
Round-Optimal Secure Multi-party Computation

Journal of Cryptology

Abstract

Secure multi-party computation (MPC) is a central cryptographic task that allows a set of mutually distrustful parties to jointly compute some function of their private inputs where security should hold in the presence of an active (i.e. malicious) adversary that can corrupt any number of parties. Despite extensive research, the precise round complexity of this “standard-bearer” cryptographic primitive, under polynomial-time hardness assumptions, is unknown. Recently, Garg, Mukherjee, Pandey and Polychroniadou, in Eurocrypt 2016 demonstrated that the round complexity of any MPC protocol relying on black-box proofs of security in the plain model must be at least four. Following this work, independently Ananth, Choudhuri and Jain, CRYPTO 2017 and Brakerski, Halevi, and Polychroniadou, TCC 2017 made progress towards solving this question and constructed four-round protocols based on the DDH and LWE assumptions, respectively, albeit with super-polynomial hardness. More recently, Ciampi, Ostrovsky, Siniscalchi and Visconti in TCC 2017 closed the gap for two-party protocols by constructing a four-round protocol from polynomial-time assumptions, concretely, trapdoor permutations. In another work, Ciampi, Ostrovsky, Siniscalchi and Visconti TCC 2017 showed how to design a four-round multi-party protocol for the specific case of multi-party coin-tossing based on one-way functions. In this work, we resolve this question by designing a four-round actively secure multi-party (two or more parties) protocol for general functionalities under standard polynomial-time hardness assumptions with a black-box proof of security, specifically, under the assumptions LWE, DDH, QR and DCR.


[Figures 1–3 are not included in this excerpt.]


Notes

  1. Where in this model the lower bound is two rounds.

  2. A semi-malicious adversary is allowed to invoke a corrupted party with arbitrary chosen input and random tape, but otherwise follows the protocol specification honestly as a passive adversary.

  3. We do not need to apply a similar trick to the sender role in the OT subprotocols, since the sender bits are always random.

  4. To get it by then, the ZAPs are performed in parallel to the second and third rounds of the three-bit multiplication protocol.

  5. The reduction will still need to use u in the fourth round of the simulation, but by then we have already extracted the information that we need from the adversary.

  6. The name “defensible” simulation is adapted from the “defensible adversaries” of Haitner et al. [37].

  7. This is where we use the assumption about the validity of \(\mathsf {C_{\gamma }^{1}}[{1}]=\mathsf {Enc}(x_3)\), for the same value \(x_3\) that the challenger uses to compute \(w_1:=u^{1}_{\gamma }\cdot x_3+s^{1}_{\gamma }\).

  8. Even if a particular gate computation is correctly evaluated, it does not necessarily mean this is the correct wire value as the input wire values to the gate could themselves be incorrect due to additive errors that occur earlier in the circuit.

  9. The errors are bits and are extracted for each monomial where the corrupted party plays the role of \(P_1\). For simplicity of notation we lump them all in a single vector.

  10. This is essentially the technique of Ciampi et al. [16], adjusting these commitment schemes to handle delayed inputs.

  11. It is important to include a proof that \(\mathsf {nmcom}^b_{i,j}\) is a valid commitment in the ZAP, since the GRRV subprotocol does not ensure this.

  12. In our proof of security we assume that the challenger knows \(\varepsilon \). This allows us to prematurely rewind only a fixed (but sufficiently more than \(1/\varepsilon \)) number of times.

References

  1. P. Ananth, A.R. Choudhuri, A. Goel, A. Jain, Round-optimal secure multiparty computation with honest majority, in CRYPTO (2018), pp. 395–424

  2. P. Ananth, A.R. Choudhuri, A. Jain, A new approach to round-optimal secure multiparty computation, in CRYPTO (2017), pp. 468–499

  3. B. Applebaum, Y. Ishai, E. Kushilevitz, Computationally private randomizing polynomials and their applications. Computational Complexity, 15(2):115–162 (2006)


  4. B. Applebaum, Y. Ishai, E. Kushilevitz, Cryptography in \(\mathrm{NC}^0\). SIAM J. Comput., 36(4):845–888 (2006)


  5. G. Asharov, A. Jain, A. López-Alt, E. Tromer, V. Vaikuntanathan, D. Wichs, Multiparty computation with low communication, computation and interaction via threshold FHE, in EUROCRYPT (2012), pp. 483–501

  6. B. Barak, How to go beyond the black-box simulation barrier, in FOCS (2001), pp. 106–115

  7. S. Badrinarayanan, V. Goyal, A. Jain, D. Khurana, A. Sahai, Round optimal concurrent MPC via strong simulation, in TCC (2017), pp. 743–775

  8. S. Badrinarayanan, V. Goyal, A. Jain, Y.T. Kalai, D. Khurana, A. Sahai, Promise zero knowledge and its applications to round optimal MPC, in CRYPTO (2018), pp. 459–487

  9. M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in STOC (1988), pp. 1–10

  10. Z. Brakerski, S. Halevi, A. Polychroniadou, Four round secure computation without setup, in TCC (2017), pp. 645–677

  11. F. Benhamouda, H. Lin, k-round multiparty computation from k-round oblivious transfer via garbled interactive circuits, in EUROCRYPT (2018), pp. 500–532

  12. D. Beaver, S. Micali, P. Rogaway, The round complexity of secure protocols (extended abstract), in STOC (1990), pp. 503–513

  13. D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols (abstract), in CRYPTO (1987), p. 462

  14. A.R. Choudhuri, M. Ciampi, V. Goyal, A. Jain, R. Ostrovsky, On round optimal secure multiparty computation from minimal assumptions. IACR Cryptol. ePrint Arch., 2019:216 (2019)

  15. R. Cramer, Y. Dodis, S. Fehr, C. Padró, D. Wichs, Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors, in EUROCRYPT (2008), pp. 471–488

  16. M. Ciampi, R. Ostrovsky, L. Siniscalchi, I. Visconti, Concurrent non-malleable commitments (and more) in 3 rounds, in CRYPTO (2016), pp. 270–299

  17. M. Ciampi, R. Ostrovsky, L. Siniscalchi, I. Visconti, Delayed-input non-malleable zero knowledge and multi-party coin tossing in four rounds, in TCC (2017)

  18. M. Ciampi, R. Ostrovsky, L. Siniscalchi, I. Visconti, Round-optimal secure two-party computation from trapdoor permutations, in TCC (2017), pp. 678–710

  19. I. Damgård, Y. Ishai, Constant-round multiparty computation using a black-box pseudorandom generator, in CRYPTO (2005), pp. 378–394

  20. I. Damgård, Y. Ishai, Scalable secure multiparty computation, in CRYPTO (2006), pp. 501–520

  21. I. Damgård, M. Jurik, A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system, in Public Key Cryptography (2001), pp. 119–136

  22. C. Dwork, M. Naor, Zaps and their applications. SIAM J. Comput., 36(6):1513–1543 (2007)


  23. T. El Gamal, A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4):469–472 (1985)


  24. S. Garg, C. Gentry, S. Halevi, M. Raykova, Two-round secure MPC from indistinguishability obfuscation, in TCC (2014), pp. 74–94

  25. D. Genkin, Y. Ishai, M. Prabhakaran, A. Sahai, E. Tromer, Circuits resilient to additive attacks with applications to secure computation, in STOC (2014), pp. 495–504

  26. D. Genkin, Y. Ishai, A. Polychroniadou, Efficient multi-party computation: From passive to active security via secure SIMD circuits, in CRYPTO (2015), pp. 721–741

  27. D. Genkin, Y. Ishai, M. Weiss, Binary AMD circuits from secure multiparty computation, in TCC (2016), pp. 336–366

  28. S. Garg, S. Kiyoshima, O. Pandey, On the exact round complexity of self-composable two-party computation, in EUROCRYPT (2017), pp. 194–224

  29. S. Goldwasser, S. Micali, Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270–299 (1984)


  30. S. Garg, P. Mukherjee, O. Pandey, A. Polychroniadou, The exact round complexity of secure computation, in EUROCRYPT (2016), pp. 448–476

  31. O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or A completeness theorem for protocols with honest majority, in STOC (1987), pp. 218–229

  32. O. Goldreich, Foundations of Cryptography: Basic Tools. Cambridge University Press (2001)

  33. O. Goldreich, Foundations of Cryptography: Basic Applications. Cambridge University Press (2004)

  34. V. Goyal, Constant round non-malleable protocols using one way functions, in STOC (2011), pp. 695–704

  35. V. Goyal, S. Richelson, A. Rosen, M. Vald, An algebraic approach to non-malleability, in FOCS (2014), pp. 41–50

  36. S. Garg, A. Srinivasan, Two-round multiparty secure computation from minimal assumptions, in EUROCRYPT (2018), pp. 468–499

  37. I. Haitner, Y. Ishai, E. Kushilevitz, Y. Lindell, E. Petrank, Black-box constructions of protocols for secure computation. SIAM J. Comput., 40(2):225–266 (2011)


  38. C. Hazay, A. Polychroniadou, M. Venkitasubramaniam, Composable security in the tamper-proof hardware model under minimal complexity, in TCC (2016), pp. 367–399

  39. C. Hazay, P. Scholl, E. Soria-Vazquez, Low cost constant round MPC combining BMR and oblivious transfer, in ASIACRYPT (2017), pp. 598–628

  40. R. Impagliazzo, L.A. Levin, M. Luby, Pseudo-random generation from one-way functions (extended abstracts), in STOC (1989), pp. 12–24

  41. D. Khurana, Round optimal concurrent non-malleability from polynomial hardness, in TCC (2017), pp. 139–171

  42. J. Katz, R. Ostrovsky, A.D. Smith, Round efficiency of multi-party computation with a dishonest majority, in EUROCRYPT (2003), pp. 578–595

  43. H. Lin, R. Pass, Constant-round non-malleable commitments from any one-way function, in STOC (2011), pp. 705–714

  44. Y. Lindell, B. Pinkas, N.P. Smart, A. Yanai, Efficient constant round multi-party computation combining BMR and SPDZ, in CRYPTO (2015), pp. 319–338

  45. P. Mukherjee, D. Wichs, Two round multiparty computation via multi-key FHE, in EUROCRYPT (2016), pp. 735–763

  46. M. Naor, Bit commitment using pseudorandomness. J. Cryptology, 4(2):151–158 (1991)


  47. R. Ostrovsky, A. Paskin-Cherniavsky, B. Paskin-Cherniavsky, Maliciously circuit-private FHE, in CRYPTO (2014), pp. 536–553

  48. P. Paillier, Public-key cryptosystems based on composite degree residuosity classes, in EUROCRYPT (1999), pp. 223–238

  49. R. Pass, Bounded-concurrent secure multi-party computation with a dishonest majority, in STOC (2004), pp. 232–241

  50. O. Regev, On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 56(6):34:1–34:40 (2009)

  51. A.C.C. Yao, How to generate and exchange secrets (extended abstract), in FOCS (1986), pp. 162–167


Author information


Correspondence to Carmit Hazay.

Additional information

Communicated by Nigel Smart.


S. Halevi: Research supported by the Defense Advanced Research Projects Agency (DARPA) and Army Research Office (ARO) under Contract No. W911NF-15-C-0236. C. Hazay: Research supported by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office. A. Polychroniadou: This work was supported in part by the Artificial Intelligence Research group of JPMorgan Chase & Co and its affiliates (“JP Morgan”), and is not a product of the Research Department of JP Morgan. JP Morgan makes no representation and warranty whatsoever and disclaims all liability, for the completeness, accuracy or reliability of the information contained herein. M. Venkitasubramaniam: Research supported by a Google Faculty Research Grant and NSF Award CNS-1526377.

Secure Multi-party Computation

We briefly present the standard definition for secure multi-party computation and refer to [33, Chapter 7] for more details and motivating discussions. A multi-party protocol problem is cast by specifying a random process that maps tuples of inputs to tuples of outputs (one for each party). We refer to such a process as a functionality and denote it \(f:\{0,1\}^*\times \cdots \times \{0,1\}^*\rightarrow \{0,1\}^*\times \cdots \times \{0,1\}^*\), where \(f = (f_1,\ldots ,f_n)\). That is, for every tuple of inputs \((x_1,\ldots ,x_n)\), the output vector is a random variable \((f_1(x_1,\ldots ,x_n),\ldots ,f_n(x_1,\ldots ,x_n))\) ranging over tuples of strings, where \(P_i\) receives \(f_i(x_1,\ldots ,x_n)\). We use the notation \((x_1,\ldots ,x_n) \mapsto (f_1(x_1,\ldots ,x_n),\ldots ,f_n(x_1,\ldots ,x_n))\) to describe a functionality.

We prove the security of our protocols in the presence of an adversary that may actively (i.e. maliciously) or passively (i.e. semi-honest) corrupt parties. Security is analyzed by comparing what an adversary can do in a real protocol execution to what it can do in an ideal scenario. In the ideal scenario, the computation involves an incorruptible trusted third party to whom the parties send their inputs. The trusted party computes the functionality on the inputs and returns to each party its respective output. Informally, the protocol is secure if any adversary interacting in the real protocol (i.e., where no trusted third party exists) can do no more harm than what it could do in the ideal scenario.

1.1 The Honest-but-Curious Setting

In this model the adversary controls one of the parties and follows the protocol specification. However, it may try to learn more information than allowed by looking at the transcript of messages that it received and its internal state. Let \(f = (f_1,\ldots , f_n)\) be a multi-party functionality and let \(\pi \) be a multi-party protocol for computing f. The view of the ith party in an execution of \(\pi \) on inputs \((x_1,\ldots ,x_n)\) is

$$\begin{aligned} {\mathbf{View}}_{\pi ,i}(x_1,\ldots ,x_n) = (x_i, r_i, m^i_1, \ldots ,m^i_t), \end{aligned}$$

where \(r_i\) is the content of the ith party’s internal random tape, and \(m_j^i\) represents the jth message that it received. The output of the ith party in an execution of \(\pi \) on \((x_1,\ldots ,x_n)\) is denoted \(\mathbf{Output}_{\pi ,i}(x_1,\ldots ,x_n)\) and can be computed from \(\mathbf{View}_{\pi ,i}(x_1,\ldots ,x_n)\). We denote the set of corrupted parties by \(I\subset [n]\) and the set of honest parties by \({\bar{I}}\). We extend the above view notation to capture any subset of parties, denoting by \(\mathbf{View}_{\pi ,T}(\kappa ,x_1,\ldots ,x_n)\) the joint views of all parties in T on \((\kappa ,x_1,\ldots ,x_n)\).

Definition A.1

Let f and \(\pi \) be as above. Protocol \(\pi \) is said to securely compute f in the presence of honest-but-curious adversaries if for every \(I\subset [n]\) there exists a probabilistic polynomial-time algorithm \({\mathcal{S}}\) such that

$$\begin{aligned}&\left\{ \left( {\mathcal{S}}(\{x_i,f_i(\kappa ,x_1,\ldots ,x_n)\}_{i\in I}),\ \{f_i(\kappa ,x_1,\ldots ,x_n)\}_{i\notin I}\right) \right\} _{\kappa \in {\mathbb {N}},x_i\in \{0,1\}^*}\\&\quad {\mathop {\approx }\limits ^{\mathrm{c}}}\left\{ \left( \mathbf{View}_{\pi ,I}(\kappa ,x_1,\ldots ,x_n),\ \mathbf{Output}_{\pi ,{\bar{I}}}(\kappa ,x_1,\ldots ,x_n)\right) \right\} _{\kappa \in {\mathbb {N}},x_i\in \{0,1\}^*} \end{aligned}$$

where \(\kappa \) is the security parameter.

1.2 The Active Setting

Execution in the ideal model. In an ideal execution, the parties submit inputs to a trusted party, which computes the output. An honest party receives its input for the computation and simply forwards it to the trusted party, whereas a corrupted party can replace its input with any other value of the same length. Since we do not consider fairness, the trusted party first sends the outputs of the corrupted parties to the adversary, and the adversary then decides whether the honest parties receive their outputs from the trusted party or an abort symbol \(\bot \). Let f be a multi-party functionality where \(f = (f_1,\ldots ,f_n)\), let \(\mathcal{A}\) be a non-uniform probabilistic polynomial-time machine, and let \(I\subset [n]\) be the set of corrupted parties. Then, the ideal execution of f on inputs \((\kappa ,x_1,\ldots ,x_n)\), auxiliary input z to \(\mathcal{A}\) and security parameter \(\kappa \), denoted \(\mathbf{IDEAL }_{f,\mathcal{A}(z),I}(\kappa ,x_1,\ldots ,x_n)\), is defined as the output vector of the honest parties and the adversary \(\mathcal{A}\) from the above ideal execution.

Execution in the real model. In the real model there is no trusted third party and the parties interact directly. The adversary \(\mathcal{A}\) sends all messages in place of the corrupted party, and may follow an arbitrary polynomial-time strategy. The honest parties follow the instructions of the specified protocol \(\pi \).

Let f be as above and let \(\pi \) be a multi-party protocol for computing f. Furthermore, let \(\mathcal{A}\) be a non-uniform probabilistic polynomial-time machine and let I be the set of corrupted parties. Then, the real execution of \(\pi \) on inputs \((\kappa ,x_1,\ldots ,x_n)\), auxiliary input z to \(\mathcal{A}\) and security parameter \(\kappa \), denoted \(\mathbf{REAL }_{\pi ,\mathcal{A}(z),I}(\kappa ,x_1,\ldots ,x_n)\), is defined as the output vector of the honest parties and the adversary \(\mathcal{A}\) from the real execution of \(\pi \).

Security as emulation of a real execution in the ideal model. Having defined the ideal and real models, we can now define security of protocols. Loosely speaking, the definition asserts that a secure protocol (in the real model) emulates the ideal model (in which a trusted party exists). This is formulated by saying that adversaries in the ideal model are able to simulate executions of the real-model protocol.

Definition A.2

Let f and \(\pi \) be as above. Protocol \(\pi \) is said to securely compute f with abort in the presence of active adversaries if for every non-uniform probabilistic polynomial-time adversary \(\mathcal{A}\) for the real model, there exists a non-uniform probabilistic polynomial-time adversary \({\mathcal{S}}\) for the ideal model, such that for every \(I\subset [n]\),

$$\begin{aligned} \left\{ \mathbf{IDEAL }_{f,{\mathcal{S}}(z),I}(\kappa ,x_1,\ldots ,x_n)\right\} _{\kappa \in {\mathbb {N}},x_i,z\in \{0,1\}^*} {\mathop {\approx }\limits ^{\mathrm{c}}}\left\{ \mathbf{REAL }_{\pi ,\mathcal{A}(z),I}(\kappa ,x_1,\ldots ,x_n)\right\} _ {\kappa \in {\mathbb {N}},x_i,z\in \{0,1\}^*} \end{aligned}$$

where \(\kappa \) is the security parameter.


Cite this article

Halevi, S., Hazay, C., Polychroniadou, A. et al. Round-Optimal Secure Multi-party Computation. J Cryptol 34, 19 (2021). https://doi.org/10.1007/s00145-021-09382-3
