1 Introduction

The problem of Secure Multi-party Computation (MPC) considers a set of parties with private inputs that wish to jointly compute a function of their inputs while simultaneously preserving correctness of the outputs, and guaranteeing privacy of the inputs, i.e., nothing but the output is revealed. These properties are required to hold in the presence of an adversary that controls a subset of the parties and attacks the protocol in an attempt to breach its security, e.g., learn more than it should about the honest parties’ inputs.

Secure computation was first defined and explored in the mid 80 s [11, 14, 32, 69] and has been the focus of intensive study ever since. In the first two decades, research focused mainly on theoretical foundations, establishing the boundaries of feasibility and complexity. More recently, the focus has shifted to making MPC efficient and reducing its overhead over insecure implementations, both in terms of asymptotic and concrete efficiency (See [24, 31, 41, 44, 45, 49, 67, 68], and references therein.)

A basic classification in MPC considers protocols in which security is guaranteed with: (1) an honest majority, namely when the adversary corrupts a minority of the participants; or (2) a dishonest majority, where the adversary can corrupt arbitrarily many parties. The second category, which captures two-party protocols as a special case, has the advantage that any single party need not trust anyone but itself. Designing protocols from the second category is significantly more challenging, and they can only guarantee computational security, i.e., against computationally bounded adversaries. On the other hand, the first category admits conceptually simpler solutions with statistical (or even perfect) security, namely against computationally unbounded adversaries.

An orthogonal classification of MPC protocols is based on the adversarial behavior: (1) passive adversaries that follow the protocol’s instructions but try to learn more than the prescribed information and (2) active adversaries that may arbitrarily deviate from the protocol. A common paradigm in MPC is to design first a passively-secure protocol and then compile it into an actively-secure one.

Hence, an important efficiency metric for MPC protocols is the overhead of actively-secure protocols over (the best) passively-secure ones. A primary goal in MPC today is to reduce this overhead and specifically to design actively-secure protocols with constant overhead over state-of-the-art passively-secure protocols. That is, to design protocols whose communication and computation overheads grow only by a constant factor compared to the underlying passive protocols.

This work focuses on one of the most challenging MPC settings: active security with an arbitrary number of parties. Ideally, we would like the price of achieving active security to be minimal compared to the passively-secure counterparts.

The past decade has seen tremendous progress in the design of concretely efficient actively-secure protocols for arbitrary functions, specified as Boolean or arithmetic circuits, in either the two-party [30, 37, 39, 47, 49, 50, 53, 55, 56, 60, 64,65,66,67, 70], or the multi-party setting with an arbitrary number of parties [22, 24, 41, 44, 46, 52, 68]. See Sect. 1.2 for more details.

Despite this impressive progress there still remain important gaps between what is achievable with passive and active security. Indeed, no protocols for Boolean computations with an arbitrary number of parties and constant communication overhead (even asymptotically) are known, both in the honest and the dishonest majority settings. For arithmetic computations with an arbitrary number of parties and over sufficiently large fields, the best concrete overhead (of 12x [27]) still seems large. In the honest majority setting an overhead of 2 has been achieved only for large fields [18].

Given this state of affairs, in this work we set out to answer the following fundamental open problem:

Can actively-secure protocols over an arbitrary field match the complexity of passively-secure protocols, in the dishonest and honest majority settings, with an arbitrary number of parties?

We resolve this open problem in terms of communication complexity in the affirmative, designing an asymptotically efficient actively-secure protocol for Boolean circuits (as well as arithmetic circuits over any field) in both the honest majority and dishonest majority settings, with constant communication overhead over the (best known) passively-secure counterparts.

We note that constant-overhead protocols are known based on general zero-knowledge proofs [32], but these solutions rely on “heavy” tools and are practically inefficient. Instead, we focus on designing protocols that make black-box use of simpler (and lightweight) primitives such as One-Way Functions (OWFs), and parallel Oblivious-Transfer (OT) or parallel Oblivious Linear function Evaluation (OLE) in the Boolean and arithmetic settings (resp.). Relying on OTs/OLEs is, in a sense, necessary since these are special cases of secure computation in their respective settings. Moreover, since our protocols make black-box use of these primitives, they will benefit from future improvements in the costs of OT/OLE implementations, which have been steadily decreasing.

Moreover, to frame a clean theoretical question, we focus on designing modular protocols in which the (relatively) computationally-expensive “cryptographic” component is separated from the rest of the protocol, and abstracted as an ideal functionality. Specifically, the “cryptographic” abstraction we consider in this work is a (constant-round) parallel protocol for computing distributed multiplication. Relying on a general multiplication functionality instead of OT/OLE allows us to simultaneously capture many settings of interest (Boolean/arithmetic computations, two/multi-party, honest/dishonest majority) in a unified way. More specifically, we abstract distributed multiplication as an \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) functionality that is parameterized by a secret sharing scheme \({{{\mathcal {S}}}}\) over some field \({\mathbb {F}}\), takes \({{{\mathcal {S}}}}\)-shares of two secrets and produces \({{{\mathcal {S}}}}\)-shares of their product. It is easy to see that one can use a general reduction from OT (resp. OLE) to a random instance \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) of \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) (which generates additive shares of random multiplication triples in the sense of Beaver’s triples [6]) for Boolean (resp. arithmetic) computations. In the multi-party setting, one can also realize \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) using more general protocols based on threshold additively-homomorphic encryption schemes [16].

Given the previous discussion, we can rephrase our motivating question as follows:

Can actively-secure protocols over an arbitrary field match the complexity of passively-secure implementations of \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\), in the dishonest and honest majority settings, with an arbitrary number of parties?

1.1 Our Results: A New Framework

In this work, we answer the open problem stated above with respect to communication complexity on the affirmative, introducing the first actively-secure protocol with constant communication overhead over passive GMW [32], for any number of parties and over any field, in the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\)-hybrid model.

We obtain our result via a new compiler which transforms a passively-secure protocol for \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) into an actively-secure protocol for arbitrary functionalities, while inheriting the setting of the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) protocol (i.e., Boolean/arithmetic, two/multi-party and honest/dishonest majority). Specifically, the compiler is described in the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\)-hybrid model, and using different instantiations of \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) we obtain actively-secure protocols with constant communication overhead in the Boolean and arithmetic, two-party and multi-party and honest and dishonest majority settings. Moreover, for large fields and “typical” circuits,Footnote 1 the overhead of our protocols is 2.

Working in the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\)-hybrid model allows us to preserve a clear separation between the “passive” (alternatively, cryptographic) components of our protocol, namely the implementation of \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\), which relies on cryptographic assumptions, and the “correctness-enforcing” (alternatively, non-cryptographic) components which involve tools from the literature of honest-majority protocols, employing consistency tests to enforce honest behavior. Besides scalability (and reduced communication complexity), we believe our approach is simple and modular.

Our compiler improves over the state of the art in several settings; see Table 1 for a summary and Sect. 6 for a detailed discussion.

Table 1 Asymptotic communication overheads of our results in both the dishonest and honest majority settings for Boolean and arithmetic computations. The “best passive” column refers to the passively-secure protocol over which the overhead is computed. The “theorem number” column specifies the theorem which implies the corresponding result
Full size table

1.1.1 New Protocols in the Dishonest Majority Setting

Our complier exhibits the most substantial improvements in the dishonest majority setting, yielding the first constant-overhead actively-secure protocol with a dishonest majority over an arbitrary number of parties for Boolean circuits. The concrete constants of our compiler are yet unknown since they depend on the concrete efficiency of Algebraic Geometric (AG) secret sharing schemes over constant-size fields [13]. The result is summarized in the following informal theorem; see Theorem 5 for the formal statement.

Theorem 1

(Informal) Any m-party function f over a constant-size field (resp., arbitrary size field) can be securely realized by an O(d)-round protocol in the OT-hybrid (resp., OLE-hybrid) model against an active adversary corrupting an arbitrary number of parties with total communication \(O(m^2\left| {\textrm{C}}\right| ) + {\textsf{poly}}(\kappa , d, m)\) field elements, where \(\textrm{C}\) is a depth-d circuit for f, and \(\kappa \) is a computational security parameter.

For arithmetic computations, we can concretely analyze the constants introduced by our compiler and show that they can be as small as 2 for moderately wide circuits and sufficiently large fields. This improves over [27] in two aspects. First, their work requires at least 12 invocations of an active implementation of \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\), while ours requires only two invocation of a passive implementation. This allows us to instantiate our compiler with passive implementations of \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) based on threshold additively homomorphic encryption schemes [5, 16]. Second, their result is only useful for computations over sufficiently large fields (where the statistical error \(O\left( \left| {\textrm{C}}\right| /\left| {{\mathbb {F}}}\right| \right) \) is small), whereas our result applies to fields of arbitrary size.

Building on the recent result of Hazay et al. [36], we can extend our compiler to rely on a weaker-than-passive (e.g., imperfect or leaky) implementation of \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\). Consequently, \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) can be instantiated with lattice-based protocols with “aggressive” (weaker) parameters, yielding actively-secure compiled protocols whose communication cost almost matches that of the best passive protocols, namely essentially achieving active security at the cost of passive!

Additionally, we achieve an interesting corollary in the constant-round regime for Boolean computations. By viewing distributed garbling [12] as an arithmetic functionality over \({{\mathbb {G}}}{{\mathbb {F}}}(2^\kappa )\), we can instantiate our compiler for arithmetic circuits to achieve constant-overhead over that passive variant of [12] instantiated with \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) over \({{\mathbb {G}}}{{\mathbb {F}}}(2^\kappa )\). See Sect. 7.2 for details.

We believe our protocols can also be made to tolerate adaptive corruptions by instantiating the underlying cryptographic primitives (namely \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) and \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COM}}\)) with their adaptively-secure counterparts and leave this to future work.

1.1.2 New Protocols in the Honest Majority Setting

In the honest majority regime for \(t < n/2\) (\(t<(1-\varepsilon )n/3\), respectively), our compiler gives an actively-secure protocol for arithmetic (Boolean, respectively) circuits with constant overhead over a variant of [23] that is instantiated using AG secret sharing schemes (see Theorems 6 and 8). This should be contrasted with the recent protocol by Chida et al. [18], which only achieves constant overhead for large fields (introducing an extra statistical security parameter s for small fields with an overhead of \(s/\log _2(\left| {{\mathbb {F}}}\right| )\)), and with Ishai et al. [43] who achieve constant-overhead for arbitrary fields, but only for few parties. We note that these two results are in the honest majority setting \(t<n/2\), whereas for Boolean circuits our corruption threshold is \(t<(1-\varepsilon )n/3\). We further note that [21] achieves constant-rate secure protocols, but only for some constant corruption threshold. For Boolean computation with an arbitrary number of parties and optimal threshold, the best protocols are due to Genkin et al. [29] and achieve a \({\textsf{polylog}}(\left| {\textrm{C}}\right| ,s)\) overhead, where \(\left| {\textrm{C}}\right| \) is the circuit size.

On Concrete Efficiency The work of [36] demonstrated that in the dishonest majority setting, IPS-style compilation yields the best communication and computation in the two-party setting for computations over large-prime finite fields. To date, even with the recent advances in PCGs [9, 10], this remains the most competitive protocol with practical efficiency. A main drawback with PCG-based approaches is that there does not exist a passive-to-active compiler based on standard assumptions. The recent work of Boyle et al. [10] provides two compilers, one that is based on lattice assumption with a “linear-only” homomorphism property, and a second compiler that is not practically feasible as it uses the generic GMW paradigm, employing sublinear zero-knowledge proofs in a non black-box way. Making this line of work practical against active adversaries remains an open question.

Our work generalizes the work of [36] to the multi-party setting, with similar computation and communication efficiency, and we believe it will be competitive with the state of the art (cf. Table 3 for a concrete analysis of the communication complexity of our protocol.) In the honest majority setting, the recent works based on so-called distributed zero-knowledge proofs and replicated secret sharing have been able to achieve tight compilation from passive to active, with some protocols achieving communication overheads that are only additive and even sublinear in the cost of the passive protocol additive [7, 8, 19]. However, all these works are efficient only when there is a constant number of parties, and it is an open question to make them practical for an arbitrary number of parties. Our protocol, on the other hand, will yield an efficient protocol for an arbitrary number of parties.

For constant-sized fields, our work relies on AG codes which have not yet been demonstrated to be practical as they do not admit efficiency similar to FFTs.

1.2 Related Work

We give a brief overview of recent efficient protocols, summarized in Table 2.

1.2.1 The State of the Art: Boolean Multi-Party Setting

For Boolean circuits, secure protocols against a dishonest majority with an (asymptotic) constant overhead over passively-secure protocols were achieved for a constant number of parties by Ishai, Prabhakaran and Sahai [44] (referred to as the “IPS-compiler”). Their protocol operates in the OT-hybrid model, achieving constant overhead over passive-GMW. It also achieves constant rate; namely, the communication complexity of evaluating a circuit \(\textrm{C}\) is \(O\left( \left| {\textrm{C}}\right| \right) +{\textsf{poly}}\left( \log \left| {\textrm{C}}\right| ,d,m,\kappa \right) \), where \(d,m,\kappa \) are the depth of \(\textrm{C}\), the number of parties, and a security parameter, respectively. For an arbitrary number of parties, the protocol of Genkin et al. [29] obtains \({\textsf{polylog}}\left( \left| {\textrm{C}}\right| ,s\right) \) overhead over passive-GMW, where s is a statistical security parameter. This result is obtained by converting a Boolean circuit \(\textrm{C}\) into a functionally-equivalent randomized circuit \(\textrm{C}'\) that is immune against so-called additive attacks, and evaluating \(\textrm{C}'\) using the semi-honest protocol of [32]. (This technique was originally introduced by [27], but was essentially only useful over large fields, see discussion below.) In the honest-majority setting for the special case of 3 parties and 1 corruption, Boneh et al. [3] design a protocol with communication complexity \(O(\left| {C}\right| )\) making black-box use of a Pseudo-Random Generator. (We note that [3] actually obtain a stronger result: Their 3-party protocol works for any field or ring \({\mathbb {Z}}_w\), and they also have extensions for n-party honest-majority protocols, as long as the underlying passively-secure protocol has a specific structure, which is satisfied by, e.g., [32].)

1.2.2 The State of the Art: Arithmetic Multi-Party Setting3

In the arithmetic setting in which the computation is performed over an arbitrary field \({\mathbb {F}}\), Genkin et al. [27] designed MPC protocols in the OLE-hybrid model, with a statistical error of \(O(|\textrm{C}|/{\mathbb {F}})\), and constant communication overhead compared to an algebraic variant of passive-GMW [32], for sufficiently large fields \({\mathbb {F}}\). As described above, their result is obtained by converting a circuit \(\textrm{C}\) over some field \({\mathbb {F}}\) into its additively-secure variant \(\textrm{C}'\), and evaluating \(\textrm{C}'\) using passive-GMW and actively secure implementation of OLE. In practice, the constant in the communication overhead of their protocol is 12, and moreover their protocol is only useful for circuits over large fields (for which \(O(|\textrm{C}|/{\mathbb {F}})\) is sufficiently small). For arbitrary fields, the work of Döttling et al. [20] gives an actively secure protocol where the overhead is 22 invocations of an actively secure implementation of \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) per multiplication gate of the circuit. A practical implementation for arbitrary number of parties was given in [46] based on “tailor-made” zero-knowledge proofs to achieve active security.

We note that in the honest majority setting, the recent work by Chida et al. [18] presents a new actively-secure protocol for arithmetic circuits that obtains overhead 2 over passive protocols for sufficiently large fields. Similar to our protocol, their protocol is in the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\)-hybrid model, where \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) can be instantiated with any passively-secure protocol that further guarantees a notion of “security up to additive attacks” in the presence of active adversaries. It is unclear whether their paradigm extends to the dishonest majority setting, since their model of additive attacks is weaker than the standard one formulated in [27], where in all natural candidates an active attack translates into an additive attack in the latter (stronger) attack model and is therefore not protected against by the framework of [18].

In an orthogonal vein, we note that Applebaum et al. [1] designed the first (variant of) passively-secure OLE based on LPN-style assumptions, implying secure arithmetic computation with asymptotic constant computational overhead over an insecure evaluation of the circuit.

1.2.3 The State of the Art: Two-Party Setting

In the Boolean setting, the protocols of [44] and [37] achieve (asymptotic) constant communication overhead over the passive protocols of [32] and [69], respectively. The latter has the added benefit of matching the number of OT calls in [69], which (unlike [32]) is sublinear in the circuit size. Practical implementations of [44] have been studied in [48], who identified bottlenecks in obtaining concretely efficient protocols based on the IPS protocol due to the implementation of the so-called watchlist channels. In the arithmetic setting, a recent work by Hazay et al. [36] instantiated the framework of [44] with a concretely efficient honest majority protocol, obtaining small multiplicative overheads (between 2 and 8) compared to the passive protocol of [32].

1.3 Subsequent Work

Following the original publication of this work, several works [9, 10, 17] obtained MPC protocols over arbitrary fields in the dishonest majority setting, withstanding an arbitrary number of corruptions with total communication \(O(n\left| {\textrm{C}}\right| )\). (The result of [17] is over small fields, and the communication complexity is obtained for sufficiently wide circuits, or amortized over multiple executions of the circuit.) We note that these works focused on orthogonal research questions in the context of MPC, such as obtaining general GMW-style compilers for MPC protocols with preprocessing [9] or having the preprocessing communication complexity be sublinear in the circuit size [10], and the MPC protocols mentioned above are obtained as a corollary of their more general results. We note that another subsequent work [33] also employed packed secret sharing to obtain constant overhead. However, their techniques and results differ significantly from this work. In particular, their protocols are in the preprocessing model, withstand \(t=(1-\varepsilon )n\) corruptions, for an arbitrary constant \(\varepsilon >0\), and the communication complexity of the online phase is \(O(\left| {\textrm{C}}\right| /\varepsilon )\).

In the honest majority setting, Polychroniadou and Song [58] designed a concrete protocol for Boolean circuits with an amortized communication complexity of O(n) bits per gate where n is the number of parties. Similar to our protocol, they also use two types of secret sharing schemes, but they use the double sharing to build a new authentication mechanism of a secret that is shared additively.

Table 2 Asymptotic and concrete communication overheads of state-of-the-art 2PC and MPC protocols in the dishonest majority setting. The overhead is measured as the number of calls to the underlying (passively or actively secure) OT or OLE functionality, compared to the number of calls made by the passive-GMW to the corresponding (passively secure) functionality (OT or OLE). The concrete overhead column is specified only when the overhead is constant and holds over sufficiently large fields. s denotes a statistical security parameter, and \(\textrm{C}\) is the circuit being evaluated
Full size table

2 Our Techniques

We first recall the so-called IPS framework of Ishai, Prabhakaran and Sahai [44], that constructs actively-secure m-party protocols for a function f using the following two weaker ingredients as a black-box: (1) an actively-secure honest-majority protocol (the “outer protocol”) for f with m clients and n servers, tolerating active corruption of a minority \(t<n/2\) of the servers and an arbitrary number of clients; and (2) a passively secure m-party protocol (the “inner protocol”) for a “simpler” functionality, tolerating an arbitrary number of corruptions.

Using appropriate instantiations of the outer and inner protocols, this framework yields a constant-overhead (in fact, constant rate) actively-secure protocol for Boolean functionalities in the dishonest majority setting with a constant number of parties m. However, it does not obtain constant overhead for a super-constant m, as we now explain.

2.1 To Watch or not to Watch?

The high-level idea of the IPS compiler it to have the m parties “virtually” executes the outer protocol by emulating its n servers. Specifically, the parties first obtain (through some joint computation) secret shares of the initial server states and then use the inner protocol on the shared states to generate (secret shares) of the outputs of the “next message” functions of each server. Since the outer protocol is only secure when a majority of the servers are honest, the parties must insure that most servers were correctly emulated, for which it suffices to verify that the parties behave honestly in sufficiently many of the inner protocol executions. The IPS compiler introduces a novel “watchlist” mechanism in which parties “watch” each other to enforce such honest behavior. More precisely, every party \(P_i\) picks a random subset of t servers for which it learns the entire internal state throughout the computation. Consequently, \(P_i\) can check that all parties honestly emulated the t servers and abort if some party misbehaves. The identity of servers watched by honest parties remains hidden from the adversary, and thus, even a single honest party forces the adversary to honestly emulate most (specifically, a majority) of the servers. In terms of parameters, obtaining a \(2^{-\Omega (s)}\) soundness error for a statistical security parameter s requires \(t,n=\Omega (s)\). Since each corrupted party can choose an arbitrary subset of t watched servers, and there could be \(m-1\) corrupted parties, privacy is only preserved when \((m-1)t < n/2\). Since achieving constant-overhead requires \(n = O(s)\), this is only possible for \(m = O(1)\).

2.2 Compute First, Check Later

To solve this problem, our first idea is to have a single random subset of t servers which are simultaneously watched by all parties. Of course, now that the identity of the watched servers is known to all parties, it cannot be revealed before the computation has been completed. Instead, the subset is chosen using joint coin tossing after the circuit has been evaluated, but before the output is reconstructed from the output shares. Correctness is preserved similarly to the original IPS compiler, but checking honest behavior after-the-fact might violate privacy. Indeed, unlike the IPS compiler we can no longer “catch” the adversary as soon as it deviates from the protocol, which raises two privacy concerns. First, by actively deviating from the protocol, the adversary can potentially violate the inner protocol privacy and learn intermediate values during the circuit evaluation. Second, the adversary can potentially violate the privacy of the outer protocol, by “corrupting” a majority of the servers in the outer protocol (i.e., by not emulating them correctly). We note that even if the inner protocol has the stronger guarantee of remaining private even against active adversaries, this does not resolve the second issue because as long as the inner protocol is not actively-secure, active corruptions in it might violate correctness, which corresponds to corrupting servers in the outer protocol. Thus, an active adversary might still violate privacy in the outer protocol by violating correctness in the inner protocol (thus, in effect, corrupting possibly a majority of the servers).

2.3 Which Outer Protocol to Use?

Even if we could somehow overcome these issues, the overhead for \(m=\omega (1)\) parties might still be large due to the communication complexity of the outer protocol. Specifically, [44] obtain constant overhead by instantiating the outer protocol with the protocol of [21]. In this protocol, the servers compute over secret shares, and they need to perform a global operation on their shares (specifically, degree reduction). This is achieved by having the servers execute a randomized protocol, where the randomness is provided by the clients. Thus, the communication complexity scales with the number of clients and cannot be constant for \(m=\omega (1)\).

2.4 Our Approach

Due to these issues, we take a step back and (instead of extending the IPS framework) focus on designing a new compiler that amplifies the security of a passively-secure inner protocol via a tailor-made outer protocol. Since we use different instantiates of the inner protocol, we model it more generally, assuming the parties have oracle access to an ideal multiplication functionality \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) that works over some agreed-upon secret sharing scheme \({{{\mathcal {S}}}}\). We note that in our compiler, we will not refer to “servers” (or an “outer” protocol), but rather think of these as “copies” of the circuit.

2.5 The Combined Protocol

To highlight the main components of our framework, we describe a basic MPC variant that will loosely rely on the passive-BGW [11] protocol. Though this does not yield our asymptotic results, it will serve as a good starting point, which we build on to obtain our final framework (as described toward the end of the section).

At the onset of the computation each party \(P_i\) secret shares its input \(x_i\) using Shamir’s secret sharing scheme with privacy parameter t, to obtain the shares \(\left( X^1,\ldots ,X^n\right) \) (as in the passive-BGW protocol). Then, \(P_i\) generates additive shares \(\left( x^l_j\right) \) of each Shamir share \(X^l\) and sends \(\left( x^l_j\right) _{l\in [n]}\) to \(P_j\). The protocol will evaluates the circuit gate-by-gate as in passive-BGW, where addition gates are locally computed. We will preserve the invariant that when parties evaluate a gate G, they collectively hold additive shares of the Shamir shares of the values of \(G'\)s input wires. That is, if G’s inputs are values ab which in the passive-BGW protocol have Shamir shares \(\left( A^1,\ldots ,A^n\right) \), \(\left( B^1,\ldots ,B^n\right) \) (respectively), then for every \(l\in [n]\), party \(P_i\) holds values \(a^l_i,b^l_i\) such that \(\sum _ia^l_i=A^l\) and \(\sum _ib^l_i=B^l\).

In passive-BGW, multiplications are performed by having each party locally multiply its Shamir shares \(A^l,B^l\), followed by all parties jointly running a degree reduction sub-protocol on these products. However, in our modified protocol parties can no longer locally compute the products \(A^l\cdot B^l\), because no party knows \(A^l,B^l\). (Parties only know additive shares of these values.) To solve this issue, we use an ideal distributed-multiplication functionality \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) which takes as input additive shares of two values xy and outputs a (fresh) additive sharing of their product \(x\cdot y\). (We discuss \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) instantiations below.) This allows parties to learn additive shares of each product \(A^l\cdot B^l\).

Once (additive shares of) the products \(A^l\cdot B^l\) have been computed, degree reduction should be performed. In the classical passive-BGW protocol, degree reduction requires expensive communication, which is improved by protocols such as [23]. We use a new approach that significantly reduces the communication complexity, leveraging the fact that degree reduction is a linear operation over the Shamir shares.

2.6 Local Degree Reduction

Each party locally performs degree reduction over its additive shares of the Shamir shares. Across all parties, the additive shares obtained as a result of this procedure constitute a valid Shamir sharing of the “right” value, due to the linearity properties of Shamir’s secret sharing scheme. Intuitively, the second secret sharing layer allows parties to locally perform degree reduction, because it gives each party a global “view” of the protocol execution, as an additive share of the global view of the protocol execution. We note that performing degree reduction locally also has the advantage of eliminating the need for global randomness which should be generated from the contributions of all parties. (As discussed above, this was one of the causes of super-constant overhead in [44] when \(m=\omega (1)\).)

2.7 Enforcing Correctness

Once the computation is completed in all copies, we ensure it was performed correctly by incorporating a “correctness-enforcing” mechanism into the protocol. Specifically, before opening the output shares obtained at the outputs of all copies, we first run some correctness tests which will check that (with high probability) all parties honestly executed the computation. The output shares are revealed (and the output is reconstructed from these shares) only if all correctness tests pass.

To explain our correctness tests, we first analyze possible malicious strategies of corrupted parties. Roughly, a corrupted party can deviate from the protocol in one of four ways. First, it can incorrectly share its input (i.e., the “sharing” isn’t of the right degree t). Second, it can incorrectly perform the degree reduction procedure, by generating a fresh sharing that either isn’t of the right degree (i.e., t), or doesn’t share the right value (i.e., the value shared before degree reduction). Third, when evaluating a multiplication gate (i.e., computing the product of Shamir shares as described above), it can use different values than the ones provided by \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\). Fourth, it can incorrectly perform the local linear computations.

To handle such deviations from the protocol, we introduce three tests. The first is a degree test, which checks that the secrets sharings used by all parties, either to share their inputs or as input to multiplication gates, have the right degree. The second is an equality test, which checks that the secret sharings before and after degree reduction share the same value. The degree and equality tests jointly guarantee that with overwhelming probability, the input sharings are valid, and the degree reduction procedure was executed correctly (in most copies). Similar degree and equality tests were used in [2, 36] to check similar conditions. The last test is a consistency test, which verifies that (with high probability) parties correctly performed the local computations in (most) copies of the circuit. This checks that the values used by the parties when evaluating a multiplication gate are consistent with the values they obtained from \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\), that the local linear operations were performed correctly, and will also guarantee the soundness of the degree and equality tests. For this test, a random subset of copies is chosen, each party reveals its local view of the computation in those copies, and all parties check that the views are consistent with each other. Similar tests were used in the context of MPC-in-the-head [42, 44].

We note that this high-level overview omits important details (see Sect. 4). For example, the order in which parties commit and reveal the correctness tests’ values is crucial to preserving privacy even when the computations in most copies are incorrect. Using this combination of correctness tests and proving the security of this approach are novel to our work and require subtle analysis.

2.8 Achieving Constant Communication Overhead

Our basic MPC protocol does not achieve constant communication overhead since it increases the communication complexity of the underlying BGW protocol [11] by O(s), where s is a security parameter. We reduce this overhead to constant by replacing [11] with the protocol of Franklin and Yung [26] that uses packed secret sharing.

Loosely speaking, packed secret sharing extends Shamir’s secret sharing, allowing a block of \({{{\mathcal {B}}}}\) secrets to be shared within a single set of shares. To exploit the advantages of packed secret sharing, we will assume the circuit is arranged in layers that contain only one type (addition/multiplication) of gates, where each phase of the protocol evaluates the gates in one layer.

Using packed secret sharing introduces two main differences from the basic protocol. First, before evaluating a specific layer the parties need to rearrange (repack) the shared secrets corresponding to the input wire values of that layer, to align the packing in blocks with the order of gates within the layer. Then, the layer can be evaluated similarly to the basic protocol (where additions are computed locally, and multiplications involve a call to \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\), followed by a local degree reduction step). The second difference from the basic protocol is that to insure correctness we must now check that the parties correctly rearranged the shared secrets between layers. This is checked through an additional “permutation test” [2, 21]. See Sect. 5 for further details.

This protocol reduces the amortized per-gate communication overhead to constant, because in effect the packed secret sharing allows us to evaluate many gates in one “shot.” In particular, the wider the circuit to be evaluated, the larger the gains from employing packed secret sharing.

2.9 Instantiating the Multiplication Functionality

\({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\). We instantiate \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) through a reduction to a simpler functionality \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) which generates (unauthenticated) random triples. All prior protocols that relied on this abstraction (apart from [44]), used actively-secure multiplication protocols to instantiate \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\). Interestingly, we can greatly weaken the security of the multiplication protocol, requiring only a passively-secure instantiation, together with a coin tossing protocol to ensure correctly-sampled randomness. Moreover, our protocol can benefit from a preprocessing stage in an offline/online setting, where the triples are generated in the offline phase, and used in the online phase. The consistency test (described for our basic MPC protocol) will ensure, at the cost of a small overhead, that the triples were correctly generated with respect to the tossed coins. We note that unlike prior works, our security analysis can tolerate a small number of ill-formed triples without violating secrecy.

2.10 Related Techniques

Conceptually, our consistency test can be viewed as a combination of the cut-and-choose approach [49] and the watchlist mechanism of [44]. Indeed, on the one hand we maintain multiple copies of the computed circuit, yet unlike the cut-and-choose technique the checked copies are not discarded, but rather used in the remainder of the computation to reconstruct the outputs. On the other hand, the purpose of our consistency test is similar to the watchlist channels, which add privacy and correctness to passively-secure protocols. The main difference between our tests and the watchlists of [44] is that in IPS these channels are used to constantly enforce correct behavior throughout the protocol execution (and consequently also cause a high overhead), whereas we perform a single consistency test after the protocol execution has (essentially) ended, right before the output is reconstructed. These correctness enforcement mechanisms are known to have limitations to achieving scalable MPC. Specifically, the asymptotic limit of cut-and-choose is \(O(s/\log \left| {\textrm{C}}\right| )\) [68], whereas the watchlists mechanism requires \(O(s\cdot n)\) virtual servers for the outer protocol [48]. In both cases, the communication grows with some statistical parameter and is hence neither constant-overhead nor scalable.

3 Preliminaries

Basic notations We denote a security parameter by \(\kappa \). We say that a function \(\mu :{\mathbb {N}}\rightarrow {\mathbb {N}}\) is negligible if for every positive polynomial \(p(\cdot )\) and all sufficiently large \(\kappa \)’s it holds that \(\mu (\kappa )<\frac{1}{p(\kappa )}\). We use the abbreviation PPT to denote probabilistic polynomial-time and denote by [n] the set of elements \(\{1,\ldots ,n\}\) for some \(n\in {\mathbb {N}}\). We assume functions to be represented by an arithmetic circuit \(\textrm{C}\) (with addition and multiplication gates of fan-in 2) and denote the size of \(\textrm{C}\) by \(|\textrm{C}|\). By default we define the size of the circuit to include the total number of gates including input gates. For a random variable X, we use \({\textsf {Supp}}(X)\) to denote the set of values which X takes with positive probability.

In this work, we focus on designing actively-secure protocols with constant communication overhead over the best passively-secure protocols. More specifically, we say that an MPC protocol \(\Pi \) for a functionality \({{{\mathcal {F}}}}\) has communication overhead o over an MPC protocol \(\Pi '\) for \({{{\mathcal {F}}}}\) if \(\frac{\textsf{CC}_\Pi }{\textsf{CC}_{\Pi '}}=o\), where \(\textsf{CC}_\Pi ,\textsf{CC}_{\Pi '}\) are the communication complexities of \(\Pi ,\Pi '\), respectively. If \(\Pi '\) is the passively-secure protocol for \({{{\mathcal {F}}}}\) with smallest known communication complexity, then we say that \(\Pi \) has communication overhead o over the best passively-secure protocol.

3.1 Layered Arithmetic Circuits

An arithmetic circuit defined over a finite field \({\mathbb {F}}\) is a directed acyclic graph, where nodes (or gates) are labeled either as input gates, output gates or computation gates. Input gates have no incoming edges (or wires), while output gates have a single incoming wire and no outgoing wires. Computation gates are labeled with a field operations (either addition or multiplication),Footnote 2 and have exactly two incoming wires, which we denote as the left and right wire. A circuit with i input gates and o output gates over a field \({\mathbb {F}}\) represents a function \(f:{\mathbb {F}}^i\rightarrow {\mathbb {F}}^o\) whose value on input \(x=\left( x_1,\dots ,x_i\right) \) can be computed by assigning a value to each wire of the circuit. Note that this abstraction captures Boolean circuits as well, by setting \({\mathbb {F}}= {{\mathbb {G}}}{{\mathbb {F}}}(2)\). In this work, we will exploit an additional structure of the circuit. Specifically, the gates of an arithmetic circuit can be partitioned into ordered layers \({{{\mathcal {L}}}}_1,\dots ,{{{\mathcal {L}}}}_d\), such that i) a layer only consists of gates of the same type (i.e., addition, multiplication, input or output gates belonging to the same party), and ii) the incoming wires of all gates of layer i originate from gates in layers 0 to \(i-1\).

3.2 Oblivious Transfer

1-out-of-2 oblivious transfer (OT) [25, 59] is a fundamental functionality in secure computation between a sender S and a receiver R, which allows R to learn only one of the S’s inputs while S learns nothing about R’s input. In this paper, we consider the basic 1-out-of-2 OT functionality and employ it to implement a product of two values using their additive shares; see Fig. 1 for the formal description.

Fig. 1
figure 1

The oblivious transfer functionality

Full size image

3.3 Oblivious Linear Evaluation

An extension of the oblivious transfer functionality for larger fields is the Oblivious Linear Evaluation functionality (OLE) [57]. More concretely, OLE over a field \({\mathbb {F}}\) takes a field element \(x\in {\mathbb {F}}\) from the receiver and a pair \((a,b)\in {\mathbb {F}}^2\) from the sender and delivers \(ax+b\) to the receiver. Note that in the case of binary fields, OLE can be realized via a single call to the standard (bit-) 1-out-of-2 OT functionality; see Fig. 2 for the formal description.

Fig. 2
figure 2

The oblivious linear evaluation functionality

Full size image

3.4 Commitment Schemes

A commitment scheme is a two-phase protocol that allows a sender S to commit some value v to a receiver R while simultaneously hiding v from R during the first “Commit” phase (the hiding property), and guaranteeing that the commit phase determines a unique value which can be later revealed in the second “Opening” phase (this property is called binding, the sender can always refuse to open the commitment, but cannot open it to a different value). The formal description of functionality \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COM}}\) is depicted in Fig. 3.

Fig. 3
figure 3

The string commitment functionality

Full size image

3.5 Multiplication Functionalities

A core building block in our protocols is a multiplication functionality \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) shown in Fig. 4 that takes additive shares of two secrets over some field \({\mathbb {F}}\) and produces additive shares of their product. In fact, we will reduce \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) to a random instance \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\), shown in Fig. 5, where all shares are chosen uniformly at random from \({\mathbb {F}}\). The reduction, due to Beaver [6], is as follows. Denote by [a] the additive sharing of some value \(a\in {\mathbb {F}}\), namely the tuple \((a_1,\ldots ,a_m)\). Then, given a random triple [a], [b], [c] obtained as the output of \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\), and inputs [x], [y] for \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\), we can compute [xy] by first reconstructing \(e = [x+a]\) and \(d = [y+b]\). Next, the parties compute a (trivial) secret sharing [ed] of ed by having \(P_1\) set its share to ed, and the rest of the parties set their shares to 0. Finally, the parties compute the following equation (each party locally computes the equation on its own shares)

$$\begin{aligned}{}[xy] = [c] + e[y] + d[x] - [ed] = [ab] + (x+a)[y] + (y+b)[x] - (x+a)(y+b). \end{aligned}$$
Fig. 4
figure 4

The multiplication functionality

Full size image
Fig. 5
figure 5

The random multiplication functionality

Full size image

3.6 Secret Sharing

A secret sharing scheme allows a dealer to distribute a secret among n parties, where each party receives a share (or piece) of the secret during a sharing phase. In its simplest form, the goal of (threshold) secret sharing is to allow only subsets of players of size at least \(t+1\) to reconstruct the secret. More formally a \(t+1\)-out-of-n secret sharing scheme comes with a sharing algorithm that on input a secret s outputs n shares \(s_1,\ldots ,s_n\) and a reconstruction algorithm that takes as input \(((s_i)_{i \in S},S)\) where \(|S| > t\) and outputs either a secret \(s'\) or \(\bot \). In this work, we will use Shamir’s secret sharing scheme [63] with secrets in \({\mathbb {F}}= {{\mathbb {G}}}{{\mathbb {F}}}(2^\kappa )\). We present the sharing and reconstruction algorithms below:

  • Sharing algorithm: For any input \(s \in {\mathbb {F}}\), pick a random polynomial \(p(\cdot )\) of degree t in the polynomial-field \({\mathbb {F}}[x]\) with the condition that \(p(0) = s\) and output \(p(1),\ldots ,p(n)\).

  • Reconstruction algorithm: For any input \((s_i')_{i \in S}\) where none of the \(s_i'\) are \(\bot \) and \(|S| > t\), compute a polynomial g(x) such that \(g(i) = s_i'\) for every \(i \in S\). This is possible using Lagrange interpolation where g is given by

    $$\begin{aligned} g(x) = \sum _{i \in S} s_i' \prod _{j \in S/\{i\}} \frac{x - j}{i-j}~. \end{aligned}$$

    Finally the reconstruction algorithm outputs g(0).

3.6.1 Packed Secret Sharing

The concept of packed secret sharing was introduced by Franking and Yung in [26] in order to reduce the communication complexity of secure multi-party protocols and is an extension of standard secret sharing. In particular, the authors considered Shamir’s secret sharing with the difference that the number of secrets \(s_1,\ldots ,s_\ell \) is now \(\ell \) instead of a single secret, where the secrets are represented as the evaluations of a polynomial \(p(\cdot )\) at \(\ell \) distinct points. To ensure privacy in case of t colluding corrupted parties, \(p(\cdot )\) must have degree at least \(t+\ell \). Packed secret sharing inherits the linearity property of Shamir’s secret sharing, with the added benefit that it supports batch (block-wise) multiplications. This was used to design secure computation protocols with an honest majority and constant amortized overhead [21]. For this reason, we use this tool in our honest majority MPC protocol embedded within our dishonest majority protocol from Sect. 4, leveraging its advantages to improve the overhead of the former protocol.

3.7 Error-Correcting Codes

A crucial ingredient in our construction is the use of Reed–Solomon codes as a packed secret sharing scheme [26] (as defined in Sect. 3.6). In what follows, we provide our coding notations and related definitions.

3.7.1 Coding Notation

For a code \(C\subseteq \Sigma ^n\) and vector \(v\in \Sigma ^n\), we denote by d(vC) the minimal distance of v from C, namely the number of positions in which v differs from the closest codeword in C, and by \(\Delta (v,C)\) the set of positions in which v differs from such a closest codeword. (In case of a tie, take the lexicographically first closest codeword.) For any \(k\le d(v,C)\), we say that v is k-close to C, and for every \(k> d(v,C)\), we say that v is k-far from C. We further denote by d(VC) the minimal distance between a vector set V and a code C, namely \(d(V,C) = \min _{v\in V}\{d(v,C)\}\).

Definition 1

(Reed–Solomon code) For positive integers nk, finite field \({\mathbb {F}}\), and a vector \(\eta =(\eta _1,\ldots ,\eta _n)\in {\mathbb {F}}^n\) of distinct field elements, the code \({{\textsf{R}}}{{\textsf{S}}}_{{\mathbb {F}},n,k,\eta }\) is the \([n,k,n-k+1]\)-linear codeFootnote 3 over \({\mathbb {F}}\) that consists of all n-tuples \((p(\eta _1),\ldots ,p(\eta _n))\) where p is a polynomial of degree \(<k\) over \({\mathbb {F}}\).

Definition 2

(Encoded message) Let \(L={{\textsf{R}}}{{\textsf{S}}}_{{\mathbb {F}},n,k,\eta }\) be an RS code and \(\zeta =(\zeta _1,\ldots ,\zeta _w)\) be a sequence of distinct elements of \({\mathbb {F}}\) for \(w\le k\). For \(u\in L\) we define the message \(\textsf{Decode}_\zeta (u)\) to be \((p_u(\zeta _1),\ldots ,p_u(\zeta _w))\), where \(p_u\) is the polynomial (of degree \(<k\)) corresponding to u. For \(U\in L^m\) with rows \(u^1,\ldots ,u^m\in L\), we let \(\textsf{Decode}_\zeta (U)\) be the length mw vector \(x = (x_{11},\ldots ,x_{1w},\ldots ,x_{m1},\ldots ,x_{mw})\) such that \((x_{i1},\ldots ,x_{iw})=\textsf{Decode}_\zeta (u^i)\) for \(i\in [m]\). We say that u L-encodes x (or simply encodes x) if \(x=\textsf{Decode}_\zeta (u)\).

Moreover, we recall that \(\textsf{Decode}_\zeta (\cdot )\) is a linear operation, i.e., for any \(a,b \in {\mathbb {F}}^n\) (even if ab are not in L), \(\textsf{Decode}_\zeta (a+b) = \textsf{Decode}_\zeta (a) + \textsf{Decode}_\zeta (b)\).

It will be convenient to view m-tuples of codewords in L as codewords in an interleaved code \(L^m\). We formally define this notion below.

Definition 3

(Interleaved code) Let \(L\subset {\mathbb {F}}^n\) be an [nkd] linear code over \({\mathbb {F}}\). We let \(L^m\) denote the [nmkd] (interleaved) code over \({\mathbb {F}}^m\) whose codewords are all \(m\times n\) matrices U such that every row \(U_i\) of U satisfies \(U_i\in L\). For \(U\in L^m\) and \(j\in [n]\), we denote by U[j] the j’th symbol (column) of U.

3.8 Packed Secret Sharing over Constant-Sized Fields

Using a Reed–Solomon (i.e., Shamir sharing)-based scheme will require an underlying field of size at least as large as the “length of the code plus the number of packed secrets.” Thus, Reed–Solomon codes as described in the previous section will suffice for our main results over large fields, but for small fields (including, the Boolean field), this results in a multiplicative overhead which is logarithmic in the field size and will increase the overhead by too much. We will instead rely on a packed secret sharing scheme based on Algebraic-Geometric (AG) Codes whose use in MPC was first identified by Chen and Cramer [13].

The precise object that we need in our results is a strongly-multiplicative linear secret sharing scheme that admits packing. We use the following definitions that are almost verbatim from [54].

Definition 4

(Packed Secret Sharing) For integers nw, and finite field \({\mathbb {F}}\), a packed secret sharing over \({\mathbb {F}}\) with t-privacy and r-reconstruction is a vector of random variables \({\textbf{X}} = (X_0,X_1,\ldots ,X_n)\) where \(X_0\) is over \({\mathbb {F}}^w\) and each \(X_i\), for \(i > 0\), is over \({\mathbb {F}}\) such that:

  1. 1.

    \(X_0\) is uniformly distributed over \({\mathbb {F}}^w\).

  2. 2.

    t-privacy: For any subset \(B\subseteq [n]\) of size at most t, \(x \in X_0\), \(x_B \in {\mathbb {F}}^{|B|}\), it holds that

    $$\begin{aligned} \Pr [X_B = x_B | X_0 = x] > 0 \text{ and } \Pr [X_0 = x | X_B = x_B] = 1/|{\mathbb {F}}| \end{aligned}$$

    where \(X_B = (X_i)_{i \in B}\).

  3. 3.

    r-reconstruction: Given any subset \(B \subseteq [n]\) of size at least \(t+1\), and any \(x_B \in {\mathbb {F}}^{|B|}\) in the support of \(X_B\), there is a unique \(x_0\in {\mathbb {F}}^w\) with \(Pr[X_0 = x_0|X_B = x_B] = 1\).

Definition 5

(Packed Secret Sharing scheme with strong multiplicativity) We say that a packed secret sharing scheme \({\textbf{X}} = (X_0,X_1,\ldots ,X_n)\) is t-strongly multiplicative if it has t-privacy, \((n-t)\)-reconstruction and additionally satisfies:

  • product reconstruction: The secret sharing scheme obtained by considering the uniform distribution over \(\text{ span}_{{\mathbb {F}}}\{c_1 \odot c_2 | c_1, c_2 \in {\textbf{X}}\}\) has \((n-t)\)-reconstruction.

We will be interested only in linear secret sharing schemes where sharing, reconstruction and product reconstruction are affine functions over a prime power finite field, i.e., \({\mathbb {F}}= {\mathbb {F}}_q\) for some prime power q. We rely on the following theorem stated in [54] that is instantiated using Garcia–Stichtenoth tower [62] based on AG codes.

Theorem 1

(Corollary 4 [54]) Let \(0< \epsilon < 1\), \(q \approx \frac{144}{\epsilon ^2}\) be an even power of a prime, and \(\gamma = \frac{\epsilon }{6}\). There exists a family of \(\frac{(1-\epsilon )n_i}{3}\)-strongly multiplicative linear secret sharing schemes with \(X_0 \in {\mathbb {F}}_q^{\frac{\epsilon n_i}{6}}\) when \(n_i \rightarrow \infty \).

We note that for any small prime p, we can embed the field \({\mathbb {F}}_p\) in \({\mathbb {F}}_q\) for q being an even prime power of p.

3.9 Secure Multi-party Computation (MPC)

We use a standard stand-alone definition of secure multi-party computation protocols. In this work, we only consider static corruptions, i.e., the adversary decides which parties it corrupts before the execution begins. Following [40], we use two security parameters in our definition: a computational security parameter \(\kappa \), and a statistical security parameter s that captures a statistical error of up to \(2^{-s}\). We assume that \(s\le \kappa \). We let \({{{\mathcal {F}}}}\) be a multi-party functionality that maps a set of n inputs to an output over some field \({\mathbb {F}}\) (w.l.o.g).

Let \(\Pi = \langle P_1,\ldots ,P_n \rangle \) denote a multi-party protocol, where each party is given an input \(x_i\) and security parameters \(1^s\) and \(1^\kappa \). We allow honest parties to be PPT in the entire input length (this is needed to ensure correctness when no party is corrupted), but bound adversaries to time \({\textsf{poly}}(\kappa )\). (This effectively means that we only require security when the input length is bounded by some polynomial in \(\kappa \).) We denote by \(\textbf{REAL}_{\Pi ,{{{\mathcal {A}}}}(z)}(x_1,\ldots ,x_n,\kappa ,s)\) the output of the honest parties and the adversary \({{{\mathcal {A}}}}\) controlling a subset \(I\subset [n]\) of parties in the real execution of \(\Pi \), where z is the auxiliary input, \(x_i\) is \(P_i\)’s initial input, \(\kappa \) is the computational security parameter, and s is the statistical security parameter. We denote by \(\textbf{IDEAL}_{{{{\mathcal {F}}}},{{{\mathcal {S}}}}(z)}(x_1,\ldots ,x_n,\kappa ,s)\) the output of the honest parties and the simulator \({{{\mathcal {S}}}}\) in the ideal model where \({{{\mathcal {F}}}}\) is computed by a trusted party. In some of our protocols, the parties have access to ideal model implementations of certain cryptographic primitives such as ideal oblivious transfer (\({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{OT}}\)). We denote such executions by \(\textbf{REAL}^{{{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{OT}}}_{\Pi ,{{{\mathcal {A}}}}(z)}(x_1,\ldots ,x_n,\kappa ,s)\).

Definition 6

A protocol \(\Pi = \langle P_1,\ldots ,P_n \rangle \) is said to securely compute a functionality \({{{\mathcal {F}}}}\) in the presence of active adversaries if the parties always have the correct output \({{{\mathcal {F}}}}(x_1,\ldots ,x_n)\) when neither party is corrupted, and moreover, the following security requirement holds. For any probabilistic \({\textsf{poly}}(\kappa )\)-time adversary \({{{\mathcal {A}}}}\) controlling a subset \(I\subset [n]\) of parties in the real world, there exists a probabilistic \({\textsf{poly}}(\kappa )\)-time adversary (simulator) \({{{\mathcal {S}}}}\) controlling I in the ideal model, such that for every non-uniform \({\textsf{poly}}(\kappa )\)-time distinguisher \({{{\mathcal {D}}}}\) there exists a negligible function \(\nu (\cdot )\) such that the following ensembles are distinguished by \({{{\mathcal {D}}}}\) with at most \(\nu (\kappa )+2^{-s}\) advantage:

  • \(\{\textbf{REAL}_{\Pi ,{{{\mathcal {A}}}}(z),P_i}(x_1,\ldots ,x_n,\kappa ,s)\}_{\kappa \in {\mathbb {N}},s \in {\mathbb {N}},x_1,\ldots ,x_n,z \in \{0,1\}^*}\)

  • \(\{\textbf{IDEAL}_{{{{\mathcal {F}}}},{{{\mathcal {S}}}}(z),P_i}(x_1,\ldots ,x_n,\kappa ,s)\}_{\kappa \in {\mathbb {N}},s \in {\mathbb {N}},x_1,\ldots ,x_n,z \in \{0,1\}^*}\)

3.9.1 Secure Circuit Evaluation

The above definition considers \({{{\mathcal {F}}}}\) to be an infinite functionality, taking inputs of an arbitrary length. However, our protocols (similarly to other protocols from the literature) are formulated for a finite functionality \({{{\mathcal {F}}}}:{\mathbb {F}}^{\alpha _1}\times \cdots \times {\mathbb {F}}^{\alpha _n}\rightarrow {\mathbb {F}}\) described by an arithmetic circuit \(\textrm{C}\) (where the computation is performed over a finite field \({\mathbb {F}}\)). Such protocols are formally captured by a polynomial-time protocol compiler that, given security parameters \(1^\kappa ,1^s\) and a circuit \(\textrm{C}\), outputs n circuits \((P_1,\ldots ,P_n)\) that implement the next message function of n parties in the protocol (possibly using oracle calls to a cryptographic primitive or an ideal functionality oracle). Similar to Definition 6, the correctness requirement (when no party is corrupted) holds for any choice of \(\kappa ,s,\textrm{C}\), while the security requirement only considers adversaries that run in time \({\textsf{poly}}(\kappa )\). That is, we require indistinguishability (in the sense of Definition 6) between

  • \(\{\textbf{REAL}_{\Pi ,{{{\mathcal {A}}}}(z)}(\textrm{C},x_1,\ldots ,x_n,\kappa ,s)\}_{\kappa \in {\mathbb {N}},s \in {\mathbb {N}},\textrm{C}\in {{{{\mathcal {C}}}}},x_1,\ldots ,x_n,z \in \{0,1\}^*}\)

  • \(\{\textbf{IDEAL}_{{{{\mathcal {F}}}},{{{\mathcal {S}}}}(z),P_i}(\textrm{C},x_1,\ldots ,x_n,\kappa ,s)\}_{\kappa \in {\mathbb {N}},s \in {\mathbb {N}},\textrm{C}\in {{{{\mathcal {C}}}}},x_1,\ldots ,x_n,z \in \{0,1\}^*}\)

where \({{{\mathcal {C}}}}\) is the class of arithmetic circuits that take n vectors of field elements as inputs and output a field element, \(x_1,\ldots ,x_n\) are of lengths corresponding to the inputs of \(\textrm{C}\), \({{{\mathcal {F}}}}\) is the functionality computed by \(\textrm{C}\), and the next message functions of the parties \(P_1,\ldots ,P_n\) are as specified by the protocol compiler on inputs \(1^\kappa ,1^s,\textrm{C}\). We assume that \(\textrm{C}\) is arranged in d layers where each layer contains only multiplication gates or only addition gates over \({\mathbb {F}}\). We further assume that each layer takes its input only from the previous layers and provides output to subsequent layers. The size of the circuit \(\textrm{C}\), denoted by \(\left| {\textrm{C}}\right| \), is defined as the number of gates plus the number of wires. Its depth is the length of the longest path from an input to an output which, in the case of layered circuits, is equal to the number of layers.

4 Basic MPC Protocol

In this section, we describe a simple variant of our MPC protocol, which we build on in Sect. 5 to achieve constant overhead.

Our starting point is a passively-secure variant of the BGW protocol [11], which we amplify to the actively-secure dishonest-majority setting. Amplifying the security of this protocol requires facing three challenges: (1) high overhead due to the degree reduction sub-protocol; (2) security holds only with a dishonest minority; and (3) security holds only against passive corruptions.

Our strategy toward addressing the first issue is to have parties locally perform the degree reduction procedure which the degree reduction sub-protocol implements, thus (almost) eliminating the interaction it requires. This is achieved by using a second layer of secret sharing.

Concretely, our MPC protocol with m parties relies on two layers of secret sharing schemes: (1) first layer sharing: Reed–Solomon codes (which can be thought of as Shamir’s secret sharing), denoted by L-encoding, where \(L={{\textsf{R}}}{{\textsf{S}}}_{{\mathbb {F}},n,k,\eta }\) (cf. Sect. 3.7); and (2) second layer sharing: additive secret sharing.Footnote 4 Throughout the execution, the parties hold additive shares of the L-encodings of the wires of the evaluated circuit \(\textrm{C}\). We note that using this two-layer secret sharing decouples the number of parties m from the length of the encoding n, since (unlike passive-BGW) parties no longer hold the symbols of the L-encodings. In fact, it will be useful to have \(m\ne n\). Intuitively, this can be thought of as having the parties emulate n copies of \(\textrm{C}\), where the wires of the l’th copy carry the l’th symbol in the L-encodings of the wire values of \(\textrm{C}\), and these symbols are additively shared among the parties. The execution maintains the invariant that when evaluating the gates in layer \({{{\mathcal {L}}}}\), the parties hold for each copy l additive shares of the l’th symbols in the L-encodings of the outputs of previous layers.

Our protocol is described in the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\)-hybrid model (cf. Sect. 3.5) which generates m additive shares of random triples and is used to execute multiplications. In more detail, the parties evaluate the n copies of \(\textrm{C}\) layer by layer, locally performing additions, substractions and multiplications by a constant (this is possible due to the linear nature of our secret sharing schemes), whereas multiplication gates require communication.

Roughly, a multiplication gate G in the l’th copy of \(\textrm{C}\) is evaluated as follows. The parties hold additive shares of the l’th symbols \(A^l,B^l\) at the inputs of G and use \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) (and a reduction from \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) to \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\), described in Sect. 3.5) to obtain additive shares of the product \(A^l B^l\). Across all copies, these products form an \({\tilde{L}}\)-encoding of the output wire of G, where \({\tilde{L}}={{\textsf{R}}}{{\textsf{S}}}_{{\mathbb {F}},n,2 k,\eta }\). To obtain a fresh L-encoding of the output wire, each party interprets its additive shares of the \({\tilde{L}}\)-encoding (across all copies) as an encoding in \({{\textsf{R}}}{{\textsf{S}}}_{{\mathbb {F}},n,n,\eta }\), decodes it and then generates a fresh L-encoding of this decoded value. The additive shares obtained through this procedure reconstruct to the correct value because degree reduction is a linear operation.

Employing a second secret sharing layer solves the second challenge (that passive-BGW is only private in the honest majority setting) since a subset of parties learn only a strict subset of additive shares. The third challenge (passive-BGW is only secure against passive corruptions) is handled by incorporating correctness-enforcing tests into the protocol, as described in Sect. 2.

Our detailed protocol is given in Figs. 6, 7, 8. We next state the following theorem:

Fig. 6
figure 6

Actively Secure MPC \(\Phi \)—Part 1 (Circuit Emulation)

Full size image
Fig. 7
figure 7

Actively Secure MPC \(\Phi \)—Part 2 (Correctness Tests Commitments)

Full size image
Fig. 8
figure 8

Actively Secure MPC \(\Phi \)—Part 3 (Correctness Tests)

Full size image

Theorem 2

Protocol \(\Phi \) described in Figs. 6, 7, 8 securely realizes \({{{\mathcal {F}}}}\) in the (\({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COM}},{{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}},{{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COIN}}\))-hybrid model, tolerating \(m-1\) active (static) corruptions, with statistical security error

$$\begin{aligned} \left( 1-e/n\right) ^\delta + \frac{n-k+2}{\left| {{\mathbb {F}}}\right| } + 2^{-\Omega (e)} \end{aligned}$$

where \(k > \delta +4e\),\(n>2k + 4e\) and \(e\le (n-k+1)/3\).

We first give an overview of the proof.

4.1 Proof Overview

The simulation follows by having the simulator \({\textsf {Sim}}\) execute the protocol with the adversary, emulating the ideal functionalities for it, and emulating the honest parties on dummy 0-inputs. Before executing the output decommitment step, \({\textsf {Sim}}\) performs several checks regarding the actions of the corrupted parties. Specifically, the simulator determines the set E of copies for which, if they were chosen during the consistency test, the test would fail. It also identifies the set \(E'\) of copies in which the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) values the corrupted parties committed to are inconsistent with the ones \({\textsf {Sim}}\) provided to them. Then, it verifies that \(\left| {E}\right| \le e,\left| {E}\right| '\le 3e\), and that there exist \({\hat{U}},\hat{\vec {X}}_i,i\in [m]\), and \(\hat{\vec {z}}\) which are valid encodings in the appropriate (interleaved) codes that agree with \(\sum _{i\in [m]}U_i,\vec {X}_i,i\in [m]\), and \(\sum _{i\in [m]}\vec {z}_i\) (respectively) except for the copies in E. It also verifies that there exists a \({\hat{V}}\) in the interleaved code over \({\tilde{L}}\) that agrees with \(\sum _{i\in [m]}V_i\) except for the copies in \(E\cup E'\). We note that \({\textsf {Sim}}\) can perform these checks because it emulated the internal ideal functionalities for the adversary, whereas the honest parties in the protocol cannot perform these checks. If all checks pass, then \({\textsf {Sim}}\) can extract effective inputs for the corrupted parties and use them to obtain the output from the trusted party. Finally, \({\textsf {Sim}}\) “corrects” the output shares of the honest parties to share the correct outputs.

Next, we highlight some of the challenges we face when proving indistinguishability of the simulated and real views. Recall that unlike [44] we run a single consistency test, right before output reconstruction. Thus, we essentially have one “shot” to catch the adversary, causing the test to be more involved. Another challenge is that parties are only committed to small portions of the execution, whereas in [44] parties commit to all their messages via the watchlists channels. Consequently, \({\textsf {Sim}}\) cannot verify correct behavior directly by checking the messages, and instead we need to show that the messages can be extracted from the partial information which parties commit to. Fortunately, we show that correctness can be defined based on the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) inputs, and the transcript of the reduction from \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) to \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\). Finally, correctness is guaranteed by the combination of local and global checks in our protocol. Specifically, the consistency test verifies local correctness of the computation within each copy, by inspecting a subset of copies; and the degree and equality tests verify that some global relation holds over all copies (i.e., all additive shares).

In the proof, we show that if all the protocol tests pass then except with negligible probability, all the conditions checked by the simulator before the output reconstruction phase hold, and moreover, the output is consistent with the outputs of the honest parties, and the effective outputs that \({\textsf {Sim}}\) extracts for the corrupted parties. Thus, it suffices to prove indistinguishability of the simulated distribution and a hybrid distribution which is obtained from the real execution by performing \({\textsf {Sim}}\)’s checks, and aborting if they are violated. The difference between the hybrid and simulated distributions is that the honest parties use their real inputs in the former, and 0-inputs in the latter. We prove indistinguishability by a case analysis based on which tests pass. Intuitively, the views revealed during the consistency tests are identically distributed due to the secrecy of Shamir’s secret sharing scheme (alternatively, Reed–Solomon codes). The degree test values are indistinguishable because the honest parties’ values are valid L-encodings, which are uniformly random due to the masking by the \(\vec {\gamma }_i\)’s. The equality test values are indistinguishable because the sum of honest parties’ values is valid \({\tilde{L}}\)-encodings of \(\vec {0}\), which are uniformly random subject to this constraint due to the masking by the \(\vec {{\widetilde{\gamma }}}_i\)’s. Since the equality test values are masked by additive shares of \(\vec {0}\), the values themselves are identically distributed. Finally, conditioned on all tests passing, the output shares are uniformly random L-encodings whose sum encodes the correct output, due to the masking by the \(\vec {\nu }_i\)’s. We note that the \(\vec {\nu }_i\)’s are used only to mask the output shares. They are included in the degree and equality tests to guarantee they form a correct sharing (i.e., a sharing of 0 of the appropriate degree), but are not used for privacy of these latter tests. Instead, the \(\vec {\gamma }_i\)’s and \(\vec {{{\tilde{\gamma }}}}_i\)’s are used to guarantee the privacy of the degree and equality tests, respectively. We proceed to formally prove Theorem 2.

Proof of Theorem 2

We begin by defining the simulator and then prove indistinguishability of the real and simulated views. \(\square \)

4.1.1 Simulation overview

On a high-level, the simulator \({\textsf {Sim}}\) will emulate an execution of the protocol with the adversary \({{{\mathcal {A}}}}\) by honestly playing the role of the honest parties with arbitrary inputs (specifically, 0). If all the tests pass, it will extract effective inputs for the adversary, use them to obtain the output from the functionality and manipulate the output to reveal the correct values.

More formally, let \({{{\mathcal {A}}}}\) be an adversary corrupting a set \({{{\mathcal {T}}}}\) of at most \(m-1\) parties. We describe the simulator \({\textsf {Sim}}\) for \({{{\mathcal {A}}}}\). \({\textsf {Sim}}\) begins an emulation with \({{{\mathcal {A}}}}\) and emulates \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COM}},{{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COIN}}\) and \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) for the adversary.

  1. 1.

    In the initialization phase, \({\textsf {Sim}}\) emulates the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) and \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COM}}\) oracles for \({{{\mathcal {A}}}}\) while honestly simulating the uncorrupted parties. Then, it obtains from \({{{\mathcal {A}}}}\) the randomness which the corrupted parties send to the commitment oracle and records these values.

  2. 2.

    In the input sharing step, \({\textsf {Sim}}\) obtains from the corrupted parties the purported L-encoding which they send to the commitment oracle, as well as the messages they send to the honest parties (i.e., the additive shares), and records these values. Additionally, \({\textsf {Sim}}\) honestly emulates the honest parties with input 0 to generate the L-encodings of their inputs, and the additive shares of these encodings. Finally, \({\textsf {Sim}}\) sends the corrupted parties’ shares (of the input encodings of the honest parties) to the adversary.

  3. 3.

    In the emulation phase, \({\textsf {Sim}}\) emulates the computation gate by gate. Notice that messages are only exchanged for multiplication gates. For multiplication gates, the simulator emulates the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) to \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) reduction with the adversary, honestly playing the role of the honest parties (with the values computed for them so far).

  4. 4.

    In the output commitment step, \({\textsf {Sim}}\) records the output commitments sent by the corrupted parties to \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COM}}\). Then, \({\textsf {Sim}}\) honestly emulates the honest parties and records their re-randomized output shares they would have committed to.

  5. 5.

    In the commit to degree and equality test steps, the simulator emulates the coin tossing oracle for the parties and sends its output to the adversary. Then, \({\textsf {Sim}}\) obtains and records the degree and equality test values which the corrupted parties send to the commitment oracle.

  6. 6.

    In the consistency test, the simulator honestly emulates the coin tossing oracle for the parties and sends \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COIN}}\)’s output \(\Gamma \subseteq \left[ n\right] ,\left| {\Gamma }\right| =\delta \) to the adversary. Then, for every \(l\in \Gamma \) it sends to \({{{\mathcal {A}}}}\) the view of the honest parties in the execution of the l’th copy of \(\textrm{C}\). Next, \({{{\mathcal {A}}}}\) decides whether to open the commitments to the corresponding views of the corrupted parties. If \({{{\mathcal {A}}}}\) decides not to open the views, or an inconsistency is detected, the simulator halts and outputs the view generated so far.

  7. 7.

    In the degree test check, \({\textsf {Sim}}\) sends to \({{{\mathcal {A}}}}\) the values generated by the honest parties for the degree test. Then, \({{{\mathcal {A}}}}\) decides whether to open the commitments to the degree test. If \({{{\mathcal {A}}}}\) decides not to open, or the degree test fails (i.e., the decommitted values do not constitute a valid L-encoding), then \({\textsf {Sim}}\) halts and outputs the view generated so far.

  8. 8.

    In the equality test check, \({\textsf {Sim}}\) sends to \({{{\mathcal {A}}}}\) the values generated by the honest parties for the equality test. Then, \({{{\mathcal {A}}}}\) decides whether to open the commitments to the equality test. If \({{{\mathcal {A}}}}\) decides not to open, or the equality test fails (i.e., the decommitted values do not constitute a valid \({\tilde{L}}\)-encoding of 0), then \({\textsf {Sim}}\) halts and outputs the view generated so far.

  9. 9.

    Let \(\Gamma \) be the set of indices that were opened in the consistency test. Before proceeding to the output decommitment phase, the simulator performs the following tests, aborting with output \(\mathsf fail\) if any of them fail:

    1. (a)

      Consistency of local computations: There exists a set E of size at most e, such that in all but the copies in E the views of all parties are locally consistent. We say that the view of \(P_i\) in a copy l is locally consistent if the consistency test passes for copy l when it is chosen in \(\Gamma \).

    2. (b)

      Consistency with L-encodings: Let \(U_i\) be the matrix that \(P_i\) computed and committed to during the degree test. Let \(\vec {X}_i,\vec {z}_i\) be the input and output shares committed by party \(P_i\) during the input sharing and output steps (respectively), and let \(U = \sum _{i=1}^{m} U_i\) and \(\vec {z}=\sum _{i=1}^{m}\vec {z}_i\). \({\textsf {Sim}}\) checks if \(\Delta (U,L^h) \subseteq E\), \(\Delta (\vec {X}_i,L) \subseteq E\) for every \(i\in [m]\), and \(\Delta (\vec {z},L) \subseteq E\). (See Sect. 3.7 for the \(\Delta \left( \cdot ,\cdot \right) \) notation.)

    3. (c)

      Consistency of \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) inputs with commitments: There exists a set \(E'\) of size at most 3e, such that except for the copies in \(E'\), the inputs provided by \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) to the corrupted parties are consistent with the commitments they made in the initialization step. (We note that the simulator can perform this check because it simulates \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) for the corrupted parties, whereas the honest parties in a real execution cannot perform this check since the messages exchanged with \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) cannot be monitored in the real world.)

    4. (d)

      Input extraction: For every \(i\in {{{\mathcal {T}}}}\), \({\textsf {Sim}}\) can extract an effective input for \(P_i\). Specifically, let \(\vec {X}_i=\left( X_i^1,\ldots ,X_i^n\right) \) denote the purported L-encoding to which \(P_i\) committed to in Step 2 of the simulation, and notice that \(\vec {X}_i\) is \(|E|\le e\) close to a valid L-encoding (because the tests in Steps 9a and 9b above passed). Since \(n - 4e> k\), there exists a unique \(\vec {{{\hat{X}}}}_i \in L\) that agrees with \(\vec {X}_i\) on all columns except those in \(E\cup E'\) (and \(\vec {{\hat{X}}}_i\) can be efficiently computed given \(E,E'\) and \(\vec {X}_i\)). \({\textsf {Sim}}\) computes \(\vec {{{\hat{X}}}}_i\) and decodes it to obtain \(x_i^*\).

    5. (e)

      Correctness of degree-reduction: The simulator verifies that the degree reduction step following each multiplication step was performed correctly. In more detail, the simulator reconstructs \(V_i\) for every party \(P_i\) as in the equality test. (For corrupted parties \(P_i\), \(V_i\) can be inferred from the transcript and the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) inputs committed to in the initialization step.) Then, \({\textsf {Sim}}\) decodes each row in U and \(V=\sum _{i=1}^m V_i\) by computing the unique \({\hat{U}}\in L^h\) and \({\hat{V}}\in {\tilde{L}}^h\) that agree with UV (respectively) in all columns except those in \(E, E\cup E'\) (respectively), and decoding \({\hat{U}},{\hat{V}}\). Next, \({\textsf {Sim}}\) verifies that the decoded vectors are equal. We now use the fact that the previous tests have passed, to argue that decoding succeeds and is unique. Specifically, since Steps 9a and 9b passed, we have

      $$\begin{aligned} |\Delta (U,L^{h})| \le |E| \le e < (n-k+1)/3. \end{aligned}$$

      In particular, \(n-e>k\) so \({\hat{U}}\) is unique. As for V, the fact that Steps 9a and 9c passed implies that all multiplications were correctly computed by all parties in all copies excluding \(E \cup E'\). Using also the fact that \(n-4e > 2k\) (so \(n-4e\) columns of V uniquely determine the encoded value), \({\hat{V}}\) is unique. Following a similar decoding procedure, \({\textsf {Sim}}\) decodes \(\vec {w} = \sum _j \vec {w}_j\) and \(\vec {z} = \sum _j \vec {z}_j\) w.r.t L by excluding the columns in E, constructing L-encodings \(\vec {{{\hat{w}}}}\) and \(\vec {{{\hat{z}}}}\) and checking if the decoded values are equal.

  10. 10.

    In the output decommitment phase, for all honest parties but one, denoted by \(P_{i^*}\), \({\textsf {Sim}}\) reveals the output values computed for these parties during the simulation. For \(P_{i^*}\) it proceeds as follows. Since the simulator did not abort in Step 9, an effective input \(x_i^*\) was determined in Step 9d of the simulation for every \(i\in {{{\mathcal {T}}}}\). \({\textsf {Sim}}\) provides \(\left\{ x_i^*\right\} _{i\in {{{\mathcal {T}}}}}\) to the trusted party and obtains the output y. Next, it extracts the value o encoded in the output obtained in the simulation. This can be done in the same way as the rows of U are decoded (because Steps 9a and 9b passed). \({\textsf {Sim}}\) computes an L-encoding \(\vec {o}\) of the value \(y-o\) in which the entries corresponding to the columns in \(\Gamma \cup E \cup E'\) are 0 (this is possible because \(k>\delta +4e\)) and adds \(\vec {o}\) to the output shares of \(P_{i^*}\) before revealing them.

4.1.2 Indistinguishability

Next, we prove indistinguishability of the real and simulated views. Intuitively, the secrecy of the encoding and secret sharing scheme guarantees that the adversary learns nothing beyond the output. (Recall that the encoding we use can be thought of as Shamir’s secret sharing scheme, so it guarantees secrecy.) The consistency, degree and equality tests further ensure, with overwhelming probability, the correct behavior of the adversary.

We proceed to formally prove indistinguishability through a sequence of hybrids, where in each hybrid we output the view of the adversary.

  • \({\mathcal {H}}_0 = \textbf{REAL}\): This is the real-world adversarial view.

We first prove that there exists a set of effective inputs for the corrupted parties such that with high probability either one of the tests in the protocol execution fails, or the output is consistent with the output of \({{{\mathcal {F}}}}\) on the inputs of the honest parties, and the effective inputs for the corrupted parties. Thus, if all the tests pass then with overwhelming probability the computation was correct. Formally,

Claim 4.1

Suppose \(e < (n-k+1)/3\). Then, except with probability

$$\begin{aligned} \left( 1-e/n\right) ^\delta + \frac{n-k+2}{\left| {{\mathbb {F}}}\right| } + 2^{-\Omega (e)} \end{aligned}$$

either one of the degree, equality or consistency test fails, or all of the following holds:

  1. (a)

    There exists a set E of size at most e such that all parties correctly performed the local computations in all copies except those in E.

  2. (b)

    \(\Delta (U,L^h), \Delta (\vec {X}_i,L), \Delta (\vec {\nu },L) \subseteq E\), where \(U = \sum _i U_i\) and \(U_i\) is the matrix which \(P_i\) committed to during the degree test; and \(\vec {X}_i,\vec {\nu }_i\) are the input and output-masking shares committed by party \(P_i\) during the input sharing and initialization steps (respectively).

  3. (c)

    There exists a set \(E'\) of size at most 3e such that except for the copies in \(E'\), the initial commitments of all parties (during the initialization step) are consistent with the values they received from \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\).

  4. (d)

    There exist unique \({{\hat{U}}} \in L^h\), \({{\hat{V}}} \in {\tilde{L}}^h\), \(\vec {{{\hat{X}}}}_i \in L\) for all i, \(\vec {{{\hat{w}}}}_i \in L\) and \(\vec {{{\hat{\nu }}}}_i \in L\) that agree with \(U = \sum _i U_i\), \(V = \sum _i V_i\), \(\vec {X}_i\), \(\sum _i \vec {w}_i\) and \( \vec {\nu }_i\), respectively, on all columns except \(E \cup E'\). Moreover, \({{\hat{U}}}\) and \({{\hat{V}}}\) decode to the same value w.r.t L and \({\tilde{L}}\), respectively, and \(\vec {{{\hat{\nu }}}}\) decodes to 0. Furthermore, the output reconstructed in \({\mathcal {H}}_0\) is \({{{\mathcal {F}}}}(\vec {x}^*_{{{{\mathcal {T}}}}},\vec {x}_{{\overline{{{{\mathcal {T}}}}}}})\), where \(\vec {x}_{{\overline{{{{\mathcal {T}}}}}}}\) denotes the inputs of the honest parties, and \(\vec {x}^*_{{{{{\mathcal {T}}}}}}\) are effective inputs for the corrupted parties, encoded in the \(\vec {{{\hat{X}}}}_i\)’s (i.e., following the procedure described in Step 9d of the simulation.)

Proof

We identify a set of bad events, bound their probabilities and conclude using a union bound.

  • Event \(\left| {E}\right| >e\). Then except with probability \(\left( 1-e/n\right) ^\delta \), the consistency test fails because it checks at least one of the inconsistent copies.

For the next event, we define the matrix

$$M = \left[ \begin{array}{c}U \\ \vec {X}_1 \\ \vdots \\ \vec {X}_m \\ \sum _i \vec {\nu }_i \end{array} \right] .$$

  • Event \(\left| {E}\right| \le e\), and \(d(M,L^{h+m+1}) > e\). Since \(e < (n-k+1)/3\), then [2, Lemma 4.4]Footnote 5 guarantees that

    $$\begin{aligned} \Pr _r\left[ d\left( \vec {r}^T U+\sum _{i=1}^m r'_i\vec {X}_i+ r''\sum _{i=1}^m \vec {\nu }_i,L\right) \le e \right] \le (n-k+1)/{\left| {{\mathbb {F}}}\right| }. \end{aligned}$$

    Furthermore, whenever \(d(\vec {r}^T U+\sum _{i=1}^m r'_i\vec {X}_i+r''\sum _{i=1}^m \vec {\nu }_i,L) > e\) and \(\left| {E}\right| \le e\), then the degree test fails (because the degree test was correctly computed in all copies not in E.) Overall, the degree test fails except with probability \((n-k+1)/{\left| {{\mathbb {F}}}\right| }\).

  • Event \(\left| {E}\right| \le e\), \(d(M,L^{h+m+1}) \le e\) and \(\emptyset \ne \Delta (M,L^{h+m+1}) \not \subseteq E\). We show that in this case the degree test fails except with probability \(1/\left| {{\mathbb {F}}}\right| \). Since \(d(M,L^{h+m+1}) \le e\), \(|E| \le e\) and \(n-2e > k\), then there exists a unique \({\hat{M}}\in L^{h+m+1}\) that agrees with M on all columns except those in \(\Delta (M,L^{h+m+1}) \cup E\). Moreover, since the degree test was computed correctly in all columns excluding E (and therefore excluding \(E\cup \Delta (M,L^{h+m+1})\)) then for every column \(l\notin E\cup \Delta (M,L^{h+m+1})\), the restriction of the linear combination computed during the degree test to column l is equal to this linear combination applied to the l’th column of \({\hat{M}}\). Let \(\vec {v}\) denote the word constructed during the degree test (i.e., obtained through the aforementioned linear combination), and let \(\vec {v}'\in L\) denote the word that would have been constructed had the degree test been applied to \({\hat{M}}\). Then, the degree test passes only if \(\vec {v}\in L\), and since \(d\left( \vec {v},\vec {v}'\right) \le 2e\) and \(n-2e>k\), then \(\vec {v}=\vec {v}'\). Therefore, if there exist \(j\in [h+m+1],l\in [n]\) such that the j’th row \(\vec {w}\) of M has \(l \in \Delta (\vec {w},L) {\setminus } E\), then the degree test was performed correctly for the l’th copy (i.e., column), and moreover, the linear combination it computed on the l’th column was consistent with this linear combination over the l’th column of \({\hat{M}}\) (i.e., \(v_l=v_l'\)). This happens only with probability \(1/\left| {{\mathbb {F}}}\right| \) (because for every \(\vec {r}=\left( r_1,\ldots ,r_{j-1},r_{j+1},\ldots ,r_n\right) \) chosen by \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COIN}}\) for the degree test, there is at most one value of \(r_j\) for which this happens).

  • Event \(\left| {E}\right| \le e\) and \(\left| {E'}\right| > 3e\). For every copy \(l\in E'\), if \(l\in \Gamma \) then the consistency test passes only if \({{{\mathcal {A}}}}\) successfully performed a selective attack on the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) to \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) reduction, which happens with probability at most \(1/\left| {{\mathbb {F}}}\right| \). Moreover, an unsuccessful selective attack in copy l causes a local inconsistency in that copy, so \(\left| {E}\right| \le e\) implies that the selective attack failed in at most e copies. However, using a Chernoff–Hoeffding bound, if \(\left| {E'}\right| >3e\) then the probability that the selective attacks failed in at most e copies is at most

    $$\begin{aligned} 2^{-2(3e)(\frac{2e-3e/\left| {{\mathbb {F}}}\right| -1}{3e})^2} = 2^{-\Omega (e)}. \end{aligned}$$

Footnote 6We now assume that \(\left| {E}\right| \le e, \Delta \left( M,L^{h+m+1}\right) \subseteq E\), and \(\left| {E'}\right| \le 3e\), and show that \(U,V=\sum _iV_i,\vec {X_i},\vec {\nu }_i\) can be uniquely “corrected” to valid encodings. More formally, since \(\left| {E}\right| \le e\), \(\Delta (U,L^h) \subseteq E\) and \(n-e > k\), there exists a unique matrix \({{\hat{U}}} \in L^h\) that agrees with U on all columns except those in E. Similarly, there are unique L-encodings \(\vec {{{\hat{X}}}}_i\) and \(\vec {{{\hat{\nu }}}}_i\) that agree with \(\vec {X}_i\) and \(\vec {\nu }_i\) on all columns excluding those in E. Since multiplications were correctly performed in every column except those in \(E \cup E'\), and \(n-4e > 2k\), then there exists a unique matrix \({{\hat{V}}} \in {\tilde{L}}^h\) that agrees with \(V = \sum _i V_i\) on all columns except those in \(E \cup E'\).

Now, since the equality test was performed correctly in all columns excluding those in \(E \cup E'\) (in particular, \(\sum _j\vec {\psi }_i^{j,l}=\vec {0}\) for every \(l\notin E\cup E'\), so the \(\vec {b}\) element in the equality test does not affect the encoded value) then for every \(l\notin E\cup E'\), the restriction to the l’th column of the linear combination computed during the equality test is equal to this linear combination computed over the l’th columns of \({{\hat{U}}},{{\hat{V}}},\) and \(\sum _i \vec {{{\hat{\nu }}}}_i\). Therefore, the soundness of the equality test guarantees that except with probability \(1/\left| {{\mathbb {F}}}\right| \), if the equality test passes then the values decoded in each row of \({{\hat{U}}}\) and \({{\hat{V}}}\) are equal, and the value decoded from \(\vec {{{\hat{\nu }}}}_i\) is 0. Since addition gates were correctly executed on all columns except those in E, it follows that in all columns excluding those in \(E\cup E'\) the entire computation was computed correctly according to the inputs decoded from \(\vec {{{\hat{X}}}}_i\). Consequently, since \(n-\left| {E\cup E'}\right| \ge n-4e> k\), the output reconstructed in \({\mathcal {H}}_0\) is \({{{\mathcal {F}}}}(\vec {x}^*_{{{{\mathcal {T}}}}},\vec {x}_{{\overline{{{{\mathcal {T}}}}}}})\), where \(\vec {x}_{{\overline{{{{\mathcal {T}}}}}}}\) denotes the inputs of the honest parties, and \(\vec {x}^*_{{{{{\mathcal {T}}}}}}\) are effective inputs for the corrupted parties obtained by decoding \(\vec {{{\hat{X}}}}_{{{\mathcal {T}}}}\).

Using a union bound, we can now conclude that, except with probability

$$\begin{aligned} \left( 1-\frac{e}{n}\right) ^\delta + \frac{n-k+2}{\left| {{\mathbb {F}}}\right| } + 2^{-\Omega (e)} \end{aligned}$$

either all the tests pass, or the four conditions in the claim hold. \(\square \)

\({\mathcal {H}}_1\)::

In \({\mathcal {H}}_1\), we check the conditions of Step 9 of the simulation above before the output decommitment phase and abort with output \(\textsf{fail}\) if any of them fail. Observe that conditioned on any of the degree, equality, or consistency tests failing, the two hybrids are identically distributed as they proceed identically. Therefore, it suffices to bound the statistical distance of the hybrids when all the tests pass.

Conditioned on the tests passing, the two hybrids differ only if one of the tests of Step 9 fails, which we now show happens only with negligible probability. By Claim 4.1, except with probability

$$\begin{aligned} \left( 1-\frac{e}{n}\right) ^\delta + \frac{n-k+2}{\left| {{\mathbb {F}}}\right| } + 2^{-\Omega (e)} \end{aligned}$$

all the conditions of the claim hold (since the tests pass). In particular, since conditions (a)- (c) of Claim 4.1 hold then Steps 9a-9c hold (respectively). For the test of Step 9b, we also use the fact that the output encoding \(\vec {z}=\sum _i\vec {z}_i\) satisfies \(\vec {z}=\vec {w}+\vec {\nu }\), where \(\vec {w}=\sum _i\vec {w}_i\) is the sum of rows of U and the \(\vec {X}_i\)’s (and therefore differs from a valid encoding only in the columns in E). Moreover, since condition (d) holds then the tests in Steps 9d and 9e pass (here, we also use the fact that conditions (a) and (c) hold, so \(\left| {E\cup E'}\right| \le 4e\), and that \(n-4e>2k\)). Therefore, the two hybrids are statistically close.

\({\mathcal {H}}_2\)::

In this hybrid, we switch to the \(\textbf{IDEAL}\) experiment. Notice that this is equivalent to the following experiment: first, run the protocol with \({{{\mathcal {A}}}}\), where the honest parties use 0 instead of their inputs. Second, before decommitting the outputs, check whether the conditions of Step 9 of the simulation hold, and abort if not. Finally, reveal the output, but manipulate the shares of one honest party as the simulator does in Step 10 of the simulation to reveal the correct output.

We prove indistinguishability of \({\mathcal {H}}_1\) and \({\mathcal {H}}_2\) by considering the following mutually disjoint cases. Let \(\textsf{hyb}_1\) and \(\textsf{hyb}_2\) denote the random variables representing the outputs of hybrid experiments \({\mathcal {H}}_1\) and \({\mathcal {H}}_2\), respectively.

C::

Consistency test fails: The view of the adversary until (including) the consistency test contains: (1) messages from \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\); (2) messages exchanged during the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) to \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) reduction (computed for each multiplication gate across all copies); (3) input shares obtained from the honest parties; and (4) the decommitments made during the consistency test. We analyze each of these separately and show they are identically distributed in both hybrids.

(1) and (2): messages from \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\), and the transcripts of the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) to \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) reductions, are identically distributed in both hybrids as \({{{\mathcal {A}}}}\) only learns additive shares of the outputs.

(3): the input shares of the honest parties are similarly uniformly random in both hybrids.

(4): the values decommitted by \(P_i\) during the consistency test are the restriction to \(\Gamma \) of: his input encoding \(\vec {X}_i\), the matrix \(U_i\), the values provided by \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) (during the initialization step), the randomness \(\vec {\gamma }_i,\vec {{\widetilde{\gamma }}}_i,\vec {\nu }_i, \left( \vec {\psi }_i^{j}\right) _{j\in [m]}\), the degree and equality test values \(q_i,{\tilde{q}}_i\), and the output shares \(\vec {z}_i\). The entries of the inputs \(\vec {X}_i\) of honest parties \(P_i\) revealed during the consistency test are uniformly random, because only \(\left| {\Gamma }\right| < k\) entries are decommitted, and \(\vec {X}_i\) is a random valid L-encoding. Similarly, the columns of \(U_i\) decommitted during the consistency test are also distributed uniformly at random, since each row of \(U_i\) is a fresh L-encoding sampled by \(P_i\), and only \(\left| {\Gamma }\right| \) columns are revealed. The values provided by \({{{\mathcal {R}}}}_{\scriptscriptstyle \textrm{RMULT}}\) are generated in the same way in both hybrids and are therefore identically distributed.

As for the degree test equality test outcomes of honest parties \(P_i\) for copies \(l\in \Gamma \), they are uniquely determined by \(X_i^l\), the l’th columns of \(U_i,V_i\) and the l’th entries of \(\vec {\nu }_i,\vec {\gamma }_i,\vec {{\widetilde{\gamma }}}_i,\vec {b}_i\) (and the coin tosses of \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COIN}}\)). Notice that the l’th column of \(V_i\) is uniquely determined by the values decommitted by \(P_i\) during the consistency check, and \(b_i^l\) is uniquely determined by the values decommitted by all parties for the l’th copy. Moreover, \(\vec {\gamma }_i,\vec {{\widetilde{\gamma }}}_i\) are uniformly sampled L- and \({\tilde{L}}\)-encodings (respectively) in both hybrids, and \(\vec {\nu }_i\) is a random valid L-encoding in both hybrids, so the restriction of \(\vec {\gamma }_i,\vec {{\widetilde{\gamma }}}_i\), and \(\vec {\nu }_i\) to \(\left| {\Gamma }\right| \) copies are uniformly random, and consequently, the degree and equality test outcomes are identically distributed in both hybrids. Finally, the decommitted output shares of honest parties \(P_i\) for columns in \(\Gamma \) are uniquely determined by the restriction of \(U_i,\vec {\nu }_i\) to the columns in \(\Gamma \), and the input shares \(\left\{ x_{j,i}^l\right\} _{j\in [m],l\in \Gamma }\) (because \(\vec {z}_i=\vec {w}_i+\vec {\nu }_i\), where \(\vec {w}_i\) is a sum over the rows of \(U_i\) and the input shares provided to \(P_i\) by all parties). Since \(U_i\) and the input shares are identically distributed in both hybrids, and (as noted above) the restriction of \(\vec {\nu }_i\) to the columns in \(\Gamma \) is uniformly random in both hybrids, the decommitted output shares are identically distributed in both hybrids.

Therefore, conditioned on the consistency test failing, the hybrids are identically distributed. Moreover, the probability that the consistency test fails is independent of the honest parties’ inputs. Indeed, whether or not the test fails depends only on the view of the adversary, which at the end of the consistency test includes the values computed during the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) to \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) reductions (thorough this reduction, the adversary learns only subsets of additive shares, which are independent of the inputs of the honest parties), and the views of all honest parties in \(\left| {\Gamma }\right| \) copies (which are independent of the inputs of honest parties due to the secrecy parameter of the L-encodings, alternatively Shamir’s secret sharing scheme).

D::

Degree test fails: In this case the consistency test passes, so the degree test outcomes \(q_i\) are revealed by all parties \(P_i\). Recall from case C above that the adversarial views up to (including) the consistency test are identically distributed in both hybrids. We claim that conditioned on the consistency test passing, the degree test outcomes are L-encodings that are distributed uniformly at random subject to the constraint that they are consistent with the values revealed during the consistency test. Indeed, for every honest party \(P_i\), \(\vec {r}^T U_i + r'_i \vec {X}_i+r''\vec {\nu }_i \in L\), and this value is blinded by a uniformly random L-encoding \(\vec {\gamma }_i\).

Therefore, conditioned on the degree test failing, the hybrids are identically distributed. Again, the probability that the degree test fails is independent of the honest parties’ inputs, as it only depends on the \(q_i\) supplied by the corrupted parties for the degree test outcome.

EQ::

Equality test fails: First, by the analysis in cases C and D above, the two hybrids are identically distributed up to (including) the opening of the degree test commitments. Conditioned on the consistency and degree tests passing, the proof of Claim 4.1 shows that conditions (a)-(c) of the claim hold except with probability \(\left( 1-e/n\right) ^\delta + \frac{n-k+2}{\left| {{\mathbb {F}}}\right| } + 2^{-\Omega (e)}\). Therefore, \(\left| {E \cup E'}\right| \le 4e\), and there exists a unique \({\tilde{L}}\)-encoding \(\vec {{\tilde{q}}}\) that agrees with \(\sum {\tilde{q}}_i\) on all columns except those in \(E \cup E'\).

Consequently, to show that the two hybrids are statistically close conditioned on EQ, it suffices to argue that they are identically distributed conditioned on EQ and conditions (a–c) of Claim 4.1. Let W be the set of executions where both EQ and these conditions hold. Then,

$$\begin{aligned} \left| {\Gamma \cup E \cup E'}\right| \le \delta +4e < k \end{aligned}$$

for all executions in W, so similar arguments to case C above show that the adversarial view up to (including) the degree test check, together with the view of the honest parties in the executions of all copies in \(\Gamma \cup E\cup E'\), are identically distributed in both hybrids.

For an execution in W, let \(\textsf {view}\) denote the view of the adversary up to (including) the degree test check, together with the view of the honest parties in the executions of all copies in \(\Gamma \cup E\cup E'\). Let \(Q_i\) and \(Q'_i\) be the distribution of the equality test outcome \(\vec {{\tilde{q}}}_i\) revealed by party \(P_i\) in hybrids \({\mathcal {H}}_1\) and \({\mathcal {H}}_2\), respectively, conditioned on the partial view \(\textsf {view}\). Recall that

$$ \sum _i \vec {{\tilde{q}}}_i = \sum _i \vec {\alpha }^T (V_i - U_i) + \beta \vec {\nu }_i + \vec {{\widetilde{\gamma }}}_i +\vec {b}_i$$

where \(\vec {b}_i=\sum _{j\in [m]}\vec {\psi }_j^i\), and \(\sum _{i\in [m]}\vec {\psi }_i^j=\vec {0}\). We want to prove that \(\left( Q_i\right) _{i\in [m]}\) and \(\left( Q_i'\right) _{i\in [m]}\) are identically distributed conditioned on \(\textsf {view}\), but since the \(Q_i\)’s and \(Q_i'\)’s are blinded by the additive \(\vec {0}\)-sharings \(\vec {\psi }_j\)’s of all \(P_j\)’s, this will follow from proving that \(\sum _{i\notin {{{\mathcal {T}}}}}Q_i\) and \(\sum _{i\notin {{{\mathcal {T}}}}}Q_i'\) are identically distributed conditioned on \(\textsf {view}\). We proceed to prove the latter claim. Recall that there exist unique \({\hat{V}}\in {\tilde{L}}^h,{\hat{U}}\in L^h,\vec {{\hat{\nu }}}\in L,\vec {{\hat{{\widetilde{\gamma }}}}}\in L\) that agree with \(\sum _i V_i,\sum _iU_i,\sum _i\vec {\nu }_i,\sum _i\vec {{\widetilde{\gamma }}}_i\) (respectively) except for the columns in \(E \cup E'\). Therefore, conditioned on \(\textsf {view}\) then \(\sum _{i} Q_i - \sum _{i} Q'_i\) are valid \({\tilde{L}}\)-encoding of 0 in which the entries in \(\Gamma \cup E \cup E'\) are all 0. Moreover, the equality test values \(\vec {{\tilde{q}}}_i\) of corrupted \(P_i\)’s are committed to before the consistency test, so they depend on the adversarial view up to that point, which we have already shown is identically distributed. Therefore, \(\left( Q_i\right) _{i\in {{{\mathcal {T}}}}}\) and \(\left( Q_i'\right) _{i\in {{{\mathcal {T}}}}}\) are identically distributed point distributions (since they are conditioned on \(\textsf {view}\)). Therefore, conditioned on \(\textsf {view}\), \(\sum _{i\in {\bar{{{{\mathcal {T}}}}}}} Q_i - \sum _{i\in {\bar{{{{\mathcal {T}}}}}}} Q'_i\) are valid \({\tilde{L}}\)-encoding of 0 in which the entries in \(\Gamma \cup E \cup E'\) are all 0. Since \(\vec {{\widetilde{\gamma }}}_i\) are random valid \({\tilde{L}}\)-encodings of 0, this implies that \(\sum _{i\in {\bar{{{{\mathcal {T}}}}}}} Q_i\) and \(\sum _{i\in {\bar{{{{\mathcal {T}}}}}}} Q'_i\) are identically distributed conditioned on \(\textsf {view}\), as we set out to prove. We conclude that the hybrids are statistically close conditioned on the equality test failing.

O::

All tests pass: By Claim 4.1, conditioned on all tests passing then except with probability \(\left( 1-e/n\right) ^\delta + \frac{n-k+2}{\left| {{\mathbb {F}}}\right| } + 2^{-\Omega (e)}\) the final outputs \(\sum _i \vec {z}_i\) are valid L-encoding of \(y={{{\mathcal {F}}}}(\vec {x}_{{\bar{{{{\mathcal {T}}}}}}},\vec {x}^*_{{{\mathcal {T}}}})\) (in \({\mathcal {H}}_1\)) and \(o={{{\mathcal {F}}}}(\vec {0}_{{\bar{{{{\mathcal {T}}}}}}},\vec {x}^*_{{{\mathcal {T}}}})\) (in \({\mathcal {H}}_2\)), where \(\vec {x}^*_{{{\mathcal {T}}}}\) are the effective inputs extracted for the corrupted parties in these hybrids. Thus, it suffices to prove indistinguishability of the hybrids conditioned on O and all the conditions of Claim 4.1. The remainder of the argument is similar to that of case EQ above. Let \(\textsf {view}\) denote the view of the adversary up to (including) the equality test check, together with the view of the honest parties in the executions of all copies in \(\Gamma \cup E\cup E'\). Let \(Z_i\) and \(Z_i'\) be the distributions of the outputs \(\vec {z}_i\) of party \(P_i\) in hybrids \({\mathcal {H}}_1,{\mathcal {H}}_2\) (respectively), conditioned on \(\textsf {view}\). (Notice that in \({\mathcal {H}}_2\) these shares are manipulated before they are revealed.) Then \(\sum _iZ_i-\sum _iZ_i'\) is distributed as a random L-encoding of \(y-o\) conditioned on the entries in \(\Gamma \cup E \cup E'\) being 0, because the shares are blinded using the random L-encodings \(\vec {\nu }_i\) of 0. Therefore, the two hybrids are identically distributed conditioned on \(\textsf {view}\), because the output manipulation exactly adds a random L-encoding of \(y-o\) to the output shares.

This concludes the proof of indistinguishability of the last two hybrids, and the proof of security. \(\square \)

4.2 Communication Complexity of Protocol \(\Phi \)

Assuming the existence of a PRG, parties can commit to their \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) triples by committing (during the initialization step) to a PRG seed for each copy. (The other initialization-phase commitments are generated as in Fig. 6.) Consequently, the total communication, assuming rate-1 commitments, is:

$$\begin{aligned}&\underbrace{n\cdot m\cdot (\kappa +(3+m)\cdot \log _2\left| {{\mathbb {F}}}\right| )}_{{{\text {rnd/blind com.}}}}~ + \underbrace{m\cdot n\cdot \log _2\left| {{\mathbb {F}}}\right| }_{{{\text {input commitments}}}} + \underbrace{m^2\cdot n\cdot \log _2\left| {{\mathbb {F}}}\right| }_{{{\text {input sharing}}}}\\&\quad + \underbrace{n\cdot h\cdot \textrm{CC}_{\scriptscriptstyle \textrm{MULT}}}_{{{\text {multiplication}}}} + \underbrace{\left| {\Gamma }\right| \cdot m\cdot (\kappa +(4+m)\cdot \log _2\left| {{\mathbb {F}}}\right| )}_{{{\text {consistency test}}}} \\&\quad + \underbrace{2\cdot m\cdot n\cdot \log _2\left| {{\mathbb {F}}}\right| }_{{{\text {degree test com. and dec.}}}} + \underbrace{2\cdot m\cdot n\cdot \log _2\left| {{\mathbb {F}}}\right| }_{{{\text {equality test com. and dec.}}}} + \underbrace{2\cdot n\cdot m\cdot \log _2\left| {{\mathbb {F}}}\right| }_{{{\text {output com. and dec.}}}} \end{aligned}$$

where \(\textrm{CC}_{\scriptscriptstyle \textrm{MULT}}\) is the communication complexity of the m-party multiplication protocol (implementing \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) and the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) to \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) reduction), and h is the number of multiplication gates in the circuit. (We note that the degree and equality test commitments revealed during the consistency test are counted as part of the degree and equality test terms, resp.) In order to get \(2^{-\Omega (s)}\) soundness, we need to set \(n = O(s)\). Assuming \(s \le \kappa \), the overall communication complexity can be bounded by \(O(s\cdot h \cdot \textrm{CC}_{\scriptscriptstyle \textrm{MULT}})+ {\textsf{poly}}(m,\kappa ,\log _2\left| {{\mathbb {F}}}\right| )\). Since h represents the size of the circuit (i.e., number of multiplication gates), the best passive protocol in the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\)-hybrid can be bounded by \(O(h) \cdot \textrm{CC}_{\scriptscriptstyle \textrm{MULT}}\). Therefore, the communication overhead of our basic variant is O(s).

4.3 Instantiating \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\)

Recall from Sect. 3.5 (Fig. 5) that \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) is the multiplication functionality that outputs three tuples of additive shares \(\vec {a},\vec {b},\vec {c}\) such that the “inputs” \(\vec {a},\vec {b}\) share random values ab, and the “output” \(\vec {c}\) shares the product \(a\cdot b\). In this section, we discuss how to realize this functionality, while identifying the minimal security properties required from it.

Our first observation is that we do not need an actively-secure implementation of the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) functionality. In fact, it suffices to consider a protocol that is only “private” against active adversaries, in the sense that throughout the protocol execution, an actively corrupted party cannot violate the privacy of the honest parties’ inputs. In particular, the underlying implementation does not have to retain correctness in this case, or provide a mechanism for extracting the adversary’s inputs. Extraction in our protocol is achieved by requiring the adversary to commit to its input and randomness used for the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\)-functionality. Correctness, on the other hand, is enforced through our consistency test that ensures correctness of the computations in most of the copies, by checking a random subset of \(\delta \) copies.

When computing a Boolean circuit, the pairwise products of the shares can be computed using Oblivious Transfer (OT) [6, 55]. Based on the discussion above, it suffices to use a private OT protocol [38]. Indeed, consistency between the different OT executions will be verified during the consistency test of our protocol, as discussed above.Footnote 7 Intuitively, privacy is guaranteed because an OT sender has no output in the execution, and the security/privacy of OT ensures that even if the sender cheats it learns nothing about the receiver’s input. Moreover, though an OT receiver can use inconsistent inputs in the OT executions with different honest parties, this can only violate correctness, and not privacy, since the output of each OT execution is an additive share of the cross product (e.g., \(a_i\cdot b_j\)), which reveals nothing about the other party’s share. Similarly, when working over large fields, \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) can be realized using private OLE (cf. Sect. 3.3), where private OLE can be defined analogously to private OT, requiring that parties do not infer any additional information (except what can be inferred from their inputs and outputs).

4.3.1 Relaxing to Passive Implementation of the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\)-Functionality

We can further weaken the security requirement on the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) implementation, by incorporating the reduction from defensible privacy to passive security. We first informally review the notion of defensible privacy which was introduced by Haitner in [34, 35]; see [35] for the formal definitions. Let \(\pi \) be a two-party protocol between \(P_1\) and \(P_2\), and let \(\textsf{trans}=(q_1,a_1,\ldots ,q_\ell ,a_\ell )\) be a transcript of an execution of \(\pi \) when \(P_1\) is controlled by an adversary \({{{\mathcal {A}}}}\), where \(q_i\) denotes the i’th message from \(P_1\), and \(a_i\) denotes the i’th message from \(P_2\). (That is, \(a_i\) is the response to \(q_i\).) Informally, a defense of \({{{\mathcal {A}}}}\) relative to \(\textsf{trans}\), which is provided after the protocol execution ends, is a pair \(\left( x,r\right) \) of input and random tape for \(P_1\). We say that a defense (xr) of \({{{\mathcal {A}}}}\) relative to \(\textsf{trans}\) is good if the transcript generated by running the honest \(P_1\) with input x and random tape r against \(P_2\)’s messages \(a_1,\ldots ,a_\ell \) results exactly in \(\textsf{trans}\). Intuitively, a defense (xr) is good relative to \(\textsf{trans}\) if, whenever \(P_i\) uses (xr) in an honest execution of \(\pi \), the messages sent by \(P_i\) are identical to the messages sent by the adversary in \(\textsf{trans}\). Thus, in essence, a defense serves as a “proof” of honest behavior. Defensible privacy guarantees that when the adversary provides a good defense, then it learns nothing beyond what can be inferred from its input and prescribed output.Footnote 8 We note that in our protocols, the consistency tests guarantee that (if the tests pass) the adversary has a good defense, so defensible privacy implies privacy against active corruptions.

The security of a passive protocol can be amplified to defensible privacy by adding a coin tossing phase (which, in our case, samples the inputs to \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\)), and ensuring that these coins were indeed used in the passive execution. The latter can be checked as part of our consistency test, however to guarantee privacy we cannot postpone this check until the consistency test is performed at the end of the circuit emulation, since by that time the adversary could have already violated privacy by using badly-sampled randomness. Thus, we include in our protocol two consistency tests: The first is the consistency test described in Fig. 7, and the second checks consistency of \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) inputs and the tossed coins and is executed during the initialization phase. This second consistency test ensures that with overwhelming probability, all but (possibly) a small subset of random triples are correct (namely, the aggregated parties’ shares correspond to \(c = a\cdot b\)), and consistent with the random coins. This will suffice for our security analysis, because the number of copies will be sufficiently large such that by cheating in a small number (\(<k\)) of copies, the adversary learns nothing. See Appendix A for further details and the concrete overhead our protocols achieve. In summary, we obtain the following from Theorem 2 and the discussion above:

Corollary 3

Let \(\phi \) be a passively-secure protocol realizing \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\). Then Protocol \(\Phi \) described in Figs. 6, 7, 8, when the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) oracle is replaced with \(\phi \), securely realizes \({{{\mathcal {F}}}}\) in the (\({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COM}},{{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COIN}}\))-hybrid model, tolerating \(m-1\) active (static) corruptions, with statistical security error

$$\begin{aligned} \left( 1-e/n\right) ^\delta + \frac{n-k+2}{\left| {{\mathbb {F}}}\right| } + 2^{-\Omega (e)} + (1-e/(n+\delta '))^{\delta '} \end{aligned}$$

where \(k > \delta +4e\),\(n>2k + 4e\), \(e\le (n-k+1)/3\), and \(\delta '>0\).

4.3.2 Relaxing Further to Weaker than Passive

Following ideas from [36], our protocol can, in fact, tolerate an imperfect passive OLE, namely one that has a non-negligible statistical privacy or correctness error. This security feature can be turned into an efficiency advantage. For example, imperfect \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) can be implemented more efficiently by aggressively setting the parameters in existing LWE-based OLE constructions, see Sect. 7.1 for details.

5 Actively Secure MPC with Constant Communication Overhead

In this section, we present our main result, namely an MPC protocol for an arbitrary number of parties that achieves constant communication overhead over the passive GMW protocol.

On a high-level, we will incorporate a variant of the protocol of Frankling and Yung [26] instead of [11] in our basic MPC protocol. Recall that the main overhead in the basic MPC protocol is caused by the \(n = O(s)\) copies of the circuit used to perform the computation, where s is a statistical security parameter. Then, similar to [26] we improve the communication overhead, achieving constant overhead, by having all copies evaluate multiple gates in parallel using packed secret sharing. Our protocol will achieve constant-overhead for moderately wide circuits (See Sect. 6 for a more detailed discussion.)

In more detail, given a circuit \(\textrm{C}\), and block-width parameter \({{{\mathcal {B}}}}\), the parties agree on a divisions of the circuit evaluation into layers, where at most \({{{\mathcal {B}}}}\) multiplication gates are evaluated in parallel in each layer, and arbitrary linear operations are performed between layers. During the evaluation of the protocol on a specific input, we can associate with each layer of gates G a vector (block) \(B_O^G\) of \({{{\mathcal {B}}}}\) values whose i’th position contains the output value assigned to the i’th gate in the layer (or 0 if the block has less than \({{{\mathcal {B}}}}\) gates). For each layer (except blocks of input gates), we will associate two additional blocks: a “left” block \(B^G_L\) and “right” block \(B^G_R\) whose i’th position contains the value of the left input wire and right input wire of the i’th gate, respectively. In other words, the value of the i’th gate of a multiplication block can be expressed as \((B^G_{O})_i = (B^G_{L})_i(B^G_{R})_i\). In the protocol, the parties will collectively operate on an efficient (constant rate) Reed–Solomon encoding (equivalently, packed secret shares) of each block. The protocol parameters include a description of the Reed–Solomon code \(L={{\textsf{R}}}{{\textsf{S}}}_{{\mathbb {F}},n,k,\eta }\), and a vector of elements \(\zeta =(\zeta _1,\ldots ,\zeta _{{{\mathcal {B}}}}) \in {\mathbb {F}}^{{{\mathcal {B}}}}\) which is used for decoding.

Next, we describe our protocol, simulation and proof by specifying the main differences from the description of the basic protocol from Sect. 4.

  • Initialization. Recall that each party generates \(\vec {\gamma }_i,\vec {\nu }_i,\vec {{\widetilde{\gamma }}}_i\) and \((\vec {\psi }_i^1,\ldots ,\vec {\psi }_i^m)\). The parties generate the same vectors except that \(\vec {\gamma }_i\) is a random L-encoding of a random block of values, and \(\vec {\nu }_i\) and \(\vec {{\widetilde{\gamma }}}_i\) are random L and \({\tilde{L}}\) encodings of the all 0’s block. In addition, the parties generate a random \(L'\)-encoding \(\vec {\gamma '}^i=({\gamma '}^i_1,\ldots ,{\gamma '}^i_n)\) of a block of values that are random subject to the condition that they add up to 0, where \(L'={{\textsf{R}}}{{\textsf{S}}}_{{\mathbb {F}},n,k+{{{\mathcal {B}}}},\eta }\).

  • Input sharing. The parties share a block rather than a single element. Namely, the parties embed their input value(s) into a block of length \({{{\mathcal {B}}}}\) and generate a packed secret sharing L-encoding for this block (as described in Section 3.6), distributing the outcome as in the basic protocol.

  • Emulating the computation. The computation proceed in layers of multiplication gates, where for each layer, we maintain the invariant that the parties hold additive shares of the inputs to the (at most) \({{{\mathcal {B}}}}\) multiplication gates in the layer. The difference from the basic protocol is that before evaluating a layer, the parties need to repack the inputs to the layer. (See discussion below on why repacking might be needed.)

    Concretely, to evaluate a layer, each party first rearranges the left wire values and right wire values of the multiplication gates in the layer into blocks \(B_L\) and \(B_R\) and generates an L-encoding of each block. For every i, let \(a_i^l,b_i^l\) denote \(P_i\)’s shares of \(B_L,B_R\) (respectively) corresponding to the l’th copy. Then the parties compute (via the reduction from \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) to \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\)) additive shares \(\left( {\tilde{c}}_1^{l},\ldots ,{\tilde{c}}_m^{l}\right) \) of \((\sum _{i=1}^m a_i^l)(\sum _{i=1}^m b_i^l)\), where \(P_i\) receives \({\tilde{c}}_i^{l}\), just as in the basic MPC protocol. Then, each \(P_i\) locally performs the degree reduction procedure as in the basic MPC protocol, with the difference that \(P_i\) decodes \(({\tilde{c}}_i^{1},\ldots ,{\tilde{c}}_i^{n})\) to obtain a block of values which it uses as the additive shares of the outputs of the multiplication gates in the layer.

    Why repacking is needed. To see why rearranging the values within and between blocks might be necessary, consider a circuit that has a wire connecting the 3’rd value in the 2’nd block in layer 1 with the 5’th value in the 3’rd block in layer 2; or a wire connecting the 4’th value in the 1’st block in layer 1 with the 2’nd value in the 1’st block in layer 2. We note that addition gates do not require repacking, because the following invariant is maintained throughout the evaluation: Parties hold additive shares of the wire values (essentially, after a degree reduction step parties can “unpack” the shared values to obtain additive shares of each individual wire). Therefore, additions can be computed locally per gate, then repacked for the next multiplication layer.

  • Correctness tests.

    We will employ the equality test as before, modify the degree test to also check the repacked encodings and add an additional permutation test, as described next.

    The modified degree test. As in the basic protocol, the degree test will compute a random linear combination of the tested encodings. These encodings include the blocks \(\vec {X}_i\) encoding the parties’ inputs (which were committed in the input sharing step), the block of 0s encoded in \(\vec {\nu }_i\) (which was committed in the initialization step), and the matrix \(U_i\) which contains L-encodings of the blocks of additive shares that were obtained from the degree reduction step following a multiplication step. (\(U_i\) was committed to during the commit to degree test step.) The difference from the degree test of the basic MPC protocol is that the linear combination will now also include an additional matrix \(U_i''\) which contains the L-encodings of the repacked blocks of additive shares that were used as inputs to multiplication gates. (We note that these values are never committed to, but as explained in the proof of Corollary 4, can be extracted by the simulator from the transcript of the execution.) More formally, the parties will obtain from \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COIN}}\) random vectors \(\vec {r},\vec {r}',\vec {r}'''\), and a random value \(r''\), and party \(P_i\) will compute

    $$\begin{aligned} q_i = \vec {r}^T U_i + \vec {r}^{\prime \prime \prime T}U_i'' + r'_i \vec {X}_i+r''\vec {\nu }_i+ \vec {\gamma }_i. \end{aligned}$$

    Permutation test: this test verifies that the parties correctly permute (i.e., rearrange) the additive shares of wire values between layers. In particular, the test verifies that the encodings of the left and right input blocks of each computation layer correctly encode the values from the previous layers (and similarly for the output blocks). Note that the set of constraints that the blocks of values have to satisfy can be expressed as a set of linear equations in at most \(m{{{\mathcal {B}}}}\) equations and \(m{{{\mathcal {B}}}}\) variables (where w is the width, d is the depth of the computed circuit, and \(m = dw/{{{\mathcal {B}}}}\)), where variable \(x_{i,j}\) represents the j’th value in the i’th block. (For example, if the circuit has a wire between the 3’rd value of the 2’nd block and the 5’th value in the 3’rd block, the corresponding constraint would be \(x_{2,3} - x_{3,5} = 0\).) These linear equations can be represented in matrix form as \(Ax = 0^{m{{{\mathcal {B}}}}}\), where \(A \in {\mathbb {F}}^{m{{{\mathcal {B}}}}\times m{{{\mathcal {B}}}}}\) is a public matrix which only depends on the circuit being computed. The permutation test simply picks a random vector \(\vec {r}\in {\mathbb {F}}^{m{{{\mathcal {B}}}}}\) and checks that \((\vec {r}^TA)x = 0\). To check these constraints, the parties obtain from \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COIN}}\) a random vector \(\vec {r}\in {\mathbb {F}}^{m{{{\mathcal {B}}}}}\) and compute

    $$\begin{aligned} \vec {r}^TA = (r_{11}',\ldots ,r_{1{{{\mathcal {B}}}}}',\ldots ,r_{m1}',\ldots ,r_{m{{{\mathcal {B}}}}}'). \end{aligned}$$

    Now, let \(r_j(\cdot )\) be the unique polynomial of degree \(<{{{\mathcal {B}}}}\) such that \(r_j(\zeta _Q) = r_{jQ}'\) for every \(Q \in [{{{\mathcal {B}}}}]\) and \(j \in [m]\). Then party \(P_i\) locally computes \(q'_i = (r_1(\zeta _i),\ldots , r_m(\zeta _i))^T U'_i + \gamma '_i\), where \(\gamma '_i\) is the blinding encoding from the initialization step (that encode in \({{\textsf{R}}}{{\textsf{S}}}_{{\mathbb {F}},n,k+{{{\mathcal {B}}}},\eta }\) random blocks of values that sum to 0), and \(U'_i\) is the matrix obtained by concatenating the rows of \(U_i\) and \(U_i''\) from the degree test. Notice that the rows of \(U_i'\) consist of the L-encodings which \(P_i\) obtained at the output of multiplication layers (after degree reduction), and the L-encodings it used as inputs to multiplication layers (after repacking). Finally, \(P_i\) commits to each element of \(q_i'\) using \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COM}}\).

  • Consistency test check. In the consistency test, we also check for all \(l\in \Gamma \) that the permutation test values of copy l were computed correctly. Specifically, each party checks that for every \(i\in [m]\), the l’th element of \(q_i'\) is consistent with the l’th element of \(\gamma _i'\), the l’th column of \(U_i'\), and \(\vec {r}\) (the coins obtained from \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COIN}}\) for the permutation test).

  • Permutation test check. The parties decommit their permutation test commitments for all copies \(l\notin \Gamma \), namely each \(P_i\) opens the commitment to the value \(q_i'\) computed above. Each party computes \(q'_i = (q_1'+\ldots +q_m')\) and aborts if \(q' = (q'_1,\ldots ,q'_n) \not \in {{\textsf{R}}}{{\textsf{S}}}_{{\mathbb {F}},n,k+{{{\mathcal {B}}}},\eta }\) or \(x_1+\cdots +x_w \ne 0\) where \(x = (x_1,\ldots ,x_w) = \textsf{Decode}_\zeta (q')\).

The following Theorem follows from Theorem 2 and the discussion above.

Theorem 4

The packed variant of protocol \(\Phi \) of Figs. 6, 7, 8 securely realizes \({{{\mathcal {F}}}}\) in the (\({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COM}},{{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}},{{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{COIN}}\))-hybrid model, tolerating \(m-1\) active (static) corruptions, with statistical security error

$$\begin{aligned} (1-e/n)^{\delta }+((e+k+{{{\mathcal {B}}}})/n)^{\delta } + (n-k+3)/\left| {{\mathbb {F}}}\right| +2^{-\Omega (e)} \end{aligned}$$

where \(k > \delta +4e+{{{\mathcal {B}}}}\), \(n>2k + 4e\), and \(e<(n-k+1)/3\).

We only sketch the proof, which is very similar to that of Theorem 2.

Proof sketch

The proof follows similarly to that of Theorem 2. We highlight the difference below.

First, we revise the simulator description by modifying two of the tests it performs in Step 9. First, in Step 9b \({\textsf {Sim}}\) additionally checks that \(\Delta \left( U',L^{\ell }\right) \subseteq E\), where \(U'=\sum _{i\in [m]}U_i'\), \(U_i'\) is the matrix which \(P_i\) (should have) used during the permutation test, and \(\ell \) denotes the number of rows in \(U'\). (Notice that the simulator can determine \(U_i'\) even for corrupted parties: \(U_i\) was committed to, and \(U_i''\) can be extracted from the messages exchanged with the corrupted parties during the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) to \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) reductions.) Second, in Step 9e, \({\textsf {Sim}}\) additionally checks that repacking was performed correctly. This is done by decoding the values of \(U'\) similarly to how the simulator decodes UV (by constructing the unique \(L^{\ell }\)-encoding \({\hat{U}}'\) that agrees with \(U'\) on all columns except those in E, and decoding \({\hat{U}}'\); such a \({\hat{U}}'\) exists because \(\left| {\Delta \left( U',L^{\ell }\right) }\right| \le \left| {E}\right| \le e<n-k+1\)), and uses the decoded values to verify that repacking was performed correctly. (That is, if the decoded values are \(\vec {x}\), it verifies that \(A\vec {x}=\vec {0}\).) We also note that in Step 10 the simulator is able to “correct” the output shares as in the proof of Theorem 2, even though the shares might pack \({{{\mathcal {B}}}}\) values, because \(k>\delta +4e+{{{\mathcal {B}}}}\).

Second, we revise the statement of Claim 4.1, where the soundness error increases by an additive \(1/\left| {{\mathbb {F}}}\right| +((e+k+{{{\mathcal {B}}}})/n)^{\delta }\) term,Footnote 9 and except with this probability, either one of the consistency, degree, equality or permutation tests fails, or all the conditions stated in the claim hold. We additionally change Condition (b) to include \(\Delta \left( U',L^{\ell }\right) \subseteq E\), and Condition (d) to include the existence of a unique \({\hat{U}}'\in L^{\ell }\) that agrees with \(U'\) on all columns except those in E and decodes to values \(\vec {x}\) such that \(A\vec {x}=\vec {0}\).

Then, we modify the proof of Claim 4.1 to account for the probability that the permutation test fails. In more detail, we change the case \(\left| {E}\right| \le e\), \(d\left( M,L^{h+m+1}\right) >e\) in the proof of Claim 4.1 to the case \(\left| {E}\right| \le e\), \(d\left( M',L^{\ell + m+1}\right) >e\), where the rows of \(M'\) consist of \(U,U''=\sum _{i\in [m]}U_i'',\vec {X}_1,\ldots ,\vec {X}_m\) and \(\sum _{i\in [m]}\vec {\nu }_i\). Since our modified degree test computes a linear combination over \(M'\) (instead of M), an analogous analysis to that of case \(\left| {E}\right| \le e\), \(d\left( M,L^{h+m+1}\right) >e\) in the proof of Claim 4.1 guarantees that the modified degree test fails except with probability \((n-k+1)/\left| {{\mathbb {F}}}\right| \), because \(e<(n-k+1)/3\).

Similarly, we replace the case \(\left| {E}\right| \le e\), \(d\left( M,L^{h+m+1}\right) \le e\) and \(\Delta \left( M,L^{h+m+1}\right) \nsubseteq E\) in the proof of Claim 4.1 with the case \(\left| {E}\right| \le e\), \(d\left( M',L^{\ell +m+1}\right) \le e\), and \(\Delta \left( M',L^{\ell +m+1}\right) \nsubseteq E\), and an analogous analysis to one provided in the proof of Claim 4.1 shows that in this case the degree test fails except with probability \(1/\left| {{\mathbb {F}}}\right| \).

Conditioned on none of the (modified) bad events (from the proof of Claim 4.1, modified as described above) occurring, then U can be uniquely extended to a \({\hat{U}}\in L^{h}\) that agrees with U on all columns except those in E, and V can be uniquely extended to a \({\hat{V}}\in {\tilde{L}}^{h}\) that agrees with V on all columns except those in \(E\cup E'\). This follows identically to the analysis in the proof of Claim 4.1. Moreover, a similar analysis shows that \(U'\) can be uniquely extended to a \({\hat{U}}'\in L^{\ell }\) that agrees with \(U'\) on all columns except those in E. Now, since \(\left| {E}\right| \le e\), then \(d\left( U',{\hat{U}}'\right) \le e\). If \({\hat{U}}'\) decodes to values \(\vec {x}\) such that \(A\vec {x}\ne \vec {0}\), then by [2, Lemma 4.6], either the permutation or the consistency tests fail except with probability \(1/\left| {{\mathbb {F}}}\right| +((e+k+{{{\mathcal {B}}}})/n)^{\delta }\). Therefore, except for this probability, \({\hat{U}}'\) encodes values \(\vec {x}\) such that \(A\vec {x}=\vec {0}\), i.e., repacking was computed correctly in all columns except those in E. Thus, it follows similarly to the proof of Claim 4.1 that the output reconstructed in \({\mathcal {H}}_0\) is \({{{\mathcal {F}}}}\left( x_{{\overline{{{{\mathcal {T}}}}}}},x_{{{{\mathcal {T}}}}}^*\right) \).

The description and analysis of hybrid \({\mathcal {H}}_1\) follows identically to Theorem 2.

The description of \({\mathcal {H}}_2\) is identical to the proof of Theorem 2, where in the case analysis we add after case EQ the case “P: permutation test fails.” The analysis of cases C, D and O follows identically to the proof of Theorem 2. The analysis of case EQ only differs in the following point. The claim that for all executions in W the joint view of the adversary up to (including) the degree test check, together with the views of the honest parties in copies \(\Gamma \cup E\cup E'\) are identically distributed in \({\mathcal {H}}_1,{\mathcal {H}}_2\), holds because \(\left| {\Gamma \cup E\cup E'}\right| + {{{\mathcal {B}}}}\le \delta +4e+{{{\mathcal {B}}}}<k\).

We now analyze case P. In this case, the equality test passes, so the permutation test outcomes \(q_i'\) are revealed by all parties \(P_i\). From the analysis of cases C, D and EQ in the proof of Theorem 2, except with probability \(\left( 1-e/n\right) ^\delta + \frac{n-k+2}{\left| {{\mathbb {F}}}\right| } + 2^{-\Omega (e)}\), conditions (a)-(c) of Claim 4.1 hold, in which case the adversarial views up to (including) the equality test check are identically distributed in \({\mathcal {H}}_1,{\mathcal {H}}_2\). We claim that conditioned on the consistency test passing, the permutation test outcomes of honest parties are L-encodings that are distributed uniformly at random subject to the constraint that they are consistent with the values revealed during the consistency test, and the values they encode sum to 0. Indeed, for every honest party \(P_i\), \(p_i=(r_1(\zeta _i),\ldots , r_m(\zeta _i))^T U'_i \in L'\), and \(p_i\) decodes to values that sum to 0. Therefore, since \(p_i\) is blinded by an \(L'\)-encoding \(\vec {\gamma }_i'\) that is uniformly random subject to the constraint that it encodes random values that sum to 0, then \(q_i'\) is uniformly random in \(L'\) subject to the constraint that the values it encodes sum to 0.

Therefore, conditioned on the permutation test failing, and on conditions (a–c) of Claim 4.1, the hybrids are identically distributed. Moreover, the probability that the permutation test fails is independent of the honest parties’ inputs, as it only depends on the \(q_i'\)’s supplied by the corrupted parties as their degree test outcomes. Therefore, the hybrids are statistically close in this case. \(\square \)

5.1 Communication Complexity

Assuming that each layer of the circuit has at least \({{{\mathcal {B}}}}\) parallel multiplications, the communication complexity of this variant is given by \(O(n\cdot \frac{h}{ {{{\mathcal {B}}}}} \cdot \textrm{CC}_{\scriptscriptstyle \textrm{MULT}})+ {\textsf{poly}}(m,\kappa ,\log _2\left| {{\mathbb {F}}}\right| )\) since we amortize over \({{{\mathcal {B}}}}\) multiplications. By setting \(n = O(s)\), the amortized communication overhead of this protocol becomes O(1) per copy. Circuits of an arbitrary structure can be easily handled at a worst-case additional cost of \({\textsf{poly}}(s, d)\). The statistical error can be improved by repeating the tests.

5.2 Extending the Analysis for Small Fields

The analysis presented above works for fields of size larger than n, for smaller fields, we present a modified analysis, which is inspired by the analysis of [21, Appendix A]. Notice that the soundness error of our protocol depends on the field size due to the error probability of the degree, equality and permutation tests, where the error term is at most \((n-k+3)/\left| {{\mathbb {F}}}\right| \). These are all instances of tests that check membership in a linear (error-correcting) code, as well as checking that the encoded message satisfies certain constraints. We now show that the soundness error of these tests is \(1/\left| {{\mathbb {F}}}\right| \) and thus can be reduced to \(2^{-s}\) by standard soundness amplification. (We note that this analysis works for any field size, but will only be useful for small fields, since for large fields the analysis described above gives better parameters.)

Specifically, for the following analysis we assume that \(n>2k+8e+2\) and discuss a modified protocol in which we run \(\sigma \) independent instances of each of the degree, equality and permutation test.Footnote 10 We say that a test passes if all of its \(\sigma \) instances pass. (Each instance of a test is identical to the tests described in our protocol; notice that parties now need to commit during the initialization phase to blinding encodings for all instances.) We will show that except with probability \(3n\cdot 2^{-\sigma }+((e+k+{{{\mathcal {B}}}})/n)^{\delta }+(1-e/n)^{\delta }+2^{-\Omega (e)}\) either one of the tests fails, or \(U,V,U'\) are consistent (except for the coordinates in \(E\cup E'\)) with \({\hat{U}},{\hat{V}},{\hat{U}}'\) in the corresponding interleaved codes, and moreover, the messages encoded in these codewords satisfy the required constraints. (That is, \({\hat{U}},{\hat{V}}\) encode the same messages, and the messages \(\vec {x}\) encoded in \({\hat{U}}'\) satisfy the linear constraints \(A\vec {x}=\vec {0}\) defined by the circuit structure.) In particular, to reduce the \(3n\cdot 2^{-\sigma }\) term to soundness \(2^{-s}\), it suffices to choose \(\sigma =(s+2)\log ((h+3m)n)\). We show this bound by analyzing each test separately, conditioned on the event that \(\left| {E\cup E'}\right| \le 4e\). As shown in the proof of Theorem 2, if the consistency test passes then this holds except with probability \((1-e/n)^{\delta }+2^{-\Omega (e)}\). First, we consider the degree test. Let \({{{\mathcal {W}}}}\) denote the linear subspace spanned by the purported codewords checked during the degree test, namely by the rows of U, as well as \(\left( X_i,\nu _i,\gamma _i\right) _{i\in [m]}\). We consider two cases.

Case I: \({{{\mathcal {W}}}}\) contains a vector \(\vec {w}\) which is \((8e+2)\)-far from L. We claim that in this case, with probability at least \(1/\left| {{\mathbb {F}}}\right| \) over the coefficients of a random linear combination used in an instance of the degree test, the resultant linear combination is \((4e+1)\)-far from L. Notice that if this claim holds then with probability at least \(1/\left| {{\mathbb {F}}}\right| \) the resultant linear combination is not a valid L-encoding (causing this instance of the degree test to fail). Indeed, a random linear combination computed as part of the degree test was computed correctly in all but the (at most) 4e copies in \(E\cup E'\), and so the result will differ in at least one coordinate from the closest codeword. It remains, therefore, to prove the claim. For this, consider a basis for \({{{\mathcal {W}}}}\) in which one of the basis vectors is \(\vec {w}\). The linear combination computed in an instance of the degree test is simply a random vector in \({{{\mathcal {W}}}}\), and so is obtained by a random linear combination of the basis vectors. Fix some possible value \(\vec {w}'\) of the linear combination over all basis vectors excluding \(\vec {w}\). If \(\vec {w}'\) is \((4e+1)\)-far from L then with probability \(1/\left| {{\mathbb {F}}}\right| \) \(\vec {w}\) isn’t part of the linear combination (i.e., appears with coefficient 0) and consequently the linear combination is \((4e+1)\)-far from L. Otherwise, \(\vec {w}'\) is \((4e+1)\)-close to L, then with probability \((\left| {{\mathbb {F}}}\right| -1)/\left| {{\mathbb {F}}}\right| \ge 1/\left| {{\mathbb {F}}}\right| \), \(\vec {w}\) appears in the linear combination (i.e., with non-0 coefficient), and consequently the linear combination is \((4e+1)\)-far from L (because \(\vec {w}\) is \((8e+2)\)-far from L).

Case II: all vectors in \({{{\mathcal {W}}}}\) are \((8e+2)\)-close to L. In this case, we claim that all purported encodings tested during the degree test (i.e., the rows of U, and \(\left( X_i,\nu _i,\gamma _i\right) _{i\in [m]}\)) are consistent with L-encodings except for the coordinated in \(E\cup E'\). To prove this claim, it suffices to prove that for every such purported encoding \(\vec {v}\), if \(l\in \Delta (\vec {v},L)\) then \(l\in E\cup E'\) except with probability \(2^{-\sigma }\), since in this case the claim holds except with probability \((h+3m)\cdot n\cdot 2^{-\sigma }\) (by the union bound). Indeed, we show that if \(l\notin E\cup E'\), then each instance of the degree test fails with probability \(\ge 1/\left| {{\mathbb {F}}}\right| \), and conclude that if all instances of the degree test pass then \(l\in E\cup E'\) (with high probability). Consider some linear combination computed in an instance of the degree test, and let \(\vec {v}''\) denote the linear combination over all vectors except \(\vec {v}\). By the case assumption, \(\vec {v}''\) is \((8e+2)\)-close to L. We now consider two cases, based on whether or not \(\vec {v}''\) can “cancel out” the l’th coordinate in \(\vec {v}\). First, if \(l\in \Delta (\vec {v}'',L)\) then if \(\vec {v}\) isn’t part of the linear combination (i.e., appears with coefficient 0), which happens with probability \(1/\left| {{\mathbb {F}}}\right| \), then this instance of the degree test fails (because this instance simply checks whether \(\vec {v}''\in L\)). Second, assume that \(l\notin \Delta (\vec {v}'',L)\). In this case, if \(\vec {v}\) does appear in the linear combination (i.e., with a non-0 coefficient), which happens with probability \((\left| {{\mathbb {F}}}\right| -1)/\left| {{\mathbb {F}}}\right| \ge 1/\left| {{\mathbb {F}}}\right| \), then this instance of the degree test fails, because the tested value, which is \(\vec {v}''+c\vec {v}\) for some constant \(c\ne 0\), differs from the closest codeword in L in the l’th coordinate. (In particular, it is not a valid codeword.)

Next, we analyze the permutation and equality tests. These differ from the degree test since they check not only that the linear combination is a valid encoding, but also that the encoded messages satisfy certain constraints. The analysis follows similarly to the degree test analysis, where we define \({{{\mathcal {W}}}}\) to be the subspace spanned by the purported encodings checked during the corresponding test (either the degree or the equality test). We note that in the equality test, we disregard the \(b^l_i\) values (see bottom of Fig. 7 for the definition of \(b_i^l\)), which are not valid encodings. This does not affect the analysis since these are locally computed, and so are correctly computed in all copies except those in \(E\cup E'\). (Indeed, by the definition of E, the local computations in all copies not in E are correctly performed. In particular, \(\sum _i{b_i^l}\) for \(l\notin E\).) In particular, these don’t affect the linear combination in copies \(l\notin E\cup E'\) since in such copies these are additive shares of 0. The only other difference in the analysis is that we divide case II into two subcases depending on whether or not the encoded messages satisfy the constraints. (We note that in both subcases the message encoded by a purported codeword is well defined, because \(n>2k+8e+2\).)

Case II.1: all vectors in \({{{\mathcal {W}}}}\) are \((8e+2)\)-close to the code, and the encoded messages satisfy the constraints. In this case, the analysis follows similarly to case II above.

Case II.2: all vectors in \({{{\mathcal {W}}}}\) are \((8e+2)\)-close to the code, but the encoded messages don’t satisfy the constraints. In this case, by the analysis in the proof of Theorem 4, either the consistency or the permutation tests fail except with probability \((1/\left| {{\mathbb {F}}}\right| )^{\sigma }+((e+k+{{{\mathcal {B}}}})/n)^{\delta }\).

The Overhead. We note that the soundness amplification described above preserves constant overhead. Indeed, repeating the tests \(\sigma \) times adds an additive \(O(\sigma d)\) term, where d is the degree of the packed secret sharing. In our protocol, \(d\le k+{{{\mathcal {B}}}}\). Therefore, if the width of the circuit is at least \(\Omega (\sigma )\) then this additive term becomes \(O(\sigma ^2)\).

6 Corollaries and Applications

In this section, we consider several different instantiations of the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) functionality, thus obtaining our main results in the different settings as instances of the generic protocol of Sect. 5.

6.1 Constant Overhead MPC for Constant-Size Fields

6.1.1 Dishonest Majority

Our main result is obtained by replacing the Reed–Solomon codes in our protocol with Algebraic Geometric (AG) secret sharing over fields of constant size [13], instantiating the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) functionality with pairwise calls to a passively-secure implementation of the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{OT}}\) functionality, and instantiating commitments using a pseudorandom generator. Specifically our analysis and construction extends to packed secret sharing schemes that are linear and strongly multiplicative. From Theorem 1, we have such schemes for constant-size fields by embedding the secret in \({\mathbb {F}}_q\) where q is a (sufficiently large) even power of the underlying prime. Formally:

Theorem 5

(Theorem 1, restated) Let \(\kappa ,s\) denote computational and statistical security parameters (resp.), m denote the number of parties, and \({\mathbb {F}}\) be a constant-size field. Then there exists a protocol compiler that, given a pseudorandom generator G with seed length \(\kappa \), s, a constant-round implementation of the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{OT}}\) functionality with total communication complexity \(\textrm{CC}_{\scriptscriptstyle \textrm{OT}}\), and a description of an m-party functionality expressed as a depth-d circuit \(\textrm{C}\) with constant fan-in, outputs a UC-secure O(d)-round m-party protocol realizing f with communication complexity \(O(m^2\left| {\textrm{C}}\right| \textrm{CC}_{\scriptscriptstyle \textrm{OT}}) + {\textsf{poly}}(m,\kappa ,d)\), where security holds against an active adversary corrupting an arbitrary number of parties.

We note that the exact constants in the overhead of Theorem 5 depend on the concrete constants of the underlying AG code, which have not been studied before. The communication complexity of our protocol using a bit-OT protocol for the Boolean setting asymptotically matches the communication complexity of the best known passively-secure protocol, namely [32] using a passively-secure OT protocol. The best known previous result for active security is due to Genkin et al. [29] who achieve \(O(m^2\left| {\textrm{C}}\right| {\textsf{poly}}\log (s))\) communication complexity, i.e., a multiplicative factor of \({\textsf{poly}}\log (s)\) over GMW.

6.1.2 Honest Majority

To obtain our main result for the honest majority setting, we need to slightly modify our protocol in two ways. First, we will rely on the passive variant of a protocol of Damgård and Nielsen [23], instantiated with secret sharing based on AG codes over constant-size finite fields, to instantiate the parallel \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) functionality (i.e., to generate the triples in the initialization phase). Specifically, we replace the underlying secret sharing used in our protocol with secret sharing based on AG codes for constant-size fields from Theorem 1. The passive protocol additionally requires ramp hyper-invertible matrices which we rely on the construction from [15, 54]. We note that the passively-secure honest-majority m-party protocol of [23] can generate \(T = \Omega (m)\) random triples with total communication complexity O(mT). Second, we will consider \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) and \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) whose underlying secret sharing scheme is based on the same AG secret sharing scheme. Specifically, parallel \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) distributes secret shares of many triples ab and c such that \(a\cdot b = c\). Then the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) to \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) reduction works essentially as described in Sect. 3.5, where the only difference is that the values ed are reconstructed using the reconstruction procedure of the AG secret sharing scheme. Consequently, we obtain the following theorem.

Theorem 6

Let \(\kappa ,s\) denote computational and statistical security parameters (resp.), m denote the number of parties, and \({\mathbb {F}}\) be a constant-size field. Then, for \(\epsilon >0\), there exists a protocol compiler that, given a pseudorandom generator G with seed length \(\kappa \), s, and a description of an m-party functionality expressed as a depth-d circuit \(\textrm{C}\) with constant fan-in, outputs a UC-secure O(d)-round m-party protocol realizing f with \(O(m|\textrm{C}|) + {\textsf{poly}}(m,\kappa , d)\) bits total communication complexity, and security against a static adversary corrupting at most \((1-\epsilon )n/3\) of parties.

A few remarks about the preceding theorem are in order. First, we do not achieve optimal threshold. From Theorem 1, we have that the required packed secret sharing scheme can only be instantiated with threshold \((1-\epsilon )n/3\). For this threshold, we remark that it improves over the result of Chida et al. [18] that achieves O(s) overhead for binary fields and generalizes the result of Ishai et al. [43] that achieves the same result, but only for a constant number of parties. We remark that the latter protocol additionally achieves constant-rate communication,Footnote 11 while our protocol only achieves constant-overhead.

6.2 Constant Overhead MPC over Fields of Arbitrary Size

6.2.1 Dishonest majority

To obtain our result for fields of arbitrary size, we realize the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{RMULT}}\) functionality using a passively-secure OLE protocol. For fields of size \(\le s\) we rely on AG sharing, whereas for fields of size \(\Omega (s)\) we use Reed–Solomon codes. Thus, we can re-derive a result of Genkin et al. [27] (Theorem 5.7 in the full version), who construct an actively-secure m-party protocol for arbitrary functionalities (represented by an arithmetic circuit \(\textrm{C}\)), in the dishonest majority setting, using \(O(m^2 \left| {\textrm{C}}\right| )\) calls to an OLE oracle. More precisely, we have the following theorem:

Theorem 7

Let \(\kappa ,s\) denote computational and statistical security parameters (resp.), m denote the number of parties, and \({\mathbb {F}}\) be a field. Then there exists a protocol compiler that, given a pseudorandom generator G with seed length \(\kappa \), s, a constant-round implementation of the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{OLE}}\) functionality over \({\mathbb {F}}\) with total communication complexity \(\textrm{CC}_{\scriptscriptstyle \textrm{OLE}}\), and a description of an m-party functionality expressed as a depth-d arithmetic circuit \(\textrm{C}\) over \({\mathbb {F}}\) with constant fan-in, outputs a UC-secure O(d)-round m-party protocol realizing f with communication complexity \(O(m^2 \left| {\textrm{C}}\right| \textrm{CC}_{\scriptscriptstyle \textrm{OLE}}) + {\textsf{poly}}(m,\kappa ,d)\) field elements, with security against an active adversary corrupting an arbitrary number of parties.

This result asymptotically matches the communication complexity of the best known passively-secure protocol [32] using a passively-secure OLE protocol. Furthermore, for sufficiently wide circuits, we can show that the overhead of our protocols is 2. We present the concrete parameters in Appendix A.

6.2.2 Honest majority

Just as in Sect. 6.1, we can obtain constant overhead over the best passively-secure protocol in the honest majority setting:

Theorem 8

Let \(\kappa ,s\) denote computational and statistical security parameters (resp.), m denote the number of parties, and \({\mathbb {F}}\) be a field. Then, for every \(\epsilon >0\) there exists a protocol compiler that, given a pseudorandom generator G with seed length \(\kappa \), s, and a description of an m-party functionality expressed as a depth-d arithmetic circuit \(\textrm{C}\) over \({\mathbb {F}}\) with constant fan-in, outputs a UC-secure O(d)-round m-party protocol realizing f with total communication complexity \(O(m|\textrm{C}|) + {\textsf{poly}}(m,\kappa , d)\) bits, where security holds against a static adversary corrupting a minority of parties for large fields \(|{\mathbb {F}}| = \Omega (\log n)\) and corrupting at most \((1-\epsilon )n/3\) parties for constant-sized fields.

Applying the concrete analysis from Appendix A we re-derive the result of Chida et al. [18] who show an overhead-2 actively-secure honest-majority protocol. Their result applies to arbitrary circuits over sufficiently large fields, whereas ours achieves overhead of 2 for sufficiently wide circuits.

7 Extensions and Further Corollaries

In this section, we discuss various generalizations and extensions of our compiler.

7.1 Imperfect \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\)

As discussed in the introduction we can instantiate the \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\)-functionality via a protocol that only guarantees “weaker” than passive security.

In this section, we describe how to instantiate our compiler with an imperfect passive implementation of \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\), which may have a non-negligible simulation error. This is particularly relevant to lattice-based implementations for which one can obtain better efficiency, at the cost of causing a simulation error, by setting the parameters more “aggressively.” Hazay et al. [36] show how to compile an imperfect OLE protocol into a fully-secure OLE protocol. In their work, “imperfectness” was modeled via a natural “exclusion set” model described below.

We will restrict our attention to \({{{\mathcal {F}}}}_{\scriptscriptstyle \textrm{MULT}}\) implementations based on OLEs, leaving more general discussions to future work. We also consider only the case of employing OLE over random inputs, since this suffices for our compiler. Furthermore, we will focus on the case of an OLE that is (fully) computationally secure against passive corruption of the sender and is \(\epsilon \)-statistically secure against passive corruption of the receiver on random inputs (see below). This will be sufficient to capture our OLE instantiations based on lattice assumptions. We start by defining the notion of \(\epsilon \)-secure OLE over uniformly random inputs. Let \(\Pi = \langle P_0,P_1 \rangle \) denote a two-party protocol, where each party is given an input (x for \(P_0\) and y for \(P_1\)). Denote by \(\textbf{View}_{P_i}(P_0(x),P_1(y))\) the view of the party \(P_i\) in the real execution of \(\Pi \) where x is \(P_0\)’s initial input, and y is \(P_1\)’s initial input.

Definition 7

(\(\epsilon \)-secure OLE) We say that a two party protocol \(\Pi =({{{\mathcal {S}}}},{{{\mathcal {R}}}})\) is an \(\epsilon \)-secure OLE implementation over \({\mathbb {F}}_p\) w.r.t the uniform distribution, if for every \(x\in {\mathbb {F}}_p\) the statistical distance between the following two distributions is bounded by \(\epsilon \):

  • \(\{(a,b,\textbf{View}_{{{{\mathcal {R}}}}}({{{\mathcal {S}}}}(a,b),{{{\mathcal {R}}}}(x)))\}\)

  • \(\{(a',b',\textbf{View}_{{{{\mathcal {R}}}}}({{{\mathcal {S}}}}(a,b),{{{\mathcal {R}}}}(x)))\}\)

over ab sampled uniformly from \({\mathbb {F}}_p\), and \(a',b'\) sampled uniformly from \({\mathbb {F}}_p\) subject to \(a'x+b' = ax+b\) over \({\mathbb {F}}_p\).

We conjecture that given an \(\epsilon \)-secure OLE, our compiler from Sect. 5 can compile it to a fully-secure OLE. We leave the question of proving/disproving this conjecture as an interesting open problem. For evidence in support of this conjecture, we refer to [36] who analyzed a similar compiler with an imperfect OLE that is an instance of an \(\epsilon \)-secure OLE. More precisely, they consider an ideal OLE functionality that asks the adversary to specify an exclusion set A and leaks to the adversary the single information bit of whether the honest party’s input belongs to A. They prove that if the exclusion set is relatively small compared to the field size, then security can be amplifies via the IPS compiler. On a high-level, they argue that in the IPS compiler, even if the adversary learns all the shares of servers on its watchlist, and a small amount of leakage (via exclusion sets) on each of the remaining shares, the actual secret remains hidden. More formally, they quantify leakage following the framework of Benhamouda et al. [4]. The bottom line in their analysis shows that an \(\epsilon \)-imperfect OLE (in the exclusion set model) additionally adds a statistical error of \(p^{-k+1}\cdot O((\epsilon \cdot p)^{n-t-e})\) where \(p = \left| {{\mathbb {F}}}\right| \).

7.1.1 Concrete LWE Parameters Based on our Conjecture

We repeat the crude analysis verbatim from [36] which suggests a choice of parameters for imperfect LWE-based OLE that the compiler can tolerate. To understand the leakage in standard Ring-LWE-based schemes [51], we recall some relevant parameters. Denote the plaintext modulus by p, and the ciphertext modulus by q. Then, the magnitude of the statistical error is bounded by \(\log _2(q) - \log _2(O(c\cdot p^2 \cdot \Phi ))\) where \(c \equiv q \bmod p\) (typically made small by choosing an appropriate q), and \(\Phi \) is the packing factor. In other words, the statistical distance between encryptions of different inputs is roughly \(c\cdot p^2 \cdot \Phi /q\), which could be large for aggressive parameter choices. Applying the standard implementation of (passive) OLE based on additively homomorphic encryption, instantiated with Ring-LWE encryption with these parameters, will result in an imperfect OLE where the amount of entropy from the sender’s inputs leaked to the receiver (on a random input) is roughly \(c\cdot p^2 \cdot \Phi /q\) bits. Our analysis only considers a simple leakage where the leakage functions are exclusion sets. We conjecture that this model is “complete” in the sense that (in the context of the IPS-style compiler of [36]) it captures a general leakage with the same amount of entropy, namely by setting \(\log _2(\epsilon )\) as \(c\cdot p^2 \cdot \Phi /q\).

In order to get a passive OLE, one needs the magnitude of this error to be at least the statistical parameter (e.g., 40, 80 or 128). For example, if p is a 20-bit prime and \(\Phi = 2^{13}\), then a 127-bit modulus q gives a passive OLE with 64-bit security (where typically c and the constant behind \(O(\cdot )\) are roughly \(2^5\)). However, if we use a 88-bit modulus q, the statistical error will be roughly \(2^{-25}\). For these parameters, the error is roughly \(1/\sqrt{p}\) and allows us to get negligible statistical error. Therefore, the compiler of [36] can amplify this to a fully-secure OLE. Since their compiler requires twice as many passive/imperfect OLEs, the communication overhead of an actively secure OLE protocol against the passive OLE protocol can be estimated by \(2\cdot 88/127 = 1.38 < 2\).

For some parameter regimes (e.g., larger statistical security parameters), their construction of actively-secure OLE is actually more communication efficient than a naive construction of passively-secure OLE with a larger security parameter. If we used the parameters described above but demanded 128-bit security, \(\log _2(q)\) will be 184 and 85, respectively, for passive and active and the overhead will be \(2\cdot 85/184 = 0.924 <1\).

7.2 Constant-Round Protocols in the Boolean Setting

We remark that our techniques also yields an interesting corollary for securely computing Boolean functionalities in the constant-round regime. This follows from two observations:

  1. 1.

    Securely evaluating a Boolean circuit can be reduced to securely computing a distributed garbling of the underlying circuit [12].

  2. 2.

    The BMR distributed garbling scheme can be expressed as an arithmetic circuit over the field \(GF(2^\kappa )\) with \(O(\left| {\textrm{C}}\right| )\) multiplication gates, and depth-2, where \(\textrm{C}\) is the circuit being garbled.

Now, we can rely on our protocol for arithmetic circuits to first securely compute a distributed garbling of the underlying functionality and then follow the standard protocol based on BMR garbling.

We highlight that distributed garbling would be an instance of a “very-wide” circuit, as the width of the garbling circuit is \(O(\left| {\textrm{C}}\right| )\).

In the regime of constant-round protocols, the state of the art is due to Wang et al. [68] who show how to achieve actively-secure multi-party computation for Boolean computations with \(s/\log \left| {\textrm{C}}\right| \) overhead over the best passive protocol, namely [12]. Their work is incomparable to ours, as theirs is in the OT-hybrid model, whereas ours requires OLE.