Output Privacy in Secure Multiparty Computation

In secure multiparty computation, a set of mutually mistrusting players engage in a protocol to compute an arbitrary, publicly known polynomial-sized function of the party’s private inputs, in a way that does not reveal (to an adversary controlling some of the players) any knowledge about the remaining inputs, beyond what can be deduced from the obtained output(s). Since its introduction by Yao [39], and Goldreich, Micali and Wigderson [29], this powerful paradigm has received a lot of attention. All throughout, however, very little attention has been given to the privacy of the players’ outputs. Yet, disclosure of (part of) the output(s) may have serious consequences for the overall security of the application e.g., when the computed output is a secret key; or when the evaluation of the function is part of a larger computation, so that the function’s output(s) will be used as input(s) in the next phase. In this work, we define the notion of private-output multiparty computation. This newly revised notion encompasses (as a particular case) the classical definition and allows a set of players to jointly compute the output of a common function in such a way that the execution of the protocol reveals no information (to an adversary controlling some of the players) about (some part of) the outputs (other than what follows from the description of the function itself). Next, we formally verify that basically no function can be output-privately computed in the presence of an adversary who gets full access to the internal memory of the corrupted players. However, if one restricts the (computationally bounded) adversary to control only part of the state of corrupted players, any function can be output-privately computed, assuming that enhanced trapdoor permutations exist and that public communication channels are available. Moreover, we prove security is preserved under sequential composition. We note that partial access to the internal state of some of the players (either part of the time e.g., forward-security and intrusion-resiliency, or part of the space, e.g., secure CPU/memory) is an assumption that has been used in various settings to formalize limits on the attacker’s capabilities that can be enforced via reasonable physical and architectural restrictions. However, previous models were devised for specific cryptographic tasks (e.g., encryption and signature schemes), whereas our formalization has a wider scope. We believe that the model we suggest may foster further studies of insider adversaries with partial control in the context of secure multiparty computation.