Mix and Match: Secure Function Evaluation via Ciphertexts

Extended Abstract
  • Markus Jakobsson
  • Ari Juels
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1976)


We introduce a novel approach to general secure multiparty computation that avoids the intensive use of verifiable secret sharing characterizing nearly all previous protocols in the literature. Instead, our scheme involves manipulation of ciphertexts for which the underlying private key is shared by participants in the computation. The benefits of this protocol include a high degree of conceptual and structural simplicity, low message complexity, and substantial flexibility with respect to input and output value formats. We refer to this new approach as mix and match. While the atomic operations in mix and match are logical operations, rather than full field operations as in previous approaches, the techniques we introduce are nonetheless highly practical for computations involving intensive bitwise manipulation. One application for which mix and match is particularly well suited is that of sealed-bid auctions. Thus, as another contribution in this paper, we present a practical, mix-and-match-based auction protocol that is fully private and non-interactive and may be readily adapted to a wide range of auction strategies.
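The abstract only sketches the idea: the private key is held in shares by the participants, and the computation proceeds by manipulating ciphertexts rather than secret-shared field elements. The following toy script is an added illustration, not code from the paper or its authors, of what that kind of building block can look like: ElGamal in a small prime-order subgroup with the private key split additively between two parties, distributed decryption that never reconstructs the key, a blinded plaintext-equality test, and a single logical gate evaluated by shuffling and rerandomizing an encrypted truth table and then selecting the row that matches the encrypted inputs. The parameters (P = 2039, G = 4), the two-party additive sharing and the unverified shuffle are all constructed for readability; a real protocol needs secure parameters, threshold rather than all-or-nothing sharing, and proofs of correct decryption and of correct shuffling, none of which appear here.

```python
"""Toy: secure gate evaluation over ElGamal ciphertexts under a shared key.

Constructed illustration (not the paper's protocol): small, INSECURE parameters,
additive two-party key sharing, and no proofs of correct decryption or shuffling.
"""
import random

P = 2039                 # safe prime, P = 2*Q + 1 (toy size, not secure)
Q = (P - 1) // 2         # prime order of the subgroup we work in
G = 4                    # generator of the order-Q subgroup (a square mod P)
rng = random.SystemRandom()


def rand_exp():
    """Uniform exponent in [1, Q-1]."""
    return rng.randrange(1, Q)


def keygen(n_parties=2):
    """Each party holds an additive share x_i; nobody ever holds x = sum(x_i)."""
    shares = [rand_exp() for _ in range(n_parties)]
    x = sum(shares) % Q
    return pow(G, x, P), shares


def encrypt(y, m):
    """ElGamal: m must be a subgroup element (bits are encoded as G**bit)."""
    r = rand_exp()
    return (pow(G, r, P), m * pow(y, r, P) % P)


def encode_bit(bit):
    return pow(G, bit, P)        # 0 -> 1, 1 -> G


def ct_mul(c1, c2):
    """Homomorphic product: E(m1) * E(m2) = E(m1*m2)."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)


def ct_inv(c):
    return (pow(c[0], -1, P), pow(c[1], -1, P))


def ct_pow(c, z):
    """E(m)^z = E(m^z); used for blinding in the equality test."""
    return (pow(c[0], z, P), pow(c[1], z, P))


def rerandomize(y, c):
    """Fresh ciphertext of the same plaintext: multiply by an encryption of 1."""
    return ct_mul(c, encrypt(y, 1))


def dist_decrypt(c, shares):
    """Each party publishes a^x_i; their product a^x unmasks b."""
    a, b = c
    a_x = 1
    for x_i in shares:
        a_x = a_x * pow(a, x_i, P) % P
    return b * pow(a_x, -1, P) % P


def plaintext_equal(c1, c2, shares):
    """Blinded equality test: jointly decrypt (m1/m2)^z for random z, compare to 1."""
    diff = ct_mul(c1, ct_inv(c2))
    for _ in shares:                       # every party blinds with its own z_i
        diff = ct_pow(diff, rand_exp())
    return dist_decrypt(diff, shares) == 1


def encrypted_table(y, gate):
    """Encrypt every row (in1, in2, out) of a 2-input gate's truth table."""
    return [tuple(encrypt(y, encode_bit(v)) for v in (a, b, gate(a, b)))
            for a in (0, 1) for b in (0, 1)]


def mix(y, rows):
    """Random permutation plus rerandomization of every entry (unverified toy shuffle)."""
    rows = [tuple(rerandomize(y, c) for c in row) for row in rows]
    rng.shuffle(rows)
    return rows


def match(mixed_rows, c_in1, c_in2, shares):
    """Select the row whose input columns equal the encrypted inputs; return its
    still-encrypted output column."""
    for e1, e2, e_out in mixed_rows:
        if plaintext_equal(e1, c_in1, shares) and plaintext_equal(e2, c_in2, shares):
            return e_out
    raise ValueError("no matching row: inputs were not encryptions of bits")


def evaluate_gate(gate, bit1, bit2):
    """End to end: encrypt inputs, mix the gate table, match, jointly decrypt the output."""
    y, shares = keygen()
    table = mix(y, encrypted_table(y, gate))
    c1, c2 = encrypt(y, encode_bit(bit1)), encrypt(y, encode_bit(bit2))
    out = match(table, c1, c2, shares)
    return 0 if dist_decrypt(out, shares) == 1 else 1


if __name__ == "__main__":
    for a in (0, 1):
        for b in (0, 1):
            print(f"AND({a}, {b}) = {evaluate_gate(lambda u, v: u & v, a, b)}")
```

Because the matched row is shuffled and rerandomized, the position that matches reveals nothing about which truth-table row it came from, and the output column stays encrypted, so it can feed the next gate without any decryption in between; only the final result is jointly opened. The price is one equality test per row and per input column, which is why the abstract characterises the atomic operations as logical rather than full field operations.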

Key words

auction, general secure multiparty computation, millionaires’ problem, secure function evaluation



Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Markus Jakobsson, Bell Labs, Information Sciences Research Center, Murray Hill, New Jersey
  • Ari Juels, RSA Laboratories, RSA Security Inc., Bedford, USA
