Abstract
A protocol is presented that allows a set of parties to collectively perform any agreed computation, where every party is able to choose secret inputs and verify that the resulting output is correct, and where all secret inputs are optimally protected.
The protocol has the following properties:
- One participant is allowed to hide his secrets unconditionally, i.e. the protocol releases no Shannon information about these secrets. This means that a participant with bounded resources can perform computations securely with a participant who may have unlimited computing power. To the best of our knowledge, our protocol is the first of its kind to provide this possibility.
- The cost of our protocol is linear in the number of gates in a circuit performing the computation, and in the number of participants. We believe it is conceptually simpler and more efficient than other protocols solving related problems ([Y1], [GoMiWi] and [GaHaYu]). It therefore leads to practical solutions of problems involving small circuits.
- The protocol is openly verifiable, i.e. any number of people can later come in and rechallenge any participant to verify that no cheating has occurred.
- The protocol is optimally secure against conspiracies: even if n − 1 out of the n participants collude, they will not find out more about the remaining participant's secrets than what they could already infer from their own inputs and the public output.
- Each participant has a chance of undetected cheating that is only exponentially small in the amount of time and space needed for the protocol.
- The protocol adapts easily, and with negligible extra cost, to various additional requirements, e.g. making part of the output private to some participant, ensuring that the participants learn the output simultaneously, etc.
- Participants can prove relations between data used in different instances of the protocol, even if those instances involve different groups of participants. For example, it can be proved that the output of one computation was used as input to another, without revealing more about this data.
- The protocol can be used as an essential tool in proving that all languages in IP have zero knowledge proof systems, i.e. any statement which can be proved interactively can also be proved in zero knowledge.
The rest of this paper is organised as follows: First we survey some related results. Then Section 2 gives an intuitive introduction to the protocol. In Section 3, we present one of the main tools used in this paper: bit commitment schemes. Sections 4 and 5 contain the notation, terminology, etc. used in the paper. In Section 6, the protocol is presented, along with proofs of its security and correctness. In Section 7, we show how to adapt the protocol to various extra requirements and discuss some generalisations and optimisations. Finally, Section 8 contains some remarks on how to construct zero knowledge proof systems for any language in IP.
References
Brassard and Crepeau: Zero knowledge simulation of boolean circuits. Proc. of Crypto 86.
Blum: Coin flipping by telephone: a protocol for solving impossible problems. Proc. of 24th IEEE CompCon, 1982.
Chaum, Damgård and Crepeau: Fundamental primitives for multiparty unconditionally secure protocols. To appear.
Chaum: Demonstrating that a public predicate can be satisfied while revealing no information about how. Proc. of Crypto 86.
Chaum: How to keep a secret alive. Proc. of Crypto 84.
Crepeau: Equivalence between two flavours of oblivious transfers. To appear in Proc. of Crypto 87.
Galil, Haber and Yung: Primitives for designing multi-party cryptographic protocols from specifications. To appear.
Goldreich and Vainish: How to solve any protocol problem: an efficiency improvement. Proc. of Crypto 87.
Goldreich, Micali and Wigderson: How to play any mental game. Proc. of 19th STOC, 1987.
Goldreich, Micali and Wigderson: How to prove all NP-statements in zero-knowledge, and a methodology of cryptographic protocol design. Proc. of Crypto 86.
Goldwasser and Micali: Probabilistic encryption. JCSS, vol. 28, no. 2, April 1984, pp. 270–299.
Goldwasser, Micali and Rackoff: The knowledge complexity of interactive proof systems. Proc. of 17th STOC, 1985.
Peralta and van de Graaf: A simple and efficient protocol to prove the validity of your public key. To appear in Proc. of Crypto 87.
Yao: How to generate and exchange secrets. Proc. of 27th FOCS, 1986.
Yao: Protocols for secure computations. Proc. of 23rd FOCS, 1982.
© 1988 Springer-Verlag Berlin Heidelberg
Cite this paper
Chaum, D., Damgård, I.B., van de Graaf, J. (1988). Multiparty Computations Ensuring Privacy of Each Party’s Input and Correctness of the Result. In: Pomerance, C. (eds) Advances in Cryptology — CRYPTO ’87. CRYPTO 1987. Lecture Notes in Computer Science, vol 293. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-48184-2_7
DOI: https://doi.org/10.1007/3-540-48184-2_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-18796-7
Online ISBN: 978-3-540-48184-3