1 Introduction

Secure multi-party computation (MPC) [3, 7, 16, 27] is perhaps the most popular paradigm in the area of cryptographic protocols. It requires that n parties compute some function f of their inputs without revealing any additional information, even when some of them may behave arbitrarily. More specifically, n parties P 1,…,P n , each holding input x i , must run a protocol such that at the end of the protocol, all “honest” (i.e., not misbehaving) parties obtain f(x 1,…,x n ), while any set of colluding malicious parties \(\mathcal {T}_{\mathrm {nodes}}\subset [n]\) learn nothing more than what can be learnt from f(x 1,…,x n ) and the x i values for all \(P_{i} \in \mathcal {T}_{\mathrm {nodes}}\).

Traditionally, MPC protocols assume that any two of the n parties share a private and authenticated channel which they can use for communication. In the case of information-theoretic MPC, the channel between two honest nodes is assumed to be a secure physical link which the adversary cannot eavesdrop or tamper with; in the computational case, this channel is provided via a public-key infrastructure.

However, in many settings, the assumption of incorruptible pairwise secure channels is unrealistic and overoptimistic. Think for example, of the communication subsystem of a networked computer (e.g., network interface controller card) being infected by malicious software designed to disrupt or alter operation. This would affect the communication between honest parties. Or worse, of a scenario where the secret keys shared by two parties in the system is compromised, yet the parties themselves are honest. In fact, it is much easier for an adversary to corrupt a communication channel (as it only requires the adversary to capture the session key used for communicating over that link) than it is to corrupt and take complete control over the end terminal. In light of this, one first question we can ask is whether we can obtain MPC protocols when both parties as well as communication channels are corrupted.

Naturally, we must assume some bound on the number of parties as well as the number of communication channels that the adversary can corrupt. In this work, we focus our attention on information-theoretic protocols (as in the context of large networks requiring nodes to maintain certified public keys of all other nodes might be unrealistic). First, observe that we cannot hope to obtain a protocol that is secure against an adversary that corrupts at least \(\frac{1}{3}{n \choose 2}\) of the \(n \choose 2\) communication channels (a constant fraction of the edges in the network), even if all the parties are honest. This is because such an adversary can effectively “simulate” the corruption of \(\frac{n}{3}\) out of the n parties (in the standard setting where only parties can be corrupted),Footnote 1 and in this case information-theoretically secure MPC is known to be impossible [3]. On the positive side, it is quite easy to construct protocols that asymptotically match these bounds of edge corruptions; i.e., protocols tolerating corruption of a constant fraction of communication channels as well as a constant fraction of parties (for constants \(< \frac{1}{3}\)).Footnote 2

However, all the protocols discussed so far assume that any two parties share a secure channel to begin with! (These channels may later on be corrupted, but the connectivity of every party is still n.) For protocols that are executed over large networks such as the Internet, in which nodes are typically connected by a communication graph of small degree, this assumption is unreasonable. Thus, we turn our attention to the problem of constructing information-theoretically secure MPC protocols (secure against corruption of both parties and communication channels) in which parties (or nodes) have low connectivity.

1.1 Almost-Everywhere Secure Computation

Before we describe our model in more detail, we remark that the setting of constructing protocols on networks that are not fully connected is not new. Obtaining protocols on networks that are of low degree (in the presence of node corruptions alone), was first considered for the task of Byzantine agreement [19, 20] in the seminal work of Dwork, Peleg, Pippenger, and Upfal [12]. More formally, in the Dwork et al.’s formulation, the n parties (or nodes) are connected by a communication network G. Nodes that are connected by an edge in G share a reliable and authentic channel, but other nodes must communicate via paths in the graphs that may not be available to them (due to the adversarial “corruption” of some of the nodes).

Naturally, in such a setting, one may not be able to guarantee agreement among all honest parties; for example, one cannot hope to be able to communicate at all with an honest party whose neighbors are all adversarial. Given this fact—and ubiquitously—Dwork et al. termed the new problem almost-everywhere (a.e.) agreement, wherein the number of such abandoned nodes (which henceforth will be called “doomed”) introduces another parameter of interest, in addition to the degree of the communication graph (which we wish to minimize), and the number of adversarial nodes that can be tolerated (which we wish to maximize) in reaching agreement.

Indeed, in [12], Dwork et al. provide a.e. agreement protocols for various classes of low-degree graphs and bounds on the number of adversarial nodes as well as abandoned nodes. For example, they construct a graph of constant degree and show an agreement protocol on this graph tolerating a \(\frac{\alpha}{\log n}\) fraction of corrupted nodes (for constant 0<α<1), guaranteeing agreement among (1−αμ)n of the honest nodes (for constant 0<μ<1). In another construction, they give a graph of degree \(\mathcal {O}(n^{\epsilon})\) (for constant 0<ϵ<1) and show an agreement protocol on this graph tolerating a constant α (0<α<1) fraction of corrupted nodes, and again guaranteeing agreement among (1−αμ)n nodes. In a subsequent and remarkable result, Upfal [23] constructed a constant-degree graph and showed the existence of an a.e. agreement protocol on this graph tolerating a constant fraction of corrupted nodes, while giving up a constant fraction of the honest nodes. Unfortunately, the protocol of [23] runs in exponential time (in n).

Garay and Ostrovsky [15] were the first to consider the problem of unconditional MPC in the context of partially connected networks with adversarial nodes, and obtained results with bounds similar to those in [12]. More recently, Chandran, Garay, and Ostrovsky [6] constructed a graph of degree \(\mathcal {O}(\log^{k} n)\) (for constant k>1) and show an agreement, as well as an MPC protocol on this graph tolerating a constant fraction of corrupted nodes, while giving up only \(\mathcal {O}(\frac{n}{\log n})\) of the honest nodes.

1.2 Almost-Everywhere Secure Computation with Edge Corruptions

All existing work on a.e. agreement and a.e. secure computation mentioned above considers the case where only nodes may be corrupted and misbehave.Footnote 3 Furthermore, all existing work, construct specific graphs (of low degree) on which one can obtain an a.e. secure computation protocol. In an ideal scenario, we would like to construct a.e. computation protocols on arbitrary adversarially chosen communication networks. Unfortunately, this is impossible in general.Footnote 4 However, we can take a step in this direction by allowing the adversary to corrupt edges in the network that we design. That is, we will still construct a specific graph (on which we will obtain a.e. computation protocols); however, we will allow the adversary to “modify” this graph by corrupting a constant fraction of edges in it, thereby taking down (and even actively corrupting) certain channels in the communication network.

In more detail, in this work we will endow the adversary with additional powers which allow him, in addition to corrupting nodes, to corrupt some of the edges in the network—i.e., we consider a.e. agreement and computation with edge corruptions. When he does (corrupt an edge), he is able to completely control the communication channel between the two honest nodes, from simply preventing them to communicate, to injecting arbitrary messages that the receiving end will accept as valid. As in the node-only corruption case, in this case also some of the honest nodes in the network must be abandoned. In this work, we ask the following question:

Can we obtain a.e. secure computation protocols on a network of low (i.e., sublinear) degree when a constant fraction of nodes as well as communication channels are corrupted?

Which we answer in the affirmative. To put things in perspective, observe that an a.e. agreement or a.e. secure computation protocol for node corruptions can be readily transformed into a corresponding a.e. protocol also tolerating edge corruptions, albeit for a reduced fraction of edge corruptions. More specifically, let d be the maximum degree of any node in a graph \(\mathcal {G}\) on n nodes that admits an a.e. agreement (a.e. computation) protocol Π among p<n nodes, in the presence of x corrupt nodes. Then, it is easy to see that \(\mathcal {G}\) admits an a.e. agreement (a.e. computation) protocol Π′ among p nodes in the presence of x corrupt edges.Footnote 5 However, this means that the graph will only admit an agreement/computation protocol for an \(\frac{x}{nd}\) fraction of corrupted edges, as opposed to an \(\frac{x}{n}\) fraction of corrupted nodes in the former case. Therefore, the result that we get for the case of edge corruptions using this naïve method is asymptotically weaker than in the case of node corruptions (except when d is a constant). Indeed, by applying this method, none of the existing protocols for a.e. agreement/computation against node corruptions give us a solution tolerating a constant fraction of edge corruptions. This is depicted in Table 1, where we outline the results one would obtain by applying this approach to the a.e. agreement/computation protocols for node corruptions of [6, 12, 15, 18, 23], and compare them with the results we obtain in this work. In all the results listed in the table, 0<α<1 is a constant, 0<ϵ<1 can be any arbitrary constant, and k>1 is a constant.

Table 1. A.e. secure computation against edge corruptions from a.e. secure computation against node corruptions.
Full size table

Note that all the previous results (except for the result obtained as a corollary to [23], in which the protocol’s running time is exponential) cannot handle the case where we have a constant fraction of corrupted edges. Here we are precisely interested in this case. Specifically, we construct the first efficient (i.e., polynomial-time) protocols for a.e. agreement and a.e. secure computation on graphs with sublinear degree that can tolerate a constant fraction of edge corruptions. We remark that while the above graph constructions are deterministic, we construct our graph probabilistically, and our result holds with high probability. However, a graph satisfying the conditions required for our protocols to be successful can be sampled with probability 1−neg(n), where neg(n) denotes a function that is negligible in n, and furthermore, one can also efficiently check if the graph thus sampled satisfies the necessary conditions for our protocols.

1.3 Overview of Our Results

We show that for every constant ϵ, 0<ϵ<1, there exists a graph, call it \(\mathcal {G}_{\mathrm {{main}}}\), on n nodes, with maximum degree \(d_{m} = \mathcal {O}(n^{\epsilon})\), such that it admits a.e. agreement and a.e. secure computation protocols that guarantee agreement/computation among γ m n honest nodes (for some constant 0<γ m <1), even in the presence of an α m fraction of corrupted edges (i.e., at most \(\frac{\alpha_{m} n d_{m}}{2}\) corrupted edges), for some constant 0<α m <1. Our protocols work against an adversary that is adaptive (i.e., the adversary can decide which edges to corrupt on the fly during the protocol after observing messages of honest parties) and rushing (i.e., in every round, the adversary can decide on its messages after seeing the messages from the honest parties).

First, note that the problem of a.e. secure computation can be reduced to the problem of obtaining a public and authentic channel between any two pair of nodes in the set of privileged nodes (i.e., the set of honest nodes from which the set of doomed nodes have been excludedFootnote 6) due to techniques developed in [15], and the problem of a.e. agreement trivially reduces to the problem of obtaining such a public channel. Hence, our main focus will be on constructing a protocol for this task. We now outline the high-level ideas behind our construction:

  1. 1.

    The first step in our construction is to build a graph with higher degree, \(\mathcal {O}(\sqrt{n}\log n)\), on which we obtain a public channel (between any two nodes in a set of size \(\mathcal {O}(n)\)) tolerating a constant fraction of corrupted edges.

    • To do this, we first observe a property of a graph that is sufficient for such a construction (besides, obviously, every node having degree \(\mathcal {O}(\sqrt{n}\log n)\)), namely, that any two nodes in the graph have \(\mathcal {O}(\log^{2} n)\) number of paths of length 2 between them.

    • Second, we observe that the Erdős–Renyi random graph \(G(n,\frac{\log n}{\sqrt{n}})\) satisfies the above two properties with high probability. That is, a graph \(\mathcal {G}\) on n nodes satisfying the above two properties can be easily sampled by putting an edge (u,v) in \(\mathcal {G}\), independently, with probability \(p = \frac{\log n}{\sqrt{n}}\).

    • Once we have a graph satisfying these properties, the construction is fairly straightforward: to obtain a public channel between any two nodes, say, u and v, u simply sends the message to all nodes in the network via all the paths of length 2, and all the nodes then send the message to v, again via all their paths of length 2. One can then show that if v takes a simple majority of the received values, then a constant fraction of the nodes can build a public channel even in the presence of a constant fraction of corrupted edges.

  2. 2.

    Next, we show how to construct a graph, \(\mathcal {G}'\), recursively from \(\mathcal {G}\leftarrow G(n,\frac{\log n}{\sqrt{n}})\) above such that the new graph is of size n 2 and its degree at most twice that of \(\mathcal {G}\), and yet we can have a public channel on \(\mathcal {G}'\) (between every pair of privileged nodes) tolerating a constant fraction of corrupted edges.

    • We construct \(\mathcal {G}'\) by taking n “copies” of \(\mathcal {G}\) to form n “clouds,” and then connecting the clouds using another copy of \(\mathcal {G}\). We connect two clouds by connecting the ith node in one cloud with the ith node in the other.

    • Now our hope is to be able to simulate the communication between two nodes, u and v, in the following way: u will send the message to all nodes in its cloud (call this cloud C u ). Cloud C u will then send the message to cloud C v (the cloud which v is a part of). Finally, v will somehow receive the message from cloud C v .

    • The problem with this approach is that we need to have a protocol that will allow two clouds to communicate reliably. But clouds themselves are comprised of nodes, some of which might be corrupted or doomed; hence, the transmission from cloud C u to cloud C v might end up being unreliable. To get over this problem, we make use of a specific type of agreement protocol known as differential agreement [13], which, informally and whenever possible, allows parties to agree on the majority value of the honest parties’ inputs. Careful application of this protocol allows us to perform a type of “error-correction” of the message when it is being transferred from one cloud to another.

    • Combining the above techniques leads us to our main result, the construction of a public channel between any two nodes in a set of size \(\mathcal {O}(n)\), on graphs of degree \(\mathcal {O}(n^{\epsilon})\) (for all constants 0<ϵ<1), tolerating a constant fraction of corrupted edges, while giving up μn honest nodes (for a constant 0<μ<1).

Our new public channel construction directly gives us an a.e. agreement protocol tolerating both node and edge corruptions (with the required parameters), and by applying our protocol to the construction in [15], we also obtain an a.e. MPC protocol tolerating both node and edge corruptions for graphs of degree \(\mathcal {O}(n^{\epsilon})\) and same parameters as above.

Finally, our work should be viewed as conceptually introducing the model of adversarial edge corruptions in secure computation and Byzantine agreement, as we do not make any attempts to optimize the constants in the bounds achieved by our protocol. As a rough estimate, our a.e. agreement (resp. MPC) protocol on graphs of degree \(\mathcal{O}(\sqrt{n}\log n)\) can tolerate an \(\alpha < \frac{1}{192}\) fraction of corrupted edges and guarantees agreement/MPC among at least \(\frac{2}{3}\)rd fraction of the nodes. Regarding efficiency bottlenecks, executing differential agreement for every hop, as required by our communication protocol, would qualify as our construction’s most expensive component.

1.4 Related Work

As mentioned above, the problem we consider is most closely related to the problem of almost-everywhere agreement tolerating node corruptions [5, 6, 12, 23]. To our knowledge, the problem of agreement or secure computation on networks with faulty (Byzantine or benign) edges has been only considered before either in the setting of random faults or where there are limited edge faults in a complete network. We now present a brief overview of other related works.

Information-Theoretic Setting.

The work of Lamport, Shostak, and Pease [19] introduced the problem of Byzantine agreement and showed that a solution to the problem (in the fully connected setting) exists if and only if more than two thirds of the parties are honest. Dolev [10] and Dolev et al. [11] were the first to consider the issue of connectivity in executing distributed tasks and showed that if there are t faulty processors in a network, then every pair of processors can communicate reliably if and only if every node has connectivity at least 2t+1 (using a protocol for reliable communication, one can then construct protocols for Byzantine agreement). This work also assumes that whenever a connection is present between two nodes, the connection is reliable and not under the control of an adversary (unlike in our work).

Regarding work on edge corruptions, Diks and Pelc [9] and Chlebus et al. [8] consider the problem of obtaining an agreement protocol (among all nodes) in a complete network when every edge in the network can fail independently with constant probability p f (this in turn means that the expected degree of every node is linear (in n)). These works, apart from only considering random faults, also deal only with non-Byzantine (or non-malicious) faults. The work of Pelc [21] also considers only random edge corruptions (where the failure probability is a constant less than 0.29), but considers Byzantine faulty edges. Shanbhogue and Yung [22] study the necessary and sufficient conditions for asynchronous agreement protocols among n nodes on a complete graph in the presence of Byzantine edges (and show a tight upper and lower bound of \(\lfloor \frac{n-2}{2} \rfloor\) on the total number of corrupted edges). Similarly, the work of Yan et al. [24, 26] also considers malicious faulty links in complete networks with the aim of constructing protocols for optimal-round Byzantine agreement, while Wang and Yan [25] additionally consider fault detection in a similar setting. Berman, Diks and Pelc [4] consider agreement on protocols with random Byzantine edge faults (with a probability of failure \(< \frac{1}{2}\)) and show a broadcasting algorithm that works for n nodes in time \(\mathcal {O}(\log n)\), with probability of correctness \(1-\frac{1}{n}\).

Zikas, Hauser and Maurer [28] consider a model of secure computation where an adversary can, in addition to corrupting parties, also block honest parties’ outgoing or incoming messages. Their setting differs from ours in the following two ways. Firstly, their model allows the adversary to only block messages of honest parties, whereas, in our setting, when an adversary takes over a channel, he completely controls all messages being communicated on it. Secondly, their setting allows the adversary to either block a party’s all incoming or outgoing messages, or none, whereas we allow the adversary to selectively corrupt the edges incident on any node.

Computational Setting.

We first remark that, in the computational setting, if we assume a reliable public-key infrastructure, then executing distributed tasks (and performing secure computation) among most honest nodes over low-degree networks, reduces to whether or not the honest nodes form a connected component (after removing adversarially corrupted nodes and edges). In order to overcome the barrier on the maximum number of nodes that can be corrupted for the case of reliable message transmission in the information-theoretic setting [10, 11], Beimel and Franklin [2], considered a model in which some pairs of processors (other than the pairs that are already connected by reliable channels), are also given authentication keys. The reliable channels define a natural “communication graph” and the pairs of parties sharing authentication keys define a natural “authentication graph.” Beimel and Franklin show that every pair of processors can communicate reliably if and only if all nodes in the communication graph have connectivity at least t+1 and the union of the two graphs has connectivity at least 2t+1.

The work of Barak et al. [1] considered the problem of secure computation in the computational setting where parties are not authenticated to each other by any means. In this setting, parties wish to run secure computation protocols when no two of them share an authenticated channel, and, furthermore, the adversary controls the delivery of messages. In this setting, the adversary can trivially partition the parties into various sets of parties, with each set running its own “secure” computation protocol. Barak et al. show that, essentially, this is all that an adversary can do. We remark that our setting is different: while some pairs of parties share authenticated channels in our setting (namely, those that are connected by an edge in the communication network), we wish to include a much larger fraction of honest nodes in the computation protocol (by making use of other nodes in the network to perform secure message transmission).

Finally, the work of Gordon et al. [17] considered the problem of broadcast with a partially compromised public-key infrastructure. Their work is limited to networks that are initially fully connected (and in the computational setting).

2 Model, Definitions, and Building Blocks

Let \(\mathcal {G}= (\mathcal {V},\mathcal {E})\) denote a graph with n nodes (i.e., \(|\mathcal {V}| = n\)). The nodes of the graph represent the processors (parties) participating in the protocol, while the edges represent the communication links connecting them. We assume a synchronous network and that the protocol communication is divided into rounds. In every round, all parties can send a message on all of their communication links (i.e., on all edges incident on the corresponding node); these messages are delivered before the next round.

An adversary \(\mathcal {A}\) can “corrupt” a set of nodes (as in taking over them and completely control their behavior), \(\mathcal {T}_{\mathrm {nodes}}\subset \mathcal {V}\), as well as a set of edges, \(\mathcal {T}_{\mathrm {edges}}\subset \mathcal {E}\), in the network such that \(|\mathcal {T}_{\mathrm {nodes}}| \leq t_{n}\) and \(|\mathcal {T}_{\mathrm {edges}}| \leq t_{e}\). \(\mathcal {A}\) has unbounded computational power and can corrupt both nodes and edges adaptively (that is, the adversary can decide which nodes and edges to corrupt on the fly during the course of the protocol, after observing the messages from honest parties). Furthermore, \(\mathcal {A}\) is rushing, meaning that it can decide the messages to be sent by adversarial parties (or on adversarial edges) in a particular round after observing the messages sent by honest parties in the same round.

Almost-Everywhere Agreement.

The problem of almost-everywhere agreement (“a.e. agreement” for short) was introduced by Dwork et al. [12] in the (traditional) context of node corruptions. A.e. agreement “gives up” some of the non-faulty nodes in the network from reaching agreement, which is unavoidable due to their poor connectivity with other non-faulty nodes. We refer to the given-up nodes as doomed nodes, and to the honest nodes for which we guarantee agreement as privileged nodes. Let the set of doomed nodes be denoted by \(\mathcal {X}\) and the set of privileged nodes by \(\mathcal {P}\); note that the sets \(\mathcal {P}\) and \(\mathcal {X}\) are a function of the set of corrupted nodes (\(\mathcal {T}_{\mathrm {nodes}}\)) and the underlying graph. Let \(|\mathcal {X}| = x\) and \(|\mathcal {P}|\) = p. Clearly, we have p+x+t=n. We now present a definition of a.e. agreement.

Definition 1

A protocol for parties {P 1,P 2,…,P n }, each holding initial value v i , is an almost-everywhere agreement protocol for node corruptions if for any adversary \(\mathcal {A}\) that corrupts a set of nodes \(\mathcal {T}_{\mathrm {nodes}}\) with \(|\mathcal {T}_{\mathrm {nodes}}| \leq t\), there exists a set of honest nodes \(\mathcal {P}\), such that the following two conditions hold:

  • Agreement: All nodes in \(\mathcal {P}\) output the same value.

  • Validity: If for all nodes in \(\mathcal {P}\), v i =v, then all nodes in \(\mathcal {P}\) output v.

The difference with respect to standard Byzantine agreement [19, 20] is that in the latter the two conditions above are enforced on all honest nodes, as opposed to only the nodes in \(\mathcal {P}\). For brevity, we keep the same names.

In the context of a.e. agreement, one would like the graph \(\mathcal {G}\) to have as small a degree as possible (in relation to the size of the graph and to the number of corrupted parties), while tolerating a high value for t n (a constant fraction of n is the best possible), while minimizing x.

In [12], Dwork et al. constructed graphs with degree \(\mathcal {O}(n^{\epsilon})\) (for constant 0<ϵ<1) tolerating at most t n =α n n (for constant 0<α n <1) corruptions and at the same time guaranteeing agreement among \(n - \mathcal{O}(t_{n})\) nodes in the network, with a number of doomed nodes a constant times t n ; call such a graph \(\mathcal {G}_{\mathrm {{DPPU}}}= (\mathcal {V}_{\mathrm {{DPPU}}},\mathcal {E}_{\mathrm {{DPPU}}})\). The idea behind the a.e. agreement protocol is to simulate a complete graph on the set of privileged nodes. The theorem from [12] is as follows:

Theorem 1

[12]

There exist constants 0<α,μ<1 independent of n and t n , an n-vertex \(\mathcal {O}(n^{\epsilon})\)-regular graph \(\mathcal {G}_{\mathrm {{DPPU}}}\) which can be explicitly constructed, and a communication protocol (transmission scheme) TS DPPU, such that for any set of adversarial nodes \(\mathcal {T}_{\mathrm {nodes}}\) in \(\mathcal {G}_{\mathrm {{DPPU}}}\) such that \(|\mathcal {T}_{\mathrm {nodes}}| = t_{n} = \alpha_{n} n\), TS DPPU guarantees reliable communication between all pairs of nodes in a set of non-faulty nodes \(\mathcal {P}\) of size \(|\mathcal {P}| \geq n - t_{n} - \mu n\). The protocol generates a polynomial (in n) number of messages and has polynomial (in n) running time.

Given the above theorem, Dwork et al. observed that one can run any Byzantine agreement protocol designed for a fully connected graph on \(\mathcal {G}_{\mathrm {{DPPU}}}\) by simulating all communication between nodes in the network with the communication protocol TS DPPU. We refer the reader to [12] for further details.

As a result, let μ,d, and t n be as defined above and let \(\mathsf {BA}(n,t_{n}')\) be a Byzantine agreement protocol for a complete network tolerating up to \(t_{n}' = \mu n + t_{n}\) faulty processors. Then, simulating the protocol \(\mathsf {BA}(n,t_{n}')\) on the network \(\mathcal {G}_{\mathrm {{DPPU}}}\) using the communication protocol TS DPPU, guarantees agreement among at least nt n μn honest nodes in the presence of up to t n =α n n faulty nodes.

Differential Agreement.

In [13], Fitzi and Garay introduced the problem of δ-differential agreement. In the standard Byzantine agreement problem, n parties attempt to reach agreement on some value v (for simplicity, we assume v∈{0,1}). Let c v denote the number of honest parties whose initial value is v, and δ be a non-negative integer. δ-differential agreement is defined as follows:

Definition 2

A protocol for parties {P 1,P 2,…,P n }, each holding initial value v i , is a δ-differential agreement protocol if the following conditions hold for any adversary \(\mathcal {A}\) that corrupts a set \(\mathcal {T}_{\mathrm {nodes}}\) of parties with \(|\mathcal {T}_{\mathrm {nodes}}| \leq t_{n}\):

  • Agreement: All honest parties output the same value.

  • δ-Differential Validity: If the honest parties output v, then \(c_{v} + \delta \geq c_{\bar{v}}\).

Theorem 2

[13]

In a synchronous, fully connected network, δ-differential agreement is impossible if n≤3t n or δ<t n . On the other hand, there exists an efficient (i.e., polynomial-time) protocol that achieves t n -differential agreement for n>3t n in t n +1 rounds.

We will use DA(n,t n ,δ) to denote a δ-differential agreement protocol for a fully connected network tolerating up to t n faulty processors.

The Edge-Corruption Model.

In this work we additionally allow the adversary to corrupt edges on the network graph—the set \(\mathcal {T}_{\mathrm {edges}}\subset \mathcal {E}\), \(|\mathcal {T}_{\mathrm {edges}}| \leq t_{e}\). We will bound this quantity, as well as the total number of nodes that the adversary can corrupt, and attempt to construct a network graph \(\mathcal {G}\) of small (sublinear) degree on which a significant number of honest nodes can still perform MPC. We now give some definitions and make some remarks about a.e. agreement and a.e. MPC for this setting.

We first observe that since we are working with (asymptotically) regular graphs, obtaining an a.e. (agreement, MPC) protocol in the presence of a constant fraction of corrupted edges will also imply a protocol in the presence of a constant fraction of corrupted edges and a constant fraction of corrupted nodes, as every corrupted node can be “simulated” by corrupting all the edges incident on this node. Thus, we will henceforth consider only adversarial edges and assume that all the nodes are honest.

As in the case of a.e. MPC on sparse networks in the presence of adversarial nodes, a.e. MPC in the presence of adversarial edges also “gives up” certain honest nodes in the network, which, as argued before, is unavoidable due to their poor connectivity with other honest nodes. Let the set of such doomed nodes be denoted by \(\mathcal {X}\) and the set of privileged nodes by \(\mathcal {P}\). Note that the sets \(\mathcal {P}\) and \(\mathcal {X}\) are a function of both the set of corrupted edges (\(\mathcal {T}_{\mathrm {edges}}\)) and the underlying graph. Let \(|\mathcal {X}| = x\) and \(|\mathcal {P}|\) = p; we let the fraction of corrupt edges be α e . The definition of a.e. agreement with corrupted edges, in particular, now readily follows in the same manner as in Definition 1.

Next, we remark that the problem of a.e. agreement for edge corruptions also reduces to that of constructing a reliable and authentic channel between any two nodes \(u,v \in \mathcal {P}\), in particular those which are not directly connected by an edge in \(\mathcal {E}\). (With foresight, we will be calling such a channel a public channel.) Furthermore, Garay and Ostrovsky showed that, given such a public channel between two nodes u and v \(\in \mathcal {P}\), plus some additional paths, most of which (i.e., all but one) might be corrupted, it is possible to construct a (unidirectional) secure (i.e., private and reliable) channel between them. The construction is via a protocol known as secure message transmission by public discussion (SMT-PD) [14, 15]. In turn, from the protocol for a secure channel, an a.e. MPC protocol among the nodes in \(\mathcal {P}\), satisfying the same notion of security as in [15], readily follows (see Theorem 7 in Appendix A).

The definition of a secure channel between two nodes, which are not necessarily directly connected, and in the presence of adversarial edges, essentially paraphrases the more general definition of secure message transmission (see, e.g., [14]), where the channel is parameterized by a privacy error (κ 1) and a reliability error (κ 2).

More formally, an execution of a (unidirectional) secure channel protocol between two nodes \(u,v \in \mathcal {V}\), with u as the sender and u as the receiver, is determined by the random coins of the two nodes and the adversary \(\mathcal {A}\) controlling the set of edges \(\mathcal {T}_{\mathrm {edges}}\), and the message m (without loss of generality, we will assume that m∈{0,1}). Let \(\mathsf {View}_{\mathcal {A}}\) denote the view of the adversary in the execution of the protocol between u and v; this view includes all messages seen by \(\mathcal {A}\) (on edges in the set \(\mathcal {T}_{\mathrm {edges}}\)), as well as the adversary’s random coins. Let \(\mathsf {View}_{\mathcal {A}}(b)\) denote the view of the adversary. In each execution, v will output a message m v . We now describe the security of secure-channel protocol:

Definition 3

We say that a protocol Π between nodes \(u,v \in \mathcal {P}\), is a (κ 1,κ 2)-secure channel protocol if it satisfies:

  • Privacy: \(\mathsf {View}_{\mathcal {A}}(0)\) and \(\mathsf {View}_{\mathcal {A}}(1)\) are κ 1-close.

  • Reliability: For m∈{0,1}, Pr[m v =m]≥1−κ 2. (The probability is taken over all players’ coins.)

Similarly, we say a protocol Π between nodes \(u,v \in \mathcal {P}\), is a κ-public channel protocol between u and v if it satisfies the reliability property (as defined above) with probability at least 1−κ.

For completeness, we also provide the security definition of a.e. MPC (for node-corruptions) given in [15] in Appendix A.

Finally, we remark that one can define the notion of a.e. differential agreement (for edge corruptions) in the same manner as a.e. agreement by replacing the set of honest parties with the set of privileged parties in Definition 2 (i.e., by treating doomed parties also as adversarial). Furthermore, note that one can also obtain an a.e. differential agreement protocol (for edge corruptions) from the construction of a public channel between any two nodes \(u,v \in \mathcal {P}\): simply, execute a standard differential agreement protocol and replace every communication between nodes with an execution of the public channel protocol. We will use AE-DA(n,t n ,δ) to denote an a.e. δ-differential agreement protocol for a partially connected network where the number of privileged parties is nt n .

3 Remote and Secure Channels on Low-Degree Networks

In this section we construct a graph in which the maximum degree of any node is low, and yet, there exists a set of nodes (of size a constant times the total number of nodes), such that any two nodes in this set can communicate with each other privately and reliably, even when an adaptive and rushing adversary corrupts a constant fraction of the edges in the graph. More specifically, our goal is to construct a graph \(\mathcal {G}= (\mathcal {V},\mathcal {E})\) on n nodes with maximum degree d, and a protocol for a secure channel, SC u,v (m), with the following properties. Let the set of edges that are corrupted by an adversary be denoted by \(\mathcal {T}_{\mathrm {edges}}\subset \mathcal {E}, |\mathcal {T}_{\mathrm {edges}}| \leq \alpha nd\). We shall show that there exists a set of nodes \(\mathcal {P}\subseteq \mathcal {V}\), such that \(|\mathcal {P}| \geq \gamma n\), and any two nodes \(u,v\in \mathcal {P}\) can communicate using SC u,v (m). As mentioned earlier, our main focus will be on building a public channel \(\mathsf {PC}^{\mathcal {G}}_{u,v}(m)\) that can be used by any two nodes \(u,v \in \mathcal {P}\) to communicate authentically, but publicly, as this will be sufficient to obtain a protocol for secure channel using the techniques from Garay and Ostrovsky [15]. Our graph will have maximum degree \(\mathcal {O}(n^{\epsilon})\), for arbitrary constants 0<ϵ<1, such that \(|\mathcal {P}| \geq \gamma n\), for constant 0<γ<1.

We begin this section by constructing such a public channel scheme on a graph of larger degree, \(\mathcal {O}(\sqrt{n}\log n)\), and then show how to use that construction to obtain a scheme on a graph of maximum degree \(\mathcal {O}(n^{\epsilon})\). Finally, we show how to obtain a secure channel between any two nodes in \(\mathcal {P}\).

3.1 Public Channels on \(\mathcal {O}(\sqrt{n}\log n)\)-Degree Graphs

We now show how to construct a graph of maximum degree \(\mathcal {O}(\sqrt{n}\log n)\), and then present a protocol for a public channel between any two nodes \(u,v \in \mathcal {P}\), tolerating a constant fraction of corrupted edges. For simplicity, we will assume that all messages in our protocols are binary. We remark that this restriction can be easily removed.

Let \(\mathcal {G}= (\mathcal {V},\mathcal {E})\) denote a graph on n nodes, d v the degree of vertex \(v \in \mathcal {V}\), and Paths 2(u,v) the set of all paths between any two vertices \(u,v \in \mathcal {V}\) of length exactly 2. Let \(\mathcal {G}\) satisfy the following two properties:

  1. 1.

    \(\frac{\sqrt{n}\log n}{2} \leq d_{v} \leq 2\sqrt{n}\log n\) for all \(v \in \mathcal {V}\); and

  2. 2.

    \(|\mathsf {Paths}_{2}(u,v)| \geq \frac{\log^{2} n}{2}\) for all \(u,v \in \mathcal {V}\).

We will construct our public channel on any graph \(\mathcal {G}\) satisfying the above properties. We first observe that such a graph is easy to construct probabilistically. Consider the Erdős–Renyi random graph G(n,p), with \(p = \frac{\log n}{\sqrt{n}}\); that is, construct the graph \(\mathcal {G}\) such that there is an edge between every pair of nodes u and v, independently with probability \(p = \frac{\log n}{\sqrt{n}}\) (for simplicity, we allow self-edges). Then, except with negligible (in n) probability, G(n,p) satisfies the conditions that we require of graph \(\mathcal {G}\). (For completeness, we provide the proof of this in Appendix B.) For brevity, sometimes we will denote this process by \(\mathcal {G}\leftarrow G(n,p)\). We now present two lemmas for graph \(\mathcal {G}\) satisfying the two properties above.

Lemma 1

In graph \(\mathcal {G}\), no edge participates in more than \(4\sqrt{n}\log n\) paths of length exactly 2 (Paths 2(u,v)) between any two vertices \(u,v \in \mathcal {V}\).

Proof

Since paths in any Paths 2(u,v) are of length exactly 2, an edge (w,t) can participate only in paths of the form {x,y,z} where either (x,y)=(w,t) or (y,z)=(w,t). From graph \(\mathcal {G}\)’s property 1 above, every vertex has degree \(\leq 2\sqrt{n}\log n\). Hence, edge (w,t) participates in no more than \(4\sqrt{n}\log n\) paths. □

Let 0<α e ,α n <1 be constants denoting the fraction of corrupt edges and corrupt nodes in the graph, respectively. Note that if we are able to design a protocol that can tolerate \(\alpha_{e} \sqrt{n}(n-1)\log n + 2\alpha_{n} \sqrt{n}(n-1)\log n\) edge corruptions, then we will automatically get a protocol that can tolerate an α e fraction of corrupt edges and an α n fraction of corrupt nodes.Footnote 7 Hence, let α=α e +2α n ; we will construct a protocol that can tolerate an α fraction of corrupt edges (and no corrupt nodes). The next lemma bounds the number of nodes in \(\mathcal {G}\) with poor connectivity.

Lemma 2

Let \(\mathcal {Y}_{u}\) denote the set of nodes v such that the fraction of paths in Paths 2(u,v) with no corrupt edges is \(\leq \frac{1}{2}\). We say that a node \(u \in \mathcal {V}\) is doomed if \(|\mathcal {Y}_{u}| \geq \frac{n}{4}\). Then, in graph \(\mathcal {G}\), at most 64αn nodes are doomed.

Proof

Consider a particular node u. In order to make u doomed, an adversary must corrupt at least \(\frac{\log^{2} n}{4}\cdot\frac{n}{4}\) paths. Recall (Lemma 1) that every edge can participate in at most \(4\sqrt{n}\log n\) paths. Since at most \(\alpha \sqrt{n}(n-1)\log n\) edges can be corrupt, this contributes to at most 4αn(n−1)log2 n corrupt paths. Hence, the total number of nodes that can be doomed is at most 64α(n−1)<64αn. □

The set of privileged nodes \(\mathcal {P}\) in \(\mathcal {G}\) will simply be the nodes that are not doomed. By Lemma 2 above, we have that \(|\mathcal {P}| \geq (1-64\alpha)n = \gamma n\) (for some constant 0<γ<1). We now present the construction of a public channel between any two nodes \(u, v \in \mathcal {P}\):

\(\underline{\mathsf {PC}^{\mathcal {G}}_{u,v}(m)}\).

  1. 1.

    For every node \(w\in \mathcal {V}\), u sends m over all paths in Paths 2(u,w).

  2. 2.

    Every node \(w\in \mathcal {V}\), upon receiving m over the different paths, takes the majority of the values received, and sends this value to v over all paths in Paths 2(w,v).

  3. 3.

    For every w, v takes the majority value of all messages received over Paths 2(w,v) as the message received from w. Then, v takes the majority (over all w) of the received values as the value sent by u.

We now show that if nodes u and v are not doomed, then the protocol described above is a 0-public channel protocol.

Lemma 3

Let \(u,v \in \mathcal {P}\) (i.e., any two nodes in \(\mathcal {G}\) that are not doomed), Then, after an execution of \(\mathsf {PC}^{\mathcal {G}}_{u,v}(m)\), v outputs m with probability 1.

Proof

Since u is not doomed, when u sends m to every node w in the first step of the protocol, the number of nodes that will receive the value m correctly is more than \(\frac{3n}{4}\) (since more than half of the paths from u to each of these nodes is not corrupted). Note that in this analysis, it does not matter when an adversary corrupts an edge or whether an adversary sees the message before deciding his next move and hence we handle adaptive as well as rushing adversaries. Consider now one of these nodes w that receives the value correctly from u. Let us discount those nodes w that do not have a majority of uncorrupted paths to v. Since there can be only less than \(\frac{n}{4}\) such nodes (as otherwise, v would be doomed), this leaves us with \(> \frac{3n}{4} - \frac{n}{4} = \frac{n}{2}\) nodes. Each of these nodes have a majority of uncorrupted paths to v and hence values sent by these nodes to v in step 2 will be received correctly by v. Hence, v will receive, out of the n values,Footnote 8 more than \(\frac{n}{2}\) values correctly, and hence when v takes the majority of values received in step 3 it will output m correctly. Note also, that our protocol is deterministic, and hence v will furthermore output m correctly with probability 1 when it takes the majority of values received. □

3.2 Public Channels and Secure Channels on \(\mathcal {O}(n^{\epsilon})\)-Degree Graphs

In this section we present our main technical result: we show how to recursively increase the number of nodes in graph \(\mathcal {G}\) from the previous section, while not increasing its degree (asymptotically), and show how to implement a public channel on such graphs. We will do this in two steps. Let γ=(1−64α). We will first show the following:

Lemma 4

Let \(\mathcal {G}\) be a graph on n nodes with maximum degree d. Furthermore, let \(\mathcal {G}\) be such that it admits a public channel protocol, \(\mathsf {PC}^{\mathcal {G}}_{u,v}(\cdot)\), between any two nodes u and v from a set of size at least γn nodes even in the presence of αnd corrupt edges. Then, there exists a graph \(\mathcal {G}'\) on n 2 nodes of maximum degree 2d, such that \(\mathcal {G}'\) admits a public channel protocol between any two nodes u and v from a set of size at least γ 2 n 2 nodes even in the presence of α 2 n 2 d corrupt edges.

Later on, we will show how to apply the \(\mathcal {G}'\) construction from \(\mathcal {G}\) recursively to obtain the desired result on graphs of degree \(\mathcal {O}(n^{\epsilon})\).

Construction of \(\mathcal {G}'\).

We construct \(\mathcal {G}'\) as follows. Take n copies of graph \(\mathcal {G}\); we will call each copy a cloud, and denote them C 1,…,C n . Connect the n clouds using another copy of graph \(\mathcal {G}\). We do this by connecting the ith node in cloud C j to the ith node in cloud C k by an edge, whenever there is an edge between C j and C k in \(\mathcal {G}\). We will call such a collection of edges between cloud C j and cloud C k as a cloud-edge. Note that the maximum degree of any node in \(\mathcal {G}'\) is 2d.

We now describe how a node u in cloud C j will communicate with a node v in cloud C k —call this protocol \(\mathsf {PC}^{\mathcal {G}'}_{u,v}(m)\). To do this, we will first describe how two clouds that share a cloud-edge will communicate. Let every node iC j hold a value m i as input (note that every node need not hold the same value m i ) and assume cloud C j wishes to communicate with cloud C k . We describe a protocol such that, assuming a large-enough fraction of nodes in C j , hold the same input value, say m, then at the end of this protocol’s execution a large-enough fraction of nodes in cloud C k will output m. We call this protocol \(\mathsf {CloudTransmit}_{C_{j},C_{k}}(m_{i})\). Let δ be such that 64αn<δ<(γ−130α)n.

\(\underline{\mathsf {CloudTransmit}_{C_{j},C_{k}}(m_{i})}\).

  1. 1.

    For every node 1≤in, the ith node in C j sends m to the ith node in C k through the edge connecting these two nodes.

  2. 2.

    The nodes in C k execute a.e. differential agreement protocol AE-DA(n,64αn,δ) using the value they received from their counterpart node in C j as input. (Recall that the existence of protocol \(\mathsf {PC}^{\mathcal {G}}_{u,v}(m)\) between privileged nodes in \(\mathcal {G}\) guarantees that one can construct an a.e. differential agreement protocol; see Sect. 4 for more details on constructing an a.e. agreement protocol on \(\mathcal {G}\).)

  3. 3.

    Each node takes the output of protocol AE-DA(n,64αn,δ) as its output in this protocol.

We are now ready to describe \(\mathsf {PC}^{\mathcal {G}'}_{u,v}(m)\):

\(\underline{\mathsf {PC}^{\mathcal {G}'}_{u,v}(m)}\).

  1. 1.

    u sends m to i for all nodes i in cloud C j using \(\mathsf {PC}^{\mathcal {G}}_{u,i}(m)\) from Sect. 3.1. The ith node in C j receives message m i .

  2. 2.

    Clouds C j and C k now execute protocol \(\mathsf {PC}^{\mathcal {G}}_{C_{j},C_{k}}(m_{i})\) over the graph \(\mathcal {G}\) connecting the n clouds.Footnote 9 Whenever cloud C w is supposed to send a message to C z according to the protocol, they use protocol \(\mathsf {CloudTransmit}_{C_{w},C_{z}}(\cdot)\) over the cloud-edge connecting C w and C z .

  3. 3.

    Node vC k takes its output in the protocol \(\mathsf {PC}^{\mathcal {G}}_{C_{j},C_{k}}(m_{i})\) as the value sent by u.

We prove the correctness of the transmission scheme above through a series of lemmas. At a high level, our proof goes as follows. We will call a cloud C j as good if it does not have too many corrupt edges within it (that is, corrupt edges of the form (u,v) with both u and v in C j ); otherwise we will call the cloud as bad (Definition 4). We first show that an adversary cannot create too many bad clouds (Lemma 5). Next, we define what it means for a cloud-edge between two clouds C j and C k to be good in Definition 5 (informally, the cloud-edge is good if both C j and C k are good clouds and there are sufficient number of edges connecting privileged nodes in C j and C k ). We then show that the adversary cannot create too many bad cloud-edges (Lemma 6). Next, we show that two good clouds can communicate reliably across a good cloud-edge (Lemma 7). Finally, we show that there exists a large set of clouds such that any two privileged nodes in any two clouds from this set, can communicate reliably (Lemma 8). From this, the proof of Lemma 4 readily follows.

We begin with a few definitions. First, let \(t_{C_{j}}\) denote the number of edges that an adversary corrupts within cloud C j (that is, any corrupt edge of the form (u,v) with both u and v in C j adds to this count); let \(t_{c} = \sum_{1\leq j\leq n} t_{C_{j}}\) be the total number of such “intra-cloud” corrupted edges. In addition, let t ce denote the total number of corrupt edges that connect two clouds—that is, any corrupt edge (call these “inter-cloud” edges) of the form (u,v) with uC j and vC k , for jk, adds to this count. (Thus, the total number of corrupt edges t e =t c +t ce .) We proceed with a few definitions:

Definition 4

We say that a cloud C j , 1≤jn, is good if \(t_{C_{j}} \leq \alpha nd\). Otherwise, we say that the cloud is bad.

Lemma 5

The number of bad clouds in \(\mathcal {G}'\) is at most \(\lfloor\frac{t_{c}}{\alpha nd}\rfloor\).

Proof

By Lemma 2, in order to make a cloud bad, \(\mathcal {A}\) must corrupt more than αnd edges within the cloud. Since the total number of edges that the adversary corrupts within clouds is t c , the total number of bad clouds is at most \(\lfloor\frac{t_{c}}{\alpha nd}\rfloor\). □

Definition 5

We say that a cloud-edge between two clouds C j and C k is good if:

  1. 1.

    Both C j and C k are good; and

  2. 2.

    The number of nodes i such that the ith node in C j as well as the ith node in C k are both not doomed (in the graph \(\mathcal {G}\) connecting the nodes in the respective cloud), while the edge connecting these two nodes is corrupt, is ≤αn.

Otherwise, we say that the cloud-edge is bad.

Lemma 6

The number of bad cloud-edges is at most \(\lfloor\frac{t_{ce}}{\alpha n}\rfloor\).

Proof

In order to make a cloud-edge between two good clouds C j and C k bad, \(\mathcal {A}\) must corrupt at least αn edges connecting them. Since the total number of corrupt inter-cloud edges is t ce , the total number of bad cloud-edges is at most \(\lfloor\frac{t_{ce}}{\alpha n}\rfloor\). □

Lemma 7

Let C j and C k be two good clouds connected by a good cloud-edge. Further, let all nodes in C j that are not doomed (in \(\mathcal {G}\)) hold value m i =m as input. Then, after executing protocol \(\mathsf {CloudTransmit}_{C_{j},C_{k}}(m_{i})\), all nodes in C k that are not doomed (in \(\mathcal {G}\)) output m.

Proof

Since C j is a good cloud, at most αnd edges in cloud C j are corrupt. Hence, there are at least γn nodes in C j that are not doomed, and that hold value m as input. When \(\mathsf {CloudTransmit}_{C_{j},C_{k}}(m_{i})\) is executed, all these nodes will send m across their edges to their counterpart nodes in C k . Now, since a node that is not doomed in C j may be connected to a node that is doomed in C k , and some of the edges connecting two nodes that are not doomed may also be corrupted, the number of nodes that are not doomed in C k that receive the value m correctly is at least γn−64αnαn=(γ−65α)n.

Next, in step 2 of protocol \(\mathsf {CloudTransmit}_{C_{j},C_{k}}(m_{i})\), the nodes in C k execute protocol AE-DA(n,64αn,δ). In cloud C k , we shall consider every doomed node as corrupt and every node that is not doomed as honest. By the property of the a.e. differential agreement protocol (cf. Definition 2), we have that whenever the honest nodes output a value, say, v, we have \(c_{v} + \delta \geq c_{\bar{v}}\), where c v denotes the number of honest nodes with initial value v (recall that, for simplicity, we are considering the binary case). From the calculation above, the number of nodes that are not doomed with the correct value m is at least (γ−65α)n. Hence, the number of nodes with the wrong value (\(\bar{m}\)) is at most 65αn. Since 65αn+δ<(γ−65α)n by the way δ is picked (in transmission scheme for \(\mathcal {G}'\)), we have that the nodes that are not doomed will never output \(\bar{m}\) in protocol AE-DA(n,64αn,δ) and hence all the nodes in C k that are not doomed will output m after protocol \(\mathsf {CloudTransmit}_{C_{j},C_{k}}(m_{i})\). □

Lemma 8

There exists a set of clouds \(\mathcal{P}_{C}\), \(|\mathcal{P}_{C}| = \gamma n\), such that for all \(C_{j}, C_{k} \in \mathcal{P}_{C}\) and for all nodes uC j and vC k that are not doomed, v always outputs m after protocol \(\mathsf {PC}^{\mathcal {G}'}_{u,v}(m)\).

Proof

Let us consider the graph \(\mathcal {G}\) that connects the n clouds in graph \(\mathcal {G}'\). By Lemma 5 we know that at most \(\lfloor\frac{t_{c}}{\alpha nd}\rfloor\) clouds are bad. Furthermore, we know by Lemma 6 that in this graph \(\mathcal {G}\) at most \(\lfloor\frac{t_{\mathrm{{ce}}}}{\alpha n}\rfloor\) cloud-edges are bad. Thus, in total, in graph \(\mathcal {G}\) connecting the n clouds \(\mathcal {A}\) can corrupt \(\lfloor\frac{t_{c}}{\alpha nd}\rfloor\) clouds and \(\lfloor\frac{t_{ce}}{\alpha n}\rfloor\) cloud-edges. Now, such an adversary can be perfectly simulated by an adversary that corrupts \(\frac{t_{c}}{\alpha nd}\cdot d + \frac{t_{\mathrm{{ce}}}}{\alpha n}\) cloud-edges in total. Since, the total number of edges that \(\mathcal {A}\) is allowed to corrupt in \(\mathcal {G}'\) is t c +t cex and is bounded by α 2 n 2 d, we get that this new adversary can corrupt at most α fraction of cloud-edges.

Now assume, as in Lemma 4, that the graph \(\mathcal {G}\) that connects the n clouds, admits a public channel between any two clouds in a set of clouds of size at least γn (since at most α fraction of cloud-edges are corrupted), provided that any two clouds that are connected by a good cloud-edge can communicate reliably. Let this set of γn clouds be \(\mathcal{P}_{C}\). By now applying Lemma 7 which precisely gives us the guarantee that any two clouds that are connected by a good cloud-edge can communicate reliably, the lemma follows. □

Public Channels and Secure Channels on \(\mathcal {O}(n^{\epsilon})\)-Degree Graphs.

We now arrive at our main result by applying the construction of \(\mathcal {G}'\) from \(\mathcal {G}\) recursively, a constant number of times, beginning with graph \(\mathcal {G}\) described in Sect. 3.1. We first show:

Theorem 3

For all constants 0<ϵ<1 and sufficiently large n, there exists a graph, call it \(\mathcal {G}_{\mathrm {{main}}}\), on n nodes, of degree at most \(d_{m} = \mathcal {O}(n^{\epsilon})\), admitting a 0-public channel protocol between any two nodes in a set of size at least γ m n (for some constant 0<γ m <1) even in the presence of an α m fraction of edge corruptions (for some constant 0<α m <1).

Proof

Applying Lemma 4 recursively, in conjunction with Theorem 5 (that states that we can obtain a.e. agreement on any graph that admits a public channel between the nodes in the privileged set), we get that there exists a graph \(\mathcal {G}''\) on n k (for constant k≥1) nodes, with maximum degree at most \(d'' = 2^{k-1}\sqrt{n}\log n\) and such that \(\mathcal {G}''\) admits a public channel between any two nodes in a set of size at least γ k n k nodes even in the presence of α k n k d″ corrupted edges (for constants 0<α,γ<1). Setting n m =n k, we get that there exists a graph \(\mathcal {G}_{\mathrm {{main}}}\) on n m nodes, with maximum degree at most \(d_{m} = \frac{2^{k-1}}{k}n_{m}^{\frac{1}{2k}}\log n_{m} = \mathcal {O}(n^{\epsilon})\) (for all constants k≥1 and appropriately chosen 0<ϵ<1) admitting a public channel between any two nodes in a set of size at least γ m n m nodes even in the presence of α m n m d m corruptions (for some constants 0<α m ,γ n <1). □

As mentioned in the beginning of the section, the availability of public channels in \(\mathcal {G}_{\mathrm {{main}}}\) for a constant fraction of nodes, together with the techniques in [15], allow those nodes to communicate securely even in the presence of a constant fraction of corrupted edges.

Theorem 4

For all constants 0<ϵ<1 and sufficiently large n, there exists a graph, call it \(\mathcal {G}_{\mathrm {{main}}}\), on n nodes, of degree at most \(d_{m} = \mathcal {O}(n^{\epsilon})\), admitting a (0,κ 2)-secure channel protocol (for negligible κ 2) between any two nodes in a set of size at least γ m n (for some constant 0<γ m <1) even in the presence of an α m fraction of edge corruptions (for some constant 0<α m <1).

The proof of the theorem follows directly from Theorems 3 and 7 (from [15]). The reliability error, κ 2, comes from the SMT-PD (secure message transmission by public discussion) protocol used in [15], and it is unavoidable when a majority of paths between sender and receiver are corrupted (see, e.g., [14]), which is the case for privileged nodes in our low-degree setting.

4 A.E. Agreement and Secure Computation with Edge Corruptions on Low-Degree Networks

In this section, we describe our protocols and derive our conclusions for a.e. agreement and secure computation on \(\mathcal {O}(n^{\epsilon})\)-degree networks, achieving security even in the presence of a constant fraction of edge corruptions.

We start by showing a.e. agreement on graph \(\mathcal {G}\), of degree \(\mathcal {O}(\sqrt{n}\log n)\) (Sect. 3.1). The nodes in \(\mathcal {G}\) simply execute any standard Byzantine agreement protocol BA(n,64αn) (α defined below), executing \(\mathsf {PC}^{\mathcal {G}}_{u,v}(m)\) whenever node u is supposed to send message m to node v according to BA(n,64αn). Let Priv be the set of nodes in \(\mathcal {V}\) that are not doomed at the end of the execution of the protocol. We then have the following.

Lemma 9

Let \(\alpha < \frac{1}{192}\). Then there exists a set \(\mathcal {P}\subset \mathcal {V}\), \(|\mathcal {P}| \geq \gamma n\) (for some constant 0<γ<1), such that all nodes in \(\mathcal {P}\) can reach agreement in the presence of an α fraction of edge corruptions in \(\mathcal {G}\). Since the number of doomed nodes is 64αn, we can obtain agreement when \(64\alpha < \frac{1}{3}\).

Proof

Let \(\mathcal{P} = \mathsf {Priv}\). From Lemma 3, we have that any two nodes \(u, v \in \mathcal{P}\) can reliably communicate with each other using protocol \(\mathsf {PC}^{\mathcal {G}}_{u,v}(m)\) in the presence of an α fraction of edge corruptions in \(\mathcal {G}\). Hence, nodes in \(\mathcal{P}\) can reach agreement by executing any standard Byzantine agreement protocol BA(n,64αn) (that is, treating the number of doomed nodes as corrupt nodes—recall Lemma 2) and by simply executing \(\mathsf {PC}^{\mathcal {G}}_{u,v}(m)\) whenever u is supposed to send message m to v in BA, and provided that \(64\alpha < \frac{1}{3}\) (necessary condition on the number of faulty players for Byzantine agreement in the fully connected setting, yielding \(\alpha < \frac{1}{192}\)). Hence, we have that \(|\mathcal{P}| \geq (1 - 64\alpha) n = \gamma n\). □

The following theorem establishes the soundness of our construction.

Theorem 5

Let \(\mathcal {G}\) be a graph as specified in Sect3.1. Then \(\mathcal {G}\) is a graph of maximum degree \(d = \mathcal{O}(\sqrt{n}\log n)\) such that γn nodes in \(\mathcal {V}\) can reach agreement even in the presence of an α fraction of edge corruptions (for constant 0<α<1).

The proof of the theorem follows from Lemma 9. As a corollary, we get:

Corollary 1

\(\mathcal {G}\) is a graph of maximum degree \(d = \mathcal{O}(\sqrt{n}\log n)\) such that γn nodes in \(\mathcal {V}\) can reach agreement even in the presence of an α e fraction of edge corruptions and an α n fraction of node corruptions (with α e +2α n α).

We now turn to our target degree: \(\mathcal {O}(n^{\epsilon})\), for constant 0<ϵ<1. We first describe an agreement protocol on graph \(\mathcal {G}'\) (Sect. 3.2), with n 2 nodes and degree same as that of \(\mathcal {G}\). Applying this recursively, we will obtain our agreement protocol on \(\mathcal {G}_{\mathrm {{main}}}\). To reach agreement on \(\mathcal {G}'\), the n 2 nodes execute any standard agreement protocol BA(n 2,(1−γ 2)n 2) for a complete graph, replacing the sending of a message between any two nodes, say, u and v, by an invocation to protocol \(\mathsf {PC}^{\mathcal {G}'}_{u,v}(m)\). We now show that almost all nodes in \(\mathcal {G}'\) can reach agreement.

Lemma 10

There exists a set \(\mathcal {P}\subset \mathcal {V}\), \(|\mathcal {P}| \geq \gamma^{2} n^{2}\) (for some constant 0<γ<1), such that all nodes in \(\mathcal {P}\) can reach agreement in the presence of an α 2 fraction of edge corruptions in \(\mathcal {G}'\).

Proof

We put a vertex u in \(\mathcal {P}\) if the following conditions hold:

  1. 1.

    uC j such that \(C_{j} \in \mathcal{P}_{C}\) (from Lemma 8); and

  2. 2.

    u is not doomed in graph \(\mathcal {G}\) which connects C j .

By Lemma 8, since at most αnd cloud-edges are bad, we get that \(|\mathcal{P}_{C}| \geq \gamma n\). Furthermore, since all clouds in \(\mathcal{P}_{C}\) are good, we have (from Definition 4) that for any given cloud in \(\mathcal{P}_{C}\) at most αnd edges are corrupted, and therefore at least γn nodes in each cloud in \(\mathcal{P}_{C}\) are not doomed. Hence, \(|\mathcal {P}| \geq \gamma^{2} n^{2}\).

Also by Lemma 8, any two nodes in \(\mathcal {P}\), say, u and v, can communicate reliably using protocol \(\mathsf {PC}^{\mathcal {G}'}_{u,v}(m)\) in the presence of an α 2 fraction of edge corruptions in \(\mathcal {G}'\). Hence, nodes in \(\mathcal {P}\) can reach agreement by executing any standard Byzantine agreement protocol BA(n 2,(1−γ 2)n 2) for complete networks, and simply executing \(\mathsf {PC}^{\mathcal {G}'}_{u,v}(m)\) whenever u is supposed to send message m to v in BA. □

Applying this protocol recursively (similarly to what is done in the proof of Theorem 3), we get our a.e. agreement protocol on \(\mathcal {G}_{\mathrm {{main}}}\), which is a graph on n nodes with maximum degree \(\mathcal {O}(n^{\epsilon})\) (for constant 0<ϵ<1). We now state our main conclusion, whose proof follows from Theorems 3 and 7.

Theorem 6

For all sufficiently large n and all constant 0<ϵ<1, there exists a graph \(\mathcal {G}_{\mathrm {{main}}}= (\mathcal {V},\mathcal {E})\) with maximum degree \(\mathcal {O}(n^{\epsilon})\), and a set of nodes \(\mathcal {P}\subseteq \mathcal {V}\), with \(|\mathcal {P}| \geq \mu n\) (for constant 0<μ<1), such that the nodes in \(\mathcal {P}\) can execute a secure multi-party computation protocol (satisfying the security definition of [15]), even in the presence of an α fraction of edge corruptions in \(\mathcal {G}_{\mathrm {{main}}}\) (for some constant 0<α<1).

5 Summary and Open Problems

In this work, we considered the problem of a.e. secure computation in the presence of edge corruptions, and in particular focussed on the case when a constant fraction of the edges in the network can be corrupted. We presented (probabilistic constructions of) graphs of degree \(\mathcal {O}(n^{\epsilon})\) (for arbitrary constant 0<ϵ<1) on which such protocols for a.e. secure computation are possible. Several natural questions remain.

While it is easy to show that one can obtain an a.e. secure computation protocol (among a constant fraction of the honest nodes) in the presence of a constant fraction of corrupted edges when the network is fully connected, whether one can obtain such a protocol when less than a \(\frac{1}{3}\)rd fraction of the edges are corrupted remains an interesting open problem.Footnote 10

Together, the results of Upfal [23], and Garay and Ostrovsky [15], show a protocol for a.e. secure computation on networks of constant degree when a constant fraction of the edges are corrupted. The running time of the parties in the protocol thus obtained, however, is exponential (in n). Another interesting question is whether we can obtain polynomial-time protocols for a.e. secure computation in such a setting.