<p style="text-align: center;" markdown="1"> Notes for the "MPC and Blockchain" Course
(MPC - Fall 22) <br>
Verneet SINGH & Abhishek Burse, EURECOM<br>
February 7, 2023</p>
**Security Models**

There are 2 kinds of security models:

**1. Semi-Honest Security Model**

- **Follow the protocol specification** - the adversary (corrupted party) does not change the working of the protocol.
- **Use correct inputs** - the adversary does not change the private inputs of the parties.
- **Use uniformly sampled randomness** - the adversary uses good randomness in the protocol.

**2. Malicious Security Model**

- **Can deviate from the protocol specification** - the adversary (corrupted party) does not follow the exact working of the protocol.
- **Can send arbitrary inputs** - the adversary can send wrong inputs.
- **Can use bad randomness** - the adversary can use bad randomness in the protocol.
**The Ideal World**

In the ideal world, the first column gives the view of the adversary in the semi-honest setting, while the second column gives the view of the adversary in the malicious setting.
**Security with aborts**

The security model of identifiable abort aims to prevent these attacks, by allowing honest parties to agree upon the identity of a cheating party, who can then be excluded in the future.
**Malicious-Secure MPC à la GMW**

We use a zero-knowledge protocol to securely realize GMW in the malicious setting.
In the malicious setting, the corrupted parties:
- Can deviate from the protocol specification
- Can send arbitrary inputs
- Can use bad randomness

**Generating Good Public Randomness**
Generating good public randomness is important in the GMW (Garbled Circuit, Millionaires' Problem) protocol for several reasons:
1. **Security**: Good public randomness is critical to the security of the GMW protocol, as it ensures that the garbled circuits produced by each party are truly random and cannot be predicted by an adversary.
2. **Privacy**: The GMW protocol relies on the use of garbled circuits to keep the inputs of each party private, and good public randomness helps to ensure that the garbled circuits cannot be correlated with the inputs, preserving the privacy of each party.
3. **Correctness**: Good public randomness is essential to the correct functioning of the GMW protocol, as it ensures that the outputs of the garbled circuits match the expected results, even in the presence of an adversary who may be attempting to interfere with the computation.

- In the commit phase, party Pi broadcasts its commitment message to all the parties.
- Each receiving party Pj runs a zero-knowledge protocol to verify whether the commitment it received is genuine.
- In the reveal phase, the commitments are opened by broadcast.
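
The commit and reveal phases above, as an added Python example that is not part of the original notes. It assumes a SHA-256 hash commitment and replaces the zero-knowledge check of the second step with a plain opening check; the function names and the 16-byte output length are illustrative.

```python
import hashlib
import secrets
from functools import reduce

LEN = 16  # bytes of public randomness to produce (assumed size)

def commit(value):
    """Hash commitment (assumed scheme): returns (commitment, nonce)."""
    nonce = secrets.token_bytes(32)
    return hashlib.sha256(nonce + value).digest(), nonce

def verify(commitment, value, nonce):
    """Check that (value, nonce) opens the commitment broadcast earlier."""
    digest = hashlib.sha256(nonce + value).digest()
    return len(value) == LEN and secrets.compare_digest(commitment, digest)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def coin_flip(commitments, openings):
    """commitments: {party: c}; openings: {party: (value, nonce)}.
    Returns (randomness, []) or, on abort, (None, [identified cheaters])."""
    cheaters = sorted(p for p, c in commitments.items()
                      if p not in openings or not verify(c, *openings[p]))
    if cheaters:
        return None, cheaters
    return reduce(xor, (openings[p][0] for p in commitments)), []

def demo():
    # Commit phase: every party samples a share and broadcasts a commitment.
    values = {p: secrets.token_bytes(LEN) for p in ("P1", "P2", "P3")}
    commitments, openings = {}, {}
    for p, v in values.items():
        commitments[p], nonce = commit(v)
        openings[p] = (v, nonce)
    # Reveal phase, all honest: output is the XOR of all shares.
    honest = coin_flip(commitments, openings)
    # Constructed cheat: P3 waits for the other openings, then swaps its share
    # to force an all-zero output. The old commitment no longer verifies.
    forced = xor(values["P1"], values["P2"])
    tampered = dict(openings, P3=(forced, openings["P3"][1]))
    return honest, coin_flip(commitments, tampered)
```

A party that refuses to open, or opens to a different value, is named in the returned list, which is the identifiable-abort behaviour described earlier in these notes.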

**For the GMW protocol compiler we need private randomness.**
Private randomness is generated and kept secret by a party or a group of parties, while public randomness is generated and broadcast by a trusted third-party for use in protocols that require unbiased randomness.
In the malicious setting there are 2 main problems:
- Corrupt parties do not follow the protocol properly.
- Corrupt parties do not select good randomness, and thus the protocol is weak.

We use a coin-flipping protocol or commitments to ensure corrupt parties use good randomness, and a zero-knowledge protocol to ensure corrupt parties follow the protocol properly.
**Generating Good Private Randomness**
The randomly sampled string is sent to the designated party only.


**Commit and Prove in Zero Knowledge (2PC Case):**

- We have 2 parties, P1 and P2, and we assume party P2 is corrupt. P2 may send wrong output to other parties, so we use commit and prove in zero knowledge to make sure the output of P2 is computed as per the protocol.


- In the 2-party protocol without zero knowledge, party Pi sent πk+1 to the next party. When zero knowledge is used, the malicious party sends πk+1 along with the commitment message so that the receiving party can check the authenticity of the message.