Output Privacy in Secure Multiparty Computation

In secure multiparty computation, a set of mutually mistrusting players engage in a protocol to compute an arbitrary, publicly known polynomial-sized function of the parties' private inputs, in a way that does not reveal (to an adversary controlling some of the players) any knowledge about the remaining inputs, beyond what can be deduced from the obtained output(s). Since its introduction by Yao [39], and Goldreich, Micali and Wigderson [29], this powerful paradigm has received a lot of attention. All throughout, however, very little attention has been given to the privacy of the players' outputs. Yet, disclosure of (part of) the output(s) may have serious consequences for the overall security of the application, e.g., when the computed output is a secret key, or when the evaluation of the function is part of a larger computation, so that the function's output(s) will be used as input(s) in the next phase. In this work, we define the notion of private-output multiparty computation. This newly revised notion encompasses (as a particular case) the classical definition and allows a set of players to jointly compute the output of a common function in such a way that the execution of the protocol reveals no information (to an adversary controlling some of the players) about (some part of) the outputs (other than what follows from the description of the function itself). Next, we formally verify that basically no function can be output-privately computed in the presence of an adversary who gets full access to the internal memory of the corrupted players. However, if one restricts the (computationally bounded) adversary to control only part of the state of corrupted players, any function can be output-privately computed, assuming that enhanced trapdoor permutations exist and that public communication channels are available. Moreover, we prove that security is preserved under sequential composition.
We note that partial access to the internal state of some of the players (either part of the time, e.g., forward security and intrusion resiliency, or part of the space, e.g., secure CPU/memory) is an assumption that has been used in various settings to formalize limits on the attacker's capabilities that can be enforced via reasonable physical and architectural restrictions. However, previous models were devised for specific cryptographic tasks (e.g., encryption and signature schemes), whereas our formalization has a wider scope. We believe that the model we suggest may foster further studies of insider adversaries with partial control in the context of secure multiparty computation.

[1] Oded Goldreich. Foundations of Cryptography: Volume 1, 2006.

[2] Yehuda Lindell et al. On the Limitations of Universally Composable Two-Party Computation Without Set-Up Assumptions, 2003, Journal of Cryptology.

[3] Shai Halevi et al. Enforcing Confinement in Distributed Storage and a Cryptographic Model for Access Control, 2005, IACR Cryptol. ePrint Arch.

[4] Abhi Shelat et al. Completely fair SFE and coalition-safe cheap talk, 2004, PODC '04.

[5] Silvio Micali et al. Algorithmic Tamper-Proof (ATP) Security: Theoretical Foundations for Security against Hardware Tampering, 2004, TCC.

[6] Donald Beaver et al. Secure multiparty protocols and zero-knowledge proof systems tolerating a faulty minority, 2004, Journal of Cryptology.

[7] Yuval Ishai et al. On 2-Round Secure Multiparty Computation, 2002, CRYPTO.

[8] Shouhuai Xu et al. Key-Insulated Public Key Cryptosystems, 2002, EUROCRYPT.

[9] Moni Naor et al. A Minimal Model for Secure Computation, 2002.

[10] Ran Canetti et al. Universally composable security: a new paradigm for cryptographic protocols, 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[11] Yuval Ishai et al. The round complexity of verifiable secret sharing and secure multicast, 2001, STOC '01.

[12] Yuval Ishai et al. On Adaptive vs. Non-adaptive Security of Multiparty Protocols, 2001, EUROCRYPT.

[13] Oded Goldreich et al. The Foundations of Cryptography - Volume 2: Basic Applications, 2001.

[14] Matthew K. Franklin et al. Secure Communication in Minimal Connectivity Models, 1998, Journal of Cryptology.

[15] Ran Canetti et al. Security and Composition of Multiparty Cryptographic Protocols, 2000, Journal of Cryptology.

[16] Ueli Maurer et al. Player Simulation and General Adversary Structures in Perfect Multiparty Computation, 2000, Journal of Cryptology.

[17] Hugo Krawczyk et al. Adaptive Security for Threshold Cryptosystems, 1999, CRYPTO.

[18] Mihir Bellare et al. A Forward-Secure Digital Signature Scheme, 1999, CRYPTO.

[19] Ivan Damgård et al. Efficient Multiparty Computations Secure Against an Adaptive Adversary, 1999, EUROCRYPT.

[20] Tal Rabin et al. Simplified VSS and fast-track multiparty computations with applications to threshold cryptography, 1998, PODC '98.

[21] Ran Canetti et al. Maintaining Authenticated Communication in the Presence of Break-Ins, 1997, PODC '97.

[22] Matthew K. Franklin et al. Secure hypergraphs: privacy from partial broadcast, 1995, STOC '95.

[23] Moti Yung et al. Perfectly secure message transmission, 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[24] Reuven Bar-Yehuda et al. Privacy, additional information, and communication, 1990, Proceedings Fifth Annual Structure in Complexity Theory Conference.

[25] Eyal Kushilevitz et al. A zero-one law for Boolean privacy, 1989, STOC '89.

[26] Avi Wigderson et al. Completeness theorems for non-cryptographic fault-tolerant distributed computation, 1988, STOC '88.

[27] Silvio Micali et al. Probabilistic Encryption, 1984, J. Comput. Syst. Sci.

[28] Andrew Chi-Chih Yao et al. Protocols for secure computations, 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[29] Whitfield Diffie et al. New Directions in Cryptography, 1976, IEEE Trans. Inf. Theory.