Secure Multi-party Computations (MPC)
A useful tool to cryptographic applications
Vassilis Zikas

• The problem:
There is given a set of parties (players, computers, authorities...) who want to do a joint computation but may not trust each other!!!

Example (the millionaires' problem):
There are 2 millionaires who want to find out who is richer (without, of course, revealing to each other the exact amount of money they own).

Obvious solution: Existence of a fully Trusted Party (TP)
• All players send their values to the TP
• The TP does the computation and sends each player what he is supposed to know

Goal of MPC
Simulate the TP (when such doesn't exist) via a protocol among the parties.

Special case of MPC:
Secure function evaluation (SFE):
n players want to compute a function of their inputs without giving them away (actually the function can output n values of which only the i-th should be known to the i-th player).

e.g.
a. e-voting (f = sum of votes)
b. $f: \mathbb{N}^n \to \mathbb{N}^n$ where $p_n$ learns only $f_n(x_1, \dots, x_n)$

Difficulty???
Dishonest players (adversary)!!!

Adversary types:
1. Passive: All the corrupted players follow the protocol but the adversary can see everything they see.

2. Fail: The corrupted player might stop sending messages at some point of the execution.

3. Active: (Most general) The adversary can see what the corrupted players see, and he can force them to misbehave arbitrarily.

Categories (according to the communication channels and the resources of the adversary)

1. Secure Channels Model:
The parties communicate via secure authenticated channels
• Perfect (information-theoretic) security.
• Unconditional security (small error-probability)
2. Cryptographic model

Not good when p1 is corrupted

Broadcast (definition):
input: $x_1$, outputs: $y_1, \dots, y_n$

1. (consistency): All honest players have the same output y.

2. (validity): If the sender is honest then all the honest players output $x_1$.

3. (termination): Every player ends with an output.

Consensus (Agreement) (definition):
input: $x_1, \dots, x_n$, outputs: $y_1, \dots, y_n$

1. (consistency): All honest players have the same output y.

2. (validity): If all honest players have input x then all the honest players output y=x.

3. (termination): Every player ends with an output.

Secret sharing (threshold case):

Player p wants to share a secret s to players $p_1, \dots, p_n$ in a way that
• the shares of any t players (put all together) give no information about s,
• the shares of t+1 players uniquely define s

Shamir's secret sharing:
Vector $(a_1, \dots, a_n)$ is publicly known.
Sharing phase:
• p chooses a random polynomial $q(\cdot)$ of degree t where the constant term is s (i.e. $q(0)=s$).
• p sends $q(a_i)$ to player $p_i$.
Reconstruction phase:
In order for $p_i$ to learn the secret s all players send him their shares and he applies Lagrange's interpolation:

MPC (secure channels - passive case)
INVARIANT: The inputs and the results of the computations remain shared to the players throughout the protocol.

1. Inputs Sharing:
Every player $p_i$ shares his input (Shamir's SS Scheme) using a random polynomial $q_i(\cdot)$.

2. Computation:
i. Addition: Can be done without interaction locally.
ii. Multiplication: (BOARD)

3. Reconstruction (towards $p_j$)
All players send their shares of the output to $p_j$ and he does the reconstruction
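
Added example (not part of the original slides): Shamir's sharing and Lagrange reconstruction, combined with the passive-case steps above (input sharing, local addition, reconstruction) for the e-voting function f = sum of votes. The prime modulus P, the evaluation points 1..n and all function names are assumptions made for this sketch; multiplication is not covered.

```python
import secrets
from itertools import combinations

P = 2**61 - 1  # prime modulus; an assumption, the slides do not fix a field

def share(s, t, alphas):
    """Dealer: random degree-t polynomial q with q(0) = s; p_i receives q(a_i)."""
    coeffs = [s % P] + [secrets.randbelow(P) for _ in range(t)]
    shares = []
    for a in alphas:
        acc = 0
        for c in reversed(coeffs):          # Horner evaluation of q(a) mod P
            acc = (acc * a + c) % P
        shares.append(acc)
    return shares

def reconstruct(points):
    """Lagrange interpolation at x = 0 from at least t+1 pairs (a_i, share_i)."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def shared_sum(inputs, t, alphas):
    """Every p_i shares its input; each p_k then adds the shares it holds, locally."""
    dealt = [share(x, t, alphas) for x in inputs]   # dealt[i][k]: p_k's share of x_i
    return [sum(col) % P for col in zip(*dealt)]    # p_k's share of the sum

def tally(votes, t):
    """Reconstruction towards one player: every (t+1)-subset must agree."""
    alphas = list(range(1, len(votes) + 1))         # public, distinct, non-zero
    points = list(zip(alphas, shared_sum(votes, t, alphas)))
    results = {reconstruct(list(sub)) for sub in combinations(points, t + 1)}
    assert len(results) == 1
    return results.pop()

if __name__ == "__main__":
    print(tally([1, 0, 1, 1, 0], t=2))   # constructed votes
```

Addition needs no interaction because the sum of degree-t polynomials is again a polynomial of degree at most t whose constant term is the sum of the secrets.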

When active adversaries are considered, SS is not enough (why?); we need Verifiable SS!!!

Difference:
• The dealer is committed to the value he shares (therefore verifiable)

• All players are committed to the values they've received

Mixed (Active+Passive+Fail) Model:

There is an MPC protocol for any specification iff
$3t_a + 2t_p + t_f < n$

General Adversaries:

• Adversary structure $Z = \{(A_i, P_i, F_i)\}$

• $A_i$ = {set of players that can be actively corrupted by adversary $Z_i$}

• $P_i$, $F_i$ similarly defined

• Z is a monotone set
• Z can be characterized by the class of maximal sets (Base of Z ( )).

We will consider only Active + Passive corruption for the general adversaries

Results for General Adversaries: (secure channels model)

MPC (Perfect security): Q(3,2)

MPC (Unconditional security), BC is given: Q(2,2)

MPC (Unconditional security): Q(2,2) ∧ Q(3,0)