Secure Multi-party Proof and Its Applications

We define a new type of cryptographic model called secure multi-party proof that allows any $t$ players and a verifier to securely compute a function $f(x_1, \ldots, x_t)$: each of the players learns nothing about the other players' inputs or about the value of $f$, and the verifier obtains the value of $f$ and its validity but learns nothing about the input of any of the players. It is implemented by a protocol using oblivious transfer and Yao's scrambled circuit. We prove that our protocol is secure if the players and the verifier are semi-honest (i.e., they follow the protocol) and polynomial-time bounded. The main applications of our protocol are electronic voting and electronic bidding.


1 Introduction

1.1 Secure Multi-Party Computation and its Disadvantage
In a secure multi-party computation, a set of $n$ parties with private inputs wish to jointly and securely compute a function that depends on the individual inputs of the parties. This computation should be such that each party receives its correct output (correctness), and none of the parties learns anything beyond its prescribed output (privacy). For example, in an election protocol, correctness ensures that no coalition of parties can influence the outcome of the election beyond voting for their preferred candidate, whereas privacy ensures that no party learns anything about the individual votes of the other parties. Secure multi-party computation can be viewed as the task of carrying out a distributed computation while protecting honest parties from the malicious manipulation of dishonest (or corrupted) parties. In every secure multi-party computation, only the participants obtain information about the value of the computed function $f$. In some applications, some party other than the participants, say an arbiter, may want to know the function value and needs to be sure of its validity, yet the arbiter should learn nothing about the secret inputs of the participants. Here is a possible scenario. Assume a company needs to appoint a new manager for a department. The administrators of the company want the manager to be elected by the staff of this department only. The staff could elect a new manager by using an electronic voting protocol built from a secure multi-party computation. However, the administrators are usually not in this department, hence they may not be convinced that the election result is valid.
Another main application of secure multi-party computation is the design of electronic bidding protocols. Usually, all participants jointly run a secure multi-party computation protocol and decide the winner; as a result, only the participants know who the winner is. However, the sponsor of an electronic bidding is not a participant; hence the sponsor may not be sure about the winner. Also, in some cases the participants may not be allowed to know the winner, as the winner wants to remain anonymous.

Our Contributions
We define a new type of cryptographic model called secure multi-party proof that allows any $t$ players and a verifier to securely compute a function $f(x_1, \ldots, x_t)$. The model requires the following properties: each of the players learns nothing about the other players' inputs nor any information about the value of $f$, and the verifier obtains the value of $f$ and its validity but learns nothing about the input of any of the players. We implement this model by a protocol using oblivious transfer and Yao's scrambled circuit. We prove that our protocol is secure if the players and the verifier are semi-honest (i.e., they follow the protocol) and polynomial-time bounded. Based on our secure multi-party proof, our protocol can be used for electronic voting and electronic bidding.

Related Work
A great deal of work has been done on secure multi-party computation. Secure computation for two parties was first formulated by Yao [1] in 1982. In [2,3], Lindell and Pinkas gave a complete and explicit proof of Yao's protocol for secure two-party computation. Goldreich, Micali and Wigderson [4] showed how to securely compute any multivariate function (even if malicious adversaries are present); see [5] for a complete proof of their results. Ben-Or, Goldwasser and Wigderson [6] (and, independently, Chaum, Crepeau and Damgard [7]) study secure multi-party computation in the secure channels setting. They show that: 1) If the adversary is eavesdropping then there exist ... Furthermore, they show that these bounds on the number of corruptions are tight. These protocols can be shown secure in the presence of non-adaptive adversaries.
Adaptive security (i.e., security in the presence of adaptive adversaries) is provable in certain variants of this setting.
Goldwasser and Levin [8] study the case of Byzantine adversaries where a majority of the parties may be corrupted. Chor and Kushilevitz [9] deal with secure multi-party computation with a majority of the parties corrupted in the secure channels setting. Goldreich, Goldwasser and Linial [10] study secure multi-party computation in the presence of insecure channels and computationally unlimited adversaries. Ostrovsky and Yung [11] study secure multi-party computation in the presence of secure channels and mobile adversaries. Micali and Rogaway [12], and also Beaver [13], propose definitions for secure multi-party computation in the secure channels setting in the presence of adaptive adversaries. Other types of secure multi-party computation include adaptively secure multi-party computation [14], almost-everywhere secure computation [15], concurrent secure multi-party computation [16], fair multi-party computation [17,18,19], and so on.

Organization
The paper is organized as follows. We start with some basic definitions and tools in Section 2. Section 3 gives a formal model of secure multi-party proof. Section 4 constructs a secure multi-party proof for any polynomial-time computable function if all participants are semi-honest. Section 5 provides a general method to construct a protocol that can be used for electronic voting and electronic bidding. Finally, Section 6 outlines concluding remarks and future directions.

Preliminary and Basic Tools
Let $n$ denote a positive integer. We say that a function ... is negligible in $s$ (for $s \in S$) ... For a probabilistic machine $M$, we denote by $M(x)$ the output of $M$ when the input is $x$. The value $M(x)$ is a probability distribution, as it depends on some random values from an internal random tape used by the machine.
Semi-honest Adversaries vs. Malicious Adversaries. Loosely speaking, the aim of a secure multi-party protocol is to protect honest parties against dishonest behavior by some other parties. Usually, adversaries are divided into semi-honest and malicious adversaries.
A semi-honest adversary controls one of the parties and follows the protocol specification exactly. However, it may try to learn more information than allowed by the protocol by analyzing the transcript of messages received.
A malicious adversary may arbitrarily deviate from the specified protocol. When considering malicious adversaries, there are certain undesirable actions that cannot be prevented. Specifically, a party may refuse to participate in the protocol or substitute its local input (and use a different input instead). The adversary may also abort the protocol prematurely so that the adversary obtains its output while the honest party does not.
In this paper, we assume that all parties or adversaries are semi-honest.
Special Symmetric Encryption. In [2], a special symmetric encryption scheme was constructed that has indistinguishable encryptions for multiple messages. This means that for any two messages $x$ and $y$, no polynomial-time adversary can distinguish an encryption of $x$ from that of $y$.

Definition 1. Let $(G, E, D)$ be a symmetric encryption scheme and let the range of a key $k$ be denoted by ... .
1) We say that $(G, E, D)$ has an elusive range if, for every probabilistic polynomial-time machine $M$ and for every polynomial $p(n)$, we have $\Pr(\ldots)$ ... for sufficiently large $n$, where $k$ is a random binary string of length $n$.
2) We say that $(G, E, D)$ has an efficiently verifiable range if there exists a probabilistic polynomial-time machine $M$ such that $M(1^n, \cdot, \cdot)$ ... .
In [2], Y. Lindell and B. Pinkas give a simple construction of a special symmetric encryption scheme. Let ... be a family of pseudorandom functions [11], where $r \in \ldots$ and $x0^n$ denotes the concatenation of $x$ and $0^n$.
Oblivious Transfer. We briefly describe the oblivious transfer protocol of [20]. This protocol is secure in the presence of semi-honest adversaries. Our description is for the case that $x_0, x_1 \in \{0,1\}$; when considering semi-honest adversaries, the general case can be obtained by running the single-bit protocol many times in parallel. It is assumed that there is a family of permutations with trapdoors, so the permutations are one-way functions if the trapdoors are not given. Furthermore, $B(x)$ is a hard-core bit of the one-way functions, so computing $B(x)$ is equivalent to inverting the one-way functions (without using the trapdoors). Suppose ... 3) $P_1$ uses the trapdoor $t$ and computes ..., where $B$ is a hard-core bit of $E$.
Finally, ..., which is the bit transferred to $P_2$ by $P_1$. It was proven in [21] that the above protocol is secure if both $P_1$ and $P_2$ are semi-honest.
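As an added illustration (not code from the paper), the single-bit protocol of [20] sketched above, instantiated with a toy RSA permutation as the trapdoor permutation and its least-significant bit as the hard-core bit $B$; the function names and the tiny parameters are this example's own choices and provide no real security.

```python
import secrets
from math import gcd

# Toy RSA as the trapdoor permutation family: f_N(x) = x^e mod N, trapdoor t = d.
# Primes are deliberately tiny so the example runs instantly (no real security).
P, Q, EXP = 1009, 1013, 65537

def toy_rsa_keypair(p=P, q=Q, e=EXP):
    # Returns the public permutation (N, e) and the trapdoor d.
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), pow(e, -1, phi)

def hardcore_bit(x):
    # The least-significant bit is a hard-core bit of the RSA permutation.
    return x & 1

def receiver_choose(pub, sigma):
    # P2 (wants bit sigma): pick a random x_sigma, set y_sigma = f(x_sigma) and a
    # random y_{1-sigma} whose preimage P2 does not know; send (y0, y1) to P1.
    n, e = pub
    x_sigma = secrets.randbelow(n - 2) + 2
    y = [0, 0]
    y[sigma] = pow(x_sigma, e, n)
    y[1 - sigma] = secrets.randbelow(n - 2) + 2
    return x_sigma, tuple(y)

def sender_respond(pub, d, inputs, y):
    # Step 3, P1 (holding bits x0, x1): invert both y_i with the trapdoor d and
    # mask each input bit with the hard-core bit of the corresponding preimage.
    n, _ = pub
    return tuple(inputs[i] ^ hardcore_bit(pow(y[i], d, n)) for i in range(2))

def receiver_output(x_sigma, sigma, masked):
    # Final step, P2: only the chosen bit can be unmasked, because B of the
    # preimage of y_{1-sigma} is unpredictable without inverting f.
    return masked[sigma] ^ hardcore_bit(x_sigma)

def run_ot(inputs, sigma):
    # Whole exchange: P1 publishes f, P2 sends (y0, y1), P1 returns the masked bits.
    pub, d = toy_rsa_keypair()
    x_sigma, y = receiver_choose(pub, sigma)
    masked = sender_respond(pub, d, inputs, y)
    return receiver_output(x_sigma, sigma, masked)
```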

Definition of Secure Multi-Party Proof
Suppose there are $t$ players $P_1, P_2, \ldots, P_t$ with secret inputs $x_1, x_2, \ldots, x_t$, respectively, and a verifier $V$. We assume that all the players and the verifier are computationally bounded. In addition, assume that ... Proof sub-protocol: In this sub-protocol, the verifier ... $m_1, \ldots, m_t$ and verifies its validity.
When defining the security of multi-party proof, we have to consider the security of each of the two sub-protocols. The computation sub-protocol is an ordinary multi-party computation which allows a set of mutually distrusting parties to compute a function in a distributed way while guaranteeing (to the extent possible) the privacy of their local inputs and the correctness of the outputs. To be more exact, security is typically formulated by comparing a real execution of the protocol to an ideal execution where the parties just send their inputs to a trusted party and receive back their outputs. A real protocol is said to be secure if an adversary can do no more harm in a real execution than in an ideal execution (which is secure by definition). The main security properties that have been identified, and are implied by this formulation, are privacy (parties learn nothing more than their own output) and correctness (the outputs are correctly computed).
In the proof sub-protocol, the verifier $V$ will learn nothing beyond the value of ... $f(x_1, \ldots, x_t)$ with high probability, that is, the probability $\Pr(\ldots)$ is negligible as a function of $n$.
2) Privacy: For each player $P_i$, $1 \le i \le t$, let $M_i$ be all the messages that $P_i$ obtains from the other players in the computation sub-protocol. The protocol is said to have privacy for all the players if, for each $1 \le i \le t$, there exists a bounded probabilistic polynomial-time simulator $S_i$ such that $M_i$ is indistinguishable from the output of $S_i$. For the verifier $V$, let $M_v$ be all the messages received from the players. We say that the protocol has privacy for $V$ if there exists a bounded probabilistic polynomial-time simulator $S_v$ such that $M_v$ is indistinguishable from the output $S_v(1^n)$ of the simulator $S_v$. Also, none of the players learns anything about the function value computed.
3) Validity: Validity includes the following two properties: a) $V$ can verify with high probability that the value $m_i$ is correctly computed from the claimed value of $x_i$, $1 \le i \le t$, all of which are kept secret from $V$. b) $V$ can verify the correctness of $y_0$. Assume the function $f$ is given as a boolean circuit $C$. Then $V$ can verify every gate's computation from the input wires to the output wires.

Construction of Secure Multi-Party Proof
In this section, we construct a secure multi-party proof for any polynomial-time computable function if all players $P_1, \ldots, P_n$ are semi-honest.

Two-Party Computation Secure against Semi-Honest Adversaries
We first describe the construction of secure two-party computation (for semi-honest adversaries) due to Yao [1]. We follow the description of [2,3], where it is proven to be secure against semi-honest adversaries.
Let ... Furthermore, let $k_1^0, k_1^1, k_2^0, \ldots$ be six random keys obtained by independently invoking the key-generation algorithm ...; for simplicity, assume that these keys are also of length $n$. Intuitively, we wish to be able to compute $k_3$ given $k_1$ and $k_2$, without revealing any of the other three values. The garbled gate $g$ is defined by the following four values ..., where $E$ is from a private-key encryption scheme $(G, E, D)$ that has indistinguishable encryptions for multiple messages and has an elusive, efficiently verifiable range [2,3]. The actual gate is defined by a random permutation of the above values, denoted as $c_0, c_1, c_2, c_3$; from here on we call them the garbled table of gate $g$. Notice that given $k_1$ and $k_2$ and the values $c_0, c_1, c_2, c_3$, it is possible to compute the output of the gate ... We stress that all of these keys are chosen independently of the others. Now, given these keys, the four garbled values of each gate are computed as described above and the results are permuted randomly. Finally, the output or decryption tables of the garbled circuit are computed. These tables simply consist of the values ... .
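An added example (not the paper's own code) of one garbled gate built as described above: the encryption $E$ follows the padding construction of Section 2 (the plaintext is concatenated with $0^n$ before being masked by a pseudorandom function, here HMAC-SHA256 as an assumed PRF), so decryption under a wrong key is rejected with overwhelming probability, and the evaluator keeps the unique non-$\bot$ decryption or aborts. Function names and key sizes are this example's assumptions.

```python
import hashlib
import hmac
import secrets
from itertools import product

N = 16  # security parameter in bytes: key length and length of the 0^n padding

def keygen():
    return secrets.token_bytes(N)

def pad(k, r, length):
    # PRF F_k evaluated on r||counter and stretched to `length` bytes
    # (HMAC-SHA256 as the PRF is an assumption of this example).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(k, r + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def enc(k, m):
    # E_k(m) = r || (F_k(r) XOR (m || 0^n)); the 0^n block makes the range verifiable.
    r = secrets.token_bytes(N)
    return r + bytes(a ^ b for a, b in zip(pad(k, r, len(m) + N), m + bytes(N)))

def dec(k, ct):
    # Returns the plaintext, or None (the 'bottom' value) when the padding check fails.
    r, c = ct[:N], ct[N:]
    pt = bytes(a ^ b for a, b in zip(pad(k, r, len(c)), c))
    return pt[:-N] if pt[-N:] == bytes(N) else None

def garble_gate(gate, k1, k2, k3):
    # k1, k2, k3: (key for bit 0, key for bit 1) of input wires 1, 2 and output wire 3.
    # The entry for inputs (a, b) is E_{k1^a}(E_{k2^b}(k3^{gate(a,b)})); then shuffle.
    table = [enc(k1[a], enc(k2[b], k3[gate(a, b)])) for a, b in product((0, 1), repeat=2)]
    secrets.SystemRandom().shuffle(table)
    return table

def eval_gate(table, ka, kb):
    # Try every entry with the two keys held; exactly one decryption must succeed.
    found = []
    for ct in table:
        inner = dec(ka, ct)
        if inner is not None and dec(kb, inner) is not None:
            found.append(dec(kb, inner))
    if len(found) != 1:
        raise ValueError("abort: %d entries decrypted" % len(found))
    return found[0]

def demo_gate(gate, a, b):
    # Garble one gate, evaluate it on the keys for inputs (a, b) and map the
    # resulting output-wire key to a bit through the output (decryption) table.
    k1, k2, k3 = (keygen(), keygen()), (keygen(), keygen()), (keygen(), keygen())
    table = garble_gate(gate, k1, k2, k3)
    output_table = {k3[0]: 0, k3[1]: 1}
    return output_table[eval_gate(table, k1[a], k2[b])]
```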
The ..., and $P_2$'s input equals $y_i$. The above oblivious transfers can all be run in parallel. c) Following the above, $P_2$ has obtained the garbled circuit and $2n$ keys corresponding to the $2n$ input wires to $C$. Party $P_2$ then computes using the garbled circuit, as described above, obtaining $f(x, y)$. $P_2$ then sends the value $f(x, y)$ to $P_1$, and they both output this value.
Assume that the oblivious transfer protocol is secure in the presence of static semi-honest adversaries, and that the encryption scheme has indistinguishable encryptions for multiple messages and has an elusive and efficiently verifiable range. Then it is proved in [2] that Protocol 1 securely computes $f$ in the presence of static semi-honest adversaries.

Secure Multi-Party Proof against Semi-Honest Adversaries
In this section, we construct a multi-party proof secure against semi-honest adversaries for any polynomial-time computable function. We first construct a secure multi-party proof between two parties, then generalize it to a secure multi-party proof for more than two participants.

Secure Two-Party Proof against Semi-Honest Adversaries
Assume $f(x, y)$ is a polynomial-time computable function, so there exists a polynomial-size boolean circuit $C$ that computes $f$ for every $x, y \in \{0,1\}^n$; $f(x, y)$ and $C$ are public. We claim that the following protocol is a secure two-party proof for $f$.
Protocol 2: 1) Input: ... then constructs a garbled computation table for every gate by using the special symmetric encryption described in Section 2, and obtains a garbled circuit $G(C)$ which consists of the garbled table for each gate and the output tables. Finally, $P_1$ publicizes $G(C)$ and keeps $k^0, k^1, \ldots$ ... and $P_2$ execute a 1-out-of-2 oblivious transfer protocol in which ..., and $P_2$'s input equals $y_i$.
b) The above oblivious transfers can be run by using the oblivious transfer protocol in Section 2 and can be done in parallel. c) $P_1$ sends $V$ the strings ...
... 1-out-of-2 oblivious transfer protocols between $P_1$ and $P_2$. In the transfer protocol, every entry indexed by $ij$ is chosen at random. The simulator $M$ for $P_1$ is just a pseudorandom generator, see for example [12,16]. Let ..., where $E_i$ is a permutation-trapdoor pair ... Hence, privacy for $P_2$ is satisfied by using a pseudorandom generator as a simulator.
The privacy for both $P_1$ and $P_2$ implies that $P_1$ and $P_2$ do not obtain any information about the other player's input.
Next we consider privacy for $V$ in the computation sub-protocol. All messages $V$ obtains are the garbled circuit ... By the design of the oblivious transfer protocol, every ... is random. The simulator $M$ for $P_1$ is just a pseudorandom generator, say the one constructed in [12,16]. ... $f(x_1, \ldots, x_t)$ and verifies its validity by verifying every gate's computation from the circuit-input wires to the circuit-output wires.

Electronic Protocols Based on Secure Multi-Party Proof
Protocol 3 can be used in many applications where the verifier has no influence on the functions to be computed, yet wants to learn the function values; Protocols 1 and 2 cannot be used there because they involve only two participants. The arbitrator is assured of the correctness and validity of the computed function value. Two important applications we have in mind are electronic voting and electronic bidding.
Assume the function and its circuit $C$ are public information. Then our Protocol 3 above can be applied to both of these cases, and it is secure if the participants and the verifier are semi-honest.

Conclusions
We defined a new type of cryptographic model called secure multi-party proof that allows any $t$ players and a verifier to securely compute a function of $t$ variables.
We presented a protocol that is secure when all the participants and the verifier are semi-honest. Our protocol can be used for electronic voting and electronic bidding.
The main difference between multi-party computation and multi-party proof is that, in the former case only the participants know the output or partial output, while in the latter case only a designated verifier learns the final output. The latter is more practicable in some important situations, for example in an electronic bidding where an arbiter is only a verifier and not a participant.
It should be noted, however, that our protocol is not secure against malicious adversaries.
Based on non-interactive zero-knowledge proofs, it is possible to construct secure multi-party proofs against malicious adversaries. However, such protocols are inefficient because of the complexity of zero-knowledge proofs. In future work, we intend to construct secure multi-party proofs for any polynomial-time computable function $f(x_1, \ldots, x_t)$ from tools other than zero-knowledge proofs.
... for computing any function. 2) If the adversary is Byzantine, then any function can be ...

... is a circuit-output wire. (Alternatively, output gates can just compute 0 or 1 directly. That is, in an output gate, one can define ... Sub-protocol: $V$ has obtained the garbled circuit $G(C)$ and $2n$ keys corresponding to the $2n$ input wires to $C$. $V$ then computes and obtains $f(x, y)$ via $G(C)$. Proof: Correctness. It is correct by the design of the garbled circuit. Privacy. Assume that $P_1$ constructs the garbled circuit $G(C)$ for the boolean circuit $C$. According to the oblivious transfer protocol in Section 2, all messages $P_1$ ... $C$ be a boolean circuit that receives two inputs ... (assume that the input length, output length and the security parameter are all $n$). We also assume that $C$ has the property that every gate with a circuit-output wire has no other outgoing wires. We begin by describing the construction of a single garbled gate $g$ in $C$.
... value that is obtained. (Notice that if only a single non-$\bot$ value is obtained, then this will be ... there is more than one decryption that returns a non-$\bot$ value, then output abort. Otherwise, define $k_3$ to be the only non-$\bot$ ... entire garbled circuit of $C$, denoted ...

4.2.2 Secure Multi-Party Proof against Semi-Honest Adversaries
... 1-out-of-2 oblivious transfer protocols between $P_1$ ...