Broadcast-Efficient Secure Multiparty Computation

Secure multiparty computation (MPC) is perhaps the most popular paradigm in the area of cryptographic protocols. It allows several mutually untrustworthy parties to jointly compute a function of their private inputs, without revealing to each other information about those inputs. In the case of unconditional (information-theoretic) security, protocols are known which tolerate a dishonest minority of players, who may coordinate their attack and deviate arbitrarily from the protocol specification. It is typically assumed in these results that parties are connected pairwise by authenticated, private channels, and that in addition they have access to a “broadcast” channel. Broadcast allows one party to send a consistent message to all other parties, guaranteeing consistency even if the broadcaster is corrupted. Because broadcast cannot be simulated on the point-to-point network when more than a third of the parties are corrupt, it is impossible to construct general MPC protocols in this setting without using a broadcast channel (or some equivalent addition to the model). A great deal of research has focused on increasing the efficiency of MPC, primarily in terms of round complexity and communication complexity. In this work we propose a refinement of the round complexity which we term broadcast complexity. We view the broadcast channel as an expensive resource and seek to minimize the number of rounds in which it is invoked. 1. We construct an MPC protocol which uses the broadcast channel only three times in a preprocessing phase, after which it is never required again. To the best of our knowledge, ours is the first unconditionally secure MPC protocol for t < n/2 to achieve a constant number of broadcast rounds. In contrast, the best previous protocols we are aware of require Ω(min{n,D}) broadcast rounds, for n parties and circuit of depth D. 2. In the negative direction, we show a lower bound of two broadcast rounds for the specific functionality of Weak Secret Sharing (a.k.a. Distributed Commitment), also a very natural functionality and central building block of many MPC protocols. The broadcast-efficient MPC protocol relies on new constructions of Pseudosignatures and Verifiable Secret Sharing, both of which might be of independent interest. ∗AT&T Labs – Research. Email: garay@research.att.com. †Department of Mathematics, UCLA. Email: cgivens@math.ucla.edu. ‡Departments of Computer Science and Mathematics, UCLA, 3732D Boelter Hall, Los Angeles CA 90095-1596, U.S. Email: rafail@cs.ucla.edu Supported in part by NSF grants 0830803, 09165174, 1065276, 1118126 and 1136174, US-Israel BSF grant 2008411, OKAWA Foundation Research Award, IBM Faculty Research Award, Xerox Faculty Research Award, B. John Garrick Foundation Award, Teradata Research Award, and Lockheed-Martin Corporation Research Award. This material is based upon work supported by the Defense Advanced Research Projects Agency through the U.S. Office of Naval Research under Contract N00014-11-1-0392. The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.

[1]  Torben Hagerup Fast Parallel Generation of Random Permutations , 1991, ICALP.

[2]  Richard Cleve,et al.  Limits on the security of coin flips when half the processors are faulty , 1986, STOC '86.

[3]  Jonathan Katz,et al.  Round-Efficient Secure Computation in Point-to-Point Networks , 2007, EUROCRYPT.

[4]  David Chaum,et al.  Multiparty unconditionally secure protocols , 1988, STOC '88.

[5]  Danny Dolev,et al.  Authenticated Algorithms for Byzantine Agreement , 1983, SIAM J. Comput..

[6]  Chiu Yuen Koo Studies on Fault-tolerant Broadcast and Secure Computation , 2007 .

[7]  David Chaum,et al.  Unconditionally Secure Digital Signatures , 1990, CRYPTO.

[8]  Donald Beaver,et al.  Efficient Multiparty Protocols Using Circuit Randomization , 1991, CRYPTO.

[9]  Moti Yung,et al.  Perfectly secure message transmission , 1993, JACM.

[10]  Martin Hirt,et al.  Efficient Multi-party Computation with Dispute Control , 2006, TCC.

[11]  Donald Beaver,et al.  Secure multiparty protocols and zero-knowledge proof systems tolerating a faulty minority , 2004, Journal of Cryptology.

[12]  Birgit Pfitzmann,et al.  Information-Theoretic Pseudosignatures and Byzantine Agreement for t ≥ n/3 , 2007 .

[13]  Vasek Chvátal,et al.  The tail of the hypergeometric distribution , 1979, Discret. Math..

[14]  Leslie Lamport,et al.  The Byzantine Generals Problem , 1982, TOPL.

[15]  Avi Wigderson,et al.  Completeness theorems for non-cryptographic fault-tolerant distributed computation , 1988, STOC '88.

[16]  Ivan Damgård,et al.  Efficient Multiparty Computations Secure Against an Adaptive Adversary , 1999, EUROCRYPT.

[17]  David Chaum,et al.  The dining cryptographers problem: Unconditional sender and recipient untraceability , 1988, Journal of Cryptology.

[18]  Matthias Fitzi,et al.  Detectable byzantine agreement secure against faulty majorities , 2002, PODC '02.

[19]  Birgit Pfitzmann,et al.  Unconditional Byzantine Agreement with Good Majority , 1991, STACS.

[20]  C. Pandu Rangan,et al.  The Round Complexity of Verifiable Secret Sharing: The Statistical Case , 2010, ASIACRYPT.

[21]  Tal Rabin,et al.  Verifiable secret sharing and multiparty protocols with honest majority , 1989, STOC '89.

[22]  Jonathan Katz,et al.  Improving the round complexity of VSS in point-to-point networks , 2009, Inf. Comput..

[23]  Matthias Fitzi,et al.  Unconditional Byzantine Agreement and Multi-party Computation Secure against Dishonest Minorities from Scratch , 2002, EUROCRYPT.

[24]  Yehuda Lindell,et al.  Secure Multi-Party Computation without Agreement , 2005, Journal of Cryptology.

[25]  Baruch Awerbuch,et al.  Verifiable secret sharing and achieving simultaneity in the presence of faults , 1985, 26th Annual Symposium on Foundations of Computer Science (sfcs 1985).

[26]  Leslie Lamport,et al.  Reaching Agreement in the Presence of Faults , 1980, JACM.