| CPC H04L 9/085 (2013.01) [H04L 2209/46 (2013.01)] | 25 Claims |

|
1. A computer-implemented method, carried out between a plurality of D dealer nodes and N computing nodes, for use in calculating the result of an arithmetic function ƒ which can be expressed as the addition of A groups of multiplications of a set S of private input secrets $\{s_0, s_1, \ldots, s_{S-1}\}$ such that:
![]() where each group of multiplications $m_a$, $a \in \{0, 1, \ldots, A-1\}$ is the product of $M_a$ secrets of said set S of private input secrets:
![]() and the subindices $i_{a,m}$ for $a \in \{0, 1, \ldots, A-1\}$, $m \in \{0, 1, \ldots, M_a-1\}$ identify private input secrets from the set of S secrets, and where the S secrets are selected from integers, real numbers or complex numbers, and each secret $s_{i_{a,m}}$ is known to one of said dealer nodes, wherein the method comprises:
(a) providing each computing node n, $n \in \{0, 1, \ldots, N-1\}$, with a respective set of shares $[\alpha_{a,0}]_n, [\alpha_{a,1}]_n, \ldots, [\alpha_{a,L-1}]_n$, for every addition $a \in \{0, \ldots, A-1\}$ where L is a number chosen such that $L > M_a$, $\forall a \in \{0, 1, \ldots, A-1\}$ and $L > D$, and such that:
(i) the set of all the l-th shares $[\alpha_{a,l}]_n$, $l \in \{0, \ldots, L-1\}$, from the N computing nodes together represent shares of a degree-T polynomial that hide a respective secret exponent blinding factor $\alpha_{a,l}$ at a certain abscissa such as x=0, with N≥T+1; and
(ii) the set of exponent blinding factors $\alpha_{a,0}, \alpha_{a,1}, \ldots, \alpha_{a,L-1}$ for a given addition a are all elements of the multiplicative group $(\mathbb{Z}/p\mathbb{Z})^\times$ of integers modulo a prime number p;
(b) providing each computing node n, $n \in \{0, 1, \ldots, N-1\}$, with a respective set of shares $[\rho^{-\lambda_a}]_n$, where:
(i) ρ is a public generator from the multiplicative group $(\mathbb{Z}/p\mathbb{Z})^\times$ of integers modulo p;
(ii) $\lambda_a$ is a secret exponent which satisfies
![]() (iii) the set of all the shares $[\rho^{-\lambda_a}]_n$ from the N computing nodes together represent shares of a degree-T polynomial that hide the secret value $\rho^{-\lambda}$ at a certain abscissa such as x=0;
(c) for each addition a comprising $M_a$ multiplications, providing each of the computing nodes with the same partition sets $P_{a,0}, P_{a,1}, P_{a,M_a-1}$ of the indexing set $\{0, 1, \ldots, L-1\}$ such that all partition sets are disjoint and non-empty;
(d) each computing node computing, for each addition a, a set of shares $[\lambda_{a,0}]_n, [\lambda_{a,1}]_n, \ldots, [\lambda_{a,M_a-1}]_n$ according to:
![]() for $m \in \{0, \ldots, M_a-1\}$, wherein for a given addition a and multiplication m the set of the shares $[\lambda_{a,m}]_n$ for $n \in \{0, 1, \ldots, N-1\}$ together represent shares of a degree-T polynomial that hide the secret dealer blinding factor $\lambda_{a,m}$ at a certain abscissa such as x=0;
(e) each computing node n sending the respective share $[\lambda_{a,m}]_n$ for $a \in \{0, 1, \ldots, A-1\}$, $m \in \{0, 1, \ldots, M_a-1\}$, to the respective dealer node contributing the secret $s_{i_{a,m}}$ to the computation;
(f) each dealer node reconstructing, for each secret $s_{i_{a,m}}$ which it contributes to the computation, the corresponding dealer blinding factor $\lambda_{a,m}$;
(g) each dealer node sending, for each secret $s_{i_{a,m}}$ which it contributes to the computation, a particle $v_{a,m}$ to each of the computing nodes wherein:
$v_{a,m} = s_{i_{a,m}} \cdot \rho^{\lambda_{a,m}}$
(h) each computing node calculating, for each addition $a \in \{0, 1, \ldots, A-1\}$, a share $[r_a]_n$ from a degree-T polynomial $r_a(x)$ where:
![]() (i) each computing node calculating a result share $[r]_n$ from a degree-T polynomial $r(x)$ where:
![]() (j) each computing node sending to one or more result node(s) their result share $[r]_n$ whereby the result node(s) may reconstruct the evaluation $r(0)$ of polynomial $r(x)$ from the received result shares $[r]_n$, said evaluation $r(0)$ being equal to the result of said arithmetic function ƒ.
|
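A toy run of steps (a) to (j), added here as an illustration and not taken from the patent, showing how the dealer blinding factors cancel in the reconstructed result. The claim's formula images are missing from this page, so the relations used are assumptions: λ_a is the sum of the α_{a,l}, each [λ_{a,m}]_n is the sum of [α_{a,l}]_n over l in P_{a,m}, [r_a]_n = [ρ^{-λ_a}]_n · Π_m v_{a,m}, and [r]_n = Σ_a [r_a]_n. It further assumes a safe prime p = 2q+1 with exponents shared modulo q, ρ of order q, and secrets taken as integers modulo p; all names and parameters are hypothetical.

```python
import random

Q = 1019            # toy prime; exponent shares live in Z_Q (assumption)
P = 2 * Q + 1       # 2039, a safe prime; value shares live in Z_P
RHO = 4             # public element of order Q in (Z/PZ)^x (assumed choice)
N, T = 5, 2         # computing nodes and polynomial degree, N >= T+1

def share(secret, mod):
    """Degree-T Shamir shares of `secret`, one per node at x = 1..N."""
    coeffs = [secret % mod] + [random.randrange(mod) for _ in range(T)]
    return [sum(c * pow(x, k, mod) for k, c in enumerate(coeffs)) % mod
            for x in range(1, N + 1)]

def reconstruct(points, mod):
    """Lagrange interpolation at abscissa x = 0 from (x, y) pairs."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * -xj % mod
                den = den * (xi - xj) % mod
        total = (total + yi * num * pow(den, -1, mod)) % mod
    return total

def run(groups, L=4):
    """groups: A lists of secrets; returns sum of their products mod P."""
    result_shares = [0] * N
    for secrets in groups:
        M = len(secrets)
        assert L > M                                        # condition in (a)
        alphas = [random.randrange(1, Q) for _ in range(L)]
        alpha_sh = [share(a, Q) for a in alphas]            # step (a)
        lam = sum(alphas) % Q                               # assumed lambda_a
        inv_sh = share(pow(RHO, -lam, P), P)                # step (b)
        # step (c): M disjoint, non-empty sets covering {0..L-1}
        parts = [[m] for m in range(M - 1)] + [list(range(M - 1, L))]
        prod = 1
        for secret, part in zip(secrets, parts):
            lam_sh = [sum(alpha_sh[l][n] for l in part) % Q
                      for n in range(N)]                    # step (d)
            picks = random.sample(range(N), T + 1)          # any T+1 shares
            lam_m = reconstruct([(n + 1, lam_sh[n]) for n in picks], Q)  # (e),(f)
            v = secret * pow(RHO, lam_m, P) % P             # particle, step (g)
            prod = prod * v % P
        for n in range(N):                                  # steps (h), (i)
            result_shares[n] = (result_shares[n] + inv_sh[n] * prod) % P
    return reconstruct([(n + 1, result_shares[n]) for n in range(T + 1)], P)  # (j)
```

The computing nodes only ever see blinded particles and shares; the result is correct only modulo P, so inputs must be small enough that the true value does not wrap.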