Communication-Efficient Secure Computation of Encrypted Inputs Using (k, n) Threshold Secret Sharing

Advancements in Internet of Things devices allow for the collection and analysis of big data. Moreover, cloud computing has emerged as an ideal platform for big data analysis because it quickly provides computing resources for analysis at scale. However, concerns exist regarding the privacy and security of this information. Secure computation is a technology that enables computation while maintaining data encryption. In this study, we present a new secure computation based on a client-server model, in which a set of servers perform computations using the inputs of multiple clients. We adopt the <inline-formula> <tex-math notation="LaTeX">$(k, n)$ </tex-math></inline-formula> threshold secret sharing approach, where an input <inline-formula> <tex-math notation="LaTeX">$s$ </tex-math></inline-formula> is divided into <inline-formula> <tex-math notation="LaTeX">$n$ </tex-math></inline-formula> shares and can be recovered from shares with a threshold <inline-formula> <tex-math notation="LaTeX">$k$ </tex-math></inline-formula>. However, conventional secure computation using <inline-formula> <tex-math notation="LaTeX">$(k,n)$ </tex-math></inline-formula> threshold secret sharing generally requires the condition <inline-formula> <tex-math notation="LaTeX">$n \geq 2k-1$ </tex-math></inline-formula> and communication among multiple servers for each multiplication. To the best of our knowledge, no previous study has solved this problem completely. We demonstrate that processes that require communication can be concentrated in the preprocessing phase and propose a secure computation using <inline-formula> <tex-math notation="LaTeX">$(k,n)$ </tex-math></inline-formula> threshold secret sharing that does not require communication during the secure computation phase, even when multiplication is performed. Moreover, we show that the number of communications does not depend on the number of multiplications, unlike in conventional methods. As communication often requires more processing time than the actual secure computation, our method makes it possible to realize faster overall processing than conventional methods. We also present an extensive security analysis and experimental simulation of the proposed method. Our proposed method achieves information-theoretic security against semi-honest adversaries under certain conditions with <inline-formula> <tex-math notation="LaTeX">$n < 2k-1$ </tex-math></inline-formula>.


I. INTRODUCTION
With the advancements in big data and the Internet of Things (IoT), technology that can make use of the information of an individual has emerged. However, concerns exist regarding the privacy, security, and confidentiality of such information. Therefore, research on secure computation that can perform arithmetic processing while maintaining the confidentiality The associate editor coordinating the review of this manuscript and approving it for publication was Md. Abdur Razzaque . of privacy-related information is being actively conducted in the use of big data and IoT data.
Secure computation methods can be divided into those that use homomorphic encryption [1], [2], [3], [4], [5], [6], [7] and secret sharing [8], [9], [10], [11], [12], [13], [14], [15], [16]. Homomorphic encryption generally requires a huge computational cost and a long time to perform the computation. Therefore, the secret sharing approach is preferable for big data and IoT data that comprise large datasets because of its lower computational cost when considering utilization in a cloud system. Secret sharing is a method of converting a piece of secret input that is held by a user into multiple values (hereinafter referred to as ''shares'') and distributing it to multiple computing servers. The (k, n) threshold secret sharing method converts one secret input into n shares and distributes them among n computing servers [22], [23]. The original secret input can be restored by collecting k shares from the distributed n shares, but no information regarding the secret input can ever be obtained from fewer than k shares. Therefore, (k, n) threshold secret sharing can be considered as resistant to the loss of n − k servers when the number of computing servers n > k.
However, in conventional secure computation methods that use secret sharing, addition can be easily realized, but a problem occurs when multiplication is performed. For example, in Shamir's (k, n) threshold secret sharing, the polynomial degree changes from k − 1 to 2k − 2 when multiplication is performed. Therefore, the problem with conventional methods is that the number of shares that are required to restore the secret input increases from k to 2k − 1. Moreover, as each computing server holds only one share, the number of required computing servers n also increases from k to 2k − 1 [8], [10], [17].
In general, in secure computation using (k, n) threshold secret sharing or multi-party computation, no known secure computation realizes information-theoretic security at n < 2k − 1. Therefore, all secure computation methods that realize information-theoretic security using the (k, n) threshold secret sharing method assume n ≥ 2k − 1 and require considerable server resources. Furthermore, as these methods require communication between the computing servers every time multiplication is performed, substantial processing time is required if the multiplication operation is necessary in the secure computation.
However, very few studies have been conducted on secure computation when k ≤ n < 2k − 1 using (k, n) threshold secret sharing. Methods such as the SPDZ method [5] (which will be described later) and the SPDZ 2 method [6] combine the use of somewhat homomorphic encryption; however, these methods only offer computational security. Moreover, the SPDZ method does not solve the problem of the communication that is required for each multiplication.
In this study, we investigate secure computation with k ≤ n < 2k − 1 using (k, n) threshold secret sharing. In this approach, we first search for condition(s) that can realize a secure computation that is information-theoretic secure against semi-honest adversaries when k ≤ n < 2k − 1. Subsequently, we focus on relaxing the required conditions. The Tokyo University of Science (TUS) methods [17], [18], [39] enable secure computation including the multiplication operation under the following three conditions: 1) 0 is not included in the secure computation result.
2) Random numbers that are restored by each server are fixed.
In particular, the third revision of the TUS methods (the TUS 3 method) is based on the product-sum operation of ab + c, but it has also been proven that the combination of the product-sum operation is information-theoretic secure, which enables any four arithmetic operations to be computed securely with k ≤ n < 2k −1 under the aforementioned three conditions [39]. Moreover, all TUS methods share a common point: the secret input is first encrypted with a random number to produce an encrypted secret input, and secure computation is performed using (k, n) threshold secret sharing.
However, the greatest disadvantage of all proposed TUS methods is that large computation and communication costs are required, which results in a slow processing (computation) speed. Therefore, in this study, our objectives are (1) to improve the overall processing speed of the TUS methods and (2) to reduce the required conditions to realize information-theoretic security against semi-honest adversaries. Moreover, we evaluate and discuss the most suitable method between the use of computation with repetition (where multiple inputs are processed simultaneously) or computation without repetition (where a computation is broken into smaller parts) to realize more complex computations, such as multiple-input multiplication.

A. OUR CONTRIBUTIONS
We propose a new secure computation method using multiple cloud computing servers based on (k, n) threshold secret sharing with the parameters k ≤ n < 2k − 1 and Condition (3). This method captures both the security requirements of a secure computation protocol (including the realization of information-theoretic security) and the efficiency requirements of a cloud computing ecosystem (with the minimum number of required communications between computing servers during the secure computation phase). The specific contributions of this study are summarized as follows: The disadvantages of all proposed TUS methods are that multiple communications are required during the computation phase and multiple-input computations cannot be performed simultaneously, thereby further increasing the required computation and communication costs when a complex computation is realized. We present the specific construction of a secure computation using (k, n) threshold secret sharing with k ≤ n < 2k − 1, without any communication required during the secure computation phase (when computation without repetition is assumed). In this case, computation without repetition implies that the result of the computation is not used for consecutive computations. A preliminary version of this method appeared in [20]. However, we also extend the basic product-sum operation in the previous TUS methods, such that multiple processes including multiple individual multiplication operations can be executed simultaneously (the extended product-sum operation). This allows various operations to be implemented without repeating the computation using the previously computed values (as in the previous TUS methods), thereby eliminating communication from the secure computation phase. In this protocol, the overall operation is divided into the preprocessing and secure computation phases, and processes that require communication are concentrated in the preprocessing phase. Thus, the required communication can be completely removed from the actual secure computation phase, even if the multiplication operation is included, to realize a secure computation phase with a very fast processing speed.

2) NEW PROTOCOL 2
We present the construction of secure computation when repetition is assumed. In Protocol 1, a constant value of ''1'' is added to the secret input before encryption. Therefore, if the reconstructed computation result is zero, the computation result will be leaked. Protocol 2 solves this problem by introducing a new encryption method that adds a random number to the secret input and a new protocol for correcting the computation result. We present a new and improved secure computation protocol where Condition (1) of the TUS methods is no longer required even when computation with repetition is assumed, thereby realizing a secure computation with higher usability and broader possible application. In Protocol 1, when the result of the initial computation is used for the consecutive computation, Condition (1), where the output of the initial computation does not include 0, will be required, thereby limiting the possible application of the protocol. To overcome this limitation, we propose a new method of encryption, computation, and reconstruction. Moreover, to realize Condition (1) of the TUS methods, we propose a novel protocol for correcting the output value, which is known as the correction phase, where the output (which is equivalent to the input for the consecutive computation) with the value ''0'' can be used without sacrificing the security of the secure computation. However, although the main concept of dividing the computation into the preprocessing and secure computation phases to eliminate communication for each multiplication is maintained in Protocol 2, communication is required only once when the computation is repeated (in contrast to communication for each multiplication that is performed). Furthermore, we present a new secure computation protocol whereby the extended product-sum operation can be computed even when random numbers are added to the inputs to reduce the number of required computations. As a result, the communication can be further reduced compared to that of conventional methods, including the previous TUS methods, which can only handle the aforementioned inputs and computations by repeating the product-sum operation multiple times. Therefore, the proposed method achieves high-speed processing.

3) SECURITY AND EFFICIENCY ANALYSIS
We present a comprehensive security evaluation of each protocol using the entropy approach, as in the previous TUS methods, and demonstrate that both new protocols are information-theoretic secure against semi-honest adversaries with only Condition (3). Moreover, we show that only one communication is required for each repetition in the new protocol; however, the number of communications does not depend on the number of multiplications that are performed, as in conventional methods. As a result, the number of required communications required can be significantly reduced and the processing speed can be accelerated.

4) DISCUSSION AND COMPARISON
We present a discussion on the merits and demerits of each protocol as well as the selection (and balancing) of the most suitable number of communications when considering other aspects and physical limitations, such as the memory use of the overall computation. Moreover, we examine the aforementioned conditions in the TUS methods and show that both new protocols can be performed with only Condition (3) when semi-honest adversaries are considered. Furthermore, we provide a comparison between our new protocols and conventional secure computation methods.

5) EXPERIMENTAL IMPLEMENTATION
We present the implementation results of our new Protocol 1 for computing the inner-product computation of length l. We demonstrate that our new Protocol 1 can realize secure computation at a very high speed. Moreover, we discuss the theoretical performance of our new protocols compared to conventional methods.

B. PAPER ORGANIZATION
The remainder of this paper is as follows. Preliminary concepts are outlined in Section II. Section III describes related work, Section V presents the method when the computation is not repeated, and Section VI explains the method when the computation is repeated. In Section VII, the features of the proposed method and each condition are discussed. Finally, an implementation evaluation is provided in Section VIII, and we demonstrate that the proposed method can realize very high-speed processing when the computation is not repeated.

II. PRELIMINARIES
In this section, we explain various basic concepts that are required in realizing secure computation using (k, n) threshold secret sharing.
A. (k, n) THRESHOLD SECRET SHARING Secret sharing that satisfies both conditions stated below is known as (k, n) threshold secret sharing [22]. However, n ≥ k > 1.
• Any k − 1 or less shares will reveal nothing about the original secret input s.
• Any k and above shares will allow for the reconstruction of the original secret input s.
Examples of (k, n) threshold secret sharing include the method that uses polynomials for the distribution of secret input proposed by Shamir (hereinafter, Shamir's (k, n) method) [22], the method that involves the XOR operation proposed by Kurihara et al. to realize the distribution and restoration of secret input (hereinafter referred to as the XOR method) [23], and additive secret sharing.
In the following, unless otherwise specified, Shamir's (k, n) method is used and the prime number used is p. Furthermore, the share of a secret input s held by each server S i (i = 0, . . . , n − 1) is denoted by [s] i (i = 0, . . . , n − 1).

B. SECURITY AND SYSTEM MODEL
The system model that is used in this study is based on the client-server model. That is, an arbitrary number of clients secretly send the secret input to n computing servers, n computing servers perform secure computation, and the computation result is returned to the client with the restoration authority. This business model is often used in services such as Cybernetica [21]. However, it is possible to establish a typical multi-party computation model by assuming that the clients also play the role of computing servers.
Moreover, we assume a semi-honest adversary (sometimes known as a passive adversary). The adversary controls some of the computing parties and clients, which still follow the protocol but collude on extracting additional information, such as the inputs of other honest players or the computation output. We also assume secure communications between the clients and computing servers.
Finally, we state and prove the security of the proposed methods by expressing the entropy against semi-honest adversaries and demonstrate that the adversaries can only learn what can be derived from the public/obtained information. However, in a future study, we will evaluate the security using the standard ideal/real-world definition, as proposed by Canetti et al [33].

III. RELATED WORKS
In this section, we consider several secure computation methods that use secret sharing and briefly explain the difference between each method and our proposed methods.
In the SPDZ method, the owner of the secret input is one of the n players that are involved in the secure computation. Moreover, even when n − 1 players collude, provided that the owner maintains his/her share of the secret secure, the original secret input cannot be reconstructed from n − 1 shares.
The SPDZ method consists of the preprocessing and online phases. The confidentiality of secret inputs is ensured using additive secret sharing. Addition can easily be achieved using the SPDZ method. However, multiplication is based on Beaver's circuit randomization (or Beaver's multiplication) [24]. To perform multiplication, shares of random numbers In the SPDZ method, for example, the process in which the secret input x is reconstructed from its shares [x] i is denoted as x = open([x] i ); however, as this process is performed twice for each multiplication, two communications are required for each multiplication.
The protocol for multiplying xy that is proposed in the SPDZ method is described as follows. The construction of a multiplication triple requires SHE, which entails a prohibitive computation cost, thereby significantly increasing the overall processing time. Moreover, the overall security that is achieved using the SPDZ method is related to the computational security.
In contrast, our proposed methods use only secret sharing for computation, thereby realizing a lower computational overhead than the SPDZ method. Moreover, our proposed methods are not limited to n = k but are also effective for any n, k, under the condition n ≥ k > 1.

B. METHOD OF ARAKI ET AL
In secure computation, the cost of communication between servers may affect the overall processing speed more than the actual computational cost. Therefore, Araki et al. proposed a method for fast secure computation under the parameters n = 3, k = 2, which requires only one communication per multiplication [16]. The detailed protocol is described below. It is usually not considered a problem, even if communication is required during the preprocessing phase. Furthermore, the secure computation of addition is performed locally, where the shares are added.
In contrast, our proposed methods are effective for any parameters of n and k, where n ≥ k. Moreover, our proposed methods can realize multiplication with zero communication in the secure computation phase when computation without repetition (such as the inner product of multiple inputs) is assumed. VOLUME 11, 2023 51169 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply. 1) Players P 1 ,P 2 ,P 3 generate and hold β 1 ,β 2 ,β 3 ∈ Z 2 n , where β 1 + β 2 + β 3 = 0.
2) DISTRIBUTION PHASE 1) Dealer D selects random numbers 3) MULTIPLICATION PHASE 1) Each player P i computes the following and sends it to player P i+1 .
r i , and holds (z i , c i ) as a share of the result of multiplication v 1 v 2 .

4) RECONSTRUCTION PHASE
1) From the information z i , c i , z j , c j of player P i and player P j , the result of v 1 v 2 can be computed using the equation below. It should be noted that

C. TUS METHODS
The TUS methods represent the secure computation methods proposed by the research group at the Tokyo University of Science (TUS). In this study, we enhance the TUS methods and realize fast and secure computation. The first variation of the TUS method was proposed by Shingu et al. to perform a two-inputs-one-output secure computation (known as the TUS 1 method) [17], in which the secret input of a client is first encrypted with a random number. When secure multiplication is performed, the encrypted secret is momentarily restored as a scalar value and multiplication is performed using the scalar value × polynomial approach to prevent an increase in the polynomial degree.
However, the TUS 1 method introduces another problem: when computation that involves a combination of operations, such as ab + c, is performed, if the adversary has information regarding one of the inputs and the output, they can specify the value of the remaining two inputs. Therefore, a condition in which computation that involves a combination of addition and multiplication is not performed is required, in addition to the existing condition, in which the input of the secure computation does not include the value 0. Therefore, the TUS 1 method can enable highly effective specific computation, such as the computation of Rivest-Shamir-Adleman (RSA) encryption. However, it cannot deal with computations that require a combination of addition and multiplication.
Kamal et al. introduced an improved method known as the TUS 2 method, in which a computation that involves a combination of addition and multiplication can also be performed securely [18], to solve this problem. This method was proven as secure under the three aforementioned conditions. However, the first condition in this method is extended as follows: the values of the inputs and output of the computation do not include 0. Furthermore, it was demonstrated that this method is secure against computation that involves a combination of product-sum operations. Therefore, this method can realize any arithmetic computation under the setting k ≤ n < 2k −1. However, the TUS 2 method incurs a significantly higher computational cost compared with the conventional method for n ≥ 2k − 1; therefore, it is not the most efficient method.
For this reason, Tokita et al. proposed two new and improved secure computation methods: (1) an improved version that incorporates the XOR method to achieve a more efficient secure computation [39] (hereafter, TUS 3 method), and (2) an improved method of the TUS 3 method that also provides a means of easing one of the aforementioned three conditions, whereby the limit on the inputs of the secure computation is removed; however, the three conditions remain [19] (hereafter, TUS 3' method).
In contrast, our new Protocol 2 completely solves the first condition of the TUS methods. Moreover, when computation without repetition is assumed, zero communication is required in our new Protocol 1, thereby realizing a faster secure computation phase than all TUS methods. Our proposed methods are not limited to only one product-sum operation, but can also execute multiple operations on multiple inputs simultaneously.
Note that all TUS methods have a common point whereby the secret input is first encrypted with a random number and then used in the secure computation using secret sharing. Furthermore, in Condition (3), each server S j (j = 0, . . . , k − 1) holds the following, where ε is defined as a random number that is unknown to the adversary:

IV. OVERVIEW OF PROPOSED METHODS
We present a method to eliminate the communication cost from the secure computation phase and realize high-speed computation by dividing the overall computation into the preprocessing and secure computation phases, with all processes that require communication concentrated in the preprocessing phase.
In this study, computation with repetition means that the computing server momentarily restores the encrypted result of the secure computation and uses it as a secret input for the consecutive computation. For example, let us assume that the computing servers first perform secure computation for the encrypted multiplication result αβab of inputs a, b (where αβ is used to keep ab secure). However, instead of returning the encrypted result to the user for decryption, the encrypted 51170 VOLUME 11, 2023 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.
result is used to perform a consecutive computation with a new input (or inputs), such as multiplication with a new input c, to produce a new encrypted output of abc.
In contrast, computation without repetition means that the secure computation is performed only once and the authorized player restores the computation result. For example, in the aforementioned computation of ab, the encrypted result αβab is returned to the authorized user for decryption into plaintext ab.
The method for computation without repetition is described as Proposed Method 1, whereas Proposed Method 2 represents the secure computation with repetition.

V. PROPOSED METHOD 1: COMPUTATION WITHOUT REPETITION
In the TUS methods, a product-sum operation of ab + c is used to realize all four arithmetic operations (if a = 1, addition b + c is possible; if c = 0, multiplication ab is possible). However, any computation with more than three inputs using the previous TUS methods requires the repetition of multiple product-sum operations, thereby increasing the total computation and communication costs.
Instead of a simple product-sum operation, such as ab + c as demonstrated in the TUS methods, we show the following extended computation of the product-sum operation, which can compute multiple inputs simultaneously. Therefore, the proposed method can overcome the limitations of the previous TUS methods.
The range of each computation is not limited to only one ab + c by applying the aforementioned computation. For example, when the parameters l = 2, m 1 = 2, m 2 = 1 are set, the computation will be a single product-sum operation a 1,1 a 2,1 + a 1,2 . The conventional method is often limited to m i = 2, but one feature of the proposed method is that m i can be selected arbitrarily.
Furthermore, the expansion of equation (2) yields the following.
However, the value of (a * j + 1) will depends on the elements of the combinations that select m−r from m number of (a j + 1).
Furthermore, it is assumed that the communication among the players who input the secret input, the computing servers, and the player who restores the result is secure. The random numbers that are unknown to the adversary shown in Condition (3) are ε i,j are assumed to be prepared and stored on the servers in advance. VOLUME 11, 2023 It is also assumed that k servers that execute steps other than step 5 of the preprocessing phase are predetermined among the n servers. For ease of understanding, the algorithm when l = 1, m 1 = 3, and n = k is presented for simplicity, but it is clear that it can be extended to any l and m i . Moreover, player A m i ,i may be the same.
2) Each server S j (j = 0, . . . , k − 1) collects the following k shares and reconstructs ε 3) Each server S j (j = 0, . . . , k − 1) generates a random number d j , computes the following, and sends it to one of the servers (here, we assume server S 0 ). Subsequently, d j is distributed to all servers using Shamir's (k, n) method.
) Server S 0 computes the following from the received values and broadcasts it to all n servers.
. . , l) computes the following for secret input a g,i that he/she has and sends it to all n servers.
Protocol 1.3: Secure computation phase 1) Each server S j (j = 0, . . . , k − 1) computes the following: Protocol 1.4: Reconstruction phase 1) The player collects the following from k servers S j and 2) Subsequently, the computation result l i=1 a 1,i a 2,i a 3,i is computed as follows: In the case of the t(= l i=1 m i )-inputs-one-output operation, such as the extended product-sum operation in Proposed Method 1, regardless of the security of the computation that is used, if t − 1 inputs and the output are known, the remaining input will also be leaked, and if t inputs are known, the output will also be leaked. Therefore, it is meaningless to assume an attack beyond the attacks that are defined below.
Unless the proposed method provides Adversaries 1 and 2 (defined below) with the information required by each adversary, Proposed Method 1 can be considered to realize a secure extended product-sum operation with Condition (3).
Adversary 1: When a player who knows t − 2 inputs and the output of the extended product-sum operation becomes an attacker, he/she knows the secret inputs that are entered by himself/herself, the random numbers that are used to encrypt the secret inputs, and the information that is obtained at the time of reconstruction. Furthermore, Adversary 1 knows the information from k − 1 servers, based on which he/she attempts to learn the remaining two secret inputs individually.
Adversary 2: When a player who knows t − 1 inputs to the extended product-sum operation becomes an attacker, he/she knows the secret inputs that are entered by himself/herself and the random numbers that are used to encrypt the secret inputs. Furthermore, Adversary 2 knows the information that is known by k − 1 servers, based on which he/she attempts to learn the remaining secret input and computation result.
Therefore, the security of the above protocol is as follows: Security Against Adversary 1: Consider the case in which the player who knows the values related to all secret inputs (other than a 1,1 ,a 2,1 ) and the reconstructed result becomes Adversary 1. Adversary 1 knows the values that are computed in steps 3 and 4 of Protocol 1.1 (the preprocessing phase) and knows b g,i (a g,i + 1) in Protocol 1.2 (the encryption of the secret inputs). Furthermore, Adversary 1 knows d l i=1 (a 1,i a 2,i a 3,i ), d and l i=1 (a 1,i a 2,i a 3,i ) in Protocol 1.4 (the reconstruction phase). From this information, Adversary 1 attempts to learn the secret inputs a 1,1 , a 2,1 . However, if k random numbers and shares that are distributed to the servers are not collected, a random number that is the product of those k random numbers, and the secret input are not known.
Moreover, in the above algorithm, l = 1, m i = 3 are set for simplicity; however, even for values other than l = 1, m i = 3, the values that do not leak are not included in B and hold for any l and m i . Therefore, assuming that Condition (3) is fulfilled, Proposed Method 1 achieves information-theoretic security against Adversary 1.
Security Against Adversary 2: Consider the case in which Adversary 2 is the player who knows the values related to all secret inputs other than secret input a 1,1 . Adversary 2 knows the values that are computed in steps 3 and 4 of Protocol 1.1 and also knows b g,i (a g,i + 1) in Protocol 1.2. Furthermore, in Protocol 1.4, Adversary 2 knows k −1 shares . From this information, Adversary 2 attempts to learn the secret input a 1,1 and computation result l i=1 (a 1,i a 2,i a 3,i ). However, if k random numbers and shares that are distributed to the servers are not collected, a random number that is the product of these k random numbers, and the secret will not be known.
If the overlapping information in the information shown above is removed and organized, Adversary 2 will know the following (however, g ′ , i ′ are values other than 1, 1 and j ′ is k − 1 or less, whereas the others are the same as in the case of Adversary 1): From the above, the ratios of (ε (1) 1 ,ε 1 , ε 1 , ε Moreover, the adversary knows k − 1 shares [d l i=1 (a 1,i a 2,i a 3,i )] j ′ and random numbers d j ′ . However, because the computation result and random number d cannot be restored, the computation result cannot be determined.
The same applies when inputs other than a 1,1 are used. Furthermore, even for values other than l = 1, m i = 3, the values that do not leak are not included in C and hold for any l and m i . Therefore, the following can be stated and, assuming that Condition (3) is fulfilled, Proposed Method 1 has information-theoretic security against Adversary 2: Moreover, if n > k, steps 1 to 4 of Protocol 1.1 are performed by the specified k servers, but the subsequent processing can be performed by all n servers. Therefore, Proposed Method 1 can also be executed when n ≥ k.

VI. PROPOSED METHOD 2: COMPUTATION WITH REPETITION
In Proposed Method 1, the computation is not repeated and the reconstruction is performed by a player who is authorized to obtain the final result; therefore, even if the reconstructed result is 0, no information leakage occurs.
When the computation is repeated, one server restores the encrypted intermediate result and broadcasts it for use as the input for consecutive computations. If the reconstructed result is 0, a problem will occur whereby the information that the intermediate result is 0 will be leaked. If the reconstructed result is equal to 0 even if the value 1 is added to the computation result, as in the input of Proposed Method 1, the fact that the computation result is a value corresponding to −1 in the modulo p will be leaked. Therefore, although Proposed Method 1 solves condition (1) of the TUS methods, it still requires a certain condition/limitation on the computation result when computation with repetition is required. Therefore, the value to be added to the secret input is not limited to 1 but is a random number. In this manner, the limitation of Proposed Method 1 can be solved and Condition (1) of all previous TUS methods can be completely removed, albeit at the cost of additional computation.
2) Each server S j (j = 0, . . . , k − 1) collects the following k shares and reconstructs ε  3) The following k shares that are used for Protocol 1.4 (the correction phase) are also collected and the random numbers ε (h) j are reconstructed by each server S j in advance. Here, h = 5, . . .,required number.
) Each server S j generates random numbers d j , f j , computes the following, and sends it to one of the servers (here, we assume server S 0 ). Furthermore, d j , f j are distributed to all servers using Shamir's (k, n) method.
) Server S 0 computes the following from the received values and broadcasts it to all servers.
6) All servers S j compute and hold the following: Protocol 2.2: Encryption of secret inputs 1) Player A g,i (g = 1, 2, i = 1, . . . , l) generates a random number r g,i such that a g,i + r g,i ̸ = 0 for his/her secret input a g,i . Subsequently, the following is computed and sent to all servers. b g,i a g,i + r g,i = b g,i × a g,i + r g,i , c g,i r g,i = c g,i × r g,i Protocol 2.3: Secure computation phase 1) All servers S j compute the following: 2) When repetition of the computation is required, server S 0 collects the following k shares from k servers S j and restores f l i=1 −r 1,i r 2,i .
a 1,i a 2,i are expressed as follows: If the reconstructed f r 12 does not equal to 0, d(a 12 + r 12 ) is restored. If f r 12 = 0 or d(a 12 + r 12 ) = 0, proceed to Protocol 2.4 (the correction phase). Finally, the values in which d(a 12 + r 12 ) ̸ = 0, f r 12 ̸ = 0 are disclosed as the result of the secure computation, and the computation is repeated using the corrected encrypted results instead of b g,i (a g,i + r g,i ),c g,i r g,i . 5) At the end of the repetition of computation, proceed to Protocol 2.5 (the reconstruction phase) without restoring f r 12 and d(a 12 + r 12 ). Protocol 2.4: Correction phase 1) Server S j (j = 0, . . . , k − 1) generates random numbers q j and h j , computes h j q j = h j × q j and sends it to server S 0 . 2) Server S 0 computes hq as follows and broadcasts it.
h j q j VOLUME 11, 2023 3) Server S j computes the following and sends it to server ) Server S 0 computes the following and sends it to all servers.
Server S 0 first collects the following k shares from k servers S j , reconstructs f r ′ 12 , and, if f r ′ 12 = 0, returns to Step 1 and changes the random numbers. 8) If f r ′ 12 ̸ = 0, server S 0 collects the following k shares and reconstructs d(a 12 + r ′ 12 ), and if d(a 12 + r ′ 12 ) = 0, returns to Step 1, and repeats the process by changing the random numbers. d(a 12 + r ′ 12 ) 0 , . . . , d(a 12 + r ′ 12 ) k−1 9) Finally, the values of d(a 12 + r ′ 12 ), f r ′ 12 when both are not equal to 0 are returned as d(a 12 + r 12 ), f r 12 . Protocol 2.5: Reconstruction phase 1) The player collects shares of d(a 12 + r 12 ), f r 12 , d j , f j from k servers S j and reconstructs them.
2) The result of computation a 12 is calculated as follows:

A. SECURITY OF PROPOSED METHOD 2
It is sufficient for Proposed Method 2 to be secure against Adversaries 1 and 2. However, the probability that the process for the correction phase in Protocol 2.4 will be required is considered to be very small when prime p is large; therefore, the evaluation of the security of Proposed Method 2 is discussed by separating the correction phase and other computation phases.
Security Against Adversary 1: (the correction phase is not included) Consider the case in which the player who knows the values related to all t − 2 secret inputs (other than a 1,1 , a 2,1 ) and the reconstructed result becomes Adversary 1. Adversary 1 knows the values that are computed in steps 4 and 5 of Protocol 2.1 (the preprocessing phase) and b g,i (a g,i + r g,i ), c g,i r g,i in Protocol 2.2 (the encryption of the secret input). Furthermore, Adversary 1 learns d(a 12 + r 12 ), f r 12 , d, f and l i=1 (a 1,i a 2,i ) from Protocol 2.5 (the reconstruction phase). From this information, Adversary 1 attempts to learn the remaining two secret inputs a 1,1 , a 2,1 . However, if k random numbers and shares that are distributed to the servers are not collected, a random number that is the product of those k random numbers, and the secret input is not known.
If the overlapping information in the information shown above is removed and organized, Adversary 1 will know the following. However, g ′ , i ′ and ε (h) * are the same as those described in Section V-A for Adversary 1. 1 (a 1,1 + r 1,1 ), 1 , b 2,1 , c 1,1 , c 2,1 will not leak from them. Therefore, r 1,1 , r 2,1 are not known and a 1,1 , a 2,1 are not leaked. Therefore, Adversary 1 cannot know the secret inputs a 1,1 , a 2,1 . Hence, the following holds: It is clear that the same argument holds for combinations of inputs other than a 1,1 , a 2,1 .
Furthermore, in the above algorithm, l = 1, m i = 2 are set for simplicity; however, even for values other than l = 1, m i = 2, the values that do not leak are not included in D and hold for any l and m i . Therefore, assuming that Condition (3) is fulfilled, Proposed Method 2 achieves information-theoretic security against Adversary 1.
Security Against Adversary 2: (the correction phase is not included) Consider the case in which Adversary 2 is a player who knows the values related to all t − 1 secret inputs (other than the secret input a 1,1 ). Adversary 2 knows the values that are computed in steps 4 and 5 of Protocol 2. 1, and b g,i (a g,i +r g,i ), c g,i r g,i in Protocol 2.2. Moreover, in Protocol 2.5, Adversary 2 learns k − 1 number of shares of d(a 12 + r 12 ), f r 12 , d j , f j . From this information, Adversary 2 attempts to learn the secret input a 1,1 and computation result l i=1 (a 1,i a 2,i ). However, if k random numbers and shares that are distributed to the servers are not collected, a random number that is the product of these k random numbers, and the secret will not be known.
If the overlapping information in the information shown above is removed and organized, Adversary 2 will know the following. However, g ′ , i ′ exclude 1, 1, and j ′ represents k − 1 or fewer shares. 1 (a 1,1 + r 1,1 ), i is independent, b 1,1 and c 1,1 do not leak from them.
Furthermore, the adversary knows k − 1 shares of [d(a 12 + r 12 but because the adversary cannot restore them, it cannot learn the computation result. The same argument applies when a 1,1 are other secret inputs. Moreover, even for values other than l = 1, m i = 2, the values that do not leak are not included in E and hold for any l and m i . Therefore, the following can be stated and, assuming that Condition (3) is fulfilled, Proposed Method 2 has information-theoretic security against Adversary 2.

Security of Protocol 2.4: Correction Phase:
In the correction phase, if the reconstructed value is equal to 0, a new random number q is added, r 12 is updated to r ′ 12 , and finally, d(a 12 + r 12 ), f r 12 , where neither is equal to 0, are computed. Here, d(a 12 +r 12 ), f r 12 are not reconstructed simultaneously, but if the reconstructed result f r 12 = 0 or d(a 12 + r 12 ) = 0, the information that r 12 = 0 or r 12 ̸ = 0, a 12 + r 12 = 0 will be leaked. However, even if r 12 = 0, the secret inputs will not be leaked because r 12 is composed only of random numbers. Furthermore, when r 12 ̸ = 0, a 12 +r 12 = 0, the information that a 12 = −r 12 ̸ = 0 will be leaked. However, as mentioned previously, during the security evaluation of the proposed method, because it is assumed that the protocol is secure if the secret inputs that were set or the computation result is not leaked, even if the intermediate result (that is not equal to 0) is leaked, there is no problem if the above secret inputs or computation result are not leaked. (For example, because it is assumed that all secret inputs other than a 1,1 , a 2,1 are known to Adversary 1, the information of ε (h) i when i > 1 is leaked, but because the adversary cannot learn a 1,1 , a 2,1 , it is secure.) For example, even if a 12 = l i=1 (a 1,i a 2,i ) = −r 12 ̸ = 0 is leaked in the correction phase, because r 12 is a random number and the value cannot be specified, a 1,1 a 2,1 cannot be obtained and each individual a 1,1 , a 2,1 will not be leaked. Moreover, as in Proposed Method 1, in Proposed Method 2, only the player who is authorized to restore the result knows the final computation result; therefore, even if d(a 12 + r 12 ) = f r 12 = 0 is reconstructed, the computation result is not leaked. That is, even if r 12 = 0 or a 12 = −r 12 ̸ = 0 is added in D, E, as shown in the evaluation of the security against Adversaries 1 and 2, it can be stated that the result does not change.
Furthermore, when the correction phase is repeated, different random numbers are used each time, except for d, f , so d, f , and q are not leaked from [dq] j , [fq] j , and Adversaries 1 and 2 cannot learn the secret inputs and new random numbers.

A. TRADE-OFF BETWEEN COMPUTATIONAL COST AND COMMUNICATION
When a secure computation is performed using the expansion in Equation (3), the computational cost increases because the computation of 2 m i random numbers to satisfy Condition (3) and 2 m i number of terms are required. Therefore, if the computation time of the aforementioned process exceeds the total communication time or if the required storage capacity is inadequate for all random numbers, the computation can be performed by dividing and repeating the computation.
For example, when m i = 16, it is necessary to compute 2 16 = 65, 536 random numbers to satisfy Condition (3) and 2 16 = 65, 536 terms. In contrast, if multiplication is performed in the form of a quadtree with m i = 4 (as shown in Figure 2), it is sufficient to compute 5 × 2 4 = 80 random numbers to satisfy Condition (3) and 5 × 2 4 = 80 terms. When m i = 16, communication does not occur in the secure computation. However, when using the form of a quadtree, the computation result of the lower layer is used in the upper layer; hence, only one communication occurs. Furthermore, when multiplying in the form of a binary tree with m i = 2, the computation of 15 × 2 2 = 60 random numbers to satisfy Condition (3), computation of 15 × 2 2 = 60 terms, and three communications are required.
That is, if the computation is not repeated, the communication can be set to zero, but the overall computational cost increases. However, when the computation is repeated, the amount of computation can be reduced, but communication occurs. Therefore, when m i is large, the balance between the amount of required computation and the amount of communication can be adjusted by selecting the optimal number of repetitions. However, the conventional method is often limited to m i = 2, so it always has a binary tree structure and requires communication for each multiplication.
Tables 1 and 2 present the simulation results of the computations depicted in Figures 1 and 2, respectively. In the  Figure 1).

TABLE 2.
Total times in microseconds for computing 16-input multiplication using Proposed Method 2 with m i = 4 (as in Figure 2). simulation, parameters n and k were set to n = k = 2, and 16 inputs were generated randomly from GF(p), with prime p = 282, 671, 531, 609. Moreover, a single server (CPU: Intel Xeon E-2378G; memory: 16 GB) running Ubuntu Desktop 20.04.5LTS was used to simulate the role of all input players, two computing servers, and the player who reconstructed the result. Therefore, the communication times in Table 2 represent the time required to send/receive shares from each individual virtual server within the same machine (in the case of k = 2, each server only sent and collected one share). However, in real-world applications, where individual physical servers are used, we anticipate that the communication time will be longer than that in Table 2 (depending on the network).
As indicated in Table 1, each server required less than 1 s to compute the resulting shares of the 16-input multiplication completely. Moreover, because all inputs were multiplied simultaneously, no communication was required between servers during the secure computation phase.
In contrast, Table 2 shows the results when 16 inputs were divided into four parts (each with four inputs), and each server performed four-input multiplication (as illustrated in Figure 2). As the number of inputs was smaller, the total time required by each server to compute all shares locally was significantly less. However, because communication was required once for each computed part, this approach required significantly more communication time than the computation without repetition. Moreover, if the parameter k is increased, the number of shares required to be collected by each server will also increase, thereby further increasing the communication time.
However, the simulation results in Tables 1 and 2 demonstrate that the overall time that was required for performing communication once with five m i = 4 computations was still less than that when computing all inputs simultaneously with m i = 16 (assuming that n = k = 2). Therefore, when m i is large, the number of repetitions can be adjusted to achieve an optimal result. (1) is solved using the proposed method. That is, in Proposed Method 1, reconstruction is performed only by the player who is authorized to know the computation result, and in Proposed Method 2, it is solved by introducing the correction phase in Protocol 2.4.

Condition
Condition (2) is generally necessary in the following cases: in the preprocessing of Proposed Method 1 and Proposed Method 2, each random number is held by each k predetermined server. However, if one of the servers becomes unusable owing to a failure or other occurrence, the random number will be lost and secure computation cannot be continued. Therefore, when n > k, if the server or player distributes the random numbers to all n servers using Shamir's (k, n) method, even if up to n − k servers cannot be used, the replacement server can restore the random numbers that are used by that server and continue the secure computation. Consequently, when n > k, the server loss tolerance of the (k, n) threshold secret sharing method is maintained. However, even if the new server is dishonest and the previous server that it replaced is honest, no problem occurs because it is assumed that there are only k − 1 dishonest servers originally. Therefore, it is necessary to consider the old and new servers as one server and assume that they will handle the same random numbers. When a semi-honest adversary is assumed, this assumption can be maintained if it is described by the algorithm. However, countermeasures are required when a malicious adversary is assumed.
Finally, Condition (3) can be solved, depending on the application. For example, in the case of searchable encryptions that realize direct searching over encrypted inputs using secret sharing, as proposed by Kamal et al. in [26] and [27], and Iwamura et al. in [28], the owner of the secret information does not become an attacker; thus, the owner can generate random numbers that satisfy Condition (3). Furthermore, in the outsourcing computation [29], the client that requests the computation does not become an attacker; hence, the client can generate random numbers that satisfy Condition (3). However, it is often difficult to realize Condition (3) in other applications. In such cases, we can assume a trusted third party (TTP), as in [30], [31], and [32], to generate random numbers that satisfy Condition (3) and distribute them to each server. Therefore, we can assume the application of our proposed method in real-world applications, such as searching for encrypted genomic data [34], analyzing medical data [35], or outsourcing the database of a company to a public cloud [36].
These applications can often be realized by pattern matching, where secure subtraction of [d(a 1 − a 2 )] j can be computed using our proposed Protocol 1.3 (in this case, d, a 1 , and a 2 represent a random number, search pattern, and registered pattern, respectively). That is, if the differences between the two patterns match (a 1 = a 2 ), the reconstructed encrypted result d(a 1 − a 2 ) in Protocol 1.4 will be zero and the search will be successful. However, when the two patterns do not match (a 1 ̸ = a 2 ), our proposed method is optimal in ensuring security such that both the search and registered patterns cannot be identified from the actual difference of (a 1 − a 2 ) because the reconstructed result is encrypted (multiplied) by a random number d. However, a specific approach for constructing a TTP method will be the focus of a follow-up study.
The aforementioned approach can be extended to applications such as the searchable encryptions in [37] and [38], which realize keyword-based information retrieval with fine-grained access control over encrypted cloud data. In the construction of [37] and [38], during the encryption process, the data owner first encrypts each file with a symmetric encryption key, and subsequently protects the symmetric key and builds the search indices for the entire file set. In the trapdoor generation process, the data user encrypts their search query with a secret key before sending the encrypted query to the cloud server. Finally, in the search process, the server returns the data search results if and only if both the attributes and search query match the access policy and indices, respectively. The data user can obtain the original file by decrypting the result using the corresponding symmetric key [37].
Our proposed method for secure computation can also be extended to realize the function of searching over encrypted data. However, we do not consider the access control function because it involves another research topic for access control. To realize the function of keyword-based information retrieval over encrypted data as in [37] and [38], the encryption, search query generation, and search processes are required. In this case, we assume four entities: a data owner (who outsources keyword a 1,1 to cloud servers), a data user (who wishes to search for matching data using search query a 1,2 ), n cloud servers (that perform the search process), and a trusted entity (to realize Condition (3)). However, as mentioned previously, as the data owner does not become an attacker, the data owner can be used to satisfy Condition (3).
In the encryption and search query generation processes, both the data owner (with keyword a 1,1 ) and data user (with search query a 1,2 ) compute the following encrypted data and send them to all servers. We omit the detailed preprocessing that is required to compute the random numbers.
• Encrypted keyword: b 1,1 (a 1,1 + 1) = b 1,1 × (a 1,1 + 1) • Encrypted query: b 1,2 (a 1,2 + 1) = b 1,2 × (a 1,2 + 1) Thereafter, in the search process, by extending Protocol 1.3 such that l = 2 and m i = 1, and changing the addition symbol to the subtraction symbol, k (out of n) servers cooperate to compute the following shares, where the difference between the search query and keyword is encrypted by a random number d: Finally, the computed shares are sent to one of the computing servers for the reconstruction of d (a 1,1 − a 1,2 ). If the search query matches that particular keyword, such that a 1 ,1 = a 1,2 , d(a 1,1 − a 1,2 ) = 0, the servers will send the corresponding encrypted data and random numbers back to the data user for reconstruction, as in Protocol 1.4. Moreover, even if d(a 1,1 − a 1,2 ) ̸ = 0, as mentioned previously, because the difference between the search query and keyword is encrypted by a random number d, no additional information will be leaked except that the result is equal to an unknown random number, thereby realizing a secure search process. Moreover, as both the encryption and decryption processes of our method can be realized without using any symmetric keys, as in [37] and [38], a faster computation time can be achieved.

C. QUALITATIVE COMPARISON WITH CONVENTIONAL METHODS
The SPDZ method is limited to n = k and the method of Araki et al. is limited to n = 3, k = 2. Only in the TUS methods (including those proposed in this paper), can n, k be set to any value, and it is possible to realize the property of server loss resistance (the method of Araki et al. can be used with n = 3, k = 2, but secure computation cannot be performed even if one server is lost).
However, SPDZ can handle malicious adversaries. Moreover, the method of Araki et al. realizes two proposed methods with two different securities: one with information-theoretic security and the other with computational security. Table 3 presents a qualitative evaluation of the proposed method compared to conventional methods.

VIII. IMPLEMENTATION ANALYSIS
We implemented our Proposed Method 1 using C++. Tables  4 and 5 show the times (in microseconds) required to realize secure computation on one machine with an Intel Xeon processor and the parameters n = k = 2. In the implementation shown in Tables 4 and 5, a single machine played the role of both computing servers (S 0 , S 1 ), clients who input l inputs, and players who reconstructed the computation result. The details of the environment that was used in the implementation are as follows.
• CPU: Intel Xeon E-2378G CPU @ 2.80 GHz • Memory: 16.00 GB • OS: Ubuntu Desktop 20.04.5LTS • Code Language: C++ Table 4 displays the results of the implementation of the secure computation phase of Proposed Method 1 to realize an inner-product computation of length l. Inner-product VOLUME 11, 2023   computation is often used for statistical calculations, such as the variance and sum of the squared deviation, and its application range is wide, including the secure search of gene sequences and secure matrix calculation. Furthermore, because the computation is not repeated in the innerproduct computation, communication is not required during the secure computation phase of our Proposed Method 1. The specific algorithm for this corresponds to the case in which m i = 2 in Proposed Method 1. However, as the processes for the preprocessing and encryption of the secret inputs can be performed in advance, these operations are not subject to implementation. It can be observed from Table 4 that Proposed Method 1, which excludes communication from the secure computation, could realize computation very quickly. Moreover, Table 5 shows the time that was required to perform secure computation l = 100 for m i = 3, 4, 5, and 6. The results demonstrate that the time required to perform secure computation increased when m i increased; however, our proposed method still achieved a very fast computing speed.
Moreover, we also compare our previous work on secure computation with our proposed method. The details of the TUS 3 and TUS 3' methods are described in Appendices A and B, respectively. As shown in Appendices A and B, the TUS 3 method requires that the input does not include ''0''; while the TUS 3' method requires that the output (which will be used for the consecutive computation) does not include ''0''. In contrast, our proposed methods solved these by introducing new encryption and correction phases.
The computation was executed as above, where both methods were used to perform an inner-product computation of two l-element vectors with m i = 2. However, to realize a fair comparison under the same conditions with our proposed method, we combined the secure computation proposed in the TUS 3 and TUS 3' methods to perform the same optimized inner-product operation as in our proposed method. That is, the inner-product operation was computed simultaneously using the following computation, without the need for momentarily reconstructing each product. Here, γ , i are random numbers and a i , b i are l-inputs of Players A and B, respectively. Moreover, the encryption of secret inputs a i and b i was performed using Protocol B.1 of the TUS 3' method (shown in Appendix B). However, since we assume n = k, random numbers α i,j and β i,j that made up α i and β i are sent directly to each corresponding server S j instead of secret sharing it using XOR method to all servers. By this, we could demonstrate the benefit of implementing a preprocesing phase. (4) i ] j Table 6 presents the results of this comparison. In the proposed method, because the processes regarding random numbers and communication were moved to the preprocessing phase, the secure computation process only required local computation and can therefore be completed in a significantly shorter time than the TUS 3 and TUS 3' methods, which required additional communications and computations. Moreover, if the TUS 3 and TUS 3' methods are used without any optimization, because the product of each two inputs needs to be reconstructed before computing the sum, an additional communication time will be necessary, as shown in Section VII-A, where the communication time will increase when the number of shares that are required to be collected increases. Moreover, the TUS 3 and TUS 3' methods will also require an additional precondition such that the output of each product does not include ''0'' owing to the lack of a correction phase (the TUS 3 method will also require the condition that the input does not include the value ''0''). Therefore, our proposed method significantly improves our previous work by introducing a preprocessing phase, an extended product-sum operation, and a correction phase.
We also performed a comparison with other related studies on secure computation. Because the SPDZ method communicates two data per server for each multiplication and the Araki et al.'s method communicates one data per server for each multiplication, the SPDZ method communicates a total of 2l data and the Araki et al.'s method communicates a total of l data. However, in Proposed Method 2, even if communication is required when the computation is repeated, each server only needs to send two data points once and does not depend on the number of l. Therefore, when l is large, Proposed Method 2 is also considered to be theoretically faster than the SPDZ method and the method of Araki et al.
In our future study, we will also include a detailed implementation of conventional methods and perform a detailed comparison of the computation time of each method. Moreover, the implementations listed in Tables 4, 5 and 6 were performed without any parallelization. However, we believe that in secure computation based on secret sharing with multiple inputs, parallel computation is essential to improve the computation speed. Therefore, in our future study, we will also consider the question of how to translate our implementation into the realization of parallel computation to achieve a faster computing speed.

IX. CONCLUSION
In this study, we demonstrated that by moving the processes that are concerned with random numbers into a preprocessing phase, a method in which communication does not depend on the number of multiplications and enables high-speed processing is possible. Furthermore, we relaxed the conditions of the TUS methods that realize secure computation with information-theoretic security against semi-honest adversaries, and presented a method that can be realized with only Condition (3). We also showed that the proposed method is the only one that can select any n and k when n ≥ k.
In a future study, we will examine the optimal solution for Condition (3) and construct a secure computation method that is also secure against malicious adversaries. Moreover, we will consider the implementation of parallel computation and perform a detailed comparison with other conventional methods.

APPENDIX A TUS 3 METHOD
In the TUS 2 method, the encrypted secret input and all its corresponding random numbers are secret-shared using Shamir's (k, n) method to all computing servers. Therefore, the TUS 2 method requires significantly large computation, communication, and storage costs when compared to other conventional secure computation methods.
To solve the problem of increase in the computation and communication costs of the TUS 2 method, Tokita et al. proposed the TUS 3 method [39], where XOR method of secret sharing is used instead of Shamir's (k, n) method. Moreover, in the TUS 3 method, the encrypted secrets are not distributed, but are broadcasted to all servers, therefore further eliminating the computation and communication costs of the TUS 2 method.
Here, we will explain the secure computation processes of the TUS 3 method. For ease of understanding, we included the encryption, secure computation, and reconstruction protocols of the TUS 3 method, under the settings of n ≥ k. Since the TUS 3 method is based on the TUS 2 method, the proposed computation is a product-sum operation of three inputs a, b, and c. In the product-sum operation of ab + c; if b = 1, two inputs addition of a + c is possible, and if c = 0, two inputs multiplication of ab is possible.
Note that all inputs a, b, and, c of Players A, B, and C, and all random numbers are derived from non-zero elements of a finite field GF(p). Furthermore, n shares of a variable x computed using the XOR method are denoted by [x] * i (i = 0, . . . , n − 1). In the following, we assume i = 0, . . . , n − 1, and j = 0, . . . , k − 1. Moreover, each server is assumed to hold the following shares of random numbers in advance (Condition 3).
[ε (1)  β j , βb = β × b 4) Player C computes the following random number λ and encrypted secret λ c, and computes n shares [λ j ] * i of k random numbers λ j using XOR method. Then, Player B sends (λ c, [λ j ] * i ) to each server S i .

APPENDIX B TUS 3' METHOD
In the TUS 3 method [39], the secret input is multiplied by a random number before being sent to all servers. However, this introduces a new problem: when the encrypted secret is equal to ''0'' (e.g., αa = 0), the adversary learns that secret a = 0 from the public value αa = 0 (since all random numbers are non-zero elements of GF(p)). Therefore, the inputs in the TUS 3 method must not include ''0''. Tokita et al. proposed a method of solving this by adding a value of ''1'' to the input (e.g., a + 1) before being multiplied with a random number. By this, even if the input a = 0, the encrypted secret α(a + 1) ̸ = 0.
Moreover, as in the TUS 3 method, the TUS 3' method also realizes a single product-sum operation of (ab+c)+1. Therefore, to realize a complex computation such as inner-product computation of (ab+cd)+1: first, input c of the product-sum operation needs to be set such that c = 0 to compute encrypted products of (ab) + 1 and (cd) + 1, then, each encrypted product must be reconstructed before being used for the consecutive computation.
This introduces a new problem: if the reconstructed encrypted product of (ab) + 1 is equal to 0, the adversary will learn that the result (ab) + 1 is equal to 0; therefore, a condition where the result does not include 0 is needed. In contrast, in our proposed method, this limitation is solved by introducing a correction phase in Section VI.
Below, we explain in detail the encryption, secure computation, and reconstruction protocols of the TUS 3' method. Here, inputs a, b, and c are chosen within 0 to p − 2, and all random numbers are non-zero elements of GF(p). Moreover, we assume n ≥ k, i = 0, . . . , n − 1, and j = 0, . . . , k − 1. Moreover, each server is assumed to hold the following shares of random numbers in advance (Condition 3).