Presented at SCN 2014, Amalfi, Italy by Carsten Baum, Aarhus University
Blog written by Rasmus Lauritsen
In multi-party computation a set of $n$ players wants to compute a function $y=f$ on inputs $x_1, …, x_n$ where each input $x_i$ is private information to player $i$. Security in this setting means that each player essentially learns *Nothing* new other then the result $y$.
In the above definition the meaning of security holds if at least one player is still honest (or acting non-corrupt). In this presentation the notion and meaning of security is extended to include the setting where all parties are corrupted however leaving an auditable transcript of the computation allowing third-party observers to audit the computation afterwards. Naturally the transcript is public information and the above security definition must still hold in the presents of a single honest party.
One setting in particular stands out: A small number of MPC-servers are carrying out a computation on behalf of a (for MPC impractically) larger set of clients (who are stakeholders) providing inputs. In this client/worker setting the Auditable MPC approach suggested in this talk will allow the clients to verify that none of the MPC servers deviated from the protocol and actually did the specified computation from the transcript.
The famous Sugar beet auction taking place in Denmark each year is an example of such a scenario: the farmers are clients and indeed stakeholders inputting data to a small set of MPC servers one of which is maintained by their trade-union.
An example of a concrete construction is presented: In the context of the SPDZ protocol we use a bulletin board where the input-providers will publish Pedersens-commitment to their input values. These commitments allow the same homomorphic operations on commitments as the SPDZ protocol can perform on values. Therefore, with an also public description of the function on the bulletin board any auditor can reply (and thereby audit) the function on the input-commitments to obtain a commitment on the result. Because of the hiding property of the commitment scheme this reveals no extra information. The binding property ensures that if even all MPC servers deviates computing another function they will be caught by an auditor.
A noticeable feature with this construction is that only a small overhead is introduced linear in the inputs. As SPDZ is secure against n-1 parties only if all computation servers are suspected to be corrupt an actual Audit (reply on commitments) has to take place.