Markus Jakobsson Bell Laboratories

Ari JuelsRSA Laboratories

Mix and Match:A Simple Approach to

General Secure Multiparty Computation

+

What is secure multiparty computation?

The problem

Alice Bob

a b

f(a,b)

f(a,b)

The problem

f

Black Box

Alice Bob

a b

a b

Richie Rich

is richer

Who’s

richer?

Millionaires’ Problem

>

Worth $a Worth $b

Auctions

Bob

$810

f

Alice

Bob

Edgar

Cate

What’s in the black box?

Trusted third party?

TrustedParty

We want to do without!

Tamper-resistant hardware

Alice Bob

a b

f(a,b)

But we don’t want to rely on hardware!

Secure multiparty computation

Alice Bob

a b

Alice and Bob simulate circuit

f(a,b)

Other methods

Complex Recently becoming somewhat practical

Simulate full field operations

gate involves local computation

gate requires rounds of verifiable secret sharing

Our method: Mix and match

Conceptually simple Simulates only boolean gates directly Very efficient for bitwise operations, not

so for others Some pre-computation possible

Some previous work

Yao– Use of logical tables (two-player)

Chaum, Damgård, van de Graaf– Multi-party use of logical tables

(for passive adversaries)

Mix and Match(Non-private)

Non-private simulation: OR gate

a b a b

0

0

1

1

0

1

0

1

0

1

11

1 0

Non-private simulation: OR gate

BobAlice

a ba b a b

0

1

1

1

0

1

0

1

1

1

0 00 0=?

0 01 0 0 0

0 1=?

01 0 0 1

1 0=?

1 0 a b = 11

Mix and Match

Alice Bob

a b

Alice and Bob simulate circuit

f(a,b)

Mix and Match(Private)

First tool: Mix network (MN)

plaintext 1

plaintext 2

plaintext 3

plaintext 4

Randomly permutes and encrypts inputs

Mix network (MN)

Second tool: Matching orPlaintext equivalence decision

(PED)

Ciphertext 1 Ciphertext 2

=?

Reveals no information other than equality

Mix and Match

Step 1: Key sharing between Alice and Bob -- public key y

Step 2: Alice and Bob encrypt individual bits under y

Alice

Bob

a

b

a

b

Step 3: Alice and Bob mix tables

a b a b

0

1

1

1

0

1

0

1

1

1

0 0

a b a b

Mix network (MN)

Permute and encrypt rows

Step 4: Matching using PED, i.e., Table lookup

Find matching row

ba =?

ba =?

a b a b

a b =

Repeat matching on each table for entire circuit

f(a,b) =

f(a,b)

Decrypting f(a,b)

Step 5: Decrypt f(a,b)

f(a,b)

Alice

Bob

Some extensions

Easy to have multiple parties participate “Mixing” and “matching” can be

performed by different coalitions We can get XOR for “free” using

Franklin-Haber cryptosystem

Privacy and Robustness

As long as more than half of participants are honest…

Computation will be performed correctly No information other than output is

revealed Security in random oracle model

reducible to Decision Diffie-Hellman problem

Low cost Very low overall broadcast complexity:

O(Nn) group elements– N is number of gates– n is number of players– Equal to that of best competitive methods

O(n+d) broadcast rounds– d is circuit depth

Computation: O(Nn) exponentiations for each player

Questions?

+?