Communication Locality in Secure Multi-party Computation - How to Run Sublinear Algorithms in a Distributed Setting

We devise multi-party computation protocols for general secure function evaluation with the property that each party is only required to communicate with a small number of dynamically chosen parties. More explicitly, starting with n parties connected via a complete and synchronous network, our protocol requires each party to send messages to (and process messages from) at most polylog(n) other parties using polylog(n) rounds. It achieves secure computation of any polynomial-time computable randomized function f under cryptographic assumptions, and tolerates up to $({1\over 3} - \epsilon) \cdot n$ statically scheduled Byzantine faults. We then focus on the particularly interesting setting in which the function to be computed is a sublinear algorithm: An evaluation of f depends on the inputs of at most q=o(n) of the parties, where the identity of these parties can be chosen randomly and possibly adaptively. Typically, q=polylog(n). While the sublinear query complexity of f makes it possible in principle to dramatically reduce the communication complexity of our general protocol, the challenge is to achieve this while maintaining security: in particular, while keeping the identities of the selected inputs completely hidden. We solve this challenge, and we provide a protocol for securely computing such sublinear f that runs in polylog(n)+O(q) rounds, has each party communicating with at most q ·polylog(n) other parties, and supports message sizespolylog(n) ·(l+n), where l is the parties' input size. Our optimized protocols rely on a multi-signature scheme, fully homomorphic encryption (FHE), and simulation-sound adaptive NIZK arguments. However, we remark that multi-signatures and FHE are used to obtain our bounds on message size and round complexity. Assuming only standard digital signatures and public-key encryption, one can still obtain the property that each party only communicates with polylog(n) other parties. We emphasize that the scheduling of faults can depend on the initial PKI setup of digital signatures and the NIZK parameters.

[1]  R. J. McEliece,et al.  On sharing secrets and Reed-Solomon codes , 1981, CACM.

[2]  Brent Waters,et al.  Efficient Identity-Based Encryption Without Random Oracles , 2005, EUROCRYPT.

[3]  Yehuda Lindell,et al.  Secure Computation on the Web: Computing without Simultaneous Interaction , 2011, IACR Cryptol. ePrint Arch..

[4]  Manuel Blum,et al.  Non-Interactive Zero-Knowledge and Its Applications (Extended Abstract) , 1988, STOC 1988.

[5]  Robert Krauthgamer,et al.  Private approximation of NP-hard functions , 2001, STOC '01.

[6]  Ivan Damgård,et al.  Scalable and Unconditionally Secure Multiparty Computation , 2007, CRYPTO.

[7]  Craig Gentry,et al.  Fully homomorphic encryption using ideal lattices , 2009, STOC '09.

[8]  Avi Wigderson,et al.  Completeness theorems for non-cryptographic fault-tolerant distributed computation , 1988, STOC '88.

[9]  Yuval Ishai,et al.  Scalable Multiparty Computation with Nearly Optimal Work and Resilience , 2008, CRYPTO.

[10]  Ueli Maurer,et al.  Indistinguishability Amplification , 2007, CRYPTO.

[11]  Adi Shamir,et al.  Multiple non-interactive zero knowledge proofs based on a single random string , 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[12]  Jonathan Katz,et al.  Secure two-party computation in sublinear (amortized) time , 2012, CCS.

[13]  David Chaum,et al.  Multiparty unconditionally secure protocols , 1988, STOC '88.

[14]  David Chaum,et al.  Multiparty Unconditionally Secure Protocols (Abstract) , 1987, CRYPTO.

[15]  Hovav Shacham,et al.  Aggregate and Verifiably Encrypted Signatures from Bilinear Maps , 2003, EUROCRYPT.

[16]  A. Czumaj,et al.  Switching Networks for Generating Random Permutations , 2001 .

[17]  Silvio Micali,et al.  Accountable-subgroup multisignatures: extended abstract , 2001, CCS '01.

[18]  Amit Sahai,et al.  Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[19]  Rafail Ostrovsky,et al.  Improved Fault Tolerance and Secure Computation on Sparse Networks , 2010, ICALP.

[20]  Rafail Ostrovsky,et al.  Software protection and simulation on oblivious RAMs , 1996, JACM.

[21]  Craig Gentry,et al.  (Leveled) fully homomorphic encryption without bootstrapping , 2012, ITCS '12.

[22]  Moni Naor,et al.  Communication preserving protocols for secure function evaluation , 2001, STOC '01.

[23]  Joan Feigenbaum,et al.  Secure Multiparty Computation of Approximations , 2001, ICALP.

[24]  Baruch Awerbuch,et al.  Verifiable secret sharing and achieving simultaneity in the presence of faults , 1985, 26th Annual Symposium on Foundations of Computer Science (sfcs 1985).

[25]  Jared Saia,et al.  Brief announcement: breaking the O(nm) bit barrier, secure multiparty computation with a static adversary , 2012, PODC '12.

[26]  Vinod Vaikuntanathan,et al.  On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption , 2012, STOC '12.

[27]  Ben Adida,et al.  How to Shuffle in Public , 2007, TCC.

[28]  Jared Saia,et al.  Breaking the O(n2) bit barrier: scalable byzantine agreement with an adaptive adversary , 2010, PODC.

[29]  Vinod Vaikuntanathan,et al.  Efficient Fully Homomorphic Encryption from (Standard) LWE , 2011, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science.

[30]  Erik Vee,et al.  Scalable leader election , 2006, SODA '06.

[31]  Rafail Ostrovsky,et al.  Sequential Aggregate Signatures and Multisignatures Without Random Oracles , 2006, EUROCRYPT.

[32]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[33]  Jared Saia,et al.  Load Balanced Scalable Byzantine Agreement through Quorum Building, with Full Information , 2011, ICDCN.

[34]  Manuel Blum,et al.  Noninteractive Zero-Knowledge , 1991, SIAM J. Comput..

[35]  Rafail Ostrovsky,et al.  Robust Non-interactive Zero Knowledge , 2001, CRYPTO.

[36]  David P. Woodruff,et al.  Polylogarithmic Private Approximations and Efficient Matching , 2006, TCC.

[37]  Silvio Micali,et al.  Optimal algorithms for Byzantine agreement , 1988, STOC '88.

[38]  Vinod Vaikuntanathan,et al.  Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE , 2012, EUROCRYPT.

[39]  Silvio Micali,et al.  How to play ANY mental game , 1987, STOC.

[40]  Rafail Ostrovsky,et al.  Edge Fault Tolerance on Sparse Networks , 2012, ICALP.

[41]  Craig Gentry,et al.  Fully Homomorphic Encryption without Bootstrapping , 2011, IACR Cryptol. ePrint Arch..

[42]  Yuval Ishai,et al.  Perfectly Secure Multiparty Computation and the Computational Overhead of Cryptography , 2010, IACR Cryptol. ePrint Arch..

[43]  Yuval Ishai,et al.  Scalable Secure Multiparty Computation , 2006, CRYPTO.

[44]  Manuel Blum,et al.  Non-interactive zero-knowledge and its applications , 1988, STOC '88.

[45]  Ran Canetti,et al.  Security and composition of cryptographic protocols: a tutorial (part I) , 2006, SIGA.

[46]  Jonathan Katz,et al.  Secure Computation with Sublinear Amortized Work , 2011, IACR Cryptol. ePrint Arch..

[47]  Yehuda Lindell,et al.  A Full Proof of the BGW Protocol for Perfectly Secure Multiparty Computation , 2015, Journal of Cryptology.