
How to play ANY mental game



We present a polynomial-time algorithm that, given as input the description of a game with incomplete information and any number of players, produces a protocol for playing the game that leaks no partial information, provided the majority of the players is honest. Our algorithm automatically solves all the multi-party protocol problems addressed in complexity-based cryptography during the last 10 years. It actually is a completeness theorem for the class of distributed protocols with honest majority. Such a completeness theorem is optimal in the sense that, if the majority of the players is not honest, some protocol problems have no efficient solution [C].
... SMC protocols are usually built over some form of Secret Sharing (e.g. Shamir's Secret Sharing [18], GMW [19], BGW [20]), or Garbled Circuits (e.g., Yao's GCs [21], BMR [22]), and are often combined with cryptographic primitives like public-key encryption, symmetric encryption, Homomorphic Encryption (HE) or Oblivious Transfers (OTs) to perform specific functionalities, each lending different levels of security, computational and communication costs [23]. Our approach for the private extraction of x-vectors relies on two forms of secret sharing briefly described below. ...
... The above-mentioned schemes are described with regard to arithmetic operations, but also hold for binary computations, with minor modifications [19]. This is important, as performing operations in each of these domains may prove to be more efficient for different operations, or may even allow performing different functionalities. ...
The development of privacy-preserving automatic speaker verification systems has been the focus of a number of studies with the intent of allowing users to authenticate themselves without risking the privacy of their voice. However, current privacy-preserving methods assume that the template voice representations (or speaker embeddings) used for authentication are extracted locally by the user. This poses two important issues: first, knowledge of the speaker embedding extraction model may create security and robustness liabilities for the authentication system, as this knowledge might help attackers in crafting adversarial examples able to mislead the system; second, from the point of view of a service provider the speaker embedding extraction model is arguably one of the most valuable components in the system and, as such, disclosing it would be highly undesirable. In this work, we show how speaker embeddings can be extracted while keeping both the speaker's voice and the service provider's model private, using Secure Multiparty Computation. Further, we show that it is possible to obtain reasonable trade-offs between security and computational cost. This work is complementary to those showing how authentication may be performed privately, and thus can be considered as another step towards fully private automatic speaker recognition.
Secure multi-party computation (MPC) allows a set of parties to jointly compute a function on their private inputs, and reveals nothing but the output of the function. In the last decade, MPC has rapidly moved from a purely theoretical study to an object of practical interest, with a growing interest in practical applications such as privacy-preserving machine learning (PPML). In this paper, we comprehensively survey existing work on concretely efficient MPC protocols with both semi-honest and malicious security, in both dishonest-majority and honest-majority settings. We focus on considering the notion of security with abort, meaning that corrupted parties could prevent honest parties from receiving output after they receive output. We present high-level ideas of the basic and key approaches for designing different styles of MPC protocols and the crucial building blocks of MPC. For MPC applications, we compare the known PPML protocols built on MPC, and describe the efficiency of private inference and training for the state-of-the-art PPML protocols. Furthermore, we summarize several challenges and open problems to break through the efficiency of MPC protocols as well as some interesting future work that is worth being addressed. This survey aims to provide the recent development and key approaches of MPC to researchers, who are interested in knowing, improving, and applying concretely efficient MPC protocols.
In secure two-party computation, each party has its input and wants to jointly compute a function from which it obtains the output corresponding to its respective inputs. For achieving security against a malicious adversary, an effective approach is using cut-and-choose, which requires the circuit constructor P1 to construct S copies of the circuit C (C is used to compute the function F). The circuit evaluator P2 selects S∕2 circuits to open for the check. If these S∕2 circuits are correctly constructed, P2 assumes that the remaining S∕2 circuits are also correctly constructed and uses the remaining circuits to compute. However, this method introduces significant computational complexity and interactive rounds, mainly due to more circuits that must be used for security purposes and the need for multiple interactions to transmit the keys. In this paper, regarding the issue above, we present a novel secure two-party computation protocol, and it can achieve security against the malicious adversary. Concretely, we still use the idea of cut-and-choose but improve the cut-and-choose oblivious transfer (CCOT) of the usual secure two-party computation protocol into cut-and-choose bilateral oblivious transfer (CCBOT) and propose a variant of it that we call batch single-choice CCBOT, which makes our protocol need only two rounds of interaction to complete the transmission of all keys and 28Sl exponentiations. In addition, we use a check mechanism to prevent the case that P1 cheats but P2 is powerless. Our proposed protocol with an error probability of 2^(-s) of P1 significantly optimizes the communication rounds and computation overheads, solves the selective failure attack, and ensures the consistency of the input.
In this paper, we propose CryptMed, a system framework that enables medical service providers to offer secure, lightweight, and accurate medical diagnostic service to their customers via an execution of neural network inference in the ciphertext domain. CryptMed ensures the privacy of both parties with cryptographic guarantees. Our technical contributions include: 1) presenting a secret sharing based inference protocol that can well cope with the commonly-used linear and non-linear NN layers; 2) devising an optimized secure comparison function that can efficiently support comparison-based activation functions in NN architectures; 3) constructing a suite of secure smooth functions built on precise approximation approaches for accurate medical diagnoses. We evaluate CryptMed on 6 neural network architectures across a wide range of non-linear activation functions over two benchmark and four real-world medical datasets. We comprehensively compare our system with prior art in terms of end-to-end service workload and prediction accuracy. Our empirical results demonstrate that CryptMed achieves up to respectively 413×, 19×, and 43× bandwidth savings for MNIST, CIFAR-10, and medical applications compared with prior art. For the smooth activation based inference, the best choice of our proposed approximations preserves the precision of the original functions, with less than 1.2% accuracy loss, and could enhance the precision due to the newly introduced activation function family.
Conference Paper
Randomized protocols for signing contracts, certified mail, and flipping a coin are presented. The protocols use a 1-out-of-2 oblivious transfer subprotocol which is axiomatically defined. The 1-out-of-2 oblivious transfer allows one party to transfer exactly one secret, out of two recognizable secrets, to his counterpart. The first (second) secret is received with probability one half, while the sender is ignorant of which secret has been received. An implementation of the 1-out-of-2 oblivious transfer, using any public key cryptosystem, is presented.
Conference Paper
Pseudorandom generators transform in polynomial time a short random "seed" into a long "pseudorandom" string. This string cannot be random in the classical sense of [6], but testing that requires an unrealistic amount of time (say, exhaustive search for the seed). Such pseudorandom generators were first discovered in [2] assuming that the function (a^x mod b) is one-way, i.e., easy to compute, but hard to invert on a noticeable fraction of instances. In [12] this assumption was generalized to the existence of any one-way permutation. The permutation requirement is sufficient but still very strong. It is unlikely to be proven necessary, unless something crucial, like P=NP, is discovered. Below, among other observations, a weaker assumption about one-way functions is proposed, which is not only sufficient, but also necessary for the existence of pseudorandom generators.
Conference Paper
The authors give a set of conditions that allow one to generate 50-50 unpredictable bits. Based on those conditions, they present a general algorithmic scheme for constructing polynomial-time deterministic algorithms that stretch a short secret random input into a long sequence of unpredictable pseudo-random bits. They give an implementation of their scheme and exhibit a pseudo-random bit generator for which any efficient strategy for predicting the next output bit with better than 50-50 chance is easily transformable to an 'equally efficient' algorithm for solving the discrete logarithm problem. In particular: if the discrete logarithm problem cannot be solved in probabilistic polynomial time, no probabilistic polynomial-time algorithm can guess the next output bit better than by flipping a coin: if 'head' guess '0', if 'tail' guess '1'.
Conference Paper
In this paper we demonstrate the generality and wide applicability of zero-knowledge proofs, a notion introduced by Goldwasser, Micali and Rackoff. These are probabilistic and interactive proofs that, for the members x of a language L, efficiently demonstrate membership in the language without conveying any additional knowledge. So far, zero-knowledge proofs were known only for some number theoretic languages in NP ∩ Co-NP.
Bits Are 1/2 + 1/poly(log N) Secure
  • B. Chor
  • O. Goldreich
Pseudo-Random Generators and Complexity Classes
  • R. Boppana
  • R. Hirschfeld
A Digital Signature Scheme Secure Against Adaptive Chosen Ciphertext Attack. To appear in SIAM J. on Computing (available from authors). Earlier version titled "A Paradoxical Solution to The Signature Problem".
  • S. Goldwasser
  • S. Micali
  • R. Rivest