Universally Verifiable Multiparty Computation from Threshold Homomorphic Cryptosystems

Abstract: Abstract. Multiparty computation can be used for privacy-friendly outsourcing of computations on private inputs of multiple parties. A computation is outsourced to several computation parties; if not too many are corrupted (e.g., no more than half), then they cannot determine the inputs or produce an incorrect output. However, in many cases, these guarantees are not enough: we need correctness even if all computation parties may be corrupted; and we need that correctness can be verified even by parties that di… Show more

“…Combining verifiability with privacy has traditionally only been considered for particular applications such as e-voting [CF85,SK95], but recent works [dH12,BDO14,SV15] have also started studying the problem of verifiability for general multiparty computation. In essence (like in our work) the correctness proofs of these works rely on zero-knowledge proofs of correct multiplication and decryption: of Paillier encryptions in [dH12,SV15], and of somewhat homomorphic encryptions in [BDO14].…”

“…In essence (like in our work) the correctness proofs of these works rely on zero-knowledge proofs of correct multiplication and decryption: of Paillier encryptions in [dH12,SV15], and of somewhat homomorphic encryptions in [BDO14]. Compared to these works, this work proposes a private multiplier approach that enables the use of the much more efficient ElGamal encryption scheme (besides introducing the approach of certificate validation).…”

“…The first two can be computed locally using homomorphic properties of ElGamal. Multiplications of an encryption Y by an encryption X i of a shared plaintext x i can be performed verifiably by letting the workers verifiably multiply their shares, and combining correctness proofs on the shares into an overall correctness proof using the multiparty Fiat-Shamir transform [SV15]. Finally, a proof that R decrypts to zero is made by homomorphically combining decryption proofs using shares [s] i .…”

“…Indeed, this is the basic idea behind recent universally verifiable [SV15] (or publicly auditable [BDO14]) multiparty computation protocols. (Correctness holds regardless of the workers, but privacy only holds up to a certain maximum of corruptions: we cannot hope to circumvent this in outsourcing scenarios without resorting to fully homomorphic encryption.)…”

“…(Correctness holds regardless of the workers, but privacy only holds up to a certain maximum of corruptions: we cannot hope to circumvent this in outsourcing scenarios without resorting to fully homomorphic encryption.) However, producing correctness proofs in a multi-party way is too expensive for realistic computations such as linear programming, requiring zeroknowledge proofs involving threshold Paillier encryptions [SV15] or somewhat homomorphic encryptions [BDO14]. Moreover, existing approaches need secure distributed set-up of these threshold cryptosystem, which is hard in practice.…”

Certificate Validation in Secure Computation and Its Use in Verifiable Linear Programming

“…Combining verifiability with privacy has traditionally only been considered for particular applications such as e-voting [CF85,SK95], but recent works [dH12,BDO14,SV15] have also started studying the problem of verifiability for general multiparty computation. In essence (like in our work) the correctness proofs of these works rely on zero-knowledge proofs of correct multiplication and decryption: of Paillier encryptions in [dH12,SV15], and of somewhat homomorphic encryptions in [BDO14].…”

“…In essence (like in our work) the correctness proofs of these works rely on zero-knowledge proofs of correct multiplication and decryption: of Paillier encryptions in [dH12,SV15], and of somewhat homomorphic encryptions in [BDO14]. Compared to these works, this work proposes a private multiplier approach that enables the use of the much more efficient ElGamal encryption scheme (besides introducing the approach of certificate validation).…”

“…The first two can be computed locally using homomorphic properties of ElGamal. Multiplications of an encryption Y by an encryption X i of a shared plaintext x i can be performed verifiably by letting the workers verifiably multiply their shares, and combining correctness proofs on the shares into an overall correctness proof using the multiparty Fiat-Shamir transform [SV15]. Finally, a proof that R decrypts to zero is made by homomorphically combining decryption proofs using shares [s] i .…”

“…Indeed, this is the basic idea behind recent universally verifiable [SV15] (or publicly auditable [BDO14]) multiparty computation protocols. (Correctness holds regardless of the workers, but privacy only holds up to a certain maximum of corruptions: we cannot hope to circumvent this in outsourcing scenarios without resorting to fully homomorphic encryption.)…”

“…(Correctness holds regardless of the workers, but privacy only holds up to a certain maximum of corruptions: we cannot hope to circumvent this in outsourcing scenarios without resorting to fully homomorphic encryption.) However, producing correctness proofs in a multi-party way is too expensive for realistic computations such as linear programming, requiring zeroknowledge proofs involving threshold Paillier encryptions [SV15] or somewhat homomorphic encryptions [BDO14]. Moreover, existing approaches need secure distributed set-up of these threshold cryptosystem, which is hard in practice.…”

Certificate Validation in Secure Computation and Its Use in Verifiable Linear Programming

An Internet Voting Proposal Towards Improving Usability and Coercion Resistance

An Artificial Intelligence Approach for Enhancing Trust Between Social IoT Devices in a Network