Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

In secure multi-party computation (MPC), a set of n parties \(p_1,\ldots ,p_n\), each holding some private input, wish to jointly compute a function on these inputs in a fashion such that even up to t colluding adversarial parties are unable to obtain any information beyond what they can extract from their inputs and outputs or to affect the computation in any way other than contributing their desired inputs. The problem of MPC has been studied in the two important settings of synchronous and asynchronous networks, respectively.

MPC protocols for the synchronous setting assume a network in which parties proceed in rounds, with the guarantee that messages sent by any party in any given round are delivered to all recipients in the same round. Consequently, in all such protocols the parties are assumed to be (at least partially) synchronized, i.e., to be in the same round at all times.

In real-world networks, such as the Internet, this synchrony assumption corresponds to assuming that the parties have (partially) synchronized clocks and communicate over channels with a known upper-bounded latency. The synchronous structure is then imposed by “timeouts,” i.e., in each round the parties wait for an amount T of time defined by their estimate of when other parties send their messages and the bound on the network latency. If their estimate is accurate and their clocks are indeed synchronized, this will ensure that parties receive all messages sent to them from honest senders before the end of the round (timeout). Thus, after time T has passed, they can safely assume that if a message was expected for the current round but has not been received, then the sender must be adversarial. The security of synchronous protocols heavily relies on this assumption. In fact, many of them would become completely insecure if there is even a single delayed message. As a result, the round length T must typically be set much higher than the average transmission time.

A natural question is therefore to study the security one can obtain if no synchrony assumption is made but merely under the assumption that messages sent by honest parties are eventually delivered.Footnote 1 In particular, messages sent by parties can be reordered arbitrarily and delayed by arbitrary (albeit finite) amounts of time in such an asynchronous network. Note that one could consider even more pessimistic networks where the adversary can block messages sent by honest parties; this is for example the case in the base network assumed in Canetti’s UC framework [13]. In such networks, however, protocols cannot be guaranteed to (eventually) terminate as the adversary can delay the computation indefinitely.

In asynchronous MPC protocols parties do not wait until a round times out. Rather, as soon as a party has received enough messages to compute its next messageFootnote 2, it computes that message, sends it, and moves on. In that sense, asynchronous MPC protocols are “opportunistic” and terminate essentially as quickly as the network allows. Hence, they can be much faster than their synchronous counterparts depending on the network latency.Footnote 3

In this work, unless explicitly stated otherwise, whenever we refer to the asynchronous (communication) model, we mean the above asynchronous model with eventual delivery.

On the importance of round complexity. The inherent need for waiting until each round times out clearly makes round complexity an important consideration for the performance of synchronous MPC protocols. Indicatively, Schneider and Zohner [34] have shown that as the latency between machines increases, the cost of each round becomes more and more significant.

Despite their opportunistic nature, round complexity is just as important a consideration for asynchronous protocols, since a protocol’s round complexity can be a more relevant efficiency metric than, for example, its bit complexity. Indeed, at the conceptual/theoretical level, having constant-round protocols allows us to use them as sub-routines in a higher level protocol without blowing up (asymptotically) the round complexity of the calling protocol, while at the practical level, communication time is often dominated by the round-trip times in the network and not by the size of the messages. For example, it takes about the same amount of time to transmit a byte and a megabyte, while sending a message from A to B over many intermediate nodes, computing something at B, and sending an answer back to A may take a (comparatively) long time.

Our contributions. In this paper, we first formalize the asynchronous model with eventual delivery in the universal composability (UC) framework  [13], introduce a suitable formal notion of asynchronous round complexity, and formulate the basic communication resources (such as asynchronous secure channel and asynchronous Byzantine agreement [A-BA]) as ideal functionalities in that model.Footnote 4 (See Sect. 3.) We then present the—to the best of our knowledge—first constant-round MPC protocol for this asynchronous setting (i.e., a protocol whose round complexity is independent of the multiplicative depth of the evaluated circuit and the number n of parties) based on standard assumptions, namely, the existence of pseudo-random functions (PRFs).Footnote 5 The protocol is UC-secure in the secure-channels model with A-BA, and makes black-box use of the underlying PRF, tolerating a computationally bounded, adaptive adversary actively corrupting up to \(t < n/3\) parties, which is optimal for this setting.Footnote 6

At a high level, here is how we construct our constant round protocol. First, we devise a constant-depth circuit for computing the keys, masked values, and (shares of the) garbled gates needed for a distributed evaluation of a Yao garbled circuit that encodes the function the parties wish to compute. This circuit is then evaluated by means of a linear-round (in the depth of the circuit and in n) asynchronous protocol. However, this circuit is Boolean whereas all existing asynchronous protocols evaluate arithmetic circuits. To deal with this mismatch we devise an asynchronous protocol for computing Boolean circuits by appropriately adapting the protocol by Ben-Or, Kelmer, and Rabin [8]. Any party who receives the output from the evaluation of the Boolean circuit uses it to encrypt shares of each garbled gate, which it sends to all other parties. Finally, each party locally evaluates the (distributed) garbled circuit by decrypting incoming encrypted shares of each gate and reconstructing the function table of the gate as soon as sufficiently many consistent shares have arrived until all gates are evaluated. Once all gates are evaluated in this fashion, the party is in possession of the output. The protocol and its analysis are presented in Sect. 4.

Related work. Beaver, Micali, and Rogaway [2] were the first to provide a constant-round MPC protocol in the synchronous stand-alone model. (Refer to Appendix A for a more detailed and historical account of the development of MPC protocols in both the synchronous and asynchronous settings, together with the tools that are used in each setting.) Their protocol is secure in the computational setting and tolerates an adaptive adversary who actively corrupts up to \(t<n/2\) parties. The complexity of [2] was improved by Damgård and Ishai [19], who provided the first constant-round protocol making black-box use of the underlying cryptographic primitive (a pseudo-random generator). Importantly, both [2] and [19] assume a broadcast channel, an assumption essential for obtaining constant-round MPC. Indeed, as proved in [20, 22], it is impossible to implement such a broadcast channel from point-to-point communication in a constant number of rounds, and although expected constant-round broadcast protocols exist in the literature (e.g., [21, 30]), using them to instantiate calls within the constructions of [2] or [19] would not yield an expected constant-round protocol [6]. The intuitive reason—formally argued by Ben-Or and El-Yaniv [6]—is that the process of running n such broadcast protocols (even in parallel) does not terminate in an expected constant number of rounds.

The model of asynchronous communication with eventual delivery was considered early on in seminal works on fault-tolerant distributed computing (e.g., [23]), although to our knowledge this paper is the first to formalize this capability in the UC framework. The study of optimally resilient MPC in this type of asynchronous networks was initiated by Ben-Or, Canetti, and Goldreich [5], who proved that any function can be computed by a perfectly secure asynchronous protocol if and only if at most \(t<n/4\) parties are corrupted. Following that result, Ben-Or, Kelmer, and Rabin [8] showed that if a negligible error probability is allowed, the bound \(t<n/3\) is necessary and sufficient for asynchronous MPC.Footnote 7 More recently, Hirt et al. [27, 28] provided computationally secure solutions (i.e., protocols tolerating a computationally bounded adversary) and Beerliová and Hirt [3] perfectly secure solutions with improved communication complexity.

The above asynchronous protocols are secure—according to simpler, stand-alone security definitions—if one assumes point-to-point communication and an A-BA protocol. Similarly to their synchronous counterparts, all the above protocols—even assuming an A-BA primitive—have round complexity linear in the multiplicative depth of the arithmetic circuit that computes the function, as they follow the standard gate-by-gate evaluation paradigm.

Concurrently and independently, Cohen [17] recently put forth an asynchronous MPC protocol that is secure against a computationally bounded attacker statically corrupting up to \(t < n/3\) parties and in which all parties run in constant time. Notably, the protocol from [17] relies on fully homomorphic encryption, thus leaving the question of constant-round MPC from standard assumptions open, which is answered in this work.

We note in passing that although in the synchronous setting BA implies broadcast, this is not the case in the asynchronous setting. Indeed, Canetti and Rabin [15] provide an asynchronous BA protocol tolerating \(t<n/3\) malicious parties, which if every honest party terminates at the latest after a poly-logarithmic number of rounds, securely implements asynchronous BA except with negligible probability. A broadcast protocol with similar guarantees is provably impossible [23], and existence of an asynchronous BA protocol which terminates in a strict constant number of rounds would contradict the impossibility from [20, 22]. Similarly to the synchronous case, although solutions for asynchronous BA with expected constant number of rounds exist [11, 15], using them in the above asynchronous protocol to replace invocations to asynchronous BA would not yield an expected constant-round MPC protocol [6].Footnote 8

2 Model and Building Blocks

We denote the player set by \(\mathcal {P} =\{p_{1},\ldots ,p_{n} \}\) and consider a computationally bounded adaptive t-adversary, i.e., the adversary gets to corrupt up to t parties dynamically during the protocol execution and depending on its protocol view. The most common network model for the execution of asynchronous protocols is secure channels with eventual delivery, where the adversary is allowed to delay the delivery of any message by an arbitrary but finite amount of time, i.e., he is not able to block messages sent among honest parties. Moreover, as argued in the introduction, existing asynchronous protocols rely on an additional resource, namely, an asynchronous version of Byzantine agreement (A-BA) instead of a broadcast channel, and such a resource is even necessary to obtain an (exact) constant number of rounds. We formalize this model and formulate the ideal functionalities corresponding to these communication resources separately in Sect. 3.

We now present some basic tools we use in our protocol.

Secret sharing. Our construction makes use of Shamir’s secret sharing scheme [35], which allows to encode a secret into \(n\) shares such that any subset of \(t\) shares gives no information about the secret and such that from any subset of \(t+1\) shares the secret can be reconstructed.

For a sharing of a secret s, let \([s]_i\) denote the \(i^{\text {th}}\) share. A set of shares are called \(t\) -consistent if they lie on a polynomial of degree at most \(t\). For a tuple of secrets \(s = (s_1,\ldots ,s_\ell )\), denote—in slight abuse of notation—by \([s]_i := \left( [s_1]_i,\ldots ,[s_\ell ]_i\right) \) the tuple of the \(i^{\text {th}}\) shares of the values and refer to it as the \(i^{\text {th}}\) share of s. A set of such tuples is called \(t\) -consistent if the property holds for all components.

A linear-round asynchronous MPC protocol. In [8], Ben-Or, Kelmer, and Rabin constructed a protocol, call it , that computes an arbitrary n-party function f in an asynchronous environment assuming asynchronous point-to-point (secure) channels and asynchronous BA.Footnote 9 The protocol follows the gate-by-gate evaluation paradigm [7, 16, 26], where the function to be evaluated is represented as an arithmetic circuit over a sufficiently large finite field, and the computation proceeds by evaluating sequentially the gates of depth one, then the gates of depth two, and so on. The evaluation of each gate requires a constant number of (asynchronous) rounds,Footnote 10 thus making the round complexity of the overall protocol linear in the depth of the circuit.

was designed for a simpler, stand-alone security definition, which only ensures sequential composition. In the next section we show how it can be cast in our eventual-delivery model to give UC-security guarantees.

3 A UC Model for Asynchronous Computation with Eventual Message Delivery

In this section we formalize the asynchronous network model with eventual message delivery in the UC framework. We start with the basic task of point-to-point communication and proceed with asynchronous SFE and BA. Note that the asynchronous model with evenutal delivery has previously been informally treated only in the stand-alone model without composition. Thus, although at first read one might consider our treatment pedantic, providing a UC proof of asynchronous MPC protocol with eventual termination/delivery requires the design of appropriate UC functionalities that can be used as hybrids. Indeed, while the plain UC framework is inherently asynchronous, the adversary has full control over message delivery and may even choose to delete messages sent between uncorrupted parties (by delaying them indefinitely). Hence, without the extensions in this section, the UC model does not capture eventual delivery.Footnote 11

Asynchronous communication with eventual delivery. Our formulation of communication with eventual delivery within the UC framework builds on ideas from [31]. In particular, we capture such communication by allowing the parties access to multi-use bilateral secure channels, where a sender \(p_{i} \in \mathcal {P} \) can input a messages to be delivered to some recipient \(p_{j} \in \mathcal {P} \); messages are buffered and delivered in an order specified by the adversary.

To ensure that when \(p_s\) and \(p_r\) are honest, the adversary cannot delay the delivery of submitted messages arbitrarily, we make the following modifications: We first turn the UC secure channels functionality to work in a “fetch message"mode, where the channel delivers the message to its intended recipient \(p_{j} \) if and only if \(p_{j} \) asks to receive it by issuing a special “fetch” command. If the adversary wishes to delay the delivery of some message, he needs to submit to the channel functionality an integer value T—the delay. This will have the effect of the channel ignoring the first T fetch attempts following the reception of the sender’s message. Importantly, we require the adversary send the delay T in unary notation; this will ensure that the delay will be bounded by the adversary’s running time,Footnote 12 and thus a polynomial environment will be able to observe the transmission through its completion. To allow the adversary freedom in scheduling delivery of messages, we allow him to input delays more than once, which are added to the current delay amount. (If the adversary wants to deliver the message in the next activation, all he needs to do is submit a negative delay.)

The detailed specification of secure channels with eventual delivery, denoted \(\mathcal {F}_{\textsc {a-smt}} \), is given in Fig. 1. In the description, we denote by \(\varvec{M}\) a vector of strings. We also use || to denote the operation which adds a string to \(\varvec{M}\); concretely, if \(\varvec{M}=(m_1,\ldots ,m_\ell )\), then \(\varvec{M}||m := (m_1,\ldots ,m_\ell ,m)\) and \(m||\varvec{M}=(m, m_1,\ldots ,m_\ell )\).

Fig. 1.
figure 1

Asynchronous secure channel with eventual delivery

Full size image

We refer to the model in which every two parties \(p_{i} \) and \(p_{j} \) in \(\mathcal {P}\) have access to an independent instance of \(\mathcal {F}_{\textsc {a-smt}} (p_i,p_j)\) as the \(\mathcal {F}_{\textsc {a-smt}} \) -hybrid model. An asynchronous protocol in such a model proceeds as follows: Whenever a party \(p_{j} \) gets activated, if its current protocol instructions include sending some message m to some other party \(p_{j} \), then the party inputs \((\texttt {send},m)\) to \(\mathcal {F}_{\textsc {a-smt}} (p_i,p_j)\); otherwise, \(p_{i} \) sends a \(\texttt {fetch}\) message to every channel \(\mathcal {F}_{\textsc {a-smt}} (p_j,p_i)\), \(j\in [n]\) in a round-robin fashion, i.e., if in the previous activation it sent a \((\texttt {fetch})\) message to \(\mathcal {F}_{\textsc {a-smt}} (p_j,p_i)\), then it sends a \((\texttt {fetch})\) message to \(\mathcal {F}_{\textsc {a-smt}} (p_{(j \mod n)+1},p_i)\).

Remark 1

(On permuting messages). Our formulation of an asynchronous channel captures the somewhat pessimistic view of asynchronous communication, implicit in many works on asynchronous distributed protocols, where the adversary has full scheduling power and can, in particular, reorder the messages sent by any party as he wishes. One could attempt to emulate a network which does not allow for reordering of the messages—the so-called first-in-first-out (FIFO) channel—by adding appropriate (publicly known) message identifiers and instructing the parties to wait until a specific identifier is delivered before outputting messages with other identifiers. However, we note that such an emulating protocol would be distinguished from the original when, for example, we consider an adversary that introduces no delay and an environment that inputs two messages in a row and corrupts the receiver as soon as the first message is supposed to have been delivered.

Fig. 2.
figure 2

Asynchronous SFE with eventual delivery

Full size image

Asynchronous secure function evaluation (SFE). In an asynchronous environment, it is impossible to get guaranteed (eventual) termination and input completeness, i.e., take into account all inputs in the computation of the function (cf. [31] and early work on fault-tolerant distributed computing). The reason is that if honest parties wait until the inputs of all parties are delivered, then the adversary can make them wait indefinitely for corrupted parties to give their inputs (honest parties have no way of distinguishing between an honest sender whose message is delayed and a corrupt sender who did not send a message). Thus, to ensure eventual termination, the parties cannot afford to wait for input from more than \(n-t\) parties, as the t remaining parties might be the corrupted ones. Therefore, protocols for asynchronous computation of a multi-party function f on inputs \(x_1,\ldots ,x_n\) from parties \(p_{1},\ldots ,p_{n} \) end up computing the function \(f|_{\mathcal {P} '}(x_1,\ldots ,x_n)=f(x_1',\ldots ,x_n')\) for some \(\mathcal {P} '\subseteq \mathcal {P} \) with \(|\mathcal {P} '|=t\), where \(x_i'=x_i\) if \(p_{i} \notin \mathcal {P} '\), and otherwise a default value (denoted \(\perp \)).

Moreover, by being able to schedule the delivery of messages from honest parties, the adversary can (in worst-case scenarios) choose exactly the set \(\mathcal {P} '\). Therefore, the ideal functionality corresponding to asynchronous SFE with eventual termination needs to allow the simulator to choose this set depending on the adversary’s strategy. Moreover, the simulator should be allowed to schedule delivery of the outputs depending on the adversary’s strategy, but not allowed to delay them arbitrarily. This last requirement can be achieved, as in the case of \(\mathcal {F}_{\textsc {a-smt}} \), by turning the SFE functionality into a “fetch message”-mode functionality and allowing the simulator to specify a delay on the delivery to every party.

The SFE functionality with the above properties is described in Fig. 2. In the description, we use \(\mathcal {H} \subseteq \mathcal {P} \) to denote the set of honest parties; note that \(\mathcal {H}\) is dynamically updated as the adversary corrupts new parties. Moreover, we use \(\mathcal {I}\) to denote the set of honest parties whose input is allowed to be considered in the computation, and require that \(|\mathcal {I}| \ge n-2t\). We provide a generic description of the functionality for an arbitrary number t of corruptions; however, and as implied by classical impossibility results, we are only able to realize it for \(t<n/3\) [5].

Fig. 3.
figure 3

Asynchronous BA with eventual delivery

Full size image

Asynchronous BA with eventual delivery. The last primitive we describe is (UC) asynchronous BA with eventual message delivery. In such a BA primitive, every party has an input, and we want to ensure the following properties: All honest parties (eventually) output the same value y (consistency), and if all honest parties have the same input x, then this output is \(y=x\). Intuitively, asynchronous BA can be cast as a version of asynchronous SFE for the function that looks at the set of received inputs and, if all inputs contributed by honest parties are identicalFootnote 13 and equal to some x, sets the output to x for every party; otherwise, it sets the output to the input of some corrupted party (for example, the first in any ordering, e.g., lexicographic). The formal definition of \(\mathcal {F}_{\textsc {a-ba}} \) is given in Fig. 3.

We will refer to the setting where every two parties \(p_{i} \) and \(p_{j} \) in \(\mathcal {P}\) have access to an independent instance of \(\mathcal {F}_{\textsc {a-smt}} (p_i,p_j)\) and, additionally, the parties have access to independent instances of \(\mathcal {F}_{\textsc {a-ba}} (\mathcal {P})\) as the \(\{\mathcal {F}_{\textsc {a-smt}} ,\mathcal {F}_{\textsc {a-ba}} \}\) -hybrid model. The execution in the \(\{\mathcal {F}_{\textsc {a-smt}} ,\mathcal {F}_{\textsc {a-ba}} \}\)-hybrid model is analogous to the execution in the \(\mathcal {F}_{\textsc {a-smt}} \)-hybrid model: Whenever a party \(p_{i} \) gets activated, if its current protocol instructions include sending some message m to some other party \(p_{j} \) or inputing a message \(m'\) to \(\mathcal {F}_{\textsc {a-ba}} (\mathcal {P})\), then the party inputs \((\texttt {send},m)\) to \(\mathcal {F}_{\textsc {a-smt}} (p_i,p_j)\) or \(m'\) to \(\mathcal {F}_{\textsc {a-ba}} (\mathcal {P})\), respectively; otherwise, \(p_{i} \) keeps sending (with each activation) a \(\texttt {fetch}\) to every channel \(\mathcal {F}_{\textsc {a-smt}} (p_i,p_j)\), \(j\in [n]\) and then to \(\mathcal {F}_{\textsc {a-ba}} (\mathcal {P})\) in a round-robin fashion.

Asynchronous rounds. We now briefly elaborate on the notion of rounds in an asynchronous environment. Unlike the situation in the synchronous case, where rounds are well specified by the protocol, the definition of rounds in an asynchronous setting requires a bit more care. Intuitively, two messages \(m_i\) and \(m_j\) sent by some party \(p_{i} \) in an asynchronous protocol are considered to be sent in rounds i and j, \(j>i\), if \(m_j\) is generated by computation which takes as input a message received after \(p_{i} \) sent \(m_i\). Following the above intuition, we define for each \(p_{i} \) and for each point in the protocol execution, the current round in which \(p_{i} \) is to be the number of times \(p_i\) alternated between sending \((\texttt {send},m)\) to some channel \(\mathcal {F}_{\textsc {a-smt}} (p_i,p_j)\), \(p_j\in \mathcal {P} \) (or to the asynchronous BA functionality \(\mathcal {F}_{\textsc {a-ba}} (\mathcal {P})\)) and sending \((\texttt {fetch})\) to some \(\mathcal {F}_{\textsc {a-smt}} (p_k,p_i)\), \(p_k\in \mathcal {P} \) or to \(\mathcal {F}_{\textsc {a-ba}} (\mathcal {P})\). That is, every round (except for the first one)Footnote 14 starts by sending a \((\texttt {send},m)\) to some \(\mathcal {F}_{\textsc {a-smt}} (p_i,p_j)\) or to \(\mathcal {F}_{\textsc {a-ba}} (\mathcal {P})\) after some \((\texttt {fetch})\) was sent by \(p_i\) and finishes with the first \((\texttt {fetch})\) command that \(p_i\) sends. The round complexity of the protocol is the maximum (over all honest parties) number of rounds that an honest party uses in the protocol execution.

We note in passing that, similarly to [31], the above formulation allows for any party to send several messages in each round: the party buffers the messages and while the buffer is not empty, in each activation the party pops the next message and sends it to its intended recipient.

A UC-secure linear-round MPC protocol with eventual delivery. Finally, we argue the security of protocol mentioned in Sect. 2 in our model. is information-theoretic and proved simulation-based secure, where the simulation is in fact black-box (i.e., the simulator uses the corresponding adversary in a black-box manner) and straight-line (the simulator does not rewind the adversary). Moreover, the protocol tolerates any adaptive t-adversary where \(t<n/3\), a bound which is also tight [5]. Thus, by casting in our UC \(\{\mathcal {F}_{\textsc {a-smt}} ,\mathcal {F}_{\textsc {a-ba}} \}\)-hybrid model—where every bilateral message exchange is implemented by the sender \(p_{i} \) and the receiver \(p_{j} \) using (an instance of the) channel \(\mathcal {F}_{\textsc {a-smt}} (p_{i},p_{j})\) and every call to asynchronous BA done by invocation of \(\mathcal {F}_{\textsc {a-ba}} (\mathcal {P})\)—we obtain a protocol for UC securely evaluating \(\mathcal {F}_{\textsc {a-sfe}} ^{f} (\mathcal {P})\), which is linear in the depth of the circuit computing f. More formally:

Theorem 1

([8]). Let f be an n-ary function and C be an arithmetic circuit for computing f by parties in \(\mathcal {P} \). Then there exists a protocol, , which UC-securely realizes \(\mathcal {F}_{\textsc {a-sfe}} ^{f} \) in the \(\{\mathcal {F}_{\textsc {a-smt}} ,\mathcal {F}_{\textsc {a-ba}} \}\)-hybrid model tolerating an adaptive t-adversary in a linear (in the depth of the circuit) number of rounds, provided \(t<n/3\).

4 Constant-Round Asynchronous SFE

In this section we present our asynchronous SFE protocol and prove its security and round complexity.

4.1 Description of the Protocol

Let \(\mathsf {Circ}\) be a Boolean circuit that is to be evaluated in a multi-party computation. In our protocol for securely evaluating the function that \(\mathsf {Circ}\) computes, denoted \(\pi _{\textsc {a-sfe}} (\mathsf {Circ},\mathcal {P})\), the parties first jointly compute a garbled version of \(\mathsf {Circ}\) (along the lines of [2, 4, 37]); every party then evaluates this garbled circuit locally to obtain the output of the computation. Computing the garbled circuit takes place in two phases: First, the parties evaluate a function \(f_\textsc {prep}^\mathsf {Circ}\) (described below) which is represented by a constant-depth arithmetic circuit over a finite field using a (non-constant-round) asynchronous MPC protocol. Given the outputs of this function, the parties can then complete the computation of the garbled circuit within one additional asynchronous round.Footnote 15 Since the evaluation of the garbled circuit takes place locally and \(f_\textsc {prep}^\mathsf {Circ}\) is computed via a constant-depth circuit, the entire protocol is a constant-round protocol.

We define and analyze our protocol in the \(\{\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}},\mathcal {F}_{\textsc {a-smt}} \}\)-hybrid model. Furthermore we provide a protocol for UC securely realizing the functionality \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}} \) from asynchronous secure channels and BA with eventual delivery based on  [8] (cf. Lemma 1).

Fig. 4.
figure 4

The description of function \(f_\textsc {prep}^\mathsf {Circ}\) corresponding to the distributed version of circuit garbling.

Full size image

Circuit garbling. Before elaborating on the protocol, we describe what the garbled version of \(\mathsf {Circ}\) looks like.Footnote 16 Boolean circuit \(\mathsf {Circ}\) consists of wires and \( \mathtt {NAND} \) gates.Footnote 17 In the garbled version, every wire \(\omega \) of \(\mathsf {Circ}\) has a corresponding (secret) random mask \({m_{\omega }}\), which is used to hide the real value on that wire. Consequently, every gate \(g\), with input wires \(\alpha \) and \(\beta \) and output wire \(\gamma \), has a special function table \({T_{g}}\) that works on masked values. It contains four entries \({z^{xy}_{\gamma }}\), corresponding to the masked value on the outgoing wire \(\gamma \) under the four possible combinations of masked inputs \(x,y \in \{0,1\}\) on wires \(\alpha \) and \(\beta \). Each entry is obtained by unmasking the inputs, applying the gate function (\(\mathtt {NAND}\)), and re-masking the result with the mask of the outgoing wire. That is,

$$ {z^{xy}_{\gamma }} = ( (x \oplus {m_{\alpha }}) \mathtt {NAND} (y \oplus {m_{\beta }}) ) \oplus {m_{\gamma }}, $$

for \(x,y \in \{0,1\}\).

The entries of each function table need to be protected so that only the one entry necessary to evaluate the circuit can be accessed. To that end, for each wire \(\omega \) there are two (secret) keys \({k_{\omega ,0}}\) and \({k_{\omega ,1}}\). In the function tables \({T_{g}}\), each entry \({z^{xy}_{\gamma }}\) is now augmented by the corresponding key \({k_{\gamma ,{z^{xy}_{\gamma }}}}\) of the outgoing wire \(\gamma \). The pair \({t^{xy}_{g}} := ({z^{xy}_{\gamma }}, {k_{\gamma ,{z^{xy}_{\gamma }}}})\) is encrypted with \({k_{\alpha ,x}}\) and \({k_{\beta ,y}}\) under the “tweak” \((g,x,y)\). The resulting ciphertexts

$$ {c^{xy}_{g}} := \mathsf {Enc}^{g,x,y}_{{k_{\alpha ,x}},{k_{\beta ,y}}}\left( {t^{xy}_{g}}\right) = \mathsf {Enc}^{g,x,y}_{{k_{\alpha ,x}},{k_{\beta ,y}}}\left( {z^{xy}_{\gamma }}, {k_{\gamma ,{z^{xy}_{\gamma }}}}\right) $$

make up the garbled function table

$$ {C_{g}}:= ({c^{00}_{g}},{c^{01}_{g}},{c^{10}_{g}},{c^{11}_{g}}), $$

where \((\mathsf {Enc}^{T}_{k_1,k_2}\left( \cdot \right) ,\mathsf {Dec}^{T}_{k_1,k_2}\left( \cdot \right) )\) is a tweakable dual-key cipher. A suitable such cipher can be realized using a PRF [4].Footnote 18

In order to be compatible with the garbled function tables, inputs to the circuit must be garbled as well. That is, for the input bit \({b_{\omega }}\) on input wire \(\omega \), the garbled input is \({z_{\omega }}:= {b_{\omega }}\oplus {m_{\omega }}\) and the corresponding key is \({k_{\omega }} := {k_{\omega ,{z_{\omega }}}}\).

With the garbled inputs and function tables, any party can (locally) evaluate the circuit as follows: Given the masked values and the corresponding keys of the incoming wires of some gate, the party can decrypt the corresponding row, obtaining the masked value on the outgoing wire and the corresponding key. In the end, the values on the output wires can be unblinded if the corresponding masks are known.

Distributed encryption. Given the input bits \({b_{\omega }}\) for all input wires \(\omega \), computing the garbled circuit could be described by a constant-depth circuit, since the garbled function tables can be computed in parallel after choosing the wire masks and keys. This circuit, however, would be rather large since it entails evaluating the cipher. Therefore, to avoid evaluating the cipher within the asynchronous MPC, the parties use the distributed-encryption technique by Damgård and Ishai [19]: Instead of computing \(\mathsf {Enc}^{T}_{k_1,k_2}\left( m\right) \) for a message m, two keys \(k_1\) and \(k_2\), and a tweak T, the parties first jointly choose 2n subkeys \(k_1^1,\ldots ,k_1^n\) and \(k_2^1,\ldots ,k_2^n\), compute a Shamir sharing of \(m = ({[m]_{1}},\ldots ,{[m]_{n}})\), open \({[m]_{i}}\) as well as \(k_1^i\) and \(k_2^i\) to \(p_{i}\) for every i, and then each party encrypts its share \({[m]_{i}}\) of m using its two subkeys \(k_1^i\) and \(k_2^i\) and sends the resulting ciphertext \(\mathsf {Enc}^{T}_{k_1^1,k_2^1}\left( {[m]_{i}}\right) \) to all parties.

In order to decrypt, a party in possession of all keys recovers the shares by decrypting the ciphertexts received from other players and waits until it has \(2t+1\) \(t\)-consistent shares, which it uses to reconstruct m.Footnote 19

Fig. 5.
figure 5

Our constant-round asynchronous SFE protocol in the \(\{\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}},\mathcal {F}_{\textsc {a-smt}} \}\)-hybrid model

Full size image

Asynchronously evaluating Boolean circuits. Protocol  [8], which we wish to use to realize \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}} \), evaluates arithmetic circuits over fields with more than two elements; the circuit representing \(f_\textsc {prep}^\mathsf {Circ}\), however, is Boolean. Thus, in order to evaluate it via we transform it into an (arithmetic) circuit over an extension field F of \(\mathrm {GF}(2)\), denoted \(C^{F}_{f_\textsc {prep}^\mathsf {Circ}} \), by having every \(\mathtt {NAND}\) gate with inputs \(x,y \in \{0,1\}\) replaced by the computation \(1 - xy\), which can be implemented using addition and multiplication over the extension field F. The above transformation, however, works only if all the inputs to the circuit corresponding to bits in the Boolean circuit are either 0 or 1 in the corresponding field F. For the honest parties this is easy to enforce: they encode a 0 (resp., 1) input bit into the 0 (resp., 1) element of F. The adversary, however, might try to cheat by giving “bad” inputs, namely, inputs in \(F\setminus \{0,1\}\). We now show an explicit construction to ensure that the adversary cannot give any value other than 0 or 1, resulting in a simple adaptation of protocol .Footnote 20

Before describing the solution we recall the reader how evaluates a given circuit. We omit several low-level details and keep the description at the level which is appropriate for a formal description of our adaptation; the interested reader is referred to [8] for further details. follows the gate-by-gate evaluation paradigm [7, 26]: The circuit is evaluated in a gate-by-gate fashion, where the invariant is that after the evaluation of each gate (in fact, of each bulk of gates that are at the same multiplicative depth), the output of the gates is verifiably shared among all the parties. In fact, [8] defines the notion of Ultimate Secret Sharing (USS) which is a version of VSS that is appropriate for asynchronous computation with \(t<n/3\);Footnote 21 More concretely, the first step is to process all input gates in parallel (i.e., receive inputs from all parties); this step finishes with every party holding a share of the input of each party \(p_i\). As already mentioned, due to asynchrony, the inputs of some, up to t, (honest) parties might not be considered. The set \(\texttt {Core}\) of these parties whose inputs are considered (the so-called core set [5, 8]) is decided by (and agreed upon by all parties) during the evaluation of the input gates, while the input of the parties not in the core set is set to a default value, in our case to 0 (i.e., a default USS of 0 is adopted as a sharing of these parties’ inputs [8]). Once any party has agreed on the core set parties giving input, it goes on to the evaluation of the next gate (in fact, of all gates which are one level deeper in the circuit in parallel).

Our modification to is as follows. For any party \(p_j\), as soon as \(p_j\) has processed all input gates (i.e., holds shares of inputs of all parties in the core set and default shares for the remaining parties), and before any other gate of the arithmetic circuit is computed, \(p_j\) does the following: For each party we denote by \(x_i'\) the value that is (eventually) shared as \(p_i\)’s input when all parties have evaluated the corresponding input gate, and denote by \([x_i']_j\) \(p_j\)’s share of this value.Footnote 22

Now, instead of continuing to process the original circuit \(C^{F}_{f_\textsc {prep}^\mathsf {Circ}}\), we use the following trick from [9], which will allow us to enforce zero/one inputs. Each party uses the shared values \(x_i'\) to compute the circuit evaluating the following function: output \(\varvec{c}=(c_{1},\ldots ,c_{n})\), where \(c_i=x_i'-{x_i'}^2\) for each \(p_i\). Each party that received the output \(\varvec{c}\) does the following:Footnote 23 For each \(p_i\), if \(c_i\ne 0\), then the parties replace the sharing of \(x_i'\) with a default sharing of 0. (That is, as soon as \(p_j\) receives the vector \(\varvec{c}\), for each i with \(c_i\ne 0\) \(p_i\) replaces his share \([x_i]_j\) of \(x_i'\) with a default sharing of 0.) Once a party has completed this step (and replaced his local shares), he continues the execution of with the modified shares to compute the remainder of the circuit \(C^{F}_{f_\textsc {prep}^\mathsf {Circ}}\).

We denote the above modification of protocol (in the \(\mathcal {F}_{\textsc {a-ba}} (\mathcal {P})\)-hybrid world where calls to A-BA are replaced by invocations of \(\mathcal {F}_{\textsc {a-ba}} (\mathcal {P})\)) with the above mechanism for enforcing inputs in \(\{0,1\}\) by . In order to evaluate the (Boolean) circuit for \(f_\textsc {prep}^\mathsf {Circ}\), the parties execute encoding their inputs and outputs with the following trivial encoding: An input-bit 0 (resp., 1) is encoded as the 0 (resp., 1) element in F, and output 0 (resp., 1) in F is decoded back to the bit 0 (resp., 1). The following lemma states the achieved security.

Lemma 1

Protocol for evaluating the circuit \(C^{F}_{f_\textsc {prep}^\mathsf {Circ}}\) with the above trivial encoding UC-securely realizes \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}} \).

Proof

(sketch). First note that if the inputs of all (honest and corrupted) parties are 0 or 1 (in the arithmetic field F), then the (decoded) output of \(C^{F}_{f_\textsc {prep}^\mathsf {Circ}} \) is the same as the output of the (Boolean) circuit for \(f_\textsc {prep}^\mathsf {Circ}\) since all \( \mathtt {NAND} \) gates with inputs \(x,y \in \{0,1\}\) are computed by \(1-xy\). Next, we argue that forces the inputs of the adversary to be 0 or 1 and does not modify the inputs of honest parties. Indeed, an honest party \(p_i\) in the core set will share inputs \(x_i'\in \{0,1\}\) and therefore \(c_i=0\), which means that his input sharing is not modified by . The same holds for any corrupted party that shares \(x_i'=0\) or \(x_i'=1\). On the other hand, any corrupted party sharing a value other than 0 or 1 will result into an output \(c_i\ne 0\) (since the non-zero elements in F form a multiplicative group of order \(|F|-1\)) and its input will be set to 0.

Note that the eventual termination of ensures that all parties will eventually receive the output vector c and will therefore resume the computation of the original circuit \(C^{F}_{f_\textsc {prep}^\mathsf {Circ}}\), which (also due to the eventual termination of ) will terminate. The simulation of is easily reduced to the simulation of : The evaluation of the extra component that computes the \(c_i\)’s can be easily simulated as they are random sharings of 0 for all honest parties in the core set, and for corrupted parties they are functions of the sharing of \(x_i'\) that the adversary creates in the input-processing phase, which for corrupted parties is fully simulatable. For the rest of the simulation, the simulator simply uses the simulator. Thus the indistinguishability of the simulation follows from the security of .    \(\square \)

Putting things together. The detailed description of protocol \(\pi _{\textsc {a-sfe}} (\mathsf {Circ},\mathcal {P})\) is presented in Fig. 5. As already said, we describe the protocol in the \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}} \)-hybrid model, where \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}} \) can be replaced with using Lemma 1 and the universal composition theorem. At a high-level, the protocol proceeds as follows: In the first phase, the parties send their inputs to the functionality \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}} \). The (randomized) function \(f_\textsc {prep}^\mathsf {Circ}\) chooses the random masks, the subkeys, and computes Shamir sharings of the masked function tables (which are the values that need to be encrypted). Moreover, based on the inputs, it computes the masked value and the corresponding key of every input wire. The formal specification of \(f_\textsc {prep}^\mathsf {Circ}\) can be found in Fig. 4. The fact that \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}} \) can be evaluated by a constant-depth circuit is illustrated in Fig. 6, which provides a diagram describing the structure of such a circuit. Each of the rectangles corresponds to a collection of independent constant-depth circuits that are evaluated in parallel.

In the second phase of the protocol, as soon as a party receives output from \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}} \), it encrypts all the shares obtained using the appropriate subkeys and sends the resulting ciphertexts to all parties, as shown in Fig. 5. Then, it proceeds to locally evaluate the gates. For each gate, the party waits for ciphertexts from other parties and decrypts them. For a specific entry in the function table, the party has to wait until it has \(2t+1\) \(t\)-consistent shares of that entry (see again Fig. 5).Footnote 24 Note that since all of the at least \(2t+1\) honest parties are guaranteed to obtain an output from \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}} \), they will all properly encrypt their function tables and send out the resulting ciphertexts. Therefore, the wait for \(2t+1\) \(t\)-consistent shares is finite.

Fig. 6.
figure 6

Bird’s-eye view of the arithmetic circuit \(\mathsf {Prep}\) computing function \(f_\textsc {prep}^\mathsf {Circ}\). Each box represents a constant-depth circuit.

Full size image

4.2 Analysis of the Protocol

Theorem 2

Let \(\mathsf {Circ}\) be a given boolean circuit and \(f_\mathsf {Circ}\) be the n-party function computed by \(\mathsf {Circ}\). Protocol \(\pi _{\textsc {a-sfe}} (\mathsf {Circ},\mathcal {P})\) securely realizes \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\mathsf {Circ}} \) in the \(\{\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}},\mathcal {F}_{\textsc {a-smt}} \}\)-hybrid model tolerating an adaptive adversary who corrupts up to \(t<n/3\) of the parties and making black-box use of a PRF.

A full proof of Theorem 2 can be found in the full version of this paper [18]. Here we only provide a high-level sketch.

Proof (sketch)

The output of each party from the evaluation of \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}} \) contains (among other things) a t-out-of-n sharing of the garbled circuit for computing function \(f_\mathsf {Circ}\). After receiving the output from \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}} \) and encrypting as described in Fig. 5, the only time the parties have to wait is for the encryptions of \(2t+1\) t-consistent shares of garbled function-table entries from other parties. Since all of the at least \(2t+1\) honest parties are guaranteed to obtain an output from \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}} \), they will all properly encrypt their function tables and send out the resulting ciphertexts at some point. Therefore, the wait for \(2t+1\) \(t\)-consistent shares is finite.

Moreover, the adversary cannot make an honest party accept a wrong value for any entry of the garbled gate: Observe that in any set of \(2t+1\) shares that a party receives, at least \(t+1\) are from honest parties. These \(t+1\) shares uniquely define the degree-t sharing polynomial F and, therefore, they can only be combined with correct shares (as output by \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}} \)). This implies that wrong shares sent by the adversary cannot make any honest party choose any other polynomial than F.

The simulator \(\mathcal {S} \) for an adversary \(\mathcal {A} \) roughly proceeds as follows: It emulates towards \(\mathcal {A} \) the behavior of \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}} \) and the channels \(\mathcal {F}_{\textsc {a-smt}} \). The security of the circuit-garbling technique and that of Shamir sharings allows \(\mathcal {S} \) to perfectly simulate the entries of the garbled function tables that one would decrypt during a local evaluation of the garbled circuit, even without knowing the actual inputs. Moreover, the security of the double-key cipher ensures that the remaining entries are hidden, and can thus be replaced by dummy values (which can again be done without knowing the inputs) without causing a noticeable difference in the view of \(\mathcal {A} \).    \(\square \)

We now turn to the analysis of the protocol’s round complexity. It is straightforward to verify that our protocol (assuming hybrid \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\textsc {prep}^\mathsf {Circ}} \)) needs only two communication rounds for each party \(p_i\): one round in which \(p_i\) sends its inputs to the functionality and receives its outputs, and one round in which \(p_i\) sends all its corresponding encryptions and receives the encryptions of other parties. Moreover, the function \(f_\textsc {prep}^\mathsf {Circ}\) can be represented by an arithmetic circuit \(\mathsf {Prep}\) over a finite field \(\mathbb F\) with constant (multiplicative) depth: The players first jointly generate the subkeys and the masks. A straightforward method for generating a random field element (such as the subkeys) is to take a random input from every party and computing the sum. Generating a random bit \(b \in \{0,1\} \subseteq \mathbb F\) can be reduced to generating random field elements as shown by Genkin et al. [24]. Given the masks and the subkeys, computing the function table and a Shamir sharing thereof can clearly be done in constant depth and, most importantly, in parallel for every gate.

Combining the above and Theorem 2 with Theorem 1 yields the following corollary:

Corollary 1

Let \(\mathsf {Circ}\) be a given boolean circuit and \(f_\mathsf {Circ}\) be the n-party function computed by \(\mathsf {Circ}\). There exists a constant-round protocol which securely realizes \(\mathcal {F}_{\textsc {a-sfe}} ^{f_\mathsf {Circ}} \) in the \(\{\mathcal {F}_{\textsc {a-ba}} ,\mathcal {F}_{\textsc {a-smt}} \}\)-hybrid model tolerating an adaptive adversary who corrupts up to \(t<n/3\) of the parties and making black-box use of a PRF.