
How to play ANY mental game



We present a polynomial-time algorithm that, given as input the description of a game with incomplete information and any number of players, produces a protocol for playing the game that leaks no partial information, provided the majority of the players is honest. Our algorithm automatically solves all the multi-party protocol problems addressed in complexity-based cryptography during the last 10 years. It actually is a completeness theorem for the class of distributed protocols with honest majority. Such a completeness theorem is optimal in the sense that, if the majority of the players is not honest, some protocol problems have no efficient solution [C].
... As described in Figure 5, the party Sen and Rec send their input sets X and Y to the functionality \(F_{PSI}\), and \(F_{PSI}\) computes the intersection Res ≔ X ∩ Y and sends Res to Rec. PSI can be solved using generic MPC techniques, like GMW protocol [37] and Yao's garbled circuit protocol [38], while there are also custom protocols for this problem that are more efficient. ...
... The proof can be found in Appendix B.3. Given this two-party Beaver triple-generation protocol \(\Pi_{triple}\), we can use it to generate sufficiently many Beaver triples in the preprocessing phase and carry out a GMW-style two-party computation protocol [37] in the online phase, where the XOR gates can be computed locally and the AND gates consume one Beaver triple each and need communication. The details of the protocol \(\Pi_{2PC}\) can be found in Figure 17. ...
... The proof is done by combining the result of [37,51]. ...
The wireless network suffers from many security problems, and computation in a wireless network environment may fail to preserve privacy as well as correctness when the adversaries conduct attacks through backdoors, steganography, kleptography, etc. Secure computation ensures the execution security in such an environment, and compared with computation on the plaintext, the performance of secure computation is bounded by the underlying cryptographic algorithms and the network environment between the involved parties. Besides, the Chinese cryptography laws require the cryptographic algorithms that appeared in the commercial market to be authorized. In this work, we show how to implement oblivious transfer (OT), an important primitive in secure multiparty computation (MPC), using the Chinese government-approved SM2 and SM3 algorithms. The SM2 algorithm is based on the elliptic curve cryptography and is much faster than the discrete logarithm-based solutions. Moreover, by adopting the standard OT extension technique, we can extend the number of OTs efficiently with one more round of communication and invocations to the SM3 and SM4 algorithms. The OT primitive can be used in the Beaver multiplication triple generation and other MPC protocols, e.g., private set intersection. Therefore, we can utilize the SM series cryptography, specifically, the SM2, SM3, and SM4 algorithms, to build highly efficient secure computation frameworks which are suitable for the wireless network environment and for commercial applications in China. The experimental evaluation results show that our protocols have comparable performance to existing protocols; specifically, our protocols are quite suitable for bad network environments.
... E. Vedadi (end devices in Fig. 1) have private data and the goal is to compute a function of data collectively with the participation of all parties (end devices and edge servers in Fig. 1), while preserving privacy, i.e., each party only knows its own information. MPC can be categorized into cryptographic solutions [8], [9] and information-theoretic solutions [10]. In this paper, our focus is on the information-theoretic MPC solution; BGW (Ben-Or, Goldwasser and Wigderson) [10] using Shamir's secret sharing scheme [11] thanks to its lower computational complexity and quantum safe nature [12]. ...
... Step 1: Set \(P(S_A(x))\). 2: Determine all elements of \(P(S_A(x))\) starting from the minimum possible element satisfying C1 in (9). ...
... where \(i, l \in \Omega_0^{t-1}\) and \(s, t \in \mathbb{N}\). Our algorithm that determines \(P(S_A(x))\) and \(P(S_B(x))\) to satisfy the conditions in (9) is provided in Algorithm 1. Next, we show in Theorem 1 that our PolyDot-CMPC mechanism, where the coded terms of its polynomials \(F_A(x)\) and \(F_B(x)\) are determined according to Algorithm 1, satisfies the conditions in (9). ...
Multi-party computation (MPC) is promising for designing privacy-preserving machine learning algorithms at edge networks. An emerging approach is coded-MPC (CMPC), which advocates the use of coded computation to improve the performance of MPC in terms of the required number of workers involved in computations. The current approach for designing CMPC algorithms is to merely combine efficient coded computation constructions with MPC. We show that this approach falls short of being efficient; e.g., entangled polynomial codes are not necessarily better than PolyDot codes in MPC setting, while they are always better for coded computation. Motivated by this observation, we propose a new construction; Adaptive Gap Entangled (AGE) polynomial codes for MPC. We show through analysis and simulations that MPC with AGE codes always performs better than existing CMPC algorithms in terms of the required number of workers as well as computation, storage, and communication overhead.
... Secure multi-party summation (SMS) is a special primitive of secure multi-party computing (MPC), which was proposed by Goldreich [27] in 1987. It aims to accomplish the task of correctly calculating the sum of the secret integers of multiple participants without exposing the secret integers. ...
In quantum secure multi-party summation protocols, some attackers can impersonate legitimate participants in the summation process, and easily steal the summation results from the participants. This is often overlooked for existing secure multi-party summation protocols, thus rendering them insecure. Based on commutative encryption, a quantum secure multi-party summation protocol with identity authentication is proposed in this paper. In the protocol, each participant encodes a secret integer on photons via unitary operations. At the same time, a one-way hash function technique with a key is utilized to perform identity authentication operations for each participant. Finally, the summation is calculated with the help of a semi-trusted third party. The analysis of the protocol shows that the proposed protocol is correct and resistant to common and impersonation attacks. Compared to related protocols, the use and measurement of single photons makes the protocol easier to implement into existing technology. Furthermore, the simulation experiments on the IBM Q Experience cloud platform demonstrate the effectiveness of the presented protocol.
Private function evaluation (PFE) is a special case of secure multiparty computation. In multiparty PFE, the party \(P_1\) holds its private n-variable function \(f\) and private input \(x_1\), while other parties \(P_i~(n\ge i\ge 2)\) hold their private input \(x_i\). All n participants can jointly evaluate the function \(f\), and learn nothing from the interactions except the result \(f(x_1,...,x_n)\) (known to a subset or all of the parties). The existing multiparty PFE protocols (e.g., Mohassel et al. at Eurocrypt’13 and Asiacrypt’14) are with round complexity \(O(g)\) (\(g\) is the circuit size) which makes them extremely unpractical. In this work, we propose for the first time constant-round multiparty PFE protocols that are secure against any number of corrupted parties under the semi-honest security model. We design our first construction from oblivious evaluation of switching network (OSN) protocol (Mohassel et al. at Eurocrypt’13), which only needs 9 rounds of interaction and can achieve quasi-linear communication and computation complexities (i.e., \(O(ng\log (g))\)). Our second construction is based on singly homomorphic encryption, which only needs 8 rounds of interaction and can achieve linear complexities. The OSN-based construction also benefits from the design trick that it only relies on symmetric operations (which makes it really efficient in actual executions). We further optimize our constructions by half-gate technology. Keywords: Private function evaluation; Secure multiparty computation; Constant rounds; Linear complexity; Quasi-linear complexity
The growing volumes of data being collected and its analysis to provide better services are creating worries about digital privacy. To address privacy concerns and give practical solutions, the literature has relied on secure multiparty computation techniques. However, recent research over rings has mostly focused on the small-party honest-majority setting of up to four parties tolerating single corruption, noting efficiency concerns. In this work, we extend the strategies to support higher resiliency in an honest-majority setting with efficiency of the online phase at the centre stage. Our semi-honest protocol improves the online communication of the protocol of Damgård and Nielsen (CRYPTO’07) without inflating the overall communication. It also allows shutting down almost half of the parties in the online phase, thereby saving up to 50% in the system’s operational costs. Our maliciously secure protocol also enjoys similar benefits and requires only half of the parties, except for one-time verification towards the end, and provides security with fairness. To showcase the practicality of the designed protocols, we benchmark popular applications such as deep neural networks, graph neural networks, genome sequence matching, and biometric matching using prototype implementations. Our protocols, in addition to improved communication, aid in bringing up to 60–80% savings in monetary cost over prior work.
In the setting of secure multiparty computation, a set of parties wish to carry out a joint computation of their inputs while keeping them private. In this paper, we describe new information-theoretic protocols for secure three-party computation with an honest majority. Our protocols compute Boolean circuits with minimal computation and communication. We start with a protocol, based on replicated secret sharing, which is secure in the presence of semi-honest adversaries in which the parties communicate only a single bit per AND gate. Then, we show how to modify it to be secure in the presence of malicious adversaries. Our malicious protocol follows the paradigm of first constructing Beaver multiplication triples and then using them to verify that circuit gates are correctly computed. As in previous work (e.g., the so-called TinyOT and SPDZ protocols), we rely on the cut-and-choose paradigm to verify that triples are correctly constructed. We are able to utilize the fact that at most one of three parties is corrupted in order to construct an extremely simple and efficient method of constructing such triples. Then, we provide general techniques for improving efficiency of cut-and-choose protocols on multiplication triples and utilize them to further improve the protocol. The resulting protocol for malicious adversaries has bandwidth of only 7 bits per AND gate per party, when amortizing over 1 million gates and with statistical error \(2^{-40}\). An implementation of our protocol achieves a throughput of over 7 billion AND gates per second with the semi-honest protocol, and over 1 billion AND gates per second with the malicious protocol (using the above parameters). Our results demonstrate that high-throughput secure computation is possible.
A Fair Digital Exchange is defined as either all or none of the participants achieving a (predetermined) desirable outcome. This work addresses third party mediated systems for digital content where mutually unknown, and hence non-trusting, buyers, sellers and the mediator (third party) take part in an exchange protocol. We address the lack of guaranteed fairness, as defined above, in the existing platforms for this setting. We present TEDX, a decentralized solution for guaranteed three party fair exchange of digital goods with scalability and support for incremental deployment over the existing (non-fair) platforms. TEDX combines carefully crafted message exchanges with incentive schemes designed to deter malicious behavior. TEDX also leverages ideas from blockchain anchored state-channels to provide trusted execution while minimizing the operational overheads of blockchain. We present the design and a security analysis of TEDX to validate the claimed fairness properties. We also present the details of a prototype implementation of TEDX leveraging Hyperledger Fabric and performance evaluation of the same on a realistic testbed spanning five public cloud zones. Our results indicate that TEDX adds only a minimal overhead of 16% while being 46x faster than a naive blockchain solution, thereby demonstrating that TEDX is scalable.
Secure multiparty computation (MPC) on incomplete communication networks has been studied within two primary models: (1) where a partial network is fixed a priori, and thus corruptions can occur dependent on its structure, and (2) where edges in the communication graph are determined dynamically as part of the protocol. Whereas a rich literature has succeeded in mapping out the feasibility and limitations of graph structures supporting secure computation in the fixed-graph model (including strong classical lower bounds), these bounds do not apply in the latter dynamic-graph setting, which has recently seen exciting new results, but remains relatively unexplored. In this work, we initiate a similar foundational study of MPC within the dynamic-graph model. As a first step, we investigate the property of graph expansion. All existing protocols (implicitly or explicitly) yield communication graphs which are expanders, but it is not clear whether this is inherent. Our results consist of two types (for constant fraction of corruptions): Upper bounds: We demonstrate secure protocols whose induced communication graphs are not expander graphs, within a wide range of settings (computational, information theoretic, with low locality, even with low locality and adaptive security), each assuming some form of input-independent setup. Lower bounds: In the plain model (no setup) with adaptive corruptions, we demonstrate that for certain functionalities, no protocol can maintain a non-expanding communication graph against all adversarial strategies. Our lower bound relies only on protocol correctness (not privacy) and requires a surprisingly delicate argument. More generally, we provide a formal framework for analyzing the evolving communication graph of MPC protocols, giving a starting point for studying the relation between secure computation and further, more general graph properties.
Randomized protocols for signing contracts, certified mail, and flipping a coin are presented. The protocols use a 1-out-of-2 oblivious transfer subprotocol which is axiomatically defined. The 1-out-of-2 oblivious transfer allows one party to transfer exactly one secret, out of two recognizable secrets, to his counterpart. The first (second) secret is received with probability one half, while the sender is ignorant of which secret has been received. An implementation of the 1-out-of-2 oblivious transfer, using any public key cryptosystem, is presented.
Pseudorandom generators transform in polynomial time a short random “seed” into a long “pseudorandom” string. This string cannot be random in the classical sense of [6], but testing that requires an unrealistic amount of time (say, exhaustive search for the seed). Such pseudorandom generators were first discovered in [2] assuming that the function \((a^x \bmod b)\) is one-way, i.e., easy to compute, but hard to invert on a noticeable fraction of instances. In [12] this assumption was generalized to the existence of any one-way permutation. The permutation requirement is sufficient but still very strong. It is unlikely to be proven necessary, unless something crucial, like P=NP, is discovered. Below, among other observations, a weaker assumption about one-way functions is proposed, which is not only sufficient, but also necessary for the existence of pseudorandom generators.
The authors give a set of conditions that allow one to generate 50-50 unpredictable bits. Based on those conditions, they present a general algorithmic scheme for constructing polynomial-time deterministic algorithms that stretch a short secret random input into a long sequence of unpredictable pseudo-random bits. They give an implementation of their scheme and exhibit a pseudo-random bit generator for which any efficient strategy for predicting the next output bit with better than 50-50 chance is easily transformable to an 'equally efficient' algorithm for solving the discrete logarithm problem. In particular: if the discrete logarithm problem cannot be solved in probabilistic polynomial time, no probabilistic polynomial-time algorithm can guess the next output bit better than by flipping a coin: if 'head' guess '0', if 'tail' guess '1'.
In this paper we demonstrate the generality and wide applicability of zero-knowledge proofs, a notion introduced by Goldwasser, Micali and Rackoff. These are probabilistic and interactive proofs that, for the members x of a language L, efficiently demonstrate membership in the language without conveying any additional knowledge. So far, zero-knowledge proofs were known only for some number theoretic languages in NP ∩ Co-NP.
[CG] B. Chor, O. Goldreich. Bits Are 1/2 + 1/poly(log N) Secure.
[BH] R. Boppana, R. Hirschfeld. Pseudo-Random Generators and Complexity Classes.
[GoMiRi] S. Goldwasser, S. Micali, R. Rivest. A Digital Signature Scheme Secure Against Adaptive, Chosen Cyphertext Attack. To appear in SIAM J. on Computing (available from authors). Earlier version, titled 'A Paradoxical Solution to The Signature Problem'.