On Communication Models and Best-Achievable Security in Two-Round MPC

Goel, Aarushi; Jain, Abhishek; Prabhakaran, Manoj; Raghunath, Rajeev

doi:10.1007/978-3-030-90453-1_4

Aarushi Goel¹⁰,
Abhishek Jain¹⁰,
Manoj Prabhakaran¹¹ &
…
Rajeev Raghunath¹¹

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 13043))

Included in the following conference series:

Theory of Cryptography Conference

757 Accesses
3 Citations

Abstract

Recently, a sequence of works have made strong advances in two-round (i.e., round-optimal) secure multi-party computation (MPC). In the honest-majority setting – the focus of this work – Ananth et al. [CRYPTO’18, EC’19], Applebaum et al. [TCC’18, EC’19] and Garg et al. [TCC’18] have established the feasibility of general two-round MPC in standard communication models involving broadcast ($\mathcal {BC}$) and private point-to-point ($\mathcal {P}\mathrm {2}\mathcal {P}$) channels.

In this work, we set out to understand what features of the communication model are necessary for these results, and more broadly the design of two-round MPC. Focusing our study on the plain model – the most natural model for honest-majority MPC – we obtain the following results:

Dishonest majority from Honest majority: In the two round setting, honest-majority MPC and dishonest-majority MPC are surprisingly close, and often equivalent. This follows from our results that the former implies 2-message oblivious transfer, in many settings. (i) We show that without private point-to-point ($\mathcal {P}\mathrm {2}\mathcal {P}$) channels, i.e., when we use only broadcast ($\mathcal {BC}$) channels, honest-majority MPC implies 2-message oblivious transfer. (ii) Furthermore, this implication holds even when we use both $\mathcal {P}\mathrm {2}\mathcal {P}$ and $\mathcal {BC}$, provided that the MPC protocol is robust against “fail-stop” adversaries.
Best-Achievable Security: While security with guaranteed output delivery (and even fairness) against malicious adversaries is impossible in two rounds, nothing is known with regards to the “next best” security notion, namely, security with identifiable abort (IA). We show that IA is also impossible to achieve with honest-majority even if we use both $\mathcal {P}\mathrm {2}\mathcal {P}$ and $\mathcal {BC}$ channels. However, if we replace $\mathcal {P}\mathrm {2}\mathcal {P}$ channels with a “bare” (i.e., untrusted) public-key infrastructure ($\mathcal {PKI}$), then even security with guaranteed output delivery (and hence $\texttt {IA} $) is possible to achieve.

These results “explain” that the reliance on $\mathcal {P}\mathrm {2}\mathcal {P}$ channels (together with $\mathcal {BC}$) in the recent two-round protocols in the plain model was in fact necessary, and that these protocols couldn’t have achieved a stronger security guarantee, namely, $\texttt {IA} $. Overall, our results (put together with prior works) fully determine the best-achievable security for honest-majority MPC in different communication models in two rounds. As a consequence, they yield the following hierarchy of communication models:

$$\begin{aligned} \mathcal {BC}< \mathcal {P}\mathrm {2}\mathcal {P}< \mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}< \mathcal {BC}+\mathcal {PKI}. \end{aligned}$$

This shows that $\mathcal {BC}$ channel is the weakest communication model, and that $\mathcal {BC}+\mathcal {PKI}$ model is strictly stronger than $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ model.

Access provided by Autonomous University of Puebla. Download conference paper PDF

Minimizing Setup in Broadcast-Optimal Two Round MPC

Broadcast-Optimal Two-Round MPC

Guaranteed Output Delivery Comes Free in Honest Majority MPC

1 Introduction

Recently, a sequence of works [1,2,3,4, 9, 12, 18, 19, 30] have made strong advances in two-round secure multi-party computation (MPC). These works have established the feasibility of general two-round (i.e., round-optimal) MPC, relying on essentially minimal computational assumptions.

Such round optimality is of both theoretical and practical interest. In particular, it opens up the possibility of using MPC in scenarios where more rounds of interaction leads to significant costs, or in tools where a third round is simply inadmissible (e.g., if the communication is over blockchains, or if the first round messages are to be interpreted as “public keys” used to create “ciphertexts” in the second round). On the theoretical front, the separation between 1, 2 or more round protocols is arguably as fundamental as the separation between minicrypt, cryptomania or obfustopia, in that they admit only some cryptographic tools and not others. Indeed, the round complexity of protocols (e.g., of zero-knowledge proofs [23] and MPC) has always been a central theoretical question.

The practical and theoretical significance of round complexity is intertwined with the specific communication models employed. There are two major models of communication channels – broadcast ($\mathcal {BC}$) channels and secure point-to-point ($\mathcal {P}\mathrm {2}\mathcal {P}$) channels – that have been central in the MPC literature, starting from early results in the multi-party setting [8, 11, 21, 31]. In the honest-majority setting – the focus of this work – these channels can provide varying “powers”: e.g., $\mathcal {P}\mathrm {2}\mathcal {P}$ channels are necessary for achieving information-theoretic security [8, 11], and broadcast channels are necessary for achieving security against $t>n/3$ corruptions [17]. They can also provide different use cases, e.g., a protocol that solely uses $\mathcal {BC}$ would be applicable in scenarios where, say, the first round messages are to be interpreted as public keys.

Our Work. The focus of this work is on understanding the role of these channels in the two-round setting with honest majority, where their differences come into sharper contrast. We ask:

That is, we seek to understand the best-achievable security and the necessary assumptions in different communication models. We focus our study on the plain model – the most natural model for honest-majority MPC.^{Footnote 1} We sometimes augment our model to include a “bare” (i.e., untrusted) public-key infrastructure (PKI) as a means for emulating $\mathcal {P}\mathrm {2}\mathcal {P}$ channels over $\mathcal {BC}$.^{Footnote 2} Throughout this work, we use $\mathcal {PKI}$ to refer to a bare PKI setup.

Background on Security Notions. Before presenting our results, we provide a brief discussion on the prominent security notions studied in the literature. The weakest of them all is semi-honest (SH) security that guarantees privacy against semi-honest (a.k.a. honest but curious) adversaries. The case of malicious adversaries is more complex, and a variety of security notions have been studied.^{Footnote 3}

Security with abort: A suite of three increasingly stronger security notions allows a malicious adversary to prevent the honest parties from learning the output by prematurely aborting the protocol: (a) selective abort (SA), where the adversary may selectively force a subset of honest parties to abort,(b) unanimous abort (UA), where all the honest parties agree on whether or not to abort, and (c) identifiable abort (IA) [29], where the honest parties agree on the identity of a corrupted party in the case of an abort.
Security with guaranteed output delivery: Security with guaranteed output delivery ensures that an adversary cannot prevent the honest parties from learning the output via premature aborts. This notion is meaningful, both against fully malicious adversaries, and fail-stop adversaries who behave like semi-honest adversaries, except that they may prematurely abort. We refer to security in these two cases as M-GoD and FS-GoD, respectively.

The relationship between all of these notions can be summarized as follows: $\texttt {SH}< \texttt {SA}< \texttt {UA}< \texttt {IA} < \texttt {M-GoD} $, and $\texttt {SH}<\texttt {FS-GoD} < \texttt {M-GoD} $ (note that FS-GoD is incomparable to SA, UA and IA).

Summary of Our Contributions. We start by providing a high-level statement of the key conclusions from our study, while omitting some finer points and results. We sketch an overview (omitting the specifics of the computational assumptions involved) in Fig. 1, which shows how our results fill in the gaps from prior work with regards to the feasibility of different security notions. A detailed description of our results in different communication models is given in Sect. 1.1.

Necessity of Oblivious Transfer: While honest-majority MPC without any round restrictions is possible information-theoretically, our first set of results show that in many cases two-round MPC implies the existence of a two-message two-party oblivious transfer (OT) protocol:
- When the two-round honest-majority MPC protocol is over a $\mathcal {BC}$ channel only (no $\mathcal {P}\mathrm {2}\mathcal {P}$ channels), then it implies a two-message OT protocol. If the original MPC protocol is semi-honest or malicious secure, and if it is in the plain model or uses a setup like a common reference string, the OT protocol inherits the same properties.
- Even if the honest-majority MPC protocol uses both a $\mathcal {BC}$ channel and $\mathcal {P}\mathrm {2}\mathcal {P}$ channels, if it offers $\texttt {FS-GoD} $ security, then it implies two-message semi-honest OT. Interestingly, this holds only when the corruption threshold is $n/3\le t<n/2$; for $t<n/3$, we show that minicrypt assumptions are in fact sufficient.
Equivalence of Honest Majority and Dishonest Majority: An interesting consequence of the first of the above results is that it removes the qualitative difference between honest-majority and dishonest-majority in the two-round $\mathcal {BC}$-only setting. Specifically, in the semi-honest setting, an honest-majority protocol implies two-message semi-honest OT, which in turn implies two-round dishonest-majority MPC [9, 19]. On the other hand, in the malicious adversary setting, two-message OT is impossible in the plain model, and it follows that achieving malicious security is impossible in the honest-majority setting without $\mathcal {P}\mathrm {2}\mathcal {P}$ channels (as was already known for dishonest majority [22]). In other words, removing $\mathcal {P}\mathrm {2}\mathcal {P}$ channels “strips off” the advantages of the honest-majority model and places it on equal footing with dishonest-majority MPC – both in terms of necessary assumptions and feasibility.
Best-Achievable Security: In the plain model, $\texttt {M-GoD} $ and fairness are known to be impossible in two rounds even in the $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ setting [20, 30].^{Footnote 4} Yet, nothing is known with regards to the “next best” security notion, namely, IA. We first prove that $\texttt {IA} $ is also impossible in the plain model in the $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ setting. However, if we replace $\mathcal {P}\mathrm {2}\mathcal {P}$ channels with a bare $\mathcal {PKI}$ setup, then we observe that $\texttt {M-GoD} $ (and hence, fairness and $\texttt {IA})$ is in fact possible. Previously, two-round protocols achieving $\texttt {M-GoD} $ relied on a CRS setup in addition to bare $\mathcal {PKI}$ [24].

These results “explain” that the reliance on $\mathcal {P}\mathrm {2}\mathcal {P}$ channels (together with $\mathcal {BC}$) in the recent constructions of two-round honest-majority MPC protocols [1,2,3,4, 18, 30] was in fact necessary, and that these protocols couldn’t have achieved the stronger security guarantee of $\texttt {IA} $ or achieved security with $\texttt {FS-GoD} $ under weaker assumptions.

Overall, our results (put together with prior works) fully determine the best-achievable security notions in different communication models in two rounds in the honest-majority setting. Referring to Fig. 1, we obtain the following hierarchy of communication models:

$$\begin{aligned} \mathcal {BC}\;<\; \mathcal {P}\mathrm {2}\mathcal {P}\;<\; \mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}\;<\; \mathcal {BC}+\mathcal {PKI}. \end{aligned}$$

This shows that $\mathcal {BC}$ channel is the weakest communication model, and that $\mathcal {BC}+\mathcal {PKI}$ model is strictly stronger than $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ model.

1.1 Our Results in Detail

We conduct a comprehensive study of the role of communication channels in two-round honest-majority MPC. There are four natural communication models that one can consider: (i) $\mathcal {BC}$ only, i.e., where the protocol only uses $\mathcal {BC}$ channels, (ii) $\mathcal {P}\mathrm {2}\mathcal {P}$ only, i.e., where the protocol only uses $\mathcal {P}\mathrm {2}\mathcal {P}$ channels, (iii) $\mathcal {BC}+ \mathcal {P}\mathrm {2}\mathcal {P}$, where protocol uses both $\mathcal {BC}$ and $\mathcal {P}\mathrm {2}\mathcal {P}$ channels, and (iv) $\mathcal {BC}+ \mathcal {PKI}$, where we replace $\mathcal {P}\mathrm {2}\mathcal {P}$ channels with a “bare” public-key infrastructure. Out of these four, the $\mathcal {P}\mathrm {2}\mathcal {P}$ only model is already pretty well-understood from prior work. Hence, we primarily focus on the remaining three models.

For each of these models, we obtain new results for two-round honest-majority MPC that we elaborate on below. See Fig. 2 for a summary.

I.
Broadcast only. We first investigate the feasibility of two-round honest-majority MPC without $\mathcal {P}\mathrm {2}\mathcal {P}$ channels, i.e., by relying only on $\mathcal {BC}$. In this model, we show that two-round honest-majority MPC is equivalent to two-round dishonest-majority MPC. In other words, without $\mathcal {P}\mathrm {2}\mathcal {P}$ channels, achieving security against dishonest minority is as hard as against dishonest majority.

Specifically, we show that any two-round honest-majority MPC for general functions in the $\mathcal {BC}$ only model can be transformed into two-round oblivious transfer (OT). Starting with an MPC with SH security yields semi-honest OT (sh-OT), while starting with one with SA (or stronger malicious) security yields malicious-receiver OT (mR-OT), where the view of a malicious receiver can be simulated.

Overall, in Sect. 4, we establish that sh-OT (resp., mR-OT) is necessary for SH (resp., SA, UA, IA), thereby yielding the following corollaries:

SA, UA and IA are impossible in the plain model. This follows from the impossibility of two-round mR-OT in the plain model. Recently, two-round honest-majority MPC protocols with SH [1,2,3, 18], SA [2, 4] and UA [1, 2, 4] security were constructed for general circuits based on one-way functions (OWF) and for $\mathbf {NC}^1$ circuits unconditionally, i.e., with information-theoretic (IT) security. These protocols use (only) $\mathcal {P}\mathrm {2}\mathcal {P}$ channels for achieving SH and SA security, and $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ channels for achieving UA security. The above result establishes that the reliance on $\mathcal {P}\mathrm {2}\mathcal {P}$ channels in these protocols is necessary.
We observe that our transformation in fact also works in the CRS model. In the CRS model, two-round dishonest-majority MPC with SA and UA security was established in [9, 19] based on mR-OT.^{Footnote 5} Recently, [12] extended these results to also capture IA security. A natural question is whether one could obtain similar feasibility results in the CRS model from weaker assumptions by assuming an honest majority. We establish that this is not the case; in particular, $\textsf {mR-OT} $ is necessary even when we assume an honest majority.

II.
Broadcast + P2P. We next investigate how the above landscape changes when we use $\mathcal {P}\mathrm {2}\mathcal {P}$ channels together with $\mathcal {BC}$. Recent works have already shown that SH, SA, UA and FS-GoD are achievable in this model. Our contribution here is in providing a more complete picture, both with regards to best-achievable security and the necessary computational assumptions.

1.
Identifiable Abort. In light of the impossibility of $\texttt {M-GoD} $ (as well as fairness), we investigate the feasibility of the “next best” security notion, namely, IA for which no prior results are known in the two-round setting (without trusted setup). In Sect. 5.1, we show that IA is impossible to achieve for general honest majority even in the $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ model.^{Footnote 6} This separates it from UA for which positive results are known in this model [1, 2, 4, 30].
2.
Fail-Stop Guaranteed Output Delivery. On the one hand, FS-GoD is known to be impossible in two rounds in the $\mathcal {BC}$ only model [24] due to implications to general-purpose program obfuscation [7]. On the other hand, it was recently shown to be achievable in the $\mathcal {P}\mathrm {2}\mathcal {P}$ only model based on sh-OT [1] for any $t<n/2$. A natural question is whether it is possible to base it on weaker assumptions, possibly in the stronger $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ model. We find that the answer is mixed:
- For $n/3 \le t < n/2$, in Sect. 5.2, we show that sh-OT is necessary for FS-GoD in the $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ model.
- For $t<n/3$, in Sect. 5.2, we observe that FS-GoD can be easily achieved for general circuits based on only OWFs (and for $\mathbf {NC}^1$ circuits, with IT security) in the $\mathcal {P}\mathrm {2}\mathcal {P}$ only model.

III.
Broadcast + PKI. Next, we consider the case where the protocol uses a bare $\mathcal {PKI}$ setup instead of $\mathcal {P}\mathrm {2}\mathcal {P}$ channels, together with $\mathcal {BC}$. It is easy to see that $\mathcal {BC}+\mathcal {PKI}$ model is at least as strong as $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ since private channels can be emulated over $\mathcal {BC}$ using public-key encryption (PKE). While it might be tempting to believe that these models are equivalent, this is not the case – $\mathcal {BC}+\mathcal {PKI}$ model is strictly stronger than $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$.

In Sect. 6, we observe that by leveraging a specially crafted bare $\mathcal {PKI}$, it is possible to achieve $\texttt {M-GoD} $ against $t<n/2$ corruptions in two rounds in the $\mathcal {BC}+\mathcal {PKI}$ model.
In the full version of this paper, we show that by using a bare $\mathcal {PKI}$ based on generic PKE, it is possible to achieve $\texttt {IA} $ against $t<n/2$ corruptions in two rounds in the $\mathcal {BC}+\mathcal {PKI}$ model.

Both of these constructions rely on multi-CRS non-interactive zero-knowledge (m-NIZK) [25] proofs in addition to $\textsf {PKE}$. m-NIZK proof systems for NP are known based on Zaps [15] (which in turn can be constructed from various standard assumptions such as trapdoor permutations and assumptions on bilinear maps) or learning with errors [6].

We note that while the first protocol achieves a strictly stronger result, it is qualitatively different from the second in that it relies on a specially crafted bare $\mathcal {PKI}$ setup where the public keys contain CRSes of an m-NIZK proof system in addition to public keys of a PKE scheme. On a technical level, such a $\mathcal {PKI}$ allows for using m-NIZK proofs in the first round of the protocol which is instrumental for achieving M-GoD security. Without such a $\mathcal {PKI}$, however, we can still use m-NIZK proofs in the second round and we observe that this is sufficient for achieving IA security.

IV.
P2P Only. The remaining case is when the parties have access to only P2P channels. A recent work of [30] established SA as the strongest achievable notion of security against malicious adversaries in this setting, and a matching positive result for computing general circuits was given by [2, 4] based on OWFs (and for $\mathbf {NC}^1$ circuits, with IT security). For FS-GoD, [1] showed that it is achievable for $t<n/2$ based on sh-OT. We have further sharpened this result by showing that for $t<n/3$, OWFs suffice, and for $n/3 \le t < n/2$, sh-OT is necessary. Put together, these results complete the picture for the $\mathcal {P}\mathrm {2}\mathcal {P}$ only model as well.

1.2 Related Work

In this work, we show that any form of malicious security is impossible in the $\mathcal {BC}$ only setting in the plain model. In the CRS model, however, $\texttt {SA} $, $\texttt {UA} $ and $\texttt {IA} $ are possible to achieve in the $\mathcal {BC}$ only setting [9, 12, 19].

In a concurrent and independent work, Damgård et al. [14], explore a related (but different) question in the setting where parties have access to both a $\mathcal {PKI}$ and a trusted CRS setup. They investigate the necessity of $\mathcal {BC}$ in each individual round of a two-round honest-majority MPC protocol. In contrast, we consider a setting without any trusted setup (i.e., either the plain model or the plain model augmented with a bare $\mathcal {PKI}$). Hence, their results are incomparable to ours.

2 Technical Overview

In this section, we discuss the main ideas underlying our results.

2.1 Lower Bounds in the $\mathcal {BC}$ only Model

In the $\mathcal {BC}$ only model, we show that 2-round honest-majority MPC implies the existence of 2-message oblivious transfer ($\textsf {sh-OT} $ or $\textsf {mR-OT} $, depending on the level of security of the honest-majority MPC). This is in sharp contrast to the general setting, where without any restriction on the number of rounds or communication channels, honest-majority MPC (even with M-GoD security) is possible unconditionally.

To understand the source of this requirement, we consider an n-party variant of $\mathsf {OT}$, denoted as $\mathcal {F}_{n\text {-}\mathsf {OT}}$, in which there is a sender, a receiver, and $(n-2)$ “helper parties” (who do not have any inputs or outputs). Interestingly, by relying on $\mathcal {P}\mathrm {2}\mathcal {P}$ channels, $\mathcal {F}_{n\text {-}\mathsf {OT}}$ can be securely realized (with $\texttt {SH} $ security) unconditionally in two rounds.^{Footnote 7} Further, even if we only use $\mathcal {BC}$ channels but allow for at least three rounds, then public-key encryption (rather than OT) is sufficient, by using the first round to send public keys for establishing private channels for the next two rounds. Thus the necessity of OT must stem from the combination of the two-round constraint and the restriction to $\mathcal {BC}$.

Our strategy is to build a two-message (two-party) OT protocol from an honest-majority two-round protocol $\varPi $ for $\mathcal {F}_{n\text {-}\mathsf {OT}}$, in the $\mathcal {BC}$ model. In this section, we only consider $n=3$ (with the sender, the receiver and a single helper party), so that honest-majority translates to corruption of at most one party. The proof easily generalizes to an arbitrary number of parties and is shown in the technical section.

As a first attempt, one may hope that the helper party – who has no input and receives only publicly visible messages – can be implemented by either party (thus collapsing to a 2-party protocol), and the protocol will remain secure. Unfortunately, this is not true. For instance, suppose the receiver and the helper also broadcast a public key for encryption in the first round, and the sender’s second round message also includes a 2-out-of-2 secret-sharing of its inputs, each share encrypted using one of these keys. In such a case, corrupting at most one party in $\varPi $ does not reveal these inputs, but if the helper is implemented by the receiver, then the protocol is no longer secure. This attack is symmetric, and prevents clubbing the helper with either the sender or the receiver. On the other hand, the sender and the receiver jointly implementing the helper in a secure manner is not an option, as it leaves us with a harder problem than we set out to solve.

The key to resolving this conundrum is to break the symmetry between the receiver and the sender. We observe that $\varPi $ can first be modified so that the receiver does not send any message in the second round. This is a legitimate modification, since the last round messages are only used for output generation, and the receiver is the only party with an output in the protocol. This modification to $\varPi $ prevents the attack mentioned above when the helper is implemented by the sender. We go on to show that this in fact, leads to a protocol that is secure against all passive attacks. Clearly, security against corruption of the receiver follows from the same in $\varPi $. Security against corruption of the sender follows, informally, from the fact that even in $\varPi $, by corrupting the sender alone, the adversary can obtain the same view as in the transformed 2-party protocol, by internally simulating the helper party. Specifically, since the honest receiver never responds to the helper’s messages, the internally simulated helper’s view can be combined with the independently generated message of the receiver to obtain a valid simulation.

Thus the transformed protocol is a semi-honest secure 2-party OT protocol (i.e., $\textsf {sh-OT} $). Further, it can be cast as a two message protocol:

Round 1: The first message from the receiver consists of its first round message in $\varPi $.
Round 2: The second message from the sender consists of both first and second round messages from the sender and the helper in $\varPi $.

Note that we are able to “postpone” the first round messages of the sender and helper in $\varPi $ to the second message of OT because an honest receiver is non-rushing; i.e., its first round message does not depend on the messages of the other parties.

This argument partly extends to the case when $\varPi $ is secure against active corruptions. In this case, the transformed protocol will have the same security as $\varPi $ against the corruption of the receiver, but only security against semi-honest corruption of the sender. When $\varPi $ is secure w.r.t. straightline simulation (which is standard for security with honest majority) this yields a 2-party, 2-round OT protocol that is secure against passive corruption of senders, and active corruption of receivers, with straightline simulation in the latter case. We term such a protocol an $\textsf {mR-OT} $ protocol.

These arguments readily extend to all $n\ge 3$. Thus two-round n-party honest-majority MPC over $\mathcal {BC}$ channels implies two-round $\textsf {sh-OT} $ or two-round $\textsf {mR-OT} $, depending on the security level of the honest-majority protocol. In the latter case, we obtain an impossibility result for MPC in the plain model, by proving the impossibility of two-round $\textsf {mR-OT} $ protocol (in the plain model), similar to the impossibility of UC security in the plain model. We give a formal proof in Sect. 4.

2.2 $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ Model

Impossibility of $\texttt {IA} $ in $\boldsymbol{\mathcal {BC}} \boldsymbol{+} \boldsymbol{\mathcal {P}\mathrm {2}\mathcal {P}}$ Model. We next describe our ideas for proving the impossibility of 2-round honest-majority MPC with $\texttt {IA} $ security in the $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ model, without any setup. We focus on the case of $n=3$ parties and $t=1$ corruption.

From our first lower bound, we know that security with $\texttt {IA} $ is impossible in two-rounds in the $\mathcal {BC}$ only model. In general, access to $\mathcal {P}\mathrm {2}\mathcal {P}$ channels can often help in overcoming such impossibilities. Indeed, recent two-round protocols [1, 2, 4] that achieve $\texttt {SA}/\texttt {UA} $ security crucially rely on the use of $\mathcal {P}\mathrm {2}\mathcal {P}$ channels. An obvious advantage of using $\mathcal {P}\mathrm {2}\mathcal {P}$ channels in the honest majority setting is “easy” (straight-line) extraction of the adversary’s inputs during simulation. However, there is also a potential disadvantage: an adversary may use $\mathcal {P}\mathrm {2}\mathcal {P}$ channels to create inconsistent views amongst the honest parties. For example, it may send honestly computed messages to one honest party, but not to the other.

While such attacks can usually be handled (by requiring the honest parties to output $\bot $ by default in case of any conflict or confusion) when we only require $\texttt {SA} $ or $\texttt {UA} $ security, it becomes a challenge in achieving $\texttt {IA} $ security. Recall that in $\texttt {IA} $, if the honest parties output $\bot $, they must also be able to identify a corrupt party. In a two round protocol, even if an honest party – who does not receive a “valid” message in the first round from the adversary – tries to complain to another honest party in the second round, the latter party is left in a dilemma about whether the complaint is legitimate or fabricated (to frame the other party). As a result, it is unable to decide who amongst the other two parties is actually corrupt. This observation forms the basis of our impossibility result.

Consider a 3-party functionality $\mathcal {F}$ that takes inputs $b\in \{0,1\}$ from $P_2$ and $(x_0,x_1)$ from $P_3$ and outputs $x_b$ to $P_1$. That is, $\mathcal {F}(\bot ,b,(x_0,x_1)) = (x_b,\bot ,\bot )$. Consider an adversary who corrupts $P_2$ in the following manner: it behaves honestly, except that it does not send any protocol specified private channel message to $P_1$ (i.e., simply drops them).^{Footnote 8} We argue that no protocol can achieve $\texttt {IA} $ security against such an attack.

In particular, we argue that in this case, the honest parties can neither output $\bot $ nor a non-$\bot $ value. As discussed earlier, if the honest parties output $\bot $, they must also be able to identify the corrupt party. However, $P_3$’s view in this case is indistinguishable from another execution where a corrupt $P_1$ falsely accuses an honest $P_2$ of not sending private channel messages. It is easy to see that this inherent “conflict” for $P_3$ about who amongst $P_1$ and $P_2$ is the corrupt party is impossible to resolve. Hence, the output of the honest parties cannot be $\bot $.

This leaves the possibility of the output being non-$\bot $. Consider $P_2$ using an input b in the protocol execution. In case the output of the honest parties is a non-$\bot $ value, there are two possible outcomes, corresponding to what a simulator extracts as $P_2$’s input: (1) the simulator extracts b with probability (almost) 1 or (2) with at least a non-negligible probability, it extracts $1-b$.

In the first case, note that the simulator’s view of $P_2$’s messages only involves messages visible to $P_3$. Then, since the simulator is a straight-line simulator, and the protocol is in the plain model, a corrupt $P_3$ can violate privacy by running the same simulator to extract an honest $P_2$’s input. Hence this case is not possible.
In the second case, consider another instance where $P_1$ is corrupt, while $P_2$ and $P_3$ are honest. Consider an execution where $P_1$ follows the protocol honestly and learns the output $x_b$. Later it launches an “offline reset attack,” by recomputing its second round messages pretending that it did not receive a message from party $P_2$ in the first round. Upon recomputing the output using this alternate view (where $P_2$’s private messages were not received), it learns, with non-negligible probability, $x_{1-b}$. Hence, $P_1$ can distinguish between the case $x_0=x_1$ and $x_0\ne x_1$ with a non-negligible advantage, thereby violating $P_3$’s privacy. Hence, this case is also not possible.

We present a formal proof in Sect. 5.1.

Necessity of sh-OT for FS-GoD in the $\boldsymbol{\mathcal {BC}} \boldsymbol{+} \boldsymbol{\mathcal {P}\mathrm {2}\mathcal {P}}$ Model. In the $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ model, we show that 2-round honest-majority that achieves $\texttt {FS-GoD} $ security implies the existence of 2-message $\textsf {sh-OT} $. This implication holds for $n/3 \le t <n/2$; for $t<n/3$, we describe a simple $\texttt {FS-GoD} $ protocol in the technical sections based on weaker assumptions.

Recall that in the transformation from a two-round $\mathcal {BC}$ only protocol for $\mathcal {F}_{3\text {-}\mathsf {OT}}$ to a secure protocol for $\mathsf {OT}$ (discussed in Sect. 2.1), the sender implements the helper party. Security against a semi-honest sender follows from the fact that in the $\mathcal {BC}$ only model, the view of an adversary who corrupts the sender and the helper in the transformed protocol is no different from the view of an adversary who only corrupts the sender in the original protocol. It is easy to see that this argument fails (even in the semi-honest setting) when the protocol additionally uses $\mathcal {P}\mathrm {2}\mathcal {P}$ channels. Consider, for example, the case where the receiver is required to send a private message to the helper in the first round. An adversary who corrupts both the sender and the helper now gets this additional information, which it does not get by corrupting the sender alone. Indeed, since two-round protocols [1,2,3,4, 18] that achieve security with $\texttt {SA} $ or $\texttt {UA} $ in the $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ model are already known, we know that the above approach must fail.

Our key insight is that if the two-round protocol achieves FS-GoD security, then it means that some private channel messages are “redundant,” and can be removed if one only cares about security against semi-honest adversaries. This observation allows us to start with a “truncated” version of the underlying FS-GoD protocol (which only achieves SH security) and then use a similar strategy as in Sect. 2.1 to construct two-message sh-OT. We first focus on the setting with $n=3$ parties and $t=1$ corruption. Later we discuss how this argument can be extended for arbitrary n and $n/3\le t<n/2$.

As earlier, we consider the functionality $\mathcal {F}_{3\text {-}\mathsf {OT}}$ involving a sender, a receiver and a helper party. Let $\varPi $ be a 3-party protocol for this functionality with $\texttt {FS-GoD} $ security. Note that $\texttt {FS-GoD} $ security implies that even if the helper does not send its second round message, the protocol must still remain (at the very least) semi-honest secure. Furthermore, if the helper is not required to send any messages in the second round, the sender and receiver do not need to send any messages to the helper in the first round (except the broadcast channel messages, which are received by everyone). Combining these observations with the observation from Sect. 2.1 that the receiver (by virtue of being the only output party) does not need to send a message in the second round, and that the sender and helper can send all their messages in the second round, we obtain the following two-message protocol:

Round 1: The receiver computes and sends its first round broadcast message and its private message for the sender.
Round 2: The sender computes and sends its first and second round broadcast messages and its private channel messages for the receiver. It also computes and sends the first round broadcast message and the private channel message of the helper for the receiver.

Security against a semi-honest sender and receiver in the transformed $\mathsf {OT}$ protocol can be argued similarly as before, although we need to be slightly more careful in handling private channel messages of each party in the underlying three-party protocol.

The above idea can be generalized to n parties and $n/3\le t<n/2$ corruptions for the n-party functionality $\mathcal {F}_{n\text {-}\mathsf {OT}}$ (described earlier). In this case, the first 2t parties are emulated by the sender and the remaining $n-2t$ are emulated by the receiver. Since $n/3\le t<n/2$, we know that $n-2t\le t$. Security against a semi-honest receiver in this case follows exactly as before. For security against a semi-honest sender, we rely on the fact that since t out of the 2t parties emulated by the sender do not send second round messages, the receiver parties do not need to send them private channel messages in the first round. We can now rely on the semi-honest security of (the truncated version of) $\varPi $ to show that an adversary who corrupts the sender does not gain any more advantage over an adversary who corrupts the first t parties in $\varPi $. We defer further details to Sect. 5.2.

2.3 $\mathcal {BC}+\mathcal {PKI}$ Model

Positive Result for $\texttt {M-GoD} $. There exist two-round $\texttt {M-GoD} $ protocols in the $\mathcal {BC}+\mathcal {PKI}$ model that rely on a trusted CRS setup [24]. We observe that there is simple way to eliminate the centralized CRS setup.

The CRS setup in existing two-round $\texttt {M-GoD} $ protocols is only used for NIZK proofs. In the honest majority setting, it is easy to verify that standard $\mathsf {NIZK}$s can be replaced with multi-CRS $\mathsf {NIZK}$s (m-NIZKs) [25], where the setup consists of multiple CRS strings (as opposed to a single CRS) and soundness holds as long as a majority of the CRS are honestly generated. Our key observation is that a multi-CRS setup can in fact be embedded inside the bare $\mathcal {PKI}$ setup: start with any bare $\mathcal {PKI}$ setup and modify it such that the public key of each party also includes a CRS for a $\textsf {m-NIZK}$. This is still a valid bare $\mathcal {PKI}$ setup since the adversary in $\textsf {m-NIZK}$ is allowed to choose its CRSes adaptively after looking at the honest parties’ CRSes. Putting this together, we obtain a 2-round $\texttt {M-GoD} $ protocol in the $\mathcal {PKI}+ \mathcal {BC}$ model.

By using the same observation, the three-round $\texttt {M-GoD} $ protocol of Ananth et al. [1] in the plain model can also be transformed into a two-round protocol in the $\mathcal {BC}+\mathcal {PKI}$ model by moving the entire first round of their protocol to a bare $\mathcal {PKI}$ setup. For the sake of completeness, in Sect. 6, we give a formal description of the resulting two-round $\texttt {M-GoD} $ protocol. We in fact present a transformation from any two-round (semi-malicious) $\texttt {FS-GoD} $ protocol in the $\mathcal {BC}+\mathcal {PKI}$ model (which is known from [1]) into a two-round $\texttt {M-GoD} $ protocol using $\textsf {m-NIZK}$s.

Positive Result for $\texttt {IA} $. The above $\texttt {M-GoD} $ protocol also implies a two-round protocol for $\texttt {IA} $ in the $\mathcal {BC}+\mathcal {PKI}$ model and complements the $\texttt {IA} $ impossibility result from Sect. 2.2. However, the protocol uses a specially crafted $\mathcal {PKI}$ where the public keys contain CRSes of an m-NIZK proof system in addition to public keys of a PKE scheme.

We present a separate protocol for $\texttt {IA} $ in the $\mathcal {BC}+\mathcal {PKI}$ model, where the $\mathcal {PKI}$ can be instantiated from generic PKE. We obtain this protocol by devising a generic transformation from any two-round $\texttt {UA} $-secure protocol in the $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ model that achieves perfect correctness to a two-round $\texttt {IA} $-secure protocol in the $\mathcal {BC}+\mathcal {PKI}$ model.

Given a two-round protocol $\varPi $ that achieves security with UA in the $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ model, a natural idea to strengthen its security to IA (in the $\mathcal {BC}+\mathcal {PKI}$ model) is to simply require each party to prove honest behavior using the standard “commit and prove” approach: the parties encrypt their private channel messages under the public-keys of the recipient parties, broadcast them in the first round and attach a proof of having computed all of these messages honestly in each round. If a party cheats, then its proof will fail verification, and all the honest parties will be able to identify that corrupt party. While this idea can be easily implemented using $\mathsf {NIZK}$s, it would result in a protocol in the CRS model.

Since we are in the honest majority setting, we can attempt to replace standard $\mathsf {NIZK}$s with multi-CRS $\mathsf {NIZK}$s (m-NIZKs) [25]. In our setting, the CRS strings can be generated by the parties in the first round of the protocol and the honest majority assumption implies that a majority of the CRS are computed honestly. Using m-NIZKs, the parties can still prove honest behavior in the second round of the protocol. However, a proof of honest behavior in the first round can no longer be sent in the first round itself (since the CRS strings are not known at that point); instead it can only be sent (belatedly) in the second round. In this case, we need to ensure that it is not “too late” for the honest parties to detect and identify a cheating party.

We implement this idea in the following manner. If the parties are able to compute their second round messages – given the first round messages from all the other parties – they give a single proof in the second round to prove that they computed all their (first and second round) messages honestly.

In case a corrupt party does not compute and encrypt its first round private channel messages honestly, there are two possibilities: (1) the honest recipient of the malformed private message is able to detect that the message is not “well-formed” (e.g. if the message is an empty string or it does not satisfy the syntax specified by underlying protocol, etc.) and is unable to use this message to compute its second round message, or (2) the honest recipient does not detect any issues with the message and is able to compute its second round message as per the specification of the underlying protocol. We handle these two scenarios differently.

In the first case, the recipient party simply reveals the decrypted malformed message to all other parties in the second round and gives a proof to convince them that its (respective) public key was honestly generated and that the corrupt party did indeed send them an encryption of this malformed message. Given the decrypted message, the remaining parties can perform the same (public) verification as the recipient party to determine whether or not the message is well-formed and identify the corrupt party. In the second case, we will rely on the soundness of the proof given by the corrupt party. In case the corrupt party did not encrypt its first round private channel messages honestly, it will not be able to give a convincing proof in the second round, and will be easily identified. The formal description of this construction is deferred to the full-version of this paper.

3 Preliminaries

Throughout the paper, we use $\lambda $ to denote the security parameter. We recall some standard cryptographic definitions in this section. Apart from this, we also use the standard definitions of public key encryption and the different security notions in secure multiparty computation. We omit their definitions here.

3.1 Oblivious Transfer (OT)

In this paper, we consider the standard notion of 1-out-of-2 oblivious transfer [16]; where one party (the sender) has inputs $(m_0, m_1)$ in some domain (say $\{0,1\}^*$), and another party (the receiver) has a choice bit $b\in \{0,1\}$. At the end, the receiver should learn $m_b$ and nothing more while the sender should learn nothing about b.

We consider two variants of this $\mathsf {OT}$ protocol, a semi-honest version called sh-OT and one that is secure against a malicious receiver called mR-OT. For mR-OT, we require an efficient straight-line simulator for a maliciously corrupt receiver.

We define the syntax and the security guarantees of a two-message $\mathsf {OT}$ protocol in the plain model. The definition can be naturally extended to the CRS model.

Definition 1

(2 Message $\mathsf {OT}$). A two-message oblivious transfer between a receiver R and a sender S is defined by a tuple of 3 PPT algorithms $(\mathsf {OT}_R,\mathsf {OT}_S,\mathsf {OT}_\mathsf {out})$. Let $\lambda $ be the security parameter. The receiver computes $\mathsf {msg}_R,\rho $ as the evaluation of $\mathsf {OT}_R(1^\lambda , b)$, where $b\in \{0,1\}$ is the receiver’s input. The receiver sends $\mathsf {msg}_R$ to the sender. The sender computes $\mathsf {msg}_S$ as the evaluation of $OT_S(1^\lambda ,\mathsf {msg}_R,(m_0, m_1))$, where $m_0,m_1 \in \{0, 1\}^*$ are the sender’s input. The sender sends $\mathsf {msg}_S$ to the receiver. Finally the receiver computes $m_b$ by evaluating $OT_\mathsf {out}(\rho ,\mathsf {msg}_R,\mathsf {msg}_S)$.

A sh-OT protocol satisfies correctness, security against semi-honest receiver and semi-honest sender, while a mR-OT satisfies correctness, security against semi-honest sender and malicious receiver, which are defined as follows:

Correctness: For each $m_0,m_1\in \{0,1\}^*$, $b\in \{0,1\}$, it holds that
$$ \Pr \left[ \begin{aligned} (\rho ,\mathsf {msg}_R)\leftarrow \mathsf {OT}_R\left( 1^\lambda ,b\right) \\\mathsf {msg}_S\leftarrow OT_S\left( 1^\lambda ,\mathsf {msg}_R,(m_0, m_1)\right) \end{aligned}\Biggm | \mathsf {OT}_\mathsf {out}\left( \rho ,\mathsf {msg}_R,\mathsf {msg}_S\right) = m_b\right] = 1, $$
Security against Semi-Honest Sender: It holds that,
$$\begin{aligned} \left\{ (\mathsf {msg}^0_R,\rho ^0) \leftarrow \mathsf {OT}_R\left( 1^\lambda ,0\right) \Bigm |\mathsf {msg}^0_R \right\} \approx _c \left\{ (\mathsf {msg}^1_R,\rho ^1) \leftarrow \mathsf {OT}_R\left( 1^\lambda ,1\right) \mid \mathsf {msg}^1_R \right\} \end{aligned}$$
Security against Semi-Honest Receiver: it holds that for each $b\in \{0,1\}$, $m_0,m_1,m_0',m_1'\in \{0,1\}^*$, and $m_b=m'_{b}$,
$$\begin{aligned} \left\{ \mathsf {OT}_S\left( 1^\lambda ,\mathsf {msg}_R,(m_0, m_1)\right) \right\} {\approx }_c \left\{ \mathsf {OT}_S\left( 1^\lambda ,\mathsf {msg}_R,(m'_0, m'_1)\right) \right\} \end{aligned}$$
where $(\mathsf {msg}_R,\rho ) \leftarrow OT_R(1^\lambda ,b)$.
Security against a Malicious Receiver: For every PPT adversary $\mathcal {A} $, there exists a PPT simulator $\mathcal {S} _R=(\mathcal {S} _R^1,\mathcal {S} _R^2)$ for any choice of $m_0,m_1\in \{0,1\}^*$ such that the following holds
$$\begin{aligned} \bigg |\Pr \left[ \mathsf {IDEAL}_{\mathcal {S} _R,\mathcal {F}_\mathsf {OT}}(1^\lambda ,m_0,m_1)=1\right] -\Pr \left[ \mathsf {REAL}_{\mathcal {A},\mathsf {OT}}(1^\lambda ,m_0,m_1)=1\right] \bigg |\\\le \frac{1}{2}+\mathsf {negl}(\lambda ). \end{aligned}$$
Where experiments $\mathsf {IDEAL}_{\mathcal {S} _R,\mathcal {F}_\mathsf {OT}}$ and $\mathsf {REAL}_{\mathcal {A},\mathsf {OT}}$ are defined as follows:

3.2 Multi-CRS Non-interactive Zero Knowledge (m-NIZK)

We use the definition from [6], which is adapted from [25]. Let R be an efficiently computable binary relation and L an NP-language of statements x such that $(x, w) \in R$ for some witness w.

Definition 2

(Multi-CRS NIZK). A multi-CRS NIZK for a language L is a tuple of PPT algorithms $\textsf {m-NIZK}= (\mathsf {m\text {-}NIZK.}\mathsf {Gen},\mathsf {m\text {-}NIZK.}\mathsf {Prove},\mathsf {m\text {-}NIZK.}\mathsf {Verify})$ satisfying the following specifications:

$\mathsf {m\text {-}NIZK.}\mathsf {Gen}(1^\lambda )$: It takes as input the security parameter $\lambda $ and outputs a uniformly random string $\mathsf {crs}$.
$\mathsf {m\text {-}NIZK.}\mathsf {Prove}(\mathsf {crs},x,w)$: It takes as input a set of n random strings $\overrightarrow{\mathsf {crs}}$, a statement x, and a witness w and outputs a $\mathsf {proof}$.
$\mathsf {m\text {-}NIZK.}\mathsf {Verify}(\overrightarrow{\mathsf {crs}},x,\mathsf {proof})$: It takes as input a set of n random strings $\overrightarrow{\mathsf {crs}}$, a statement x, and a $\mathsf {proof}$. It outputs 1 if it accepts the $\mathsf {proof}$ and 0 if it rejects it.

We require that the algorithms satisfy the following properties for all non uniform PPT adversaries $\mathcal {A} $:

Perfect Completeness
$$ \Pr \left[ \begin{aligned} s=\emptyset ; (\overrightarrow{\mathsf {crs}},x,w)\leftarrow \mathcal {A} ^{\mathsf {m\text {-}NIZK.}\mathsf {Gen}}\\\mathsf {proof}\leftarrow \mathsf {m\text {-}NIZK.}\mathsf {Prove}(\overrightarrow{\mathsf {crs}},x,w)\end{aligned}\Biggm |\begin{aligned} \mathsf {m\text {-}NIZK.}\mathsf {Verify}(\overrightarrow{\mathsf {crs}},x,\mathsf {proof})=0\\ \text { and } (x,w)\in R\end{aligned} \right] = 0, $$
where $\mathsf {m\text {-}NIZK.}\mathsf {Gen}$ is an oracle that when queried, outputs $\mathsf {crs}\leftarrow \mathsf {m\text {-}NIZK.}\mathsf {Gen}(1^\lambda )$ and sets $\overrightarrow{\mathsf {crs}} = \overrightarrow{\mathsf {crs}} \cup {\mathsf {crs}}$. Note that this says that even if the adversary arbitrarily picks all the random strings, perfect completeness still holds.
Soundness
$$ \Pr \left[ \begin{aligned} S=\emptyset ; \\ (\overrightarrow{\mathsf {crs}},x,\mathsf {proof})\leftarrow \mathcal {A} ^{\mathsf {m\text {-}NIZK.}\mathsf {Gen}} \end{aligned} \Biggm |\begin{aligned} \mathsf {m\text {-}NIZK.}\mathsf {Verify}(\overrightarrow{\mathsf {crs}},x,\mathsf {proof})=0 ~\wedge \\ x \notin L ~\wedge ~ |\overrightarrow{\mathsf {crs}}\cap S|>n/2 \end{aligned}\right] \le \mathsf {negl}(\lambda ) $$
where $\mathsf {m\text {-}NIZK.}\mathsf {Gen}$ is an oracle that when queried, outputs $\mathsf {crs}\leftarrow \mathsf {m\text {-}NIZK.}\mathsf {Gen}(1^\lambda )$ and sets $S = S \cup {\mathsf {crs}_q}$. Note that this says that as long as at least half of the random strings are honestly generated, the adversary cannot forge a proof except with negligible probability.
Zero-Knowledge. There exist PPT algorithms $\mathcal {S} _\textsf {Gen}$, $\mathcal {S} _\textsf {Prove}$ such that
$$\Pr [\mathsf {crs}\leftarrow \mathsf {m\text {-}NIZK.}\mathsf {Gen}(1^\lambda ) \mid \mathcal {A} (\mathsf {crs}) = 1] \approx \Pr [(\mathsf {crs}, \tau ) \leftarrow \mathcal {S} _\textsf {Gen}(1^\lambda ) : \mathcal {A} (\mathsf {crs}) = 1]$$
and
$$ \Pr \left[ \begin{aligned} s=\emptyset ; (\overrightarrow{\mathsf {crs}},x,\mathsf {proof})\leftarrow \mathcal {A} ^{\mathcal {S} _\textsf {Gen}}\\ \mathsf {proof}\leftarrow \mathsf {m\text {-}NIZK.}\mathsf {Prove}(\overrightarrow{\mathsf {crs}},x,w) \end{aligned}\Biggm |\begin{aligned} \mathcal {A} (\mathsf {proof})=1 \text { and } (x,w) \in R \\ \text { and } |\overrightarrow{\mathsf {crs}}\cap S|>n/2 \end{aligned}\right] $$

$$ \approx \Pr \left[ \begin{aligned} s=\emptyset ; (\overrightarrow{\mathsf {crs}},x,\mathsf {proof})\leftarrow \mathcal {A} ^{\mathcal {S} _\textsf {Gen}}\\ \mathsf {proof}\leftarrow \mathcal {S} _\textsf {Prove}(\overrightarrow{\mathsf {crs}},x,\overrightarrow{\tau }) \end{aligned}\Biggm |\begin{aligned} \mathcal {A} (\mathsf {proof})=1 \text { and } (x,w) \in R \\ \text { and } |\overrightarrow{\mathsf {crs}}\cap S|>n/2 \end{aligned}\right] $$
where $\overrightarrow{\tau }$ is the set containing all simulation trapdoors $\tau $ generated by $\mathcal {S} _\textsf {Gen}$.

4 Broadcast Model

In this section, we investigate the minimal assumptions required to enable two-round honest-majority secure MPC protocols over only a $\mathcal {BC}$ channel. In Sect. 4.1, we show that any two-round honest majority MPC for general functionalities that achieves either semi-honest security or security against malicious adversaries, over a $\mathcal {BC}$ channel can be transformed into a two-message oblivious transfer protocol. In the semi-honest case, this yields a semi-honest $\mathsf {OT}$ protocol (sh-OT), while in the malicious setting, this yields a malicious receiver $\mathsf {OT}$ protocol (mR-OT). Later in Sect. 4.2, we show that such a two-round malicious receiver $\mathsf {OT}$ is impossible in the plain model, thereby showing that maliciously secure, two-round MPC is impossible in the plain model given only broadcast channels.

4.1 Lower Bound for $t=1$

We start by formally stating the observation that for functionalities where only a single party receives an output, the output party need not send any messages in the last round.

Observation 1

Let $\mathcal {F}$ be any n-input functionality and let $\varPi $ be a secure MPC protocol that computes $\mathcal {F}$, such that only one party $P_\mathsf {out}$ receives the output of $\mathcal {F}$. Then $\varPi $ can be transformed into a protocol $\varPi '$, where the output party does not send any message in the last round. Moreover, $\varPi '$ achieves the same security as $\varPi $ in the same communication/setup model.

Indeed, the above observation holds w.l.o.g. If $P_\mathsf {out}$ simply drops its last round message, then by virtue of being the only output party, the output of all other parties remains unaffected. While $P_\mathsf {out}$ can still compute its output by first locally computing its last round message in $\varPi $ and then running the output reconstruction algorithm of $\varPi $ on the protocol transcript and this locally computed message. It is easy to see that the security of this modified protocol follows from the security of $\varPi $.

Given this observation, we now show that any two-round protocol in the $\mathcal {BC}$ model can be transformed into a two-message $\mathsf {OT}$ in the same setting.

Theorem 1

If there exists a 2-round, n-party protocol over $\mathcal {BC}$ channels for general functions, in the plain model, that is secure against $t=1$ semi-honest corruption, then there exists a 2-message semi-honest OT protocol in the plain model.

If there exists a 2-round, n-party protocol over $\mathcal {BC}$ channels for general functions, in the plain model, that achieves security with abort ($\mathtt {SA,UA,IA}$) against $t=1$ malicious corruption, then there exists a 2-message malicious receiver OT protocol in the plain model.

Looking ahead, in Sect. 4.2, we show that two-message $\textsf {mR-OT} $ in the plain model is impossible, thereby proving impossibility of $\texttt {SA},\texttt {UA} $ and $\texttt {IA} $ in the plain model over only $\mathcal {BC}$ channels. We remark that while Theorem 1 is stated for the plain model, it will be easy to see that this implication from two-round $\mathcal {BC}$ only protocols to two-message OT also holds in the CRS model. As discussed in the Introduction, since $\textsf {mR-OT} $ is achievable in two-rounds in the CRS model, this implication complements the two-round protocols based on two-message $\textsf {mR-OT} $ for $\texttt {SA},\texttt {UA} $ and $\texttt {IA} $ from [9, 12, 19] in the CRS model.

The proof of Theorem 1 is organised as follows: We first give a common transformation from an n-party protocol $\varPi $ to a two-message $\mathsf {OT}$ protocol. Then in Lemma 1, we show that if $\varPi $ is semi-honest secure, then the resulting $\mathsf {OT}$ protocol is also semi-honest secure. Finally, in Lemma 2, we show that if $\varPi $ achieves security with abort (SA,UA,IA) against a malicious adversary, then the resulting $\mathsf {OT}$ protocol achieves malicious receiver security.

Proof (Proof of Theorem 1)

Consider the following functionality involving a set of n parties, $\mathcal {P}=\{P_1,\ldots ,P_n\}$:

$$ \mathcal {F}_{n\text {-}\mathsf {OT}}((m_0,m_1),\{\bot \}_{i\in [n-2]},b)=(\{\bot \}_{i\in [n-1]}, m_b) $$

where the input of the first party $P_1$ is $(m_0,m_1)\in \{0,1\}^*$, parties $P_2,\ldots , P_{n-1}$ have no inputs and the input of the last party $P_n$ is a bit $b\in \{0,1\}$. Party $P_n$ is the only output party in this functionality.

Let $\varPi $ be a protocol for $\mathcal {F}_{n\text {-}\mathsf {OT}}$ that operates over a $\mathcal {BC}$ channel. From Observation 1, we know that any MPC protocol with a single output party can be transformed into one where the output party does not send any message in the last round. In Fig. 3, we show how such a protocol (where $P_n$ does not participate in the second round) for $\mathcal {F}_{n\text {-}\mathsf {OT}}$ can be used to design a two-message $\mathsf {OT}$ protocol $\varPi _\mathsf {OT}$ in the same setup/communication model as $\varPi $. We assume $\varPi ^r$ to be the $r^{\text {th}}$ round next message function in $\varPi $ that takes the index of a party $P_i$ among other values as input and outputs $\mathsf {msg}_i^r$, $\rho _i^r$ (internal state). We use $\overrightarrow{\mathsf {msg}}^r$ to denote the set of all the messages sent by the parties in round r. For simplicity of notation, we do not specify the randomness used in these functions explicitly. We specify the input of a party as part of the input to $\varPi ^1$, and internal state as part of the input to $\varPi ^r$, for $r>1$.

Lemma 1

Let $\varPi $ be a two-round n-party protocol for $\mathcal {F}_{n\text {-}\mathsf {OT}}$, secure against a single semi-honest corruption over $\mathcal {BC}$ in the plain (or CRS resp.) model, then the protocol $\varPi _\mathsf {OT}$ in Fig. 3 is a two-message sh-OT in the plain (or CRS resp.) model.

Proof

Correctness of $\varPi _\mathsf {OT}$ follows directly from the correctness of the protocol $\varPi $ for functionality $\mathcal {F}_{n\text {-}\mathsf {OT}}$. We now argue sender and receiver security. Let $\mathcal {E}$ be an execution of $\varPi $, where $P_1's$ input is $(m_0,m_1)$ and $P_n's$ input is b.

1.
Security against semi-honest receiver: From the semi-honest security of $\varPi $, we know that there exists a simulator $\mathcal {S} _n$ corresponding to the real world execution $\mathcal {E}$ where the adversary corrupts party $P_n$, such that the following holds:
$$\begin{aligned} \left\{ \mathcal {S} _n(b,m_b),\{\bot \}_{i\in [n-1]}\right\}&\approx _c \left\{ \mathsf {view}_n(\mathcal {E}),\mathsf {out}_{1}(\mathcal {E}),\ldots ,\mathsf {out}_{n-1}(\mathcal {E})\right\} \\ \implies \left\{ \mathcal {S} _n(b,m_b)\right\}&\approx _c \left\{ \mathsf {view}_n(\mathcal {E})\right\} \end{aligned}$$
where $\mathsf {view}_i(\mathcal {E}),\mathsf {out}_i(\mathcal {E})$ denote the view and output of party $P_i$ in the real world execution $\mathcal {E}$. Let $\mathcal {E}'$ be another execution of $\varPi $, where $P_1's$ input is $(m'_0,m'_1)$ and $P_n's$ input is b and let $m_b=m_b'$. Then it also holds that $ \left\{ \mathcal {S} _n(b,m_b)\right\} \approx _c \left\{ \mathsf {view}_n(\mathcal {E}')\right\} . $ From transitivity of the indistinguishability property,
$$\begin{aligned} \left\{ \mathsf {view}_n(\mathcal {E})\right\} \approx _c \left\{ \mathsf {view}_n(\mathcal {E}')\right\} \implies \left\{ \mathsf {view}_R(\mathcal {E})\right\} \approx _c \left\{ \mathsf {view}_R(\mathcal {E}')\right\} \end{aligned}$$
where $\mathsf {view}_n=\mathsf {view}_R$. Thus, sender security holds.
2.
Security against semi-honest sender: From the semi-honest security of $\varPi $, we know that there exists a simulator $\mathcal {S} _1$ corresponding to $\mathcal {E}$ where the adversary corrupts party $P_1$, such that the following holds:
$$\begin{aligned} \left\{ \mathcal {S} _1((m_0,m_1),\bot ),\{\bot \}_{i\in [n-2]},m_b\right\}&\approx _c \left\{ \mathsf {view}_1(\mathcal {E}),\mathsf {out}_{2}(\mathcal {E}),\ldots ,\mathsf {out}_{n}(\mathcal {E})\right\} \\ \left\{ \overline{\mathsf {msg}}^1_n\right\}&\approx _c \left\{ \mathsf {msg}^1_n\right\} \end{aligned}$$
where $\overline{\mathsf {msg}}^1_n$ is the first round message of party $P_n$ simulated by $\mathcal {S} _1((m_0,m_1),\bot )$. Let $\mathcal {E}'$ be another execution of $\varPi $, where $P_1's$ input is $(m_0,m_1)$ and $P_n's$ input is $b'\ne b$. Then it also holds that $ \left\{ \overline{\mathsf {msg}}^1_n\right\} \approx _c \left\{ \mathsf {msg}'^1_n\right\} $. Receiver security now follows from transitivity of the indistinguishability property
$$\begin{aligned} \left\{ \mathsf {msg}^1_n\right\} \approx _c \left\{ \mathsf {msg}'^1_n\right\} \implies \left\{ \mathsf {view}_S(\mathcal {E})\right\} \approx _c \left\{ \mathsf {view}_S(\mathcal {E}')\right\} \end{aligned}$$

Lemma 2

Let $\varPi $ be a two-round n-party protocol for $\mathcal {F}_{n\text {-}\mathsf {OT}}$, that achieves security with abort ($\mathtt {SA,UA,IA}$) against a single malicious corruption over $\mathcal {BC}$ in the plain (or CRS resp.) model, then the protocol $\varPi _\mathsf {OT}$ in Fig. 3 is a two-message mR-OT in the plain (or CRS resp.) model.

Proof

Correctness of the OT protocol follows directly from the correctness of the underlying protocol $\varPi $. Receiver security against a semi-honest sender follows exactly as in Lemma 1. We proceed to argue simulation-based sender security against a malicious receiver. Let the adversary corrupt party $P_n$ in the underlying protocol $\varPi $. From security of $\varPi $, we know that there exists a stateful PPT simulator $\mathcal {S} _n$, that can simulate an indistinguishable view for this adversary in the ideal world.

Given $\mathcal {S} _n$, the simulator $\mathcal {S} _R$ for the OT protocol first computes $ \{\mathsf {msg}^1_i\}_{i\in [n-1]}\leftarrow \mathcal {S} _n $. Upon receiving the OT receiver message $\mathsf {msg}_R=\mathsf {msg}_n^1$, it invokes $\mathcal {S} _n$ on this message. At some point, while running $\mathcal {S} _n$, when $\mathcal {S} _n$ queries the ideal functionality on input b of party $P_n$ (receiver), the simulator $\mathcal {S} _R$ of the $\mathsf {OT}$ protocol forwards this query to its ideal functionality $\mathcal {F}_{\mathsf {OT}}$. Upon receiving the output $m_b$ from its ideal functionality, it forwards it to the simulator $\mathcal {S} _n$. At the end, $\mathcal {S} _n$ also outputs simulated second round messages $\{\mathsf {msg}^2_i\}_{i\in [n-1]}$. It sends $\mathsf {msg}_S=\{\mathsf {msg}^1_i,\mathsf {msg}^2_i\}_{i\in [n-1]}$ to the adversary.

Indistinguishability of the real and ideal world executions of the $\mathsf {OT}$ protocol follow from security of protocol $\varPi $. We note that we do not need to explicitly consider the output of honest parties in the real and ideal experiments in this case, because the output of an honest sender in this case is $\bot $.

This completes the proof of Theorem 1.

4.2 Impossibility of Two-Message mR-OT in the Plain Model

In this section we show that a two-message malicious receiver $\mathsf {OT}$ is impossible in the plain model. We prove this impossibility by showing that if there exists a simulator that can simulate an indistinguishable view for a malicious receiver, then a malicious/semi-honest sender can run the same simulator to extract the input of an honest receiver.

Lemma 3

There does not exist a 2-message $\mathsf {OT}$ with one-sided efficient straight-line simulation security against a corrupt receiver.

Proof

Suppose there exists a 2-round protocol which securely realizes such an OT, i.e. for each PPT $\mathcal {A} $, there exists a PPT $\mathcal {S} _R=(\mathcal {S} _R^1,\mathcal {S} _R^2)$ s.t for each $ m_0,m_1\in \{0,1\}^*$:

$$\begin{aligned} \bigg |\Pr \left[ \mathsf {IDEAL}_{\mathcal {S} _R,\mathcal {F}_\mathsf {OT}}(1^\lambda ,m_0,m_1)=1\right] -\Pr \left[ \mathsf {REAL}_{\mathcal {A},\mathsf {OT}}(1^\lambda ,m_0,m_1)=1\right] \bigg |\\\le \frac{1}{2}+\mathsf {negl}(\lambda ). \end{aligned}$$

where experiments $\mathsf {IDEAL}_{\mathcal {S} _R,\mathcal {F}_\mathsf {OT}}$ and $\mathsf {REAL}_{\mathcal {A},\mathsf {OT}}$ are as defined in Definition 1. Let b be the input on which $\mathcal {S} _R$ queries the functionality $\mathcal {F}_{OT}(m_0,m_1)$. Then, we construct an adversary $\mathcal {A} _S$ who corrupts the sender as follows: $\mathcal {A} _S$ receives $\mathsf {msg}_R$ from an honest receiver, runs $\mathcal {S} ^1_R\left( 1^\lambda ,\mathsf {msg}_R\right) $ and computes b. This enables $\mathcal {A} _S$ to extract an honest receiver’s input with a high probability. Note that $\mathcal {A} _S$ is a semi-honest adversary since it does not need to send any message before extracting the receiver’s input. This contradicts the assumption that the protocol is secure against a semi-honest sender.

Combining Theorem 1 with the above Lemma, we get the following corollary.

Corollary 1

There exists a functionality $\mathcal {F}\in P/Poly$, for which there does not exist a two-round n-party protocol over $\mathcal {BC}$ that achieves security with $\mathtt {SA/UA/IA}$ against $t=1$ malicious corruption with straight-line simulation in the plain model.

We note that all known honest majority protocols have straight-line simulation.

Another interesting consequence of Theorem 1, is an equivalence between a two-round honest-majority MPC and a two-round dishonest majority MPC over broadcast channels. We note that the above reduction from 2-round honest majority MPC for general functionalities to mR-OT compliments the protocols in [9, 19], where they show that OT is complete for two-round MPC over $\mathcal {BC}$ in the CRS model.

5 $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ Model

In this section, we investigate the feasibility of a two round IA protocol with general honest majority in the $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ model and investigate the minimal assumptions that are required for designing a two round $\texttt {FS-GoD} $ protocol in the $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ model.

5.1 Impossibility Result for Identifiable Result

In this section, we show that there does not exist a two-round IA protocol for general functionalities and general honest majority over $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ in the plain model. To prove this result, it suffices to show that there exists a three-party functionality that cannot be securely realized with IA security, over $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ in the plain model, in two-rounds, against a single corrupt party.

Theorem 2

There exists a functionality $\mathcal {F}\in P/Poly$, for which there does not exist a three-party protocol that achieves security with $\mathtt {IA}$ against a single malicious corruption over $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ with straight-line simulation in the plain model.

Proof

Let $\mathcal {F}$ be a 3-party functionality in which party $P_1$ has no input, $P_2$’s input is $b\in \{0,1\}$ and $P_3$’s input is $(x_0,x_1)$. $P_1$ receives an output $x_b$, while $P_2$ and $P_3$ do not receive any output. That is, $\mathcal {F}(\bot ,b,(x_0,x_1)) = (x_b,\bot ,\bot )$. Let $\varPi $ be a three-party protocol over $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ channels, realises $\mathcal {F}$ with IA security and straight line simulation. Let $\mathcal {E}^1$ be an execution of the protocol $\varPi $ computing $\mathcal {F}$. Also, let $\varPi $ be such that the parties do not send any private messages in the second round (this holds w.l.o.g.). Let $\mathcal {A} $ be an adversary who corrupts party $P_2$ and works as follows; it behaves like an honest party except that it does not send its private channel message to party $P_1$ in the first round.

We consider the following three cases:

1.
Output of the honest parties is $\bot $: We know that in security with IA, if the output of the honest parties is $\bot $, then they must identify at least one corrupted party. Since by assumption $\varPi $ achieves security with IA, it must be the case that both $P_1$ and $P_3$ correctly identify $P_2$ as the corrupt party. Let $\mathsf {view}_{3}(\mathcal {E}^1)$ be the view of party $P_3$ in execution $\mathcal {E}^1$. Consider another execution $\mathcal {E}^2$ for the same functionality with the same set of inputs, where the adversary corrupts party $P_1$ and works as follows. It behaves honestly in the first round. In the second round, it lies about not having received a message from party $P_2$ in the first round and computes its second round messages accordingly. Let $\mathsf {view}_{3}(\mathcal {E}^2)$ be the view of party $P_3$ in execution $\mathcal {E}^2$. Clearly, the view of party $P_3$ in this case is indistinguishable from its view in execution $\mathcal {E}_\varPi ^1$, i.e., $\mathsf {view}_3(\mathcal {E}^1)\approx _c\mathsf {view}_3(\mathcal {E}^2)$. Since the output of $P_3$ in $\mathcal {E}^1$ was $(\bot ,P_2)$, it must be the case that the output of party $P_3$ in execution $\mathcal {E}^2$ is also $(\bot ,P_2)$. However, since $P_2$ is an honest party, this violates the requirements of security with IA. Hence either $\varPi $ does not achieve IA or the output of the honest parties in $\mathcal {E}^1$ cannot be $\bot $.
2.
The simulator extracts b as $P_2$’s input with probability (almost) 1: In this case, simulator $\mathcal {S} _2$’s view of $P_2$’s messages only involves the broadcast message (say $\mathsf {bmsg}^1_2$) and the private message (say $\mathsf {pmsg}^1_{2\rightarrow 3}$) that was sent to $P_3$. The simulator $\mathcal {S} _2$, it straight-line, it is able to extract $P_2$’s input b only using $(\mathsf {bmsg}^1_2,\mathsf {pmsg}^1_{2\rightarrow 3})$. Note that both of these messages are visible to $P_3$, i.e., $(\mathsf {bmsg}^1_2,\mathsf {pmsg}^1_{2\rightarrow 3})\in \mathsf {view}_3(\mathcal {E}^1)$. Consider another execution $\mathcal {E}^2$, where the adversary passively corrupts $P_3$ and all parties (including $P_3$) compute and send their messages honestly. Let $(\overline{\mathsf {bmsg}}^1_2,\overline{\mathsf {pmsg}}^1_{2\rightarrow 3})$ be the messages sent by an honest $P_2$ to $P_3$ in execution $\mathcal {E}^2$. Since the simulator $\mathcal {S} _2$ is straight-line, a corrupt $P_3$ can now simply run $\mathcal {S} _2$ on $(\overline{\mathsf {bmsg}}^1_2,\overline{\mathsf {pmsg}}^1_{2\rightarrow 3})$ to extract an honest $P_2$’s input. This would clearly break privacy of an honest $P_2$’s input. Hence, either $\varPi $ does not achieve IA or there does not exist a straight-line simulator that extracts $P_2$’s correct input b.
3.
The simulator extracts $1-b$ as $P_2$’s input with some non-negligible probability. Consider another execution $\mathcal {E}^2$ for the same functionality $\mathcal {F}$, with the same set of inputs, where the adversary passively corrupts party $P_1$ and behaves honestly throughout the protocol execution. Let $\{\mathsf {bmsg}^1_i,\mathsf {bmsg}^2_i,\{\mathsf {pmsg}^1_{i\rightarrow j}\}_{j\in [3]}\}_{i\in [3]}$ be the set of messages exchanged between the parties. From correctness of protocol $\varPi $, it follows that $P_1$ learns the output $x'_{b'}$, where $x'_{b'}$ is $P_3$’s input in $\mathcal {E}_2$ and $b'$ is $P_2$’s input. A semi-honest $P_1$ can now launch the following offline resetting attack: It computes a new second round message while assuming that it did not receive a message from $P_2$ in the first round, i.e.,
$$\overline{\mathsf {bmsg}}^2_1\leftarrow \varPi ^2(1,\overline{\mathtt {T}}^1_1),$$
where $\overline{\mathtt {T}}^1_1$ is the truncated first round transcript $(\mathsf {bmsg}^1_2,\mathsf {bmsg}^1_3,\mathsf {pmsg}^1_{3\rightarrow 1})$ of party $P_1$. Note that the transcript of $P_1$ is now similar to the one in $\mathcal {E}^1$ and hence outcome of the protocol (output of $P_1$) in this case must be $x'_{1-b'}$ with non-negligible probability. As a result of this attack, $P_1$ is able to learn both $x'_{b'}$ and $x'_{1-b'}$, which clearly violates the privacy of $P_3$’s input. Hence, either $\varPi $ does not achieve IA or there does not exist a straight-line simulator that extracts $1-b$ with non-negligible probability.

Since all 3 cases above are impossible, protocol $\varPi $ cannot be a secure implementation of functionality $\mathcal {F}$, tolerating a single corruption with IA.

5.2 Fail-Stop Guaranteed Output Delivery

FS-GoD is known to be impossible [24] in the plain/CRS models in the absence of private channels in two rounds. In this section, we investigate the minimal assumptions that are required to a realize such protocols in the presence of private channels. More specifically, we show that for $n/3\le t<n/2$, sh-OT is necessary for achieving $\texttt {FS-GoD} $ for general functionalities in the plain model,^{Footnote 9} while $\textsf {OWF}$ suffice for $t<n/3$.

Necessity of sh-OT for $\boldsymbol{(t<n/2).}$ We first show that any n-party FS-GoD protocol for general functionalities with $n/3\le t<n/2$ implies sh-OT.

Theorem 3

If there exists a 2-round n-party FS-GoD protocol for any $\mathcal {F}\in \text {P/Poly}$ in the plain model for $n/3\le t<n/2$, then there exists a two-message sh-OT protocol in the plain model.

Proof

Let $\varPhi $ be a n-party FS-GoD protocol over $\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}$ for the following functionality:

$$ \mathcal {F}_{n\text {-}\mathsf {OT}}((m_0,m_1),\{\bot \}_{i\in [n-2]},b)=(\{\bot \}_{i\in [n-1]},m_b) $$

where, input of $P_1$ is $(m_0,m_1)\in \{0,1\}^*$, parties $P_2,\ldots ,P_{n-1}$ have no inputs, input of $P_n$ is a bit $b\in \{0,1\}$; and output of $P_n$ is $m_b$.

From Observation 1, we assume that $P_n$ does not send any message in the last round. Additionally, the remaining parties only need to send private channel messages to $P_n$ in the second round. Now, since $\varPhi $ achieves FS-GoD, even if t parties, say $P_{t+1},\ldots ,P_{2t}$ fail-stop after sending their first round messages, an honest $P_n$ will still be able to learn the output. Let $\varPi $ be a slightly modified version of $\varPhi $, which forces $P_{t+1},\ldots ,P_{2t}$ to stop after sending their first round messages, as follows:

No messages are sent to $P_{t+1},\ldots ,P_{2t}$ in the first round.
$P_{t+1},\ldots ,P_{2t}$ do not send any messages in the second round.

Note that $\varPi $ is not only a correct protocol (based on FS-GoD security of $\varPhi $), but also a semi-honest secure protocol against corruption of any t parties. This is true since an adversary in protocol $\varPhi $ corrupting any t parties can further pretend to not have received the messages omitted in $\varPi $, thus simulating the view in protocol $\varPi $.

In Fig. 4, we show how $\varPi $ for $\mathcal {F}_{n\text {-}\mathsf {OT}}$ can be used to design a two-message sh-OT in the same setup/communication model as $\varPi $, where the first 2t parties act as the sender and the remaining parties act as the receiver. We use $\mathtt {T}^r_i$ to denote the transcript of party $P_n$, at the end of the round r. We borrow the remaining notations from previous sections. Correctness of the $\mathsf {OT}$ protocol in Fig. 4 follows directly from the correctness of the underlying protocol $\varPi $ for functionality $\mathcal {F}_{n\text {-}\mathsf {OT}}$. The proof for security against semi-honest receiver follows from semi-honest security of $\varPi $, since, any adversary corrupting the receiver in $\mathsf {OT}$ protocol can be viewed as an adversary corrupting the last $n-2t$ parties in the underlying protocol $\varPi $ (where $n-2t < t$). We now argue security against semi-honest sender.

Security Against Semi-honest Sender. Recall that, we need to show that the distribution of the first message by the receiver on input $b=0$ is indistinguishable from that on input $b=1$. The message sent by the receiver is $\{\mathsf {bmsg}^1_{j},\{\mathsf {pmsg}^1_{j\rightarrow i}\}_{i\in [2t]}\}_{j\in [2t+1,n]}$. But, since the parties do not send any messages to $P_t,\ldots , P_{2t}$ in the underlying protocol $\varPi $, the first message is in fact $\{\mathsf {bmsg}^1_{j},\{\mathsf {pmsg}^1_{j\rightarrow i}\}_{i\in [t]}\}_{j\in [2t+1,n]}$. This however, is part of the view of a semi-honest adversary corrupting the first t parties in the underlying protocol $\varPi $. Hence by the semi-honest security guarantee of $\varPi $, this view remains indistinguishable between $b=0$ and $b=1$.

Positive Result for $\boldsymbol{(t<n/3)}$. Now we construct a two-round FS-GoD protocol for $t<n/3$. Our construction is based on one-way functions for general functionalities in P/Poly and achieves information-theoretic security for functions in $\mathbf {NC}^1$. We obtain this result by using the compiler from [4], who show that the task of securely computing any arbitrary polynomial function can be non-interactively reduced to securely computing arbitrary quadratic functions in the multi-party setting. An important property of their reduction is that the resulting protocol for arbitrary polynomial functions achieves the same security as the protocol for quadratic functions. We leverage this observation and focus on constructing an FS-GoD protocol for quadratic functionalities and prove the following theorem.

Theorem 4

There exists a perfectly secure two-round FS-GoD protocol for quadratic functionalities with $t<n/3$ unbounded fail-stop corruptions over $\mathcal {P}\mathrm {2}\mathcal {P}$ channels in the plain model.

Instantiating the Master Theorem from [4] using the protocol from the above theorem, we get the following results.

Corollary 2

Assuming the existence of $\textsf {OWF}$, there exists a two round FS-GoD protocol for $t<n/3$ over $\mathcal {P}\mathrm {2}\mathcal {P}$ channels in the plain model for any $f\in P/Poly$.

There exists a statistically secure two round FS-GoD protocol for $t<n/3$ over $\mathcal {P}\mathrm {2}\mathcal {P}$ channels in the plain model for any $f\in \mathbf {NC}^1$.

Proof (Proof of Theorem 4)

We observe that a slightly modified version of the semi-honest protocol in [27], achieves FS-GoD with $t<n/3$ for quadratic functionalities. The protocol in [27] is based on the standard “share-evaluate-reconstruct” approach, where the parties compute t-out-of-n threshold secret shares [32] of their inputs in the first round. In the second round all the parties evaluate the functionality (that they wish to compute) on their respective shares and send the evaluated share to all other parties, who can then run the reconstruction algorithm of the secret sharing scheme to reconstruct the output. We observe that pre-mature aborts by a fail-stop adversary can be handled in this protocol for $t<n/3$ as follows:

Abort in Round 1: If a corrupt party $P_i$ aborts in the first round and does not send any messages, the remaining parties can evaluate the functionality by simply setting the shares that they were expecting from $P_i$ to 0 and proceed as normal, without any disruption.
Abort in Round 2: Since there are ${>}2t$ honest parties and evaluated shares in the second round correspond to a 2t-out-of-n secret sharing, the shares of the honest parties are sufficient to reconstruct the output. Therefore, aborts in the second round do not disrupt the computation.

For the sake of completeness, we give a description of this protocol in Fig. 5. The correctness and security of this modified protocol follows trivially and hence we omit it.

6 $\mathcal {BC}+\mathcal {PKI}$ Model: Guaranteed Output Delivery

In this section, we give a generic compiler from any two-round (semi-malicious) $\texttt {FS-GoD} $ protocol over $\mathcal {BC}+\mathcal {PKI}$ channels to a two-round $\texttt {M-GoD} $ protocol over $\mathcal {BC}+\mathcal {PKI}$. Our transformation relies on multi-CRS non-interactive zero-knowledge (m-NIZK) proof systems and $\textsf {PKE}$. We refer the reader to Sect. 3.2 for a formal definition of m-NIZKs. This protocol is a simple adaptation of the three-round $\texttt {M-GoD} $ protocol of Ananth et al. [1], with the only modification that the entire first round of their protocol is moved to the bare $\mathcal {PKI}$ setup in our protocol.

Theorem 5

Assuming the existence of $\textsf {PKE}$ and $\textsf {m-NIZK}$, there exists a generic transformation from any two round, n-party (semi-malicious) $\texttt {FS-GoD} $ protocol in the $\mathcal {BC}+\mathcal {PKI}$ model for $t<n/2$, to a two-round n-party $\texttt {M-GoD} $ protocol in the $\mathcal {BC}+\mathcal {PKI}$ model for $t<n/2$.

Ananth et al. [1] present a two-round (semi-malicious) $\texttt {FS-GoD} $ protocol in the $\mathcal {BC}+\mathcal {PKI}$ model based on public-key encryption ($\textsf {PKE}$) with perfect correctness. Instantiating the above theorem with this protocol, we get the following corollary.

Corollary 3

Assuming the existence of $\textsf {PKE}$ and $\textsf {m-NIZK}$, there exists an n-party protocol in the $\mathcal {BC}+\mathcal {PKI}$ model that achieves security with $\texttt {M-GoD} $ against $t<n/2$ corruptions for any $\mathcal {F}\in P/Poly$.

Protocol Description. Let $\mathcal {P}=\{P_1,\ldots ,P_n\}$ be the set of parties with inputs $\mathsf {X}_1,\ldots ,\mathsf {X}_n$. We start by listing the building blocks and establishing some notations:

1.
Protocol $\varPi $: A two-round n-party MPC protocol $\varPi =(\varPi ^\mathcal {PKI},\varPi ^1,\varPi ^2,\varPi ^{\mathsf {out}})$ that operates in the $\mathcal {BC}+\mathcal {PKI}$ model and achieves (semi-malicious) $\texttt {FS-GoD} $ security against $t<n/2$. Here, $\varPi ^\mathcal {PKI}$ is the algorithm used by each party to compute its message in the bare $\mathcal {PKI}$ setup phase, $\varPi ^r$ is the $r^{\text {th}}$ round next-message function and $\varPi ^{\mathsf {out}}$ is the output computation function of $\varPi $. We use $\mathsf {msg}_i^r$ to denote the broadcast message of party $P_i$ in round r.
2.
PKE: Public key encryption scheme $(\mathsf {PKE}.\mathsf {Gen},\mathsf {PKE}.\mathsf {Enc},\mathsf {PKE}.\mathsf {Dec})$ with perfect completeness.
3.
Secret Sharing: A threshold secret sharing scheme $(\mathsf {Share},\mathsf {Recon})$ [32].
4.
m-NIZK : Multi-string NIZK $(\mathsf {m\text {-}NIZK.}\mathsf {Gen},\mathsf {m\text {-}NIZK.}\mathsf {Prove},\mathsf {m\text {-}NIZK.}\mathsf {Verify})$ (see Definitions 3.2). We assume the randomness used in these algorithms to be implicit and do not specify them.

At the start of the protocol, each party $P_i$ samples a sufficiently long random tape $\rho _i$ to use in the various sub-parts of the protocol; let $\rho _i^\mathsf {key}$ be the randomness used for generating keys $(\mathsf {pk}_i,\mathsf {sk}_i)$, $\rho _i^\mathcal {PKI}$ be the randomness used to generate the PKI in the underlying protocol $\varPi $, $\rho _i^\varPi $ be the randomness for generating messages in protocol $\varPi $ and $\rho _{i,j}^\mathsf {enc}$ to encrypt the private message intended for $P_j$. We use the vector notation along with a $\bullet $ symbol to refer to a set of n messages, for instance, $\overrightarrow{\mathsf {ct}}_{\bullet \rightarrow i}=\mathsf {ct}_{1\rightarrow i},\ldots ,\mathsf {ct}_{n\rightarrow i}$. The remaining notations are borrowed from previous sections. A full description of our protocol appears in Fig. 6. We defer the security proof of this protocol to the full version of this paper.

Notes

1.
Typically, the honest-majority assumption is viewed as an alternative to trusted setup assumptions such as a common reference string (CRS).
2.
In a bare PKI setup, an adversarial party does not need to register its key prior to protocol; specifically, it does not need to prove knowledge of its secret key.
3.
The list of notions we discuss here is not exhaustive and some other notions have been studied that lie “in-between” the primary notions. This includes, e.g., semi-malicious security [5], which is a slight strengthening of SH, and fairness, which is a weakening of M-GoD. The lower and upper bounds for these notions tend to be similar to their respective “closest” notions; hence we do not explicitly discuss them.
4.
There is a corner case of exactly one corruption (i.e., $t=1$) and $n\ge 4$ where this impossibility result can be circumvented in the plain model [26, 28].
5.
These works in fact rely on $\textsf {mR-OT} $ in the CRS model with universally composable security [10].
6.
In the weaker $\mathcal {P}\mathrm {2}\mathcal {P}$ only model, honest-majority protocols with $\texttt {IA} $ security are known to be impossible even if we allow for arbitrary rounds [13].
7.
Specifically, it can be implemented as OLE over a large field, using a protocol in which each helper party receives degree t Shamir shares of a and x from sender and receiver respectively, and degree 2t shares of b from sender, and sends degree 2t shares of $ax+b$ to the receiver.
8.
If the protocol does not require any P2P message from $P_2$ to $P_1$, then the corrupted $P_2$ is simply behaving honestly since there is no message to be dropped. In this case, the protocol must result in a not-$\bot $ output. This case is addressed below.
9.
We note that this lower bound complements the protocol designed by Ananth et al. in [1].

References

Ananth, P., Choudhuri, A.R., Goel, A., Jain, A.: Round-optimal secure multiparty computation with honest majority. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 395–424. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_14
Chapter Google Scholar
Ananth, P., Choudhuri, A.R., Goel, A., Jain, A.: Two round information-theoretic MPC with malicious security. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 532–561. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_19
Chapter Google Scholar
Applebaum, B., Brakerski, Z., Tsabary, R.: Perfect secure computation in two rounds. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11239, pp. 152–174. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03807-6_6
Chapter Google Scholar
Applebaum, B., Brakerski, Z., Tsabary, R.: Degree 2 is complete for the round-complexity of malicious MPC. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 504–531. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_18
Chapter Google Scholar
Asharov, G., Jain, A., López-Alt, A., Tromer, E., Vaikuntanathan, V., Wichs, D.: Multiparty computation with low communication, computation and interaction via threshold FHE. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 483–501. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_29
Chapter Google Scholar
Badrinarayanan, S., Jain, A., Manohar, N., Sahai, A.: Secure MPC: laziness leads to GOD. Cryptology ePrint Archive, Report 2018/580 (2018). https://eprint.iacr.org/2018/580
Barak, B., et al.: On the (Im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1
Chapter Google Scholar
Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: 20th ACM STOC, pp. 1–10. ACM Press, May 1988
Google Scholar
Benhamouda, F., Lin, H.: k-round multiparty computation from k-round oblivious transfer via garbled interactive circuits. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 500–532. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_17
Chapter Google Scholar
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press, October 2001
Google Scholar
Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols (abstract). In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 462–462. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_43
Chapter Google Scholar
Cohen, R., Garay, J., Zikas, V.: Broadcast-optimal two-round MPC. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 828–858. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_28
Chapter Google Scholar
Cohen, R., Lindell, Y.: Fairness versus guaranteed output delivery in secure multiparty computation. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 466–485. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_25
Chapter MATH Google Scholar
Damgård, I., Magri, B., Siniscalchi, L., Yakoubov, S.: Broadcast-optimal two round MPC with an honest majority. Cryptology ePrint Archive, Report 2020/1254 (2020). https://eprint.iacr.org/2020/1254
Dwork, C., Naor, M.: Zaps and their applications. In: 41st FOCS, pp. 283–293. IEEE Computer Society Press, November 2000
Google Scholar
Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) CRYPTO’82, pp. 205–210. Plenum Press, New York (1982)
Google Scholar
Fischer, M.J., Lynch, N.A., Merritt, M.: Easy impossibility proofs for distributed consensus problems. In: Malcolm, M.A., Strong, H.R. (eds.) 4th ACM PODC, pp. 59–70. ACM, August 1985
Google Scholar
Garg, S., Ishai, Y., Srinivasan, A.: Two-round MPC: information-theoretic and black-box. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11239, pp. 123–151. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03807-6_5
Chapter Google Scholar
Garg, S., Srinivasan, A.: Two-round multiparty secure computation from minimal assumptions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 468–499. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_16
Chapter Google Scholar
Gennaro, R., Ishai, Y., Kushilevitz, E., Rabin, T.: On 2-round secure multiparty computation. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 178–193. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_12
Chapter Google Scholar
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: Aho, A. (ed.) 19th ACM STOC, pp. 218–229. ACM Press, May 1987
Google Scholar
Goldreich, O., Oren, Y.: Definitions and properties of zero-knowledge proof systems. J. Cryptol. 7(1), 1–32 (1994). https://doi.org/10.1007/BF00195207
Article MathSciNet MATH Google Scholar
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems (extended abstract). In: 17th ACM STOC, pp. 291–304. ACM Press, May 1985
Google Scholar
Dov Gordon, S., Liu, F.-H., Shi, E.: Constant-round MPC with fairness and guarantee of output delivery. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 63–82. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_4
Chapter Google Scholar
Groth, J., Ostrovsky, R.: Cryptography in the multi-string model. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 323–341. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_18
Chapter MATH Google Scholar
Ishai, Y., Kumaresan, R., Kushilevitz, E., Paskin-Cherniavsky, A.: Secure computation with minimal interaction, revisited. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 359–378. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_18
Chapter Google Scholar
Ishai, Y., Kushilevitz, E.: Randomizing polynomials: a new representation with applications to round-efficient secure computation. In: 41st FOCS, pp. 294–304. IEEE Computer Society Press, November 2000
Google Scholar
Ishai, Y., Kushilevitz, E., Paskin, A.: Secure multiparty computation with minimal interaction. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 577–594. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_31
Chapter Google Scholar
Ishai, Y., Ostrovsky, R., Zikas, V.: Secure multi-party computation with identifiable abort. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 369–386. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_21
Chapter Google Scholar
Patra, A., Ravi, D.: On the exact round complexity of secure three-party computation. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 425–458. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_15
Chapter Google Scholar
Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). In: 21st ACM STOC, pp. 73–85. ACM Press, May 1989
Google Scholar
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
Article MathSciNet Google Scholar

Download references

Acknowledgements

The first and second authors were supported in part by an NSF CNS grant 1814919, NSF CAREER award 1942789 and Johns Hopkins University Catalyst award. The second author was additionally supported in part by an Office of Naval Research grant N00014- 19-1-2294. The third author is supported by the joint Indo-Israel Project DST/INT/ISR/P-16/2017 and Ramanujan Fellowship of Dept. of Science and Technology, India.

Author information

Authors and Affiliations

Johns Hopkins University, Baltimore, USA
Aarushi Goel & Abhishek Jain
IIT Bombay, Mumbai, India
Manoj Prabhakaran & Rajeev Raghunath

Authors

Aarushi Goel
View author publications
You can also search for this author in PubMed Google Scholar
Abhishek Jain
View author publications
You can also search for this author in PubMed Google Scholar
Manoj Prabhakaran
View author publications
You can also search for this author in PubMed Google Scholar
Rajeev Raghunath
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Aarushi Goel .

Editor information

Editors and Affiliations

Georgetown University, Washington, WA, USA
Kobbi Nissim
The University of Texas at Austin, Austin, TX, USA
Brent Waters

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Goel, A., Jain, A., Prabhakaran, M., Raghunath, R. (2021). On Communication Models and Best-Achievable Security in Two-Round MPC. In: Nissim, K., Waters, B. (eds) Theory of Cryptography. TCC 2021. Lecture Notes in Computer Science(), vol 13043. Springer, Cham. https://doi.org/10.1007/978-3-030-90453-1_4

Download citation

DOI: https://doi.org/10.1007/978-3-030-90453-1_4
Published: 04 November 2021
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-90452-4
Online ISBN: 978-3-030-90453-1
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

On Communication Models and Best-Achievable Security in Two-Round MPC

Abstract

Similar content being viewed by others

Minimizing Setup in Broadcast-Optimal Two Round MPC

Broadcast-Optimal Two-Round MPC

Guaranteed Output Delivery Comes Free in Honest Majority MPC

1 Introduction

1.1 Our Results in Detail

1.2 Related Work

2 Technical Overview

2.1 Lower Bounds in the \(\mathcal {BC}\) only Model

2.2 \(\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}\) Model

2.3 \(\mathcal {BC}+\mathcal {PKI}\) Model

3 Preliminaries

3.1 Oblivious Transfer (OT)

Definition 1

3.2 Multi-CRS Non-interactive Zero Knowledge (m-NIZK)

Definition 2

4 Broadcast Model

4.1 Lower Bound for \(t=1\)

Observation 1

Theorem 1

Proof (Proof of Theorem 1)

Lemma 1

Proof

Lemma 2

Proof

4.2 Impossibility of Two-Message mR-OT in the Plain Model

Lemma 3

Proof

Corollary 1

5 \(\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}\) Model

5.1 Impossibility Result for Identifiable Result

Theorem 2

Proof

5.2 Fail-Stop Guaranteed Output Delivery

Theorem 3

Proof

Theorem 4

Corollary 2

Proof (Proof of Theorem 4)

6 \(\mathcal {BC}+\mathcal {PKI}\) Model: Guaranteed Output Delivery

Theorem 5

Corollary 3

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation