Publication


Featured research published by Donald Beaver.


symposium on the theory of computing | 1990

The round complexity of secure protocols

Donald Beaver; Silvio Micali; Phillip Rogaway

Assume we have a network of three or more players, each player in possession of some private input. The players want to compute some function of these private inputs, but in a way which protects the privacy of each participant's contribution. Not all of the players can be trusted to do as they are instructed. The resources the players are given to accomplish their goal are communication (the ability to privately send messages to one another, or to broadcast messages to the community as a whole) and local computation. Many insightful protocols have been proposed for solving this problem of multiparty secure function evaluation. Building on Yao's protocol for the case of two players [Ya86], Goldreich, Micali and Wigderson [GMW87] offered the first general protocol for this problem, and they provided the paradigm on which a large body of successive work was based. Despite enormous progress, research on secure function evaluation has suffered from some serious shortcomings. First, though many protocols have been devised for solving the problem, what, exactly, these protocols accomplish has not been fully understood. In fact, no rigorously specified and generally accepted definitions have been proposed in this field. Second, protocols for multiparty secure function evaluation could be extremely inefficient, the main cause being that they required an unbounded (and usually large) number of communication rounds. We address both of these points, carefully crafting definitions which satisfactorily deal with the myriad of issues lurking here, and offering a new protocol for multiparty secure function evaluation, one which categorically improves the complexity requirements for this task. The new protocol completely divorces the computational complexity of the function being collaboratively computed from the round complexity of the protocol that evaluates it. Using this approach, we show that a rigorously specified and extremely strong notion of secure function evaluation can be achieved by a protocol which requires only a fixed constant number of rounds of interaction. This result assumes only the existence of a one-way function and that the majority of the participants in the protocol behave correctly.


symposium on theoretical aspects of computer science | 1990

Hiding instances in multioracle queries

Donald Beaver; Joan Feigenbaum

Abadi, Feigenbaum, and Kilian have considered instance-hiding schemes [1]. Let f be a function for which no randomized polynomial-time algorithm is known; randomized polynomial-time machine A wants to query an oracle B for f to obtain f(x), without telling B exactly what x is. It is shown in [1] that, if f is an NP-hard function, A cannot query a single oracle B while hiding all but the size of the instance, assuming that the polynomial hierarchy does not collapse. This negative result holds for all oracles B, including those that are non-r.e.


principles of distributed computing | 1989

Non-cryptographic fault-tolerant computing in constant number of rounds of interaction

Judit Bar-Ilan; Donald Beaver

Let f(x1, ..., xn) be computed by a circuit C with bounded fan-in. There are non-cryptographic protocols [BGW88, CCD88] by which a network of n processors can evaluate C at secret inputs x1, ..., xn, revealing the final value f(x1, ..., xn) without revealing any information about the inputs except what the final result provides. Current methods require O(depth(C)) rounds of communication and messages of size polynomial in size(C) and n. In practical terms, such a degree of interaction is unacceptable. We show how to secretly evaluate any finite function in a constant expected number of rounds, regardless of the minimal depth of a circuit for that function. We provide a means to simulate unbounded fan-in multiplicative (or AND) gates using constant rounds. Using our new methods, any function can be evaluated in a constant number of rounds, using messages of size proportional to the size of a constant-depth, unbounded-fan-in circuit describing the function. We also show how to secretly evaluate any function described by an algebraic formula of polynomial size (or an NC1 circuit), using a constant number of rounds yet requiring messages of only polynomial size. This provides a speedup over original methods by a factor of log n, while incurring only a polynomial number of bits. This research was supported in part under NSF grant CCR-870-4513.


Journal of Cryptology | 1991

Secure multiparty protocols and zero-knowledge proof systems tolerating a faulty minority

Donald Beaver

A multiparty protocol to compute a function f(x1, ..., xn) operates as follows: each of n processors holds an input xi, and jointly they must compute and reveal f(x1, ..., xn) without revealing any additional information about the inputs. The processors are connected by secure communication lines but some number of processors may be corrupted by a resource-unbounded adversary that may attempt to interfere with the protocol or to gain extra information. Ben-Or, Goldwasser, Wigderson, Chaum, Crépeau, and Damgård have given protocols tolerating faults in t<n/3 processors. We improve the bound to t<n/2; as long as a majority remains uncorrupted, general and secure computations are achievable. To address and prove the security of our results, we introduce concise definitions for security and fault-tolerance. In particular, our notion of relative resilience—a means to compare the security and fault-tolerance of one protocol with that of another in a formal manner—provides a key tool for understanding and proving protocol security.


symposium on the theory of computing | 1996

Correlated pseudorandomness and the complexity of private computations

Donald Beaver

The race to find the weakest possible assumptions on which to base cryptographic primitives such as oblivious transfer was abruptly halted by Impagliazzo's and Rudich's surprising result: basing oblivious transfer or other related problems on a black-box one-way permutation (as opposed to a one-way trapdoor permutation) is tantamount to showing P ≠ NP. In contrast, we show how to generate OT, in the sense of random number generation, using any one-way function in a black-box manner. That is, an initial "seed" of k OTs suffices to generate O(k^c) OTs. In turn, we show that such generation is impossible in an information-theoretic setting, thus placing OT on an equal footing with random number generation, and resolving an artificial asymmetry in the analysis of randomness and partially correlated randomness.


international cryptology conference | 1989

Multiparty protocols tolerating half faulty processors

Donald Beaver

We show that a complete broadcast network of n processors can evaluate any function f(x1, ..., xn) at private inputs supplied by each processor, revealing no information other than the result of the function, while tolerating up to t maliciously faulty parties for 2t < n. This improves the previous bound of 3t < n on the tolerable number of faults [BGW88, CCD88]. We demonstrate a resilient method to multiply secretly shared values without using unproven cryptographic assumptions. The crux of our method is a new, non-cryptographic zero-knowledge technique which extends verifiable secret sharing to allow proofs based on secretly shared values. Under this method, a single party can secretly share values v1, ..., vm along with another secret w = P(v1, ..., vm), where P is any polynomial-size circuit; and she can prove to all other parties that w = P(v1, ..., vm), without revealing w or any other information. Our protocols allow an exponentially small chance of error, but are provably optimal in their resilience against Byzantine faults. Furthermore, our solutions use operations over exponentially large fields, greatly reducing the amount of interaction necessary for computing natural functions.


symposium on the theory of computing | 1997

Commodity-based cryptography (extended abstract)

Donald Beaver

We introduce a new paradigm for the efficient design of protocols for secure joint computation requiring minimal interaction. Instead of relying on trusted and specialized devices, unproven cryptographic assumptions, or highly interactive multiparty computations, we propose a commodity-based model in which servers provide security resources to clients but are not involved in the clients' computations themselves. Unlike oracles, which typically provide computational resources such as the results of infeasible computations, these servers assist clients in establishing shared resources for secure computations such as oblivious transfer and circuit evaluation, broadcast and multiparty computations. Unlike protocols for secure multiparty computation, the servers themselves are "non-interactive," having no knowledge whatsoever of each other, and providing security resources in a single message. This approach to secure interactive computing obviates the need for unproven cryptographic assumptions, special hardware (such as oblivious transfer channels), completely connected networks, or global knowledge and synchronization. It gracefully accommodates expansion without introducing bottlenecks (even polynomial) at larger scales. We give explicit constructions supporting oblivious transfer and network multicast.


Journal of Cryptology | 1997

Locally random reductions: Improvements and applications

Donald Beaver; Joan Feigenbaum; Joe Kilian; Phillip Rogaway

A (t, n)-locally random reduction maps a problem instance x into a set of problem instances y1, ..., yn in such a way that it is easy to construct the answer to x from the answers to y1, ..., yn, and yet the distribution on t-element subsets of y1, ..., yn depends only on |x|. In this paper we formalize such reductions and give improved methods for achieving them. Then we give a cryptographic application, showing a new way to prove in perfect zero knowledge that committed bits x1, ..., xm satisfy some predicate Q. Unlike previous techniques for such perfect zero-knowledge proofs, ours uses an amount of communication that is bounded by a fixed polynomial in m, regardless of the computational complexity of Q.


foundations of computer science | 1989

Multiparty computation with faulty majority

Donald Beaver; Shafi Goldwasser

The problem of performing a multiparty computation when more than half of the processors are cooperating Byzantine faults is addressed. It is shown how to compute any Boolean function of n inputs distributively, preserving the privacy of inputs held by nonfaulty processors and ensuring that faulty processors obtain the function value if and only if the nonfaulty processors do. If the nonfaulty processors do not obtain the correct function value, they detect cheating with high probability. The solution is based on a new type of verifiable secret sharing in which the secret is revealed not all at once but in small increments. This process ensures that all processors discover the secret at roughly the same time. The solution assumes the existence of an oblivious transfer protocol and uses broadcast channels. The processors are not required to have equal computing power.


international cryptology conference | 1990

Security with Low Communication Overhead

Donald Beaver; Joan Feigenbaum; Joe Kilian; Phillip Rogaway

We consider the communication complexity of secure multiparty computations by networks of processors each with unlimited computing power. Say that an n-party protocol for a function of m bits is efficient if it uses a constant number of rounds of communication and a total number of message bits that is polynomial in max(m, n). We show that any function has an efficient protocol that achieves (n log n)/m resilience. Ours is the first secure multiparty protocol in which the communication complexity is independent of the computational complexity of the function being computed. We also consider the communication complexity of zero-knowledge proofs of properties of committed bits. We show that every function f of m bits has an efficient notarized envelope scheme; that is, there is a protocol in which a computationally unlimited prover commits a sequence of bits x to a computationally unlimited verifier and then proves in perfect zero-knowledge (without decommitting x) that f(x) = 1, using a constant number of rounds and poly(m) message bits. Ours is the first notarized envelope scheme in which the communication complexity is independent of the computational complexity of f. Finally, we establish a new upper bound on the number of oracles needed in instance-hiding schemes for arbitrary functions. These schemes allow a computationally limited querier to capitalize on the superior power of one or more computationally unlimited oracles in order to obtain f(x) without revealing its private input x to any one of the oracles. We show that every function of m bits has an (m/log m)-oracle instance-hiding scheme. The central technique used in all of these results is locally random reducibility, which was used for the first time in [7] and is formally defined for the first time here. In addition to the applications that we present, locally random reducibility has been applied to interactive proof systems, program checking, and program testing.

Collaboration

Top co-authors of Donald Beaver:

Silvio Micali (Massachusetts Institute of Technology)

Shafi Goldwasser (Weizmann Institute of Science)