Two-Round Multiparty Secure Computation from Minimal Assumptions

Garg, Sanjam; Srinivasan, Akshayaram

doi:10.1007/978-3-319-78375-8_16

Sanjam Garg¹⁵ &
Akshayaram Srinivasan¹⁵

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10821))

Included in the following conference series:

Annual International Conference on the Theory and Applications of Cryptographic Techniques

3467 Accesses
91 Citations

Abstract

We provide new two-round multiparty secure computation (MPC) protocols assuming the minimal assumption that two-round oblivious transfer (OT) exists. If the assumed two-round OT protocol is secure against semi-honest adversaries (in the plain model) then so is our two-round MPC protocol. Similarly, if the assumed two-round OT protocol is secure against malicious adversaries (in the common random/reference string model) then so is our two-round MPC protocol. Previously, two-round MPC protocols were only known under relatively stronger computational assumptions. Finally, we provide several extensions.

Research supported in part from AFOSR YIP Award, DARPA/ARL SAFEWARE Award W911NF15C0210, AFOSR Award FA9550-15-1-0274, and research grants by the Okawa Foundation, Visa Inc., and Center for Long-Term Cybersecurity (CLTC, UC Berkeley). The views expressed are those of the author and do not reflect the official policy or position of the funding agencies.

You have full access to this open access chapter, Download conference paper PDF

Three-Round Secure Multiparty Computation from Black-Box Two-Round Oblivious Transfer

Round Optimal Secure Multiparty Computation from Minimal Assumptions

Two-Round Adaptively Secure Multiparty Computation from Standard Assumptions

1 Introduction

Can a group of n mutually distrusting parties compute a joint function of their private inputs without revealing anything more than the output to each other? This is the classical problem of secure computation in cryptography. Yao [Yao86] and Goldreich et al. [GMW87] provided protocols for solving this problem in the two-party (2PC) and the multiparty (MPC) cases, respectively.

A remarkable aspect of the 2PC protocol based on Yao’s garbled circuit construction is its simplicity and the fact that it requires only two-rounds of communication. Moreover, this protocol can be based just on the minimal assumption that two-round 1-out-of-2 oblivious transfer (OT) exists. Two-round OT can itself be based on a variety of computational assumptions such as the Decisional Diffie-Hellman Assumption [AIR01, NP01, PVW08], quadratic residuosity assumption [HK12, PVW08] or the learning-with-errors assumption [PVW08].

In contrast, much less is known about the assumptions that two-round MPC can be based on (constant-round MPC protocols based on any OT protocol are well-known [BMR90]). In particular, two-round MPC protocols are only known under assumptions such as indistinguishability obfuscation [GGHR14, GGH+13] (or, witness encryption [GLS15, GGSW13]), LWE [CM15, MW16, BP16, PS16], or bilinear maps [GS17, BF01, Jou04]. In summary, there is a significant gap between assumptions known to be sufficient for two-round MPC and the assumptions that known to be sufficient for two-round 2PC (or, two-round OT). This brings us to the following main question:

1.1 Our Result

In this work, we give two-round MPC protocols assuming only the necessary assumption that two-round OT exists. In a bit more detail, our main theorem is:

Theorem 1

(Main Theorem). Let $\mathcal {X} \in \{$semi-honest in plain model, malicious in common random/reference sting model$\}$. Assuming the existence of a two-round $\mathcal {X}$-OT protocol, there exists a compiler that transforms any polynomial round, $\mathcal {X}$-MPC protocol into a two-round, $\mathcal {X}$-MPC protocol.

Previously, such compilers [GGHR14, GLS15, GS17] were only known under comparatively stronger computational assumptions such as indistinguishability obfuscation [BGI+01, GGH+13], witness encryption [GGSW13], or using bilinear maps [GS17, BF01, Jou04]. Additionally, two-round MPC protocols assuming the learning-with-errors assumptions were known [MW16, PS16, BP16] in the CRS model satisfying semi-malicious security.^{Footnote 1} We now discuss instantiations of the above compiler with known protocols (with larger round complexity) that yield two-round MPC protocols in various settings under minimal assumptions.

Semi-honest Case. Plugging in the semi-honest secure MPC protocol by Goldreich, Micali, and Wigderson [GMW87], we get the following result:

Corollary 1

Assuming the existence of semi-honest, two-round oblivious transfer in the plain model, there exists a semi-honest, two-round multiparty computation protocol in the plain model.

Previously, two-round plain model semi-honest MPC protocols were only known assuming indistinguishability obfuscation [BGI+01, GGH+13], or witness encryption [GGSW13] or bilinear maps [GS17] or from DDH for a constant number of parties [BGI17]. Thus, using two-round plain model OT [NP01, AIR01, HK12] based on standard number theoretic assumptions such as DDH or QR, this work yields the first two-round semi-honest MPC protocol for polynomial number of parties in the plain model under the same assumptions.

Malicious Case. Plugging in the maliciously secure MPC protocol by Kilian [Kil88] or by Ishai et al. [IPS08] based on any oblivious transfer, we get the following corollary:

Corollary 2

Assuming the existence of UC secure, two-round oblivious transfer against static, malicious adversaries, there exists a UC secure, two-round multiparty computation protocol against static, malicious adversaries.

Previously, all known two-round maliciously secure MPC protocols required additional use of non-interactive zero-knowledge proofs. As a special case, using a DDH based two-round OT protocol (e.g., [PVW08]), this work yields the first two-round malicious MPC protocol in the common random string model under the DDH assumption.

Extensions. In addition to the above main results we obtain several extensions and refer the reader to the main body for details.

Concurrent Work. In a concurrent and independent work, Benhamouda and Lin [BL18] also construct two-round multiparty computation from two-round oblivious transfer. Their construction against semi-honest adversaries is proven under the minimal assumption that two-round, semi-honest oblivious transfer exists. However, their construction against malicious adversaries additionally requires the existence of non-interactive zero-knowledge proofs. Additionally, in the plain model they give a construction of 5-round maliciously secure MPC from 5-round maliciously secure oblivious transfer.

2 Technical Overview

Towards demonstrating the intuition behind our result, in this section, we show how to squish the round complexity of a very simple “toy” protocol to two. Additionally, we sketch how these ideas extend to the general setting and also work in the malicious case. We postpone the details to later sections.

Background: “Garbled Circuits that talk.” The starting point of this work is a recent work of Garg and Srinivasan [GS17] that obtains constructions of two-round MPC from bilinear maps. Building on [GGHR14, GLS15], the key idea behind [GS17] is a new method for enabling “garbled circuits to talk,” which the authors call “garbled protocols.” It is natural to imagine how “garbled circuits that can talk” might be useful for squishing the round complexity of any protocol. By employing this technique, a party can avoid multiple rounds of interaction just by sending a garbled circuit that interacts with the other parties on its behalf. At a technical level, a garbled circuit can “speak” by just outputting a value. However, the idea of enabling garbled circuits to “listen” without incurring any additional interaction poses new challenges. A bit more precisely, “listen” means that a garbled circuit can take as input a bit obtained via a joint computation on its secret state and the secret states of two or more other parties.

In [GS17], this idea was implemented by constructing a special purpose witness encryption [GGSW13, BH15, GOVW12, CDG+17, DG17] using specific algebraic properties of non-interactive zero-knowledge (NIZK) proofs by Gorth, Ostrovsky and Sahai [GOS06]. The key contribution of this work is a realization of the intuition of “garbled circuits that talk” using any two-round OT protocols rather than a specific NIZK proof system. In particular, we avoid using any specialized algebraic properties of the underlying primitives. At the heart of our construction is the following novel use of two-round OT protocols: in our MPC protocol multiple instances of the underlying two-round OT protocol are executed and the secret receiver’s random coins used in some of these executed OT instances are revealed to the other parties. As we explain later, this is done carefully so that the security of the MPC protocol is not jeopardized.

A “toy” protocol for successive ANDs. Stripping away technical details, we highlight our core new idea in the context of a “toy” example, where a garbled circuit will need to listen to one bit. Later, we briefly sketch how this core idea can be used to squish the round complexity of any arbitrary round MPC protocol to two. Recall that, in one round, each party sends a message depending on its secret state and the messages received in prior rounds.

Consider three parties $P_1, P_2$ and $P_3$ with inputs $\alpha ,\beta ,$ and $\gamma $ (which are single bits), respectively. Can we realize a protocol such that the parties learn $f(\alpha ,\beta ,\gamma ) = (\alpha ,\alpha \wedge \beta ,\alpha \wedge \beta \wedge \gamma )$ and nothing more? Can we realize a two-round protocol for the same task? Here is a very simple three-round information theoretic protocol $\varPhi $ (in the semi-honest setting) for this task: In the first round, $P_1$ sends its input $\alpha $ to $P_2$ and $P_3$. In the second round, $P_2$ computes $\delta = \alpha \wedge \beta $ and sends it to $P_1$ and $P_3$. Finally, in the third round, $P_3$ computes $\gamma \wedge \delta $ and sends it to $P_1$ and $P_2$.

Compiling $\varPhi $ into a two-round protocol. The key challenge that we face is that the third party’s message depends on the second party’s message, and the second party’s message depends on the first party’s message. We will now describe our approach to overcome this three-way dependence using two-round oblivious transfer and thus squish this protocol $\varPhi $ into a two-round protocol.

We assume the following notation for a two-round OT protocol. In the first round, the receiver with choice bit $\beta $ generates $c = \mathsf {OT}_1(\beta ;\omega )$ using $\omega $ as the randomness and passes c to the sender. Then in the second round, the sender responds with its OT response $d = \mathsf {OT}_2(c, s_0,s_1)$ where $s_0$ and $s_1$ are its input strings. Finally, using the OT response d and its randomness $\omega $, the receiver recovers $s_\beta $. In our protocol below, we will use a circuit $C[\gamma ]$ that has a bit $\gamma $ hardwired in it and that on input a bit $\delta $ outputs $\gamma \wedge \delta $. At a high level in our protocol, we will have $P_2$ and $P_3$ send extra messages in the first and the second rounds, respectively, so that the third round can be avoided. Here is our protocol:

Round 1: $P_1$ sends $\alpha $ to $P_2$ and $P_3$. $P_2$ prepares $c_0 = \mathsf {OT}_1(0 \wedge \beta ; \omega _0)$ and $c_1 = \mathsf {OT}_1(1 \wedge \beta ; \omega _1)$ and sends $(c_0,c_1)$ to $P_2$ and $P_3$.
Round 2: $P_2$ sends $(\alpha \wedge \beta ,\omega _\alpha )$ to $P_1$ and $P_3$. $P_3$ garbles $\mathsf {C}[\gamma ]$ obtaining $\tilde{\mathsf {C}}$ and input labels $\mathsf {lab}_0$ and $\mathsf {lab}_1$. It computes $d = \mathsf {OT}_2 (c_\alpha , \mathsf {lab}_0,\mathsf {lab}_1)$ and sends $(\tilde{\mathsf {C}},d)$ to $P_1$ and $P_2$.
Output Evaluation: Every party recovers $\mathsf {lab}_{\delta }$ where $\delta = \alpha \wedge \beta $ from d using $\omega _\alpha $. Next, it evaluates the garbled circuit $\tilde{\mathsf {C}}$ using $\mathsf {lab}_\delta $ which outputs $\gamma \wedge \delta $ as desired.

Intuitively, in the protocol above $P_2$ sends two first OT messages $c_0$ and $c_1$ that are prepared assuming $\alpha $ is 0 and assuming $\alpha $ is 1, respectively. Note that $P_3$ does not know $\alpha $ at the beginning of the first round, but $P_3$ does know it at the end of the first round. Thus, $P_3$ just uses $c_\alpha $ while discarding $c_{1-\alpha }$ in preparing its messages for the second round. This achieves the three-way dependency while only using two-rounds. Furthermore, $P_2$’s second round message reveals the randomness $\omega _\alpha $ enabling all parties (and not just $P_2$ and $P_3$) to obtain the label $\mathsf {lab}_\delta $ which can then be used for evaluation of $\tilde{\mathsf {C}}$. In summary, via this mechanism, the garbled circuit $\tilde{\mathsf {C}}$ was able to “listen” to the bit $\delta $ that $P_3$ did not know when generating the garbled circuit.

The above description highlights our ideas for squishing round complexity of an incredibly simple toy protocol where only one bit was being “listened to.” Moreover, the garbled circuit “speaks” or outputs $\gamma \wedge \delta $, which is obtained by all parties. In the above “toy” example, $P_3$’s garbled circuit computes a gate that takes only one bit as input. To compute a gate with two bit inputs, $P_2$ will need to send four first OT messages in the first round instead of two.

Squishing arbitrary protocols. Our approach to enable garbled circuits to “listen to” a larger number of bits with complex dependencies is as follows. We show that any MPC protocol $\varPhi $ between parties $P_1,\cdots P_n$ can be transformed into one satisfying the following format. First, the parties execute a pre-processing step; namely, each party $P_i$ computes some randomized function of its input $x_i$ obtaining public value $z_i$ which is shared with everyone else and private value $v_i$. $z_i$ is roughly an encryption of $x_i$ using randomness from $v_i$ as a one-time pad. $v_i$ also contains random bits that will be used as one-time pad to encrypt bits sent later by $P_i$. Second, each party sets its local state $\mathsf {st}_i = (z_1\Vert \ldots \Vert z_n) \oplus v_i$. That places us at the beginning of the protocol execution phase. In our transformed protocol $\varPhi $ can be written as a sequence of T actions. For each $t \in [T]$ the $t^{th}$ action $\phi _t = (i,f, g,h)$ involves party $P_i$ computing one $\mathsf {NAND}$ gate; it sets $\mathsf {st}_{i,h} = \mathsf {NAND}(\mathsf {st}_{i,f} , \mathsf {st}_{i,g})$ and sends $v_{i,h}\oplus \mathsf {st}_{i,h}$ to all the other parties. Our transformed protocol is such that for any bit $\mathsf {st}_{i,h}$, the bit $v_{i,h}$ is unique and acts as the one-time pad to hide it from the other parties. (Some of the bits in $v_{i}$ are set to 0. These bits do not need to be hidden from other parties.) To complete this action, each party $P_j$ for $j \ne i$ sets $\mathsf {st}_{j,h}$ to be the received bit. After all the actions are completed, each party $P_j$ outputs a function of its local state $\mathsf {st}_j$. In this transformed MPC protocol, in any round only one bit is sent based on just one gate (i.e., the gate obtained as $v_{i,h}\oplus \mathsf {NAND}(\mathsf {st}_{i,f}, \mathsf {st}_{i,g})$ with inputs $\mathsf {st}_{i,f}$ and $\mathsf {st}_{i,g}$, where $v_{i,h}$ is hardwired inside it) computation on two bits. Thus, we can use the above “toy” protocol to achieve this effect.

To squish the round complexity of this transformed protocol, in the first round, we will have each party follow the pre-processing step from above along with a bunch of carefully crafted first OT messages as in our “toy” protocol. In the second round, parties will send a garbled circuit that is expected to “speak” and “listen” to the garbled circuits of the other parties. So when $\phi _1 = (i,f,g,h)$ is executed, we have that the garbled circuit sent by party $P_i$ speaks and all the others listen. Each of these listening garbled circuits uses our “toy” protocol idea from above. After completion of the first action, all the garbled circuits will have read the transcript of communication (which is just the one bit communicated in the first action $\phi _1$). Next, the parties need to execute action $\phi _2= (i,f,g,h)$ and this is done like the first action, and the process continues. This completes the main idea of our construction. Building on this idea, we obtain a compiler that assuming semi-honest two-round OT transforms any semi-honest MPC protocol into a two-round semi-honest MPC protocol. Furthermore, if the assumed semi-honest two-round OT protocol is in the plain model then so will be the resulting MPC protocol.

Compilation in the Malicious Case. The protocol ideas described above only achieve semi-honest security and additional use of non-interactive zero-knowledge (NIZK) proofs [BFM88, FLS90] is required to upgrade security to malicious [AJL+12, MW16]. This has been the case for all known two-round MPC protocol constructions. In a bit more detail, by using NIZKs parties can (without increasing the round complexity) prove in zero-knowledge that they are following protocol specifications. The use of NIZKs might seem essential to such protocols. However, we show that this can be avoided. Our main idea is as follows: instead of proving that the garbled circuits are honestly generated, we require that the garbled circuits prove to each other that the messages they send are honestly generated. Since our garbled circuits can “speak” and “listen” over several rounds without increasing the round complexity of the squished protocol, therefore we can instead use interactive zero-knowledge proof system and avoid NIZKs. Building on this idea we obtain two-round MPC protocols secure against malicious adversaries. We elaborate on this new idea and other issues involved in subsequent sections.

3 Preliminaries

We recall some standard cryptographic definitions in this section. Let $\lambda $ denote the security parameter. A function $\mu (\cdot ) : \mathbb {N} \rightarrow \mathbb {R}^+$ is said to be negligible if for any polynomial $\mathsf {poly}(\cdot )$ there exists $\lambda _0$ such that for all $\lambda > \lambda _0$ we have $\mu (\lambda ) < \frac{1}{\mathsf {poly}(\lambda )}$. We will use $\mathsf {negl}(\cdot )$ to denote an unspecified negligible function and $\mathsf {poly}(\cdot )$ to denote an unspecified polynomial function.

For a probabilistic algorithm A, we denote A(x; r) to be the output of A on input x with the content of the random tape being r. When r is omitted, A(x) denotes a distribution. For a finite set S, we denote $x \leftarrow S$ as the process of sampling x uniformly from the set S. We will use PPT to denote Probabilistic Polynomial Time algorithm.

3.1 Garbled Circuits

Below we recall the definition of garbling scheme for circuits [Yao86] (see Applebaum et al. [AIK04, AIK05], Lindell and Pinkas [LP09] and Bellare et al. [BHR12] for a detailed proof and further discussion). A garbling scheme for circuits is a tuple of PPT algorithms $(\mathsf {Garble}, \mathsf {Eval})$. $\mathsf {Garble}$ is the circuit garbling procedure and $\mathsf {Eval}$ is the corresponding evaluation procedure. More formally:

$(\widetilde{\mathsf {C}},\{{{\mathsf {lbl}}}_{w,b}\}_{w\in \mathsf {inp}(C), b\in \{0,1\}}) \leftarrow \mathsf {Garble}\left( 1^\lambda , C\right) $: $\mathsf {Garble}$ takes as input a security parameter $1^\lambda $, a circuit $C$, and outputs a garbled circuit $\widetilde{\mathsf {C}}$ along with labels ${{\mathsf {lbl}}}_{w,b}$ where $w\in \mathsf {inp}(C)$ ($\mathsf {inp}(C)$ is the set of input wires of C) and $b \in \{0,1\}$. Each label ${{\mathsf {lbl}}}_{w,b}$ is assumed to be in $\{0,1\}^\lambda $.
$y\leftarrow \mathsf {Eval}\left( \widetilde{\mathsf {C}}, \{{{\mathsf {lbl}}}_{w,x_w}\}_{w\in \mathsf {inp}(C)}\right) $: Given a garbled circuit $\widetilde{\mathsf {C}}$ and a sequence of input labels $\{ {{\mathsf {lbl}}}_{w,x_w}\}_{w\in \mathsf {inp}(C)}$ (referred to as the garbled input), $\mathsf {Eval}$ outputs a string $y$.

Correctness. For correctness, we require that for any circuit $C$ and input $x\in \{0,1\}^{|\mathsf {inp}(C)|}$ we have that:

$$\begin{aligned} \Pr \left[ C(x) = \mathsf {Eval}\left( \widetilde{\mathsf {C}}, \{\mathsf{lbl}_{w,x_w}\}_{w\in \mathsf {inp}(C)}\right) \right] = 1 \end{aligned}$$

where $(\widetilde{\mathsf {C}}, \{\mathsf{lbl}_{w,b}\}_{w\in \mathsf {inp}(C), b\in \{0,1\}}) \leftarrow \mathsf {Garble}\left( 1^\lambda , C\right) $.

Security. For security, we require that there exists a PPT simulator $\mathsf {Sim}$ such that for any circuit $C$ and input $x\in \{0,1\}^{|\mathsf {inp}(C)|}$, we have that

$$\begin{aligned} \left( \widetilde{\mathsf {C}}, \{{{\mathsf {lbl}}}_{w,x_w}\}_{w\in \mathsf {inp}(C)}\right) \overset{c}{\approx }\mathsf {Sim}\left( 1^{|C|}, 1^{|x|},C(x)\right) \end{aligned}$$

where $(\widetilde{\mathsf {C}}, \{{{\mathsf {lbl}}}_{w,b}\}_{w\in \mathsf {inp}(C), b\in \{0,1\}}) \leftarrow \mathsf {Garble}\left( 1^{\lambda },C\right) $ and $\overset{c}{\approx }$ denotes that the two distributions are computationally indistinguishable.

3.2 Universal Composability Framework

We work in the Universal Composition (UC) framework [Can01] to formalize and analyze the security of our protocols. (Our protocols can also be analyzed in the stand-alone setting, using the composability framework of [Can00a], or in other UC-like frameworks, like that of [PW00].) We refer the reader to [Can00b] for details.

3.3 Oblivious Transfer

In this paper, we consider a 1-out-of-2 oblivious transfer protocol (OT), similar to [CCM98, NP01, AIR01, DHRS04, HK12] where one party, the sender, has input composed of two strings $(s_0, s_1)$ and the input of the second party, the receiver, is a bit $\beta $. The receiver should learn $s_{\beta }$ and nothing regarding $s_{1-\beta }$ while the sender should gain no information about $\beta $.

Security of the oblivious transfer (OT) functionality can be described easily by an ideal functionality $\mathcal {F}_\mathsf {OT}$ as is done in [CLOS02]. However, in our constructions the receiver needs to reveal the randomness (or a part of the randomness) it uses in an instance of two-round OT to other parties. Therefore, defining security as an ideal functionality raises issues require care and issues similar to one involved in defining ideal public-key encryption functionality [Can05, p. 96] arrise. Thus, in our context, it is much easier to directly work with a two-round OT protocol. We define the syntax and the security guarantees of a two-round OT protocol below.

Semi-honest Two-Round Oblivious Transfer. A two-round semi-honest OT protocol $\langle S,R\rangle $ is defined by three probabilistic algorithms $(\mathsf {OT}_1,\mathsf {OT}_2,\mathsf {OT}_3)$ as follows. The receiver runs the algorithm $\mathsf {OT}_1$ which takes the security parameter $1^\lambda $, and the receiver’s input $\beta \in \{0,1\}$ as input and outputs $\mathsf {ots}_1$ and $\omega $.^{Footnote 2} The receiver then sends $\mathsf {ots}_1$ to the sender, who obtains $\mathsf {ots}_2$ by evaluating $\mathsf {OT}_2(\mathsf {ots}_1, (s_0, s_1))$, where $s_0, s_1 \in \{0,1\}^{\lambda }$ are the sender’s input messages. The sender then sends $\mathsf {ots}_2$ to the receiver who obtains $s_\beta $ by evaluating $\mathsf {OT}_3(\mathsf {ots}_2, (\beta , \omega ))$.

Correctness. For every choice bit $\beta \in \{0,1\}$ of the receiver and input messages $s_0$ and $s_1$ of the sender we require that, if $(\mathsf {ots}_1, \omega ) \leftarrow \mathsf {OT}_1(1^\lambda ,\beta )$, $\mathsf {ots}_2 \leftarrow \mathsf {OT}_2(\mathsf {ots}_1, (s_0, s_1))$, then $\mathsf {OT}_3(\mathsf {ots}_2,(\beta ,\omega )) = s_\beta $ with overwhelming probability.
Receiver’s security. We require that
$$\left\{ \mathsf {ots}_{1}: (\mathsf {ots}_{1}, \omega ) \leftarrow \mathsf {OT}_1(1^\lambda ,0)\right\} {\mathop {\approx }\limits ^{c}} \left\{ \mathsf {ots}_{1}: (\mathsf {ots}_{1}, \omega ) \leftarrow \mathsf {OT}_1(1^\lambda ,1)\right\} .$$
Sender’s security. We require that for any choice of $\beta \in \{0,1\}$, overwhelming choices of $\omega '$ and any strings $K_0,K_1,L_0,L_1 \in \{0,1\}^\lambda $ with $K_{\beta }=L_{\beta }$, we have that
$$\left\{ \beta , \omega ', \mathsf {OT}_2(1^\lambda ,\mathsf {ots}_1,K_0,K_1)\right\} {\mathop {\approx }\limits ^{c}} \left\{ \beta , \omega ', \mathsf {OT}_2(1^\lambda ,\mathsf {ots}_1,L_0,L_1)\right\} $$
where $(\mathsf {ots}_1,\omega ):=\mathsf {OT}_1(1^\lambda , \beta ;\omega ').$

Constructions of semi-honest two-round OT are known in the plain model under assumptions such as DDH [AIR01, NP01] and quadratic residuosity [HK12].

Maliciously Secure Two-Round Oblivious Transfer. We consider the stronger notion of oblivious transfer in the common random/reference string model. In terms of syntax, we supplement the syntax of semi-honest oblivious transfer with an algorithm $K_\mathsf {OT}$ that takes the security parameter $1^\lambda $ as input and outputs the common random/reference string $\sigma $. Also, the three algorithms $\mathsf {OT}_1,\mathsf {OT}_2$ and $\mathsf {OT}_3$ additionally take $\sigma $ as input. Correctness and receiver’s security properties in the malicious case are the same as the semi-honest case. However, we strengthen the sender’s security as described below.

Correctness. For every choice bit $\beta \in \{0,1\}$ of the receiver and input messages $s_0$ and $s_1$ of the sender we require that, if $\sigma \leftarrow K_\mathsf {OT}(1^\lambda )$, $(\mathsf {ots}_1, \omega ) \leftarrow \mathsf {OT}_1(\sigma ,\beta )$, $\mathsf {ots}_2 \leftarrow \mathsf {OT}_2(\sigma ,\mathsf {ots}_1, (s_0, s_1))$, then $\mathsf {OT}_3(\sigma ,\mathsf {ots}_2,(\beta ,\omega )) = s_\beta $ with overwhelming probability.
Receiver’s security. We require that
$$\begin{aligned}&\left\{ (\sigma ,\mathsf {ots}_{1}): \sigma \leftarrow K_\mathsf {OT}(1^\lambda ), (\mathsf {ots}_{1}, \omega ) \leftarrow OT_1(\sigma ,0)\right\} \\&\quad {\mathop {\approx }\limits ^{c}} \left\{ (\sigma ,\mathsf {ots}_{1}): \sigma \leftarrow K_\mathsf {OT}(1^\lambda ), (\mathsf {ots}_{1}, \omega ) \leftarrow OT_1(\sigma ,1)\right\} \end{aligned}$$
Sender’s security. We require the existence of PPT algorithm $\mathsf {Ext}= (\mathsf {Ext}_1, \mathsf {Ext}_2)$ such that for any choice of $K_0, K_1 \in \{0,1\}^\lambda $ and PPT adversary $\mathcal {A}$ we have that
$$\left| \Pr [\text {IND}_\mathcal {A}^{\text {REAL}}(1^\lambda , K_0, K_1) = 1] -\Pr [\text {IND}_\mathcal {A}^{\text {IDEAL}}(1^\lambda , K_0, K_1) = 1] \right| \le \frac{1}{2} + \mathsf {negl}(\lambda ).$$

Constructions of maliciously secure two-round OT are known in the common random string model under assumptions such as DDH, quadratic residuosity, and LWE [PVW08].

Equivocal Receiver’s Security. We also consider a strengthened notion of malicious receiver’s security where we require the existence of a PPT simulator $\mathsf {Sim}_{Eq}$ such that the for any $\beta \in \{0,1\}$:

$$\left\{ (\sigma , (\mathsf {ots}_1, \omega _\beta )): (\sigma , \mathsf {ots}_1, \omega _0, \omega _1)\leftarrow \mathsf {Sim}_{Eq}(1^\lambda )\right\} {\mathop {\approx }\limits ^{c}} \left\{ (\sigma , \mathsf {OT}_1(\sigma , \beta )): \sigma \leftarrow K_\mathsf {OT}(1^\lambda )\right\} .$$

Using standard techniques in the literature (e.g., [CLOS02]) it is possible to add equivocal receiver’s security to any OT protocol. We refer the reader to the full-version of our paper [GS18] for details.

4 Conforming Protocols

Our protocol compilers work for protocols satisfying certain syntactic structure. We refer to protocols satisfying this syntax as conforming protocols. In this subsection, we describe this notion and prove that any MPC protocol can be transformed into a conforming protocol while preserving its correctness and security properties.

4.1 Specifications for a Conforming Protocol

Consider an n party deterministic^{Footnote 3} MPC protocol $\varPhi $ between parties $P_1, \ldots , P_n$ with inputs $x_1, \ldots , x_n$, respectively. For each $i \in [n]$, we let $x_i \in \{0,1\}^m$ denote the input of party $P_i$. A conforming protocol $\varPhi $ is defined by functions $\mathsf {pre}$, $\mathsf {post}$, and computations steps or what we call actions $\phi _1,\cdots \phi _T$. The protocol $\varPhi $ proceeds in three stages: the pre-processing stage, the computation stage and the output stage.

Pre-processing phase: For each $i \in [n]$, party $P_i$ computes
$$(z_i,v_i) \leftarrow \mathsf {pre}(1^{\lambda },i,x_i)$$
where $\mathsf {pre}$ is a randomized algorithm. The algorithm $\mathsf {pre}$ takes as input the index i of the party, its input $x_i$ and outputs $z_i \in \{0,1\}^{\ell /n}$ and $v_i \in \{0,1\}^\ell $ (where $\ell $ is a parameter of the protocol). Finally, $P_i$ retains $v_i$ as the secret information and broadcasts $z_i$ to every other party. We require that $v_{i,k} = 0$ for all $k \in [\ell ]\backslash \left\{ (i-1)\ell /n +1,\ldots , i\ell /n\right\} $.
Computation phase: For each $i \in [n]$, party $P_i$ sets
$$\mathsf {st}_i := (z_1 \Vert \cdots \Vert z_n) \oplus v_i.$$
Next, for each $t \in \{1\cdots T\}$ parties proceed as follows:
1. 1.
  Parse action $ \phi _t$ as (i, f, g, h) where $i \in [n]$ and $f,g,h \in [\ell ]$.
2. 2.
  Party $P_{i}$ computes one $\mathsf {NAND}$ gate as
  $$\mathsf {st}_{i,h} = \mathsf {NAND}(\mathsf {st}_{i,f} , \mathsf {st}_{i,g})$$
  and broadcasts $\mathsf {st}_{i,h} \oplus v_{i,h}$ to every other party.
3. 3.
  Every party $P_j$ for $j \ne i$ updates $\mathsf {st}_{j,h}$ to the bit value received from $P_i$.
We require that for all $t, t' \in [T]$ such that $t \ne t'$, we have that if $\phi _t = (\cdot ,\cdot ,\cdot ,h)$ and $\phi _{t'} = (\cdot ,\cdot ,\cdot ,h')$ then $h \ne h'$. Also, we denote $A_i \subset [T]$ to be the set of rounds in with party $P_i$ sends a bit. Namely, $A_i = \left\{ t \in T\mid \phi _t = (i, \cdot , \cdot , \cdot )\right\} .$
Output phase: For each $i \in [n]$, party $P_i$ outputs $\mathsf {post}(\mathsf {st}_i)$.

4.2 Transformation for Making a Protocol Conforming

We show that any MPC protocol can made conforming by making only some syntactic changes. Our transformed protocols retains the correctness or security properties of the original protocol.

Lemma 1

Any MPC protocol $\varPi $ can be written as a conforming protocol $\varPhi $ while inheriting the correctness and the security of the original protocol.

Proof

Let $\varPi $ be any given MPC protocol. Without loss of generality we assume that in each round of $\varPi $, one party broadcasts one bit that is obtained by computing a circuit on its initial state and the messages it has received so far from other parties. Note that this restriction can be easily enforced by increasing the round complexity of the protocol to the communication complexity of the protocol. Let the round complexity (and also communication complexity) of $\varPi $ be p. In every round $r \in [p]$ of $\varPi $, a single bit is sent by one of the parties by computing a circuit. Let the circuit computed in round r be $C_r$. Without loss of generality we assume that (i) these exists q such that for each $r \in [p]$, we have that $q = |C_r|$, (ii) each $C_r$ is composed of just NAND gates with fan-in two, and (iii) each party sends an equal number of bits in the execution of $\varPi $. All three of these conditions can be met by adding dummy gates and dummy round of interaction.

We are now ready to describe our transformed conforming protocol $\varPhi $. The protocol $\varPhi $ will have $T = pq$ rounds. We let $\ell = mn + pq$ and $\ell ' = pq/n$ and depending on $\ell $ the compiled protocol $\varPhi $ is as follows.

$\mathsf {pre}(i,x_i)$: Sample $r_i \leftarrow \{0,1\}^{m}$ and $s_i \leftarrow (\{0,1\}^{q-1}\Vert 0)^{p/n}$. (Observe that $s_i$ is a pq / n bit random string such that its $q^{th}, 2q^{th}\cdots $ locations are set to 0.) Output $z_i := x_i \oplus r_i \Vert 0^{\ell '}$ and $v_i := 0^{\ell /n} \Vert \ldots \Vert r_{i}\Vert s_i \Vert \ldots \Vert 0^{\ell /n}$.
We are now ready to describe the actions $\phi _1,\cdots \phi _T$. For each $r \in [p]$, round r in $\varPi $ party is expanded into q actions in $\varPhi $ — namely, actions $\{\phi _j\}_j$ where $j \in \{(r-1) q + 1 \cdots r q\}$. Let $P_{i}$ be the party that computes the circuit $C_r$ and broadcast the output bit broadcast in round r of $\varPi $. We now describe the $\phi _{j}$ for $j \in \{(r-1) q + 1 \cdots r q\}$. For each j, we set $\phi _j = (i, f,g,h)$ where f and g are the locations in $\mathsf {st}_{i}$ that the $j^{th}$ gate of $C_r$ is computed on (recall that initially $\mathsf {st}_i$ is set to $z_i \oplus v_i$). Moreover, we set h to be the first location in $\mathsf {st}_i$ among the locations $(i-1)\ell /n + m+ 1$ to $i\ell /n$ that has previously not been assigned to an action. (Note that this is $\ell '$ locations which is exactly equal to the number of bits computed and broadcast by $P_i$.)

Recall from before than on the execution of $\phi _j$, party $P_{i}$ sets $\mathsf {st}_{i,h} := \mathsf {NAND}(\mathsf {st}_{i,{f}},\mathsf {st}_{i,{g}})$ and broadcasts $\mathsf {st}_{i,h}\oplus v_{i,h}$ to all parties.
$\mathsf {post}(i,\mathsf {st}_i)$: Gather the local state of $P_i$ and the messages sent by the other parties in $\varPi $ from $\mathsf {st}_i$ and output the output of $\varPi $.

Now we need to argue that $\varPhi $ preserves the correctness and security properties of $\varPi $. Observe that $\varPhi $ is essentially the same as the protocol $\varPi $ except that in $\varPhi $ some additional bits are sent. Specifically, in addition to the messages that were sent in $\varPi $, in $\varPhi $ parties send $z_i$ in the preprocessing step and $q-1$ additional bits per every bit sent in $\varPi $. Note that these additional bits sent are not used in the computation of $\varPhi $. Thus these bits do not affect the functionality of $\varPi $ if dropped. This ensures that $\varPhi $ inherits the correctness properties of $\varPi $. Next note that each of these bits is masked by a uniform independent bit. This ensures that $\varPhi $ achieves the same security properties as the underlying properties of $\varPi $.

Finally, note that by construction for all $t, t' \in [T]$ such that $t \ne t'$, we have that if $\phi _t = (\cdot ,\cdot ,\cdot ,h)$ and $\phi _{t'} = (\cdot ,\cdot ,\cdot ,h')$ then $h \ne h'$ as required.

5 Two-Round MPC: Semi-honest Case

In this section, we give our construction of two-round multiparty computation protocol in the semi-honest case with security against static corruptions based on any two-round semi-honest oblivious transfer protocol in the plain model. This is achieved by designing a compiler that takes any conforming arbitrary (polynomial) round MPC protocol $\varPhi $ and squishes it to two rounds.

5.1 Our Compiler

We give our construction of two-round MPC in Fig. 1 and the circuit that needs to be garbled (repeatedly) is shown in Fig. 2. We start by providing intuition behind this construction.

Overview. In the first round of our compiled protocol, each party runs the preprocessing phase of the protocol $\varPhi $ and obtains $z_i$ and $v_i$ and broadcasts $z_i$ to every other party. In the second round, each party sends a set of garbled circuits that “non-interactively” implement the entire computation phase of the protocol $\varPhi $. In other words, any party with the set of garbled circuits sent by every other party, can use them to compute the entire transcript of the computation phase of the protocol $\varPhi $. This allows each party to obtain the output of the protocol $\varPhi $. In the following paragraphs, we give more details on how this is achieved.

To understand the main idea, let us concentrate on a particular round (let us say the $t^{th}$ round) of the computation phase of the conforming protocol $\varPhi $ and see how this step is implemented using garbled circuits. Recall that before starting the computation phase, each party locally computes $\mathsf {st}_i := (z_1 \Vert \ldots \Vert z_n) \oplus v_i$ using the first round messages sent by the other parties. This local state is updated (recall that only one bit location is updated) at the end of each round based on the bit that is sent in that round. We start with some notations.

Notations. Let us say that the party $P_{i^*}$ is the designated party in round t. Let $\mathsf {st}^t_i$ be the updated local state of party $P_i$ at the beginning of the $t^{th}$ round of the computation phase. In the $t^{th}$ round, the designated party $P_{i^*}$ computes $\gamma := \mathsf {NAND}(\mathsf {st}^t_{i^*,f},\mathsf {st}^t_{i^*,g})$, writes this bit to position h of $\mathsf {st}^t_{i^*}$ and broadcasts $\gamma \oplus v_{i^*,h}$ to every other party. Every other party $P_i$ (where $i \ne i^*$) updates its local state by writing the received bit at position h in its state $\mathsf {st}^t_i$.

Implementing the Computation Phase. The $t^{th}$ round of the computation phase is implemented by the $t^{th}$ garbled circuit in each of these sequences. In a bit more details, the garbled circuit of party $P_i$ takes as input $\mathsf {st}^t_i$ which is the state of the party $P_i$ at the beginning of the t-th round and outputs or, aids the process of outputting the labels corresponding to the updated local state at the end of the $t^{th}$ round. These labels are then used to evaluate the garbled circuit corresponding to the $(t+1)^{th}$ round of the computation phase and this process continues. Finally, at the end each party can just compute output function on the final local state to obtain its output. Next, we describe how the $t^{th}$ garbled circuits in each of the n sequences can be used to complete the $t^{th}$ action of the computation phase.

The $t^{th}$ garbled circuit of party $P_{i^*}$ is executed first and is the most natural one as in this round party $P_{i^*}$ is the one that sends a bit to the other parties. Starting with the easy part, this garbled circuit takes as input $\mathsf {st}^t_{i^*}$, updates the local state by writing the bit $\gamma $ in the position h of $\mathsf {st}^t_{i^*}$ and outputs the labels corresponding to its updated state. However, the main challenge is that this garbled circuit needs to communicate the bit $\gamma \oplus v_{i^*,h}$ to other garbled circuits of the other parties. Specifically, those garbled circuits also need to output the correct labels corresponding to the their updated local state. Note that only the $h^{th}$ bit of each of their local state needs to be updated. This was achieved in [GS17] by using specific properties of Groth, Ostrovsky and Sahai proofs and in this work, we only rely on oblivious transfer. This is our key new idea and we provide the details next.

Relying on Oblivious Transfer. In addition to broadcasting the encoded input $z_i$ in the first round, the party $P_i$ sends a set of 4 OT messages (acting as the receiver) for every round in the computation phase where $P_i$ is the designated party. Thus, if the number of rounds in the computation phase where $P_i$ is the designated party is $a_i$, then the party $P_i$ sends $4a_i$ receiver OT messages. Specifically, in our running example from above $P_{i^*}$ will generate 4 first OT messages to help in $t^{th}$ round of $\varPhi $. In particular, for each value of $\alpha ,\beta \in \{0,1\}$, $P_{i^*}$ generates the first OT message with $v_{i^*,h} \oplus \mathsf {NAND}(v_{i^*,f}\oplus \alpha ,v_{i^*,g} \oplus \beta )$ as its choice bit. Every other party $P_i$ for $i \ne i^*$ acts as the sender and prepares four OT responses corresponding to each of the four OT messages using labels corresponding to the h-th input wire (say $(\mathsf{label}^{i,t+1}_{h,0},\mathsf{label}^{i,t+1}_{h,1})$) of its next (i.e., $(t+1)^{th}$) garbled circuit. However, these values aren’t sent to anyone yet! Because sending them all to $P_{i^*} $ would lead to complete loss of security. Specifically, for every choice of $v_{i^*,f},v_{i^*,g},v_{i^*,h}$ there exists different choices of $\alpha ,\beta $ such that $v_{i^*,h} \oplus \mathsf {NAND}(v_{i^*,f}\oplus \alpha ,v_{i^*,g} \oplus \beta )$ is 0 and 1, respectively. Thus, if all these OT responses were reveled to $P_{i^*}$ then $P_{i^*}$ would learn both the input labels $\mathsf{label}^{i,t+1}_{h,0},\mathsf{label}^{i,t+1}_{h,1}$ potentially breaking the security of garbled circuits. Our key idea here is that party $P_i$ hardcodes these OT responses in its $t^{th}$ garbled circuit and only one of them is revealed to $P_{i^*}$. We now elaborate this.

The t-th garbled circuit of party $P_i$ (where $i \ne i^*$) outputs the set of labels corresponding to the state bits $\{\mathsf {st}^t_{i,k}\}_{k \in [\ell ]\setminus \{h\}}$ (as these bits do not change at the end of the t-th round) and additionally outputs the sender OT response for $\alpha = \mathsf {st}^t_{i,f}$ and $\beta = \mathsf {st}^t_{i,g}$ with the messages being set to the labels corresponding to h-th bit of $\mathsf {st}^t_i$. It follows from the invariant of the protocol, that the choice bit in this $\mathsf {OT}_1$ message is indeed $\gamma \oplus v_{i^*,h}$ which is exactly the bit $P_{i^*}$ wants to communicate to the other parties. However, this leaves us with another problem. The OT responses only allow $P_{i^*}$ to learn the labels of the next garbled circuits and it is unclear how a party $j \ne i^*$ obtains the labels of the garbled circuits generated by $P_i$.

Enabling all Parties to Compute. The party $P_{i^*}$’s $t^{th}$ garbled circuit, in addition to outputting the labels corresponding to the updated state of $P_{i^*}$, outputs the randomness it used to prepare the first OT message for which all $P_i$ for $i \ne i^*$ output OT responses; namely, $\alpha = \mathsf {st}^t_{i^*,f} \oplus v_{i^*,f}, \beta = \mathsf {st}^t_{i^*,g} \oplus v_{i^*,g}$. It again follows from the invariant of the protocol $\varPhi $ that this allows every party $P_j$ with $j \ne i^*$ to evaluate the recover $\mathsf{label}^{i,t+1}_{h,\gamma \oplus v_{i^*,h}}$ which is indeed the label corresponding to the correct updated state. Thus, using the randomness output by the garbled circuit of $P_{i^*}$ all other parties can recover the label $\mathsf{label}^{i,t+1}_{h,\gamma \oplus v_{i^*,h}}$.

We stress that this process of revealing the randomness of the OT leads to complete loss of security for the particular instance OT. Nevertheless, since the randomness of only one of the four OT messages of $P_{i^*}$ is reveled, overall security is ensured. In particular, our construction ensures that the learned choice bit is $\gamma \oplus v_{i^*,h}$ which is in fact the message that is broadcasted in the underlying protocol $\varPhi $. Thus, it follows from the security of the protocol $\varPhi $ that learning this message does not cause any vulnerabilities.

Theorem 2

Let $\varPhi $ be a polynomial round, n-party semi-honest MPC protocol computing a function $f: (\{0,1\}^m)^n \rightarrow \{0,1\}^*$, $(\mathsf {Garble},\mathsf {Eval})$ be a garbling scheme for circuits, and $(\mathsf {OT}_1, \mathsf {OT}_2, \mathsf {OT}_3)$ be a semi-honest two-round OT protocol. The protocol described in Fig. 1 is a two-round, n-party semi-honest MPC protocol computing f against static corruptions.

This theorem is proved in the rest of this section.

5.2 Correctness

In order to prove correctness, it is sufficient to show that the label computed in Step 2(d)(ii) of the evaluation procedure corresponds to the bit $\mathsf {NAND}(\mathsf {st}_{i^*,f},\mathsf {st}_{i^*,g}) \oplus v_{i^*,h}$. Notice that by the assumption on the structure of $v_{i^*}$ (recall that $v_{i^*}$ is such that $v_{i^*,k} = 0$ for all $k \in [\ell ]\backslash \left\{ (i^*-1)\ell /n +1,\ldots , i^*\ell /n\right\} $) we deduce that for every $i \ne i^*$, $\mathsf {st}_{i,f} = \mathsf {st}_{i^*,f} \oplus v_{i^*,f}$ and $\mathsf {st}_{i,g} = \mathsf {st}_{i^*,g} \oplus v_{i^*,g}$. Thus, the label obtained by ${\mathsf {OT}_2}$ corresponds to the bit $\mathsf {NAND}(v_{i^*,f}\oplus \underbrace{\mathsf {st}_{i^*,f} \oplus v_{i^*,f}}_\alpha ,v_{i^*,g} \oplus \underbrace{\mathsf {st}_{i^*,g}\oplus v_{i^*,g}}_\beta ) \oplus v_{i^*,h} = \mathsf {NAND}(\mathsf {st}_{i^*,f},\mathsf {st}_{i^*,g}) \oplus v_{i^*,h}$ and correctness follows.

Via the same argument as above it is useful to keep in mind that for every $i,j \in [n]$ and $k \in [\ell ]$, we have that $\mathsf {st}_{i,k} \oplus v_{i,k} = \mathsf {st}_{j,k} \oplus v_{j,k}$. Let us denote this shared value by $\mathsf {st}^*$. Also, we denote the transcript of the interaction in the computation phase by $\mathsf {Z}\in \{0,1\}^t$.

5.3 Simulator

Let $\mathcal {A}$ be a semi-honest adversary corrupting a subset of parties and let $H \subseteq [n]$ be the set of honest/uncorrupted parties. Since we assume that the adversary is static, this set is fixed before the execution of the protocol. Below we provide the simulator.

Description of the Simulator. We give the description of the ideal world adversary $\mathcal {S}$ that simulates the view of the real world adversary $\mathcal {A}$. $\mathcal {S}$ will internally use the semi-honest simulator $\mathsf {Sim}_{\varPhi }$ for $\varPhi $ and the simulator $\mathsf {Sim}_\mathsf {G}$ for garbling scheme for circuits. Recall that $\mathcal {A}$ is static and hence the set of honest parties H is known before the execution of the protocol.

Simulating the interaction with $\mathcal {Z}$. For every input value for the set of corrupted parties that $\mathcal {S}$ receives from $\mathcal {Z}$, $\mathcal {S}$ writes that value to $\mathcal {A}$’s input tape. Similarly, the output of $\mathcal {A}$ is written as the output on $\mathcal {S}$’s output tape.

Simulating the interaction with $\mathcal {A}$: For every concurrent interaction with the session identifier $\mathsf {sid}$ that $\mathcal {A}$ may start, the simulator does the following:

Initialization: $\mathcal {S}$ uses the inputs of the corrupted parties $\{x_i\}_{i \not \in H}$ and output y of the functionality f to generate a simulated view of the adversary.^{Footnote 4} More formally, for each $i \in [n]\setminus H$ $\mathcal {S}$ sends $(\mathsf {input}, \mathsf {sid}, \{P_1\cdots P_n\}, P_i, x_i)$ to the ideal functionality implementing f and obtains the output y. Next, it executes $\mathsf {Sim}_{\varPhi }(1^{\lambda },\{x_i\}_{i \not \in H}, y)$ to obtain $\{z_i\}_{i \in H},$ the random tapes for the corrupted parties, the transcript of the computation phase denoted by $\mathsf {Z} \in \{0,1\}^t$ where $\mathsf {Z}_t$ is the bit sent in the $t^{th}$ round of the computation phase of $\varPhi $, and the value $\mathsf {st}^*$ (which for each $i \in [n]$ and $k \in [\ell ]$ is equal to $\mathsf {st}_{i,k} \oplus v_{i,k}$). $\mathcal {S}$ starts the real-world adversary $\mathcal {A}$ with the inputs $\{z_i\}_{i \in H}$ and random tape generated by $\mathsf {Sim}_\varPhi $.
Round-1 messages from $\mathcal {S}$ to $\mathcal {A}$: Next $\mathcal {S}$ generates the OT messages on behalf of honest parties as follows. For each $i \in H, t \in A_i, \alpha , \beta \in \{0,1\}$, generate $\mathsf {ots}_{1,t,\alpha ,\beta } \leftarrow \mathsf {OT}_1(1^\lambda ,\mathsf {Z}_t;\omega _{t,\alpha ,\beta })$. For each $i \in H$, $\mathcal {S}$ sends $(z_i, \{\mathsf {ots}_{1,t, \alpha ,\beta }\}_{t \in A_i, \alpha , \beta \in \{0,1\}})$ to the adversary $\mathcal {A}$ on behalf of the honest party $P_i$.
Round-1 messages from $\mathcal {A}$ to $\mathcal {S}$: Corresponding to every $i \in [n]\setminus H$, $\mathcal {S}$ receives from the adversary $\mathcal {A}$ the value $(z_i, \{\mathsf {ots}_{1,t,\alpha ,\beta }\}_{t \in A_i, \alpha , \beta \in \{0,1\}})$ on behalf of the corrupted party $P_i$.
Round-2 messages from $\mathcal {S}$ to $\mathcal {A}$: For each $i \in H$, the simulator $\mathcal {S}$ generates the second round message on behalf of party $P_i$ as follows:
1. 1.
  For each $k \in [\ell ]$ set ${\mathsf {lab}}_{k}^{i,T+1} := 0^\lambda $.
2. 2.
  $\mathbf{for}$ each t from T down to 1,
  1. (a)
    Parse $\phi _t$ as $(i^*,f,g,h)$.
  2. (b)
    Set $\alpha ^*:= \mathsf {st}^*_{f}$, $\beta ^*:= \mathsf {st}^*_{g}$, and $\gamma ^*:= \mathsf {st}^*_{h}$.
  3. (c)
    If $i = i^*$ then compute
    $$\big (\widetilde{\mathsf {P}}^{i,t}, \{{{\mathsf {lab}}}^{i,t}_{k}\}_{k\in [\ell ]} \big ) \leftarrow { \mathsf {Sim}_{\mathsf {G}}\left( 1^{\lambda },\left( (\alpha ^*,\beta ^*,\gamma ^*),\omega _{t,\alpha ^*,\beta ^*}, \{{\mathsf {lab}}_{k}^{i,t+1}\}_{k \in [\ell ]}\right) \right) }.$$
  4. (d)
    If $i \ne i^*$ then set $\mathsf {ots}^i_{2,t,\alpha ^*,\beta ^*} \leftarrow \mathsf {OT}_2(\mathsf {ots}_{1,t,\alpha ^*,\beta ^*},{\mathsf {lab}}^{i,t+1}_{h},{\mathsf {lab}}^{i,t+1}_{h})$ and compute
    $$\big (\widetilde{\mathsf {P}}^{i,t},\{{{\mathsf {lab}}}^{i,t}_{k}\}_{k\in [\ell ]} \big ) \leftarrow { \mathsf {Sim}_{\mathsf {G}}\left( 1^{\lambda },\left( \mathsf {ots}^i_{2,t,\alpha ^*,\beta ^*},\{{{\mathsf {lab}}}^{i,t+1}_{k}\}_{k \in [\ell ] \setminus \{h\}}\right) \right) }.$$
3. 3.
  Send $\big (\{\widetilde{\mathsf {P}}^{i,t}\}_{t \in [T]}$,$\{{\mathsf {lab}}^{i,1}_{k}\}_{k \in [\ell ]} \big )$ to every other party.
Round-2 messages from $\mathcal {A}$ to $\mathcal {S}$: For every $i \in [n]\setminus H$, $\mathcal {S}$ obtains the second round message from $\mathcal {A}$ on behalf of the malicious parties. Subsequent to obtaining these messages, for each $i \in H,$ $\mathcal {S}$ sends $(\mathsf {generateOutput},\mathsf {sid},\{P_1\cdots P_n\}, P_i)$ to the ideal functionality.

5.4 Proof of Indistinguishability

We now show that no environment $\mathcal {Z}$ can distinguish whether it is interacting with a real world adversary $\mathcal {A}$ or an ideal world adversary $\mathcal {S}$. We prove this via an hybrid argument with $T+1$ hybrids.

$\mathcal {H}_{Real}$: This hybrid is the same as the real world execution. Note that this hybrid is the same as hybrid $\mathcal {H}_t$ below with $t=0$.
$\mathcal {H}_t$ (where $t \in \{0,\ldots T\}$): Hybrid $\mathcal {H}_t$ (for $t \in \{1\cdots T\}$) is the same as hybrid $\mathcal {H}_{t-1}$ except we change the distribution of the OT messages (both from the first and the second round of the protocol) and the garbled circuits (from the second round) that play a role in the execution of the $t^{th}$ round of the protocol $\varPhi $; namely, the action $\phi _t = (i^*,f,g,h)$. We describe the changes more formally below.

We start by executing the protocol $\varPhi $ on the inputs and the random coins of the honest and the corrupted parties. This yields a transcript $\mathsf {Z} \in \{0,1\}^T$ of the computation phase. Since the adversary is assumed to be semi-honest the execution of the protocol $\varPhi $ with $\mathcal {A}$ will be consistent with $\mathsf {Z}$. Let $\mathsf {st}^*$ be the local state of the end of execution of $\mathsf {Faithful}$. Finally, let $\alpha ^* := \mathsf {st}^*_{f}$, $\beta ^* := \mathsf {st}^*_{g}$ and $\gamma ^* := \mathsf {st}^*_{h}$. In hybrid $\mathcal {H}_t$ we make the following changes with respect to hybrid $\mathcal {H}_{t-1}$:
- If $i^* \not \in H$ then skip these changes. $\mathcal {S}$ makes two changes in how it generates messages on behalf of $P_{i^*}$. First, for all $\alpha ,\beta \in \{0,1\}$, $\mathcal {S}$ generates $\mathsf {ots}_{1,t,\alpha ,\beta }$ as $\mathsf {OT}_1(1^\lambda , \mathsf {Z}_t; \omega _{t,\alpha ,\beta })$ (note that only one of these four values is subsequently used) rather than $\mathsf {OT}_1(1^\lambda , v_{i,h} \oplus \mathsf {NAND}(v_{i,f} \oplus \alpha , v_{i,g} \oplus \beta );\omega _{t,\alpha ,\beta })$. Second, it generates the garbled circuit
  $$\big (\widetilde{\mathsf {P}}^{i^*,t}, \{{{\mathsf {lab}}}^{i^*,t}_{k}\}_{k\in [\ell ]} \big ) \leftarrow { \mathsf {Sim}_{\mathsf {G}}\left( 1^{\lambda },\left( (\alpha ^*,\beta ^*,\gamma ^*), \omega _{t,\alpha ^*,\beta ^*}, \{{\mathsf {lab}}_{k,\mathsf {st}_{i,k}}^{i^*,t+1}\}_{k \in [\ell ]}\right) \right) },$$
  where $\{{\mathsf {lab}}_{k, \mathsf {st}_{i,k}}^{i^*,t+1}\}_{k \in [\ell ]}$ are the honestly generates input labels for the garbled circuit $\widetilde{\mathsf {P}}^{i^*,t+1}$.
- $\mathcal {S}$ makes the following two changes in how it generates messages for other honest parties $P_i$ (i.e., $i \in H\setminus \{i^*\}$). $\mathcal {S}$ does not generate four $\mathsf {ots}_{2,t,\alpha ,\beta }^i$ values but just one of them; namely, $\mathcal {S}$ generates $\mathsf {ots}_{2,t,\alpha ^*,\beta ^*}^i$ as $\mathsf {OT}_2(\mathsf {ots}_{1,t,\alpha ^*,\beta ^*},{\mathsf {lab}}^{i,t+1}_{h,\mathsf {Z}_t}, {\mathsf {lab}}^{i,t+1}_{h,\mathsf {Z}_t})$ rather than $\mathsf {OT}_2(\mathsf {ots}_{1,t,\alpha ^*,\beta ^*},{\mathsf {lab}}^{i,t+1}_{h,0}, {\mathsf {lab}}^{i,t+1}_{h,1})$. Second it generates the garbled circuit
  $$\big (\widetilde{\mathsf {P}}^{i,t},\{{{\mathsf {lab}}}^{i,t}_{k}\}_{k\in [\ell ]} \big ) \leftarrow { \mathsf {Sim}_{\mathsf {G}}\left( 1^{\lambda },\left( \mathsf {ots}_{2,t,\alpha ^*,\beta ^*}^i, \{{{\mathsf {lab}}}^{i,t+1}_{k,\mathsf {st}_{i,k}}\}_{k \in [\ell ] \setminus \{h\}}\right) \right) },$$
  where $\{{\mathsf {lab}}_{k,\mathsf {st}_{i,k}}^{i,t+1}\}_{k \in [\ell ]}$ are the honestly generated input labels for the garbled circuit $\widetilde{\mathsf {P}}^{i,t+1}$.
Indistinguishability between $\mathcal {H}_{t-1}$ and $\mathcal {H}_{t}$ is proved in Lemma 2.
$\mathcal {H}_{T+1}$: In this hybrid we just change how the transcript $\mathsf {Z}$, $\{z_{i}\}_{i\in H}$, random coins of malicious parties and value $\mathsf {st}^*$ are generated. Instead of generating these using honest party inputs we generate these values by executing the simulator $\mathsf {Sim}_\varPhi $ on input $\left\{ x_i \right\} _{i \in [n]\setminus H}$ and the output y obtained from the ideal functionality.

The indistinguishability between hybrids $\mathcal {H}_T$ and $\mathcal {H}_{T+1}$ follows directly from the semi-honest security of the protocol $\varPhi $. Finally note that $\mathcal {H}_{T+1}$ is same as the ideal execution (i.e., the simulator described in the previous subsection).

Lemma 2

Assuming semi-honest security of the two-round OT protocol and the security of the garbling scheme, for all $t \in \{1\ldots T\}$ hybrids $\mathcal {H}_{t-1}$ and $\mathcal {H}_{t}$ are computationally indistinguishable.

Proof

Using the same notation as before, let $\phi _t = (i^*,f,g,h)$, $\mathsf {st}_{i^*}$ be the state of $P_{i^*}$ at the end of round t, and $\alpha ^* := \mathsf {st}_{i^*,f}\oplus v_{i^*,f}$, $\beta ^* := \mathsf {st}_{i^*,g}\oplus v_{i^*,g}$ and $\gamma ^* := \mathsf {st}_{i^*,h} \oplus v_{i^*,h}$. The indistinguishability between hybrids $\mathcal {H}_{t-1}$ and $\mathcal {H}_{t}$ follows by a sequence of three sub-hybrids $\mathcal {H}_{t,1}$, $\mathcal {H}_{t,2}$, and $\mathcal {H}_{t,3}$.

$\mathcal {H}_{t,1}$: Hybrid $\mathcal {H}_{t,1}$ is same as hybrid $\mathcal {H}_{t-1}$ except that $\mathcal {S}$ now generates the garbled circuits $\widetilde{\mathsf {P}}^{i,t}$ for each $i \in H$ in a simulated manner (rather than generating them honestly). Specifically, instead of generating each garbled circuit and input labels $\big (\widetilde{\mathsf {P}}^{i,t},\{{{\mathsf {lab}}}^{i,t}_{k}\}_{k\in [\ell ]} \big )$ honestly, they are generated via the simulator by hard coding the output of the circuit itself. In a bit more details, parse $\phi _t$ as $(i^*,f,g,h)$.
- If $i = i^*$ then
  $$\big (\widetilde{\mathsf {P}}^{i,t}, \{{{\mathsf {lab}}}^{i,t}_{k}\}_{k\in [\ell ]} \big ) \leftarrow { \mathsf {Sim}_{\mathsf {G}}\left( 1^{\lambda },\left( (\alpha ^*,\beta ^*,\gamma ^*), \omega _{t,\alpha ^*,\beta ^*}, \{{\mathsf {lab}}_{k,\mathsf {st}_{i,k}}^{i,t+1}\}_{k \in [\ell ]}\right) \right) },$$
  where $\{{\mathsf {lab}}_{k, \mathsf {st}_{i,k}}^{i,t+1}\}_{k \in [\ell ]}$ are the honestly generates input labels for the garbled circuit $\widetilde{\mathsf {P}}^{i,t+1}$.
- If $i \ne i^*$ then
  $$\big (\widetilde{\mathsf {P}}^{i,t},\{{{\mathsf {lab}}}^{i,t}_{k}\}_{k\in [\ell ]} \big ) \leftarrow { \mathsf {Sim}_{\mathsf {G}}\left( 1^{\lambda },\left( \mathsf {ots}_{2,t,\alpha ^*,\beta ^*}^i, \{{{\mathsf {lab}}}^{i,t+1}_{k,\mathsf {st}_{i,k}}\}_{k \in [\ell ] \setminus \{h\}}\right) \right) },$$
  where $\{{\mathsf {lab}}_{k,\mathsf {st}_{i,k}}^{i,t+1}\}_{k \in [\ell ]}$ are the honestly generated input labels for the garbled circuit $\widetilde{\mathsf {P}}^{i,t+1}$.
The indistinguishability between hybrids $\mathcal {H}_{t,1}$ and $\mathcal {H}_{t-1}$ follows by |H| invocations of security of the garbling scheme.
$\mathcal {H}_{t,2}$: Skip this hybrid, if $i^* \not \in H$. This hybrid is same as $\mathcal {H}_{t,1}$ except that we change how $\mathcal {S}$ generates the Round-1 message on behalf of $P_{i^*}$. Specifically, the simulator $\mathcal {S}$ generates $\mathsf {ots}_{1,t,\alpha ,\beta }$ as is done in the $\mathcal {H}_t$. In a bit more detail, for all $\alpha ,\beta \in \{0,1\}$, $\mathcal {S}$ generates $\mathsf {ots}_{1,t,\alpha ,\beta }$ as $\mathsf {OT}_1(1^\lambda ,\mathsf {Z}_t; \omega _{t,\alpha ,\beta })$ rather than $\mathsf {OT}_1(1^\lambda ,v_{i,h} \oplus \mathsf {NAND}(v_{i,f} \oplus \alpha , v_{i,g} \oplus \beta );\omega _{t,\alpha ,\beta })$.

Indistinguishability between hybrids $\mathcal {H}_{t,1}$ and $\mathcal {H}_{t,2}$ follows directly by a sequence of 3 sub-hybrids each one relying on the receiver’s security of underlying semi-honest oblivious transfer protocol. Observe here that the security reduction crucially relies on the fact that $\widetilde{\mathsf {P}}^{i,t}$ only contains $\omega _{t,\alpha ^*,\beta ^*}$ (i.e., does not have $\omega _{t,\alpha ,\beta }$ for $\alpha \ne \alpha ^*$ or $\beta \ne \beta ^*$).
$\mathcal {H}_{t,3}$: Skip this hybrid if there does not exist $i \ne i^*$ such that $i \in H$. In this hybrid, we change how $\mathcal {S}$ generates the $\mathsf {ots}_{2,t,\alpha ,\beta }^i$ on behalf of every honest party $P_i$ such that $i \in H\setminus \{i^*\}$ for all choices of $\alpha ,\beta \in \{0,1\}$. More specifically, $\mathcal {S}$ only generates one of these four values; namely, $\mathsf {ots}_{2,t,\alpha ^*,\beta ^*}^i$ which is now generated as $\mathsf {OT}_2(\mathsf {ots}_{1,t,\alpha ^*,\beta ^*},{\mathsf {lab}}^{i,t+1}_{h,\mathsf {Z}_t}, {\mathsf {lab}}^{i,t+1}_{h,\mathsf {Z}_t})$ instead of $\mathsf {OT}_2(\mathsf {ots}_{1,t,\alpha ^*,\beta ^*},{\mathsf {lab}}^{i,t+1}_{h,0}, {\mathsf {lab}}^{i,t+1}_{h,1})$.

Indistinguishability between hybrids $\mathcal {H}_{t,2}$ and $\mathcal {H}_{t,3}$ follows directly from the sender’s security of underlying semi-honest oblivious transfer protocol. Finally, observe that $\mathcal {H}_{t,3}$ is the same as hybrid $\mathcal {H}_{t}$.

5.5 Extensions

The protocol presented above is very general and can be extended in different ways to obtain several other additional properties. We list some of the simple extensions below.

Multi-round OT. We note that plugging in any multi-round (say, r-round) OT scheme with semi-honest security we obtain an r-round MPC for semi-honest adversaries. More specifically, this can be achieved as follows. We run the first $r-2$ rounds of the protocol as a pre-processing phase with the receiver’s choice bits set as in the protocol and the sender’s message being randomly chosen labels. We then run the first round of our MPC protocol with the $(r-1)^{th}$ round of OT from the receiver and run the second round using the last round message from the sender hardwired inside the garbled circuits. The proof of security follows identically to proof given above for a two-round OT. A direct corollary of this construction is a construction of three round MPC for semi-honest adversaries from enhanced trapdoor permutations.

Two-Round MPC for RAM programs. In the previous section, we described how protocol compilation can be done for the case of conforming MPC protocols for circuits. Specifically, the protocol communication depends on the lengths of the secret state of the parties. We note that we can extend this framework for securely evaluating RAM programs [OS97, GKK+12, GGMP16, HY16] in two-rounds. In this setting, each party has a huge database as its private input and the parties wishes to compute a RAM program on their private databases. We consider the persistent memory setting [LO13, GHL+14, GLOS15, GLO15] where several programs are evaluated on the same databases. We allow an (expensive) pre-processing phase where the parties communicate to get a shared garbled database and the programs must be evaluated with communication and computation costs that grow with the running time of the programs. In our construction of two-round MPC for RAM programs, the pre-processing phase involves the parties executing a two-round MPC to obtain garbled databases of all the parties using a garbled RAM scheme (say, [GLOS15]) along with the shared secret state. Next, when a program needs to be executed, then the parties execute our two-round MPC to obtain a garbled program. Finally, the obtained garbled program can be executed with the garbled database to obtain the output.

Reducing the Communication Complexity. Finally, we note that in our two-round protocol each party can reduce the communication complexity [Gen09, BGI16, CDG+17] of either one of its two messages (with size dependent just on the security parameter) using Laconic Oblivious Transfer (OT) [CDG+17]. Roughly, laconic OT allows one party to commit to a large message by a short hash string (depending just on the security parameter) such that the knowledge of the laconic hash suffices for generating a garbled circuit that can be executed on the large committed string as input. Next, we give simple transformations using which the first party in any two-round MPC protocol can make either its first message or its second message short, respectively. The general case can also be handled in a similar manner.

We start by providing a transformation by which the first party can make its first message short. The idea is that in the transformed protocol the first party now only sends a laconic hash of the first message of the underlying protocol, which is disclosed in the second round message of the transformed protocol. The first round of messages of all other parties in the transformed protocol remains unchanged. However, their second round messages are now obtained by sending garbled circuits that generate the second round message of the original protocol using the first round message of the first party as input. This can be done using laconic OT.

Using a similar transformation the first party can make its second message short. Specifically, in this case, the first party appends its first round message with a garbled circuit that generated its second round message given as input the laconic OT hash for the first round messages of all the other parties. Now in the second round, the first party only needs to disclose the labels for the garbled circuit corresponding to laconic OT hash of the first round messages of all the other parties. The messages of all the other parties remain unchanged.

6 Two-Round MPC: Malicious Case

In this section, we give our construction of two-round multiparty computation protocol in the malicious case with security against static corruptions based on any two-round malicious oblivious transfer protocol (with equivocal receiver security which as argued earlier can be added with need for any additional assumptions) This is achieved by designing a compiler that takes any conforming arbitrary (polynomial) round MPC protocol $\varPhi $ and squishes it to two rounds.

6.1 Our Compiler

We give our construction of two-round MPC in Fig. 3 and the circuit that needs to be garbled (repeatedly) is shown in Fig. 2 (same as the semi-honest case). We start by providing intuition behind this construction. Our compiler is essentially the same as the semi-honest case. In addition to the minor syntactic changes, the main difference is that we compile malicious secure conforming protocols instead of semi-honest ones.

Another technical issue arises because the adversary may wait to receiver first round messages that $\mathcal {S}$ sends on the behalf of honest parties before the corrupted parties send out their first round messages. Recall that by sending the receiver OT messages in the first round, every party “commits” to all its future messages that it will send in the computation phase of the protocol. Thus, the ideal world simulator $\mathcal {S}$ must somehow commit to the messages generated on behalf of the honest party before extracting the adversary’s effective input. To get around this issue, we use the equivocability property of the OT using which the simulator can equivocate its first round messages after learning the malicious adversary’s effective input.

Theorem 3

Let $\varPhi $ be a polynomial round, n-party malicious MPC protocol computing a function $f: (\{0,1\}^m)^n \rightarrow \{0,1\}^*$, $(\mathsf {Garble},\mathsf {Eval})$ be a garbling scheme for circuits, and $(K_\mathsf {OT},\mathsf {OT}_1, \mathsf {OT}_2, \mathsf {OT}_3)$ be a maliciously secure (with equivocal receiver security) two-round OT protocol. The protocol described in Fig. 3 is a two-round, n-party malicious MPC protocol computing f against static corruptions.

We prove the security of our compiler in the rest of the section. The proof of correctness is the same as for the case of semi-honest security (see Sect. 5.2).

As in the semi-honest case Via the same argument as above it is useful to keep in mind that for every $i,j \in [n]$ and $k \in [\ell ]$, we have that $\mathsf {st}_{i,k} \oplus v_{i,k} = \mathsf {st}_{j,k} \oplus v_{j,k}$. Let us denote this shared value by $\mathsf {st}^*$. Also, we denote the transcript of the interaction in the computation phase by $\mathsf {Z}\in \{0,1\}^t$.

6.2 Simulator

Let $\mathcal {A}$ be a malicious adversary corrupting a subset of parties and let $H \subseteq [n]$ be the set of honest/uncorrupted parties. Since we assume that the adversary is static, this set is fixed before the execution of the protocol. Below we provide thenotion of faithful execution and then describe our simulator.

Faithful Execution. In the first round of our compiled protocol, $\mathcal {A}$ provides $z_i$ for every $i \in [n]\setminus H$ and $\mathsf {ots}_{1,t,\alpha ,\beta }$ for every $t \in \cup _{i \in [n]\setminus h}$ and $\alpha ,\beta \in \{0,1\}$. These values act as “binding” commitments to all of the adversary’s future choices. All these committed choices can be extracted using the extractor $\mathsf {Ext}_2$. Let $b_{t,\alpha ,\beta }$ be the value extracted from $\mathsf {ots}_{1,t,\alpha ,\beta }$. Intuitively speaking, a faithful execution is an execution that is consistent with these extracted values.

More formally, we define an interactive procedure $\mathsf {Faithful}(i, \{z_i\}_{i \in [n]},$$ \{b_{t,\alpha ,\beta }\}_{t \in A_i,\alpha ,\beta })$ that on input $i \in [n]$, $\{z_i\}_{i \in [n]}$, $\{b_{t,\alpha ,\beta }\}_{t\in A_i,\alpha ,\beta \in \{0,1\}}$ produces protocol $\varPhi $ message on behalf of party $P_i$ (acting consistently/faithfully with the extracted values) as follows:

1.
Set $\mathsf {st}^* := z_1 \Vert \ldots \Vert z_n$.
2.
For $t \in \left\{ 1\cdots T \right\} $
1. (a)
  Parse $\phi _t = (i^*,f,g,h)$.
2. (b)
  If $i \ne i^*$ then it waits for a bit from $P_{i^*} $ and sets $\mathsf {st}_{h}^*$ to be the received bit once it is received.
3. (c)
  Set ${\mathsf {st}}^* := b_{t,\mathsf {st}_{f}^*,{\mathsf {st}}_{g}^*}$ and output it to all the other parties.

We will later argue that any deviation from the faithful execution by the adversary $\mathcal {A}$ on behalf of the corrupted parties (during the second round of our compiled protocol) will be be detected. Additionally, we prove that such deviations do not hurt the security of the honest parties.

Description of the Simulator. We give the description of the ideal world adversary $\mathcal {S}$ that simulates the view of the real world adversary $\mathcal {A}$. $\mathcal {S}$ will internally use the malicious simulator $\mathsf {Sim}_{\varPhi }$ for $\varPhi $, the extractor $\mathsf {Ext}= (\mathsf {Ext}_1,\mathsf {Ext}_2)$ implied by the sender security of two-round OT, the simulator $\mathsf {Sim}_{Eq}$ implied by the equivocal receiver’s security and the simulator $\mathsf {Sim}_\mathsf {G}$ for garbling scheme for circuits. Recall that $\mathcal {A}$ is static and hence the set of honest parties H is known before the execution of the protocol.

Simulating the interaction with $\mathcal {Z}$. For every input value for the set of corrupted parties that $\mathcal {S}$ receives from $\mathcal {Z}$, $\mathcal {S}$ writes that value to $\mathcal {A}$’s input tape. Similarly, the output of $\mathcal {A}$ is written as the output on $\mathcal {S}$’s output tape.

Simulating the interaction with $\mathcal {A}$: For every concurrent interaction with the session identifier $\mathsf {sid}$ that $\mathcal {A}$ may start, the simulator does the following:

Generation of the common random/reference string: $\mathcal {S}$ generates the common random/reference string as follows:
1. 1.
  For each $i \in H, t \in A_i, \alpha ,\beta \in \{0,1\}$ set $(\sigma _{t,\alpha ,\beta }, (\mathsf {ots}_{1,t,\alpha ,\beta }, \omega _{t,\alpha ,\beta }^0, \omega _{t,\alpha ,\beta }^1))$ $\leftarrow \mathsf {Sim}_{Eq}(1^\lambda )$ (using equivocal simulator).
2. 2.
  For each $i \in [n]\setminus H,\alpha ,\beta \in \{0,1\}$ and $t \in A_i$ generate $(\sigma _{t,\alpha ,\beta }, \tau _{t,\alpha ,\beta }) \leftarrow \mathsf {Ext}_1(1^\lambda )$ (using the extractor of the OT protocol).
3. 3.
  Output the common random/reference string as $\left\{ \sigma _{t,\alpha ,\beta } \right\} _{t,\alpha ,\beta }$.
Initialization: $\mathcal {S}$ executes the simulator (against malicious adversary’s) $\mathsf {Sim}_{\varPhi }(1^{\lambda })$ to obtain $\{z_i\}_{i \in H}$. Moreover, $\mathcal {S}$ starts the real-world adversary $\mathcal {A}$. We next describe how $\mathcal {S}$ provides its messages to $\mathsf {Sim}_\varPhi $ and $\mathcal {A}$.
Round-1 messages from $\mathcal {S}$ to $\mathcal {A}$: For each $i \in H$, $\mathcal {S}$ sends $(z_i, \{\mathsf {ots}_{1,t, \alpha ,\beta }\}_{t \in A_i, \alpha , \beta \in \{0,1\}})$ to the adversary $\mathcal {A}$ on behalf of the honest party $P_i$.
Round-1 messages from $\mathcal {A}$ to $\mathcal {S}$: Corresponding to every $i \in [n]\setminus H$, $\mathcal {S}$ receives from the adversary $\mathcal {A}$ the value $(z_i, \{\mathsf {ots}_{1,t,\alpha ,\beta }\}_{t \in A_i, \alpha , \beta \in \{0,1\}})$ on behalf of the corrupted party $P_i$. Next, for each $i \in [n]\setminus H, t \in A_i, \alpha , \beta \in \{0,1\}$ extract $b_{t,\alpha ,\beta } := \mathsf {Ext}_2(\tau _{t,\alpha ,\beta }, \mathsf {ots}_{1,t,\alpha ,\beta })$.
Completing the execution with the $\mathsf {Sim}_\varPhi $: For each $i \in [n]\setminus H$, $\mathcal {S}$ sends $z_i$ to $\mathsf {Sim}_\varPhi $ on behalf of the corrupted party $P_i$. This starts the computation phase of $\varPhi $ with the simulator $\mathsf {Sim}_\varPhi $. $\mathcal {S}$ provides computation phase messages to $\mathsf {Sim}_\varPhi $ by following a faithful execution. More formally, for every corrupted party $P_i$ where $i \in [n]\setminus H$, $\mathcal {S}$ generates messages on behalf of $P_i$ for $\mathsf {Sim}_\varPhi $ using the procedure $\mathsf {Faithful}(i,\{z_i\}_{i \in [n]}, \{b_{t,\alpha ,\beta }\}_{t \in A_i,\alpha ,\beta })$. At some point during the execution, $\mathsf {Sim}_\varPhi $ will return the extracted inputs $\{x_i\}_{i \in [n]\setminus H}$ of the corrupted parties. For each $i \in [n]\setminus H$, $\mathcal {S}$ sends $(\mathsf {input}, \mathsf {sid}, \{P_1\cdots P_n\}, P_i, x_i)$ to the ideal functionality implementing f and obtains the output y which is provided to $\mathsf {Sim}_\varPhi $. Finally, at some point the faithful execution completes.

Let $\mathsf {Z} \in \{0,1\}^t$ where $\mathsf {Z}_t$ is the bit sent in the $t^{th}$ round of the computation phase of $\varPhi $ be output of this execution. And let $\mathsf {st}^*$ be the state value at the end of execution of one of the corrupted parties (this value is the same for all the parties). Also, set for each $t \in \cup _{i \in H} A_i$ and $\alpha ,\beta \in \{0,1\}$ set $\omega _{t,\alpha ,\beta } := \omega _{t,\alpha ,\beta }^{\mathsf {Z}_t}$.
Round-2 messages from $\mathcal {S}$ to $\mathcal {A}$: For each $i \in H$, the simulator $\mathcal {S}$ generates the second round message on behalf of party $P_i$ as follows:
1. 1.
  For each $k \in [\ell ]$ set ${\mathsf {lab}}_{k}^{i,T+1} := 0^\lambda $.
2. 2.
  $\mathbf{for}$ each t from T down to 1,
  1. (a)
    Parse $\phi _t$ as $(i^*,f,g,h)$.
  2. (b)
    Set $\alpha ^*:= \mathsf {st}^*_{f}$, $\beta ^*:= \mathsf {st}^*_{g}$, and $\gamma ^*:= \mathsf {st}^*_{h}$.
  3. (c)
    If $i = i^*$ then compute
    $$\big (\widetilde{\mathsf {P}}^{i,t}, \{{{\mathsf {lab}}}^{i,t}_{k}\}_{k\in [\ell ]} \big ) \leftarrow { \mathsf {Sim}_{\mathsf {G}}\left( 1^{\lambda },\left( (\alpha ^*,\beta ^*,\gamma ^*),\omega _{t,\alpha ^*,\beta ^*}, \{{\mathsf {lab}}_{k}^{i,t+1}\}_{k \in [\ell ]}\right) \right) }.$$
  4. (d)
    If $i \ne i^*$ then set $\mathsf {ots}^i_{2,t,\alpha ^*,\beta ^*} \leftarrow \mathsf {OT}_2(\sigma _{t,\alpha ^*,\beta ^*}, \mathsf {ots}_{1,t,\alpha ^*,\beta ^*}, {\mathsf {lab}}^{i,t+1}_{h},$ ${\mathsf {lab}}^{i,t+1}_{h})$ and compute
    $$\big (\widetilde{\mathsf {P}}^{i,t},\{{{\mathsf {lab}}}^{i,t}_{k}\}_{k\in [\ell ]} \big ) \leftarrow { \mathsf {Sim}_{\mathsf {G}}\left( 1^{\lambda },\left( \mathsf {ots}^i_{2,t,\alpha ^*,\beta ^*},\{{{\mathsf {lab}}}^{i,t+1}_{k}\}_{k \in [\ell ] \setminus \{h\}}\right) \right) }.$$
3. 3.
  Send $\big (\{\widetilde{\mathsf {P}}^{i,t}\}_{t \in [T]}$,$\{{\mathsf {lab}}^{i,1}_{k}\}_{k \in [\ell ]} \big )$ to every other party.
Round-2 messages from $\mathcal {A}$ to $\mathcal {S}$: For every $i \in [n]\setminus H$, $\mathcal {S}$ obtains the second round message from $\mathcal {A}$ on behalf of the malicious parties. Subsequent to obtaining these messages, $\mathcal {S}$ executes the garbled circuits provided by $\mathcal {A}$ on behalf of the corrupted parties to see the execution of garbled circuits proceeds consistently with the expected faithful execution. If the computation succeeds then for each $i \in H,$ $\mathcal {S}$ sends $(\mathsf {generateOutput},\mathsf {sid},\{P_1\cdots P_n\}, P_i)$ to the ideal functionality.

6.3 Proof of Indistinguishability

We now show that no environment $\mathcal {Z}$ can distinguish whether it is interacting with a real world adversary $\mathcal {A}$ or an ideal world adversary $\mathcal {S}$. We prove this via an hybrid argument with $T+2$ hybrids.

$\mathcal {H}_{Real}$: This hybrid is the same as the real world execution.
$\mathcal {H}_{0}$: In this hybrid we start by changing the distribution of the common random string. Specifically, the common random string is generated as is done in the simulation. More formally, $\mathcal {S}$ generates the common random/reference string as follows:
1. 1.
  For each $i \in H, t \in A_i, \alpha ,\beta \in \{0,1\}$ set $(\sigma _{t,\alpha ,\beta }, (\mathsf {ots}_{1,t,\alpha ,\beta }, \omega _{t,\alpha ,\beta }^0,$ $\omega _{t,\alpha ,\beta }^1)) \leftarrow \mathsf {Sim}_{Eq}(1^\lambda )$ (using equivocal simulator).
  
  For all $t \in \cup _{i \in H} A_i$ and $\alpha ,\beta \in \{0,1\}$ set $\omega _{t,\alpha ,\beta } := \omega _{t,\alpha ,\beta }^{v_{i,h} \oplus \mathsf {NAND}(v_{i,f} \oplus \alpha , v_{i,g} \oplus \beta )}$ where $v_i$ is the secret value of party $P_i$ generated in the pre-processing phase of $\varPhi $.
2. 2.
  For each $i \in [n]\setminus H,\alpha ,\beta \in \{0,1\}$ and $t \in A_i$ generate $(\sigma _{t,\alpha ,\beta }, \tau _{t,\alpha ,\beta }) \leftarrow \mathsf {Ext}_1(1^\lambda )$ (using the extractor of the OT protocol).
  
  Corresponding to every $i \in [n]\setminus H$, $\mathcal {A}$ sends $(z_i, \{\mathsf {ots}_{1,t,\alpha ,\beta }\}_{t \in A_i, \alpha , \beta \in \{0,1\}})$ on behalf of the corrupted party $P_i$ as its first round message. For each $i \in [n]\setminus H, t \in A_i, \alpha , \beta \in \{0,1\}$ in this hybrid we extract $b_{t,\alpha ,\beta } := \mathsf {Ext}(\tau _{t,\alpha ,\beta }, \mathsf {ots}_{1,t,\alpha ,\beta })$.
Note that this hybrid is the same as hybrid $\mathcal {H}_t$ below with $t=0$.

The indistinguishability between hybrids $\mathcal {H}_{Real}$ and $\mathcal {H}_0$ follow from a reduction to the sender’s security and the equivocal receiver’s security of the two-round OT protocol.
$\mathcal {H}_t$ (where $t \in \{0,\ldots T\}$): Hybrid $\mathcal {H}_t$ (for $t \in \{1\cdots T\}$) is the same as hybrid $\mathcal {H}_{t-1}$ except we change the distribution of the OT messages (both from the first and the second round of the protocol) and the garbled circuits (from the second round) that play a role in the execution of the $t^{th}$ round of the protocol $\varPhi $; namely, the action $\phi _t = (i^*,f,g,h)$. We describe the changes more formally below.

For each $i \in [n]\setminus H$, in this hybrid $\mathcal {S}$ (in his head) completes an execution of $\varPhi $ using honest party inputs and randomness. In this execution, the messages on behalf of corrupted parties are generated via faithful execution. Specifically, $\mathcal {S}$ sends $\{z_i\}_{i \in [n]\setminus H}$ to the honest parties on behalf of the corrupted party $P_i$ in this mental execution of $\varPhi $. This starts the computation phase of $\varPhi $. In this computation phase, $\mathcal {S}$ generates honest party messages using the inputs and random coins of the honest parties and generates the messages of the each malicious party $P_i$ by executing $\mathsf {Faithful}\left( i, \{z_i\}_{i \in [n]\setminus H}, \{b_{t,\alpha ,\beta }\}_{t \in A_i,\alpha ,\beta }\right) $. Let $\mathsf {st}^*$ be the local state of the end of execution of $\mathsf {Faithful}$. Finally, let $\alpha ^* := \mathsf {st}^*_{f}$, $\beta ^* := \mathsf {st}^*_{g}$ and $\gamma ^* := \mathsf {st}^*_{h}$. In hybrid $\mathcal {H}_t$ we make the following changes with respect to hybrid $\mathcal {H}_{t-1}$:
- If $i^* \not \in H$ then skip these changes. $\mathcal {S}$ makes two changes in how it generates messages on behalf of $P_{i^*}$. First, for all $\alpha ,\beta \in \{0,1\}$, $\mathcal {S}$ sets $\omega _{t,\alpha ,\beta } $ as $\omega _{t,\alpha ,\beta }^{\mathsf {Z}_t}$ rather than $\omega _{t,\alpha ,\beta }^{v_{i,h} \oplus \mathsf {NAND}(v_{i,f} \oplus \alpha , v_{i,g} \oplus \beta )}$ (note that these two values are the same when using the honest party’s input and randomness). Second, it generates the garbled circuit
  $$\big (\widetilde{\mathsf {P}}^{i^*,t}, \{{{\mathsf {lab}}}^{i^*,t}_{k}\}_{k\in [\ell ]} \big ) \leftarrow { \mathsf {Sim}_{\mathsf {G}}\left( 1^{\lambda },\left( (\alpha ^*,\beta ^*,\gamma ^*), \omega _{t,\alpha ^*,\beta ^*}, \{{\mathsf {lab}}_{k,\mathsf {st}_{i,k}}^{i^*,t+1}\}_{k \in [\ell ]}\right) \right) },$$
  where $\{{\mathsf {lab}}_{k, \mathsf {st}_{i,k}}^{i^*,t+1}\}_{k \in [\ell ]}$ are the honestly generates input labels for the garbled circuit $\widetilde{\mathsf {P}}^{i^*,t+1}$.
- $\mathcal {S}$ makes the following two changes in how it generates messages for other honest parties $P_i$ (i.e., $i \in H\setminus \{i^*\}$). $\mathcal {S}$ does not generate four $\mathsf {ots}_{2,t,\alpha ,\beta }^i$ values but just one of them; namely, $\mathcal {S}$ generates $\mathsf {ots}_{2,t,\alpha ^*,\beta ^*}^i$ as $\mathsf {OT}_2( \sigma _{t,\alpha ^*,\beta ^*},$ $\mathsf {ots}_{1,t,\alpha ^*,\beta ^*},{\mathsf {lab}}^{i,t+1}_{h,\mathsf {Z}_t},{\mathsf {lab}}^{i,t+1}_{h,\mathsf {Z}_t})$ rather than $\mathsf {OT}_2( \sigma _{t,\alpha ^*,\beta ^*}, \mathsf {ots}_{1,t,\alpha ^*,\beta ^*},{\mathsf {lab}}^{i,t+1}_{h,0},$ $ {\mathsf {lab}}^{i,t+1}_{h,1})$. Second it generates the garbled circuit
  $$\big (\widetilde{\mathsf {P}}^{i,t},\{{{\mathsf {lab}}}^{i,t}_{k}\}_{k\in [\ell ]} \big ) \leftarrow { \mathsf {Sim}_{\mathsf {G}}\left( 1^{\lambda },\left( \mathsf {ots}_{2,t,\alpha ^*,\beta ^*}^i, \{{{\mathsf {lab}}}^{i,t+1}_{k,\mathsf {st}_{i,k}}\}_{k \in [\ell ] \setminus \{h\}}\right) \right) },$$
  where $\{{\mathsf {lab}}_{k,\mathsf {st}_{i,k}}^{i,t+1}\}_{k \in [\ell ]}$ are the honestly generated input labels for the garbled circuit $\widetilde{\mathsf {P}}^{i,t+1}$.
Indistinguishability between $\mathcal {H}_{t-1}$ and $\mathcal {H}_{t}$ is proved in Lemma 2.
$\mathcal {H}_{T+1}$: In this hybrid we just change how the transcript $\mathsf {Z}$, $\{z_{i}\}_{i\in H}$, random coins of malicious parties and value $\mathsf {st}^*$ are generated. Instead of generating these using honest party inputs in execution with a faithful execution of $\varPhi $, we generate it via the simulator $\mathsf {Sim}_\varPhi $ (of the maliciously secure protocol $\varPhi $). In other words, we execute the simulator $\mathsf {Sim}_\varPhi $ where messages on behalf of each corrupted party $P_i$ are generated using $\mathsf {Faithful}(i,\{z_i\}_{i \in [n]\setminus H}, \{b_{t,\alpha ,\beta }\}_{t\in A_i,\alpha ,\beta })$. (Note that $\mathsf {Sim}_\varPhi $ might rewind $\mathsf {Faithful}$. This can be achieved since $\mathsf {Faithful}$ is just a polynomial time interactive procedure that can also be rewound.)

The indistinguishability between hybrids $\mathcal {H}_T$ and $\mathcal {H}_{T+1}$ follows directly from the malicious security of the protocol $\varPhi $. Finally note that $\mathcal {H}_{T+1}$ is same as the ideal execution (i.e., the simulator described in the previous subsection).

Lemma 3

Assuming malicious security of the two-round OT protocol and the security of the garbling scheme, for all $t \in \{1\ldots T\}$ hybrids $\mathcal {H}_{t-1}$ and $\mathcal {H}_{t}$ are computationally indistinguishable.

Proof

Using the same notation as before, let $\phi _t = (i^*,f,g,h)$, $\mathsf {st}_{i^*}$ be the state of $P_{i^*}$ at the end of round t, and $\alpha ^* := \mathsf {st}_{i^*,f}\oplus v_{i^*,f}$, $\beta ^* := \mathsf {st}_{i^*,g}\oplus v_{i^*,g}$ and $\gamma ^* := \mathsf {st}_{i^*,h} \oplus v_{i^*,h}$. The indistinguishability between hybrids $\mathcal {H}_{t-1}$ and $\mathcal {H}_{t}$ follows by a sequence of three sub-hybrids $\mathcal {H}_{t,1}$, $\mathcal {H}_{t,2}$, and $\mathcal {H}_{t,3}$.

$\mathcal {H}_{t,1}$: Hybrid $\mathcal {H}_{t,1}$ is same as hybrid $\mathcal {H}_{t-1}$ except that $\mathcal {S}$ now generates the garbled circuits $\widetilde{\mathsf {P}}^{i,t}$ for each $i \in H$ in a simulated manner (rather than generating them honestly). Specifically, instead of generating each garbled circuit and input labels $\big (\widetilde{\mathsf {P}}^{i,t},\{{{\mathsf {lab}}}^{i,t}_{k}\}_{k\in [\ell ]} \big )$ honestly, they are generated via the simulator by hard coding the output of the circuit itself. In a bit more details, parse $\phi _t$ as $(i^*,f,g,h)$.
- If $i = i^*$ then
  $$\big (\widetilde{\mathsf {P}}^{i,t}, \{{{\mathsf {lab}}}^{i,t}_{k}\}_{k\in [\ell ]} \big ) \leftarrow { \mathsf {Sim}_{\mathsf {G}}\left( 1^{\lambda },\left( (\alpha ^*,\beta ^*,\gamma ^*), \omega _{t,\alpha ^*,\beta ^*}, \{{\mathsf {lab}}_{k,\mathsf {st}_{i,k}}^{i,t+1}\}_{k \in [\ell ]}\right) \right) },$$
  where $\{{\mathsf {lab}}_{k, \mathsf {st}_{i,k}}^{i,t+1}\}_{k \in [\ell ]}$ are the honestly generates input labels for the garbled circuit $\widetilde{\mathsf {P}}^{i,t+1}$.
- If $i \ne i^*$ then
  $$\big (\widetilde{\mathsf {P}}^{i,t},\{{{\mathsf {lab}}}^{i,t}_{k}\}_{k\in [\ell ]} \big ) \leftarrow { \mathsf {Sim}_{\mathsf {G}}\left( 1^{\lambda },\left( \mathsf {ots}_{2,t,\alpha ^*,\beta ^*}^i, \{{{\mathsf {lab}}}^{i,t+1}_{k,\mathsf {st}_{i,k}}\}_{k \in [\ell ] \setminus \{h\}}\right) \right) },$$
  where $\{{\mathsf {lab}}_{k,\mathsf {st}_{i,k}}^{i,t+1}\}_{k \in [\ell ]}$ are the honestly generated input labels for the garbled circuit $\widetilde{\mathsf {P}}^{i,t+1}$.
The indistinguishability between hybrids $\mathcal {H}_{t,1}$ and $\mathcal {H}_{t-1}$ follows by |H| invocations of security of the garbling scheme.
$\mathcal {H}_{t,2}$: Skip this hybrid, if $i^* \not \in H$. This hybrid is same as $\mathcal {H}_{t,1}$ except that we change how $\mathcal {S}$ generates the Round-1 message on behalf of $P_{i^*}$. Specifically, the simulator $\mathcal {S}$ generates $\mathsf {ots}_{1,t,\alpha ,\beta }$ as is done in the $\mathcal {H}_t$. In a bit more detail, for all $\alpha ,\beta \in \{0,1\}$, $\mathcal {S}$ generates $\mathsf {ots}_{1,t,\alpha ,\beta }$ as $\mathsf {OT}_1( \sigma _{t,\alpha ,\beta },\mathsf {Z}_t; \omega _{t,\alpha ,\beta })$ rather than $\mathsf {OT}_1(\sigma {t,\alpha ,\beta },v_{i,h} \oplus \mathsf {NAND}(v_{i,f} \oplus \alpha , v_{i,g} \oplus \beta );\omega _{t,\alpha ,\beta })$.

Indistinguishability between hybrids $\mathcal {H}_{t,1}$ and $\mathcal {H}_{t,2}$ follows directly by a sequence of 3 sub-hybrids each one relying on the receiver’s security of underlying semi-honest oblivious transfer protocol. Observe here that the security reduction crucially relies on the fact that $\widetilde{\mathsf {P}}^{i,t}$ only contains $\omega _{t,\alpha ^*,\beta ^*}$ (i.e., does not have $\omega _{t,\alpha ,\beta }$ for $\alpha \ne \alpha ^*$ or $\beta \ne \beta ^*$).
$\mathcal {H}_{t,3}$: Skip this hybrid if there does not exist $i \ne i^*$ such that $i \in H$. In this hybrid, we change how $\mathcal {S}$ generates the $\mathsf {ots}_{2,t,\alpha ,\beta }^i$ on behalf of every honest party $P_i$ such that $i \in H\setminus \{i^*\}$ for all choices of $\alpha ,\beta \in \{0,1\}$. More specifically, $\mathcal {S}$ only generates one of these four values; namely, $\mathsf {ots}_{2,t,\alpha ^*,\beta ^*}^i$ which is now generated as $\mathsf {OT}_2( \sigma _{t,\alpha ^*,\beta ^*}, \mathsf {ots}_{1,t,\alpha ^*,\beta ^*},{\mathsf {lab}}^{i,t+1}_{h,\mathsf {Z}_t}, {\mathsf {lab}}^{i,t+1}_{h,\mathsf {Z}_t})$ instead of $\mathsf {OT}_2(\sigma _{t,\alpha ^*,\beta ^*}, \mathsf {ots}_{1,t,\alpha ^*,\beta ^*},{\mathsf {lab}}^{i,t+1}_{h,0}, {\mathsf {lab}}^{i,t+1}_{h,1})$.

Indistinguishability between hybrids $\mathcal {H}_{t,2}$ and $\mathcal {H}_{t,3}$ follows directly from the sender’s security of underlying malicious oblivious transfer protocol. Finally, observe that $\mathcal {H}_{t,3}$ is the same as hybrid $\mathcal {H}_{t}$.

6.4 Extensions

As in the semi-honest case, we discuss several extensions to the construction of two-round maliciously secure MPC.

Fairness. Assuming honest majority we obtain fairness in three rounds using techniques from [GLS15]. Specifically, we can change the function description to output a n / 2-out-of-n secret sharing of the output. In the last round, the parties exchange their shares to reconstruct the output. Note that since the corrupted parties is in minority, it cannot learn the output of the function even if it obtains the second round messages from all the parties. Note that Gordon et al. [GLS15] showed that three rounds are necessary to achieve fairness. Thus this is optimal.

Semi-malicious security in Plain Model. We note that a simple modification of our construction in Fig. 3 can be made semi-maliciously secure in the plain model. The modification is to use a two-round OT secure against semi-malicious receiver and semi-honest sender (e.g., [NP01]) and achieve equivocability by sending two $\mathsf {OT}_1$ messages in the first round having the same receiver’s choice bit. Note that this is trivially equivocal since a simulator can use different choice bits in the $\mathsf {OT}_1$ message. On the other hand, since a semi-malicious party is required to follow the protocol, it will always use the same choice bit in both the $\mathsf {OT}_1$ messages.

Notes

1.
Semi-malicious security is a strengthening of the semi-honest security wherein the adversary is allowed to choose its random tape arbitrarily. Ashrov et al. [AJL+12] showed that any protocol satisfying semi-malicious security could be upgraded to one with malicious security additionally using Non-Interactive Zero-Knowledge proofs (NIZKs).
2.
We note that $\omega $ in the output of $\mathsf {OT}_1$ need not contain all the random coins used by $\mathsf {OT}_1$. This fact will be useful in the stronger equivocal security notion of oblivious transfer.
3.
Randomized protocols can be handled by including the randomness used by a party as part of its input.
4.
For simplicity of exposition, we only consider the case where every party gets the same output. The proof in the more general case where parties get different outputs follows analogously.

References

Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in NC$^0$. In: 45th FOCS, Rome, Italy, 17–19 October 2004, pp. 166–175. IEEE Computer Society Press (2004)
Google Scholar
Applebaum, B., Ishai, Y., Kushilevitz, E.: Computationally private randomizing polynomials and their applications. In: 20th Annual IEEE Conference on Computational Complexity (CCC 2005), San Jose, CA, USA, 11–15 June 2005, pp. 260–274 (2005)
Google Scholar
Aiello, B., Ishai, Y., Reingold, O.: Priced oblivious transfer: how to sell digital goods. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 119–135. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_8
Chapter Google Scholar
Asharov, G., Jain, A., López-Alt, A., Tromer, E., Vaikuntanathan, V., Wichs, D.: Multiparty computation with low communication, computation and interaction via threshold FHE. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 483–501. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_29
Chapter Google Scholar
Boneh, D., Franklin, M.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13
Chapter Google Scholar
Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: 20th ACM STOC, Chicago, IL, USA, 2–4 May 1988, pp. 103–112. ACM Press (1988)
Google Scholar
Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1
Chapter Google Scholar
Boyle, E., Gilboa, N., Ishai, Y.: Breaking the circuit size barrier for secure computation under DDH. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 509–539. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_19
Chapter Google Scholar
Boyle, E., Gilboa, N., Ishai, Y.: Group-based secure computation: optimizing rounds, communication, and computation. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 163–193. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_6
Chapter Google Scholar
Bellare, M., Hoang, V.T.: Adaptive witness encryption and asymmetric password-based cryptography. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 308–331. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_14
Google Scholar
Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) ACM CCS 12, Raleigh, NC, USA, 16–18 October 2012, pp. 784–796. ACM Press (2012)
Google Scholar
Benhamouda, F., Lin, H.: k-round multiparty computation from k-round oblivious transfer via garbled interactive circuits. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 500–532. Springer, Cham (2018). https://eprint.iacr.org/2017/1125
Google Scholar
Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols (extended abstract). In: 22nd ACM STOC, Baltimore, MD, USA, 14–16 May 1990, pp. 503–513. ACM Press (1990)
Google Scholar
Brakerski, Z., Perlman, R.: Lattice-based fully dynamic multi-key FHE with short ciphertexts. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 190–213. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_8
Chapter Google Scholar
Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000)
Article MathSciNet MATH Google Scholar
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067 (2000). http://eprint.iacr.org/2000/067
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, Las Vegas, NV, USA, 14–17 October 2001, pp. 136–145. IEEE Computer Society Press (2001)
Google Scholar
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols, Version of December 2005 (2005). http://eccc.uni-trier.de/eccc-reports/2001/TR01-016
Cachin, C., Crépeau, C., Marcil, J.: Oblivious transfer with a memory-bounded receiver. In: 39th FOCS, Palo Alto, CA, USA, 8–11 November 1998, pp. 493–502. IEEE Computer Society Press (1998)
Google Scholar
Cho, C., Döttling, N., Garg, S., Gupta, D., Miao, P., Polychroniadou, A.: Laconic oblivious transfer and its applications. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 33–65. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_2
Chapter Google Scholar
Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: 34th ACM STOC, Montréal, Québec, Canada, 19–21 May 2002, pp. 494–503. ACM Press (2002)
Google Scholar
Clear, M., McGoldrick, C.: Multi-identity and multi-key leveled FHE from learning with errors. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 630–656. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_31
Chapter Google Scholar
Döttling, N., Garg, S.: Identity-based encryption from the Diffie-Hellman assumption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 537–569. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_18
Chapter Google Scholar
Ding, Y.Z., Harnik, D., Rosen, A., Shaltiel, R.: Constant-round oblivious transfer in the bounded storage model. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 446–472. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_25
Chapter Google Scholar
Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In: 31st FOCS, St. Louis, Missouri, 22–24 October 1990, pp. 308–317. IEEE Computer Society Press (1990)
Google Scholar
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st ACM STOC, Bethesda, MD, USA, 31 May–2 June 2009, pp. 169–178. ACM Press (2009)
Google Scholar
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th FOCS, Berkeley, CA, USA, 26–29 October 2013, pp. 40–49. IEEE Computer Society Press (2013)
Google Scholar
Garg, S., Gentry, C., Halevi, S., Raykova, M.: Two-round secure MPC from indistinguishability obfuscation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 74–94. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_4
Chapter Google Scholar
Garg, S., Gupta, D., Miao, P., Pandey, O.: Secure multiparty RAM computation in constant rounds. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9985, pp. 491–520. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53641-4_19
Chapter Google Scholar
Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness encryption and its applications. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, Palo Alto, CA, USA, 1–4 June 2013, pp. 467–476. ACM Press (2013)
Google Scholar
Gentry, C., Halevi, S., Lu, S., Ostrovsky, R., Raykova, M., Wichs, D.: Garbled RAM revisited. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 405–422. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_23
Chapter Google Scholar
Dov Gordon, S., Katz, J., Kolesnikov, V., Krell, F., Malkin, T., Raykova, M., Vahlis, Y.: Secure two-party computation in sublinear (amortized) time. In: Yu, T., Danezis, G., Gligor, V.D. (eds.) ACM CCS 2012, Raleigh, NC, USA, 16–18 October 2012, pp. 513–524. ACM Press (2012)
Google Scholar
Garg, S., Lu, S., Ostrovsky, R.: Black-box garbled RAM. In: Guruswami, V. (ed.) 56th FOCS, Berkeley, CA, USA, 17–20 October 2015, pp. 210–229. IEEE Computer Society Press (2015)
Google Scholar
Garg, S., Lu, S., Ostrovsky, R., Scafuro, A.: Garbled RAM from one-way functions. In: Servedio, R.A., Rubinfeld, R. (eds.) 47th ACM STOC, Portland, OR, USA, 14–17 June 2015, pp. 449–458. ACM Press (2015)
Google Scholar
Dov Gordon, S., Liu, F.-H., Shi, E.: Constant-round MPC with fairness and guarantee of output delivery. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 63–82. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_4
Chapter Google Scholar
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: Aho, A. (ed.) 19th ACM STOC, New York City, NY, USA, 25–27 May 1987, pp. 218–229. ACM Press (1987)
Google Scholar
Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_21
Chapter Google Scholar
Garg, S., Ostrovsky, R., Visconti, I., Wadia, A.: Resettable statistical zero knowledge. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 494–511. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_28
Chapter Google Scholar
Garg, S., Srinivasan, A.: Garbled protocols and two-round MPC from bilinear maps. In: 58th FOCS, pp. 588–599. IEEE Computer Society Press (2017)
Google Scholar
Garg, S., Srinivasan, A.: Two-round multiparty secure computation from minimal assumptions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 468–499. Springer, Cham (2018). https://eprint.iacr.org/2017/1156
Google Scholar
Halevi, S., Kalai, Y.T.: Smooth projective hashing and two message oblivious transfer. J. Cryptol. 25(1), 158–193 (2012)
Article MathSciNet MATH Google Scholar
Hazay, C., Yanai, A.: Constant-round maliciously secure two-party computation in the RAM model. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9985, pp. 521–553. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53641-4_20
Chapter Google Scholar
Ishai, Y., Prabhakaran, M., Sahai, A.: Founding cryptography on oblivious transfer – efficiently. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 572–591. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_32
Chapter Google Scholar
Joux, A.: A one round protocol for tripartite Diffie-Hellman. J. Cryptol. 17(4), 263–276 (2004)
Article MathSciNet MATH Google Scholar
Kilian, J.: Founding cryptography on oblivious transfer. In: 20th ACM STOC, Chicago, IL, USA, 2–4 May 1988, pp. 20–31. ACM Press (1988)
Google Scholar
Lu, S., Ostrovsky, R.: How to garble RAM programs? In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 719–734. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_42
Chapter Google Scholar
Lindell, Y., Pinkas, B.: A proof of security of Yao’s protocol for two-party computation. J. Cryptol. 22(2), 161–188 (2009)
Article MathSciNet MATH Google Scholar
Mukherjee, P., Wichs, D.: Two round multiparty computation via multi-key FHE. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 735–763. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_26
Chapter Google Scholar
Naor, M., Pinkas, B.: Efficient oblivious transfer protocols. In: Rao Kosaraju, S. (ed.) 12th SODA, Washington, DC, USA, 7–9 January 2001, pp. 448–457. ACM-SIAM (2001)
Google Scholar
Ostrovsky, R., Shoup, V.: Private information storage (extended abstract). In: 29th ACM STOC, El Paso, TX, USA, 4–6 May 1997, pp. 294–303. ACM Press (1997)
Google Scholar
Peikert, C., Shiehian, S.: Multi-key FHE from LWE, revisited. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 217–238. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_9
Chapter Google Scholar
Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_31
Chapter Google Scholar
Pfitzmann, B., Waidner, M.: Composition and integrity preservation of secure reactive systems. In: Jajodia, S., Samarati, P. (eds.) ACM CCS 2000, Athens, Greece, 1–4 November 2000, pp. 245–254. ACM Press (2000)
Google Scholar
Yao, A.C.-C.: How to generate and exchange secrets (extended abstract). In: 27th FOCS, Toronto, Ontario, Canada, 27–29 October 1986, pp. 162–167. IEEE Computer Society Press (1986)
Google Scholar

Download references

Author information

Authors and Affiliations

University of California, Berkeley, USA
Sanjam Garg & Akshayaram Srinivasan

Authors

Sanjam Garg
View author publications
You can also search for this author in PubMed Google Scholar
Akshayaram Srinivasan
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Sanjam Garg .

Editor information

Editors and Affiliations

Aarhus University, Aarhus, Denmark
Jesper Buus Nielsen
University of Leuven, Leuven, Belgium
Vincent Rijmen

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Garg, S., Srinivasan, A. (2018). Two-Round Multiparty Secure Computation from Minimal Assumptions. In: Nielsen, J., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2018 . EUROCRYPT 2018. Lecture Notes in Computer Science(), vol 10821. Springer, Cham. https://doi.org/10.1007/978-3-319-78375-8_16

Download citation

DOI: https://doi.org/10.1007/978-3-319-78375-8_16
Published: 31 March 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78374-1
Online ISBN: 978-3-319-78375-8
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Two-Round Multiparty Secure Computation from Minimal Assumptions

Abstract

Similar content being viewed by others

Three-Round Secure Multiparty Computation from Black-Box Two-Round Oblivious Transfer

Round Optimal Secure Multiparty Computation from Minimal Assumptions

Two-Round Adaptively Secure Multiparty Computation from Standard Assumptions

1 Introduction

1.1 Our Result

Theorem 1

Corollary 1

Corollary 2

2 Technical Overview

3 Preliminaries

3.1 Garbled Circuits

3.2 Universal Composability Framework

3.3 Oblivious Transfer

4 Conforming Protocols

4.1 Specifications for a Conforming Protocol

4.2 Transformation for Making a Protocol Conforming

Lemma 1

Proof

5 Two-Round MPC: Semi-honest Case

5.1 Our Compiler

Theorem 2

5.2 Correctness

5.3 Simulator

5.4 Proof of Indistinguishability

Lemma 2

Proof

5.5 Extensions

6 Two-Round MPC: Malicious Case

6.1 Our Compiler

Theorem 3

6.2 Simulator

6.3 Proof of Indistinguishability

Lemma 3

Proof

6.4 Extensions

Notes

References

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation