lecture 10 - multi-party computation protocols
DESCRIPTION
Lecture 10 - Multi-Party Computation ProtocolsTRANSCRIPT
![Page 1: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/1.jpg)
Lecture 10 Multi-party Computation Protocols
Stefan DziembowskiUniversity of Rome
La Sapienza
![Page 2: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/2.jpg)
Plan
1. Definitions and motivation2. Security against the threshold
adversaries1. overview of the results2. overview of the constructions
3. General adversary structures4. Applications
![Page 3: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/3.jpg)
Multi-party computations (MPC)
P5
P1
P3P2
P4
input a1input a1
input a2input a2 input a3input a3
input a4input a4
input a5input a5
they want to compute some value
f(a1,a2,a3,a4,a5)for a publicly-known f.
they want to compute some value
f(a1,a2,a3,a4,a5)for a publicly-known f.
a group of parties:
Before we considered this problem for n = 2 parties.
Now, we are interested in arbitrary groups of n parties.
Before we considered this problem for n = 2 parties.
Now, we are interested in arbitrary groups of n parties.
outputf(a1,a2,a3,a4,a5)
outputf(a1,a2,a3,a4,a5)
![Page 4: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/4.jpg)
Examples
P5
P1
P3P2
P4
input a1input a1
input a2input a2 input a3input a3
input a4input a4
input a5input a5
A group of millionaires wants to compute how much money they own together.f(a1,a2,a3,a4,a5) = a1+a2+a3+a4+a5
Another example: votingAnother example: voting
![Page 5: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/5.jpg)
The general settingsEach pair of parties is
connected by a secure channel.
(assume also that the network is synchronous)
Some parties may be corrupted.
The corrupted parties may act in coalition.
P5
P1
P3
P2
P4
![Page 6: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/6.jpg)
How to model the coalitions of the corrupted parties?
We assume that there exists one adversary that can corrupt several parties.
Once a parity is corrupted the adversary “takes control over it”.
what it means depends on the settings
what it means depends on the settings
![Page 7: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/7.jpg)
Threshold adversaries
In the two-party case we considered an adversary that could corrupt one of the players.
Now, we assume that the adversary can corrupt some subset of the players.
The simplest case:set some threshold t < n and allow the adversary to
corrupt up to t players.
![Page 8: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/8.jpg)
Examplen = 5, t = 2
P5P5
P1P1
P3P3P2P2
P4P4
![Page 9: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/9.jpg)
Types of adversariesAs before, the adversary can be:• computationally bounded, or• infinitely powerful,and• passive• active
These choices are orthogonal!
computationally bounded
infinitely powerful
passive
active
all those choices make
sense!
all those choices make
sense!
![Page 10: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/10.jpg)
Adaptivness
In addition to it the adversary may be
• adaptive – he may decide whom to corrupt during the execution of the protocol, or
• non-adaptive – he has to decide whom to corrupt, before the execution starts.
![Page 11: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/11.jpg)
The security definitionThe security definition is complicated and we do not present it here.
Main intuition: the adversary should not be able to do more damage in the “real” scenario than he can in the “ideal” scenario.
Remember the two-party case?
AA BB
f(A,B)f(A,B) f(A,B)f(A,B)
AA BB
f(A,B)f(A,B) f(A,B)f(A,B)
AA
f(A,B)f(A,B) f(A,B)f(A,B)
BBprotocol
πprotocol
π
“ideal” scenario“real” scenario
![Page 12: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/12.jpg)
The “real scenaro”
P5
P1
P3P2
input a1input a1
input a2input a2 input a3input a3
input a4input a4
input a5input a5
output:f(a1,...,a5)output:
f(a1,...,a5)
output:f(a1,...,a5)output:
f(a1,...,a5)
output:f(a1,...,a5)output:
f(a1,...,a5)output:
f(a1,...,a5)output:
f(a1,...,a5)
output:f(a1,...,a5)output:
f(a1,...,a5)
P4protocol πprotocol π
![Page 13: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/13.jpg)
The “ideal” scenario
P5
P1
P3P2
input a1input a1
input a2input a2 input a3input a3
input a4input a4
input a5input a5
output:f(a1,...,a5)output:
f(a1,...,a5)
output:f(a1,...,a5)output:
f(a1,...,a5)
output:f(a1,...,a5)output:
f(a1,...,a5)output:
f(a1,...,a5)output:
f(a1,...,a5)
output:f(a1,...,a5)output:
f(a1,...,a5)
P4
computes fcomputes f
![Page 14: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/14.jpg)
Plan
1. Definitions and motivation2. Security against the threshold
adversaries1. overview of the results2. overview of the constructions
3. General adversary structures4. Applications
![Page 15: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/15.jpg)
Classical resultsQuestion:For which values of the parameter t multi-party computations are
possible (for every poly-time computable function f)? n – the number of players
setting adversarytype
condition
computational passive t < n
computational active t < n/2
information-theoretic passive t < n/2
information-theoretic active t < n/3
(Turns out that the adaptivness doesn’t matter)
this can be improved to t < n/2
if we add a “broadcast channel”
(these are tight bounds)
this can be improved to t < n
if we give up “fairness”
![Page 16: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/16.jpg)
Example of a lower bound
information-theoretic, passive: t < n/2Suppose n=8 and t=4
Suppose we have a protocol for computingf(a1,a2,a3,a4,a5,a6,a7,a8) = a1a2a3a4a5a6a7a8
We show an information-theoretically secure 2-party protocol for computing
F(A,B) = A BAfter showing this we will be done, since we know it’s
impossible!
![Page 17: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/17.jpg)
P1
input a1input a1
P2
input a2input a2
P3
input a3input a3
input a4input a4
P4
input a5input a5
P5
input a6input a6
P6
input a7input a7
P7
input a8input a8
P8
simulates witha5 :=Ba6 := a7 := a8 := 1
simulates witha1 :=Aa2 := a3 := a4 := 1 the “internal”
messages are not sent outside
the “external” messages are exchanged between Alice and Bob
![Page 18: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/18.jpg)
Correctness?
At the end of the execution of the simulated protocol Alice and Bob know
f(A,1,1,1,B,1,1,1) = ABSo they have computed F.
![Page 19: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/19.jpg)
Why is this protocol secure?
If the adversary corrupted Alice or Bob then he “corrupted” exactly t=4 parties.
From the security of the MPC protocol the “new” 2-party protocol is also secure!
![Page 20: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/20.jpg)
A broadcast channel
P5
P1
P3P2
P4
mmmmmmmm
Every player receives to same message (even if the sender is malicious).
mmmm
![Page 21: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/21.jpg)
Broadcast channel vs. byzantine agreement
If t < n/2 and the broadcast channel is available then the byzantine agreement can be achieved as follows:
1.every party Pi broadcasts her input si
2.the majority of the broadcasted values is the agreed value.
![Page 22: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/22.jpg)
Fact
In the information-theoretic settings:
A broadcast channel can be “emulated” by a multiparty protocol.
![Page 23: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/23.jpg)
On the other handA trusted party can “emulate” a broadcast channel:
P5
P1
P3P2
input minput m
output: moutput: m
output: moutput: m
output: moutput: m output: moutput: m
output: moutput: m
P4
So, this is the reason, why in the information theoretic, active case we have t < n/3
So, this is the reason, why in the information theoretic, active case we have t < n/3
![Page 24: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/24.jpg)
IdeaAllow the parties to use a broadcast channel.We get:
setting adversarytype
condition
information-theoretic
passive t < n/2
information-theoretic
active t < n/3
information-theoretic(with broadcast)
active t < n/2
![Page 25: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/25.jpg)
Plan
1. Definitions and motivation2. Security against the threshold
adversaries1. overview of the results2. overview of the constructions
3. General adversary structures4. Applications
![Page 26: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/26.jpg)
How to construct such protocols?
The general scheme is like in the two-party case:1. Represent the function as a circuit.
2. Let every party “share” her input with the other parties.
3. Evaluate the circuit gate-by-gate (maintaining the invariant that the values of the intermediary gates are shared between the parties)
4. Reconstruct the output.
usually: arithmetic circuit over some fieldusually: arithmetic circuit over some field
![Page 27: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/27.jpg)
FieldsA field is a set F with operations + and · , and an
element 0 such that• F is an abelian group with the operation +,• F \ {0} is an abelian group with the operation ·, • [distributivity of multiplication over addition]:
For all a, b and c in F, the following equality holds: a · (b + c) = (a · b) + (a · c).
Examples of fields: real numbers, Zp for prime p.
Polynomials over any field have many intuitive properties of the polynomials over the reals.
![Page 28: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/28.jpg)
Arithmetic circuits
a0a0 a1a1 a2a2 a3a3 a4a4 a5a5 a6a6 a7a7
++
**
++
++
++**
**
++**
**
c1c1
**
c2c2 c5c5c4c4c3c3
input gates
output gates
multplicationgates
additiongates
![Page 29: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/29.jpg)
How to share a secret?
Informally:
We want to share a secret s between a group of parties, in such a way that:
1.any set of up to t corrupted parties has no information on s, and
2.even if t parties refuse to cooperate we can still reconstruct the secret s.
![Page 30: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/30.jpg)
m-out-of-n secret sharing
dealer’s secret Sdealer’s secret S
S1S1 S5S5S3S3S2S2 S4S4
1. Every set of at least m players can reconstruct S.2. Any set of less than m players has no information about S.
note: this primitive assumes that the adversary is passive
(n = 5)(n = 5)
we will havem = t+1
we will havem = t+1
![Page 31: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/31.jpg)
Every secret sharing protocol consists of
• a sharing procedure:(S1,...,Sn) = share(S)
• a reconstruction procedure:for any i1,..,im we have S = reconstruct(Si1,...,Sim)
• a security condition:for every S,S’ and every i1,..,im-1: (Si1,...,Sim-1) and (S’i1,...,S’im-1) are distributed indentically,where:
(S1,...,Sn) := share(S) and (S’1,...,S’n) := share(S’)
matching
m-out-of-n secret sharing – more formally
![Page 32: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/32.jpg)
Shamir’s secret sharing [1/2]
1 2 3 n . . .
f(1)f(1)
f(n)f(n)f(3)f(3)
f(2)f(2)
P1 P2 P3 Pn . . .
ss
0
Suppose that s is an element of some finite field F, such that |F| > nf – a random polynomial of degree m-1 over F such that f(0) = s sharing:sharing:
![Page 33: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/33.jpg)
Given f(i1),...,f(im) one can interpolate the polynomial f in point 0.
Shamir’s secret sharing [2/2]
reconstruction:reconstruction:
security:security:
One can show that f(i1),...,f(im-1) are independent on f(0).
![Page 34: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/34.jpg)
How to construct a MPC protocol on top of Shamir’s secret sharing?
ObservationAddition is easy...
Why?: because polynomials are homomorphic with respect to addition.
![Page 35: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/35.jpg)
Polynomials are homomorphic with respect to addition
1 2 n . . .
f(1)f(1)
f(n)f(n)f(3)f(3)
ss
0
ttg(1)g(1)
g(3)g(3)g(n)g(n)
s+ts+tf(1)+g(1)f(1)+g(1)
f(3)+g(3)f(3)+g(3)f(n)+g(n)f(n)+g(n)
degree t degree t
degree t degree t
degree t degree t
![Page 36: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/36.jpg)
Addition
sharingsharing
secret a
sharingsharing
secret b
sharingsharing
secret a+b The parties can compute it non-interactively, by adding their shares locally!
![Page 37: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/37.jpg)
How can we use it?
We can construct a protocol for computing
f(a1,...,an) := a1 + · · · + an
This protocol will be secure against an adversary that
• corrupts up to t parties and is• passive, and• information-theoretic.
![Page 38: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/38.jpg)
A protocol for f(a1,...,an) := a1 + · · · + an
1. Each party Pi shares her input using a (t+1)-out-of-n Shamir’s secret sharing.Let ai
1,...,ain be the shares.
Therefore at the end we have quadratic number of shares
a11 ... ai
1 ... an1
... ... ...
a1j ai
j anj
... ... ...
a1n ... ai
n ... ann
![Page 39: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/39.jpg)
2. Each Pj computes a sum of the shares that he received
a11 ... ai
1 ... an1
... ... ...
a1j ai
j anj
... ... ...
a1n ... ai
n ... ann
this is what Pj
received in Step 1
this is what Pj
received in Step 1
i
1 j
i
b : a
i
j j
i
b : a
i
n j
i
b : a
![Page 40: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/40.jpg)
The final steps:
3. Each party Pj broadcasts bj
4. Every party can now reconstructf(a1,...,an) := a1 + · · · + an
by interpolating the sharesb1,..., bn
It can be shown that no coalition of up to t parties can break the security of the protocol.
(Even if they are infinitely-powerful)
![Page 41: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/41.jpg)
How to construct a protocol for any function
Polynomials are homomorphic also with respect to multiplication.
ProblemThe degree gets doubled...
Hence, the construction of such protocols is not-trivial.
But it is possible!
![Page 42: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/42.jpg)
Plan
1. Definitions and motivation2. Security against the threshold
adversaries1. overview of the results2. overview of the constructions
3. General adversary structures4. Applications
![Page 43: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/43.jpg)
General adversary structures
Sometimes assuming that the adversary can corrupt up to t parties is not general enough.
It is better to consider arbitrary coalitions of the sets of parites that can be corrupted.
![Page 44: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/44.jpg)
Example of coalitions
![Page 45: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/45.jpg)
Adversary structures
Δ is an adversary structure over the set of players {P1,...,Pn} if:
Δ 2{P1,...,Pn}
and for every A Δ if B A then B Δ
This property is called monotonicity.Because of this, to specify Δ it is enough to specify a set M of its
maximal sets.We will also say that M induces Δ.
![Page 46: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/46.jpg)
Q2 and Q3 structuresWe say that A is a Δ-adversary if he can corrupt only the
sets in Δ.
How to generalize the condition that t < n/2?We say that a structure Δ is Q2 if
What about “t < n/3”? We say that a structure Δ is Q3 if
1 nA,B
A B {P ,...,P }
1 nA,B,C
A B C {P ,...,P }
![Page 47: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/47.jpg)
A generalization of the classical results
setting adversarytype condition generalized
condition
information-theoretic passive t < n/2 Q2
information-theoretic active t < n/3 Q3
information-theoreticwith broadcast
active t < n/2 Q2
[Martin Hirt, Ueli M. Maurer: Player Simulation and General Adversary Structures in Perfect Multiparty Computation. J. Cryptology, 2000]
![Page 48: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/48.jpg)
There is one problem, though...
What is the total number of possible adversary structures?
FactIt is doubly-exponential in the number of
players.
![Page 49: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/49.jpg)
Why?
{P1,...,Pn}
(suppose n is even)
X := family of sets of cardinality n/2 X := family of sets of cardinality n/2
inclusion is a partial order on the set of subsets of {P1,...,Pn}
n/2n|X| 2
n / 2
![Page 50: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/50.jpg)
On the other hand...
Every subset of X induces a different adversary structure.
Hence the set of all adversary structures has cardinality at least:
(X := family of sets of cardinality n/2 )
n/2|X| 22 2
![Page 51: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/51.jpg)
So, we have a problem, because
On the other handThe number of poly-time protocols is just
exponential in the size of the input.
HenceIf the number of players is super-logarithmic, we
cannot hope to have a poly-time protocol for every adversary structure.
![Page 52: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/52.jpg)
What to do?
Consider only those adversary structure that “can be represented in polynomial space”.
For example see:Ronald Cramer, Ivan Damgård, Ueli M. Maurer:
General Secure Multi-party Computation from any Linear Secret-Sharing Scheme. EUROCRYPT 2000:
![Page 53: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/53.jpg)
Plan
1. Definitions and motivation2. Security against the threshold
adversaries1. overview of the results2. overview of the constructions
3. General adversary structures4. Applications
![Page 54: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/54.jpg)
Practical implementation
Peter Bogetoft et al. Multiparty Computation Goes Live. 2009
The Danish farmers can now bet in a secure way for the contracts to deliver sugar beets.
![Page 55: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/55.jpg)
Efficiency
![Page 56: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/56.jpg)
Other applicationsDistributed cryptography is also used in the following way.
Suppose we have a secret key sk (for a signature scheme) and we do not wan to store it on on machine.
Solution:1. share sk between n machines P1,...,Pn
2. “sign” in a distributed way (without reconstructing sk)
see e.g.:Rosario Gennaro, Stanislaw Jarecki, Hugo Krawczyk, Tal Rabin: Robust Threshold DSS Signatures. EUROCRYPT 1996:
![Page 57: Lecture 10 - Multi-Party Computation Protocols](https://reader035.vdocuments.us/reader035/viewer/2022070301/546ce1b2af7959e91e8b6ea8/html5/thumbnails/57.jpg)
©2009 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.