secure computation (lecture 5) arpita patra. recap >> scope of mpc > models of computation...
TRANSCRIPT
![Page 1: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/1.jpg)
Secure Computation (Lecture 5)
Arpita Patra
![Page 2: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/2.jpg)
Recap
>> Scope of MPC
> models of computation
> network models
> modelling distrust (centralized/decentralized adversary)
> modelling adversary
> Various Parameters/questions asked in MPC
>> Defining Security of MPC
> Ideal World & Real world
> Indistinguishability of the view of adversary in real and ideal (with the help of simulator) world
> Indistinguishability of the joint dist. of the output of the honest parties and the view of adversary in real and ideal (with the help of simulator) world.
![Page 3: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/3.jpg)
Ideal World MPC
x1 x2
x3 x4
Any task
(y1,y2,y3,y4) = f(x1,x2,x3,x4)
![Page 4: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/4.jpg)
Ideal World MPC
Any task
y1y2y4y3
The Ideal World
y1 y2
y4y3
The Real World
(y1,y2,y3,y4) = f(x1,x2,x3,x4) (y1,y2,y3,y4) = f(x1,x2,x3,x4)
x1 x2
x3 x4
x1 x2
x3x4
![Page 5: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/5.jpg)
How do you compare Real world with Ideal World?
>> Fix the inputs of the parties, say x1,….xn >> Real world view of adv contains no more info than ideal world view
ViewReali : The view of Pi on input (x1,
….xn) - Leaked Values
{x3, y3, r3, protocol transcript}
The Real World
y1y2
y4
{ViewReali}Pi in C
{x3, y3}
y1y2
y4
The Ideal World
ViewIdeali : The view of Pi on input (x1,
….xn) - Allowed values
{ViewIdeali}Pi in C
Our protocol is secure if the leaked values contains no more info than allowed values
![Page 6: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/6.jpg)
Real world (leaked values) vs. Ideal world (allowed values)
{x3, y3, r3, protocol transcript}
The Real World
y1y2
y4
{x3, y3}
y1y2
y4
The Ideal World
>> If leaked values can be efficiently computed from allowed values.
>> Such an algorithm is called SIMULATOR (simulates the view of the adversary in the real protocol).
>> It is enough if SIM creates a view of the adversary is “close enough” to the real view so that adv. can not distinguish from its real view.
![Page 7: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/7.jpg)
Definition1: View indistinguishability of Adversary in Real and Ideal world
{ViewReali}Pi in C
The Real World
y1y2
y4
{x3, y3}
y1y2
y4
The Ideal World
SIM
Interaction on behalf of the honest parties
SIM: Ideal Adversary
{ViewIdeali}Pi in C
Random Variable/distribution (over the random coins of parties)
Random Variable/distribution (over the random coins of SIM and adv)
{x3, y3, r3, protocol transcript}
![Page 8: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/8.jpg)
Definition 2: Indistinguishability of Joint Distributions of Output and View
>> Joint distribution of output & view of the honest & corrupted parties in both the worlds can not be told apart
OutputReali : The output of Pi on input
(x1,….xn) when Pi is honest.
ViewReali : As defined before when Pi is
corrupted.
The Real World
[ {ViewReali}Pi in C , {OutputReal
i}Pi in H ]
The Ideal World
OutputIdeali : The output of Pi on input
(x1,….xn) when Pi is honest.
ViewIdeali : As defined before when Pi is
corrupted.
[ {ViewIdeali}Pi in C , {OutputIdeal
i}Pi in H ]
>> First note that this def. subsumes the previous definition (stronger)
>> Captures randomized functions as well
![Page 9: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/9.jpg)
Randomized Function and Definition 1
The Real WorldThe Ideal World
>> Is this protocol secure?
The proof says the protocol is secure!
f( , ) = (r , ) r is a random bit
r .
. .
Sample r randomly
. .
Sample r randomly and output
r
No!
{ViewReali}Pi in C
SIMInteraction on behalf of the honest party
Sample and send a random r’
{ViewIdeali}Pi in C
r : r is random r’ : r’ random
![Page 10: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/10.jpg)
Randomized Function and Definition 2
The Real WorldThe Ideal World
>> Is this protocol secure?
The proof says the protocol is insecure!
f( , ) = (r , ) r is a random bit
r .
. .
Sample r randomly
. .
Sample r randomly and output
r
No!
{ViewReali}Pi in C
SIM
{ViewIdeali}Pi in C
[ {ViewReali}Pi in C , {OutputReal
i}Pi in H ][ {ViewIdeali}Pi in C , {OutputIdeal
i}Pi in H ]
[{r’ , r} | r,r’ random and independent] [{r , r} | r random]
Interaction on behalf of the honest party
Sample and send a random r’
![Page 11: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/11.jpg)
Definition 1 is Enough!
{{ViewReali}Pi in C }{x1,.,xn ,
k}
{ {ViewIdeali}Pi in C }{x1,.,xn ,
k}
{{ViewReal
i}Pi in C ,{OutputReali}Pi in H } {x1,..xn , k}{{ViewIdeal
i}Pi in C ,{OutputIdeali}Pi in H }{x1,.,xn , k}
>> For deterministic Functions:
> View of the adversary and output are NOT co-related. > We can separately consider the distributions> Output of the honest parties are fixed for inputs
>> For randomized functions:
> We can view it as a deterministic function where the parties input randomness (apart from usual inputs).
Compute f((x1,r1), (x2,r2)) to compute g(x1,x2;r) where r1+r2 can act as r.
![Page 12: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/12.jpg)
Making Indistinguishability Precise
Notations:o Security parameter k (natural number)o We wish security to hold for all inputs of all lengths, as long as k is
large enough
Definition (Function is negligible): If for every polynomial p() there exists an N such that for all k > N we have (k) < 1/p(k)
Definition (Probability ensemble X={X(a,k)}): o Infinite series, indexed by a string a and natural ko Each X(a,k) is a random variable
In our context: o X(x1,.,xn , k) = { {ViewReal
i}Pi in C }{x1,.,xn , k} (Probability space: randomness of parties)
o Y(x1,.,xn , k) = { {ViewIdeali}Pi in C }{x1,.,xn , k} (Probability space: randomness
of the corrupt parties and simulator)
![Page 13: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/13.jpg)
Computational Indistinguishability
o X(x1,.,xn , k) = { {ViewReali}Pi in C }{x1,.,xn , k} (Probability space: randomness
of parties)o Y(x1,.,xn , k) = { {ViewIdeal
i}Pi in C }{x1,.,xn , k} (Probability space: randomness of the corrupt parties and simulator)
Definition (Computational indistinguishability of X = {X(a,k)} c Y =
{Y(a,k)})
For every polynomial-time distinguisher* D there exists a negligible function such that for every a and all large enough k’s:
|Pr[D(X(a,k) = 1 ] - Pr[D(Y(a,k) = 1 ]| < (k)
For our case a: (x1,.,xn)
Alternative def.AdvD (X,Y) = The prob of D guessing the correct distribution|AdvD (X,Y)| < ½ + (k)
distinguisher D = Real Adv A
![Page 14: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/14.jpg)
Statistical Indistinguishability
o X(x1,.,xn , k) = { {ViewReali}Pi in C }{x1,.,xn , k} (Probability space: randomness
of parties)o Y(x1,.,xn , k) = { {ViewIdeal
i}Pi in C }{x1,.,xn , k} (Probability space: randomness of the corrupt parties and simulator)
Definition (Statistical indistinguishability of X = {X(a,k)} s Y = {Y(a,k)})
For every* distinguisher D there exists a negligible function such that for every a and all large enough k’s:
|Pr[D(X(a,k) = 1 ] - Pr[D(Y(a,k) = 1 ]| < (k)
For our case a: (x1,.,xn)
Alternative def.AdvD (X,Y) = The prob of D guessing the correct distribution|AdvD (X,Y)| < ½ + (k)
May have unbounded power
![Page 15: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/15.jpg)
Perfect Indistinguishability
o X(x1,.,xn , k) = { {ViewReali}Pi in C }{x1,.,xn , k} (Probability space: randomness
of parties)o Y(x1,.,xn , k) = { {ViewIdeal
i}Pi in C }{x1,.,xn , k} (Probability space: randomness of the corrupt parties and simulator)
Definition (Perfect indistinguishability of X = {X(a,k)} P Y = {Y(a,k)})
For every* distinguisher D such that for every a and for all k:
|Pr[D(X(a,k) = 1 ] - Pr[D(Y(a,k) = 1 ]| = 0
For our case a: (x1,.,xn)
Alternative def.AdvD (X,Y) = The prob of D guessing the correct distribution|AdvD (X,Y)| = ½
May have unbounded power
![Page 16: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/16.jpg)
Definition Applies for
Dimension 2 (Networks)
Complete
Synchronous
Dimension 3 (Distrust)
Centralized
Dimension 4 (Adversary)
Threshold/non-threshold
Polynomially Bounded and unbounded powerful
Semi-honest
Static
![Page 17: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/17.jpg)
What is so great about the definition paradigm?
>> One definition for all
> Sum: (x1 + x2 + … + xn) = f(x1, x2, … , xn)
> OT: (- , xb) = f((x1, x2 ), b)
> BA: (y , y, …,y) = f(x1, x2, … , xn): y = majority(x1, x2, … ,
xn)/default value
>> Easy to tweak the ideal world and weaken/strengthen securityReal world protocol achieves whatever ideal world achieves
>> Coming up with the right ideal world is tricky and requires skill
> Will have fun with it in malicious world!
![Page 18: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/18.jpg)
Information Theoretic MPC with Semi-honest Adversary and honest majority [BGW88]
Dimension 2 (Networks)
Complete
Synchronous
Dimension 3 (Distrust)
Centralized
Dimension 4 (Adversary)
Threshold (t)
Unbounded powerful
Semi-honest
Static
Dimension 1 (Models of Computation)
Arithmetic
Michael Ben-Or, Shafi Goldwasser, Avi Wigderson:Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation (Extended Abstract). STOC 1988.
![Page 19: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/19.jpg)
(n, t) - Secret Sharing Scheme [Shamir 1979, Blackley 1979]
Secret s Dealer
![Page 20: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/20.jpg)
(n, t) - Secret Sharing Scheme [Shamir 1979, Blackley 1979]
Secret s Dealer
v1 v2 v3 vn
Sharing Phase
…
![Page 21: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/21.jpg)
(n, t) - Secret Sharing Scheme[Shamir 1979, Blackley 1979]
Secret s Dealer
v1 v2 v3 vn
Sharing Phase
…
Less than t +1 parties have no info’ about the secret
ReconstructionPhase
![Page 22: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/22.jpg)
(n, t) - Secret Sharing Scheme [Shamir 1979, Blackley 1979]
Secret s Dealer
v1 v2 v3 vn
Sharing Phase
…
t +1 parties can reconstruct the secretSecret s
Reconstruction Phase
![Page 23: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/23.jpg)
Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries
Secret x is Shamir-Shared if
x2 x3 xnx1 …
Random polynomial of degree t over Fp s.t p>n
P1 P2 PnP3
![Page 24: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/24.jpg)
Reconstruction of Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries
x2
x3
xn
x1P1
P2
Pn
P3
Pi
The same is done for all Pi
Lagrange’s Interpolation
![Page 25: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/25.jpg)
Shamir-sharing Properties
Property 2: Any t parties have ‘no’ information about the secret. Pr[secret =s before secret sharing] – Pr[secret =s after secret sharing] = 0
Property 1: Any (t+1) parties have ‘complete’ information about the secret.
>> Both proof can be derived from Lagrange’s Interpolation.
![Page 26: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/26.jpg)
Lagrange’s Interpolation
>> Assume that h(x) is a polynomial of degree at most t and C is a subset of Fp of size t+1
>> Poly of degree t
>> At i, it evaluates to 1
>> At any other point, it gives 0.
Theorem: h(x) can be written as
>> Assume for simplicity C = {1,……,t+1}
where
Proof:
Consider LHS – RHS:
Both LHS and RHS evaluates to h(i) for every i in C
Both LHS and RHS has degree at most t
LHS - RHS evaluates to 0 for every i in C and has degree at most t
More zeros (roots) than degree Zero polynomial!
LHS = RHS
![Page 27: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/27.jpg)
Lagrange’s Interpolation
>> Poly of degree t
>> At i, it evaluates to 1
>> At any other point, it gives 0.
Theorem: h(x) can be written as
C = {1,……,t+1}
where
>> are public polynomials
>> are public values, denote by ri
>> Can be written as the linear combination of h(i)s
The combiners are (recombination vector): r1,….rt+1
Property 1: Any (t+1) parties have ‘complete’ information about the secret.
![Page 28: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/28.jpg)
Lagrange’s Interpolation
Property 2: Any t parties have ‘no’ information about the secret. Pr[secret =s before secret sharing] – Pr[secret =s after secret sharing] = 0
Proof: For any secret s from Fp if we sample f(x) of degree at most t randomly s.t. f(0) = s and consider the following distribution for any C that is subset of Fp \ {0} and of size t :
( {f(i)}i in C ) uniform distribution in Fpt
For a fixed s,
If not then two different sets of t+1 values will define the same polynomial
t coefficients from Fpt A unique element from the above
distribution
![Page 29: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/29.jpg)
Lagrange’s Interpolation
Property 2: Any t parties have ‘no’ information about the secret. Pr[secret =s before secret sharing] – Pr[secret =s after secret sharing] = 0
Proof: For any secret s from Fp if we sample f(x) of degree at most t randomly s.t. f(0) = s and consider the following distribution for any C that is subset of Fp \ {0} and of size t :
( {f(i)}i in C ) uniform distribution in Fpt
For a fixed s,
t coefficients from Fpt A unique element from the above
distribution
fs : Fpt Fp
t
Uniform distribution
bijective
Uniform distribution
For every s, uniform dist and independent of dist. of s
![Page 30: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/30.jpg)
Lagrange’s Interpolation
Property 2: Any t parties have ‘no’ information about the secret. Pr[secret =s before secret sharing] – Pr[secret =s after secret sharing] = 0
Proof:
![Page 31: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/31.jpg)
![Page 32: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/32.jpg)
(n,t) Secret Sharing
s : (n,t) Secret Sharing of secret s
For MPC: Linear (n,t) Secret Sharing
s1 s2
c s
s1 s2
c: public constant s
from
from
Linearity: The parties can do the following
Linear
![Page 33: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/33.jpg)
Linearity of (n, t) Shamir Secret Sharing
a1 a2 a3 a
1 2 3
a1 a2
a3 a
b1 b2 b3 b b
b1 b2
b3+ + +
each party does locally
c1 c2 c3
![Page 34: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/34.jpg)
Linearity of (n, t) Shamir Secret Sharing
a1 a2 a3 a
1 2 3
a1 a2
a3 a
b1 b2 b3 b b
b1 b2
b3+ + +
c1 c2 c3 ab
c1 c2
c3
a+b
Addition is Absolutely free
![Page 35: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/35.jpg)
Linearity of (n, t) Shamir Secret Sharing
1 2 3
a1 a2 a3
a1 a2
a3 a
a
c c c
c is a publicly known constant
d1 d2 d3
ca
d1 d2
d3
ca
Multiplication by public constants is Absolutely free
![Page 36: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/36.jpg)
Non-linearity of (n, t) Shamir Secret Sharing
a1 a2 a3
b1 b2 b3 b
a
1 2 3
a1 a2
a3 a
b
b1 b2
b3
d1 d2 d3 ab
d1
d3 d2
ab
Multiplication of shared secrets is not free
![Page 37: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/37.jpg)
Secure Circuit Evaluation
x1 x2 x3 x4
c
y
![Page 38: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/38.jpg)
2 1 5 9
y
3
Secure Circuit Evaluation
![Page 39: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/39.jpg)
Secure Circuit Evaluation
1. (n, t)- secret share each input
2 1 5 9
3
![Page 40: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/40.jpg)
Secure Circuit Evaluation
2 1 5 9
2. Find (n, t)-sharing of each intermediate value
1. (n, t)- secret share each input
3
![Page 41: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/41.jpg)
Secure Circuit Evaluation
3
2 1 5 9
3
48
144
45
2. Find (n, t)-sharing of each intermediate value
1. (n, t)- secret share each input
![Page 42: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/42.jpg)
Secure Circuit Evaluation
2 1 5 9
3
48
Linear gates: Linearity of Shamir Sharing - Non-Interactive
144
45 3
2. Find (n, t)-sharing of each intermediate value
1. (n, t)- secret share each input
![Page 43: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/43.jpg)
Secure Circuit Evaluation
2 1 5 9
3
48 Non-linear gate: Require degree-reduction Technique. Interactive
45
144
3
2. Find (n, t)-sharing of each intermediate value
1. (n, t)- secret share each input
Linear gates: Linearity of Shamir Sharing - Non-Interactive
![Page 44: Secure Computation (Lecture 5) Arpita Patra. Recap >> Scope of MPC > models of computation > network models > modelling distrust (centralized/decentralized](https://reader030.vdocuments.mx/reader030/viewer/2022033101/56649efb5503460f94c0d7eb/html5/thumbnails/44.jpg)
Secure Circuit Evaluation
2 1 5 9
1. No inputs of the honest parties are leaked.
2. No intermediate value is leaked.
3
48
45
144
Privacy follows (intuitively) because:
3