1. Cryptographic protocols 2016, Lecture 9 multi-party computation
Helger Lipmaa
University of Tartu, Estonia

2. up to now Two-message two-party protocols
Can compute everything in 2 messages, good comm.
Can be extremely slow
Multi-message two-party protocols
Same, but faster
Needs many rounds

3. multi-party computation
MULT/EQ/... protocols generalize to n parties
assuming appropriate secret sharing
Both computational and information-theoretic setting possible
Comp. setting: secure if somebody is honest
Inf.-th. setting: secure if majority is honest

4. Can take t = 1 (need to only trust yourself)
today
Generalizing the last lecture to n > 2 parties
Security based on DDH (and trust: t honest)
Information-theoretically secure protocol
Security based on trust alone (majority honest)
BGW protocol (Ben-Or, Goldwasser, Wigderson)
Can take t = 1 (need to only trust yourself)
Need: t > n / 2 honest
Note: since we are interested in semihonest model, here by honest we mean that we trust that no t parties (no t-coalition) are going to pool their inputs together

5. (n,t)-threshold encryption
Assume we have n > t parties
Every party generates her random key yi and public key hi
Let h be the joint public key
Completeness:
given access to h, Ench (m), and at least t different secret keys, one can efficiently recover m
IND-CPA under (t - 1)-corruption:
given access to h, Ench (m), and at most t - 1 different secret keys, an efficient adversary cannot break IND- CPA

6. IDEA: secret sharing (2,2) case: y = y0 + y1 (mod q)
Completeness: from y0 and y1 one can recover y
Hiding: if yi is random, then just knowing y1 - i does not give any information about y
We need the same for arbitrary (n, t), t < n

7. QUIZ: (n, n)-secret sharing
Assume the case (n, t = n)
Question:
how to combine y from (y1, ..., yn) so that no n - 1 parties can obtain any information about y? y₁

8. QUIZ: (n, n)-secret sharing
Assume the case (n, t = n)
Question:
how to combine y from (y1, ..., yn) so that no n - 1 parties can obtain any information about y?
Answer:
generalization of (2, 2)
y = y yn (mod q) y y1 y2 y0 y₁

9. quiz: General case Assume the case (n, t) for any t < n Question:
how to combine y from (y1, ..., yn) so that no t - 1 parties can obtain any information about y?
Answer:
not so simple anymore
need secret sharing

10. Shamir secret sharing
Choose random yi ∈ ℤq for all 1 ≤ i ≤ t, t ≤ n ≤ q - 1
Construct a degree-(t - 1) polynomial f : ℤq → ℤq
s.t. f (i) = yi for 1 ≤ i ≤ t
Such a polynomial exists and is unique
Found by using interpolation (again!)
Send ith secret share yi = f (i) to party i ∈ {1, ..., n}
= 1, x = xi
= 0, x = xj for j ≠ i
∑ yi li (xj) = yj

11. quiz: what is the secret?
Note: instead of 0, one can use any point not in {1, ...., n}
(Answer:) secret: y := f (0) = ∑ yi li (0)
Given f (i) for any t inputs 1 ≤ i ≤ n:
since f has degree-(t - 1), can recover f by using interpolation
... thus can recover f (j) for any other input, including f (0)
Given f (i) for any t - 1 inputs 1 ≤ i ≤ n:
for any s', there exists a unique t - 1 degree polynomial g that agrees with f (i) on these t inputs and has g (0) = s'
g is obtained from interpolating (s', ..., f (i), ...) at (0, ..., i,...)

12. Threshold (n,t)-elgamal
For i = 0 to t - 1: fi ← ℤq
f (x) ← ∑i ∈ [0, t - 1] fi xi
For i = 1 to n: yi ← f (i)
y ← f (0)
pk = h ← gy
Dealer
h, y1
h, y3
h, yn
h, y2

13. Threshold (n,t)-elgamal
h1= gy1, y1
h3 = gy3, y3
c = (c1, c2) = Enc(m; r) = (gmhr, gr)
Note: Dec* is the same function as in the last lecture
h2 = gy2, y2
h4 = gy4, y4
d3 = ... = c₂y₃
d1 = Dec* (y1, c) := c2y₁
d4 = c₂y₄
Dec({yi}, c) = log (c1 / ∏ di lᵢ (0))

14. thr-elgamal: correctness
Enc (m; r) = (gmhr, gr), di = c2 yᵢ for i ∈ {x1, …, xt}
∏i di lᵢ(0) = ∏i g ryᵢ lᵢ(0) = g r ∑ᵢ yᵢ lᵢ(0) = gr f (0) = gry = hr
Thus log (c1 / ∏ dᵢlᵢ (0)) = log (gmhr / hr) = m
= gryᵢ

15. remarks Dealing can be done without a trusted third party
beyond this lecture course
If users are semihonest, can take any n ≥ t
For decryption, at least t must be present
Also works when a minority of users is malicious
then n ≥ 2t + 1 (beyond this lecture course)
Choice of t depends on application: sometimes it is good to be able to threshold-decrypt with small t, but then need each coalition of t parties to only decrypt "allowed values" (i.e., be semihonest)

16. information-theoretic MPC
Everything up to now: only computationally secure
secure only under some comput. assumption
(except one-time pad)
Important:
one can avoid this in the honest majority model
Cost: additional trust (majority is honest)
The famous “BGW" protocol. See slides of Benny Pinkas at
for more information

17. recall: ideal model Trusted third party TTP a b a ∈ S1 b ∈ S2 fa(a, b)
fb(a, b)

18. semihonest real model Protocol a ∈ S1 b ∈ S2 fa(a, b) fb(a, b)
Goal: (under a cryptographic assumption) semihonest parties should not gain more information than needed

19. MPC model Majority honest
No information is leaked, given a majority of parties is honest
All n parties can have an input and an output
Majority honest
Share your input between others
Perform computation on shares
Send shares of outputs to others
Reconstruct your output

20. Majority-honest model:
remarks
Ideal model
assume exists a trusted party
and secure communication channels...
everything is trivially secure
Real model
trust nobody but yourself
need cryptographic assumptions to get security
Majority-honest model:
trust that a majority of parties is honest. Not as trivial as ideal model, but can still achieve security without assumptions

21. Notation: [a]i is i's share of a
step 1: input sharing
Notation: [a]i is i's share of a
Inp: s1
Inp: s2
{[si]2}i
{[si]1}i
{[si]j}j ← share (i, si)
Inp: s3
Inp: sn
{[si]3}i
{[si]n}i

22. step 2: evaluation of circuit
s1, [a]1, [b]1
s2, [a]2, [b]2
for each gate, from bottom to top:
if ADD(a, b, c) gate: [c]i ← [a]i + [b]i
if MULT(a, b, c) gate: [c]i ← mult (i, [a]i, [b]i)
s3, [a]3, [b]3
sn, [a]n, [b]n

23. step 3: recovering outputs
s1, {[yj]1}j
s2, {[yj]2}j
// i does:
For each j ≠ i: send [yj]i to j
Wait until
has received [yi]j from at least t - 1 parties j
Reconstruct yi (by using interpolation)
s3, {[yj]3}j
sn, {[yj]n}j

24. input sharing Input: s1 Input: s2 Input: s₃ Input: sn [s1] 1 [s1] 2
function share (i, si):
For j = 1 to t - 1 : fij ← ℤq
fi0 ← si
fi (x) ← ∑j ∈ [0,t - 1] fij xj
// fi (0) = si
For all j = 1 to n: evaluate fi (j)
For all j = 1 to n: [si]j ← fi (j)
[s1] 2
[s1] 3
[s1]n
Input: s₃
Input: sn

25. input sharing Input: s1 Input: s2 Input: s3 Input: sn share (2, s2)
share (n, sn)
Input: s3
Input: sn

26. why it works For each i: Each party j ≠ i gets value [si]j = fi (j)
Since deg f = t - 1, any t parties can reconstruct si
by pooling their shares and using interpolation
No t - 1 parties (not involving i) can reconstruct si

27. efficiency: input sharing
Computation:
multipoint evaluation: n polynomial evaluations to compute all fi (j)
Θ (n2) mult-s in ℤq by using "obvious" algorithm
Special "multipoint evaluation" algorithm: Θ (n log n) mult-s in ℤq
function share (i, si):
For j = 1 to t - 1 : fij ← ℤq
fi0 ← si
fi (x) ← ∑j ∈ [0,t - 1] fij xj
// fi (0) = si
For all j: evaluate fi (j)
For all j: [si]j ← fi (j)
does not really matter: in most applications, n is very small

28. efficiency of sharing Communication:
each party sends and receives (n - 1) log q bits
Total comm.: (n - 1)n log q
Rounds:
1 (everything in parallel; no delay)
We will not deal with the question of the size of q; q is approximately lower-bound by n + 1 and the "data size". In many applications log q = 20 might be ok

29. Private addition Input: party i has shares [a]i, [b]i of a and b
Output: party i has share [c]i = [a]i + [b]i of c = a + b
Needed:
generate a random degree-(t - 1) polynomial C, with restriction that C (0) = A (0) + B (0)
Quiz: how?

30. Thus if input shares are random, then output shares are random
private addition
Need: generate a random degree-(t - 1) polynomial C, with restriction that C (0) = A (0) + B (0)
Solution: define C (x) = A (x) + B (x)
C (0) = A (0) + B (0)
C (i) = [c]i = [a]i + [b]i = A (i) + B (i)
C (i) is random if at least one share is random
Party i locally computes [c]i by doing 1 addition
Thus if input shares are random, then output shares are random

31. private multiplication
Input: party i has shares [a]i = A (i), [b]i = B (i) of a and b
Output: party i has share [c]i of c = ab
Needed: generate polynomial C of degree t - 1 which is random, except C (0) = A (0) · B (0)
Quiz: define C (x) = A (x) · B (x) --- is it ok?
partly: C (0) = A (0) · B (0)
no: C is not random, and it also has degree up to 2t - 2

32. private multiplication
Recall: C (x) = A (x) B (x)
not random, has degree 2t - 2
Need: 2t - 2 ≤ n
also: if n / 2 parties pool their data, they get a degree n polynomial => hence t < n / 2

33. private multiplication
Idea: party i has [a]i[b]i = C (i)
He creates a random polynomial Di of degree t - 1, s.t. Di (0) = [a]i[b]i
… and shares it
Denote D (x) := ∑i∈[1,n] Di (x) li (0)
D (0) = ∑i Di (0) li (0) = ∑ [a]i[b]i li (0)
= ∑ C (i) li (0) = C (0) = ab (secret)
The new share of ab is
[ab]i = ∑j∈[1,n] Dj(i) lj (0) = g (i)
function mult (i, ai, bi):
For j = 1 to t - 1: Dij ← ℤq
Di0 ← [a]i · [b]j
Di (x) ← ∑j∈[0,t-1] gij xj
// gi (0) = [a]i · [b]i
For all j: evaluate Di (j)
For j ≠ i: send Di (j) to j
Wait until
received Dj (i) from all j ≠ i
Set [ab]i ← ∑j Dj (i) lj (0)
D(X) is a random polynomial, not known by any single party, s.t. D (0) = ab

34. efficiency per party Computation:
dominated by multipoint evaluation and interpolation
Computing all lj (0)
Θ (n log n) mod q multiplications
Communication:
(n - 1) log q bits per party
Rounds: 1
function mult (i, ai, bi):
For j = 1 to t - 1: Dij ← ℤq
Di0 ← [a]i · [b]j
Di (x) ← ∑j∈[0,t-1] gij xj
// gi (0) = [a]i · [b]i
For all j: evaluate Di (j)
For j ≠ i: send Di (j) to j
Wait until
received Dj (i) from all j ≠ i
Set [ab]i ← ∑j Dj (i) lj (0)

35. reconstruction of secrets
For each party i with private output yi:
Obtain at least t - 1 shares [yi]j of yi from other parties
Use interpolation to compute y from them

36. security
Every set of t - 1 players receives in each round values that are (t - 1)-wise independent, and thus uniformly distributed
Hence no information about the actual wire values is leaked
(t - 1)-wise independence means intuitively: each (t - 1)-dimensional subvector of the full vector (x1,…,xn) looks random

37. circuit eval: efficiency
Let M be the number of multiplication gates
Computation:
Dominated by appr. M multipoint evaluations / interpolations
Θ (Mn log n) operations in ℤq
Communication:
Approx. Mn messages or Mn log q bits per party
Rounds:
multiplicative depth of circuit
Additions/multiplications only. No expensive cryptographic operations!
Recall: n is small, so overhead compared to non-private computation is minimal

38. Comparison Rounds Trust BDD-based Comp. assmpt. Comp. MPC
Communication
Computation
Trust
BDD-based
Comp. assmpt.
Comp. MPC
Inf theor. MPC
"majority are honest"

39. Tradeoffs Efficiency:
More efficient with a smaller number n of parties
Trust:
With larger n, tolerance against a larger number t of corrupted parties
In practice, n depends on application:
how many parties are needed, how many applicable, how many we can trust...?

40. next lecture Garbled circuits very good computation, rounds
bad communication