Markus Jakobsson Bell Laboratories
Ari JuelsRSA Laboratories
Mix and Match:A Simple Approach to
General Secure Multiparty Computation
+
What is secure multiparty computation?
The problem
Alice Bob
a b
f(a,b)
f(a,b)
The problem
f
Black Box
Alice Bob
a b
a b
Richie Rich
is richer
Who’s
richer?
Millionaires’ Problem
>
Worth $a Worth $b
Auctions
Bob
$810
f
Alice
Bob
Edgar
Cate
What’s in the black box?
Trusted third party?
TrustedParty
We want to do without!
Tamper-resistant hardware
Alice Bob
a b
f(a,b)
But we don’t want to rely on hardware!
Secure multiparty computation
Alice Bob
a b
Alice and Bob simulate circuit
f(a,b)
Other methods
Complex Recently becoming somewhat practical
Simulate full field operations
gate involves local computation
gate requires rounds of verifiable secret sharing
Our method: Mix and match
Conceptually simple Simulates only boolean gates directly Very efficient for bitwise operations, not
so for others Some pre-computation possible
Some previous work
Yao– Use of logical tables (two-player)
Chaum, Damgård, van de Graaf– Multi-party use of logical tables
(for passive adversaries)
Mix and Match(Non-private)
Non-private simulation: OR gate
a b a b
0
0
1
1
0
1
0
1
0
1
11
1 0
Non-private simulation: OR gate
BobAlice
a ba b a b
0
1
1
1
0
1
0
1
1
1
0 00 0=?
0 01 0 0 0
0 1=?
01 0 0 1
1 0=?
1 0 a b = 11
Mix and Match
Alice Bob
a b
Alice and Bob simulate circuit
f(a,b)
Mix and Match(Private)
First tool: Mix network (MN)
plaintext 1
plaintext 2
plaintext 3
plaintext 4
Randomly permutes and encrypts inputs
Mix network (MN)
Second tool: Matching orPlaintext equivalence decision
(PED)
Ciphertext 1 Ciphertext 2
=?
Reveals no information other than equality
Mix and Match
Step 1: Key sharing between Alice and Bob -- public key y
Step 2: Alice and Bob encrypt individual bits under y
Alice
Bob
a
b
a
b
Step 3: Alice and Bob mix tables
a b a b
0
1
1
1
0
1
0
1
1
1
0 0
a b a b
Mix network (MN)
Permute and encrypt rows
Step 4: Matching using PED, i.e., Table lookup
Find matching row
ba =?
ba =?
a b a b
a b =
Repeat matching on each table for entire circuit
f(a,b) =
f(a,b)
Decrypting f(a,b)
Step 5: Decrypt f(a,b)
f(a,b)
Alice
Bob
Some extensions
Easy to have multiple parties participate “Mixing” and “matching” can be
performed by different coalitions We can get XOR for “free” using
Franklin-Haber cryptosystem
Privacy and Robustness
As long as more than half of participants are honest…
Computation will be performed correctly No information other than output is
revealed Security in random oracle model
reducible to Decision Diffie-Hellman problem
Low cost Very low overall broadcast complexity:
O(Nn) group elements– N is number of gates– n is number of players– Equal to that of best competitive methods
O(n+d) broadcast rounds– d is circuit depth
Computation: O(Nn) exponentiations for each player
Questions?
+?
Top Related