On the Communication Efficiency of Statistically Secure Asynchronous MPC with Optimal Resilience

Abstract

Secure multi-party computation (MPC) is a fundamental problem in secure distributed computing. An MPC protocol allows a set of n mutually distrusting parties with private inputs to securely compute any publicly known function of their inputs, by keeping their respective inputs as private as possible. While several works in the past have addressed the problem of designing communication-efficient MPC protocols in the synchronous communication setting, not much attention has been paid to the design of efficient MPC protocols in the asynchronous communication setting. In this work, we focus on the design of efficient asynchronous MPC (AMPC) protocol with statistical security, tolerating a computationally unbounded adversary, capable of corrupting up to t parties out of the n parties. The seminal work of Ben-Or, Kelmer and Rabin (PODC 1994) and later Abraham, Dolev and Stern (PODC 2020) showed that the optimal resilience for statistically secure AMPC is \(t < n/3\). Unfortunately, the communication complexity of the protocol presented by Ben-Or et al. is significantly high, where the communication complexity per multiplication is \(\Omega (n^{13} \kappa ^2 \log n)\) bits (where \(\kappa \) is the statistical-security parameter). To the best of our knowledge, no work has addressed the problem of improving the communication complexity of the protocol of Ben-Or et al. In this work, our main contributions are the following.

• We present a new statistically secure AMPC protocol with the optimal resilience \(t < n/3\), where the communication complexity is \(\mathcal {O}(n^4 \kappa )\) bits per multiplication. Apart from improving upon the communication complexity of the protocol of Ben-Or et al., our protocol is relatively simpler and based on very few sub-protocols, unlike the protocol of Ben-Or et al. which involves several layers of sub-protocols. A central component of our AMPC protocol is a new and simple protocol for verifiable asynchronous complete secret-sharing (ACSS), which is of independent interest.

• As a side result, we give the security proof for our AMPC protocol in the standard universal composability (UC) framework of Canetti (FOCS 2001, JACM 2020), which is now the de facto standard for proving the security of cryptographic protocols. This is unlike the protocol of Ben-Or et al., which was missing the formal security proofs.

A Bracha’s ACast Protocol

We first recall the formal steps of Bracha’s ACast protocol from [20]. The protocol is presented in Fig. 23.

Fig. 23

Bracha’s asynchronous reliable broadcast protocol for session id \(\textsf{sid}\). The above code is executed by every \(P_i \in \mathcal {P}\) including \(P_S\)

Theorem A.1

Protocol \(\Pi _{\textsf{ACast}}\) UC-securely realizes the ideal functionality \(\mathcal {F}_{\textsf{ACast}}\) with perfect security in the presence of any static malicious adversary, corrupting at most \(t < n/3\). The protocol incurs a communication complexity of \(\mathcal {O}(n^2 \cdot |m|)\) bits, where |m| denotes the number of bits in the message m.

Proof

The communication complexity trivially follows from the protocol steps, since each party needs to send m to every other party. For security, let \(\textsf{Adv}\) be an arbitrary real-world adversary, attacking the protocol in Fig. 23 and let \(\mathcal {Z}\) be an arbitrary environment. We show the existence of a simulator \(\mathcal {S}_{\textsf{ACast}}\), such that for any set of corrupted parties \(\mathcal {C}\) with \(|\mathcal {C}| \le t\), the output of all parties and the adversary in an execution of \(\Pi _{\textsf{ACast}}\) with \(\textsf{Adv}\) is identical to the output in an execution with \(\mathcal {S}_{\textsf{ACast}}\) involving \(\mathcal {F}_{\textsf{ACast}}\) in the ideal model. This further implies that \(\mathcal {Z}\) cannot distinguish between the two executions. The simulator constructs virtual real-world honest parties and invokes the real-world adversary \(\textsf{Adv}\). The simulator simulates the environment and the honest parties toward \(\textsf{Adv}\) as follows. In order to simulate \(\mathcal {Z}\), the simulator \(\mathcal {S}_{\textsf{ACast}}\) forwards every message it receives from \(\mathcal {Z}\) to \(\textsf{Adv}\) and vice versa. To simulate the honest parties, we consider the following two cases, depending upon whether the sender \(P_S\) is under the control of \(\textsf{Adv}\) or not.

Case I: \(P_S\) is honest. In this case, the simulator \(\mathcal {S}_{\textsf{ACast}}\) first interacts with the ideal functionality \(\mathcal {F}_{\textsf{ACast}}\) and receives the output m from the functionality. The simulator then plays the role of \(P_S\) with input m, as well as the role of the honest parties and interact with \(\textsf{Adv}\) as per the steps of \(\Pi _{\textsf{ACast}}\).

It is easy to see that view of \(\textsf{Adv}\) is identical, both in the real world and in the ideal world. This is because only \(P_S\) has the input in the protocol and in the ideal world, \(\mathcal {S}_{\textsf{ACast}}\) plays the role of \(P_S\) as per \(\Pi _{\textsf{ACast}}\) after learning the input of \(P_S\) from \(\mathcal {F}_{\textsf{ACast}}\). Now conditioned on the view of \(\textsf{Adv}\), we show that the outputs of the honest parties are identical in the real world and ideal world. So consider an arbitrary \(\textsf{View}\) of \(\textsf{Adv}\). Conditioned on \(\textsf{View}\), all honest parties eventually obtain a request-based delayed output m in the ideal world, where m is the input of \(P_S\) as per \(\textsf{View}\). We show that even in the real world, all honest parties eventually output m. This is because all honest parties complete steps \(2-5\) in the protocol, even if the corrupt parties do not send their messages, as there are at least \(n - t\) honest parties, whose messages are eventually selected for delivery. Moreover, \(\textsf{Adv}\) may send at most t \(\texttt {echo}\) messages for \(m'\), where \(m' \ne m\), on behalf of corrupt parties. Similarly, \(\textsf{Adv}\) may send at most t \(\texttt {ready}\) messages for \(m'\), where \(m' \ne m\), on behalf of corrupt parties. Consequently, no honest party ever generates a \(\texttt {ready}\) message for \(m'\), neither in step 3, nor in step 4. Thus, the output of the honest parties is identically distributed in both the worlds. Consequently, in this case, we conclude that \(\Big \{\text{ REAL}_{\Pi _{\textsf{ACast}}, \textsf{Adv}(z), \mathcal {Z}}(m) \Big \}_{m, z \in \{0, 1 \}^{\star }} \equiv \Big \{\text{ IDEAL}_{\mathcal {F}_{\textsf{ACast}}, \mathcal {S}_{\textsf{ACast}}(z), \mathcal {Z}}(m) \Big \}_{m, z \in \{0, 1 \}^{\star }}\) holds, thus completing the proof for the case when \(P_S\) is honest.

Case II: \(P_S\) is corrupt. In this case, the simulator \(\mathcal {S}_{\textsf{ACast}}\) first plays the role of the honest parties and interacts with \(\textsf{Adv}\), as per the protocol \(\Pi _{\textsf{ACast}}\). If in the simulated execution, \(\mathcal {S}_{\textsf{ACast}}\) finds that some honest party, say \(P_h\), outputs \(m^{\star }\), then \(\mathcal {S}_{\textsf{ACast}}\) interacts with the functionality \(\mathcal {F}_{\textsf{ACast}}\) by sending \(m^{\star }\) as the input to \(\mathcal {F}_{\textsf{ACast}}\), on behalf of \(P_S\). Else \(\mathcal {S}_{\textsf{ACast}}\) does not provide any input to \(\mathcal {F}_{\textsf{ACast}}\) on behalf of \(P_S\).

It is easy to see that the view of \(\textsf{Adv}\) is identically distributed, both in the real world and in the ideal world. This is because only \(P_S\) has the input in the protocol which is under the control of \(\textsf{Adv}\) and \(\mathcal {S}_{\textsf{ACast}}\) plays the role of the honest parties, exactly as per the protocol \(\Pi _{\textsf{ACast}}\). We next show that conditioned on the view of \(\textsf{Adv}\), the output of the honest parties is identically distributed in both the worlds.

Let \(\textsf{View}\) be an arbitrary view of \(\textsf{Adv}\), corresponding to some execution of \(\Pi _{\textsf{ACast}}\). Now, there are two possible cases. If according to \(\textsf{View}\), no honest party obtains an output during the execution of \(\Pi _{\textsf{ACast}}\), then the honest parties do not obtain any output in the ideal world as well. This is because in this case, the simulator \(\mathcal {S}_{\textsf{ACast}}\) does not provide any input on behalf of \(P_S\) to \(\mathcal {F}_{\textsf{ACast}}\). On the other hand, consider the case when according to \(\textsf{View}\), some honest party \(P_h\) outputs \(m^{\star }\). In this case, in the ideal world, all honest parties eventually obtain an output \(m^{\star }\) since \(\mathcal {S}_{\textsf{ACast}}\) provides \(m^{\star }\) as the input to \(\mathcal {F}_{\textsf{ACast}}\) on behalf of \(P_S\). We next show that even in the real world, all honest parties eventually obtain the output \(m^{\star }\), thus showing that the output of the honest parties is identically distributed.

Since \(P_h\) obtains the output \(m^{\star }\), it implies that it receives \(n - t\) \(\texttt {ready}\) messages for \(m^{\star }\) during step 5 of the protocol. Let \(\mathcal {H}_h\) be the set of honest parties whose \(\texttt {ready}\) messages are received by \(P_h\) during step 5. It is easy to see that \(|\mathcal {H}_h| \ge t+1\). The \(\texttt {ready}\) messages of the parties in \(\mathcal {H}_h\) are eventually delivered to every honest party and hence each honest party (including \(P_h\)) eventually executes step 4 and sends a \(\texttt {ready}\) message for \(m^{\star }\). As there are at least \(n - t\) honest parties, it follows that eventually \(n - t\) \(\texttt {ready}\) messages for \(m^{\star }\) are delivered to every honest party (irrespective of whether \(\textsf{Adv}\) sends all the required messages), consequently guaranteeing that all honest parties eventually obtain some output. To complete the proof of the claim, we show that this output is the same as \(m^{\star }\).

On contrary, let \(P_{h'}\) be another honest party, different from \(P_h\), who outputs \(m^{\star \star } \ne m^{\star }\). This implies that \(P_{h'}\) received \(\texttt {ready}\) messages for \(m^{\star \star }\) from at least \(t+1\) honest parties during step 5 of the protocol. Now from the protocol steps, it follow that an honest party generates a \(\texttt {ready}\) message for some potential m, only if it receives \(n - t\) \(\texttt {echo}\) messages for the m during step 3 or \(t+1\) \(\texttt {ready}\) messages for the m (one of which has to come from an honest party) during step 4. So all in all, in order that \(n - t\) \(\texttt {ready}\) messages are eventually generated for some potential m during step 5, it must be the case that some honest party has to receive \(n - t\) \(\texttt {echo}\) messages for m during step 2 and generate a \(\texttt {ready}\) message for m. Since \(P_h\) receives \(n - t\) \(\texttt {ready}\) messages for \(m^{\star }\), some honest party must have received \(n - t\) \(\texttt {echo}\) messages for \(m^{\star }\), at most t of which could come from the corrupt parties. Similarly, since \(P_{h'}\) receives \(n - t\) \(\texttt {ready}\) messages for \(m^{\star \star }\), some honest party must have received \(n - t\) \(\texttt {echo}\) messages for \(m^{\star \star }\). However, since \(n - t > 2t\), it follows that in order that \(n - t\) \(\texttt {echo}\) messages are produced for both \(m^{\star }\) and \(m^{\star \star }\), it must be the case that some honest party must have generated an \(\texttt {echo}\) message, both for \(m^{\star }\) and for \(m^{\star \star }\) during step 2, which is impossible. This is because an honest party executes step 2 at most once and hence generates an \(\texttt {echo}\) message at most once.

Consequently, \(\Big \{\text{ REAL}_{\Pi _{\textsf{ACast}}, \textsf{Adv}(z)}(m)\! \Big \}_{m, z \in \{0, 1 \}^{\star }}{\equiv }\Big \{\text{ IDEAL}_{\mathcal {F}_{\textsf{ACast}}, \mathcal {S}_{\textsf{ACast}}(z)}(m)\! \Big \}_{m, z \in \{0, 1 \}^{\star }}\) holds even in this case, thus completing the proof. \(\square \)