Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Secure multi-party computation (MPC) is one of the central topics around which modern cryptography has been shaped. Research in MPC has led to major innovations in cryptography, including effective definitional approaches (e.g., simulation-based security [16, 17]), powerful and vastly applicable algorithmic techniques (starting with secret-sharing [29] and garbling schemes [31]), sharp impossibility results (e.g., [9]) and even several cryptographic concepts ahead of their time (like fully-homomorphic encryption [30]). Significantly, in recent years, some of these results have started moving from theory to practice, spurring significant further theoretical and engineering effort to optimize their performance and usability.

Over 35 years of active research, MPC has grown into a rich and complex topic, with many incomparable flavors and numerous protocols and techniques. Indeed, just cataloguing the state of the art results is a non-trivial research project in itself, as exemplified by the recent work of Perry et al. [26], which proposes classifying the existing protocols using 22 dimensions.

This diversity of models and questions forms a wide spectrum of possible tradeoffs between functionality, security, and efficiency, which partially explains the massive amount of research in the area. But this diversity also poses the risk of misdirected research efforts. For instance, if a new technique is introduced in order to obtain an efficiency improvement in one model, it is not clear a-priori to which other models the same technique may apply; and even when the same technique directly applies to other models, one typically needs to manually modify protocols and their analysis to ensure it.

While developing and maintaining a systematic database like the one in [26] is certainly helpful, we propose a complementary approach to taming the complex landscape of MPC protocols. Our approach is to relate the various flavors of MPC problems to each other by means of general protocol transformations. More concretely, our work studies the following high level question:

To what extent can results in one MPC model be “automatically” transformed to other models?

This question is motivated by the following goals.

  • Simplicity. The current proofs of the main feasibility results in the area of MPC are quite involved, and results for different models share few common ingredients. We would like to obtain a simpler and more modular joint derivation of different feasibility results from the 1980s [3, 7, 16, 25, 27, 32], which were originally proved using very different techniques.

  • Efficiency. Despite a lot of progress on the efficiency of MPC, there are still significant gaps between the efficiency of the best known protocols in different models. For instance, viewing the number of parties n as a constant, n-party protocols that offer full-security (with guaranteed output delivery) against \(t<n/2\) malicious parties [10, 27] are asymptotically less efficient compared to similar protocols with security against \(t<n/3\) parties [3], or even to protocols that offer “security with abort” against \(t<n\) malicious parties [22].

A classical example of a general protocol transformation is the well known “GMW compiler,” [16], which transforms any MPC protocol that offers security against passive corruptions into one that offers security against active corruptions, with the help of zero-knowledge proofs. Considering that this transformation has been behind several subsequent feasibility results, one may legitimately consider that the GMW transformation is as important as – if not more important than – the GMW protocol itself is, as an object of study. More recent examples include the IKOS transformation using “MPC-in-the-head” [20] and the IPS transformation that combines player-virtualization with “watchlists” [22]. Common to all these techniques is the idea that they generically transform any set of protocols that are secure for some (“easier”) flavors of MPC into a protocol that is secure for another (“harder”) flavor.

While these previous results demonstrate the plausibility of general MPC protocol transformations in some interesting cases, they are still far from covering the space of all desirable transformations between different MPC models and leave open several natural questions.

In this work, we initiate a systematic study of such MPC protocol transformations. We define a framework to formalize these transformations, and present a few positive and negative results. We are interested in obtaining conceptually simpler alternative proofs for known feasibility results by means of new transformations, as well as in obtaining new results. We now discuss the goals of this research in more detail.

The main theoretical motivation for studying protocol transformations is that they highlight the essential new challenges presented in a harder flavor of MPC compared to an easier flavor. For instance, the GMW-transformation distilled out verifying claims in zero-knowledge as the essential challenge in moving from semi-honest security to security against active corruption. As another example, in this work, we present a new transformation, that can recover the classical feasibility result of Rabin and Ben-Or [27] regarding security with guaranteed output delivery with an honest majority, from two simpler feasibility results (both of which were solved in [3, 7]): (i) security against passive corruption with an honest majority and (ii) security with guaranteed output delivery but only with an arbitrarily large fraction of honest parties. We identify achieving an intermediate security notion – security with partially identifiable abort – as the key challenge in this transformation.

As noted above, another important motivation behind studying protocol transformations is the possibility of efficiency improvements. On the face of it, protocol transformations are not ideal for obtaining efficient protocols, as one can hope to obtain extra efficiency by engineering fine details of the protocols as applicable to the specific flavor of MPC. While that may indeed be true, a protocol transformation can leverage advances in one flavor of MPC to obtain efficiency improvements in another flavor. As it turns out, this lets us obtain several new asymptotic efficiency results based on a single new transformation. Considering that efficiency of MPC is a well-studied area, obtaining several new result at once illustrates the power of such transformations.

There are other practical and theoretical motivations that led to this work, which we mention below.

From a pragmatic point of view, understanding the connections across flavors of MPC will help in modular implementations of protocols. Indeed, the implementation of a transformation from one flavor to another would tend to be significantly simpler than an entire protocol in the latter flavor, specified and implemented from scratch.

Roles of important techniques can often be encapsulated as transformations among appropriate intermediate security notions (e.g., “player elimination” can be encapsulated as implementing a transformation from “identifiable-abort-security” to full-security). In the absence of such abstraction, these techniques remain enmeshed within more complex protocols, and may not benefit from research focus that a transformation can attract.

More generally, transformations are important in reducing duplicated research effort. For instance, if a new technique is introduced in order to obtain an efficiency improvement in one model, it is not clear a priori to which other models the same technique may apply; and even when the same technique directly applies to other models, one typically needs to manually modify protocols and their analysis to ensure it. On the other hand, if generic transformations are available across models, techniques can be easily adapted across models.

Finally, a theoretical framework is necessary to understand the limitations of protocol transformations, via formal impossibility theorems. Indeed, without a rigorous notion of “black-box” transformations, it is not clear how to rule out the possibility of a “transformation” which simply discards the protocol it is given and builds one from scratch. This is especially the case for unconditional security, where the standard notions of black-box use of computational assumptions are not helpful in differentiating a legitimate transformation from one which builds its own (unconditionally secure) protocol from scratch.

A Motivating Example. As an illustration of the use of protocol transformations in simplifying the landscape of MPC protocols, we consider two protocol schemes from Goldreich’s book [15, Chapter 7]. The first one obtains (stand-alone) security-with-abort against arbitrary number of corruptions by an active, probabilistic polynomial time (PPT) adversaryFootnote 1 (under standard cryptographic assumptions), for general function evaluation, in a model with broadcast channels only. The second one obtains full-security (i.e., guaranteed output delivery) in the same setting, but restricting the adversary to corrupt less than half the parties. Both these protocol schemes are obtained using the GMW transformation. However, the latter feasibility result does not take advantage of the former, but instead uses verifiable secret-sharing (VSS) and several other techniques to achieve full-security, while retaining certain elements from the previous construction.

We point out that in fact, one could avoid the duplicated effort by giving a protocol transformation from the former flavor to the latter flavor of MPC. For this, we abstract out a slightly stronger security guarantee provided by the first protocol: while it allows an adversary to abort the protocol after learning its own input, aborting always leads to identification of at least one party that is corrupted by the adversary. This notion of security is often referred to as security with identifiable-abort [21]. In Sect. 4.1, we show that one can easily transform such a protocol into a protocol with full-security.

Security Augmentation and Efficiency Leveraging. Typically, an MPC protocol transformation falls into one of two broad (informally defined) classes: security augmentation and efficiency leveraging. Security augmentation refers to building MPC protocols with strong security guarantees by transforming MPC protocols with weaker security guarantees. The IPS compiler [22] is an instance of security augmentation. Efficiency leveraging, on the other hand, aims to improve the efficiency of MPC protocols, without necessarily increasing their security guarantee. In such a transformation, the original (inefficient) protocol will typically be used on a “small” sub-computation task, in combination with other cheaper (but less secure) protocols applied to the original “large” computation task. The goal of the sub-computation task is usually to ensure that the strong attacks on the final protocol has the effect of weak attacks on an execution of the cheaper, less secure protocol. An instance of efficiency leveraging is given by Bracha’s transformation [5], in which the strength of the security guarantee corresponds to the corruption-threshold (i.e., what fraction of parties are corrupted) that can be tolerated.

1.1 Our Contributions

Framework. Firstly, we formalize the notion of a Black-Box Transformation (\(\text {BBT}\)) from protocol schemes satisfying some security (or efficiency) requirements to a protocol scheme satisfying some other requirements.Footnote 2 Towards this, we formalize notions like protocol schemes (which map functionalities to protocols) and security definitions (which are just sets of pairs of functionalities and protocols), all in a fairly abstract fashion. A \(\text {BBT}\) itself is modeled using a circuit that describes a protocol’s structure as a program built from various components.

The framework is general enough to cast all of the above mentioned transformation (GMW, Bracha, IKOS and IPS) as instances of \(\text {BBT}\).

We remark that we treat security notions highly abstractly, and do not impose any conditions on how security is proven. However, in all our positive results and examples, security definitions use a simulation paradigm, and one could define a “fully” blackbox transformation by requiring that the simulator of the protcol resulting from the transformation be constructed in a black-box manner from the simulators of the given protocols. For the sake of simplicity, and to keep the focus on the structure of the constructions rather than on the proofs of security, we do not formally include this restriction in our definition of \(\text {BBT}\). We also point out that this strengthens our impossibility results.

New Transformations and Consequences. We present a new transformation which can be used to obtain known and new results about (information-theoretically) secure MPC for general function evaluation, with guaranteed output delivery, given an honest-majority and a broadcast channel. Our transformation yields such an MPC scheme starting from two protocol schemes – one achieving full-security, but for a lower threshold (\(\beta n\) corruption threshold, for some \(\beta >0\)) and one achieving semi-honest security under honest-majority (Corollary 1). (See the next section for an overview of the transformation, and the various intermediate transformations that lead to it.) From this transformation we obtain the following results:

  1. 1.

    We readily obtain the result of Rabin and Ben-Or [27] as a consequence of the earlier work of Ben-Or et al. and Chaum et al. [3, 7], via the above transformation.

  2. 2.

    We obtain the first “constant-rate” MPC protocol scheme with guaranteed output delivery against corruption of less than n / 2 parties, provided the number of parties is constant (Corollary 2). That is, the total communication in this protocol is at most \(c_n |C|\), where C is the circuit representation of the function, and \(c_n\) is a constant independent of the security parameter and C but dependent only on the number of parties. This result is obtained – following the lead of [22]Footnote 3 – by applying our transformation to the scheme of [12] (combined with a secret-sharing scheme due to [8]) and the semi-honest secure scheme of [3].

  3. 3.

    Next, we present an efficiency leveraging transformation, which is designed to improve the efficiency of a protocol scheme with full-security, by combining it with a (cheaper) protocol which achieves security-with-abort (Theorem 8). By applying this transformation to the above protocol with full-security and an efficient protocol with security-with-abort from [14], we obtain a “scalable” MPC protocol with full-security and optimal corruption-threshold – i.e., tolerating corruption of less than n / 2 parties (Corollary 3).Footnote 4 For an arguably natural class of functions (namely, sequential computations, where the size of a circuit implementing the function is comparable to its depth), this is the first scalable protocol with full-security and optimal threshold (complementing a result of [4], which obtains similar efficiency for circuits which are of relatively low depth).

  4. 4.

    We present an efficient new transformation from two-party protocols in the OT-hybrid or OLE-hybrid model that offer security against passive corruptions to zero-knowledge proofs in the commitment-hybrid model, improving over a recent similar transformation of Hazay and Venkitasubramaniam [18] for the case of static zero-knowledge. (We note that the IKOS transformation for protocols in such hybrid models requires at least 3 parties.) The transformation from [18] cannot be applied in the OLE-hybrid model, and when applied to natural protocols in the OT-hybrid model such as the GMW protocol, it requires several separate commitments for each gate in the circuit. Our transformation for the OLE-hybrid model can be applied towards efficient zero-knowledge proofs for arithmetic circuits and in both hybrids our transformation requires just a constant number of commitments overall (for a constant soundness error). This transformation may have relevance to the recent line of work on practical zero-knowledge proofs initiated in [24]. In contrast to [18], we do not consider here the goal of adaptive zero-knowledge in the plain model.

  5. 5.

    Our final application considers the problem of relaxing the corruption threshold from the optimal n / 2 to \(n(\nicefrac 12-\epsilon )\), for any constant \(\epsilon >0\). In this case, we obtain a highly scalable protocol in which the total communication for evaluating a circuit C is \(\tilde{O}(|C|)\), ignoring additive terms that depend on the number of parties, but not the size of the circuit (Corollary 4). This improves over a result of [13].Footnote 5 For this, we apply Bracha’s transformation [5] to one of the above protocols. Specifically, we use Bracha’s transformation to combine an outer protocol that has a relatively low corruption threshold but is highly scalable with respect to communication and computation (in our case the one from [13]), and an inner protocol with optimal threshold (in our case, the one from item 2 above), to obtain a protocol with a near-optimal threshold.

Impossibility Results. One may ask if security against active corruption can solely be based on security against semi-honest adversaries. Such questions can be formalized as questions about the existence of a \(\text {BBT}\). We present two impossibility results:

  1. 1.

    We consider the question of functionally-black-box protocol schemes, introduced by Rosulek [28]. (This is a special case of protocol transformations where no protocol scheme is provided to the transformation.) Rosulek demonstrated a two-party functionality family for which there is no functionally black-box protocol, assuming the existence of one-way functions. We present an unconditional version of this result (Theorem 1).

  2. 2.

    We show a functionality family – namely, zero-knowledge proof functionalities – for which there is no \(\text {BBT}\) from semi-honest security to security (with abort) against active adversaries (Theorem 2).

We remark that the proof of our second result breaks down if we expanded the family of functionalities from ZK functionalities to all efficient functionalities. We leave it as an important open problem to prove broader impossibility results for general computation (in which the family considered is the family of all functionalities).

1.2 Technical Overview

Black-Box Transformations. We make precise a notion of a black-box transformation among protocol schemes. Given a functionality f, a black-box transformation can define new functionalities (which are syntactically just programs) that access f in a black-box manner. Then, it can invoke a given protocol scheme on any such functionality, to obtain a protocol (which is, again, a program). The transformation can repeat these steps of defining new functionalities in terms of programs it already has, and of invoking given protocol schemes on such functionalities any number of times. At the end, it outputs one of the programs as its protocol.

We point out that the “protocol step” (invoking a protocol scheme on a functionality) is not limited to using the functionality as a black-box. However, it is a black-box step in the sense that the transformation can be instantiated with any protocol scheme with the requisite security guarantees.

Example: IPS Transformation. An example of a black-box transformation (that we shall build on later) is the IPS transformation [22]. We shall graphically represent a transformation using a circuit diagram like the one in Fig. 1.

Fig. 1.
figure 1

Black-Box Transformation in the IPS compiler

Full size image

Here, each rectangular node (labeled \(T^{\mathrm {IPS}}_{0}\), \(T^{\mathrm {IPS}}_{1}\) and \(T^{\mathrm {IPS}}_{2}\)) outputs a program which makes black-box access to one or more programs input to that node. \(T^{\mathrm {IPS}}_{0}\) converts an n-party functionality f into a functionality \(f_\mathrm {out}\) involving n “clients” and N “servers”. \(T^{\mathrm {IPS}}_{1}\) defines \(f_\mathrm {in}\) to be an n-party functionality in which the trusted party carries out the program of a server in the protocol \(\pi _{\mathrm {out}}\). The bulk of the compiler is part of the transformation \(T^{\mathrm {IPS}}_{2}\), which combines the programs of two protocols \(\pi _{\mathrm {out}}\) and \(\pi _{\mathrm {in}}\) in a black-box way to define the final protocol.

The diagram also shows two other nodes, labeled \({\varLambda _{{{{\beta }{{\mathsf{\text {-}full}}}}}}}\) and \({\varLambda _{{{\mathsf{sh/}}} {\mathsf{OT}} }}\), each of which take as input a functionality (\(f_\mathrm {out}\) and \(f_\mathrm {in}\) resp.) and produces a protocol (\(\pi _\mathrm {out}\) and \(\pi _\mathrm {in}\) resp.). The labels on the nodes indicate the security guarantees required of these protocols (security against active corruption of strictly less than a \(\beta >0\) fraction of the parties, and security against semi-honest corruption, in the OT hybrid model resp.). [22] show that irrespective of what protocol schemes are used to define the protocols produced by these nodes, as long as those schemes meet the required security conditions, the resulting protocol will be a protocol for f with security against active corruption of any number of parties.

Table 1. A summary of the main black-box transformations in this paper. The first column lists the type of the protocol scheme(s) given, and the second column lists the type of protocol scheme obtained. t stands for the number of parties that can be corrupted. \({{{\mathsf{id}}} _{\alpha }} \)-security denotes partially-identifiable-abort security, in which, in the event of an abort, a set of parties, at least \(\alpha \) fraction of which are corrupt, is identified by all honest parties. \({{\mathsf{sh}}} \)-security stands for security against semi-honest corruption, \({\mathsf{abort}}\) and \({\mathsf{full}}\)-security stand for security against active corruption, with the latter having guaranteed output delivery.
Full size table

New Transformations. We present several new transformations, some of which are summarized in Table 1. In particular, we show how to transform a low-threshold fully-secure protocol scheme and a high/optimal-threshold semi-honest secure protocol scheme to a high/optimal-threshold protocol with full-security (presented as Corollary 1). The main step is to achieve a weaker notion of security (called “security with partially-identifiable-abort”) against the same high fraction of corruption. Then, we show how a protocol with partially-identifiable-abort security can be transformed to one with full-security.

The second of these two transformations turns out to be easy, using “Error-Correcting Secret-Sharing” or ECSS (also known as robust secret-sharing) [6], which can be realized easily using ordinary Secret-Sharing and one-time message authentication codes (MAC) (see the full version). Partially-identifiable-abort-security allows us to perform, in case of an abort, a player elimination process, so that an honest majority is maintained. By carrying this out not on the original function, but on a function which accepts ECSS-shared inputs and produces ECSS-shared outputs, we show how to obtain full-security. The more challenging transformations is obtaining partially-identifiable-abort-security in the first place, as discussed below.

Obtaining Partially-Identifiable-Abort Security. This transformation is based on the IPS transformation [22] which, however, was not designed for the setting with an honest majority. Hence, it relied on an OT-hybrid model, and could obtain only “security with abort.” We modify this transformation in a couple of ways to obtain partially-identifiable-abort security in the honest-majority setting, in the plain model (with a broadcast channel). There are two major modifications we introduce, summarized below.

Watchlist Channels in the Plain Model. An important aspect of the IPS transformation is a collection of “watchlist channels” used by each party to monitor secretly chosen instances of a semi-honest secure inner protocol. In the IPS transformation, Rabin OT is used to implement the watchlist channel. Instead, we rely on a weaker variant, \(\widetilde{{\mathsf{OT}}}\), which we can directly implement in the honest-majority setting (without even broadcast channels), using Shamir’s secret-sharing. \(\widetilde{{\mathsf{OT}}}\) allows an adversary to selectively cause aborts when there is no erasure. The reason this suffices for building a watchlist channel is that this functionality will be applied to random inputs, and when an abort occurs, we can safely identify a pair of inconsistent parties – at least one of which is corrupt – by having all parties reveal their views in the protocol (over a broadcast channel).Footnote 6

Obtaining Partially-Identifiable Abort Instead of Abort. In the original IPS transformation, even if the outer protocol has security with guaranteed output delivery, the final protocol offers only security with abort (without any identification of the corrupt parties). This is due to the fact that when a party detects an inconsistency, it simply aborts the protocol. In the setting with honest majority, we show how to modify the IPS transformation, so as to obtain partially-identifiable abort, such that a set of two parties can be identified of which at least one is guaranteed to be corrupt.

Consider when \(P_i\) detects an inconsistency in the messages reported over a watchlist channel that it has access to, in an inner protocol session. In this case, \(P_i\) cannot exactly identify the source of inconsistency, but only localize it to a pair of parties \(P_{i_1},P_{i_2}\), one of which is corrupt. However, since \(P_i\) itself could be a corrupt party, at this point the honest parties can agree on one of \((P_i,P_{i_1},P_{i_2})\) being corrupt. But being able to identify a set in which only 1 / 3 fraction is guaranteed to be corrupt falls below our required guarantee of 1 out of 2 being corrupt.

To further localize corruption, we require all the parties to broadcast their views in the inner-protocol session in which an inconsistency was detected, as they had earlier communicated over the watchlist channel to \(P_i\). If an inconsistency is detected among the broadcast views, then all parties can identify a pair \((P_{i_1},P_{i_2})\) which are inconsistent with each other. On the other hand, if all the views that are broadcast are consistent with each other, then, if \(P_i\) had indeed observed an inconsistency earlier, it can point out one party \(P_{i_1}\) which reported a view over the watchlist channel different from the one it reported over the broadcast channel. Then \(P_i\) is required to broadcast this party’s identity, and all parties agree on the pair \((P_i,P_{i_1})\).

To see that this transformation retains security, note that by causing an abort, the adversary can cause at most one server’s computation to be revealed over the broadcast channel. This corresponds to the adversary corrupting one extra server in the outer protocol. Since the choice of parameters in the IPS compiler leaves a comfortable margin for the number of server corruptions, this does not affect the overall security.

Efficiency Improvements. When considering a non-constant number of parties, there are a couple of major sources of inefficiency in the transformation above, which we can address.

Firstly, in the transformation from partially-identifiable-abort security to full security, the protocol could be restarted \(\varTheta (n)\) times. To avoid this overhead, we require the function to be given in the form of a composition of \(\varTheta (n)\) functions (for instance, a layered circuit with \(\varTheta (n)\) layers), each one of approximately the same size complexity. Then, one can restrict the duplicated effort for each restart to correspond to a single component, and can ensure that overall O(n) restarts can only about double the cost.

Secondly, in the IPS compiler, every party can potentially watch every inner protocol session. This requires that all the communication in each inner-protocol session is sent out (encrypted with one-time pads) to all the n parties. To avoid this overhead, we can use an expander graph to define which parties may watch the execution of which servers. Specifically, we can use an expander graph between the set of parties and the set of servers in the outer protocol, in which the degree of each server is a constant, but any subset of n / 2 parties has in its neighborhood (i.e., will potentially watch) almost all of the servers. Thus, the communication in each inner-protocol session (corresponding to the servers in the outer protocol) is sent out to only a constant number of parties.

Efficiency Leveraging: Transformations for Improving Efficiency. We present a new instance of efficiency leveraging, in which an MPC protocol scheme with full-security is “extended” by leveraging the efficiency of cheaper MPC protocols which only offer security with abort. Specifically, we show how to combine a protocol which guarantees only security with abort given an honest majority (e.g., from [14]) and a protocol with full-security given honest majority (like the one we constructed above) to obtain one which approaches the efficiency of the former protocol while enjoying full-security like the latter.

The basic idea is simple. We can obtain a protocol with \(\nicefrac 12\)-identifiable-abort security as follows: given a functionality, we will run a protocol with security-with-abort to compute it; if the protocol terminates without aborting (as confirmed with the help of broadcast messages), then our protocol terminates successfully. If it aborts, then we run an (inefficient) MPC protocol with full-security for a functionality which accepts the views in the first protocol and detects a pair of parties with conflicting views, at least one of which is corrupt (if no conflict is detected, then a party who aborted in the first place can be identified as a corrupt party, since, as part of the security guarantees, we shall require zero probability for abort if all parties run honestly). To make this idea work, we need to ensure that the inefficient MPC is called only on a small piece of computation. With appropriate parameters for decomposition of the function, this indeed gives new asymptotic results (for relatively “narrow” circuits).

Negative Results. We prove two negative results. Firstly, we show that there is a function family \({\mathcal F}\) such that there is no “functionally blackbox” protocol scheme [28] for \({\mathcal F}\) (even for semi-honest security). The family \({\mathcal F}\) consists of boolean functions of the form \(f_\alpha \), where \(\alpha \in \{0,1\}^k\) and \(f_\alpha (x,y)=1\) if and only if \(x\oplus y = \alpha \).

Our second negative result shows a function family \({\mathcal G}\) such that semi-honest secure protocol schemes for \({\mathcal G}\) cannot be converted in a blackbox manner to protocols with active security (with abort). We choose \({\mathcal G}\) to be the family of zero-knowledge proofs for a class of relations. Then, there is a semi-honest secure protocol for \({\mathcal G}\) which only accesses the given functionality \(f\in {\mathcal G} \) in a blackbox manner. Hence, a blackbox transformation from semi-honest secure protocol schemes to schemes with active security translates to a functionally blackbox protocol scheme for \({\mathcal G}\) with active security.

To complete the proof, we show how to define \({\mathcal G}\) (assuming the existence of a pseudorandom function) such that there is no active secure, functionally blackbox protocol scheme for \({\mathcal G}\).

1.3 Organization of the Paper

The rest of the paper is organized as follows (with some of the details deferred to the full version). Section 2 includes several basic definitions of the framework, and Sect. 3 defines the notion of a blackbox transformation. In Sect. 4, we give some simple transformations, including a new transformation that improves on a recent result by [18]. Section 5 presents two impossibility results regarding blackbox transformations. Section 6 through Sect. 8 present several transformations, which are summarized in Table 1. Section 9 presents the results we obtain by applying these transformations to protocol schemes in the literature.

2 Preliminaries

The basic objects in our framework are protocols. Technically, a protocol is specified by a single program (say, Turing Machine) for the “next-message function” of all the parties in the protocol (formally defined in the full version). We shall write \(\varPi \) to denote the set of all protocols.

A functionality is technically just a special instance of a protocol, involving a trusted party. We often abuse our notation and refer to the trusted party’s program as the functionality. We shall often refer to a functionality family \({\mathcal F}\), which is simply a set of functionalities, i.e., \({\mathcal F} \subseteq \varPi \). We denote the family of all probabilistic polynomial time computable secure function evaluation functionalities by \({\mathcal F}^*\) (represented by circuits).

We use a synchronous model of communication (with rushing adversaries), so that all parties in a protocol proceed in a round-by-round fashion. Note that this is applicable to ideal functionalities too. However, typically we are not interested in the exact number of rounds in the ideal functionality, as long as it finishes within a polynomial number of rounds.

Table 2. Terminology used for guarantees from protocols.
Full size table

2.1 Security Definitions

Technically, a security definition for a functionality family \({\mathcal F}\) is formalized as a relation \(\varLambda \subseteq {\mathcal F} \times \varPi \). The intention is that \((f,\pi )\in \varLambda \) iff \(\pi \) is a secure protocol for f. For a security notion named \({\mathsf{secure}}\), the corresponding relation will typically be written as \(\varLambda _{{\mathsf{secure}}} \).

In Table 2 we name some of the main security definitions considered in our results. For instance, \({\varLambda _{{{{\alpha }{{\mathsf{\text {-}full}}}}}/{\mathsf{BC}}}^{{\mathcal F}}} \) includes all pairs \((f,\pi )\) such that f is a functionality in the family \({\mathcal F}\), and \(\pi \) is a UC-secure protocol with guaranteed output delivery (within a polynomial number of rounds), against computationally unbounded adversaries who may adaptively corrupt strictly less than \(\alpha \) fraction of the parties, and BC means that the protocol uses a broadcast channel. In all our security notions, for simplicity of our transformations, we require that an honest party aborts the protocol only if there is no possible honest execution of the protocol that is consistent with its view. We also define a security notion generalizing the notion of security with identifiable abort:

Security with \(\theta \) -Identifiable Abort. Given a functionality f, we define a functionality \({f}^{\langle {{{{\mathsf{id}}} _{\theta }} }\rangle } \) to formalize the notion of security with \(\theta \)-identifiable abort. As defined in the full version, we require the functionalities to be in a normal form, involving a computation phase and an output delivery phase.

figure a

2.2 Protocol Schemes

A protocol scheme maps a functionality to a protocol (with a desired security property).

Definition 1

( \(\varLambda \) -scheme). \(\mathcal P:{\mathcal F} \rightarrow \varPi \) is said to be a \(\varLambda \) -scheme if \({\mathcal F}\) is a functionality family such that \(\varLambda \subseteq {\mathcal F}^* \times \varPi \), and for every \(f\in {\mathcal F} \), \((f,\mathcal P (f))\in \varLambda \).

For example, the semi-honest BGW-protocol scheme is a \({\varLambda _{{{{\alpha }{{\mathsf{\text {-}sh}}}}}}^{{\mathcal F}}}\)-scheme where \({\mathcal F}\) is the family of all circuit-evaluation functionalities and \(\alpha =\frac{1}{2}\). Typical protocol schemes are uniform, in that there is a Turing Machine which, on input a standardized description of f, for \(f\in {\mathcal F} \), outputs the code of \(\mathcal P (f)\).

Complexity Notation. To discuss asymptotic efficiency guarantees of protocol schemes, we augment the notation for security definitions to include protocols’ communication (and sometimes, computational) cost. Typically, a protocol’s complexity is measured as a function of some complexity measure of the functionality f that it is realizing, as well as the number of parties n and the security parameter k of the protocol execution. For each functionality family, we shall require a cost measure \({\mathsf{size}}:{\mathcal F} \rightarrow \mathbb Z ^+\), that maps \(f\in {\mathcal F} \) to a positive integer. We stress that a functionality f denotes a specific implementation (of a trusted party in a protocol), and so there can be different \(f\in {\mathcal F} \) which are all functionally equivalent, but with differing values of \({\mathsf{size}} (f)\).

To capture the typical efficiency guarantees in the literature, we define a \({p}{\text {-}}{{\varLambda _{{{\mathsf{secure}}}}^{{\mathcal F}}}} \) scheme as a \({\varLambda _{{{\mathsf{secure}}}}^{{\mathcal F}}} \) scheme \(\mathcal P\) such that for any \(f\in {\mathcal F} \), \(\mathcal P (f)\) is a protocol whose communication cost (for n parties, and security parameter k) is

$$\begin{aligned} O(p(n,k) \cdot {\mathsf{size}} (f) + \mathrm {poly} (n,k)). \end{aligned}$$
(1)

For typical functionality families \({\mathcal F}\), a functionality \(f\in {\mathcal F} \) is represented as a circuit \(C_f\), and \({\mathsf{size}} (f)\) is the size of \(C_f\). The function p(nk) reflects the multiplicative overhead of secure computation, on top of the size of the (insecure) computation.

Often, protocol schemes which offer a smaller value for p(nk) incur additive costs. To denote protocol schemes with such complexities, we use a more detailed notation: \({(p,q,r;{\mathsf{D}})}{\text {-}}{{\varLambda _{{{\mathsf{secure}}}}^{{\mathcal F}}}} \) schemes are \({\varLambda _{{{\mathsf{secure}}}}^{{\mathcal F}}} \) schemes \(\mathcal P \) such that for all \(f\in {\mathcal F} \), the communication cost of \(\mathcal P (f)\) is \(O(p(n,k) \cdot {\mathsf{size}} (f) + \mathrm {poly} (n,k)\cdot {\mathsf{D}} (f))\), its computation cost is \(O(q(n,k) \cdot {\mathsf{size}} (f) + \mathrm {poly} (n,k)\cdot {\mathsf{D}} (f))\), and its randomness cost is \(O(r(n,k) \cdot {\mathsf{size}} (f) + \mathrm {poly} (n,k)\cdot {\mathsf{D}} (f))\). Here \({\mathsf{D}} \) is a secondary cost measure – typically the depth of the circuit \(C_f\) – which is often much smaller than \({\mathsf{size}} (f)\). We omit \({\mathsf{D}}\) to indicate that \({\mathsf{D}} (f)\) is a constant and omit q and/or r to leave them as unspecified \(\mathrm {poly} (n,k)\) functions. We omit \({\mathcal F} \) if it equals \({\mathcal F}^* \), the family of all probabilistic polynomial time function evaluation functionalities.

For functionality families using circuit representation, a traditional choice for \({\mathsf{D}}\) is \({\mathsf{depth}}\): \({\mathsf{depth}} (f)\) denotes the depth of the circuit \(C_f\) representing f. We shall find it useful to define another function \({\mathsf{width}}\), defined as follows. For any topological sorting of the gates in the circuit, define a sorted-cut as a partition of the gates into two sets so that all the gates in one part appear before any gate in the other part, in the topologically sorted order; the max-sorted-cut for a sort order is the maximum number of wires crossing a sorted-cut. \({\mathsf{width}} (f)\) is the value of the max-sorted-cut of \(C_f\) minimized over all topological sorts of \(C_f\). (Alternately, we could require the topological sort to be part of the circuit specification. In this case, an appropriate model of computation would be a linear bijection straight-line program [2], and \({\mathsf{width}}\) would correspond to the number of “registers” in the program.)

For protocol schemes providing partially-identifiable security, like \({{\alpha }{{\mathsf{\text {-}id}}}} \)-schemes, we sometimes want to distinguish the cost of an execution without an abort event and that with an abort event (and identification): a \({\langle \gamma ,\delta \rangle }{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}id}}}}}^{}}} \) scheme denotes a \({\varLambda _{{{\alpha }{{\mathsf{\text {-}id}}}}}} \) scheme \(\mathcal P\) such that the communication cost of \(\mathcal P (f)\) is \(O(\gamma (n,k) \cdot {\mathsf{size}} (f) + \mathrm {poly} (n,k))\) without abort events and \(O(\delta (n,k) \cdot {\mathsf{size}} (f) + \mathrm {poly} (n,k))\) with abort.

Finally, we write instead of \({(p,q,r;{\mathsf{D}})}{\text {-}}{{\varLambda _{{{\mathsf{secure}}}}^{{\mathcal F}}}} \) and so on, if we intend to use \(\widetilde{O}(\cdot )\) instead of \(O(\cdot )\) in the above costs.Footnote 7 The notation is summarized in Table 3.

Table 3. Additional notation for protocol schemes (for n parties, and security parameter k).
Full size table

2.3 Error-Correcting Secret-Sharing

Some of our transformations rely on a simple variant of secret-sharing that has been referred to as robust secret-sharing or as honest-dealer VSS [6, 11, 27]. To clarify the nature of this primitive, we shall call it Error-Correcting Secret-Sharing (ECSS), and define it formally below.

Definition 2

(Error-Correcting Secret Sharing). A pair of algorithms \(({\mathsf{share}},\) \({\mathsf{reconstruct}})\) is said to be an (nt)-Error-Correcting Secret Sharing (ECSS) scheme over a message space \(\mathcal {M}\) if the following hold:

  1. 1.

    Secrecy: For all \(s\in \mathcal {M} \) and \(N_c\subseteq [n], |N_c|<t\), the distribution of \(\{\sigma _i\}_{i\in N_c}\) is independent of s, where \((\sigma _1,...,\sigma _n)\leftarrow {\mathsf{share}} (s)\).

  2. 2.

    Reconstruction from upto t Erroneous Shares: For all \(s\in \mathcal {M} \), and all \((\sigma _1,...,\sigma _n)\) and \((\sigma '_1,...,\sigma '_n)\) such that \({\mathrm {Pr}}[(\sigma _1,...,\sigma _n)\leftarrow {\mathsf{share}} (s)]>0\) and \(|\{ i \mid \sigma '_i=\sigma _i \} | \ge n-t\), it holds that \({\mathsf{reconstruct}} (\sigma _1',...,\sigma _n')=s\).

3 Defining Black-Box Transformations

In this section, we present our framework of black-box transformations, which operates on protocol schemes (Definition 1). More specifically, a black-box transformation defines a \(\varLambda \)-scheme in terms of \(\varLambda '\)-schemes, for one or more other security notions \(\varLambda '\). We present our definition in two parts – first the syntax of a transformation, followed by its security requirements.

Definition 3

(Black-Box Transformation (BBT): Syntax). A \(\text {BBT}\)  for a functionality family \({\mathcal F}\) is defined as a circuit C with

  • a single input wire taking a functionality \(f\in {\mathcal F} \),

  • a single output wire outputting a protocol \(\pi \in \varPi \),

  • one or more black-box nodes labeled with oracle TMs \(T_1,\cdots ,T_s\),

  • one or more protocol nodes labeled with relations \(\varLambda _1,\cdots ,\varLambda _t\) where \(\varLambda _i \subseteq {\mathcal F} _i\times \varPi \) for some functionality family \({\mathcal F} _i\).

For a black-box node labeled with \(T_i\) we require that the number of oracles accessed by \(T_i\) is equal to the number of input wires to that node. For a protocol node, we require that there is only one input wire.

Given such a circuit C and protocol schemes \(\mathcal P _1,\cdots ,\mathcal P _t\) such that each \(\mathcal P _i\) is a \(\varLambda _i\)-scheme, we define \(C^{\mathcal P _1,\ldots ,\mathcal P _t}(f)\in \varPi \) as follows. We shall set the value on each wire in C to be a protocol in \(\varPi \) (possibly a functionality), starting with the input wire and ending with the output wire, which is taken as the value \(C^{\mathcal P _1,\ldots ,\mathcal P _t}(f)\). First, set the value on the input wire to be f. Then, for any black-box node with all its input wires’ values already set to values \(\pi _1,\cdots ,\pi _d\), set its output wire’s value to \(T_i^{\pi _1,\cdots ,\pi _d}\), where \(T_i\) is the label on the node. For any protocol node with its input wire’s value set to \(\pi \), set its output wire’s value to \(\mathcal P _i(\pi )\), where i is the index of the protocol node in C (if \(\mathcal P _i(\pi )\) is undefined, then \(C^{\mathcal P _1,\ldots ,\mathcal P _t}(f)\) is undefined).

Definition 4

(Black-Box Transformation (BBT)). We say that a \(\text {BBT}\) C, for a functionality family \({\mathcal F}\), is a \(\text {BBT}\)  from \(\{\varLambda _1,\cdots ,\varLambda _t\}\) to \(\varLambda \), if C has t protocol nodes labeled with \((\varLambda _1,\cdots ,\varLambda _t)\) and, for all \(f\in {\mathcal F} \) and all \((\mathcal P _1,\cdots ,\mathcal P _t)\) such that each \(\mathcal P _i\) is a \(\varLambda _i\)-scheme, we have \((f,C^{\mathcal P _1,\ldots ,\mathcal P _t}(f))\in \varLambda \).

4 Examples of Black-Box Transformations

In the full version, we illustrate how several important constructions from the literature are in fact \(\text {BBT}\) s from simpler security notions or simpler function families, to more demanding ones. This list includes Bracha’s compiler [5] (from high-threshold (and low-efficiency) security and low-threshold (and high-efficiency) security to a high-threshold (and high-efficiency) security), the IKOS compiler [20] (from semi-honest secure MPC and and honest-majority secure MPC to active security for Zero-Knowledge proofs) and the IPS compiler [22] (as above, but for arbitrary MPC). The GMW compiler [16] could also be viewed as a \(\text {BBT}\) (from semi-honest security and active security specialized to zero-knowledge functionality, to active security).

It is helpful to visualize these transformations using “circuit diagrams.” An example of the IPS transformation was given in Fig. 1. Similar diagrams for the other examples mentioned above are given in the full version.

Below we discuss two new simple \(\text {BBT}\) s, which yield much simpler alternatives to more complex constructions in the literature.

Improving Over [18]. Very recently, Hazay and Venkitasubramaniam [18], presented an IKOS-like transformation that starts from any (semi-honest) two-party protocol in the OT-hybrid model and gives a zero-knowledge proof system in the commitment-hybrid model. We present a different transformation that has several advantages over [18]: our transformation may start with a two-party protocol in the OLE-hybrid model,Footnote 8 whereas the one from [18] seems inherently restricted to the OT-hybrid model. Perhaps more importantly, to achieve a constant level of soundness our transformation uses only a constant number of commitments (to long strings), compared to the protocol in [18] that uses as many commitments as the number of OT calls. For the simplest case of the GMW protocol applied to a boolean circuit of size s, our protocol requires only 6 commitments whose total length is O(|C|) whereas the protocol from [18] requires O(|C|) separate bit-commitments. These features of our transformation make it appealing for the design of practical ZK protocols based on OT-hybrid and OLE-hybrid protocols such as GMW.

Our transformation, as well as the IKOS transformation on which it is based, are presented in the full version. At a high-level, we give a simple \(\text {BBT}\) from a 2-party semi-honest MPC protocol scheme in the OLE-hybrid model to a 3-party 1-private MPC protocol scheme in the plain model; this transformation is then readily composed with the IKOS transformation (which can be applied to a 1-private protocol) to obtain our full transformation.

4.1 A Pedagogical Application

One of the results from Goldreich’s textbook [15] can be simplified using a \(\text {BBT}\). In [15], two separate protocols for \({\varLambda _{{{\mathsf{abort\text {-}ppt\text {-}sa\text {-}id}}} }}\) (i.e., security-with-identifiable-abort) and \({\varLambda _{\nicefrac 12-{{\mathsf{full\text {-}ppt\text {-}sa}}} }}\) (i.e., security with guaranteed output delivery, with an honest majority) are presented, with the latter relying on VSS. Below, we give a \(\text {BBT}\) from \({\varLambda _{{{\mathsf{abort\text {-}ppt\text {-}sa\text {-}id}}} }} \) to \({\varLambda _{\nicefrac 12-{{\mathsf{full\text {-}ppt\text {-}sa}}} }} \), that uses ECSS (see Sect. 2.3) instead of VSS.

To evaluate an n-party function f, each party shares its input using an \(\lceil n/2\rceil \)-out-of-n error-correcting secret-sharing (ECSS) scheme (see Sect. 2.3), and sends the resulting shares to the n parties. We remark that an ECSS is much simpler than, say, a VSS protocol, and can be constructed readily by adding message authentication code (MAC) tags to the shares of any threshold secret sharing scheme (such as Shamir’s scheme). Then, the parties use a protocol \(\pi \) from the protocol scheme with security-with-identifiable-abort to evaluate a function \(f'\), which takes shares as its inputs, reconstructs them to get inputs for f, evaluates f and reshares the outputs among all parties, again using ECSS. If the shares given as inputs have fewer than n / 2 errors, \(f'\) can error-correct and recover the original input being shared; otherwise it defines the reconstructed value to be a default value (this corresponds to the shares not being generated correctly in the first place). If the protocol \(\pi \) for \(f'\) does not abort, then all the parties are expected to redistribute the shares they received from \(\pi \), so that each party gets all the shares of its output; due to the error-correcting property, and since the adversary can corrupt less than n / 2 of the shares received by each honest party, every honest party will be able to correctly recover its output. On the other hand, if the protocol \(\pi \) aborts, due to the identifiable-abort security guarantee, all honest parties will agree on the identity of one corrupt party. Note that at this point, even though the adversary may learn its outputs from \(\pi \) (i.e., outputs of \(f'\)), these carry no information and can be efficiently simulated (by a simulator running the protocol with arbitrary inputs for the honest parties). Hence, the parties can simply eliminate the identified party (and still retain honest majority), and restart the entire protocol on a smaller functionality in which the eliminated party’s input is replaced by a default value. This process must eventually terminate, after at most \(\lceil n/2 \rceil \) attempts, guaranteeing output for all honest parties.

An ad-hoc use of the above “player elimination” technique was made in several previous MPC protocols (see, e.g., [19] and references therein). In contrast, our use of this technique yields a completely general transformation from a weaker flavor of MPC to a stronger one.

5 Impossibility of Black-Box Transformations

In this section, we present some impossibility results for \(\text {BBT}\). Before proceeding, we emphasize that in the definition of \(\text {BBT}\), we do not require the security proofs to be black-box in any form. In particular, the simulators used to define security can arbitrarily depend on the functionality in a non-black-box manner. As such, the impossibility results on \(\text {BBT}\) are of a rather strong nature.

Our first impossibility results relates to an interesting special case of a \(\text {BBT}\), namely, \(\text {BBT}\) from \(\emptyset \) to \(\varLambda \). This corresponds to the notion of a functionally-black-box protocol introduced by Rosulek [28], wherein there is an oracle TM such that for all \(f\in {\mathcal F} \), \(T^f\) is a secure protocol (according to \(\varLambda \)) for f. Rosulek demontrated a two-party functionality family for which there is no functionally black-box protocol, assuming the existence of one-way functions. We present an unconditional version of this result.

Theorem 1

There exists a two-party functionality family \({\mathcal F} \) such that there is no \(\text {BBT}\) from \(\emptyset \) to \({\varLambda _{{{\mathsf{sh}}} }^{{\mathcal F}}}\). In particular, there is no \(\text {BBT}\) from \(\emptyset \) to \({\varLambda _{{{\mathsf{sh}}} }^{{\mathcal F}^*}}\).

The detailed proof is given in the full version. Here we sketch the main ideas of the proof.

Proof Sketch

The family \({\mathcal F}\) we shall use to prove the theorem consists of boolean functions of the form \(f_\alpha \), \(\alpha \in \{0,1\}^k\), where \(f_\alpha (x,y)=1\) if and only if \(x\oplus y = \alpha \). To show that there can be no secure protocol for \(f_\alpha \), in which the two parties access the function only in a blackbox manner, we consider the following experiment. Pick \(x,y,\alpha \) uniformly and independently at random, and run the protocol for \(f_\alpha \) with inputs xy. Then we argue that the probability for both of the following events should be negligible:

  1. (A)

    Either party queries their oracle with (pq) such that \(p\oplus q = \alpha \).

  2. (B)

    Either party queries their oracle with (pq) such that \(p\oplus q = x\oplus y\).

The probability of event A is negligible since \(\alpha \) is chosen uniformly at random, and the parties make only a polynomial number of queries. The reason for the probability of event B being negligible is the security of the protocol: in an ideal world, since \(x\oplus y \not =\alpha \), a corrupt party (simulator), even given \(\alpha \), can learn only a negligible amount of information about the other party’s input. Now, we consider a “coupled” experiment in which instead of \(\alpha \), we pick \(\alpha ^*=x\oplus y\), and run the same protocol but now for \(f_{\alpha ^*}\). It can be argued that for the random tapes in the protocol for which events (A) and (B) does not occur in the first case, they will not occur in the second run too. Thus with high probability, both the executions produce the same output, violating the correctness of the protocol.    \(\Box \)

Also, we consider the question of showing impossibility of \(\text {BBT}\) from semi-honest security to active security. We present such a result conditioned on the existence of one-way functions.

Theorem 2

Assuming the existence of one-way functions, there exists a two-party functionality family \({\mathcal G} \) such that there is no \(\text {BBT}\) from \(\{{\varLambda _{{{\mathsf{sh}}} }^{{\mathcal G}}} \}\) to \({\varLambda _{{\mathsf{abort}}}^{{\mathcal G}}}\).

We present the intuition behind the proof below, and defer the detailed proof to the full version.

Proof Sketch

We will let \({\mathcal G}\) to be the family of zero-knowledge proofs for a class of relations. Then, there is a semi-honest secure protcol for \({\mathcal G}\) which only access the given functionality \(f\in {\mathcal G} \) in a blackbox manner. Hence, a blackbox transform from semi-honest secure protocol schemes to schemes with active security translates to a functionally blackbox protocol scheme for \({\mathcal G}\) with active security. To show that this does not exist, we assume the existence of a pseudorandom function F and define \({\mathcal G}\) as follows. The relations associated with \({\mathcal G}\) are \(R_s=\{(x,w) \mid F_s(w)=x \}\), where \(F_s\) denotes F with seed s.

To show that there can be no ZK protocol for this relation in which the parties only have blackbox access to an oracle for the relation \(R_s\) (but the simulator may depend on s), we consider a cheating prover as follows. When given (xw) and access to \(R_s\), it uses a wrapper around \(R_s\) to turn it into relation which accepts (xw) (and does not accept \((x',w)\) for \(x'\not =x\)), but otherwise behaves like \(R_s\). Then the cheating prover runs the honest prover with access to the modified oracle. Using the ZK property we can argue that an honest verifier, when given a random x, cannot detect the difference between interacting with the real prover and the cheating prover. Thus, if the protocol is complete, the cheating prover will be able to break soundness.    \(\Box \)

6 A BBT from Partially-Identifiable-Abort to Full Security

We present a simple black-box transformation from partially-identifiable abort security (formalized using \({\varLambda _{{{\alpha }{{\mathsf{\text {-}id}}}} }} \) below) to full security. This will be an important ingredient in our applications in Sect. 9. First, we present a simple but general version of this transformation (which suffices for feasibility results); in Theorem 4, we shall present a more efficient variant.

Theorem 3

For any \(0\le \alpha \le \nicefrac 12 \), there exists a \(\text {BBT}\) from \({\varLambda _{{{\alpha }{{\mathsf{-id/{\mathsf{BC}}}}}}}} \) to \({\varLambda _{{{{\alpha }{{\mathsf{\text {-}full/{\mathsf{BC}}}}}}}}} \). Specifically, there is a \(\text {BBT}\) from \({p}{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{-id/{\mathsf{BC}}}}}}}^{}}} \) to \({(np;{\mathsf{D}})}{\text {-}}{{\varLambda _{{{{\alpha }{{\mathsf{\text {-}full/{\mathsf{BC}}}}}}}}^{}}} \), where \({\mathsf{D}} (f)\) is the input plus output size of f.

Our tools behind this construction are relatively simple. In particular, we do not use verifiable secret-sharing (VSS), but instead use the much simpler primitive Error-Correcting Secret-Sharing (ECSS) (see Sect. 2.3), which can be realized easily using ordinary Secret-Sharing and one-time message authentication codes (MAC).

Here we give a high level overview of the construction, with a complete description defered to the full version. The idea behind this BBT is that if we have a protocol which either completes the computation or identifies a set of parties such that at least \(\alpha \) fraction of which are corrupt, then, in the event of an abort, we can remove the identified set of parties from active computation and restart the computation. Note that this preserves the corruption threshold of \(\alpha \) (i.e., strictly less than \(\alpha \) fraction remains corrupt) among the set of “active” parties.

For this idea to work, we need to keep the outputs secret-shared (so that by aborting, the adversary does not learn any useful information, even though it receives its outputs from the computation), and after the computation finishes, guarantee reconstruction. Further, we need to use secret-sharing to let all the parties deliver their inputs to the set of active parties. All this will be achieved using ECSS in a straightforward manner, for \(\alpha \le \nicefrac 12 \).

A More Efficient Variant. In the above BBT, we restarted the entire computation in the event of an abort. To avoid this, we rely on having access to a “layered representation” of the function. Formally, consider a parametrized functionality \(\hat{f}\), parametrized by an index \(i\in \{1,\cdots ,d\}\), such that \(f=\hat{f}[d]\circ ...\circ \hat{f}[1]\), such that \({\mathsf{size}} ({\hat{f}[i]})=O({\mathsf{size}} (f)/d)\), for all i. We define \({\mathsf{width}} _{d}({f}) \) to be the smallest number w such that there exists a decomposition of f into d layers, each of size \(O({\mathsf{size}} (f)/d)\), such that the number of output wires from any layer is at most w. We shall typically take d to be a polynomial d(nk). Note that \({\mathsf{width}} (f)\) defined in Sect. 2.2 is an upper-bound on \({\mathsf{width}} _{d}({f}) \) for all d.

Since decomposing f into \(\hat{f}\) is not a black-box operation, we require a “protocol scheme” that carries out this decomposition. For this we define a \({\varLambda _{{\mathsf{layer}} [d]}}\) scheme to be one which maps f to a parametrized function \(\hat{f}\) such that

$$\begin{aligned} f=\hat{f}[d]\circ \cdots \circ \hat{f}[1], \end{aligned}$$

and \(\forall i\in [d]\), \({\mathsf{size}} (\hat{f}[i]) = O({\mathsf{size}} (f)/d)\) and the number of bits output by \(\hat{f}[i] \le {\mathsf{width}} _{d}({f}) \).

Then, as shown in the full version, we obtain the following efficiency improvement over Theorem 3.

Theorem 4

For any \(0<\alpha \le \nicefrac 12 \), there exists a \(\text {BBT}\) from \(\{{\varLambda _{{\mathsf{layer}} [d]}},{\langle \gamma , \delta \rangle }{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}id}}}}}^{}}} \}\) to \({(\gamma ;{\mathsf{D}})}{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}full}}}}}^{}}} \), where \(d(n,k)= n\cdot \frac{\delta (n,k)}{\gamma (n,k)}\) and \({\mathsf{D}} (f)={\mathsf{width}} _{d}({f}) \).

7 A BBT from \(\{{\varLambda _{{{{\alpha }{{\mathsf{\text {-}sh}}}}}}},{\varLambda _{{{{\beta }{{\mathsf{\text {-}full}}}}}}} \}\) to \({\varLambda _{{{\alpha }{{\mathsf{\text {-}id}}}}}}\)

Our goal in this section is to obtain a BBT that increases the corruption threshold of a fully secure protocol, by combining it with a semi-honest protocol which has the higher threshold. Given Theorem 3, it suffices to obtain a protocol with partially-identifiable-abort against the higher corruption threshold. Formally, we shall prove the following theorem, which is interesting when \(\beta <\alpha \).

Theorem 5

For any \(0<\alpha ,\beta \le \nicefrac 12 \), there exists a \(\text {BBT}\) from \(\{{\varLambda _{{{{\alpha }{{\mathsf{\text {-}sh}}}}}}},{\varLambda _{{{{\beta }{{\mathsf{\text {-}full}}}}}}} \}\) to \({\varLambda _{{{\alpha }{{\mathsf{-id/{\mathsf{BC}}}}}} }} \).

This \(\text {BBT}\) (detailed in the full version) resembles the IPS compiler, but achieves \(\nicefrac 12\)-identification in case of abort, and also avoids the use of OT in watchlists. For this, it replaces \(T^{\mathrm {IPS}}_{2}\) in IPS (see Fig. 1) with a black-box transformation \(T_2\). Figure 2 compares \(T^{\mathrm {IPS}}_{2}\) and \(T_2\). \(T^{\mathrm {IPS}}_{2}\) consists of a “core” compiler \({\mathrm {IPS}}_{\mathrm {core}}\), which produces a protocol in a “watchlist-channel hybrid” model (also using OT if it is needed by the inner protocol). Separately, a watchlist-channel functionality \({\mathcal W} \) was realized using a protocol \(w_{\mathrm {IPS}} \) in the OT-hybrid model. Finally, the former was composed with the latter to obtain a protocol in the OT-hybrid model.

In \(T_2\), firstly the OT used in the watchlist protocol is replaced with a functionality \(\widetilde{{\mathsf{OT}}} \), which is then implemented by a protocol \(\pi _{\widetilde{{\mathsf{OT}}}}\) in the honest-majority setting; further this watchlist protocol is modified in a simple manner to achieve \(\nicefrac 12\)-identification. The functionality of the resulting protocol is captured by \({\mathcal W} ^*\). Next, the protocol generated by \({\mathrm {IPS}}_{\mathrm {core}}\) is modified to facilitate \(\nicefrac 12\)-identification (even if given the watchlist functionality \({\mathcal W} ^*\) instead of \({\mathcal W} \)), following the outline sketched in Sect. 1.2 (see paragraph Obtaining Partially-Identifiable-Abort Security). The final protocol is obtained by composing this protocol with the watchlist protocol for \({\mathcal W} ^*\).

Fig. 2.
figure 2

\(T^{\mathrm {IPS}}_{2}\) and \(T_2\). The shaded region shows the new components in \(T_2\). Note that \(T_2\) retains \({\mathrm {IPS}}_{\mathrm {core}}\) and \({\mathrm {IPS}}_{\mathrm {WL}}\) from \(T^{\mathrm {IPS}}_{2}\) as it is.

Full size image

7.1 Using a Sparse Watchlist

The \(\text {BBT}\) in Theorem 5 is in fact a \(\text {BBT}\) from \(\{{(p_{\mathrm {in}},q_{\mathrm {in}},r_{\mathrm {in}})}{\text {-}}{{\varLambda _{{{{\alpha }{{\mathsf{\text {-}sh}}}}}}^{}}},\) \({(p_{\mathrm {out}},q_{\mathrm {out}})}{\text {-}}{{\varLambda _{{{\beta }{{\mathsf{\text {-}full}}}}}^{}}} \}\) to \({p}{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{-id/{\mathsf{BC}}}}}} }^{}}}\), where \(p=n^2\cdot (p_{\mathrm {in}} +r_{\mathrm {in}})\cdot (q_{\mathrm {out}} +n\cdot p_{\mathrm {out}})\). But by exploiting the honest majority guarantee which was absent in the setting of [22], we can state the following version.

Theorem 6

For any \(0<\alpha ,\beta \le \nicefrac 12 \), and polynomials \(p_{\mathrm {in}},q_{\mathrm {in}},r_{\mathrm {in}},p_{\mathrm {out}},q_{\mathrm {out}} \), there exists a \(\text {BBT}\) from \(\{{(p_{\mathrm {in}},q_{\mathrm {in}},r_{\mathrm {in}})}{\text {-}}{{\varLambda _{{{{\alpha }{{\mathsf{\text {-}sh}}}}}}^{}}}, {(p_{\mathrm {out}},q_{\mathrm {out}})}{\text {-}}{{\varLambda _{{{\beta }{{\mathsf{\text {-}full}}}}}^{}}} \}\) to \({p}{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}id}}}}/{\mathsf{BC}}}^{}}}\), where \(p=n\cdot (p_{\mathrm {in}} +r_{\mathrm {in}})\cdot (q_{\mathrm {out}} +n\cdot p_{\mathrm {out}})\).

The above result saves a factor of n compared to the previous transformation. The efficiency improvement comes from a sparser watchlist mechanism (using an expander graph to define which parties may watch the execution of which servers) in the \(\text {BBT}\) from \(({\varLambda _{{{{\beta }{{\mathsf{\text {-}full}}}}}}},{\varLambda _{{{{\alpha }{{\mathsf{\text {-}sh}}}}}}})\) to \({\varLambda _{{{\alpha }{{\mathsf{-id/{\mathsf{BC}}}}}} }}\). We present the details in the full version.

8 Efficiency Leveraging

Bracha’s transformation is a classical example of efficiency leveraging. It was originally proposed in the context of byzantine agreement [5], and later applied to MPC protocols (see, e.g., [13]). Below, we record a version of this result that is sufficient for our applications.

Proposition 1

(Bracha’s Transformation [5]). Let \(0 < \epsilon , \beta \le \alpha \le \nicefrac 12 \), and let \(p'(n,k)=c_n\) be independent of k. Then, for each \({{\mathsf{secure}}} \in \{{{\mathsf{sh}}} ,{\mathsf{abort}},{{\mathsf{full}}} \}\) and any function \({\mathsf{D}}\), there exists a \(\text {BBT}\) from \(\{{(p,q;{\mathsf{D}})}{\text {-}}{{\varLambda _{{{\beta }{{\mathsf{-secure}}}}}^{{\mathcal F}}}} \), \({p'}{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{-secure}}}}}^{}}} \}\) to \({(p'';{\mathsf{D}})}{\text {-}}{{\varLambda _{{{(\alpha -\epsilon )}{{\mathsf{-secure}}}}}^{{\mathcal F}}}}\), where \(p''(n,k)=p(n,k) + q(n,k)\).

In this section, we present a new instance of efficiency leveraging for full-security: a simple \(\text {BBT}\) from \(\{{\varLambda _{{{\alpha }{{\mathsf{\text {-}abort}}}}}},{\varLambda _{{{\alpha }{{\mathsf{\text {-}full}}}}}} \}\) to \({\varLambda _{{{\alpha }{{\mathsf{\text {-}full}}}}}} \), in which the resulting protocol’s efficiency is comparable to that of the protocol in \({\varLambda _{{{\alpha }{{\mathsf{\text {-}abort}}}}}} \).

First we present a efficiency leveraging transformation for \({\varLambda _{{{\alpha }{{\mathsf{\text {-}id}}}}}} \) which can then be combined with Theorem 4 to obtain efficiency leveraging for \({\varLambda _{{{\alpha }{{\mathsf{\text {-}full}}}}}} \). In our efficiency leveraging transformation for \({\varLambda _{{{\alpha }{{\mathsf{\text {-}id}}}}}}\) the efficiency of the resulting protocol, when there is no abort event, is comparable to that of a cheaper \({\varLambda _{{{\alpha }{{\mathsf{\text {-}abort}}}}}}\) protocol. Formally, we have the following theorem.

Theorem 7

For any \(0\le \alpha \le \nicefrac 12 \), and functions \(p,q,p'\in \mathrm {poly} (n,k)\), there exists a \(\text {BBT}\) from \(\{{(p,q)}{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}abort}}}}}^{}}}, {p'}{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}id}}}}}^{}}} \}\) to \({\langle \gamma ,\delta \rangle }{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}id}}}}}^{}}}\), where \(\gamma =p\) and \(\delta =p'\cdot (p+q)\).

Fig. 3.
figure 3

Black-Box Transformation from \(\{{(p,q)}{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}abort}}}}}^{}}}, {p'}{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}id}}}}}^{}}} \}\) to \({\langle \gamma ,\delta \rangle }{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}id}}}}}^{}}}\), where \(\gamma =p\) and \(\delta =p'\cdot (p+q)\).

Full size image

The protocol scheme claimed in Theorem 7 is shown in Fig. 3. The first node is a protocol node of \({p}{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}abort}}}}}^{}}}\), which converts a functionality f into a protocol \(\pi _{{\mathsf{abort}}}\).

The second node is a black-box node \(T_1\), which converts the protocol \(\pi _{{\mathsf{abort}}}\) to an (n-party) functionality \(f^*\), in which the trusted party takes the view of each party in an execution of \(\pi _{{\mathsf{abort}}}\) as the input, carries out the execution of \(\pi _{{\mathsf{abort}}}\), and identifies a set of two parties which have inconsistent views, if it exists.Footnote 9 When there is none, it outputs \(\emptyset \). The third node \({\varLambda _{{{\alpha }{{\mathsf{\text {-}id}}}}}} \) compiles \(f^*\) into a protocol \(\pi _{{{\mathsf{id}}} }\).

Finally, a black-box node \(T_2\) combines \(\pi _{{\mathsf{abort}}}\) and \(\pi _{{{\mathsf{id}}} }\) together and transforms them into a protocol \(\pi \), which works as follows: initially the parties execute \(\pi _{{\mathsf{abort}}}\) on the given input, and on finishing this execution successfully, each party broadcasts “done.” If all parties broadcast “done,” then each party outputs the output from the execution of \(\pi _{\mathsf{abort}} \) and terminates. If not, they execute \(\pi _{{\mathsf{id}}} \) with their views in the execution of \(\pi _{\mathsf{abort}} \) as input. If this latter execution itself aborts, \(\pi _{{{\mathsf{id}}} }\) identifies a set of parties S at least an \(\alpha \) fraction of which is corrupt (where \(\alpha \le \nicefrac 12 \)). otherwise (i.e., if \(\pi _{{\mathsf{id}}} \) finishes without an abort event), then all parties agree on the output of \(f^*\), namely a set S of two parties at least one of which is corrupt, or the emptyset \(\emptyset \); if the output is \(\emptyset \), the parties set S to be the singleton set consisting of the lexicographically smallest party who did not broadcast “done” after the execution of \(\pi _{\mathsf{abort}} \). In all cases, if \(\pi _{\mathsf{abort}} \) resulted in an abort, the honest parties agree on a set of parties S of which at least an \(\alpha \) fraction is corrupt.

We verify that the complexity of \(\pi \) is as claimed in the theorem. When there is no abort event, the communication cost is essentially the same as that of \(\pi _{{\mathsf{abort}}}\), namely p(nk); otherwise, there is an additional the cost from \(\pi _{{{\mathsf{id}}} }\), which is \(\widetilde{O}(p(n,k)+p'(n,k)\cdot {\mathsf{size}} (f^*))\), where \({\mathsf{size}} (f^*)=\widetilde{O}((p(n,k)+q(n,k))\cdot {\mathsf{size}} (f))\). Hence the whole scheme is in \({\langle \gamma ,\delta \rangle }{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}id}}}}}^{}}} \) with \(\gamma =p\) and \(\delta '=p'\cdot (p+q)\).

Combining Theorem 7 with Theorem 4 we get the following result. Here we state it as efficiency leveraging for full-security; however, the result holds as a \(\text {BBT}\) from \(\{{\varLambda _{{\mathsf{layer}} [d]}},{(p,q)}{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}abort}}}}}^{}}}, {p'}{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}id}}}}}^{}}} \}\) as well.

Theorem 8

For all \(0\le \alpha \le \nicefrac 12 \), and for all functions \(p,q,p'\in \mathrm {poly} (n,k)\), there exists a \(\text {BBT}\) from \(\{{\varLambda _{{\mathsf{layer}} [d]}},{(p,q)}{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}abort}}}}}^{}}}, {p'}{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}full}}}}}^{}}} \}\) to \({(p;{\mathsf{D}})}{\text {-}}{{\varLambda _{{{\alpha }{{\mathsf{\text {-}full}}}}}^{}}}\), where \(d=\frac{n\cdot p'\cdot (p+q)}{p}\) and \({\mathsf{D}} (f)={\mathsf{width}} _{d}({f}) \).

9 Applications

In Sect. 4.1, we already saw a pedagogical application of \(\text {BBT}\), in simplifying the exposition of security with guaranteed output delivery (with computationally bounded adversaries). In this section, we give several interesting examples regarding how to use the \(\text {BBT}\) s in the previous sections for deriving both feasibility and efficiency results.

\(\circ \) Rabin and Ben-Or without Honest-Majority VSS. As our first example, we reproduce the classic feasibility result of Rabin and Ben-Or [27] for fully secure MPC for corruption against \(t<n/2\) parties. The core new tool developed in this paper (and used in subsequent results in this regime of corruption) was Verifiable Secret-Sharing (VSS) that is secure against corruption of \(t<n/2\) parties. Interestingly, our construction by-passes the need for an explicit VSS protocol for this corruption regime, instead showing that one can directly use fully secure MPC from prior work [3, 7]. Our construction is based on the following direct corollary of Theorems 3 and 5.

Corollary 1

For any \(0<\alpha ,\beta \le \nicefrac 12 \), there exists a \(\text {BBT}\) from \(\{{\varLambda _{{{{\alpha }{{\mathsf{\text {-}sh}}}}}}},{\varLambda _{{{{\beta }{{\mathsf{\text {-}full}}}}}}} \}\) to \({\varLambda _{{{{\alpha }{{\mathsf{\text {-}full/{\mathsf{BC}}}}}}}}} \).

To obtain the result of [27] we simply apply Corollary 1 to the protocols in [3, 7].

\(\circ \) Constant-Rate MPC with Full-Security for Small Number of Parties. Our first quantitative result is a “constant-rate” honest-majority MPC protocol with guaranteed output delivery, when the number of parties involved is constant. That is, as the size of the function grows, the communication complexity of the protocol grows linearly at a rate that is independent of the security parameter. For MPC of large circuits, against the optimal corruption threshold n / 2, this gives an amortized complexity of O(1) per gate, compared to O(k) per gate in the previously best result from [4].

Corollary 2

There exists a \({p}{\text {-}}{{\varLambda _{{{\nicefrac 12}{{\mathsf{\text {-}full/{\mathsf{BC}}}}}}}^{}}}\)-scheme, where \(p(n,k)=c_n\) is independent of k.

This result is obtained as a corollary of Theorems 3 and 6 Footnote 10 First we obtain a \({p}{\text {-}}{{\varLambda _{{{\nicefrac 12}{{\mathsf{-id/{\mathsf{BC}}}}}}}^{}}}\) scheme by applying the \(\text {BBT}\) from Theorem 6 to the \({\varLambda _{{{\nicefrac 12}{{\mathsf{\text {-}sh}}}}}} \)-scheme from [3] and the constant rate \({\varLambda _{{{{\beta }{{\mathsf{\text {-}full}}}}}}} \)-scheme (for some \(\beta >0\)) that is obtained by instantiating the protocol scheme from [12] using the constant-rate ramp scheme of [8]. (The same “outer protocol” was used in [22] to obtain a constant-rate \({\varLambda _{{\mathsf{abort}}/{\mathsf{OT}}}}\)-scheme.) Then by further applying the \(\text {BBT}\) from Theorem 3, we obtain the \({p}{\text {-}}{{\varLambda _{{{\nicefrac 12}{{\mathsf{\text {-}full/{\mathsf{BC}}}}}}}^{}}}\) protocol as claimed.

\(\circ \) Scalable MPC with Full-Security, Optimal Threshold. Our next result is a “scalable” honest-majority MPC protocol with guaranteed output delivery. We define the function class \({\mathcal F}_{\mathrm {arith}}\) of functions represented as arithmetic circuits over a field \(\mathbb {F}\) such that \(\log |\mathbb {F} | > k\). For \(f\in {\mathcal F}_{\mathrm {arith}} \), \({\mathsf{size}} (f)\) refers to \(\log |\mathbb {F} | \cdot |C_f|\), where \(|C_f|\) is the number of gates in the circuit \(C_f\) representing f. Equivalently, \({\mathsf{size}} (f)\) measures the number of binary wires in the circuit \(C_f\); similarly \({\mathsf{width}} (f)\) measures the width of \(C_f\) in bits.

Corollary 3

There exists a \({(p;{\mathsf{D}})}{\text {-}}{{\varLambda _{{{\frac{1}{2}}{{\mathsf{\text {-}full/{\mathsf{BC}}}}}}}^{{\mathcal F}_{\mathrm {arith}}}}}\)-scheme, where \(p(n,k)=n\) and \({\mathsf{D}} ={\mathsf{width}} (f)\).

That is, for MPC of large arithmetic circuits over a large field, with security against the optimal corruption threshold n / 2, we get an amortized communication cost of O(n) bits per binary wire in the circuit. This result is obtained as a corollary of Theorems 4 and 7, by applying the \(\text {BBT}\)s to the \({\varLambda _{{{\nicefrac 12}{{\mathsf{\text {-}abort}}}}}^{{\mathcal F}_{\mathrm {arith}}}} \)-scheme from [14] and the \({p}{\text {-}}{{\varLambda _{{{\nicefrac 12}{{\mathsf{\text {-}id}}}}}^{}}}\)-scheme from Corollary 2. Note that we have used \({\mathsf{width}} (f)\) as an upper-bound on \({\mathsf{width}} _{d}({f}) \) over all d.

Our result complements a similar result of Ben-Sasson et al. [4] in which the secondary complexity measure is \({\mathsf{depth}}\), instead of \({\mathsf{width}}\). We remark that a natural regime for scalable MPC involves long sequential computations (carried out by a small or moderate number of parties), so that a circuit for the computation would be deep and narrow. In such a regime, the above result, which yields a cost of \(O(n\cdot {\mathsf{size}} (f)+\mathrm {poly} (n,k))\), compares favorably to the protocols of [4] which yield a cost of \(\widetilde{\varOmega }(n\cdot {\mathsf{size}} (f) + n^2\cdot {\mathsf{depth}} (f) + \mathrm {poly} (n,k))\).

\(\circ \) Highly Scalable MPC with Full-Security, Near Optimal Threshold. Our final application considers the problem of relaxing the corruption threshold from the optimal \(\alpha =\nicefrac 12 \) to \(\alpha =\nicefrac 12-\epsilon \), for any constant \(\epsilon \).

Corollary 4

For every \(\epsilon >0\), there exists a \({(p_\epsilon ;{\mathsf{D}})}{\text {-}}{{\varLambda _{{{(\frac{1}{2}-\epsilon )}{{\mathsf{\text {-}full/{\mathsf{BC}}}}}}}^{}}}\)-scheme, where \(p_\epsilon (n,k)=c_\epsilon \) is independent of n and k and \({\mathsf{D}} (f)={\mathsf{depth}} (f)\).

This generalizes a result in [13], which obtained a similar result (without using a broadcast channel) for the threshold \(\frac{1}{3}-\epsilon \). We obtain this result by applying Proposition 1 (Bracha’s efficiency leveraging transformation) to our \({c_n}{\text {-}}{{\varLambda _{{{\frac{1}{2}}{{\mathsf{\text {-}full/{\mathsf{BC}}}}}}}^{}}}\) scheme from Corollary 2 and the \({(c_1,c_2;{\mathsf{depth}})}{\text {-}}{{\varLambda _{{{\beta }{{\mathsf{\text {-}full}}}}}^{}}} \) scheme from [13] (for, say, \(\beta =\nicefrac 16\) and \(c_1,c_2\) being constants), with \(\alpha =\nicefrac 12 \).