Securely Simulating the Dealer
Securely Simulating the Dealer. As just noted, we would like to use the MPC protocol from Section 6 to simulate a dealer. Note that in this case we are evaluating a no-input (randomized) functionality, and so do not need any output quality; let Π_MPC = Π_0.

Using Π_MPC to simulate a dealer, however, is not straightforward. As described, Π_MPC evaluates a functionality where all parties receive the same output, but to simulate a dealer we need to compute a functionality where parties receive different outputs. The standard approach for adapting MPC protocols to provide parties with different outputs cannot be used in our context: Specifically, using symmetric-key encryption to encrypt the output of each party P_i using a key that P_i provides as part of its input does not work, since Π_MPC has no output quality (and even Π_A only guarantees A-output quality for A < n) and so not all parties’ inputs will be included. Assuming a PKI, we can fix this by using public-key encryption instead (in the same way); this works since the public keys of all parties can be incorporated into the functionality being computed—since they are common knowledge—rather than being provided as inputs.

Even when using public-key encryption as just described, additional issues remain. Π_MPC has expected subquadratic communication only when the output length of the functionality being computed is sublinear in the number of parties. Even if the dealer algorithm generates output whose length is independent of n, naively encrypting output for every party (encrypting a “null” value of the appropriate length for parties whose output is empty) would result in output of total length linear in n. Encrypting the output only for parties with non-empty output does not work either since, in general, this might reveal which parties get output—defeating the purpose of the setup altogether! We can address this difficulty by using anonymous public-key encryption [2] (cf. Appendix B.3).
Roughly, an anonymous public-key encryption (APKE) scheme has the property that a ciphertext leaks no information about the public key pk used for encryption, except to the party holding the corresponding secret key sk (who is able to decrypt the ciphertext using that key). Using APKE to encrypt the output (using the corresponding public key) only for parties who obtain non-empty output, and then randomly permuting the resulting ciphertexts, allows us to compute a functionality with sublinear output length while hiding which parties receive output. T...
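The output-packaging step described above, as an added Python example that is not taken from the paper: encrypt only the non-empty outputs, shuffle the ciphertexts, and let every party trial-decrypt. Hashed ElGamal over a toy shared group (P, G) stands in for the APKE scheme; those parameters, the fixed MSG_LEN, and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Assumption: toy parameters, illustration only. All parties share one group, so
# the ephemeral value in a ciphertext carries no hint of the recipient's key.
P, G = 2**255 - 19, 2
MSG_LEN = 16  # every output has the same length, so size leaks nothing

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def _kdf(shared, eph):
    # The recipient's public key is deliberately not an input to the derivation.
    seed = shared.to_bytes(32, "big") + eph.to_bytes(32, "big")
    pad = hashlib.sha256(b"pad" + seed).digest()[:MSG_LEN]
    return pad, hashlib.sha256(b"mac" + seed).digest()

def encrypt(pk, msg):
    if len(msg) != MSG_LEN:
        raise ValueError("outputs must be exactly MSG_LEN bytes")
    r = secrets.randbelow(P - 2) + 1
    eph = pow(G, r, P)
    pad, mac_key = _kdf(pow(pk, r, P), eph)
    body = bytes(a ^ b for a, b in zip(msg, pad))
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return eph, body, tag

def try_decrypt(sk, ct):
    eph, body, tag = ct
    pad, mac_key = _kdf(pow(eph, sk, P), eph)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tag mismatch: ciphertext is not addressed to this key
    return bytes(a ^ b for a, b in zip(body, pad))

def dealer_output(pks, outputs):
    """outputs maps party index -> bytes, only for parties with non-empty output."""
    cts = [encrypt(pks[i], m) for i, m in outputs.items()]
    secrets.SystemRandom().shuffle(cts)  # position must not identify the recipient
    return cts

def recover(sk, cts):
    hits = [m for m in (try_decrypt(sk, ct) for ct in cts) if m is not None]
    return hits[0] if hits else None
```

The number of ciphertexts equals the number of parties with non-empty output, independent of n, and a party with no output simply fails every trial decryption.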
