Secure multiparty computation • Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values • We can only do our best to reduce the amount of information about x or y that is disclosed
Secure multiparty computation • An example, calculate the average salary of multiple users • Alice sends E_B (Salary_A + random) • Bob decrypts the value, adds his salary, sends to C: E_C (Salary_A + random + Salary_B) • C and D do the same, until the value returns to Alice • Alice removes the random value and calculates the average salary
Problems of the salary calculation protocol • If two malicious nodes can sandwich a good node, they can figure out his salary • A malicious node can lie about his salary but figure out the real average value • Alice knows the result before others and she can lie. (we cannot ask everybody to reveal keys since the secret will be disclosed) • Example of privacy preservation in database queries
A more complicated example of secure multiparty computation – Yao’s millionaire problem • Two parties want to determine whose number is larger, but they do not want to share the numbers • Protocol details • Can be used on: on-line auction
A more complicated example of secure multiparty computation – Yao’s millionaire problem • Can Bob cheat? Bob does not know which random number is real x • Can Alice cheat? Alice does not know the private key. • Alice knows the results before Bob • Nothing prevent them from sending the fake numbers, but the results will be meaningless. (You will not send meaningless number in the auction since you will lose the auction or pay the money that you do not want to pay)
Interest matching and other SMC problems • Both sides have some “not-so-common” interests but none want to disclose. • Hashing the interest multiple times and create a yahoo email address, leave the way to contact • Other problems: Database query and data mining, Geometric computation, statistical analysis
A more complicated example: • Alice has a vector (x1, x2, ---, xn), Bob has a vector (y1, y2, ---, yn), Alice wants to know X•Y = x1*y1 + x2*y2 + ----- + xn * yn. Bob wants to help Alice as long as he does not disclose his vector. Alice too. • A simple solution using oblivious transfer • Alice generates (t-1) fake vectors, she sends X and the fake ones to Bob. • Bob calculates the dot product of every vector with Y • Alice and Bob use Oblivious Transfer to send the result back to Alice. Bob does not know which value Alice picks.
The problem of the simple protocol • Bob has a 1/t chance to guess the vector of Alice • Bob need to be careful about the fake vectors • In real life, it could be very difficult to find t-1 fake vectors that look meaningful and are not too similar to X. • We need a better protocol.
A better protocol to calculate dot product of vectors • Details • The vectors that are similar to z1 to zm will be easier to find • Now Bob has a chance of 1/ t^m to guess the vector X
A even better protocol to calculate dot product of vectors • We know that there exist algorithms satisfy E(x) * E(y) = E(x+y) • If P represents a permutation function, X • Y = P(X) • P(Y), where X and Y are two vectors. • A m-round protocol • Alice’s vector is protected by the encryption • Can Alice figure out Bob’s vector? • She knows the sum of all elements, but that is it.
Dining cryptographers and anonymous message broadcast • Dining cryptographer problem: • Flip a coin between every two neighboring parties, every one states whether the two coins that he can see is the same or not • If a party pays the bill, he lie about the result. • If nobody pays the bill, we have even number of “different”, otherwise, we have odd.
Application of dining cryptographer problem: anonymous message broadcasting • All entities forms a circle and flip coins at constant interval • If an entity wants to send out “0”, it states the truth, otherwise, it lies. • The “0”s and “1”s will form the message. • If the message is encrypted by one node’s public key, then both the sender and the receiver will be anonymous • During conflict, the nodes will back off. • Problem: a malicious node will always saying something to disturb the channel.