General Adversaries in Unconditional Multi-party Computation
We consider a generalized adversary model for unconditionally secure multi-party computation. The adversary can actively corrupt (i.e. take full control over) a subset D ⊆ P of the players and, additionally, can passively corrupt (i.e. read the entire information of) another subset E ⊆ P of the players. The adversary is characterized by a generalized adversary structure, i.e. a set of pairs (D, E); it may select one arbitrary pair from the structure and corrupt the players accordingly. This generalizes the classical threshold results of Ben-Or, Goldwasser and Wigderson, of Chaum, Crépeau and Damgård, and of Rabin and Ben-Or, as well as the non-threshold results of Hirt and Maurer.
The generalizations and improvements on the results of Hirt and Maurer are three-fold: First, we generalize their model by considering mixed (active and passive) non-threshold adversaries and characterize completely the adversary structures for which unconditionally secure multi-party computation is possible, for four different models: Perfect security with and without broadcast, and unconditional security (with negligible error probability) with and without broadcast. All bounds are tight. Second, some of their protocols have complexity super-polynomial in the size of the adversary structure; we reduce the complexity to polynomial. Third, we prove the existence of adversary structures for which no polynomial (in the number of players) protocols exist.
The following two implications illustrate the usefulness of these results: The most powerful adversary that is unconditionally tolerated by previous protocols among three players is the one that passively corrupts one arbitrary player; using our protocols one can unconditionally tolerate an adversary that either passively corrupts the first player, or actively corrupts the second or the third player.
Moreover, in a setting with arbitrarily many cheating players who want to compute an agreed function with the help of a trusted party, we can relax the trust requirement into this helping party: Without support from the cheating players the helping party obtains no information about the honest players’ inputs and outputs.
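To make the model concrete, the following added Python example (not code from the paper) represents a generalized adversary structure as a set of (D, E) pairs, builds the classical (t_a, t_p) threshold structure, and encodes the three-player example above. The covering check satisfies_q(structure, players, k, l) generalizes the Q^k property of Hirt and Maurer to pairs and is introduced here only for illustration: which (k, l) characterizes each of the four security models is stated in the paper body, not in this abstract, so the example evaluates it for sample values only. All function names, the player labels and the sample structures are the example's own.

```python
"""Mixed general adversary structures as sets of (D, E) pairs.

Added example, not the paper's own code. D is the actively corrupted set,
E the passively corrupted set; the adversary picks one pair. satisfies_q is
a pair version of the Q^k covering property (an assumption of this example,
not a condition quoted from the abstract).
"""
from itertools import combinations, combinations_with_replacement, permutations

Pair = tuple[frozenset, frozenset]


def pair(active=(), passive=()) -> Pair:
    return (frozenset(active), frozenset(passive))


def threshold_structure(players, t_a, t_p):
    """Maximal pairs of the classical (t_a, t_p) threshold adversary:
    any t_a players actively plus any t_p further players passively."""
    players = frozenset(players)
    structure = set()
    for d in combinations(sorted(players), t_a):
        for e in combinations(sorted(players - set(d)), t_p):
            structure.add(pair(d, e))
    return frozenset(structure)


def dominated(p: Pair, structure) -> bool:
    """(D, E) is dominated if some (D', E') in the structure can do at least
    as much: D is inside D' and D | E is inside D' | E' (an actively corrupted
    player's data is readable too)."""
    d, e = p
    return any(d <= d2 and (d | e) <= (d2 | e2) for d2, e2 in structure)


def stronger(a, b) -> bool:
    """Structure a is at least as strong as b: every pair of b is dominated in a."""
    return all(dominated(p, a) for p in b)


def is_threshold(structure, players) -> bool:
    """A structure is threshold-type exactly when it is invariant under every
    renaming of the players (no player is treated specially)."""
    players = sorted(players)
    for perm in permutations(players):
        rename = dict(zip(players, perm))
        for d, e in structure:
            image = pair({rename[x] for x in d}, {rename[x] for x in e})
            if not dominated(image, structure):
                return False
    return True


def satisfies_q(structure, players, k, l) -> bool:
    """Q^(k,l): no k pairs (chosen with repetition) have the union of their
    k active sets and of l of their passive sets equal to the player set."""
    players = frozenset(players)
    for chosen in combinations_with_replacement(tuple(structure), k):
        actives = frozenset().union(*(d for d, _ in chosen))
        for subset in combinations(chosen, l):
            passives = frozenset().union(*(e for _, e in subset))
            if actives | passives == players:
                return False
    return True


# Constructed instance: the three-player example of the abstract.
PLAYERS3 = ("p1", "p2", "p3")
Z_OLD = threshold_structure(PLAYERS3, 0, 1)   # one arbitrary passive player
Z_NEW = frozenset({pair(passive={"p1"}), pair(active={"p2"}), pair(active={"p3"})})

if __name__ == "__main__":
    print("threshold-type:", is_threshold(Z_OLD, PLAYERS3), is_threshold(Z_NEW, PLAYERS3))
    print("new strictly stronger:", stronger(Z_NEW, Z_OLD) and not stronger(Z_OLD, Z_NEW))
    for k, l in ((2, 1), (3, 0), (3, 2)):
        print(f"Q^({k},{l}) old/new:", satisfies_q(Z_OLD, PLAYERS3, k, l),
              satisfies_q(Z_NEW, PLAYERS3, k, l))
```

Running the script shows the point of the abstract's comparison: the new structure dominates the old one-passive-player structure (actively corrupting p2 covers passively corrupting p2) but not conversely, and it is not a threshold structure because swapping p1 and p2 produces a pair it does not contain. For a threshold structure the covering check reduces to counting, since k active sets of size t_a and l passive sets of size t_p cover at most k·t_a + l·t_p players.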
Keywords: General adversaries, mixed model, multi-party computation, unconditional security
- Bea91. Beaver, D.: Secure multiparty protocols and zero-knowledge proof systems tolerating a faulty minority. Journal of Cryptology, 75–122 (1991)
- BGW88. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: Proc. 20th ACM Symposium on the Theory of Computing (STOC), pp. 1–10 (1988)
- BL88. Benaloh, J.C., Leichter, J.: Generalized secret sharing and monotone functions. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 27–35. Springer, Heidelberg (1990)
- Can98. Canetti, R.: Security and composition of multi-party cryptographic protocols. Manuscript (June 1998); former (more general) version: Modular composition of multi-party cryptographic protocols (November 1997)
- CCD88. Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols (extended abstract). In: Proc. 20th ACM Symposium on the Theory of Computing (STOC), pp. 11–19 (1988)
- CDD+99. Cramer, R., Damgård, I., Dziembowski, S., Hirt, M., Rabin, T.: Efficient multiparty computations with dishonest minority. In: Advances in Cryptology — EUROCRYPT 1999. LNCS, Springer, Heidelberg (1999)
- CDM99. Cramer, R., Damgård, I., Maurer, U.: General secure multi-party computation from any linear secret sharing scheme. Manuscript (1999)
- Cha89. Chaum, D.: The spymasters double-agent problem. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 591–602. Springer, Heidelberg (1990)
- Dam99. Damgård, I.: An error in the mixed adversary protocol by Fitzi, Hirt and Maurer. Paper 99-03 (1999), available at http://philby.ucsd.edu/cryptolib.html
- FHM98. Fitzi, M., Hirt, M., Maurer, U.: Trading correctness for privacy in unconditional multi-party computation. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 121. Springer, Heidelberg (1998)
- FM98. Fitzi, M., Maurer, U.: Efficient Byzantine agreement secure against general adversaries. In: Distributed Computing — DISC 1998, September 1998. LNCS, vol. 1499, Springer, Heidelberg (1998)
- GHY87. Galil, Z., Haber, S., Yung, M.: Cryptographic computation: Secure fault-tolerant protocols and the public-key model. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 135–155. Springer, Heidelberg (1988)
- GMW87. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game — a completeness theorem for protocols with honest majority. In: Proc. 19th ACM Symposium on the Theory of Computing (STOC), pp. 218–229 (1987)
- HM97. Hirt, M., Maurer, U.: Complete characterization of adversaries tolerable in secure multi-party computation. In: Proc. 16th ACM Symposium on Principles of Distributed Computing (PODC), August 1997, pp. 25–34 (1997)
- ISN87. Ito, M., Saito, A., Nishizeki, T.: Secret sharing scheme realizing general access structure. In: Proceedings IEEE Globecom 1987, pp. 99–102. IEEE, Los Alamitos (1987)
- KY. Karlin, A., Yao, A.C.: Manuscript
- MR98. Micali, S., Rogaway, P.: Secure computation. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 392–404. Springer, Heidelberg (1992)
- RB89. Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority. In: Proc. 21st ACM Symposium on the Theory of Computing (STOC), pp. 73–85 (1989)
- SS98. Smith, A., Stiglic, A.: Multiparty computation unconditionally secure against Q2 adversary structures. Manuscript (July 1998)
- Yao82. Yao, A.C.: Protocols for secure computations. In: Proc. 23rd IEEE Symposium on the Foundations of Computer Science (FOCS), pp. 160–164. IEEE, Los Alamitos (1982)