![Page 1: Two Round Information-Theoretic MPC with Malicious Securityaarushig/slides/Eurocrypt19_Aarushi.pdfHonest Majority MPC Information-Theoretic security is possible. [Ben-Or, Goldwasser,](https://reader033.vdocuments.mx/reader033/viewer/2022051814/6038b44ec7b8a934224fd1a5/html5/thumbnails/1.jpg)
Two Round Information-Theoretic MPC with Malicious Security
Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain
EUROCRYPT 2019

Adversarial Model
Malicious Adversary
Corrupts < n/2 parties (Honest Majority)

Honest Majority MPC
Information-Theoretic security is possible. [Ben-Or, Goldwasser, Wigderson’88]
Typically UC secure
Simulation proofs are typically straight-line
Round complexity lower bounds of dishonest majority do not apply. 4 rounds necessary for dishonest majority in the plain model [Garg-Mukherjee-Pandey-Polychroniadou16]

Honest Majority MPC: Applications
Useful for constructing efficient ZK-protocols.
(Courtesy: Sergey Gorbunov’s talk)

History of IT-MPC

| | Round Complexity | Class of Functions | Corruption Threshold | Adversary |
|---|---|---|---|---|
| [BGW’88] | > # of multiplications | P/Poly | t<n/2 | Malicious |
| [BB’89, IK’00, AIK’06] | constant | NC1 | t<n/2 | Malicious |
| [IKP’10] | 2 | NC1 | t<n/3 | Malicious |
| [GIS’18, ABT’18] | 2 | NC1 | t<n/2 | Semi-honest |
| [ABT’19] | 2 | NC1 | t<n/2 | Malicious |

Security with selective abort
Security with selective abort

Our Results

| Round Complexity | Class of Functions | Corruption Threshold | Adversary |
|---|---|---|---|
| 2 | NC1 | t<n/2 | Malicious |

Security with Abort over Broadcast + P2P
Security with Selective Abort over P2P

This Talk

| Round Complexity | Class of Functions | Corruption Threshold | Adversary |
|---|---|---|---|
| 2 | NC1 | t<n/2 | Malicious |

Security with Abort over Broadcast + P2P
Security with Selective Abort over P2P

Our Strategy
2 Round IT-MPC (Privacy with Knowledge of Outputs), Broadcast + P2P
2 Round IT-MPC (Security with Abort), Broadcast + P2P
Constant Round IT-MPC (Security with Abort), Broadcast + P2P

Security with Abort
[Diagram: Party 1, Party 2, Party 3 and a Trusted Party for $f$; inputs $x_1$, $x_2$, $x_3$; outputs $y'$]
$y = f(x_1, x_2, x_3)$
$y' = y$ or $\bot$

Security with Abort
Privacy: $x_2$ and $x_3$ remain hidden
Output Correctness: Honest Parties either output $f(x_1, x_2, x_3)$ or $\bot$

Privacy with Knowledge of Outputs
Privacy: $x_2$ and $x_3$ remain hidden
Output Correctness: Honest Parties either output $f(x_1, x_2, x_3)$ or $\bot$

First Step
Multi-Key MAC
2 Round IT-MPC (Privacy with Knowledge of Outputs), Broadcast + P2P
2 Round IT-MPC (Security with Abort), Broadcast + P2P
Constant Round IT-MPC (Security with Abort), Broadcast + P2P

Our Tool: Multi-Key MAC
Keys $k_1$, $k_2$, $k_3$; message $m$
$\sigma = \mathsf{Sign}(m, k_1, k_2, k_3)$
$\mathsf{Verify}(m, \sigma, k_1)$
$\mathsf{Verify}(m, \sigma, k_2)$
$\mathsf{Verify}(m, \sigma, k_3)$

Our Tool: Multi-Key MAC (Correctness)
$\sigma = \mathsf{Sign}(m, k_1, k_2, k_3)$
$\mathsf{Verify}(m, \sigma, k_1)$: YES
$\mathsf{Verify}(m, \sigma, k_2)$: YES
$\mathsf{Verify}(m, \sigma, k_3)$: YES

Our Tool: Multi-Key MAC (Security)
$m, k_2, k_3$
$\sigma = \mathsf{Sign}(m, k_1, k_2, k_3)$
Adversary: $\sigma, k_1$; outputs $m', \sigma'$
$\mathsf{Verify}(m', \sigma', k_2)$: NO
An adversary cannot output any valid message-signature pair other than the one it received

Using Multi-Key MAC
$y = f(x_1, x_2, x_3)$
$f'$ takes $(x_1, k_1)$, $(x_2, k_2)$, $(x_3, k_3)$
$y = f(x_1, x_2, x_3)$
$\sigma = \mathsf{Sign}(y, k_1, k_2, k_3)$
[Diagram: Party 2 with $x_2, k_2$ and a Trusted Party for $f'$; Party 2 gets $y, \sigma$]
$\mathsf{Verify}(y, \sigma, k_2)$

Security with abort: Using Multi-Key MAC
[Diagram: Honest Party 2 with $x_2, k_2$ and Honest Party 3 with $x_3, k_3$; each gets $y, \sigma$; Trusted Party for $f'$]
IF $(y, \sigma) = f'((x_1, k_1), (x_2, k_2), (x_3, k_3))$
$\mathsf{Verify}(y, \sigma, k_2)$: YES
$\mathsf{Verify}(y, \sigma, k_3)$: YES
IF $(y, \sigma) \neq f'((x_1, k_1), (x_2, k_2), (x_3, k_3))$
IF $y \neq f(x_1, x_2, x_3)$
$\mathsf{Verify}(y, \sigma, k_2)$: NO
$\mathsf{Verify}(y, \sigma, k_3)$: NO
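
The wrapper from f to f′ on the slides above, as an added example that is not code from the talk or the paper. It assumes the multi-key MAC is a concatenation of one-time MACs a_i·m + b_i over a prime field (the slides do not give the construction), and the field size, the function f and all helper names are constructed for illustration.

```python
"""Added illustration: multi-key MAC plus the f -> f' wrapper.
Assumption: the MAC is a concatenation of one-time MACs
t_i = a_i*m + b_i (mod P); the slides do not give a construction."""
import secrets

P = 2**61 - 1  # prime field size (constructed parameter)


def keygen(index):
    # k_i = (i, a_i, b_i); a_i is nonzero so distinct messages get distinct tags
    return (index, 1 + secrets.randbelow(P - 1), secrets.randbelow(P))


def sign(m, keys):
    # sigma = Sign(m, k_1, ..., k_n): one tag per key
    return tuple((a * m + b) % P for (_, a, b) in keys)


def verify(m, sigma, key):
    # Verify(m, sigma, k_i): party i checks only its own component
    i, a, b = key
    return len(sigma) > i and sigma[i] == (a * m + b) % P


def f(xs):
    # the function the parties want to compute (constructed: sum mod P)
    return sum(xs) % P


def f_prime(inputs):
    # f'((x_1,k_1),...,(x_n,k_n)) = (y, Sign(y, k_1, ..., k_n))
    xs = [x for x, _ in inputs]
    keys = [k for _, k in inputs]
    y = f(xs)
    return y, sign(y, keys)


def honest_output(y, sigma, key):
    # security with abort: output y only if the tag verifies, else None (abort)
    return y if verify(y, sigma, key) else None


def flip_output(y, sigma, k1):
    # corrupt party 1 substitutes y' != y and re-tags the one component it can
    i, a, b = k1
    y2 = (y + 1) % P
    forged = list(sigma)
    forged[i] = (a * y2 + b) % P
    return y2, tuple(forged)


def run(xs, tamper=None):
    keys = [keygen(i) for i in range(len(xs))]
    y, sigma = f_prime(list(zip(xs, keys)))
    if tamper is not None:
        # party 1 (index 0) knows y, sigma and only its own key
        y, sigma = tamper(y, sigma, keys[0])
    # outputs of the honest parties 2..n
    return [honest_output(y, sigma, k) for k in keys[1:]]


if __name__ == "__main__":
    print(run([3, 4, 5]))                      # honest delivery
    print(run([3, 4, 5], tamper=flip_output))  # substituted output
```

The check here covers a substituted output y′ ≠ y, which is the case the abort rule relies on: the honest parties' tag components depend on keys the corrupt party never sees.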

Recall: Our Strategy
2 Round IT-MPC (Privacy with Knowledge of Outputs), Broadcast + P2P
2 Round IT-MPC (Security with Abort), Broadcast + P2P
Constant Round IT-MPC (Security with Abort), Broadcast + P2P
Multi-Key MAC

Second Step
2 Round IT-MPC (Privacy with Knowledge of Outputs), Broadcast + P2P
2 Round IT-MPC (Security with Abort), Broadcast + P2P
Constant Round IT-MPC (Security with Abort), Broadcast + P2P
Multi-Key MAC

Technique: Round Compression
Interactive secure MPC
2 round secure MPC
[GGHR’13] Indistinguishability Obfuscation
[GLS’15] Witness Encryption + Garbled circuits
[GS’17] Bilinear Maps + Garbled circuits
[GS’18, BL’18] OT + Garbled Circuits
[ACGJ’18] Garbled circuits

Initial Idea
Replace garbled circuits with Information-theoretic garbled circuits (IT-GC)

Round Compression Template
Interactive secure MPC
2 round secure MPC
Commit Inputs
'( !"#$ , '( !"#% , . .

Round Compression Template: After Round 2
[Diagram: Party 1 and Party 2; Helper Protocol for OT functionality]
Wire Labels for 1st Message of Party 2

Initial Idea: Doesn’t Work
Replace garbled circuits with Information-theoretic garbled circuits (IT-GC)
Problem: Size of the input wire labels in IT-GC grows exponentially in the depth of the circuit being garbled.
!"#$ %&' ≈ |*|

Our Approach
[Diagram: Party 1 and Party 2; Helper Protocol for OT functionality; Wire Labels for 1st Message of Party 2]
Similar to the approach used in [BL’18]
Design a 2 round helper protocol for
!" #$, &'() #)

Challenges in Designing such a protocol
2 Round MPC Template using a 2 Round Helper Protocol
R 1: 1st round of Helper Protocol (implicitly commits to inputs)
R 2: 2nd round of Helper Protocol & !" #$%& , !" #$%( , . .

Challenges in Designing such a protocol
Malicious Security
[Diagram: Adversary A, Simulator, Trusted Party; R 1, R 2; Inputs of Adversary; Output y]

Challenges in Designing such a protocol
Malicious Security using helper protocol
[Diagram: Outer Adversary A, Outer Simulator, Inner Adversary B, Inner Simulator, Trusted Party; R 1, R 2; Inputs of Adversary; Output y]
Need to extract the inputs from inner adversary
For Malicious Security
CIRCULAR PROBLEM
How to design 2 round maliciously secure helper protocol?