COVERT MULTI-PARTY COMPUTATION YINMENG ZHANG ALADDIN REU 2005 LUIS VON AHN MANUEL BLUM

JUST THE ANSWER PLEASE WHAT CAN WE KEEP SECRET? INPUTS PARTICIPATION [FROM OUTSIDERS] PARTICIPATION [FROM EACH OTHER]

R 1,R 2,R 3 SECRET + R 1 +R 2 +R 3 R1R1 R2R2 R3R3 SECURE COMPUTATION  KEEP INPUTS SECRET SPLIT THE SECRETS INTO RANDOM SHARES 2-PARTY COMPUTE ON SHARES RECOMBINE ANSWE R+ R 1 +R 2 +R 3 R1R1 R2R2 R3R3

STEGANOGRAPHY  EXTERNAL COVERTNESS EXTERNAL OBSERVERS DON’T NOTICE ANYTHING WEATHER SURE IS NICE THINK OF IT AS A CLEVER HASH 10011

WE CAN HASH ANY MESSAGE [EVEN IF THE SENDER HONESTLY WANTED TO TALK ABOUT THE WEATHER] CAN WE DO SOMETHING CLEVER WITH THAT?

COVERT COMPUTATION  INTERNAL COVERTNESS EVEN THE OTHER PARTIES DON’T KNOW YOU’RE COMPUTING! WEATHER SURE IS NICE RANDOM OR PSEUDO- RANDOM ??? WHAT DO YOU MEAN “DON’T KNOW”? THREE DEFINITIONS AND PROOFS/DISPROOFS OF FEASIBILITY

COVERT TWO PARTY COMPUTATION: VON AHN,HOPPER,LANGFORD

COVERT TWO-PARTY COMPUTATION AFTER LEARNING F(X,Y), EACH PARTY CAN ONLY TELL WHETHER THE OTHER PARTICIPATED IF THEY CAN DISTINGUISH F(X,Y) FROM RANDOM BITS EXTERNAL COVERTNESS INTERNAL COVERTNESS NO OUTSIDE OBSERVER CAN TELL IF THE TWO PARTIES ARE RUNNING A COMPUTATION OR JUST COMMUNICATING AS NORMAL ASSOCIATE REVEALING OTHER PARTIES WITH SUCCESSFUL OUTPUT

COULD WE GET THE ANSWER WITHOUT EVER REVEALING WHO WAS COMPUTING?

A SIMPLE WORLD [GIVEN STEGO] A ROOM OF SLEEPING PARTIES SNORING 0s AND 1s AT RANDOM SOME PARTIES ARE AWAKE AND “SNORING” PSEUDO- RANDOMLY

COULD WE GET THE ANSWER WITHOUT REVEALING GUILT? AT THE END OF THE PROTOCOL: –OUR INPUT –THE ANSWER –TRANSCRIPT OF ALL COMMUNICATIONS PROTOCOL SHOULD GIVE: –ANSWER WRONG WITH NEGLIGIBLE [<1/POLY] PROBABILITY –NEGLIGIBLY BETTER CHANCE OF GUESSING WHO’S ASLEEP THAN WITH JUST INPUT AND ANSWER

COULD WE GET THE ANSWER WITHOUT REVEALING GUILT? EXAMPLE: VOTING IN A SECRET ORGANIZATION IF, SAY, MORE THAN HALF THE PEOPLE ARE PARTICIPATING, CAN WE DETERMINE A NEW LEADER?

INFORMATION THEORY POV COMPUTATIONAL COMPLEXITY POV NO.

SIMPLIFYING FURTHER: AWAKE PARTY’S POINT OF VIEW W S/W W/S THREE PLAYERS FORGET ABOUT HIDING INPUTS [SAY WE ARE CALCULATING THE XOR] ONE PERSON IS ASLEEP; CAN I TELL WHICH?

THOUGHT EXPERIMENT: INFORMATION THEORETIC VIEW W:A BIT S/W W/S THE OTHER BIT INFORMATION GETS TO THE AWAKE PARTY ONE CHANNEL IS RANDOM - THE OTHER MUST NOT BE!

COMPUTATIONAL COMPLEXITY VIEW EVEN PUBLIC KEY CRYPTO BREAKS IN INFORMATION THEORETIC MODEL IDEA: NORMALLY, WE CAN’T MODEL THE OTHER PARTIES – BUT SNORING IS JUST RANDOM THE AWAKE PARTY’S ALGORITHM SHOULD WORK REGARDLESS OF SNORER’S INPUT

COMPUTATIONAL COMPLEXITY VIEW: PROOF IDEA CONSIDER THE LAST ROUND OF COMMUNICATION WHAT HAPPENS IF WE REPLACE ONE OF THE MESSAGES WITH RANDOM NOISE? IF THE ALGORITHM DOESN’T BREAK – THE LAST ROUND WASN’T HELPFUL!

THAT’S NOT RANDOM I GUESS EVERYONE’S AWAKE CHANGE OF DEFINITION CONCLUSION: SNORING PEOPLE SUCK TOO HARD TO PROTECT THEM! COULD WE HAVE INDISTINGUISHABLE PARTIES UNLESS A NON-RANDOM ANSWER IS OUTPUTTED? RESULT: ASSOCIATE REVEALING OTHER PARTIES WITH SUCCESSFUL OUTPUT

YES.

COVERT COMPUTATION  SNORERS GIVE RANDOM RESULTS A BAD COMPUTATION THROWS EVERYTHING ELSE OFF RESULT RANDOM SPLIT THE SECRETS INTO RANDOM SHARES COVERT 2- PARTY COMPUTE ON SHARES RECOMBINE

MALICIOUS PARTIES SNORERS ARE A KIND OF MALICIOUS PARTY YET WE WANT TO PROTECT THEM [IF WE KNOW THE SNORERS, THEN WE KNOW WHO WAS AWAKE] CAN WE FIDDLE THE DEFINITION INTO HANDLING MALICIOUS PARTIES SENSIBLY?

THANK YOU!