Page 1: Multi-Party Proofs and Computation Based in part on materials from Cornell class CS 4830

Multi-Party Proofs and Computation

Based in part on materials from Cornell class CS 4830.


Interactive Proofs

A prover must convince a verifier that some statement is true.

Typically the prover is thought of as all-powerful, while the verifier has limited computational ability.

The verifier doesn’t trust the prover.




How can the prover convince the verifier that this puzzle has a solution?


Interactive Proof

Prover shows the verifier a solution.

Verifier checks every row, column, 3x3 box.


Pepsi Challenge

Professor Maggs claims that he can distinguish Pepsi from Coke without ever making an error.

How can this claim be verified?



Boyang: Randomly decides (with equal probability) on Coke or Pepsi and hands the professor a glass containing the chosen drink.

Professor: Takes a sip of the drink and pronounces “Coke” or “Pepsi”.

Boyang: Notes whether the pronouncement was correct, and repeats.


Verifying the Claim

Suppose that the professor can actually only tell the difference between Coke and Pepsi with probability p.

After t trials, the probability that the professor gets the answer correct every time is p^t.

Example: for p = 0.9, t = 100, p^t < 0.00003


Zero-Knowledge Proof

Prover wants to convince verifier that some statement is true, without revealing anything about the proof.

Rewording: prover wants to convince verifier that prover knows a solution to a problem without revealing any information about the solution.


Hamilton Path

A graph has a Hamilton path if there is a path through the graph that visits every vertex exactly once.








Zero-Knowledge Proof

Prover:

1. Draw the graph on a piece of cardboard with vertices positioned at random places. Vertices are unnumbered.

2. Cover the drawing with scratch-off paint.

3. Give the cardboard to the verifier.



The verifier flips an unbiased random coin, then based on the outcome asks the prover to do one of two things:

1: Reveal the numbers of the vertices. The verifier will then check that the graph is correct.

2: Reveal the Hamilton path (without revealing the numbers of the vertices). The verifier then knows that the drawn graph is Hamiltonian.

If the graph is Hamiltonian, the prover always succeeds. If the graph is not Hamiltonian, the prover fails with probability ½.


Note that Hamilton Path is NP-complete, i.e., every other problem in NP can be reduced to Hamilton Path

ZKP for Hamilton Path → ZKP for all NP!


How to flip a coin over the Internet

1. First party chooses a random number X in the range [0, 2^256) and publishes A := H(X).

2. Second party likewise chooses a number Y and publishes B := H(Y).

3. After receiving A, B, both parties reveal X and Y.

If (X+Y) is even, first party wins.

What if first party waits to see H(Y) before choosing X?

What if first party tries to change X after seeing Y?
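The commit-and-reveal exchange above as a runnable check (an added example, not part of the original slides). It assumes H is SHA-256 over a 32-byte encoding of the number; the function names and the refusal of identical commitments are additions made here.

```python
import hashlib
import secrets

def H(x: int) -> bytes:
    """Assumed instantiation of H: SHA-256 over the 32-byte big-endian encoding of x."""
    return hashlib.sha256(x.to_bytes(32, "big")).digest()

def choose() -> int:
    """Uniform random number in [0, 2**256)."""
    return secrets.randbits(256)

def settle(A: bytes, B: bytes, X: int, Y: int) -> str:
    """Check both reveals against the published commitments, then decide the flip."""
    if A == B:
        # Added check, not on the slide: a commitment copied from the other party
        # would verify once that party reveals, so equal commitments are refused.
        raise ValueError("identical commitments")
    if H(X) != A:
        raise ValueError("first party's reveal does not match A")
    if H(Y) != B:
        raise ValueError("second party's reveal does not match B")
    return "first" if (X + Y) % 2 == 0 else "second"

def rejected(A: bytes, B: bytes, X: int, Y: int) -> bool:
    """True if settle() refuses the transcript."""
    try:
        settle(A, B, X, Y)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    X, Y = choose(), choose()
    A, B = H(X), H(Y)
    print("honest run, winner:", settle(A, B, X, Y))
    # First party tries to flip the parity of X after seeing Y: H(X ^ 1) != A.
    print("changed X rejected:", rejected(A, B, X ^ 1, Y))
```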


Computing Average Salary

n professors in a room would like to compute their average salary, but they do not wish to reveal their salary to others. In fact, they do not wish to reveal their salary to any coalition of n-2 professors.



• Suppose prof_3 through prof_n collude.

• What can they learn about the salaries of prof_1 and prof_2?

• They can deduce s_1 + s_2 from the sum, but this is inherent in the computation.

• They have shares r_{1,3} through r_{1,n} and r_{2,3} through r_{2,n}

• They can deduce r_{1,1} + r_{1,2} + r_{2,1} + r_{2,2} from the shares they have and s_1 + s_2

• But they can’t deduce s_1 or s_2 to an accuracy greater than r_{1,1} + r_{1,2} + r_{2,1} + r_{2,2}
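The collusion argument above, checked in code (an added example, not from the original slides). The protocol itself is not in the text here, so this assumes the usual additive sharing: prof i splits s_i into shares r_{i,1}..r_{i,n}, hands r_{i,j} to prof j, and each prof publishes the sum of the shares received. The modulus M, the sample salaries and all function names are assumptions.

```python
import secrets

M = 2**64  # assumed public modulus, larger than the sum of all salaries

def make_shares(salary: int, n: int) -> list:
    """Split s_i into n random shares r_{i,1}..r_{i,n} that sum to s_i mod M."""
    shares = [secrets.randbelow(M) for _ in range(n - 1)]
    return shares + [(salary - sum(shares)) % M]

def partial_sums(r: list) -> list:
    """Professor j publishes the sum of the shares r_{1,j}..r_{n,j} received."""
    n = len(r)
    return [sum(r[i][j] for i in range(n)) % M for j in range(n)]

def average(r: list) -> float:
    return (sum(partial_sums(r)) % M) / len(r)

def coalition_view(r: list, colluders: list):
    """All published partial sums, plus every share the colluders sent or received."""
    sent = {i: tuple(r[i]) for i in colluders}
    received = {(i, j): r[i][j] for i in range(len(r)) for j in colluders}
    return partial_sums(r), sent, received

def shifted_world(r: list, d: int) -> list:
    """Same run, but with s_1 + d and s_2 - d hidden inside r_{1,1} and r_{2,1}."""
    alt = [row[:] for row in r]
    alt[0][0] = (alt[0][0] + d) % M
    alt[1][0] = (alt[1][0] - d) % M
    return alt

if __name__ == "__main__":
    salaries = [90, 110, 70, 130]                  # constructed sample input
    r = [make_shares(s, len(salaries)) for s in salaries]
    print("average:", average(r))
    alt = shifted_world(r, 25)                     # prof_1 earns 115, prof_2 earns 85
    same = coalition_view(r, [2, 3]) == coalition_view(alt, [2, 3])
    print("prof_3 and prof_4 see the same transcript:", same)
```

With shares taken modulo M, two different salary pairs with the same sum produce an identical view for the colluders, so the coalition learns s_1 + s_2 and nothing more.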



Two-Party Secure AND Computation

Alice and Bob wish to know whether they mutually have feelings for each other.

• If both have feelings for the other, great!

• If Alice loves Bob but Bob does not love Alice back, Alice will be embarrassed -- she would not want Bob to know that she loves Bob (or vice versa)


Securely computing AND

truth table

A  B  AND
0  0  0
0  1  0
1  0  0
1  1  1    both learn the others’ input by definition

Alice does not learn which case

Bob does not learn which case



1. place Alice’s input cards, heart, Bob’s input cards in order, face down

2. shuffle (cycle shift)

3. reveal
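The three steps above, simulated (an added example, not from the original slides). The text does not say how the input cards encode yes and no, so the encoding below is an assumption taken from the standard five-card trick, and all function names are hypothetical.

```python
import secrets

# Assumed encoding (the card layout is not in the slide text): H = heart, C = club.
# Alice lays (C, H) for "yes" and (H, C) for "no"; Bob lays (H, C) for "yes"
# and (C, H) for "no". The extra heart always sits face down between them.
def lay_out(a: int, b: int) -> list:
    alice = ["C", "H"] if a else ["H", "C"]
    bob = ["H", "C"] if b else ["C", "H"]
    return alice + ["H"] + bob

def cyclic_shift(cards: list, k: int) -> list:
    return cards[k:] + cards[:k]

def reveal(a: int, b: int) -> list:
    """Steps 1-3: lay out, shift by a secret random amount, turn the cards over."""
    return cyclic_shift(lay_out(a, b), secrets.randbelow(5))

def read_and(cards: list) -> int:
    """AND is 1 exactly when the three hearts are adjacent around the circle."""
    n = len(cards)
    return int(any(all(cards[(k + d) % n] == "H" for d in range(3)) for k in range(n)))

def possible_reveals(a: int, b: int) -> set:
    """Every face-up sequence the shuffle can produce for inputs (a, b)."""
    return {tuple(cyclic_shift(lay_out(a, b), k)) for k in range(5)}

if __name__ == "__main__":
    for a in (0, 1):
        for b in (0, 1):
            print(a, b, "->", read_and(reveal(a, b)))
    # The three AND = 0 inputs are indistinguishable after the shuffle.
    print(possible_reveals(0, 0) == possible_reveals(0, 1) == possible_reveals(1, 0))
```

Because every shift is equally likely and the three AND = 0 layouts are rotations of one another, the revealed cards carry the AND and nothing else.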


We have seen so far:

• n-party secure computation for addition (n>2)

• 2-party secure computation for AND (multiplication mod 2)

This is tantalizing: gives us reason to hope that secure multiparty computation is generally possible for any function!


Byzantine Agreement Requirement

[Consensus]

• All honest nodes agree on the same value

[Validity]

• If sender is correct, all honest nodes agree on sender’s proposed value


A protocol that defends against f malicious nodes in f+1 rounds

extracted = {}, sender signs value and sends it to all

for round r = 1...f+1:

• receive message

• preserve only messages whose value v has not been extracted, and has r distinct sigs

• if v is extracted in this round and node has not relayed v in any round: append node’s sig and relay v to nodes not on the signature list


In round f+1: decide based on the following

• decide 0 if 2 values have been extracted

• decide 0 if no value has been extracted

• decide v if a single value v has been
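A small simulation of the round structure and decision rule above (an added example, not from the original slides). Signature chains are modelled as tuples of signer ids, faulty nodes act only through a scripted list of injected messages, and the `rounds` parameter and scenario names are assumptions added to show why f+1 rounds are used.

```python
def run(n, f, faulty, injected, sender_value=None, rounds=None):
    """Simulate the protocol above with node 0 as sender; returns {honest node: decision}.

    Modelling assumptions: a signature chain is a tuple of signer ids, signatures
    are unforgeable (faulty nodes may only inject chains signed by faulty nodes),
    and injected = {round: [(destination, value, chain), ...]}.
    """
    honest = [i for i in range(n) if i not in faulty]
    extracted = {i: set() for i in honest}
    inbox = {i: [] for i in honest}
    if 0 in honest:  # an honest sender signs one value and sends it to all
        extracted[0].add(sender_value)
        for j in honest[1:]:
            inbox[j].append((sender_value, (0,)))
    for r in range(1, (rounds or f + 1) + 1):
        for dst, v, chain in injected.get(r, []):
            assert set(chain) <= set(faulty), "honest signatures cannot be forged"
            if dst in inbox:
                inbox[dst].append((v, chain))
        outbox = {i: [] for i in honest}
        for i in honest:
            for v, chain in inbox[i]:
                # keep only values not yet extracted that carry r distinct sigs
                valid = len(set(chain)) == len(chain) == r and chain[0] == 0
                if valid and v not in extracted[i]:
                    extracted[i].add(v)
                    for j in honest:  # append own sig, relay to nodes not on the list
                        if j != i and j not in chain:
                            outbox[j].append((v, chain + (i,)))
        inbox = outbox
    # decide v if exactly one value was extracted, otherwise the default 0
    return {i: next(iter(e)) if len(e) == 1 else 0 for i, e in extracted.items()}

# Constructed scenarios for n = 5, f = 2, faulty nodes 0 (the sender) and 1.
EQUIVOCATE = {1: [(2, 5, (0,)), (3, 7, (0,)), (4, 7, (0,))]}  # two values in round 1
LATE = {2: [(2, 7, (0, 1))]}  # value held back until round f, shown to node 2 only

if __name__ == "__main__":
    print(run(4, 1, {3}, {}, sender_value=1))   # honest sender: all decide 1
    print(run(5, 2, {0, 1}, EQUIVOCATE))        # two values extracted: all decide 0
    print(run(5, 2, {0, 1}, LATE))              # f+1 rounds: all decide 7
    print(run(5, 2, {0, 1}, LATE, rounds=2))    # only f rounds: honest nodes disagree
```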



Validity: If sender is honest, then all correct nodes will extract sender’s value v, and all correct nodes can’t extract anything else


Proof of consensus

Claim 1: If a correct node extracts v in round r < f+1, then all correct nodes must have extracted v by round f+1.


Proof of consensus

Claim 2: If a node extracts a value v{p_1, p_2, …, p_r} in round r then p_1, p_2, …, p_{r-1} are faulty

Claim 3: If a node extracts a value v{p_1, p_2, …, p_{f+1}} in round f+1 then p_1, p_2, …, p_f are faulty, and p_{f+1} must be



If a correct node did not extract v by round f+1.

• suppose another correct node extracted v in round r < f+1. This is impossible by claim 1

• suppose that another correct node extracted v in round r = f+1, then by claim 3, p_{f+1} is correct, and therefore all correct nodes must extract v in round r=f+1 (if not earlier), since the correct p_{f+1} will send the message to everyone in round f+1


This is not the most efficient Byzantine Agreement protocol
