Secure Error Correction using Multi-Party Computation

by   Mohammad G. Raeini, et al.
Florida Atlantic University

During recent years with the increase of data and data analysis needs, privacy preserving data analysis methods have become of great importance. Researchers have proposed different methods for this purpose. Secure multi-party computation is one of such techniques that allows a group of parties to evaluate a function on their data without revealing the data. This is done by secret sharing approach, in which parties share a piece of their data using polynomials and after doing function evaluation on shares of data finally they do a Lagrange interpolation to get the result. Two approaches have been proposed in secure multi-party computation for evaluating a function, arithmetic gates and logical gates. In both of them and since communication is an important step in multi-party computation, errors may happen. So, being able to detect and correct errors is important. Moreover, as adversaries may interrupt communication or manipulate the data, either in communication or during computation, this error detection and correction provide participating parties with a technique to detect such errors. Hence, in this paper we present a secure multi-party computation error correcting technique that has the ability to detect and correct errors on players shares. This technique is based on Berlekamp-Welch error correcting codes and we assume that players shares are generated using Reed-Solomon codes.



There are no comments yet.


page 1

page 2

page 3

page 4


Secure Multi-party Quantum Computation with a Dishonest Majority

The cryptographic task of secure multi-party (classical) computation has...

Performance Evaluation of Secure Multi-party Computation on Heterogeneous Nodes

Secure multi-party computation (MPC) is a broad cryptographic concept th...

Design of SEC-DED and SEC-DED-DAEC Codes of different lengths

Reliability is an important requirement for both communication and stora...

Secure Collaborative Training and Inference for XGBoost

In recent years, gradient boosted decision tree learning has proven to b...

SecureGBM: Secure Multi-Party Gradient Boosting

Federated machine learning systems have been widely used to facilitate t...

Three-Party Integer Comparison and Applications

Secure integer comparison has been a popular research topic in cryptogra...

Secure Evaluation of Knowledge Graph Merging Gain

Finding out the differences and commonalities between the knowledge of t...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

During recent years, the increase of data on one hand and the importance of privacy of them on the other hand, encouraged researchers to work on techniques that allow data holders to do data analysis techniques without revealing private data. One of such techniques is secure multi-party computation. Secure multi-party computation is a kind of distributed computation that allow a set of parties to compute a function on their private data, without revealing them. The idea was first introduced by Yao, in his Millionarie’s problem [1]. The problem says two millionaries want to know who is richer, but they do not want to reveal their wealth. After Yao’s seminal paper, many researches have been done in this direction and his idea was generalized to a general purpose form. Specifically, researchers focused on how they can evaluate a function on n piece of data, holding by n parties, without revealing the data. It has been shown that any function can be computed in on such data without revealing them. Two general approaches have been proposed, using binary circuits or using arithmetic circuits. In the first case, n parties share their data among themselves, using for example Shamir’s secret sharing [2] and then the parties do function calculation using binary circuits on the shared data. In this approach, parties do bit-wise calculation using for example Oblivious Transfer. As communication is an inseparable part of multi-party computation, because parties are constantly send and receive data, this approach is not efficient from communication complexity point of view. In the arithmetic circuit scenario, the parties use secret sharing to share their data and do function evaluation on them. As this idea is based on polynomials and finite field calculation, it is more efficient.
In both scenarios all parties need to communicate and share their data. On the other hand adversaries may interrupt data communication, or create noise while players are doing local calculation on their data. As such, if they have the ability to use an error detection and correction technique, they can increase the reliability of the protocol they use for multi-party computation. In this paper we propose a secure error correction technique that can be added to a secure multi-party computation for detecting errors created by adversaries or communication channels. The idea is based on Berlekamp-Welch algorithm and we assume parties have created their shares based on Reed-Solomon codes. The reason that we use these two specific techniques is that, as secret sharing, they are based on polynomials over finite fields which are efficient for implementation.
The paper organization is as follows. First we presents the preliminaries of our work, including multi-party computation, Reed-Solomon codes and their decoding using Berlekamp-Welch algorithm. Then the previous works will be reviewed. After that the main part of this paper will be presented.

2 Preliminaries

In this section we present the preliminaries our our work. These include multi-party comutation, Reed-Solomon codes (we call them RS codes for simplicity), Berlekamp-Welch decoding algorithm (we call it BW algorithm for simplicity) for RS codes.

2.1 Secure Multi Party Computation

Secure multi-party computation which its first idea was introduced by Yao [1] is defined as follows. parties each have a private value, want to evaluate a public function on their private data in such a way that they don’t reveal any information about their data but they all can get the output of the public function. One simple example is that parties have integer values and they want to find the maximum of them without revealing them.
Many researches have been done in this area [4], [5], [8], [7], [6]. In secure multi-party computation two approaches can be used. One approach is doing computation based on bits of shared values and the other approach is doing computation based on shared values of secrets in a finite field , for a prime integer p, [4]. In both cases the shares of secret values are being distributed using a secret sharing scheme, such as Shamir secret sharing [2]. However, both approaches have their own pros and cons, for example, doing addition and multiplication is efficient in finite field arithmetic, but using boolean circuits it is not efficient. Unfortunately, doing calculations such as secret comparisons is not efficient and trivial in arithmetic circuits, whereas it is trivial in boolean circuit calculations [4]. However, for large integers this task is not efficient using boolean circuits.
To overcome the inefficiency of these two scenarios and having an efficient in [5] authors presented a protocol, called bit-decomposition, that allows parties to convert sharing of finite field elements to sharing of bits. In [4] authors improved the bit-decomposition protocol by reducing its communication complexity. Another work in this area has been presented in [9] which is based on threshold homomorphic systems.

2.2 Reed-Solomon Codes

Reed-Solomon codes was introduced in 1960 in [10]. These linear error-correcting codes are based on polynomials over finite fields and have many applications. In the following we assume all calculation are done in the finite field for a given prime number . RS codes encode a message of length into a codeword of length , . Mathematically, given a message , the polynomial is defined as following:


In which coefficients are in . To encode the message , the polynomial will be evaluated on different points, say , so the encoded message, denoted by would be:


For the Reed-Solomon codes we have the following theorems:

Theorem 2.1

The weight of Reed-Solomon codes of length with a message of length , , is .

Theorem 2.2

An with can correct errors.

A decoding algorithm was developed by Berlekamp and Welch in [11], which we will discuss it in the next section.

2.3 Berlekamp-Welch Decoding Algorithm

Berlekamp-Welch algorithm is a decoding algorithm for RS codes [11]. As we discussed in the previous section, an code encodes a message with length to a codeword of length . Now, assume that errors has happened in the codeword and the codeword with error is . That is, for at most cases.

Theorem 2.3

Given a received codeword, generated by RS(n, k) codes, with errors, then there exists non-zero polynomials and for which we have [12]:


Moreover, will give the polynomial that has generated the codeword, .

Equation 5 is called key equation and solving it gives us the location of the errors in the received codeword, which is guaranteed by theorem 2.3.
For , key equation, equation 5, will produce a linear system of equations, which we can solve it by different methods in linear algebra, such as Gaussian elimination or Cramer’s rule. By finding the solution of key equation, we can find errors location and the polynomial which gives the corrected message.

3 Secure Error Detection and Correction using MPC

We assume that parties have shares and they want to be able to check if any errors has happened in their data, because in multy-party computation parties constantly exchange their data. We also assume that all the following calculations are done in finite field where is a prime number.
In order to be able to detect and correct errors, we need to have at least shares, in other words parties need to participate, because according to theorem 2.2, , which is the message length. Also, we assume that the number of errors at most can be one less than the message length. In other words, all the message has not been altered. In the following we will address the problem of error detection and then provide a technique that allows the parties to recover the incorrect share.

Locating one error at the time: Each player creates an equation using his secret value (which is denoted by for player ).


So we have equations, each at hand of one party, by which we can define the following system linear equation (consisting of equations and unknowns including ).


will be used for the error correction polynomial in BW algorithm and is error locator as the polynomial in BW algorithm. Also we assume that all of calculations are done in for a public pre-defined prime number . Now, players evaluate equations with , like BW algorithm. So, they have:


To make it simple, we use matrix notation to show this linear system of equations:


The first columns of the first matrix are public values, which are the same as the columns of the Vandermone matrix. If we use Cramer’s rule for solving this system of equations (just for , which determines the location of the error), we would have:






if we expand the determinant based on the last column, we will have:




where is the matrix that is created by eliminating the -th row and -th column of A. As we see in the above equation just ’s are secret and the second term in the summation is a public value. So, to calculate and , players just need to locally multiply their secret value by a public term and send a shares of the result to other players and finally do a Lagrange interpolation to find the location of the error. The error detection algorithm is as following, see algorithm 1.

1:  Each player defines his own equation (with his public ID and his secret value ), as following:
2:  All players put their public part of their equation in a matrix (in the last column which is private value of each player they just put , because in the next step during Gaussian expansion, this will be eliminated) as follows:
3:  One of the players accepts to calculate and , from matrix. means the by matrix that has been created from by eliminating its -th row and -th column. After calculation this player hands out and to player with ID .
4:  Now, each player, which just received his related terms in equations 13 and 14, calculate the multiplication of his private value by the received term locally, we call the result value for player .
5:  Each player, shares his between all players.
6:  Each player adds up his received shares, lets denote the result by , that is .
7:  Finally all players do a Lagrange interpolation on their and get the and , as in equation 10. Note that for and players need to multiply their private values with the corresponding terms as in equations 13 and 14.
Algorithm 1 Error Detection Protocol

Correcting one error at a time: For the error correction we will use the idea in [13]. In this paper authors proposed a new approach, based on Lagrange interpolation, for recovering incorrect shares. After the location of error has been determined, solving the system of equations for , the other parties who have correct shares, help the party with incorrect share to correct his share. The whole idea is that each player calculates his Lagrange interpolation constant and multiplies it by his share and send the shares of the result value to all players. After all players do so, they will have portions of a share of the original data, by which the player with incorrect share can correct his share. The error correction protocol 2 shows the step by step process for helping a player to correct his share.

1:  Each party calculates his Lagrange interpolation constant as following:
2:  Then each player multiplies his secret value by his Lagrange interpolation constant and splits it into portions, where is threshold in secret sharing.
Next, he sends each portion to one of players.
3:  Each party receives portions in total and adds them up as follows:
which means the portion that participant has sent to participant .
4:  Party then sends to party, say with ID , whose share is corrupted or altered. players need to send their share for player , so he will be able to recover his correct share.
5:  Party adds up all the received shares, from helper players, the result is his recovered share:
Algorithm 2 Error Correction Protocol

4 Technical Discussion

In this section we will discuss the security analysis as well as computational and communication complexity of the error detection and correction protocols.

4.1 Security Analysis of Error Dectection Protocol

Similar to -threshold secret sharing, in which a group of players need to cooperate in order to get the secret value, here in this secure error correction protocol players need to come together to detect and correct an error. To do so, they create a asystem of linear equations and when they represent it in the matrix format, , one column of the matrix and the vector consist of secret values of players. As they calculate the determinant of the matrix using Gaussian expansion based on the column containing the secret values, the new sub-matrices are all containing public values, which their determinant will be calculated and distributed among all players by a volunteer player. Then each player needs to caclulate a multiplication by a public value localy which can be calculated easily by each player without revealing any information, , see equations 13 and 14 and the toy example in appendix A.

4.2 Round Complexity Discussion

Communication or round complexity, which can very large in some MPC protocol, for our secure error correction protocol is very small. For error detection players calculate two determinants ( according to the equation 13 and according to the equation 14) in which they only do multiplication by some public values, which can be easily done and does not need any multiplication in MPC which requrires sharing and resharing. After that they do a Lagrange interpolation collaboratively.
For error correction, one round of communication is needed in step 2 and one round in step 3, in totall two round of communication.

4.3 Computational Complexity Discussion

The computational complexity of error correction algorithm is where is the number of players. Because a volunteer player calculates the determinant of by matrices which can be done in , or by using more efficient algorithms in a lower time complexity. The Lagrange interpolation can be done in .

5 Conclusion

In this paper we introduced the idea of secure error correction that allows a group of parties to detect and correct their shares in a privacy-preserving manner. The idea is based on Reed-Solomon codes and Berlekamp-Welch decoding algorithm. In fact we used Berlekamp-Welch algorithm for finding the location of the errors and for error correction we used the assumption of Shamir’s -threshold Secret Sharing, that a group of parties have enough data to recover the secret or equivalently create the share of a specific party. The protocol works as follows.
At any point in an MPC protocol, players can collaboratively form the system of equations in BW algorithm and then solve it. Note that each equation is at the hand of one player. Then they expand the determinant of the matrix of their system of equations using the Laplace expansion and they calculate and announce the determinant of the sub-matrices if there is no secret value in any column. After doing calculation and finding the location of the error, which is the ID of a player, any subset of of players with correct share can help the player with incorrect share to recover his correct share ( is threshold in the Shamir’s (t, n)-threshold secret sharing).

Appendix: A Toy Example

A toy example: Assume that the prime and players ID are 1, 2, 3, 4. Also the private values of four parties are 2, 0, 5, 3 and the third value has changed to 4 because of an error. So, the codeword is and the received vector, as described in BW algorithm, is . The key equation of BW algorithm would be


Evaluating it for (here each is the ID of a player and each equation is at the hand of one player):


In fact each player create his equation using his ID which is a public value. This system of equations can be written as, after doing all calculation in :


To find the erroneous private value (or its location) we need to find as following, which was explained in section 3.






After doing the calculation we will have , which means the location of the error is 3. Because error locator polynomial would be and its root shows the location of the error, and its root in is . Notice that the last column of and are consisted of a multiplicative factor of parties private value, so the determinant calculation should be expanded based on that column and after the expansion players can use any method to calculate the determinant of the resulting matrix.


  • [1] A. Yao, Protocols for Secure Computation, In Proc. 23rd Annual Symp. on Foundations of Computer Science (FOCS), pages 160–164. IEEE, 1982.
  • [2] A. Shamir, How to share a secret, Commun. ACM, 22(11):612–613, 1979.
  • [3] Liu X, Li S, Liu J, Chen X, Xu G. Secure multiparty computation of a comparison problem, SpringerPlus, 2016, 5(1):1489. doi:10.1186/s40064-016-3061-0.
  • [4] T. Nishide and K. Ohta, Multiparty computation for interval, equality, and comparison without bit-decomposition protocol, in Proc. 2007 PKC, pp. 343-360.
  • [5] I. Damgard, M. Fitzi, E. Kiltz, J.B. Nielsen, and T. Toft, Unconditionally secure constant-rounds multi-party computation for equality, comparison, bits and exponentiation, Proc. 3rd Theory of Cryptography Conference, LNCS 3876, pp.285-304, Springer Verlag, 2006.
  • [6] O. Goldreich, S. Micali, and A. Wigderson, How to play any mental game or a complete theorem for protocols with honest majority, Proc. 19th STOC, pp.218– 229, 1987.
  • [7]

    M. Ben-Or, S. Goldwasser, and A. Wigderson, Completeness theorem for noncryptographic fault-tolerant distributed computation, 20th Annual ACM Symposium on Theory of Computing, pp.1–10, 1988.

  • [8] D. Chaum, C. Crepeau, and I. Damgard, Multi-party unconditionally secure protocols, Proc. ACM STOC’88, pp.11–19, 1988.
  • [9] 21. B. Schoenmakers and P. Tuyls, Efficient binary conversion for Paillier encrypted values, EUROCRYPT’06, LNCS 4004, pp.522–537, Springer Verlag, 2006.
  • [10] I. S. Reed and G. Solomon, Polynomial codes over certain finite fields, 1. SIAM, vol 8, no 2, June 1960, pp 300-304
  • [11] Lloyd R. Welch and Elwyn R. Berlekamp. Error correction for algebraic block codes, December 30 1986. US Patent 4,633,470.
  • [12] mhaiman/math55/reed-solomon.pdf
  • [13] M. Nojoumian, D. Stinson, and M. Grainger, Unconditionally secure social secret sharing scheme, IET Information Security, Special Issue on Multi-Agent and Distributed Information Security 4, 4 (2010), 202-211.