Round-Optimal Secure Multiparty Computation with Honest...
Transcript of Round-Optimal Secure Multiparty Computation with Honest...
![Page 1: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/1.jpg)
Round-Optimal Secure Multiparty Computation with Honest Majority
Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain
CRYPTO 2018
![Page 2: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/2.jpg)
Secure Multiparty Computation
!"
!#
!$
!%
![Page 3: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/3.jpg)
Secure Multiparty Computation
!"
!#
!$
!%
Securely compute &(!", !#, !$, !%)
![Page 4: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/4.jpg)
Secure Multiparty Computation
!"
!#
!$
!%
Compute &(!", !#, !$, !%)Adversary doesn’t learn anything
beyond &(!", !#, !$, !%)
![Page 5: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/5.jpg)
Honest Majority MPC
![Page 6: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/6.jpg)
Honest Majority MPC (up to ! < #/2 corrupted parties)
![Page 7: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/7.jpg)
Honest Majority MPC (up to ! < #/2 corrupted parties)
• Oblivious Transfer is not necessary.Necessary for dishonest majority [Kil88].
• Fairness and Guaranteed output delivery can be achieved.
• UC security without external trusted setups
• Round complexity lower bounds of dishonest majority do not apply.4 rounds necessary for dishonest majority in the plain model [Garg-Mukherjee-Pandey-Polychroniadou16]
![Page 8: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/8.jpg)
Honest Majority MPC (up to ! < #/2 corrupted parties)
• Oblivious Transfer is not necessary.Necessary for dishonest majority [Kil88].
• Fairness and Guaranteed output delivery can be achieved.
• UC security without external trusted setups
• Round complexity lower bounds of dishonest majority do not apply.4 rounds necessary for dishonest majority in the plain model [Garg-Mukherjee-Pandey-Polychroniadou16]
![Page 9: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/9.jpg)
Honest Majority MPC (up to ! < #/2 corrupted parties)
• Oblivious Transfer is not necessary.Necessary for dishonest majority [Kil88].
• Fairness and Guaranteed output delivery can be achieved.
• UC security without external trusted setups
• Round complexity lower bounds of dishonest majority do not apply.4 rounds necessary for dishonest majority in the plain model [Garg-Mukherjee-Pandey-Polychroniadou16]
![Page 10: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/10.jpg)
Honest Majority MPC (up to ! < #/2 corrupted parties)
• Oblivious Transfer is not necessary.Necessary for dishonest majority [Kil88].
• Fairness and Guaranteed output delivery can be achieved.
• UC security without external trusted setups
• Round complexity lower bounds of dishonest majority do not apply.4 rounds necessary for dishonest majority in the plain model [Garg-Mukherjee-Pandey-Polychroniadou16]
![Page 11: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/11.jpg)
Problem Statement
What is the exact round complexity of honest majority MPC in the plain model?
![Page 12: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/12.jpg)
Honest Majority MPC: Security Notions
![Page 13: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/13.jpg)
Honest Majority MPC: Security Notions
• Security with Abort:
![Page 14: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/14.jpg)
Honest Majority MPC: Security Notions
• Security with Abort:Adversary may learn the output but can prevent honest parties from doing so.
![Page 15: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/15.jpg)
Honest Majority MPC: Security Notions
• Security with Abort:
• Guaranteed output Delivery:
Adversary may learn the output but can prevent honest parties from doing so.
![Page 16: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/16.jpg)
Honest Majority MPC: Security Notions
• Security with Abort:
• Guaranteed output Delivery:
Adversary may learn the output but can prevent honest parties from doing so.
Honest parties always learn the output even if some parties abort prematurely.
![Page 17: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/17.jpg)
Honest Majority MPC: Security Notions
• Security with Abort:
• Guaranteed output Delivery:
Adversary may learn the output but can prevent honest parties from doing so.
Honest parties always learn the output even if some parties abort prematurely.
Guaranteed output delivery ⟹ Fairness
![Page 18: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/18.jpg)
Honest Majority MPC: Security Notions
• Security with Abort:
• Guaranteed output Delivery:
Adversary may learn the output but can prevent honest parties from doing so.
Honest parties always learn the output even if some parties abort prematurely.
Guaranteed output delivery ⟹ Fairness
Goal: Develop round optimal protocols in these settings.
![Page 19: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/19.jpg)
Brief History: Security with Abort
![Page 20: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/20.jpg)
Brief History: Security with Abort
Polynomial round protocols• [Goldreich-Micali-Wigderson87, Ben-Or-Goldwasser-Wigderson88, Chaum-Crépeau-Damgård88]
Constant round protocols• [Beaver-Micali-Rogaway90]• And subsequently many works investigated improvements.
Two round protocols• [Ishai-Kushilevitz00, Ishai-Kushilevitz-Paskin10]: Unconditional security, ! < #/3 corruptions.• [Benhomouda-Lin17, Garg-Srinivasan17]: ! < # semi-honest corruptions based on OT. Malicious
corruptions in the CRS model.
![Page 21: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/21.jpg)
Brief History: Security with Abort
Polynomial round protocols• [Goldreich-Micali-Wigderson87, Ben-Or-Goldwasser-Wigderson88, Chaum-Crépeau-Damgård88]
Constant round protocols• [Beaver-Micali-Rogaway90]• And subsequently many works investigated improvements.
Two round protocols• [Ishai-Kushilevitz00, Ishai-Kushilevitz-Paskin10]: Unconditional security, ! < #/3 corruptions.• [Benhomouda-Lin17, Garg-Srinivasan17]: ! < # semi-honest corruptions based on OT. Malicious
corruptions in the CRS model.
![Page 22: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/22.jpg)
Brief History: Security with Abort
Polynomial round protocols• [Goldreich-Micali-Wigderson87, Ben-Or-Goldwasser-Wigderson88, Chaum-Crépeau-Damgård88]
Constant round protocols• [Beaver-Micali-Rogaway90]• And subsequently many works investigated improvements.
Two round protocols• [Ishai-Kushilevitz00, Ishai-Kushilevitz-Paskin10]: Unconditional security, ! < #/3 corruptions.• [Benhomouda-Lin17, Garg-Srinivasan17]: ! < # semi-honest corruptions based on OT. Malicious
corruptions in the CRS model.
![Page 23: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/23.jpg)
Brief History: Security with Abort
Polynomial round protocols• [Goldreich-Micali-Wigderson87, Ben-Or-Goldwasser-Wigderson88, Chaum-Crépeau-Damgård88]
Constant round protocols• [Beaver-Micali-Rogaway90]• And subsequently many works investigated improvements.
Two round protocols• [Ishai-Kushilevitz00, Ishai-Kushilevitz-Paskin10]: Unconditional security, ! < #/3 corruptions.• [Benhomouda-Lin17, Garg-Srinivasan17]: ! < # semi-honest corruptions based on OT. Malicious
corruptions in the CRS model.
![Page 24: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/24.jpg)
Brief History: Security with Abort
Polynomial round protocols• [Goldreich-Micali-Wigderson87, Ben-Or-Goldwasser-Wigderson88, Chaum-Crépeau-Damgård88]
Constant round protocols• [Beaver-Micali-Rogaway90]• And subsequently many works investigated improvements.
Two round protocols• [Ishai-Kushilevitz00, Ishai-Kushilevitz-Paskin10]: Unconditional security, ! < #/3 corruptions.• [Benhomouda-Lin17, Garg-Srinivasan17]: ! < # semi-honest corruptions based on OT. Malicious
corruptions in the CRS model.
![Page 25: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/25.jpg)
Question: Security with Abort
Does there exist a two round MPC protocol secure against ! < #/2malicious corruptions in the plain model?
![Page 26: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/26.jpg)
Question: Security with Abort
Does there exist a two round MPC protocol secure against ! < #/2malicious corruptions in the plain model?
Open regardless of assumptions.
Impossible for dishonest majority [Garg- Mukherjee-Pandey-Polychroniadou16]
Open even in semi-honest case from assumptions weaker than OT.
![Page 27: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/27.jpg)
Question: Security with Abort
Does there exist a two round MPC protocol secure against ! < #/2malicious corruptions in the plain model?
Open regardless of assumptions.
Impossible for dishonest majority [Garg- Mukherjee-Pandey-Polychroniadou16]
Open even in semi-honest case from assumptions weaker than OT.
![Page 28: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/28.jpg)
Question: Security with Abort
Does there exist a two round MPC protocol secure against ! < #/2malicious corruptions in the plain model?
Open regardless of assumptions.
Impossible for dishonest majority [Garg- Mukherjee-Pandey-Polychroniadou16]
Open even in semi-honest case from assumptions weaker than OT.
![Page 29: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/29.jpg)
Brief History: Guaranteed Output Delivery
![Page 30: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/30.jpg)
Brief History: Guaranteed Output Delivery
Upper Bounds• [Ben-Or-Goldwasser-Wigderson88, Chaum-Crépeau-Damgård88]: Feasibility• [Ishai-Kushilevitz-Paskin10, Ishai-Kumaresan-Kushilevitz-Paskin15]: Two-round MPC in the
plain model with n>4, t=1 malicious corruptions from OWFs.• [Ishai-Kumaresan-Kushilevitz-Paskin15]: Two-round MPC in the plain model with n=4, t=1
malicious corruptions from injective OWFs.• [Gordon-Liu-Shi15]: Three-round maliciously secure protocol in the CRS model from LWE and
NIZKs.
Lower Bounds• [Gennaro-Ishai-Kushilevitz-Rabin’02]: Impossibility of two-round protocols with t>2 malicious
corruptions in the plain model. • [Gordon-Liu-Shi’15]: Impossibility of two-round broadcast channel protocols against fail-stop
corruptions.
![Page 31: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/31.jpg)
Brief History: Guaranteed Output Delivery
Upper Bounds• [Ben-Or-Goldwasser-Wigderson88, Chaum-Crépeau-Damgård88]: Feasibility• [Ishai-Kushilevitz-Paskin10]: Two-round MPC in the plain model with n>4, t=1 malicious
corruptions from OWFs.• [Ishai-Kumaresan-Kushilevitz-Paskin15]: Two-round MPC in the plain model with n=4, t=1
malicious corruptions from injective OWFs.• [Gordon-Liu-Shi15]: Three-round maliciously secure protocol in the CRS model from LWE and
NIZKs.
Lower Bounds• [Gennaro-Ishai-Kushilevitz-Rabin’02]: Impossibility of two-round protocols with t>2 malicious
corruptions in the plain model. • [Gordon-Liu-Shi’15]: Impossibility of two-round broadcast channel protocols against fail-stop
corruptions.
![Page 32: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/32.jpg)
Brief History: Guaranteed Output Delivery
Upper Bounds• [Ben-Or-Goldwasser-Wigderson88, Chaum-Crépeau-Damgård88]: Feasibility• [Ishai-Kushilevitz-Paskin10]: Two-round MPC in the plain model with n>4, t=1 malicious
corruptions from OWFs.• [Ishai-Kumaresan-Kushilevitz-Paskin15]: Two-round MPC in the plain model with n=4, t=1
malicious corruptions from injective OWFs.• [Gordon-Liu-Shi15]: Three-round maliciously secure protocol in the CRS model from LWE and
NIZKs.
Lower Bounds• [Gennaro-Ishai-Kushilevitz-Rabin’02]: Impossibility of two-round protocols with t>2 malicious
corruptions in the plain model. • [Gordon-Liu-Shi’15]: Impossibility of two-round broadcast channel protocols against fail-stop
corruptions.
![Page 33: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/33.jpg)
Brief History: Guaranteed Output Delivery
Upper Bounds• [Ben-Or-Goldwasser-Wigderson88, Chaum-Crépeau-Damgård88]: Feasibility• [Ishai-Kushilevitz-Paskin10]: Two-round MPC in the plain model with n>4, t=1 malicious
corruptions from OWFs.• [Ishai-Kumaresan-Kushilevitz-Paskin15]: Two-round MPC in the plain model with n=4, t=1
malicious corruptions from injective OWFs.• [Gordon-Liu-Shi15]: Three-round maliciously secure protocol in the CRS model from LWE and
NIZKs.
Lower Bounds• [Gennaro-Ishai-Kushilevitz-Rabin’02]: Impossibility of two-round protocols with t>2 malicious
corruptions in the plain model. • [Gordon-Liu-Shi’15]: Impossibility of two-round broadcast channel protocols against fail-stop
corruptions.
![Page 34: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/34.jpg)
Brief History: Guaranteed Output Delivery
Upper Bounds• [Ben-Or-Goldwasser-Wigderson88, Chaum-Crépeau-Damgård88]: Feasibility• [Ishai-Kushilevitz-Paskin10]: Two-round MPC in the plain model with n>4, t=1 malicious
corruptions from OWFs.• [Ishai-Kumaresan-Kushilevitz-Paskin15]: Two-round MPC in the plain model with n=4, t=1
malicious corruptions from injective OWFs.• [Gordon-Liu-Shi15]: Three-round maliciously secure protocol in the CRS model from LWE and
NIZKs.
Lower Bounds• [Gennaro-Ishai-Kushilevitz-Rabin’02]: Impossibility of two-round protocols with t>2 malicious
corruptions in the plain model. • [Gordon-Liu-Shi’15]: Impossibility of two-round broadcast channel protocols against fail-stop
corruptions.
![Page 35: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/35.jpg)
Brief History: Guaranteed Output Delivery
Upper Bounds• [Ben-Or-Goldwasser-Wigderson88, Chaum-Crépeau-Damgård88]: Feasibility• [Ishai-Kushilevitz-Paskin10]: Two-round MPC in the plain model with n>4, t=1 malicious
corruptions from OWFs.• [Ishai-Kumaresan-Kushilevitz-Paskin15]: Two-round MPC in the plain model with n=4, t=1
malicious corruptions from injective OWFs.• [Gordon-Liu-Shi15]: Three-round maliciously secure protocol in the CRS model from LWE and
NIZKs.
Lower Bounds• [Gennaro-Ishai-Kushilevitz-Rabin’02]: Impossibility of two-round protocols with t>2 malicious
corruptions in the plain model. • [Gordon-Liu-Shi’15]: Impossibility of two-round broadcast channel protocols against fail-stop
corruptions.
![Page 36: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/36.jpg)
Question: Guaranteed Output Delivery
![Page 37: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/37.jpg)
Question: Guaranteed Output Delivery
Does there exist a two round MPC protocol secure against ! < #/2fail-stop corruptions in the plain model?
![Page 38: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/38.jpg)
Question: Guaranteed Output Delivery
Does there exist a two round MPC protocol secure against ! < #/2fail-stop corruptions in the plain model?
Does there exist a three round MPC protocol secure against ! < #/2malicious corruptions in the plain model?
![Page 39: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/39.jpg)
Question: Guaranteed Output Delivery
Does there exist a two round MPC protocol secure against ! < #/2fail-stop corruptions in the plain model?
Does there exist a three round MPC protocol secure against ! < #/2malicious corruptions in the plain model?
Both questions open regardless of assumptions.
![Page 40: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/40.jpg)
Our Results: Security with Abort
Two round MPC for general functionalities in the plain model, assuming one-way functions.
![Page 41: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/41.jpg)
Our Results: Guaranteed Output Delivery
Broadcast channel protocol in the bare-public-key model, assuming PKE.
Fail-Stop Corruptions: Two round MPC for general functions:
Point-to-point channel protocol in the plain model, assuming OT.
![Page 42: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/42.jpg)
Our Results: Guaranteed Output Delivery
Broadcast channel protocol in the bare-public-key model, assuming PKE.
Fail-Stop Corruptions:
Point-to-point channel protocol in the plain model, assuming OT.Three round MPC from one-way functions in the plain model.
![Page 43: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/43.jpg)
Our Results: Guaranteed Output Delivery
Malicious Corruptions: Three round MPC for general functions:
Broadcast channel protocol in the plain model, assuming Zaps and PKE.
Broadcast channel protocol in the bare-public-key model, assuming PKE.
Fail-Stop Corruptions: Two round MPC for general functions:
Point-to-point channel protocol in the plain model, assuming OT.
![Page 44: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/44.jpg)
Security with Abort against Malicious Adversaries
![Page 45: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/45.jpg)
[Garg-Srinivasan17]
A compiler from any polynomial round MPC protocol to a two round protocol using two round UC secure OT.
![Page 46: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/46.jpg)
[Garg-Srinivasan17]
A compiler from any polynomial round MPC protocol to a two round protocol using two round UC secure OT.
Starting Idea: Leverage honest majority to remove OT.
![Page 47: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/47.jpg)
[Garg-Srinivasan17]
Use of OT in [GS17]
![Page 48: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/48.jpg)
[Garg-Srinivasan17]
Any polynomial round MPC Protocol
Use of OT in [GS17]
Start with any dishonest majority protocol based on OT over broadcast channels
![Page 49: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/49.jpg)
[Garg-Srinivasan17]
OT+GC
Two-round MPC Protocol
Any polynomial round MPC Protocol
Use of OT in [GS17]
Start with any dishonest majority protocol based on OT over broadcast channels
Compile it into a 2 round protocol using OT and
Garbled circuits
![Page 50: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/50.jpg)
Our Strategy
Use of OT in [GS17] Our approach
1Start with any dishonest
majority protocol based on OT over broadcast channels
2Compile it into a 2 round
protocol using OT and Garbled circuits
![Page 51: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/51.jpg)
Our Strategy
Use of OT in [GS17] Our approach
1Start with any dishonest
majority protocol based on OT over broadcast channels
Start with an unconditionally secure honest majority
protocol
2Compile it into a 2 round
protocol using OT and Garbled circuits
![Page 52: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/52.jpg)
Our Strategy
Use of OT in [GS17] Our approach
1Start with any dishonest
majority protocol based on OT over broadcast channels
Start with an unconditionally secure honest majority
protocol
2Compile it into a 2 round
protocol using OT and Garbled circuits
Require private channels
![Page 53: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/53.jpg)
Our Strategy
Use of OT in [GS17] Our approach
1Start with any dishonest
majority protocol based on OT over broadcast channels
Start with an unconditionally secure honest majority
protocol
2Compile it into a 2 round
protocol using OT and Garbled circuits
Require private channels
Challenges
How to compress protocols that use private channels?
![Page 54: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/54.jpg)
Our Strategy
Use of OT in [GS17] Our approach
1Start with any dishonest
majority protocol based on OT over broadcast channels
Start with an unconditionally secure honest majority
protocol
2Compile it into a 2 round
protocol using OT and Garbled circuits
Leverage honest majority to replace OT
Require private channels
Challenges
How to compress protocols that use private channels?
How to achieve OT functionality without OT?
![Page 55: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/55.jpg)
Recap of [Garg-Srinivasan17]
A Multi-round MPC Protocol
![Page 56: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/56.jpg)
Recap of [Garg-Srinivasan17]Preprocessing
Phase
Computation
Phase
Conforming Protocol
A Multi-round MPC Protocol
Transform into a “conforming protocol” with
a specific syntactic structure.
![Page 57: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/57.jpg)
Recap of [Garg-Srinivasan17]Preprocessing
Phase
Computation
Phase
A Multi-round MPC Protocol
Computation Phase:
Only a single bit is broadcasted by a single party (speaker) in each round.
All other parties are listeners for that round.
Conforming Protocol
![Page 58: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/58.jpg)
Recap of [Garg-Srinivasan17]Preprocessing
Phase
Computation
Phase
A Multi-round MPC Protocol Two-round MPC
Protocol
OT+GC
Conforming Protocol
![Page 59: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/59.jpg)
Recap of [Garg-Srinivasan17]Preprocessing
Phase
Computation
Phase
Conforming Protocol
Round 1
Two-round UC secure OT+
Garbled Circuits
OT1 MessagesPreprocessing Phase
• Each party sends OT receiver messages for the rounds in which it speaks.
• These messages commit to all its actions in the computation phase of the conforming protocol.
![Page 60: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/60.jpg)
Recap of [Garg-Srinivasan17]Preprocessing
Phase
Computation
Phase
Round 1
OT1 MessagesPreprocessing Phase
Round 2
Each party sends garbled circuits corresponding to each round in the computation phase.
Two-round UC secure OT+
Garbled Circuits
Conforming Protocol
![Page 61: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/61.jpg)
Recap of [Garg-Srinivasan17]Preprocessing
Phase
Computation
Phase
Round 1
OT1 MessagesPreprocessing Phase
Round 2
GCs output the OT sender messages.
Goal of these OTs is to deliver wire labels of GC.
Two-round UC secure OT+
Garbled Circuits
Conforming Protocol
![Page 62: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/62.jpg)
Our Strategy: Challenge 2
Use of OT in [GS17] Our approach
1Start with any dishonest
majority protocol based on OT over broadcast channels
Start with an unconditionally secure honest majority
protocol
2Compile it into a 2 round
protocol using OT and Garbled circuits
Leverage honest majority to replace OT
Require private channels
Challenges
How to compress protocols that use private channels?
How to achieve OT functionality without OT?
![Page 63: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/63.jpg)
New Gadget for OT: Multi-party OT
Multi-party protocol.
![Page 64: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/64.jpg)
New Gadget for OT: Multi-party OT
Multi-party protocol.
Only 2 parties have inputs, others have no input.
![Page 65: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/65.jpg)
New Gadget for OT: Multi-party OT
Multi-party protocol.
Only 2 parties have inputs, others have no input.
Every party receives the output.
![Page 66: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/66.jpg)
New Gadget for OT: Multi-party OT
Multi-party protocol.
Only 2 parties have inputs, others have no input.
Every party receives the output.
OT functionality for sender inputs ("#,"%) and receiver input (') can be represented as a degree 2 polynomial in ().
"* = "# 1 + ' +"%(')
![Page 67: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/67.jpg)
New Gadget for OT: Multi-party OT
Multi-party protocol.
Only 2 parties have inputs, others have no input.
Every party receives the output.
OT functionality for sender inputs ("#,"%) and receiver input (') can be represented as a degree 2 polynomial in ().
"* = "# 1 + ' +"%(')Later: How to implement
![Page 68: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/68.jpg)
Our Strategy: Challenge 1
Use of OT in [GS17] Our approach
1Start with any dishonest
majority protocol based on OT over broadcast channels
Start with an unconditionally secure honest majority
protocol
2Compile it into a 2 round
protocol using OT and Garbled circuits
Leverage honest majority to replace OT
Require private channels
Challenges
How to compress protocols that use private channels?
How to achieve OT functionality without OT?
![Page 69: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/69.jpg)
Compressing Private Channel Protocols
Perfectly Secure
Honest Majority
Protocol
Uses both broadcast and private channels.
![Page 70: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/70.jpg)
Compressing Private Channel Protocols
Setup Phase
Perfectly Secure
Honest Majority
Protocol
![Page 71: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/71.jpg)
Compressing Private Channel Protocols
Exchange one-time pads to emulate private channels.Setup Phase
Perfectly Secure
Honest Majority
Protocol
![Page 72: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/72.jpg)
Compressing Private Channel Protocols
Only uses broadcast channels
Exchange one-time pads to emulate private channels.Setup Phase
Perfectly Secure
Honest Majority
Protocol
![Page 73: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/73.jpg)
Compressing Private Channel Protocols
Preprocessing Phase
Conforming Protocol
Transform to a conforming protocol with a setup phase
Setup Phase
Perfectly Secure
Honest Majority
Protocol
Setup Phase
Computation
Phase
![Page 74: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/74.jpg)
Compressing Private Channel Protocols
Two-round Protocol
MOT+GC
Preprocessing Phase
Conforming Protocol
Setup Phase
Perfectly Secure
Honest Majority
Protocol
Setup Phase
Computation
Phase
Setup Phase
![Page 75: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/75.jpg)
Compressing Private Channel Protocols
Perfectly Secure
Honest Majority
Protocol
Setup Phase Preprocessing Phase
Computation
Phase
Output Phase
Conforming Protocol
Setup Phase
Two-round MPC Protocol
Output Phase
Setup Phase
Can we parallelize the first round with the setup phase?
![Page 76: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/76.jpg)
Can we parallelize the first round with the setup phase?
!
Conforming Protocol with setup
Listener of round "
Speaker of round "
Setup Phase
Preprocessing Phase
Setup Phase
Computation
Phase
![Page 77: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/77.jpg)
Can we parallelize the first round with the setup phase?
(computation phase)
!"#$%&$'(' (*⨁,)
Conforming Protocol with setup
Listener of round (
Speaker of round (
Speaker of round (
Setup Phase
Round (
,
Preprocessing Phase
Setup Phase
Computation
Phase
![Page 78: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/78.jpg)
Can we parallelize the first round with the setup phase?
Setup Phase
2 Round Protocol with setup
Round 1!"#$%&$'(' )*+ ,-''$.-'
Listener of round (
Speaker of round (
Speaker of round (
Setup Phase/
Setup Phase
Round 1
Round 2
![Page 79: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/79.jpg)
Can we parallelize the first round with the setup phase?
Setup Phase
2 Round Protocol with setup
Round 1!"#$%&$'(' )*+ ,-''$.-'
Listener of round (
Speaker of round (
Speaker of round (
Setup Phase
)*+ messages commit to all actions in the first round.
/
![Page 80: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/80.jpg)
Can we parallelize the first round with the setup phase?
Setup Phase
2 Round Protocol with setup
Round 1!"#$%&$'(' )*+ ,-''$.-'
Listener of round (
Speaker of round (
Speaker of round (
Setup Phase
)*+ messages depend on /which is not known before
setup.
/
![Page 81: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/81.jpg)
Can we parallelize the first round with the setup phase?
Setup Phase
2 Round Protocol with setup
Listener of round !
Speaker of round !
Setup Phase"
![Page 82: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/82.jpg)
Can we parallelize the first round with the setup phase?
Setup Phase
2 Round Protocol with setup
Listener of round !
Speaker of round !
Setup Phase"
• Similar problem arises. • Transfers the problem to another round.
![Page 83: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/83.jpg)
Can we parallelize the first round with the setup phase?
Setup Phase
2 Round Protocol with setup
Listener of round !
Speaker of round !
Setup Phase"
• Similar problem arises. • Transfers the problem to another round.
This approach doesn’t seem to work!
![Page 84: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/84.jpg)
Multi-party Homomorphic OT
• Multi-party protocol.
• Only 3 parties have inputs, others have no input.
• Every party receives the output.
![Page 85: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/85.jpg)
Multi-party Homomorphic OT
Multi-party Homomorphic OT
Sender
Receiver
(+,,+.)
(1)
![Page 86: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/86.jpg)
Multi-party Homomorphic OT
Multi-party Homomorphic OT
Sender
Receiver
DesignatedSender
(12,14)
(6)
(7)
![Page 87: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/87.jpg)
Multi-party Homomorphic OT
Multi-party Homomorphic OT
Sender
Receiver
DesignatedSender
(12,14)
(6) 1789
(:)
![Page 88: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/88.jpg)
Multi-party Homomorphic OT
• The homomorphic OT functionality with sender inputs ("#,"%),receiver input (() and designated sender input ()) can be represented as degree 2 polynomial in *+.
",-. = "# 1 + ( + ) +"%(( + ))
![Page 89: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/89.jpg)
Parallelizing using MHOT
2 Round Protocol with setup
!"#$%&$'(' )*+ ,-''$.-'
Listener of round ( Speaker of round (
Speaker of round (
/
Round 1
Setup Phase
![Page 90: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/90.jpg)
Parallelizing using MHOT
!"#$%&$'(' )*+ ,-''$.-'
Listener of round ( Speaker of round (
Speaker of round (
/
2 Round Protocol with setup
Listener of round (
!"#$%&$'(' )*+ ,-''$.-0'12. 1230( /
Round 1
Setup Phase
![Page 91: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/91.jpg)
Parallelizing using MHOT
!"#$%&$'(' )*+ ,-''$.-'
Listener of round ( Speaker of round (
Speaker of round (
/
2 Round Protocol with setup parallelized
Listener of round (
!"#$%&$'(' )*+ ,-''$.-0'12. 1230( /
Round 1Setup Phase
The homomorphism property of the multi-party OT allows us to parallelize
![Page 92: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/92.jpg)
Instantiating Multi-party Homomorphic OT
• [Ishai-Kushilevitz-Paskin10] give a construction for such a degree 2 polynomial computation protocol that satisfies statistical t-privacy with knowledge of outputs.
![Page 93: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/93.jpg)
Ideal World: Privacy with Knowledge of Outputs
!" !#
![Page 94: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/94.jpg)
!" !#
$ = &(!", !#)
Ideal World: Privacy with Knowledge of Outputs
![Page 95: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/95.jpg)
!" !#
$ = &(!", !#)
$′
Ideal World: Privacy with Knowledge of Outputs
![Page 96: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/96.jpg)
!" !#
$ = &(!", !#)
$′ $′
Ideal World: Privacy with Knowledge of Outputs
![Page 97: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/97.jpg)
Instantiating Multi-party Homomorphic OT
• [Ishai-Kushilevitz-Paskin10] give a construction for such a degree 2 polynomial computation protocol that satisfies statistical t-privacy with knowledge of outputs.
Privacy with knowledge of outputs: A weaker notion than security with abort that does not guarantee correctness of output of the honest parties.
![Page 98: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/98.jpg)
Instantiating Multi-party Homomorphic OT
• [Ishai-Kushilevitz-Paskin10] give a construction for such a degree 2 polynomial computation protocol that satisfies statistical t-privacy with knowledge of outputs.
Privacy with knowledge of outputs: A weaker notion than security with abort that does not guarantee correctness of output of the honest parties.
Challenge: How to ensure correctness of honest party outputs?
![Page 99: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/99.jpg)
… (#$, #&)
( = #*
(′ (′Honest Sender
Challenge: How to ensure correctness of honest party outputs?
![Page 100: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/100.jpg)
… (#$, #&)
( = #*
(′ (′Honest Sender
(′ does not depend on #&,*
Challenge: How to ensure correctness of honest party outputs?
![Page 101: Round-Optimal Secure Multiparty Computation with Honest ...aarushig/slides/Crypto2018_Aarushi.pdfHonest Majority MPC (up to !](https://reader034.fdocuments.us/reader034/viewer/2022052023/6038b44ec7b8a934224fd1a4/html5/thumbnails/101.jpg)
• OT functionality transmits wire labels for GC.
• Unless valid labels are transmitted, GC remains private.• Since MOT functionality is used to transmit wire labels for GC, unless
valid labels are transmitted, GC remains private.
Challenge: How to ensure correctness of honest party outputs?