The Price of Low Communication in Secure Multi-party Computation

Juan A. Garay

The Price of Low Communication in Secure Multi-Party Computation∗ Juan Garay1 , Yuval Ishai2 , Rafail Ostrovsky3 , and Vassilis Zikas4 1 2 Yahoo Research, juan.a.garay@gmail.com Dept. of Computer Science, Technion and UCLA, yuvali@cs.technion.ac.il 3 Department of Computer Science, UCLA, rafail@cs.ucla.edu 4 Department of Computer Science, RPI, vzikas@cs.rpi.edu Abstract. Traditional protocols for secure multi-party computation among n parties communicate at least a linear (in n) number of bits, even when computing very simple functions. In this work we investigate the feasibility of protocols with sublinear communication complexity. Concretely, we consider two clients, one of which may be corrupted, who wish to perform some “small” joint computation using n servers but without any trusted setup. We show that enforcing sublinear communication complexity drastically affects the feasibility bounds on the number of corrupted parties that can be tolerated in the setting of informationtheoretic security. We provide a complete investigation of security in the presence of semihonest adversaries—static and adaptive, with and without erasures—and initiate the study of security in the presence of malicious adversaries. For semi-honest static adversaries, our bounds essentially match the corresponding bounds when there is no communication restriction—i.e., we can tolerate up to t < (1/2 − ǫ)n corrupted parties. For the adaptive case, however, the situation is different. We prove that without erasures even a small constant fraction of corruptions is intolerable, and—more √ surprisingly—when erasures are allowed, we prove that t < (1− 0.5−ǫ)n corruptions can be tolerated, which we also show to be essentially optimal. The latter optimality proof hinges on a new treatment of probabilistic adversary structures that may be of independent interest. In the case of active corruptions in the sublinear communication setting, we prove that static “security with abort” is feasible when t < (1/2 − ǫ)n, namely, the bound that is tight for semi-honest security. All of our negative results in fact rule out protocols with sublinear message complexity. 1 Introduction Secure multi-party computation (MPC) allows a set of parties to compute a function on their joint inputs in a secure way. Roughly speaking, security means that even when some of the parties misbehave, they can ∗ The full version of this paper can be found at the Cryptology ePrint Archive [28]. neither disrupt the output of honest parties (correctness), nor can they obtain more information than their specified inputs and outputs (privacy). Misbehaving parties are captured by assuming an adversary that corrupts some of the parties and uses them to attack the protocol. The usual types of adversary are semi-honest (aka “passive”), where the adversary just observes the view of corrupted parties, and malicious (aka “active”), where the adversary takes full control of the corrupted parties. The seminal results from the ’80s [32, 53] proved that under standard cryptographic assumption, any multi-party functionality can be securely computed in the presence of a polynomially bounded semi-honest adversary corrupting arbitrarily many parties. For the malicious case, Goldreich, Micali and Wigderson [32] proved that arbitrarily many corruptions can be tolerated if we are willing to give up on fairness, and achieve so-called security with abort; otherwise, an honest majority is required. In the information-theoretic (IT) model—where there are no restrictions on the adversary’s computational power—the situation is different. Ben-Or, Goldwasser, and Wigderson [4] and independently Chaum, Crépeau, and Damgård [14] proved that IT security is possible if and only if t < n/3 parties are actively corrupted (or t < n/2 are passively corrupted, respectively). The solutions in [4] are perfectly secure, i.e., there is a zero-error probability. Rabin and Ben-Or [51] proved that if a negligible error probability is allowed, and a broadcast channel is available to the parties, then any function can be IT-securely computed if and only if t < n/2 parties are actively corrupted. All the above bounds hold both for a static adversary, who chooses which parties to corrupt at the beginning of the protocol execution, and for an adaptive adversary, who might corrupt more parties as the protocol evolves and depending on his view of the protocol so far. In addition to their unconditional security and good concrete efficiency, information theoretic protocols typically enjoy strong composability guarantees. Concretely, the above conditions for the IT setting allow for universally composable (UC) protocols [10]. This is known to be impossible in the plain model—i.e., without assuming access to a trusted setup functionality such as a common reference string (CRS) [12], even if one settles for computational security. Given the above advantages of IT protocols, it is natural to investigate alternative models that allow for IT-secure protocols without an honest majority. It is well known that assuming a strong setup such as oblivious transfer (OT) [50], we can construct IT secure protocols tolerating an arbitrary number of corruptions both in the semi-honest setting [32] and in the 2 malicious setting [43, 45]. However, these solutions require trusting (a centralized party that serves as) an OT functionality. An alternative approach is for the parties to procure help from other servers in a network they have access to, such as the Internet. This naturally leads to the formulation of the problem in the so-called client-server model [16, 18, 19, 36]. This model refines the standard MPC model by separating parties into clients, who wish to perform some computation and provide the inputs to and receive outputs from it, and servers, who help the clients perform their computation. (The same party can play both roles, as is the case in the standard model of secure computation.) The main advantage of this refinement is that it allows to decouple the number of clients from the expected “level of security,” which depends on the number of servers and the security threshold, and, importantly, it allows us to address the question of how the communication complexity (CC) of the protocol increases with the number n of servers. A direct approach to obtain security in the client/server model would be to have the clients share their input to all the servers (denoted by n from now on), who would perform the computation on these inputs and return to the clients their respective outputs. Using [4, 14, 32, 51], this approach yields a protocol tolerating t < n/2 semi-honest corrupted servers, or, for the malicious setting, t < n/2 corrupted servers if broadcast is available, and t < n/3, otherwise. (Recall that the above bounds are required in addition to arbitrarily many corruptions of clients.) Despite its simplicity, however, the above approach incurs a high overhead in communication when the number of clients is small in comparison to the number of servers, which is often the case in natural application scenarios. Indeed, the communication complexity of the above protocol would be polynomial in n. In this work we investigate the question of how to devise IT protocols with near-optimal resilience in the client/server model, where the communication complexity is sublinear in the number of servers n. As we prove, this low-communication requirement comes at a cost, inducing a different—and somewhat surprising—landscape of feasibility bounds. Our contributions. In this work we study the feasibility of informationtheoretic MPC in the client-server model with sublinear communication complexity. We consider the case of two clients and n servers, which we refer to as the (2, n)-client/server model, and prove exact feasibility bounds on the number of corrupted servers that can be tolerated for MPC in 3 addition to a corrupted client.5 We provide a complete investigation of security against semi-honest adversaries—static and adaptive, with and without erasures—and also initiate the study of malicious adversaries. Our results can be summarized as follows: As a warmup, for the simplest possible case of static semi-honest corruptions, we confirm that the folklore protocol which has one of the clients ask a random sublinear-size server “committee” [8] to help the clients perform their computation, is secure and has sublinear message complexity against t < (1/2 − ǫ)n corrupted servers, for any given constant 0 < ǫ < 1/2. Further, we prove that this bound is tight. Thus, up to an arbitrarily small constant fraction, the situation is the same as in the case of MPC with unrestricted communication. In the case of adaptive semi-honest corruptions we distinguish between two cases, depending on whether or not the (honest) parties are allowed to erase their state. Naturally, allowing erasures makes it more difficult for the adversary to attack a protocol. However, restricting to sublinear communication complexity introduces a counterintuitive complication in providing optimally resilient protocols. Specifically, in communication-unrestricted MPC (e.g., MPC with linear or polynomial CC), the introduction of erasures does not affect the exact feasibility bound t < n/2 and typically makes it easier6 to come up with a provably secure protocol against any tolerable adversary. In contrast, in the sublinear-communication realm erasures have a big effect on the feasibility bound and make the design of an optimal protocol a far more challenging task. In fact, proving upper and lower bounds for this (the erasures) setting is the most technically challenging part of this work. In more detail, when no erasures are assumed, we show that an adversary corrupting a constant fraction of the servers (in addition to one of the clients, say, c1 ), cannot be tolerated. The reason for this is intuitive: Since there is a sublinear number of messages, there can only be a sublinear number of servers that are activated (i.e., send or receive messages) during the protocol. Thus, if the adversary has a linear corruption budget, then if he manages to find the identities of these active servers, he can adaptively corrupt all of them. Since 5 6 Our bounds are for the two-client case, but can be easily extended to the multi-client setting with constantly many clients, as such an extension will just incur a constant multiplicative increase in CC. As opposed to requiring the use of more complex cryptographic tools such as noncommitting encryption [11, 21] as in the non-erasure setting. 4 the parties cannot erase anything (and in particular they cannot erase their communication history), the adversary corrupting c1 can “jump” to all servers whose view depends on c1 ’s view, by traversing the communication graph which includes the corrupted client. Symmetrically, the adversary corrupting the other client c2 , can corrupt the remainder “protocol-relevant” parties (i.e., parties whose view depends on the joint view of the clients). Security in the presence of such an adversary contradicts classical MPC impossibility results [35], which prove that if there is a two-set partition of the party-set and the adversary might corrupt either of the sets (this is called the Q2 condition in [35]) then this adversary cannot be tolerated for general MPC—i.e., there are functions that cannot be computed securely against such an adversary. Most surprising is the setting when erasures are allowed. We prove that, √ for any constant ǫ > 0, an adversary corrupting at most t < (1 − 0.5 − ǫ)n servers can be tolerated, and moreover that this bound is essentially tight. The idea of our protocol is as follows. Instead of having the clients contact the servers for help—which would lead, as above, to the adversary corrupting too many helpers—every server probabilistically “wakes up” and volunteers to help. However, a volunteer cannot talk to both clients as with good probability the corrupted client will be the first he talks to which will result in the volunteer being corrupted before erasing. Instead, each volunteer asks a random server, called the intermediary, to serve as his point of contact with one of the two clients. By an appropriate scheduling of messagesending and erasures, we can ensure that if the adversary jumps and corrupts a volunteer or an intermediary because he communicated with the corrupted client, then he might at most learn √ the message that was already sent to this client. The choice of 1 − 0.5 is an optimal choice that will ensure that no adaptive adversary can corrupt more than 1/2 of the active servers set in this protocol. The intuition behind √ it is that if the adversary corrupts each party with probability 1 − 0.5, then for any volunteer-intermediary pair, the probability that the adversary corrupts both of them before they erase (by being lucky and corrupting any on of them at random) is 1/2. Although proving the above is far from straightforward, √ the most challenging part is the proof of impossibility for t = (1 − 0.5 + ǫ)n corruptions. In a nutshell, this proof works as follows: Every adaptive adversary attacking a protocol induces a probability distribution on the set of corrupted parties; this distribution might depend on the 5 coins of the adversary and the inputs and coins of all parties. This is because the protocol’s coins and inputs define the sequence of pointto-point communication channels in the protocol, which in turn can be exploited by the adversary to expand his corruption set, by for example jumping to parties that communicate with the already corrupted set. Such a probability distribution induces a probabilistic adversary structure that assigns to each subset of parties the probability that this subset gets corrupted. We provide a natural definition of what it means for such a probabilistic adversary structure to be intolerable and define a suitable “domination” condition which ensures that any structure that dominates an intolerable structure is also intolerable. We then use this machinery to prove √ that the adversary that randomly corrupts (approximately) (1− 0.5)n servers and then corrupts everyone that talks to the corrupted parties in every protocol round induces a probabilistic structure that dominates an intolerable structure and is, therefore, also intolerable. We believe that the developed machinery might be useful for analyzing other situations in which party corruption is probabilistic. Finally, we initiate the study of actively secure MPC with sublinear communication. Here we look at static corruptions and provide a protocol which is IT secure with abort [32, 42] against any adversary corrupting a client and t < (1/2 − ǫ)n servers for a constant 0 < ǫ < 1/2. This matches the semi-honest lower bound for static security, at the cost, however, of allowing the protocol to abort, a price which seems inevitable in our setting. We leave open the questions of obtaining full security or adaptive security with erasures in the case of actively secure MPC. We finally note that both our positive and negative results are of the strongest possible form. Specifically, our designed protocols communicate a sublinear number of bits, whereas our impossibility proofs apply to all protocols that communicate a sublinear number of messages (independently of how long these messages are). Related work. The literature on communication complexity (CC) of MPC is vast. To put out results in perspective, we now discuss some of the most relevant literature on IT MPC with low communication complexity. For simplicity, in our discussion we shall exclude factors that depend only on the security parameter which has no dependency on n, as well as factors that are poly-logarithmic in n. 6 The CC of the original protocols from the ’80s was polynomial (in the best case quadratic) in n, in particular, poly(n) · |C| where |C| denotes the size of the circuit C that computes the given function. A long line of work ensued that reduced this complexity down to linear in the size of the party set by shifting the dependency on different parameters [2, 3, 6, 17, 22, 24–27, 37–39, 43, 44]. In the IT setting in particular, Damgård and Nielsen [23] achieve a CC of O(n|C|+n2 ) messages—i.e., their CC scales in a linear fashion with the number of parties. Their protocol is perfectly secure in the presence of t < n/2 semi-honest corruptions. In the malicious setting, they provide a protocol tolerating t < n/3 corruptions with a CC of O(n|C| + d · n2 ) + poly(n) messages, where d is the multiplicative depth of the circuit C. Beerliova and Hirt [3] extended this result to perfect security, achieving CC of O(n|C| + d · n2 + n3 ). Later on, Ben-Sasson, Fehr and Ostrovsky [5] achieved CC O(n|C| + d · n2 ) + poly(n) messages against t < n/2 active corruptions, which was brought down to O(n|C|+n2 ) by Genkin et al. [29]. Note that with the exception of the maliciously secure protocol in [23], all the above works tolerate a number of corruptions which is tight even when there is no bound on the communication complexity. Settling for a near-optimal resilience of t < (1/2 − ǫ)n, the above bounds can be improved by a factor of n, making the communication complexity grow at most polylogarithmically with the number of parties. This was first shown for client-server protocols with a constant number of clients by Damgård and Ishai [19] (see also [43]) and later in the standard MPC model by Damgård et al. [20]. The latter protocol can in fact achieve perfect security if t < (1/3 − ǫ)n. We point out that all the above communication bounds include polynomial (in n) additive terms in their CC. This means that even for circuits that are small relative to the number of parties (e.g., even when |C| = o(n)), they communicate a number of bits (or, worse, messages) which is polynomial in n. Instead, in this work we are interested in achieving overall (bit) communication complexity of o(n)|C| without such additive (polynomial or even linear in n) terms, and are willing to settle for statistical (rather than perfect) security. Finally, a different line of work studies the problem of reducing the communication locality of MPC protocols [6, 7, 13]. This measure corresponds to the maximum number of neighbors/parties that any party communicates with directly, i.e., via a bilateral channel, throughout the protocol execution. Although these works achieve a sublinear (in n) communication locality, their model assumes each party to have an input, 7 which requires the communication complexity to grow (at least) linearly with the number of parties. Moreover, the protocols presented in these works either assume a trusted setup or are restricted to static adversaries. Organization of the paper. In Section 2 we present the model (network, security) used in this work and establish the necessary terminology and notation. Section 3 presents our treatment of semi-honest static security, while Section 4 is dedicated to semi-honest adaptive corruptions, with erasures (Section 4.1) and without erasures (Section 4.2). Finally, Section 5 includes our feasibility result for malicious (static) adversaries. 2 Model, Definitions and Building Blocks We consider n + 2 parties, where two special parties, called the clients, wish to securely compute a function on their joint inputs with the help of the remaining n parties, called the servers. We denote by C = {c1 , c2 } and by S = {s1 , . . . , sn } the sets of clients and servers, respectively. We shall denote by P the set of all parties, i.e., P = C ∪ S. The parties are connected by a complete network of (secure) point-to-point channel as in standard unconditionally secure MPC protocols [4,14]. We call this model the (2, n)-client/server model. The parties wish to compute a given two-party function f , described as an arithmetic circuit Cf , on inputs from the clients by invoking a synchronous protocol Π. (Wlog, we assume that f is a public-output function f (x1 , x2 ) = y, where xi is ci ’s input; using standard techniques, this can be extended to multi-input and private-output functions—cf. [47].) Such a protocol proceeds in synchronous rounds where in each round any party might send messages to other parties and the guarantee is that any message sent in some round is delivered by the beginning of the following round. Security of the protocol is defined as security against an adversary that gets to corrupt parties and uses them to attack the protocol. We will consider both a semi-honest (aka passive) and a malicious (aka active) adversary. A semi-honest adversary gets to observe the view of parties it corrupts—and attempts to extract information from it—but allows parties to correctly execute their protocol. In contrast, a malicious adversary takes full control of corrupted parties. Furthermore, we consider both static and adaptive corruptions. A static adversary chooses the set of corrupted parties at the beginning of the protocol execution, whereas and adaptive adversary chooses this set dynamically by corrupting (additional) parties as the protocol evolves (and depending on his view of the protocol). A threshold (tc , ts )-adversary in the client/server model is an 8 adversary that corrupts in total up to tc clients and additionally up to ts servers. The adversary is rushing [9, 40], i.e., in each round he first receives the messages that are sent to corrupted parties, and then has the corrupted parties send their messages for that round. For adaptive security with erasures we adopt the natural model in which each of the operations “send-message,” “receive-message,” and “erase-messages from state” is atomic and the adversary is able to corrupt after any such atomic operation. This, in particular, means that when a party sends a message to a corrupted party, then the adversary can corrupt the sender before he erases this message. In more detail, every round is partitioned into “mini-rounds,” where in each mini-round the party can send a message, or receive a message, or erase a message from its state—exclusively. This is not only a natural erasure model, but ensures that one does not design protocols whose security relies on the assumption that honest parties can send and erase a message simultaneously, as an atomic operation (see [40] for a related discussion about atomicity of sending messages). The communication complexity (CC) of a protocol is the number of bits sent by honest parties during a protocol execution.7 Throughout this work we will consider sublinear-communication protocols, i.e., protocols in which the honest ( and semi-honest) parties send at most o(n)|Cf | number of messages, were the message size is independent of n. Furthermore, we will only consider information-theoretic security (see below). Simulation-based security. We will use the standard simulation-based definition of security from [9]. At a high level, a protocol for a given function is rendered secure against a given class of adversaries if for any adversary in this class, there exists a simulator that can emulate, in an ideal evaluation experiment, the adversary’s attack to the protocol. In more detail, the simulator participates in an ideal evaluation experiment of the given function, where the parties have access to a trusted third party— often referred to as the ideal functionality—that receives their inputs, performs the computation and returns their outputs. The simulator takes over (“corrupts”) the same set of parties as the adversary does (statically or adaptively), and has the same control as the (semi-honest or malicious) 7 Note that in the semi-honest setting this number equals the total number of bits received during the protocol. However, in the malicious setting, corrupted parties might attempt to send more bits to honest parties than what the protocol specifies, thereby flooding the network and increasing the total number of bits received. As we shall see, our malicious protocol defends even against such an attack by having the parties abort if they receive too many bits/messages. 9 adversary has on the corrupted parties. His goal is to simulate the view of the adversary and choose inputs for corrupted parties so that for any initial input distribution, the joint distribution of the honest parties’ outputs and adversarial view in the protocol execution is indistinguishable from the joint distribution of honest outputs and the simulated view in an ideal evaluation of the function. Refer to [9] for a detailed specification of the simulation-based security definition. In this work we consider information-theoretic security and therefore we will require statistical indistinguishability. Using the standard definitions of negligible functions [30], we say that a pair of distribution ensembles X and Y indexed by n ∈ N are (statistically) indistinguishable if for all (not necessarily efficient) distinguishers D the following function with domain S: ∆X ,Y (n) := |Pr[D(Xn ) = 1] − Pr[D(Yn ) = 1]| is negligible in s. In this case we write X ≈ Y to denote this relation. We will further use X ≡ Y to denote the fact that X and Y are identically distributed. The view of the adversary in an execution of a protocol consists of the inputs and randomness of all corrupted parties and all the messages sent and received during the protocol execution. We will use ViewA,Π to denote the random variable (ensemble) corresponding to the view of the adversary when the parties run protocol Π. The view Viewσ,f of the simulator σ in an ideal evaluation of f is defined analogously. For a probability distribution Pr over a sample space T and for any T ∈ T we will denote by Pr(T ) the probability of T . We will further denote by T ← Pr the action of sampling the set T from the distribution Pr. In slight abuse of notation, for an event E we will denote by Pr(E) the probability that E occurs. Finally, for random variables X and Y we will denote by PrX (x) the probability that X = x and by PrX |Y (x|y) the probability that X = x conditioned on Y = y. Oblivious Transfer and OT combiners. Oblivious Transfer (OT) [50] is a two-party functionality between a sender and a receiver. In its most common variant called 1-out-of-2-OT,8 the sender has two inputs x0 , x1 ∈ {0, 1} and the receiver has one bit input b ∈ {0, 1}, called the selection bit. The functionality allows the sender to transmit the input xb to the receiver so that (1) the sender does not learn which bit was transmitted (i.e., learns nothing), and (2) the receiver does not learn anything about the input xb̄ . 8 In this work we will use OT to refer to 1-out-of-2 OT. 10 As proved by Kilian and Goldreich, Micali, and Wigderson [32,46], the OT primitive is complete for secure xtwo-party computation (2PC), even against malicious adversaries. Specifically, Kilian’s result shows that given the ability to call an ideal oracle/functionality fOT that computes OT, two parties can securely compute an arbitrary function of their inputs with unconditional security. The efficiency of these protocols was later improved by Ishai et al. [43]. Beaver [1] showed how OT can be pre-computed, i.e., how parties can, in an offline phase, compute correlated randomness that allows, during the online phase, to implement OT by simply the sender sending to the receiver two messages of the same length as the messages he wishes to input to the OT hybrid (and the receiver sending no message). Thus, a trusted party which is equivalent (in terms of functionality) to OT, is one that internally pre-computes the above correlated randomness and hands to the sender and the receiver their “parts” of it. We will refer to such a correlated randomness setup where the sender receives Rs and the receiver Rr as an (Rs , Rr ) OT pair. The size of each component in such an OT pair is the same as (or linear in) the size of the messages (inputs) that the parties would hand to the OT functionality. A fair amount of work has been devoted to so-called OT combiners, namely, protocols that can access several, say, m OT protocols, out of which ℓ might be insecure, and combine them into a secure OT protocol (e.g., [33, 34, 48]). OT combiners with linear rate (i.e., where the total communication of the combiner is linear in the total communication of the OT protocol) exist both for semi-honest and for malicious security as long as ℓ < m/2. Such an OT combiner can be applied to the precomputed OT protocol to transform m precomputed OT strings out of which ℓ are sampled from the appropriate distribution by a trusted party, into one securely pre-computed OT string, which can then be used to implement a secure instance of OT. 3 Sublinear Communication with Static Corruptions As a warm up, we start our treatment of secure computation in the (2, n)client/server model with the case of a static adversary, where, as we show, requiring sublinear communication complexity comes almost at no cost in terms of how many corrupted parties can be tolerated. We consider the case of a semi-honest adversary and confirm that using a “folklore” protocol any (1, t)-adversary with t < ( 21 − ǫ)n corruptions can be tolerated, for an arbitrary constant 0 < ǫ < 12 . We further prove that this bound is 11 tight (up to an arbitrary small constant fraction of corruptions); i.e., if for some ǫ > 0, t = ( 21 + ǫ)n, then a semi-honest (1, t)-adversary cannot be tolerated.9 Specifically, in the static semi-honest case the following folklore protocol based on the approach of selecting a random committee [8] is secure and has sublinear message complexity. This protocol has any of the two clients, say, c1 , choose (with high probability) a random committee/subset of the servers of at most polylogarithmic size and inform the other client about his choice. These servers are given as input secret sharings of the clients’ inputs, and are requested to run a standard MPC protocol that is secure in the presence of an honest majority, for example, the semi-honest MPC protocol by Ben-Or, Goldwasser and Wigderson [4], hereafter referred to as the “BGW” protocol. The random choice of the servers that execute the BGW protocol will ensure that, except with negligible (in n) probability, a majority of them will be honest. Furthermore, because the BGW protocol’s complexity is polynomial in the party size, which in this case is polylogarithmic, the total communication complexity in this case is polylogarithmic. We denote the above protocol as Πstat and state its security in Theorem 1. The proof is simple and follows the above idea. We refer to the full version [28] for details. Theorem 1. Protocol Πstat unconditionally securely computes any given 2-party function f in the (2, n)-client/server model in the presence of a passive and static (1, t)-adversary with t < (1/2 − ǫ)n, for any given ′ constant 0 < ǫ < 1/2. Moreover, Πstat communicates O(logδ (n)|Cf |) messages, for a constant δ ′ > 1. Next, we prove that Theorem 1 is tight. The proof idea is as follows: If the adversary can corrupt a majority of the servers, i.e., t ≥ n/2, then no matter which subset of the servers is actually activated (i.e., sends or receives a message) in the protocol10 , an adversary that randomly chooses the parties to corrupt has a good chance of corrupting any half of the active server set. Thus, existence of a protocol for computing, e.g., the OR function while tolerating such an adversary would contradict the impossibility result by Hirt and Maurer [35] which implies that an adversary who can corrupt a set and its complement—or supersets thereof—is intolerable for the OR function. The actual theorem statement is tighter, 9 10 Wlog we can assume that the semi-honest adversary just outputs his entire view [9]; hence semi-honest adversaries only differ in the set of parties they corrupt. Note that not all servers can be activated as the number of active servers is naturally bounded by the (sublinear) communication complexity. 12 and excludes even adversaries that corrupt t ≥ n/2 − δ, for some constant δ ≥ 0. The proof uses the above idea with the additional observation that due to the small (sublinear) size of the set S̄ of active servers, i.e., servers that send or receive a message in the protocol, a random set of δ = O(1) servers has noticeable chance to include no such active server. We refer to the full version of this work [28] for a formal proof. Theorem 2. Assuming a static adversary, there exists no information theoretically secure protocol for computing the boolean OR of the (two) clients’ inputs with message complexity m = o(n) tolerating a (1, t)adversary with t ≥ n/2 − δ, for some δ = O(1). 4 Sublinear Communication with Adaptive Corruptions In this section we consider an adaptive semi-honest adversary and prove corresponding tight bounds for security with erasures—the protocol can instruct parties to erase their state so as to protect information from an adaptive adversary who has not yet corrupted the party—and without erasures—everything that the parties see stays in their state. 4.1 Security with Erasures We start with the setting where erasures of the parties’ states are allowed, which prominently demonstrates that sublinear communication comes at an unexpected cost in the number of tolerable corruptions. √ Specifically, in this section we show that for any constant 0 < ǫ < 1− 0.5, there exists a protocol that computes any√ given two-party function f in the presence of a (1, t)-adversary if t < (1− 0.5−ǫ)n (Theorem 3). Most surprisingly, we prove that this bound is tight up to any arbitrary small constant fraction of corruptions (Theorem 4). The technique used in proving the lower bound introduces a novel treatment of (and a toolboox for) probabilistic adversary structures that we believe can be of independent interest. We start with the protocol construction. First, observe that the idea behind protocol Πstat cannot work here as an adaptive adversary can corrupt client c1 , wait for him to choose the servers in S̄, and then corrupt all of them adaptively since he has a linear corruption budget. (Note that erasures cannot help here as the adversary sees the list of all receivers by observing the corrupted sender’s state.) This attack would render any protocol non-private. Instead, we will present a protocol which allows clients c1 and c2 to pre-compute sufficiently many 1-out-of-2 OT functionalities 13 fOT ((m0 , m1 ), b) = (⊥, mb ) in the (2, n)-client/server model with sublinear communication complexity. The completeness of OT ensures that this allows c1 and c2 to compute any given function. A first attempt towards the above goal is as follows. Every server δ independently decides with probability p = logn n (based on his own local randomness) to “volunteer” in helping the clients by acting as an OT dealer (i.e., acting as a trusted party that prepares and sends to the clients an OT pair). The choice of p can be such that with overwhelming probability not too many honest servers volunteer (at most sublinear in n) and the majority of the volunteers are honest. Thus, the majority of the distributed OT pairs will be honest, which implies that the parties can use an OT-combiner that is secure for a majority of good OTs (e.g., [34]) on the received OT pairs to derive a secure implementation of OT. Unfortunately, the above idea does not quite work. To see why, consider an adversary who randomly corrupts one of the clients and as soon as any honest volunteer sends a messages to the corrupted client, the adversary corrupts him as well and reads his state. (Recall that send and erase are atomic operations.) It is not hard then to verify that even if the volunteer erases part of its state between contacting each of the two clients, with probability (at least) 1/2 such an adversary learns the entire internal state of the volunteer before he gets a chance to erase it. So instead of the above idea, our approach is as follows. Every server, δ as above, decides with probability p = logn n to volunteer in helping the clients by acting as an OT dealer and computes the OT pair, but does not send it. Instead, it first chooses another server, which we refer to as his intermediary, uniformly at random, and forwards him one of the components in the OT pairs (say, the one intended for the receiver); then, it erases the sent component and the identity of the intermediary along with the coins used to sample it (so that now his state only includes the sender’s component of the OT pair); finally, both the volunteer and his intermediary forward their values to their intended recipient. It is straightforward to verify that with the above strategy the adversary does not gain anything by corrupting a helping server—whether a volunteer or his associated intermediary—when he talks to the corrupted client. Indeed, at the point when such a helper contacts the client, the part of the OT pair that is not intended for that client and the identity of the other associated helper have both been erased. But now we have introduced an extra point of possible corruption: The adversary can learn any given OT pair by corrupting either the corresponding volunteer or his intermediary before the round where the clients are contacted. How14 √ ever, as we will show, when t < (1 − 0.5 − ǫ)n, the probability that the adversary corrupts more than half of such pairs is negligible. The complete specification of the above sketched protocol, denoted OT , and the corresponding security statement are shown below. Πadap OT Protocol Πadap (C = {c1 , c2 }, S = {s1 , . . . , sn }) δ 1. Every server si ∈ S locally decides to become active with probability p = logn n for a publicly known constant δ > 1. Let S̄1 denote the set of parties that become active in this round. Every si ∈ S̄1 prepares an OT pair ((mi , ri ), otidi ), δ where otidi ∈ {0, 1}log n is a uniformly chosen identifier. 2. Every si ∈ S̄1 choses an intermediary sij ∈ S uniformly at random and sends (ri , otidi ) to sij . Denote by S̄2 = {sij |si ∈ S̄} the set of all relayers. 3. Every si ∈ S̄1 erases ri , the identity of sij , and the randomness used to select sij ; and every sij ∈ S̄2 erases the identity of si . 4. Every si ∈ S̄1 sends (mi , otidi ) to c1 and every sij ∈ S̄2 sends (ri , otidi ) to c2 . 5. Every si ∈ S̄1 and every sij ∈ S̄2 erase their entire internal state. 6. The clients c1 and c2 use the OT pairs with matching otid’s within a (semihonest) (n/2, n) OT-combiner [34] to obtain a secure OT protocol. OT unconditionally securely computes the funcTheorem 3. Protocol Πadap tion fOT ((m0 , m1 ), b) = (⊥, mb ) in the (2, n)-client/server model √ in the presence of a passive and adaptive (1, √ t)-adversary with t < (1− 0.5−ǫ)n, for any given constant 0 < ǫ < 1 − 0.5 and assuming erasures. MoreOT communicates O(logδ (n)) messages, with δ > 1, except with over, Πadap negligible probability. Proof. Every server s ∈ S is included in the set of servers that become δ active in the first round, i.e., S̄1 , with probability p = logn n independent of the other servers. Thus by application of the Chernoff bound we get that for every 0 < γ < 1/2: Pr[|S̄1 | > (1 + γ) logδ n] < e− γ logδ n 3 (1) which is negligible. Moreover, each si ∈ S̄1 chooses one additional relayparty sij which means that for any constant 1/2 < γ ′ < 1: |S̄| = |S̄1 ∪ S̄2 | ≤ (2 + γ ′ ) logδ n 15 with overwhelming probability. (As in the proof of Theorem 2, S̄ denotes the set of active servers at the end of the protocol.) Since each such party communicates at most two messages, the total message complexity is O(logδ n) plus the messages exchanged in the OT combiner which are polynomial in the number of OT pairs. Thus, with overwhelming ′ probability, the total number of messages is O(logδ (n)) for some constant δ ′ > δ. To prove security, it suffices to ensure that for the uncorrupted client, the adversary does not learn at least half of the received OT setups. Assume wlog that c2 is corrupted. (The case of a corrupted c1 is handled symmetrically, because, wlog, we can assume that an adversary corrupting some party in S̄1 also corrupts all parties in S̄2 which this party sends messages to after its corruption.) We show that the probability that the adversary learns more than half of the mi ’s is negligible. First, we can assume, wlog, that the adversary does not corrupt any servers after Step 5, i.e., after the states of the servers have been erased. Indeed, for any such adversary A there exists an adversary A′ who outputs a view with the same distribution as A but does not corrupt any of the parties that A corrupts after Step 5; in particular A′ uses A as a blackbox and follows A’s instructions, and until Step 5 corrupts every server that A requests to corrupt, but after that step, any request from A to corrupt a new server s is replied by A′ simulating s without corrupting him. (This simulation is trivially perfect since at Step 5, s will have erased its local state so A′ needs just to simulate the unused randomness.) Second, we observe that, since the adversary does not corrupt c1 , the only way to learn some mi is by corrupting the party in S̄1 that sent it to c1 . Hence to prove that the adversary learns less than 1/2 of the mi ’s it suffices to prove that the adversary corrupts less than 1/2 of S̄1 . Next, we observe that the adversary does not gain any advantage in corrupting parties in S̄1 by corrupting client c2 , since (1) parties in S̄1 do not communicate with c2 , and (2) by the time an honest party sij ∈ S̄2 communicates with c2 he has already erased the identity of si . (Thus, corrupting sij after he communicates with c2 yields no advantage in finding si .) Stated differently, if there is an adversary who corrupts more than 1/2 servers in S̄1 , then there exists an adversary that does the same without even corrupting c2 . Thus, to complete the proof it suffices to show that any adversary who does not corrupt c2 , corrupts less than 1/2 of the servers in |S̄1 |. This is stated in Lemma 2, which is proved using the following strategy: First, we isolate a “bad” subset S̄1′ of S̄1 which we call over-connected parties, for which we cannot give helpful guarantees 16 on the number of corruptions. Nonetheless, we prove in Lemma 1 that this “bad” set is “sufficiently small” compared to S̄1 . By this we mean that we can bound the fraction of corrupted parties in S̄1 sufficiently far from 1/2 so that even if give this bad set S̄1′ to the adversary to corrupt for free, his chances of corrupting a majority in S̄1 are still negligible. The formal arguments follow. Let E = {(s, s′ ) | s ∈ S̄1 ∨ s′ ∈ S̄2 } and let G denote the graph with vertex-set S and edge-set E. We say that server si ∈ S̄1 is an overconnected server if the set {si , sij } has neighbors in G. Intuitively, the set of over-connected servers is chosen so that if we remove these servers from G we get a perfect matching between S̄1 and S̄2 . Next, we show that even if we give up all over-connected servers in S̄1 (i.e., allow the adversary to corrupt all of them for free) we still have a majority of uncorrupted servers in S̄1 . For this purpose, we first prove in Lemma 1 that the fraction of S̄1 servers that are over-connected is an arbitrary small constant. Lemma 1. Let S̄1′ ⊆ S̄1 denote the set of over-connected servers as defined above. For any constant 1 > ǫ′ > 0 and for large enough n, |S̄1′ | < ǫ′ |S̄1 | except with negligible probability. Proof. To prove the bound [49]. For each dom variable that is si ∈ S̄1 we denote by the protocol. claim we make use of the generalized Chernoff si ∈ S̄1 let Xi ∈ {0, 1} denote the indicator ran1 if si ∈ S̄1′ and 0 otherwise. As above for each sij the party that si chooses as its intermediary in Pr[Xi = 1] = Pr[(sij ∈ S̄1 ) ∪ (∃sk ∈ S̄1 : skj ∈ {si , sij })] ≤ Pr[sij ∈ S̄1 ] + Pr[∃sk ∈ S̄1 : skj = si ] ≤3 |S̄1 | , n + Pr[∃sk ∈ S̄1 : skj = sij ] where both inequalities follow by a direct union bound since sij is chosen uniformly at random, and for each of the servers si and sij there are at most |S̄1 | servers that might choose them as an intermediary. But from Equation 1, |S̄1 | < (1 + γ) logδ n except with negligible probability. Thus, for large enough n, Pr[Xi = 1] < ǫ′ . Next, we observe that for any subset V Q of indices of parties in S̄1 and for any i ∈ Q it holds that Pr[Xi = 1 | j∈Q\{i} Xj = 1] ≤ Pr[Xi = 1]. This is the case because the number of edges (sk , skj ) is equal to the size of S̄1 and 17 any connected component in G with ℓ nodes must Q include at least ℓ such edges. Hence, for any such Q, Pr[∧i∈Q Xi = 1] ≤ i∈Q Pr[Xi = 1] ≤ ǫ1 |Q| . Therefore, by an application of the generalized Chernoff bound [49], for δ = ǫ1 < ǫ′ and γ = ǫ′ , we obtain Pr[ n X i=1 ′ 2 Xi ≥ ǫ′ n] ≤ e−n2(ǫ −ǫ1 ) , ⊔ ⊓ which is negligible. Now, let A be an adaptive (1, t)-adversary and let C be the total set of servers corrupted by A (at the end of Step 5). We want to prove that |C ∩ S̄1 | < 12 |S̄1 | except with negligible probability. Towards this objective, we consider the adversary A′ who is given access to the identities of all servers in S̄1′ , corrupts all these parties and, additionally, corrupts the first t − |S̄1′ | parties that adversary A corrupts. Let C ′ denote the set of parties that A′ corrupts. It is easy to verify that if |C ∩ S̄1 | ≥ 21 |S̄1 | then |C ′ ∩ S̄1 | ≥ 12 |S̄1 |. Indeed, A′ corrupts all but the last |S̄1′ | of the parties that A corrupts; if all these last parties end up in S̄1 then we will have |C ′ ∩ S̄1 | = |C ∩ S̄1 |, otherwise, at least one of them will not be in C ∩ S̄1 in which case we will have |C ′ ∩ S̄1 | > |C ∩ S̄1 |. Hence, to prove that |C ∩ S̄1 | < 21 |S̄1 | it suffices to prove that |C ′ ∩ S̄1 | < 12 |S̄1 |. Lemma 2. The set C ′ of servers corrupted by A′ as above has size |C ′ ∩ S̄1 | < 21 |S̄1 |, except with negligible probability. Proof. Consider the gaph G′ which results by deleting from G the vertices/servers in S̄1′ . By construction, G′ is a perfect pairing between parties in S̄1 \ S̄1′ and parties in S̄2 \ S̄1′ . For each si ∈ S̄1 \ S̄1′ , let Xi denote the Boolean random variable with Xi = 1 if {si , sij } ∩ (C ′ \ S̄1′ ) 6= ∅ and Xi = 0 otherwise. When Xi = 1, we say that the adversary has corrupted the edge ei = (si , sij ). Clearly, the number of corrupted edges is an upper bound on the corresponding number of corrupted servers in S̄1 \ S̄1′ . Thus, we will show that the number of corrupted edges is bounded away from 1/2. By construction of G′ the Xi ’s are independent, identically distributed random variables. Every edge in G′ is equally likely, thus the adversary gets no information on the rest of the graph by corrupting some edge. Therefore we can assume wlog that A′ chooses the servers in C ′ \ S̄1′ at the beginning of the protocol execution. In this case we get the following for C1′ = C ′ \ S̄1′ : 18 Pr[Xi = 1] = Pr[si ∈ C1′ ] + Pr[sij ∈ C1′ ] − Pr[{si , sij } ⊆ C1′ ] 2 |C| − |S̄1′ | |C| − |S̄1′ | − =2 n − |S̄1′ | n − |S̄1′ | !2 √ √ (1 − 0.5 − ǫ)n − |S̄1′ | 2(1 − 0.5 − ǫ)n . − ≤ n − |S̄1′ | n − |S̄1′ | √ To make the notation more compact, let λ = 1 − 0.5 − ǫ. Because, from Lemma 1, |S̄1′ | ≤ ǫ′ n (and thus n − |S̄1′ | > (1 − ǫ′ )n) except with negligible probability, we have that for large enough n and some negligible function µ: 2 λn − |S̄1′ | 2λn (2) Pr[Xi = 1] ≤ − + µ. (1 − ǫ′ )n n − |S̄1′ | Moreover, λn − |S̄1′ | n − |S̄1′ | 2 2 2 |S̄1′ | λn − |S̄1′ | ≥ = λ− n n ′ 2λ|S̄1 | ≥ λ2 − . n (3) But because, from Equation 1, |S̄1 | = O(logδ n) with overwhelming probability, we have that for every constant 0 < ǫ1 < 1 and every negligible 2λ|S̄ ′ | function µ′ , and for all sufficiently large n, n 1 + µ′ < ǫ1 holds. Thus, combining Equations 2 and 3 we get that for all such ǫ1 and for sufficiently large n: 2 Pr[Xi = 1] ≤ λ − λ2 + ǫ 1 (1 − ǫ′ ) √ √ 2 = (1 − 0.5 − ǫ) − 1.5 − ǫ2 + 2ǫ + 2(1 − ǫ) 0.5 + ǫ1 ′ (1 − ǫ ) 2 2ǫ ≤ − − 1.5 − ǫ2 + 2ǫ + ǫ1 (1 − ǫ′ ) (1 − ǫ′ ) 2 − 1.5 − ǫ2 + ǫ1 . ≤ (1 − ǫ′ ) For ǫ′ ≤ 1 − 2 2+ǫ2 /4 and ǫ1 = ǫ2 /4, the last equation gives Pr[Xi = 1] ≤ 19 1 ǫ2 − . 2 2 Furthermore, because the Xi ’s are independent, the assumptions in [49] 2 are satisfied for δ = 21 − ǫ2 , hence, X 2 Pr[ Xi ≥ (1/2 − ǫ2 /3)|S̄1 \ S̄1′ |] ≤ e−n(ǫ /6) , si ∈S̄1 \S̄1′ which is negligible. Note that, by Lemma 1, for large enough n, with over2ǫ2 whelming probability |S̄1′ | < 3+2ǫ 2 |S̄1 |. Thus, with overwhelming probability the total number of corrupted servers in S̄1 is less than 12 |S̄1 |. ⊔ ⊓ The above lemma ensures that the adversary cannot corrupt a majority of the OT pairs. Furthermore, with overwhelming probability, all the otid’s chosen by the parties in S̄ are distinct. Thus, the security of the protocol follows from the security of the OT combiner. This concludes the proof of Theorem 3. ⊔ ⊓ Next, we turn to the proof of the lower bound. We prove that there exists √ an adaptive (1, t)-adversary that cannot be tolerated when t = (1 − 0.5 + ǫ)n for any (arbitrarily small) constant ǫ > 0. To this end, we start with the observation that every adaptive adversary attacking a protocol induces a probability distribution on the set of corrupted parties, which might depend on the coins of the adversary and on the inputs and coins of all parties. Such a probability distribution induces a probabilistic adversary structures that assigns to each subset of parties the probability that this subset gets corrupted. Hence, it suffices to prove that this probabilistic adversary structure is what we call intolerable, which, roughly, means that there are functions that cannot be computed when the corrupted sets are chosen from this structure. Before sketching our proof strategy, it is useful to give some intuition about the main challenge one encounters when attempting to prove such a statement. This is best demonstrated by the following counterexample. A counterexample. It is tempting to conjecture that for every probabilistic adversary A who corrupts each party i with probability pi > 1/2, there is no (general purpose) information-theoretic MPC protocol which achieves security against A. While this is true if the corruption probabilities are independent, we show that this is far from being true in general. k Let fk denote the boolean function fk : {0, 1}3 → {0, 1} computed by a depth-k complete tree of 3-input majority gates. It follows from [15, 36] that there is a perfectly secure information-theoretic MPC protocol that tolerates every set of corrupted parties T whose characteristic vector χT satisfies f (χT ) = 0. We show the following. 20 Proposition 1. There exists a sequence of distributions Xk , where Xk k is distributed over {0, 1}3 , such that for every positive integer k we have (1) fk (Xk ) is identically 0, and (2) each entry of Xk takes the value 1 with probability 1 − (2/3)k . Proof. Define the sequence Xk inductively as follows. X1 is a uniformly random over {100, 010, 001}. The bit-string Xk is obtained as follows. Associate the entries of Xk with the leaves of a complete ternary tree of depth k. Randomly pick Xk by assigning 1 to all leaves of one of the three sub-trees of the root (the identity of which is chosen at random), and assigning values to each of the two other sub-trees according to Xk−1 . Both properties can be easily proved by induction on k. ⊔ ⊓ Letting Ak denote the probabilistic adversary corresponding to Xk , we get a strong version of the desired counterexample, thus contradicting the aforementioned conjecture for k ≥ 2. The above counterexample demonstrates that even seemingly straightforward arguments when considering probabilistic adversary structures can be false, because of correlation in the corruption events. Next, we present the high-level structure of our lower bound proof. We consider an adversary A who works as follows: At the beginning of the protocol, √ A corrupts each of the n servers independently with probability 1− 0.5 and corrupts one of the two clients, say, c1 , at random; denote the set of initially corrupted servers by C0 and initialize C := C0 . Subsequently, in every round, if any server sends or/receives a message to/from one of the servers in C, then the adversary corrupts him as well and adds him to C. Observe that A does not corrupt servers when they send or receive messages to the clients. (Such an adversary would in fact be stronger but we will show that even the above weaker adversary cannot be tolerated.) We also note √ that the above adversary might exceed his corruption budget t = (1 − 0.5 − ǫ)n. However, an application of the Chernoff bound shows that the probability that this happens in negligible in n so we can simply have the adversary abort in the unlikely case of such an overflow. We next observe that because A corrupts servers independently at the beginning of the protocol, we can consider an equivalent random experiment where first the communication pattern (i.e., the sequence of edges) is decided and then the adversary A chooses his initial sets and follows the above corruption paths (where edges are processed in the given order). For each such sequence of edges, A defines a probability distribution on the (active) edge set that is fully corrupted, namely, both 21 its end-points are corrupted at the latest when they send any message in the protocol (and before they get a chance to erase it). Shifting the analysis from probabilistic party-corruption structures to probabilistic edge-corruption structures yields a simpler way to analyze the view of the experiment. Moreover, we provide a definition of what it means for an edge-corruption structure to be intolerable, which allows us to move back from edge to party corruptions. Next, we define a domination relation which, intuitively, says that a probabilistic structure PrAE dominates another probabilistic structure 1 PrAE on the same set of edges, if there exist a monotone probabilis2 tic mapping F among sets of edges—i.e., a mapping from sets to their subsets—that transforms PrAE into PrAE . Conceptually, for an adver1 2 sary that corrupts according to PrAE (hereafter referred to as a PrAE 1 1 adversary), the use of F can be thought as “forgetting” some of the corrupted edges.11 Hence, intuitively, an adversary who corrupts edge sets according to PrAE (or, equivalently, according to “PrAE with forget”) is 2 1 easier to simulate than a PrAE -adversary, as if there is a simulator for 1 the latter, we can apply the forget predicate F on the (simulated) set of corrupted edges to get a simulator for PrAE . Thus, if PrAE is intolerable, 2 2 then so is PrAE . 1 Having such a domination relation in place, we next look for a simple probabilistic structure that is intolerable and can be dominated by the structure induced by our adversary A. To this end, we prove intolerability of a special structure, where each edge set is sampled according to the following experiment: Let E be a collection of edge sets such that no E ∈ E can be derived as a union of the remaining sets; we choose to add each set from E to the corrupted-edge set independently with probability 1/2. The key feature of the resulting probabilistic corruption structure that enables us to prove intolerability and avoid missteps as in the above counterexample, is the independence of the above sampling strategy. The final step, i.e., proving that the probabilistic edge-corruption structure induced by our adversary A dominates the above special structure, goes through a delicate combinatorial argument. We define a special graph traversing algorithm for the given edge sequence that yields a collection of potentially fully corruptible subsets of edges in this sequence, and prove that the maximal elements in this collection can be used to derive such a dominating probabilistic corruption structure. 11 Here, “forgetting” means removing the view of their end-points from the adversary’s view. 22 The complete proof of our impossibility (stated in Theorem 4 below) can be found in [28]. Theorem 4. Assume an adaptive passive adversary and that erasures are allowed. There exists no information theoretically secure protocol for computing the boolean OR function in the (2, n)-client/server model with message √ complexity m = o(n) tolerating a (1, t)−adversary, where t = (1 − 0.5 + ǫ)n for any constant ǫ > 0. 4.2 Security without Erasures We next turn to the case of adaptive corruptions (still for semi-honest adversaries) in a setting where parties do not erase any part of their state (and thus an adaptive adversary who corrupts any party gets to see the party’s entire protocol view from the beginning of the protocol execution). This is another instance which demonstrates that requiring sublinear communication induces unexpected costs on the adversarial tolerance of MPC protocols. In particular, when we do not restrict the communication complexity, then any (1, t)-adversary can be tolerated for information-theoretic MPC in the (2, n)-client/server model, as long as t < n/2 [4]. Instead, as we now show, when restricting to sublinear communication, there are functions that cannot be securely computed when any (arbitrary small) linear number of servers is corrupted (Theorem 5). If, on the other hand, we restrict the number of corruptions to be sublinear, a straightforward protocol computes any given function (Theorem 6). The intuition behind the impossibility can be demonstrated by looking at protocol Πstat from Section 3: An adaptive adversary can corrupt client c1 , wait for him to choose the servers in S̄, and then corrupt all of them rendering any protocol among them non-private. In fact, as we show below, this is not a problem of the protocol but an inherent limitation in the setting of adaptive security without erasures. Specifically, the following theorem shows that if the adversary is adaptive and has the ability to corrupt as many servers as the protocols’ message complexity, along with any one of the clients, then there are functions that cannot be privately computed. The basic idea is that such an adversary can wait until the end of the protocol, corrupt any of the two clients, say, ci , and, by following the messages’ paths, also corrupt all servers whose view is correlated to that of ci . As we show, existence of a protocol tolerating such an adversary contradicts classical impossibility results in the MPC literature [4, 35]. 23 Theorem 5. In the non-erasure model, there exists no informationtheoretically secure protocol for computing the boolean OR function in the (2, n)-client/server model with message complexity m = o(n) tolerating an adaptive (1, m + 1)-adversary. Proof. Assume towards contradiction that such a protocol Π exists. First we make the following observation: Let G denote the effective communication graph of the protocol defined as follows: G = (V, E) is an undirected graph where the set V of nodes is the set of all parties, i.e., V = S ∪ {c1 , c2 }, and the set E of edge includes of pairs of parties that exchanged a message in the protocol execution; i.e., E := {(pi , pj ) ∈ V 2 s.t. pi exchanged a message with pj in the execution of Π}.12 By definition, the set S̄ of active parties is the set of nodes in G with degree d > 0. Let S̄ ′ denote the set of active parties that do not have a path to any of the two clients. (In other words, nodes in S̄ ′ do not belong in a connected component including c1 or c2 .) We observe that if a protocol is private against an adversary A, then it remains private even if A gets access to the entire view of parties in S̄ ′ and of the inactive servers S \ S̄. Indeed, the states of these parties are independent of the states of active parties and depend only on their internal randomness, hence they are perfectly simulatable. Let A1 denote the adversary that attacks at the end of the protocol and chooses the parties A1 to corrupt by the following greedy strategy: Initially A1 := {c1 }, i.e., A1 always corrupts the first client. For j = 1 . . . , m, A1 adds to A1 all servers that are not already in A1 and exchanged a message with some party in A1 during the protocol execution. (Observe that A1 does not corrupt the second client c2 .) Note that the corruption budget of the adversary is at least as big as the total message complexity, hence he is able to corrupt every active server (if they all happen to be in the same connected component as c1 ). Symmetrically, we define the adversary A2 that starts with A2 = {c2 } and corrupts servers using the same greedy strategy. Clearly, A1 ∪ A2 = S̄ \ S̄ ′ . Furthermore, as argued above, if Π can tolerate Ai , then it can also tolerate A′i which in addition to Ai learns the state of all servers in S̄ ′ ∪ (S \ S̄); denote by A′i the set of parties whose view A′i learns. Clearly, A′1 ∪ A′2 = S, and thus, existence of such a Π contradicts the impossibility of computing the OR against non-Q2 adversary structures [35]. ⊔ ⊓ Corollary 1. In the non-erasure model, there exists no information theoretically secure protocol for computing the boolean OR function of the 12 Note that G is fully defined at the end of the protocol execution. 24 (two) clients’ inputs with message complexity m = o(n) tolerating an adaptive (1, t)-adversary, where t = ǫn for some constant ǫ > 0. For completeness, we show that if the adversary is restricted to a sublinear number t of corrupions, then there is a straightforward secure protocol with sublinear communication. Indeed, in this case we simply need to use Πstat , with the modification that c1 chooses n′ = 2t + 1 servers to form a committee. Because t = o(n), this committee is trivially of sublinear size, and because n′ > 2t a majority of the servers in the committee will be honest. Hence, the same argument as in Theorem 1 applies also here. This proves the following theorem; the proof uses the same structure as the proof of Theorem 1 and is therefore omitted. Theorem 6. Assuming t = o(n), there exists an unconditionally secure (privately) protocol that computes any given 2-party function f in the (2, n)-client/server model in the presence of a passive adaptive (1, t)adversary and communicates o(n)|Cf | messages. The statement holds even when no erasures are allowed.13 5 Sublinear Communication with Active (Static) Corruptions Finally, we initiate the study of malicious adversaries in MPC with sublinear communication, restricting our attention to static security. Since the bound from Section 3 is necessary for semi-honest security, it is also necessary for malicious security (since a possible strategy of a malicious adversary is to play semi-honestly). In this section we show that if t < (1/2 − ǫ)n, then there exists a maliciously secure protocol for computing every two-party function with abort. To this end, we present a protocol which allows clients c1 and c2 to compute the 1-out-of-2 OT functionality fOT ((m0 , m1 ), b) = (⊥, mb ) in the (2, n)-client/server model with sublinear communication complexity. As before, the completeness of OT ensures that this allows c1 and c2 to compute any function. We remark that the impossibility result from Section 3 implies that no fully secure protocol (i.e., without abort) can tolerate a malicious (1, t)adversary as above. As we argue below, the ability of the adversary to force an abort seems inherent in protocols with sublinear communication tolerating an active adversary with a linear number of corruptions. It is 13 A protocol that is secure when no erasures are allowed is also secure when erasures are allowed. 25 an interesting open question whether the impossibility of full security can be extended to malicious security with abort. Towards designing a protocol for the malicious setting, one might be tempted to think that the semi-honest approach of one of the clients choosing a committee might work here as well. This is not the case, as this client might be corrupted (and malicious) and only pick servers that are also corrupted. Instead, here we use the following idea, inspired by the adaptive protocol with erasures (but without intermediaries): Every δ server independently decides with probability p = logn n (based on his own local randomness) to volunteer in helping the clients by acting as an OT dealer. The choice of p is such that with overwhelming probability not too many honest servers (at most sublinear in n) volunteer. The clients then use the OT-combiner on the received pre-computed OT pairs to implement a secure OT. Note that this solution does not require any intermediaries as we have static corruptions. But now we have a new problem to solve: The adversary might pretend to volunteer with more parties than the honest volunteers. (The adversary can do that since he is allowed a linear number of corruptions.) If the clients listen to all of them, then they will end up with precomputed OTs a majority of which is generated by the adversary. This is problematic since no OT combiner exists that will yield a secure OT protocol when the majority of the combined OTs is corrupted (cf. [34, 48]). We solve this problem as follows: We will have each of the clients abort during the OT pre-computation phase if he receives OT pairs from more than a (sublinear) number q of parties. By an appropriate choice of q we can ensure that if the adversary attempts to contact the clients with more corrupted parties than the honest volunteers, then with overwhelming probability he will provoke an abort. As a desirable added feature, this technique also protects against adversaries that try to increase the overall CC by sending more or longer messages. We note in passing that such an abort seems inevitable when trying to block such a message overflow by the adversary as the adversary is rushing and can make sure that his messages are always delivered before the honest parties’ messages. The OT , is given below along with its security statement. resulting protocol, Πact OT unconditionally securely computes the funcTheorem 7. Protocol Πact tion fOT ((m0 , m1 ), b) = (⊥, mb ) with abort in the (2, n)-client/server model in the presence of an active and static (1, t)-adversary with t ≤ OT communicates (1/2 − ǫ)n, for any given 0 < ǫ < 1/2. Moreover, Πact 26 OT Protocol Πact (C = {c1 , c2 }, S = {s1 , . . . , sn }) δ 1. Every server si ∈ S locally decides to become active with probability p = logn n for a given (public) constant δ > 1. Let S̄ denote the set of active servers. 2. Every si ∈ S̄ prepares an OT pair (mi , ri ) and sends mi to c1 and ri to c2 . 3. Each ci , i ∈ {1, 2}, sends ⊥ to c2−i and aborts the protocol execution if ci was contacted by more than (1 − 16ǫ4 ) logδ n parties in the previous step. 4. If ci , i ∈ {1, 2}, received a ⊥ from c2−i in the previous step then he aborts. 5. The clients use the ℓ received OT pairs in a malicious (ℓ/2, ℓ) OT-combiner [34] to obtain a secure OT protocol. O(logδ (n)) messages, for a given constant δ > 1, except with negligible probability. Proof. Without loss of generality we can assume that adversary A corrupts T = ⌊( 21 − ǫ)n⌋ parties. Indeed, if the protocol can tolerate such an adversary then it can also tolerate any adversary corrupting t ≤ T parties. OT let S̄ denote the set of servers that would For a given execution of Πact become active if the adversary would behave semi-honestly (i.e., allow all corrupted parties to play according to the protocol). Then, each server δ s ∈ S is included in the set S̄ with probability p = logn n independently of the other servers. Thus, by application of the Chernoff bound we get that for any constant 1 < γ < 0: Pr[|S̄| ≤ (1 − γ) logδ n] < e− γ 2 logδ n 3 . For γ = 4ǫ2 he above equation implies that with overwhelming probability: |S̄| > (1 − 4ǫ2 ) logδ n. (4) Now let C ⊆ S denote the set of servers who are corrupted by the (static) adversary A. (Recall that A corrupts T = ⌊( 12 − ǫ)n⌋ parties.) For each si ∈ S̄, let Xi denote the random variable which is 1 if si ∈ C and 0 otherwise. Because the parties become OT dealers independently of the corruptions and the adversary corrupts T parties, X1 , . . . , X|S̄| are i.i.d. P|S̄| random variables with Pr[Xi = 1] = T /n. Thus, X = i=1 Xi = |S̄ ∩ C| with mean µ = |S̄|T n . By another application of the Chernoff bound we get that for any 0 < ǫ1 < 1: 27 Pr[|S̄ ∩ C| ≥ (1 + ǫ1 )µ] < e− ǫ2 1T 3 . (5) Hence, with overwhelming probability for ǫ1 = 2ǫ: T 1 1 |S̄ ∩ C| < (1 + ǫ1 ) |S̄| ≤ (1 + ǫ1 )( − ǫ)|S̄| = ( − 2ǫ2 )|S̄|. n 2 2 Therefore, again with overwhelming probability the number h of honest parties that contact each of the parties as OT dealers is: h = |S̄ \ C| ≥ (4) 1 1 2 2 + 2ǫ |S̄| > + 2ǫ (1 − 4ǫ2 ) logδ n. 2 2 (6) However, unless the honest client aborts, he accepts at most ρ = (1 + ǫ2 ) logδ n offers for dealers; therefore, the fraction of honest OT dealers among these ρ dealers is ( 1 + 2ǫ2 )(1 − 4ǫ2 ) 1 (1 + 4ǫ2 )(1 − 4ǫ2 ) 1 h > 2 = · = . 4 4 ρ 1 − 16ǫ 2 1 − 16ǫ 2 Thus, at least a 1/2 fraction of the OT vectors that an honest client OT receives is private and correct, in which case the security of protocol Πact follows from the security of the underlying OT-combiner used in the last protocol step. ⊔ ⊓ Acknowledgements. This work was done in part while the authors were visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant #CNS-1523467. The second and third authors were supported in part by NSFBSF grant 2015782 and BSF grant 2012366. The second author was additionally supported by ISF grant 1709/14, DARPA/ARL SAFEWARE award, NSF Frontier Award 1413955, NSF grants 1619348, 1228984, 1136174, and 1065276, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant. This material is based upon work supported by the DARPA through the ARL under Contract W911NF-15-C-0205. The third author was additionally supported by NSF grant 1619348, DARPA, OKAWA Foundation Research Award, IBM Faculty Research Award, Xerox Faculty Research Award, B. John Garrick Foundation Award, Teradata Research Award, and Lockheed-Martin Corporation Research Award. The views expressed are those of the authors and do not reflect the official policy or position of the DoD, the NSF, or the U.S. Government. 28 References 1. Donald Beaver. Precomputing oblivious transfer. In Don Coppersmith, editor, Advances in Cryptology — CRYPTO’ 95: 15th Annual International Cryptology Conference Santa Barbara, California, USA, August 27–31, 1995 Proceedings, pages 97–109, Berlin, Heidelberg, 1995. Springer Berlin Heidelberg. 2. Zuzana Beerliová-Trubı́niová and Martin Hirt. Efficient multi-party computation with dispute control. In Shai Halevi and Tal Rabin, editors, TCC 2006, volume 3876 of LNCS, pages 305–328. Springer, Heidelberg, March 2006. 3. Zuzana Beerliová-Trubı́niová and Martin Hirt. Perfectly-secure MPC with linear communication complexity. In Ran Canetti, editor, TCC 2008, volume 4948 of LNCS, pages 213–230. Springer, Heidelberg, March 2008. 4. Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In 20th ACM STOC, pages 1–10. ACM Press, May 1988. 5. Eli Ben-Sasson, Serge Fehr, and Rafail Ostrovsky. Near-linear unconditionallysecure multiparty computation with a dishonest minority. In Reihaneh Safavi-Naini and Ran Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, pages 663–680. Springer, Heidelberg, August 2012. 6. Elette Boyle, Kai-Min Chung, and Rafael Pass. Large-scale secure computation: Multi-party computation for (parallel) RAM programs. In Rosario Gennaro and Matthew J. B. Robshaw, editors, CRYPTO 2015, Part II, volume 9216 of LNCS, pages 742–762. Springer, Heidelberg, August 2015. 7. Elette Boyle, Shafi Goldwasser, and Stefano Tessaro. Communication locality in secure multi-party computation - how to run sublinear algorithms in a distributed setting. In Amit Sahai, editor, TCC 2013, volume 7785 of LNCS, pages 356–376. Springer, Heidelberg, March 2013. 8. Gabriel Bracha. An o(log n) expected rounds randomized byzantine generals protocol. J. ACM, 34(4):910–920, October 1987. 9. Ran Canetti. Security and composition of multiparty cryptographic protocols. Journal of Cryptology, 13(1):143–202, 2000. 10. Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. In 42nd FOCS, pages 136–145. IEEE Computer Society Press, October 2001. 11. Ran Canetti, Uriel Feige, Oded Goldreich, and Moni Naor. Adaptively secure multi-party computation. In 28th ACM STOC, pages 639–648. ACM Press, May 1996. 12. Ran Canetti and Marc Fischlin. Universally composable commitments. In Joe Kilian, editor, CRYPTO 2001, volume 2139 of LNCS, pages 19–40. Springer, Heidelberg, August 2001. 13. Nishanth Chandran, Wutichai Chongchitmate, Juan A. Garay, Shafi Goldwasser, Rafail Ostrovsky, and Vassilis Zikas. The hidden graph model: Communication locality and optimal resiliency with adaptive faults. In Tim Roughgarden, editor, ITCS 2015, pages 153–162. ACM, January 2015. 14. David Chaum, Claude Crépeau, and Ivan Damgård. Multiparty unconditionally secure protocols (extended abstract). In 20th ACM STOC, pages 11–19. ACM Press, May 1988. 15. Gil Cohen, Ivan Bjerre Damgård, Yuval Ishai, Jonas Kölker, Peter Bro Miltersen, Ran Raz, and Ron D. Rothblum. Efficient multiparty protocols via log-depth 29 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. threshold formulae - (extended abstract). In Ran Canetti and Juan A. Garay, editors, Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part II, volume 8043 of Lecture Notes in Computer Science, pages 185–202. Springer, 2013. Ronald Cramer, Ivan Damgård, and Yuval Ishai. Share conversion, pseudorandom secret-sharing and applications to secure computation. In Joe Kilian, editor, TCC 2005, volume 3378 of LNCS, pages 342–362. Springer, Heidelberg, February 2005. Ronald Cramer, Ivan Damgård, and Jesper Buus Nielsen. Multiparty computation from threshold homomorphic encryption. In Birgit Pfitzmann, editor, EUROCRYPT 2001, volume 2045 of LNCS, pages 280–299. Springer, Heidelberg, May 2001. Ivan Damgård and Yuval Ishai. Constant-round multiparty computation using a black-box pseudorandom generator. In Victor Shoup, editor, CRYPTO 2005, volume 3621 of LNCS, pages 378–394. Springer, Heidelberg, August 2005. Ivan Damgård and Yuval Ishai. Scalable secure multiparty computation. In Cynthia Dwork, editor, CRYPTO 2006, volume 4117 of LNCS, pages 501–520. Springer, Heidelberg, August 2006. Ivan Damgård, Yuval Ishai, and Mikkel Krøigaard. Perfectly secure multiparty computation and the computational overhead of cryptography. In Henri Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS, pages 445–465. Springer, Heidelberg, May 2010. Ivan Damgård and Jesper Buus Nielsen. Improved non-committing encryption schemes based on a general complexity assumption. In Mihir Bellare, editor, CRYPTO 2000, volume 1880 of LNCS, pages 432–450. Springer, Heidelberg, August 2000. Ivan Damgård and Jesper Buus Nielsen. Universally composable efficient multiparty computation from threshold homomorphic encryption. In Dan Boneh, editor, CRYPTO 2003, volume 2729 of LNCS, pages 247–264. Springer, Heidelberg, August 2003. Ivan Damgård and Jesper Buus Nielsen. Scalable and unconditionally secure multiparty computation. In Alfred Menezes, editor, CRYPTO 2007, volume 4622 of LNCS, pages 572–590. Springer, Heidelberg, August 2007. Varsha Dani, Valerie King, Mahnush Movahedi, and Jared Saia. Brief announcement: breaking the o(nm) bit barrier, secure multiparty computation with a static adversary. In Darek Kowalski and Alessandro Panconesi, editors, ACM Symposium on Principles of Distributed Computing, PODC ’12, Funchal, Madeira, Portugal, July 16-18, 2012, pages 227–228. ACM, 2012. Varsha Dani, Valerie King, Mahnush Movahedi, and Jared Saia. Quorums quicken queries: Efficient asynchronous secure multiparty computation. In Mainak Chatterjee, Jian-Nong Cao, Kishore Kothapalli, and Sergio Rajsbaum, editors, Distributed Computing and Networking - 15th International Conference, ICDCN 2014, Coimbatore, India, January 4-7, 2014. Proceedings, volume 8314 of Lecture Notes in Computer Science, pages 242–256. Springer, 2014. Matthew K. Franklin and Stuart Haber. Joint encryption and message-efficient secure computation. In Douglas R. Stinson, editor, CRYPTO’93, volume 773 of LNCS, pages 266–277. Springer, Heidelberg, August 1994. Matthew K. Franklin and Moti Yung. Communication complexity of secure computation (extended abstract). In 24th ACM STOC, pages 699–710. ACM Press, May 1992. 30 28. Juan Garay, Yuval Ishai, Rafail Ostrovsky, and Vassilis Zikas. The price of low communication in secure multi-party computation. Cryptology ePrint Archive, Report 2017/520, 2017. http://eprint.iacr.org/2017/520. 29. Daniel Genkin, Yuval Ishai, Manoj Prabhakaran, Amit Sahai, and Eran Tromer. Circuits resilient to additive attacks with applications to secure computation. In David B. Shmoys, editor, 46th ACM STOC, pages 495–504. ACM Press, May / June 2014. 30. Oded Goldreich. The Foundations of Cryptography - Volume 1, Basic Techniques. Cambridge University Press, 2001. 31. Oded Goldreich. Foundations of Cryptography: Basic Applications, volume 2. Cambridge University Press, Cambridge, UK, 2004. 32. Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game or A completeness theorem for protocols with honest majority. In Alfred Aho, editor, 19th ACM STOC, pages 218–229. ACM Press, May 1987. 33. Danny Harnik, Yuval Ishai, Eyal Kushilevitz, and Jesper Buus Nielsen. Otcombiners via secure computation. In Ran Canetti, editor, Theory of Cryptography: Fifth Theory of Cryptography Conference, TCC 2008, New York, USA, March 1921, 2008. Proceedings, pages 393–411, Berlin, Heidelberg, 2008. Springer Berlin Heidelberg. 34. Danny Harnik, Joe Kilian, Moni Naor, Omer Reingold, and Alon Rosen. On robust combiners for oblivious transfer and other primitives. In Ronald Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS, pages 96–113. Springer, Heidelberg, May 2005. 35. Martin Hirt and Ueli M. Maurer. Complete characterization of adversaries tolerable in secure multi-party computation (extended abstract). In James E. Burns and Hagit Attiya, editors, 16th ACM PODC, pages 25–34. ACM, August 1997. 36. Martin Hirt and Ueli M. Maurer. Player simulation and general adversary structures in perfect multiparty computation. Journal of Cryptology, 13(1):31–60, 2000. 37. Martin Hirt and Ueli M. Maurer. Robustness for free in unconditional multi-party computation. In Joe Kilian, editor, CRYPTO 2001, volume 2139 of LNCS, pages 101–118. Springer, Heidelberg, August 2001. 38. Martin Hirt, Ueli M. Maurer, and Bartosz Przydatek. Efficient secure multi-party computation. In Tatsuaki Okamoto, editor, ASIACRYPT 2000, volume 1976 of LNCS, pages 143–161. Springer, Heidelberg, December 2000. 39. Martin Hirt and Jesper Buus Nielsen. Upper bounds on the communication complexity of optimally resilient cryptographic multiparty computation. In Bimal K. Roy, editor, ASIACRYPT 2005, volume 3788 of LNCS, pages 79–99. Springer, Heidelberg, December 2005. 40. Martin Hirt and Vassilis Zikas. Adaptively secure broadcast. In Henri Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS, pages 466–485. Springer, Heidelberg, May 2010. 41. Wassily Hoeffding. Probability inequalities for sums of bounded random variables. Journal of the American Statistical Association, 58(301):pp. 13–30, 1963. 42. Yuval Ishai, Rafail Ostrovsky, and Vassilis Zikas. Secure multi-party computation with identifiable abort. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part II, volume 8617 of LNCS, pages 369–386. Springer, Heidelberg, August 2014. 43. Yuval Ishai, Manoj Prabhakaran, and Amit Sahai. Founding cryptography on oblivious transfer - efficiently. In David Wagner, editor, CRYPTO 2008, volume 5157 of LNCS, pages 572–591. Springer, Heidelberg, August 2008. 31 44. Markus Jakobsson and Ari Juels. Mix and match: Secure function evaluation via ciphertexts. In Tatsuaki Okamoto, editor, ASIACRYPT 2000, volume 1976 of LNCS, pages 162–177. Springer, Heidelberg, December 2000. 45. Joe Kilian. Founding cryptography on oblivious transfer. In 20th ACM STOC, pages 20–31. ACM Press, May 1988. 46. Joe Kilian. Founding crytpography on oblivious transfer. In Proceedings of the twentieth annual ACM symposium on Theory of computing, pages 20–31, New York, NY, USA, 1988. ACM. 47. Yehuda Lindell and Benny Pinkas. A proof of security of Yao’s protocol for twoparty computation. Journal of Cryptology, 22(2):161–188, April 2009. 48. Remo Meier, Bartosz Przydatek, and Jürg Wullschleger. Robuster combiners for oblivious transfer. In Salil P. Vadhan, editor, TCC 2007, volume 4392 of LNCS, pages 404–418. Springer, Heidelberg, February 2007. 49. Alessandro Panconesi and Aravind Srinivasan. Randomized distributed edge coloring via an extension of the chernoff-hoeffding bounds. SIAM J. Comput., 26(2):350–368, 1997. 50. Michael O. Rabin. How to exchange secrets with oblivious transfer. Technical Report TR-81, Aiken Computation Lab, Harvard University, 1981. 51. Tal Rabin and Michael Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). In 21st ACM STOC, pages 73–85. ACM Press, May 1989. 52. Adi Shamir. How to share a secret. Communications of the Association for Computing Machinery, 22(11):612–613, November 1979. 53. Andrew Chi-Chih Yao. Protocols for secure computations (extended abstract). In 23rd FOCS, pages 160–164. IEEE Computer Society Press, November 1982. 32

RELATED PAPERS

RELATED TOPICS

Log In

The Price of Low Communication in Secure Multi-party Computation

The Price of Low Communication in Secure Multi-party Computation