Abstract
Recently, there has been huge progress in the field of concretely efficient secure computation, even while providing security in the presence of malicious adversaries. This is especially the case in the two-party setting, where constant-round protocols exist that remain fast even over slow networks. However, in the multiparty setting, all concretely efficient fully secure protocols, such as SPDZ, require many rounds of communication. In this paper, we present a constant-round multiparty secure computation protocol that is fully secure in the presence of malicious adversaries and for any number of corrupted parties. Our construction is based on the constant-round protocol of Beaver et al. (the BMR protocol) and is the first version of that protocol that is concretely efficient for the dishonest-majority case. Our protocol includes an online phase that is extremely fast and mainly consists of each party locally evaluating a garbled circuit. For the offline phase, we present both a generic construction (using any underlying MPC protocol) and a highly efficient instantiation based on the SPDZ protocol. Our estimates show the protocol to be considerably more efficient than previous fully secure multiparty protocols.
Notes
1. In our construction, we use a pseudorandom function as opposed to a pseudorandom generator used in the original BMR [1].
2. Their original work also offers a version against a malicious adversary; however, it requires an honest majority and is not concretely efficient.
3. We assume that the parties interact over a point-to-point network.
4.
5. Recall that we write our protocol assuming a broadcast channel. Thus, even though we write that in the output stage all parties receive output if \(i=0\), when instantiating the broadcast channel with the simple echo-broadcast described in Sect. 2, some of the honest parties may receive the output and some may abort.
6. Multiplication (Beaver) triples are a standard part of the implementation of the SPDZ protocol; we assume familiarity with this method in this paper.
7. By "MPC Engine," we refer to the underlying secure computation, the SPDZ functionality in this case.
8. This analysis refers to the complexity of the circuit that the parties garble in the offline phase, not the circuit that the parties wish to compute over their private inputs (i.e., \(C_f\)).
9. These Random calls are followed immediately with an Open to a party. However, in SPDZ, Random followed by Open has roughly the same cost as Random alone.
10. Note that unlike [29] and other Yao-based techniques we cannot process XOR gates for free. On the other hand, we are not restricted to only two parties.
11. In this section, we actually refer to the execution in the hybrid model where the parties have access to the underlying MPC functionality. We denote it as the real execution for convenience.
12. Note that the correctness property shown earlier holds for every input of the honest parties \(x_J\); thus, in order to decide whether to instruct the trusted party to "halt" or "continue", \(\mathcal {S'_{{\text {OUR}}}}\) can just use some fake input \(x_J=0^{J}\).
13. The decision whether to abort or not is not based on whether the adversary cheated or not, but rather on the actual evaluation of the circuit, because there might be cases where the adversary cheats and influences only the corrupted parties, for example, when cheating in the ith PRF values used in a garbled gate of some gate whose output wire is a circuit-output wire (where \(i\in I\)).
References
1. D. Beaver, S. Micali, P. Rogaway, The round complexity of secure protocols, in 22nd STOC, pp. 503–513, 1990
2. A. Ben-David, N. Nisan, B. Pinkas, FairplayMP: A system for secure multi-party computation, in ACM CCS, pp. 257–266, 2008
3. A. Ben-Efraim, Y. Lindell, E. Omri, Optimizing semi-honest secure multiparty computation for the internet, in ACM CCS, pp. 578–590, 2016
4. A. Ben-Efraim, Y. Lindell, E. Omri, Efficient scalable constant-round MPC via garbled circuits, in ASIACRYPT, pp. 471–498, 2017
5. M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation, in 20th STOC, pp. 1–10, 1988
6. D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols, in 20th STOC, pp. 11–19, 1988
7. S. G. Choi, J. Katz, A. J. Malozemoff, V. Zikas, Efficient three-party computation from cut-and-choose, in CRYPTO, pp. 513–530, 2014
8. R. Cleve, Limits on the security of coin flips when half the processors are faulty (extended abstract), in 18th STOC, pp. 364–369, 1986
9. I. Damgård, Y. Ishai, Constant-round multiparty computation using a black-box pseudorandom generator, in CRYPTO, pp. 378–394, 2005
10. I. Damgård, M. Keller, E. Larraia, C. Miles, N. P. Smart, Implementing AES via an actively/covertly secure dishonest-majority MPC protocol, in SCN, pp. 241–263, 2012
11. I. Damgård, M. Keller, E. Larraia, V. Pastro, P. Scholl, N. P. Smart, Practical covertly secure MPC for dishonest majority, or: Breaking the SPDZ limits, in ESORICS, pp. 1–18, 2013
12. I. Damgård, V. Pastro, N. P. Smart, S. Zakarias, Multiparty computation from somewhat homomorphic encryption, in CRYPTO, pp. 643–662, 2012
13. P. Feldman, S. Micali, An optimal probabilistic protocol for synchronous Byzantine agreement. SIAM Journal on Computing 26(4), 873–933 (1997)
14. O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or A completeness theorem for protocols with honest majority, in 19th STOC, pp. 218–229, 1987
15. S. Goldwasser, Y. Lindell, Secure computation without agreement, in DISC, pp. 17–32, 2002
16. C. Hazay, P. Scholl, E. Soria-Vazquez, Low cost constant round MPC combining BMR and oblivious transfer, in ASIACRYPT, pp. 598–628, 2017
17. Y. Ishai, M. Prabhakaran, A. Sahai, Founding cryptography on oblivious transfer, efficiently, in CRYPTO, pp. 572–591, 2008
18. J. Katz, R. Ostrovsky, A. D. Smith, Round efficiency of multiparty computation with a dishonest majority, in EUROCRYPT, pp. 578–595, 2003
19. M. Keller, E. Orsini, P. Scholl, MASCOT: faster malicious arithmetic secure computation with oblivious transfer, in ACM CCS, pp. 830–842, 2016
20. M. Keller, P. Scholl, N. P. Smart, An architecture for practical actively secure MPC with dishonest majority, in ACM CCS, pp. 549–560, 2013
21. M. Keller, A. Yanai, Efficient maliciously secure multiparty computation for RAM, in EUROCRYPT, pp. 91–124, 2018
22. E. Larraia, E. Orsini, N. P. Smart, Dishonest majority multi-party computation for binary circuits, in CRYPTO, pp. 495–512, 2014
23. Y. Lindell, Fast cut-and-choose based protocols for malicious and covert adversaries, in CRYPTO, pp. 1–17, 2013
24. Y. Lindell, B. Riva, Cut-and-choose Yao-based secure computation in the online/offline and batch settings, in CRYPTO, pp. 476–494, 2014
25. Y. Lindell, N. P. Smart, E. Soria-Vazquez, More efficient constant-round multi-party computation from BMR and SHE, in 14th TCC 2016-B, pp. 554–581, 2016
26. J. B. Nielsen, P. S. Nordholt, C. Orlandi, S. S. Burra, A new approach to practical active-secure two-party computation, in CRYPTO, pp. 681–700, 2012
27. R. Pass, Bounded-concurrent secure multi-party computation with a dishonest majority, in 36th STOC, pp. 232–241, 2004
28. M. C. Pease, R. E. Shostak, L. Lamport, Reaching agreement in the presence of faults. Journal of the ACM 27(2), 228–234 (1980)
29. B. Pinkas, T. Schneider, N. P. Smart, S. C. Williams, Secure two-party computation is practical, in ASIACRYPT, pp. 250–267, 2009
30. T. Rabin, M. Ben-Or, Verifiable secret sharing and multiparty protocols with honest majority, in 21st STOC, pp. 73–85, 1989
31. P. Rogaway, The round complexity of secure protocols. PhD thesis, Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 1991
32. A. C. Yao, Protocols for secure computations, in 23rd FOCS, pp. 160–164, 1982
Acknowledgements
The first and fourth authors were supported in part by the European Research Council under the European Union's Seventh Framework Programme (FP/2007-2013)/ERC consolidators grant agreement no. 615172 (HIPS). The second author was supported under the European Union's Seventh Framework Program (FP7/2007-2013) grant agreement no. 609611 (PRACTICE), and by a grant from the Israel Ministry of Science, Technology and Space (grant 310883). The third author was supported in part by ERC Advanced Grant ERC-2010-AdG-267188-CRIPTO, by EPSRC via grant EP/I03126X and by ERC Advanced Grant ERC-2015-AdG-IMPaCT. The first and third authors were also supported by an award from EPSRC (grant EP/M012824), from the Ministry of Science, Technology and Space, Israel, and the UK Research Initiative in Cyber Security. The first, second and fourth authors were supported by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Directorate in the Prime Minister's Office.
An extended abstract of this paper appeared at CRYPTO 2015; this is the full version.
Communicated by Jonathan Katz.
Appendix: A Generic Protocol to Implement \(\mathcal {F}_{\mathsf {offline}}\)
In this appendix, we give a generic protocol \(\Pi _{\mathsf {offline}}\) which implements \(\mathcal {F}_{\mathsf {offline}}\) using any protocol which implements the generic MPC functionality \(\mathcal {F}_{\mathsf {MPC}}\). The protocol is very similar to the protocol in the main body, which is based on the SPDZ protocol; however, this generic functionality requires more rounds of communication (but still only a constant number of rounds). Phase Two is implemented exactly as in Sect. 4, so the only change we need is to alter the implementation of Phase One, which is implemented as follows:

1. Initialize the MPC Engine: Call Initialize on the functionality \(\mathcal {F}_{\mathsf {MPC}}\) with input p, a prime with \(2^\kappa<p < 2^{\kappa +1}\).

2. Generate wire masks: For every circuit wire w, we need to generate a sharing of the (secret) masking value \(\lambda _{w}\). Thus, for all wires w the players execute the following commands:

   (a) Player i calls InputData on the functionality \(\mathcal {F}_{\mathsf {MPC}}\) for a random value \(\lambda ^{i}_{w}\) of his choosing.

   (b) The players compute
   $$\begin{aligned}{}[\mu _w]&= \prod _{i=1}^n [\lambda ^{i}_{w}], \\ [\lambda _{w}]&= \frac{[\mu _w]+1}{2}, \\ [\tau _w]&= [\mu _w] \cdot [\mu _w] - 1. \end{aligned}$$

   (c) The players open \([\tau _w]\), and if \(\tau _w \ne 0\) for any wire w they abort.

3. Generate garbled wire values: For every wire w, each party \(i \in [1,\ldots ,n]\) and for \(j \in \{0,1\}\), player i generates a random value \(k^{i}_{w,j} \in {\mathbb {F}}_p\) and calls InputData on the functionality \(\mathcal {F}_{\mathsf {MPC}}\) so as to obtain \([k^{i}_{w,j}]\). The vector of shares \([k^{i}_{w,j}]_{i=1}^n\) we shall denote by \([\mathbf{k}_{w,j}]\).
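The following Python simulation of Phase One is an added illustration and is not code from the paper or from any SPDZ implementation. It models \(\mathcal {F}_{\mathsf {MPC}}\) as a trusted dealer that holds the "shared" values in the clear (a real instantiation would hold additive shares and use Beaver triples for the multiplications); the prime \(p = 131\) with \(\kappa = 7\) is a toy parameter chosen here. The point it makes is why the \(\tau_w\) check is needed: honest parties input \(\pm 1\), so the product \(\mu_w\) is \(\pm 1\) and \(\lambda_w = (\mu_w + 1)/2\) is a bit; a party that inputs anything else makes \(\mu_w^2 - 1\) non-zero, and the opened \(\tau_w\) reveals that without revealing \(\mu_w\) itself. The names `MPCEngine`, `generate_wire_mask`, `generate_wire_keys` and `run_phase_one` are this example's own.

```python
"""Toy simulation of Phase One of the generic offline protocol.

Assumption (not from the paper): F_MPC is modelled as a trusted dealer holding
secrets in the clear. Handles returned by the engine stand in for [x] shares.
"""
import secrets

KAPPA = 7
P = 131  # toy prime with 2^KAPPA < P < 2^(KAPPA+1); constructed for this example


class ProtocolAbort(Exception):
    """Raised when an opened check value tau_w is non-zero (the abort rule)."""


class MPCEngine:
    """Ideal stand-in for F_MPC: InputData/mul/open over F_p with handles."""

    def __init__(self, p):
        self.p = p
        self._vals = []  # secret values; a real engine never holds these in one place

    def input_data(self, x):
        """InputData: party contributes x; returns a handle to [x]."""
        self._vals.append(x % self.p)
        return len(self._vals) - 1

    def mul(self, a, b):
        """[a] * [b]; in SPDZ this costs one Beaver triple and one round."""
        return self.input_data(self._vals[a] * self._vals[b])

    def add_const(self, a, c):
        return self.input_data(self._vals[a] + c)

    def mul_const(self, a, c):
        return self.input_data(self._vals[a] * c)

    def open(self, h):
        """Open: reveal the value behind handle h to all parties."""
        return self._vals[h]


def generate_wire_mask(engine, contributions):
    """Step 2 for one wire: contributions are the lambda^i_w of the n parties.

    Returns a handle to [lambda_w]; raises ProtocolAbort if tau_w != 0.
    """
    mu = engine.input_data(contributions[0])
    for x in contributions[1:]:
        mu = engine.mul(mu, engine.input_data(x))          # [mu_w] = prod_i [lambda^i_w]
    inv2 = pow(2, -1, engine.p)                             # 1/2 in F_p
    lam = engine.mul_const(engine.add_const(mu, 1), inv2)   # [lambda_w] = ([mu_w]+1)/2
    tau = engine.add_const(engine.mul(mu, mu), -1)          # [tau_w] = [mu_w]*[mu_w] - 1
    if engine.open(tau) != 0:
        raise ProtocolAbort("tau_w != 0: some party's contribution was not +-1")
    return lam


def generate_wire_keys(engine, num_parties):
    """Step 3 for one wire: each party inputs two random keys k^i_{w,0}, k^i_{w,1}."""
    return [[engine.input_data(secrets.randbelow(engine.p)) for _ in range(2)]
            for _ in range(num_parties)]


def honest_contribution(p):
    """An honest party picks lambda^i_w uniformly from {+1, -1} mod p."""
    return 1 if secrets.randbits(1) else p - 1


def run_phase_one(num_wires, num_parties, p=P, cheat_value=None):
    """Run steps 2 and 3 for num_wires wires; party 1 inputs cheat_value if given.

    The masks are opened here only so the caller can inspect them; in the real
    protocol [lambda_w] stays shared until the online phase.
    """
    engine = MPCEngine(p)
    masks, keys = [], []
    for _ in range(num_wires):
        contribs = [honest_contribution(p) for _ in range(num_parties)]
        if cheat_value is not None:
            contribs[0] = cheat_value
        masks.append(engine.open(generate_wire_mask(engine, contribs)))
        keys.append(generate_wire_keys(engine, num_parties))
    return masks, keys


if __name__ == "__main__":
    masks, _ = run_phase_one(8, 3)
    print("honest run, mask bits:", masks)
    try:
        run_phase_one(1, 3, cheat_value=3)
    except ProtocolAbort as e:
        print("cheating run:", e)
```

The checked value \(\tau_w\) is opened, but it equals zero in every honest execution, so opening it leaks nothing about \(\mu_w\); the single honest party's uniform choice of \(\pm 1\) already makes \(\lambda_w\) a uniformly random bit regardless of what the other parties input, which is exactly what the masks need for the online phase.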
Cite this article: Lindell, Y., Pinkas, B., Smart, N.P. et al. Efficient Constant-Round Multiparty Computation Combining BMR and SPDZ. J Cryptol 32, 1026–1069 (2019). https://doi.org/10.1007/s00145-019-09322-2
Keywords
 Secure multiparty computation (MPC)
 Garbled circuits
 Concrete efficiency
 BMR
 SPDZ