Almost-Asynchronous MPC with Faulty Minority

Secure multiparty computation (MPC) allows a set of parties to securely evaluate any agreed function of their inputs, even when up to t of the n parties are faulty. Protocols for synchronous networks (where every sent message is assumed to arrive within a constant time) tolerate up to t < n/2 faulty parties, whereas in the more realistic asynchronous setting (with no a priori information on the maximal message delay) only security against t < n/3 is possible. Note that even asynchronous Byzantine agreement requires t < n/3. In this paper, we are interested in the minimal synchronicity assumption for achieving security against t < n/2. It turns out that the bottleneck of asynchronous MPC is the distribution of the inputs: once the inputs are correctly distributed, any deterministic function can be computed over a fully asynchronous network with t < n/2. Furthermore, we show that the inputs can be verifiably distributed with t < n/2 if a single round of synchronous broadcast is available. Composing the above, we obtain the first MPC protocol that achieves security against t < n/2 without assuming a fully synchronous network. In fact, our protocol guarantees security against any faulty minority in an almost asynchronous network, i.e. in a network with one single round of synchronous broadcast (followed by fully asynchronous communication). Furthermore, our protocol takes the inputs of all parties (in a fully asynchronous network only the inputs of n - t parties can be guaranteed), and so achieves everything that is possible in synchronous networks (but impossible in fully asynchronous networks) at the price of just one synchronous broadcast round.
As tools for our protocol we introduce the notions of almost non-interactive verifiable secret-sharing and almost non-interactive zero-knowledge proof of knowledge, which are of independent interest as they can serve as efficient replacements for fully non-interactive verifiable secret-sharing and fully non-interactive zero-knowledge proof of knowledge.

⋆ This work was supported by the Zurich Information Security Center, and by the Danish Agency for Science Technology and Innovation. It represents the views of the authors.
