Abstract
Fully secure multiparty computation (MPC) allows a set of parties to compute some function of their inputs, while guaranteeing correctness, privacy, fairness, and output delivery. Understanding the necessary and sufficient assumptions that allow for fully secure MPC is an important goal. Cleve (STOC’86) showed that full security cannot be obtained in general without an honest majority. Conversely, by Rabin and Ben-Or (STOC’89), assuming a broadcast channel and an honest majority enables a fully secure computation of any function. Our goal is to characterize the set of functionalities that can be computed with full security, assuming an honest majority, but no broadcast. This question was fully answered by Cohen et al. (TCC’16)—for the restricted class of symmetric functionalities (where all parties receive the same output). Instructively, their results crucially rely on agreement and do not carry over to general asymmetric functionalities. In this work, we focus on the case of three-party asymmetric functionalities, providing a variety of necessary and sufficient conditions to enable fully secure computation. An interesting use-case of our results is server-aided computation, where an untrusted server helps two parties to carry out their computation. We show that without a broadcast assumption, the resource of an external non-colluding server provides no additional power. Namely, a functionality can be computed with the help of the server if and only if it can be computed without it. For fair coin tossing, we further show that the optimal bias for three-party (server-aided) r-round protocol remains \(\Theta \left( 1/r\right) \) (as in the two-party setting).
Notes
The notion of full security is formally captured via the real vs. ideal paradigm, where the protocol is said to be secure if it emulates some ideal setting, in which the capabilities of the adversary are very limited.
Convergecast [25] is a three-party functionality where two of the parties start with a non-Boolean input, and the receiver learns exactly one of the input values. The receiver learns nothing about the other input, and neither sender learns the receiver’s choice or the input of the other sender.
The choice of giving \(\textsf{Adv}_3\) the input \(z_2\) as auxiliary is arbitrary.
Formally, the output in the two-party protocol \(\hat{\pi }\) is of the form \(((f_1(x,y,{\lambda }),f_3(x,y,{\lambda })),(f_2(x,y,{\lambda }),f_3(x,y,{\lambda })))\), while in the four-party protocol \(\pi '\) the output is of the form \((f_1(x,y,{\lambda }),f_2(x,y,{\lambda }),f_3(x,y,{\lambda }),f_3(x,y,{\lambda }))\). For the sake of simplicity we ignore such technicalities.
In an earlier version [3] it was inaccurately stated that the weaker requirement of CSB simulatability suffices.
If \(\textsf{Adv}_1\) sends an invalid value or doesn’t send any value, the simulator sets \(x''\) to be the default value used by the ideal functionality of \(f_{\mathcal {R}^*}\).
Here we abuse notations and view \(R\) as an ensemble consisting of only the uniform distribution.
If \(\textsf{Adv}_1\) sends an invalid value or does not send any value, the simulator sets \(x''\) to be the default value used by the ideal functionality of \(f_{R}\).
References
S. Agrawal, M. Prabhakaran, On fair exchange, fair coins and fair sampling, in 32nd Annual International Cryptology Conference (CRYPTO), Part I (2013), pp. 259–276
B. Alon, E. Omri, Almost-optimally fair multiparty coin-tossing with nearly three-quarters malicious, in Proceedings of the 14th Theory of Cryptography Conference (TCC 2016-B), Part I (2016), pp. 307–335
B. Alon, R. Cohen, E. Omri, T. Suad, On the power of an honest majority in three-party computation without broadcast, in Proceedings of the 18th Theory of Cryptography Conference (TCC), Part II (2020), pp. 621–651
G. Asharov, Towards characterizing complete fairness in secure two-party computation, in Proceedings of the 11th Theory of Cryptography Conference (TCC) (2014), pp. 291–316
G. Asharov, A. Beimel, N. Makriyannis, E. Omri, Complete characterization of fairness in secure two-party computation of Boolean functions, in Proceedings of the 12th Theory of Cryptography Conference (TCC), Part I (2015), pp. 199–228
N. Asokan, V. Shoup, M. Waidner, Optimistic fair exchange of digital signatures (extended abstract), in 17th International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT) (1998), pp. 591–606
A. Beimel, E. Omri, I. Orlov, Protocols for multiparty coin toss with a dishonest majority. J. Cryptol. 28(3), 551–600 (2015)
A. Beimel, I. Haitner, N. Makriyannis, E. Omri, Tighter bounds on multi-party coin flipping via augmented weak martingales and differentially private sampling, in Proceedings of the 59th Annual Symposium on Foundations of Computer Science (FOCS) (2018), pp. 838–849
M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC) (1988), pp. 1–10
M. Blum, Coin flipping by telephone, in 1st Annual International Cryptology Conference (CRYPTO) (1981), pp. 11–15
M. Borcherding, Levels of authentication in distributed agreement, in 10th International Workshop on Distributed Algorithms (WDAG) (1996), pp. 40–55
G. Bracha, S. Toueg, Asynchronous consensus and broadcast protocols. J. ACM 32(4), 824–840 (1985)
N. Buchbinder, I. Haitner, N. Levi, E. Tsfadia, Fair coin flipping: Tighter analysis and the many-party case, in Proceedings of the 28th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA) (2017), pp. 2580–2600
C. Cachin, J. Camenisch, Optimistic fair secure computation, in 19th Annual International Cryptology Conference (CRYPTO) (2000), pp. 93–111
R. Canetti, Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000)
D. Chaum, C. Crépeau, I. Damgård, Multiparty unconditionally secure protocols (extended abstract), in Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC) (1988), pp. 11–19
R. Cleve, Limits on the security of coin flips when half the processors are faulty (extended abstract), in Proceedings of the 18th Annual ACM Symposium on Theory of Computing (STOC) (1986), pp. 364–369
R. Cohen, Y. Lindell, Fairness versus guaranteed output delivery in secure multiparty computation. J. Cryptol. 30(4), 1157–1186 (2017)
R. Cohen, I. Haitner, E. Omri, L. Rotem, Characterization of secure multiparty computation without broadcast. J. Cryptol. 31(2), 587–609 (2018)
R. Cohen, I. Haitner, E. Omri, L. Rotem, From fairness to full security in multiparty computation. J. Cryptol. 35(1), 4 (2022)
C. Dwork, N.A. Lynch, L.J. Stockmeyer, Consensus in the presence of partial synchrony. J. ACM 35(2), 288–323 (1988)
M.J. Fischer, N.A. Lynch, M. Merritt, Easy impossibility proofs for distributed consensus problems. Distrib. Comput. 1(1), 26–39 (1986)
M. Fitzi, N. Gisin, U.M. Maurer, O. von Rotz, Unconditional Byzantine agreement and multi-party computation secure against dishonest minorities from scratch, in 21st International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT) (2002), pp. 482–501
M. Fitzi, D. Gottesman, M. Hirt, T. Holenstein, A.D. Smith, Detectable Byzantine agreement secure against faulty majorities, in Proceedings of the 21st Annual ACM Symposium on Principles of Distributed Computing (PODC) (2002), pp. 118–126
M. Fitzi, J.A. Garay, U.M. Maurer, R. Ostrovsky, Minimal complete primitives for secure multi-party computation. J. Cryptol. 18(1), 37–61 (2005)
J.A. Garay, A. Kiayias, R.M. Ostrovsky, G. Panagiotakos, V. Zikas, Resource-restricted cryptography: Revisiting MPC bounds in the proof-of-work era, in 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT), Part II (2020), pp. 129–158
O. Goldreich, Foundations of Cryptography – Volume 2: Basic Applications (Cambridge University Press, 2004)
O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or a completeness theorem for protocols with honest majority, in Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC) (1987), pp. 218–229
S.D. Gordon, C. Hazay, J. Katz, Y. Lindell, Complete fairness in secure two-party computation, in Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC) (2008), pp. 413–422
I. Haitner, E. Tsfadia, An almost-optimally fair three-party coin-flipping protocol. SIAM J. Comput. 46(2), 479–542 (2017)
I. Haitner, N. Makriyannis, E. Omri, On the complexity of fair coin flipping, in Proceedings of the 16th Theory of Cryptography Conference (TCC), Part I (2018), pp. 539–562
S. Halevi, Y. Ishai, E. Kushilevitz, N. Makriyannis, T. Rabin, On fully secure MPC with solitary output, in Proceedings of the 17th Theory of Cryptography Conference (TCC), Part I (2019), pp. 312–340
J. Kilian, Founding cryptography on oblivious transfer, in Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC) (1988), pp. 20–31
L. Lamport, R.E. Shostak, M.C. Pease, The Byzantine generals problem. ACM Trans. Program. Lang. Syst. (TOPLAS) 4(3), 382–401 (1982)
N. Makriyannis, On the classification of finite Boolean functions up to fairness, in Proceedings of the 9th Conference on Security and Cryptography for Networks (SCN) (2014), pp. 135–154
T. Moran, M. Naor, G. Segev, An optimally fair coin toss. J. Cryptol. 29(3), 491–513 (2016)
M.C. Pease, R.E. Shostak, L. Lamport, Reaching agreement in the presence of faults. J. ACM 27(2), 228–234 (1980)
T. Rabin, M. Ben-Or, Verifiable secret sharing and multiparty protocols with honest majority (extended abstract), in Proceedings of the 21st Annual ACM Symposium on Theory of Computing (STOC) (1989), pp. 73–85
A.C. Yao, Protocols for secure computations (extended abstract), in Proceedings of the 23rd Annual Symposium on Foundations of Computer Science (FOCS) (1982), pp. 160–164
Additional information
Communicated by Elaine Shi.
A preliminary version of this work appeared in TCC 2020 [3].
This paper was reviewed by Dov Gordon and Feng-Hao Liu.
Research supported by ISF Grant 152/17, and by the Ariel Cyber Innovation Center in conjunction with the Israel National Cyber directorate in the Prime Minister’s Office. Most of this work was done while the author was at Northeastern University, supported by NSF Grant 1646671.
Generalized Properties of Split-Brain Simulatable Functionalities
In this section, we provide generalizations of the properties of \(\textsf{C}\)-split-brain functionalities from Sect. 3.1.1.
Proposition A.1
(Generalization of Proposition 3.7) Let \(f=(f_1,f_2,f_3)\) where \(f_1,f_2,f_3:\left( {\{0,1\}^*}\right) ^3\mapsto \left( {\{0,1\}^*}\right) ^3\), be a computationally CSB simulatable three-party functionality such that \(f_1=f_2\). Assume there exist inputs \(x,y,z_1,z_2\in {\{0,1\}^*}\), and two distribution ensembles \(\mathcal {W}_1=\left\{ W_{1,\kappa }\right\} _{\kappa \in {\mathbb {N}}}\), \(\mathcal {W}_2=\left\{ W_{2,\kappa }\right\} _{\kappa \in {\mathbb {N}}}\) over \({\{0,1\}^*}\), such that \(f_1(x,\cdot ,z_1)\equiv W_{1,\kappa }\) and \(f_1(\cdot ,y,z_2)\equiv W_{2,\kappa }\), for all sufficiently large \(\kappa \in {\mathbb {N}}\). Then .
Proof
Let \(\mathcal {P}\), \(\mathcal {Q}\), and \(\mathcal {R}\), be the three ensembles guaranteed from the CSB simulatability of f. Then
where \(x^*\leftarrow P_{\kappa ,y,z_2}\) and \(y^*\leftarrow Q_{\kappa ,x,z_1}\). The claim follows from the assumption \(f_1(x,\cdot ,z_1)\equiv W_{1,\kappa }\) and \(f_1(\cdot ,y,z_2)\equiv W_{2,\kappa }\) for large enough \(\kappa \in {\mathbb {N}}\). \(\square \)
Proposition A.2
(Generalization of Proposition 3.8) Let \(f:\left( {\{0,1\}^*}\right) ^3\mapsto \left( {\{0,1\}^*}\right) ^3\) be a computationally \(\left( \mathcal {P},\mathcal {Q},\mathcal {R}\right) \)-CSB simulatable 2-output 3-party functionality. Assume there exist inputs \(x,z\in {\{0,1\}^*}\) and a distribution ensemble \(\mathcal {W}=\left\{ W_{\kappa }\right\} _{\kappa \in {\mathbb {N}}}\) over \({\{0,1\}^*}\) such that \(f(x,\cdot ,z)\equiv W_{\kappa }\) for all \(\kappa \in {\mathbb {N}}\). Then there exists a sequence of inputs \(\left\{ x^*_{\kappa }\right\} _{\kappa \in {\mathbb {N}}}\) such that \(f(x^*_{\kappa },\cdot ,\cdot )\equiv W_{\kappa }\) for all \(\kappa \in {\mathbb {N}}\). Similarly, assuming there exist inputs \(y,z\in {\{0,1\}^*}\) such that \(f(\cdot ,y,z)\equiv W_{\kappa }\) for all \(\kappa \in {\mathbb {N}}\), then there exists a sequence of inputs \(\left\{ y^*_{\kappa }\right\} _{\kappa \in {\mathbb {N}}}\) such that \(f(\cdot ,y^*_{\kappa },\cdot )\equiv W_{\kappa }\) for all \(\kappa \in {\mathbb {N}}\). Moreover, if f and W are independent of \(\kappa \) then the sequences are constant.
Proof
We prove the first part of the claim. The second part is done using an analogous argument. Fix inputs \(x,z_1\in {\{0,1\}^*}\) such that \(f(x,y,z_1)=W_{\kappa }\) for all \(\kappa \in {\mathbb {N}}\) and \(y\in {\{0,1\}^*}\). Since f is perfectly CSB simulatable, it follows that for every \(\kappa \in {\mathbb {N}}\) and \(y,z_2\in {\{0,1\}^*}\)
where \(x^*\leftarrow P_{\kappa ,x,z_1}\) and \(y^*\leftarrow Q_{\kappa ,y,z_2}\). Since \(x^*\) is sampled independently of y and \(z_2\), it follows that \(f(x^*,y,z_2)\equiv W_{\kappa }\), for any \(x^*\in {\text {Supp}}\left( P_{\kappa ,x,z_1}\right) \) and any \(y,z_2\in {\{0,1\}^*}\) concluding the proof. To see the “moreover” part, observe that if f is independent of \(\kappa \), it follows that we can pick \(\mathcal {P}\) to be independent of \(\kappa \) and hence we can choose the same \(x^*\). \(\square \)
1.1 Split-Brain Simulatability as a System of Linear Equations
We next present a different way to view \(\textsf{C}\)-split-brain simulatability. Specifically, we write the condition for CSB simulatability as a system of linear equations. We start with some notation.
Notations. For a vector \(\textbf{v}\), we use either \(v_i\) or v(i) for its \(i\)th coordinate. A vector \(\textbf{p}\in {\mathbb R}^{n}\) is called a probability vector if all of its entries are non-negative and \(\sum _{i=1}^n p_i=1\). For a distribution P over a domain \(\mathcal {D}\subseteq {\mathbb {N}}\) of size n, we write \(\textbf{p}\) for the probability vector associated with P, that is, \(p_i=\Pr _{S\leftarrow P}[S=i]\) for all \(i\in \mathcal {D}\). The distribution ensembles \(\mathcal {P}\), \(\mathcal {Q}\), and \(\mathcal {R}\) will be replaced with collections of probability vectors \(\{\textbf{p}_{x,z_1}\in {\mathbb R}^{|\mathcal {X}|}\}_{x\in \mathcal {X},z_1\in \mathcal {Z}}\), \(\{\textbf{q}_{y,z_2}\in {\mathbb R}^{|\mathcal {Y}|}\}_{y\in \mathcal {Y},z_2\in \mathcal {Z}}\), and \(\{\textbf{r}_{z_1,z_2}\in {\mathbb R}^{|\mathcal {Z}|}\}_{z_1,z_2\in \mathcal {Z}}\), respectively, representing those distributions. We next describe a way to view the functionality f and CSB simulatability in linear algebraic terms. For simplicity, we assume that f has a finite domain and range, and is perfectly CSB simulatable, where the ensembles are independent of \(\kappa \).
Symmetric Boolean functionalities. Let us start with Boolean functionalities \(f=(f_1,f_2,f_3)\), where \( f_1,f_2,f_3:\mathcal {X}\times \mathcal {Y}\times \mathcal {Z}\mapsto \{0,1\}\) and \(f_1\equiv f_2\). We denote it as a single function f. We associate with f a collection of \(|\mathcal {Z}|\) matrices \(\{M_z\in {\mathbb R}^{|\mathcal {X}|\times |\mathcal {Y}|}\}_{z\in \mathcal {Z}}\) defined as \(M_z(x,y)=\Pr \left[ f(x,y,z)=1\right] \). That is, we can think of the functionality as if \(\textsf{C}\) chooses a matrix, \(\textsf{A}\) chooses a row, and \(\textsf{B}\) chooses a column, and the entries represent the probability that the output is 1. Perfect CSB simulatability asserts that for all \(x\in \mathcal {X}\), \(y\in \mathcal {Y}\), and \(z_1,z_2\in \mathcal {Z}\), it holds that
Observe that the left term can be written as \(\textbf{p}^T_{x,z_1}\cdot M_{z_2}\left( \cdot ,y\right) \), the middle term as \(M_{z_1}\left( x,\cdot \right) \cdot \textbf{q}_{y,z_2}\), and the right term as \(\sum _{z^*\in \mathcal {Z}}r_{z_1,z_2}(z^*)\cdot M_{z^*}\left( x,y\right) \). Next, define the square \(|\mathcal {X}|\times |\mathcal {X}|\) matrix and the square \(|\mathcal {Y}|\times |\mathcal {Y}|\) matrix . Additionally, we define the \(|\mathcal {X}|\times |\mathcal {Y}|\) matrix . Then, Eq. (6) can be written as
for all \(z_1,z_2\in \mathcal {Z}\).
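The three-term condition above (left: corrupt \(\textsf{A}\) and sample \(x^*\); middle: corrupt \(\textsf{B}\) and sample \(y^*\); right: corrupt \(\textsf{C}\) and sample \(z^*\)) can be checked mechanically for a finite Boolean functionality. The following is an added example, not code from the paper: it encodes two constructed functionalities over \(\mathcal {X}=\mathcal {Y}=\mathcal {Z}=\{0,1\}\) as the matrices \(M_z\), checks candidate simulators \(\textbf{p}_{x,z_1},\textbf{q}_{y,z_2},\textbf{r}_{z_1,z_2}\) against all \((x,y,z_1,z_2)\), and searches over deterministic (point-mass) simulators; the names `AND3`, `BROADCAST`, `csb_terms` and `find_deterministic_simulators` are the example's own.

```python
from itertools import product

BITS = (0, 1)
PAIRS = list(product(BITS, repeat=2))

# Constructed toy functionalities (not from the paper). Each maps C's input z to
# the matrix M_z with M_z[x][y] = Pr[f(x, y, z) = 1], f symmetric and Boolean.
AND3 = {z: [[x & y & z for y in BITS] for x in BITS] for z in BITS}        # f = x AND y AND z
BROADCAST = {z: [[z for _y in BITS] for _x in BITS] for z in BITS}          # f = z (C's bit to both)


def point_mass(i):
    """Probability vector over {0,1} concentrated on i."""
    return [1.0 if j == i else 0.0 for j in BITS]


def csb_terms(M, p, q, r, x, y, z1, z2):
    """The three sides of the split-brain condition for one (x, y, z1, z2).

    p[(x, z1)], q[(y, z2)], r[(z1, z2)] are probability vectors over X, Y, Z.
    left  = p_{x,z1}^T . M_{z2}(., y)          (ideal world: A is corrupted)
    mid   = M_{z1}(x, .) . q_{y,z2}            (ideal world: B is corrupted)
    right = sum_{z*} r_{z1,z2}(z*) M_{z*}(x, y) (ideal world: C is corrupted)
    """
    left = sum(p[(x, z1)][xs] * M[z2][xs][y] for xs in BITS)
    mid = sum(M[z1][x][ys] * q[(y, z2)][ys] for ys in BITS)
    right = sum(r[(z1, z2)][zs] * M[zs][x][y] for zs in BITS)
    return left, mid, right


def is_csb_simulatable(M, p, q, r, tol=1e-9):
    """True iff all three terms agree for every x, y, z1, z2 (the full system)."""
    for x, y, z1, z2 in product(BITS, repeat=4):
        left, mid, right = csb_terms(M, p, q, r, x, y, z1, z2)
        if abs(left - mid) > tol or abs(mid - right) > tol:
            return False
    return True


def find_deterministic_simulators(M):
    """Exhaustive search over point-mass p, q, r (16^3 candidates for bits).

    Returns (p, q, r) or None. None rules out only deterministic simulators;
    the definition also allows randomised ones, so it is not a general proof.
    """
    for pm, qm, rm in product(product(BITS, repeat=4), repeat=3):
        p = {k: point_mass(v) for k, v in zip(PAIRS, pm)}   # keyed by (x, z1)
        q = {k: point_mass(v) for k, v in zip(PAIRS, qm)}   # keyed by (y, z2)
        r = {k: point_mass(v) for k, v in zip(PAIRS, rm)}   # keyed by (z1, z2)
        if is_csb_simulatable(M, p, q, r):
            return p, q, r
    return None


# Hand-derived simulators for AND3: x* = x AND z1, y* = y AND z2, z* = z1 AND z2
# make all three terms equal x*y*z1*z2.
P_AND = {(x, z1): point_mass(x & z1) for x, z1 in PAIRS}
Q_AND = {(y, z2): point_mass(y & z2) for y, z2 in PAIRS}
R_AND = {(z1, z2): point_mass(z1 & z2) for z1, z2 in PAIRS}
```

For `BROADCAST` the left term equals \(z_2\) for every \(\textbf{p}\) and the middle term equals \(z_1\) for every \(\textbf{q}\), so the system has no solution at all once \(z_1\ne z_2\); the search returning `None` reflects that, while for `AND3` it recovers a valid triple.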
Asymmetric non-Boolean functionalities. We next generalize the above discussion to a broader class of functionalities, namely, asymmetric non-Boolean functionalities. This time, we associate two collections of matrices with f: one represents the output of \(\textsf{A}\) and the other the output of \(\textsf{B}\) (recall that we ignore the output of \(\textsf{C}\)). Furthermore, the matrices are indexed by a possible output w, to represent the probability that w is the output. Formally, we associate the \(2\cdot |\mathcal {Z}|\cdot |\mathcal {W}|\) matrices \(\{M^{\textsf{P}}_{z,w}\in {\mathbb R}^{|\mathcal {X}|\times |\mathcal {Y}|}\}_{z\in \mathcal {Z},w\in \mathcal {W},\textsf{P} \in \{\textsf{A},\textsf{B}\}}\), where each is defined as
Perfect CSB simulatability asserts that for all \(x\in \mathcal {X}\), \(y\in \mathcal {Y}\), \(z_1,z_2\in \mathcal {Z}\), and \(w_1,w_2\in \mathcal {W}\), it holds that
and that
Observe that the left-hand side of Eq. (7) is equal to
and the left-hand side of Eq. (8) is equal to
As for the right-hand side, notice that in Eq. (7) it equals
and in Eq. (8) it equals
We define the matrices \(P_{z_1}\) and \(Q_{z_2}\) as before, and for every \(\textsf{P} \in \{\textsf{A},\textsf{B}\}\) define the \(|\mathcal {X}|\times |\mathcal {Y}|\) matrix \(\widetilde{M}^{\textsf{P}}_{z_1,z_2,w}\left( x,y\right) :=\sum _{z^*\in \mathcal {Z}}r_{z_1,z_2}\left( z^*\right) \cdot M^{\textsf{P}}_{z^*,w}\left( x,y\right) \). Then Eq. (7) can be written as
and Eq. (8) can be written as
for all \(z_1,z_2\in \mathcal {Z}\) and \(w_1,w_2\in \mathcal {W}\).
Alon, B., Cohen, R., Omri, E. et al. On the Power of an Honest Majority in Three-Party Computation Without Broadcast. J Cryptol 36, 25 (2023). https://doi.org/10.1007/s00145-023-09456-4