# Lecture 12: The [BGW] protocol for private computation

### Overview

In the last lectures we showed how to to build protocols that are secure in the computational setting, i.e., under the assumption that the adversary is computationally bounded. The protocol was designed in a modular way: starting from the solution to a basic primitive (Obliviuos Transfer), we built private protocols for arbitrary gates, and then combined the single gate protocols to built protocols for complex functions (boolean circuits.)

In the construction we used a composition theorem that holds both in the computational model and the unbounded adversary model: if the basic building blocks are secure only against computationally bounded adversaries, then also the resulting protocol is computationally secure, while if we start from perfectly secure building blocks, then the resulting protocol is also perfectly secure. Unfortunately, our solution to the OT problem is secure only in the computational setting, and in fact one can formally prove that secure computation in the unbounded adversary model is possible only if less than half of the parties are faulty. This rules out, as a special case, two parties protocols, where even a single faulty user would account for half of the parties.

Today we start studying a solution to the secure multiparty computation problem in the unbounded adversary model, where the number of faulty players t satisfies t < n/2. As in the previous protocol, we first consider the simpler problem of achieving privacy, i.e., security against semi-honest parties. (We consider malicious adversaries in the next lecture where we assume t< n/3.) The general structure of the protocol is similar to the [GMW] one:

• Parties initially share their inputs using a secret sharing scheme
• Computation proceeds gate by gate, with the invariant that parties holds random shares of the values of the internal wires of the circuit.
• At the end, shared corresponding to the output wires are transmitted to the legitimate party

The protocol we study is due to Ben-Or, Goldwasser and Widgerson [BGW]. Below, we highlight the differences between the [GMW] and the [BGW] protocol:

• Instead of sharing boolean values, shares are elements of an arbitrary field GF(q) (with q>n), allowing potenrially more efficient computations
• The secret sharing scheme used is different: each party is associated to a field element x_i. Value s is shares picking a random polynomial of degree t, p(x) = s + a_1*x_1 + ... + a_t*x_t, such that p(0) = s. The share of party i is given by p(x_i).
• Next time we will show how to achieve robustness using error correcting codes techniques, instead of zero knowledge.

From the theoretical point of view, the main advantage of the BGW protocol is that security is achieved against computationally unbounded adversary, assuming the existence of secret channels. However, the use of error correcting codes instead of zero knowledge, and the execution of arithmetic operations over large fields (instead of bit operations) as single steps, already offer many potentialy efficiency advantages, even in the computational model.

### Shamir secret sharing scheme

Here we recall the main properties of the polynomial secret sharing scheme due to Shamir. All properties immediately follows from properties of polynomials and finite fields:

• For any t+1 points X = x_0, x_1,...,x_t, the values p(X) of a t degree polynomial are uniformly and independently distributed.
• The function L mapping polynomial coefficients (a_0,...,a_t) to points p(x_i) is linear, non-singular, and it can be efficiently computed in both directions.

### Linear gates

Assume parties hold shares of p(0) and q(0). Then, they can easily compute (locally, with no communications) shares of (p+q)(0), setting each share to (p+q)(x_i) = p(x_i) + q(x_i).

Similarly, for any constant c, they can compute shares of (c*p)(0), setting (c*p)(x_i) = c*p(x_i).

These operations can be combined to obtain a private protocol for any linear function f(v) = Av, where each party contributes one input v_i, and receives as output A_i*v. The protocol is the following:

1. Each party P[i] shares v[i] with the other players
1. Pick random polynomial p[i](x) = v[i] + c[i,q]x + ... + c[i,t]*x^t
2. Send v[i,j] = p[i](x_j) to P[j]
2. P[j] computes shares of output values
1. Set s[k,j] = Sum_i a[k,i]*v[i,j]
2. Send s[k,j] to P[k]
3. P[k] reconstruct output
1. Interpolated (x_j,s[k,j]) with a (degree t) polynomial q[k](x_j) = s[k,j]
2. Output p[k](0)

The correctness of the protocol is immediate:
q[k](x_j) = s[k,j] = Sum_i a[k,i]*v[i,j] = (Sum_i a[k,i]*p[i])(x_j)

Both sides are polynomials of degree t and agree on n points, so they must be the same polynomial q[k] = (Sum_i a[k,i]*p[i]). Evaluating the polynomial in 0 we get q[k](0) = Sum_i a[k,i]*p[i](0) = Sum_i a[k,i]*v[i] = A[k]*v

The privacy of the protocol is proved giving a simulator:

Let B the set of (at most t) corrupted parties, and let G' be a subset of honest parties such that |B| + |G'| = t. The simulator Sim(v[B], A[B]*v) outputs a view for B computed as follows:

1. For every i in B, chooses p[i] at random (this defines the internal randomness of P[i])
2. For every j in B, define the messages v[i,j] received by P[j] at step 2 of the protocol as follows
• If i is in B, then set v[i,j] = p[i](x_j)
• If i is not in B, then set v[i,j] at random
3. For every k in B, define the messages s[k,j] received by P[k] at step 3 as follows
• For all j in B, set s[k,j] = Sum_i a[k,i]*v[i,j]
• For all j in G', choose s[k,j] at random
• Let q[k] the unique polynomial of degree at most t such that q[k](0) = A[k]*v and q[k](x_j)=s[k,j] for all j in B or G'
• For all remaining j, set s[k,j] = q[k](x_j)

We leave is as an excercise to prove that the view Sim = (v[B],p[B],v[*,B],s[B,*]) prodiced by the simulator satisfies (Sim,Output[\B]) = (View[B],Output[\B]), for any input values v.

### Multiplication gates

Consider the problem of computing p(0)*q(0). One possible way to compute shares of the product, is to take pointwise multiplication of the shares. This approach has two drawbacks: the resulting shares correspond to a polynomial of degree higher than t, and the polynomial is not uniformly distributed.

We first describe how to reduce the degree. Let p(x) = a_0 + ... + a_{2t} x^{2t} a polynomial of degree 2t corresponding to value p(0), and define the polynomial p'(x) = a_0 + ... + a_t x^t. Notice that p'(0) = p(0), so we can use p'(x_i) as shares of p'(0) in Shamir secret sharing scheme. The crucial observation is that the function mapping {p(x_i)} to {p'(x_i)} is linear, as it can be expressed as the composition of three linear functions: the interpolation function mapping {p(x_i)} to (a_0,...,a_{2t}), the truncation function mapping (a_0,...,a_{2t}) to (a_0,...,a_t), and the evaluation function mapping (a_0,...,a_t) to {p'(x_i)}.

Using the solution to compute linear functions, all parties can compute shares of the product p(0)*q(0). However, these shares do not correspond to a random polynomial. In order to make the shares random, random polynomials r_i such that r_i(0)=0 are added to p*q before reducing the degree.

We formally define a protocol to compute the randomized function that on input shares (p(x_i),q(x_i)) of p(0) and q(0), output shares s(x_i) of p(0)*q(0) where s(x) = p(0)*q(0) + u[1]x + ... + u[t]*x^t for randomly chosen u[1],...,u[t]. The protocol is defined in a model where we assume ideal access to a linear function f(v) = A*v (where each party send v[i] and receive A[i]*v), for matrix A defined as follows.

Let V be the Vandermonde matrix with rows [1,x[i],...,x[i]^{n-1}], and P be the diagonal matrix .with P[i,i] = 1 for i=1,...,t+1, and P[i,j]=0 otherwise. Notice that for any polynomial p(x) = a_0 + a_1x + ... + a_{n-1}x^{n-1}, the produce [a_0,...,a_{n-1}]*V^T is equal to [p(x[1]),...,p(x[n-1])]. Vandermonde matrix V is non singular, and we can define A = V*P*V^{-1}.

The protocol for the product function is

1. P[i] shares 0 as a degree 2t polynomial
• Pick random r[i](x) = c[i,1]x + ... + c[i,2t]x^{2t}
• Send r[i,j] = r[i](x_j) to P[j]
2. Compute shares of the output using ideal protocol for linear function A = V*P*V^{-1}
• P[j] contributes input v[j] = p[j]*q[j] + Sum_i r[i,j]
• P[j] receives output s[j] = A[j]*v
3. P[j] outputs s[j]

Correctness easily follow. Values v[j] satisfy v[j] = (p*q + Sum_i r[i])(x_j). Let y be the coefficient vectors of polynomial (p*q + Sum_i r[i]). We now y[0] = p(0)*q(0), and y[i] is random for all 1<=i<=2t. The protocol multiplies A=V*P*V^{-1} by v=Vy, so the result is V*P*y = V*s, where s is a vector with s[0] = p(0)*q(0), and s[i] chosen at random for all 1<=i<=t.

The privacy of the protocol is easily proved in the hybrid model. The simulator receives as input p(x_B), q(x_B) and s(x_B). The only missing part of the view of P[B] is the randomness r[B] and messages r[\B,B]. These are chosen as follows:

• For all i in B, choose r[i] uniformly at random
• For all i not in B, and j in B, choose r[i,j] uniformly at random

In order to prove that the simulator is correct, one need to show that the conditional probability (in a real execution of the protocol) of r[B] and r[\B,B], given ALL inputs p(x_i), q(x_i) and ALL outputs s[i], is uniform.

### The circuit protocol

The protocol in the circuit works in the obvious way:

• First each party shares the input x_i picking a random polynomial of degree t
• Computation proceeds gate by gate using the linear function and multiplication protocols described above
• At the end, shares of the output of P_i are sent to P_i who reconstruct the output using interpolation.

The simulator is also easily defined. Let B be the set of (at most t) corrupted parties. We assume B follow the protocol, but attempts to obtain more information than the output of the circuit. We want to give a simulator that on input X[B] and f(X)[B], outputs a view S = Sim(X[B],f(X)[B]) such that (S,f(X)[\B]) is distributed identically to (View(X)[B],f(X)[\B]).

The simulator proceeds as follows:

• Shares for the inputs X[\B] are chosen at random
• Shares for the linear gates are computed locally
• Shares for the output of multiplication gates are chosen at random
• Shares of the output wires for B are chosen at random, subject to the constraint that the sum of the shares equal to the given output

### References

M. Ben-Or, S. Goldwasser, A. Widgerson, Completeness theorems for non-cryptographic fault-tolerant distributed computation, STOC 88