Mix and Match:
A Simple Approach to
General Secure Multiparty
Computation
+
Markus Jakobsson
Bell Laboratories
Ari Juels
RSA Laboratories
What is secure multiparty
computation?
The problem
f(a,b)
Alice
a
Bob
b
The problem
f(a,b)
b
a
Alice
a
f
Black Box
Bob
b
Millionaires’ Problem
Richie Rich
is richer
Who’s
richer?
>
Worth $a
Worth $b
Auctions
Alice
Bob
$810
Cate
f
Bob
Edgar
What’s in the black box?
Trusted third party?
Trusted
Party
We want to do without!
Tamper-resistant hardware
f(a,b)
Alice
Bob
a
b
But we don’t want to rely on hardware!
Secure multiparty computation
f(a,b)
Alice
Bob
a
b
Alice and Bob simulate circuit
Other methods
 Simulate

full field operations
gate involves local computation
gate requires rounds of verifiable
secret sharing
 Complex
 Recently becoming somewhat practical

Our method: Mix and match
 Conceptually
simple
 Simulates only boolean gates directly
 Very efficient for bitwise operations, not
so for others
 Some pre-computation possible
Some previous work
 Yao
– Use of logical tables (two-player)
 Chaum,
Damgård, van de Graaf
– Multi-party use of logical tables
(for passive adversaries)
Mix and Match
(Non-private)
Non-private simulation: OR gate
a
b
0
0
0
0
1
1
1
1
1
1
0
1
b
a
Non-private simulation: OR gate
Bob
Alice
a
1
1
1
b
0
0
0
?
?
?
=
=
=
b
a
b
0
0
1
0
1
0
0
1
1
1
1
1
a
a
b=1
Mix and Match
f(a,b)
Alice
Bob
a
b
Alice and Bob simulate circuit
Mix and Match
(Private)
First tool: Mix network (MN)
plaintext 1
Mix network (MN)
plaintext 2
plaintext 3
plaintext 4
Randomly permutes and encrypts inputs
Second tool: Matching or
Plaintext equivalence decision
(PED)
?
=
Ciphertext 1
Ciphertext 2
Reveals no information other than equality
Mix and Match
 Step
1: Key sharing between Alice and
Bob -- public key y
 Step
2: Alice and Bob encrypt individual
bits under y
Alice
a
a
Bob
b
b
 Step
3: Alice and Bob mix tables
b
a
a
b
0
0
0
0
1
1
1
0
1
1
1
1
a
Mix network (MN)
Permute and encrypt rows
b
a
b
 Step
4: Matching using PED, i.e., Table
lookup
a
a
b
b
?
?
a
b
a
b
=
=
Find matching row
a
b=
 Repeat
matching on each table for
entire circuit
f(a,b) =
Decrypting f(a,b)
 Step
5: Decrypt f(a,b)
Alice
f(a,b)
f(a,b)
Bob
Some extensions
 Easy
to have multiple parties participate
 “Mixing” and “matching” can be
performed by different coalitions
 We can get XOR for “free” using
Franklin-Haber cryptosystem
Privacy and Robustness
As long as more than half of participants
are honest…
 Computation will be performed correctly
 No information other than output is
revealed
 Security in random oracle model
reducible to Decision Diffie-Hellman
problem
Low cost
 Very
low overall broadcast complexity:
O(Nn) group elements
– N is number of gates
– n is number of players
– Equal to that of best competitive methods
 O(n+d)
broadcast rounds
– d is circuit depth
 Computation:
each player
O(Nn) exponentiations for
Questions?
+