The difference between theory and practice often rests on one major factor: efficiency. In distributed systems, communication is usually expensive, and protocols designed for practical use must require as few rounds of communication and as small messages as possible.

A secure multiparty protocol to compute a function F is a protocol that, when each player i of n players starts with a private input x_i, provides each participant i with F(x_1, ..., x_n) without revealing more information than can be derived from learning the function value. Some number l of the players may be corrupted by an adversary, who may then change the messages they send. Recent solutions to this problem have suffered in practical terms: while they theoretically use only polynomially many rounds, in practice the constants and exponents of those polynomials are too large. Normally, such protocols express F as a circuit C_F, call on each player to secretly share x_i, and then perform "secret addition and multiplication" on the secretly shared values. The cost is proportional to the depth of C_F times the cost of a secret multiplication, and a secret multiplication requires several rounds of interaction.

We present a protocol that simplifies the body of such a protocol and significantly reduces the number of rounds of interaction. The steps of our protocol take advantage of a new and counterintuitive technique for evaluating a circuit: set every input to every gate in the circuit completely at random, and then make corrections. Our protocol replaces each secret multiplication (a multiplication that requires further sharing, addition, zero-knowledge proofs, and secret reconstruction) used in the body of a standard protocol by a simple reconstruction of secretly shared values, thereby reducing the number of rounds by an order of magnitude. Furthermore, these reconstructions require only broadcast messages (and do not require Byzantine Agreement).

The simplicity of broadcast and reconstruction provides efficiency and ease of implementation. Our transformation is simple and compatible with other techniques for reducing rounds.
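The randomize-then-correct idea described above, worked as an added example that is not the paper's own code: each multiplication gate consumes a secret-shared random triple (a, b, ab) produced ahead of time, and then needs only two reconstructions, of the masked values x - a and y - b, which every player broadcasts in the clear. The prime field, the player count and threshold, and the trusted dealer standing in for the preprocessing phase are assumptions of this example.

```python
"""Added example (not code from the paper): secure multiplication of Shamir-shared
values by randomizing the gate inputs and then correcting, so that the only
interaction per gate is the reconstruction of two public values.
The field, the (n, t) parameters and the trusted-dealer preprocessing are
assumptions chosen to keep the example self-contained."""
import secrets

P = 2**61 - 1  # Mersenne prime; the field choice is an assumption of this example
N, T = 5, 2    # 5 players, degree-2 sharing polynomials: any 3 shares reconstruct


def share(secret, n=N, t=T):
    """Shamir-share `secret` under a random degree-t polynomial; returns [(i, f(i))]."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return [(i, sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P)
            for i in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at 0 from any t+1 or more shares (a broadcast step)."""
    total = 0
    for i, yi in shares:
        num, den = 1, 1
        for j, _ in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


# Linear operations on shares are local: no interaction at all.
def add_shares(xs, ys):
    return [(i, (a + b) % P) for (i, a), (_, b) in zip(xs, ys)]


def scale_shares(k, xs):
    return [(i, k * a % P) for i, a in xs]


def add_const(xs, k):
    # A public constant is added to every share; interpolation at 0 is linear.
    return [(i, (a + k) % P) for i, a in xs]


def random_triple():
    """Preprocessing: shares of a, b and ab for uniformly random a, b.
    A trusted dealer is assumed here; the protocol would generate these
    before the inputs are known, so their cost is off the critical path."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return share(a), share(b), share(a * b % P)


def beaver_multiply(xs, ys, triple):
    """One multiplication gate on shares of x and y.

    The gate inputs are first 'randomized': d = x - a and e = y - b are
    reconstructed (each player broadcasts one share of each).  Because a and b
    are uniform and secret, d and e are uniform and leak nothing about x, y.
    The correction x*y = ab + d*b + e*a + d*e is then purely local.
    Returns the shares of x*y and the two public values that were broadcast."""
    a_sh, b_sh, c_sh = triple
    d = reconstruct(add_shares(xs, scale_shares(P - 1, a_sh)))  # x - a
    e = reconstruct(add_shares(ys, scale_shares(P - 1, b_sh)))  # y - b
    z = add_shares(c_sh, scale_shares(d, b_sh))   # ab + d*b
    z = add_shares(z, scale_shares(e, a_sh))      # ... + e*a
    return add_const(z, d * e % P), (d, e)        # ... + d*e


def secure_x_times_y_plus_z(x, y, z):
    """Evaluate the tiny circuit x*y + z on shared inputs and open the result.
    One reconstruction round for the gate, one for the output."""
    prod, _ = beaver_multiply(share(x), share(y), random_triple())
    return reconstruct(add_shares(prod, share(z)))


if __name__ == "__main__":
    x, y, z = 123456789, 987654321, 7
    print(secure_x_times_y_plus_z(x, y, z) == (x * y + z) % P)
```

Two points a practitioner should keep in mind: a triple must never be reused, since two gates masked by the same a would let an observer subtract the two broadcast values and learn x - x'; and the example assumes honest players, so the reconstructions here carry no error correction or proofs that a corrupted player's broadcast share is consistent with its sharing.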