Introduction to Multi Party Computation

Secure Multi Party Computation
A Brief Introduction
Vineet Kumar
001410501018
Computer Science & Engineering Department
Jadavpur University
April 19, 2018

Introduction
Thirty years have passed since the concept of `secure computation', now
known as `secure multiparty computation', rst appeared in the computing
literature.
Vineet Kumar Secure Multi Party Computation April 19, 2018 2 / 19

Introduction
Thirty years have passed since the concept of `secure computation', now
known as `secure multiparty computation', rst appeared in the computing
literature.
Multi-party computation is a subeld of cryptography with the goal of
creating methods for parties to jointly compute a function over their
inputs while keeping those inputs private.

Introduction - I
1 Can we have an auction without an auctioneer?!
1 Declared winning bid should be correct
2 Only the winner and winning bid should be revealed

Introduction - I
1 Can we have an auction without an auctioneer?!
1 Declared winning bid should be correct
2 Only the winner and winning bid should be revealed
1 Hospitals which can't share their patient records with anyone
1 But want to data-mine on combined data

Motivation
A general problem To compute a function of private inputs without
revealing information about the inputs
Figure: To compute a function of private inputs

The Ambitious Goal
1 Without any trusted party, securely do
Distributed Data mining
E-commerce
Network Games
E-voting
Secure function evaluation

Building Trusted Computation
1 Encryption/Authentication allow us to emulate a trusted channel

2 Secure MPC: to emulate a source of trusted computation

2 Secure MPC: to emulate a source of trusted computation
Trusted means it will not leak a party's information to others
And it will not cheat in the computation

Security Issues
Protocol may leak a party's secrets Clearly an issue
Even if we trust everyone not to cheat in our Protocol

Security Issues
Protocol may leak a party's secrets Clearly an issue
Even if we trust everyone not to cheat in our Protocol
Protocol may give adversary illegal inuence on the outcome
Say in poker, if adversary can inuence hands dealt

Adversary
Adversary means a bad person with not good intentions

Adversary
Adversary means a bad person with not good intentions
Adversary can corrupt any set of players
More sophisticated notion: adaptive adversary which corrupts players
dynamically during/after the execution
Passive vs. Active adversary: Passive adversary gets only read access
to the internal state of the corrupted players. Active adversary
overwrites their state and program.

An Example
An auction, with Alice and Bob bidding
Rules:
A bid is an integer in the range [0,100]
Alice can bid only even integers and Bob odd integers
Person with the higher bid wins

An Example
An auction, with Alice and Bob bidding
Rules:
A bid is an integer in the range [0,100]
Alice can bid only even integers and Bob odd integers
Person with the higher bid wins
Goal: nd out the winning bid (winner amount) without revealing
anything more about the losing bid (beyond what is revealed by the
winning bid)

An Example
Secure protocol:
Count down from 100
At each even round Alice announces whether her bid equals the
current count; at each odd round Bob does the same
Stop if a party says yes

An Example
Secure protocol:
Count down from 100
At each even round Alice announces whether her bid equals the
current count; at each odd round Bob does the same
Stop if a party says yes
Dutch ower auction

Practical Implementations
Figure: Sugar beets
Danish Farmers can now bet in secure way for contracts to deliver sugar
beets. see [1]

Practical Implementations I
Distributed Cryptography can also be used in this way :-
Lets we have a secret key sk and we don't want to store it on my machine

Practical Implementations I
Distributed Cryptography can also be used in this way :-
Lets we have a secret key sk and we don't want to store it on my machine
Solution:
Share sk between n machines P1, P2, P3, P4..., Pn .
Sign in a distributed way. see [2]

Secret Sharing
Figure: Secret Sharing

Secret Sharing More formally
Every Secret Sharing Protocol consists of
A Sharing Procedure (S1, S2, ...Sn ) = share(S)
A Reconstruction Procedure
for any i1, i2, ....., im we have S = reconstruction (Si 1, Si 2, .....Sim )
A Security Condition
for every S, S and every i1, i2, ....., im−1 :
(Si 1, Si 2, .....Sim−1) and (Si 1, Si 2, .....Sim−1) are distributed identically.

Shamir Secret Sharing I
f is a random polynomial over degree n such that f (0) = s

Shamir Secret Sharing II
RECONSTRUCTION:
Given f (i1), f (i2)..., f (im ) can interpolate the polynomial f in point 0.
SECURITY:
One can show that f (i1), f (i2)..., f (im−1) are independent on f(0).
[Beyond Scope]

RECONSTRUCTION:
SECURITY:
[Beyond Scope]
1 Addition is easy

RECONSTRUCTION:
SECURITY:
[Beyond Scope]
1 Addition is easy
2 As Polynomials are homomorphic with respect to addition

Polynomials are homomorphic wrt addition

Many Platform Implementations
Many Implementations:
Fairplay, Vi, Sharemind, Scapi, Obliv-C, Obliv-M

Bibliography
1 Bogetoft, Peter, et al. Secure multiparty computation goes live.
International Conference on Financial Cryptography and Data Security.
Springer, Berlin, Heidelberg, 2009.
2 Gennaro, Rosario, et al. Robust threshold DSS signatures.
International Conference on the Theory and Applications of
Cryptographic Techniques. Springer, Berlin, Heidelberg, 1996.
3 Goldwasser, Sha. Multi party computations: past and present.
Proceedings of the sixteenth annual ACM symposium on Principles of
distributed computing. ACM, 1997.
Thank youvntkumar8@gmail.com

Introduction to Multi Party Computation

More Related Content

What's hot

Similar to Introduction to Multi Party Computation

Recently uploaded

In this document

Introduction to Multi Party Computation