Efficient Multiparty Protocols Using Circuit Randomization

  • Donald Beaver
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 576)


The difference between theory and practice often rests on one major factor: efficiency. In distributed systems, communication is usually expensive, and protocols designed for practical use must require as few rounds of communication and as small messages as possible.

A secure multiparty protocol to compute function F is a protocol that, when each player i of n players starts with private input x i, provides each participant i with F(x 1,...x n) without revealing more information than what can be derived from learning the function value. Some number l of players may be corrupted by an adversary who may then change the messages they send. Recent solutions to this problem have suffered in practical terms: while theoretically using only polynomially-many rounds, in practice the constants and exponents of such polynomials are too great. Normally, such protocols express F as a circuit C F, call on each player to secretly sharex i, and proceed to perform “secret addition and multiplication” on secretly shared values. The cost is proportional to the depth of C F times the cost of secret multiplication; and multiplication requires several rounds of interaction.

We present a protocol that simplifies the body of such a protocol and significantly reduces the number of rounds of interaction. The steps of our protocol take advantage of a new and counterintuitive technique for evaluating a circuit; set every input to every gate in the circuit completely at random, and then make corrections. Our protocol replaces each secret multiplication — multiplication that requires further sharing, addition, zero-knowledge proofs, and secret reconstruction — that is used during the body of a standard protocol by a simple reconstruction of secretly shared values, thereby reducing rounds by an order of magnitude. Furthermore, these reconstructions require only broadcast messages (but do not require Byzantine Agreement). The simplicity of broadcast and reconstruction provides efficiency and ease of implementation. Our transformation is simple and compatible with other techniques for reducing rounds.


Secret Sharing Auxiliary Input Random Polynomial Byzantine Agreement Input Wire 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. [1]
    J. Bar-Ilan, D. Beaver. “Non-Cryptographic Fault-Tolerant Computing in a Constant Expected Number of Rounds of Interaction.” Proceedings of PODC, ACM, 1989, 201–209.Google Scholar
  2. [2]
    D. Beaver. “Secure Multiparty Protocols and Zero Knowledge Proof Systems Tolerating a Faulty Minority.” To appear, J. Cryptology. An earlier version appeared as “Secure Multiparty Protocols Tolerating Half Faulty Processors.” Proceedings of Crypto 1989, ACM, 1989.Google Scholar
  3. [3]
    D. Beaver. Security, Fault Tolerance, and Communication Complexity in Distributed Systems. PhD Thesis, Harvard University, Cambridge, 1990.Google Scholar
  4. [4]
    D. Beaver, S. Goldwasser. “Multiparty Computation with Faulty Majority.” Proceedings of the 30th FOCS, IEEE, 1989, 468–473.Google Scholar
  5. [5]
    D. Beaver, S. Haber. “Cryptographic Protocols Provably Secure Against Dynamic Adversaries.” Submitted to FOCS 91.Google Scholar
  6. [6]
    D. Beaver, S. Micali, P. Rogaway. “The Round Complexity of Secure Protocols.” Proceedings of the 22st STOC, ACM, 1990, 503–513.Google Scholar
  7. [7]
    M. Ben-Or, S. Goldwasser, A. Wigderson. “Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation.” Proceedings of the 20th STOC, ACM, 1988, 1–10.Google Scholar
  8. [8]
    D. Chaum, C. Crépeau, I. Damgård. “Multiparty Unconditionally Secure Protocols.” Proceedings of the 20th STOC, ACM, 1988, 11–19.Google Scholar
  9. [9]
    Z. Galil, S. Haber, M. Yung. “Cryptographic Computation: Secure Fault-Tolerant Protocols and the Public-Key Model.” Proceedings of Crypto 1987, Springer-Verlag, 1988, 135–155.Google Scholar
  10. [10]
    O. Goldreich, S. Micali, A. Wigderson. “Proofs that Yield Nothing but Their Validity and a Methodology of Cryptographic Protocol Design.” Proceedings of the 27th FOCS, IEEE, 1986, 174–187.Google Scholar
  11. [11]
    O. Goldreich, S. Micali, A. Wigderson. “How to Play Any Mental Game, or A Completeness Theorem for Protocols with Honest Majority.” Proceedings of the 19th STOC, ACM, 1987, 218–229.Google Scholar
  12. [12]
    S. Goldwasser, L. Levin. “Fair Computation of General Functions in Presence of Immoral Majority.” Proceedings of Crypto 1990.Google Scholar
  13. [13]
    S. Haber. Multi-Party Cryptographic Computation: Techniques and Applications, PhD Thesis, Columbia University, 1988.Google Scholar
  14. [14]
    T. Rabin, M. Ben-Or. “Verifiable Secret Sharing and Multiparty Protocols with Honest Majority.” Proceedings of the 21st STOC, ACM, 1989, 73–85.Google Scholar
  15. [15]
    A. Shamir. “How to Share a Secret.” Communications of the ACM, 22 (1979), 612–613.zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1992

Authors and Affiliations

  • Donald Beaver
    • 1
    • 2
  1. 1.AT&T Bell LaboratoriesUSA
  2. 2.Penn State Univ.State College

Personalised recommendations