Full Power Secure Computation for Agent Privacy Protection
Qingkai Ma, Wei Hao, I-Ling Yen, and Farokh Bastani
Department of Computer Science
University of Texas at Dallas
{qingkma, weihao, ilyen, bastani}@utdallas.edu
Abstract
In mobile agent computation, protecting agent secrecy and integrity is a critical issue, but current
solutions do not provide sufficient protection. The major problem comes during the agent computation
time. At that time, raw agent data is used to perform the computation. Without proper protection, a
malicious agent host can compromise the privacy and integrity of the data. Existing approaches either do
not provide sufficient protection, incurs high overhead, or do not support general computations that are
required in most agents. In this paper, we propose an algorithm that can assure the privacy of secret agent
data and, at the same time, provide full agent computation power. Our algorithm can also be combined
with replication schemes to provide assure data integrity.
1
1
Introduction
Mobile agent technique offers a new computing paradigm for distributed applications over large-scale
networks such as the Internet. Compared with currently widely deployed client-server architectures, the
mobile agent technology has many advantages that make it more suitable for widely distributed
computing. It yields reduced network traffic, better load distribution, and reduced request latency due to
reduced frequency of client-server interactions. In spite of all these advantages, one problem has to be
solved before mobile agent systems can be widely deployed, namely, the security issues. Generally,
security in mobile agent systems consists of two aspects. First, agent hosts can be attacked by malicious
agents. Hence, protection mechanisms should be provided in agent execution environment to prevent the
hosts from being compromised. Second, the privacy and integrity of agents need to be protected. Consider
the auction example. Agents are frequently used in auction systems. A buyer agent may carry the bidding
information which has to be kept secret from the seller agents. Also, agent integrity needs to be protected
to ensure that the data it gathered or computed are not altered while traveling around following its
itinerary. For example, when an agent is sent out to collect prices from different vendors, a malicious host
might attempt to set the lowest price to its price and change the itinerary of that agent to ensure that it
does not visit any other vendor hosts. While there have been many mobile agent systems and security
mechanisms that provide protection for agent host [3, 2, 20, 14], there is no good solution for protecting
agents from malicious hosts.
Most existing mobile agent systems only consider agent protection at the communication time by
encrypting the agent code and data for transmission [19]. A few research works consider more
sophisticated agent protection mechanisms. In [21], an approach for agent protection using tamper-proof
hardware has been proposed. The use of specialized hardware is costly. Also, it is only a matter of time
when the hardware can be tampered with. In [15], an approach using time-limited black-box scheme is
presented. It obfuscates the agent code and data periodically. The assumption is that it will take more than
the time limit to understand and tamper with the obfuscated code and the data purposefully. Thus, within
2
the time limit, the code and the data are safe. This approach only protects agents from attacks within a
limited time period, but does not provide privacy protection. The agent’s function and data can be known
after the time period. In [16], server replication is used to provide fault tolerance and integrity assurance
for agent computation. It does not consider privacy protection for agents.
In the literature, some mechanisms have been proposed for protecting agents, especially privacy
assurance. In [1], a protocol for secure circuit evaluation is proposed. However, the algorithm incurs a
high communication overhead between the client and the computation site. In the mobile agent case, it
implies very frequent traffic between the source that sends out the agent and the agent host that is
executing the agent program. More specifically, several communication rounds are required for the
execution of each instruction. Consider the auction example. It would be much better for the buyer to
keep the secret information locally and communicate with its buyer agent at the auction host when
coordination is required. Multiparty computation algorithms [12, 17, 8] can also be employed to protect
agent secrecy and integrity. However, these algorithms only consider basic arithmetic operations, not
program control constructs such as the conditional branch. Thus, they cannot be used for general-purpose
agent computation. Overall, current approaches only offer solutions for special situations; they cannot be
used for general-purpose agent systems.
In this paper, we consider the agent protection problem. We do not consider agent protection during
communication and transferring time. Well-developed encryption algorithms and authentication protocols
can be used for this purpose. Also, in many agent applications, the data carried by agents are highly
critical, but not the agent code. And, existing obfuscation techniques can be used for agent code
protection. Thus, we focus on the secrecy and integrity protection of agent data against malicious agent
hosts. Our goal is to achieve highly secure computations during agent execution time such that secret
agent data cannot be tampered with or compromised by malicious agent hosts. Our approach is based on
secret sharing techniques [4, 18]. In contrast to other secret sharing based algorithms, our approach
supports general agent computation, including basic arithmetic operations as well as basic program
3
control constructs. To the best of our knowledge, this is the first algorithm that supports general secure
computation for mobile agents.
The rest of the paper is organized as follows. In Section 2, we specify in detail the agent security
protection problem to be addressed in this paper. Also, two algorithms that provide the closest solutions
to the specified problem are introduced. Our approach for agent privacy protection is presented in Section
3. The computation protocols for the addition, multiplication, division, and test operations are presented.
The correctness and secrecy of each protocol are also analyzed. Section 4 compares the performance of
our algorithm with that of the existing ones. Section 5 summarizes the paper and identifies some future
research directions.
2
Problem Description and Background
The system we consider consists of many clients and a group of n agent hosts, where n is a constant
number that can be configured at initialization time. For communication, we assume a virtual private
channel between each pair of hosts. Also, we assume semi-honest hosts. A semi-honest host follows the
protocol and behaves exactly as it is required, but it may try to obtain the secret information from its local
information and the information made available to them as a result of the computation. Also, multiple
semi-honest hosts may cooperate to try to compromise the secret information.
On the client side, we use a program transformer to convert a normal agent program into n secure
computation programs, A0, A1, …, A n–1. The n programs are sent to n different agent hosts H0, H1, …, Hn–1.
More specifically, Ai is sent to Hi, for all i. The transformer also partitions each secret data item d into n
secret shares, d0, d1, …, dn–1, and assign the secret share di to agent Ai. Thus, the secret information is only
known to the client and no agent host can compromise it unless m or more agent hosts are collaborating to
compromise the information. For the algorithm discussed in this paper, we have m = n.
Generally, agent data can be compromised by an agent host in three phases of the agent life cycle,
including the communication, storage, and run time. It is easy to protect agent secrecy during the
communication and storage phases. Well-developed encryption algorithms and authentication protocols
4
can be used for agent protection during the communication phase. Existing techniques, such as data
encryption with distributed keys [11, 13] and data partitioning algorithms such as Shamir’s [18] &
Blakley’s [4] schemes, can be used to ensure the secrecy and integrity of agent data during storage time.
On the other hand, agent secrecy protection during the execution time is more difficult to achieve since
clear form agent data are generally needed to allow accurate computation. Thus, agent host can easily spy
on the agent data in its memory or registers. Our goal is to protect the secrecy of agent data at execution
time.
Some existing research works provide secrecy protection at execution time by considering pure
arithmetic computations, including basic assignment, addition, and multiplication operations. According
to the Turing machine model, we need to consider three basic computation statements (besides the
assignment statement), namely, increment, decrement, and conditional statements to support full
computation power [10]. Here, we will consider the set of instructions at a higher level but with
equivalent power to the basic set of statements, including addition, multiplication, and test operations.
Secure computations have been investigated since the 80’s [1, 17, 22]. Secure circuit evaluation [1,
22] is the first approach along this direction. In [1], a secure circuit evaluation protocol based on the
properties of quadratic residues is introduced. Consider two parties C and D. C holds a secret program p
implementing a function f and D holds the confidential data x. The protocol allows C to compute f(x) for
D without revealing x to C or p to D. Let k be the product of two large prime numbers p and q. Both p and
q are congruent to 3 mod 4. For an integer a that is in the set Z k* [ 1] (i.e., a is relative prime to k with
Jacobi symbol 1), a is a quadratic residue mod k if there exists an x, such that a = x2 mod k. D holds the
secret keys p and q, and both C and D know the public information k. The basic concept of the approach
is to use the quadratic residue property to encrypt the binary values, where 0 is mapped to a quadratic
residue number and 1 to a quadratic non-residue number. The protocol considers “negate” and “and”
operations on encrypted data. Note that “negate” and “and” operations constitute a complete set of basic
operations for binary computations. The “negate” operation on the original binary data can be easily
5
mapped to the secret operation on the encrypted data. However, for the “and” operation, the secret
computation on the encrypted data cannot be accomplished without consulting the key holder (D).
To map the secure circuit evaluation approach to secure agent computation, the client acts as D and
the agent host acts as C. The client sends out an agent, which holds encrypted input data, to the agent host.
The agent on the host performs computations on the encrypted data following the above protocol. As we
can see, this approach incurs a very high communication overhead between the client and the agent host.
Also, the approach cannot be extended to the case of having more than one agent hosts.
Another secret computation model is the secure multiparty computation. Many secure multiparty
computation algorithms have been proposed [17, 9, 12] in the literature. In [12], a secure multiparty
computation algorithm based on the Shamir’s secret sharing scheme is introduced. A secret data item d is
partitioned into n shares and distributed to n shareholders. A polynomial f of degree m is chosen to
compute the n shares, each share di is f(xi) for some chosen xi and the original data d is the constant field
of f. Thus, from m or more shares, the secret data d can be reconstructed. Further, no information about d
can be inferred from fewer than m shares. For the addition operation, each host simply adds up its shares
of the two secret data. For the multiplication operation, if each agent simply multiplies its shares of the
two secret data, the resulting sharing polynomial will be of degree 2m. To reduce the degree of the
sharing polynomial back to m, each share holder chooses a polynomial and repartitions its multiplication
result among all the share holders. The process of reducing the degree of the share polynomial incurs
O(n2) communication overhead. Many similar secure computation algorithms have been proposed [17, 5,
7]. A fundamental problem with these algorithms is that they do not support general computations. More
specifically, based on these approaches, there is no clear method of performing a test operation on a secret
data d (i.e., to check if d > 0) without revealing d.
3
An Approach for Agent Data Protection
The secure circuit evaluation algorithm requires frequent communication between the client and the
agent host and, hence, is not suitable for agent computation due to the potentially long communication
6
latency between the client and the agent host. On the other hand, the multiparty computation approach
does not support general computations. It also incurs high communication cost for the multiplication
operation. Our approach is based on the secret sharing and multiparty computation approach. We use a
nonlinear secret sharing scheme to make it easy to implement the test operation. Also it can easily
accomplish the division operation, which is not possible with most of the secure multiparty computation
approaches.
3.1
Decomposition
Consider a secret data d. d is partitioned into secret shares d0, d1,…, dn1, where d 

n 1
i 0
d i . Note
that the partitioning process is nondeterministic. The same number can be partitioned into totally different
sets of secret shares. Also, it is not desirable to allow di to be a factor of d since, otherwise, it will be very
easy to compromise d from an individual share di. If d is partitioned into real numbers, then there may be
precision problem after several computations. Thus, we use a fraction to represent each di to avoid these
problems. We have di = si / ti, for some arbitrarily chosen si. The secret share di, or more specifically si
and ti, is sent with Ai to the agent host Hi. Only from all the secret shares can the original secret data d be
reconstructed. For simplicity of presentation, we introduce the algorithms using di instead of si and ti in
some of the following sections. The actual computation is performed on si and ti correspondingly. Also, to
avoid complicated expressions in indices, we assume that the “+” and “–” for index computation are
modular n operations (e.g., di+1 is used to represent d(i+1) mod n).
3.2
Multiplication Computation
Protocol: Consider two secret data d and d’. Let di, i = 0, 1, …, n1, be the secret shares of d and let
di’, i = 0, 1,…, n1, be the secret shares of d’. To compute d  d’, each agent Ai simply computes di  di’.
More specifically, Ai simply computes si  si’ and ti  ti’.
Correctness of the multiplication computation: From d 
7
n 1
n 1
i 0
i 0
 d i and d '   d i ' , we can get
n 1
n 1
n 1
i 0
i 0
i 0
d  d '   d i   d i '   (d i  d i ' ) .
Hence, di  di’, i = 0, 1,…, n1, are secret shares of d  d’.
Secrecy: Since the multiplication computation is done by each agent host locally without any
communication, there is no possibility for any agent host Hi to obtain information in addition to its own
shares di and di’. Hence, secrecy is assured.
3.3
Division Computation
Protocol: Consider two secret data d and d’. Let di, i = 0, 1, …, n1, be the secret shares of d and let
di’, i = 0, 1,…, n1, be the secret shares of d’. To compute d / d’, each agent Ai simply computes di / di’.
More specifically, Ai simply computes si  ti’ and ti  si’. Due to the use of fraction representation for d and
di’, the computation for division operations is the same as that for multiplication operations.
Correctness and Secrecy: Similar to the case of the multiplication computation.
3.4
Addition Computation
Protocol: Consider two secret data d and d’. We decompose d into

n 1
i 0
d i and d’ into i 0 d i ' . To
n 1
compute d + d’, we can use
n 1
n 1
n 1

 n 1
d  d '   d i   d i'  1   d i / d i '  d i ' .
i 0
i 0
i 0

 i 0
n 1
The computation of
 d i / d i ' and
i 0
n 1
 d ' are straightforward. But there is no easy way to compute
i
i 0
n 1
n 1
i 0
i 0
1   d i / d i ' autonomously. If a single host knows the value of 1   d i / d i ' , then d / d’ will be

revealed. Thus, instead, we let the hosts compute   1 

n 1

,
i.e.,




d i / d i ' , where  is
d
/
d
'



i
i 
i 0
i 0

n 1
an arbitrary secret number. Note that  has to remain secret during the computation. If we compute
8
n 1
n 1
i 0
i 0
   d i / d i ' first and then add  to it, it is similar to the computation of 1   d i / d i ' , and we cannot
find a good way to do the computation with the guarantee that a minority of compromised hosts cannot
cooperate to know the value of  and d / d’. To successfully compute    
n 1
d
i
/ d i ' with guaranteed
i 0
secrecy, we need to decompose  in several different ways. Before introducing the method, we define two
ways for secret share decomposition. First, we have the same secret share decomposition as introduced in
Section 3.1, where a secret data d is decomposed into d0, d1, …, dn-1 and

n 1
i 0
d i  d . Also, we can
decompose d into “secret addition shares”, where a secret data d is decomposed into d0, d1, …, dn-1 and

n 1
i 0
di  d .
To facilitate the secret computation of    
n 1
d
i
/ d i ' , we first need to decompose  into secret
i 0
addition shares where  =
n 1
i0  i . Also,    d i / d i ' should be computed in a way such that each
n 1
i 0
host gets a secret addition share of it, i.e.,  
n 1
 di / di ' =
i 0
n 1





d j / d j '  and host Hi gets share
i 0  i 
j 0


n 1
n 1
 i   d j / d j ' (how this term is computed will be addressed later). By doing so, each host, say host Hi,
j 0
can easily compute  i   i 
n 1
d
j 0
still needs to obtain  i 
j
/ d j ' . To guarantee secrecy, we require  i   i . However, host Hi
n 1
d
j
/d j '.
j 0
9
To compute  i 
n 1
d
j
/ d j ' , Hi needs the cooperation of other hosts. Again, to guarantee secrecy,
j 0
 i is further decomposed into secret shares where  i =  j 0  j ,i and Hk holds k,i. Thus, each host Hk
n 1
can compute k i  dj / dj’ and Hi can obtain  i 
n 1
d
/d j'.
j
j 0

Note that after getting   1 

n 1
d
i 0
i
n 1

/ d i '  , we need to divide it by  to get 1   d i / d i ' . Thus, we
i 0

also need to decompose  into secret shares where  =

n 1
i 0
 i and host Hi has the secret share i.
In summary, for the addition operation, host Hi, i = 0, 1,…, n–1, has secret values i,0, i,1, …, i,n–1,
i, and i that satisfy

 i  i 0  i  i 0  j 0  j ,i   and  i   j 0  j ,i , for all i.
n 1
i 0
n 1
n 1
n 1
n 1
These values are computed at the initialization time and stored in a file for each host. Agent host reads in
one set of secret values for an addition operation, and for the next addition operation, it will use a
different set of secret values to avoid information leakage.
From d 
n 1
n 1
i 0
i 0
 d i and d '   d i ' , let   i0  j 0 j ,i we have
n 1
n 1
n 1
n 1
n 1
n 1

 n 1

 n 1
d  d '   d i   d i '  1   d i / d i'  d i '        d i / d i '  d i ' /  i
i 0
i 0
i 0
i 0

 i 0

 i 0
Host Hi, i = 0, 1, …, n1, computes d i' /  i locally. Each host computes part of    
n 1
d
i
/ di '
i 0
and sends the result to a chosen host Hx. Hx adds them up and multiplies the result with d x ' /  x to get its
share of d + d’. Each host Hi, i ≠ x, takes d i ' /  i as its share of d + d’. The pseudo-code for the addition
operation is given in the following.
Hi, ( i ≠ x):
computes d i ' /  i and take it as its share of d + d’;
10
computes  i 

n 1
j 0
 i , j  d j / d j ' and send it to Hx;
Hx:
computes d x ' /  x and    x 

n 1
j 0
 x, j  d j / d j ' ;
   d / d ' from H , for any i;
         d / d ';
until received      d / d ' , for all i;
repeat receive  i 
n 1
j 0
j ,i
j
i
j
n 1
j 0
i
j ,i
j
j
n 1
j 0
i
j ,i
j
j
compute   d x ' /  x and take it as its share of d + d’;
Now let us look at how host Hi ( i = 0, 1,…, n1) computes  i 

n 1
j 0
 j ,i  d j / d 'j . Hi needs the
cooperation of the other hosts for the computation. First, Hi+1 computes  i 1,i  d i 1 / d i'1 and sends it to
Hi+2. Hi+2 multiplies the data it receives by  i 2,i  d i 2 / d i'2 and sends the result to Hi+3. The subsequent
hosts do the same until the computation result gets to Hi. Finally, Hi multiplies the data it received by
 i ,i  d i / d i ' to get

 j ,i  d j / d j ' and then adds  i to it to get  i   j 0  j ,i  d j / d 'j .
j 0
n 1
n 1
An alternative way for computing  i 

n 1
j 0
 j ,i  d j / d 'j , for all i, can be used to reduce the
number of messages. The computation is done in a circular way with multiple lines of computation. H0
starts the computation of

n 1
j 0
 j ,n1  d j / d j ' by sending Tn0..10   0,n1d 0 / d 0 ' to H1. (Note that we
use Tkx.. y to denote the partial result obtained by host Hy for computing

that
host
starts
the
computation
and
the
computation
ends
at
n 1
j 0
 j ,k d j / d j ' . Hx is the host
Hk.
At
Hk,
we
have
Tkk 1.. k   j 0  j ,k d j / d j ' .) H1 computes Tn0..11  Tn0..10 *1,n1d1 / d1 ' and sends Tn0..11 to H2. However,
n 1
H1 does not send Tn0..11 alone to H2. It also initiates the computation of T01..0 

n 1
j 0
 0, j  d j / d j ' by
sending T01..1  1,0 d1 / d1 ' to H2. Tn0..11 and T01..1 are sent together from H1 to H2 in one message.
Subsequently, Hi initiates the computation of T0i ..i 1 and continues the previous lines of computation. Hi
ends up sending i+1 terms to Hi+1. Each line of computation completes after going through n nodes. In
11
this way, computing  i 

n 1
j 0
 j ,i  d j / d 'j , for all i, requires a total of 2n – 1 messages, which is
much less than the original approach stated in the paragraph above which requires a total of n * ( n – 1 )
messages). However, this approach requires 2n – 1 rounds of communication, increased by n rounds from
the original approach (where the computation of  i 

n 1
j 0
 j ,i  d j / d 'j , for all i, can be done in
parallel and, hence, only requires n – 1 rounds).
Correctness: Since the multiplication of the shares of all host equals
n 1
n 1
n 1
n 1




      d i / d i '   d x' /  x  i 0,i  x d i ' /  i        d i / d i '   i 0 d i ' /  i  d  d ' ,
i 0
i 0




our protocol correctly computes shares of the addition result for all hosts.
Secrecy of the protocol: During the computation of  i 

n 1
j 0
 j ,i  d j / d 'j , the only information
that host Hi releases is  i , j  (d i / d i ' ) . From  i , j  (d i / d i ' ) , for all j, it is not possible to derive d i and
d i ' since  i, j ’s are preset secret values only known to host Hi. During the final step of computing

n 1


i 0

  1   d i / d i '  , each node Hi (ix) offers  i   j 0  j ,i  d j / d 'j to Hx. The only way for Hx to
n 1
know d / d’ is to know . In order to know the value of , it needs to crack all the other hosts in order to
know all the  i or all the  j ,i values for all i. For Hk (k  x), in order to know d / d’, it needs to know the
value of    k or

n 1
j 0
 j ,k . In order to know one of these two values, it also needs to crack all the
other hosts. Coalition of malicious hosts doesn’t increase their chance of knowing d / d’. So the adversary
needs to crack all the hosts to know d / d’. Since d i and d i ' are all kept secret by host Hi, even when the
adversary get the value of d / d ' , no information about the value of d and d ' except their relative ratio
can be known unless all the d i ’s or all the d i ' ’s are known. So, the addition protocol ensures the secrecy
of the value of d, d’, d / d’ and d + d’ unless all of the hosts are corrupted.
12
3.5
Testing Operation
Protocol: Here, we show how to test a given data d and determine whether d > 0. To compare two
secret data d and d’, we can first compute d  d’ and then check whether d  d’ > 0.
To determine whether d > 0, each host Hi first computes sign (di), where
 1, if x is postive
.
sign( x)  
1, if x is negative
Similar to the addition algorithm, a host Hx is chosen randomly to start the computation. Host Hx
picks a random number  (which can be positive or negative) and computes sign( di). Then, Hx sends
sign( di) to its neighbor H(x+1) mod n.
Host Hi upon receiving data p from its neighbor executes the following code:
if (i  x) then
compute p’ = sign (di)  p;
send p’ to H(i+1) mod n;
else compute p’ = sign ()  p; broadcast p’ to all Hi, for all i;
endif;
After Hx obtains p’, it broadcasts p’ to all other hosts. Note that the final p’ obtained by Hx is sign(d).
Thus, all hosts can make the same decision after the test based on the value p’ (= sign(d)). A drawback of
the test statement is that the sign information of the secret data d has to be revealed. It is an inevitable
consequence for the test operation. Some patching scheme will be discussed in Section 3.7 to avoid the
leakage of sign(d).
Correctness: The correctness of the testing operation is quite obvious. The final result of the test
statement the agent hosts get equals
n 1
n 1
i 0
i 0
 sign (d i ) . Since d   d i ,
n 1
 sign (d )  sign (d ) .
i
i 0
Secrecy: During the testing operation, the only information that is revealed from the share held by an
agent host is the sign of the shared data. Thus, the secret information is kept secret except that its sign will
be revealed if any of the hosts are corrupted.
13
3.6
Fraction Simplification
Unbounded growth in the size of the secret shares can be a potential problem in our approach due to
the use of a nonlinear decomposition scheme (fraction representation). In most conventional multiparty
computations, linear decomposition schemes are used. Therefore, it is straightforward to apply the
modular arithmetic and the operations such as addition and multiplication can be defined in Zn (where n is
a large prime number) as modular n operations. Thus, all data from the computation are in a finite field Zn
and there is no unbounded growth problem (as long as the original computation does not overflow).
In our approach, we use fraction simplification technique to enforce bounds on the numerator and
denominator values of each secret share. Two thresholds Bl and Bh are used, where Bh is the upper
threshold and Bl is the lower threshold. For our protocol, if the maximum number that can be represented
in a computer is z, we have Bh 
z . We also require Bl  Bh . To guarantee the secrecy of the
shares during fraction simplification, we impose some restrictions on the secret data d. We have d = s / t,
where s < Bl and t < Bl. All the intermediate results in the corresponding non-encrypted computation and
secret numbers used for our intermediate computation should also satisfy this condition. When a value
grows beyond Bh, fraction simplification is performed. Let v denote the value that grows beyond Bh. A
factor from v is selected and sent out to one specific host Hx. Hx collects all such factors and computes
their product r1 / r2. From the constraint on the secret data and shares, we can see that the numerator (r1)
and denominator (r2) definitely have common factors and can be canceled out. After the simplification of
r1 / r2, Hx will be able to decompose r1 / r2 into n + 1 shares and the numerator and denominator of each
share are less than Bl. Hx then sends one share to each host.
After each addition or multiplication operation, all the hosts check their shares to see if there is a need
for fraction simplification and broadcast their decision. If at least one host requires fraction simplification,
then a host Hx is randomly chosen to coordinate the effort. For host Hi other than Hx, a new fraction
number nui / dei is chosen as Hi’s temporary share with the requirement that both nui and dei are less than
Bl. Hi multiplies dei / nui with its share, and sends the result to Hx. After Hx finishes its computation, it
14
sends a new share dsi / dti back to Hi, where both dsi and dti are less than Bl. Hi then integrates the new
factor into its own share. The code for Hi (ix) is given in the following:
if fraction simplification is necessary then
choose nui and dei s.t. nui < Bl and dei < Bl,
send ( si / nui) / ( ti / dei) to Hx for fraction simplification ;
wait for share dsi / dti from Hx;
compute new si = dsi  nui;
compute new ti = dti  dei;
endif;
Hx collects all the factors sent from other hosts, multiplies them together with its own shares, and then
decomposes the result it gets into n+1 shares where all the numbers in each share is less than Bl. Hx takes
two such shares to derive its new secret share and sends one share to each of the other hosts. The code for
host Hx is as follows:
if fraction simplification is necessary then
r1 = sx; r2 = tx;
while (have not received factor data sent from all other hosts)
wait for factor from other hosts;
if received factor (si/nui)/(ti/dei) from Hi then
r1 = r1  (si / nui); r2 = r2  (ti / dei);
endif
end while
decompose r1 / r2 into ( ds0 / dt0)  ( ds1 / dt1) … ( dsn / dtn) with the requirement that
dsi < Bl and dti < Bl, i = 0, 1,…, n;
for all i  x ,send ( dsi / dti) to Hi ;
compute new sx = dsx  dsn;
compute new tx = dtx  dtn;
endif;
Correctness: Assume that the original secret data is s/t. We need to prove two things. The first is that
after fraction simplification, the shares held by all hosts still correctly represent the original secret data.
Let s i ' and t i ' denote the new shares held by Hi, replacing the original shares si and ti, respectively. After
fraction simplification, we have
 s 't '  
 
 
n 1
i 0
n 1
i
i
i  0 ,i  x
n 1
i  0 ,i  x
n 1
i  0 ,i  x
nui / dei  ds x / dt x   dsn / dt n 
nui / dei  in0 dsi / dti 
nui / dei  in01,i  x si / nui   ti / dei  s x / t x 
15


n 1
i  0 ,i  x
si / ti  s x / t x 
 i 0 si / t i 
n 1
 s/t
Thus, the new shares held by all the hosts still correctly represent the original secret data.
Next we need to prove that on host Hx, after all the factor data have been received, r1/ r2 can be
decomposed into ( ds0 / dt0)*( ds1 / dt1) * … * ( dsn / dtn) where dsi < Bl and dti < Bl, i = 0,1,…,n. We have

 
 
r1 / r2 
n 1
i  0 ,i  x
n 1
i  0 ,i  x
n 1
i  0 ,i  x
si / nui  /ti / d ei  s x / t x 
d ei / nui  in0 si / ti 
d ei / nui  s / t 
From the code for fraction simplification, we know that all the dei and nui are less than Bl. Also, we know
that the original s and t satisfy s < Bl and t < Bl, so

n 1
i  0 ,i  x
d ei  s < Bl
n+1
and

n 1
i  0 ,i  x
nui  t < Bl
n+1
.
Thus, there is at least one way to decompose r1 / r2 in into multiplication of n+1 fraction numbers whose
denominators and numerator are all less than Bl.
Secrecy: As we discussed above, no secret data contains prime factor that is larger than Bl. So no one
can tell whether the factors sent to and received from Hx are really a factor of the secret data. Also, host
Hx have no way of knowing the factor of the secret data since host Hi, i  x , have flexibility in choosing
nui and dei. It can choose nui to be a factor of si or a random number that is less than Bl, and similarly for dei.
When Hx performs the decomposition, it has no way to decide whether any factor is part of the secret data.
And no host can learn from its share any factor of the secret data because it doesn’t know whether a factor
of its share is a factor of the secret data or just generated during decomposition to protect the secret data
from being cracked.
16
3.7
Algorithm Patches
We have presented our algorithms for complete secure computation based on non-linear secret
sharing. It has relatively good performance and low communication cost (see Section 3.8). However,
there are some special cases that need to be considered.
The algorithm for the test statement ( if ( d > 0) ) has the problem of revealing the sign of d. This may
not be avoidable no matter what secret sharing scheme or computation algorithm is used since all hosts
need to know the results to determine which path to go to. But the transformer can help to hide the sign of
d by modifying the program. Instead of testing if (d > 0), the program can be transformed to test if (d + d’
+ d” > 0) and let d’ = – d”. When d’ and d” are secret shared, the transformer ensures that the shares for
them on the same host would seem to have no relationship. Since each individual node does not know the
relation between d’ and d”, hence it cannot be inferred whether d > 0.
For any d = 0, at least one node, say Hz, should hold the share 0, and d is fully revealed to Hz. Similar
to the above case, a programming technique can be used to hide d’s value. Instead of having d in the
program, we always have d + d’. Whenever a computation needs to be performed on d, we first add d” to
d + d’, where d’ = – d”.
Another case is that currently in our approach, it is required that d ' 0 when computing d + d’;
otherwise, there will be “divide by zero” errors. The solution is to place a test statement before every
addition. If d’ = 0, everyone just keep his share of d as the result of the computation. Code obfuscation
techniques as discussed above can be used by the transformer to prevent these from being identified by
the hosts.
4
Performance Comparisons
Here, we analyze the performance of our algorithm. The multiplication and division operations are all
performed at the local hosts and no communication is involved. The addition operation is more complex.
For the computation of  i 

n 1
j 0
 j ,i  d j / d 'j , we consider the second approach which minimizes the
17
number of messages required, i.e., it requires 2n – 1 messages. The computation time is insignificant and

is omitted. For the computation of   1 

n 1
d
i 0
i

/ d i '  , all hosts other than Hx sends a message to Hx.

The rest are simple local computation at each host. Thus, it requires a total of n – 1 messages. Together,
the total number of messages is 3n – 2. For the test operation, n – 1 messages are required. Similarly, the
factor simplification operation requires n – 1 messages.
The following table compares the performance of Abadi’s secure circuit evaluation, Gennaro’s secure
multiparty computation, and our algorithm. Since the computation time in these algorithms is very
insignificant compared to the communication cost, we only consider the number of messages needed in
each algorithm. For the Gennaro’s secure multiparty computation, we consider the same circular approach
as discussed for our algorithm, which reduces the number of messages to 2n – 1.
addition
# messages
# messages
with client
among servers
multiplication
# messages
# messages
with client
among servers
computation
power
Abadi’s
Approach
O(nb)
0
O(nb log log nb)
0
full power
Gennaro’s
Approach
0
0
0
O(n)
do not support
test and division
operations
Our
Approach
0
O(n)
0
0
full power
Here nb is the number of bits of the secret data and n is the number of agent hosts. We can see that the
performance of our algorithm is similar to that of Gennaro’s approach, but our approach supports fullpower secure computation while Gennaro’s approach doesn’t support the test and division operations. In
Abadi’s approach, it is necessary to communicate with the client for each “and” operation. To complete a
multiplication operation, O(nb log log nb) messages are required between the host and the client. Generally,
the number of agents would be relatively small and, hence, n < nb. Also, it is expected that the
communication cost among two hosts is much less than the communication cost between the client and
the host. So, our approach has better performance than Abadi’s approach.
18
5
Summary and Future Research
In this paper, we have presented a novel secure agent computation approach which protects the
privacy of agents during their computation on a remote host. The significance of this work is that our
secure agent computation approach provides full computation power. Other similar approaches do not
consider the testing operation that is required in any general-purpose computation and, hence, cannot be
used for general-purpose systems. Also, we have shown that our algorithm is efficient relative to existing
ones.
Our future research includes two directions. First, we will investigate other potential solutions that do
not require preset secret values (used for addition operations). Also, we are investigating the enhancement
methods to embed redundancy in the secret sharing scheme such that partial failures can be tolerated and
the secret sharing scheme can satisfy Verifiable Secret Sharing.
References
[1] M. Abadi and J. Feigenbaum, “Secure circuit evaluation: a protocol based on hiding information
from an oracle,” Journal of Cryptology, May 1990, pp. 1-12.
[2] http://www.trl.ibm.co.jp/aglets
[3] http://www.cs.umn.edu/Ajanta
[4] G.R. Blakley, “Safeguarding cryptographic keys,” Proc. AFIPS 1979 National Computer Conf., Vol.
48, Arlington, VA, June 1979, pp. 313-317.
[5] R. Canetti, U. Feige, O. Goldreich, and M. Naor, “Adaptively secure multi-party computation,”
ACM Symposium on the Theory of computing, 1996, pp. 639-648.
[6] D. Chaum, C. Crepeau, and I. Damgard, “Multiparty unconditionally secure protocols,” Proc. 20th
Annual ACM Symposium on Theory of Computing, 1988, pp. 11-19.
[7] R. Cramer, I. Damgard, S. Dziembowski, M. Hirt, and T. Rabin, “Efficient multiparty computations
secure against an adaptive adversary,” Proc. EUROCRYPT, 1999, pp. 311-326.
[8] R. Cramer, I.B. Damgard, and U. Maurer, “General secure multi-party computation from any linear
secret sharing scheme,” Proc. EUROCRYPT, 2000, pp. 316-334.
[9] R. Cramer, “Introduction to Secure Computation”, In Lectures on Data Security - Modern
Cryptology in Theory and Practice, Ivan Damgaard (Ed.), Springer LNCS Tutorial, vol.1561, March
1999, pp. 16-62., January 2000.
19
[10] M. D. Davis, R. Sigal, E. J. Weyuker, “Computability, Complexity, and Languages: Fundamentals of
Theoretical Computer Science” (2nd edition), pp17-18, Academic Press, 1994.
[11] P. Gemmell, “An introduction to threshold cryptography”, in CryptoBytes, a technical newsletter of
RSA laboratories, Vol.2, No. 7, 1997.
[12] Rosario Gennaro, Michael O. Rabin, Tal Rabin, “Simplified VSS and Fast-Track Multiparty
Computations with Applications to Threshold Cryptography”, Proceedings of ACM PODC’98.
[13] R. Gennaro, S. Janecki, H. Krawczyk, T. Rabin, “Secure Distributed Key Generation for DiscreteLog Based Cryptosystems”, Advances in Cryptology – Eurocrypt ’99, Springer-Verlag LNCS 152,
pp. 295-310, 1999
[14] R.S. Gray, “Agent Tcl: A Flexible and Secure Mobile-Agent System,” doctoral Dissertation, CS
Dept., Dartmouth College, Hanover, N.H., 1997.
[15] F. Hohl, “ Time Limited Blackbox Security: Protecting Mobile Agents From Malicious Hosts”, in:
Giovanni Vigna (Ed.): Mobile Agents and Security. pp 92-113. Springer-Verlag, 1998.
[16] Yaron Minsky, Robert van Renesse, Fred B. Schneider, Scott D. Stoller, “Cryptographic Support for
Fault-Tolerant Distributed Computing”.
[17] T. Rabin and M. Ben-Or, “Verifiable secret sharing and multiparty protocols with honest majority,”
Proc. 21th ACM Symposium on Theory of Computing, 1989, pp. 73-85.
[18] A. Shamir, “How to share a secret,” Communication of the ACM, Vol. 22, 1979, pp. 612-61.
[19] http://www.netscape.com/eng/ssl3/
[20] N. Suri, et al. “NOMADS: Toward a strong and safe mobile agent system”. In: Proceedings of the
fourth international conference on Autonomous agents June 2000.
[21] U. Wilhelm, “A Technical Approach to Privacy based on Mobile Agents Protected by Tamperresistant Hardware”, PhD Theses Nr. 1961. Departement D'Informatique, Ecole Polytechnique
Federale de Lausanne, 1999.
[22] A.C. Yao. “Protocols for secure computations,” Proc. 23rd Annual IEEE Symposium on Foundations
of Computer Science, 1982, pp. 160-164.
20