owned this note
owned this note
Published
Linked with GitHub
# 1/12: MPC Definitions / Problems Collection
- chapter 23 of https://toc.cryptobook.us/book.pdf
- the book https://www.cs.virginia.edu/~evans/pragmaticmpc/pragmaticmpc.pdf
thanks to cryptohack discord for sending me resources below
- https://nigelsmart.github.io/SCALE/
- https://github.com/rdragos/awesome-mpc
## Key Definitions
The intuitive setting - is that there are $n$ parties each with input $x_1, x_2, \cdots, x_n$ and a public function $f$. These $n$ parties want to work together to compute $y = f(x_1, \cdots, x_n)$, but they want to reveal nothing about their inputs $x_i$ except the information that is trivially revealed due to the output $y$. In this scenario, there's some desirable properties we can define.
### Properties
- privacy: as mentioned, other parties do not know anything about $x_i$ except the information directly revealed by the output $y$ (e.g. consider $f(x_1, x_2) = x_1 + x_2$)
- soundness: honest parties compute correct outputs
- input independence: all parties choose their inputs independent from other inputs
- guaranteed output delievery: honest parties are guaranteed to obtain output
- fairness: if any party obtains an output, all honest parties do
where the latter two are a bit more optional than the previous three.
### Communication
Such protocols need to deal with communications between parties.
- Synchronous: message between honest parties will be delivered in a fixed amount of time
- Asynchronous: messages may be arbitrarily delayed
- Secure point-to-point communication channels are used (authenticated encryption)
### Attack/Corruption Models
- malicious security: corrupt parties behave arbitrarily adversarily
- static: corrupted parties are fixed at the very beginning
- adaptive: adversaries use an adaptive strategy
- honest-but-curious adversaries: faithfully follow the protocol, but leak their internal state
- also called "semi-honest security"
### Formal Security
The precise definition of MPC is quite difficult - so more or less should be looked a bit later after studying some problems and constructions first - but some keywords.
- Real/Ideal Paradigm
- ideal world is where a trusted party is used - so each party, honest or corrupt, submits the input to the trusted party, and the protocol is ran by the trusted party
- so a protocol is secure when an attack on the "real world" also works on the "ideal world" - and we prove this similar to the ZK-ness proof, by providing a *simulator* on the "ideal world" that provides the views of the "real world adversary", in a manner in which the two distributions are computationally indistinguishable
- Universal Composability
For a concrete look into the definitions, Chapter 23.5 of the big book works as an intro.
The Chapter 2 of the pragmatic MPC book also has some nice explanations as well.
## Problems to Look
### General Purpose MPC
This is the most general format: we aim to do MPC for general function $f$.
The current reading list looks as follows. First, the fundamentals.
- Beaver's Protocol
- Garbled Circuits and their extensions/improvements
from both books seems to be must-read.
Then, there are more "recent" papers
- BDOZ (https://eprint.iacr.org/2010/514.pdf)
- SPDZ (https://eprint.iacr.org/2011/535.pdf)
- https://eprint.iacr.org/2012/642.pdf
- https://eprint.iacr.org/2015/523.pdf
- https://eprint.iacr.org/2017/1230.pdf
- https://eprint.iacr.org/2018/482.pdf
- https://eprint.iacr.org/2019/599.pdf
- https://eprint.iacr.org/2020/521.pdf
### Yao's Millionare Problem
This one aims to simply compare two inputs.
- https://eprint.iacr.org/2005/043.pdf
- https://www.win.tue.nl/~berry/papers/pkc07intcomp.pdf
- https://iacr.org/archive/pkc2007/44500343/44500343.pdf
- https://eprint.iacr.org/2016/544.pdf
- https://eprint.iacr.org/2020/1002.pdf
### Oblivious Transfer
The first participant has $x_1, \cdots, x_n$, the other has the index $k$, and the output is $x_k$, but the first participant should not know the index $k$. There is 1-out-of-$n$, $k$-out-of-$n$ and such.
- https://dl.acm.org/doi/pdf/10.1145/301250.301312
- https://link.springer.com/content/pdf/10.1007/3-540-45664-3_11.pdf
- https://ir.nctu.edu.tw/bitstream/11536/27052/1/000188196400010.pdf
- https://eprint.iacr.org/2013/552.pdf
- https://eprint.iacr.org/2015/267.pdf
- https://eprint.iacr.org/2016/799.pdf
- https://eprint.iacr.org/2016/933.pdf
- https://eprint.iacr.org/2019/414.pdf
- https://dl.acm.org/doi/pdf/10.1145/3503045
### Private Set Intersection
Two participants have a set, wish to compute intersection.
- https://eprint.iacr.org/2015/634.pdf
- https://eprint.iacr.org/2016/930.pdf
- https://eprint.iacr.org/2017/299.pdf
- https://eprint.iacr.org/2017/1064.pdf
- https://eprint.iacr.org/2018/120.pdf
- https://eprint.iacr.org/2019/634.pdf
- https://eprint.iacr.org/2020/729.pdf
- https://eprint.iacr.org/2021/122.pdf
### Multiparty ECDSA / Schnorr
Compute a signature via multiparty signature with each party having key shares
- https://eprint.iacr.org/2019/114.pdf
- https://eprint.iacr.org/2020/540.pdf
- https://eprint.iacr.org/2021/060.pdf
- https://eprint.iacr.org/2022/374.pdf
### MPC-in-the-head
MPC related ideas to ZKP, signatures, and etc.
- https://web.cs.ucla.edu/~rafail/PUBLIC/77.pdf
- https://eprint.iacr.org/2016/687.pdf
- https://eprint.iacr.org/2018/475.pdf
- https://eprint.iacr.org/2019/532.pdf
- https://eprint.iacr.org/2021/068.pdf
- https://eprint.iacr.org/2021/692.pdf
- https://eprint.iacr.org/2022/588.pdf
### Others (TBD)
Private Information Retrieval, Private Function Evaluation, etc