CSE208: Advanced cryptography, Fall 2002

Lecture 12: The [BGW] protocol for private computation


In the last lectures we showed how to to build protocols that are secure in the computational setting, i.e., under the assumption that the adversary is computationally bounded. The protocol was designed in a modular way: starting from the solution to a basic primitive (Obliviuos Transfer), we built private protocols for arbitrary gates, and then combined the single gate protocols to built protocols for complex functions (boolean circuits.)

In the construction we used a composition theorem that holds both in the computational model and the unbounded adversary model: if the basic building blocks are secure only against computationally bounded adversaries, then also the resulting protocol is computationally secure, while if we start from perfectly secure building blocks, then the resulting protocol is also perfectly secure. Unfortunately, our solution to the OT problem is secure only in the computational setting, and in fact one can formally prove that secure computation in the unbounded adversary model is possible only if less than half of the parties are faulty. This rules out, as a special case, two parties protocols, where even a single faulty user would account for half of the parties.

Today we start studying a solution to the secure multiparty computation problem in the unbounded adversary model, where the number of faulty players t satisfies t < n/2. As in the previous protocol, we first consider the simpler problem of achieving privacy, i.e., security against semi-honest parties. (We consider malicious adversaries in the next lecture where we assume t< n/3.) The general structure of the protocol is similar to the [GMW] one:

The protocol we study is due to Ben-Or, Goldwasser and Widgerson [BGW]. Below, we highlight the differences between the [GMW] and the [BGW] protocol:

From the theoretical point of view, the main advantage of the BGW protocol is that security is achieved against computationally unbounded adversary, assuming the existence of secret channels. However, the use of error correcting codes instead of zero knowledge, and the execution of arithmetic operations over large fields (instead of bit operations) as single steps, already offer many potentialy efficiency advantages, even in the computational model.

Shamir secret sharing scheme

Here we recall the main properties of the polynomial secret sharing scheme due to Shamir. All properties immediately follows from properties of polynomials and finite fields:

Linear gates

Assume parties hold shares of p(0) and q(0). Then, they can easily compute (locally, with no communications) shares of (p+q)(0), setting each share to (p+q)(x_i) = p(x_i) + q(x_i).

Similarly, for any constant c, they can compute shares of (c*p)(0), setting (c*p)(x_i) = c*p(x_i).

These operations can be combined to obtain a private protocol for any linear function f(v) = Av, where each party contributes one input v_i, and receives as output A_i*v. The protocol is the following:

  1. Each party P[i] shares v[i] with the other players
    1. Pick random polynomial p[i](x) = v[i] + c[i,q]x + ... + c[i,t]*x^t
    2. Send v[i,j] = p[i](x_j) to P[j]
  2. P[j] computes shares of output values
    1. Set s[k,j] = Sum_i a[k,i]*v[i,j]
    2. Send s[k,j] to P[k]
  3. P[k] reconstruct output
    1. Interpolated (x_j,s[k,j]) with a (degree t) polynomial q[k](x_j) = s[k,j]
    2. Output p[k](0)

The correctness of the protocol is immediate:
q[k](x_j) = s[k,j] = Sum_i a[k,i]*v[i,j] = (Sum_i a[k,i]*p[i])(x_j)

Both sides are polynomials of degree t and agree on n points, so they must be the same polynomial q[k] = (Sum_i a[k,i]*p[i]). Evaluating the polynomial in 0 we get q[k](0) = Sum_i a[k,i]*p[i](0) = Sum_i a[k,i]*v[i] = A[k]*v

The privacy of the protocol is proved giving a simulator:

Let B the set of (at most t) corrupted parties, and let G' be a subset of honest parties such that |B| + |G'| = t. The simulator Sim(v[B], A[B]*v) outputs a view for B computed as follows:

  1. For every i in B, chooses p[i] at random (this defines the internal randomness of P[i])
  2. For every j in B, define the messages v[i,j] received by P[j] at step 2 of the protocol as follows
  3. For every k in B, define the messages s[k,j] received by P[k] at step 3 as follows

We leave is as an excercise to prove that the view Sim = (v[B],p[B],v[*,B],s[B,*]) prodiced by the simulator satisfies (Sim,Output[\B]) = (View[B],Output[\B]), for any input values v.

Multiplication gates

Consider the problem of computing p(0)*q(0). One possible way to compute shares of the product, is to take pointwise multiplication of the shares. This approach has two drawbacks: the resulting shares correspond to a polynomial of degree higher than t, and the polynomial is not uniformly distributed.

We first describe how to reduce the degree. Let p(x) = a_0 + ... + a_{2t} x^{2t} a polynomial of degree 2t corresponding to value p(0), and define the polynomial p'(x) = a_0 + ... + a_t x^t. Notice that p'(0) = p(0), so we can use p'(x_i) as shares of p'(0) in Shamir secret sharing scheme. The crucial observation is that the function mapping {p(x_i)} to {p'(x_i)} is linear, as it can be expressed as the composition of three linear functions: the interpolation function mapping {p(x_i)} to (a_0,...,a_{2t}), the truncation function mapping (a_0,...,a_{2t}) to (a_0,...,a_t), and the evaluation function mapping (a_0,...,a_t) to {p'(x_i)}.

Using the solution to compute linear functions, all parties can compute shares of the product p(0)*q(0). However, these shares do not correspond to a random polynomial. In order to make the shares random, random polynomials r_i such that r_i(0)=0 are added to p*q before reducing the degree.

We formally define a protocol to compute the randomized function that on input shares (p(x_i),q(x_i)) of p(0) and q(0), output shares s(x_i) of p(0)*q(0) where s(x) = p(0)*q(0) + u[1]x + ... + u[t]*x^t for randomly chosen u[1],...,u[t]. The protocol is defined in a model where we assume ideal access to a linear function f(v) = A*v (where each party send v[i] and receive A[i]*v), for matrix A defined as follows.

Let V be the Vandermonde matrix with rows [1,x[i],...,x[i]^{n-1}], and P be the diagonal matrix .with P[i,i] = 1 for i=1,...,t+1, and P[i,j]=0 otherwise. Notice that for any polynomial p(x) = a_0 + a_1x + ... + a_{n-1}x^{n-1}, the produce [a_0,...,a_{n-1}]*V^T is equal to [p(x[1]),...,p(x[n-1])]. Vandermonde matrix V is non singular, and we can define A = V*P*V^{-1}.

The protocol for the product function is

  1. P[i] shares 0 as a degree 2t polynomial
  2. Compute shares of the output using ideal protocol for linear function A = V*P*V^{-1}
  3. P[j] outputs s[j]

Correctness easily follow. Values v[j] satisfy v[j] = (p*q + Sum_i r[i])(x_j). Let y be the coefficient vectors of polynomial (p*q + Sum_i r[i]). We now y[0] = p(0)*q(0), and y[i] is random for all 1<=i<=2t. The protocol multiplies A=V*P*V^{-1} by v=Vy, so the result is V*P*y = V*s, where s is a vector with s[0] = p(0)*q(0), and s[i] chosen at random for all 1<=i<=t.

The privacy of the protocol is easily proved in the hybrid model. The simulator receives as input p(x_B), q(x_B) and s(x_B). The only missing part of the view of P[B] is the randomness r[B] and messages r[\B,B]. These are chosen as follows:

In order to prove that the simulator is correct, one need to show that the conditional probability (in a real execution of the protocol) of r[B] and r[\B,B], given ALL inputs p(x_i), q(x_i) and ALL outputs s[i], is uniform.

The circuit protocol

The protocol in the circuit works in the obvious way:

The simulator is also easily defined. Let B be the set of (at most t) corrupted parties. We assume B follow the protocol, but attempts to obtain more information than the output of the circuit. We want to give a simulator that on input X[B] and f(X)[B], outputs a view S = Sim(X[B],f(X)[B]) such that (S,f(X)[\B]) is distributed identically to (View(X)[B],f(X)[\B]).

The simulator proceeds as follows:


M. Ben-Or, S. Goldwasser, A. Widgerson, Completeness theorems for non-cryptographic fault-tolerant distributed computation, STOC 88