# Lecture 1

### Definition of secure computation

The main topic of this course is the study of secure multiparty computation protocols. The main problem studied in the course can be generally (and informally) described as follows:

• Players: n mutually distrustful parties
• Input: each party holds a private input x_i
• Goal: collectively compute function f(x_1,...,x_n) of the inputs in such a way that inputs remain as private as possible

A seemingly more general formulation consider n functions f_i, such that party i only learns the value of function f_i.

Function f can be certainly evaluated in the presence of a trusted party: every player sends the private input x_i to the trusted party, who computes the function, returns the result to all the players, and erases the inputs. The question is to what extent this trusted party can be "emulated" (in a sense to be made precise later on) by a distributed (fault tolerant) computation. Notice that the notion of fault tolerance required here is much stronger than what tipycally considered in the area of distributed algorithms: in traditional distributed algorithms, fault tolerance can be easily achieved by replication, however, replication clearly does not help at all in achieving privacy.

### Motivations and Examples

There are two distinct reasons why we are interested in secure multiparty computation.

First, there are many practical applications that can be modeled as a secure function evaluation problem. Here are some examples.

1. Electronic voting: Each party holds a 0/1vote x_i, and the function to be computed is f(X) = majority(x_1,...,x_n)

Many possible variants: 2/3 majority, computing the tally, multi-candidate voting, etc.

2. Bidding for contracts and electronic auctions: each party makes an offer x_i, and the function f(X) outputs max_i(x_i) together with the index i achieving the maximum.

Many variants: e.g. compute the second highest bid, and the index i achieving the maximum

3. Data base computation: Different companies or agencies want to pull together their databases to perform some joint computation, but without revealing more data than required. For example, each party holds a list of names, and the function to be computed is the list of all names common to all lists. Think of a list of passegers on a flight, and a list of suspect terrorists, or companies that want to perform some joint marked research using their clients database. (In this latter case the amount of information about the clients that can be revealed by one company to the other might be restricted by law.)
4. Statistics: say, all students in the class want to compute statistical data like the maximum score, average, median, etc., but without revealing their grades. (And without the help of the instructor, which tipically play the role of the trusted third party.)
5. Querying a data base: a user want to query a database, and receive an answer to the query, but keeing the content of the query as private as possiblem. In this case the players are a server holding the database as private input, and a client holding the query as its private input. Privacy of both can be an important issue. For example, if the database holder is charging for answering queries, than he wants to make sure that no information from the database (other than the answer to a single query) is leaked at each interaction. On the other side a typical example might be a research firm that wants to consult the official patent database, before investing in a new research project, but keeping their research plans secret. (Notice, if appropriately formulated, the database query problem can mandate that the server does not learn not only the user query, but also the answer to the query.)
6. Distributed certification authority: you want to implement a certification authority that reseales certificates to users, by signing them using some secret key. In order to protect the key, you want to distribute it among several sites (each holding a "share" of the key). The problem is how to perform the cryptographic operation (in this case, signing), without ever pulling all the shares together on a single computer, which would introduce a single point of failure. The problem is easily modeled as a secure function computation, where the inputs are the shares of the key and the message to be signed, and the output is the signature.

The second motivation we are interested in secure multiparty computation is that many traditional cryptographic tasks can be casted as general secure function computation problems. So, secure computation gives a general framework to study cryptography, and address general issues as compositionality: is the composition of insividually secure cryptographic primitives still secure? under what assumptions? Some examples of traditional cryptographic tasks that can be described as general secure computation problems are:

1. Private communication: each party holds a message m_i and the index of an intended recipient r_i. The output of the computation, for party j, is the list of messages m_i such that r_i = j.
2. Authenticated channels: same as above, but the output of the function also include, for evey received message m_i, also the identity i of the sender.
3. Zero-knowledge proofs for NP-languages: one party holds a string x and the other holds an NP-witness that x belongs to some language L. The function to be computed is the relation defining language L.

### Course Outline

1. Introduction to secure computation and examples (done)
2. Brief review of complexity theory and cryptography background (today)
3. General plausibility results in the computational setting
4. General plausibility results in the secure channel setting
5. Efficiency and improvements of generic constructions
6. Special cases: a selection of specific problems for which ad-hoc solutions have been investigates. (E.g., Byzantine agreement, Private Information Retrieval, Threshold cryptography)
7. Definitional issues and composition of secure protocols: Canetti's "Universally Composable" security, general framework, composition theorems, formulation of standard cryptographic primitives, constructions, impossibility results.
8. (Optional) Advanced topics in zero-knoweldge: e.g., concurrent zero knolwedge, upper and lower bounds on round complexity, black-box vs. non-black-box ZK, efficient transformation techniques, etc.