Professional Documents
Culture Documents
Introduction
Introduction
Security of MPC
Security of MPC
Security of MPC
Security of MPC
Security of MPC
Security of MPC
Indistinguishability
Indistinguishability
Indistinguishability
Indistinguishability
Indistinguishability
Communication
Communication
Communication
Communication
MPC Results
MPC Results
MPC Results
MPC Results
MPC Results
MPC Results
How is it done?
How is it done?
How is it done?
How is it done?
How is it done?
Correlated Equilibrium
Correlated Equilibrium
• Definition
A correlated equilibrium is a distribution D over strategies such that
Es∼D|si [ui (si , s−i )] ≥ Es∼D|si [ui (s∗i , s−i )] for all players i and all
alternative strategies s∗i .
Correlated Equilibrium
• Definition
A correlated equilibrium is a distribution D over strategies such that
Es∼D|si [ui (si , s−i )] ≥ Es∼D|si [ui (s∗i , s−i )] for all players i and all
alternative strategies s∗i .
Correlated Equilibrium
• Definition
A correlated equilibrium is a distribution D over strategies such that
Es∼D|si [ui (si , s−i )] ≥ Es∼D|si [ui (s∗i , s−i )] for all players i and all
alternative strategies s∗i .
Correlated Equilibrium
• Definition
A correlated equilibrium is a distribution D over strategies such that
Es∼D|si [ui (si , s−i )] ≥ Es∼D|si [ui (s∗i , s−i )] for all players i and all
alternative strategies s∗i .
Correlated Equilibrium
• Definition
A correlated equilibrium is a distribution D over strategies such that
Es∼D|si [ui (si , s−i )] ≥ Es∼D|si [ui (s∗i , s−i )] for all players i and all
alternative strategies s∗i .
Simulating MPC
The players run an M P C protocol in the preamble that performs the
computation f (t1 , t2 , · · · , tn , r) = (s1 , s2 , · · · , sn ) previously carried
out by the mediator.
Simulating MPC
The players run an M P C protocol in the preamble that performs the
computation f (t1 , t2 , · · · , tn , r) = (s1 , s2 , · · · , sn ) previously carried
out by the mediator.
Verifiable Mediator
The trusted mediator is replaced by a verifiable device, which carries
out computation in public while maintaining privacy.
Definition
A computational nash equilibrium is set of strategies (x1 , x2 , · · · , xn )
each one efficiently computable such that ui (xi , x−i ) ≥ ui (x∗i , x−i ) −
for all players i and efficient alternative strategies x∗i .
k-resilient equilibria
k-resilient equilibria
• Definition
A distribution D over strategies such that ∀C ⊂ [n], |C| ≤ k we have
Ex∼D|xC [ui (xC , x−C )] ≥ Ex∼D|xC [ui (xC ∗, x−C )] for all players i ∈ C
and for all alternative strategies x∗C .
k-resilient equilibria
• Definition
A distribution D over strategies such that ∀C ⊂ [n], |C| ≤ k we have
Ex∼D|xC [ui (xC , x−C )] ≥ Ex∼D|xC [ui (xC ∗, x−C )] for all players i ∈ C
and for all alternative strategies x∗C .
k-resilient equilibria
• Definition
A distribution D over strategies such that ∀C ⊂ [n], |C| ≤ k we have
Ex∼D|xC [ui (xC , x−C )] ≥ Ex∼D|xC [ui (xC ∗, x−C )] for all players i ∈ C
and for all alternative strategies x∗C .
k-resilient equilibria
• Definition
A distribution D over strategies such that ∀C ⊂ [n], |C| ≤ k we have
Ex∼D|xC [ui (xC , x−C )] ≥ Ex∼D|xC [ui (xC ∗, x−C )] for all players i ∈ C
and for all alternative strategies x∗C .
k-resilient equilibria
• Definition
A distribution D over strategies such that ∀C ⊂ [n], |C| ≤ k we have
Ex∼D|xC [ui (xC , x−C )] ≥ Ex∼D|xC [ui (xC ∗, x−C )] for all players i ∈ C
and for all alternative strategies x∗C .
• Theorem
If x is a k-resilient CE for a game specified by function f , and π is a
M P C protocol (output delivery) secure against upto k parties, then
running π in the preamble yields a k-resilient CE for the extended
game with the same payoffs as x.
• Theorem
If x is a k-resilient CE for a game specified by function f , and π is a
M P C protocol (output delivery) secure against upto k parties, then
running π in the preamble yields a k-resilient CE for the extended
game with the same payoffs as x.
• Theorem
If x is a k-resilient CE for a game specified by function f , and π is a
M P C protocol (output delivery) secure against upto k parties, then
running π in the preamble yields a k-resilient CE for the extended
game with the same payoffs as x.
• Theorem
If x is a k-resilient CE for a game specified by function f , and π is a
M P C protocol (output delivery) secure against upto k parties, then
running π in the preamble yields a k-resilient CE for the extended
game with the same payoffs as x.
• Theorem
If x is a k-resilient CE for a game specified by function f , and π is a
M P C protocol (output delivery) secure against upto k parties, then
running π in the preamble yields a k-resilient CE for the extended
game with the same payoffs as x.
Directions
Directions
Perfect Implementation
Perfect Implementation
Perfect Implementation
Perfect Implementation
Perfect Implementation
Perfect Implementation
Imperfect Implementations
Imperfect Implementations
Imperfect Implementations
Imperfect Implementations
Imperfect Implementations
Imperfect Implementations
Imperfect Implementations
Imperfect Implementations
0
• There is a bijection between the equilibria of M and the
equilibria of M .
Imperfect Implementations
0
• There is a bijection between the equilibria of M and the
equilibria of M .
• Example: Four player, two strategy game.
Imperfect Implementations
0
• There is a bijection between the equilibria of M and the
equilibria of M .
• Example: Four player, two strategy game.
• Payoffs: (a, a, a, a) = (0, 1, 0, 1), (b, b, b, b) = (1, 0, 1, 0),
(a, b, a, b) = (10, 10, −100, −100), −∞ for all other strategies.
The CE?
Imperfect Implementations
0
• There is a bijection between the equilibria of M and the
equilibria of M .
• Example: Four player, two strategy game.
• Payoffs: (a, a, a, a) = (0, 1, 0, 1), (b, b, b, b) = (1, 0, 1, 0),
(a, b, a, b) = (10, 10, −100, −100), −∞ for all other strategies.
The CE?
• Implementation: A and B flip a coin. Send outcome to C and D.
Imperfect Implementations
0
• There is a bijection between the equilibria of M and the
equilibria of M .
• Example: Four player, two strategy game.
• Payoffs: (a, a, a, a) = (0, 1, 0, 1), (b, b, b, b) = (1, 0, 1, 0),
(a, b, a, b) = (10, 10, −100, −100), −∞ for all other strategies.
The CE?
• Implementation: A and B flip a coin. Send outcome to C and D.
• A and B control the game!
Imperfect Implementations
0
• There is a bijection between the equilibria of M and the
equilibria of M .
• Example: Four player, two strategy game.
• Payoffs: (a, a, a, a) = (0, 1, 0, 1), (b, b, b, b) = (1, 0, 1, 0),
(a, b, a, b) = (10, 10, −100, −100), −∞ for all other strategies.
The CE?
• Implementation: A and B flip a coin. Send outcome to C and D.
• A and B control the game!
• We require that the information available to a subset of players in
0
a run of M is the same as the information available in a run of
M.
Remarks
Remarks
Remarks
Remarks
Operations on Envelopes
Operations on Envelopes
Operations on Envelopes
Operations on Envelopes
Operations on Envelopes
Operations on Envelopes
Operations on Envelopes
• Permutation Inverse
• Permutation Inverse
• Input: Envelopes A1 , A2 , · · · , A5 containing permutation σ.
• Permutation Inverse
• Input: Envelopes A1 , A2 , · · · , A5 containing permutation σ.
• Output: Envelopes B1 , B2 , · · · , B5 containing σ −1 .
• Permutation Inverse
• Input: Envelopes A1 , A2 , · · · , A5 containing permutation σ.
• Output: Envelopes B1 , B2 , · · · , B5 containing σ −1 .
• Publicly make B = I and pack (A, B) = (σ, I) into five
super-envelopes.
• Permutation Inverse
• Input: Envelopes A1 , A2 , · · · , A5 containing permutation σ.
• Output: Envelopes B1 , B2 , · · · , B5 containing σ −1 .
• Publicly make B = I and pack (A, B) = (σ, I) into five
super-envelopes.
• Ballot box to get (τ σ, τ ). Open the envelopes A to reveal τ σ
publicly.
• Permutation Inverse
• Input: Envelopes A1 , A2 , · · · , A5 containing permutation σ.
• Output: Envelopes B1 , B2 , · · · , B5 containing σ −1 .
• Publicly make B = I and pack (A, B) = (σ, I) into five
super-envelopes.
• Ballot box to get (τ σ, τ ). Open the envelopes A to reveal τ σ
publicly.
• (τ σ)−1 ◦ τ = σ −1 .
• Permutation Product
• Permutation Product
• Input: Envelopes A, B containing σ, τ .
• Permutation Product
• Input: Envelopes A, B containing σ, τ .
• Output: Envelopes containing στ .
• Permutation Product
• Input: Envelopes A, B containing σ, τ .
• Output: Envelopes containing στ .
• Obtain envelopes D containing σ −1 by previous algorithm.
• Permutation Product
• Input: Envelopes A, B containing σ, τ .
• Output: Envelopes containing στ .
• Obtain envelopes D containing σ −1 by previous algorithm.
• Pack (D, B) = (σ −1 , τ ) into five super-envelopes.
• Permutation Product
• Input: Envelopes A, B containing σ, τ .
• Output: Envelopes containing στ .
• Obtain envelopes D containing σ −1 by previous algorithm.
• Pack (D, B) = (σ −1 , τ ) into five super-envelopes.
• Ballot box to get (ρσ −1 , ρτ ). Open B to reveal ρσ −1 publicly.
• Permutation Product
• Input: Envelopes A, B containing σ, τ .
• Output: Envelopes containing στ .
• Obtain envelopes D containing σ −1 by previous algorithm.
• Pack (D, B) = (σ −1 , τ ) into five super-envelopes.
• Ballot box to get (ρσ −1 , ρτ ). Open B to reveal ρσ −1 publicly.
• (ρσ −1 )−1 ◦ ρτ = στ .
• Permutation Clone
• Permutation Clone
• Input: Envelopes A containing σ.
• Permutation Clone
• Input: Envelopes A containing σ.
• Output: Envelopes B, C containing σ.
• Permutation Clone
• Input: Envelopes A containing σ.
• Output: Envelopes B, C containing σ.
• Publicly create B, C = I. Obtain envelopes D containing σ −1 .
• Permutation Clone
• Input: Envelopes A containing σ.
• Output: Envelopes B, C containing σ.
• Publicly create B, C = I. Obtain envelopes D containing σ −1 .
• Pack (D, B, C) = (σ −1 , I, I) into five super-envelopes.
• Permutation Clone
• Input: Envelopes A containing σ.
• Output: Envelopes B, C containing σ.
• Publicly create B, C = I. Obtain envelopes D containing σ −1 .
• Pack (D, B, C) = (σ −1 , I, I) into five super-envelopes.
• Ballot box to get (τ σ −1 , τ, τ ). Open A to reveal τ σ −1 publicly.
• Permutation Clone
• Input: Envelopes A containing σ.
• Output: Envelopes B, C containing σ.
• Publicly create B, C = I. Obtain envelopes D containing σ −1 .
• Pack (D, B, C) = (σ −1 , I, I) into five super-envelopes.
• Ballot box to get (τ σ −1 , τ, τ ). Open A to reveal τ σ −1 publicly.
• (τ σ −1 )−1 ◦ τ = σ.
• Magic! Barrington
• Magic! Barrington
• 0 = 12345, 1 = 12453.
• Magic! Barrington
• 0 = 12345, 1 = 12453.
• Not(a)= 12354 ◦ a ◦ 12435
• Magic! Barrington
• 0 = 12345, 1 = 12453.
• Not(a)= 12354 ◦ a ◦ 12435
• And(a,b)=
13245 ◦ a ◦ 34125 ◦ b ◦ 34125 ◦ a−1 ◦ 34125 ◦ b−1 ◦ 24135.
• Magic! Barrington
• 0 = 12345, 1 = 12453.
• Not(a)= 12354 ◦ a ◦ 12435
• And(a,b)=
13245 ◦ a ◦ 34125 ◦ b ◦ 34125 ◦ a−1 ◦ 34125 ◦ b−1 ◦ 24135.
• Fanout: Use clone.
• Magic! Barrington
• 0 = 12345, 1 = 12453.
• Not(a)= 12354 ◦ a ◦ 12435
• And(a,b)=
13245 ◦ a ◦ 34125 ◦ b ◦ 34125 ◦ a−1 ◦ 34125 ◦ b−1 ◦ 24135.
• Fanout: Use clone.
• Randomness: Create two envelopes with contents 0 and 1. Ballot
box and destroy one of them.
• Magic! Barrington
• 0 = 12345, 1 = 12453.
• Not(a)= 12354 ◦ a ◦ 12435
• And(a,b)=
13245 ◦ a ◦ 34125 ◦ b ◦ 34125 ◦ a−1 ◦ 34125 ◦ b−1 ◦ 24135.
• Fanout: Use clone.
• Randomness: Create two envelopes with contents 0 and 1. Ballot
box and destroy one of them.
• This is a universal set of primitives.
Perfect Implementation
Perfect Implementation
Perfect Implementation
Perfect Implementation
Perfect Implementation
Problem Overview
Problem Overview
Problem Overview
Shamir’s Scheme
Shamir’s Scheme
Shamir’s Scheme
Shamir’s Scheme
Shamir’s Scheme
Definition
Strategy σi is weakly dominated with respect to S−i if there exists a
σi0 ∈ Si such that σi is weakly dominated by σi0 with respect to S−i .
Definition
Let DOMi (S1 × · · · × Sn ) denote the set of strategies in Si that are
weakly dominated with respect to S−i . Let Si0 denote the initial set of
allowable strategies of Pi . For all k ≥ 1, define Sik inductively as
k k−1 k−1 k−1 ∞
T k
Si , Si \ DOMi (S1 × · · · × Sn ). Let Si , k Si .
We say σi survives iterated deletion of weakly dominated strategies if
σi ∈ Si∞ .
• If s0 ∈ S then the players know that this is the true secret, and
can terminate the protocol.
• If s0 ∈ S then the players know that this is the true secret, and
can terminate the protocol.
• If s0 ∈ F \ S, the players know this is an invalid secret and proceed
to the next iteration.
• If s0 ∈ S then the players know that this is the true secret, and
can terminate the protocol.
• If s0 ∈ F \ S, the players know this is an invalid secret and proceed
to the next iteration.
Theorem
For appropriate choice of β, the protocol constitutes a Nash
equilibrium for t-out-of-n secret sharing that survives iterated deletion
of weakly dominated strategies.
Setup:
Setup:
Setup:
Protocol:
At the beginning of each iteration, the players proceed as follows:
1 The t∗ participating parties run the protocol that computes the
following probabilistic functionality:
Protocol:
At the beginning of each iteration, the players proceed as follows:
1 The t∗ participating parties run the protocol that computes the
following probabilistic functionality:
• Each party inputs the values (si , σi ) received from the dealer.
Protocol:
At the beginning of each iteration, the players proceed as follows:
1 The t∗ participating parties run the protocol that computes the
following probabilistic functionality:
• Each party inputs the values (si , σi ) received from the dealer.
• The functionality checks that each σi is a valid signature on si ,
and aborts if this is not the case.
Protocol:
At the beginning of each iteration, the players proceed as follows:
1 The t∗ participating parties run the protocol that computes the
following probabilistic functionality:
• Each party inputs the values (si , σi ) received from the dealer.
• The functionality checks that each σi is a valid signature on si ,
and aborts if this is not the case.
• The t∗ ≥ t shares define a secret s.
Protocol:
At the beginning of each iteration, the players proceed as follows:
1 The t∗ participating parties run the protocol that computes the
following probabilistic functionality:
• Each party inputs the values (si , σi ) received from the dealer.
• The functionality checks that each σi is a valid signature on si ,
and aborts if this is not the case.
• The t∗ ≥ t shares define a secret s.
• With probability β, the functionality generates a fresh t-out-of-n
Shamir sharing {s0i } of s, and each player receives output s0i .
Protocol:
At the beginning of each iteration, the players proceed as follows:
1 The t∗ participating parties run the protocol that computes the
following probabilistic functionality:
• Each party inputs the values (si , σi ) received from the dealer.
• The functionality checks that each σi is a valid signature on si ,
and aborts if this is not the case.
• The t∗ ≥ t shares define a secret s.
• With probability β, the functionality generates a fresh t-out-of-n
Shamir sharing {s0i } of s, and each player receives output s0i .
• With probability 1 − β, the functionality generates a fresh
t-out-of-n Shamir sharing {s0i } of a bogus secret ŝ ∈ F \ S, and
each player Pi receives output s0i .
Protocol:
Protocol:
Protocol:
Protocol: