# Efficient Multiparty Protocols Using Circuit Randomization

- First Online:

DOI: 10.1007/3-540-46766-1_34

- Cite this paper as:
- Beaver D. (1992) Efficient Multiparty Protocols Using Circuit Randomization. In: Feigenbaum J. (eds) Advances in Cryptology — CRYPTO ’91. CRYPTO 1991. Lecture Notes in Computer Science, vol 576. Springer, Berlin, Heidelberg

## Abstract

The difference between theory and practice often rests on one major factor: efficiency. In distributed systems, communication is usually expensive, and protocols designed for practical use must require as few rounds of communication and as small messages as possible.

A secure multiparty protocol to compute function *F* is a protocol that, when each player *i* of *n* players starts with private input *x*_{i}, provides each participant *i* with *F*(*x*_{1},...*x*_{n}) without revealing more information than what can be derived from learning the function value. Some number *l* of players may be corrupted by an adversary who may then change the messages they send. Recent solutions to this problem have suffered in practical terms: while theoretically using only polynomially-many rounds, in practice the constants and exponents of such polynomials are too great. Normally, such protocols express *F* as a circuit *C*_{F}, call on each player to secretly share*x*_{i}, and proceed to perform “secret addition and multiplication” on secretly shared values. The cost is proportional to the depth of *C*_{F} times the cost of secret multiplication; and multiplication requires several rounds of interaction.

We present a protocol that simplifies the body of such a protocol and significantly reduces the number of rounds of interaction. The steps of our protocol take advantage of a new and counterintuitive technique for evaluating a circuit; set every input to every gate in the circuit completely at random, and then make corrections. Our protocol replaces each secret multiplication — multiplication that requires further sharing, addition, zero-knowledge proofs, and secret reconstruction — that is used during the body of a standard protocol by a simple reconstruction of secretly shared values, thereby reducing rounds by an order of magnitude. Furthermore, these reconstructions require only broadcast messages (but do *not* require Byzantine Agreement). The simplicity of broadcast and reconstruction provides efficiency and ease of implementation. Our transformation is simple and compatible with other techniques for reducing rounds.