2015, Lecture Notes in Computer Science
…
Motivated by the goal of improving the concrete efficiency of secure multiparty computation (MPC), we revisit the question of MPC with only two rounds of interaction. We consider a minimal setting in which parties can communicate over secure point-to-point channels and where no broadcast channel or other form of setup is available. Katz and Ostrovsky (Crypto 2004) obtained negative results for such protocols with n = 2 parties. Ishai et al. (Crypto 2010) showed that if only one party may be corrupted, then n ≥ 5 parties can securely compute any function in this setting, with guaranteed output delivery, assuming one-way functions exist. In this work, we complement the above results by presenting positive and negative results for the cases where n = 3 or n = 4 and where there is a single malicious party.

When n = 3, we show a 2-round protocol which is secure with "selective abort" against a single malicious party. The protocol makes a black-box use of a pseudorandom generator or alternatively can offer unconditional security for functionalities in NC1. The concrete efficiency of this protocol is comparable to the efficiency of secure two-party computation protocols for semi-honest parties based on garbled circuits.

When n = 4 in the setting described above, we show the following:
- A statistical VSS protocol that has a 1-round sharing phase and a 1-round reconstruction phase. This improves over the state-of-the-art result of Patra et al. (Crypto 2009), whose VSS protocol required 2 rounds in the reconstruction phase.
- A 2-round statistically secure protocol for linear functionalities with guaranteed output delivery. This implies a 2-round 4-party fair coin-tossing protocol.

We complement this by a negative result, showing that there is a (nonlinear) function for which there is no 2-round statistically secure protocol.
2010
We revisit the question of secure multiparty computation (MPC) with two rounds of interaction. It was previously shown by Gennaro et al. (Crypto 2002) that 3 or more communication rounds are necessary for general MPC protocols with guaranteed output delivery, assuming that there may be t ≥ 2 corrupted parties. This negative result holds regardless of the total number of parties, even if broadcast is allowed in each round, and even if only fairness is required. We complement this negative result by presenting matching positive results. Our first main result is that if only one party may be corrupted, then n ≥ 5 parties can securely compute any function of their inputs using only two rounds of interaction over secure point-to-point channels (without broadcast or any additional setup). The protocol makes a black-box use of a pseudorandom generator, or alternatively can offer unconditional security for functionalities in NC1. We also prove a similar result in a client-server setting, where there are m ≥ 2 clients who hold inputs and should receive outputs, and n additional servers with no inputs and outputs. For this setting, we obtain a general MPC protocol which requires a single message from each client to each server, followed by a single message from each server to each client. The protocol is secure against a single corrupted client and against coalitions of t < n/3 corrupted servers. The above protocols guarantee output delivery and fairness. Our second main result shows that under a relaxed notion of security, allowing the adversary to selectively decide (after learning its own outputs) which honest parties will receive their (correct) output, there is a general 2-round MPC protocol which tolerates t < n/3 corrupted parties. This protocol relies on the existence of a pseudorandom generator in NC1 (which is implied by standard cryptographic assumptions), or alternatively can offer unconditional security for functionalities in NC1.
We consider the central cryptographic task of secure two-party computation: two parties wish to compute some function of their private inputs (each receiving possibly different outputs) where security should hold with respect to arbitrarily-malicious behavior of either of the participants. Despite extensive research in this area, the exact round-complexity of this fundamental problem (i.e., the number of rounds required to compute an arbitrary poly-time functionality) was not previously known. Here, we establish the exact round complexity of secure two-party computation with respect to black-box proofs of security. We first show a lower bound establishing (unconditionally) that four rounds are not sufficient to securely compute the coin-tossing functionality for any super-logarithmic number of coins; this rules out 4-round protocols for other natural functionalities as well. Next, we construct protocols for securely computing any (randomized) functionality using only five...
International Conference on Cryptology, 2008
In this paper, we propose a round efficient unconditionally secure multiparty computation (UMPC) protocol in information theoretic model with n > 2t players, in the absence of any physical broadcast channel. Our protocol communicates \({\cal O}(n^4)\) field elements per multiplication and requires \({\cal O}(n \log(n) + {\cal D})\) rounds, even if up to t players are under the control of an active adversary having unbounded computing power, where \({\cal D}\) denotes the multiplicative depth of the circuit representing the function to be computed securely. In the absence of a physical broadcast channel and with n > 2t players, the best known UMPC protocol with minimum number of rounds, requires \({\cal O}(n^2{\cal D})\) rounds and communicates \({\cal O}(n^6)\) field elements per multiplication. On the other hand, the best known UMPC protocol with minimum communication complexity requires communication overhead of \({\cal O}(n^2)\) field elements per multiplication, but has a round complexity of \({\cal O}(n^3 +{\cal D})\) rounds. Hence our UMPC protocol is the most round efficient protocol so far and ranks second according to communication complexity.
Lecture Notes in Computer Science, 2003
We consider the round complexity of multi-party computation in the presence of a static adversary who controls a majority of the parties. Here, n players wish to securely compute some functionality and up to n − 1 of these players may be arbitrarily malicious. Previous protocols for this setting (when a broadcast channel is available) require O(n) rounds. We present two protocols with improved round complexity: the first assumes only the existence of trapdoor permutations and dense cryptosystems, and achieves round complexity O(log n) based on a proof scheduling technique of Chor and Rabin [13]; the second requires a stronger hardness assumption (along with the non-black-box techniques of Barak [2]) and achieves O(1) round complexity.
- Secure two-party computation may be achieved in a constant number of rounds by applying the compiler of Lindell [30] (based on earlier work of Goldreich, Micali, and Wigderson [24]) to the constant-round protocol of Yao [34] (which is secure against semi-honest adversaries).
2017
Traditional protocols for secure multi-party computation among n parties communicate at least a linear (in n) number of bits, even when computing very simple functions. In this work we investigate the feasibility of protocols with sublinear communication complexity. Concretely, we consider two clients, one of which may be corrupted, who wish to perform some “small” joint computation using n servers but without any trusted setup. We show that enforcing sublinear communication complexity drastically affects the feasibility bounds on the number of corrupted parties that can be tolerated in the setting of information-theoretic security.
Topics in Cryptology – CT-RSA 2008, 2008
Advances in Cryptology – CRYPTO 2005, 2005
We present a constant-round protocol for general secure multiparty computation which makes a black-box use of a pseudorandom generator. In particular, the protocol does not require expensive zero-knowledge proofs and its communication complexity does not depend on the computational complexity of the underlying cryptographic primitive. Our protocol withstands an active, adaptive adversary corrupting a minority of the parties. Previous constant-round protocols of this type were only known in the semi-honest model or for restricted classes of functionalities.
Advances in Cryptology – ASIACRYPT 2009, 2009
Multi-party secure computations are general important procedures to compute any function while keeping the security of private inputs. In this work we ask whether preprocessing can allow low latency (that is, small round) secure multi-party protocols that are universally-composable (UC). In particular, we allow any polynomial time preprocessing as long as it is independent of the exact circuit and actual inputs of the specific instance problem to solve, with only a bound k on the number of gates in the circuits known. To address the question, we first define the model of "Multi-Party Computation on Encrypted Data" (MP-CED), implicitly described in [FH96, JJ00, CDN01, DN03]. In this model, computing parties establish a threshold public key in a preprocessing stage, and only then private data, encrypted under the shared public key, is revealed. The computing parties then get the computational circuit they agree upon and evaluate the circuit on the encrypted data. The MP-CED model is interesting since it is well suited for modern computing environments, where many repeated computations on overlapping data are performed.

We present two different round-efficient protocols in this model:
- The first protocol generates k garbled gates in the preprocessing stage and requires only two (online) rounds.
- The second protocol generates a garbled universal circuit of size O(k log k) in the preprocessing stage, and requires only one (online) round (i.e., an obvious lower bound), and therefore it can run asynchronously.

Both protocols are secure against an active, static adversary controlling any number of parties. When the fraction of parties the adversary can corrupt is less than half, the adversary cannot force the protocols to abort. The MP-CED model is closely related to the general Multi-Party Computation (MPC) model and, in fact, both can be reduced to each other. The first (resp. second) protocol above naturally gives protocols for three-round (resp. two-round) universally composable MPC secure against an active, static adversary controlling any number of parties (with preprocessing).
Advances in Cryptology – EUROCRYPT 2010, 2010
We study the following two related questions:
- What are the minimal computational resources required for general secure multiparty computation in the presence of an honest majority?
- What are the minimal resources required for two-party primitives such as zero-knowledge proofs and general secure two-party computation?

We obtain a nearly tight answer to the first question by presenting a perfectly secure protocol which allows n players to evaluate an arithmetic circuit of size s by performing a total of O(s log s log^2 n) arithmetic operations, plus an additive term which depends (polynomially) on n and the circuit depth, but only logarithmically on s. Thus, for typical large-scale computations whose circuit width is much bigger than their depth and the number of players, the amortized overhead is just polylogarithmic in n and s. The protocol provides perfect security with guaranteed output delivery in the presence of an active, adaptive adversary corrupting a (1/3 − ε) fraction of the players, for an arbitrary constant ε > 0 and sufficiently large n. The best previous protocols in this setting could only offer computational security with a computational overhead of poly(k, log n, log s), where k is a computational security parameter, or perfect security with a computational overhead of O(n log n).

We then apply the above result towards making progress on the second question. Concretely, under standard cryptographic assumptions, we obtain zero-knowledge proofs for circuit satisfiability with 2^−k soundness error in which the amortized computational overhead per gate is only polylogarithmic in k, improving over the ω(k) overhead of the best previous protocols. Under stronger cryptographic assumptions, we obtain similar results for general secure two-party computation.
Lecture Notes in Computer Science, 2018
We consider information-theoretic secure two-party computation in the plain model where no reliable channels are assumed, and all communication is performed over the binary symmetric channel (BSC) that flips each bit with fixed probability. In this reality-driven setting we investigate feasibility of communication-optimal noise-resilient semi-honest two-party computation, i.e., efficient computation which is both private and correct despite channel noise. We devise an information-theoretic technique that converts any correct, but not necessarily private, two-party protocol that assumes reliable channels, into a protocol which is both correct and private against semi-honest adversaries, assuming BSC channels alone. Our results also apply to other types of noisy channels such as the elastic channel. Our construction combines tools from the cryptographic literature with tools from the literature on interactive coding, and achieves, to our knowledge, the best known communication overhead. Specifically, if f is given as a circuit of size s, our scheme communicates O(s + κ) bits for κ a security parameter. This improves the state of the art (Ishai et al., CRYPTO '11) where the communication is O(s) + poly(κ · depth(s)).