
1 Introduction

With the growth of data and the increase in computing overhead, it is natural to store clients’ data and perform expensive computations on powerful remote “cloud” servers. Although the “cloud” offers considerable advantages in cost and functionality, protecting data privacy has become one of the most serious problems in this process.

Fully homomorphic encryption (FHE), first proposed by Gentry in 2009 [1], can evaluate arbitrary circuits on encrypted data as if it were plaintext. FHE was initially designed for a single user and a single cloud. However, many scenarios involve multiple parties, such as many users and one server, and require FHE operations under different keys. Multi-key FHE (MFHE) [7, 8] is an interesting result derived from this setting.

Further, we consider a more complex situation in VANETs. Abstractly, in a basic cluster-based VANETs data aggregation protocol, the network is divided into many clusters consisting of vehicle members. During data aggregation, the vehicle members broadcast their traffic data to complete the aggregation. In traffic transportation, we need to achieve secure aggregation of vehicle data [9, 13, 14] within a certain range in order to provide various functions, such as early warning and congestion control (Fig. 1).

Fig. 1. VANETs

To achieve data aggregation privately, FHE can be used in VANETs communication under a set of natural and stringent requirements. First, private information must be protected. Second, since the VANETs topology changes dynamically, the correctness of data aggregation must be ensured. Some MFHE schemes partially meet these requirements, but the dynamic changes also raise new requirements for MFHE. For example, as the number of nodes increases or decreases, an MFHE scheme should support multi-hop homomorphic encryption.

Based on MFHE and threshold decryption, we present a secure 3-round data aggregation protocol for VANETs. We apply an MFHE scheme based on GSW [8] and the two-round MPC protocol of [16] to complete the data aggregation. For the dynamic situation, a linear secret sharing scheme is used to split each secret key and store the sharing separately on the other nodes. When the number of vehicle nodes decreases, the sharing of the node that left the cluster is reconstructed from the nodes still in it, so that the decryption of the final ciphertext can be completed.

1.1 Our Results and Techniques

To achieve data aggregation in VANETs, we make the following changes:

Based on threshold encryption, linear secret sharing is applied to realize the variant partial decryption. By linear secret sharing, a secret key is split among the other nodes. The variant partial decryption of that secret key can then be reconstructed with one round of communication, after which the threshold decryption can be completed.

To construct the 3-round data aggregation protocol in VANETs, we apply the two-round MPC protocol based on MFHE for the basic communication, and the variant partial decryption to ensure reliability in the dynamic situation. In the dynamic situation of VANETs, each secret key is split into sharing for the other nodes. If one vehicle leaves the cluster, the variant partial decryption is executed for that node to complete the final decryption.

1.2 Other Related Work

The basic idea of evaluating ciphertexts encrypted under different keys with a homomorphic encryption scheme was first proposed by López-Alt, Tromer and Vaikuntanathan [7]. Their protocol, however, was built on the NTRU scheme, which relies on a non-standard assumption, the Decisional Small Polynomial Ratio assumption. Clear and McGoldrick [8], building on the GSW IBFHE scheme [6] and the GPV IBE scheme [10], constructed a new approach to multi-identity IBFHE. As a by-product, based on the standard LWE assumption, the approach implements the multi-key FHE of [11]. Based on Clear and McGoldrick’s multi-key FHE scheme, Mukherjee and Wichs [16] proposed a two-round MPC protocol.

1.3 Organization

In Sect. 2, we introduce the notation used in this paper and the related definition of the MFHE with threshold decryption. In Sect. 3, we show the threshold decryption and the variant partial decryption. In Sect. 4, we show how to construct the data aggregation and analyze the security and performance.

2 Preliminary

Notations.

Throughout, we let \( \lambda \) denote the security parameter and \( \text{negl}(\lambda ) \) denote a negligible function. We represent elements in \( {\mathbf{\mathbb{Z}}}_{q} \) as integers in the range \( ( - q/2,q/2] \). Let \( {\mathbf{x}} = (x_{1} , \ldots ,x_{n} ) \in {\mathbf{\mathbb{Z}}}_{q}^{n} \) be a vector. We use the notation \( {\mathbf{x}}[i] \) to denote the i-th component scalar. Similarly, for a matrix \( {\mathbf{M}} \in {\mathbf{\mathbb{Z}}}_{q}^{n \times m} \), we use \( {\mathbf{M}}[i,j] \) to denote the scalar element located in the i-th row and the j-th column. And, for an integer \( x \in {\mathbf{\mathbb{Z}}}_{q} \), we use \( x[i] \) to denote the i-th bit. The infinity norm of a vector \( {\mathbf{x}} \) is defined as \( \left\| {\mathbf{x}} \right\|_{\infty } = \max_{i} (\left| {{\mathbf{x}}[i]} \right|) \). The norm of matrices is defined similarly.

2.1 Multi-key FHE with Threshold Decryption

We start with the definition of Threshold multi-key FHE which has been proposed in [16].

Definition 2.1.

A threshold multi-key FHE scheme (TMFHE) is a multi-key FHE scheme with two additional algorithms, PartDec and FinDec, described as follows:

  • \( p_{i} \leftarrow \text{PartDec}(\hat{c},(pk_{1} , \ldots ,pk_{N} ),i,sk_{i} ) \): On input an expanded ciphertext under a sequence of N keys and the i-th secret key, output a partial decryption \( p_{i} \).

  • \( \mu \leftarrow \text{FinDec}(p_{1} , \ldots ,p_{N} ) \): On input N partial decryptions, output the plaintext \( \mu \).

Now we propose our definition for the variant partial decryption. Three algorithms are added to the new definition, as follows:

Definition 2.3.

A threshold multi-key FHE scheme* (TMFHE*) is a threshold multi-key FHE scheme with three additional algorithms, SecSplit, SharPartDec and SharFinDec, described as follows:

  • \( \{ s_{j} \}_{{j \in [N]\backslash \{ i\} }} \leftarrow {\text{SecSplit}}(N,i,sk_{i} ) \): On input a secret key \( sk_{i} \) and the number of parties N, output N − 1 sharing.

  • \( sp_{j} \leftarrow {\text{SharPartDec}}(\hat{c},(pk_{1} , \ldots ,pk_{N} ),j,s_{j} ) \): On input an expanded ciphertext under a sequence of N keys and the j-th sharing \( s_{j} \), output a partial sharing decryption \( sp_{j} \).

  • \( p_{i}^{\prime } \leftarrow {\text{SharFinDec}}(sp_{1} , \ldots ,sp_{N} ) \): On input N partial sharing decryptions, output the partial decryption \( p_{i}^{\prime } \).

This definition requires correctness and security as follows:

Simulator Security.

There exists a PPT simulator \( {\mathcal{S}}^{{^{vthr} }} \) which, on input the index \( i \in [N] \), all but the i-th sharing \( \{ s_{j} \}_{{j \in [N]\backslash \{ i\} }} \), the evaluated ciphertext \( \hat{c} \) and the k-th secret key \( sk_{k} \), produces a simulated partial sharing decryption \( s{p_i}^\prime \leftarrow {\mathcal{S}^{vthr}}(s{k_k},\hat c,i,{\{ {s_j}\}_{j \in [N]\backslash \{ i,k\} }}) \) such that:

$$ sp_{i}^{\prime } \mathop \approx \limits^{comp} sp_{i} $$

where \( sp_{i} \leftarrow {\text{SharPartDec}}(\hat{c},(pk_{1} , \ldots ,pk_{N} ),i,s_{i} ) \).

Correctness.

The following holds with probability 1:

$$ {\text{FinDec}}(p_{1} , \ldots ,p_{i}^{\prime } , \ldots ,p_{N} ) = \mu $$

where \( p_{i}^{\prime } \leftarrow {\text{SharFinDec}}(sp_{1} , \ldots ,sp_{N} ) \).

2.2 Other Related Definitions

Now we give some related definitions which would be used in the rest of this paper.

Definition 2.4

(B-Bounded Distribution). A distribution ensemble χ, supported over the integers, is called B-bounded if

$$ \mathop {\Pr }\limits_{e \leftarrow \chi } [\left| e \right| > B] \le \text{negl}(\lambda ). $$

Definition 2.5

(Statistical Indistinguishability). Let X, Y be two distribution ensembles over a finite domain \( {\varvec{\Omega}} \). X and Y are statistically indistinguishable, denoted by \( {\text{X}}\mathop \approx \limits^{stat} {\text{Y}} \), if

$$ \Delta ({\text{X}},{\text{Y}}) \le {\text{negl}}(n). $$

where \( \Delta ({\text{X,Y}})\mathop = \limits^{def} \frac{1}{2}\sum\nolimits_{\omega \in \varOmega } {\left| {{\text{X}}(\omega ) - {\text{Y}}(\omega )} \right|} . \)

3 Threshold Decryption via Linear Secret Sharing

We now show how to construct the variant threshold decryption from MFHE by linear secret sharing. It proceeds in 3 parts, shown as follows:

  1. We show how to perform the threshold decryption and its variant based on linear secret sharing for this scheme.

  2. We show the correctness and security of the variant threshold decryption.

3.1 Variant of Threshold Decryption Based on Linear Secret Sharing

This part implements the variant threshold decryption for the MFHE construction and the reconstruction from the sharing of one party’s secret key.

The threshold decryption is implemented by the following two functions, PartDec(…) and FinDec(…):

  • \( {\mathbf{PartDec}}(\hat{c},i,sk_{i} ) \): On input an expanded ciphertext \( \hat{c} = {\hat{\mathbf{C}}} \in {\mathbf{\mathbb{Z}}}_{q}^{nN \times mN} \) in [8] and the i-th secret key \( sk_{i} = {\mathbf{t}}_{i} \in {\mathbf{\mathbb{Z}}}_{q}^{n} \) do the following:

    1. Parse \( {\hat{\mathbf{C}}} \) as consisting of N sub-matrices \( {\hat{\mathbf{C}}}^{(i)} \in {\mathbf{\mathbb{Z}}}_{q}^{n \times mN} \) such that \( {\hat{\mathbf{C}}} = \left[ {\begin{array}{*{20}c} {{\hat{\mathbf{C}}}^{(1)} } \\ \vdots \\ {{\hat{\mathbf{C}}}^{(N)} } \\ \end{array} } \right] \).

    2. Define \( {\hat{\mathbf{w}}} \in {\mathbf{\mathbb{Z}}}_{q}^{nN} \) as \( {\hat{\mathbf{w}}} = \left[ {0, \ldots ,0,\left\lceil {{q \mathord{\left/ {\vphantom {q 2}} \right. \kern-0pt} 2}} \right\rceil } \right] \).

    3. Then compute \( \gamma_{i} = {\mathbf{t}}_{i} {\hat{\mathbf{C}}}^{(i)} {\hat{\mathbf{G}}}^{ - 1} ({\hat{\mathbf{w}}}) \in {\mathbf{\mathbb{Z}}}_{q} \) and output \( p_{i} = \gamma_{i} + e_{i}^{sm} \in {\mathbf{\mathbb{Z}}}_{q} \), where \( e_{i}^{sm} \mathop \leftarrow \limits^{\$ } \left[ { - B_{smdg}^{dec} ,B_{smdg}^{dec} } \right] \) is a random noise and \( B_{smdg}^{dec} = B_{\chi } 2^{d\lambda \,\log \,\lambda } \).

  • \( {\mathbf{FinDec}}(p_{1} , \ldots ,p_{N} ) \): Given \( p_{1} , \ldots ,p_{N} , \) compute the sum \( p = \sum\nolimits_{i = 1}^{N} {p_{i} } \). Output \( \mu : = \left| {Round\left( {\frac{p}{{{q \mathord{\left/ {\vphantom {q 2}} \right. \kern-0pt} 2}}}} \right)} \right| \).

As mentioned in Sect. 1, the increase and decrease of the node number affect the encryption and decryption of the MFHE scheme in the multi-hop environment. When the number increases, the evaluated ciphertexts can be expanded in the next hop. If a node leaves, we use a linear secret sharing scheme to handle it. A new parameter r is set as \( r = r(\lambda ,d) \). The variant based on linear secret sharing consists of the following 3 algorithms:

  • \( {\mathbf{SecSplit}}(N,i,sk_{i} ) \): On input a secret key \( sk_{i} \), parse \( sk_{i} = {\mathbf{t}}_{i} = \left[ {t_{i,1} ,t_{i,2} , \ldots ,t_{i,n} } \right] \in {\mathbf{\mathbb{Z}}}_{q}^{n} \). For \( j \in \left[ n \right] \), compute the sharing of \( t_{i,j} \) as follows:

    1. Sample 2 vectors \( {\mathbf{x}}_{j} = [x_{j,1} , \ldots ,x_{j,i - 1} ,x_{j,i + 1} , \ldots ,x_{j,N} ]\mathop \leftarrow \limits^{\$ } {\mathbf{\mathbb{Z}}}_{q}^{N - 1} \) and \( {\mathbf{k}}_{j} = [k_{j,1} , \ldots ,k_{j,N - 2} ]\mathop \leftarrow \limits^{\$ } {\mathbf{\mathbb{Z}}}_{q}^{N - 2} \) such that for all \( k_{1} \ne k_{2} \in [N]\backslash \{ i\} \), \( \left| {x_{{j,k_{1} }} - x_{{j,k_{2} }} } \right| \ge r \).

    2. Compute the vector \( {\mathbf{y}}_{j} \in {\mathbf{\mathbb{Z}}}_{q}^{N - 1} \) as follows:

    $$ \begin{aligned} {\mathbf{y}}_{j} = & [(1^{N - 1} )^{T} ,{\mathbf{x}}_{j}^{T} ,({\mathbf{x}}_{j}^{2} )^{T} , \ldots ,({\mathbf{x}}_{j}^{N - 2} )^{T} ] \cdot \left[ {\begin{array}{*{20}c} {t_{i,j} } \\ {{\mathbf{k}}_{j}^{T} } \\ \end{array} } \right] \\ \, = & [y_{j,1} , \ldots ,y_{j,N - 1} ] \in {\mathbf{\mathbb{Z}}}_{q}^{N - 1} \\ \end{aligned} $$

    and the sharing is output as follows:

    $$ \left[ {\begin{array}{*{20}c} {(x_{1,1} ,y_{1,1} )} & \cdots & \cdots & {(x_{n,1} ,y_{n,1} )} \\ \vdots & \ddots & {} & \vdots \\ \vdots & {} & \ddots & \vdots \\ {(x_{1,N} ,y_{1,N} )} & \cdots & \cdots & {(x_{n,N} ,y_{n,N} )} \\ \end{array} } \right] $$

    The tuples in the same row are the sharing received by the same party, and the tuples in the same column are the sharing split from the same value.

  • \( {\mathbf{SharPartDec}}((x_{i,j} ,y_{i,j} ),\hat{c},i,k,N) \): On input a sharing tuple \( (x_{i,j} ,y_{i,j} ) \), the expanded ciphertext \( \hat{c} = {\hat{\mathbf{C}}} \in {\mathbf{\mathbb{Z}}}_{q}^{nN \times mN} \), the index \( k \) of the secret key \( {\mathbf{t}}_{k} \) and the index \( i \) of the i-th component scalar \( t_{k,i} \), execute the following steps:

    1. Parse \( {\hat{\mathbf{C}}} \) as consisting of \( n \times N \) vectors \( {\hat{\mathbf{c}}}^{(i)} \in {\mathbf{\mathbb{Z}}}_{q}^{mN} \) such that \( {\hat{\mathbf{C}}} = \left[ {\begin{array}{*{20}c} {{\hat{\mathbf{c}}}^{(1)} } \\ \vdots \\ {{\hat{\mathbf{c}}}^{(nN)} } \\ \end{array} } \right] \).

    2. Define \( {\hat{\mathbf{w}}} \in {\mathbf{\mathbb{Z}}}_{q}^{nN} \) as \( {\hat{\mathbf{w}}} = \left[ {0, \ldots ,0,\left\lceil {{q \mathord{\left/ {\vphantom {q 2}} \right. \kern-0pt} 2}} \right\rceil } \right] \).

    3. Then compute the partial sharing decryption \( (\upsilon_{i,j} ,\tau_{i,j} ) \) as follows:

    $$ \upsilon_{i,j} = x_{i,j} {\hat{\mathbf{c}}}^{(kn + i)} {\hat{\mathbf{G}}}^{ - 1} ({\hat{\mathbf{w}}}) + e_{i}^{smx} \in {\mathbf{\mathbb{Z}}}_{q} $$
    $$ \tau_{i,j} = y_{i,j} {\hat{\mathbf{c}}}^{(kn + i)} {\hat{\mathbf{G}}}^{ - 1} ({\hat{\mathbf{w}}}) + e_{i}^{smy} \in {\mathbf{\mathbb{Z}}}_{q} $$

    where \( e_{i}^{smx} ,e_{i}^{smy} \mathop \leftarrow \limits^{\$ } \left[ { - B_{smdg}^{vdec} ,B_{smdg}^{vdec} } \right] \) are random noises and \( B_{smdg}^{vdec} = 2^{d\lambda \,\log \,\lambda } \).

  • \( {\mathbf{SharFinDec}}((\upsilon_{i,j} ,\tau_{i,j} )_{{i \in [n],j \in [N]\backslash \{ k\} }} ) \): Given all the partial sharing decryptions \( (\upsilon_{i,j} ,\tau_{i,j} )_{{i \in [n],j \in [N]\backslash \{ k\} }} \), compute the variant partial decryption as follows:

    $$ p_{k}^{\prime } = \sum\limits_{i = 1}^{n} {\sum\nolimits_{\begin{subarray}{l} j = 1 \\ j \ne k \end{subarray} }^{N} {\tau_{i,j} \prod\limits_{\begin{subarray}{l} h = 1 \\ h \ne j \\ h \ne k \end{subarray} }^{N} {\upsilon_{i,h} /(\upsilon_{i,h} - \upsilon_{i,j} )} } } $$

    and then output \( p_{k}^{\prime } \).

3.2 Correctness and Simulation Security

Now we verify the correctness and security of our partial sharing decryption.

Theorem 3.1.

The above variant procedures of threshold decryption for MFHE satisfy correctness and simulation security.

Correctness.

Here the entire scheme is the same as MFHE except for the variant of threshold decryption based on linear secret sharing. If \( (\upsilon_{i,h} ,\tau_{i,h} ) \) and \( (\upsilon_{i,j} ,\tau_{i,j} ) \) are the partial sharing decryptions of a secret key \( {\mathbf{t}}_{k} \), then we have

$$ \begin{aligned} \frac{{\upsilon_{i,h} }}{{\upsilon_{i,h} - \upsilon_{i,j} }} = & \frac{{x_{i,h} {\hat{\mathbf{c}}}^{(kn + i)} {\hat{\mathbf{G}}}^{ - 1} ({\hat{\mathbf{w}}}) + e_{h} }}{{(x_{i,h} - x_{i,j} ){\hat{\mathbf{c}}}^{(kn + i)} {\hat{\mathbf{G}}}^{ - 1} ({\hat{\mathbf{w}}}) + (e_{h} - e_{j} )}} \\ \, = & \frac{{x_{i,h} }}{{x_{i,h} - x_{i,j} }} \cdot \frac{{{\hat{\mathbf{c}}}^{(kn + i)} {\hat{\mathbf{G}}}^{ - 1} ({\hat{\mathbf{w}}}) + e^{\prime } }}{{{\hat{\mathbf{c}}}^{(kn + i)} {\hat{\mathbf{G}}}^{ - 1} ({\hat{\mathbf{w}}}) + e^{\prime \prime } }} \\ \end{aligned} $$

where \( e^{\prime } = e_{h} /x_{i,h} (x_{i,h} - x_{i,j} ) \), \( e^{\prime \prime } = (e_{h} - e_{j} )/(x_{i,h} - x_{i,j} ) \). The equation can be generalized into the following form:

$$ \begin{array}{*{20}l} {\sum\limits_{i = 1}^{n} {\sum\nolimits_{j = 1}^{N} {\tau_{i,j} \prod\limits_{\begin{subarray}{l} h = 1 \\ h \ne j \\ h \ne k \end{subarray} }^{N} {\upsilon_{i,h} /(\upsilon_{i,h} - \upsilon_{i,j} )} } } } \hfill \\ { = \sum\limits_{i = 1}^{n} {\frac{{({\mathbf{\hat{c}\hat{G}}}^{ - 1} ({\hat{\mathbf{w}}}) + e^{{\prime }} )^{N - 1} }}{{({\mathbf{\hat{c}\hat{G}}}^{ - 1} ({\hat{\mathbf{w}}}) + e^{{\prime \prime }} )^{N - 2} }} \cdot t_{k,i} } } \hfill \\ { = (\frac{{{\mathbf{\hat{c}\hat{G}}}^{ - 1} ({\hat{\mathbf{w}}}) + e^{{\prime }} }}{{{\mathbf{\hat{c}\hat{G}}}^{ - 1} ({\hat{\mathbf{w}}}) + e^{{\prime \prime }} }})^{N - 2} ({\mathbf{t}}_{k} {\hat{\mathbf{C}}}^{(k)} {\hat{\mathbf{G}}}^{ - 1} ({\hat{\mathbf{w}}}) + {\mathbf{t}}_{k} {\mathbf{e}}^{{\prime }} )} \hfill \\ \end{array} $$

where \( {\hat{\mathbf{c}}} \) is a row vector of \( {\hat{\mathbf{C}}} \). It is easy to see that \( {\mathbf{\hat{c}\hat{G}}}^{ - 1} ({\hat{\mathbf{w}}}) \) is much larger than \( e^{{\prime }} \) and \( e^{{\prime \prime }} \), and the value of \( (\frac{{{\mathbf{\hat{c}\hat{G}}}^{ - 1} ({\hat{\mathbf{w}}})\, + \,e^{{\prime }} }}{{{\mathbf{\hat{c}\hat{G}}}^{ - 1} ({\hat{\mathbf{w}}})\, + \,e^{{\prime \prime }} }})^{N - 2} \) is very close to 1. So the correctness is primarily determined by \( {\mathbf{t}}_{k} {\hat{\mathbf{C}}}^{(k)} {\hat{\mathbf{G}}}^{ - 1} ({\hat{\mathbf{w}}}) + {\mathbf{t}}_{k} {\mathbf{e}}^{{\prime }} \).

If \( {\hat{\mathbf{C}}} \) is an evaluated ciphertext encrypting a bit \( \mu \) and the secret key is \( {\hat{\mathbf{t}}} = [{\mathbf{t}}_{1} , \ldots ,{\mathbf{t}}_{N} ] \), then we have \( {\mathbf{\hat{t}\hat{C}\hat{G}}}^{ - 1} ({\hat{\mathbf{w}}}^{T} ) = \mu (q/2) + e \). Now, one can observe that decryption without threshold decryption works correctly as long as \( \left\| e \right\|_{\infty } \le q/4 \).

If threshold decryption with partial sharing decryption is executed, the final result must still be correctly decrypted by the function FinDec(…). So we take \( {\mathbf{t}}_{k} \)’s variant partial decryption together with the other partial decryptions as input, and we have

$$ \sum\nolimits_{i} {({\mathbf{t}}_{i} {\hat{\mathbf{C}}}^{(i)} {\hat{\mathbf{G}}}^{ - 1} ({\hat{\mathbf{w}}})) + {\mathbf{t}}_{k} {\mathbf{e}}^{\prime } } + e^{sm} = \mu (q/2) + e + {\mathbf{t}}_{k} {\mathbf{e}}^{\prime } + e^{sm} $$

Lemma 3.2.

Let \( {\hat{\mathbf{C}}} \) be the evaluated ciphertext of the above MFHE scheme and \( e \) be the decryption noise after a homomorphic evaluation of a d-level circuit \( \mathcal{C} \). The noise \( e \) has norm upper bound \( B_{\chi } 2^{O(d\,\log \,\lambda )} \).

Proof.

We refer the reader to [8] for details.

Lemma 3.3.

Let \( p \) be the final decryption of the above threshold decryption scheme generated by the function FinDec(…), and \( e^{sm} \) be the “smudging noise” of p. The noise \( e^{sm} \) has norm upper bound \( B_{\chi } 2^{O(d\lambda \,\log \,\lambda )} \).

Proof.

We refer the reader to [16] for details.

Lemma 3.4.

Let \( p_{k}^{\prime } \) be the final result of the above variant partial decryption scheme and \( {\mathbf{t}}_{k} {\mathbf{e}}^{\prime } \) be the “variant smudging” noise. The noise \( {\mathbf{t}}_{k} {\mathbf{e}}^{\prime } \) has norm upper bound \( B_{\chi } 2^{O(d\lambda \,\log \,\lambda )} \).

Proof.

Let \( {\mathbf{t}}_{i} {\mathbf{e}}^{\prime } \) be the “variant smudging” noise. Recall that \( {\mathbf{t}}_{i} = [ - {\mathbf{s}}_{i} ,1] \) with \( {\mathbf{s}}_{i} \leftarrow \chi^{n - 1} \), and \( {\mathbf{e}}^{\prime } = [e_{1}^{\prime } , \ldots ,e_{N}^{\prime } ] \). For any \( i \in [n] \), \( e_{i}^{\prime } \le \frac{{2^{d\lambda \,\log \,\lambda } }}{r} \). Therefore, we have \( {\mathbf{t}}_{i} {\mathbf{e}}^{\prime } \le \frac{{nB_{\chi } 2^{d\lambda \,\log \,\lambda } }}{r} = B_{\chi } 2^{O(d\lambda \,\log \,\lambda )} \).

So \( e \) has norm \( \left| e \right| \le B_{\chi } 2^{O(d\,\log \,\lambda )} \), \( {\mathbf{t}}_{i} {\mathbf{e}}^{\prime } \) has norm \( \left| {{\mathbf{t}}_{i} {\mathbf{e}}^{\prime } } \right| \le B_{\chi } 2^{O(d\lambda \,\log \,\lambda )} \) and \( e^{sm} \) has norm \( \left| {e^{sm} } \right| \le B_{\chi } 2^{O(d\lambda \,\log \,\lambda )} \). Since \( q = B_{\chi } 2^{\omega (d\lambda \,\log \,\lambda )} \), we have \( \left| {e + {\mathbf{t}}_{i} {\mathbf{e}}^{\prime } + e^{sm} } \right| \le q/4 \) and correctness holds.

Security.

We construct the simulator \( {\mathcal{S}^{vthr}} \) as below:

On input the sharing \( (x_{u,j} ,y_{u,j} )_{{u \in [n],j \in [N]\backslash \{ i,k\} }} \), an evaluated ciphertext \( \hat{c} \) and the secret key \( {\mathbf{t}}_{k} \) that generated the secret sharing \( (x_{u,j} ,y_{u,j} ) \), output the simulated partial sharing decryption by the following steps:

  1. Construct n matrices \( \{ {\mathbf{MX}}_{u} = [{\mathbf{x}}_{u} ,{\mathbf{x}}_{u}^{2} , \ldots ,{\mathbf{x}}_{u}^{N - 2} ] \in {\mathbf{\mathbb{Z}}}_{q}^{(N - 2) \times (N - 2)} \}_{u \in [n]} \) and n vectors \( \{ {\mathbf{Vy}}_{u} = [{\mathbf{y}}_{u} - {\mathbf{t}}_{k,u} ] \in {\mathbf{\mathbb{Z}}}_{q}^{N - 2} \}_{u \in [n]} \), where \( {\mathbf{x}}_{u} = [ \ldots ,x_{u,j} , \ldots ]_{{j \in [N]\backslash \{ i,k\} }}^{T} \in {\mathbf{\mathbb{Z}}}_{q}^{N - 2} \), \( {\mathbf{y}}_{u} = [ \ldots ,y_{u,j} , \ldots ]_{{j \in [N]\backslash \{ i,k\} }}^{T} \in {\mathbf{\mathbb{Z}}}_{q}^{N - 2} \) and \( {\mathbf{t}}_{k,u} = [t_{k,u} , \ldots ,t_{k,u} ]^{T} \in {\mathbf{\mathbb{Z}}}_{q}^{N - 2} \). Then compute n vectors \( \{ {\mathbf{k}}_{u} = ({\mathbf{MX}}_{u} )^{ - 1} \cdot {\mathbf{Vy}}_{u} \in {\mathbf{\mathbb{Z}}}_{q}^{N - 2} \}_{u \in [n]} \).

  2. Sample a vector \( {\mathbf{Sx}}_{i} = [x_{1,i}^{\prime } , \ldots ,x_{n,i}^{\prime } ]^{T} \mathop \leftarrow \limits^{\$ } {\mathbf{\mathbb{Z}}}_{q}^{n} \) and for each \( u \in [n] \) compute \( y_{u,i}^{\prime } = [1^{n} ,x_{u,i}^{\prime } ,(x_{u,i}^{\prime } )^{2} , \ldots ,(x_{u,i}^{\prime } )^{N - 2} ] \cdot \left[ {\begin{array}{*{20}c} {t_{k,u} } \\ {{\mathbf{k}}_{u} } \\ \end{array} } \right] \). Then \( {\mathbf{Sy}}_{i} = [y_{1,i}^{\prime } , \ldots ,y_{n,i}^{\prime } ]^{T} \).

  3. For each \( u \in [n] \) compute the u-th simulated partial sharing decryption:

$$ \upsilon_{u,i}^{\prime } = x_{u,i}^{\prime } {\hat{\mathbf{c}}}^{(kn + u)} {\hat{\mathbf{G}}}^{ - 1} ({\hat{\mathbf{w}}}) + e_{u}^{smx} \in {\mathbf{\mathbb{Z}}}_{q} ,\tau_{u,i}^{\prime } = y_{u,i}^{\prime } {\hat{\mathbf{c}}}^{(kn + u)} {\hat{\mathbf{G}}}^{ - 1} ({\hat{\mathbf{w}}}) + e_{u}^{smy} \in {\mathbf{\mathbb{Z}}}_{q} $$

where \( e_{u}^{smx} ,e_{u}^{smy} \mathop \leftarrow \limits^{\$ } \left[ { - B_{smdg}^{vdec} ,B_{smdg}^{vdec} } \right] \). Then output the simulated partial sharing decryption \( sp_{i}^{\prime } = \{ (\upsilon_{u,i}^{\prime } ,\tau_{u,i}^{\prime } )_{u \in [n]} \} \).

The real value \( sp_{i} \) and the simulated \( sp_{i}^{\prime } \) are almost statistically indistinguishable.

4 Data Aggregation Protocol in VANETs

In this section, we describe our secure aggregation protocol within a VANETs cluster, which runs in 3 rounds of communication. The following two procedures supplement the protocol of [16].

Increase.

When a new vehicle joins the cluster, the next-hop computation is executed among the N + 1 nodes after the final decryption of the last hop.

Decrease.

When a vehicle leaves the cluster, the original protocol changes in the 3rd round, which is supplemented with the variant partial decryption of the vehicle’s secret key.

4.1 Data Aggregation Protocol Against \( N - 1 \) Corruptions

Several processes are similar to the two-round MPC protocol in [16], so we do not dwell on them; we refer readers to [16] for details. We now describe the additional process. Let \( f:(\{ 0,1\}^{{\ell_{in} }} )^{N} \to \{ 0,1\}^{{\ell_{out} }} \) be the function to compute.

Round 1.

Each party \( P_{k} \) executes the key generation function of the MFHE scheme in [16], and then broadcasts the public key \( pk_{k} \).

Round 2.

Each party \( P_{k} \), on receiving the values \( \{ pk_{i} \}_{{i \in [N]\backslash \{ k\} }} \), executes the following steps:

  • Split the secret key: \( \{ s_{j} \}_{{j \in [N]\backslash \{ k\} }} \leftarrow {\text{SecSplit}}(N,k,sk_{k} ) \).

  • Encrypt the secret key sharing bit-by-bit with the MFHE encryption function, \( \{ cs_{i,g} \leftarrow {\text{Encrypt}}(pk_{i} ,s_{i} [g])\}_{{i \in [N]\backslash \{ k\} ,g \in [2n\left\lceil {{ \log }q} \right\rceil ]}} \), and then broadcast these ciphertexts.

Round 3.

On receiving the values \( \{ cs_{k,g} \}_{{g \in [2n\left\lceil {\log q} \right\rceil ]}} \), if all vehicles are still in the cluster, the final decryption is executed as in [16]. If the vehicle \( P_{s} \) has left the cluster, the following steps are executed:

  1. Each \( P_{k} \) decrypts the sharing ciphertexts \( \{ cs_{k,g} \}_{{g \in [2n\left\lceil {\log q} \right\rceil ]}} \) of the secret key \( sk_{s} \) that were encrypted under \( pk_{k} \), and reconstructs \( s_{k} \).

  2. Each \( P_{k} \) computes the partial decryption \( p_{k}^{(j)} \leftarrow {\text{PartDec}}(\hat{c}_{j} ,k,sk_{k} ) \) and the variant partial decryption \( (\tau_{k}^{(j)} ,\upsilon_{k}^{(j)} ) \leftarrow {\text{SharPartDec}}(s_{k} ,\hat{c}_{j} ,k,N) \) of \( P_{s} \) for all \( j \in [\ell_{out} ] \).

  3. Then \( P_{k} \) broadcasts all the above values \( \{ p_{k}^{(j)} ,\upsilon_{k}^{(j)} ,\tau_{k}^{(j)} \}_{{j \in [\ell_{out} ]}} \).

Output.

  1. On receiving the values \( \{ p_{k}^{(j)} \}_{{j \in [\ell_{out} ]}} \), run the final decryption to obtain the j-th bit \( \{ y_{j} \leftarrow {\text{FinDec}}(p_{1}^{(j)} , \ldots ,p_{N}^{(j)} )\}_{{j \in [\ell_{out} ]}} \) and then output \( y = y_{1} \cdots y_{{\ell_{out} }} \).

  2. On receiving the values \( \{ p_{i}^{(j)} ,\upsilon_{i}^{(j)} ,\tau_{i}^{(j)} \}_{{j \in [\ell_{out} ],i \in [N]\backslash \{ s\} }} \), run the partial sharing decryption to obtain \( \{ p_{s}^{(j)\prime } \leftarrow {\text{SharFinDec}}(\{ \upsilon_{i}^{(j)} ,\tau_{i}^{(j)} \}_{{i \in [N]\backslash \{ s\} }} )\}_{{j \in [\ell_{out} ]}} \) and then run the final decryption to obtain \( \{ y_{j} \leftarrow {\text{FinDec}}(p_{1}^{(j)} , \ldots ,p_{s}^{(j)\prime } , \ldots ,p_{N}^{(j)} )\}_{{j \in [\ell_{out} ]}} \). Then output \( y = y_{1} \cdots y_{{\ell_{out} }} \).
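As an added worked example (not code from the paper), the following Python script runs the SecSplit, SharPartDec and SharFinDec procedures of Sect. 3.1 and the round-3/Output steps above for a cluster in which one vehicle has left. It abstracts the GSW ciphertext to one vector per party and sets all smudging noises to zero so that the modular Lagrange ratios are exact; `toy_ciphertext`, `run_round3` and the parameter values are constructions of this example, not the paper’s.

```python
"""Variant threshold decryption (Sect. 3.1) with exact arithmetic in Z_q.
Abstraction (assumption of this demo): for party i only the vector
cvec[i] = C^(i) G^{-1}(w) in Z_q^n is kept, so PartDec is t_i . cvec[i],
and the smudging noises e^sm, e^smx, e^smy are set to zero."""
import random

Q = 2**31 - 1   # prime modulus chosen for the toy example (assumption)
N_DIM = 4       # secret-key dimension n
N_PARTIES = 5   # cluster size N
R = 1000        # minimum spacing r between evaluation points (Sect. 3.1)
rng = random.Random(2024)

def keygen():
    """t_i = [-s_i, 1] with small s_i, as recalled in the proof of Lemma 3.4."""
    s = [rng.randint(-3, 3) for _ in range(N_DIM - 1)]
    return [(-x) % Q for x in s] + [1]

def sec_split(n_parties, i, sk):
    """SecSplit(N, i, sk_i): share each component t_{i,j} among the N-1 other
    parties via a random degree-(N-2) polynomial with constant term t_{i,j}.
    Returns {party: [(x, y) per component]}, one row of the share matrix each."""
    others = [p for p in range(n_parties) if p != i]
    shares = {p: [] for p in others}
    for t in sk:
        xs = []                                  # pairwise distance >= R, nonzero
        while len(xs) < n_parties - 1:
            cand = rng.randrange(R, Q - R)
            if all(abs(cand - x) >= R for x in xs):
                xs.append(cand)
        coeffs = [t] + [rng.randrange(Q) for _ in range(n_parties - 2)]  # [t; k_j]
        for p, x in zip(others, xs):
            y = sum(c * pow(x, e, Q) for e, c in enumerate(coeffs)) % Q
            shares[p].append((x, y))
    return shares

def part_dec(sk, cvec):
    """PartDec without smudging noise: gamma_i = t_i . (C^(i) G^{-1}(w))."""
    return sum(t * c for t, c in zip(sk, cvec)) % Q

def shar_part_dec(row, cvec):
    """SharPartDec for one party: (v, tau) = (x * c, y * c) per component."""
    return [((x * c) % Q, (y * c) % Q) for (x, y), c in zip(row, cvec)]

def shar_fin_dec(partials):
    """SharFinDec: the double sum of Sect. 3.1, i.e. Lagrange interpolation at 0
    on the scaled points (v_h / (v_h - v_j) = x_h / (x_h - x_j)), summed over i."""
    parties = list(partials)
    total = 0
    for i in range(N_DIM):
        for j in parties:
            v_j, tau_j = partials[j][i]
            lag = 1
            for h in parties:
                if h != j:
                    v_h = partials[h][i][0]
                    lag = lag * v_h * pow((v_h - v_j) % Q, -1, Q) % Q
            total = (total + tau_j * lag) % Q
    return total

def fin_dec(ps):
    """FinDec: sum the partial decryptions and round to a bit."""
    p = sum(ps) % Q
    if p > Q // 2:
        p -= Q                        # centred representative in (-q/2, q/2]
    return abs(round(p / (Q / 2)))

def toy_ciphertext(sks, mu, e):
    """Constructed stand-in for an evaluated ciphertext: random cvec per party,
    with one entry fixed so that sum_i t_i . cvec[i] = mu * ceil(q/2) + e,
    the relation t C G^{-1}(w) = mu(q/2) + e used in Sect. 3.2."""
    cvec = [[rng.randrange(Q) for _ in range(N_DIM)] for _ in range(N_PARTIES)]
    cvec[-1][-1] = 0                  # t_{N,n} = 1, so this entry adds directly
    current = sum(part_dec(sk, cv) for sk, cv in zip(sks, cvec)) % Q
    cvec[-1][-1] = (mu * ((Q + 1) // 2) + e - current) % Q
    return cvec

def run_round3(mu, leaving=2, e=5):
    """Round 3 / Output of Sect. 4.1 when P_s (index `leaving`) has left.
    Returns (decrypted bit, whether SharFinDec reproduced P_s's own PartDec)."""
    sks = [keygen() for _ in range(N_PARTIES)]
    cvec = toy_ciphertext(sks, mu, e)
    shares = sec_split(N_PARTIES, leaving, sks[leaving])   # done by P_s in round 2
    ps = [part_dec(sks[k], cvec[k]) for k in range(N_PARTIES) if k != leaving]
    partials = {k: shar_part_dec(shares[k], cvec[leaving]) for k in shares}
    p_s = shar_fin_dec(partials)     # variant partial decryption p'_s of P_s
    return fin_dec(ps + [p_s]), p_s == part_dec(sks[leaving], cvec[leaving])

if __name__ == "__main__":
    for bit in (0, 1):
        print(bit, run_round3(bit))   # (bit, True) for both
```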

4.2 Correctness and Security Analysis

Formally we prove the following theorem.

Theorem 4.1.

Let \( f \) be a poly-time computable deterministic function with N inputs and 1 output. Let the scheme MFHE = (Setup, KeyGen, Encrypt, Expand, Eval, PartDec, FinDec, SecSplit, SharPartDec, SharFinDec) be a multi-key FHE scheme with variant threshold decryption. Then the protocol described in Sect. 4.1 UC-realizes the function \( f \) against any semi-honest adversary corrupting exactly N − 1 vehicles in a cluster.

Proof.

The correctness of the protocol follows in a straightforward way from the correctness of the underlying variant threshold MFHE scheme.

To prove security we construct an efficient (PPT) simulator \( \mathcal{S} \) for any adversary corrupting exactly N − 1 parties. Let \( \mathcal{A} \) be a semi-honest adversary, \( P_{h} \) the only honest party and \( P_{s} \) the vehicle that left the cluster.

The Simulator.

In round 2, the simulator encrypts zeros as the simulated sharing encryption \( \{ cs_{k,g}^{\prime } \}_{{g \in [2n\left\lceil {\log q} \right\rceil ]}} \) instead of the real ones. In round 3, it computes the simulated variant partial decryption \( s{p_i}^\prime \leftarrow {\mathcal{S}^{vthr}}(s{k_s},\hat c,i,{({s_j})_{j \in [N]\backslash \{ s,h\} }}) \) instead of the correctly computed values generated via SharPartDec(…).

Hybrid Games.

We now define a series of hybrid games that will be used to prove the indistinguishability of the real and ideal worlds:

The output of each game is always just the output of the environment.

The game :

This is exactly an execution of the protocol \( \pi \) in the real world with the environment and the semi-honest adversary \( \mathcal{A} \).

The game :

In this game, we modify the real-world experiment as follows. Assume that \( P_{h} \) is given the simulated sharing encryption \( \{ cs_{k,g}^{\prime } \}_{{g \in [2n\left\lceil {\log q} \right\rceil ]}} \) after round 2. In the 3rd round, instead of broadcasting correctly generated sharing encryptions \( \{ cs_{k,g} \}_{{g \in [2n\left\lceil {\log q} \right\rceil ]}} \), it broadcasts the simulated ones.

The game :

In this game, we modify the previous game as follows. Assume that \( P_{h} \) is given all the sharing \( \{ s_{j} \}_{{j \in [N]\backslash \{ s,h\} }} \) of the secret key \( {\mathbf{t}}_{s} \) after round 2. In the 3rd round, instead of broadcasting a correctly generated variant partial decryption \( sp_{i} \) via SharPartDec(…), it broadcasts the simulated one \( s{p_i}^\prime \leftarrow {\mathcal{S}^{vthr}}(s{k_s},\hat c,i,{\{ {s_j}\}_{j \in [N]\backslash \{ s,h\} }}) \).

Claim 4.2.

Proof.

The only change between these experiments is in the generation of party \( P_{h} \)’s encryptions. We have the following lemma:

Lemma 4.3.

The MFHE scheme described in Sect. 3.1 satisfies semantic security.

The semantic security of the above MFHE scheme has been proved in detail in [8]; we refer the reader there for details. So the encryptions are also computationally indistinguishable.

Claim 4.4.

Proof.

The only change between these experiments is that the variant partial decryption of party \( P_{h} \) is generated by the simulator \( {\mathcal{S}^{vthr}} \) instead of correctly via SharPartDec(…). By simulation security the variant partial decryptions are statistically indistinguishable, hence so are the experiments.

This concludes the proof of the theorem.

4.3 Complexity Analysis

In this section, we analyze the communication and computational complexity of our protocol. For simplicity, we take the vehicle \( P_{h} \) as the example for the analysis.

In round 1, the public keys are generated and broadcast in the cluster, so for fixed parameters the communication complexity is \( \omega (d^{2} \,\lambda^{2} \,(\log \,\lambda )^{2} ) \). In round 2, it is \( \omega (\ell_{in} d^{2} \,\lambda^{2} \,(\log \,\lambda )^{2} ) + \omega (d^{3} \,\lambda^{3} \,(\log \,\lambda )^{3} ) \). In round 3, it is \( \omega \,(\ell_{out} d\,\lambda \,(\log \,\lambda )) \). As described above, the total communication complexity is

$$ \omega (\ell_{in} d^{4} \,\lambda^{4} \,(\log \,\lambda )^{4} ) + \omega (d^{5} \,\lambda^{5} \,(\log \,\lambda )^{5} ). $$

In the execution of the entire protocol, the function Encrypt(…) is invoked \( \ell_{in} + 2n(N - 1)\log \,q \) times, and each invocation performs \( nm^{4} \) multiplications. So the computational complexity is

$$ \omega (\ell_{in} d^{4} \,\lambda^{4} \,(\log \,\lambda )^{4} ) + \omega (d^{5} \,\lambda^{5} \,(\log \,\lambda )^{5} ). $$

We list the differences in complexity between our scheme and some related schemes in Table 1. Compared with the previous scheme.

Table 1. Complexity comparison.

5 Conclusion

The main contribution of this paper is a data aggregation protocol based on MFHE in VANETs. To adapt existing schemes to the new situation, a novel protocol based on MFHE is proposed. The main conclusions are as follows:

Considering the dynamic structure of the vehicle cluster, with the variant partial decryption we can realize data aggregation in this more complex situation, and multi-hop evaluation can be performed in this environment. On the other hand, because many cryptographic primitives and matrix operations are invoked, the performance of the proposed scheme is much lower than that of the previous one. This will be the focus of our future research.