(DRAFT) Garbled Circuits for Three-Party Computation
Imagine a group of people have some private data, and they want to jointly compute a function of their private data, without sharing any of the data. Maybe they want to know the median of their salaries, without anyone revealing their own. Maybe a group of doctors wants to collaborate on a statistical study, without sharing any data about individual patients. This is the problem that multiparty computation solves.
If you haven't thought about this before, you'll want to start with the special case of two-party computation, which rests on Yao's garbled circuits protocol and a technique called oblivious transfer. This post by Gubsheep walks you through understanding how you would discover the protocol on your own. If you just want to see the protocol, Vitalik's post is also very good.
In this post I'm going to explain how to upgrade two-party computation to handle computations between three (or more) people, still using the basic idea of garbled circuits.
For this post, we're going to assume that all three parties carry out the protocol honestly... One could ask for stronger security guarantees. There are lots of different 3PC protocols, with different tradeoffs among security and complexity. There are also lots of good ideas that we won't get into in this blog post -- for example, "cut-and-choose".
A three-party version of oblivious transfer