The Resiliency of MPC with Low Interaction: The Benefit of Making Errors (Extended Abstract)

Applebaum, Benny; Kachlon, Eliran; Patra, Arpita

doi:10.1007/978-3-030-64378-2_20

Benny Applebaum¹⁰,
Eliran Kachlon¹⁰ &
Arpita Patra¹¹

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12551))

Included in the following conference series:

Theory of Cryptography Conference

493 Accesses
6 Citations

Abstract

We study information-theoretic secure multiparty protocols that achieve full security, including guaranteed output delivery, at the presence of an active adversary that corrupts a constant fraction of the parties. It is known that 2 rounds are insufficient for such protocols even when the adversary corrupts only two parties (Gennaro, Ishai, Kushilevitz, and Rabin; Crypto 2002), and that perfect protocols can be implemented in 3 rounds as long as the adversary corrupts less than a quarter of the parties (Applebaum, Brakerski, and Tsabary; Eurocrypt, 2019). Furthermore, it was recently shown that the quarter threshold is tight for any 3-round perfectly-secure protocol (Applebaum, Kachlon, and Patra; FOCS 2020). Nevertheless, one may still hope to achieve a better-than-quarter threshold at the expense of allowing some negligible correctness errors and/or statistical deviations in the security.

Our main results show that this is indeed the case. Every function can be computed by 3-round protocols with statistical security as long as the adversary corrupts less than third of the parties. Moreover, we show that any better resiliency threshold requires 4 rounds. Our protocol is computationally inefficient and has an exponential dependency in the circuit’s depth d and in the number of parties n. We show that this overhead can be avoided by relaxing security to computational, assuming the existence of a non-interactive commitment (NICOM). Previous 3-round computational protocols were based on stronger public-key assumptions. When instantiated with statistically-hiding NICOM, our protocol provides everlasting statistical security, i.e., it is secure against adversaries that are computationally unlimited after the protocol execution.

To prove these results, we introduce a new hybrid model that allows for 2-round protocols with linear resiliency threshold. Here too we prove that, for perfect protocols, the best achievable resiliency is n/4, whereas statistical protocols can achieve a threshold of n/3. In the plain model, we also construct the first 2-round n/3-statistical verifiable secret sharing that supports second-level sharing and prove a matching lower-bound, extending the results of Patra, Choudhary, Rabin, and Rangan (Crypto 2009). Overall, our results refine the differences between statistical and perfect models of security, and show that there are efficiency gaps even for thresholds that are realizable in both models.

The full version of this paper can be found in [7]. The first two authors are supported by the European Union’s Horizon 2020 Programme (ERC-StG-2014–2020) under grant agreement no. 639813 ERC-CLC, and the Check Point Institute for Information Security. Arpita Patra would like to acknowledge financial support from SERB MATRICS (Theoretical Sciences) Grant 2020 and Google India AI/ML Research Award 2020.

You have full access to this open access chapter, Download conference paper PDF

Non-Interactive MPC with Trusted Hardware Secure Against Residual Function Attacks

On the Power of Secure Two-Party Computation

Multiparty Reusable Non-interactive Secure Computation from LWE

Keywords

1 Introduction

Interaction is a valuable and expensive resource in cryptography and distributed computation. Consequently, a huge amount of research has been devoted towards characterizing the amount of interaction, typically measured via round complexity, that is needed for various distributed tasks (e.g., Byzantine agreement [27, 29, 44], coin flipping [24, 45], and zero-knowledge proofs [19, 35]) under different security models. In this paper, we focus on two central cryptographic goals: secure-multiparty-computation (MPC) of general n-party functionalities and verifiable secret sharing (VSS) [23]. We strive for full information-theoretic security, including guaranteed output delivery, at the presence of a computationally-unbounded active (aka Byzantine or malicious) rushing adversary that controls up to t of the parties. In this setting, originally presented in the classical works of Ben-Or, Goldwasser, and Wigderson [17] and Chaum, Crépeau and Damgård [21], we assume that each pair of parties is connected by a secure and authenticated point-to-point channel and that all parties have access to a common broadcast channel, which allows each party to send a message to all players and ensures that the received message is identical.

The round complexity of information-theoretic MPC was extensively studied [2,3,4,5, 8, 12, 16, 28, 31, 32, 34, 37, 39,40,41, 43, 46, 52]. For passive perfect security, it was recently showed that optimal resiliency of $t=\left\lfloor (n-1)/2 \right\rfloor $ and optimal round complexity of two can be simultaneously achieved [4, 31]. For active-security the picture is more complicated, and there seems to be a tradeoff between the number of rounds r and the resiliency threshold t. If the adversary is allowed to corrupt a single party ($t=1$) then 2 rounds are sufficient whenever $n\ge 4$ [37]. Any larger resiliency threshold $t>1$ requires at least three rounds [32, 34]. For 3-round error-free perfectly-secure protocols, it was recently showed that a resiliency threshold of $t=\left\lfloor (n-1)/4 \right\rfloor $ is achievable [5] and that no better resiliency can be achieved [8]. The latter paper also shows that, for error-free perfectly-secure protocols, 4 rounds suffice for a threshold of $t_p=\left\lfloor (n-1)/3 \right\rfloor $ which is known to be optimal for perfect protocols regardless of their round complexity [17].

In this paper, we will be studying the other extreme point of this tradeoff. We fix a minimal model of communication (i.e., a round-complexity bound $r_{\text {min}}$) for which linear resiliency is realizable, and try to characterize the best achievable resiliency t within this model. Since 2-round protocols cannot achieve resiliency larger than 1, we ask:

Q1: What is the best resiliency threshold t that can be achieved by a three-round protocol with full information-theoretic active security? Can we beat the $\left\lfloor (n-1)/4 \right\rfloor $ perfect-MPC barrier by resorting to statistical security?

Q2: Can we formalize a meaningful two-round model in which a linear resiliency threshold is achievable ?

We provide a complete answer to the first question and show that statistical three-round protocols can achieve $\left\lfloor (n-1)/3 \right\rfloor $ resiliency and nothing beyond that! We also answer the second question to the affirmative by presenting a new two-round hybrid model in which linear-resiliency is achievable. This model will serve as a stepping stone towards constructing three-round protocols. Along the way, we reveal new interesting differences between perfectly-secure error-free protocols to protocols that achieve perfect-secrecy but make errors with negligible probability. We continue with a detailed account of our results starting with the two-round hybrid model.

1.1 Two-Round Protocols in a Single-Input First-Round Hybrid Model

Single-Input First-Round Hybrid (SIFR) Model. We present a new Single-Input First-Round Hybrid Model (SIFR). In this model the communication network, which contains the usual peer-to-peer/broadcast channels, is augmented with some ideal n-party functionalities $\mathcal {F}$ that are restricted in two ways: (1) Every party $P_i$ is allowed to invoke the functionalities multiple times but only during the first round; and (2) The ideal functionalities must be single-input functionalities, that is, when $P_i$ invokes a functionality $\mathcal {F}_{\mathsf {si}}^i:\{0,1\}^*\rightarrow \left( \{0,1\}^*\right) ^n$ the functionality delivers an output that depends only on the input of $P_i$. For example, both the authenticated-private channel functionality (that delivers a message from $P_i$ to $P_j$) and the broadcast functionality (that delivers a message from $P_i$ to all other parties) are simple instances of single-input functionalities. A more interesting example is the polynomial-VSS functionality that takes from $P_i$ a degree-t polynomial Q over some finite field ${\mathbb {F}}$, and delivers to every party $P_j$ an evaluation of Q in some canonical point $\alpha _j\in {\mathbb {F}}$. We refer to this model as the $\mathcal {F}$-SIFR model or simply as the SIFR model when we wish to keep the oracles $\mathcal {F}$ unspecified.

We will be interested in two-round protocols in the SIFR model. In such protocols, all the first-round messages depend solely on the input of a single party and the only “mixing” (between different inputs of different parties) occurs during the second round. Hence, two rounds are indeed essential for computing any non-trivial functionality. As an additional feature, we note that single-input functionalities can be trivially implemented with passive security via a single-round protocol, and so any two-round protocol in the SIFR model immediately translates into a two-round passively-secure protocol in the plain model.

Limitations of Perfect protocols in SIFR Model. To get a sense of the model, note that one can perfectly compute any degree-2 functionality over any finite field ${\mathbb {F}}$ of size larger than n with resiliency of $t=\left\lfloor (n-1)/4 \right\rfloor $. Roughly speaking, at the first round each party uses the single-input $\mathcal {F}_{\mathsf {poly}}$ functionality to share each input via Shamir-based secret-sharing with polynomials of degree t; then each party locally computes the functionality over the shares (making an arbitrary number of additions and a single multiplication). At the end of this local computation, each party holds a share of the output that lies on a degree-2t polynomial. At the second round, the parties broadcast the output shares and apply Reed-Solomon decoding to overcome the effect of at most t adversarial corruptions.^{Footnote 1} In fact, it was recently showed in [8] (building on [5]) that degree-2 functionalities over any binary extension field are complete under non-interactive reductions either with perfect resiliency of $\left\lfloor (n-1)/3 \right\rfloor $ or with statistical resiliency of $\left\lfloor (n-1)/2 \right\rfloor $. Therefore, the above observation yields an $\left\lfloor (n-1)/4 \right\rfloor $-perfect protocol in our model for an arbitrary functionality. In the full version [7], we prove that for perfect protocols this is the best achievable threshold.

Theorem 1 (perfect 2-round SIFR-protocols)

General n-party functionalities can be perfectly-computed in two rounds in the SIFR Model with resiliency of t if and only if $t\le \left\lfloor (n-1)/4 \right\rfloor $.

The upper-bound holds in the $\mathcal {F}_{\mathsf {poly}}$-SIFR model. The lower-bound holds relative to any (vector of) computationally-unbounded single-input functionalities and applies even when the adversary is non-rushing. In fact, the negative result shows that even the AND functionality cannot be computed in this model. As a corollary, for any $t\ge n/4$, the theorem rules out the existence of t-private secret sharing scheme that is robustly-multiplicative in the sense that parties can locally convert shares of x and shares of y to shares of xy that are t-robust, i.e., they are recoverable even at the presence of t-corruptions. (This notion of multiplicative secret-sharing is stronger than the standard variants of multiplicative and strongly-multiplicative secret sharing, see [26].) The negative part of Theorem 1 is proved by turning a two-round n/4-perfectly secure protocol for the AND-functionality in the SIFR hybrid model into a two-party protocol in the plain model for AND with perfect security against semi-honest adversaries, contradicting the impossibility result of [22].

Statistical Protocols in $\mathcal {F}_{\mathsf {vsh}}$-SIFR Model. We show that the n/4 lower-bound can be bypassed by allowing the protocol to make negligible correctness errors while preserving perfect secrecy.^{Footnote 2} Our protocol makes use of the bivariate version of the VSS functionality, denoted by $\mathcal {F}_{\mathsf {vsh}}$. Roughly speaking, this single-input functionality receives a symmetric bivariate polynomial F(x, y) of degree less than or equal to t from a dealer and sends the polynomial $f_i(x) = F(x,i)$ to every party $P_i$. (See Fig. 2 in Sect. 3 for a formal definition.)

Theorem 2 (statistical 2-round SIFR-protocols)

Any n-party functionality f of degree-2 over some finite field ${\mathbb {F}}$ of cardinality larger than n can be computed by a two-round $\mathcal {F}_{\mathsf {vsh}}$-SIFR protocol with $\left\lfloor (n-1)/3 \right\rfloor $-resiliency, perfect-secrecy, statistical-correctness and complexity of $\mathrm{poly}(S,n, \log |{\mathbb {F}}|,\log (1/\epsilon ))$ where S is the circuit size of f and $\epsilon $ is the error probability.

Moreover, a similar result applies to any functionality f except that the complexity is also exponential in the depth of the Boolean circuit that computes f. The dependency in the depth can be avoided at the expense of downgrading security to computational and under the assumption that one-way functions exist.

The “Moreover” part follows from the first part by using the aforementioned completeness of degree-2 functionalities [8, Theorem. 5.23] whose overhead is exponential in the circuit’s depth in the case of information-theoretic security. This makes the statistical variant of the theorem efficient only for $\text {NC}^1$ functionalities.^{Footnote 3} Similar limitations apply to all known constant-round protocols in the information-theoretic setting even for the case of passively-secure protocols. Let us further mention that even inefficient protocols are non-trivial since security holds against a computationally-unbounded adversary.

On the proof of Theorem. 2: Round Compression via Guards. The proof of Theorem 2 is based on several novel components. In a nutshell, following a blue-print suggested in [8], we derive a three-round protocol $\pi $ in the SIFR-hybrid model. We then exploit the special structure of the last two-rounds and show how to compress them into a single round. In slightly more concrete terms, at the end of the first round, some party, say Alice, holds two values a and b and some other party, say Bob, also has a copy of b. (Think of b as a secret-share that was shared by Alice in the first round of $\pi $.) The purpose of the remaining rounds is to release to all parties a value $c=g(a,b)$ that depends on Alice’s a and Bob’s b while keeping b private. This is done by using two additional rounds: First Alice broadcasts a, and then Bob computes the value c based on (a, b) and broadcasts the result. The key observation is that all the relevant information (a and b) is known to Alice, and the role of Bob is to make sure that the outcome c is computed properly with respect to his own copy of b. (Other consistency mechanisms take care of the “correctness” of a). We abstract this notion via a new form of Secure Computation with a Guard (SCG) and show that if one is willing to tolerate statistical errors, then any function g can be realized (in the plain model) by a single-round protocol that employs correlated randomness. Furthermore, the correlated randomness can be sampled by Bob in a single preprocessing round. This allows us to collapse the last two rounds of $\pi $ into a single round (plus an additional offline preprocessing that is being handled during the first round.) Overall, our single-round SCG’s allow us to compress the three-round SIFR-protocol into a two-round SIFR-protocol. The resulting protocol makes use of the $\mathcal {F}_{\mathsf {vsh}}$ functionality and an additional single-input functionality $\mathcal {F}_{\mathsf {tsh}}$ that essentially deals the shares of a random multiplicative triple $(a,b,c=ab)$. In order to remove the $\mathcal {F}_{\mathsf {tsh}}$ oracle, we first implement it in three-rounds in the $\mathcal {F}_{\mathsf {vsh}}$-SIFR model, and then compress the last round via an additional use of SCG. (See Sect. 3 for further details.) Our SCG constructions are based on a combination of message-authentication codes (MACs) and multiparty private-simultaneous-message protocols [28, 38] (also known as fully-decomposable randomized encoding of functions [6, 39]). (See Sect. 2 for details.)

1.2 Two-Round Verifiable Secret Sharing

Motivated by Theorem 2, our next goal is to realize the $\mathcal {F}_{\mathsf {vsh}}$ functionality in the standard model within a minimal number of rounds. The round complexity of VSS was extensively studied in the literature [1, 10, 30, 32, 37, 42, 43, 46, 49]. In the perfect setting, we have a complete answer: In order to achieve a linear resiliency t, one must use a two-round protocol, and within this “budget” the best achievable resiliency is $t= \left\lfloor (n-1)/4 \right\rfloor $ [32]. Patra et al. [46] were the first to suggest that this bound may be bypassed by allowing negligible statistical errors. Specifically, they view VSS as a stand-alone two-phase primitive, and showed that the sharing phase of VSS with statistical error and perfect secrecy can be realized in two rounds if and only if $t\le \left\lfloor (n-1)/3 \right\rfloor $.

Unfortunately, the resulting protocol does not implement the polynomial-based $\mathcal {F}_{\mathsf {vsh}}$-functionality and so we cannot plug it into Theorem 2. Indeed, the existing protocol suffer from several caveats that make it less suitable for MPC applications. Specifically, after the sharing phase some of the honest parties may not hold a valid share, let alone a “second-level share”. In addition, the sub-protocol needed for the “reconstruction” phase is relatively complicated and requires two rounds. In contrast, existing perfect VSS protocols [32, 42] realize the $\mathcal {F}_{\mathsf {vsh}}$ functionality, and correspondingly enable a trivial single-round reconstruction in which the parties broadcast their views. The possibility of an analogous statistical realization of $\mathcal {F}_{\mathsf {vsh}}$ in two rounds and resiliency threshold of $\left\lfloor (n-1)/3 \right\rfloor $ was left open by previous works. We answer this question in the affirmative. (See Sect. 4 for further details.)

Theorem 3

(2-round statistical protocols for $\mathcal {F}_{\mathsf {vsh}}$ ). There exists a 2-round protocol that $\left\lfloor (n-1)/3 \right\rfloor $-securely realizes the n-party functionality $\mathcal {F}_{\mathsf {vsh}}$ over an arbitrary finite field ${\mathbb {F}}$ with perfect-secrecy and statistical-correctness. The communication complexity is polynomial in $n,\log |{\mathbb {F}}|$ and $\log (1/\epsilon )$ where $\epsilon $ is the error-probability. The computational complexity is polynomial in $\log |{\mathbb {F}}|,\log (1/\epsilon )$ and exponential in the number of parties.

The exponential dependency in the number of parties is due to the use of a clique finding algorithm over an “agreement graph” of size n. While this dependency is unfortunate, the protocol is still meaningful since it provides security against unbounded adversaries. The existence of a similar protocol with polynomial dependency in n is left as an interesting open question.

Resiliency Lower-bounds. We further strengthen the lower-bounds of [46] and show that any resiliency of $t\ge n/3$ cannot be achieved by a VSS with a two-round sharing phase even if both secrecy and correctness are statistical, and even if the adversary is non-rushing. This result applies to the more general setting where the VSS is viewed as a two-phase primitive, as opposed to an MPC functionality. (See the full version [7] for further details.) We also reveal an additional qualitative difference for the $t\ge n/3$ regime: No matter how many rounds are used in the sharing phase, the reconstruction phase cannot be implemented by letting the parties broadcast their local view. That is, even during the reconstruction some secrecy must be maintained. (See the full version [7] for further details.) Indeed, existing constructions in this regime [43, 51], employ information-theoretic MACs or signatures and keep some of the secret-key information private even during reconstruction. Our lower-bound shows that this is inherent.

1.3 Three-Round MPC in the Standard Model

We can now get back to the case of three-round plain-model protocols for general functionalities. Recall that in Q1 we asked what is the best resiliency that can be achieved by 3 rounds protocols. This question was recently resolved in the perfect setting. Specifically, it was shown that 3 rounds can achieve a resiliency of $t=\left\lfloor (n-1)/4 \right\rfloor $ [5]^{Footnote 4}, and that even a slightly better resiliency threshold of $t=\left\lfloor (n-1)/4 \right\rfloor +1$ requires at least four rounds [8].^{Footnote 5}

Again, we show that a small statistical error allows us to bypass the lower-bound. Specifically, by taking the two-round $\mathcal {F}_{\mathsf {vsh}}$-SIFR protocol from Theorem 2 and instantiating the $\mathcal {F}_{\mathsf {vsh}}$ oracle with the two-round implementation from Theorem 3, we derive a three-round statistical protocol that remains secure as long as at most $\left\lfloor (n-1)/3 \right\rfloor $ of the parties are being corrupted. We further prove a matching lower bound on the resiliency of three-round statistical protocols by showing that a 3-round protocol with $(\left\lfloor (n-1)/3 \right\rfloor +1)$-resiliency for an authenticated-VSS functionality can be collapsed into a VSS with a 2-round sharing phase, contradicting our VSS negative results. (See full version [7] for further details.) Overall we derive the following theorem.

Theorem 4 (3-round protocols with optimal resiliency)

Every n-party functionality can be computed in three-rounds with statistical security against an active rushing computationally-unbounded adversary that corrupts at most $\left\lfloor (n-1)/3 \right\rfloor $ of the parties. The communication complexity of the protocol is polynomial in $n,2^D$ and S and the computational complexity is polynomial in $2^n,2^D$ and S where S and D are the size and depth of the Boolean circuit that computes f.

Furthermore, the security threshold is tight for three-round protocols. That is, there is a finite functionality that cannot be computed in three rounds at the presence of an active (non-rushing) computationally-unbounded adversary that corrupts $\left\lfloor (n-1)/3 \right\rfloor +1$ of the parties.

Theorem 4 fully characterizes the feasible security threshold of three-round protocols with information-theoretic active security. As already mentioned the exponential dependency in the depth is expected, and seems to be unavoidable given the current state of the art. The exponential dependency in n is derived from our VSS construction (Theorem 3), and we hope that future works will be able to improve it and get a polynomial overhead.

Downgrading to Computational Security. One way to bypass the exponential blow-up in n is to replace the two-round $\left\lfloor (n-1)/3 \right\rfloor $-statistical VSS with the cryptographic VSS of [10]. The latter achieves the same $\left\lfloor (n-1)/3 \right\rfloor $-resiliency against computationally-bounded adversaries assuming the existence of a non-interactive commitment (NICOM). Specifically, by plugging this VSS into the computational part of Theorem 2, we get the following theorem. (See full version [7] for further details.)

Theorem 5 (3-round computational MPC)

Assuming the existence of NICOM, every n-party functionality f admits a three-round protocol with computational security against a computationally-bounded adversary that actively corrupts up to $t\le \left\lfloor (n-1)/3 \right\rfloor $ of the parties. The complexity is polynomial in n and in the circuit’s size of f. Moreover, if f is a single-input functionality the round complexity can be reduced to 2.

The optimality of three rounds for any $t > 1$ is owing to the two-round impossibility result of [34] that remains valid even in the cryptographic setting. For the special case of $t= 1$ and $n=4$, [37] shows a two-round construction from any one-way function. Other existing round-optimal constructions [2, 11] work with $t < n/2$, albeit rely on public-key encryption schemes and two-round witness indistinguishable proofs (ZAPs). These assumptions are believed to be strictly stronger than NICOM that can be based on injective one-way functions [18, 36, 55] or even on general one-way functions assuming standard complexity-theoretic de-randomization assumptions [13].

We further mention that if one employs a perfectly-hiding NICOM, then our protocol achieves everlasting security, i.e., it is secure against adversaries that are computationally unlimited after the protocol execution [54]. For this result one has to invoke the statistical variant of Theorem 2, and so the protocol is efficient only for $\text {NC}^1$ functionalities or general single-input functionalities. Perfectly-hiding NICOM can be based on collision-resistance hash functions at the CRS model. Even in this model, the round-complexity lower-bounds of [34] hold, and one cannot hope for two-round protocols.

The “moreover” part of the theorem covers an interesting family of “single-input” functionalities including important tasks such as distributed ZK, multiplication triple generation (modellled via $\mathcal {F}_{\mathsf {tsh}}$) and VSS. Our two-round protocol complements the incomparable result of [34] that achieves a similar round-complexity with perfect-security, but with a smaller resiliency threshold of $t < n/6$. The proof of Theorem 5 of appears in the full version [7].

1.4 Discussion: The Benefit of Errors

Since the works of Rabin and Ben-Or [51] and Beaver [15], it is known that statistical protocols can achieve a resiliency threshold $t_s=\left\lfloor (n-1)/2 \right\rfloor $ that is strictly larger than the best resiliency threshold $t_p=\left\lfloor (n-1)/3 \right\rfloor $ that is achievable by perfect protocols [17, 50]. Patra et al. [46] were the first to suggest that the statistical setting may lead to better round complexity even for thresholds of $t\le t_p$ which are perfectly realizable (i.e., realizable with perfect security). Specifically, they showed that the sharing phase of statistical VSS with $t=\left\lfloor (n-1)/3 \right\rfloor $ can be carried in two rounds, bypassing a three-round lower-bound of [34]. Another indication for a possible advantage was given by [37] who showed that 4-party linear functions can be statistically computed in two rounds with threshold of $t=1$ which is impossible in the perfect setting as shown by [33, Thm 8].^{Footnote 6} However, to the best of our knowledge, so far we did not have a single example of an infinite MPC functionality whose statistical round complexity is strictly smaller than its perfect round complexity under a perfectly-realizable threshold $t\le t_p$. Theorem 4 settles this question in a strong way showing that, for any $n/4 \le t\le \left\lfloor (n-1)/3 \right\rfloor $, statistical t-security can be achieved for all functions in three rounds, whereas perfect t-security cannot be achieved in three rounds even for simple finite functionalities [8].

The separation proved in the SIFR model (Theorem 1 vs. Theorem 2) should be taken with more care. An immediate corollary of Theorem 1 asserts that for any perfect resiliency-threshold t that is larger than $\left\lfloor (n-1)/4 \right\rfloor $, one cannot transform an r-round perfect-VSS (modeled as some ideal sharing functionality) into an $r+1$-round general MPC in a “black-box” way. Furthermore, since it is known that for $t_p=\left\lfloor (n-1)/3 \right\rfloor $ perfect VSS takes exactly 3 rounds, one can naively conclude that for such resiliency general perfectly-secure MPC cannot be implemented in less than $3+2=5$ rounds. Nevertheless, [8] constructed a 4-round perfectly-secure $t_p$-resilient MPC protocol in the plain model. This construction is based on a 3-round implementation of the $\mathcal {F}_{\mathsf {vsh}}$ functionality in a fairly complicated way that exploits the concrete properties of the underlying $\mathcal {F}_{\mathsf {vsh}}$-protocol. Specifically, the transformation makes use of intermediate values that are available before the $\mathcal {F}_{\mathsf {vsh}}$-protocol terminates. The impossibility of perfect two-round $\mathcal {F}_{\mathsf {vsh}}$-SIFR protocol for general functionalities (Theorem 1) should therefore be interpreted as saying that such a complication is inherent! In contrast, the statistical relaxation allows us to obtain a significantly simpler reduction (i.e., two-round $\mathcal {F}_{\mathsf {vsh}}$-SIFR) as shown in Theorem 2.

We end up the introduction, by depicting in Fig. 1 the resiliency-vs-round landscape of MPC in various models.

Organization. In the extended abstract version, we present a succinct version of the upper bounds. Section 2 presents the high-level idea of the Secure-Computation-with-Guard primitive, which is being employed in Sect. 3 towards the construction of 2-round statistical $\mathcal {F}_{\mathsf {vsh}}$-SIFR Protocols. In Sect. 4 we construct 2-round VSS protocols.

2 Secure Computation with a Guard

In this section we present a new Secure Computation with a Guard (SCG) primitive that will be employed later in our constructions. In SCG, there are two senders, Alice and Bob, with asymmetric roles: Bob knows a single input $b\in B$ whereas Alice knows both inputs $a\in A$ and $b\in B$. The goal is to release the value of f(a, b) to a receiver Carol who holds no input. (This can be formalized by the 3-party functionality $F((a,b),b,\bot )=(\bot ,\bot ,f(a,b))$.) Syntactically, the protocol consists of an offline phase, denoted $\mathsf {scg.off}$, and an online phase, $\mathsf {scg.on}$. In the offline phase, Bob sends a single message to Carol and a single message to Alice, these messages depend only on the randomness of Bob and do not depend on his input. In the online phase, both Alice and Bob send a single message to Carol based on the offline messages and on their inputs a, b. At the end Carol should output the value f(a, b) or a special abort symbol. As in the setting of private simultaneous message (PSM) protocols [28], we require security against an adversary that corrupts the receiver. In addition, if Alice (resp., Bob) is malicious, the receiver must abort or terminate with an output of the form $f(a',b)$ for some $a'\in A$ (resp., $f(a',b)$). In this sense, “Bob guards the computation” against corrupted Alice and “Alice guards the computation” against a corrupted Bob.

Roughly speaking, in our construction Bob samples, in the offline phase, randomness r for a 2-party f-PSM protocol and sends it to Alice. In addition, Bob signs all the possible messages that Alice may send in the PSM protocol via an information-theoretic message authentication code, sends the tags to Alice and delivers to Carol a permuted version of all the keys. In the online phase, Bob sends the PSM message $s_B(b;r)$ that corresponds to his input b, whereas Alice sends the messages $s_A(a;r),s_B(b;r)$ together with their tags. Carol aborts if the tags do not match or if the B-part of the messages is inconsistent, otherwise it used the PSM decoder to recover the output. A naive implementation of this idea yields an overhead which is linear in the domain size, however, by using multiparty PSM, we can reduce the overhead to be poly-logarithmic in the domain-size. Overall, we prove the following theorem. (See full version [7] for a proof.)

Lemma 1 (Polynomial-time SCG Protocols)

Let $A = {\mathbb {F}}_2^{m_1}$, $B = {\mathbb {F}}_2^{m_2}$ and $C = {\mathbb {F}}_2^p$. Let $m = m_1 + m_2$ and let $f:A\times B\rightarrow C$ be a Boolean circuit with depth logarithmic in m, size polynomial in m and bounded fan-in and fan-out. Then, for every statistical parameter $\epsilon $, there exists an SCG protocol with complexity $\mathrm{poly}(m)\cdot \log (1/\epsilon ).$

3 A Two-Round Statistically-Secure $\mathcal {F}_{\mathsf {vsh}}$-SIFR Protocol

In this section, we prove Theorem 2. For an integer x, we use $ \mathbf {\Vert }x \mathbf {\Vert }$ to denote the set $\{1,\ldots ,x\}$. Let us denote the set of n parties by $\mathsf {P}$.

3.1 Definitions

The following definitions are parameterized by a resiliency threshold t, a finite field ${\mathbb {F}}$ of size $q>n$, and a tuple of n non-zero elements in ${\mathbb {F}}$, one for each party in $\mathsf {P}$, which are denoted (with a slight abuse of notation) by $1,\ldots , n$. Throughout this section, we fix t to $\left\lfloor (n-1)/3 \right\rfloor $.

Definition 1

($\lfloor \cdot \rceil $-sharing). A value s is said to be committed amongst $\mathsf {P}$, denoted as $\lfloor s \rceil $, if there exists a polynomial f(x) of degree at most t with $f(0)=s$ such that every honest party $P_i$ either holds f(i) or $\bot $ and at least $t+1$ honest parties hold non-$\bot $ values.

Definition 2

($[ \cdot ]$-sharing). A value s is said to be t-shared amongst $\mathsf {P}$, denoted as $[ s ]$, if there exists a polynomial f(x) of degree at most t with $f(0)=s$ such that every honest party $P_i$ holds f(i).

Definition 3

($ [[ \cdot ]]$-sharing). A value s is said to be doubly t-shared amongst $\mathsf {P}$, denoted as $ [[ s ]]$, if there exist polynomials $f(x),\{f_i(x)\}_{i \in \{1,\ldots , n \}}$, all of degree at most t with $f(0)=s$ and $f(i) = f_i(0)$ for $i\in \{1,\ldots , n \}$ such that $f(0), \{f_i(0)\}_{i \in \{1,\ldots , n \}}$ are t-shared via polynomials $f(x),\{f_i(x)\}_{i \in \{1,\ldots , n \}}$ and every honest $P_i$ holds $f_i(x)$.

Definition 4

($ {\langle \cdot \rangle } $-sharing). A value s is said to be doubly 2t-shared amongst $\mathsf {P}$, denoted as $ {\langle s \rangle } $, if there exist a degree-2t polynomial f(x) and degree-t polynomials $\{f_i(x)\}_{i \in \{1,\ldots , n \}}$ with $f(0)=s$ and $f(i) = f_i(0)$ for every honest party $P_i$ such that $ \{f_i(0)\}_{i \in \{1,\ldots , n \}}$ are t-shared via polynomials $\{f_i(x)\}_{i \in \{1,\ldots , n \}}$ and every honest $P_i$ holds f(i) and $f_i(x)$.

Definition 5 (First-level and Second-level sharing, Shares and Share-shares)

In the double secret sharing definitions ($ [[ \cdot ]]$ and $ {\langle \cdot \rangle } $), the sharings done for the shares of the secret are referred as second-level sharings, while the sharing for the actual secret is termed as first-level sharing and the shares of the shares are termed as share-shares. The ith share of s is denoted as $s_i$ (the context will make it clear whether the shares correspond to t or 2t sharing). The jth share-share of the ith share $s_i$ of s is denoted as $s_{ij}$.

The sharings $[ \cdot ], [[ \cdot ]] $ and $ {\langle \cdot \rangle } $ are linear i.e. local addition of the shares of $[ a ]$ and $[ b ]$ results in $[ a+b ]$ (similarly for the other types of sharing). Furthermore, addition of $ {\langle a \rangle } $ and $ [[ b ]]$ results in $ {\langle a+b \rangle } $.

3.2 The High-Level Idea

Our goal is to build a 2-round statistical protocol in the $\mathcal {F}_{\mathsf {vsh}}$-SIFR model, that can evaluate any n-party degree-2 functionality (over a field larger than n).

Prologue. Our starting point is the following completeness theorem from [8, Prop. 4.5 and Theorem. 5.23].

Proposition 1

[8]. Let $\mathcal {F}$ be an n-party functionality that can be computed by a Boolean circuit of size S and depth D and let ${\mathbb {F}}$ be an arbitrary extension field of the binary field ${\mathbb {F}}_2$. Then, the task of securely-computing $\mathcal {F}$ non-interactively reduces to the task of securely-computing the degree-2 n-party functionality f over ${\mathbb {F}}$ that each of its outputs is of the form

$$\begin{aligned} x^\alpha x^\beta + \sum _{j=1}^n r^j, \end{aligned}$$

(1)

where $x^\alpha $ and $x^\beta $ are the inputs of party $P_\alpha $ and $P_\beta $ respectively and $r^j$ is an input of party $P_j$ for $j \in \{1,\ldots , n \}$.

The reduction preserves active perfect-security (resp., statistical-security) with resiliency threshold of $\left\lfloor (n-1)/3 \right\rfloor $ (resp., $\left\lfloor (n-1)/2 \right\rfloor $) and the complexity of the function f and the overhead of the reduction is $\mathrm{poly}(n,S,2^D,\log |{\mathbb {F}}|)$. Furthermore, assuming one-way functions, one can get a similar reduction that preserves computational-security with resiliency threshold of $\left\lfloor (n-1)/2 \right\rfloor $ and complexity/security-loss of $\mathrm{poly}(n,S,\log |{\mathbb {F}}|)$.

Throughout this section we fix ${\mathbb {F}}$ to an $\mathbb {F}_2$-extension field of size larger than n, and assume that all the sharing functionalities are defined with respect to ${\mathbb {F}}$. (Specifically, we can take the smallest such field.) By Proposition 1, it suffices to focus on functionalities whose output can be written as (1). From now on, we focus on such a functionality f and construct a 2-round $\mathcal {F}_{\mathsf {vsh}}$-SIFR protocol whose complexity is polynomial n and in the description of f. For simplicity, we will discuss computation of one degree-2 term as above. The extension, guaranteeing that the same x values are used across different degree-2 terms, will follow easily.

2-round $\mathcal {F}_{\mathsf {vsh}}$-SIFR Protocol. Given access to an ideal VSS functionality, denoted $\mathcal {F}_{\mathsf {vsh}}$, that can generate a $ [[ \cdot ]]$-sharing of a party’s secret, we show how to construct a 2-round $\mathcal {F}_{\mathsf {vsh}}$-SIFR protocol for degree-2 computation. The $\mathcal {F}_{\mathsf {vsh}}$-SIFR protocol is efficient and statistically-secure for threshold $t < n/3$. Therefore, when the protocol is instantiated with a realisation of VSS, the security (statistical vs. cryptographic) and efficiency of the final MPC protocol reduce to that of underlying realisation of VSS.

Building on $\mathcal {F}_{\mathsf {vsh}}$, we first design a 2-round triple secret sharing (TSS) protocol in the $\mathcal {F}_{\mathsf {vsh}}$-SIFR model, that verifiably generates $[ \cdot ]$-sharing of a party’s triple secrets a, b, c satisfying the product relation $c= ab$. The TSS completes the sharing in the first round, and the verification of the product relation is done in the second round. Subsequently, we use both the VSS functionality $\mathcal {F}_{\mathsf {vsh}}$ and the TSS protocol, in order to obtain a protocol for degree-2 computation in the $\mathcal {F}_{\mathsf {vsh}}$-SIFR model, which is both efficient and statistically secure.

Partial Degree-reduction. Traditionally, evaluating a degree-2 function involves secret-sharing the values and multiplying them distributively. The secret sharing takes the form of t-sharing and the share-wise multiplication results in a non-random 2t-sharing of the product. The latter is transformed to a t-sharing via degree-reduction and randomization, and lastly the t-shared product is reconstructed robustly to complete degree-2 function evaluation. The degree-reduction in each step of multiplication seems necessary to keep the degree inflation in check when a sequence of multiplications needs to be performed. With degree-two functions as the end goal, we ditch full-fledged round-expensive degree-reduction. Rather we settle for generating a randomized double 2t-sharing of the product which enables robust reconstruction via the second-level t-sharings. That is, we perform one-time degree reduction for the second-level sharings alone. This idea is borrowed from [8]. As we demonstrate in this work, the degree reduction is an easier task than the degree-reduction of the first-level sharing. The key idea is to have $P_i$ monitor the degree reduction for the ith second-level sharings. We elaborate more below, starting with the description of a 3-round $\mathcal {F}_{\mathsf {vsh}}$-SIFR protocol, and then showing how to shave a round in order to obtain a 2-round protocol.

A 3-round $\mathcal {F}_{\mathsf {vsh}}$ -SIFR protocol. Our aim is to compute $ {\langle x^\alpha x^\beta + \sum _{k=1}^n r^k \rangle } $ and reconstruct the output via robust reconstruction of its second-level t-sharings. For simplicity, we ignore the additive terms and focus on producing $ {\langle y \rangle } = {\langle x^\alpha x^\beta \rangle } $ and reconstructing the product. First, the $\mathcal {F}_{\mathsf {vsh}}$ functionality is used to generate $ [[ x^\alpha ]]$ and $ [[ x^\beta ]]$ in the first round. A local multiplication over the shares generates a non-random 2t-sharing of the product $x^\alpha x^\beta $. Generating $ {\langle y \rangle } $ is then done in two steps– randomization of the sharing and degree-reduction of the second-level sharing. The former requires generating a $ {\langle 0 \rangle } $ and adding to the non-random second-level degree-reduced sharing of y. Generating a $ {\langle 0 \rangle } $ requires producing t $ [[ \cdot ]]$-sharing via the $\mathcal {F}_{\mathsf {vsh}}$ functionality and can be concluded in the first round. Next, the degree reduction for the ith second-level sharing is conducted under the supervision of $P_i$ that produces an independent triple sharing $([ a^i ],[ b^i ],[ c^i ])$ which is then used to turn the t-sharing of the ith shares of $x^\alpha $ and $x^\beta $ (respectively, $x^\alpha _i$ and $x^\beta _i$) to a t-sharing of their product via Beaver’s circuit randomization technique [14]. The TSS generates the triple sharings in the first round via $\mathcal {F}_{\mathsf {vsh}}$ and completes the verification of product relation in the second round. Having all the material ready by the first round (except the verification of the product-relation), Beaver’s technique can be initiated in the second round, and it requires the reconstruction of $u_i = (x^\alpha _i -a^i)$, $v_i = (x^\beta -b^i)$ to compute $[ y_i ] = [ x^\alpha _i x^\beta _i ]$ as $ u_i v_i + u_i [ b^i ] + v_i [ a^i ] + [ c^i ]$. Subsequently, degree-2 computation requires reconstruction of $y_i$ (the randomized version of it) which, if correct, is a share of the first-level 2t-sharing of the product $x^\alpha x^\beta $. The above approach leads to a 3-round protocol. We compress the two sequential reconstructions, each of which typically achieved via a single round communication followed by error correction, into a single-round affair.

Shaving a Round using 3-party Secure Computation with a Guard (SCG). Our approach takes note that the jth share-share $y_{ij}$ is expressed as $ u_i v_i + u_i b^{i}_j + v_i a^{i}_j + c^{i}_j$ (where $a^i_j,b^i_j$ and $c^i_j$ are the j-th shares of $a^i,b^i$ and $c^i$), and the parties $P_i,P_j$ jointly hold all the inputs before the start of round 2. Specifically, the two values $u_i,v_i$ that can be publicly reconstructed earliest at round 2 are already available to $P_i$ in the end of round 1 (as she herself generated the triples and $\mathcal {F}_{\mathsf {vsh}}$ instances for $x^\alpha ,x^\beta $ conclude in round 1). The shares of a, b, c, on the other hand, is known to both $P_i,P_j$ in the end of round 1 as soon as the relevant $\mathcal {F}_{\mathsf {vsh}}$ conclude. This perfectly creates a vacuum for a 3-party primitive between Alice, Bob and Carol. Alice holds inputs $\mathsf{x},\mathsf{y}$ respectively from sets X and Y and Bob holds $\mathsf{y}$. Together, they would like to enable Carol to compute $f(\mathsf{x},\mathsf{y})$ (and nothing else) with a one-shot communication. While Alice alone can do this, having Bob allows us to conduct a ‘secure computation with a guard’ (SCG). Between Alice and Bob, the honest party guards the computation ensuring certain level of correctness. Specifically, Carol outputs either $f(\mathsf{x'},\mathsf{y})$ or $\bot $ when Alice is corrupt, whereas $f(\mathsf{x},\mathsf{y})$ or $\bot $ when Bob is corrupt. Using a SCG for a slightly tweaked function $g(\mathsf{x},\mathsf{y}) = (\mathsf{x},f(\mathsf{x},\mathsf{y}))$ and ensuring that correct $\mathsf{x}$ is made available to Carol in round 2, it is possible to make Carol output either $f(\mathsf{x},\mathsf{y})$ or $\bot $ in the Alice-corrupt case. We plug in an SCG, for every triple (i, j, k), with $P_i$ in the shoes of Alice with inputs $\mathsf{x} = (u_i,v_i)$, $\mathsf{y} = (a^i_{j},b^i_{j},c^i_{j})$, $P_j$ in the shoes of Bob with input $\mathsf{y}$, and the function g outputting $(u_i,v_i, y_{ij})$ to $P_k$ (Carol). We reconstruct $u_i,v_i$ from their t-sharing in round 2 to make them available with every $P_k$, to make sure that either $f(\mathsf{x},\mathsf{y})$ or $\bot $ are extracted from the reconstruction of the SCG of g. For an honest $P_i$, SCG with every honest $P_j$ will disclose $y_{ij}$, while with that of a corrupt $P_j$ is guaranteed to output either $y_{ij}$ or $\bot $. Denoting a SCG leading to $\bot $ as a silent one, the reconstruction of $y_i$ for an honest $P_i$ reduces to fitting the unique t-degree polynomial over the disclosed $y_{ij}$. On the other hand, a corrupt $P_i$ needs to keep at least $n-t$ SCGs non-silent (which is the case for an honest $P_i$), and consequently it must agree to the inputs fed by the $n-2t$ honest parties. Furthermore, the SCG, together with the reconstructed $u_i$ and $v_i$, ensure that nothing but $y_{ij}$ or $\bot $ can make way to the output. Thus, if some value is reconstructed in this case, it will be $y_i$. Lastly, $P_i$ can cheat by not ensuring $c^i = a^ib^i$ for its triple. However, TSS offers a mechanism to detect this mischief in round 2. Therefore, the reconstruction, if at all successful, results in the correct $y_i$ for a corrupt $P_i$. Leveraging super-honest majority, we will always have enough $y_i$ ($n-t \ge 2t+1$) for the reconstruction of y.

Employing the SCGs. Recall that apart from the single-round communication, SCGs need an offline input-independent communication round. In our protocols, the offline can be run in round 1. Furthermore, we apply the SCG’s only to functions whose formula size is polynomial in n, and our construct is polynomial-time. SCG also plays a key role in our TSS protocol.

Epilogue. For the degree-2 completeness, we need every party to output different y (yet with the same form). To ensure that the same x inputs are used for computation of all the y values, the same secret sharing of the x values needs to be used for computation of $ {\langle y \rangle } $ as above for all y values. With the above high-level idea, we first present the notion of secure computation with a guard, and then use this notion to derive a 2-round statistically-secure degree-2 protocol in the $\mathcal {F}_{\mathsf {vsh}}$-SIFR model.

3.3 $\mathcal {F}_{\mathsf {vsh}}$-SIFR Protocol for Degree-2 Computation

For the $\mathcal {F}_{\mathsf {vsh}}$-SIFR protocol, we use an idealized version of VSS given in Fig 2, which is used in the first round of the $\mathcal {F}_{\mathsf {vsh}}$-SIFR protocol.

We further require a reconstruction protocol for $[ s ]$. We define two variants of reconstruction– $\mathsf {rec}$ for public reconstruction and $\mathsf {rec}_j$ for private reconstruction to party $P_j$. $\mathsf {rec}_j$ is given below and $\mathsf {rec}$ can be realized by running n copies of $\mathsf {rec}_j$ for every $P_j$. Both require one round. In $\mathsf {rec}_j$, on holding $s_i$ (ith share of s), $P_i$ sends $s_i$ to $P_j$ who applies RS error correction to correct t errors and reconstruct the underlying polynomial f(x) and output $s=f(0)$.

We now move on to present a TSS protocol and then building on it, a degree-2 computation protocol, both in the $\mathcal {F}_{\mathsf {vsh}}$-SIFR model.

Triple Secret Sharing. The goal of this protocol is to allow a dealer to share three values (a, b, c) via VSS such that $c= ab$ holds. Given access to an ideal VSS in the first round, we achieve our goal in 2 rounds. We abstract out the need in a functionality $\mathcal {F}_{\mathsf {tsh}}$ given in Fig. 3 and present our protocol subsequently.

Following the idea proposed in [17] and recalled in [9], the dealer chooses two polynomials of degree at most t, $f^a(x)$ and $f^b(x)$ with $f^a(0) = a$ and $f^b(0) = b$. It then picks a sequence of t polynomials $f^{1}(x),\ldots ,f^t(x)$, all of degree at most t such that $f^c(x)$ which is equal to $f^a(x) f^b(x) - \sum _{\alpha =1}^{t} x^\alpha f^\alpha (x)$ is a random polynomial of degree at most t with the constant term equalling ab. Both [9, 17] elucidate the idea of choosing the coefficients of $f^{1}(x),\ldots ,f^t(x)$ in a way that simultaneously cancels out the higher order coefficients and randomizes the remaining coefficients of the product polynomial $f^a(x) f^b(x)$. The dealer hides these $t+3$ polynomials in symmetric bivariate polynomials and invokes $t+3$ instances of $\mathcal {F}_{\mathsf {vsh}}$. At the end of the first round the sharings are returned by the $\mathcal {F}_{\mathsf {vsh}}$ functionalities, and the check for the product relation $c = ab$ is enabled by letting every party $P_i$ verify if $f^c(i) = f^a(i) f^b(i) - \sum _{\alpha =1}^{t} x^\alpha f^\alpha (i)$. Therefore, a complaint can be raised in round 2 and reconstruction of the shares of the complainant can be done in round 3 to enable public verification. To conclude the verification in round 2, we need to shave a round, or compress the rounds 2 and 3 into a single one. Given that, the complaint bit (indicating whether $P_i$’s verification succeeds or not) is known to $P_j$ and the jth share-shares are known to both $P_i$ and $P_j$ at the end of round 1, round 2 can be used for running (the online phase) of an SCG protocol to reveal the jth share-shares when the complaint bit is true. So the function of our interest is $f:{\mathbb {F}}_2\times {\mathbb {F}}^{t+3}\rightarrow {\mathbb {F}}^{t+4}$ defined by

$$\begin{aligned} f(\mathsf{x}, \{\mathsf{x}^{\alpha }\}_{\alpha \in \mathbf {\Vert }t+3 \mathbf {\Vert } }) = {\left\{ \begin{array}{ll} (\mathsf{x},0,\ldots ,0)&{} \text {if } \mathsf {x}= 0,\\ (\mathsf{x}, \{ \mathsf{x}^{\alpha }\}_{\alpha \in \mathbf {\Vert }t+3 \mathbf {\Vert }})&{} \text {otherwise}, \end{array}\right. } \end{aligned}$$

(2)

with $A := {\mathbb {F}}_2$, $B := {\mathbb {F}}^{t+3}$ and $C := {\mathbb {F}}^{t+4}$ (as per Lemma 1). To conduct $P_i$’s verification, we plug in SCGs between every triple (i, j, k) varying over all j, k, with $P_i$ as Alice $P_j$ as Bob and $P_k$ as carol. $P_i$ and $P_j$ together allow $P_k$ to compute the jth share-shares of all the $t+3$ $ [[ \cdot ]]$-sharing if $P_i$’s complaint bit is on. Precisely, $P_i$’s inputs are the complaint bit and the share-shares, whereas $P_j$’s input is just the share-shares. The offline of the SCGs are run during the first round, and the online in round 2. An SCG instance that leads to $\bot $ for a Carol, is labelled as silent.

For an honest $P_i$ with genuine complaint, $n-t$ SCGs corresponding to the honest $P_j$s will spit out the correct share-shares (via correctness), while the rest will either be silent or spit out correct share-shares (via correctness with a guard for honest-Alice case). This enables public reconstruction of the ith shares of all the $t+3$ $ [[ \cdot ]]$-sharing and so subsequent public verification will instate the compliant publicly. Thus an honest party can always convince others about its complaint and can ensure D’s disqualification. A corrupt $P_i$, on the other hand, can only force the SCGs to output f on either $\mathsf{x} = 0$ or 1, apart from turning them silent. A corrupt $P_i$ needs to keep at least $n-t$ SCGs non-silent (which is the case for an honest $P_i$) for not to be disqualified. Among these, it must allow every $P_k$ to receive at least $n-2t$ correct share-shares corresponding to the SCGs with honest $P_j$s. Therefore, the reconstruction, if at all successful, results in reconstructing the correct shares, ensuring a successful public verification and absolution of D. Therefore, a corrupt $P_i$ cannot make a false allegation against an honest D. Protocol $\mathsf {tsh}$ is described in Fig. 4 and is proven to realize functionality $\mathcal {F}_{\mathsf {tsh}}$ (Lemma 2) in the full version [7]. Finally, note that the function, that is computed using SCG is a formula of constant multiplicative depth and therefore has an efficient realization.

Lemma 2 (Security)

Protocol $\mathsf {tsh}$ realises functionality $\mathcal {F}_{\mathsf {tsh}}$, except with probability $\epsilon $, tolerating a static, active adversary $\mathcal {A}$ corrupting t parties, possibly including the dealer D. Moreover, it is a statistically-correct and perfectly-secret protocol. Assuming the error probability of protocols $\mathsf {scg}$ and $\mathsf {vsh}$, as $\epsilon _\mathsf {scg}$ and respectively $\epsilon _\mathsf {vsh}$, we have $\epsilon \le t(2t+1) \epsilon _\mathsf {scg}+ (t+3)\epsilon _\mathsf {vsh}$.

Lemma 3 (Efficiency)

In $\mathcal {F}_{\mathsf {vsh}}$-SIFR model, protocol $\mathsf {tsh}$ has a complexity of $O\Big ( \mathsf {poly}(n\log {|{\mathbb {F}}|})\log {(1/\epsilon )}\Big )$.

Simplifications in Cryptographic Setting. Protocol $\mathsf {tsh}$ can be simplified in the cryptographic setting significantly, using the specifics of the VSS realization. In particular, the SCGs can be avoided altogether and further two rounds are enough to complete theTSS protocol. In fact, we prove a stronger statement– VSS and any single-input functionality has the same round complexity in cryptographic setting. However, the latter uses the VSS in a non-black-box way (hence does not lead to a one-round protocol in $\mathcal {F}_{\mathsf {vsh}}$-SIFR model). We postpone these details to the full version [7].

Degree-2 Computation. Here we show how to compute a degree-2 computation of the following form: $y = x^\alpha x^\beta + \sum _{k=1}^n r^k$, where $x^\alpha $ and $x^\beta $ are the inputs of $P_\alpha $ and $P_\beta $ respectively and $r^k$ is an input of $P_k$ for $k \in \{1,\ldots , n \}$. This extended computation was proven to be complete for any polynomial-time computation. The goal is abstracted as a functionality $\mathcal {F}_{\mathsf {deg2c}}$ below and the protocol appears subsequently for the computation of a single y. We assume the output is given to everyone for simplicity. The functionality can be modified to take a random input from the rightful recipient $P_\gamma $ and y can be sent out in blinded form using the randomness as the blinder. The realisation of this slightly modified functionality can obtained relying on the realisation of the below functionality and additionally asking $P_\gamma $ to run a VSS on a random polynomial (with a uniform random element $m^\gamma $ in the constant term). The value y is then reconstructed in blinded form to everyone with $m^\gamma $ as the blinder, which only $P_\gamma $ can unblind. Thus, we assume y be dispatched to all in $\mathcal {F}_{\mathsf {deg2c}}$.

Recall that the high-level idea our protocol is to generate $ {\langle x^\alpha x^\beta + \sum _{\ell =1}^n r^\ell \rangle } $ from $ [[ x^\alpha ]], [[ x^\beta ]], \{ [[ r^\ell ]]\}_{\ell \in \{1,\ldots , n \}}$ and reconstruct the secret $x^\alpha x^\beta + \sum _{\ell =1}^n r^\ell $ via its second-level t-sharings. A bunch of VSS instances are invoked to generate $ [[ x^\alpha ]], [[ x^\beta ]], \{ [[ r^\ell ]]\}_{\ell \in \{1,\ldots , n \}}$ in the first round. Ignoring the additive terms, the major task boils down to generating $ {\langle x^\alpha x^\beta \rangle } $ from $ [[ x^\alpha ]]$ and $ [[ x^\beta ]]$. Local product of the shares and share-shares of these two sharings results in a non-randomized 2t-sharing in both the first and second level. To compute a $ {\langle \cdot \rangle } $-sharing, we (a) use the Beaver’s trick to compute t-sharing of the product-share $x^\alpha _ix^\beta _i$ from the t-sharing of shares $x^\alpha _i$ and $x^\beta _i$ and then (b) randomize the first-level 2t-degree product polynomial. For the latter, we use the existing techniques via VSS (for example see [8]). We only recall the functionality $\mathcal {F}_{\mathsf { {\langle 0 \rangle } }}$ responsible for generating a $ {\langle 0 \rangle } $, and mention that it can be implemented in one round in the $\mathcal {F}_{\mathsf {vsh}}$-SIFR model. Let $\mathsf {zsh}$ denote a one-round $\mathcal {F}_{\mathsf {vsh}}$-SIFR protocol for zero-sharing (these protocols are termed as ZSS protocols).

To achieve the former task, every $P_i$ generates $([ a^i ],[ b^i ],[ c^i ])$ such that $(a^i,b^i,c^i)$ are random and independent of the actual inputs and satisfy $c^i = a^ib^i$ using an instance of protocol $\mathsf {tsh}$. Recall that while generating the sharings takes is done in the first round, the verification of the product relation takes place in the second round. Beaver’s trick requires reconstruction of $u_i = (x^\alpha _i -a^i)$, $v_i = (x^\beta _i-b^i)$ first to compute $[ y_i ] = [ x^\alpha _i x^\beta _i ]$ as $ u_i v_i + u_i [ b^i ] + v_i [ a^i ] + [ c^i ]$ and subsequently, degree-2 computation requires reconstruction of $y_i$ (the randomized version of it) which, if correct, is a share of the first-level 2t-sharing of the product $x^\alpha x^\beta $. Therefore, the above approach leads a 3 round protocol. To conclude within 2 rounds, we need a reconstruction mechanism that achieves– (a) for an honest $P_i$, the reconstruction is robust and $y_i$ is the correct share (b) for a corrupt $P_i$, either the reconstruction fails or $y_i$ is the correct share. This reconstruction is enabled via SCGs. For the reconstruction of $y_i$, $P_i$ in the role of Alice, $P_j$ in the role of Bob run an SCG to allow every $P_k$ learn $y_{ij}$, the jth share-share of $y_i$. The input of $P_i$ is $(u_i,v_i)$ and the jth share-shares, $a_{j}^i,b_{j}^i,c_{j}^i$ of a, b, c. The input of $P_j$ is jth share-shares of a, b, c. The function f computes $y_{ij} = u_i v_i + u_i b^{i}_j + v_i a^{i}_j + c^{i}_j$ and outputs $(u_i,v_i,y_{ij})$. With all the inputs ready at the end of the first round, we compute the offline phase in the first round as well, while the online phase can be executed in the second round. During the online phase, we also make sure $P_k$, as Carol, holds $u_i,v_i$, by reconstructing these values from their t-sharing. This allows $P_k$ to make sure that $P_i$ used the values $u_i$ and $v_i$ as an input to the SCG, thus making sure that the value extracted from the SCG is either $y_{ij}$ or $\bot $, even when $P_i$ is corrupt. The protocol appears in Fig. 7 and the proof that it realizes functionality $\mathcal {F}_{\mathsf {deg2c}}$ (Theorem 6) in the full version of the paper [7].

Theorem 6 (Security)

Protocol $\mathsf {deg2c}$ realises functionality $\mathcal {F}_{\mathsf {deg2c}}$, except with probability $\epsilon $, tolerating a static adversary $\mathcal {A}$ corrupting t parties. Moreover, it is a statistically-correct and perfectly-secret protocol. Assuming the error probability of protocols $\mathsf {scg}$ and $\mathsf {vsh}$, as $\epsilon _\mathsf {scg}$ and respectively $\epsilon _\mathsf {vsh}$, we have $\epsilon \le (nt+5n+2)\epsilon _\mathsf {vsh}+ (n+1)t(2t+1)\epsilon _\mathsf {scg}$.

Theorem 7 (Efficiency)

In $\mathcal {F}_{\mathsf {vsh}}$-SIFR model, protocol $\mathsf {deg2c}$ has a complexity of $O\Big ( \mathsf {poly}(n\log {|{\mathbb {F}}|})\log {1/\epsilon )}\Big )$.

4 Verifiable Secret Sharing

Here, we introduce a new statistical VSS and recall the existing cryptographic VSS of [10]. In the latter section, we also suggest a simplified computational TSS protocol that is devoid of the SCGs.

In this section, the underlying field for sharing, ${\mathbb {F}}$, can be taken to be an arbitrary finite field of size $q>n$. We let $\kappa $ denote a statistical security parameter that guarantees a correctness error of $2^{-\varOmega (\kappa )}$ (and perfect secrecy), and always take $\kappa $ to be super-logarithmic in the number of parties, i.e., $\kappa =\omega (\log n)$. We assume without loss of generality that $\log |{\mathbb {F}}|>\varOmega (\kappa )$, and if this is not the case, we lift ${\mathbb {F}}$ up to a sufficiently-large extension field. Finally, we assume that basic arithmetic operations over ${\mathbb {F}}$ can be implemented with polynomial complexity in the $\log |{\mathbb {F}}|$. As usual, we fix the resiliency t to $\left\lfloor (n-1)/3 \right\rfloor $.

4.1 Statistical VSS

In this section, we construct the first 2-round statistical VSS that produces $ [[ s ]]$ of D’s secret from ${\mathbb {F}}$. The existing 2-round VSS of [1, 46] does not generate $ [[ \cdot ]]$-sharing and further the set of secrets that are allowed to be committed is ${\mathbb {F}}\cup \{\bot \}$. The latter implies that a corrupt D has the liberty of not committing to any secret or put differently, the committed secret can be $\bot $. A natural consequence of being able to produce $ [[ \cdot ]]$-sharing is that the reconstruction turns to a mere one-round communication of shares followed by error correction, unlike the complicated approach taken in [1, 46].

As a stepping stone towards a statistical VSS, we first build two weaker primitives–interactive signature and weak commitment. Interactive Signature. An interactive signature protocol is a three-phase protocol (distribute, verify and open), involving four entities–a dealer $D \in \mathsf {P}$, an intermediary $I \in \mathsf {P}$, a receiver $R\in \mathsf {P}$ and a set of verifiers $\mathsf {P}$. In the distribute phase, the dealer D, on holding a secret, distributes the secret and a signature on the secret to intermediary I and private verification information to each party $P_i$ in $\mathsf {P}$. In the verify phase, I and the verifiers $ \mathsf {P}$ together verify if the secret and signature verify with the verification information. In the open phase, I opens the message and signature to R and the verifiers open verification information to R who verifies and accepts the message if it verifies correctly. Intuitively, we require four properties from the primitive–(a) privacy of the secret till the end of execution of the three phases when D, I, R are honest and at most t of the verifiers are corrupt; (b) unforgeability of honest D’s secret in the open phase against the collusion of a corrupt I and at most t corrupt verifiers; (c) nonrepudiation of the secret after the verify phase succeeds against the collusion of a corrupt D and at most t corrupt verifiers, i.e. an honest R accepts an honest I’s secret and signature after a successful verify phase and a corrupt D, colluding with t verifiers cannot repudiate to not have sent the message to I during distribute phase; and lastly (a) correctness i.e. R outputs D’s secret when D and I are honest. We give the formal definition below.

Definition 6

(Interactive Signature Scheme (ISS)). In an interactive signature scheme (ISS) amongst a set of n parties $\mathsf {P}$, there is a distinguished party $D \in \mathsf {P}$ that holds an input s picked over a field ${\mathbb {F}}$, referred to as a secret. The scheme involves three more entities apart from D, an intermediary $I \in \mathsf {P}$, a receiver $R \in \mathsf {P}$ and a set of verifiers $\mathsf {P}$ and consists of three phases, a distribute, a verify and an open phase. In the beginning, D holds s and each party including the dealer holds an independent random input.

Distribute: In this phase, D sends private information (computed based on its secret and randomness) to a designated intermediary $I \in \mathsf {P}$ and to each of the verifiers in $\mathsf {P}$.
Verify: In this phase, I and the verifiers interact to ensure that the information received from D are consistent. This phase ends with a public accept or reject, indicating whether verification is successful or not.
Open: Here, I and each verifier in $\mathsf {P}$ send the information received from D in distribute phase to a designated receiver $R \in \mathsf {P}$ that applies a verification function to conclude if the message sent by I can be accepted or not. The output of this phase is considered only upon a successful execution of verify phase.

A three-phase, n-party protocol as above is called a $(1 - \epsilon )$-secure ISS scheme, if for any adversary $\mathcal {A}$ corrupting at most t parties amongst $\mathsf {P}$, the following holds:

Correctness: If D and I are honest, the verify phase will complete with a success and an honest R accepts and outputs s in the open phase.
$\epsilon $-nonrepudiation: If I and R are honest and the verify phase has completed with a success, then R accepts and outputs $s'$ sent by I in the open phase, except with probability $\epsilon $.
$\epsilon $-unforgeability: If D and R are honest, then R accepts and outputs $s'$ sent by I in the open phase only if $s' = s$, except with probability $\epsilon $.
Privacy: If D, I, R are honest, then at the end of the protocol the adversary’s view is identical for any two secrets s and $s'$. Denoting $\mathcal{D}_{s}$ as $\mathcal {A}$’s view during the ISS scheme when D’s secret is s, the privacy property demands $\mathcal{D}_s \equiv \mathcal{D}_{s'}$ for any $s \ne s'$.

We would like to note that the existence of a similar primitive, known as information-checking protocol (ICP) [20, 25, 51]. ICP is played amongst three entities a dealer D, an intermmediary INT and a receiver R, where the verification information is held by R alone. In a variant of ICP [47, 48], R is replaced with the set of parties $\mathsf {P}$, similar to our definition, but the secret and the signature are disclosed in the public. We introduce the definition above that suits best for our protocols using ISS as the building block.

We now present an ISS scheme where the three phases will require one round each and importantly the verify and open phase can be run in parallel, making the whole scheme consume only two rounds. At a very high level, D hides its secret in a high-degree polynomial and gives out the polynomial as its signature to I. A bunch of secret evaluation points and evaluation of the signature polynomial on those points are given out as verification information to the verifiers. The idea of using secret evaluation points dates back to Tompa and Woll [53]. The verification is now enabled via cut-and-choose proof, though public disclosure of a padded form of the signature polynomial by I and evaluations of it by the verifiers on a set of randomly selected points. The high-degree of the polynomial and the padding ensure that the privacy of the secret and signature is maintained during the verification. Lastly, the opening simply involves revealing the signature polynomial and the remaining secret evaluation points and the evaluations to the designated receiver R that simply checks if the polynomial and the evaluations are consistent or not. It should be noted that a cheating I, exercising its rushing capability, may try to foil the cut-and-choose proof during the verify phase. Nevertheless, we show that such an adversary will be caught, with overwhelming probability, during the opening phase. We present our protocol $\mathsf {iSig}$ and state its properties below. For more details, see the full version of this paper [7].

Lemma 4

The Protocol $\mathsf {iSig}$ is $(1 - 2^{-\varOmega (\kappa )})$-secure ISS tolerating a static adversary $\mathcal {A}$ corrupting t parties, possibly including the dealer D, I and R. Moreover, the protocol achieves perfect privacy, and perfect correctness, and can be implemented in time $\mathrm{poly}(n,\kappa ,\log |{\mathbb {F}}|)$.

Weak Commitment. As a stepping stone towards VSS, we first build a weaker primitive called weak commitment (WC) [8]. WC and opening are distributed information-theoretic variant of cryptographic commitment schemes. It also can be viewed as a (weaker) variant of the typical building block of VSS, known as Weak Secret Sharing (WSS). WC has a clean goal of ensuring that– for a unique secret s, at least $t+1$ honest parties must hold the shares of the secret. WSS, on the other hand, ensures that a unique secret must be committed in the sharing phase so that either the secret or $\bot $ will be reconstructed latter during the distributed reconstruction phase. It is noted that a committed secret in WC needs the help of the dealer for its opening, unlike the secret committed in WSS. With a simpler instantiation, weak commitment and opening are sufficient to build a VSS scheme.

The dealer D starts with a polynomial of degree at most t and generates $\lfloor \cdot \rceil $-sharing of its constant term through the input polynomial. For an honest D, WC in fact produces $[ \cdot ]$-sharing of the constant term. We abstract out the need in terms of a functionality $\mathcal {F}_{\mathsf {wcom}}$ given in Fig. 9 and present the protocol realizing the functionality below. The dealer sends a polynomial g(x) and a set $\mathsf {P}'$, indicating who should receive a share, to the functionality. An honest D will send g(x) of degree at most t and $\mathsf {P}' = \mathsf {P}$. When a corrupt D sends either a polynomial which is of degree more than t or a set of size less than $n-t$ (denying shares to at least $t+1$ honest parties), all the parties receive $\bot $ from the functionality.

At a high level, D, on holding a polynomial g(x) of degree at most t, initiates the protocol by picking a symmetric bivariate polynomial G(x, y) of degree t in both variables uniformly at random over $\mathbb {F}$ such that G(x, 0) and G(0, y) are the same as the input polynomial g(x) (with change of variable for G(0, y)). Following some of the existing WSS/VSS protocols based on bivariate polynomials [32, 42], D sends $g_i(x) = G(x,i)$ to party $P_i$ and in parallel the parties exchange random pads to be used for pairwise consistency checking of their common shares. When a bivariate polynomial is distributed as above, a pair of parties $(P_i,P_j)$ will hold the common share G(i, j) via their respective polynomials $g_i(x)$ and $g_j(x)$. Namely, $g_i(j) = g_j(i) = G(i,j)$. A pair $(P_i,P_j)$ is marked to be in conflict when the padded consistency check fails. In addition, D runs an ISS protocol for every ordered pair (i, j) with $P_i$ as the intermediary and $P_j$ as the receiver for secret G(i, j). This allows D to pass a signature on G(i, j) to $P_i$ who can later use the signature to convince $P_j$ of the receipt of G(i, j). $(D,P_i)$ are marked to be in conflict when one of the n instances with $P_i$ as the intermediary results in failure. Now a set of non-conflicting parties, $\mathsf {W}$, of size $n-t$, including D, is computed (using a deterministic clique finding algorithm). Due to pair-wise consistency of the honest parties in $\mathsf {W}$, their polynomials together define a unique symmetric bivariate polynomial, say $G'(x,y)$ and an underlying degree t univariate polynomial $g'(x) = G'(x,0)$, the latter of which is taken as D’s committed input. For an honest D, such a set exists and can be computed (in exponential time in n), albeit, it may exclude some honest parties. The possibility of exclusion of some of the honest parties makes this protocol different from existing 3-round constructions where D gets to resolve inconsistencies in round 3 and therefore an honest party is never left out of such a set. The honest parties in $\mathsf {W}$ output the constant term of their $g_i(x)$ polynomials received from D as the share of $g'(x)$. An honest outsider recomputes its $g'_i(x)$ interpolating over the non-$\bot $ outcomes from interactive signatures (as a receiver) corresponding to intermediaries residing in set $\mathsf {W}$. When D is honest, the correct $g_i(x)$ can be recovered this way, thanks to the unforgeability of the signature and as a result, every honest party will hold a share of g(x). For a corrupt D, while non-repudiation allows honest parties in $\mathsf {W}$ to convey and convince an honest outsider about their common share, the corrupt parties in $\mathsf {W}$ can inject any value as their common share. As a result, the interpolated polynomial may be an incorrect polynomial of degree more than t. In this case, an honest outsider may not be able to recover its polynomial $g'_i(x)$ and share of $g'(x)$. Protocol $\mathsf {swcom}$, which realizes functionality $\mathcal {F}_{\mathsf {wcom}}$ (Lemma 5) is described in Fig. 10. For more details, see the full version of this paper [7].

We point out that the error in the outputs of the honest parties in WC are totally inherited from the underlying ISS instances.

Lemma 5

Protocol $\mathsf {swcom}$ realises functionality $\mathcal {F}_{\mathsf {wcom}}$, except with probability $\epsilon $, tolerating a static adversary $\mathcal {A}$ corrupting t parties, possibly including the dealer D. Moreover, it is a statistically-correct and perfectly-secret protocol. Assuming the error probability of protocol $\mathsf {iSig}$ as $\epsilon _\mathsf {iSig}$, we have $\epsilon \le (2t+1)^2\epsilon _\mathsf {iSig}= O(n^2 \epsilon _\mathsf {iSig})$. The communication complexity is $\mathrm{poly}(n,\kappa ,\log |{\mathbb {F}}|)$, and the computational complexity is exponential in n and polynomial in $\kappa $ and $\log |{\mathbb {F}}|$.

While we never need to reconstruct a $\lfloor \cdot \rceil $-shared secret, non-robust reconstruction can be enabled by allowing D to broadcast the committed polynomial and the parties their shares. The D’s polynomial is taken as the committed one if $n-t$ parties’ share match with it. Clearly an honest D’s opened polynomial will be accepted and a non-committed polynomial will always get rejected.

The Statistical VSS. VSS allows a dealer to distributedly commit to a secret in a way that the committed secret can be recovered robustly in a reconstruction phase. Our VSS protocol $\mathsf {vsh}$ allows a dealer D to generate double t-sharing of the constant term of D’s input bivariate polynomial F(x, y) of degree at most t and therefore allows robust reconstruction via Read-Solomon (RS) error correction, unlike the weak commitment scheme $\mathsf {swcom}$.

At a high level, protocol $\mathsf {svsh}$ proceeds in the same way as the weak commitment scheme $\mathsf {wcom}$, except that each blinder polynomial is now committed via an instance of $\mathsf {swcom}$. A happy set, $\mathsf {V}$, is formed in the same way. Two conflicting honest parties cannot belong to $\mathsf {V}$, implying all the honest parties in $\mathsf {V}$ are pairwise consistent and together define a unique symmetric bivariate polynomial, say $F'(x,y)$ and an underlying degree t univariate polynomial $f'(x) = F'(x,0)$, the latter of which is taken as D’s committed input. A crucial feature that $\mathsf {vsh}$ offers by enforcing the $\mathsf {W}$ set of every party in $\mathsf {V}$ to have an intersection of size at least $n-t$ with $\mathsf {V}$, is that the blinded polynomial of a corrupt party from $\mathsf {V}$ is consistent with $F'(x,y)$. This follows from the fact that the shares (pads) that the parties in $\mathsf {W}$ receive as a part of $\mathsf {wcom}$ remain unchanged, implying $n-2t\ge t+1 $ of the honest parties in $\mathsf {V}$ ensure the consistency of the blinded polynomial of the corrupt party. This feature crucially enables an honest party $P_i$ that lies outside $\mathsf {V}$ (in case of a corrupt dealer) to extract out her polynomial $f'_i(x) = F'(x,i)$ and thereby completing the double t-sharing of $f'(0)$. To reconstruct $f'_i(x)$, $P_i$ looks at the blinded polynomial of all the parties in $\mathsf {V}$ who kept her happy in their respective weak commitment instances (implying her share did not change). For each such party, the blinded polynomial evaluated at i and subtracted from $P_i$’s share/pad from the underlying $\mathsf {wcom}$ instance, allows $P_i$ to recover one value on $f'_i(x)$. All the honest parties in $\mathsf {V}$ (which is at least $t+1$) contribute to one value each, making sure $P_i$ has enough values to reconstruct $f'_i(x)$. A corrupt party in $\mathsf {V}$, being committed to the correct polynomial as per $F'(x,y)$, with respect to the parties in its $\mathsf {W}$ set, cannot inject a wrong value. Protocol $\mathsf {vsh}$, which realizes functionality $\mathcal {F}_{\mathsf {vsh}}$ (Theorem 8), is now described in Fig. 11. See the full version of this paper [7] for more details.

We point out that the error in the outputs of the honest parties in VSS are totally inherited from the underlying WC and in turn the ISS instances.

Theorem 8

Protocol $\mathsf {svsh}$ realises functionality $\mathcal {F}_{\mathsf {vsh}}$, except with probability $\epsilon $, tolerating a static adversary $\mathcal {A}$ corrupting t parties, possibly including the dealer D. Moreover, it is a statistically-correct and perfectly-secret protocol. Assuming the error probability of protocol $\mathsf {iSig}$ as $\epsilon _\mathsf {iSig}$, we have $\epsilon \le n(2t+1)^2\epsilon _\mathsf {iSig}$. The communication complexity is $\mathrm{poly}(n,\kappa ,\log |{\mathbb {F}}|)$, and the computational complexity is exponential in n and polynomial in $\kappa $ and $\log |{\mathbb {F}}|$.

It is easy to note that $\mathsf {svsh}$ generates $ [[ F(0,0) ]]$ via the set of polynomials $\big \{F(x,0),\{f_i(x)\}_{i \in \{1,\ldots , n \}}\big \}$. Plugging in the above VSS in the $\mathsf {deg2c}$ protocol, we get a 3-round MPC for degree-2 computation.

4.2 Cryptographic VSS and Computation of Any Single-Input Functions

We briefly recall the construction of [10]. In Round 1, D publicly commits to a symmetric bivariate polynomial F(x, y) using a NICOM and delivers the opening corresponding to $f_i(x) =F(x,i)$ to $P_i$. The commitments are computed in a way that simple public verification suffice for the checking of pairwise consistency between the common points (such as $f_i(j)$ and $f_j(i)$). To ensure that the commitments correspond to a polynomial of degree at most t in both x and y, it suffices if the honest parties (which are $n-t$ in number) confirm that their received polynomials are consistent with their commitments and they are of degree at most t. If this is not true, then $P_i$’s goal is to make D publicly reveal the polynomial consistent with the commitments in the second round. Towards realizing the goal, $P_i$ commits to a pad publicly and send the opening to D alone during Round 1. If D finds the opening inconsistent to the public commitment, then it turns unhappy towards $P_i$ and opens the commitments corresponding to $f_i(x)$ publicly. Otherwise, it blinds the opening of $f_i(x)$ using the pad and makes it public. When $P_i$’s check about $f_i(x)$ fails, she similarly turns unhappy with D and opens the pad which in turn unmask the opening for $f_i(x)$. A corrupt $P_i$ cannot change the pad and dismiss an honest D, owing to the binding property of NICOM. A corrupt D however may choose not to hand $P_i$ the correct $f_i(x)$ in Round 1 and reveal $f_i(x)$ correctly in Round 2. The above technique therefore makes the $f_i(x)$ that is consistent with the public commitment of D publicly known when D and $P_i$ are in conflict (and $P_i$ is honest).

In the cryptographic setting, the VSS of [10] has the special feature of making the share (the entire univariate polynomial) of a party public when they are in conflict. We can tweak the TSS protocol (Sect. 3.3) so that the shares for all the $t+3$ instances are made public for party $P_i$ in round 2, if $P_i$ is in conflict with D (which also includes the reason that $P_i$’s share do not satisfy the relation). This allows the public verification for corrupt parties in round 2 itself and thus TSS concludes in 2 rounds, like the VSS. We, in fact, can prove a stronger version of the result– any single-input function takes 2 rounds in cryptographic setting. TSS is a special case. We present this general result below. Plugging in the above VSS, and TSS in the $\mathsf {deg2c}$ protocol, we get a 3-round MPC for degree-2 computation.

Cryptographic MPC for Single-Input Functions. In this section, we obtain a 2-round protocol for every function whose outputs are determined by the input of a single party (single-input functions). This class of functions include important tasks such as distributed ZK and VSS. While a VSS protocol will be implied from our result from this section, we have separated out VSS in the previous section, as the VSS of [10] is used in a non-blackbox way for MPC for single-input functions.

[34] reduces secure computation of a single-input function to that of degree-2 polynomials and subsequently show a 2-round construct to evaluate the latter with perfect security and threshold $t < n/6$. In this work, we complement their reduction with a 2-round protocol to evaluate a degree-2 polynomial with threshold $t < n/3$ and relying on NICOMs. Let the sole input-owner be denoted as $D \in \mathsf {P}$, the inputs be $x^1,\ldots ,x^m$ and the degree-2 polynomial be p (in most general form, there can be a vector of such polynomials). Broadly, the goal is to compute 2t-sharing of $p(x^1,\ldots ,x^m)$ and reconstruct the secret relying on the guidance of D in 2 rounds. The protocol starts with D sharing all the inputs using m instances of VSS. For the guided reconstruction, D locally computes the shares $p(x^1_i,\ldots ,x^m_i)$ (p applied on the ith shares of the inputs) of the degree 2t polynomial holding $p(x^1,\ldots ,x^m)$ in the constant term and broadcasts all the n points. In Round 2, apart from the checks $P_i$ conducts inside the VSS instances, it also verifies if the broadcast of D is consistent with her received polynomials. If the check fails, then it becomes unhappy with D in all the instances and opens the pads distributed in the VSS instances to expose all the polynomials in her share. This allows public reconstruction of the correct $p(x^1_i,\ldots ,x^m_i)$. The reconstruction in Round 2 is then achieved simply by fitting a degree 2t polynomial over the values $p(x^1_i,\ldots ,x^m_i)$– (i) if $P_i$ is not in conflict with D, this value is taken from D’s broadcast (ii) otherwise, this value is publicly recomputed as explained. If there is no such 2t degree polynomial, then D is concluded to be corrupt and is discarded. An honest D will always broadcast the correct values $p(x^1_i,\ldots ,x^m_i)$ that lie on a 2t degree polynomial and a corrupt unhappy $P_i$ cannot open a different value than this (due to binding property of NICOM). Lastly, since these values correspond to a non-random 2t degree polynomial, they are randomized using a $ {\langle 0 \rangle } $ before broadcast. The $ {\langle 0 \rangle } $ sharing is created by D by running t additional instances of VSS.

We present the functionality and the protocol below, the security proof of the latter (Lemma 6) is deferred to the full version of this paper [7]. We assume the output is given to everyone for simplicity. For a function that outputs distinct values for the parties, say $y^i$ to $P_i$, the functionality can be modified to deliver $y^i$ to $P_i$. This can be implemented by D t-sharing ($[ \cdot ]$-sharing) a random pad, $pad^i$ for every party $P_i$, where the bivariate polynomial (used for sharing) and all the commitment opening are disclosed to $P_i$, who becomes unhappy when there is any inconsistency. D broadcasts masked values $p(x^1_j,\ldots ,x^m_j) + pad^i_j$ so that $y^i + pad^i$ gets publicly reconstructed and $y^i$ gets privately reconstructed by $P_i$ alone.

Lemma 6

Protocol $\mathsf {sif}$ realizes $\mathcal {F}_{\mathsf {sif}}$ tolerating a static adversary $\mathcal {A}$ corrupting t parties, relying on NICOM.

Notes

1.
The above description ignores some technical details such as output randomization which can be easily applied in the $\mathcal {F}_{\mathsf {poly}}$-SIFR model; see for example [5].
2.
Formally, this means that, in addition to standard statistical security, the output distribution of the simulator $\mathcal {S}$ in the ideal world and the output distribution of the adversary $\mathcal {A} $ in the real world are identically distributed. This additional property (which is common to all our positive results) does not seem to be very useful as a feature, but it indicates more accurately what is needed in order to bypass the lower-bounds in the perfect setting.
3.
As usual in such settings, the exponential dependency in the depth can be replaced by an exponential dependency in the (non-deterministic) branching-program complexity of f.
4.
The positive result can now be obtained by combining the simple 2-round VSS-hybrid protocol for quadratic functions (Theorem 1) with the 2-round perfect-VSS of [32] and with the completeness of degree-2 arithmetic functionalities [8]. The original proof from [5] was significantly more complicated since it relied on a weaker degree-2 completeness result that was applicable only over the binary field.
5.
The impossibility of three-round plain-model perfect protocols with resiliency $t\ge \left\lfloor (n-1)/4 \right\rfloor +1$ seems to be incomparable to the impossibility of two-round perfect SIFR-model protocols (Theorem 1). One could deduce the latter result from the former with the aid of two-round protocols for single-input functionalities with perfect resiliency of $t\ge \left\lfloor (n-1)/4 \right\rfloor +1$. However, such protocols do not exist even for the special case of the VSS functionality [32].
6.
We thank Yuval Ishai for pointing this out.

References

Agrawal, S.: Verifiable secret sharing in a total of three rounds. Inf. Process. Lett. 112(22), 856–859 (2012). https://doi.org/10.1016/j.ipl.2012.08.003
Article MathSciNet MATH Google Scholar
Ananth, P., Choudhuri, A.R., Goel, A., Jain, A.: Round-optimal secure multiparty computation with honest majority. In: Advances in Cryptology - CRYPTO 2018–38th Annual International Cryptology Conference Proceedings, Part II. pp. 395–424, Santa Barbara, CA, USA, August 19–23 (2018)
Google Scholar
Ananth, P., Choudhuri, A.R., Goel, A., Jain, A.: Two round information-theoretic MPC with malicious security. In: Advances in Cryptology - EUROCRYPT 2019–38th Annual International Conference on the Theory and Applications of Cryptographic Techniques Proceedings, Part II. pp. 532–561, Darmstadt, Germany, May 19–23(2019)
Google Scholar
Applebaum, B., Brakerski, Z., Tsabary, R.: Perfect secure computation in two rounds. In: Theory of Cryptography - 16th International Conference Proceedings, Part I. TCC 2018, pp. 152–174, Panaji, India, November 11–14 (2018)
Google Scholar
Applebaum, B., Brakerski, Z., Tsabary, R.: Degree 2 is complete for the round-complexity of malicious MPC. In: Advances in Cryptology - EUROCRYPT 2019–38th Annual International Conference on the Theory and Applications of Cryptographic Techniques Proceedings, Part II. pp. 504–531, Darmstadt, Germany, May 19–23(2019)
Google Scholar
Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in NC$^0$. SIAM J. Comput. 36(4), 845–888 (2006)
Article MathSciNet Google Scholar
Applebaum, B., Kachlon, E., Patra, A.: The resiliency of mpc with low interaction: The benefit of making errors (2020)
Google Scholar
Applebaum, B., Kachlon, E., Patra, A.: The round complexity of perfect mpc with active security and optimal resiliency. In: Proceedings of 61st FOCS (2020). https://eprint.iacr.org/2020/581
Asharov, G., Lindell, Y.: A full proof of the BGW protocol for perfectly secure multiparty computation. J. Cryptol. 30(1), 58–151 (2017)
Article MathSciNet Google Scholar
Backes, M., Kate, A., Patra, A.: Computational verifiable secret sharing revisited. In: Advances in Cryptology - ASIACRYPT 2011–17th International Conference on the Theory and Application of Cryptology and Information Security Proceedings. pp. 590–609, Seoul, South Korea, December 4–8 (2011)
Google Scholar
Badrinarayanan, S., Jain, A., Manohar, N., Sahai, A.: Secure MPC: laziness leads to GOD. IACR Cryptology ePrint Archive 2018, 580 (2018). https://eprint.iacr.org/2018/580
Bar-Ilan, J., Beaver, D.: Non-cryptographic fault-tolerant computing in constant number of rounds of interaction. In: Proceedings of the Eighth Annual ACM Symposium on Principles of Distributed Computing, pp. 201–209, Edmonton, Alberta, Canada, August 14–16 (1989)
Google Scholar
Barak, B., Ong, S.J., Vadhan, S.P.: Derandomization in cryptography. SIAM J. Comput. 37(2), 380–400 (2007). https://doi.org/10.1137/050641958
Article MathSciNet MATH Google Scholar
Beaver, D.: Efficient multiparty protocols using circuit randomization. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 420–432. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_34
Beaver, D.: Multiparty protocols tolerating half faulty processors. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 560–572. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_49
Chapter Google Scholar
Beaver, D., Feigenbaum, J., Kilian, J., Rogaway, P.: Security with low communication overhead. In: Advances in Cryptology - CRYPTO 1990, 10th Annual International Cryptology Conference, pp. 62–76, Santa Barbara, California, USA, August 11–15 (1990)
Google Scholar
Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: Proceedings of the 20th Annual ACM Symposium on Theory of Computing, pp. 1–10, Chicago, Illinois, USA, May 2–4 (1988)
Google Scholar
Blum, M.: Coin flipping by telephone. In: Advances in Cryptology: A Report on CRYPTO 81, CRYPTO 81, IEEE Workshop on Communications Security, pp. 11–15, Santa Barbara, California, USA, August 24–26 (1981)
Google Scholar
Canetti, R., Kilian, J., Petrank, E., Rosen, A.: Black-box concurrent zero-knowledge requires omega (log n) rounds. In: Proceedings on 33rd Annual ACM Symposium on Theory of Computing. pp. 570–579, Heraklion, Crete, Greece, July 6–8 (2001)
Google Scholar
Canetti, R., Rabin, T.: Fast asynchronous byzantine agreement with optimal resilience. In: Proceedings of the Twenty-Fifth Annual ACM Symposium on Theory of Computing. pp. 42–51, San Diego, CA, USA, May 16–18 (1993)
Google Scholar
Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols (extended abstract). In: Proceedings of the 20th Annual ACM Symposium on Theory of Computing, pp. 11–19, Chicago, Illinois, USA, May 2–4 (1988)
Google Scholar
Chor, B., Kushilevitz, E.: A zero-one law for boolean privacy. In: Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing. pp. 62–72. STOC 1989, Association for Computing Machinery, New York, USA (1989). https://doi.org/10.1145/73007.73013
Chor, B., Goldwasser, S., Micali, S., Awerbuch, B.: Verifiable secret sharing and achieving simultaneity in the presence of faults (extended abstract). In: 26th Annual Symposium on Foundations of Computer Science, Portland, Oregon, pp. 383–395 USA, October 21–23 (1985)
Google Scholar
Cleve, R.: Limits on the security of coin flips when half the processors are faulty (extended abstract). In: Proceedings of the 18th Annual ACM Symposium on Theory of Computing, pp. 364–369, Berkeley, California, USA, May 28–30 (1986)
Google Scholar
Cramer, R., Damgård, I., Dziembowski, S., Hirt, M., Rabin, T.: Efficient multiparty computations secure against an adaptive adversary. In: Advances in Cryptology - EUROCRYPT 1999, International Conference on the Theory and Application of Cryptographic Techniques, Prague, Czech Republic, pp. 311–326, May 2–6(1999)
Google Scholar
Cramer, R., Damgård, I., Maurer, U.M.: General secure multi-party computation from any linear secret-sharing scheme. In: Advances in Cryptology - EUROCRYPT 2000, International Conference on the Theory and Application of Cryptographic Techniques, pp. 316–334, Bruges, Belgium, May 14–18 (2000)
Google Scholar
Dolev, D., Reischuk, R.: Bounds on information exchange for byzantine agreement. J. ACM 32(1), 191–204 (1985)
Article MathSciNet Google Scholar
Feige, U., Kilian, J., Naor, M.: A minimal model for secure computation (extended abstract). In: Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, pp. 554–563, Montréal, Québec, Canada, May 23–25 (1994)
Google Scholar
Feldman, P., Micali, S.: Byzantine agreement in constant expected time (and trusting no one). In: 26th Annual Symposium on Foundations of Computer Science, pp. 267–276, Portland, Oregon, USA, October 21–23 (1985)
Google Scholar
Fitzi, M., Garay, J.A., Gollakota, S., Rangan, C.P., Srinathan, K.: Round-optimal and efficient verifiable secret sharing. In: Theory of Cryptography, Third Theory of Cryptography Conference, TCC 2006, pp. 329–342, New York, USA, March 4–7 (2006)
Google Scholar
Garg, S., Ishai, Y., Srinivasan, A.: Two-round mpc: information-theoretic and black-box. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11239, pp. 123–151. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03807-6_5
Chapter Google Scholar
Gennaro, R., Ishai, Y., Kushilevitz, E., Rabin, T.: The round complexity of verifiable secret sharing and secure multicast. In: Proceedings on 33rd Annual ACM Symposium on Theory of Computing, pp. 580–589, Heraklion, Crete, Greece, July 6–8 (2001)
Google Scholar
Gennaro, R., Ishai, Y., Kushilevitz, E., Rabin, T.: The round complexity of verifiable secret sharing and secure multicast. In: Proceedings of the thirty-third annual ACM symposium on Theory of computing. pp. 580–589. ACM (2001)
Google Scholar
Gennaro, R., Ishai, Y., Kushilevitz, E., Rabin, T.: On 2-round secure multiparty computation. In: Advances in Cryptology - CRYPTO 2002, 22nd Annual International Cryptology Conference, pp. 178–193, Santa Barbara, California, USA, August 18–22 (2002)
Google Scholar
Goldreich, O., Krawczyk, H.: On the composition of zero-knowledge proof systems. SIAM J. Comput. 25(1), 169–192 (1996)
Article MathSciNet Google Scholar
Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: Proceedings of the 21st Annual ACM Symposium on Theory of Computing, pp. 25–32, Seattle, Washigton, USA May 14–17 (1989)
Google Scholar
Ishai, Y., Kumaresan, R., Kushilevitz, E., Paskin-Cherniavsky, A.: Secure computation with minimal interaction, revisited. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 359–378. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_18
Chapter Google Scholar
Ishai, Y., Kushilevitz, E.: Private simultaneous messages protocols with applications. In: Fifth Israel Symposium on Theory of Computing and Systems, ISTCS 1997, pp. 174–184, Ramat-Gan, Israel, June 17–19 (1997)
Google Scholar
Ishai, Y., Kushilevitz, E.: Randomizing polynomials: A new representation with applications to round-efficient secure computation. In: 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, pp. 294–304, Redondo Beach, California, USA, November 12–14 (2000)
Google Scholar
Ishai, Y., Kushilevitz, E.: Perfect constant-round secure computation via perfect randomizing polynomials. In: Widmayer, P., Eidenbenz, S., Triguero, F., Morales, R., Conejo, R., Hennessy, M. (eds.) ICALP 2002. LNCS, vol. 2380, pp. 244–256. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45465-9_22
Chapter Google Scholar
Ishai, Y., Kushilevitz, E., Paskin, A.: Secure multiparty computation with minimal interaction. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 577–594. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_31
Chapter Google Scholar
Katz, J., Koo, C., Kumaresan, R.: Improving the round complexity of VSS in point-to-point networks. Inf. Comput. 207(8), 889–899 (2009)
Article MathSciNet Google Scholar
Kumaresan, R., Patra, A., Rangan, C.P.: The round complexity of verifiable secret sharing: the statistical case. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 431–447. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_25
Chapter Google Scholar
Lamport, L., Fischer, M.: Byzantine generals and transaction commit protocols. Technical Report 62, SRI International (1982)
Google Scholar
Moran, T., Naor, M., Segev, G.: An optimally fair coin toss. J. Cryptology 29(3), 491–513 (2016). https://doi.org/10.1007/s00145-015-9199-z
Article MathSciNet MATH Google Scholar
Patra, A., Choudhary, A., Rabin, T., Rangan, C.P.: The round complexity of verifiable secret sharing revisited. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 487–504. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_29
Chapter Google Scholar
Patra, A., Choudhary, A., Rangan, C.P.: Simple and efficient asynchronous byzantine agreement with optimal resilience. In: Proceedings of the 28th Annual ACM Symposium on Principles of Distributed Computing, PODC 2009, pp. 92–101, Calgary, Alberta, Canada, August 10–12 (2009)
Google Scholar
Patra, A., Rangan, C.P.: Communication and round efficient information checking protocol. CoRR abs/1004.3504 (2010). http://arxiv.org/abs/1004.3504
Patra, A., Ravi, D.: On the power of hybrid networks in multi-party computation. IEEE Trans. Inf. Theory 64(6), 4207–4227 (2018)
Article MathSciNet Google Scholar
Pease, M.C., Shostak, R.E., Lamport, L.: Reaching agreement in the presence of faults. J. ACM 27(2), 228–234 (1980)
Article MathSciNet Google Scholar
Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). In: Proceedings of the 21st Annual ACM Symposium on Theory of Computing, pp. 73–85, Seattle, Washigton, USA, May 14–17 (1989)
Google Scholar
Sander, T., Young, A.L., Yung, M.: Non-interactive cryptocomputing for NC1. In: 40th Annual Symposium on Foundations of Computer Science, FOCS 1999, pp. 554–567, New York, USA, October 17–18 (1999)
Google Scholar
Tompa, M., Woll, H.: How to share a secret with cheaters. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 261–265. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_20
Chapter Google Scholar
Unruh, D.: Everlasting multi-party computation. J. Cryptology 31(4), 965–1011 (2018). https://doi.org/10.1007/s00145-018-9278-z
Article MathSciNet MATH Google Scholar
Yao, A.C.: Theory and applications of trapdoor functions (extended abstract). In: 23rd Annual Symposium on Foundations of Computer Science, pp. 80–91, Chicago, Illinois, USA, November 3–5 (1982)
Google Scholar

Download references

Author information

Authors and Affiliations

Tel-Aviv University, Tel-Aviv, Israel
Benny Applebaum & Eliran Kachlon
Indian Institute of Science, Bangalore, India
Arpita Patra

Authors

Benny Applebaum
View author publications
You can also search for this author in PubMed Google Scholar
Eliran Kachlon
View author publications
You can also search for this author in PubMed Google Scholar
Arpita Patra
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Eliran Kachlon .

Editor information

Editors and Affiliations

Cornell Tech, New York, NY, USA
Rafael Pass
Institute of Science and Technology Austria, Klosterneuburg, Austria
Krzysztof Pietrzak

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Applebaum, B., Kachlon, E., Patra, A. (2020). The Resiliency of MPC with Low Interaction: The Benefit of Making Errors (Extended Abstract). In: Pass, R., Pietrzak, K. (eds) Theory of Cryptography. TCC 2020. Lecture Notes in Computer Science(), vol 12551. Springer, Cham. https://doi.org/10.1007/978-3-030-64378-2_20

Download citation

DOI: https://doi.org/10.1007/978-3-030-64378-2_20
Published: 09 December 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64377-5
Online ISBN: 978-3-030-64378-2
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)