Multi-Party Computation
This section is intended to give some theoretical background on MPC for those seeking to get a deeper understanding of the underlying technology of Sodot's products.
Understanding this section is not needed to use the products safely and provided for advanced readers who wish to better understand the foundations of the technology.
Historical Background
Communication Security
Primarily throughout history, cryptography has been focused on the goal of securing communication. That is, assuming two parties, typically referred to as Alice and Bob, cryptography sought to secure the communication between them such that no malicious party, typically referred to as Eve can:
- Infer full or even partial information about the contents of Alice and Bob’s messages. This threat is mitigated by means of Encryption. Both Alice and Bob agree1 on some encryption keys2 and subsequently encrypt all messages prior to communicating them over untrusted channels.
- Modify messages Alice (or Bob) sends to Bob (or Alice). This threat is mitigated by employing Message Authentication Codes (MACs, one commonly known example is the hash-based HMAC construction).
- Impersonate Alice or Bob. This threat is mitigated by means of Digital Signatures.
MPC Background
Since the 1980’s, cryptography has been found useful for a wide variety of other purposes, amongst which is the purpose of securing general distributed computation, typically referred to as Multi-Party Computation (MPC). Up until the early 2000's MPC research was focused primarily on theoretical aspects, with little to no practical implementations. Starting from the early 2000's, MPC research has seen a surge in practical implementations, with the first practical MPC protocols being implemented in 2008. Interest in MPC has been growing ever since, with MPC being used in a wide variety of applications, such as secure auctions, secure voting, secure cloud computing, and threshold digital signatures used for securing digital assets.
What is Multi-Party Computation (MPC)?
We start with an example, consider a set of three persons, each holding a private number representing their salary. The persons are interested in learning who has the highest salary. This comes with a few caveats:
- The persons are not interested in revealing their own salary, but only in learning the result of the comparison.
- They only wish to tell who has the highest salary, and not the actual value of the highest salary.
- They do not want to learn who has the second-highest salary and a secure protocol must not disclose this information.
- The persons cannot provide input that depends, in any way, on another person's inputs.
Notice that MPC does not provide any means to verify that the parties' inputs are correct! In our example, the persons can cheat and provide false inputs that are not their actual salaries.
A secure MPC protocol must meet all these demands.
MPC Definition
We provide a (simplistic) definition of MPC in a slightly more formal manner in what follows. In the context of MPC, we consider a set of mistrusting parties, denoted that wish to collaboratively compute some function securely. The function takes inputs, where party provides a private input . The parties share pairwise secure channels. That is, each pair of parties and can communicate over a dedicated channel that is both secret (i.e. no other party can read its contents) and authenticated (i.e. no other party can impersonate one of the other parties).
In our simplified setting (as general, formal, academic definitions can be quite complex), we consider MPC protocols to work in the following way:
- The protocols begin with each party holding its private input and computing some initial, local state.
- The protocol proceeds in rounds. Each round starts with each party making some local computation.
- At the end of the local computation each party sends a message to each other party over the secure channel.
- Upon receiving all messages from all other parties, each party updates its local state and proceeds to the next round.
- Once all rounds have accomplished, each party outputs some value .
Let be some protocol. We say that securely computes the function if it satisfies the following properties:
The correctness property states that parties output correct values from the protocol. That is, let denote the output of each party and let be its private input. The protocol satisfies the correctness property if for each party it holds that .
Unfortunately, some parties may be malicious and deviate from the protocol arbitrarily. This can be done for various reasons such as trying to learn more information than they should, or trying to disrupt the computation so that it leads to incorrect or biased results. In terms of security, we consider some subset of the parties to be malicious. We also refer to these parties as corrupted and think of these parties as following some adversarial strategy to disrupt the computation. This leads us to the second property of secure MPC protocols:
We say that protocol is private if for every such adversarial strategy it can be shown that the corrupted parties learn nothing more than what they would have learned if they had followed the protocol honestly. In other words, corrupted parties can deviate arbitrarily from the protocol, but they should not learn more information than what they should have learned from the protocol or bias its outcome in some adversarial way.
In summary, for a protocol to be considered secure, it must satisfy both the correctness and privacy properties.
Further Reading
An interested reader can find more information about MPC in the following resources:
- Wikipedia
- A Survey on Secure Multi-Party Computation
- Oded Goldreich's Book on Foundations of Cryptography (Volume 1,Volume 2)