Skip to main content

Efficient private multi-party computations of trust in the presence of curious and malicious users


Schemes for multi-party trust computation are presented. The schemes do not make use of a Trusted Authority. The schemes are more ein a completely distributed manner, where each user calculates its trust value privately and independently. Given a community C and its members (users) U1,…,U n , we present computationally secure schemes for trust computation. The first scheme, Accumulated Protocol AP computes the average trust attributed to a specific user, U t following a trust evaluation request initiated by a user U n . The exact trust values of each queried user are not disclosed to U n . The next scheme, Weighted Accumulated Protocol WAP generates the average weighted trust in a specific user U t taking into consideration the unrevealed trust that U n has in each user participating in the trust evaluation process. The Public Key Encryption Protocol PKEP outputs a set of the exact trust values given by the users without linking the user that contributed a specific trust value to the trust this user contributed. The obtained vector of trust values assists in removing outliers. Given the set of trust values, the outliers that provide extremely low or high trust values can be removed from the trust evaluation process. We extend our schemes to the case when the initiator, U n , can be compromised by the adversary, and we introduce the Multiple Private Keys and the Weighted protocols (MPKP and MPWP) for computing average unweighted and weighted trust, respectively. Moreover, the Csed Protocol (CEBP) extends the PKEBP in this case. The computation of all our algorithms requires the transmission of O(n) (possibly large) messages.

Our contribution

The purpose of this paper is to introduce new schemes for decentralized reputation systems. These schemes do not make use of a Trusted Authority to compute the trust in a particular user that is attributed by a community of users. Our objective is to compute trust while preserving user privacy.

We present new efficient schemes for calculating the trust in a specific user by a group of community members upon the request of an initiator. The trust computation is provided in a completely distributed manner, where each user calculates its trust value privately. The user privacy is preserved in a computationally secure manner. The notions of privacy and privately computed trust, are determined in the sense that given an output average trust in a certain user, it is computationally infeasible to reveal the exact trust values in this user, given by community users. We assume a community of users C={U1, U2,…,U n }. Let U n be an initiator. The goal of U n is to get an assessment of the trust in a certain user, U t by a group consisting of U1, U2,…,Un−1 users from C. The AP calculates the average trust (or the sum of trust levels) in the user U t (Section ‘Accumulated protocol AP’). The AP protocol is based on a computationally secure homomorphic cryptosystem, e.g., the Paillier cryptosystem [1], which provides a homomorphic encryption of the secure trust levels T1,…,Tn−1 calculated by each user U1, U2,…,Un−1 from C. The AP satisfies the features of the Additive Reputation System [2] and does not take into consideration U n s subjective trust values in the queried users U1, U2,…,Un−1. A decentralized reputation system is defined as additive/non additive [2] if feedback collection, combination, and propagation are implemented in a decentralized way, and if a combination of feedbacks provided by agents is calculated in an additive/non additive manner, respectively. The WAP carries out a non additive trust computation (Section ‘Weighted accumulated protocol WAP’). It outputs the weighted average trust which is based on the trust given by the initiator U n in each C member participating in the feedback. The WAP is an enhanced version of the AP protocol. The AP and WAP protocols cope with a curious adversary and are restricted to the case of an uncompromised initiator, U n . The MPKP and MPWP protocols, introduced in Section ‘Multiple Private Keys Protocol MPKP’, use additional communication to relax the condition that the initiator U n is uncompromised and provide average unweighted and weighted privately computed trust, respectively.

Compared with the recent results in [2] and [3], our schemes have several advantages.

The Private Trust scheme is resistant against either curious or semi-malicious users

The AP and WAP protocols preserve user privacy in a computationally secure manner. Our protocols cope with any number of curious but honest adversarial users. Moreover, the PKEBP (Section ‘Protocols for removal of outliers’) is resistant against semi-malicious users that return false trust values. The PKEBP supports the removal of outliers. The general case, when the initiator, U n , can be compromised by the adversary, is addressed by the MPKP, MPWP and CEBP (Sections ‘Protocols for removal of outliers’ and ‘Multiple Private Keys Protocol MPKP’) protocols. Unlike our model, [2] suggests protocols that are resistant against curious agents who only try to collude in order to reveal private trust information. Moreover, the reputation computation in some of the algorithms in [3] contains a random parameter that reveals information about the reputation range of the queried users.

Low communicational overhead

The proposed schemes require only O(n) size messages to be sent, while the protocols of [2] and [3] require O(n3) communication messages.

No limitations on the number of curious users

The computational security of the proposed schemes does not depend on the number of curious users in the community. Moreover, privacy is preserved regardless of the size of the coalition of curious users. Note that the number of the curious users should be no greater than half of the community users in the model presented in [2].

Background and literature review

The use of homomorphic cryptosystems in general Multiparty Computation (MPC) models is presented in [4]. In [4] it is demonstrated that, given keys for any sufficiently efficient homomorphic cryptosystem, general MPC protocols for n players can be devised such that they are secure against an active adversary who corrupts any minority group of the players. The problem stated and solved in [4] is as follows: given the encryptions of two numbers, say a and b (where each player knows only its input), compute securely an encryption of c=a b. The correctness of the result is verified. The total number of bits sent is O(n k C), where k is a security parameter and C is the size of a Boolean circuit computing the function that should be securely evaluated. An earlier scheme proposed in [5] with the same complexity was only secure for passive adversaries. Earlier protocols had complexity that was at least quadratic in n. Threshold homomorphic encryption is used to achieve the linear communication complexity in [4]. The schemes proposed in [4, 6], and [7] are based on public key infrastructure and use Zero Knowledge proofs (ZKP) as building blocks. When compared to [4, 6], and [7] our schemes privately compute the average unweighted (additive) and weighted (non additive) characteristics, respectively, without using relatively hard-to-implement techniques such as ZKP.

Independently, (though slightly later than [8, 9]), linear communication MPC was presented in [10]. A perfectly secure MPC protocol with linear communication complexity was proposed in [11]. Our model presented herein, (with a semi-honest but curious adversary) copes with at most n 2 1 compromised users that supply arbitrary trust values, while [11] copes (in an information theoretic manner) with up to n 3 compromised users (even totally malicious users) with a similar communication overhead, O(n3·l n3). Here, l denotes the total message length.

Following [8, 9], privacy preserving protocols were investigated in [12] and [13]. Protocols for efficient multi-party sum computation (in the semi-honest adversarial model) are proposed in [12] and [13]. The derived protocols are augmented (by applying Zero Knowledge Proofs of plaintext equality and set membership) to handle malicious adversary. The simulation results demonstrate the efficiency of the designed methods. Compared with our results, the most powerful and efficient StR protocol of [12] and [13] is based on a completely connected network topology where each network user is directly connected to all other users. In addition, the schemes of [12] and [13] can be applied in the Additive Reputation Systems, while our schemes are designed also for the Non-Additive Reputation System.

Homomorphic ElGamal encryption is used in [6] as part of a scheme for multi-party private web search with untrusted partners (users). The scheme is based on multi-party computation that protects the privacy of the users with regards to the web search engine and any number of dishonest internal users. The number of sent messages is linear in the number of users (each of the n users sends 4n−4 messages). In order to obtain a secure permutation (of N elements), switches of the Optimized Arbitrary Size Benes network (OAS-Benes) are distributed among a group of n users, and the honest users control at least a large function S(N) of the switches of the OAS-Benes. The proposed MPC protocol is based on the homomorphic threshold n-out of-n ElGamal encryption. Nevertheless, unlike our model, a MPC protocol is based on the computationally expensive honest-verifier ZKP protocol, and the Benez permutation network.

The efficient scheme for the secure two-party computation for “asymmetric settings” in which one of the devices (smart card, mobile device, etc.) is strictly computationally weaker than the other, is introduced in [7]. The workload for one of the parties is minimized in the presented scheme. The proposed protocol satisfies one-round complexity (i.e., a single message is sent in each direction assuming trusted setup).The proposed protocol performs only two-party secure computations, while the number of participants is not bounded in our schemes. Moreover, computationally expensive, Non Interactive Zero-Knowledge Proof techniques, and “extractable hash functions” are used in the scheme of [7].

A number of systematic approaches and corresponding architectures for creating reliable trust and reputation systems have been recently proposed in [1418]. The main scope of these papers is the definitions of variety of settings for decentralized trust and reputation systems. A probabilistic approach for constructing computational models of trust and reputation, is presented in [17], where trust and reputation are studied in the scope of various social and scientific disciplines.

The computation models for the reputation systems of [16] support user anonymity by generating a pseudonym for any user, therefore, concealing user identity. In contrast to [16], the main challenge of our approach is to preserve the user anonymity in the computation process of the trust.

One of the common problems stated and discussed in [18] is that most existing reputation systems lack the ability to differentiate dishonest from honest feedback and, therefore, are vulnerable to malicious cooperations of users (peers in P2P systems) who provide dishonest feedback. The dishonest feedback is effectively filtered out in [18] by introducing the factor of feedback similarity between a user (pair) in the collusive group, and a user (peer) outside the group. We propose a different approach for the removal of dishonest users (outliers) by estimating the range of the correct trust values [19].

Two other works that are related to our scheme appear in [2] and [3]. In [2] several privacy and anonymity preserving protocols are suggested for an Additive Reputation System.

The authors state that supporting perfect privacy in decentralized reputation systems is impossible. Nevertheless, they present alternative probabilistic schemes for preserving privacy. A probabilistic “witness selection” method is proposed in [2] in order to reduce the risk of selecting dishonest witnesses. Two schemes are proposed. The first scheme is very efficient in terms of communication overhead, but this scheme is vulnerable to collusion of even two witnesses. The second scheme is more resistant toward curious users, but still is vulnerable to collusion. It is based on a secret splitting scheme. This scheme provides a secure protocol based on the verifiable secret sharing scheme [20] derived from Shamir’s secret sharing scheme [21]. The number of dishonest users is heavily restricted and must be no more than n 2 , where n is the number of contributing users. The communication overhead of this scheme is rather high and requires O(n3) messages.

An enhanced model for reputation computation that extends the results of [2] is introduced in [3]. The main enhancement of [2] is that a non additive (weighted) trust and reputation can be computed privately. Three algorithms for computing non additive reputation are proposed in [3]. The algorithms have various degrees of privacy and different levels of protection against adversarial users. These schemes are computationally secure regardless of the number of dishonest users.

The paper [22] (published later than [8, 9]), proposes the distributed Malicious-k-shares protocol, which extends the results of [2] and [3] in the sense that a high majority of users (agents) can find k, k<<n sufficiently trustworthy agents in a set of n−1 users-feedback providers. This protocol is based on homomorphic encryption and Non-Interactive Zero-Knowledge proofs. The Malicious k-shares protocol is applicable in the Additive Reputation System only, while our schemes privately compute also the weighted trust. The techniques, used for removal of outliers, is based on Non-Zero Knowledge Proofs of set-membership and plain-text equality, while the proof preserves that a certain share lies in the correct interval. The proposed protocol requires the exchange of O(n+ log N) messages (where n and N are the number of users in the protocol and environment, respectively), while we use a more computationally effective techniques for removal of outliers exchanging only O(n) messages.

We propose new efficient trust computation schemes that can replace any of the above schemes. Our schemes enable the initiator to compute unweighted (additive) and weighted (non additive) trust with low communication complexity of O(n) (large) messages.

Table 1 summarizes the approaches proposed in this paper, computations that they perform, resistance to the different types of attacks and the crypto building blocks that are used.

Table 1 Summary of the Presented Approaches

This paper extends the schemes of [9] by introducing the MPKP and MPWP protocols that compute average unweighted and weighted trust in the general case, even when the initiator U n can be compromised by the adversary. The proofs of correctness of the proposed protocols extend the presentations of [9] and [8].

Paper organization

The formal system description appears in Section ‘Research design and methodology’. The computationally resistant (against curious but honest adversary) private trust protocol, AP, is introduced in Section ‘Results and discussion’ (Subsection “Accumulated protocol AP”). The enhanced version of AP, WAP, is presented in Section ‘Results and discussion’ (Subsection “Weighted accumulated protocol WAP”). The (resistant against semi-malicious users) PKEBP and CEBP and the scheme for removing outliers are presented in Section ‘Results and discussion’ (Subsection “Protocols for removal of outliers”). The generalized MPKP protocol and the weighted MPWP protocol are introduced in Section ‘Results and discussion’ (Subsection “Multiple Private Keys Protocol MPKP”). Conclusions appear in Section ‘Conclusions’.

Research design and methodology

The purpose of this paper is to generate new schemes for private trust computation within a community. The contribution of our work is as follows: (a) the trust computation is performed in a completely distributed manner without involving a Trusted Authority. (b) the trust in a particular user within the community is computed privately. The privacy of trust values, held by the community users is preserved subject to standard cryptographic assumptions, when the adversary is computationally bounded. (c) The proposed protocols are resistant to a curious but honest poly-bounded k-listening adversary, Ad[23]. Such an adversary Ad may do the following: Ad may trace all the network links in the system and Ad may compromise up to k users, k< n. We require that an adversary Ad, compromising an intermediate node can only learn the node’s trust values and an adversary Ad, compromising the initiator U n can learn the output of the protocol, namely the average trust. We distinguish between two categories of adversaries: honest but curious adversaries, and semi-malicious adversaries [2]. An honest but curious k-listening adversary follows the protocol by providing correct input. Nevertheless, it might try to learn trust values in different ways, including collusion with, at most, k compromised users. While an honest but curious adversary does not try to modify the correct output of the protocol, a semi-malicious adversary may provide dishonest input in order to bias the average trust value.

Let C=U1,…,U n be a community of users such that each pair of users is connected via an authenticated channel. Assume that the purpose of a user U n from C is to get the unweighted T t avr or weighted average trust wT t avr in a specific user, U t , evaluated by the community of users. Denote by Ti, i=1.. n, the trust of user U i in U t , and by T t avr = i = 1 n T i n and wT t avr =1/10 i = 1 n w i T i the unweighted and weighted average trust in U t , respectively. Here w i =1,2,…,10 is the subjective trust of the initiator U n in U i in the form of an integer that facilitates our secure computation. In the subsequent work we always assume that w i is an integer in this range. Denote by M t the message sent by U n to the first member of the community, C.

Our definitions of computational indistinguishability, simulation and private computation follow the definitions of [24]. Informally speaking, two probability ensembles are computationally indistinguishable if no polynomial time, probabilistic algorithm can decide with non-negligible probability if a given input is drawn from the first or the second ensemble. A distributed protocol computes a function f privately if an adversary cannot obtain any information on the input and output of other parties, beyond what is implicit in the adversary’s own input and output. The way to prove that a protocol is private is to show that there exists a polynomial time, probabilistic simulator that receives as input the same input and output as an adversary and generates a string that is computationally indistinguishable from the whole view of the adversary, including every message that the adversary received in the protocol. Intuitively, the existence of a simulator implies that the adversary learns nothing from the execution of the protocol except its input and output.


The main tool we use in our schemes is public-key, homomorphic encryption. In such an encryption scheme there is a modulus, M, and an efficiently computable function ϕ that maps a pair of encrypted values (E K (x),E K (y)), where 0≤x,y<M, to a single encrypted element ϕ(E K (x),E K (y))=E K (x+y mod M). In many homomorphic encryption systems the function ϕ is multiplication modulo some integer N. Given a natural number, c, and an encryption, E K (x), it is possible to compute E K (c·x mod M), without knowing the private key. Set β=E K (1) and let the binary representation of c be c=c k ck−1c0. Go over the bits c k ,…,c0 in descending order. If c j =0, set β=ϕ(β,β) and if c j =1, set β=ϕ(ϕ(β,β),E K (x)). If ϕ is modular multiplication, this algorithm is identical to standard modular exponentiation.

There are quite a few examples of homomorphic encryption schemes known in the cryptographic literature, including [1, 2528]. There are also systems that allow both addition and multiplication of two encrypted plaintexts, e.g., [29] where only a single multiplication is possible for a pair of ciphertexts, and [30]. All of these examples of homomorphic cryptosystems are currently assumed to be semantically secure [26].

Results and discussion

Accumulated protocol AP

The AP protocol may be based on any homomorphic encryption scheme such that the modulus N satisfies N> i = 1 n T i . We illustrate the protocol by using the semantically secure Paillier cryptosystem [1]. This cryptosystem possesses a homomorphic property and is based on the Decisional Composite Residuosity assumption. Let p and q be large prime numbers, and N=p q. Let g be some element of Z N 2 . Note that the base, g, should be chosen properly by checking whether g c d(L(gλm o d N2),N)=1, where λ=l c m(p−1,q−1), and the L function is defined as L(u)= u 1 N . The public key is the (N,g) pair, while the (p,q) pair is the secret private key. The ciphertext, c, for the plaintext message m<N is generated by the sender as c=gmrN mod N2, where r<N is a randomly chosen number. The decryption is performed as m= L ( c λ mod N 2 ) L ( g λ mod N 2 ) modN at the destination. Our schemes are based on the homomorphic property of the Paillier cryptosystem. Namely, the multiplication of two encrypted plaintexts m1 and m2 is decrypted as the sum m1+m2 mod N of the plaintexts. Thus, E(m1E(m2)≡E(m1+m2 mod m) mod N2 and E ( m 1 ) m 2 E( m 1 · m 2 modN)mod N 2 . The AP protocol is described in Algorithm 1.

Assume that the initiator, U n , has generated a pair of its public and private keys as described above, and it has shared its public key with each community user. Then, U n initializes to 1 the single entry trust message M t and sends it to the first U1 user (lines 1–3). Upon receiving the message, M t , each node, U i , encrypts its trust in U t as E( T i )= g T i r i N mod N 2 . Here, T i is a secret U i s trust level in U t and r i is a randomly generated number. The U i s output is accumulated in the accumulated variable A multiplying its current value by the new encrypted U i t h trust E(T i ) from the it h entry as A=A·(E(T i )). Then U i sends the updated M t message to the next user, Ui+1. This procedure is repeated until all trust values are accumulated in A (lines 4–9). The final M t message received by the initiator, U n is M t =A= i = 1 n E( T i )mod N 2 . As a result, the U n user decrypts the value accumulated in the M message as the sum of trusts S t =D( M t )= i = 1 n T i . Thus, the average trust is T t avr = S t n 1 (Algorithm 1, lines 10–12). Proposition 1 proves that AP is a computationally private protocol to compute the trust of a community in U t .

Proposition 1

Assume that an honest but curious adversary corrupts at most k users out of a community of n users, k<n. Then, AP privately computes Tavr, the average trust in user U t .


In order to prove the proposition, we have to prove that for every adversary there exists a simulator that given only the adversary’s input and output, generates a string that is computationally indistinguishable from the adversary’s view in AP. Let I={ U i 1 , U i 2 ,, U i k } denote the set of users that the adversary controls. Let view I AP ( X I , 1 n ) denote the combined view of all users in I. view I AP includes the input, X I ={ T i 1 ,, T i k }, of all users in I, and a sequence of messages E( j = 1 i 1 T j ),,E( j = 1 i k T j ) received by users in I. A simulator cannot generate the exact sequence E( j = 1 i 1 T j ),,E( j = 1 i k T j ), since it does not have the input of uncorrupted users. Instead, the simulator chooses a random value α j for any user U j I, from the distribution of trust values, D. The simulator denotes α i 1 = T i 1 ,, α i k = T i k and computes E(α j ) for j=1,…,n−1. The simulator now computes: j = 1 i 1 E( α j )E( j = 1 i 1 α j )mod N 2 ,, j = 1 i k E( α j )E( j = 1 i k α j )mod N 2 . Hence, a simulator replaces E( j = 1 i k T j ) by E( j = 1 i k α j ).

Assume, in contradiction, that there exists an algorithm DIS that distinguishes between the encryption of partial sums E( j = 1 i 1 T j ),E( j = 1 i k T j ) of the correct trust values and the values E( j = 1 i 1 α j ),E( j = 1 i k α j ) randomly produced by a simulator. We construct an algorithm, B, that distinguishes between the two sequences E(T1), E(Tn−1) and E(α1),,E(α k ), contradicting the semantic security property of E. The input to algorithm B is a sequence of values E(x1), E(xn−1) and it attempts to determine whether the values x1,…,xn−1 are equal to the values T1,…,Tn−1 that the users provide, or is a sequence of random values chosen from the distribution D. The algorithm B computes for every =1,…,k

j = 1 i E ( x j ) E j = 1 i x j mod N 2 ,

and provides the encryption of partial sums E( j = 1 i 1 x j ),E( j = 1 i k x j ) as input to DIS. B returns as output the same output as DIS. Since the input of DIS is E( j = 1 i 1 T j ),E( j = 1 i k T j ) if and only if the input of B is E(T1),…E(Tn−1), we find that B distinguishes between its two possible input distributions with the same probability that DIS distinguishes between its input distributions. □

AP uses O(n) messages each of length O(n).

Weighted accumulated protocol WAP

The Weighted Accumulated WAP protocol, in addition to the AP protocol, generates the weighted average trust in a specific user, U t , by the users in the community. The WAP protocol is based on an anonymous communications protocol proposed in [31] and on the homomorphic cryptosystem, e.g., Paillier cryptosystem [1]. It is described in Algorithm 2.

The initiator, U n , generates n−1 weights w1,…,wn−1. Each w i value reflects the U n s subjective trust level in user U i . U n initializes the accumulated variable, A, to 1, encrypts each w i value by means of, e.g., the Paillier cryptosystem [1] as E( w i )= g w i h r n , i (mod N 2 ), composes a Trust Vector T V= [ E(w1).. E(wn−1)] and sends the message M t =(T V,A) to U1. Here, as in the AP case, p, q are large prime numbers which compose the Paillier cryptosystem, N=(p−1)(q−1), and g and h are properly chosen parameters of the Paillier cryptosystem. rn,i is a random degree of h chosen by U n for each U i from C. Note that the AP protocol is a private case of the WAP protocol where all weights w i are equal to 1.

As in the AP case, the M t message is received by the community users in the prescribed order. Each U i user encrypts its weighted trust in U t as E( T i )=E ( w i ) T i E( 0 ¯ ) and accumulates it in the accumulated variable A (lines 6–10). Note that multiplying by the random encryption of zero E( 0 ¯ ) ensures semantic security of the WAP protocol since the user’s output cannot be distinguished from a simulated random string. As a result, the initiator, U n , receives the M t message and decrypts the value accumulated in A as the weighted sum of trust S t =D(A)= i = 1 n 1 w i T i . Therefore, the average trust is equal to wT t avr =1/10 i = 1 n w i T i . Proposition 2 proves the privacy of the weighted average trust wT t avr in the U t user by the community users in a computationally secure manner.

Proposition 2

Assume that an honest but curious adversary corrupts at most k users out of a community of n users, k<n. Then, WAP privately computes w Tavr, the average weighted trust in user U t .


The proof is similar to the proof of Proposition 1. View of adversary includes the input of compromised users T i 1 ,, T i k , trust vector TV, and the accumulated variable, A. Each compromised user U i j from I receives TV=[E( w i j ),E( w i j + 1 ),E( w n )] and A= i = 1 i j E ( w i ) T i E( 0 ¯ ).

A simulator for the adversary simulates view I WAP as follows. The simulator input T i 1 ,, T i k is the same as the input of the compromised users. A simulator chooses at random v1,…,v n according to a distribution, W, of weights, and T 1 ~ ,, T n ~ according to a distribution, D, of trust values. Here T i 1 ~ = T i 1 ,, T i k ~ = T i k . Due to the semantic security of the homomorphic cryptosystem, the encrypted random values E(v1),…,E(v n ) are indistinguishable from the encrypted correct weights E( w i 1 ),,E( w i n ).

The randomization of any U i t h user output is performed by multiplying its secret w i T i by the random encryption of a zero string E( 0 ¯ ). Given E(w), the two values E(w)T and E(u), where u is chosen at random from the distribution of wT, can be distinguished since T is chosen from a small domain of trust values. Given E(w), the values E ( w ) T E( 0 ¯ ) are distributed identically to an encryption E(w)T=E(w T mod N). Based on the semantic security of the homomorphic cryptosystem, E(u) and E(w T) cannot be distinguished even given E(w). □

WAP uses O(n) messages each of length O(n).

Protocols for removal of outliers

The protocols for outliers removal are introduced in this section. The Public Key Encryption Based Protocol PKEBP produces a vector of the exact trust values. As a result, the initiator, U n , can evaluate the correct trust range by removing the outliers that provide extremely high or low trust feedback. PKEBP preserves user privacy in a case where the adversary cannot corrupt the initiator and several users at the same time.

The generalized Commutative Encryption Based Protocol (C E B P) relaxes this limitation and privately computes the exact trust values contributed by each community user, even in the case when an adversary can corrupt the initiator and several users at the same time.

Public Key Encryption Based Protocol PKEBP

Denote the encryption algorithm used in this scheme by E and the decryption algorithm by D. U n generates a pair (k,s) of public-private keys. Then U n publishes its decryption public key k, while the private decryption key s is kept secret.

The Public Key Encryption Based Protocol PKEBP is performed in two rounds (Algorithm 3, Figure 1). At the initialization stage U n initializes the n−1-entry vector T V[ 1.. n−1] and sends it to the community of users in the prescribed order in the M t =(T V[ 1.. n−1]) message (Algorithm 3, lines 1–2 and Figure 1, Round 1).

Figure 1

Public Key Encryption Based Protocol PKEBP .

In the first round, on reception of M t each user, U i , encrypts its trust, T i , by k in the corresponding T V[ i]s entry as E(T i ), and sends the updated message M t to the next user (Algorithm 3, lines 3–7).

The second round of the PKEBP protocol is performed when the updated T V[ 1.. n−1] vector returns from Un−1 to the user U1 (see Algorithm 3, lines 8–11 and Figure 1, Round 2). Note that the TV vector does not visit the initiator U n after execution of the first round. Each user, U i , performs a random permutation of its it h entry with a randomly chosen i j t h entry during the second round. After that, the newly updated M t vector-message is sent to the next Ui+1 user (Algorithm 3, lines 8–11).

The result of round 1 is a sequence of encrypted elements (E(T1),…,E(Tn−1)) while the result of round 2 is a sequence TV[1..n1]=(E( T 1 ),,E( T n 1 )). The multi-set T1, …,Tn−1 is identical to the multi-set T 1 ,, T n 1 . The sequence T1,…,Tn−1 is permuted to T 1 ,, T n 1 by a permutation π, which is computed in a distributed manner by all community members (Algorithm 3, line 10). Thus, by applying the decryption procedure, all encrypted trust values T1,…,Tn−1 are revealed (Algorithm 3, lines 12–13). Moreover, the random permutation π performed at the second round preserves the unlinkability of user identities.

Proposition 3 proves the privacy of the PKEBP protocol.

Proposition 3

PKEBP performs computationally secure computation of exact private trust values assuming that an adversary cannot corrupt the initiator and several users at the same time.

Proof sketch

Case 1: U n I. We argue that PKEBP is private by showing that an adversary that controls a set of compromised users does not learn any information on the trust values of other users. We achieve that by showing a simulator that, given the input of compromised users, can simulate the messages that these users receive as part of the protocol. Therefore, protocol messages do not give users in I any information on users outside of I. Assume that the set I of compromised users includes k members I= U i 1 , , U i k , while the uncompromised users are U i k + 1 ,, U i n . The view of users in I includes the input of compromised users T i 1 ,, T i k and trust vectors TV. Each compromised user U i j from I receives the TV vector with partially permuted entries.

A simulator for the adversary simulates this view as follows. The simulator input is the same as the input of compromised users and it contains the trust values of the compromised users T i 1 ,, T i k and the set of their permuted indexes i j 1 , i j k . The simulator chooses a random value, α i , for any user U I from the distribution D of trust values. The simulator sets α =T and computes E(α j ) for =k+1,…,n. Due to the semantic security of the homomorphic cryptosystem [24, 32], the simulator cannot distinguish between the encryption of the correct trust values and the encryption of simulated random variables, E(α j ), of uncompromised users, U j , chosen from the distribution, D, of trust values.

Case 2: { U n }= I. In this case, the view of U n consists of the TV with the randomly permuted entries. TV includes the sequence of the randomly permuted exact trust values, decrypted by the secret key, s. We prove the privacy of PKEBP by showing a simulator that, given a PKEBP output sequence T i 1 ,, T i n 1 of the exact trust values, can simulate the TV as U n receives it as a part of the protocol. A simulator for the compromised U n simulates this view as follows. The simulator input is the multi-set T1,…,T n of the exact trust values that have been decrypted by U n s public key, s. The simulator chooses a random permutation and permutes the received values. Due to the random permutation, π, performed by each community user, the simulator cannot distinguish between the simulated sequence T j 1 ,, T j n 1 and the correct output of the PKEBP.

As a result, given a multi-set of the exact trust values, U n cannot link these values to the users that contributed them. □

PKEBP uses O(n) messages each of length O(n).

Generating the average trust level in the presence of semi-malicious users is based on the algorithm suggested in [19]. Let us define by U, the multi-set of non corrupted users which provide correct feedback, and by V, the multi-set of all users participating in the trust computation process. According to [19] the following requirement must be satisfied in our model: |VU|≤J and |V|≥2J for a certain J value. Then the range of the correct trust values, r a n g e(U), contains the subset r e d u c eJ(V) of V. Here r e d u c eJ(V) is received from the V multi-set of all (correct and extremely low/high) trust values, by deleting the J smallest and J largest values, respectively.

If an adversary can corrupt the initiator and several users at the same time, a different protocol is required. The generalized Commutative Encryption Based Protocol CEBP is presented in the next subsection.

Commutative Encryption Based Protocol CEBP

The CEBP we propose, uses commutative encryption as a building block. An encryption scheme is commutative if a ciphertext that is encrypted by several keys can be decrypted regardless of the order of decryption keys. Formally, denote the encryption algorithm by E and the decryption algorithm by D. The encryption scheme is commutative if for every plaintext message m and every two keys k1,k2 if c= E k 1 ( E k 2 (m)) then m= D k 1 ( D k 2 (c)) (note that for any encryption scheme m= D k 2 ( D k 1 (c)). One possible candidate for a commutative encryption scheme is the Pohlig-Hellman scheme [33].

The basic idea of CEBP is for each user to encrypt all the trust values and then decrypt and permute them at the same time so that an adversary cannot associate decrypted trust values with the users that published their encryption. The CEBP protocol is executed in three rounds (Algorithm 4). Each round passes sequentially from the first user U n to the last Un−1.

The first round begins with the initiator, U n choosing and publishing a public key. Every other user selects a symmetric key for a commutative encryption scheme. All the users encrypt their trust values both with their keys and with the public key of U n . Encryption with the initiator’s public key prevents an adversary that does not control the initiator, U n , from obtaining the multi-set of trust values. After the first round, for every i=1,…,n−1, the i-th entry in the trust vector, TV, includes the trust value of U i encrypted by both the public key of U n and the symmetric key of U i .

In the second round each user encrypts all entries in TV entries in such a way that at the end of the second round the i-th entry is the trust value of U i encrypted by the keys of U1,U2,…,U n . Finally, in the third round, for every i=1,…,n−1, U i decrypts every entry using its own symmetric key and randomly permutes the entries of TV. At the end of round 3 the trust vector contains all the trust values, encrypted by the public key of U n and permuted. By decrypting all the entries in TV, U n obtains the vector of all trust values.

We use El-Gamal encryption [34] as the initiator’s public key scheme. The symmetric scheme for users U1,…,Un−1 is Pohlig-Hellman. Both the Pohlig-Hellman and the El-Gamal schemes are implemented over the same group, which is defined as follows. Let p be a large prime, such that p−1 has a large prime factor, q. Let g ℤ p be an element of order q in ℤ p . In a Pohlig-Hellman scheme, the key is a pair a,b ℤ p 1 such that a b≡1 mod (p−1). A plaintext m ℤ p is encrypted by cma mod p and a ciphertext is decrypted by mcb mod p. In an El-Gamal scheme, the private key is a{0,…,q−1}, the public key is ga mod p and a plaintext m ℤ p is encrypted by the pair (gb mod p,gab·m mod p). We refer to the two parts of an El-Gamal encryption as two components.

By using Pohlig-Hellman and El-Gamal encryption schemes over the same group we ensure that the security of CEBP can be reduced to the hardness of the Decisional Diffie-Hellman (DDH) problem [35]. The DDH problem is to distinguish between the two ensembles (gx mod p,gy mod p,gz mod p) and (gx mod p,gy mod p,gxy mod p). The hardness assumption of DDH is that no probabilistic, polynomial time algorithm can distinguish between these two probability ensembles with non-negligible probability.

The details of the protocol follow.

The initiator begins round 1 (lines 1–9) by choosing parameters for El-Gamal encryption and distributes its public key g k n modp. Every other user U i (i=1,…,n−1) chooses four random and independent pairs of Pohlig-Hellman keys ( a i 1 , b i 1 ), ( a i 2 , b i 2 ), ( α i 1 , β i 1 ), ( α i 2 , β i 2 ). U i uses the El-Gamal public key to encrypt its trust value, T i . The result is g k i mod p , T i g k i k n mod p , where U i chooses k i randomly in the range 0,…,q−1. U i proceeds to encrypt the El-Gamal encryption of T i with its Pohlig-Hellman keys. Each of the two components of the El-Gamal encryption is encrypted by one distinct Pohlig-Hellman key. The result is

g k i a i 1 mod p , ( T i g k i k n ) a i 2 mod p .

U i completes the round by publishing this value in T V[ i]. We think of T V[ i] as having two components, T V[ i,1] and T V[ i,2]. U i stores g k i a i 1 modp in T V[ i,1] and stores ( T i g k i k n ) a i 2 modp in T V[ i,2].

In round 2, every user, U i , i=1,…,n−1 makes sure that every entry in T V[ ] is encrypted with all four of its Pohlig-Hellman encryption keys (where two of the keys are used to encrypt the left component and two are used to encrypt the right component). Thus, U i encrypts T V[ i] with α i 1 and α i 2 and encrypts T V[ j] for any ji with a i 1 , a i 2 , α i 1 and α i 2 . After the second round the entry T V[ i] holds the value:

g k i · α 1 1 a 1 1 · · α n 1 1 a n 1 1 mod p , ( T i g k i k n ) α 1 2 a 1 2 · · α n 1 2 a n 1 2 mod p .

In round 3, the users both decrypt and permute all the values. Each user decrypts all values using both its pairs of Pohlig-Hellman keys (lines 20–27) and then randomly permutes the resulting vector of values. Due to the commutative property of the scheme, the initiator, U n , holds all the trust values at the end of round 3. However, the random permutation each user applies to the encrypted values in round 3 ensures that even if only a pair of users is not compromised, the decrypted trust values are randomly permuted in relation to their associated users.

Proposition 4

Assume that the DDH problem is hard and assume that an honest but curious adversary corrupts at most k users out of a community of n users, kn. If the trust values of all the users are in the sub-group generated by g, then, CEBP privately computes the set of all trust values of community users.

Proof sketch

If the adversary controls at least n−1 users, including the initiator, then the protocol is trivially private, since the output reveals the exact trust values of every user, and thus any protocol does not add information. If the adversary does not control the initiator then the protocol is private because all trust values are encrypted by the initiator’s public key throughout the protocol. Since the El-Gamal encryption scheme is semantically secure, given the hardness of DDH problem, it is easy to argue privacy.

Therefore, the most interesting case is when kn−2 and the adversary controls the initiator. To prove privacy we define a simulator that is given the adversary’s input and output (which includes the set of trust values) and simulates the adversary’s view of protocol messages.

Each message in our protocol consists of the trust vector TV. Each entry in this vector is a pair of elements in ℤ p . Thus, the whole view of the adversary can be written as e1,…,e m , where e i ℤ p for every i=1,…,m. The value of m is at most O(n2) because the number of elements in TV is 2(n−1) and the adversary receives a message with TV in it at most n−2 times for each of the three rounds.

Note that each element e i is obtained by raising g to a power η i that depends on the input and random coin tosses of each participant. The simulator generates a simulated view f1,…,f m as follows. If η i is determined by the input and coin tosses of the adversary, then the simulator who has access to this input and coin tosses sets f i =e i . However, if η i is generated at least partially by an uncorrupted node then the simulator independently chooses a random element ζ i {0,…,q−1} and sets f i = g ζ i .

To prove that the simulator’s view is computationally indistinguishable from the real-world view, we construct a series of hybrid ensembles H0,…,H m , such that H0 is the real world view e1,…,e m and for every i=1,…,m we define H i =f1,…,f i ,ei+1,…,f m . Essentially, H m is the view of the simulator.

We can show that for every i, if H i can be computationally distinguished from Hi+1 then the DDH assumption is false. Since we assume that DDH is a hard problem we have that H i and Hi+1 are computationally indistinguishable and since m is of polynomial size in n, we have that H0 is indistinguishable from H m , completing the proof. □

The protocol requires O(n) messages, each of length O(n) and the computation complexity for each participant in the scheme is O(n).

Multiple Private Keys Protocol MPKP

The AP and WAP protocols introduced in the previous sections carry out private trust computation assuming that the initiator U n is not compromised and does not share its private key with other users. In the rest of this work assume that any community user, including U n , may be compromised by a poly-bounded k-listening curious adversary.

The generalized Multiple Private Keys Protocol MPKP copes with this problem and outputs the average trust. The idea of the MPKP protocol is as follows. During the initialization stage the U n user initializes all entries of trust vector, TV, and accumulated vector, AV, to 1, sets the accumulated variable A to 1, and sends the M t =(T V,A V,A) message to the first community user U1 as in the previous protocols. During the first round of the MPKP protocol execution each user, U i , randomly fragments its secret trust, T i , to a sum of n−1 shares, encrypts the corresponding share by the public key of each U j , j=1.. n−1 user and accumulates its encrypted shares (multiplying each of them with the corresponding entries) in the accumulated vector, AV. After execution of the first round, the updated AV vector does not return to the initiator U n . The AV vector visits each community user, while each U i opens the it h entry (that is encrypted by U i t h public key) revealing a sum of decrypted shares, encrypts this sum by the public key of the initiator U n , accumulates this sum in the accumulated variable,A, and deletes the it h entry of the AV vector.

A detailed description of the MPKP protocol follows. Assume that each community user, U i , i=1.. n−1 generates its personal pair ( P i + , P i ) of private and public keys. Denote by E i and D i the encryption and decryption algorithms produced by U i . The private key, P i + , is kept secret, while the public key, P i , is shared with all other users U1,…,Ui−1, Ui+1U n . As in the previous schemes, the cryptosystem must be homomorphic. An additional requirement is that the homomorphism modulus, m, must be identical for all users. One possibility is to use the Benaloh cryptosystem [28, 36] for which many different key pairs are possible for every homomorphism modulus. The system works as follows. Select two large primes, p,q, such that: N=p q, m|p−1, gcd(m,(p1)/m)=1 and gcd(m,q1)=1, which implies that m is odd. The density of such primes along appropriate arithmetic sequences is large enough to ensure efficient generation of multiple p,q (see [36] for details). Select y ℤ N such that yϕ(N)/m1 mod N. The public key is (N,y), and encryption of M ℤ m is performed by choosing a random u ℤ m and sending yMum mod N. In order to decrypt, the holder of the secret key computes at a preprocessing stage T M =yMϕ(N)/m mod N for every M ℤ m . It should be noted that m is small enough such that m exponentiations can be performed. Decryption of z is performed by computing zϕ(N)/n mod N and finding the unique T M to which it is equal.

The MPKP is performed in two rounds (Algorithm 5). The initialization procedure is shown in lines 1–4. The first round is the accumulation round, where all users share their secret trust T i values with other users. Upon reception of a message, M t , each user, U i , proceeds as follows: (a) U i chooses r 1 i ,, r n 1 i uniformly at random such that T i = j = 1 n 1 r j i ; (b) U i encrypts each r j i ,j=1..n1 by the public key P j of the U j user and multiplies it by the current value stored in jt h entry of AV. As a result, the output AV vector contains the accumulated product k = 1 n 1 E j ( r j k ) in each jt h entry (lines 5–12).

In the second round, on reception of message M t , each user, U i , decrypts the M t message and decrypts the corresponding it h entry by its private key, P i + , computes the j = 1 n 1 r i j sum, encrypts it by the U ns public key, P n , as E n ( j = 1 n 1 r i j ), accumulates this sum in the accumulated variable, A, deletes the it h entry and sends the updated TV vector to the next Ui+1 user. Note that the partial sum j = 1 n 1 r i j that U i decrypts reveals no information about correct trust values. As a result of the second round the initiator U n receives A= i = 1 n 1 E n ( j = 1 n 1 r i j ) (lines 13–19). U n decrypts j = 1 n 1 E n ( r i j ), and computes the sum of trusts as S t = i = 1 n 1 j = 1 n 1 r i j . Actually, the average trust Tavr is equal to S t n (lines 20–22). Proposition 4 states the privacy of the MPKP protocol. The communication complexity of the MPKP protocol is O(n) messages, each of length O(n).

Proposition 5

MPKP performs computationally secure computation of the exact private trust values in the Additive Reputation System. No restriction is imposed on the initiator U n .

The last introduced protocol is the MPWP for the weighted average trust wT t avr computation. The idea of the MPWP is as follows. During the initialization stage the U n user generates a vector, TV, such that each it h entry contains the U i t h weight w i encrypted by the U n t h public key. U n sends TV and a (n−1)×(n−1) matrix, SM, with all entries initialized to 1 to the first community user, U1, as in the previous protocols. During the first round of the MPWP execution each U i computes its encrypted weight in the power of its secret trust E n ( w i ) T i , multiplies it by a randomly chosen number (bias) z i , and accumulates the product in the accumulated entry (by multiplying the entry by the obtained result). In addition, U i fragments its bias, z i , into n−1 shares, encrypts each jt h share by the public key of U j , and inserts it in the jt h location of it h matrix row. At the end of the first round U n decrypts the total biased weighted trust. The total random bias is removed during the second round of the MPWP execution when each U j decrypts the entries of jt h matrix column, encrypts the sum of these values by the public key of the initiator, accumulates it in an accumulation variable, A, and deletes the jt h column.

The details follow. The initiator, U n , starts the first round by generating the encryption of the n−1 entries trust vector, T V= [ E n (w1).. E n (wn−1)]. Note, that each weight w i is encrypted by the U n t h public key, P n . In addition, U n initializes to 1 each entry of the (n−1)×(n−1) matrix of shares SM. The M t w message sent by U n to the community users is M=(T V,S M). Upon the TV vector reception each U i user proceeds as follows: (a) U i computes E n ( w i ) T i · z i . Here z i is a randomly generated by U i number that provides the secret bias. (b) U i accumulates its encrypted weighted trust in the accumulated variable A by setting A=A· E n ( w i ) T i · z i . After that, the it h entry of TV is deleted. (c) U i shares z i in the it h row of the SM shares matrix as SM[i][]=[ E 1 ( z i 1 ).. E n 1 ( z i n 1 )]. At the end of the first round U n receives the T V[ ] entry that is equal to the biased product BT= j = 1 n E n ( w i ) T i z i , encrypted by its public key, and the updated shares matrix SM while SM[i][j]= E j ( z i j ). Actually, the decryption procedure applied on the T V[] vector outputs the decrypted sum D(TV[])= i = 1 n 1 w i T i + i = 1 n 1 z i . A second round is performed in order to subtract the random bias i = 1 n 1 z i from the correct weighted average trust w Tavr. The second round of the MPWP is identical to the corresponding round of the MPKP. Upon reception of the SM matrix each user, U i , decrypts the corresponding it h column E i ( z 1 i ) E i ( z 2 i ) E i ( z n 1 i ), encrypted by all community users by U i t h public key, P i . Each U i , i=1.. n−1 computes the sum of the partial shares PSS i = j = 1 n 1 z j i , encrypts it by the U n t h public key, P n , and accumulates it in the accumulated variable A. After that, it h S Ms column S M[ ][ i] is deleted. As a result of the second round, the initiator, U n , receives the accumulated variable, A= i = 1 n 1 E i ( PSS i ). The encrypted bias, BT, is decrypted as D(A)= i = 1 n 1 j = 1 n 1 z j i .

Finally, the weighted average trust w Tavr is equal to w Tavr=T VA. The private trust computation carried out by the MPKP and the MPWP protocols is preserved in the computationally secure manner due to the following reasons:

  1. (a)

    Each community user, U i , fragments its trust, T i , randomly into n−1 shares (Algorithm 5, lines 6–8).

  2. (b)

    Each r i j encrypted by U i by the U j t h public key, P j , shared with each U j ,j=1,…,n−1 user and accumulated in the TV vector, reveals no information about the exact T i value to U j (lines 9–14).

  3. (c)

    The decryption performed by each U i ,i=1,…,n−1 by its private key, P i + , at the second round, outputs the sum of the partial shares, D i (TV[i])= j = 1 n 1 r j i of all community users. In essence, the j = 1 n 1 r j i value reveals no information about the secret trust values T 1,…,T i−1, T i+1,…,T n−1.

  4. (d)

    The encryption E n ( j = 1 n 1 r j i ) of the partial shares sum performed by each U i with the initiator U n public key P n and accumulated in A, can be decrypted by U n only.

  5. (e)

    Assume a coalition U j i ,, U j i + k 1 of at most k<n curious adversarial users, possibly including the initiator U n . Then the exact trust values revealed by the coalition, are the coalition members trust only. The privacy of the uncorrupted users is preserved by the homomorphic encryption scheme which generates for each user its secret private key, and by the random fragmentation of the secret trust.

In MPWP, O(n) messages of length O(n2) are sent.


We derived a number of schemes for the private computation of trust in a given user by a community of users. Trust computation is performed in a fully distributed manner without involving a Trusted Authority. The proposed AP and WAP protocols are computationally secure, under the assumption of an uncompromised initiator, U n . The AP and WAP protocols compute the average unweighted and weighted trust, respectively. The generalized MPKP and MPWP protocols relax the assumption that U n is non-compromised. They carry out the private unweighted and weighted trust computation, respectively, without limitations imposed on U n . The number of messages sent in the proposed protocols is O(n) (large) messages.

The PKEBP and CEBP for the removal of outliers are presented as well.The protocols, introduced and analyzed in this paper, may be efficiently applied in the fully distributed environment without any trusted authority. Compared with other models, our schemes privately compute trust values with low communication overhead of O(n) (large) messages in the simplified ring network topology. The schemes may be applied to complete topology systems when all network users are connected by direct links. The schemes may be attractive in the case when sending the linear number (O(n)) of large messages is better than sending a substantially larger number (O(n3)) of possibly smaller messages. Moreover, the outliers removal (performed by the CEBP protocol) may be efficiently performed by the computationally restricted users when there are no resources for generating computationally expensive Interactive and Non Interactive Zero Knowledge Proofs. The schemes proposed in this paper are not restricted to trust computation. They may be extended to other models that compute privately sensitive information with only O(n) messages.

In a case where the trust is represented by several values rather then a single value, one can apply our techniques to each such value independently.


Supported by Deutsche Telekom Laboratories at Ben-Gurion University of the Negev, Israel, Rita Altura Trust Chair in Computer Sciences, ICT Programme of the European Union under contract number FP7-215270 (FRONTS), Lynne and William Frankel Center for Computer Sciences, and the internal research program of the Sami Shamoon College of Engineering. The paper is a full version of two extended abstracts each describing a different part of the results [8, 9].


  1. 1.

    Paillier P: Public-key cryptosystems based on composite degree residuosity classes. Advances in cryptology, EUROCRYPT 99. Springer Berlin Heidelberg, pp 223–238; 1999.

    Google Scholar 

  2. 2.

    Pavlov E, Rosenschein JS, Topol Z: Supporting privacy in decentralized additive reputation systems. Trust Management, Springer Berlin Heidelberg, pp 108–119; 2004.

    Google Scholar 

  3. 3.

    Gudes E, Gal-Oz N: A grubshtein: methods for computing trust and reputation while preserving privacy. 2009. Proceedings of 23rd Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Springer Berlin Heidelberg, pp 291–298

    Google Scholar 

  4. 4.

    Cramer R, Damgard IB, Buus Nielsen J: Multiparty computation from threshold homomorphic encryption. In EUROCRYPT ‘01: proceedings of the international conference on the theory and application of cryptographic techniques. Springer, Berlin Heidelberg; 2001:280–299.

    Google Scholar 

  5. 5.

    Franklin M, Haber S: Joint encryption and message-efficient secure computation. J Cryptology 1996, 9(4):217–232. 10.1007/s001459900013

    MATH  MathSciNet  Article  Google Scholar 

  6. 6.

    Romero-Tris C, Castella-Roca J, Viejo A: Multi-party private web search with untrusted partners. 2012. Security and Privacy in Communication Networks, Springer Berlin Heidelberg. pp. 261-280. In: Rajarajan M, et al., Proceedings of SecureComm 2011, pp 261–280

    Google Scholar 

  7. 7.

    Damgard I, Faust S, Hazay C: Secure two-party computation with low communication. In TCC 2012, LNCS 7194 Edited by: Cramer R. 2012, 54–74.

    Google Scholar 

  8. 8.

    Dolev S, Gilboa N, Kopeetsky M: Computing trust privately in the presence of curious and malicious users. In Proceedings of the international symposium on stochastic models in reliability engineering, life sciences and operations management. Beer-Sheva, Israel: Sami Shamoon College of Engineering; 2010.

    Google Scholar 

  9. 9.

    Dolev S, Gilboa N, Kopeetsky M: Computing multi-party trust privately in O(n) time units sending one (possibly large) message at a time. In Proceedings of 25-th Symposium On Applied Computing (SAC 2010). Sierre, Switzerland; 2010:1460–1465.

    Google Scholar 

  10. 10.

    Asharov G, Jain A, Tromer E, Vaikuntanathan N, Wichs D: Multiparty computation with low communication, computation and interaction via threshold FHE. Proceedings of the EUROCRYPT 2012 2012, 483–501. 2012 2012

    Google Scholar 

  11. 11.

    Beerliova-Trubmiova Z, Hirt M: Perfectly-secure mpc with linear communication complexity. TCC2008, LNCS 4948 2008, 213–230.

    Google Scholar 

  12. 12.

    Dimitriou T, Michalas A: Multi-party trust computation in decentralized environment. In Proceedings of the 5-th, IFIP international conference on New Technologies, Mobility and Security (NTMS 2012). Istanbul, Turkey; 2012.

    Google Scholar 

  13. 13.

    Dimitriou T, Michalas A: Multi-party trust computation in decentralized environments in the presence of malicious adversaries. 2013. Ad Hoc Netw J. Elsevier,

    Google Scholar 

  14. 14.

    Bachrach Y, Parnes A, Procaccia AD, Rosenschein JS: Gossip-based aggregation of trust in decentralized reputation systems. Autonomous Agents, Multi-Agent Syst 2009, 19(2):153–172. 10.1007/s10458-008-9073-6

    Article  Google Scholar 

  15. 15.

    Huynh TD, Jennings NR, Shadbolt NR: An integrated trust and reputation model for open multi-agent systems. In Proceedings of 16th European Conference on Artificial Intelligence. Spain, pp 18–22; 2004.

    Google Scholar 

  16. 16.

    Kinateder M, Rothermel K: Architecture and algorithms for a distributed reputation system. Trust, Management. Springer Berlin Heidelberg; 2003.

    Google Scholar 

  17. 17.

    Mui L, Mohtashemi M, Halberstadt A: A computational model of trust and reputation. 2002. System Sciences, 2002. HICSS. Proceedings of the 35th Annual Hawaii International Conference on. IEEE/pp 1435–1439

    Google Scholar 

  18. 18.

    Xiong L, Liu L: PeerTrust: supporting reputation-based trust for peer-to-peer electronic communities. IEEE Trans. Knowl Data, Eng 2004, 16(7):843–857. 10.1109/TKDE.2004.1318566

    Article  Google Scholar 

  19. 19.

    Dolev D, Lynch NA, Pinter SS, Stark EW, Weihl WE: Reaching approximate agreement in the presence of faults. J ACM 1986, 33(3):499–516. 10.1145/5925.5931

    MathSciNet  Article  Google Scholar 

  20. 20.

    Pedersen TP: Non-interactive and information theoretic secure verifiable secret sharing. Advances in Cryptology CRYPTO 91,. Springer Berlin Heidelberg, pp 129–140; 1991.

    Google Scholar 

  21. 21.

    Shamir A: How to share a secret. Commun ACM 1979, 11(22):612–613.

    MathSciNet  Article  Google Scholar 

  22. 22.

    Hasan O, Brunie L, Bertino E, Shang N: A decentralized privacy preserving reputation protocol for the malicious adversarial model. Inf Forensics Secur J 2013, 8(6):1–14.

    Article  Google Scholar 

  23. 23.

    Dolev S, Ostrovsky R: Xor-trees for efficient anonymous multicast and reception. ACM Trans Inf Syst Secur 2000, 3(2):63–84. 10.1145/354876.354877

    Article  Google Scholar 

  24. 24.

    Goldreich O: Foundations of cryptography: volume 1, basic tools. New York: Cambridge University Press; 2000.

    Google Scholar 

  25. 25.

    Naccache D, Stern J: A new public key cryptosystem based on higher residues. 1998. Proceedings of the 5th, ACM Conference on Computer and Communications Security, pp 59–66

    Google Scholar 

  26. 26.

    Goldwasser S, Micali S: Probabilistic encryption. J Comput Sci Contr Syst 2004, 28: 108–119.

    Google Scholar 

  27. 27.

    Okamoto T, Uchiyama S: A new public-key cryptosystem as secure as factoring. EUROCRYPT 1998 1998, 308–318.

    Google Scholar 

  28. 28.

    Benaloh J: Dense probabilistic encryption. Proceedings of the workshop on selected areas of cryptography. Kingston, pp 120–128 1994.

    Google Scholar 

  29. 29.

    Boneh D, Goh E-J, Nissim K: Evaluating 2-DNF formulas on ciphertexts. Theory of cryptography TCC, Springer Berlin Heidelberg, pp 325–341; 2005.

    Google Scholar 

  30. 30.

    Gentry C: Fully homomorphic encryption using ideal lattices. In Proceedings of the forty-first annual ACM symposium on Theory of computing STOC. New York, NY, USA: ACM; 2009:169–178.

    Google Scholar 

  31. 31.

    Beimel A, Dolev S: Buses for anonymous message delivery. J Cryptology 2003, 16(1):25–39. 10.1007/s00145-002-0128-6

    MATH  MathSciNet  Article  Google Scholar 

  32. 32.

    Goldreich O: Foundations of cryptography: volume 2, basic applications. New York: Cambridge University Press; 2004.

    Google Scholar 

  33. 33.

    Pohlig SC, Hellman ME, (1978): An improved algorithm for computing logarithms in GF(p) and its cryptographic significance. IEEE Trans. Inf. Theory 24(1):106–110.

  34. 34.

    El Gamal T: A public key cryptosystem and a signature scheme based on discrete logarithms. In Proceedings of CRYPTO 84 on Advances in cryptology. New York, NY, USA: Springer-Verlag New York, Inc; 1985:10–18.

    Google Scholar 

  35. 35.

    Boneh D: The decision Diffie-Hellman problem. Proceedings of Algorithmic Number Theory, Third International Symposium, ANTS-III. 1998, 48–63.

    Google Scholar 

  36. 36.

    Benaloh J: Verifiable secret-ballot elections. Ph.D. thesis 1987. Yale University Yale University

    Google Scholar 

Download references

Author information



Corresponding authors

Correspondence to Shlomi Dolev or Marina Kopeetsky.

Additional information

Competing interests

The authors declare that they have no competing interests.

Authors’ contributions

All authors read and approved the final manuscript.

Authors’ original submitted files for images

Below are the links to the authors’ original submitted files for images.

Authors’ original file for figure 1

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 2.0 International License (, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Dolev, S., Gilboa, N. & Kopeetsky, M. Efficient private multi-party computations of trust in the presence of curious and malicious users. J Trust Manag 1, 8 (2014).

Download citation


  • Private trust computations
  • Multi-party computations
  • Anonymity