Content deleted Content added
No edit summary Tags: Reverted Mobile edit Mobile web edit |
Cyberified (talk | contribs) Link suggestions feature: 3 links added. Tags: Visual edit Mobile edit Mobile web edit Newcomer task Suggested: add links |
||
| (4 intermediate revisions by 4 users not shown) | |||
Line 2:
'''Secure multi-party computation''' (also known as '''secure computation''', '''multi-party computation''' ('''MPC''') or '''privacy-preserving computation''') is a subfield of cryptography with the goal of creating methods for parties to jointly compute a function over their inputs while keeping those inputs private.<ref>{{cite web |last1=Evans |first1=David |last2=Kolesnikov |first2=Vladimir |last3=Rosulek |first3=Mike |title=A Pragmatic Introduction to Secure Multi-Party Computation |url=https://securecomputation.org/docs/pragmaticmpc.pdf |website=securecomputation.org |access-date=19 October 2024 |language=en-us |date=2018|archive-url=https://web.archive.org/web/20240812213844/https://securecomputation.org/docs/pragmaticmpc.pdf|archive-date=2024-08-12}}</ref> Unlike traditional cryptographic tasks, where cryptography assures security and integrity of communication or storage and the adversary is outside the system of participants (an eavesdropper on the sender and receiver), the cryptography in this model protects participants' [[privacy]] from each other.
The foundation for secure multi-party computation started in the late 1970s with the work on mental poker, cryptographic work that simulates game playing/computational tasks over distances without requiring a [[trusted third party]]. Traditionally, cryptography was about concealing content, while this new type of computation and protocol is about concealing partial information about data while computing with the data from many sources, and correctly producing outputs. By the late 1980s, [[Michael Ben-Or]], [[Shafi Goldwasser]] and Avi Wigderson, and independently David Chaum, Claude Crépeau, and [[Ivan Damgård]], had published papers showing "how to securely compute any function in the secure channels
== History ==
Special purpose protocols for specific tasks started in the late 1970s.<ref>A. Shamir, R. Rivest, and L. Adleman, "Mental Poker", Technical Report LCS/TR-125, Massachusetts Institute of Technology, April 1979.</ref> Later, secure computation was formally introduced as [[secure two-party computation]] (2PC) in 1982 (for the so-called [[Yao's Millionaires' Problem|Millionaires' Problem]], a specific problem which is a Boolean predicate), and in generality (for any feasible computation) in 1986 by [[Andrew Yao]].<ref name="Yao">Andrew C. Yao, [http://www.cs.wisc.edu/areas/sec/yao1982-ocr.pdf Protocols for secure computations] (extended abstract)</ref><ref>Andrew Chi-Chih Yao:How to Generate and Exchange Secrets (Extended Abstract). FOCS 1986: 162-167 [https://ieeexplore.ieee.org/document/4568207]</ref> The area is also referred to as Secure Function Evaluation (SFE). The two party case was followed by a generalization to the multi-party by Oded Goldreich, [[Silvio Micali]], and Avi Wigderson. The computation is based on secret sharing of all the inputs and zero-knowledge proofs for a potentially malicious case, where the majority of honest players in the malicious adversary case assure that bad behavior is detected and the computation continues with the dishonest person eliminated or his input revealed. This work suggested the very basic general scheme to be followed by essentially all future multi-party protocols for secure computing.<ref name="goldreich_87">Oded Goldreich, Silvio Micali, Avi Wigderson:How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority. STOC 1987: 218-229 [http://dl.acm.org/citation.cfm?doid=28395.28420]</ref> This work introduced an approach, known as GMW paradigm, for compiling a multi-party computation protocol which is secure against semi-honest adversaries to a protocol that is secure against malicious adversaries. This work was followed by the first robust secure protocol which tolerates faulty behavior graciously without revealing anyone's output via a work which invented for this purpose the often used `share of shares idea'<ref>[[Zvi Galil]], Stuart Haber, Moti Yung: Cryptographic Computation: Secure Fault-Tolerant Protocols and the Public-Key Model. CRYPTO 1987: 135-155
[https://link.springer.com/chapter/10.1007%2F3-540-48184-2_10]</ref> and a protocol that allows one of the parties to hide its input unconditionally.<ref>[[David Chaum]], [[Ivan Damgård]], Jeroen van de Graaf: Multiparty Computations Ensuring Privacy of Each Party's Input and Correctness of the Result. 87-119 [https://link.springer.com/chapter/10.1007%2F3-540-48184-2_7]</ref> The GMW paradigm was considered to be inefficient for years because of huge overheads that it brings to the base protocol. However, it is shown that it is possible to achieve efficient protocols,<ref name=":0">{{Cite book|last1=Abascal|first1=Jackson|last2=Faghihi Sereshgi|first2=Mohammad Hossein|last3=Hazay|first3=Carmit|last4=Ishai|first4=Yuval|last5=Venkitasubramaniam|first5=Muthuramakrishnan|title=Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security |chapter=Is the Classical GMW Paradigm Practical? The Case of Non-Interactive Actively Secure 2PC |date=2020-10-30|chapter-url=https://doi.org/10.1145/3372297.3423366|series=CCS '20|___location=Virtual Event, USA|publisher=Association for Computing Machinery|pages=1591–1605|doi=10.1145/3372297.3423366|isbn=978-1-4503-7089-9|s2cid=226228208 }}</ref> and it makes this line of research even more interesting from a practical perspective. The above results are in a model where the adversary is limited to polynomial time computations, and it observes all communications, and therefore the model is called the `computational model'. Further, the protocol of [[oblivious transfer]] was shown to be complete for these tasks.<ref>Joe Kilian: Founding Cryptography on Oblivious Transfer. STOC 1988: 20-31 [http://dl.acm.org/citation.cfm?doid=62212.62215]</ref> The above results established that it is possible under the above variations to achieve secure computation when the majority of users are honest.
Line 168:
|
|-
| MP-SPDZ - A versatile framework for multi-party computation <ref>{{Cite web | title=Welcome to MP-
| [[CSIRO]]'s Data61
| 2018
| |||