9 - Secure Multi-Party Computation [ID:34608]

Welcome to the lecture Secure Multi-Party Computation.

We are now in Lecture number 8.

So I'll begin this lecture briefly reviewing what you have seen in the last lecture.

Remember that the overall goal that we have for the remaining lectures is to achieve secure two-party

computation in the malicious security setting. And the malicious security setting in particular

means that the adversary may behave arbitrarily. So you may do whatever you want. And this is

in contrast to the semi-honest setting where the adversary must follow the protocol honestly and he tries to derive some information afterwards.

So the goal is to achieve secure two-party computation in the malicious security setting.

This is why in the last lecture we essentially started first of all by discussing the formal

The formal definition is way more complicated because it now has to take arbitrary behavior

into account.

Right?

In the setting of semi-honest security, we could do these nice things that we could say,

look, of course, the transcript will have a certain distribution because the adversary

will follow the protocol and so on and so forth.

And this is not possible in the case of malicious security.

Furthermore, one has to be a little bit careful on how to define malicious security because

of fairness issues.

In addition to that, we also introduced new cryptographic tools that we need and in particular

we introduced commitment schemes.

So remember that a commitment scheme is essentially a cryptographic functionality that allows

Alice to commit to some message M and you can really think about this putting the message

into a box.

And it has two properties, namely after committing to this value, A cannot change its mind

and this is essentially known as binding.

So once the person is committed to a certain message, then the message cannot be changed.

On the other hand, before opening the commitment, B doesn't learn M and this is known as hiding.

So this is one of the building blocks that we will need in order to achieve malicious

security.

Furthermore, we introduced the cryptographic notion known as coin tossing.

So coin tossing is a functionality between two parties, let's say P1 having input X and

P2 having input Y and then they execute this protocol and at the end of the protocol they

both learn a uniformly random string and this is R. And as you can imagine, this is very

useful because essentially you can fix a certain randomness honestly generated during this

execution and then you can work with the output of this execution in the remaining part of

the protocol.

And this allows you, for example, to predict how does the message or how must the message

be formed with respect to this randomness.

So in this lecture and also in the next lecture, we want to construct the protocol.

So the 2PC protocol and in particular, we first want to understand what's going by,

what's wrong with the R, why is it insecure and how can we actually boost it.

So what do we need to do in order to achieve malicious security?

And what I really like about this part is that you can nicely understand the extra cost

that malicious security brings into the game.

So we have the nice protocol that is semi-honest secure, it's obviously insecure and in order

to achieve malicious security, you need to do some extra work in terms of the cryptographic

assumptions, the primitives and also the techniques that we will use.
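
The recap of commitments and coin tossing above, as an added example that is not part of the lecture: a commit-then-reveal coin toss in which P1 commits to x, P2 replies with y, P1 opens, and both output R = x XOR y. The SHA-256 commitment, the 32-byte nonce and all function names are assumptions made for this sketch, not the construction used in the course.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 32  # bytes of commitment randomness (assumed parameter)


def commit(message: bytes):
    """Put `message` "into the box": return (commitment, opening nonce)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    # Fixed-length nonce prefix keeps nonce||message unambiguous.
    return hashlib.sha256(nonce + message).digest(), nonce


def verify(commitment: bytes, message: bytes, nonce: bytes) -> bool:
    """Receiver's check when the box is opened."""
    if len(nonce) != NONCE_LEN:
        return False
    expected = hashlib.sha256(nonce + message).digest()
    return hmac.compare_digest(commitment, expected)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def coin_toss(x: bytes, y: bytes, cheat_open=None) -> bytes:
    """Run the three messages; return R as accepted by P2.

    cheat_open models a P1 that tries to open to a different value
    after seeing y (the attack that binding is meant to stop).
    """
    if len(x) != len(y):
        raise ValueError("shares must have equal length")
    c, nonce = commit(x)            # 1. P1 -> P2: c (hides x from P2)
    # 2. P2 -> P1: y, chosen after seeing only c
    opened = x if cheat_open is None else cheat_open
    if not verify(c, opened, nonce):  # 3. P1 -> P2: (opened, nonce)
        raise ValueError("P2 aborts: opening does not match commitment")
    return xor(opened, y)


if __name__ == "__main__":
    x, y = secrets.token_bytes(16), secrets.token_bytes(16)  # constructed shares
    print("R =", coin_toss(x, y).hex())
```

In this exchange P1 learns R before P2 does and can simply refuse to open, which is one concrete form of the fairness issue mentioned above.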

Accessible via

Open access

Duration

01:30:23 min

Recording date

2021-06-18

Uploaded on

2021-06-18 19:08:04

Language

en-US

Malicious Security (protocol) I/II
