This document provides an introduction and overview of Secure Multi-Party Computation (SMPC). It begins with an introduction of the speaker and agenda. It then defines SMPC as a problem in distributed computing where parties wish to compute a function while preserving privacy and correctness, even if some parties are faulty. It presents the Millionaire's Problem protocol as an example. Real-world applications are discussed, along with adversary classifications and desirable SMPC properties. Key techniques like garbled circuits, oblivious transfer, and secret sharing are introduced. The document concludes by outlining future topics to be covered.

1. Introduction to SMPC
Jitendra Kumar Patel Saturday, January 30, 2016
Secure Multi-Party
Computation

2. Jitendra Patel ... ?
 M.Tech from International Institute of Information Technology, Bangalore (Pursuing)
 Experience in Teaching ( 3+ years)
 Worked as an Offline Instructor at Innobuzz Knowledge Solutions - Delhi, Classroom
faculty at Oviyans Infotech – Indore, Trainer at Osinfotech – Indore, Performance
Engineering R&D at RedHat, Bangalore.
 Research interest in Ethical Hacking, Network Security, Reverse Engineering, Wireless
Security, Technical Analysis, Bitcoin Blockchain Technology, SMPC
 Tech Enthusiast

3. Agenda of the Talk... ?
 Story
 What is Secure Multi Party Computation ?
 The Millionaires Problem and Few real world problems
 Adversary classification
 Issues and desirable properties from SMPC
 Few SMPC Terminologies/Techniques
 What is next ?

4. Should I invite herfora cup of coffee… ?
Alice and Bob meet accidentally. Both don’t know India. Both are tourists.
Bob is lost. He would like to ask Alice for the way to his guest house. And maybe whether she would
like to drink a hot coffee with him. But he doesn’t know her. And if she says no? “I would ask her, if
only I knew that she would accept”, he thinks. But he is shy. Too shy.
Alice is lost as well. She would like to ask Bob for the way to the hostel. And maybe whether Bob
would not be willing to accompany her. It’s already getting dark. She would of course then invite him
for a cup of hot milk with honey. And some banana cake. In order to thank him. And maybe...who
knows. But what if he says no? Should she dare to ask? “If I knew that he would not laugh at me, I
would ask”. But Alice is shy. Too shy.
They cross each other. Watching each other. Not asking each other. Finally, they both find their way.
Bob to his guest house, Alice to the hostel. The wrong way. They will never meet Again.
If only they would know the techniques of secure multi-party computation.
Story

5. Secure Multi Party Computation… ?
Also known as secure computation or multi-party computation
Fundamental problem in distributed computing and cryptography
Definition
- Set of n parties
- Some are faulty/corrupted
- Do not trust each other
- Still parties wish to compute some function
- Private local inputs (Privacy)
- Public Output (Correctness)

6. The Millionaires Problem
P
r
o
t
o
c
o
l
s
f
o
r
S

Y
a
o
’
sX
$
Y
$
?
<
=
>
F

F
o
r
m
u
l
a
t
e
d
b
y
T
u

7. Real World Problem….?
 Online Dating
 Electronic Voting
 Privacy-preserving Statistics [ ex: satellite collision ]
 Privacy-preserving Database Operations
 Benchmarking
 Privacy-preserving data mining
 Secure e-auction

8. Secure Function Evaluation

A set of (two or more) parties with private inputs wish to compute
some joint function of their inputs.

Parties wish to preserve some security properties. E.g., privacy and
correctness.
– Example: Computing the maximum

Many results depending on
– Number of players
– Means of communication
– the power and MODEL of the adversary
– how the function is REPRESENTED

9. The Security Definition
IDEALREAL
Trusted party
Protocol
interaction
For every real
adversary A
there exists an
adversary S
≈

10. Computational Setting

Any two-party function can be securely computed in the semi-
honest adversarial model [Yao]

Any multiparty function can be securely computed in the
malicious model, for any number of corrupted parties [GMW]

11. Adversary Classification ... ?
Nature of Adversary : Passive
Fail-stop
Active
Mixed
Mobility : Static
Adaptive/Dynamic:
Mobile
Corruption Capacity : Threshold
Non-threshold
Computational Resources : Bounded
Unbounded

12. Issues with the Design of SMPC…?
Possibility : What are the necessary and sufficient conditions
for the existence of a protocol in a given network?
Feasibility : Does there exist a polynomial time and efficient
protocol ? (We assume that the protocol exists).
Optimality : How do we design a protocol whose total
complexities (communication and round) match their respective
lower bound?

13. Desirable Properties of a SMPC…?
 Correctness
 Privacy
 Input Independence
 Robustness
 Fairness

14. SMPC Terminologies/Techniques…?
Semi Honest Adversary
Garbled Circuit
Oblivious Transfer
Secret Sharing
Verifiable Secret Sharing
Commitment Schemes

15. Garbled Circuit…?
We can garble a circuit (hide its structure) so that two parties, sender and
receiver, can learn the output of the circuit and nothing else.
At a high level, the sender prepares the garbled circuit and sends it to the
receiver, who obliviously evaluates the circuit, learning the encodings
corresponding to both his and the senders output.
He then just sends back the senders encodings, allowing the sender to
compute his part of the output.
The sender sends the mapping from the receivers output encodings to bits to
the receiver, allowing the receiver to obtain their output.
Ref : Wikipedia

16. Semi-Honest Construction
1-out-of-2 Oblivious Transfer (OT)

Inputs
– Sender has two messages m0 and m1
– Receiver has a single bit σ∈{0,1}

Outputs
– Sender receives nothing
– Receiver obtain mσ and learns nothing of m1-σ

17. Semi-Honest OT

Let (G,E,D) be a public-key encryption scheme
– G is a key-generation algorithm (pk,sk) ← G
– Encryption: c = Epk(m)
– Decryption: m = Dsk(c)

Assume that a public-key can be sampled without
knowledge of its secret key:
– Oblivious key generation: pk ← OG
– El-Gamal encryption has this property

18. Semi-Honest OT
Protocol for Oblivious Transfer

Receiver (with input σ):
– Receiver chooses one key-pair (pk,sk) and one public-key pk’ (obliviously
of secret-key).
– Receiver sets pkσ = pk, pk1-σ = pk’
– Note: receiver can decrypt for pkσ but not for pk1-σ
– Receiver sends pk0,pk1 to sender
 Sender (with input m0,m1):
– Sends receiver c0=Epk0(m0), c1=Epk1(m1)

Receiver:
– Decrypts cσ using sk and obtains mσ.

19. Security Proof

Intuition:
– Sender's view consists only of two public keys pk0 and pk1. Therefore, it
doesn't learn anything about that value of σ.
– The receiver only knows one secret-key and so can only learn one
message

Formally:
– Sender's view is independent of receiver's input and so can easily be
simulated (just give it 2 keys)
– Receiver's view can be simulated by obtaining the output m and sending
it Epk0(m),Epk1(m).

Note: Assumes semi-honest behavior. A malicious receiver can choose two keys together with theirsecret keys.

20. Secret Sharing.... ?
In secret sharing
- Dealer who shares a secret among a group of n parties
- Sharing Phase
- Reconstruction Phase
The requirements are that :
- For t <n, any set of t colluding parties
- No information about the dealer’s secret at the end of the sharing
- Any set of t+1 parties can recover the dealer’s secret
Assumption :
- The dealer is honest

21. Verifiable Secret Sharing (VSS) .... ?
Just like secret sharing but requires :
- No matter what a cheating dealer does (in conjunction with t other
colluding parties), there is some unique secret to which the dealer is
“committed” by the end of the sharing phase.
Perfect VSS, where the security guarantees are :
- Unconditional
- Privacy is perfect
- Protocol is error-free.
Perfect VSS is known to be possible if and only if t < n/3

22. Whats Cooking in the Kitchen ... ?
 Bitcoin and Block Chain Technologies
 Yao's Millionaire Problem and Proposed Solution
 Secret Sharing and VSS (almost done but still need help)
 Secure 2 Party Computation (AES) (protocol implementation)
 GMW Protocol
 Efficient Micro-payments with Bitcoins (current research)

23. References - 1 ...
Y. Lindell and B. PinkasY. Lindell and B. Pinkas
A Proof of Yao's Protocol for Secure Two-Party Computation (Paper)A Proof of Yao's Protocol for Secure Two-Party Computation (Paper)
Iftach HaitnerIftach Haitner
Implementing Oblivious Transfer Using Collection of Dense Trapdoor Permutations (Paper)Implementing Oblivious Transfer Using Collection of Dense Trapdoor Permutations (Paper)
Yan Huang, David Evans, Jonathan Katz, Lior MalkaYan Huang, David Evans, Jonathan Katz, Lior Malka
Faster Secure Two-Party Computation Using Garbled Circuits (Paper)Faster Secure Two-Party Computation Using Garbled Circuits (Paper)
Ninghui Li , Purdue UniversityNinghui Li , Purdue University
Topic 24: Secure Function Evaluation (Slides)Topic 24: Secure Function Evaluation (Slides)
Benny Pinkas, HP Labs, PrincetonBenny Pinkas, HP Labs, Princeton
Introduction to Secure Computation (Slides)Introduction to Secure Computation (Slides)
Moni Naor , Weizmann Institute of ScienceMoni Naor , Weizmann Institute of Science
Lecture 15: Oblivious Transfer and Secure Function Evaluation (Slides)Lecture 15: Oblivious Transfer and Secure Function Evaluation (Slides)
Scribes from Dr. Ashish Choudhury lecturesScribes from Dr. Ashish Choudhury lectures
https://sites.google.com/site/ashishcrypto/Courses/2015-cs-nc-813https://sites.google.com/site/ashishcrypto/Courses/2015-cs-nc-813
ApologiesApologies for Others unmentioned sources from internet for articles and referencesfor Others unmentioned sources from internet for articles and references

24. References -2 ...
Improving The Round Complexity of VSS in Point-To-Point Networks
Jonathan Katz
Chiu-Yuen Koob
Department of Computer Science,
University of Maryland, College Park, MD 20742, USA
Ranjit Kumaresana
Google Labs, Mountain View, CA 94043, USA
Link : http://www.journals.elsevier.com/information-and-computation

25. Jitendra Kumar Patel
www.jitendrapatel.in
jitendra.dinesh@gmail.com
@bewithjitendra
facebook.com/bewithjitendrapatel
Saturday, January 30, 2016