Robustness for Free in Unconditional Multi-party Computation [chapter]

Martin Hirt, Ueli Maurer
2001 Lecture Notes in Computer Science  
We present a very efficient multi-party computation protocol unconditionally secure against an active adversary. The security is maximal, i.e., active corruption of up to t < n/3 of the n players is tolerated. The communication complexity for securely evaluating a circuit with m multiplication gates over a finite field is O(mn^2) field elements, including the communication required for simulating broadcast. This corresponds to the complexity of the best known protocols for the passive model, where the corrupted players are guaranteed not to deviate from the protocol. Even in this model, it seems to be unavoidable that for every multiplication gate every player must send a value to every other player, and hence the complexity of our protocol may well be optimal. The constant overhead factor for robustness is small and the protocol is practical.

Recently, Hirt, Maurer, and Przydatek [HMP00] proposed a new protocol for perfectly secure multi-party computation with considerably better communication complexity than previous protocols: A set of n players can compute any function (over a finite field F) which is specified as a circuit with m multiplication gates (and any number of linear gates) by communicating O(mn^3) field elements, contrasting the previously best complexity of O(mn^6). Subsequently, the same complexity was achieved by Cramer, Damgård, and Nielsen [CDN01] in the cryptographic model (where more cheaters can be tolerated).

Contributions. The main open question in this line of research was whether security against active cheaters can be achieved with the same communication complexity as security against passive cheaters, namely with O(mn^2). We answer this question in the affirmative: The only (and unavoidable) price to pay for active security is a reduction in the number of tolerable cheaters (t < n/3 instead of t < n/2). The computation complexity of the new protocol is on the order of the communication complexity and hence not relevant. The achieved communication complexity of O(mn^2) appears to be optimal. Even in the passive case, it appears unavoidable that every player sends a value to every other player for each multiplication gate. The new protocol uses Beaver's circuit-randomization technique [Bea91a] and the player-elimination framework from [HMP00].
doi:10.1007/3-540-44647-8_6 fatcat:ooog6g3kujb3dopway6abdgx7y