Secure Multi-party Computation Made Simple [chapter]

Ueli Maurer
2003 Lecture Notes in Computer Science  
Known secure multi-party computation protocols are quite complex, involving non-trivial mathematical structures and subprotocols. The purpose of this paper is to present a very simple approach to secure multi-party computation with straightforward security proofs. This approach naturally yields protocols secure for mixed (active and passive) corruption and general (as opposed to threshold) adversary structures, confirming the previously proved tight bounds in a simpler framework. Due to their simplicity, the described protocols are well-suited for didactic purposes, which is a main goal of this paper.

arbitrary on-going computation during which new inputs can be provided and players can interact with an environment. This corresponds to the simulation of a trusted party [14, 15]. Security in MPC means that the players' inputs remain secret (except for what is revealed by the intended results of the computation) and that the results of the computation are guaranteed to be correct. More precisely, security is defined relative to an ideal-world specification involving a trusted party: anything the adversary can achieve in the real world (where the protocol is executed) he can also achieve in the ideal world [5, 21].

Many distributed cryptographic protocols can be seen as special cases of secure MPC. For specific tasks like collective contract signing, on-line auctions, or voting, there exist very efficient protocols. Throughout this paper we consider general secure MPC protocols, where general means that any given specification involving a trusted party can be computed securely without the trusted party. In other words, we consider compilers that take as input a specification and generate a secure protocol for realizing the specification.

Most protocols for general secure MPC work roughly as follows: The function (or specification) to be computed is specified by a circuit over some finite field consisting of addition and multiplication gates. This is no essential restriction. Each input value and each intermediate result is shared appropriately among the players so that no cheating player set can learn anything. The circuit is evaluated gate by gate, performing a sub-protocol for each gate. The result(s) of the computation are jointly reconstructed.

General MPC protocols tend to be less efficient than special-purpose protocols, for two reasons. First, the circuit can generally be quite large. Second, the multiplication sub-protocol is rather inefficient as it requires substantial interaction (but see [17] for efficiency improvements for general MPC protocols).
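The gate-by-gate structure described above, as an added worked example that is not code from the paper: additive n-out-of-n sharing over a prime field is this example's own choice of scheme (the paper uses a different, adversary-structure based sharing), addition gates are evaluated locally without interaction, and the last function shows why a multiplication gate cannot be handled the same way.

```python
# Added example, not from Maurer's paper: the circuit-evaluation skeleton
# of general MPC (share inputs, evaluate gate by gate, reconstruct) over
# GF(P). Additive sharing is an assumption of this example, chosen because
# it makes addition gates purely local.
import secrets

P = 2**61 - 1  # a Mersenne prime; any prime field works

def share(x, n):
    """Split x into n additive shares that sum to x mod P.
    Any n-1 of them are uniformly random and reveal nothing about x."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % P)
    return shares

def reconstruct(shares):
    """Joint reconstruction: every player publishes its share, sum them."""
    return sum(shares) % P

def add_gate(a_shares, b_shares):
    """Addition gate: each player adds its own two shares locally.
    No messages are exchanged, which is why addition gates are cheap."""
    return [(a + b) % P for a, b in zip(a_shares, b_shares)]

def naive_mul_gate(a_shares, b_shares):
    """What does NOT work: multiplying shares locally. The sum of the
    share products is not the product of the sums, so the reconstructed
    value is garbage. A real multiplication sub-protocol needs interaction."""
    return [(a * b) % P for a, b in zip(a_shares, b_shares)]

def evaluate_sum(inputs, n):
    """Evaluate the circuit x1 + x2 + ... + xk gate by gate on shares."""
    acc = share(inputs[0], n)
    for x in inputs[1:]:
        acc = add_gate(acc, share(x, n))
    return reconstruct(acc)

def local_mul_is_wrong(a, b, n, trials=8):
    """True if local share multiplication ever disagrees with a*b mod P
    (with n >= 2 it is wrong with probability about 1 - 1/P per trial)."""
    return any(
        reconstruct(naive_mul_gate(share(a, n), share(b, n))) != (a * b) % P
        for _ in range(trials)
    )
```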
doi:10.1007/3-540-36413-7_2 fatcat:7umiln2scnaptd3d5xw6ho43ta