A Pragmatic Introduction to Secure Multi-Party Computation Reading Notes
2 Defining Multi-Party Computation
Secret Sharing
Let \(D\) be the domain of secrets and \(D_1\) be the domain of shares. Let \(\text{Shr}:D\to D_1^n\) be a (possibly randomized) sharing algorithm, and \(\text{Rec} : D^k_1\to D\) be a reconstruction algorithm. A \((t, n)\)-secret sharing scheme is a pair of algorithms \((\text{Shr}, \text{Rec})\) that satisfies these two properties:
- Correctness. Let \((s_1, s_2,...,s_n) = \text{Shr}(s)\). Then, \(\text{Pr}[\forall k \geq t, \text{Rec}(s_{i_1},..., s_{i_k}) = s] = 1\).
- Perfect Privacy. Any set of shares of size less than \(t\) does not reveal anything about the secret in the information theoretic sense. More formally, for any two secrets \(a, b\in D\) and any possible vector of shares \(v=v_1, v_2, ..., v_k\) , such that \(k < t\),\(\text{Pr}[v = \text{Shr}(a)|_k ] = \text{Pr}[v = \text{Shr}(b)|_k ]\), where \(|_k\) denotes appropriate projection on a subspace of \(k\) elements.
Real-Ideal Paradigm
在 Ideal World 中,每一方都和一个可信方 \(\mathcal T\) 进行交流,他们将自己的输入 \(x_i\) 发送给 \(\mathcal T\),\(\mathcal T\) 计算出 \(\mathcal F(x_1,...,x_n)\) 并将结果返回给每一个人。
在 Real World 中,每一方都有一个 \(\pi_i\),根据 \(x_i\)、一个随机带、之前接收到的信息等来决定下一步给哪一方发送什么消息,或者终止并得到最终的输出。
如果攻击者在 Ideal World 和 Real World 中能做的事一样,称该协议 \(\pi\) 是安全的。
Semi-Honest Security
A semi-honest adversary is one who corrupts parties but follows the protocol as specified.