Secure Multi-party Computation

Secure multi-party computation (also known as secure computation or multi-party computation (MPC)) is a subfield of cryptography. The goal of methods for secure multi-party computation is to enable parties to jointly compute a function over their inputs, while at the same time keeping these inputs private. For example, two millionaires can compute which one is richer, but without revealing their net worth. In fact, this very example was initially suggested by Andrew C. Yao in a 1982 paper., and was later named the millionaire problem.

The concept is important in the field of cryptography and is closely related to the idea of zero-knowledgeness. In general it refers to computational systems in which multiple parties wish to jointly compute some value based on individually held secret bits of information, but do not wish to reveal their secrets to one another in the process. For example, two individuals who each possess some secret information— and, respectively—may wish to jointly compute some function without revealing any information about and other than what can be reasonably deduced by knowing the actual value of, where "reasonably deduced" is often interpreted as equivalent to computation within polynomial time. The primary motivation for studying methods of secure computation is to design systems that allow for maximum utility of information without compromising user privacy.

Secure computation was formally introduced in 1982 by A. Yao (incidentally, the first recipient of the Knuth Prize) as secure two-party computation.

The millionaire problem and its solution gave way to a generalization to multi-party protocols. In an MPC, a given number of participants p₁, p₂, ..., p_N each have a private data, respectively d₁, d₂, ..., d_N. The participants want to compute the value of a public function F on N variables at the point (d₁, d₂, ..., d_N). An MPC protocol is secure if no participant can learn more from the description of the public function and the result of the global calculation than what he/she can learn from his/her own entry — under particular conditions depending on the model used.

Like many cryptographic protocols, the security of an MPC protocol can rely on different assumptions:

• It can be computational (i.e. based on some mathematical problem, like factoring) or unconditional (usually with some probability of error which can be made arbitrarily small).
• The model in which the scheme is described might assume that participants use a synchronized network (a message sent at a "tick" always arrives at the next "tick"), that a secure and reliable broadcast channel exists, that a secure communication channel exists between every pair of participants (an adversary cannot read, modify or generate messages in the channel), etc.
• The centrally controlled adversary considered can be passive (only allowed to read the data of a certain number of participants) or active (can corrupt the execution protocol or a certain number of participants).
• An adversary can be static (chooses its victims before the start of the multi-party computation) or dynamic (can choose its victims during the course of execution of the multiparty computation). Attaining security against a dynamic adversary is often much harder than security against a static adversary.
• An adversary can be defined as a threshold structure (meaning that it can corrupt or simply read the memory of a number of participants up to some threshold), or be defined as a more complex structure (it can affect certain predefined subsets of participants, modeling different possible collusions). These structures are commonly referred to as adversary structures. The opposite set consisting of the sets of honest parties that can still execute a computational task is related to the concept of access structures.

An important primitive in MPC is oblivious transfer.

Unconditionally or information-theoretically secure MPC is closely related to the problem of secret sharing, and more specifically verifiable secret sharing (VSS); many secure MPC protocols that protect against active adversaries use VSS.

Performing a computation using MPC protocols is still order of magnitudes slower than performing the computation using a trusted third party. However, more and more efficient protocols for MPC have been proposed, and MPC can be now used as a practical solution to various real-life problems such as distributed voting, private bidding and auctions, sharing of signature or decryption functions, private information retrieval, etc. The first large-scale and practical application of multiparty computation took place in Denmark in January 2008, as described by Bogetoft et al.