Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting...
Transcript of Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting...
![Page 1: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/1.jpg)
Secure Multiparty Computation: Introduction
Ran Cohen (Tel Aviv University)
![Page 2: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/2.jpg)
Scenario 1: Private Dating
Alice and Bob meet at a pub
โข If both of them want to date together โ they will find out
โข If Alice doesnโt want to date โ she wonโt learn his intentions
โข If Bob doesnโt want to date โ he wonโt learn her intentions
![Page 3: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/3.jpg)
Scenario 1: Private Dating
Alice and Bob meet at a pub
โข If both of them want to date together โ they will find out
โข If Alice doesnโt want to date โ she wonโt learn his intentions
โข If Bob doesnโt want to date โ he wonโt learn her intentions
Solution: use a trusted bartender
![Page 4: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/4.jpg)
Scenario 2: Private Auction
Many parties wish to execute a private auction
โข The highest bid wins
โข Only the highest bid (and bidder) is revealed
![Page 5: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/5.jpg)
Scenario 2: Private Auction
Many parties wish to execute a private auction
โข The highest bid wins
โข Only the highest bid (and bidder) is revealed
Solution: use a trusted auctioneer
![Page 6: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/6.jpg)
Scenario 3: Private Set Intersection
Intelligence agencies holds lists of potential terrorists
โข The would like to compute the intersection
โข Any other information must remain secret
MI5 FBI
Mossad
![Page 7: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/7.jpg)
Scenario 3: Private Set Intersection
Intelligence agencies holds lists of potential terrorists
โข The would like to compute the intersection
โข Any other information must remain secret
Solution: use a trusted party
Trust meMI5 FBI
Mossad
![Page 8: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/8.jpg)
Scenario 4: Online Poker
Play online poker reliably
![Page 9: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/9.jpg)
Scenario 4: Online Poker
Play online poker reliably
Solution: use a trusted party
![Page 10: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/10.jpg)
Secure Multiparty Computation
โข In all scenarios the solution of an externaltrusted third party works
โข Trusting a third party is a very strong assumption
โข Can we do better?
โข We would like a solution with the same security guarantees, but without using any trusted party
![Page 11: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/11.jpg)
X
Secure Multiparty Computation
Goal: use a protocol to emulate the trusted party
X XX
![Page 12: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/12.jpg)
The Setting
โข Parties ๐1, โฆ , ๐๐ (modeled as interactive TM)
โข Party ๐๐ has private input ๐ฅ๐
โข The parties wish to jointly compute a (known) function ๐ฆ = ๐ ๐ฅ1, โฆ , ๐ฅ๐
โข The computation must preserve certain security properties, even is some of the parties collude and maliciously attack the protocol
โข Normally, this is modeled by an external adversary ๐ that corrupts some parties and coordinates their actions
![Page 13: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/13.jpg)
Auction Example โ Security Requirements
โ Correctness: ๐ canโt win using lower bid than the highest
โ Privacy: ๐ learns an upper bound on all inputs, nothing else
โ Independence of inputs: ๐ canโt bid one dollar more than the highest (honest) bid
โ Fairness: ๐ canโt abort the auction if his bid isnโt the highest (i.e., after learning the result)
โ Guaranteed output delivery: ๐ canโt abort (stronger than fairness, no DoS attacks)
![Page 14: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/14.jpg)
Security Requirements
โ Correctness: parties obtain correct output (even if some parties misbehave)
โ Privacy: only the output is learned (nothing else)
โ Independence of inputs: parties cannot choose their inputs as a function of other partiesโ inputs
โ Fairness: if one party learns the output, then all parties learn the output
โ Guaranteed output delivery: all honest parties learn the output
![Page 15: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/15.jpg)
Example โ Computing Sumโข Each ๐๐ has input ๐ฅ๐ < ๐ (work modulo ๐)
โข Want to compute โ๐ฅ๐
โข Is the protocol is secure facing one corruption (semi-honest)?
๐ โ โค๐
๐1 = ๐ฅ1 + ๐
๐2 = ๐ฅ2 +๐1
๐3 = ๐ฅ3 +๐2๐4 = ๐ฅ4 +๐3
๐5 = ๐ฅ5 +๐4
๐6 = ๐ฅ6 +๐5
๐6 โ ๐
![Page 16: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/16.jpg)
Example โ Computing Sumโข Each ๐๐ has input ๐ฅ๐ < ๐ (work modulo ๐)
โข Want to compute โ๐ฅ๐
โข Is the protocol is secure facing one corruption (semi-honest)?
โข What about two corruptions?
๐ โ โค๐
๐1 = ๐ฅ1 + ๐
๐2 = ๐ฅ2 +๐1
๐3 = ๐ฅ3 +๐2๐4 = ๐ฅ4 +๐3
๐5 = ๐ฅ5 +๐4
๐6 = ๐ฅ6 +๐5
๐6 โ ๐
![Page 17: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/17.jpg)
How to Define Security
Option 1: property-based definition
โข Define a list of security requirements for the task
โข Used for Byzantine agreement, coin flipping, etc.
โข Difficult to analyze complex tasks
โข How do we know if all concerns are covered?
Option 2: the real/ideal paradigm
โข Whatever an adversary can achieve by attacking a realprotocol can also be achieved by attacking an idealcomputation involving a trusted party
โข Formalized via a simulator
![Page 18: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/18.jpg)
Ideal World1) Each party sends its input to the trusted party
2) The trusted party computes ๐ฆ = ๐ ๐ฅ1, โฆ , ๐ฅ๐3) Trusted party sends ๐ฆ to each party
![Page 19: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/19.jpg)
Real WorldParties run a protocol ๐ on inputs ๐ฅ1, โฆ , ๐ฅ๐
![Page 20: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/20.jpg)
Simulation-Based Security
![Page 21: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/21.jpg)
Simulation-Based Security
โ
Distinguisher ๐
![Page 22: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/22.jpg)
Simulation-Based Security
โ
Distinguisher ๐ Adversary ๐
![Page 23: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/23.jpg)
Simulation-Based Security
โ
Distinguisher ๐Simulator ๐ฎ Adversary ๐
![Page 24: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/24.jpg)
Simulation-Based Security
โ
The distinguisher ๐:
โข Gives inputs to parties
โข Gets back output from parties and from adversary/simulator
โข Guesses which world it is real/ideal
Protocol ๐ securely computes ๐ if โ๐ โ๐ฎ โ๐ distinguishing success is โsmallโ
![Page 25: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/25.jpg)
Sanity check
โ
โข Fairnessโข Correctness
โข Guaranteed output deliveryโข Privacy
โข Independence of inputs
![Page 26: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/26.jpg)
Advantages of this Approach
โข Very general โ captures any computational task
โข The security guarantees are simple to understand Simply imagine a trusted party computes the task
โข No security requirements are โmissedโ
โข Supports sequential modular composition
โ Security remains when secure protocols run sequentially
โ A single execution at a time
โ Arbitrary messages can be sent between executions
โข Useful for modular design of protocols
![Page 27: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/27.jpg)
Sequential Modular Composition
โข Design a protocol in a hybrid model
โ Similar to the stand-alone real world
โ A trusted party helps to compute some functionality ๐
โ In rounds with calls to ๐ no other messages are allowed
โข Theorem (informal)
โ Protocol ๐ securely computes ๐ in the ๐-hybrid model
โ Protocol ๐ securely computes ๐
โ Then, protocol ๐๐ securely computes ๐ in the real world
Replace ideal calls to ๐ with real protocol ๐
![Page 28: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/28.jpg)
The Definition Contโd
A definition of an MPC task involves defining:
โข Functionality: what do we want to compute?
โข Security type: how strong protection do we want?
โข Adversarial model: what do we want to protect against?
โข Network model: in what setting are we going to do it?
![Page 29: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/29.jpg)
The Functionality
โข The code of the trusted party
โข Captures inevitable vulnerabilities
โข Sometimes useful to let the functionality talk to the ideal-world adversary (simulator)
โข We will focus on secure function evaluation (SFE), the trusted party computes ๐ฆ = ๐ ๐ฅ1, โฆ , ๐ฅ๐
โ Deterministic vs. randomized
โ Single public output vs. private outputs
โ Reactive vs. non-reactive
![Page 30: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/30.jpg)
Security Type
โข Computational: a PPT distinguisher
โ The real & ideal worlds are computationally indistinguishable
โข Statistical: all-powerful distinguisher, negligible error probability
โ The real & ideal worlds are statistically close
โข Perfect: all-powerful distinguisher, zero error probability
โ The real & ideal worlds are identically distributed
![Page 31: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/31.jpg)
Adversarial Model (1)
โข Adversarial behavior
โ Semi honest: honest-but-curious. corrupted parties follow the protocol honestly, ๐ tries to learn more information. Models inadvertent leakage
โ Fail stop: same as semi honest, but corrupted parties can prematurely halt. Models crash failures
โ Malicious: corrupted parties can deviate from the protocol in an arbitrary way
![Page 32: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/32.jpg)
Adversarial Model (2)
โข Adversarial power
โ Polynomial time: computational security, normally requires cryptographic assumptions, e.g., encryption, signatures, oblivious transfer
โ Computationally unbounded: an all-powerful adversary, information-theoretic security
![Page 33: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/33.jpg)
Adversarial Model (3)
โข Adversarial corruption
โ Static: the set of corrupted parties is defined before the execution of the protocol begins. Honest parties are always honest, corrupted parties are always corrupted
โ Adaptive: ๐ can decide which parties to corrupt during the course of the protocol, based on information it dynamically learns
โ Mobile: ๐ can โjumpโ between parties Honest parties can become corrupted, corrupted parties can become honest again
![Page 34: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/34.jpg)
Adversarial Model (4)
โข Number of corrupted parties
โ Threshold adversary:Denote by ๐ก โค ๐ an upper bound on # corruptions
No honest majority, e.g., two-party computation
Honest majority, i.e., ๐ก < ๐/2
Two-thirds majority, i.e., ๐ก < ๐/3
โ General adversary structure: Protection against specific subsets of parties
![Page 35: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/35.jpg)
Communication Model (1)
โข Point-to-point: fully connected network of pairwise channels.
โ Unauthenticated channels
โ Authenticated channels: in the computational setting
โ Private channels: in the IT setting
Partial networks: star, chain
โข Broadcast: additional broadcast channel
![Page 36: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/36.jpg)
Communication Model (2)
โข Message delivery:
โ Synchronous: the protocol proceeds in rounds. Every message that is sent arrives within an known time frame
โ Asynchronous (eventual delivery): the adversary can impose arbitrary (finite) delay on any message
โ Fully Asynchronous: the adversary has full control over the network, can even drop messages
![Page 37: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/37.jpg)
Execution Environment
โข Stand alone:
โ A single protocol execution at any given time (isolated from the rest of the world)
โข Concurrent general composition:
โ Arbitrary protocols are executed concurrently
โ An Internet-like setting
โ Requires a strictly stronger definition Captured by the universal composability (UC) framework
โ Impossible in general without a trusted setup assumption (e.g., common reference string)
![Page 38: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/38.jpg)
Relaxing the Definition
โข Recall the ideal world (with guaranteed output delivery)
1) Each party sends its input to the trusted party
2) The trusted party computes ๐ฆ = ๐ ๐ฅ1, โฆ , ๐ฅ๐3) Trusted party sends ๐ฆ to each party
โข This ideal world is overly ideal
โข In general, fairness cannot be achieved without an honest majority [Cleveโ86]
โข A relaxed definition is normally considered
![Page 39: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/39.jpg)
Security with Abort
โข Ideal world without fairness and guaranteed output delivery:
1) Each party sends its input to the trusted party
2) The trusted party computes ๐ฆ = ๐ ๐ฅ1, โฆ , ๐ฅ๐
3) Trusted party sends ๐ฆ to the adversary
4) The adversary responds with continue/abort
5) If continue, trusted party sends ๐ฆ to all partiesIf abort, trusted party sends โฅ to all parties
โข Correctness, privacy, independence of inputs are satisfied
![Page 40: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/40.jpg)
Prevalent Modelsโข In the seminar we will consider:
โ Adversary: semi honest / malicious with static corruptions
โ Synchronous P2P network with a broadcast channel
โ Stand-alone setting
โข Computational setting
โ PPT adversary & distinguisher (computational security)
โ Arbitrary number of corruptions ๐ก < ๐
โ Authenticated channels
โข Information-theoretic setting
โ All powerful adversary & distinguisher (perfect/statistical)
โ Honest majority ๐ก < ๐/2 (if ๐ก < ๐/3 no need for broadcast)
โ Secure channels
![Page 41: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/41.jpg)
Oblivious Transfer
๐0, ๐1 ๐ โ 0,1
๐๐
![Page 42: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/42.jpg)
Feasibility Results
โข Malicious setting
โ For ๐ก < ๐/3, every ๐ can be securely computed with perfect security [BGWโ88,CCDโ88]
โ For ๐ก < ๐/2, every ๐ can be securely computed with statistical security [RBโ89]
โ For ๐ก < ๐, assuming OT, every ๐ can be securely computed with abort and computational security [GMWโ87]
โข Semi-honest setting
โ For ๐ก < ๐/2, every ๐ can be securely computed with perfect security [BGWโ88,CCDโ88]
โ For ๐ก < ๐, assuming OT, every ๐ can be securely computed with computational security [GMWโ87]
![Page 43: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/43.jpg)
Outline of the Seminarโข Lecture 2: definitions
โข Lectures 3-7: semi-honest setting
โ Yaoโs garbled circuit
โ Oblivious transfer
โ GMW protocol [Goldreich, Micali, Wigdersonโ87]
โ BGW protocol [Ben-Or, Goldwasser, Wigdersonโ88]
โ BMR protocol (constant-round MPC) [Beaver, Micali, Rogawayโ90]
โข Lectures 8-11: malicious setting โ GMW compiler
โ IKOS zero-knowledge proof
โ Cut and choose (Yaoโs protocol for malicious)
โ Sigma protocols
โข Lecture 12: specific functionalities (median, PSI)
![Page 44: Secure Multiparty Computation: Introductioniftachh/Courses/Seminars/MPC/Intro.pdfย ยท The Setting โข Parties ๐1,โฆ,๐๐ (modeled as interactive TM) โข Party ๐๐ has](https://reader033.fdocuments.net/reader033/viewer/2022050715/5f34b5a39ab5501f343e808d/html5/thumbnails/44.jpg)
Summary
โข Secure multiparty protocols emulate computations involving a trusted party
โข Impressive feasibility results: every task that can be computed can also be computed securely
โข Many different models and settings
โข Exciting and active field โ many open questions