Upload
ray-gilliam
View
23
Download
3
Embed Size (px)
DESCRIPTION
+. Mix and Match: A Simple Approach to General Secure Multiparty Computation. Markus Jakobsson Bell Laboratories. Ari Juels RSA Laboratories. What is secure multiparty computation?. Alice. Bob. The problem. f(a,b). a. b. f(a,b). b. a. Alice. f. Bob. Black Box. The problem. a. - PowerPoint PPT Presentation
Citation preview
Markus Jakobsson Bell Laboratories
Ari JuelsRSA Laboratories
Mix and Match:A Simple Approach to
General Secure Multiparty Computation
+
Other methods
Complex Recently becoming somewhat practical
Simulate full field operations
gate involves local computation
gate requires rounds of verifiable secret sharing
Our method: Mix and match
Conceptually simple Simulates only boolean gates directly Very efficient for bitwise operations, not
so for others Some pre-computation possible
Some previous work
Yao– Use of logical tables (two-player)
Chaum, Damgård, van de Graaf– Multi-party use of logical tables
(for passive adversaries)
1 0
Non-private simulation: OR gate
BobAlice
a ba b a b
0
1
1
1
0
1
0
1
1
1
0 00 0=?
0 01 0 0 0
0 1=?
01 0 0 1
1 0=?
1 0 a b = 11
First tool: Mix network (MN)
plaintext 1
plaintext 2
plaintext 3
plaintext 4
Randomly permutes and encrypts inputs
Mix network (MN)
Second tool: Matching orPlaintext equivalence decision
(PED)
Ciphertext 1 Ciphertext 2
=?
Reveals no information other than equality
Mix and Match
Step 1: Key sharing between Alice and Bob -- public key y
Step 2: Alice and Bob encrypt individual bits under y
Alice
Bob
a
b
a
b
Step 3: Alice and Bob mix tables
a b a b
0
1
1
1
0
1
0
1
1
1
0 0
a b a b
Mix network (MN)
Permute and encrypt rows
Some extensions
Easy to have multiple parties participate “Mixing” and “matching” can be
performed by different coalitions We can get XOR for “free” using
Franklin-Haber cryptosystem
Privacy and Robustness
As long as more than half of participants are honest…
Computation will be performed correctly No information other than output is
revealed Security in random oracle model
reducible to Decision Diffie-Hellman problem
Low cost Very low overall broadcast complexity:
O(Nn) group elements– N is number of gates– n is number of players– Equal to that of best competitive methods
O(n+d) broadcast rounds– d is circuit depth
Computation: O(Nn) exponentiations for each player