# 1/12: MPC Definitions / Problems Collection - chapter 23 of https://toc.cryptobook.us/book.pdf - the book https://www.cs.virginia.edu/~evans/pragmaticmpc/pragmaticmpc.pdf thanks to cryptohack discord for sending me resources below - https://nigelsmart.github.io/SCALE/ - https://github.com/rdragos/awesome-mpc ## Key Definitions The intuitive setting - is that there are $n$ parties each with input $x_1, x_2, \cdots, x_n$ and a public function $f$. These $n$ parties want to work together to compute $y = f(x_1, \cdots, x_n)$, but they want to reveal nothing about their inputs $x_i$ except the information that is trivially revealed due to the output $y$. In this scenario, there's some desirable properties we can define. ### Properties - privacy: as mentioned, other parties do not know anything about $x_i$ except the information directly revealed by the output $y$ (e.g. consider $f(x_1, x_2) = x_1 + x_2$) - soundness: honest parties compute correct outputs - input independence: all parties choose their inputs independent from other inputs - guaranteed output delievery: honest parties are guaranteed to obtain output - fairness: if any party obtains an output, all honest parties do where the latter two are a bit more optional than the previous three. ### Communication Such protocols need to deal with communications between parties. - Synchronous: message between honest parties will be delivered in a fixed amount of time - Asynchronous: messages may be arbitrarily delayed - Secure point-to-point communication channels are used (authenticated encryption) ### Attack/Corruption Models - malicious security: corrupt parties behave arbitrarily adversarily - static: corrupted parties are fixed at the very beginning - adaptive: adversaries use an adaptive strategy - honest-but-curious adversaries: faithfully follow the protocol, but leak their internal state - also called "semi-honest security" ### Formal Security The precise definition of MPC is quite difficult - so more or less should be looked a bit later after studying some problems and constructions first - but some keywords. - Real/Ideal Paradigm - ideal world is where a trusted party is used - so each party, honest or corrupt, submits the input to the trusted party, and the protocol is ran by the trusted party - so a protocol is secure when an attack on the "real world" also works on the "ideal world" - and we prove this similar to the ZK-ness proof, by providing a *simulator* on the "ideal world" that provides the views of the "real world adversary", in a manner in which the two distributions are computationally indistinguishable - Universal Composability For a concrete look into the definitions, Chapter 23.5 of the big book works as an intro. The Chapter 2 of the pragmatic MPC book also has some nice explanations as well. ## Problems to Look ### General Purpose MPC This is the most general format: we aim to do MPC for general function $f$. The current reading list looks as follows. First, the fundamentals. - Beaver's Protocol - Garbled Circuits and their extensions/improvements from both books seems to be must-read. Then, there are more "recent" papers - BDOZ (https://eprint.iacr.org/2010/514.pdf) - SPDZ (https://eprint.iacr.org/2011/535.pdf) - https://eprint.iacr.org/2012/642.pdf - https://eprint.iacr.org/2015/523.pdf - https://eprint.iacr.org/2017/1230.pdf - https://eprint.iacr.org/2018/482.pdf - https://eprint.iacr.org/2019/599.pdf - https://eprint.iacr.org/2020/521.pdf ### Yao's Millionare Problem This one aims to simply compare two inputs. - https://eprint.iacr.org/2005/043.pdf - https://www.win.tue.nl/~berry/papers/pkc07intcomp.pdf - https://iacr.org/archive/pkc2007/44500343/44500343.pdf - https://eprint.iacr.org/2016/544.pdf - https://eprint.iacr.org/2020/1002.pdf ### Oblivious Transfer The first participant has $x_1, \cdots, x_n$, the other has the index $k$, and the output is $x_k$, but the first participant should not know the index $k$. There is 1-out-of-$n$, $k$-out-of-$n$ and such. - https://dl.acm.org/doi/pdf/10.1145/301250.301312 - https://link.springer.com/content/pdf/10.1007/3-540-45664-3_11.pdf - https://ir.nctu.edu.tw/bitstream/11536/27052/1/000188196400010.pdf - https://eprint.iacr.org/2013/552.pdf - https://eprint.iacr.org/2015/267.pdf - https://eprint.iacr.org/2016/799.pdf - https://eprint.iacr.org/2016/933.pdf - https://eprint.iacr.org/2019/414.pdf - https://dl.acm.org/doi/pdf/10.1145/3503045 ### Private Set Intersection Two participants have a set, wish to compute intersection. - https://eprint.iacr.org/2015/634.pdf - https://eprint.iacr.org/2016/930.pdf - https://eprint.iacr.org/2017/299.pdf - https://eprint.iacr.org/2017/1064.pdf - https://eprint.iacr.org/2018/120.pdf - https://eprint.iacr.org/2019/634.pdf - https://eprint.iacr.org/2020/729.pdf - https://eprint.iacr.org/2021/122.pdf ### Multiparty ECDSA / Schnorr Compute a signature via multiparty signature with each party having key shares - https://eprint.iacr.org/2019/114.pdf - https://eprint.iacr.org/2020/540.pdf - https://eprint.iacr.org/2021/060.pdf - https://eprint.iacr.org/2022/374.pdf ### MPC-in-the-head MPC related ideas to ZKP, signatures, and etc. - https://web.cs.ucla.edu/~rafail/PUBLIC/77.pdf - https://eprint.iacr.org/2016/687.pdf - https://eprint.iacr.org/2018/475.pdf - https://eprint.iacr.org/2019/532.pdf - https://eprint.iacr.org/2021/068.pdf - https://eprint.iacr.org/2021/692.pdf - https://eprint.iacr.org/2022/588.pdf ### Others (TBD) Private Information Retrieval, Private Function Evaluation, etc