Secure Multiparty Computation, Study notes of Computer science

Study notes on Secure Multiparty Computation (part III of the lecture series), covering Private Set Intersection (PSI). SMC is a field of cryptography in which multiple parties jointly compute a function over their private inputs without revealing those inputs to each other.

Typology: Study notes

2025/2026

Uploaded on 12/24/2025

xam-lb
Slide 1: Title Slide
Explanation: This is the introduction. It tells us the topic, Secure Multiparty Computation (specifically part III), and the instructor. SMC is a field of cryptography where multiple parties can jointly compute a function over their private inputs without revealing those inputs to each other.
Example: Imagine two hospitals want to find out how many patients they have in common to coordinate care, but neither hospital is allowed to see the other's patient list. Secure Multiparty Computation provides the tools to do this.
Slide 2: Yao’s 2-PC Protocol (The Problem)
Explanation: This slide introduces a classic problem solved by a famous protocol called Yao's 2-Party Computation (2-PC). Two people, Alice and Bob, each have a private list (their phonebooks). They want to find out which contacts they share without showing each other their full lists.
Example:
  • Alice's List: {1234 (Mom), 5678 (Bob's work), 9101 (Dad)}
  • Bob's List: {5678 (My Office), 2345 (Friend), 9101 (Uncle John)}
They want to discover they both have 5678 and 9101, but Alice shouldn't learn Bob has 2345, and Bob shouldn't learn Alice has 1234.
Slide 3 & 4: Private Set Intersection (PSI) - Definition
Explanation: The problem from Slide 2 is a specific type of SMC called Private Set Intersection (PSI). It's a "secure 2-party computation" where the function to compute is the intersection (common items) of two private sets.
  • Formal Definition: Alice has a secret set A, Bob has a secret set B. They want to compute A ∩ B (the overlap) and learn only that result. (Since the intersection is the output, each party necessarily learns that the other holds the common items; nothing beyond that may leak.)
  • Key Rule: Items that are not in the intersection must remain completely hidden.
Examples of Use (From Slide 4):
  • Contact Discovery (WhatsApp): The app wants to tell you which of your contacts are also on WhatsApp. It shouldn't reveal your entire address book to their servers, nor reveal their user list to you.
  • No-Fly List Check: An airline (with a passenger list) wants to check against a government no-fly list without seeing the full secret list, and the government doesn't want to reveal the full list to the airline.
Slide 5: Attacker Model for PSI
Explanation: Before building a solution, we must define who we're protecting against (the "adversary") and what we want to achieve (the "security objectives").
Part 1: The Setting
  • Alice & Bob: The two parties with private data.
  • Adversary: Could be a cheating Alice/Bob, or an external hacker listening to their conversation.
  • Goal: Compute the intersection securely.
  • Setting: They communicate over a channel like the internet.

Part 2: Types of Bad Guys (Adversaries)

  1. Semi-Honest (Honest-but-Curious): Follows the protocol steps correctly but is nosy. They will try to learn extra information from the messages they receive.
     o Example: Bob correctly computes the intersection but also records all encrypted data from Alice to try and figure out her other contacts later.
  2. Malicious: Actively cheats. They might send fake data, stop the protocol early, or manipulate messages.
     o Example: Bob doesn't use his real contact list. Instead, he sends a list of phone numbers he suspects Alice might have, to test whether she owns them.
  3. External Eavesdropper: Doesn't participate but listens to all network traffic between Alice and Bob.
     o Example: A hacker intercepts the data packets being sent between two companies performing a fraud detection check.

Part 3: What Makes a Protocol Secure? (Security Objectives)

  • Privacy: Only the intersection is revealed.
  • Correctness: The result is accurate.
  • Minimal Leakage: Don't even reveal the size of the sets (e.g., Alice knowing Bob has 10,000 contacts might be sensitive).
  • Robustness: The protocol should withstand cheating or early dropouts.

Slide 6 & 7: Naïve PSI – Hash-Based Approach
Explanation: This is the simplest, most intuitive idea for PSI, but it's INSECURE. The idea is to turn private data into hashes (like a unique digital fingerprint) and compare those.
The Protocol:
  1. Alice and Bob agree on a public hash function (e.g., SHA-256).
  2. Alice computes a hash of each phone number in her list: H("1234"), H("9101"), etc. (Only the number is hashed. The labels "Mom" and "Dad" are hers alone and would never match Bob's labels for the same numbers, so hashing name+number would break the matching.)
  3. Bob does the same.
  4. They exchange their lists of hashes.
  5. Any hash that appears in both lists indicates a matching contact.
Why It's Insecure (Against each attacker type):
  • Semi-Honest/Malicious/Eavesdropper: All can perform a Dictionary Attack.
     o Example: Bob wants to guess Alice's contacts. He takes a giant list of plausible phone numbers (a "dictionary"), hashes each one with the same public function, and compares the results to the hashes Alice sent. Any match reveals her contact. Since the hash function is public and phone numbers come from a small, predictable space (at most 10^10 values), the "fingerprint" is directly linked to the input and can be inverted by brute force. The same attack works on Bob's hashes, and the exchanged lists also leak both set sizes.
Slide 8 & 9: PSI Using Additive Homomorphic Encryption
Explanation: This method uses advanced "magic math" cryptography. Homomorphic Encryption allows you to do computations on encrypted data without decrypting it first. Additive means you can add encrypted numbers together (and therefore also multiply an encrypted number by a known constant, which is just repeated addition).
The Protocol (Simplified):
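Both approaches run end to end on the page's phonebook example: the naive hash exchange from Slides 6 & 7 together with the dictionary attack that defeats it, and then a pairwise PSI over Paillier encryption in the shape described by MCQ questions 5 and 8 (Alice encrypts, Bob computes n × m blinded differences, Alice decrypts). This is an added example, not the slides' own protocol listing or code. The Paillier key uses tiny hard-coded primes so the script runs instantly (an assumption for illustration; real deployments use 2048-bit or larger moduli), and the phonebooks are constructed sample data.

```python
"""Two PSI protocols on the page's phonebook example: the naive hash
exchange (Slides 6 & 7) with the dictionary attack that breaks it, and a
pairwise PSI over additively homomorphic Paillier encryption (Slides 8 & 9).

Added example, not the slides' own code. The Paillier key is a toy (tiny
hard-coded primes) so the script runs instantly; real deployments use
2048-bit or larger moduli. The phonebooks are constructed sample data.
"""
import hashlib
import math
import secrets

# Constructed sample phonebooks (numbers only; the labels are never shared).
ALICE = [1234, 5678, 9101]
BOB = [5678, 2345, 9101]


# ---- Slides 6 & 7: naive hash-based PSI and the dictionary attack ----------

def sha256_tag(number: int) -> str:
    return hashlib.sha256(str(number).encode()).hexdigest()


def naive_hash_psi(a: list[int], b: list[int]) -> set[int]:
    """Each party sends H(number); the common tags give the intersection."""
    tags_a = {sha256_tag(x): x for x in a}
    tags_b = {sha256_tag(x) for x in b}
    return {x for tag, x in tags_a.items() if tag in tags_b}


def dictionary_attack(received_tags: set[str], space: range) -> set[int]:
    """Bob (or an eavesdropper) hashes every candidate and compares.

    Phone numbers have little entropy (at most 10**10 candidates), so a
    public hash function lets anyone invert the 'fingerprints'."""
    return {x for x in space if sha256_tag(x) in received_tags}


# ---- Slides 8 & 9: pairwise PSI with Paillier --------------------------------

P, Q = 1000003, 1000033                 # toy primes, illustration only
N, N2 = P * Q, (P * Q) ** 2
LAM = math.lcm(P - 1, Q - 1)
G = N + 1                               # with g = n + 1, L(g**lam) = lam mod n
MU = pow(LAM, -1, N)


def paillier_encrypt(m: int) -> int:
    while True:                         # random r coprime to n
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return (pow(G, m % N, N2) * pow(r, N, N2)) % N2


def paillier_decrypt(c: int) -> int:
    return (((pow(c, LAM, N2) - 1) // N) * MU) % N


def he_add(c1: int, c2: int) -> int:    # E(a) * E(b) = E(a + b)
    return (c1 * c2) % N2


def he_mul_const(c: int, k: int) -> int:  # E(a) ** k = E(k * a)
    return pow(c, k, N2)


def bob_blind_differences(alice_ctxts: list[int], b: list[int]) -> list[list[int]]:
    """For every pair (a_i, b_j) Bob computes E(r_ij * (a_i - b_j)) on
    ciphertexts only; he never sees a_i. Result: n x m ciphertexts."""
    out = []
    for c_a in alice_ctxts:
        row = []
        for b_j in b:
            diff = he_add(c_a, paillier_encrypt(-b_j))       # E(a_i - b_j)
            r = secrets.randbelow(N - 1) + 1                   # fresh blinding factor
            row.append(he_mul_const(diff, r))                 # E(r * (a_i - b_j))
        secrets.SystemRandom().shuffle(row)  # hide which b_j made which ciphertext
        out.append(row)
    return out


def paillier_psi(a: list[int], b: list[int]) -> tuple[set[int], int]:
    """Alice encrypts, Bob blinds, Alice decrypts: a zero means a_i is in B.
    Non-matches decrypt to r * (a_i - b_j) mod n, which looks random to Alice."""
    ctxts = [paillier_encrypt(x) for x in a]          # Alice -> Bob
    blinded = bob_blind_differences(ctxts, b)         # Bob -> Alice
    matches = {a_i for a_i, row in zip(a, blinded)
               if any(paillier_decrypt(c) == 0 for c in row)}
    return matches, sum(len(row) for row in blinded)


if __name__ == "__main__":
    print("naive hash PSI:", sorted(naive_hash_psi(ALICE, BOB)))
    leaked = dictionary_attack({sha256_tag(x) for x in ALICE}, range(10_000))
    print("dictionary attack recovers Alice's whole list:", sorted(leaked))
    found, n_ctxts = paillier_psi(ALICE, BOB)
    print("Paillier PSI:", sorted(found), "from", n_ctxts, "blinded ciphertexts")
```

Compare the two runs: the naive protocol's output is correct, but Alice's hashes let Bob recover 1234, which the Key Rule says must stay hidden. In the Paillier version Bob only ever handles ciphertexts, and every non-zero value Alice decrypts is blinded by a fresh random factor. The Paillier protocol as written is secure only against semi-honest parties: the malicious Bob from Part 2 can still feed guessed numbers as his "set", and both set sizes are visible from the message counts, so it does not meet the Minimal Leakage objective either.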

Limitation: Building and sending the entire circuit requires a lot of communication bandwidth, which can be slow.
Slide 13: Comparison of PSI Approaches
Explanation: This table summarizes the trade-offs between the different methods.

  • Naïve Hash: Fast and simple, but insecure. Only for learning or non-sensitive data.
  • Homomorphic Encryption (Paillier): Good privacy for small data, but slow. The heavy math (one public-key operation per pair of items) limits the size of datasets you can use.
  • Garbled Circuits (Yao's): Very secure and flexible, but complex and communication-heavy. Good for medium-sized sets when you need strong security guarantees.
Slide 14: PSI Requirements as Set Sizes Vary
Explanation: There's no "one-size-fits-all" PSI solution. The best tool depends on how much data you have.
  • Small Sets (<1,000 items): Prioritize strong security over speed. Homomorphic Encryption or Garbled Circuits work well.
  • Medium Sets (1K - 100K items): Need a balance. Look for optimized versions of Garbled Circuits or efficient PSI protocols that minimize communication.
  • Large Sets (>1M items): Speed and efficiency are critical. Specialized PSI protocols that use advanced hashing tricks and parallelism are needed, even if they come with a weaker (but still well-defined) security model, typically security against semi-honest rather than malicious parties.
  • Asymmetric Sets (e.g., your phonebook vs. WhatsApp's giant server list): Must protect the smaller party. The protocol should be lightweight for you (the phone), the server must learn nothing about your non-matching contacts, and you must learn nothing about the server's list beyond the matches.
  • Multi-Party PSI (>2 parties): This is the most complex scenario (e.g., 3 hospitals finding common patients). It requires careful coordination to ensure fairness and prevent collusion between parties.

MCQ Set: Secure Multiparty Computation & PSI

1. What is the primary goal of Private Set Intersection (PSI)?
   A) To merge two sets into one larger set
   B) To compute the union of two private sets without revealing non-common elements
   C) To compute the intersection of two private sets without revealing non-intersecting elements
   D) To encrypt both sets and store them in a public database
2. In Yao’s 2-PC protocol for PSI, what is used to allow Bob to provide his input without revealing it to Alice?
   A) Symmetric encryption
   B) Digital signatures
   C) Oblivious Transfer (OT)
   D) Hash functions
3. Which attacker model follows the protocol correctly but tries to learn extra information from exchanged messages?
   A) Malicious adversary
   B) External eavesdropper
   C) Semi-honest (honest-but-curious) adversary
   D) Denial-of-service attacker
4. Why is the naïve hash-based PSI approach insecure against a dictionary attack?
   A) Hashes are too long
   B) The hash function is kept secret
   C) An attacker can precompute hashes of likely inputs and compare them to intercepted hashes
   D) Hashes cannot be transmitted over a network
5. In the Paillier-based PSI protocol, who decrypts the final encrypted differences?
   A) Bob
   B) Both Alice and Bob
   C) Alice
   D) A trusted third party
6. What is a major limitation of using Garbled Circuits for PSI?
   A) It is extremely fast for large datasets
   B) It leaks the size of the sets
   C) It requires high communication overhead
   D) It only works with numbers, not strings
7. Which PSI approach is best suited for very large datasets (over 1 million items)?
   A) Naïve hash-based PSI
   B) Paillier homomorphic encryption
   C) Garbled Circuits
   D) Specialized protocols optimized for performance and low communication
8. In the Paillier PSI protocol, if Alice has n items and Bob has m items, how many encrypted differences are computed?
   A) n + m
   B) n × m

Answer Key
2. C
3. C
4. C
5. C
6. C
7. D
8. B
9. B
10. B
11. C
12. B
13. C
14. C
15. C