# Efficient Multiparty Protocols Using Circuit Randomization

## Abstract

The difference between theory and practice often rests on one major factor: efficiency. In distributed systems, communication is usually expensive, and protocols designed for practical use must require as few rounds of communication and as small messages as possible.

A secure multiparty protocol to compute function *F* is a protocol that, when each player *i* of *n* players starts with private input *x*_{i}, provides each participant *i* with *F*(*x*_{1},...*x*_{n}) without revealing more information than what can be derived from learning the function value. Some number *l* of players may be corrupted by an adversary who may then change the messages they send. Recent solutions to this problem have suffered in practical terms: while theoretically using only polynomially-many rounds, in practice the constants and exponents of such polynomials are too great. Normally, such protocols express *F* as a circuit *C*_{F}, call on each player to secretly share*x*_{i}, and proceed to perform “secret addition and multiplication” on secretly shared values. The cost is proportional to the depth of *C*_{F} times the cost of secret multiplication; and multiplication requires several rounds of interaction.

We present a protocol that simplifies the body of such a protocol and significantly reduces the number of rounds of interaction. The steps of our protocol take advantage of a new and counterintuitive technique for evaluating a circuit; set every input to every gate in the circuit completely at random, and then make corrections. Our protocol replaces each secret multiplication — multiplication that requires further sharing, addition, zero-knowledge proofs, and secret reconstruction — that is used during the body of a standard protocol by a simple reconstruction of secretly shared values, thereby reducing rounds by an order of magnitude. Furthermore, these reconstructions require only broadcast messages (but do *not* require Byzantine Agreement). The simplicity of broadcast and reconstruction provides efficiency and ease of implementation. Our transformation is simple and compatible with other techniques for reducing rounds.

### References

- [1]J. Bar-Ilan, D. Beaver. “Non-Cryptographic Fault-Tolerant Computing in a Constant Expected Number of Rounds of Interaction.”
*Proceedings of PODC*, ACM, 1989, 201–209.Google Scholar - [2]D. Beaver. “Secure Multiparty Protocols and Zero Knowledge Proof Systems Tolerating a Faulty Minority.” To appear,
*J. Cryptology*. An earlier version appeared as “Secure Multiparty Protocols Tolerating Half Faulty Processors.”*Proceedings of Crypto 1989*, ACM, 1989.Google Scholar - [3]D. Beaver.
*Security, Fault Tolerance, and Communication Complexity in Distributed Systems*. PhD Thesis, Harvard University, Cambridge, 1990.Google Scholar - [4]D. Beaver, S. Goldwasser. “Multiparty Computation with Faulty Majority.”
*Proceedings of the*30^{th}*FOCS*, IEEE, 1989, 468–473.Google Scholar - [5]D. Beaver, S. Haber. “Cryptographic Protocols Provably Secure Against Dynamic Adversaries.” Submitted to FOCS 91.Google Scholar
- [6]D. Beaver, S. Micali, P. Rogaway. “The Round Complexity of Secure Protocols.”
*Proceedings of the*22^{st}*STOC*, ACM, 1990, 503–513.Google Scholar - [7]M. Ben-Or, S. Goldwasser, A. Wigderson. “Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation.”
*Proceedings of the*20^{th}*STOC*, ACM, 1988, 1–10.Google Scholar - [8]D. Chaum, C. Crépeau, I. Damgård. “Multiparty Unconditionally Secure Protocols.”
*Proceedings of the*20^{th}*STOC*, ACM, 1988, 11–19.Google Scholar - [9]Z. Galil, S. Haber, M. Yung. “Cryptographic Computation: Secure Fault-Tolerant Protocols and the Public-Key Model.”
*Proceedings of Crypto 1987*, Springer-Verlag, 1988, 135–155.Google Scholar - [10]O. Goldreich, S. Micali, A. Wigderson. “Proofs that Yield Nothing but Their Validity and a Methodology of Cryptographic Protocol Design.”
*Proceedings of the*27^{th}*FOCS*, IEEE, 1986, 174–187.Google Scholar - [11]O. Goldreich, S. Micali, A. Wigderson. “How to Play Any Mental Game, or A Completeness Theorem for Protocols with Honest Majority.”
*Proceedings of the*19^{th}*STOC*, ACM, 1987, 218–229.Google Scholar - [12]S. Goldwasser, L. Levin. “Fair Computation of General Functions in Presence of Immoral Majority.”
*Proceedings of Crypto 1990*.Google Scholar - [13]S. Haber.
*Multi-Party Cryptographic Computation: Techniques and Applications*, PhD Thesis, Columbia University, 1988.Google Scholar - [14]T. Rabin, M. Ben-Or. “Verifiable Secret Sharing and Multiparty Protocols with Honest Majority.”
*Proceedings of the*21^{st}*STOC*, ACM, 1989, 73–85.Google Scholar - [15]A. Shamir. “How to Share a Secret.”
*Communications of the ACM*,**22**(1979), 612–613.MATHCrossRefMathSciNetGoogle Scholar