ISO IEC 0492212023.docx

1、INTERNATIONA1.STANDARDISO/IEC4922-1editionFirSt202307InformationsecuritySecuremu1.tipartycomputation一ReferencenumberISO/IEC4922-h2023(E)COPYRIGHTPROTECTEDDOCUMENTISO/1EC2023IUirhM*hedbdi1.iUedotherwiseupdhi.or啪UIBndttaeDmkfifiHipB1.andonnet8CH-1214Vernier,GenevaPhone：M1.22749O1.11觥ftte:丽丽BQrgPub1.is

2、hedinSwitzer1.andContentsForewordIitroductionScope1Normativereferences1Termsanddefinitions1Genera1.mode1.andparameters4.1 Genericmode1.24.2 Parametersofsecuremu1.tipartycomputation44.2.2 (htnrMrce44,23EnCOddspco.44.2.4 Outputspace4&A雁r1.三1.三i郴。mputingParties_44.2.7 Communicationmode1.44.2.8 Summaryo

3、fparameters一._5Propertiesandana1.ysisofsecuremu1.tipartycomputation55.1 Fundamenta1.requirements5511OVerV1.eW.一.55.1.3Octrirary552AdVerSarmode1.*1.1.51.1.1 Overview534.5.62222工工S工1wte6Computationa1.power.6Compositionandpara1.1.e1.execution7NetWOrkaccess5.3 Optiona1.properties75.3.1 1*V*5.3.2 Correct

4、nessagainstactiveadversary75.3.3 4InmiXjirivacyagainstactiveadversary75.3.5 Guaranteedoutputde1.ivery85.4 Performancepropertiesforthecomparisonofschemes8.f胜!第X85.4.3Computationa1.efficiency8AnnexA(informative)Possib1.eusecasesforsecuremu1.tipartycomputation9Bib1.iography10ForewordISO(theInternationa

5、1.OrganizationforStandardization)andIEC(theInternationa1.E1.ectrotechnica1.(inrt)(55io6)SrnIHGspartHipidisye耐IuAwHopWwiif1.MHtdiKtandhaiion.StNncUwrddtmitteesestab1.ishedbytherespectiveorganizationtodea1.withparticu1.arfie1.dsoftechnica1.activity.ISOandIECmitteesco1.1.aborateinfie1.dsOfmutua1.intere

6、stOtherinternationa1.ornizations,governmenta1.andnon-governmenta1.rin1.iaisonwithISOandIEC,a1.sotakepartintheTheproceduresusedtodeve1.opthisdocumentandthoseintendedforitsfurthermaintenanceAi1.cddc抑IbCdthe1.ndfrcnt1.S(7滕由也(H磅眄IrtSA曲如M1.Marj帕。翻地曲皿丝I1.即曲11旬hidinISO/IECDirectives.Part2(seewww.iso.org/di

7、rcctivesorwww.iec.ch/members.experts/refdocs).展编d（八）1.EC0雁Yn(S温翻照曲锄枕靴SSib独学脚(W*ernin那cn磔山括N豳视况出Mm(Q帏盛abM1.ytheanyc1.aimedpatentrightsinrespectthereof.Asofthedateofpub1.icationofthisdocument.ISOandIEChadnotreceivednoticeof（八）patent(三)whichmayberequiredtoimp1.ementthisdocument.However,嘟招幄1bftdaM由瞰ii三三

8、gpMMfWw相列忸梯刷notbehe1.dresponsib1.eforidentifyinganyora1.1.suchpatentrights.Anytradeusedinthisconstitutenameendorsemen1.documentisinformationgivenfortheconvenienceofusersanddoesnotForanexp1.anationofthevo1.untarynatureofstandards,themeaningo11SOspecifictermsand邮)X觑怂1.itedOrRan脚娜I删Oass热情昵孰&黑1tfn片插触布福d

9、ea噩恐CeSIfewww.iso.org/iso/foreword.htm1.IntheIEC,seevrww.iec.chunderstanding-standards.&瓯Cv。肋.胡济羽阳B限dM端伴g曰SO/IE用川/“rm。匕Q”techno1.ogy,A1.istofa1.1.partsintheISO/IEC4922seriescanbefoundontheISOandIECwebsites.蝌融画如浊净X辆WM%hcs5曲涧n始的仙曲BireaCd*WS4kfMHmtandardswww.iec.ch/nationa1.-committees.Introductionpute

10、iPputationsarebyoutsourced,parties.differenttrustedmu1.tipartycomputationprivatedccen1.ra1.izedindivdua1.p1.ayers,computinganthcfunctiona1.ityandCo1.1.aborateniu1.tipartycomputationtasksAisefuIinSituationsinwheremutua1.1.ydist11stingentitiesdistributedAmex-Aprovidespossib1.eusecasesforsecuremu1.tipa

11、rtycomputation.C2023-A1.1.11ghtsreservedSecuremu1.tipartycomputation(MPC)isacryptographictechniquethatenab1.estheoutputofaava1.uab1.ebeimprovewhi1.etheWhereinputs,providedarangeoforwheresecret.itisdistrustingstakeho1.dersarcrequiredtocooperate,andnotrustedpar1.yisavai1.ab1.etoexecutethecomputationon

12、beha1.foftheinputproviders.Securethirdpar1.y,takingtheisinputsofprotoco1.whichemu1.atesagreedfunction,ofdisseminatingthecorrectoutputprivate1.ytore1.evantparties.SecureondataprocessingiswhichcanarisetheInternetofThingsandotherwanttoapp1.icationdomains.Possib1.eapp1.icationdomainsinc1.udesecureauctio

13、ns,privacy-preservingdataana1.ytics,anddistributeddigita1.wa1.1.ets.InformationsecuritySecuremu1.tipartycomputation一解Q剪a1.1ScopeThisdocumentspecifiesdefinitions,termino1.ogyandprocessesforsecuremu1.tipartycomputationdodiDdbtdddbfitfingy,prQc由cardertotnWihkdH(tgr)iDaoMmUki11terop1.riht!1.pMtiddnc1.tn

14、datawhi1.ethedataarekeptprivate；theparticipatingparties；andthecryptographicproperties.eImi忸睡锹酰施S1.hiSdocumentiscommontotheISO/IEC4922series.ereTermsandcd1.SfiWitFtfSence1.inthisdoment.Forthepurposesofthisdocument,thefo1.1.owingtermsanddefinitionsapp1.y.ISOandIECmaintaintermino1.ogydatabasesforuseins

15、tandardizationatthefo1.1.owingaddresses：ISOOn1.inebrowsingPIatfbE:avai1.ab1.eatImps:WWWjSosg/obpathttps:/www.e1.ectropedia.org/工IECE1.ectropedia:avai1.ab1.eintendedfunction史pctiontobeeva1.uatedbythemu1.tipartyprotoco1.(3.2)mu1.tipartyprotoco1.protoco1.executedamongcomputingpar1.ies(3.6)tojoint1.yeva

16、1.uatetheintendedfunction(3.1)over翦Odedinputsinputpvatedatahe1.dbytheinputparty(3.5)forthepurposeofbeingeva1.uatedbytheintendedfunction购)partyinvo1.vedinsecuremu1.tipartycomputationinputparty(34)ho1.dinganinputandprovidingittocomputingparties(3.6)inencodedformcomputingpartypar1.y(3.4)thatperformscom

17、pu1.ationstoeva1.uatetheintendedfunction(3.1)3.7resu1.tpartyparty(3.4)receivingtherequireddatafromthecomputingparties(3.6)toobtaintheresu1.totUeeguremu1.tipartycomputationinp1.aintextbydecodingtheoutputoftheintendedfunction(3.1)circuitrepresentationoftheintendedfunction(3.1)intheformofbasicoperation

18、ssupportedbytheprotoco1.啊theirinterconnectionsarithmeticcircuit夕3护(38)composedofbasicarithmeticoperationsboo1.eancircuit0f,4(3.8)composedofbasicBoo1.eanoperationscommunicationcomp1.exitytota1.arnouutofdatatransferredamongthecomputingparties(3.6)duringtheexecutionofamu1.tiparty敦co/(3.2)p1.exityTygU1.

19、Itofcomputationrequiredtoexecuteamu1.tipartyprotoco1.(3.2)roundcomp1.exityminimumnumberOfsequentia1.ComttHIniCationSbetweencomputingparties(3.6)requiredduringtheexecutionofamu1.tipartyprotoco1.(3.2)4Genera1.mode1.andparameters4.1 Genericmode1.Inasecuremu1.tipartycomputation,twoormorepartiesareinvo1.

20、vedinaprotoco1.toeva1.uateanHItaIKIOdCanfUCICdU(XimmPDthf1.ewputsxiAgrtyowiApHtnThisthiafeeMiihjimof力earaf1.uibpa0e9eariousapp1.icationscenarios.AnnexAprovidespossib1.eusecasesforsecuremu1.tipartycomputation.Differentro1.essha1.1.bepresentinasecuremu1.tipartycomputationsystem.Thero1.esare:putingpart

21、y,resu1.tparty.iutation.pa麻如晔酮三摭幅Theencodingensuresthattheinputiskeptprivatefromtheotherpartiesandcanbeachievedbysecretsharingorencryption.NOTEForsecretsharing,seetheISO/IEC19592series.Forencryption,seetheISO/IEC18033series.Thecomputingpartiesjoint1.yexecutethemu1.tipartyprotoco1.stepsnecessarytoeva

22、1.uatetheintendedfunctionanddisseminatethederivedoutputencodingstotheresu1.tparties.resu1.tpartiespartiesreconstructdepcndingonthecomputationexamp1.e,encodedcascoutputs.securcauction,function.EXAMP1.EProb1.emmi1.1.ionairesrmu1.tipartycomputation.whoTputingfina1.output.Therefore,bothpartiesareinputpa

23、rties,andbotharea1.socomputingparties.Buton1.yoneofthemprimitives.Theprimitives,protoco1.s.TheftnctiongatesrSposingthosemu1.tipartycomputationmorecomp1.exgatesarca1.sopossib1.e.a)agreementfunctionsha1.1.app1.ication.upontypica1.CaseJnvo1.vedPartieS.IhcThePartmS.invo1.vedinthisC)PredCfinedru1.esparti

24、esspecifiedintendcdprodudngtheencodedencodcdDuringinputscompu1.ation.d)putingpartiesissenttothecomputingparties(C1.CiiCE),andnresu1.tparties(RfRz-RriFigure1Examp1.eofsecuremu1.tipartycomputationwithinput,computing,andresu1.tpartiesTheresu1.tcanbepresent,theresu1.tofusecase.ForfromtheintheofaOneormor

25、ea1.1.inputpartiesarea1.sointerestedintheresu1.tand1.ike1.ytoberesu1.tpar1.ies.DifFercntresu1.tpartiescana1.soreceivedifferentresu1.tsastheoutputOfdifferentfunctions,ifincorporatedintheintendedInasecuremu1.tipartycomputationsystem,a1.1.ro1.essha1.1.bepresentandtherecanbemu1.tip1.epartiesservingineac

26、hro1.e.Eachpar1.ycanoccupyanynumberofro1.es.Specifica1.1.y,toqua1.ifyforasecuremu1.tipartycomputationsystem,at1.easttwocomputingpartiessha1.1.bepresenttoeva1.uatetheisac1.assicThewithinSecureprob1.emji3determiningisintendedwithoutrevea1.ingbythewea1.th,partiesisacomparisonfunction.Inaconventiona1.tw

27、o-partyprotoco1.so1.vingthemi1.1.ionaires,prob1.em,eachPartyprovidesaninputandcontributestotheeva1.uationofthecomparisonfunction,buton1.yonepartygetstheisresu1.tparty.Theprocessingofanintendedfunctionisdividedintosimp1.eoperationswhicharerepresentedasdependontheavai1.ab1.esuchastypesiscomputedbybyas

28、ecureprimitives.Inthecaseofarithmeticcircuits,itiscomposedofe1.ementssuchasaddition,subtraction,sca1.ar-mu1.tip1.ication,andmu1.tip1.icationgates.ForBoo1.eancircuits,ittypica1.1.yconsistsof1.ogicoperationsonbinaryva1.ues;Asecuremu1.tipartycomputationcomprisesthefo1.1.owingsteps.AnIntendeddependthebe

29、agreedInaamongthethiscanbea1.1.inputb)Theinputpartiesgenerateencodingsoftheirinputanddistributethemtothecomputingparties.Thecomputingfortheeva1.uatetheprotoco1.functionovertheirresu1.t.theaccordingthecomputingpartiescancommunicatewitheachotherforcertainprotoco1.steps.Theoftheresu1.tofthedecodeintoth

30、eStepa)+b)Stepc)Stepd)Figure1i1.1.ustratesanexamp1.eofsecuremu1.tipartycomputationwithiinputparties(,2tIt)1mMieniiaic的Rirtpp(M*)g1.s,againstippotjtantdhkti)gPOtamia1.IMfiiXahfdnfomu1.tipntfty)thcornpUtationofdbescomputationanditsowninput.Forexamp1.e,tocomputethemeanoftwova1.ues,eachinputpartythatisa

31、1.soaresu1.tpartycancomputetheotherparty,sinputusingthemeananditsowninput4.2Parametersofsecuremu1.tipartycomputation4.2.1 OverviewThefo1.1.owingbasicsetofparametersapp1.ytoa1.1.securemu1.tipartycomputationschemesspecifiedintheprotoco1.s：ISO/1.EC4922series；theyprovideameanstoeva1.uateandcomparethepro

32、pertiesofparticu1.ar theinputSPaCndescribedin4.2.2; theencodedSPaCedescribedin4.2.3; theoutputspace,describedin4.2.4; thenumberofcomputingparties,describedin35; thero1.erestriction,describedin4.2.6; thecommunicationmode1.describedin4,27.4.2.2 InputspaceTheinputspaceisthesetofpossib1.eva1.uestheinput

33、partiescanhave.4.2.3 EncodedspaceTheencodedspaceisthesetofpossib1.eva1.uesfortheencodedva1.uesoperatedonbythecomputingparties.4.2.4 OutputspaceTheoutputspaceisthesetofpossib1.eva1.uesoutputbytheintendedfunction.Inotherwords,thesearcthepossib1.eva1.uesthatcanbereconstructedbytheresu1.tpartiesasaresu1

34、tofthemu1.tipartyprotoco1.4.2.5 ThenumberofcomputingpartiesThenumberofcomputingpartiesexecutingthemu1.tipartyprotoco1.sha1.1.beat1.easttwo.4.2.6 Ro1.erestrictionro1.erestrictionisadescriptionofanyrestrictiononthero1.eswhichspecificpartiesmayPerformina4ui7reConniupctionconpote1.n.Forexamp1.e,a1.1.th

35、einputpartiescana1.sobethecomputingparties.4.2.7.1 OverviewAcommunicationmode!expresseshowtoexchangedataamongparties.Securemu1.tipartycomputationneedsaccesstoat1.eastoneofthefo1.1.owingtwooptionsdescribedin4Z77and4273,butsometimesa1.soboth.4.2.7.2 Point-to-pointchanne1.Thiscommunicationnwde1.consist

36、sofafu1.1.yconnectednetworkwithapoint-to-pointcommunicationchanne1.betweeneachpairofparties.Thisisthetypica1.settingforsecuremu1.tipartycomputation.4.2.7.3 Broadcastandmu1.ticastchanne1.Amunicationchanne1.thatguaranteesthecorrectde1.iveryofUansmrnenwRfcft3urttheseddurto1.bti5hhneisagui1.jhonettesoti

37、ft*pfi11ti1.y.rctivetv1.tesE1.eu1.pen(3edimaednhatdetfamds()itMittiHxxrti(e1.oftheinputmessagesismaintained.5.1.2 CorrectnessIfa1.1.thepartiesfo1.1.owtheprotoco1.,theresu1.tpartiessha1.1.obtaintheoutputofanintendedfunctionovertheinputsprovidedbytheinputparties.5.1.3 InputprivacyIfa1.1.thepartiesfo1

38、1.owtheprotoco1.andnoadversarycorruptsmorethantheadversaria1.mode1.in5.2,3AtotjhattwibbebwQWb1.HE痴JWm即pOytobuIinUfd忖hforrirtionresd1.utpij中yts,kwwRgvbpStandoutput,respective1.y.Inputprivacyisa1.sosometimesreferredtoasinputsecrecyorinputserity.巡HAedto?ifftfc1.fton311.rUiVtocomputeafunction,suchasits

39、topo1.ogyandthenumberofinputs,is5.2 Adversarymode1.5.2.1 OverviewThesecurityofsecuremu1.tipartycompu1.ationisdeterminedbythetypeofadversarytheprotoco1.issecureagainst.5.2describesmode1.sthatc1.assifyanadversaryaccordingtoitscapabi1.ities.5.2.2 Adversarybehaviour5.2.2.1 Passivesecuritymode1.inthepass

40、ivesecuritymode1.,anadversaryfo1.1.owstheprotoco1.honest1.y,yetcantrytoIeamadditiona1.in1.bnttnuunicQurtiwavai1.ab1.einformation.Passivesecurityisa1.soknownassemi-honestorhonest-5.2.2.2Activesecuritymode1.Intheactivesecuritymode1.,anadversarycanarbitrari1.ydeviatefromtheprotoco1.intheirattempttoiesd

41、cnwninf1.*maUdnusabctttfthcy.otherparties,dataortoproduceanincorrectresu1.tActivesecurity5.2.2.3Covertsecuritymode1.Ifthecheatingbehavioursofma1.iciousadversarieshaveaprobabi1.ityofbeingcaughtbythehonestfHuge*H如CUOgEIRtiPMU5rgmwhstiBvb(3deEtIba2imh.6!f03i域mtieUhritydme1.eAdditiona1.1.y,ifthehonestpa

42、rtycangenerateapub1.ic1.yverifiab1.eproofoftheadversaryscheatingbehaviourwithoutsacrificingtheinputprivacy,asecuremu1.tipartycomputationschemesatisfiesthe5t3c1.y购阳麻货阳掂地Mi1.mode1.1.1.1.1 Genera1.Anadversarycancorruptoneormoreoftheinput,computing,orresu1.tparties.SecurecomputationIheebh(IIdmST州仅块examp1.gGrhddg31ftmscanto1.erate,ca1.1.edthe1.1.1.2 HonestmajorityInthehonestmajoritycase,anadversarycancorrupt1.essthanha1.fofthecomputingparties.1.1.1.3 DishonestmajorityInthedishonestmajoritycase,anadversarycancorruptha1.formoreofthecomputingparties.