Cryptographic Asynchronous Multi-party Computation with Optimal Resilience [chapter]

Martin Hirt, Jesper Buus Nielsen, Bartosz Przydatek
2005 Lecture Notes in Computer Science  
We consider secure multi-party computation in the asynchronous model and present an efficient protocol with optimal resilience. For n parties, up to t < n/3 of them being corrupted, and security parameter κ, a circuit with c gates can be securely computed with communication complexity O(cn^3 κ) bits. In contrast to all previous asynchronous protocols with optimal resilience, our protocol requires access to an expensive broadcast primitive only O(n) times, independently of the size c of the ... it. This results in a practical protocol with a very low communication overhead.

One major drawback of a purely asynchronous network is that the inputs of up to t honest parties cannot be considered for the evaluation of the circuit. Waiting for all inputs could take infinitely long when the missing inputs belong to corrupted parties. Our protocol can easily be extended to a hybrid model, in which we have one round of synchronicity at the end of the input stage, but are fully asynchronous afterwards. In this model, our protocol allows the circuit to be evaluated on the inputs of every honest party. The full version of this paper is available at Cryptology ePrint Archive [HNP04].

We consider a static active t-adversary who can corrupt up to t of the players and take full control over them. Furthermore, we focus on asynchronous communication, i.e., the messages in the network can be delayed for an arbitrary amount of time (but eventually, all messages are delivered). As a worst-case assumption, we give the adversary the ability to control the delay of messages. Asynchronous communication models real-world networks (like the Internet) much better than synchronous communication. However, it turns out that MPC protocols for asynchronous networks are significantly more involved than their synchronous counterparts. One reason for this is that in an asynchronous network, when a player does not receive an expected message, he cannot distinguish whether the sender is corrupted and did not send the message, or the message was sent but delayed in the network. This also implies that in a fully asynchronous setting it is impossible to consider the inputs of all uncorrupted players when evaluating the function. The inputs of up to t (potentially honest) players have to be ignored, because waiting for them could turn out to be endless [Bec54].
doi:10.1007/11426639_19 fatcat:l2qcmqk4pfg7lb63jlr56isa2a