![Page 1: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/1.jpg)
Secure Multiparty Computation (MPC)
Serge FehrCWI Amsterdam
www.cwi.nl/~fehr
Meeting on Privacy-Enhancing Cryptography
December 8 & 9, 2011
![Page 2: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/2.jpg)
Intro and problem description
Possibility result
High-level idea
Outline
![Page 3: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/3.jpg)
ALICE BOB
Encryption and more
![Page 4: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/4.jpg)
ALICE BOB
EVE
Encryption and more
![Page 5: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/5.jpg)
ALICE BOB
EVE
Encryption and more
Eve can: eavesdrop the communication -> use encryption (symmetric or public-key)
![Page 6: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/6.jpg)
ALICE BOB
EVE
Encryption and more
Eve can: eavesdrop the communication -> use encryption (symmetric or public-key)modify (or insert/delete) messages -> use authentication or digital signatures
![Page 7: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/7.jpg)
ALICE BOB
EVE
Encryption and more
Eve can: eavesdrop the communication -> use encryption (symmetric or public-key)modify (or insert/delete) messages -> use authentication or digital signatures
Distinguishing features clear distinction between good and badknow whom to trust reveal all-or-nothing
![Page 8: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/8.jpg)
t black white
ALICE BOB
EVE
Encryption and more
Eve can: eavesdrop the communication -> use encryption (symmetric or public-key)modify (or insert/delete) messages -> use authentication or digital signatures
Distinguishing features clear distinction between good and badknow whom to trus reveal all-or-nothing
But:
The world is not just and whiteblack
![Page 9: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/9.jpg)
Company A Company B
Examples
A and B want to compare their performance
![Page 10: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/10.jpg)
Company A Company B
Examples
A and B want to compare their performanceNeither is willing to reveal its detailed performance data
![Page 11: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/11.jpg)
Company A Company B
Examples
A and B want to compare their performance
ORA and B want to find the overlap in customers Neither is willing to reveal its own customer list
Neither is willing to reveal its detailed performance data
![Page 12: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/12.jpg)
BIDDER 1 SELLER
Want to find out if bids are sufficient and who bids more, and e.g. agree on max{W, min{X,Y}+1} as price.No one is willing to reveal his upper/lower bound.
I offer X
I offer Y
Examples
BIDDER 2
I want at least W
![Page 13: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/13.jpg)
Voters want to find out outcome of the vote.None is willing to reveal his individual vote.
Examples
YES
NO
YES
NOYES
NO
NO
![Page 14: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/14.jpg)
Every user Ui has a private input xi .
The General Problem
x1
x4
xm
x2
x3 x5
F
![Page 15: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/15.jpg)
Every user Ui has a private input xi .
The General Problem
x1
x4
xm
x2
x3 x5
F
F(x1,x2,x3,...,xm) = ?
Users want to learn F(x1,x2,x3,...,x1).Variation: Different users learn different functions. Private inputs should remain private.
![Page 16: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/16.jpg)
An Ideal Solution
x1
x4
xm
x2
x3 x5
F
![Page 17: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/17.jpg)
An Ideal Solution
x1
x4
xm
x2
x3 x5
F
trusted authority TA
![Page 18: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/18.jpg)
xm
Every user Ui sends his xi to .
An Ideal Solution
x1
x4
xm
x2
x3 x5
F
x1
x2x3 x4 x5
trusted authority TA
![Page 19: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/19.jpg)
xm
Every user Ui sends his xi to .
An Ideal Solution
x1
x4
xm
x2
x3 x5
F
x1
x2x3 x4 x5
y = F(x1,x2,x3,...,x1)
TA computes y = F(x1,x2,x3,...,x1), andannounces y to everyone.
trusted authority TA
![Page 20: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/20.jpg)
MPC: Removing the Trusted Authority
x1
x4
xm
x2
x3 x5
F
![Page 21: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/21.jpg)
MPC: Removing the Trusted Authority
x1
x4
xm
x2
x3 x5
F
![Page 22: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/22.jpg)
MPC: Removing the Trusted Authority
x1
x4
xm
x2
x3 x5
F
S1S2 S3
Sn
Idea: Perform computation by a group of servers.Some of the servers may be malicious.
![Page 23: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/23.jpg)
MPC: Removing the Trusted Authority
x1
x4
xm
x2
x3 x5
F
S1S2 S3
Sn
Idea: Perform computation by a group of servers.Some of the servers may be malicious.
![Page 24: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/24.jpg)
MPC: Removing the Trusted Authority
x1
x4
xm
x2
x3 x5
F
S1S2 S3
Sn
Idea: Perform computation by a group of servers.Some of the servers may be malicious.
![Page 25: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/25.jpg)
MPC: Removing the Trusted Authority Idea:
Perform computation by a group of servers.Some of the servers may be malicious.
![Page 26: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/26.jpg)
MPC: Removing the Trusted Authority
Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any input.Also: malicious servers cannot influence outcome y.
Idea: Perform computation by a group of servers.Some of the servers may be malicious.
![Page 27: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/27.jpg)
MPC: Removing the Trusted Authority
Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any input.Also: malicious servers cannot influence outcome y.
Advantages: No need to know whom to trust.Different users may trust different servers.No single point of failure
Idea: Perform computation by a group of servers.Some of the servers may be malicious.
Only requirement: sufficiently many servers are honest.
![Page 28: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/28.jpg)
MPC: Removing the Trusted Authority
Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any input.Also: malicious servers cannot influence outcome y.
Idea: Perform computation by a group of servers.Some of the servers may be malicious. A MPC emulates an imaginary fully trusted party by means of a group of partly trusted parties.
Advantages: No need to know whom to trust.Different users may trust different servers.No single point of failure
Only requirement: sufficiently many servers are honest.
![Page 29: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/29.jpg)
MPC: Removing the Trusted Authority
Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any input.Also: malicious servers cannot influence outcome y.
Idea: Perform computation by a group of servers.Some of the servers may be malicious. A MPC emulates an imaginary fully trusted party by means of a group of partly trusted parties.
Advantages: No need to know whom to trust.Different users may trust different servers.No single point of failure
Only requirement: sufficiently many servers are honest.
![Page 30: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/30.jpg)
Intro and problem description
Possibility result
High-level idea
Outline
![Page 31: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/31.jpg)
Possibility of MPC
Under reasonable set-up assumptions (e.g. PKI),general secure MPC is possible if (and only if) a majority of the servers are honest, i.e., t < n/2 of the n servers are malicious.
Exist many different variants which differ in: flavors of securityset-up assumptionscomplexity
# of malicious servers communication model etc.
![Page 32: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/32.jpg)
Example
YES
NO
YES
NOYES
NO
NO
![Page 33: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/33.jpg)
Example
YES
NO
YES
NOYES
NO
NOYES
NO
NO
YES
NOYES
NO
![Page 34: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/34.jpg)
Example
YES
NO
YES
NOYES
NO
NOYES
NO
NO
YES
NOYES
NO
3 times YES, 4 times NO
Promise: Votes remain private and tally is guaranteed correctIf a majority of servers is honest.
![Page 35: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/35.jpg)
Intro and problem description
Possibility result
High-level idea
Outline
![Page 36: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/36.jpg)
Tool: Homomorphic Threshold Encryption
Public-key encryption scheme with special properties
![Page 37: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/37.jpg)
Tool: Homomorphic Threshold Encryption
Public-key encryption scheme with special properties
Threshold: Decryption key is ``shared” among servers.A malicious minority cannot decrypt All servers together can decrypt (even if a malicious minority tries to prevent them)
![Page 38: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/38.jpg)
Tool: Homomorphic Threshold Encryption
Public-key encryption scheme with special properties
Threshold: Decryption key is ``shared” among servers.A malicious minority cannot decrypt All servers together can decrypt (even if a malicious minority tries to prevent them) x
![Page 39: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/39.jpg)
Tool: Homomorphic Threshold Encryption
Public-key encryption scheme with special properties
Threshold: Decryption key is ``shared” among servers.A malicious minority cannot decrypt All servers together can decrypt (even if a malicious minority tries to prevent them) x
x
![Page 40: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/40.jpg)
Tool: Homomorphic Threshold Encryption
Public-key encryption scheme with special properties
Threshold: Decryption key is ``shared” among servers.A malicious minority cannot decrypt All servers together can decrypt (even if a malicious minority tries to prevent them) x
x
?
![Page 41: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/41.jpg)
Tool: Homomorphic Threshold Encryption
Public-key encryption scheme with special properties
Threshold: Decryption key is ``shared” among servers.A malicious minority cannot decrypt All servers together can decrypt (even if a malicious minority tries to prevent them) x
x
? x
![Page 42: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/42.jpg)
Tool: Homomorphic Threshold Encryption
Public-key encryption scheme with special properties
Threshold: Decryption key is ``shared” among servers.A malicious minority cannot decrypt All servers together can decrypt (even if a malicious minority tries to prevent them)
Homomorphic: When given encryption of x and y an encryption of x +y can be computed
x
x
? x
![Page 43: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/43.jpg)
Tool: Homomorphic Threshold Encryption
Public-key encryption scheme with special properties
Threshold: Decryption key is ``shared” among servers.A malicious minority cannot decrypt All servers together can decrypt (even if a malicious minority tries to prevent them)
Homomorphic: When given encryption of x and y an encryption of x +y can be computed
x
x
? xx y
![Page 44: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/44.jpg)
Tool: Homomorphic Threshold Encryption
Public-key encryption scheme with special properties
Threshold: Decryption key is ``shared” among servers.A malicious minority cannot decrypt All servers together can decrypt (even if a malicious minority tries to prevent them)
Homomorphic: When given encryption of x and y an encryption of x +y can be computed
x
x
? xx y x +y
![Page 45: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/45.jpg)
MPC in Action x y
w
z
F(x,y,w,z) = (x +y)!z + w
![Page 46: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/46.jpg)
MPC in Action x y
w
z
F(x,y,w,z) = (x +y)!z + w
x y w z
![Page 47: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/47.jpg)
MPC in Action x y
w
z
F(x,y,w,z) = (x +y)!z + w
homomorphic property
x +y
x y w z
![Page 48: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/48.jpg)
MPC in Action x y
w
z
F(x,y,w,z) = (x +y)!z + w
homomorphic property
x +y
(x +y)!z
x y w z
![Page 49: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/49.jpg)
MPC in Action x y
w
z
F(x,y,w,z) = (x +y)!z + w
homomorphic property
complex subprotocol, involving communication among the servers
x +y
(x +y)!z
x y w z
![Page 50: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/50.jpg)
MPC in Action x y
w
z
F(x,y,w,z) = (x +y)!z + w
homomorphic property
complex subprotocol, involving communication among the servers
homomorphic property
x +y
(x +y)!z
(x +y)!z + w
x y w z
![Page 51: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/51.jpg)
MPC in Action x y
w
z
F(x,y,w,z) = (x +y)!z + w
homomorphic property
complex subprotocol, involving communication among the servers
homomorphic property
threshold property
x +y
(x +y)!z
(x +y)!z + w(x +y)!z + w
x y w z
![Page 52: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/52.jpg)
Summary
MPC is useful whenparties have common goal yet conflicting interests it is unclear whom we can trustthere is no fully trusted party available
![Page 53: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/53.jpg)
Summary
MPC is useful whenparties have common goal yet conflicting interests it is unclear whom we can trustthere is no fully trusted party available
Downside: general solutions are rather inefficientBut: special purpose solutions can be reasonably efficient (see next talk by Tomas Toft)
![Page 54: Secure Multiparty Computation (MPC) - NIST...MPC: Removing the Trusted Authority Want: No single (malicious) server learns any input. Malicious servers jointly should not learn any](https://reader033.vdocuments.site/reader033/viewer/2022060901/609e883b2396bf1a38553d01/html5/thumbnails/54.jpg)
Summary
MPC is useful whenparties have common goal yet conflicting interests it is unclear whom we can trustthere is no fully trusted party available
THANK YOU
Downside: general solutions are rather inefficientBut: special purpose solutions can be reasonably efficient (see next talk by Tomas Toft)