\(1/p\)-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

Abstract

A protocol for computing a functionality is secure if an adversary in this protocol cannot cause more harm than in an ideal computation, where parties give their inputs to a trusted party that returns the output of the functionality to all parties. In particular, in the ideal model, such computation is fair—if the corrupted parties get the output, then the honest parties get the output. Cleve (STOC 1986) proved that, in general, fairness is not possible without an honest majority. To overcome this impossibility, Gordon and Katz (Eurocrypt 2010) suggested a relaxed definition—1/p-secure computation—which guarantees partial fairness. For two parties, they constructed 1/p-secure protocols for functionalities for which the size of either their domain or their range is polynomial (in the security parameter). Gordon and Katz ask whether their results can be extended to multiparty protocols. We study 1/p-secure protocols in the multiparty setting for general functionalities. Our main result is constructions of 1/p-secure protocols that are resilient against any number of corrupted parties provided that the number of parties is constant and the size of the range of the functionality is at most polynomial (in the security parameter \({n}\)). If fewer than 2/3 of the parties are corrupted, the size of the domain of each party is constant, and the functionality is deterministic, then our protocols are efficient even when the number of parties is \(\log \log {n}\). On the negative side, we show that when the number of parties is super-constant, 1/p-secure protocols are not possible when the size of the domain of each party is polynomial. Thus, our feasibility results for 1/p-secure computation are essentially tight. We further motivate our results by constructing protocols with stronger guarantees: If in the execution of the protocol there is a majority of honest parties, then our protocols provide full security. 
However, if only a minority of the parties are honest, then our protocols are 1/p-secure. Thus, our protocols provide the best of both worlds, where the 1/p-security is only a fall-back option if there is no honest majority.

Notes

  1. A non-rushing adversary decides upon its action in each round, only given its view in all previous rounds. A rushing adversary is one that in each round of the protocol can wait for all honest parties to send their messages and decide upon its reaction, depending also on these messages.

  2. Cohen et al. [21] showed that broadcast is necessary, even for the elementary task of coin-tossing with non-trivial bias and even when up to two-thirds of the parties are honest.

  3. For the simplicity of the presentation of our protocols, we present a slightly different ideal world than the traditional one. In our model there is no default input in the case of an “abort.” However, the protocol can be presented in the traditional model, where a predefined default input is used if a party aborts.

  4. In [9, 11], such protocols are called secure with abort with cheat detection. The term identifiable abort is taken from [40].

  5. Furthermore, the adversary might have some auxiliary information on the inputs of the honest parties; thus, the adversary might be able to deduce that a round is not \(i^\star\) even if all the values that it gets are equal, however they are not equal to a “correct” output.

  6. For a randomized functionality, this probability also depends on the size of the range.

  7. In [11], the number of parties may be polynomial in the security parameter. Thus, to keep the preprocessing phase constant round, there, the compilation into a secure with identifiable abort preprocessing protocol follows through using the zero knowledge proofs of [45]. This requires assuming the existence of collision resistant hash functions on top of the assumption that enhanced trapdoor permutations exist.

  8. These shares are temporary and will later be opened for the actual values during the interaction rounds using the properties of Shamir’s secret-sharing scheme.

  9. In Steps (2)–(5), the simulator \(\mathcal{S}\) constructs the messages of the honest parties in order to allow the corrupted parties in each \(L \in \mathcal{J}\) to reconstruct \(\tau_{L}^{i}\).

  10. For example, there might not be possible inputs of the corrupted parties causing the honest parties to output such output.

  11. For example, there might not be possible inputs of the corrupted parties that together with inputs of the honest parties result in such output.

References

  1. B. Alon, E. Omri, Almost-optimally fair multiparty coin-tossing with nearly three-quarters malicious, in Proceedings of the 14th Theory of Cryptography Conference, TCC 2016-B, part I (2016), pp. 307–335

  2. G. Asharov, Towards characterizing complete fairness in secure two-party computation, in Proceedings of the Eleventh Theory of Cryptography Conference—TCC 2014, volume 8349 (Springer, 2014), pp. 291–316

  3. G. Asharov, A. Beimel, N. Makriyannis, E. Omri, Complete characterization of fairness in secure two-party computation of Boolean functions, in Proceedings of the Twelfth Theory of Cryptography Conference—TCC 2015, volume 9014 of Lecture Notes in Computer Science (Springer, 2015), pp. 199–228

  4. G. Asharov, Y. Lindell, T. Rabin, A full characterization of functions that imply fair coin tossing and ramifications to fairness, in A. Sahai, editor, Proceedings of the Tenth Theory of Cryptography Conference—TCC 2013, volume 7785 of Lecture Notes in Computer Science (2013), pp. 243–262

  5. Y. Aumann, Y. Lindell, Security against covert adversaries: Efficient protocols for realistic adversaries. J. Cryptol. 23(2), 281–343 (2010)

  6. B. Awerbuch, M. Blum, B. Chor, S. Goldwasser, S. Micali, How to implement Bracha’s \(O(\log n)\) byzantine agreement algorithm, in Unpublished manuscript (1985)

  7. D. Beaver, S. Goldwasser, Multiparty computation with faulty majority, in Proceedings of the 30th IEEE Symposium on Foundations of Computer Science (1989), pp. 468–473

  8. D. Beaver, S. Micali, P. Rogaway, The round complexity of secure protocols, in Proceedings of the 22nd ACM Symposium on the Theory of Computing (1990), pp. 503–513

  9. A. Beimel, Y. Lindell, E. Omri, I. Orlov, 1/p-secure multiparty computation without honest majority and the best of both worlds, in P. Rogaway, editor, Advances in Cryptology—CRYPTO 2011, volume 6841 of Lecture Notes in Computer Science (Springer, 2011), pp. 277–296

  10. A. Beimel, E. Omri, I. Orlov, Protocols for multiparty coin toss with dishonest majority, in T. Rabin, editor, Advances in Cryptology—CRYPTO 2010, volume 6223 of Lecture Notes in Computer Science (Springer, 2010), pp. 538–557

  11. A. Beimel, E. Omri, I. Orlov, Protocols for multiparty coin toss with dishonest majority. J. Cryptol. 28(3), 551–600 (2015)

  12. A. Beimel, I. Haitner, N. Makriyannis, E. Omri, Tighter bounds on multi-party coin flipping via augmented weak martingales and differentially private sampling, in Proceedings of the 59th Annual Symposium on Foundations of Computer Science (FOCS) (2018)

  13. M. Ben-Or, O. Goldreich, S. Micali, R. Rivest, A fair protocol for signing contracts, in Proceedings of the 12th Colloquium on Automata, Languages and Programming, volume 194 of Lecture Notes in Computer Science (Springer, 1985), pp. 43–52

  14. M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for noncryptographic fault-tolerant distributed computations, in Proceedings of the 20th ACM Symposium on the Theory of Computing (1988), pp. 1–10

  15. M. Blum, How to exchange (secret) keys. ACM Trans. Comput. Syst. 1(2), 175–193 (1983)

  16. D. Boneh, M. Naor, Timed commitments, in M. Bellare, editor, Advances in Cryptology—CRYPTO 2000, volume 1880 of Lecture Notes in Computer Science (Springer, 2000), pp. 236–254

  17. N. Buchbinder, I. Haitner, N. Levi, E. Tsfadia, Fair coin flipping: Tighter analysis and the many-party case, in Proceedings of the 28th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA) (2017), pp. 2580–2600

  18. R. Canetti, Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000)

  19. R. Cleve, Limits on the security of coin flips when half the processors are faulty, in Proceedings of the 18th ACM Symposium on the Theory of Computing (1986), pp. 364–369

  20. R. Cleve, Controlled gradual disclosure schemes for random bits and their applications, in G. Brassard, editor, Advances in Cryptology—CRYPTO ’89, volume 435 of Lecture Notes in Computer Science (Springer, 1990), pp. 573–588

  21. R. Cohen, I. Haitner, E. Omri, L. Rotem, Characterization of secure multiparty computation without broadcast, in Theory of Cryptography: 13th International Conference, TCC 2016-A, Tel Aviv, Israel, January 10–13, 2016, Proceedings, Part I (2016), pp. 596–616

  22. I. Damgård, Practical and provably secure release of a secret and exchange of signatures. J. Cryptol. 8(4), 201–222 (1995)

  23. V. Daza, N. Makriyannis, Designing fully secure protocols for secure two-party computation of constant-domain functions, in Proceedings of the 15th Theory of Cryptography Conference—TCC 2017 (2017), pp. 581–611

  24. S. Even, O. Goldreich, A. Lempel, A randomized protocol for signing contracts. Commun. ACM 28(6), 637–647 (1985)

  25. Z. Galil, S. Haber, M. Yung, Cryptographic computation: Secure fault-tolerant protocols and the public-key model, in C. Pomerance, editor, Advances in Cryptology—CRYPTO ’87, volume 293 of Lecture Notes in Computer Science (Springer, 1988), pp. 135–155

  26. J.A. Garay, P.D. MacKenzie, M. Prabhakaran, K. Yang, Resource fairness and composability of cryptographic protocols. J. Cryptol. 24(4), 615–658 (2011)

  27. O. Goldreich, Foundations of Cryptography, Volume I—Basic Tools. Cambridge University Press, Cambridge (2001)

  28. O. Goldreich, Foundations of Cryptography, Volume II—Basic Applications. Cambridge University Press, Cambridge (2004)

  29. O. Goldreich, S. Micali, A. Wigderson, How to play any mental game, in Proceedings of the 19th ACM Symposium on the Theory of Computing (1987), pp. 218–229

  30. O. Goldreich, R.D. Rothblum, Enhancements of trapdoor permutations. J. Cryptol. 26(3), 484–512 (2013)

  31. S. Goldwasser, L. Levin, Fair computation of general functions in presence of immoral majority, in A.J. Menezes, S.A. Vanstone, editors, Advances in Cryptology—CRYPTO ’90, volume 537 of Lecture Notes in Computer Science (Springer, 1991), pp. 77–93

  32. S. Goldwasser, Y. Lindell, Secure multi-party computation without agreement. J. Cryptol. 18(3), 247–287 (2005)

  33. S.D. Gordon, C. Hazay, J. Katz, Y. Lindell, Complete fairness in secure two-party computation. J. ACM 58(6), 24 (2011)

  34. S.D. Gordon, Y. Ishai, T. Moran, R. Ostrovsky, A. Sahai, On complete primitives for fairness, in D. Micciancio, editor, Proceedings of the Seventh Theory of Cryptography Conference—TCC 2010, volume 5978 of Lecture Notes in Computer Science (Springer, 2010), pp. 91–108

  35. S.D. Gordon, J. Katz, Complete fairness in multi-party computation without an honest majority, in O. Reingold, editor, Proceedings of the Sixth Theory of Cryptography Conference—TCC 2009. Lecture Notes in Computer Science (2009), pp. 19–35

  36. S.D. Gordon, J. Katz, Partial fairness in secure two-party computation. J. Cryptol. 25(1), 14–40 (2012)

  37. I. Haitner, E. Tsfadia, An almost-optimally fair three-party coin-flipping protocol. SIAM J. Comput. 46(2), 479–542 (2017)

  38. Y. Ishai, J. Katz, E. Kushilevitz, Y. Lindell, E. Petrank, On achieving the “best of both worlds” in secure multiparty computation. SIAM J. Comput. 40(1), 2011. Journal version of [39, 41]

  39. Y. Ishai, E. Kushilevitz, Y. Lindell, E. Petrank, On combining privacy with guaranteed output delivery in secure multiparty computation, in Advances in Cryptology—CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science (Springer, 2006), pp. 483–500

  40. Y. Ishai, R. Ostrovsky, V. Zikas, Secure multi-party computation with identifiable abort, in J.A. Garay, R. Gennaro, editors, Advances in Cryptology—CRYPTO 2014, volume 8617 of Lecture Notes in Computer Science (Springer, 2014), pp. 369–386

  41. J. Katz, On achieving the “best of both worlds” in secure multiparty computation, in Proceedings of the 39th ACM Symposium on the Theory of Computing (2007), pp. 11–20

  42. M. Luby, S. Micali, C. Rackoff, How to simultaneously exchange a secret bit by flipping a symmetrically-biased coin, in Proceedings of the 24th IEEE Symposium on Foundations of Computer Science (1983), pp. 11–21

  43. N. Makriyannis, On the classification of finite Boolean functions up to fairness, in Security and Cryptography for Networks—9th International Conference, SCN 2014, volume 8642 of Lecture Notes in Computer Science (Springer, 2014), pp. 135–154

  44. T. Moran, M. Naor, G. Segev, An optimally fair coin toss, in O. Reingold, editor, Proceedings of the Sixth Theory of Cryptography Conference—TCC 2009, Lecture Notes in Computer Science (2009), pp. 1–18

  45. R. Pass, Bounded-concurrent secure multi-party computation with a dishonest majority, in Proceedings of the 36th ACM Symposium on the Theory of Computing (2004), pp. 232–241

  46. B. Pinkas, Fair secure two-party computation, in E. Biham, editor, Advances in Cryptology—EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science (Springer, 2003), pp. 87–105

  47. A. Shamir, How to share a secret. Commun. ACM 22, 612–613 (1979)

  48. A.C. Yao, How to generate and exchange secrets, in Proceedings of the 27th IEEE Symposium on Foundations of Computer Science (1986), pp. 162–167

Author information

Corresponding author

Correspondence to Eran Omri.

Additional information

A preliminary version of this work appeared in CRYPTO 2011 [9].

Amos Beimel: Generously supported by ISF Grant 938/09 and by the Frankel Center for Computer Science.

Yehuda Lindell: Generously supported by the European Research Council as part of the ERC project LAST, and by the Israel Science Foundation (Grant No. 781/07).

Eran Omri: Ariel Cyber Innovation Center. Generously supported by the European Research Council as part of the ERC project LAST, and by the Israel Science Foundation (Grant No. 781/07).

Ilan Orlov: Generously supported by ISF Grant 938/09 and by the Frankel Center for Computer Science.

Communicated by Jonathan Katz.

Appendix A: Proof of Lemma 2.6

Proof

Fix \(D_1,D_2\) satisfying Inequality (1). We prove the lemma by induction on \(r\). When \(r=1\) the lemma is trivially true. Assume \(\text{win}(r)\le \frac{1}{\alpha r}+ \beta\); we upper-bound \(\text{win}(r+1)\). As \(\mathcal{A}\) is unbounded, we can assume without loss of generality that \(\mathcal{A}\) is deterministic. Let \(S\) be the subset of the support of \(D_2\) such that \(\mathcal{A}\) aborts in the first iteration if and only if \(a_1\in S\). We define \(S_h\) as the set of all elements \(z\in S\) for which \(\Pr_{a\leftarrow D_1}[a=z] \ge \alpha \Pr_{a\leftarrow D_2}[a=z]\), and \(S_\ell = S \setminus S_h\). Observe that \(\Pr_{a_1\leftarrow D_2}[a_1\in S_\ell]\le \beta\). If \(\mathcal{A}\) does not abort in the first iteration, and the game does not end, then the conditional distribution of \(i^\star\) is uniform in \(\left\{2,\ldots,r\right\}\) and the game \(\Gamma(r+1)\) from this point forward is exactly equivalent to the game \(\Gamma(r)\). In particular, conditioned on the game \(\Gamma(r+1)\) not ending after the first iteration, the probability that \(\mathcal{A}\) wins is at most \(\text{win}(r)\). We thus have

$$\begin{aligned}
&\Pr[\text{win}(r+1)] \\
&\quad = \Pr[\mathcal{A}\text{ wins} \wedge a_1 \in S_\ell \wedge i^\star = 1] + \Pr[\mathcal{A}\text{ wins} \wedge a_1 \in S_h \wedge i^\star = 1] \\
&\qquad + \Pr[\mathcal{A}\text{ wins} \wedge i^\star > 1] \\
&\quad \le \Pr[a_1 \in S_\ell \wedge i^\star = 1] + \Pr[a_1 \in S_h \wedge i^\star = 1] + \Pr[\mathcal{A}\text{ wins} \wedge i^\star > 1] \\
&\quad \le \frac{\beta}{r+1} + \frac{1}{r+1}\Pr_{a_1\leftarrow D_2}[a_1 \in S_h] + \frac{r}{r+1}\left(1-\Pr_{a_1\leftarrow D_1}[a_1 \in S]\right)\text{win}(r) \\
&\quad \le \frac{\beta}{r+1} + \frac{1}{r+1}\Pr_{a_1\leftarrow D_2}[a_1 \in S_h] + \frac{r}{r+1}\left(1-\Pr_{a_1\leftarrow D_1}[a_1 \in S_h]\right)\left(\frac{1}{\alpha r}+\beta\right) \\
&\quad \le \frac{\beta}{r+1} + \frac{1}{r+1}\Pr_{a_1\leftarrow D_2}[a_1 \in S_h] + \frac{r}{r+1}\left(1-\Pr_{a_1\leftarrow D_1}[a_1 \in S_h]\right)\frac{1}{\alpha r} + \frac{r}{r+1}\beta \\
&\quad \le \beta + \frac{1}{r+1}\Pr_{a_1\leftarrow D_2}[a_1 \in S_h] + \frac{r}{r+1}\left(1-\alpha \Pr_{a_1\leftarrow D_2}[a_1 \in S_h]\right)\frac{1}{\alpha r} \\
&\quad = \beta + \frac{1}{\alpha (r+1)}.
\end{aligned}$$

\(\square \)
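The induction above can be checked numerically. The following Python sketch is an added example, not code from the paper: it computes the exact winning probability of the best deterministic adversary from the recurrence in the third line of the inequality chain and compares it with \(\frac{1}{\alpha r}+\beta\). Assumptions: Inequality (1) is not reproduced on this page and is taken here to be \(\Pr_{a\leftarrow D_2}[\Pr_{D_1}[a] \ge \alpha \Pr_{D_2}[a]] \ge 1-\beta\); the distributions and the names `beta_for`, `optimal_win` and `lemma_holds` are constructed for illustration.

```python
from fractions import Fraction as F

def beta_for(d1, d2, alpha):
    """Smallest beta for the assumed form of Inequality (1):
    the D2-mass of elements z with D1(z) < alpha * D2(z)."""
    return sum((p2 for z, p2 in d2.items() if d1.get(z, 0) < alpha * p2), F(0))

def optimal_win(d1, d2, rounds):
    """Exact win(r), r = 1..rounds, for the best deterministic adversary.

    Recurrence from the proof, for an abort set S in the first iteration:
      win(r+1) = Pr_D2[S]/(r+1) + r/(r+1) * (1 - Pr_D1[S]) * win(r).
    Maximising over S puts z in S exactly when D2(z) > r * win(r) * D1(z).
    """
    wins = [F(1)]  # r = 1: i* = 1 with certainty, so aborting at once wins
    for r in range(1, rounds):
        w = wins[-1]
        gain = sum(max(F(0), p2 - r * w * d1.get(z, 0)) for z, p2 in d2.items())
        wins.append((r * w + gain) / (r + 1))
    return wins

def lemma_holds(d1, d2, alpha, rounds):
    """True if win(r) <= 1/(alpha*r) + beta for every r up to `rounds`."""
    beta = beta_for(d1, d2, alpha)
    return all(w <= 1 / (alpha * r) + beta
               for r, w in enumerate(optimal_win(d1, d2, rounds), start=1))

# Constructed sample distributions over {0, 1, 2} (not taken from the paper).
D1 = {0: F(1, 2), 1: F(1, 4), 2: F(1, 4)}
D2 = {0: F(1, 4), 1: F(1, 4), 2: F(1, 2)}

if __name__ == "__main__":
    for alpha in (F(1, 2), F(1)):
        beta = beta_for(D1, D2, alpha)
        print(f"alpha={alpha}, beta={beta}")
        for r, w in enumerate(optimal_win(D1, D2, 6), start=1):
            print(f"  r={r}: win={float(w):.4f}  bound={float(1/(alpha*r)+beta):.4f}")
```

With \(\alpha = 1/2\) the sample pair needs no slack (\(\beta = 0\)); raising \(\alpha\) to 1 pushes the element 2 into \(S_\ell\) and costs \(\beta = 1/2\), which shows the trade-off between the two parameters in the bound.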

Cite this article

Beimel, A., Lindell, Y., Omri, E. et al. \(1/p\)-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds. J Cryptol 33, 1659–1731 (2020). https://doi.org/10.1007/s00145-020-09354-z

Keywords

  • Secure multiparty computation
  • 1/p-Security
  • Partial-fairness
  • Best-of-both-worlds