Secure Computation

  • Silvio Micali
  • Phillip Rogaway
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 576)


We define what it means for a network of communicating players to securely compute a function of privately held inputs. Intuitively, we wish to correctly compute its value in a manner which protects the privacy of each player’s contribution, even though a powerful adversary may endeavor to disrupt this enterprise.

This highly general and desirable goal has been around a long time, inspiring a large body of protocols, definitions, and ideas, starting with Yao [1982, 1986] and Goldreich, Micali and Wigderson [1987]. But all the while, it had resisted a full and satisfactory formulation.

Our definition is built on several new ideas. Among them:
  1. Closely mimicking an ideal evaluation. A secure protocol must mimic this abstraction in a run-by-run manner, our definition depending as much on individual executions as on global properties of ensembles.

  2. Blending privacy and correctness in a novel way, using a special type of simulator designed for the purpose.

  3. Requiring adversarial awareness—capturing the idea that the adversary should know, in a very strong sense, certain information associated to the execution of a protocol.

Among the noteworthy and desirable properties of our definition is the reducibility of secure protocols, which we believe to be a cornerstone in a mature theory of secure computation.


Keywords: Secure Protocol, Secure Computation, Ideal Evaluation, Oblivious Transfer, Interactive Proof


  1. [Be91a]
    D. Beaver, “Formal Definitions for Secure Distributed Protocols,” in Distributed Computing and Cryptography — Proceedings of a DIMACS Workshop, October 1989. (Paper not presented at workshop but invited to appear in proceedings.)
  2. [Be91b]
    D. Beaver, “Foundations of Secure Interactive Computing,” these proceedings.
  3. [BG89]
    D. Beaver and S. Goldwasser, “Multiparty Computations with Faulty Majority,” Proc. of the 30th FOCS (1989), 468–473.
  4. [BMR90]
    D. Beaver, S. Micali and P. Rogaway, “The Round Complexity of Secure Protocols,” Proc. of the 22nd FOCS (1990), 503–513.
  5. [BF85]
    J. Benaloh (Cohen) and M. Fischer, “A Robust and Verifiable Cryptographically Secure Election Scheme,” Proc. of the 26th FOCS (1985), 372–381.
  6. [BGW88]
    M. Ben-Or, S. Goldwasser and A. Wigderson, “Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation,” Proc. of the 20th STOC (1988), 1–10.
  7. [Bl82]
    M. Blum, Coin Flipping by Telephone, IEEE COMPCON, (1982) 133–137.
  8. [BM82]
    M. Blum and S. Micali, “How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits,” SIAM J. of Computing, Vol. 13, No. 4, 1984, 850–864. Earlier version in Proc. of the 23rd FOCS (1982).
  9. [Ch81]
    D. Chaum. “Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms,” Comm. of the ACM 24(2) February 1981, 84–88.
  10. [BCC88]
    G. Brassard, D. Chaum and C. Crépeau, “Minimum disclosure proofs of knowledge,” Journal of Computer and System Science, Vol. 37, No. 2, October 1988, 156–189.
  11. [CCD88]
    D. Chaum, C. Crépeau and I. Damgård, “Multiparty Unconditionally Secure Protocols,” Proc. of the 20th STOC (1988), 11–19.
  12. [CDG87]
    D. Chaum, I. Damgård and J. van de Graff, “Multiparty Computations Ensuring the Privacy of Each Party’s Input and Correctness of the Result,” CRYPTO-87 Proceedings, 87–119.
  13. [CG89]
    B. Chor and E. Kushilevitz, “A Zero-One Law for Boolean Privacy,” Proc. of the 21st STOC (1989), 62–72.
  14. [CGK90]
    B. Chor, M. Geréb-Graus and E. Kushilevitz, “Private Computations over the Integers,” Proc. of the 31st FOCS (1990), 325–344. Earlier version by Chor and Kushilevitz, “Sharing over Infinite Domains,” CRYPTO-89 Proceedings, Springer-Verlag, 299–306.
  15. [CGMA85]
    B. Chor, O. Goldwasser, S. Micali and B. Awerbuch, “Verifiable Secret Sharing and Achieving Simultaneity in the Presence of Faults,” Proc. of the 26th FOCS (1985), 383–95.
  16. [Cr90]
    C. Crépeau, “Correct and Private Reductions Among Oblivious Transfers,” MIT Ph.D. Thesis, February 1990.
  17. [DLM]
    R. DeMillo, N. Lynch, and M. Meritt, “Cryptographic Protocols,” Proc. of the 14th STOC (1982) 383–400.
  18. [DH76]
    W. Diffie and M. Hellman, “New Directions in Cryptography,” IEEE Transactions on Information Theory, 22(6) (November 1976). 644–654.
  19. [Ed65]
    J. Edmonds, “Paths, Trees, and Flowers,” Canadian J. of Mathematics, 17:449–467, 1965.
  20. [FFS87]
    U. Feige, A. Fiat, and A. Shamir, “Zero Knowledge Proofs of Identity,” Proc. of the 19th STOC (1987), 210–217.
  21. [FS90]
    U. Feige and A. Shamir, “Witness indistinguishability and witness hiding protocols,” Proc. of the 22nd STOC (1990), 416–426.
  22. [FS91]
    U. Feige and A. Shamir, “On Expected Polynomial Time Simulation of Zero Knowledge Protocols,” in Distributed Computing and Cryptography — Proceedings of a DIMACS Workshop, October 1989.
  23. [Fe88]
    P. Feldman, “One Can Always Assume Private Channels,” unpublished manuscript (1988).
  24. [FM90]
    P. Feldman and S. Micali, “An Optimal Algorithms for Synchronous Byzantine Agreement,” MIT/LCS Technical Report TM-425 (June 1990). Previous version in Proc. of the 20th STOC (1988), 148–161.
  25. [GHY87]
    Z. Galil, S. Haber and M. Yung, “Cryptographic Computation: Secure Fault-Tolerant Protocols and the Public-Key Model,” CRYPTO-87 Proceedings, 135–155.
  26. [Go89]
    O. Goldreich, “Foundations of Cryptography — Class Notes,” Spring 1989, Technion University, Haifa, Israel.
  27. [GL90]
    S. Goldwasser and L. Levin, “Fair Computation of General Functions in Presence of Immoral Majority,” CRYPTO-90 Proceedings, 75–84.
  28. [GM84]
    S. Goldwasser and S. Micali, “Probabilistic Encryption,” Journal of Computer and System Sciences, Vol. 28, No. 2 (1984), 270–299. Earlier version in Proc. of the 14th STOC (1982).
  29. [GMR89]
    O. Goldwasser, S. Micali, and C. Rackoff, “The Knowledge Complexity of Interactive Proof Systems,” SIAM J. of Comp., Vol. 18, No. 1, 186–208 (February 1989). Earlier version in Proc. of the 17th STOC (1985), 291–305.
  30. [GMR88]
    S. Goldwasser, S. Micali, and R. Rivest, “A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks,” SIAM Journal on Computing, 17(2):281–308, April 1988.
  31. [GMW87]
    O. Goldreich, S. Micali and A. Wigderson, “How to Play Any Mental Game,” Proc. of the 19th STOC (1987), 218–229.
  32. [GV87]
    O. Goldreich and R. Vainish, “How to Solve any Protocol Problem—An Efficiency Improvement,” CRYPTO-87 Proceedings, 76–86.
  33. [Ha88]
    S. Haber, “Multi-Party Cryptographic Computation: Techniques and Applications,” Columbia University Ph.D. Thesis (1988).
  34. [HU79]
    J. Hopcroft and J. Ullman, Introduction to Automata Theory, Languages, and Computation, Addison-Wesley, 1979.
  35. [Ki89]
    J. Kilian, “Uses of Randomness in Algorithms and Protocols,” MIT Ph.D. Thesis, April 1989.
  36. [KMR90]
    J. Kilian, S. Micali, and P. Rogaway, “The Notion of Secure Computation,” manuscript, 1990.
  37. [Le85]
    L. Levin, “One-Way Functions and Pseudorandom Generators,” Combinatorica, Vol. 17, 1988, 357–363. Earlier version in Proc. of the 17th STOC (1985).
  38. [LMR83]
    M. Luby, S. Micali and C. Rackoff, “How to Simultaneously Exchange a Secret Bit by Flipping a Symmetrically Biased Coin,” Proc of the 24th FOCS (1983).
  39. [Me83]
    M. Meritt, “Cryptographic Protocols.” Georgia Institute of Technology Ph.D. Thesis, Feb. 1983.
  40. [MRS88]
    S. Micali, C. Rackoff and B. Sloan, “The Notion of Security for Probabilistic Cryptosystems,” SIAM J. of Computing, 17(2):412–26, April 1988.
  41. [MR91]
    S. Micali and P. Rogaway, “Secure Computation,” manuscript, August 1991.
  42. [Or87]
    Y. Oren, “On the Cunning Power of Cheating Verifiers: Some Observations about Zero Knowledge Proofs,” Proc. of the 28th FOCS (1987), 462–471.
  43. [PSL80]
    M. Pease, R. Shostak and L. Lamport, “Reaching Agreement in the Presence of Faults,” J. of the ACM Vol. 27, No. 2, 1980.
  44. [Ra81]
    M. Rabin, “How to Exchange Secrets by Oblivious Transfer,” Technical Memo TR-81, Aiken Computation Laboratory, Harvard University, 1981.
  45. [RB89]
    T. Rabin and M. Ben-Or, “Verifiable Secret Sharing and Multiparty Protocols with Honest Majority,” Proc. of the 21st STOC (1989), 73–85.
  46. [SRA81]
    A. Shamir, R. Rivest, and L. Adleman, “Mental Poker,” in Mathematical Gardener, D. D. Klarner, editor, Wadsworth International (1981) pp 37–43.
  47. [TW87]
    M. Tompa and H. Woll, “Random Self-Reducibility and Zero Knowledge Interactive Proofs of Possession of Information,” Proc. of the 28th FOCS (1987), 472–482.
  48. [Ya82a]
    A. Yao, “Protocols for Secure Computation,” Proc. of the 23 FOCS (1982), 160–164.
  49. [Ya82b]
    A. Yao, “Theory and Applications of Trapdoor Functions,” Proc. of the 23 FOCS (1982) 80–91.
  50. [Ya86]
    A. Yao, “How to Generate and Exchange Secrets,” Proc. of the 27 FOCS (1986).

Copyright information

© Springer-Verlag Berlin Heidelberg 1992

Authors and Affiliations

  • Silvio Micali (1)
  • Phillip Rogaway (2)
  1. MIT Laboratory for Computer Science, Cambridge
  2. IBM, Austin
