
Mix and Match: A Simple Approach to General Secure Multiparty Computation


Presentation Transcript


  1. Mix and Match: A Simple Approach to General Secure Multiparty Computation • Markus Jakobsson, Bell Laboratories • Ari Juels, RSA Laboratories

  2. What is secure multiparty computation?

  3. The problem • Alice: a • Bob: b • f(a,b)

  4. The problem • Alice: a • Bob: b • Black Box: f • f(a,b)

  5. Millionaires’ Problem • Who’s richer? • Richie Rich is richer [figure: Richie Rich and Scrooge McDuck, worth $a and worth $b, compared with “>”]

  6. Auctions [figure: Furby Special Edition; Alice, Bob, Cate, Edgar; f; Bob $810]

  7. What’s in the black box?

  8. Trusted third party? • Trusted Party • We want to do without!

  9. Tamper-resistant hardware • Alice: a • Bob: b • f(a,b) • But we don’t want to rely on hardware!

  10. Secure multiparty computation • Alice: a • Bob: b • f(a,b) • Alice and Bob simulate circuit

  11. Other methods • Complex • Recently becoming somewhat practical • Simulate full field operations • gate involves local computation • gate requires rounds of verifiable secret sharing

  12. Our method: Mix and match • Conceptually simple • Simulates only boolean gates directly • Very efficient for bitwise operations, not so for others • Some pre-computation possible

  13. Some previous work • Yao • Use of logical tables (two-player) • Chaum, Damgård, van de Graaf • Multi-party use of logical tables (for passive adversaries)

  14. Mix and Match (Non-private)

  15. Non-private simulation: OR gate • Table rows (a, b, a OR b): (0, 0, 0), (0, 1, 1), (1, 0, 1), (1, 1, 1)

  16. Non-private simulation: OR gate [figure: Alice and Bob; input bits checked for equality (=?) against the rows of the OR table; b = 1]

  17. Mix and Match • Alice: a • Bob: b • f(a,b) • Alice and Bob simulate circuit

  18. Mix and Match (Private)

  19. First tool: Mix network (MN) • Inputs: plaintext 1, plaintext 2, plaintext 3, plaintext 4 • Randomly permutes and encrypts inputs

  20. Second tool: Matching or Plaintext equivalence decision (PED) • Ciphertext 1 =? Ciphertext 2 • Reveals no information other than equality

  21. Mix and Match • Step 1: Key sharing between Alice and Bob -- public key y • Step 2: Alice and Bob encrypt individual bits under y [figure: Alice: a; Bob: b]

  22. Step 3: Alice and Bob mix tables • Mix network (MN): permute and encrypt rows • Table rows: (0, 0, 0), (0, 1, 1), (1, 0, 1), (1, 1, 1)

  23. Step 4: Matching using PED, i.e., table lookup • Find matching row [figure: a and b compared (=?) with the table rows]

  24. Repeat matching on each table for entire circuit [figure: f(a,b)]

  25. Decrypting f(a,b) • Step 5: Decrypt f(a,b) [figure: Alice, Bob, f(a,b)]

  26. Some extensions • Easy to have multiple parties participate • “Mixing” and “matching” can be performed by different coalitions • We can get XOR for “free” using Franklin-Haber cryptosystem

  27. Privacy and Robustness As long as more than half of participants are honest… • Computation will be performed correctly • No information other than output is revealed • Security in random oracle model reducible to Decision Diffie-Hellman problem

  28. Low cost • Very low overall broadcast complexity: O(Nn) group elements • N is number of gates • n is number of players • Equal to that of best competitive methods • O(n+d) broadcast rounds • d is circuit depth • Computation: O(Nn) exponentiations for each player

  29. Questions?
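Steps 1 to 5 from the slides, run on the OR table, as an added example that is not code from the presentation or its authors. It assumes ElGamal as the cryptosystem, a toy group, 2-of-2 additive key sharing in a single process, and it omits the proofs of correct mixing and decryption that robustness against cheating players would require; all function names are hypothetical.

```python
import math, random, secrets

# Toy parameters (assumption, far too small for real use): safe prime P = 2Q + 1,
# G generates the order-Q subgroup; bits are encoded as subgroup elements.
P, Q, G = 2039, 1019, 4
BIT = {0: G, 1: G * G % P}
OR = [(0, 0, 0), (0, 1, 1), (1, 0, 1), (1, 1, 1)]  # rows: a, b, a OR b

def keygen(n=2):  # Step 1: each player keeps an additive share of x; y = g^x is public
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    return shares, pow(G, sum(shares) % Q, P)

def reenc(y, c):  # multiply in a fresh encryption of 1: new ciphertext, same plaintext
    r = secrets.randbelow(Q - 1) + 1
    return (c[0] * pow(G, r, P) % P, c[1] * pow(y, r, P) % P)

def enc(y, m):  # Step 2: ElGamal encryption under the shared key
    return reenc(y, (1, m))

def joint_dec(shares, c):  # Step 5: each player contributes c0^x_i
    d = math.prod(pow(c[0], x, P) for x in shares) % P
    return c[1] * pow(d, -1, P) % P

def mix(y, table, servers=2):
    """Step 3: each mix server re-encrypts every cell and shuffles the rows."""
    for _ in range(servers):
        table = [tuple(reenc(y, c) for c in row) for row in table]
        random.SystemRandom().shuffle(table)
    return table

def ped(shares, c1, c2):
    """Step 4: blind the quotient ciphertext, jointly decrypt; 1 iff plaintexts are equal."""
    d = (c1[0] * pow(c2[0], -1, P) % P, c1[1] * pow(c2[1], -1, P) % P)
    for _ in shares:  # every player applies its own secret blinding exponent
        z = secrets.randbelow(Q - 1) + 1
        d = (pow(d[0], z, P), pow(d[1], z, P))
    return joint_dec(shares, d) == 1

def eval_gate(shares, y, truth_table, ca, cb):
    table = mix(y, [tuple(enc(y, BIT[v]) for v in row) for row in truth_table])
    for ra, rb, rout in table:
        if ped(shares, ca, ra) and ped(shares, cb, rb):
            return rout  # still encrypted: feeds the next gate or Step 5
    raise ValueError("no row matched the encrypted inputs")

def run_or(a, b):
    shares, y = keygen()
    out = eval_gate(shares, y, OR, enc(y, BIT[a]), enc(y, BIT[b]))
    return {v: k for k, v in BIT.items()}[joint_dec(shares, out)]
```

`run_or(a, b)` returns the decrypted output bit; the only values opened along the way are the blinded PED results, which say whether a row matched and nothing else.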
