\documentclass[11pt]{article}
\usepackage{amssymb,amsmath,amsthm,url}
\usepackage{graphicx}
%uncomment to get hyperlinks
%\usepackage{hyperref}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%Some macros (you can ignore everything until "end of macros")
\def\class{0}
\topmargin 0pt \advance \topmargin by -\headheight \advance
\topmargin by -\headsep
\textheight 8.9in
\oddsidemargin 0pt \evensidemargin \oddsidemargin \marginparwidth
0.5in
\textwidth 6.5in
%%%%%%
\newcommand{\getsr}{\gets_{\mbox{\tiny R}}}
\newcommand{\bits}{\{0,1\}}
\newcommand{\Ex}{\mathbb{E}}
\newcommand{\To}{\rightarrow}
\newcommand{\e}{\epsilon}
\newcommand{\R}{\mathbb{R}}
\newcommand{\N}{\mathbb{N}}
\newcommand{\Z}{\mathbb{Z}}
\newcommand{\maxpr}{\text{\rm max-pr}}
\newenvironment{summary}{\begin{quote}\textbf{Summary.}}{\end{quote}}
\newtheorem{theorem}{Theorem}
\newtheorem{axiom}{Axiom}
\newtheorem{lemma}[theorem]{Lemma}
\newtheorem{claim}[theorem]{Claim}
\newtheorem{corollary}[theorem]{Corollary}
\theoremstyle{definition}
\newtheorem{exercise}{Exercise}
\newtheorem{definition}[theorem]{Definition}
\newcommand{\sstart}{\triangleright}
\newcommand{\send}{\triangleleft}
\newcommand{\cclass}[1]{\mathbf{#1}}
\renewcommand{\P}{\cclass{P}}
\newcommand{\NP}{\cclass{NP}}
\newcommand{\Time}{\cclass{Time}}
\newcommand{\BPP}{\cclass{BPP}}
\newcommand{\Size}{\cclass{Size}}
\newcommand{\Ppoly}{\cclass{P_{/poly}}}
\newcommand{\CSAT}{\ensuremath{\mathsf{CSAT}}}
\newcommand{\SAT}{\ensuremath{\mathsf{3SAT}}}
\newcommand{\IS}{\mathsf{INDSET}}
\newcommand{\poly}{\mathrm{poly}}
\newcommand{\inp}{\mathsf{in}}
\newcommand{\outp}{\mathsf{out}}
\newcommand{\Adv}{\mathsf{Adv}}
\newcommand{\Supp}{\mathsf{Supp}}
\newcommand{\dist}{\Delta}
\newcommand{\indist}{\approx}
\newcommand{\PRG}{\mathsf{G}}
\newcommand{\Gen}{\mathsf{Gen}}
\newcommand{\Enc}{\mathsf{E}}
\newcommand{\Dec}{\mathsf{D}}
\newcommand{\Com}{\mathsf{C}}
\newcommand{\Sign}{\mathsf{Sign}}
\newcommand{\Ver}{\mathsf{Ver}}
\newcommand{\eqdef}{\stackrel{\text{\tiny def}}{=}}
\newcommand{\set}[1]{ \{ #1 \} }
\newcommand{\cF}{\mathcal{F}}
\newcommand{\angles}[1]{\langle #1 \rangle}
\newcommand{\iprod}[1]{\angles{#1}}
\newcommand{\floor}[1]{\lfloor #1 \rfloor}
\newcommand{\view}{\mathsf{view}}
\newcommand{\trans}{\mathsf{trans}}
% end of macros
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\title{Lecture 20 --- Homomorphic Encryption 2: Two party secure computation.}
\author{Boaz Barak}
\begin{document}
\maketitle
{ \ifnum\class=1 \fontsize{14pt}{16pt} \selectfont \fi
\begin{description}
\item[Multi-party secure computation] We've considered a great many cryptographic applications in this course:
encryption, signatures, coin tossing, commitments, zero knowledge, private information retrieval, and so on, and there
are more, such as electronic elections and electronic auctions, that we didn't consider.
Today we consider one framework that captures all of them.
\item[Cryptography in the presence of a completely trusted party] We observe that all the cryptographic problems we
considered become trivial if there is a completely trusted party $\cF$ that has a secure private channel to
every one of the participants:
\begin{description}
\item[Coin tossing] The participants ask $\cF$ to toss a coin, $\cF$ tosses it and broadcasts the result.
\item[Authenticated Encryption] Alice sends a message $x$ to $\cF$ and asks to relay it to Bob and no one
else, $\cF$ relays $x$ to Bob and tells him this message was received from Alice.
\item[Zero knowledge] To prove that she knows $x$ such that $C(x)=1$, Alice sends $C,x$ to $\cF$. $\cF$
verifies that $C(x)=1$, then sends only $C$ to Bob, together with the guarantee that there is an $x$ such that
$C(x)=1$.
\end{description}
And here are some we didn't consider:
\begin{description}
\item[Electronic voting] Everyone sends their votes to $\cF$, that announces the winner.
\item[Electronic auctions] Everyone sends their bids to $\cF$, that announces who was the highest bidder,
and what was the value of the second highest bid.
\item[Poker] $\cF$ chooses a random permutation of the $52$ cards and sends each party their cards; parties
send their choices to $\cF$, which announces the public information and sends to individual parties their
secret cards, and so on.
\item[Yao's Millionaire's problem] Alice and Bob want to compare who has the higher salary. Alice sends her
salary $x$ to $\cF$, Bob sends his salary $y$ to $\cF$, and $\cF$ announces whether $x>y$ or not.
(Here we allow for the possibility that Alice and/or Bob lie about the number they provide to
$\cF$, but at least neither learns more than this one bit about the other person's salary; one can
also think of a functionality that gets as input the public key of, say, the IRS, and checks that $x$ and
$y$ are signed with this key.)
\item[Distributed signature and decryption] Three parties hold strings $s_1,s_2,s_3$ respectively and share a public
message $x$; they all send their strings to $\cF$, which broadcasts a signature on $x$ under the key $s_1
\oplus s_2 \oplus s_3$. One can similarly have $\cF$ decrypt a ciphertext using a secret key
obtained as the XOR of the inputs.
\end{description}
\item[Virtual trusted party] The notion of \emph{secure multi-party computation} is to allow $k$ parties to create
a virtual trusted party out of thin air. The basic setting assumes that these parties have identities and
can talk privately and securely to one another (e.g., there is a public key infrastructure), though this has
been generalized to weaker settings as well. There are many variants of the definition, and the one we'll use is
the following. Below, for simplicity, we assume that $\cF$ is a deterministic stateless function: that is, $\cF$
takes input $x_i$ from the $i^{th}$ party, and after receiving all inputs, sends the output $y_j$ to the
$j^{th}$ party, where $(y_1,\ldots,y_k) = \cF(x_1,\ldots,x_k)$. We'll remark later how to generalize this to
randomized and stateful functionalities.
Let $\cF:(\bits^n)^k\To(\bits^n)^k$ be some function. A $k$-party protocol is a \emph{secure function
evaluation} protocol for $\cF$ if for every subset $S \subsetneq [k]$ and coordinated cheating strategy $A^*$
for the parties in $S$, there exists a simulator $SIM$ and a set of inputs $\{ x_i \}_{i \in S}$ such that:
\begin{description}
\item[Correctness] For every set of inputs $\{ x_i \}_{i \in \overline{S}}$, if the parties in
$\overline{S}$ follow the protocol, then we have a guarantee that for every $i \in \overline{S}$, the
output the $i^{th}$ party obtains is either $\cF(x_1,\ldots,x_k)_i$ or $\bot$. Here $\overline{S}$ denotes
$[k] \setminus S$.
\item[Simulation] For every set of inputs $\{ x_i \}_{i \in \overline{S}}$, if $SIM$ is given the outputs $\{
\cF(x_1,\ldots,x_k)_i \}_{i\in S}$ and a parameter $\e>0$, then $SIM$ runs in $\poly(1/\e,n,k)$ time and the
output of $SIM$ is computationally indistinguishable from the view of all the parties in $S$ in an
interaction where, for every $i$, if $i\in \overline{S}$ then the $i^{th}$ party follows the protocol
and uses $x_i$ as input, and if $i\in S$ then the $i^{th}$ party follows the coordinated strategy
$A^*$.
\end{description}
(It is possible to combine the two conditions together in one requirement, though we will not follow this
route.)
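As an added example (not part of the lecture notes), the following Python models the XOR key sharing behind the distributed decryption functionality above and checks the simulation condition of the definition for it exactly: for every proper subset $S \subsetneq [k]$, a simulator that never sees the key outputs precisely the distribution of shares the parties in $S$ hold, while for $S=[k]$ no such simulator exists since the full set of shares determines the key. The function names, the one-time pad standing in for the cipher, and the small $n$ used for exhaustive enumeration are the example's own choices.

```python
# Added example (not from the lecture notes): XOR key sharing and its simulator.
import secrets
from collections import Counter
from fractions import Fraction
from itertools import product

def share(key: int, k: int, n: int, rand=secrets.randbelow) -> list[int]:
    """Split an n-bit key into k XOR shares with s_1 ^ ... ^ s_k == key.
    The first k-1 shares are uniform; the last one is fixed by the key."""
    shares = [rand(1 << n) for _ in range(k - 1)]
    last = key
    for s in shares:
        last ^= s
    return shares + [last]

def reconstruct(shares: list[int]) -> int:
    key = 0
    for s in shares:
        key ^= s
    return key

def ideal_decrypt(shares: list[int], ciphertext: int) -> int:
    """The trusted party F: recombine the shares and decrypt with the key.
    A one-time pad over n-bit ints stands in for the cipher (example choice)."""
    return reconstruct(shares) ^ ciphertext

def normalize(dist: Counter) -> dict:
    total = sum(dist.values())
    return {t: Fraction(c, total) for t, c in dist.items()}

def real_view(key: int, k: int, n: int, S: set) -> dict:
    """Exact distribution of the shares the parties in S hold, over all random tapes."""
    dist = Counter()
    for tape in product(range(1 << n), repeat=k - 1):
        shares = share(key, k, n, rand=lambda _bound, t=iter(tape): next(t))
        dist[tuple(shares[i] for i in sorted(S))] += 1
    return normalize(dist)

def simulated_view(k: int, n: int, S: set) -> dict:
    """SIM for the parties in S: it is given no key and only outputs uniform
    n-bit strings, one per party in S (their outputs from F are not needed)."""
    return normalize(Counter(product(range(1 << n), repeat=len(S))))

def perfectly_simulated(key: int, k: int, n: int, S: set) -> bool:
    """True iff the real and simulated views of S are identical distributions.
    Holds for every proper subset S; fails for S = all parties, who learn the key."""
    return real_view(key, k, n, S) == simulated_view(k, n, S)
```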
The correctness requirement ensures that the cheating parties have no control over the output the honest parties
receive beyond their obvious power to choose their own inputs. The ability to cause the output to be $\bot$
comes from the fact that it's always possible for an attacker to halt the protocol and stop communicating. In
fact, it is possible in certain settings (in particular when $|S|