Efﬁcient Joint Random Number Generation for Secure Multi-party

Computation

Erwin Hoogerwerf

, Daphne van Tetering

, Aslı Bay

and Zekeriya Erkin

1,3

Cyber Security Group, Delft University of Technology, The Netherlands

Department of Computer Engineering, Antalya Bilim University, Antalya, Turkey

Digital Security Group, Radboud University Nijmegen, The Netherlands

Keywords:

Joint Random Number Generation, Secure Multi-party Computation, Data Aggregation.

Abstract:

Large availability of smart devices and an increased number of online activities result in extensive personalized

or customized services in many domains. However, the data these services mostly rely on are highly privacy-

sensitive, as in pace-makers. In the last decades, many privacy breaches have increased privacy awareness,

leading to stricter regulations on data processing. To comply with this legislation, proper privacy preserva-

tion mechanisms are required. One of the technological solutions, which is also provably secure, is Secure

Multi-Party Computation (SMPC) that can compute any function with secret inputs. Mainly, in several SMPC

solutions, such as data aggregation, we observe that secret values distributed among parties are masked with

random numbers, encrypted and combined to yield the desired outcome. To ensure correct decryption of the

ﬁnal result, it is required that these numbers sum to a publicly known value, for instance, zero. Despite its

importance, many of the corresponding works omit how to obtain such random numbers jointly or suggest

procedures with high computational and communication overhead. This paper proposes two novel protocols

for Joint Random Number Generation with very low computational and communication overhead. Our pro-

tocols are stand-alone and not embedded in others, and can therefore be used in data aggregation and other

applications, for instance, machine learning algorithms, that require such random numbers. We ﬁrst propose

a protocol that relies on bit-wise sharing of individually generated random numbers, allowing parties to adapt

random numbers to yield a public sum. Second, we propose a protocol that uses the sign function to generate

a random number from broadcast numbers. We provide security and complexity analyses of our protocols.

1 INTRODUCTION

Recent developments in machine learning and data

analytics have allowed more and more customized

personalized online services, thanks to the availability

of vast numbers and types of data collected all around

us. On the one hand, the data collected can be used

to improve machine learning algorithms and provide

users with personalized services such as news noti-

ﬁcations or product recommendations. On the other

hand, data collection raises serious privacy concerns

since often sensitive data is included (Jiang et al.,

2019; Zhao et al., 2019). Over the last years, we have

witnessed numerous privacy breaches (Privacy Inter-

national, 2020), damaging individuals and also busi-

nesses. These privacy breaches have led to increased

privacy awareness, not only among users but also in

the political arena, resulting in stricter laws on data

processing such as the General Data Protection Regu-

lation in Europe and the Personal Data Protection Act

in Singapore (European Parliament and Council of

European Union, 2016; Singapore Parliament, 2014).

To comply with legislation, proper privacy preserva-

tion mechanisms are required. Among many other

technological solutions, Secure Multi-Party Compu-

tation (SMPC) techniques attract more attention from

academia and business as it provides provable secu-

rity in different adversarial models.

Firstly introduced by Yao, SMPC protocols are

designed to evaluate a function using secret inputs

distributed among different parties, thereby yielding

a public result (Yao, 1982). Secure Multi-Party Com-

putation is used to perform, among others, data clus-

tering (Erkin et al., 2013), homomorphic encryp-

tion (Lyu, 2020) and data aggregation (Erkin and

Tsudik, 2012). In this paper, we focus on a particular

computation, namely Joint Random Number Genera-

tion (JRNG), which is notably used a lot in privacy-

436

Hoogerwerf, E., van Tetering, D., Bay, A. and Erkin, Z.

Efﬁcient Joint Random Number Generation for Secure Multi-party Computation.

DOI: 10.5220/0010534804360443

In Proceedings of the 18th International Conference on Security and Cryptography (SECRYPT 2021), pages 436-443

ISBN: 978-989-758-524-1

preserving data aggregation protocols. In smart me-

ter settings, for example, individual measurements are

sent to a data aggregator, responsible for computing

aggregate statistics such as sum or average. Previous

research has shown that these measurements, when

obtained by adversaries in an attack on data conﬁ-

dentiality, can be used to infer patterns revealing cus-

tomer behaviour (Wang and Lu, 2013). To prevent

such eavesdropping attacks from happening, smart

meters are required to encrypt their measurements be-

fore sharing these with the aggregator. However, en-

cryption is not sufﬁcient to prevent malicious aggre-

gators from inferring additional knowledge (Kursawe

et al., 2011). One way to achieve this and protect

against malicious aggregators is by requiring all me-

ters to mask their measurements with random num-

bers. Jointly generating these among all participants

in the protocol ensures they sum to a publicly known

value, thereby guaranteeing the ﬁnal result’s correct

decryption. Therefore, Joint Random Number Gener-

ation can be considered an important step in privacy-

preserving data aggregation protocols.

Remarkably, most research on privacy-preserving

data aggregation omits how to obtain such numbers

and assumes their existence. For example, Shi et

al. assume that all keys during the setup of the pri-

vate stream aggregation algorithm sum to zero (Shi

et al., 2011; Shi et al., 2015). Lu et al. assume the

same in their homomorphic encryption protocol (Lu

et al., 2017). Moreover, several studies that do fo-

cus on JRNG have high computational and communi-

cation overhead. For example, Erkin and Tsudik as-

sume a fully connected network is available, allowing

each party to exchange random values with all others

(Erkin and Tsudik, 2012). With large networks, this

approach becomes infeasible. A similar approach by

Kursawe et al. uses the notion of leaders, who are re-

quired to compute their random values such that all

values together sum to zero (Kursawe et al., 2011).

This reduces the complexity for all other nodes in the

network since these only communicate with the set

of leaders. However, the complexity of leader nodes

remains the same as in (Erkin and Tsudik, 2012).

This paper presents two novel protocols to per-

form Joint Random Number Generation with minimal

computational and communication overhead. The

ﬁrst protocol relies on bit-wise sharing of individu-

ally generated random numbers. By doing so, for

each round, the information leaked to an adversary

is minimized to only one bit per participant. The

second protocol uses a single broadcast and is based

on Difﬁe-Hellman key exchange (Merkle, 1978). We

also present a version of the broadcast-based proto-

col that has reduced complexity. Finally, to compare

all protocols, we conduct an analysis considering both

communication and computation complexity.

Our contributions are two-fold. First, by formaliz-

ing two JRNG protocols explicitly, we provide clarity

on how to efﬁciently perform Joint Random Number

Generation. In contrast to previous work, our pro-

tocols are stand-alone and not embedded in others.

Therefore, they can be used in any domain or applica-

tion where JRNG is required. Finally, we show how to

perform JRNG with minimal computational and com-

munication overhead, thus improving the way JRNG

is done for the whole research community.

The remainder of this paper is structured as fol-

lows. First, we discuss related work and preliminar-

ies in section 2 and section 3. Next, we discuss the

share-based protocol in section 4, before discussing

the broadcast-based protocol in section 5, along with

its security proof. Finally, discuss complexity in sec-

tion 6 and conclude the paper in section 7.

2 RELATED WORK

Related work on Joint Random Number Generation

(JRNG) can be divided into two categories: research

that focuses on JRNG as a main goal, as does this

one, and research that uses it to achieve a broader

goal, and therefore embeds it in its protocol. First,

we discuss work that embeds JRNG to, for example,

perform privacy-preserving data aggregation: jointly

generated random numbers are used to mask indi-

vidual values before sending them to the aggregator.

When the aggregator sums or multiplies all values,

the masks cancel out and allow the aggregator to ob-

tain the exact result without revealing individual val-

ues. Since in this work, we care about JRNG specif-

ically, we only highlight those procedures and omit

any other details. An example of such research is the

work by Erkin and Tsudik, performing additive ag-

gregation of plaintexts in a setting with at least three

parties (K ≥ 3) (Erkin and Tsudik, 2012). First, par-

ties exchange random numbers in a pair-wise man-

ner, i.e. parties p

and p

exchange values r

→p

)

and

→p

)

. Then, each party computes its random value

by summing over the K − 1 received values:

∑

j=1, j6=i

→p

)

− r

→p

)

. (1)

It is trivial to see that the addition of these elements

yields zero. While presented in a smart meter set-

ting, this scheme can be used in any setting where

JRNG is required. However, it should be noted that

this work requires the presence of secure communica-

tion channels. The second work is an interactive pro-

tocol proposed by Kursawe, Danezis, and Kohlweiss

Efﬁcient Joint Random Number Generation for Secure Multi-party Computation

437

(Kursawe et al., 2011). Similar to Erkin and Tsudik,

it jointly generates random numbers yielding a zero-

sum. However, to reduce communication complexity,

it uses the notion of leaders. At the start of the proto-

col, each party generates a random number and shares

it with the set of leaders P. Then, each leader gener-

ates its random number in such a way that summing it

with all received shares yields zero. Similar to Erkin

and Tsudik, this protocol requires at least three parties

and secure communication channels. The use of lead-

ers reduces communication complexity for non-leader

parties, the complexity for leaders is unchanged. This

protocol is adapted by Van de Kamp et al. to remove

the notion of leaders: instead, parties share their ran-

dom number with all other parties (Van De Kamp

et al., 2019). In the same work, Kursawe et al. propose

a JRNG scheme based on the Difﬁe-Hellman key ex-

change. The scheme yields a publicly known product

rather than a sum, using the sign function s

( j).

( j) =

(

1 if i > j ,

−1 if i < j .

(2)

In this protocol, each party broadcasts its public key

, for which g ∈ Z

∗

is a public generator and k

∈

∗

is a random secret key. Each party uses these num-

bers to compute its random number R

as follows:

∏

j=1, j6=i

)

( j)k

= g

∑

j=1, j6=i

( j)k

. (3)

Verifying that this yields one is done by

∏

i=1

= g

∑

i=1

∑

j=1, j6=i

( j)k

= g

∑

i=1

∑

i−1

j=1

( j)+s

(i))k

= g

= 1 .

When using this protocol for aggregation, each party

masks its individual value c

i, j

using randomness R

and sends this to the aggregator as g

i, j

. As veri-

ﬁed above, all random numbers cancel out in the ﬁnal

sum, leaving the aggregator with g

∑

i, j

. Since it is not

trivial to ﬁnd the correct ﬁnal sum from this, Kursawe

et al. argue that the aggregator should launch a brute-

force attack to obtain it (Kursawe et al., 2011). More

recently, Bell et al. embedded JRNG in an aggrega-

tion protocol by requiring parties to establish shared

keys with their neighbours to derive pairwise random

masks, masking input c

as follows (Bell et al., 2020):

−

∑

j<i

i, j

∑

j>i

i, j

. (4)

This method again ensures that all masks cancel out

in the ﬁnal sum. The protocol operates in a semi-

honest security setting. It can be extended to a so-

called semi-malicious security setting, meaning that

the aggregation server is required to perform the ﬁrst

step of the protocol honestly, but is allowed to deviate

from the protocol after that (Bell et al., 2020).

Finally, we close this section by discussing work

that speciﬁcally focuses on Joint Random Number

Generation. In this work, JRNG is denoted by its au-

thors as modulo zero-sum randomness (Hayashi and

Koshiba, 2018). As the name explains, modulo zero-

sum randomness means that when summing individ-

ual numbers, the result is zero. To ensure zero-sum

randomness, three conditions have to be met:

1. Modulo Zero Condition: the sum of all random

numbers X

has to be zero.

2. Independence Condition: all numbers X

,...,X

used have to be generated independently.

3. Secrecy Condition: each player i has knowledge

of the random number it generated itself, X

, and

of the fact, the sum of all numbers will yield zero,

but has no additional knowledge.

In this work, to generate random numbers, the authors

impose a cyclic ordering on all parties. First, each

party agrees on a secret random number with its two

neighbors, Z

and Z

i−1

. Then, parties determine their

ﬁnal random by subtracting these two values:

= Z

− Z

i−1

. (5)

It is trivial to see that in summation, this yields zero.

In follow-up work, the use of multiple access chan-

nels and veriﬁable quantum protocols to generate

modulo zero-sum randomness is discussed (Hayashi,

2018; Hayashi and Koshiba, 2019).

It is important to note that all related work in this

section focuses on yielding a public sum of zero. Our

approach is a more generalized one, where instead we

facilitate the joint generation of random numbers that

sum up to a publicly known value N ≥ 0.

3 PRELIMINARIES

In this section, we introduce preliminaries, the secu-

rity assumption, and notation used in this work.

3.1 Decisional Difﬁe-Hellman Problem

The security of the broadcast-based scheme presented

in section 5 relies on the Decisional Difﬁe-Hellman

Problem (DDH). This problem is deﬁned as follows:

given a cyclic group G of prime order q, its public

generator g, the following two distinguishers are com-

putationally indistinguishable (in the security param-

eter q ); (g

), where x,y are chosen uniformly at

random from [0,... q − 1] and (g

), where x,y,z

are chosen uniformly at random from [0,... q − 1].

SECRYPT 2021 - 18th International Conference on Security and Cryptography

438

3.2 Security Setting

We assume an environment composed of a static

group of K entities wanting to jointly establish ran-

dom numbers with a publicly known sum. Similar

to related work, we assume all entities to be semi-

honest (honest-but-curious). This means they follow

the protocol but are not prevented from inferring ad-

ditional knowledge from received information. Each

entity is capable of performing modular operations,

such as modular addition, and of generating strong

random numbers. We do not assume the presence of

any other active entity, such as a trusted third party or

an aggregator, to perform computations. Protecting

against active adversaries can be done at the cost of

additional communication and computation complex-

ity, but is considered out of the scope of this work.

For the bit-wise sharing protocol, we assume the

existence of secure communication channels. These

ensure that any message sent over the network can

only be retrieved by its sender and recipient.

3.3 Notation

The notation used is summarized in Table 1.

Table 1: Notation Summary.

Symbol Deﬁnition

p large prime

→p

random value generated by p

send to p

g generator for Z

∗

K number of entities in the protocol

l security parameter

m bit-length of random numbers

carry-over from bit i

N publicly known target value

random number generated by entity p

temporary values used to construct R

i j

bit j of random number R

N j

bit j of publicly known target value N

updated bit i replacing x

of R

scaled carry-over for key entity i

( j) sign function

short for Z/aZ

4 SHARE-BASED JRNG

PROTOCOL

In this section, we describe a Joint Random Number

Generation protocol that uses the bit-wise sharing of

individually generated random numbers. The random

numbers generated by the protocol sum up to a pub-

licly known integer 0 ≤ N ≤ 2

, for some m ∈ N. Ini-

tially, all entities generate a random number R

, and

a subset of all entities is selected as m key entities.

Then, the acting key entity adjusts the j’th bit of its

random number such that it equals the j’th bit of the

target N. To do so, each entity sends its j’th bit to

the acting key entity, which sums these to determine

if its j’th bit should change. Finally, to prevent carry-

over from affecting subsequent computations, the act-

ing key entity subtracts this from its random number.

This process is repeated for m iterations until each key

entity has adjusted its random number once.

The protocol is formalized as follows:

1. All K entities generate random numbers R

∈

, such that R

∑

j=1

i j

j−1

i j

∈ {0,1}.

m entities are assigned key entity as in (Kursawe

et al., 2011).

2. Then, for m iterations:

2.1. All entities i send x

i j

to the acting key entity

using the underlying secure network.

2.2. The acting key entity calculates d

∑

i=1,i6= j

i j

. If d

≡ x

N j

mod 2, it sets its

j’th coefﬁcient to y

= 0. Otherwise, it sets its

j’th coefﬁcient to y

= 1.

2.3. Finally, the acting key entity calculates C

and updates its random number to

← R

−C

mod 2

In practice, usually N = 0. However, to keep the ﬁnal

outcome secret, different values for N can be used.

Then, the ﬁnal outcome can only be determined by the

entities that know N, since these can subtract it from

the ﬁnal outcome. While in this work the protocol is

demonstrated in a binary setting, it can be used in any

base-k setting for some k ∈ N.

A distinguishing feature of this protocol is that in-

stead of communicating full-sized random numbers

in each round, this protocol uses bit-wise communi-

cation. This reduces communication complexity to a

total of K − 1 bits per iteration. This reduction be-

comes more signiﬁcant for large numbers and high

amounts of entities. Since only key entities are re-

quired to perform modular operations, the scheme can

be used in situations where not all entities have equal

or sufﬁcient computing power. Even more important,

the use of key entities ensures that computation com-

plexity is dominated by the number of key entities,

not by the number of entities in general. Compared

to the work by Erkin and Tsudik, (Erkin and Tsudik,

2012), communication complexity is reduced and a

fully connected network is not required.

It is important to note that this scheme should not

be used for applications where certain bits are more

Efﬁcient Joint Random Number Generation for Secure Multi-party Computation

439

relevant than others, as is the case in a bank transfer.

If this protocol would be used to mask a bank transfer

with encryption c = m +R mod 2

, this would allow

the adversary to distinguish between high-valued and

low-valued transactions by only corrupting one entity.

Finally, it should be noted that the scheme can also

be used for situations where m > K. This can be done

as follows: for each j, where K < j ≤ m, we require

entity K to act during all remaining iterations, thereby

continuously adjusting its random number.

4.1 Security

When assessing the share-based protocol in a semi-

honest security setting, it becomes clear that the pro-

tocol is vulnerable to collusion among key entities. In

each round, the acting key entity receives an entity’s

j’th bit, thereby obtaining partial information about

each random number R

. Because of this, collusion

allows key entities to partially reconstruct the ran-

dom number held by other entities. While this seem-

ingly renders the protocol unusable, situations exist

in which computational speed is more important and

where non-privacy-preserving Joint Random Number

Generation sufﬁces. Such a situation is found in the

work by Garay, Schoenmakers, and Villegas (Garay

et al., 2007). Here, a random number of r is jointly

generated, before being encrypted using fresh ran-

domness. By adding fresh randomness to r, it is ef-

fectively masked. Therefore, in this case, our bit-wise

sharing protocol provides sufﬁcient security.

In situations where privacy of individual bits is

required, secure multi-party computation techniques,

such as (additive) secret sharing can be added to the

protocol (Van De Kamp et al., 2019). This can be

achieved as follows: during the second step of the

protocol, instead of directly sending its bit x

i j

to the

acting key entity, each entity ﬁrst generates K − 1

shares s

i j

of its bit, such that x

i j

∑

K−1

j=1

i j

mod N,

similar to the work by Garcia and Jacobs (Garcia and

Jacobs, 2010). Of these, it holds one by itself and

distributes the others among other non-acting key en-

tities. Finally, instead of sending entire bits, each en-

tity sends the received shares to the acting key en-

tity, together with its own share. Because of this,

the acting key entity receives all shares of all bits at

the same time. This allows it to reconstruct the orig-

inal bits, without knowing which bit originally be-

longed to which entity, thereby preserving the privacy

of each bit. While this allows the privacy protection

of individual bits, it also leads to an increase in com-

munication complexity. Therefore, using a privacy-

preserving version of this protocol should be justiﬁed.

5 SINGLE BROADCAST-BASED

JRNG PROTOCOL

In this section, we present a protocol, which is in-

spired by (Kursawe et al., 2011), that does not require

a secure network and only needs one broadcast per

entity to jointly establish random numbers with a pub-

licly known sum of N. We again assume a group of

at least three entities. Additionally, we assume a pub-

licly known ordering exists. Similar to the protocol

in (Kursawe et al., 2011), this protocol is based on

Difﬁe-Hellman key exchange and uses the sign func-

tion (Kursawe et al., 2011). However, different from

the protocol by Kursawe et al. our protocol performs

additive aggregation rather than multiplicative aggre-

gation. Thus, we provide the additive variant here.

Before we formalize the protocol, it is important

to note that in this work we assume a fully connected

network. This is, however, not required since all mes-

sages can be publicly known. Therefore, different

network topologies, such as a star network where all

messages are relayed through a semi-honest entity,

can also be used. Additionally, in this work, we set

N = 0, while in practice any N ∈ N can be used.

1. A public generator g ∈ Z

∗

is agreed upon. All

entities generate a random k

∈ Z

∗

and g

2. All entities publicly broadcast g

3. Each entity p

computes its ﬁnal random number:

∑

j=1, j6=i

( j)(g

)

∑

j=1, j6=i

( j)g

Correctness is easily veriﬁed since s

( j) + s

(i) = 0

for all i 6= j, and thus

∑

i=1

∑

i=1

∑

j=1, j6=i

( j)g

∑

i=1

i−1

∑

j=1

( j) + s

(i))g

= 0 .

5.1 Security

The security of this protocol is based on the hardness

of Decisional Difﬁe-Hellman Assumption. As the

protocol is a direct application of the Difﬁe-Hellman

Key exchange protocol, its security can be reduced to

Decisional Difﬁe-Hellman problem as R

’s are con-

structed from the public-key of Difﬁe-Hellman Ex-

change protocol and can not be distinguished from

random R

’s.

SECRYPT 2021 - 18th International Conference on Security and Cryptography

440

5.2 Adapted Broadcast-based Protocol

To reduce the complexity of the broadcast-based

scheme, a ring-topology can be assumed. This re-

quires the assumption that any entity p

is only able

to communicate with its neighbours: the entities

ranked above and below it. Since this rank is seen in

(mod K), the lowest and highest ranked entities are

also neighbors. The scheme is formalized as follows:

1. A public generator g ∈ Z

∗

is agreed upon. All

entities generate a random k

∈ Z

∗

and g

2. Each entity publicly sends g

to both neighbors.

3. Each entity p

computes

∑

j∈N

( j)(g

)

∑

j∈N

( j)g

Correctness follows since i ∈ N

implies that j ∈ N

Therefore, correctness of this scheme can be veriﬁed

in the same way as the original scheme is veriﬁed.

6 COMPLEXITY ANALYSIS

In this section, we analyze the complexity of our pro-

tocols. For computation complexity, we base our

analysis on the number of modular additions and

modular exponentiation performed. For communica-

tion complexity, we base our analysis on the number

of messages exchanged and their lengths. We con-

clude this section by comparing our protocols.

6.1 Computation Complexity

The share-based protocol is asymmetric since the

number of operations performed by key entities dif-

fers from the number of operations performed by non-

key entities. This underlines the protocol’s versatility:

non-key entities require signiﬁcantly less computing

power than key entities. Its computation complex-

ity is dominated by modular addition, performed each

round by the acting key entity using all K −1 received

values. For m iterations, this results in m · (K − 1)

modular additions. It is important to note that in this

protocol modular addition is performed using single

bits. In contrast to the share-based protocol, the single

broadcast-based protocol is symmetric, meaning that

the number of operations performed is the same for

all entities. Besides modular addition, the complexity

of the broadcast-based protocol is dominated by mod-

ular exponentiation. Each entity performs both oper-

ations once during the protocol: modular exponentia-

tion during the ﬁrst step and modular addition during

the ﬁnal step. This results in K modular exponentia-

tions and K ·(K −1) modular additions, since modular

addition is performed using (K − 1) numbers. In con-

trast to the ﬁrst protocol, the addition is performed

using complete numbers. Compared to the original

version of the broadcast-based protocol, its adapted

version has lower computation complexity. This is

caused by the fact that entities only send messages to

their two neighbors. As a consequence, the amount

of numbers used in modular addition is reduced to 2

and computation complexity to 2K. The number of

modular exponentiation remains the same.

6.2 Communication Complexity

For the share-based JRNG protocol, communication

complexity strongly depends on the number of iter-

ations m performed during one run of the protocol.

For each iteration, each entity sends one message to

the acting key entity. Consequently, for m iterations,

this results in m messages send by non-key entities

and m − 1 messages send by key entities. For K

entities, this yields a communication complexity of

O(mK). This is comparable to any other system us-

ing the notion of l leaders, as discussed in Related

Work. However, since our protocol requires entities to

share one bit of their random number only, communi-

cation complexity is reduced, even if m far exceeds l.

The single broadcast-based protocol uses broadcast-

ing to communicate. Therefore, its communication

complexity is rather high. Each entity sends one mes-

sage to all others, resulting in K · (K − 1) messages

being sent during one execution of the protocol, sim-

pliﬁed as K

. Additionally, compared to the share-

based protocol, messages are longer, since numbers

are communicated entirely. In the adapted version of

the single broadcast-based protocol, each entity only

sends two messages, thereby reducing communica-

tion complexity to 2K. Similar to the original version

of the protocol, numbers are communicated entirely.

6.3 Comparison

Computation and communication complexity are

shortly summarized in Table 2. When looking at

communication complexity, it becomes visible that

both the share-based and the adapted protocol require

a number of messages that is linear with K. The

share-based protocol requires the shortest messages

and therefore has the lowest communication complex-

ity. When taking into account computation complex-

ity, it becomes visible that, again, the share-based and

adapted protocol have the lowest complexity. Since

the share-based protocol does not require modular ex-

Efﬁcient Joint Random Number Generation for Secure Multi-party Computation

441

Table 2: Computation and communication complexity of existing and our works.

Modular

Addition

Modular

Exp.

Number of

Messages

Message

length (bits)

Encryption/

Decryption

Key

Agreement

(Erkin and Tsudik, 2012) K · (K − 1) - K

m - -

(Kursawe et al., 2011)

DH key exchange based K · (K − 1) 2K K

m - -

(Kursawe et al., 2011)

Interactive P · (K − 1) - KP m KP/KP -

(Van De Kamp et al., 2019) K · (K − 1) - K

m - -

(Bell et al., 2020) K · (K − 1) - 2K m - 2K

(Hayashi and Koshiba, 2018) K - 2K m - 2K

Our Share-based pro. m · (K − 1) - K 1 - -

Our Broadcast-based pro. K · (K − 1) K K

m - -

Our Adapted broadcast-based pro. 2K K 2K m - -

ponentiation, while the others do, it has the best com-

putation complexity. However, it is important to note

that it does require the existence of secure commu-

nication channels, while messages in the broadcast-

based protocol can be shared publicly.

In Table 2, we also include computation and com-

munication complexity of related works. Comparing

these to the share-based protocol shows that the share-

based protocol has better computation and commu-

nication complexity, as it requires less modular ad-

ditions and sends fewer and shorter messages. Sim-

ilar to (Erkin and Tsudik, 2012), it requires secure

communication channels. Table 2 also shows the

computation and communication complexity of the

broadcast-based protocol are similar to those of the

works by (Erkin and Tsudik, 2012; Kursawe et al.,

2011) and (Van De Kamp et al., 2019). Additionally,

while the works by (Bell et al., 2020) and (Hayashi

and Koshiba, 2018) have better communication com-

plexity, they require additional key agreements to be

performed. The same holds for the interactive proto-

col by (Kursawe et al., 2011), while computation and

communication complexity are similar, it requires ad-

ditional encryption and decryption operations.

7 CONCLUSION

While Joint Random Number Generation can be

found in several Secure Multi-Party Computation so-

lutions, such as data aggregation, most research omits

how to obtain such numbers and simply assumes

their existence. In this paper, we have presented two

computationally efﬁcient protocols for Joint Random

Number Generation. One of these is share-based,

using bit-wise updates to ensure that all individual

numbers yield the correct sum. While this proto-

col does not provide semi-honest security, situations

exist in which the current security guarantees suf-

ﬁce and where computational speed is more impor-

tant. For completeness, we also demonstrate mea-

sures to increase the security of the share-based pro-

tocol. The other protocol is broadcast-based and uses

the sign function to ensure that all generated numbers

yield a public sum. This protocol relies on the com-

putational Difﬁe-Hellman Problem to provide semi-

honest security. Additionally, we have proposed an

adapted version of the broadcast-based protocol that

has lower computation and communication complex-

ity. By comparing all three protocols based on com-

putation and communication complexity, it becomes

clear that the share-based protocol is most efﬁcient.

However, the fact that it requires secure communi-

cation channels hinders its applicability. Therefore,

when choosing which protocol to employ, the desired

security guarantees and the additional cost of estab-

lishing secure channels should be taken into account.

ACKNOWLEDGMENT

This work was partly supported by SECREDAS

project that has received funding from the Electronic

Component Systems for European Leadership Joint

Undertaking under grant agreement No 783119. This

Joint Undertaking receives support from the European

Union’s Horizon 2020 research and innovation pro-

gramme and Netherlands, Austria, Belgium, Czech

Republic, Germany, Spain, Finland, France, Hungary,

Italy, Poland, Portugal, Romania, Sweden, Tunisia,

United Kingdom.

SECRYPT 2021 - 18th International Conference on Security and Cryptography

442

REFERENCES

Bell, J. H., Bonawitz, K. A., Gasc

on, A., Lepoint, T., and

Raykova, M. (2020). Secure single-server aggregation

with (poly) logarithmic overhead. In Proceedings of

the 2020 ACM SIGSAC Conference on Computer and

Communications Security, pages 1253–1269.

Erkin, Z. and Tsudik, G. (2012). Private computation of

spatial and temporal power consumption with smart

meters. In International Conference on Applied

Cryptography and Network Security, pages 561–577.

Springer.

Erkin, Z., Veugen, T., Toft, T., and Lagendijk, R. L. (2013).

Privacy-preserving distributed clustering. EURASIP

Journal on Information Security, 2013(1):4.

European Parliament and Council of European Union

(2016). Regulation (eu) 2016/679.

Availableat:https://eur-lex.europa.eu/legal-content/

EN/TXT/HTML/?uri=CELEX:32016R0679&from=

EN.

Garay, J., Schoenmakers, B., and Villegas, J. (2007). Prac-

tical and secure solutions for integer comparison. In

International Workshop on Public Key Cryptography,

pages 330–342. Springer.

Garcia, F. D. and Jacobs, B. (2010). Privacy-friendly

energy-metering via homomorphic encryption. In In-

ternational Workshop on Security and Trust Manage-

ment, pages 226–238. Springer.

Hayashi, M. (2018). Secure modulo sum via multiple access

channel. arXiv preprint arXiv:1812.10862.

Hayashi, M. and Koshiba, T. (2018). Secure modulo zero-

sum randomness as cryptographic resource.

Hayashi, M. and Koshiba, T. (2019). Veriﬁable quan-

tum secure modulo summation. arXiv preprint

arXiv:1910.05976.

Jiang, L., Lou, X., Tan, R., and Zhao, J. (2019). Differen-

tially private collaborative learning for the iot edge. In

EWSN, pages 341–346.

Kursawe, K., Danezis, G., and Kohlweiss, M. (2011).

Privacy-friendly aggregation for the smart-grid. In In-

ternational Symposium on Privacy Enhancing Tech-

nologies Symposium, pages 175–191. Springer.

Lu, R., Heung, K., Lashkari, A. H., and Ghorbani, A. A.

(2017). A lightweight privacy-preserving data aggre-

gation scheme for fog computing-enhanced iot. IEEE

Access, 5:3302–3312.

Lyu, L. (2020). Lightweight crypto-assisted distributed

differential privacy for privacy-preserving distributed

learning. In 2020 International Joint Conference on

Neural Networks (IJCNN), pages 1–8. IEEE.

Merkle, R. C. (1978). Secure communications over insecure

channels. Communications of the ACM, 21(4):294–

299.

Privacy International (2020). Data breach.

Availableat:https://privacyinternational.org/examples/

data-breach.

Shi, E., Chan, T. H., Rieffel, E., Chow, R., and Song, D.

(2011). Privacy-preserving aggregation of time-series

data. In Proc. NDSS, volume 2, pages 1–17. Citeseer.

Shi, Z., Sun, R., Lu, R., Chen, L., Chen, J., and Shen, X. S.

(2015). Diverse grouping-based aggregation protocol

with error detection for smart grid communications.

IEEE Transactions on Smart Grid, 6(6):2856–2868.

Singapore Parliament (2014). Personal data protection act

overview.

Availableat:pdpc.gov.sg/Overview-of-PDPA/

The-Legislation/Personal-Data-Protection-Act.

Van De Kamp, L., Ugwuoke, C., and Erkin, Z. (2019).

Economy: Ensemble collaborative learning using

masking. In 2019 IEEE 30th International Sympo-

sium on Personal, Indoor and Mobile Radio Commu-

nications (PIMRC Workshops), pages 1–6. IEEE.

Wang, W. and Lu, Z. (2013). Cyber security in the smart

grid: Survey and challenges. Computer networks,

57(5):1344–1371.

Yao, A. C. (1982). Protocols for secure computations. In

23rd annual symposium on foundations of computer

science (sfcs 1982), pages 160–164. IEEE.

Zhao, L., Wang, Q., Zou, Q., Zhang, Y., and Chen, Y.

(2019). Privacy-preserving collaborative deep learn-

ing with unreliable participants. IEEE Transactions on

Information Forensics and Security, 15:1486–1500.

Efﬁcient Joint Random Number Generation for Secure Multi-party Computation

443