CSE208: Advanced cryptography, Fall 2002

Lecture 10: Private multiparty computation


In the last lectures we proved a composition theorem for secure protocols, and observed that it holds true also in the semihonest model. Today, we start studying general protocols to securely compute any function. In other words, we want to describe a general method that given as input the description of a (randomized) function f, efficiently produces the description of a multiparty protocol to securely compute f. The construction is modular. Here is an outline:

Before starting the description of the individual steps, we introduce the general framework. We assume that function f is described as an arithmetic function over GF(2), with + and * gates. Inputs are usually shared among the players as follows. A bit v is stored giving to each party a share v_i such that sum_i v_i = v mod 2. Notice that, unless one knows all the shared, the value of v is information theoretically hidden.

Multiplication gate for 2 parties

Assume there are only two players, each holding (a_i,b_i). They want to compute function
f((a_1,b_1),(a_2,b_2)) = (c_1,c_2)
where c_1, c_2 are chosen at random such that c_1+c_2 = (a_1+a_2)*(b_1+b_2).

The function is easily computed using the (4/1)-OT protocol. (See homeworks for a construction of (n/1)-OT from (2/1)-OT). The idea is that one party prepares the four possible outputs of f based on its own bits (which are known and fixed) and the (unknown) input bits of the other party. Specifically, the two parties invoke the OT protocol with P_1 playing the sender and P_2 playing the receiver. The program for P_1, on input (a_1,b_1), chooses c_1 at random and obliviously transfer one of the following bits:

  1. c_1 + a_1 * b_1
  2. c_1 + (a_1+1)*b_1
  3. c_1 + a_1*(b_1+1)
  4. c_1 + (a_1+1)*(b_1+1)

Similarly, on input (a_2,b_2), P_2 selects

  1. if a_2=b_2=0
  2. if a_2=1 and b_2=0
  3. if a_2=0 and b_2 = 1
  4. if a_2=b_2=1

P_1 output c_1 and P_2 output the value c_2 received in the OT protocol.

It is easy to see that the protocol privately compute function f, assuming access to a secure OT protocol. Correctness can be verified by inspection and case analysis. In order to prove that the protocol is private, we need to give a simulator. Simulating the view of P_1 is immediate as the OT function does not produce any output for P_1 and the view of P_1 only consists of its input and random bit. The view of P_2 is easily simulated given access to the output of f for P_2, as the output of OT is the same as the output of f for P_2, and the view of P_2 consists of the input of P_2 together with this output.

It follows from the composition theorem, and the protocol for OT studied in class, that function f can be privately computed assuming point-to-point communication channels and the existence of a trapdoor permutation.

Multiplication gate for n parties

The above protocol can be used as a building block to implement a private protocol for the product of two bits shared among n parties. This time we want to compute function
M((a_1,b_1),...,(a_n,b_n)) = (c_1,...,c_n)
such that sum_i c_i = (sum_i a_i)*(sum_i b_i), and c_i chosen at random. Notice that we can choose (n-1) of the c_i independently and uniformly at random, and the function F only contrains the last bit.

One can verify that (sum_i c_i) can be equivalently rewritten as
n*(sum_i a_i*b_i) + sum_{i<j} (a_i+a_j)*(b_i+b_j).

Notice that each summand involves the input of at most two parties and can be computed using function f. (Function f can be trivially extended to a function f_ij where all parties except i and j send and receive no values, and parties i and j compute function f.) The protocol for M is

  1. Each pair of parties (i<j), invokes function f_ij on inputs (a_i,b_i) and (a_j,b_j), to obtain c{i,j}_i and c{i,j}_j. (These n(n-1)/2 functions are invoked sequentially in some fixed order.)
  2. Party i sets c_i = n*a_i*b_i + sum_{j=/=i} c{i,j}_i
  3. Party i outputs c_i

As before, correctness is easily verifies by inspection. We give a simulator to prove privacy. Say we want to simulate the view of semihinest parties B, given their inputs and outputs. We assume, without loss of generality, that B does not contains all players (in which case, the simulation is trivial.)

  1. For each pair of bad players i,j in B, uniformly select c{i,j}_i and set c{i,j}_j = c{i,j}_i + (a_i+a_j)*(b_i + b_j).
  2. Let l be the index of some good player. For any i in B, select c{i,j}_i at random for all j not in (B+{l}), and set
    c{i,l}_i = c_i + n*a_i*b_i + sum_{j =/= i or l} c{i,j}_i
    where c_i is the output of M for P_i.
  3. The simulated view is defined by all c{i,j}_i with i in B.

Circuit evaluation protocol

We use the protocols to compute the product of two shares to design a protocol to compute any n-party function. Let M be the multiplication function, and assume F is represented as an arithmetic circuit over GF(2). We consider the values associated to each wire in the circuit, sorted from the input wires to the outputs, in such a way that for each gate the input wired are always before the output. The protocol to privately compute F computes shares v_{ij} for the value of each wire i, such that sum_j v_{ij} = v_i is the value associated to the wire. Party P_j only knows share v_{ij}. Shared are computed inductively as follows:

  1. Each party P_i shares its input x_i among the other parties, choosing x_{i,j} at random such that sum_j x_{ij} = x_i, and sending x_{ij} to P_j
  2. For constant wires, party P_1 sets v_{i1} to the value of the wire, and all other parties set v_{ij} = 0
  3. If v_i is the output of an addition gate with inputs v_k and v_l (with k,l<i), each party sets v_ij = v_kj + v_kl
  4. If v_i is the output of a multiplication gate with inputs v_k and v_l (with k,l<i), then the parties invoke function M on inputs (v_kj,v_lj) to obtain v_ij.
  5. Once all wires have been processed, including the output wires y_i, each party P_j sends y_ij to P_i, and P_i recovers and output y_i = sum_j y_ij

The correctness of the protocol is proved by induction on the number of wires, proving the invariant that the sum of the shared always equals the value of teh wire. The privacy of the protocol is proved giving a simulator that given the inputs x_B and outputs y_B of bad players B, produces their entire view. As usual we assume B is not the entire set of players.

  1. Input shared are chosen at random, both for the good and bad parties. Notice that since at least one of the shares of good party is not known, the input value for x_G is independent of these messages.
  2. Compute shared for all other wires, emulating the circuit gate by gate. The shares of constant and addition gates are easily computed locally from shares previously computed. For multiplication gates, shares for v_{iB} are set uniformly at random, independently of the (unknown) wire value.
  3. For the last round of messages, shares transmitted from the good players to the bad players are chosen uniformly at random, subject to the constraint that the sum of all shares y_{ij} equal output value y_i.

Randomized Functions

The above protocol allows to compute any deterministic function. Randomized functions are computed by reducing them to deterministic functions as follows. Say we wand to compute function F(x_1,...,x_n,r) where r is the randomness. We define function
G((x_1,r_1),...,(x_n,r_n)) = F(x_1,...,x_n,sum_i r_i)
This is a deretministic function, so we can compute it privately as described above writing G as an arithmetic circuit. The protocol to compute F is:

It is easy to see that this protocol is not only private, but also secure. By the composition theorem, if the implementation of G is secure against malicious parties, then the composed protocol is also secure against malicious parties.

We still need to show how to transform private protocols into secure ones. The above reducion shows that we only need to consider deterministic functions.


O. Goldreich, Secure Multi-Party Computation. manuscript