askvity

What is BGW Protocol?

Published in Secure Computation 4 mins read

The BGW protocol is a method for performing secure multi-party computation using Shamir's secret sharing. It enables the computation of functions by expressing them as arithmetic circuits of addition and multiplication gates.

Understanding Secure Multi-Party Computation (MPC)

Before diving into the specifics of BGW, let's briefly define MPC:

  • MPC: Allows multiple parties, each with their own private inputs, to compute a function collectively without revealing their individual inputs to each other.
  • Goal: To achieve the desired outcome of a computation as if a trusted third party were performing it, but without relying on any such trusted entity.

How BGW Works

The BGW protocol leverages Shamir's secret sharing scheme to achieve its goal of secure multi-party computation.

Shamir's Secret Sharing

  • Principle: This method divides a secret into multiple shares, distributing them among different parties.
  • Threshold: A predetermined number of shares are required to reconstruct the original secret. Less than this threshold provides no information about the secret.

BGW Protocol Steps

  1. Secret Sharing: Each party shares their input using Shamir's secret sharing scheme.
  2. Circuit Representation: The function to be computed is represented as an arithmetic circuit composed of addition and multiplication gates.
  3. Computation:
    • Addition Gates: Addition can be performed locally on the shares owned by each party.
    • Multiplication Gates: Multiplication requires more complex protocols to ensure the result shares are still secret. Specifically, a sub-protocol is used to achieve this while hiding intermediate values.
  4. Reconstruction: After processing all gates in the circuit, the output shares are combined to reconstruct the final output, revealing the computation's result without disclosing any of the input values.

Key Features and Advantages of BGW

  • Security: Achieves secure computation assuming that the adversary controls less than a certain threshold of parties (typically half).
  • Efficiency: The protocol is relatively efficient for many practical applications.
  • Generality: It can compute any function that can be expressed as an arithmetic circuit.
  • Homomorphic Properties: Addition operations can be performed on the shares directly which can be seen as homomorphic property.

Example of a Simple Computation

Imagine two parties (A and B) want to calculate the sum of their secret numbers (x and y) without disclosing what x or y are to each other. Using BGW:

  1. Share Input:

    • Party A shares x using Shamir’s secret sharing scheme, creating shares x_A and x_B, keeping one and sending the other to party B.
    • Party B does the same with y, creating y_A and y_B, keeping one and sending the other to party A.

  2. Local Addition:

    • Party A locally adds x_A and y_A (x_A + y_A).
    • Party B locally adds x_B and y_B (x_B + y_B).

  3. Reconstruction: Parties combine their resulting shares to reveal x + y, without disclosing the individual values x and y.

Practical Insights

  • Real-World Applications: BGW has found applications in various fields including:
    • Secure machine learning
    • Privacy-preserving data analysis
    • Secure auctions
  • Complexities: While BGW provides significant security advantages, implementing it correctly can be complex due to the cryptographic operations involved.

In Summary, the BGW protocol provides a strong framework for secure multi-party computation, allowing parties to compute on their private data without revealing this data to each other. Its use of Shamir's secret sharing and arithmetic circuit computation allows for flexibility in designing secure applications.

Related Articles