example
A toy example: Assume that the prime and players ID are 1, 2, 3, 4. Also the private values of four parties are 2, 0, 5, 3 and the third value has changed to 4 because of an error. So, the codeword is and the received vector, as described in BW algorithm, is . The key equation of BW algorithm would be
(21) 
Evaluating it for (here each is the ID of a player and each equation is at the hand of one player):
(22) 
In fact each player create his equation using his ID which is a public value. This system of equations can be written as, after doing all calculation in :
(23) 
To find the erroneous private value (or its location) we need to find as following, which was explained in section 3.
(24) 
where
(25) 
and
(26) 
After doing the calculation we will have , which means the location of the error is 3. Because error locator polynomial would be and its root shows the location of the error, and its root in is . Notice that the last column of and are consisted of a multiplicative factor of parties private value, so the determinant calculation should be expanded based on that column and after the expansion players can use any method to calculate the determinant of the resulting matrix.
References
 [1] A. Yao, Protocols for Secure Computation, In Proc. 23rd Annual Symp. on Foundations of Computer Science (FOCS), pages 160–164. IEEE, 1982.
 [2] A. Shamir, How to share a secret, Commun. ACM, 22(11):612–613, 1979.
 [3] Liu X, Li S, Liu J, Chen X, Xu G. Secure multiparty computation of a comparison problem, SpringerPlus, 2016, 5(1):1489. doi:10.1186/s4006401630610.
 [4] T. Nishide and K. Ohta, Multiparty computation for interval, equality, and comparison without bitdecomposition protocol, in Proc. 2007 PKC, pp. 343360.
 [5] I. Damgard, M. Fitzi, E. Kiltz, J.B. Nielsen, and T. Toft, Unconditionally secure constantrounds multiparty computation for equality, comparison, bits and exponentiation, Proc. 3rd Theory of Cryptography Conference, LNCS 3876, pp.285304, Springer Verlag, 2006.
 [6] O. Goldreich, S. Micali, and A. Wigderson, How to play any mental game or a complete theorem for protocols with honest majority, Proc. 19th STOC, pp.218– 229, 1987.

[7]
M. BenOr, S. Goldwasser, and A. Wigderson, Completeness theorem for noncryptographic faulttolerant distributed computation, 20th Annual ACM Symposium on Theory of Computing, pp.1–10, 1988.
 [8] D. Chaum, C. Crepeau, and I. Damgard, Multiparty unconditionally secure protocols, Proc. ACM STOC’88, pp.11–19, 1988.
 [9] 21. B. Schoenmakers and P. Tuyls, Efficient binary conversion for Paillier encrypted values, EUROCRYPT’06, LNCS 4004, pp.522–537, Springer Verlag, 2006.
 [10] I. S. Reed and G. Solomon, Polynomial codes over certain finite fields, 1. SIAM, vol 8, no 2, June 1960, pp 300304
 [11] Lloyd R. Welch and Elwyn R. Berlekamp. Error correction for algebraic block codes, December 30 1986. US Patent 4,633,470.
 [12] https://math.berkeley.edu/ mhaiman/math55/reedsolomon.pdf
 [13] M. Nojoumian, D. Stinson, and M. Grainger, Unconditionally secure social secret sharing scheme, IET Information Security, Special Issue on MultiAgent and Distributed Information Security 4, 4 (2010), 202211.
Comments
There are no comments yet.