Client Puzzles

Mix and Match: A Simple Approach to General Secure Multiparty Computation
Markus Jakobsson, Bell Laboratories
Ari Juels, RSA Laboratories
What is secure multiparty computation?
The problem
[Figure: Alice holds input a, Bob holds input b; the output is f(a,b)]
The problem
[Figure: Alice's a and Bob's b go into a black box f, which outputs f(a,b)]
Millionaires’ Problem
[Figure: two parties, one worth $a and one worth $b, ask "Who’s richer?" (is $a > $b?); answer shown: "Richie Rich is richer"]
Auctions
[Figure: bidders Alice, Bob, Cate and Edgar; function f; labels "Bob" and "$810"]
What’s in the black box?
Trusted third party?
[Figure: Trusted Party]
We want to do without!
Tamper-resistant hardware
[Figure: Alice (input a), Bob (input b), output f(a,b)]
But we don’t want to rely on hardware!
Secure multiparty computation
[Figure: Alice (input a), Bob (input b), output f(a,b)]
Alice and Bob simulate circuit
Other methods
Simulate full field operations
gate involves local computation
gate requires rounds of verifiable secret sharing
Complex
Recently becoming somewhat practical
Our method: Mix and match
Conceptually simple
Simulates only boolean gates directly
Very efficient for bitwise operations, not so for others
Some pre-computation possible
Some previous work
Yao
– Use of logical tables (two-player)
Chaum, Damgård, van de Graaf
– Multi-party use of logical tables (for passive adversaries)
Mix and Match (Non-private)
Non-private simulation: OR gate
a  b  a OR b
0  0  0
0  1  1
1  0  1
1  1  1
Non-private simulation: OR gate
[Figure: Alice's input a = 1 and Bob's input b = 0 are compared ("?=") with the a and b columns of the OR table; the matching row gives a OR b = 1]
Mix and Match
[Figure: Alice (input a), Bob (input b), output f(a,b)]
Alice and Bob simulate circuit
Mix and Match (Private)
First tool: Mix network (MN)
[Figure: plaintext 1, plaintext 2, plaintext 3 and plaintext 4 enter the mix network (MN)]
Randomly permutes and encrypts inputs
Second tool: Matching or Plaintext equivalence decision (PED)
[Figure: Ciphertext 1 ?= Ciphertext 2]
Reveals no information other than equality
Mix and Match
Step 1: Key sharing between Alice and Bob -- public key y
Step 2: Alice and Bob encrypt individual bits under y
[Figure: Alice encrypts a; Bob encrypts b]
Step 3: Alice and Bob mix tables
[Figure: the OR-gate table (columns a, b, a OR b; rows 0 0 0, 0 1 1, 1 0 1, 1 1 1) is passed through the mix network (MN)]
Permute and encrypt rows
Step 4: Matching using PED, i.e., Table lookup
[Figure: the encrypted inputs a and b are compared ("?=") with the a and b entries of the mixed table rows]
Find matching row
Repeat matching on each table for entire circuit
f(a,b) =
Decrypting f(a,b)
Step 5: Decrypt f(a,b)
[Figure: Alice, Bob, f(a,b)]
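Steps 1 to 5 for a single OR gate, as an added example that is not code from the slides or the authors. Assumptions: ElGamal over a constructed toy group (insecure size), a 2-of-2 additive key sharing, bits encoded as G^(bit+1), and both parties simulated in one process with the proofs of correct mixing and decryption omitted; all function names are hypothetical.

```python
import secrets
# Constructed toy group (insecure size): order-Q subgroup of Z_P*, P = 2Q + 1.
P, Q, G = 2039, 1019, 4
rng = secrets.SystemRandom()

def keygen():
    # Step 1: additive key shares (Alice, Bob); public key y = G^(x1 + x2)
    shares = [rng.randrange(1, Q) for _ in range(2)]
    return shares, pow(G, sum(shares) % Q, P)

def enc_bit(bit, y):
    # Step 2: ElGamal encryption of a bit, encoded as G^(bit + 1)
    r = rng.randrange(1, Q)
    return (pow(G, r, P), pow(G, bit + 1, P) * pow(y, r, P) % P)

def reenc(ct, y):
    r = rng.randrange(1, Q)
    return (ct[0] * pow(G, r, P) % P, ct[1] * pow(y, r, P) % P)

def joint_decrypt(ct, shares):
    # Each party contributes c1^x_i; the key itself is never reassembled.
    mask = 1
    for x in shares:
        mask = mask * pow(ct[0], x, P) % P
    return ct[1] * pow(mask, -1, P) % P

def mix(table, y):
    # Step 3: re-encrypt every entry, then secretly permute the rows
    rows = [tuple(reenc(ct, y) for ct in row) for row in table]
    rng.shuffle(rows)
    return rows

def ped(ct1, ct2, shares):
    # PED: blind the quotient ciphertext, decrypt it; result is 1 iff plaintexts match
    quot = (ct1[0] * pow(ct2[0], -1, P) % P, ct1[1] * pow(ct2[1], -1, P) % P)
    for _ in shares:  # each party applies its own secret random exponent
        z = rng.randrange(1, Q)
        quot = (pow(quot[0], z, P), pow(quot[1], z, P))
    return joint_decrypt(quot, shares) == 1

def or_gate(a, b):
    shares, y = keygen()
    table = [tuple(enc_bit(v, y) for v in (i, j, i | j)) for i in (0, 1) for j in (0, 1)]
    for _ in shares:  # Alice mixes, then Bob mixes
        table = mix(table, y)
    ea, eb = enc_bit(a, y), enc_bit(b, y)
    # Steps 4-5: table lookup by PED on both input columns, then decrypt and decode
    out = next(r[2] for r in table if ped(ea, r[0], shares) and ped(eb, r[1], shares))
    return {pow(G, 1, P): 0, pow(G, 2, P): 1}[joint_decrypt(out, shares)]
```

The only values ever decrypted are the blinded PED quotients and the final output, which is why the lookup reveals equality and nothing else about a and b.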
Some extensions
Easy to have multiple parties participate
“Mixing” and “matching” can be performed by different coalitions
We can get XOR for “free” using Franklin-Haber cryptosystem
Privacy and Robustness
As long as more than half of participants are honest…
Computation will be performed correctly
No information other than output is revealed
Security in random oracle model reducible to Decision Diffie-Hellman problem
Low cost
Very low overall broadcast complexity:
O(Nn) group elements
– N is number of gates
– n is number of players
– Equal to that of best competitive methods
O(n+d) broadcast rounds
– d is circuit depth
Computation: O(Nn) exponentiations for each player
Questions?