Abstract
Secure multi-party computation (MPC) allows a set of n parties to jointly compute an arbitrary computation over their private inputs. Two main variants have been considered in the literature according to the underlying communication model. Synchronous MPC protocols proceed in rounds, and rely on the fact that the communication network provides strong delivery guarantees within each round. Asynchronous MPC protocols achieve security guarantees even when the network delay is arbitrary.
While the problem of MPC has largely been studied in both variants with respect to both feasibility and efficiency results, there is still a substantial gap when it comes to communication complexity of adaptively secure protocols. Concretely, while adaptively secure synchronous MPC protocols with linear communication are known for a long time, the best asynchronous protocol communicates \(\mathcal {O}(n^4 \kappa )\) bits per multiplication.
In this paper, we make progress towards closing this gap by providing two protocols. First, we present an adaptively secure asynchronous protocol with optimal resilience \(t<n/3\) and \(\mathcal {O}(n^2 \kappa )\) bits of communication per multiplication, improving over the state of the art protocols in this setting by a quadratic factor in the number of parties. The protocol has cryptographic security and follows the CDN approach [Eurocrypt’01], based on additive threshold homomorphic encryption.
Second, we show an optimization of the above protocol that tolerates up to \(t<(1-\epsilon )n/3\) corruptions and communicates \(\mathcal {O}(n\cdot \mathsf {poly}(\kappa ))\) bits per multiplication under stronger assumptions.
This work was partially carried out while the author was at ETH Zurich.
Notes
- 1. This model has also been referred to as weakly-adaptive corruption, or simply adaptive corruption model in the literature.
References
Beaver, D.: Efficient multiparty protocols using circuit randomization. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 420–432. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_34
Ben-Sasson, E., Fehr, S., Ostrovsky, R.: Near-linear unconditionally-secure multiparty computation with a dishonest minority. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 663–680. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_39
Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: 20th ACM STOC, pp. 1–10. ACM Press, May 1988. https://doi.org/10.1145/62212.62213
Beerliová-Trubíniová, Z., Hirt, M.: Perfectly-secure MPC with linear communication complexity. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 213–230. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_13
Blum, E., Katz, J., Liu-Zhang, C.D., Loss, J.: Asynchronous Byzantine agreement with subquadratic communication. Cryptology ePrint Archive, Report 2020/851 (2020). https://eprint.iacr.org/2020/851
Ben-Or, M., Kelmer, B., Rabin, T.: Asynchronous secure computations with optimal resilience (extended abstract). In: Anderson, J., Toueg, S., (eds.) 13th ACM PODC, pp. 183–192. ACM, August 1994. https://doi.org/10.1145/197917.198088
Bracha, G.: An asynchronous [\((\text{n} - 1)/3\)]-resilient consensus protocol. In: Proceedings of the third annual ACM symposium on Principles of distributed computing, PODC 1984, pp. 154–162, New York, NY, USA. Association for Computing Machinery (1984). https://doi.org/10.1145/800222.806743
Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptol. 13, 143–202 (2000). https://doi.org/10.1007/s001459910006
Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067 (2000). https://eprint.iacr.org/2000/067
Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols (extended abstract). In: 20th ACM STOC, pp. 11–19. ACM Press, May 1988. https://doi.org/10.1145/62212.62214
Cramer, R., Damgård, I., Nielsen, J.B.: Multiparty computation from threshold homomorphic encryption. Cryptology ePrint Archive, Report 2000/055, October 2000. https://eprint.iacr.org/2000/055
Cramer, R., Damgård, I., Nielsen, J.B.: Multiparty computation from threshold homomorphic encryption. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 280–300. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_18
Coretti, S., Garay, J., Hirt, M., Zikas, V.: Constant-round asynchronous multi-party computation based on one-way functions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part II. LNCS, vol. 10032, pp. 998–1021. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_33
Chopard, A., Hirt, M., Liu-Zhang, C.D.: On communication-efficient asynchronous MPC with adaptive security. Cryptology ePrint Archive, Report 2021/1174 (2021). https://ia.cr/2021/1174
Choudhury, A.: Optimally-resilient unconditionally-secure asynchronous multi-party computation revisited. Cryptology ePrint Archive, Report 2020/906 (2020). https://eprint.iacr.org/2020/906
Choudhury, A., Hirt, M., Patra, A.: Unconditionally secure asynchronous multiparty computation with linear communication complexity. Cryptology ePrint Archive, Report 2012/517 (2012). https://eprint.iacr.org/2012/517
Choudhury, A., Hirt, M., Patra, A.: Asynchronous multiparty computation with linear communication complexity. In: Afek, Y. (ed.) DISC 2013. LNCS, vol. 8205, pp. 388–402. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-41527-2_27
Cohen, R.: Asynchronous secure multiparty computation in constant time. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016, Part II. LNCS, vol. 9615, pp. 183–207. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49387-8_8
Choudhury, A., Patra, A.: Optimally resilient asynchronous MPC with linear communication complexity. In: Proceedings of the International Conference on Distributed Computing and Networking (ICDCN), pp. 1–10 (2015)
Canetti, R., Rabin, T.: Fast asynchronous Byzantine agreement with optimal resilience (1998). http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.8.8120
Damgård, I., Ishai, Y.: Scalable secure multiparty computation. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 501–520. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_30
Damgård, I., Nielsen, J.B.: Universally composable efficient multiparty computation from threshold homomorphic encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 247–264. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_15
Damgård, I., Nielsen, J.B.: Scalable and unconditionally secure multiparty computation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 572–590. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_32, https://iacr.org/archive/crypto2007/46220565/46220565.pdf
Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.: Magic functions: In memoriam: Bernard M. Dwork 1923–1998. J. ACM 50(6), 852–921 (2003). https://doi.org/10.1145/950620.950623
Goyal, V., Liu, Y., Song, Y.: Communication-efficient unconditional MPC with guaranteed output delivery. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part II. LNCS, vol. 11693, pp. 85–114. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_4
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: Aho, A., (ed.) 19th ACM STOC, pp. 218–229. ACM Press, May 1987. https://doi.org/10.1145/28395.28420
Goyal, V., Song, Y., Zhu, C.: Guaranteed output delivery comes free in honest majority MPC. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part II. LNCS, vol. 12171, pp. 618–646. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_22
Hirt, M., Nielsen, J.B.: Robust multiparty computation with linear communication complexity. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 463–482. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_28
Hirt, M., Nielsen, J.B., Przydatek, B.: Cryptographic asynchronous multi-party computation with optimal resilience. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 322–340. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_19
Hirt, M., Nielsen, J.B., Przydatek, B.: Asynchronous multi-party computation with quadratic communication. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 473–485. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70583-3_39
Patra, A.: Error-free multi-valued broadcast and Byzantine agreement with optimal communication complexity. In: Fernàndez Anta, A., Lipari, G., Roy, M. (eds.) OPODIS 2011. LNCS, vol. 7109, pp. 34–49. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25873-2_4
Patra, A., Choudhury, A., Pandu Rangan, C.: Efficient asynchronous multiparty computation with optimal resilience. Cryptology ePrint Archive, Report 2008/425 (2008). https://eprint.iacr.org/2008/425
Patra, A., Choudhary, A., Rangan, C.P.: Efficient statistical asynchronous verifiable secret sharing with optimal resilience. In: Kurosawa, K. (ed.) ICITS 2009. LNCS, vol. 5973, pp. 74–92. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14496-7_7
Patra, A., Choudhury, A., Pandu Rangan, C.: Efficient asynchronous verifiable secret sharing and multiparty computation. J. Cryptol. 28(1), 49–109 (2015). https://doi.org/10.1007/s00145-013-9172-7
Prabhu, B., Srinathan, K., Rangan, C.P.: Asynchronous unconditionally secure computation: an efficiency improvement. In: Menezes, A., Sarkar, P. (eds.) INDOCRYPT 2002. LNCS, vol. 2551, pp. 93–107. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36231-2_9
Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). In: 21st ACM STOC, pp. 73–85. ACM Press, May 1989. https://doi.org/10.1145/73007.73014
Srinathan, K., Pandu Rangan, C.: Efficient asynchronous secure multiparty distributed computation. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 117–129. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44495-5_11
Yao, A.C.: Theory and applications of trapdoor functions (extended abstract). In: 23rd FOCS, pp. 80–91. IEEE Computer Society Press, November 1982. https://doi.org/10.1109/SFCS.1982.45
Appendices
A Details of the Subprotocols
A.1 Decryption protocols
Private Decryption. The private decryption protocol PrivDec takes the public key pk, a ciphertext c and a party P as public input, and the secret keys \(sk_1,\ldots ,sk_n\) as private inputs. The protocol has neither public nor private output for any party except P, who privately outputs the plaintext underlying c. This section follows [BH08, CHP12, CP15].
Lemma 3
Every party that remains uncorrupted until the end of the execution terminates the PrivDec protocol. Furthermore, if P is honest at the end of the protocol, then its output m is the correct decryption of c even in the presence of an adaptive adversary actively corrupting up to \(t <n/3\) parties. The protocol has communication complexity \(\mathcal {O}(n\kappa )\).
Proof
In this whole proof, an honest party is a party that is never corrupted by the adversary and remains honest during the whole execution of the protocol.
Termination: Clearly, all honest parties other than P terminate, as they only need to compute a decryption share and send it to P. Furthermore, if P is honest, then it terminates as well, since all honest parties send correct decryption shares. Hence, P eventually receives at least \(n-t \geqslant t+1\) correct decryption shares from distinct parties, runs Comb, and obtains and outputs a message m.
Correctness: As we saw above, P eventually receives at least \(t+1\) correct decryption shares from distinct parties. Hence, by the correctness of the threshold homomorphic encryption scheme, P can compute the correct decryption m of c. If P is honest, then it computes and outputs m.
The communication complexity is clearly \(\mathcal {O}(n\kappa )\): each party sends a single decryption share of size \(\mathcal {O}(\kappa )\) to P.
The proof works for an adaptive adversary corrupting at most t parties because the reasoning above is independent of which parties the adversary corrupts at what point in time (we only talk about parties that remain honest during the whole execution of the protocol).
Amortized Public Decryption. The public reconstruction protocol PubDec takes the public key pk and \(T = n-2t\) ciphertexts \(c_1,\ldots , c_T\) as public inputs, and the secret keys \(sk_1,\ldots ,sk_n\) as private inputs. The protocol publicly outputs the plaintexts \(m_1,\ldots ,m_T\) underlying the ciphertexts \(c_1,\ldots , c_T\). This section follows [DN07, CHP12, BH08, CP15].
Lemma 4
Every party that remains uncorrupted until the end of the execution terminates the PubDec protocol and outputs the correct decryptions of \(c_1,\ldots ,c_T\) even in the presence of an adaptive adversary actively corrupting up to \(t <n/3\) parties. The protocol has communication complexity \(\mathcal {O}(n^2\kappa )\).
Proof
In this whole proof, an honest party is a party that is never corrupted by the adversary and remains honest during the whole execution of the protocol.
Termination: (taken from [CHP12]) Since all honest parties participate in the PrivDec\((P_i,v_i)\) protocols for all \(i\in \{1,\ldots ,n\}\), termination of the PrivDec protocol implies that all honest parties terminate steps 1–3. Next, define the polynomial \(g'(x) = \sum _{j=1}^{T} x^{j-1} \cdot _{pk} m_j\). Since \(c_j\) is an encryption of \(m_j\) under pk for all \(j\in \{1,\ldots ,T\}\), the homomorphic property of the encryption scheme implies that g(x) is an encryption of \(g'(x)\) under pk for all \(x \in R_{pk}\). In particular, this holds for \(x = \alpha _k\) for all \(k\in \{1,\ldots ,n\}\). Hence, by the correctness of the PrivDec protocol and by definition of \(u_k\), we have \(u_k = g'(\alpha _k)\) for all honest parties \(P_k\). Now, let \(P_i\) be an arbitrary honest party and let \(\widehat{j}\) be the first iteration when all honest parties are in \(\mathcal {P}'_i\) (note that every honest party eventually includes all honest parties in \(\mathcal {P}'_i\) and since there are at most \(n = T+2t\) parties, we have \(\widehat{j} \leqslant t\)). Then, either PolyFind already found a polynomial in iteration j for \(j<\widehat{j}\) and \(P_i\) terminated before iteration \(\widehat{j}\) or in iteration \(\widehat{j}\), \(\mathcal {P}'_i\) is of size \(T+t+\widehat{j}\) and contains \(n-t = T+t\) honest parties. Hence, since \(g'\) is a polynomial of degree at most \(T-1\) and at least \(T+t\) input points (namely the points from honest parties) lie on \(g'\), we can be sure that the PolyFind algorithm finds a polynomial and \(P_i\) terminates in step \(\widehat{j}\). Hence, after at most \(\widehat{j} \leqslant t\) iterations, \(P_i\) terminates. Note that if in an iteration j the PolyFind algorithm fails to find a polynomial that passes the checks, then \(P_i\) has not received all the \(u_k'=u_k\)’s from honest parties as otherwise the PolyFind algorithm would have succeeded (see above). 
Hence, if in an iteration the PolyFind algorithm fails to compute a suitable polynomial, then it is safe for \(P_i\) to proceed with the next iteration: it is guaranteed that \(P_i\) can eventually add at least one more party to \(\mathcal {P}'_i\), and as soon as \(P_i\) has all the \(u_k\)’s from honest parties (i.e. all honest parties are in \(\mathcal {P}'_i\)), it can terminate (and this happens by the end of iteration t at the latest).
Correctness: Let \(P_i\) be any honest party. As \(P_i\) terminates, it found a polynomial p of degree at most \(T-1\) and a set of parties \(\mathcal {P}''_i\) of size at least \(T+t\) such that \(P_i\) received a message \(u_k'\) from all \(P_k \in \mathcal {P}''_i\) and \(u_k' = p(\alpha _k)\) for all \(P_k \in \mathcal {P}''_i\). Since there are at most t corrupted parties, at least T of the parties in \(\mathcal {P}''_i\) are honest. In the proof for termination, we saw that for honest parties, \(u_k' = u_k = g'(\alpha _k)\). Therefore, there exist T distinct elements \(\alpha _k\) with \(p(\alpha _k) = g'(\alpha _k)\). Since T points uniquely define a polynomial of degree at most \(T-1\) and both p and \(g'\) are polynomials of degree at most \(T-1\), we can conclude that \(p = g'\) and \(P_i\) can correctly compute and output the messages \(m_1,\ldots ,m_T\) underlying the ciphertexts \(c_1,\ldots ,c_T\).
The claim about the communication complexity follows directly from the communication complexity of the PrivDec protocol.
Again, the proof works for an adaptive adversary corrupting at most t parties because the reasoning above is independent of which parties the adversary corrupts at what point in time (we only talk about parties that remain honest during the whole execution of the protocol).
Remark 8
In every instance of the PubDec protocol, each party executes the PolyFind algorithm up to \(t+1\) times. By using local player elimination, we can reduce the number of runs of the PolyFind algorithm in m instances of the PubDec protocol to \(t+m\) per party (instead of \(m(t+1)\)). More precisely, if in iteration j the run of the PolyFind algorithm of an honest party fails to output a polynomial that passes the checks, then at least \(j+1\) of the inputs must be wrong (otherwise the PolyFind algorithm would have succeeded). Since every party outputs a polynomial satisfying all the checks in iteration t at the latest, each party can then detect which inputs were wrong and locally eliminate the parties that sent those wrong values. In any future run of the PolyFind algorithm in the PubDec protocol, the party ignores the values sent by parties it locally eliminated (i.e. it does not include locally eliminated parties in \(\mathcal {P}'_i\)).
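To make the amortized reconstruction above and the local player elimination of Remark 8 concrete, the following is an added Python simulation (not code from the paper) of a single party \(P_i\)'s view of one PubDec instance at the plaintext level. It assumes a prime-field plaintext space, models an honest sender as delivering \(u_k = g'(\alpha_k)\) directly (the threshold decryption is abstracted away), and implements PolyFind by brute force over T-subsets; the names simulate_pubdec, poly_find, wrong_shares and delivery_order are this example's own.

```python
import itertools

# Constructed plaintext-level simulation of one party P_i's view of PubDec.
# The threshold decryption is abstracted away: by the homomorphic property,
# P_k's private decryption of g(alpha_k) is u_k = g'(alpha_k), so an honest
# sender is modelled as delivering exactly that value.  PRIME stands in for
# the plaintext ring R_pk (an assumption of this example).
PRIME = 2**61 - 1


def poly_eval(coeffs, x):
    """Horner evaluation; coeffs[j] is the coefficient of x^j."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def poly_mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] = (out[i + j] + a * b) % PRIME
    return out


def interpolate(points):
    """Lagrange interpolation: coefficients of the unique polynomial of degree
    < len(points) through the given (x, y) pairs."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for m, (xm, _) in enumerate(points):
            if m != i:
                basis = poly_mul(basis, [(-xm) % PRIME, 1])
                denom = denom * (xi - xm) % PRIME
        scale = yi * pow(denom, -1, PRIME) % PRIME
        for j, b in enumerate(basis):
            coeffs[j] = (coeffs[j] + scale * b) % PRIME
    return coeffs


def poly_find(received, T, t):
    """One PolyFind run on the points P_i holds (alpha_k -> u_k').  Succeeds iff
    some polynomial of degree <= T-1 agrees with at least T+t of them.  A wrong
    polynomial agrees with at most T-1 honest points plus t corrupted ones, so a
    success is always the true g'.  Brute force over T-subsets is fine for the
    small n used here; a real implementation would use Reed-Solomon decoding.
    Returns (coefficients, sorted alphas whose value disagrees) or None."""
    pts = list(received.items())
    for subset in itertools.combinations(pts, T):
        coeffs = interpolate(subset)
        bad = [a for a, u in pts if poly_eval(coeffs, a) != u]
        if len(pts) - len(bad) >= T + t:
            return coeffs, sorted(bad)
    return None


def simulate_pubdec(n, t, plaintexts, wrong_shares, delivery_order, eliminated=()):
    """P_i's view of one PubDec instance.
    plaintexts:     the T = n-2t messages m_1..m_T underlying c_1..c_T
    wrong_shares:   alpha_k -> value a corrupted P_k sends instead of u_k
    delivery_order: the (adversarially scheduled) order in which the u_k' arrive
    eliminated:     alphas P_i locally eliminated in earlier instances (Remark 8)
    Returns (recovered m_1..m_T, alphas detected as wrong, number of PolyFind runs)."""
    T = n - 2 * t
    assert len(plaintexts) == T and len(wrong_shares) <= t
    received, j = {}, 0
    for alpha in delivery_order:
        if alpha in eliminated:          # ignore locally eliminated parties
            continue
        # g'(x) = sum_j x^(j-1) m_j, i.e. the batch is the coefficient vector.
        received[alpha] = wrong_shares.get(alpha, poly_eval(plaintexts, alpha))
        # Iteration j (j = 0, ..., t) runs once P'_i holds T+t+j points.
        if len(received) == T + t + j:
            result = poly_find(received, T, t)
            if result is not None:
                coeffs, bad = result
                return coeffs, bad, j + 1
            j += 1
    raise RuntimeError("fewer than T+t+j deliveries or more than t wrong shares")
```

With n = 7, t = 2 (so T = 3) and two corrupted senders scheduled to arrive first, the party needs all t+1 = 3 PolyFind runs and detects both wrong senders; in a later instance that ignores them, a single run suffices.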
Remark 9
By reduction and by Remark 2, we can deduce that for \(c_1^1,\ldots ,c_T^1\) and \(c_1^2,\ldots ,c_T^2\) two computationally indistinguishably distributed sets of T ciphertexts with computationally indistinguishably distributed sets of underlying plaintexts, an instance of the PubDec protocol with \((pk,c_1^1,\ldots , c_T^1)\) as public input (and \(sk_1,\ldots , sk_n\) as private inputs) is computationally indistinguishably distributed to an instance of the PubDec protocol with \((pk,c_1^2,\ldots ,c_T^2)\) as public input (and \(sk_1,\ldots , sk_n\) as private inputs) even in the presence of an active adaptive adversary corrupting up to \(t<n/3\) parties.
A.2 Multiplication
This subsection presents the multiplication protocol, which is based on [DN07] and on the Multiplication Gate in the Computation Phase protocol of [BH08]. The protocol uses circuit randomization, originally introduced in [Bea92].
Let \(T = \lfloor \frac{n-2t}{2} \rfloor \). Our multiplication protocol processes up to T independent multiplication gates at the same time. To ensure independence of the gates, every run of the multiplication protocol only considers multiplication gates with a specific multiplicative depth.
The multiplication protocol takes as input T multiplication gates \(m_1,\ldots , m_T\) with the same multiplicative depth, the 2T inputs \(\{(X_i,Y_i)\}_{i \in \{1,\ldots ,T\}}\) (encrypting the values \(\{(x_i,y_i)\}_{i \in \{1,\ldots ,T\}}\)) to the given multiplication gates and the T encrypted multiplication triples \(\{(A_i,B_i,C_i)\}_{i \in \{1,\ldots ,T\}}\) (encrypting the values \(\{(a_i,b_i,a_i\cdot _{pk}b_i)\}_{i \in \{1,\ldots ,T\}}\)) associated with the given multiplication gates \(m_1,\ldots , m_T\). We require that the multiplication triples underlying the encrypted triples \(\{(A_i,B_i,C_i)\}_{i \in \{1,\ldots ,T\}}\) are unknown to the adversary and computationally uniformly and independently distributed over the space of all multiplication triples (the latter is equivalent to the plaintexts underlying the first and second components of the triples being computationally uniformly and independently distributed and the third component being the product of the first two). The protocol publicly outputs T encryptions \(\{Z_i\}_{i \in \{1,\ldots ,T\}}\), where the underlying plaintexts \(z_i\) are equal to \(x_i \cdot _{pk} y_i\) for all \(i \in \{1,\ldots ,T\}\).
Remark 10
- 1. If \(n-2t\) is odd, then the parties only input \(n-2t-1\) ciphertexts to the PubDec protocol in step 2. In that case, the parties additionally give \({\textsf {Enc}}_{pk}(0_{pk},e)\) as input to the PubDec protocol, where e is again the neutral element of the randomness space, obtain the plaintext \(0_{pk}\) as one of the outputs of PubDec and simply disregard it in all further steps.
- 2. If only \(T'<T\) multiplication gates are input to the multiplication protocol (for example when there are fewer than T multiplication gates with the same multiplicative depth in a given circuit), then the parties execute the protocol normally, doing all the computations for indices in \(\{1,\ldots , T'\}\) instead of in \(\{1,\ldots , T\}\) and adding the encryption \({\textsf {Enc}}_{pk}(0_{pk},e)\) to the inputs of the PubDec protocol \(n-2t-2T'\) times (where e is again the neutral element of the randomness space).
The multiplication protocol achieves the following.
Proposition 1
Let \(m_1,\ldots , m_T\) be T multiplication gates with the same multiplicative depth and let \(\{(A_i,B_i,C_i)\}_{i \in \{1,\ldots ,T\}}\) be the encrypted multiplication triples associated with the given gates. Furthermore, let \(\{(X_i^1,Y_i^1)\}_{i \in \{1,\ldots ,T\}}\) and \(\{(X_i^2,Y_i^2)\}_{i \in \{1,\ldots ,T\}}\) be two computationally indistinguishably distributed sets of 2T ciphertexts. Then, even in the presence of an active adaptive adversary corrupting up to \(t<n/3\) parties, an execution of the multiplication protocol with \(\{(X_i^1,Y_i^1)\}_{i \in \{1,\ldots ,T\}}\) as inputs to the given gates is computationally indistinguishably distributed from an execution of the multiplication protocol with \(\{(X_i^2,Y_i^2)\}_{i \in \{1,\ldots ,T\}}\) as inputs to the given gates.
Proof
By a reduction argument, step 1 is computationally indistinguishably distributed in both executions (even if the adversary corrupts a party during step 1).
For step 2, we know by reduction that the ciphertexts \((\{X_i^1 \ominus _{pk} A_i\}_{i \in \{1,\ldots ,T\}},\) \(\{Y_i^1 \ominus _{pk} B_i\}_{i \in \{1,\ldots ,T\}})\) and \((\{X_i^2 \ominus _{pk} A_i\}_{i \in \{1,\ldots ,T\}},\{Y_i^2 \ominus _{pk} B_i\}_{i \in \{1,\ldots ,T\}})\) are computationally indistinguishably distributed. Furthermore, we know that the plaintexts underlying \(\{A_i\}_{i \in \{1,\ldots ,T\}}\) and the plaintexts underlying \(\{B_i\}_{i \in \{1,\ldots ,T\}}\) are unknown to the adversary and computationally uniformly and independently distributed. Therefore, the plaintexts underlying \(\{X_i^1 \ominus _{pk} A_i\}_{i \in \{1,\ldots ,T\}}\), \(\{Y_i^1 \ominus _{pk} B_i\}_{i \in \{1,\ldots ,T\}})\), \(\{X_i^2 \ominus _{pk} A_i\}_{i \in \{1,\ldots ,T\}}\) and \(\{Y_i^2 \ominus _{pk} B_i\}_{i \in \{1,\ldots ,T\}})\) are all unknown to the adversary and computationally uniformly and independently distributed and thus, they are computationally indistinguishably distributed. By Remark 9, we can conclude that step 2 of the multiplication protocol is computationally indistinguishably distributed in both executions, even if the adversary corrupts a party.
As for step 1, a reduction argument shows that steps 3 and 4 maintain computational indistinguishability (even if the adversary corrupts a party during these steps).
Proposition 2
The multiplication protocol communicates \(\mathcal {O}(n^2\kappa )\) bits.
B Protocol
The protocol we present uses a key generation oracle (KG) which sets up all the public and private keys used in our protocol, gives the keys to the entitled parties and provides public Lagrange arguments for all parties. We assume that the simulator has access to an efficient key generation algorithm (KGA) that computes a computationally indistinguishably distributed set of public and private keys and Lagrange arguments. Furthermore, we assume that the parties have access to an encoder and a decoder algorithm that transform values from the message space of the encryption scheme to \(\{0,1\}^*\) and vice versa. We do not explicitly mention when the parties use the encoder and decoder algorithms. They are implicitly used whenever a transformation is necessary.
The description of the protocol follows the structure of the FuncEval\(_f\) Algorithm in [CDN00].
BrACS. In this subsection, we discuss the BrACS protocol used in our MPC protocol. The subprotocol takes as public input the public key pk of the encryption scheme and an encryption M (in our protocol and simulation this is sometimes an encryption of \(1_{pk}\) and other times an encryption of \(0_{pk}\)). The message encrypted by M is denoted by m. For each party \(P_i\) the protocol takes as secret input a message \(a_i\), a randomness \(r_{a_i}\), n values \(c_{ij}\) and 2n commitments \(C_{j\rightarrow i}\) and \(C_{i\rightarrow j}\) for \(j \in \{1,\ldots , n\}\). The \(C_{j\rightarrow i}\)’s represent commitments from \(P_j\) towards \(P_i\). If \(P_i\) and \(P_j\) are both honest, \((a_i,c_{ij})\) is the opening information for the commitment \(C_{i\rightarrow j}\) that \(P_j\) holds. The protocol publicly outputs a set S of parties and, for each party \(P_i \in S\), an encryption of \(a_i\cdot _{pk}m\).
Proposition 3
The BrACS protocol achieves the following properties.
- a) The protocol terminates for all honest parties.
- b) All parties agree on the set S and the encryptions of parties in S.
- c) The set S is of size at least \(n-t\).
- d) Every honest party \(P_i\) in S succeeds in reliably broadcasting a correct encryption \({\textsf {Enc}}_{pk}^M(a_i)\) of \(a_i\cdot _{pk} m\). This means that the reliable broadcast of \({\textsf {Enc}}_{pk}^M(a_i)\) terminates for all honest parties and that at least one honest party \(P_j\) accepts the proof given by \(P_i\) in step 2, namely that \(P_i\) knows a preimage of \({\textsf {Enc}}_{pk}^M(a_i)\) under (pk, M) and that the first component of this preimage is equal to the value \(P_i\) committed to with \(C_{i\rightarrow j}\). Furthermore, for every corrupted party \(P_i\) in S, the reliable broadcast of y by \(P_i\) in step 1 terminates for all honest parties and at least one honest party \(P_j\) accepts the proof (see above) given by \(P_i\) in step 2. Hence, with high probability, \(P_i\) knows values \((a_i',c_{ij}')\) such that \(y = {\textsf {Enc}}_{pk}^M(a_i')\) and \((a_i',c_{ij}')\) is the opening information to \(C_{i\rightarrow j}\).
The proof is straightforward and therefore omitted.
© 2021 International Association for Cryptologic Research
Chopard, A., Hirt, M., Liu-Zhang, CD. (2021). On Communication-Efficient Asynchronous MPC with Adaptive Security. In: Nissim, K., Waters, B. (eds) Theory of Cryptography. TCC 2021. Lecture Notes in Computer Science(), vol 13043. Springer, Cham. https://doi.org/10.1007/978-3-030-90453-1_2
DOI: https://doi.org/10.1007/978-3-030-90453-1_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-90452-4
Online ISBN: 978-3-030-90453-1