Multiparty Computations Ensuring Privacy of Each Party’s Input and Correctness of the Result
Abstract
A protocol is presented that allows a set of parties to collectively perform any agreed computation, where every party is able to choose secret inputs and verify that the resulting output is correct, and where all secret inputs are optimally protected.

One participant is allowed to hide his secrets unconditionally, i.e. the protocol releases no Shannon information about these secrets. This means that a participant with bounded resources can perform computations securely with a participant who may have unlimited computing power. To the best of our knowledge, our protocol is the first of its kind to provide this possibility.

The cost of our protocol is linear in the number of gates in a circuit performing the computation, and in the number of participants. We believe it is conceptually simpler and more efficient than other protocols solving related problems ([Y1], [GoMiWi] and [GaHaYu]). It therefore leads to practical solutions of problems involving small circuits.

The protocol is openly verifiable, i.e. any number of people can later come in and rechallenge any participant to verify that no cheating has occurred.

The protocol is optimally secure against conspiracies: even if n − 1 out of the n participants collude, they will not find out more about the remaining participants’ secrets than what they could already infer from their own input and the public output.

Each participant has a chance of undetected cheating that is only exponentially small in the amount of time and space needed for the protocol.

The protocol adapts easily, and with negligible extra cost, to various additional requirements, e.g. making part of the output private to some participant, ensuring that the participants learn the output simultaneously, etc.

Participants can prove relations between data used in different instances of the protocol, even if those instances involve different groups of participants. For example, it can be proved that the output of one computation was used as input to another, without revealing more about this data.

The protocol can be usen as an essential tool in proving that all languages in IP have zero knowledge proof systems, i.e. any statement which can be proved interactively can also be proved in zero knowledge.
The rest of this paper is organised as follows: First we survey some related results. Then Section 2 gives an intuitiveintroduction to the protocol. In Section 3, we present one of the main tools used in this paper: bit commitment schemes. Sections 4 and 5 contain the notation, terminology, etc. used in the paper. In Section 6, the protocol is presented, along with proofs of its security and correctness. In Section 7, we show how to adapt the protocol to various extra requirements and discuss some generalisations and optimisations. Finally, Section 8 contains some remarks on how to construct zero knowledge proof systems for any language in IP.
References
 [BrCr]Brassard and Crepeau: Zero knowledge simulation of boolean circuits. Proc. of Crypto 86.Google Scholar
 [Bl]Blum: Coinflipping by telephone: Protocols for solving impossible problem. Proc. of 24. IEEE CompCon, 1982.Google Scholar
 [ChCrDa]Chaum, Damgård and Crepeau: Fundamental primitives for multiparty unconditionally secure protocols. To appear.Google Scholar
 [Ch]Chaum: Demonstrating that a public predicate can be satisfied while revealing no information about how. Proc. of Crypto 86.Google Scholar
 [Ch2]Chaum: How to keep a secret alive. Proc. of Crypto 84.Google Scholar
 [Cr]Crepeau: Equivalence between two flavours of oblivious transfers. To appear in proceedings of Crypto 87.Google Scholar
 [GaHaYu]Galil, Haber and Yung: Primitives for Designing MultiParty Cryptographic Protocols from Specifications. To appear.Google Scholar
 [GoVa]Goldreich and Vainish: How to solve any protocol problem: an efficiency improvement. Proc. of Crypto 87.Google Scholar
 [GoMiWi]Goldreich, Micali and Wigderson: How to play any mental game, Proc. of STOC 1987.Google Scholar
 [GoMiWi2]Goldreich, Micali and Wigderson: How to prove all NPstatements in zeroknowledge, and a methodology of cryptographic protocol design. Proc. of Crypto 86.Google Scholar
 [GoMi]Goldwasser and Micali: Probabilistic Encryption. JCSS, vo1.28, No.2, April 1984, pp.270–299.MathSciNetMATHGoogle Scholar
 [GoMiRa]Goldwasser, Micali and Rackoff: The knowledge complexity of interactive proof systems. Proc. 17th STOC, 1985.Google Scholar
 [GrPe]Peralta and van de Graaf: A simple and efficient protocol to prove the validity of your public key. To appear in proceedings of Crypto 87.Google Scholar
 [Y1]Yao: How to generate and exchange secrets. Proc. of 27. FOCS, 1986.Google Scholar
 [Y2]Yao: Protocols for secure computations. Proc. of 23. FOCS, 1982.Google Scholar