Amazon’s Tal Rabin wins Dijkstra Prize in Distributed Computing

Secure multiparty computation (MPC) is a computing paradigm in which several parties compute an aggregate function (say, their average salary) without revealing private information (say, their individual salaries) to each other. It has found applications in auction design, cryptography, data analysis, digital-wallet security and blockchain computation, among others.

Tal Rabin, a senior principal scientist in Amazon Web Services’ Cryptography Group, professor of computer science at the University of Pennsylvania, and one of the winners of the Association for Computing Machinery’s 2023 Dijkstra Prize in Distributed Computing.

In 2023, the Association for Computing Machinery’s annual Dijkstra Prize in Distributed Computing was awarded to three papers on secure MPC from the late 1980s. One of these papers, “Verifiable secret sharing and multiparty protocols with honest majority,” grew out of the doctoral dissertation of Tal Rabin, a senior principal scientist in Amazon Web Services’ Cryptography Group and a professor of computer science at the University of Pennsylvania. She wrote the paper together with her dissertation adviser, Michael Ben-Or, a professor of computer science at the Hebrew University in Jerusalem, where Rabin earned her PhD.

Remarkably, Rabin’s father, Michael Rabin, also won the Dijkstra Prize, in 2015, making the Rabins the only parent-child pair to have received the award. Even more remarkably, Michael Rabin’s co-winner was one of his PhD students: Michael Ben-Or.

“So I’m my father’s academic grandson,” says Rabin.

Information-theoretic security

The field of secure MPC got off the ground in 1982, when Andrew Yao, now a professor of computer science at Tsinghua University, published a paper on secure two-party computation. However, the security of Yao’s MPC scheme depended on the difficulty of factoring large integers, the same computational assumption that ensures the security of most online financial transactions today. Yao’s result raised the question of whether secure MPC was possible even if an adversary had unlimited computational resources, a setting known as information-theoretic.

The three papers that won the 2023 Dijkstra Prize all address the problem of information-theoretically secure MPC. The first two papers, both presented at the 1988 ACM Symposium on Theory of Computing (STOC), proved that information-theoretically secure MPC is possible if no more than a third of the participants in the computation are bad-faith actors who secretly share information and collusively manipulate their results.

Tal Rabin and Michael Ben-Or’s paper, which appeared at STOC the following year, improved that ratio to (approximately) half, which is the maximum number of defectors that can be tolerated in the information-theoretic setting. It is also the threshold that Yao proved for his original, computationally bounded approach.

Today, 35 years after Rabin and Ben-Or’s paper, techniques for information-theoretically secure MPC are beginning to find application. And as general-purpose quantum computers, which can efficiently factor large numbers, inch toward reality, information-theoretic rather than computational cryptographic methods become more urgent.

“The goal of our team is to use MPC techniques to improve the security and privacy of Amazon,” says Rabin.

Information checking

The heart of Rabin and Ben-Or’s paper is the adaptation of the concept of a digital signature to the information-theoretic setting. A digital signature is an application of public-key cryptography: the author of a document has a private signing key and a public verification key, both derived from the prime factors of a very large number. Computing a document’s signature requires the private key, but verifying it requires only the public key. And an adversary cannot forge the signature without computing the factors of the number.

Rabin and Ben-Or propose a method, which they call information checking, that is not as powerful as digital signatures but makes no assumptions about the computational limits of the adversary. And it turns out to be an adequate basis for secure multiparty computation.

Rabin and Ben-Or’s protocol involves a dealer, an intermediary, and a recipient. The dealer has some data item, s, which it transfers to the intermediary, who at a later stage may in turn pass it on to the recipient.

To mimic the security guarantees of digital signatures, information checking must meet two criteria: (1) if the dealer and recipient are honest, the recipient will always accept s if it is legitimate and will with high probability reject any fraudulent substitute; and (2) whether or not the dealer is honest, the intermediary can predict with high probability whether or not the recipient will accept s. Together, these two criteria establish that fraudulent substitutions can be detected if either the dealer or the intermediary (but not both) is dishonest.

To meet the first criterion, the dealer sends the intermediary two values, s and another number, y. It sends the recipient a different pair of random numbers, (b, c), which satisfy an arithmetic relation (say, y = bs + c). The intermediary knows y and s but neither b nor c; if it attempts to pass the recipient a false s, the arithmetic relation will fail.

Zero-knowledge proof

To meet the second criterion, Rabin and Ben-Or use a zero-knowledge proof, a mechanism that enables one party to prove that it knows some value without revealing the value itself. Instead of applying the arithmetic operation to s and a single set of randomly generated numbers, the dealer applies it to s and multiple sets of randomly generated numbers, producing a number of (b_i, c_i) pairs. Once the dealer has sent these pairs to the recipient, the intermediary chooses half of them at random and asks the recipient to reveal them.

Since the intermediary knows s, it can determine whether the arithmetic relation holds and whether the dealer has sent the recipient valid (b_i, c_i) pairs. On the other hand, since the intermediary does not know the unrevealed pairs, it cannot, if it is dishonest, game the system by trying to pass the recipient false y values together with false s values.

A sample implementation of the zero-knowledge proof that Tal Rabin and her coauthor, Michael Ben-Or, used to establish that the intermediary in their multiparty-computation protocol could detect attempts by the dealer to cheat.
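The exchange described above, as an added Python example that is not taken from the paper or the article: the dealer issues y_i = b_i·s + c_i, the intermediary audits a random half of the recipient’s pairs, and the recipient later checks the pairs that stayed hidden. The prime modulus, the function names and the recipient’s acceptance rule (at least one unrevealed pair must satisfy the relation) are assumptions of this example.

```python
import secrets

P = 2**61 - 1  # prime field modulus; an assumption, the article names no field

def deal(s, k=16):
    """Dealer: draw k random (b_i, c_i) pairs and compute y_i = b_i*s + c_i."""
    pairs = [(1 + secrets.randbelow(P - 1), secrets.randbelow(P)) for _ in range(k)]
    ys = [(b * s + c) % P for b, c in pairs]
    return ys, pairs  # ys go to the intermediary with s; pairs go to the recipient

def holds(s, y, pair):
    """The arithmetic relation y = b*s + c over the field."""
    b, c = pair
    return (b * s + c) % P == y

def audit(s, ys, pairs):
    """Intermediary: have a random half of the recipient's pairs revealed and
    test the relation on them. Returns (passed, indices still hidden)."""
    k = len(ys)
    revealed = set(secrets.SystemRandom().sample(range(k), k // 2))
    passed = all(holds(s, ys[i], pairs[i]) for i in revealed)
    return passed, [i for i in range(k) if i not in revealed]

def recipient_accepts(s, ys, pairs, hidden):
    """Recipient: accept s if an unrevealed pair satisfies the relation.
    (Acceptance rule assumed for this example; the article does not state it.)"""
    return any(holds(s, ys[i], pairs[i]) for i in hidden)

def demo():
    s = 424242  # constructed sample secret
    ys, pairs = deal(s)
    passed, hidden = audit(s, ys, pairs)
    honest = passed and recipient_accepts(s, ys, pairs, hidden)
    # Dishonest intermediary: swaps in s+1 but cannot adjust y_i without b_i.
    forged = recipient_accepts((s + 1) % P, ys, pairs, hidden)
    # Dishonest dealer: hands the recipient pairs that do not match s and ys.
    bad_pairs = [(b, (c + 1) % P) for b, c in pairs]
    caught = not audit(s, ys, bad_pairs)[0]
    return honest, forged, caught

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Because every b_i is nonzero, reusing the old y_i with a changed s can never satisfy the relation; a forger would have to guess some hidden b_i, which succeeds with probability of roughly k/P.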

From weak to verifiable secret sharing

Next, Rabin and Ben-Or generalize this result to the situation in which there are multiple recipients, each receiving its own s_i. In this context, the authors show that their protocol enables weak secret sharing, which means that if the recipients collectively try to reconstruct a value from their respective s_i’s, either they will reconstruct the correct value, or the computation will fail.

However, providing a basis for secure MPC requires the stronger standard of verifiable secret sharing, which means that regardless of interference, the recipients’ collective reconstruction will succeed. The other major contribution of Rabin and Ben-Or’s paper is a method of leveraging weak secret sharing to enable verifiable secret sharing.

In Rabin and Ben-Or’s protocol, all the (b_i, c_i) pairs sent to all the recipients are generated using the same polynomial function. In the multiple-recipient setting, the degree of the polynomial (its largest exponent) is half the number of recipients. To establish that a secret has been properly shared, the dealer has to show that all the pairs the recipients received fit the polynomial, without revealing the polynomial itself. Again, the mechanism is a zero-knowledge proof.

“What we want is for parties to commit to their values through the weak secret sharing,” Rabin explains. “So now you know it’s either one value or nothing. And then the dealer proves on these values that they all sit on a polynomial of degree t. Once this proof is performed, you know about the values shared with weak secret sharing that they either open or do not open. You know that all that opens is on the same polynomial of degree t. And now you know you can reconstruct.”
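The reconstruct-or-fail behaviour and the “same polynomial of degree t” condition described above, as an added Python example on plain polynomial (Shamir-style) shares; it is not code from the paper or the article. The prime modulus and function names are assumptions, and share authentication through information checking and the zero-knowledge proof are not modelled.

```python
import secrets

P = 2**61 - 1  # prime field modulus (assumed; the article names no field)

def share(secret, n):
    """Dealer: hide `secret` as f(0) of a random polynomial of degree
    t = n // 2 and give recipient i the point (i, f(i))."""
    t = n // 2
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    f = lambda x: sum(a * pow(x, j, P) for j, a in enumerate(coeffs)) % P
    return [(i, f(i)) for i in range(1, n + 1)], t

def interpolate(points, x):
    """Evaluate at x the unique polynomial through `points` (Lagrange form)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def reconstruct(opened, t):
    """Return the secret if every opened share lies on one polynomial of
    degree <= t; otherwise return None (reconstruction fails)."""
    if len(opened) < t + 1:
        return None
    basis, rest = opened[:t + 1], opened[t + 1:]
    if any(interpolate(basis, x) != y for x, y in rest):
        return None
    return interpolate(basis, 0)

def demo():
    secret = 123456789  # constructed sample secret
    shares, t = share(secret, 7)
    tampered = list(shares)
    tampered[5] = (tampered[5][0], (tampered[5][1] + 1) % P)  # one altered share
    return reconstruct(shares, t) == secret, reconstruct(tampered, t)

if __name__ == "__main__":
    print(demo())  # (True, None)
```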

When Rabin and Ben-Or published their paper, MPC research was in its infancy. “You can do information checking much better, much more efficiently and so on today,” says Rabin. But the central result of the paper was theoretical. Today, designers of secure-MPC protocols can use any proof mechanism they choose, and they will enjoy the same guarantees on computation and defection that Rabin and Ben-Or established 35 years ago.
