ISO/IEC 4922-1:2023

INTERNATIONAL ISO/IEC
STANDARD 4922-1
First edition
2023-07
Information security — Secure
multiparty computation —
Part 1:
General
Reference number
ISO/IEC 4922-1:2023(E)
© ISO/IEC 2023

---------------------- Page: 1 ----------------------
ISO/IEC 4922-1:2023(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
 © ISO/IEC 2023 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 4922-1:2023(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 General model and parameters . 2
4.1 Generic model . 2
4.2 Parameters of secure multiparty computation . 4
4.2.1 Overview . 4
4.2.2 Input space . 4
4.2.3 Encoded space . 4
4.2.4 Output space . 4
4.2.5 The number of computing parties . 4
4.2.6 Role restriction . 4
4.2.7 Communication model . 4
4.2.8 Summary of parameters . 5
5 Properties and analysis of secure multiparty computation . 5
5.1 Fundamental requirements . 5
5.1.1 Overview . 5
5.1.2 Correctness . 5
5.1.3 Input privacy . 5
5.2 Adversary model . 5
5.2.1 Overview . 5
5.2.2 Adversary behaviour . 6
5.2.3 Number of corruptions . 6
5.2.4 Computational power . . 6
5.2.5 Composition and parallel execution . 7
5.2.6 Network access . 7
5.3 Optional properties . 7
5.3.1 Overview . 7
5.3.2 Correctness against active adversary . 7
5.3.3 Input privacy against active adversary. 7
5.3.4 Fairness . 8
5.3.5 Guaranteed output delivery . 8
5.4 Performance properties for the comparison of schemes . . 8
5.4.1 Overview . 8
5.4.2 Communication efficiency . 8
5.4.3 Computational efficiency . 8
Annex A (informative) Possible use cases for secure multiparty computation .9
Bibliography .10
iii
© ISO/IEC 2023 – All rights reserved

---------------------- Page: 3 ----------------------
ISO/IEC 4922-1:2023(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of
any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC
had not received notice of (a) patent(s) which may be required to implement this document. However,
implementers are cautioned that this may not represent the latest information, which may be obtained
from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall
not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 4922 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
iv
  © ISO/IEC 2023 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 4922-1:2023(E)
Introduction
Secure multiparty computation (MPC) is a cryptographic technique that enables the output of a
function to be computed while keeping the individual inputs, provided by a range of parties, secret. It is
a valuable tool to improve privacy in situations where computations are outsourced, or where different
distrusting stakeholders are required to cooperate, and no trusted party is available to execute the
computation on behalf of the input providers.
Secure multiparty computation is a decentralized protocol which emulates the functionality of a
trusted third party, taking the private inputs of individual players, computing an agreed function, and
disseminating the correct output privately to relevant parties.
Secure multiparty computation is useful in situations where mutually distrusting entities want to
collaborate on data processing tasks, which can arise in the Internet of Things and other distributed
application domains. Possible application domains include secure auctions, privacy-preserving data
analytics, and distributed digital wallets.
Annex A provides possible use cases for secure multiparty computation.
v
© ISO/IEC 2023 – All rights reserved

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 4922-1:2023(E)
Information security — Secure multiparty computation —
Part 1:
General
1 Scope
This document specifies definitions, terminology and processes for secure multiparty computation
and related technology, in order to establish a taxonomy and enable interoperability. In particular, this
document defines the processes involved in cryptographic mechanisms which compute a function on
data while the data are kept private; the participating parties; and the cryptographic properties.
The terminology contained in this document is common to the ISO/IEC 4922 series.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
intended function
function to be evaluated by the multiparty protocol (3.2)
3.2
multiparty protocol
protocol executed among computing parties (3.6) to jointly evaluate the intended function (3.1) over
encoded inputs
3.3
input
private data held by the input party (3.5) for the purpose of being evaluated by the intended function
(3.1)
3.4
party
entity involved in secure multiparty computation
3.5
input party
party (3.4) holding an input and providing it to computing parties (3.6) in encoded form
3.6
computing party
party (3.4) that performs computations to evaluate the intended function (3.1)
1
© ISO/IEC 2023 – All rights reserved

---------------------- Page: 6 ----------------------
ISO/IEC 4922-1:2023(E)
3.7
result party
party (3.4) receiving the required data from the computing parties (3.6) to obtain the result of the
secure multiparty computation in plaintext by decoding the output of the intended function (3.1)
3.8
circuit
representation of the intended function (3.1) in the form of basic operations supported by the protocol
and their interconnections
3.9
arithmetic circuit
circuit (3.8) composed of basic arithmetic operations
3.10
boolean circuit
circuit (3.8) composed of basic Boolean operations
3.11
communication complexity
total amount of data transferred among the computing parties (3.6) during the execution of a multiparty
protocol (3.2)
3.12
computational complexity
amount of computation required to execute a multiparty protocol (3.2)
3.13
round complexity
minimum number of sequential communications between computing parties (3.6) required during the
execution of a multiparty protocol (3.2)
4 General model and parameters
4.1 Generic model
In a secure multiparty computation, two or more parties are involved in a protocol to evaluate an
intended function on private inputs. A party learns nothing about the inputs of other parties except
what it can deduce from the output and its own input. This security property can be useful in various
application scenarios. Annex A provides possible use cases for secure multiparty computation.
Different roles shall be present in a secure multiparty computation system. The roles are:
— input party,
— computing party,
— result party.
The input parties hold the inputs for the intended function to be evaluated in secure multiparty
computation. Each input party encodes its input and distributes the encodings to the computing parties.
The encoding ensures that the input is kept private from the other parties and can be achieved by secret
sharing or encryption.
NOTE For secret sharing, see the ISO/IEC 19592 series. For encryption, see the ISO/IEC 18033 series.
The computing parties jointly execute the multiparty protocol steps necessary to evaluate the intended
function and disseminate the derived output encodings to the result parties.
2
  © ISO/IEC 2023 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC 4922-1:2023(E)
The result parties reconstruct the result of the computation from the encoded outputs. One or more
result parties can be present, depending on the use case. For example, in the case of a secure auction,
all input parties are also interested in the result and likely to be result parties. Different result parties
can also receive different results as the output of different functions, if incorporated in the intended
function.
In a secure multiparty computation system, all roles shall be present and there can be multiple parties
serving in each role. Each party can occupy any number of roles. Specifically, to qualify for a secure
multiparty computation system, at least two computing parties shall be present to evaluate the
intended function.
[13]
EXAMPLE The millionaires’ problem, determining who is wealthier without revealing their actual wealth,
is a classic problem within secure multiparty computation. The intended function evaluated by the computing
parties is a comparison function. In a conventional two-party protocol solving the millionaires’ problem, each
party provides an input and contributes to the evaluation of the comparison function, but only one party gets the
final output. Therefore, both parties are input parties, and both are also computing parties. But only one of them
is a result party.
The processing of an intended function is divided into simple operations which are represented as
primitives. The primitives, such as types of gates, supported by a secure multiparty computation
depend on the available protocols. The function is computed by composing those primitives. In the case
of arithmetic circuits, it is composed of elements such as addition, subtraction, scalar-multiplication,
and multiplication gates. For Boolean circuits, it typically consists of logic operations on binary values;
more complex gates are also possible.
A secure multiparty computation comprises the following steps.
a) An intended function shall be agreed upon among the involved parties. The parties involved in this
agreement depend on the application. In a typical case, this can be all the input parties.
b) The input parties generate encodings of thei
...