Publication


Featured research published by Martin Hirt.


theory and application of cryptographic techniques | 1999

Efficient multiparty computations secure against an adaptive adversary

Ronald Cramer; Ivan Damgård; Stefan Dziembowski; Martin Hirt; Tal Rabin

We consider verifiable secret sharing (VSS) and multiparty computation (MPC) in the secure-channels model, where a broadcast channel is given and a non-zero error probability is allowed. In this model Rabin and Ben-Or proposed VSS and MPC protocols secure against an adversary that can corrupt any minority of the players. In this paper, we first observe that a subprotocol of theirs, known as weak secret sharing (WSS), is not secure against an adaptive adversary, contrary to what was believed earlier. We then propose new and adaptively secure protocols for WSS, VSS and MPC that are substantially more efficient than the original ones. Our protocols generalize easily to provide security against general Q^2-adversaries.


Journal of Cryptology | 2000

Player Simulation and General Adversary Structures in Perfect Multiparty Computation

Martin Hirt; Ueli Maurer

Abstract. The goal of secure multiparty computation is to transform a given protocol involving a trusted party into a protocol without need for the trusted party, by simulating the party among the players. Indeed, by the same means, one can simulate an arbitrary player in any given protocol. We formally define what it means to simulate a player by a multiparty protocol among a set of (new) players, and we derive the resilience of the new protocol as a function of the resiliences of the original protocol and the protocol used for the simulation. In contrast to all previous protocols that specify the tolerable adversaries by the number of corruptible players (a threshold), we consider general adversaries characterized by an adversary structure, a set of subsets of the player set, where the adversary may corrupt the players of one set in the structure. Recursively applying the simulation technique to standard threshold multiparty protocols results in protocols secure against general adversaries. The classical results in unconditional multiparty computation among a set of n players state that, in the passive model, any adversary that corrupts less than n/2 players can be tolerated, and in the active model, any adversary that corrupts less than n/3 players can be tolerated. Strictly generalizing these results we prove that, in the passive model, every function (more generally, every cooperation specified by involving a trusted party) can be computed securely with respect to a given adversary structure if and only if no two sets in the adversary structure cover the full set of players, and, in the active model, if and only if no three sets cover the full set of players. The complexities of the protocols are polynomial in the number of maximal adverse player sets in the adversary structure.


principles of distributed computing | 1997

Complete characterization of adversaries tolerable in secure multi-party computation (extended abstract)

Martin Hirt; Ueli Maurer

The classical results in unconditional multi-party computation among a set of n players state that less than n/2 passive or less than n/3 active adversaries can be tolerated; assuming a broadcast channel the threshold for active adversaries is n/2. Strictly generalizing these results we specify the set of potentially misbehaving players as an arbitrary set of subsets of the player set. We prove the necessary and sufficient conditions for the existence of secure multi-party protocols in terms of the potentially misbehaving player sets. For every function there exists a protocol secure against a set of potential passive collusions if and only if no two of these collusions add up to the full player set. The same condition applies for active adversaries when assuming a broadcast channel. Without broadcast channels, for every function there exists a protocol secure against a set of potential active adverse player sets if and only if no three of these sets add up to the full player set. The complexities of the protocols not using a broadcast channel are polynomial, that of the protocol with broadcast is only slightly higher.


theory of cryptography conference | 2006

Efficient multi-party computation with dispute control

Zuzana Beerliová-Trubíniová; Martin Hirt

Secure multi-party computation (MPC) allows a set of n players to securely compute an agreed function of their inputs, even when up to t players are under the control of an (active or passive) adversary. In the information-theoretic model MPC is possible if and only if t < n/2 (where active security with t ≥ n/3 requires a trusted key setup). Known passive MPC protocols require a communication of O(n^2) field elements per multiplication. Recently, the same communication complexity was achieved for active security with t < n/3. It remained an open question whether O(n^2) complexity is achievable for n/3 ≤ t < n/2. We answer this question in the affirmative by presenting an active MPC protocol that provides optimal (t < n/2) security and communicates only O(n^2) field elements per multiplication. Additionally the protocol broadcasts O(n^3) field elements overall, for the whole computation. The communication complexity of the new protocol is to be compared with the most efficient previously known protocol for the same model, which requires broadcasting Ω(n^5) field elements per multiplication. This substantial reduction in communication is mainly achieved by applying a new technique called dispute control: During the course of the protocol, the players keep track of disputes that arise among them, and the ongoing computation is adjusted such that known disputes cannot arise again. Dispute control is inspired by the player-elimination framework. However, player elimination is not suited for models with t ≥ n/3.


international conference on the theory and application of cryptology and information security | 2000

Efficient Secure Multi-party Computation

Martin Hirt; Ueli Maurer; Bartosz Przydatek

Since the introduction of secure multi-party computation, all proposed protocols that provide security against cheating players suffer from very high communication complexities. The most efficient unconditionally secure protocols among n players, tolerating cheating by up to t < n/3 of them, require communicating O(n^6) field elements for each multiplication of two elements, even if only one player cheats. In this paper, we propose a perfectly secure multi-party protocol which requires communicating O(n^3) field elements per multiplication. In this protocol, the number of invocations of the broadcast primitive is independent of the size of the circuit to be computed. The proposed techniques are generic and apply to other protocols for robust distributed computations. Furthermore, we show that a sub-protocol proposed in [GRR98] for improving the efficiency of unconditionally secure multi-party computation is insecure.


principles of distributed computing | 2006

Optimally efficient multi-valued byzantine agreement

Matthias Fitzi; Martin Hirt

All known protocols for Byzantine agreement (BA) among n players require the message to be communicated at least Ω(n^2) times, which results in an overall communication complexity of at least Ω(l n^2) bits for an l-bit message. We present the first BA protocol in which the message is communicated only O(n) times (the hidden factor is less than 2). More concretely, for a given synchronous broadcast protocol which communicates B(b) bits for reaching agreement on a b-bit message with security parameter κ, our construction yields a synchronous BA protocol with communication complexity O(l n + n B(n + κ)) bits. Our reduction is information theoretically secure and tolerates up to t < n/2 corrupted players, which is optimal for the consensus variant of BA. Although this resilience is not optimal for the broadcast (Byzantine generals) variant, it is sufficient for most distributed applications that involve BA protocols since they typically require t < n/2.


international cryptology conference | 2006

Robust multiparty computation with linear communication complexity

Martin Hirt; Jesper Buus Nielsen

We present a robust multiparty computation protocol. The protocol is for the cryptographic model with open channels and a poly-time adversary, and allows n parties to actively securely evaluate any poly-sized circuit with resilience t < n/2. The total communication complexity in bits over the point-to-point channels is O(S n κ + n BC), where S is the size of the circuit being securely evaluated, κ is the security parameter and BC


international cryptology conference | 2001

Robustness for Free in Unconditional Multi-party Computation

Martin Hirt; Ueli Maurer


international conference on the theory and application of cryptology and information security | 2007

Simple and efficient perfectly-secure asynchronous MPC

Zuzana Beerliová-Trubíniová; Martin Hirt


theory and application of cryptographic techniques | 2013

Resource-Restricted Indifferentiability

Grégory Demay; Peter Gaži; Martin Hirt; Ueli Maurer

Top Co-Authors

Arpita Patra

Indian Institute of Science
