Abstract
We study the communication complexity of unconditionally secure multiparty computation (MPC) protocols in the honest majority setting. Despite tremendous efforts in achieving efficient protocols for binary fields under computational assumptions, there are no efficient unconditional MPC protocols in this setting. In particular, there are no n-party protocols with constant overhead admitting communication complexity of O(n) bits per gate. Cascudo, Cramer, Xing and Yuan (CRYPTO 2018) were the first ones to achieve such an overhead in the amortized setting by evaluating \(O(\log n)\) copies of the same circuit in the binary field in parallel. In this work, we construct the first unconditional MPC protocol secure against a malicious adversary in the honest majority setting evaluating just a single boolean circuit with amortized communication complexity of O(n) bits per gate.
A. Polychroniadou—This paper was prepared in part for information purposes by the Artificial Intelligence Research group of JPMorgan Chase & Co and its affiliates (“JP Morgan”), and is not a product of the Research Department of JP Morgan. JP Morgan makes no representation and warranty whatsoever and disclaims all liability, for the completeness, accuracy or reliability of the information contained herein. This document is not intended as investment research or investment advice, or a recommendation, offer or solicitation for the purchase or sale of any security, financial instrument, financial product or service, or to be used in any way for evaluating the merits of participating in any transaction, and shall not constitute a solicitation under any jurisdiction or to any person, if such solicitation under such jurisdiction or to such person would be unlawful. 2020 JPMorgan Chase & Co. All rights reserved.
Y. Song—Work done in part while at J.P. Morgan AI Research. Supported in part by the NSF award 1916939, DARPA SIEVE program, a gift from Ripple, a DoE NETL award, a JP Morgan Faculty Fellowship, a PNC center for financial services innovation award, and a Cylab seed funding award.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
1 Introduction
Secure multiparty computation (MPC) [Yao82, GMW87, CCD88, BOGW88] allows n parties to compute any function of their local inputs while guaranteeing the privacy of the inputs and the correctness of the outputs even if t of the parties are corrupted by an adversary.
Given that point-to-point secure channels are established across the parties, any function can be computed with unconditional (perfect) security, against a semi-honest adversary if \(n \ge 2t + 1\) and against a malicious adversary if \(n \ge 3t + 1\) [BOGW88, CCD88]. If we accept small error probability, \(n \ge 2t + 1\) is sufficient to get malicious security [RBO89, Bea89].
The methods used in unconditional secure protocols tend to be computationally much more efficient than the cryptographic machinery required for computational security. So unconditionally secure protocols are very attractive from a computational point of view, but they seem to require a lot of interaction. In fact, such protocols require communication complexity proportional to the size of the (arithmetic) circuit computing the function. In this work we focus on the communication complexity per multiplication of unconditional MPC protocols in the honest majority setting.
Known unconditional secure MPC protocols represent the inputs as elements of a finite field \(F_q\) and represent the function as an arithmetic circuit over that finite field. Moreover, protocols that are efficient in the circuit size of the evaluated function process the circuit gate-by-gate using Shamir secret sharing [Sha79]. This approach usually allows non-interactive processing of addition gates but requires communication for every multiplication gate. However, secret-sharing-based protocols require that the size of the underlying finite field is larger than the number of parties, i.e., \(q>n\). The work of [BTH08] based on hyper-invertible matrices requires the underlying finite field to be \(q\ge 2 n\).Footnote 1 Other types of protocols with unconditional online phase based on message authentication codes, such as the SPDZ-based protocol [DPSZ12], require the size of the underlying finite field to be large, i.e., \(q>2^\kappa \), where \(\kappa \) is the security parameter. This is based on the fact that the cheating probability of the adversary needs to be inverse proportional to the size of the field.
In this paper, we ask a very natural question for unconditionally secure protocols which, to the best of our knowledge, has not been studied in detail before:
Is it possible to construct unconditional MPC protocols for \(t < n/2\) for computing an arithmetic circuit over a small field \(F_q\) (such as \(q=2\)) with amortized communication complexity O(n) field elements (bits) per gate?
Note that the standard solution of applying the existing protocols to functions which are already represented as binary circuits requires to lift the circuit to a large enough extension field. That said, in such a scenario the communication complexity incurs a multiplicative overhead of \(\log n\).
Recently, Cascudo, et al. [CCXY18] revisited the amortized complexity of unconditional MPC. At a high level, the authors leverage the large extension field to evaluate more than one instance of the same binary circuit in parallel. In particular, the authors compile an MPC protocol for a circuit over an extension field to a parallel MPC protocol of the same circuit but with inputs defined over its base field. That said, their protocol can evaluate \(O(\log n)\) copies of the same circuit in the binary field in parallel and achieve communication complexity of O(Cn) bits where C is the size of the circuit. However, such an overhead cannot be achieved for a single copy of the circuit. The works of [DZ13, CG20] also allow efficient parallel computation of several evaluations of the same binary circuits with a special focus on the dishonest majority. Note that these works are based on packed secret sharing for SIMD circuits, however this induces an extra overhead of \(\log C\) in the circuit size when using for a single binary circuit.
Our Results. We answer the above question in the affirmative, obtaining an unconditional MPC protocol in the honest majority setting for calculations over \(\mathbb {F}_2\). Informally, we prove the following:
Theorem 1
(informal). There exists an unconditional MPC protocol for n parties secure against \(t < n/2\) corruptions in the presence of a malicious adversary evaluating a single boolean circuit with an amortized communication complexity of O(n) bits per gate.
We formally state our results and communication overhead in Theorem 5. To establish our result, we propose an online phase based on additive sharings where we are able to authenticate the shares with O(Cn) communication overhead as opposed to prior works which achieve an overhead of \(O(Cn\kappa )\) for a single boolean circuit, where \(\kappa \) is the security parameter.
We are aware that the works of Hazay et al. [HVW20] and Boyle et al. [BGIN20] (building on Boneh et al. [BBCG+19]) provide general compilers from semi-honest security to malicious security in the honest-majority setting, with at most a constant communication overhead. We leave the possibility of an alternative approach to achieve malicious security by applying these compilers to a semi-honest protocol which communicates O(n) field elements per gate, such as our semi-honest protocol, to future work.
2 Technical Overview
In the following, we will use n to denote the number of parties and t to denote the number of corrupted parties. In the setting of the honest majority, we have \(n=2t+1\).
Our construction will utilize two kinds of secret sharing schemes:
-
The standard Shamir secret sharing scheme [Sha79]: We will use \([x]_t\) to denote a degree-t Shamir sharing, or a \((t+1)\)-out-of-n Shamir sharing. It requires at least \(t+1\) shares to reconstruct the secret and any t shares do not leak any information about the secret.
-
An additive sharing among the first \(t+1\) parties: We will use \(\langle x \rangle \) to denote an additive sharing, which satisfies that the summation of the shares held by the first \(t+1\) parties is the secret x, and the shares of the rest of parties are 0.
In this paper, we are interested in the information-theoretic setting. Our goal is to construct a secure-with-abort MPC protocol for a single arithmetic circuit over the binary field \(\mathbb {F}_2\), such that the communication complexity is O(Cn) bits (ignoring terms which are sub-linear in the circuit size), where C is the circuit size and n is the number of parties. The structure of our overview is as follows:
-
1.
We first provide an overview of related works and discuss why their protocols cannot achieve O(Cn) bits for a single binary circuit.
-
2.
Then we introduce a high-level structure of our construction. Very informally, our protocol uses additive sharings to achieve high efficiency in the online phase. However, using additive sharings requires authentications of the secrets to detect malicious behaviors. Based on the prior works, directly generating an authentication for each sharing already requires the communication of \(O(Cn\kappa )\) bits, where \(\kappa \) is the security parameter. The main difficulty is how to efficiently authenticate the secrets of additive sharings.
-
3.
Next we review the notion of reverse multiplication-friendly embeddings (RMFE) introduced in [CCXY18], which is an important building block of our protocol.
-
4.
Finally, we introduce our main technique. Our idea stems from a new way to authenticate the secret of an additive sharing. Combining with RMFEs, we can authenticate the secret of a single additive sharing with the communication of O(n) bits. Relying on this new technique, we can obtain a secure-with-abort MPC protocol for a single binary circuit with the communication complexity of O(Cn) bits.
How Previous Constructions Work. In the honest majority setting, the best-known semi-honest protocol is introduced in the work of Damgård and Nielsen [DN07] in 2007 (hereafter referred to as the DN protocol). The communication complexity of the DN protocol is \(O(Cn\phi )\) bits, where \(\phi \) is the size of a field element. A beautiful line of works [GIP+14, LN17, CGH+18, NV18, GSZ20] have shown how to compile the DN protocol to achieve security-with-abort. In particular, the recent work [GSZ20] gives the first construction where the communication complexity matches the DN protocol. At a high-level, these protocols follow the idea of computing a degree-t Shamir sharing for each wire, and making use of the properties of the Shamir secret sharing scheme to evaluate addition gates and multiplication gates. However, the Shamir secret sharing scheme requires the field size to be at least \(n+1\). It means that the size of a field element \(\phi \ge \log n\). When we want to evaluate a binary circuit by using these protocols, we need to use a large enough extension field so that the Shamir secret sharing scheme is well-defined, which results in \(O(Cn\log n)\) bits in the communication complexity.
[CCXY18] revisited the amortized complexity of information-theoretically secure MPC. Their idea is to compile an MPC for a circuit over an extension field to a parallel MPC of the same circuit but with inputs defined over its base field. In this way, we can evaluate \(O(\log n)\) copies of the same circuit in the binary field at the same time and achieve O(Cn) bits per circuit. The main technique is the notion of reverse multiplication-friendly embeddings (RMFE) introduced in this work [CCXY18]. At a high-level, RMFE allows us to perform a coordinate-wise product between two vectors of bits by multiplying two elements in the extension field. When evaluating \(O(\log n)\) copies of the same circuit in the binary field, each multiplication is just a coordinate-wise product between the vectors of bits associated with the input wires. Relying on RMFE, all parties can transform the computation to one multiplication between two elements in the extension field, which can be handled by the DN protocol. This is the first paper which sheds light on the possibility of evaluating a binary circuit with communication complexity of O(Cn) bits. However, it is unclear how to use this technique to evaluate a single binary circuit.
In the setting of the dishonest majority, the well-known work SPDZ [DPSZ12] shows that, with necessary correlated randomness prepared in the preprocessing phase, we can use an information-theoretic protocol in the online phase to achieve high efficiency. The high-level idea of the online phase protocol is to use the notion of Beaver tuples to transform a multiplication operation to two reconstructions. We will elaborate this technique at a later point. In the online phase, all parties will compute an additive sharing for each wire. One benefit of the additive secret sharing scheme is that it is well-defined in the binary field and each party holds a single bit as its share. As a result, the communication complexity in the online phase is just O(Cn) bits. However, unlike the honest majority setting where the shares of honest parties can determine the secret of a degree-t Shamir sharing, the secret of an additive sharing can be easily altered by a corrupted party changing its own share. Therefore, a secure MAC is required to authenticate the secret of each additive sharing. To make the MAC effective, the MAC size should be proportional to the security parameter \(\kappa \). Although it does not necessarily affect the sharing space, e.g., the work TinyOT [NNOB12] uses an additive sharing in the binary field with a secure MAC in the extension field, generating a secure MAC for each sharing in the preprocessing phase brings in an overhead of \(\kappa \), which results in \(O(Cn\kappa )\) bits in the overall communication complexity. We however note that, this protocol achieves a highly efficient online phase, which is O(Cn) bits. Our starting idea is the online phase protocol in [DPSZ12]. In the honest majority setting, the preprocessing phase can also be done by an information-theoretic protocol. In fact, the idea of using Beaver tuples has been used in several previous works [BTH08, BSFO12, CCXY18] in the honest majority setting. We first describe a prototype protocol of using Beaver tuples in this setting.
A Prototype Protocol of Using Beaver Tuples. This protocol follows the same structure as the protocol in [DPSZ12], but in the honest majority setting. Recall that we use \(\langle x \rangle \) to denote an additive sharing among the first \(t+1\) parties. We use \(\textsf {MAC}(x)\) to denote an abstract MAC for x. It satisfies that all parties can use \(\textsf {MAC}(x)\) to check the correctness of x. We further require that \(\textsf {MAC}(\cdot )\) is linear homomorphic, i.e., \(\textsf {MAC}(x)+\textsf {MAC}(y)=\textsf {MAC}(x+y)\). Let \([\![x]\!]:=(\langle x \rangle , \textsf {MAC}(x))\).
In the preprocessing phase, all parties prepare a batch of Beaver tuples in the form of \(([\![a]\!], [\![b]\!], [\![c]\!])\), where a, b are random bits and \(c:=a\cdot b\). These tuples will be used in the online phase to evaluate multiplication gates.
In the online phase, all parties start with holding \([\![x]\!]\) for each input wire. Addition gates and multiplication gates are evaluated in a predetermined topological order.
-
For an addition gate with input sharings \([\![x]\!]\) and \([\![y]\!]\), all parties can locally compute
$$[\![z]\!]:=(\langle z \rangle , \textsf {MAC}(z)) = (\langle x \rangle , \textsf {MAC}(x))+(\langle y \rangle , \textsf {MAC}(y)) = [\![x]\!] + [\![y]\!].$$ -
For a multiplication gate with input sharings \([\![x]\!]\) and \([\![y]\!]\), let \(([\![a]\!], [\![b]\!], [\![c]\!])\) be the first unused Beaver tuple. Note that:
$$\begin{aligned} z= & {} x\cdot y = (x+a-a)\cdot (y+b-b)\\= & {} (x+a)\cdot (y+b) - (x+a)\cdot b-(y+b)\cdot a + a\cdot b \end{aligned}$$Therefore, if all parties know \(x+a\) and \(y+b\), \([\![z]\!]\) can be locally computed by
$$[\![z]\!]:=(x+a)\cdot (y+b) - (x+a)\cdot [\![b]\!] -(y+b)\cdot [\![a]\!] + [\![c]\!].$$The task of computing \([\![z]\!]\) becomes to reconstruct \([\![x]\!]+[\![a]\!]\) and \([\![y]\!] + [\![b]\!]\). We will use \(\langle x+a \rangle \) and \(\langle y+b \rangle \) to do the reconstructions. All parties send their shares of \(\langle x+a \rangle , \langle y+b \rangle \) to the first party. Then, the first party reconstructs the \(x+a, y+b\), and sends the result back to other parties.
To check the correctness of the computation, it is sufficient to verify the reconstructions. For each \(x+a\), all parties use \([\![x]\!], [\![a]\!]\) to compute \(\textsf {MAC}(x+a)\), which can be used to verify the reconstruction.
Note that we only need to communicate O(n) bits per multiplication gates. Therefore, the communication complexity is O(Cn) bits in the online phase. The main bottleneck of this approach is how to generate Beaver tuples efficiently. Our protocol relies on the notion of reverse multiplication-friendly embeddings and a novel MAC to achieve high efficiency in generating Beaver tuples.
Review of the Reverse Multiplication-Friendly Embeddings [CCXY18]. We note that a Beaver tuple can be prepared by the following two steps: (1) prepare two random sharings \([\![a]\!],[\![b]\!]\), and (2) compute \([\![c]\!]\) such that \(c:=a\cdot b\). Note that a, b are random bits. It naturally connects to the idea of RMFE, which allows us to perform a coordinate-wise product between two vector of bits by multiplying two elements in the extension field. We first give a quick review of this notion.
Let \(\mathbb {F}_2^k\) denote a vector space of \(\mathbb {F}_2\) of dimension k, and \(\mathbb {F}_{2^m}\) denote the extension field of \(\mathbb {F}_2\) of degree m. A reverse multiplication-friendly embedding is a pair of \(\mathbb {F}_2\)-linear maps \((\phi , \psi )\), where \(\phi :\mathbb {F}_2^k\rightarrow \mathbb {F}_{2^m}\) and \(\psi :\mathbb {F}_{2^m}\rightarrow \mathbb {F}_2^k\), such that for all \(\boldsymbol{x}, \boldsymbol{y}\in \mathbb {F}_2^k\),
where \(*\) denotes the coordinate-wise product. In [CCXY18], it has been shown that there exists a family of RMFEs such that \(m=\varTheta (k)\).
In [CCXY18], recall that \(k=O(\log n)\) copies of the same circuit are evaluated together. For each wire, there is a vector of k bits associated with this wire, where the i-th bit is the wire value of the i-th copy of the circuit. Thus, an addition gate corresponds to a coordinate-wise addition, and a multiplication gate corresponds to a coordinate-wise product. In the construction of [CCXY18], for each wire, the vector \(\boldsymbol{x}\) associated with this wire is encoded to \(\phi (\boldsymbol{x})\in \mathbb {F}_{2^m}\). All parties hold a degree-t Shamir sharing \([\phi (\boldsymbol{x})]_t\). Since \(\phi (\cdot )\) is an \(\mathbb {F}_2\)-linear map, addition gates can be computed locally. The main task is to evaluate multiplication gates:
-
For a multiplication gate with input sharings \([\phi (\boldsymbol{x})]_t, [\phi (\boldsymbol{y})]_t\), the goal is to compute a degree-t Shamir sharing \([\phi (\boldsymbol{z})]_t\) such that \(\boldsymbol{z} = \boldsymbol{x} * \boldsymbol{y}\).
-
Relying on the DN protocol [DN07], all parties can compute a degree-t Shamir sharing \([w]_t:=[\phi (\boldsymbol{x})\cdot \phi (\boldsymbol{y})]_t\). By the property of the RMFE, we have \(\boldsymbol{z}=\psi (w)\). Therefore, all parties need to transform \([w]_t\) to \([\phi (\psi (w))]_t\).
-
In [CCXY18], this is done by using a pair of random sharings \(([r]_t, [\phi (\psi (r))]_t)\). All parties reconstruct \([w+r]_t\) and compute \([\phi (\psi (w))]_t:=\phi (\psi (w+r)) - [\phi (\psi (r))]_t\). The correctness follows from the fact that \(\phi \) and \(\psi \) are \(\mathbb {F}_2\)-linear maps.
-
Finally, all parties set \([\phi (\boldsymbol{z})]_t:=[\phi (\psi (w))]_t\).
As analyzed in [CCXY18], the communication complexity per multiplication gate is \(O(m\cdot n)\) bits. Since each multiplication gate corresponds to k multiplications in the binary field, the amortized communication complexity per multiplication is \(O(m/k\cdot n) = O(n)\) bits.
Following the idea in [CCXY18], we can prepare a random tuple of sharings \(([\phi (\boldsymbol{a})]_t, [\phi (\boldsymbol{b})]_t, [\phi (\boldsymbol{c})]_t)\), where \(\boldsymbol{a}, \boldsymbol{b}\) are random vectors in \(\mathbb {F}_2^k\), and \(\boldsymbol{c} = \boldsymbol{a} * \boldsymbol{b}\). In particular, the communication complexity per tuple is \(O(m\cdot n)\) bits. Suppose that \(\boldsymbol{a} = (a_1,a_2,\ldots , a_k), \boldsymbol{b} = (b_1, b_2,\ldots , b_k)\), and \(\boldsymbol{c} = (c_1,c_2,\ldots , c_k)\). If we can transform a random tuple \(([\phi (\boldsymbol{a})]_t, [\phi (\boldsymbol{b})]_t, [\phi (\boldsymbol{c})]_t)\) to k Beaver tuples:
then the communication complexity per Beaver tuple is \(O(m/k\cdot n)= O(n)\) bits! More concretely, our goal is to efficiently separate a degree-t Shamir sharing \([\phi (\boldsymbol{a})]_t\) to k sharings \([\![a_1]\!],[\![a_2]\!],\ldots ,[\![a_k]\!]\). For all \(i\in [k]\), recall that \([\![a_i]\!] = (\langle a_i \rangle , \textsf {MAC}(a_i))\). Therefore, we need to efficiently obtain an additive sharing \(\langle a_i \rangle \) and a secure \(\textsf {MAC}(a_i)\) from a degree-t Shamir sharing \([\phi (\boldsymbol{a})]_t\).
Establish a Connection between \([\phi (\boldsymbol{x})]_t\) and \(\{[\![x_i]\!]\}_{i=1}^k\). We first consider the following question: Given \(\phi (\boldsymbol{x})\), how can we obtain the i-th bit \(x_i\) from \(\phi (\boldsymbol{x})\)? Let \(\boldsymbol{e}^{(i)}\) be a vector in \(\mathbb {F}_2^k\) such that all entries are 0 except that the i-th entry is 1. Then \(\boldsymbol{e}^{(i)} * \boldsymbol{x}\) is a vector in \(\mathbb {F}_2^k\) such that all entries are 0 except that the i-th entry is \(x_i\). According to the definition of RMFEs, we have
To obtain \(x_i\) from \(\boldsymbol{e}^{(i)} * \boldsymbol{x}\), we can compute the summation of all entries in \(\boldsymbol{e}^{(i)} * \boldsymbol{x}\). We define an \(\mathbb {F}_2\)-linear map \(\textsf {val}(\cdot ):\mathbb {F}_{2^m}\rightarrow \mathbb {F}_2\) as follows:
-
For an input element \(y\in \mathbb {F}_{2^m}\), suppose \(\psi (y) = (y_1, y_2, \ldots , y_k)\).
-
\(\textsf {val}(y)\) is defined to be \(\sum _{i=1}^k y_i\).
Therefore, we have
Note that \(\phi (\boldsymbol{e}^{(i)})\) is an element in \(\mathbb {F}_{2^m}\) and is known to all parties. Therefore, all parties can locally compute \([y^{(i)}]_t:=\phi (\boldsymbol{e}^{(i)}) \cdot [\phi (\boldsymbol{x})]_t\). In particular, we have \(\textsf {val}(y^{(i)}) = x_i\). In the honest majority setting, a degree-t Shamir sharing satisfies that the secret is determined by the shares of honest parties. In particular, corrupted parties cannot alter the secret of this sharing. Therefore, \([y^{(i)}]_t\) can be seen as a secure MAC for \(x_i\). Thus for an element \(x\in \mathbb {F}_2\), we set \(\textsf {MAC}(x):=[y]_t\), where \(y\in \mathbb {F}_{2^m}\) satisfies that \(\textsf {val}(y)=x\). Note that \([y]_t\) can be used to check the correctness of x, and for all \(x, x'\in \mathbb {F}_2\),
where the last step follows from the fact that \(\textsf {val}(y+y')=\textsf {val}(y)+\textsf {val}(y')\).
Recall that \([\![x_i]\!]=(\langle x_i \rangle , \textsf {MAC}(x_i))\). So far, we have obtained \(\textsf {MAC}(x_i)\) from \([\phi (\boldsymbol{x})]_t\). Therefore, the only task is to obtain \(\langle x_i \rangle \). Let \(\langle \boldsymbol{x} \rangle :=(\langle x_1 \rangle , \langle x_2 \rangle , \ldots , \langle x_k \rangle )\) denote a vector of additive sharings of \(\boldsymbol{x}\in \mathbb {F}_2^k\). For each party, its share of \(\langle \boldsymbol{x} \rangle \) is a vector in \(\mathbb {F}_2^k\). For the last t parties, they take the all-0 vector as their shares.
We note that for a degree-t Shamir sharing \([\phi (\boldsymbol{x})]_t\), the secret \(\phi (\boldsymbol{x})\) can be written as a linear combination of the shares of the first \(t+1\) parties. Therefore, the first \(t+1\) parties can locally transform their shares of \([\phi (\boldsymbol{x})]_t\) to an additive sharing of \(\phi (\boldsymbol{x})\), denoted by \(\langle \phi (\boldsymbol{x}) \rangle \). Let \(u_i\) denote the i-th share of \(\langle \phi (\boldsymbol{x}) \rangle \). Then we have \(\phi (\boldsymbol{x}) = \sum _{i=1}^{t+1} u_i\). In Sect. 3.3, we give an explicit construction of an \(\mathbb {F}_2\)-linear map \(\tilde{\phi }^{-1}:\mathbb {F}_{2^m}\rightarrow \mathbb {F}_2^k\) which satisfies that for all \(\boldsymbol{x}\in \mathbb {F}_2^k\), \(\tilde{\phi }^{-1}(\phi (\boldsymbol{x})) = \boldsymbol{x}\). Utilizing \(\tilde{\phi }^{-1}\), we have
Thus, the i-th party takes \(\tilde{\phi }^{-1}(u_i)\) as its share of \(\langle \boldsymbol{x} \rangle \).
In summary, we show that given \([\phi (\boldsymbol{x})]_t\), all parties can locally obtain \(\{[\![x_i]\!]\}_{i=1}^k\). Together with RMFEs, the communication complexity per Beaver tuple is O(n) bits. Relying on the prototype protocol of using Beaver tuples, we obtain a secure-with-abort MPC protocol for a single binary circuit which has communication complexity O(Cn) bits. We note that these k sharings \(\{[\![x_i]\!]\}_{i=1}^k\) are correlated since they are computed from a single degree-t Shamir sharing \([\phi (\boldsymbol{x})]_t\). Our protocol will make use of additional randomness as mask to protect the secrecy of these sharings when they are used. The preparation of this additional randomness is done in a batch way at the beginning of the protocol and does not affect the asymptotic communication complexity of the main protocol. We refer the readers to Sect. 6.3 and Sect. 6.4 for the additional randomness we need in the construction.
An Overview of Our Main Construction. Our main protocol follows the same structure as the prototype protocol of using Beaver tuples. Recall that for \(x\in \mathbb {F}_2\), we use \(\langle x \rangle \) to denote an additive sharing of x among the first \(t+1\) parties, and the shares of the rest of parties are 0. Let \((\phi , \psi )\) be a RMFE, where \(\phi :\mathbb {F}_2^k\rightarrow \mathbb {F}_{2^m}\) and \(\psi :\mathbb {F}_{2^m}\rightarrow \mathbb {F}_2^k\) are \(\mathbb {F}_2\)-linear maps. Recall that \(\textsf {val}(\cdot ):\mathbb {F}_{q^m}\rightarrow \mathbb {F}_q\) is an \(\mathbb {F}_q\)-linear map, defined by \(\textsf {val}(y) = \sum _{i=1}^k y_i\), where \((y_1, y_2,\ldots , y_k) = \psi (y)\). For \(x\in \mathbb {F}_2\), let \([\![x]\!]:=(\langle x \rangle , [y]_t)\), where \(\langle x \rangle \) is an additive sharing among the first \(t+1\) parties in \(\mathbb {F}_2\), and \([y]_t\) is a degree-t Shamir sharing of \(y\in \mathbb {F}_{2^m}\) such that \(\textsf {val}(y)=x\).
In the preprocessing phase, all parties prepare a batch of Beaver tuples in the form of \(([\![a]\!], [\![b]\!], [\![c]\!])\), where a, b are random bits and \(c:=a\cdot b\). The Beaver tuples are prepared by the following steps:
-
All parties first prepare a batch of random tuples of sharings in the form of \(([\phi (\boldsymbol{a})]_t, [\phi (\boldsymbol{b})]_t, [\phi (\boldsymbol{c})]_t)\), where \(\boldsymbol{a}, \boldsymbol{b}\) are random vectors in \(\mathbb {F}_2^k\) and \(\boldsymbol{c}=\boldsymbol{a}*\boldsymbol{b}\). In our protocol, preparing such a random tuple of sharings require the communication of \(O(m\cdot n)\) bits.
-
For each tuple of sharings \(([\phi (\boldsymbol{a})]_t, [\phi (\boldsymbol{b})]_t, [\phi (\boldsymbol{c})]_t)\), all parties locally transform it to k Beaver tuples in the form of \(([\![a]\!], [\![b]\!], [\![c]\!])\).
Note that the amortized cost per Beaver tuple is O(n) bits.
In the online phase, all parties start with holding \([\![x]\!]\) for each input wire. Addition gates and multiplication gates are evaluated in a predetermined topological order.
-
For an addition gate with input sharings \([\![x]\!]\) and \([\![y]\!]\), all parties locally compute \([\![z]\!]:=[\![x]\!]+[\![y]\!]\).
-
For a multiplication gate with input sharings \([\![x]\!]\) and \([\![y]\!]\), let \(([\![a]\!], [\![b]\!], [\![c]\!])\) be the first unused Beaver tuple. All parties use the additive sharings \(\langle x+a \rangle , \langle y+b \rangle \) to reconstruct \(x+a\) and \(y+b\). Then all parties compute
$$[\![z]\!]:=(x+a)\cdot (y+b) - (x+a)\cdot [\![b]\!] - (y+b)\cdot [\![a]\!] + [\![c]\!].$$All parties also locally compute \([\![x+a]\!]:=[\![x]\!]+[\![a]\!]\) and \([\![y+b]\!]:=[\![y]\!]+[\![b]\!]\). These sharings will be used to verify the reconstructions at the end of the protocol.
After evaluating the whole circuit, all parties together verify the value-sharing pairs in the form of \((x+a, [\![x+a]\!])\), where \(x+a\) is the reconstruction of \([\![x+a]\!]\). In Sect. 7.3, we show that all the value-sharing pairs can be verified together with sub-linear communication complexity in the number of pairs.
Note that addition gates can be computed locally, and the communication complexity per multiplication gate is O(n) bits. Therefore, the communication complexity of our protocol is O(Cn) bits.
Other Building Blocks and Security Issues. We note that the work [CCXY18] only focuses on the setting of 1/3 corruption. These protocols cannot be used directly in the honest majority setting. Some techniques even fail when the corruption threshold increases. In this work, we rebuild the protocols in [CCXY18] to fit the honest majority setting by combining known techniques in [BSFO12, GSZ20]. Concretely,
-
We follow the definition of a general linear secret sharing scheme (GLSSS) in [CCXY18]. Following the idea in [BSFO12] of preparing random degree-t Shamir sharings, we introduce a protocol to allow all parties efficiently prepare random sharings of a given GLSSS. We use this protocol to prepare various kinds of random sharings in our main construction. Let \(\mathcal {F}_{\text {rand}}\) denote the functionality of this protocol.
-
To prepare Beaver tuples, we first prepare a random tuple of sharings
$$([\phi (\boldsymbol{a})]_t, [\phi (\boldsymbol{b})]_t, [\phi (\boldsymbol{c})]_t),$$where \(\boldsymbol{a}, \boldsymbol{b}\) are random vectors in \(\mathbb {F}_2^k\) and \(\boldsymbol{c}=\boldsymbol{a}*\boldsymbol{b}\). This random tuple of sharings is prepared as follows:
-
The first step is to prepare random sharings \([\phi (\boldsymbol{a})]_t, [\phi (\boldsymbol{b})]_t\). We show that they can be prepared by using \(\mathcal {F}_{\text {rand}}\).
-
Then all parties compute \([\phi (\boldsymbol{a})\cdot \phi (\boldsymbol{b})]_t\). We rely on the multiplication protocol and the efficient multiplication verification in [GSZ20].
-
Finally, all parties need to transform a sharing \([w]_t\) to \([\phi (\psi (w))]_t\), where \(w=\phi (\boldsymbol{a})\cdot \phi (\boldsymbol{b})\). We model this process in the functionality \(\mathcal {F}_{\text {re-encode}}\). We extend the idea in [CCXY18] from the 1/3 corruption setting to the honest majority setting, and construct an efficient protocol for the functionality \(\mathcal {F}_{\text {re-encode}}\).
-
More details can be found in Sect. 4 and Sect. 6.
We note that the idea of using Beaver tuples to construct an MPC protocol in the honest majority setting has been used in several previous works [BTH08, BSFO12, CCXY18]. These protocols all have an additional term \(O(D\cdot n^2)\) in the communication complexity, where D is the circuit depth. It is due to a verification of the computation in each layer. Recall that relying on Beaver tuples, an multiplication can be transformed to two reconstructions. In [GLS19], Goyal, et al. show that, without verification of the computation in each layer, corrupted parties can learn extra information when doing reconstructions for multiplications in the next layer. It turns out that our protocol has a similar security issue.
To avoid the verification of the computation per layer, Goyal, et al. [GLS19] rely on an n-out-of-n secret sharing to protect the shares of honest parties. In this way, even without verifications, the share of each honest party is uniformly distributed. It allows Goyal, et al. to only check the correctness at the end of the protocol. We follows the idea in [GLS19]. Concretely, we want to protect the shares of honest parties when using \(\langle x+a \rangle , \langle y+b \rangle \) to do reconstructions. To this end, we add a uniformly random additive sharing of 0 for each reconstruction. In this way, each honest party simply sends a uniformly random element to the first party. It allows us to delay the verification to the end of the protocol. More details can be found in Sect. 7.
3 Preliminaries
3.1 The Model
In this work, we focus on functions that can be represented as arithmetic circuits over a finite field \(\mathbb {F}_q\) of size q with input, addition, multiplication, and output gates. We use \(\kappa \) to denote the security parameter and C to denote the size of the circuit. In the following, we will use an extension field of \(\mathbb {F}_q\) denoted by \(\mathbb {F}_{q^m}\) (of size \(q^m\)). We always assume that \(|\mathbb {F}_{q^m}|=q^m\ge 2^\kappa \).
For the secure multi-party computation, we use the client-server model. In the client-server model, clients provide inputs to the functionality and receive outputs, and servers can participate in the computation but do not have inputs or get outputs. Each party may have different roles in the computation. Note that, if every party plays a single client and a single server, this corresponds to a protocol in the standard MPC model. Let c denote the number of clients and \(n=2t+1\) denote the number of servers. For all clients and servers, we assume that every two of them are connected via a secure (private and authentic) synchronous channel so that they can directly send messages to each other. The communication complexity is measured by the number of bits via private channels.
An adversary \(\mathcal {A}\) can corrupt at most c clients and t servers, provide inputs to corrupted clients, and receive all messages sent to corrupted clients and servers. Corrupted clients and servers can deviate from the protocol arbitrarily. We refer the readers to Sect. 3.1 in the full version of this paper [PS20] for the security definition.
Benefits of the Client-Server Model. In our construction, the clients only participate in the input phase and the output phase. The main computation is conducted by the servers. For simplicity, we use \(\{P_1,\ldots ,P_n\}\) to denote the n servers, and refer to the servers as parties. Let \(\mathcal {C}\) denote the set of all corrupted parties and \(\mathcal {H}\) denote the set of all honest parties. One benefit of the client-server model is the following theorem shown in [GIP+14].
Theorem 2
(Lemma 5.2 [GIP+14]). Let \(\Pi \) be a protocol computing a c-client circuit C using \(n=2t+1\) parties. Then, if \(\Pi \) is secure against any adversary controlling exactly t parties, then \(\Pi \) is secure against any adversary controlling at most t parties.
This theorem allows us to only consider the case where the adversary controls exactly t parties. Therefore in the following, we assume that there are exactly t corrupted parties.
3.2 Secret Sharing Scheme
Shamir Secret Sharing Scheme. In this work, we will use the standard Shamir Secret Sharing Scheme [Sha79]. Let n be the number of parties and \(\mathbb {G}\) be a finite field of size \(|\mathbb {G}|\ge n+1\). Let \(\alpha _1,\ldots ,\alpha _n\) be n distinct non-zero elements in \(\mathbb {G}\).
A degree-d Shamir sharing of \(x\in \mathbb {G}\) is a vector \((x_1,\ldots ,x_n)\) which satisfies that, there exists a polynomial \(f(\cdot )\in \mathbb {G}[X]\) of degree at most d such that \(f(0)=x\) and \(f(\alpha _i)=x_i\) for \(i\in \{1,\ldots ,n\}\). Each party \(P_i\) holds a share \(x_i\) and the whole sharing is denoted by \([x]_d\).
We recall the properties of a degree-d Shamir sharing: (1) It requires \(d+1\) shares to reconstruct the secret x, and (2) any d shares do not leak any information about x.
Abstract General Linear Secret Sharing Schemes. We adopt the notion of an abstract definition of a general linear secret sharing scheme (GLSSS) in [CCXY18]. The following notations are borrowed from [CCXY18].
For non-empty sets U and \(\mathcal {I}\), \(U^\mathcal {I}\) denotes the indexed Cartesian product \(\prod _{i\in \mathcal {I}}U\). For a non-empty set \(A\subset \mathcal {I}\), the natural projection \(\pi _A\) maps a tuple \(u=(u_i)_{i\in \mathcal {I}}\in U^\mathcal {I}\) to the tuple \((u_i)_{i\in A}\in U^A\). Let K be a field.
Definition 1
(Abstract K-GLSSS [CCXY18]). A general K-linear secret sharing scheme \(\varSigma \) consists of the following data:
-
A set of parties \(\mathcal {I}=\{1,\ldots , n\}\)
-
A finite-dimensional K-vector space Z, the secret space.
-
A finite-dimensional K-vector space U, the share space.
-
A K-linear subspace \(C\subset U^\mathcal {I}\), where the latter is considered a K-vector space in the usual way (i.e., direct sum).
-
A surjective K-linear map \(\varPhi :C\rightarrow Z\), its defining map.
Definition 2
([CCXY18]). Suppose \(A\subset \mathcal {I}\) is nonempty. Then A is a privacy set if the K-linear map
is surjective. Finally, A is a reconstruction set if, for all \(x\in C\), it holds that
A Tensoring-up Lemma. We follow the definition of interleaved GLSSS: the m-fold interleaved GLSSS \(\varSigma ^{\times m}\) is an n-party scheme which corresponds to m \(\varSigma \)-sharings. We have the following proposition from [CCXY18]:
Proposition 1
([CCXY18]). Let L be a degree-m extension field of K and let \(\varSigma \) be a K-GLSSS. Then the m-fold interleaved K-GLSSS \(\varSigma ^{\times m}\) is naturally viewed as an L-GLSSS, compatible with its K-linearity.
Let [x] denote a sharing in \(\varSigma \). This proposition allows us to define \(\lambda :\varSigma ^{\times m}\rightarrow \varSigma ^{\times m}\) for every \(\lambda \in L\) such that for all \([\boldsymbol{x}]=([x_1], \ldots , [x_m])\in \varSigma ^{\times m}\):
-
for all \(\lambda \in K\), \(\lambda \cdot ([x_1], \ldots , [x_m])=(\lambda \cdot [x_1], \ldots , \lambda \cdot [x_m])\);
-
for all \(\lambda _1, \lambda _2\in L\), \(\lambda _1\cdot [\boldsymbol{x}]+\lambda _2\cdot [\boldsymbol{x}] = (\lambda _1+\lambda _2)\cdot [\boldsymbol{x}]\);
-
for all \(\lambda _1, \lambda _2\in L\), \(\lambda _1\cdot (\lambda _2\cdot [\boldsymbol{x}]) = (\lambda _1\cdot \lambda _2)\cdot [\boldsymbol{x}]\).
An Example of a GLSSS and Using the Tensoring-up Lemma. We will use the standard Shamir secret sharing scheme as an example of a GLSSS and show how to use the tensoring-up lemma. For a field K (of size \(|K|\ge n+1\)), we may define a secret sharing \(\varSigma \) which takes an input \(x\in K\) and outputs \([x]_t\), i.e., a degree-t Shamir sharing. The secret space and the share space of \(\varSigma \) are K. According to the Lagrange interpolation, the secret x can be written as a K-linear combination of all the shares. Therefore, the defining map of \(\varSigma \) is K-linear. Thus \(\varSigma \) is a K-GLSSS.
A sharing \([\boldsymbol{x}]_t = ([x_1]_t, [x_2]_t,\ldots , [x_m]_t) \in \varSigma ^{\times m}\) is a vector of m sharings in \(\varSigma \). Let L be a degree-m extension field of K. The tensoring-up lemma says that \(\varSigma ^{\times m}\) is a L-GLSSS. Therefore we can perform L-linear operations to the sharings in \(\varSigma ^{\times m}\).
3.3 Reverse Multiplication Friendly Embeddings
Definition 3
([CCXY18]). Let k, m be integers and \(\mathbb {F}_q\) be a finite field. A pair \((\phi , \psi )\) is called an \((k,m)_q\)-reverse multiplication friendly embedding (RMFE) if \(\phi :\mathbb {F}_{q}^k\rightarrow \mathbb {F}_{q^m}\) and \(\psi :\mathbb {F}_{q^m}\rightarrow \mathbb {F}_{q}^k\) are two \(\mathbb {F}_q\)-linear maps satisfying
for all \(\boldsymbol{x}, \boldsymbol{y}\in \mathbb {F}_{q}^k\), where \(*\) denotes coordinate-wise product.
Note that when picking \(\boldsymbol{1} = (1,1, \ldots , 1)\), we have \(\boldsymbol{x} * \boldsymbol{1} = \boldsymbol{x}\) and therefore, \(\boldsymbol{x} = \psi (\phi (\boldsymbol{x})\cdot \phi (\boldsymbol{1}))\). It implies that \(\phi \) is injective. Therefore, there exists \(\phi ^{-1}:\text {Im}(\phi )\rightarrow \mathbb {F}_{q}^k\) such that for all \(\boldsymbol{x}\in \mathbb {F}_{q}^k\), it satisfies that
It is easy to verify that \(\phi ^{-1}\) is also \(\mathbb {F}_q\)-linear.
Now we show that there exists an \(\mathbb {F}_q\)-linear map \(\tilde{\phi }^{-1}:\mathbb {F}_{q^m}\rightarrow \mathbb {F}_{q}^k\) such that for all \(\boldsymbol{x}\in \mathbb {F}_{q}^k\),
Lemma 1
Let k, m be integers and \(\mathbb {F}_q\) be a finite field. Suppose \((\phi , \psi )\) is an \((k,m)_q\)-reverse multiplication friendly embedding. Then there exists an \(\mathbb {F}_q\)-linear map \(\tilde{\phi }^{-1}:\mathbb {F}_{q^m}\rightarrow \mathbb {F}_{q}^k\) such that for all \(\boldsymbol{x}\in \mathbb {F}_{q}^k\),
Proof
Let \(\boldsymbol{1}= (1,1,\ldots , 1)\in \mathbb {F}_{q}^k\). We explicitly construct \(\tilde{\phi }^{-1}\) as follows:
It is clear that \(\tilde{\phi }^{-1}\) is \(\mathbb {F}_q\)-linear. For all \(\boldsymbol{x}\in \mathbb {F}_{q}^k\), by the definition of RMFE, we have
\(\square \)
In [CCXY18], Cascudo et al. show that there exist constant rate RMFEs, which is summarized in Theorem 3.
Theorem 3
For every finite prime power q, there exists a family of constant rate \((k, m)_q\)-RMFE where \(m=\varTheta (k)\).
3.4 Useful Building Blocks
In this part, we will introduce three functionalities which will be used in our main construction.
-
The first functionality \(\mathcal {F}_{\text {coin}}\) allows all parties to generate a random element. An instantiation of this functionality can be found in [GSZ20] (Protocol 6 in Sect. 3.5 of [GS20]), which has communication complexity \(O(n^2)\) elements in \(\mathbb {F}_{q^m}\) (i.e., \(O(n^2\cdot m)\) elements in \(\mathbb {F}_q\)).
-
The second functionality \(\mathcal {F}_{\text {mult}}\) allows all parties to evaluate a multiplication with inputs being shared by degree-t Shamir sharings. While \(\mathcal {F}_{\text {mult}}\) protects the secrets of the input sharings, it allows the adversary to add an arbitrary fixed value to the multiplication result. This functionality can be instantiated by the multiplication protocol in the semi-honest DN protocol [DN07]. In [GSZ20], Goyal et al. also provide a detailed proof of the security of the multiplication protocol in [DN07] (Lemma 4 in Sect. 4.1 of [GS20]). The amortized communication complexity per multiplication is O(n) field elements per party.
-
The third functionality \(\mathcal {F}_{\text {multVerify}}\) allows all parties to verify the correctness of multiplications computed by \(\mathcal {F}_{\text {mult}}\). An instantiation of \(\mathcal {F}_{\text {multVerify}}\) can be found in [GSZ20] (Protocol 17 in Sect. 5.4 of [GS20]), which has communication complexity \(O(n^2\cdot \log N\cdot \kappa )\) bits, where n is the number of parties and \(\kappa \) is the security parameter. Note that the amortized communication per multiplication tuple is sub-linear.
We refer the readers to Sect. 3.4 in the full version of this paper [PS20] for the descriptions of these functionalities.
4 Preparing Random Sharings for \(\mathbb {F}_q\)-GLSSS
In this section, we present the protocol for preparing random sharings for a given general \(\mathbb {F}_q\)-linear secret sharing scheme, denoted by \(\varSigma \). Let \([x]\) denote a sharing in \(\varSigma \) of secret x. For a set \(A\subset \mathcal {I}\), recall that \(\pi _A([x])\) refers to the shares of \([x]\) held by parties in A. We assume that \(\varSigma \) satisfies the following property:
-
Given a set \(A\subset \mathcal {I}\) and a set of shares \(\{a_i\}_{i\in A}\) for parties in A, let
$$\varSigma (A, (a_i)_{i\in A}):=\{[x]|\ [x]\in \varSigma \text { and }\pi _A([x]) = (a_i)_{i\in A}\}.$$Then, there is an efficient algorithm which outputs that either \(\varSigma (A, (a_i)_{i\in A})=\emptyset \), or a random sharing \([x]\) in \(\varSigma (A, (a_i)_{i\in A})\).
The description of the functionality \(\mathcal {F}_{\text {rand}}\) appears in Functionality 1. In short, \(\mathcal {F}_{\text {rand}}\) allows the adversary to specify the shares held by corrupted parties. Based on these shares, \(\mathcal {F}_{\text {rand}}\) generates a random sharing in \(\varSigma \) and distributes the shares to honest parties. Note that, when the set of corrupted parties is a privacy set, the secret is independent of the shares chosen by the adversary.
We will follow the idea in [BSFO12] of preparing random degree-t Shamir sharings to prepare random sharings in \(\varSigma \). At a high-level, each party first deals a batch of random sharings in \(\varSigma \). For each party, all parties together verify that the sharings dealt by this party have the correct form. Then all parties locally convert the sharings dealt by each party to random sharings such that the secrets are not known to any single party.
We refer the readers to Sect. 4 in the full version of this paper [PS20] for the construction for \(\mathcal {F}_{\text {rand}}\). Suppose the share size of a sharing in \(\varSigma \) is \(\textsf {sh}\) field elements in \(\mathbb {F}_q\). The communication complexity of preparing N random sharings in \(\varSigma \) is \(O(N\cdot n\cdot \textsf {sh} + n^3\cdot m)\) elements in \(\mathbb {F}_q\).
5 Hidden Additive Secret Sharing
Let \((\phi ,\psi )\) be an \((k,m)_q\)-RMFE. Recall that n denotes the number of parties and \(\phi :\mathbb {F}_{q}^k\rightarrow \mathbb {F}_{q^m}\) is an \(\mathbb {F}_q\)-linear map. Recall that \(|\mathbb {F}_{q^m}|=q^m\ge 2^\kappa \ge n+1\). Thus, the Shamir secret sharing scheme is well-defined in \(\mathbb {F}_{q^m}\). In our construction, we will use \(\phi \) to encode a vector \(\boldsymbol{x}=(x^{(1)}, \ldots , x^{(k)})\in \mathbb {F}_{q}^k\). All parties will hold a degree-t Shamir sharing of \(\phi (\boldsymbol{x})\), denoted by \([\phi (\boldsymbol{x})]_t\).
Defining Additive Sharings and Couple Sharings. For \(x\in \mathbb {F}_q\), we use \(\langle x \rangle \) to denote an additive sharing of x among the first \(t+1\) parties in \(\mathbb {F}_q\). Specifically, \(\langle x \rangle = (x_1, \ldots , x_n)\) where the party \(P_i\) holds the share \(x_i\in \mathbb {F}_q\) such that \(x = \sum _{i=1}^{t+1} x_i\) and the last t shares \(x_{t+2}, \ldots , x_{n}\) are all 0.
Recall that \(\psi :\mathbb {F}_{q^m}\rightarrow \mathbb {F}_{q}^k\) is an \(\mathbb {F}_q\)-linear map. For all \(y\in \mathbb {F}_{q^m}\), if \(\psi (y)=(y_1, y_2,\ldots , y_k)\), we define \(\textsf {val}(y):=\sum _{i=1}^k y_i\). Note that \(\textsf {val}(\cdot )\) is an \(\mathbb {F}_q\)-linear map from \(\mathbb {F}_{q^m}\) to \(\mathbb {F}_q\). We say a pair of sharings \((\langle x \rangle , [y]_t)\) is a pair of couple sharings if
-
\(\langle x \rangle \) is an additive sharing of \(x\in \mathbb {F}_q\);
-
\([y]_t\) is a degree-t Shamir sharing of \(y\in \mathbb {F}_{q^m}\);
-
\(\textsf {val}(y)=x\).
In the following, we will use \([\![x]\!]:=(\langle x \rangle , [y]_t)\) to denote a pair of couple sharings of \(x\in \mathbb {F}_q\). Note that for the additive sharing \(\langle x \rangle \), a corrupted party in the first \(t+1\) parties can easily change the secret by changing its own share. However, the secret of \([y]_t\) is determined by the shares of honest parties and cannot be altered by corrupted parties. Therefore, \([y]_t\) can be seen as a robust version of the sharing \(\langle x \rangle \).
Properties of Couple Sharings. We note that couple sharings are \(\mathbb {F}_q\)-linear. Concretely, for all couple sharings \([\![x]\!]=(\langle x \rangle , [y]_t)\) and \([\![x']\!]=(\langle x' \rangle , [y']_t)\), and for all \(\alpha , \beta \in \mathbb {F}_q\), the linear combination
is still a pair of couple sharings. This property follows from the fact that \(\textsf {val}(\cdot )\) is an \(\mathbb {F}_q\)-linear map.
We can also define the addition operation between a pair of couple sharings \([\![x]\!]\) and a field element \(x'\) in \(\mathbb {F}_q\). This is done by transforming \(x'\) to a pair of couple sharings of \(x'\). For \(\langle x' \rangle \), we set the share of the first party to be \(x'\), and the shares of the rest of parties to be 0. For the degree-t Shamir sharing, we first need to find \(y'\in \mathbb {F}_{q^m}\) such that \(\textsf {val}(y')=x'\). This is done by choosing two vectors \(\boldsymbol{a}, \boldsymbol{b}\in \mathbb {F}_{q}^k\) such that:
-
For \(\boldsymbol{a}\), the first entry is 1 and the rest of entries are 0.
-
For \(\boldsymbol{b}\), the first entry is \(x'\) and the rest of entries are 0.
By the property of RMFE, \(\psi (\phi (\boldsymbol{a})\cdot \phi (\boldsymbol{b}))=\boldsymbol{a}*\boldsymbol{b}\). In particular, the first entry of \(\boldsymbol{a}*\boldsymbol{b}\) is \(x'\) and the rest of entries are 0. Therefore \(y':=\phi (\boldsymbol{a})\cdot \phi (\boldsymbol{b})\) satisfies that \(\textsf {val}(y') = x'\). For \([y']_t\), we set the share of each party to be \(y'\). Finally, the addition operation between \([\![x]\!]\) and \(x'\in \mathbb {F}_q\) is defined by
Generating Couple Sharings from \([\phi (\boldsymbol{x})]_t\). In this part, we show how to non-interactively obtain k pairs of couple sharings \([\![x^{(1)}]\!], [\![x^{(2)}]\!], \ldots , [\![x^{(k)}]\!]\) from a degree-t Shamir sharing \([\phi (\boldsymbol{x})]_t\), where \(\boldsymbol{x}=(x^{(1)}, x^{(2)}, \ldots , x^{(k)})\in \mathbb {F}_{q}^k\). It allows us to prepare k pairs of random couple sharings with the cost of preparing one random sharing \([\phi (\boldsymbol{x})]_t\).
We first show how to obtain \([y^{(i)}]_t\) such that \(\textsf {val}(y^{(i)})=x^{(i)}\) for all \(i\in [k]\). Let \(\boldsymbol{e}^{(i)}\) be a vector in \(\mathbb {F}_{q}^k\) such that all entries are 0 except that the i-th entry is 1. By the property of RMFE, we have
For \(\boldsymbol{e}^{(i)} * \boldsymbol{x}\), all entries are 0 except that the i-th entry is \(x^{(i)}\). Therefore by the definition of \(\textsf {val}(\cdot )\), we have \(\textsf {val}(\phi (\boldsymbol{e}^{(i)})\cdot \phi (\boldsymbol{x})) = x^{(i)}\). To obtain \([y^{(i)}]_t\), all parties compute
Now we show how to obtain \(\langle x^{(i)} \rangle \) from \([\phi (\boldsymbol{x})]\). Let \(\langle \boldsymbol{x} \rangle :=(\langle x^{(1)} \rangle , \ldots , \langle x^{(k)} \rangle )\) denote a vector of additive sharings of \(\boldsymbol{x}\in \mathbb {F}_{q}^k\). For each party, its share of \(\langle \boldsymbol{x} \rangle \) is a vector in \(\mathbb {F}_{q}^k\). For the last t parties, they take the all-0 vector as their shares.
Recall that the degree-t Shamir sharing \([\phi (\boldsymbol{x})]_t\) corresponds to a degree-t polynomial \(f(\cdot )\in \mathbb {F}_{q^m}[X]\) such that \(f(\alpha _i)\) is the share of the i-th party \(P_i\) and \(f(0)=\phi (\boldsymbol{x})\), where \(\alpha _1,\ldots ,\alpha _n\) are distinct non-zero elements in \(\mathbb {F}_{q^m}\). In particular, relying on Lagrange interpolation, f(0) can be written as a linear combination of the first \(t+1\) shares. For \(i\in \{1,\ldots ,t+1\}\), let \(c_i=\prod _{j\ne i, j\in [t+1]} \frac{\alpha _j}{\alpha _j-\alpha _i}\). We have
Therefore, the Shamir sharing \([\phi (\boldsymbol{x})]_t\) can be locally converted to an additive sharing of \(\phi (\boldsymbol{x})\) among the first \(t+1\) parties by letting \(P_i\) take \(c_if(\alpha _i)\) as its share. For each \(i\in \{1,\ldots , t+1\}\), \(P_i\) locally applies \(\tilde{\phi }^{-1}(c_if(\alpha _i))\), which outputs a vector in \(\mathbb {F}_{q}^k\). It is sufficient to show that these \(t+1\) shares correspond to an additive sharing of \(\boldsymbol{x}\). Note that
The description of Separate appears in Protocol 2.
6 Building Blocks for Preprocessing Phase
In this section, we will introduce 4 functionalities which are used to prepare necessary correlated-randomness for the computation.
-
The first functionality \(\mathcal {F}_{\text {random}}\) allows all parties to prepare random sharings in the form of \([\phi (\boldsymbol{r})]_t\), where \((\phi , \psi )\) is a RMFE, and \(\boldsymbol{r}\) is a random vector in \(\mathbb {F}_{q}^k\).
-
The second functionality \(\mathcal {F}_{\text {tuple}}\) allows all parties to prepare random tuple of sharings in the form of \(([\phi (\boldsymbol{a})]_t, [\phi (\boldsymbol{b})]_t, [\phi (\boldsymbol{c})]_t)\), where \(\boldsymbol{a}, \boldsymbol{b}\) are random vectors in \(\mathbb {F}_{q}^k\), and \(\boldsymbol{c} = \boldsymbol{a} * \boldsymbol{b}\). For each tuple, relying on \(\textsc {Separate}\), all parties can locally obtain k multiplication tuples in the form of \(([\![a]\!], [\![b]\!], [\![c]\!])\), where a, b are random elements in \(\mathbb {F}_q\), and \(c=a\cdot b\). Such a multiplication tuple is referred to as a Beaver tuple. In the online phase, one Beaver tuple will be consumed to compute a multiplication gate.
-
Recall that we use \(\langle x \rangle \) to denote an additive sharing of \(x\in \mathbb {F}_q\) among the first \(t+1\) parties, and the shares of the rest of parties are 0. The third functionality \(\mathcal {F}_{\text {zero}}\) allows all parties to prepare random additive sharings of 0. When evaluating a multiplication gate in the online phase, we will use random additive sharings of 0 to protect the shares of honest parties.
-
Recall that \(\textsf {val}(\cdot ):\mathbb {F}_{q^m}\rightarrow \mathbb {F}_q\) is an \(\mathbb {F}_q\)-linear map, defined by \(\textsf {val}(y) = \sum _{i=1}^k y_i\), where \((y_1, y_2,\ldots , y_k) = \psi (y)\). The last functionality \(\mathcal {F}_{\text {parity}}\) allows all parties to prepare random sharings in the form of \([p]_t\), where \(\textsf {val}(p) = 0\). These random sharings are used at the end of the protocol to verify the computation.
6.1 Preparing Random Sharings
In this part, we introduce the functionality to let all parties prepare random sharings in the form of \([\phi (\boldsymbol{r})]_t\). Recall that \((\phi ,\psi )\) is an \((k,m)_q\)-RMFE. Here each \([\phi (\boldsymbol{r})]_t\) is a random degree-t Shamir sharing of the secret \(\phi (\boldsymbol{r})\) where \(\boldsymbol{r}\) is a random vector in \(\mathbb {F}_{q}^k\). The description of \(\mathcal {F}_{\text {random}}\) appears in Functionality 3. In Sect. 6.1 of the full version of this paper [PS20], we show how to use \(\mathcal {F}_{\text {rand}}\) to instantiate \(\mathcal {F}_{\text {random}}\). Relying on the protocol (Sect. 4 in [PS20]) for \(\mathcal {F}_{\text {rand}}\), we can generate N random sharings in the form of \([\phi (\boldsymbol{r})]_t\) with communication of \(O(N\cdot n\cdot m + n^3\cdot m)\) elements in \(\mathbb {F}_q\).
6.2 Preparing Beaver Tuples
In this part, we show how to prepare random tuples of sharings in \(\mathbb {F}_{q^m}\) in the form of \(([\phi (\boldsymbol{a})]_t, [\phi (\boldsymbol{b})]_t, [\phi (\boldsymbol{c})]_t)\) where \(\boldsymbol{a}, \boldsymbol{b}\) are random vectors in \(\mathbb {F}_{q}^k\), and \(\boldsymbol{c} = \boldsymbol{a} * \boldsymbol{b}\). The description of \(\mathcal {F}_{\text {tuple}}\) appears in Functionality 4. In Sect. 6.2 of the full version of this paper [PS20], we introduce an instantiation of \(\mathcal {F}_{\text {tuple}}\). The communication complexity of preparing N tuples of sharings in the form of \(([\phi (\boldsymbol{a})]_t, [\phi (\boldsymbol{b})]_t, [\phi (\boldsymbol{c})]_t)\) is \(O(N\cdot n\cdot m + n^3\cdot m + n^2 \cdot \log N \cdot m)\) elements in \(\mathbb {F}_q\).
In the online phase, each tuple \(([\phi (\boldsymbol{a})]_t, [\phi (\boldsymbol{b})]_t, [\phi (\boldsymbol{c})]_t)\) will be separated by Separate (Protocol 2) to k Beaver tuples
A Beaver tuple \(([\![a^{(i)}]\!], [\![b^{(i)}]\!], [\![c^{(i)}]\!])\) satisfies that \(a^{(i)}, b^{(i)}\) are random elements in \(\mathbb {F}_q\) and \(c^{(i)} = a^{(i)}\cdot b^{(i)}\). A multiplication gate is then evaluated by consuming one Beaver tuple. More details can be found in Sect. 7.2.
6.3 Preparing Zero Additive Sharings
With Beaver tuples prepared in the preprocessing phase, all parties only need to do reconstructions in the online phase. To protect the shares held by honest parties, for each reconstruction, we will prepare a random additive sharing of 0 among the first \(t+1\) parties. We summarize the functionality for zero additive sharings in Functionality 5. In Sect. 6.3 of the full version of this paper [PS20], we show how to use \(\mathcal {F}_{\text {rand}}\) to instantiate \(\mathcal {F}_{\text {zero}}\). Relying on the protocol (Sect. 4 in [PS20]) for \(\mathcal {F}_{\text {rand}}\), we can generate N random sharings in the form of \(\langle o \rangle \) with communication of \(O(N\cdot n + n^3\cdot m)\) elements in \(\mathbb {F}_q\).
6.4 Preparing Parity Sharings
Recall that all parties only need to do reconstructions in the online phase. At the end of the online phase, it is sufficient to only verify the reconstructions. To this end, we first define what we call parity elements and parity sharings.
Recall that \(\textsf {val}(\cdot ):\mathbb {F}_{q^m}\rightarrow \mathbb {F}_q\) is an \(\mathbb {F}_q\)-linear map, defined by \(\textsf {val}(y) = \sum _{i=1}^k y_i\), where \((y_1,y_2,\ldots , y_k) = \psi (y)\). For an element \(p\in \mathbb {F}_{q^m}\), we say p is a parity element if \(\textsf {val}(p) = 0\). A parity sharing is a degree-t Shamir sharing of a parity element. At the end of the protocol, we will use uniformly random parity sharings as masks when checking the correctness of the reconstructions. We summarize the functionality for preparing random parity sharings in Functionality 6. In Sect. 6.4 of the full version of this paper [PS20], we show how to use \(\mathcal {F}_{\text {rand}}\) to instantiate \(\mathcal {F}_{\text {parity}}\). Relying on the protocol (Sect. 4 in [PS20]) for \(\mathcal {F}_{\text {rand}}\), we can generate N random parity sharings with communication of \(O(N\cdot n\cdot m + n^3\cdot m)\) elements in \(\mathbb {F}_q\).
7 Online Phase
Let \((\phi , \psi )\) be an \((k,m)_q\)-RMFE. Recall that
-
\(\textsf {val}(\cdot ):\mathbb {F}_{q^m}\rightarrow \mathbb {F}_q\) is defined by \(\textsf {val}(y)=\sum _{i=1}^k y_i\), where \((y_1,\ldots , y_k) = \psi (y)\).
-
We use \(\langle x \rangle \) to denote an additive sharing of \(x\in \mathbb {F}_q\) among the first \(t+1\) parties, and the shares of the rest of parties are 0.
-
A pair of couple sharings \([\![x]\!]:=(\langle x \rangle , [y]_t)\) contains an additive sharing of \(x\in \mathbb {F}_q\) and a degree-t Shamir sharing of \(y\in \mathbb {F}_{q^m}\) such that \(\textsf {val}(y) = x\).
In the online phase, our idea is to compute a pair of couple sharings for each wire. For an addition gate, given two pairs of couple sharings as input, all parties can locally compute the addition of these two sharings. For a multiplication gate, relying on Beaver tuples prepared in the preprocessing phase, all parties only need to reconstruct two pairs of couple sharings. We note that for the two sharings in a pair of couple sharings:
-
The first sharing is an additive sharing in \(\mathbb {F}_q\). The share of each party is just a field element in \(\mathbb {F}_q\). We will use this sharing to do reconstruction. However, the correctness cannot be guaranteed since a single corrupted party can change the secret by changing its own share.
-
The second sharing is a degree-t Shamir sharing in \(\mathbb {F}_{q^m}\). The share of each party is a field element in \(\mathbb {F}_{q^m}\). Note that the secret is determined by the shares of honest parties, and cannot be altered by corrupted parties. However, using this sharing to do reconstruction is expensive. Therefore, we will use this sharing to verify the correctness of reconstruction at the end of the protocol.
7.1 Input Gates
Recall that we are in the client-server model. In particular, all the inputs belong to the clients. In this part, we introduce a protocol Input, which allows a client to share k inputs to all parties. In the main protocol, we will invoke Input for every client with k inputs.
The description of Input appears in Protocol 7. The communication complexity of \(\textsc {Input}(\textsf {Client}, \{x^{(1)}, \ldots , x^{(k)}\})\) is \(O(m+k)\) elements in \(\mathbb {F}_q\) plus one call of \(\mathcal {F}_{\text {random}}\).
Note that this protocol guarantees the security of the inputs of honest clients. This is because the input of honest clients are masked by random vectors \(\boldsymbol{r}\)’s which are chosen by \(\mathcal {F}_{\text {random}}\). However, a corrupted client can send different values to different parties, which leads to incorrect or inconsistent couple sharings in the final step. We will address this issue by checking consistency of the values distributed by all clients at the end of the protocol.
7.2 Addition Gates and Multiplication Gates
For each fan-in two addition gate with input sharings \([\![x^{(1)}]\!], [\![x^{(2)}]\!]\), all parties locally compute
For each multiplication gate with input sharings \([\![x^{(1)}]\!], [\![x^{(2)}]\!]\), we want to obtain a pair of couple sharings \([\![x^{(0)}]\!]\) such that \(x^{(0)} = x^{(1)} \cdot x^{(2)}\). To this end, we will use one Beaver tuple \(([\![a]\!], [\![b]\!], [\![c]\!])\) prepared in Sect. 6.2. It satisfies that a, b are random field elements in \(\mathbb {F}_q\) and \(c = a\cdot b\). Note that
Therefore, all parties only need to reconstruct the sharings \([\![a]\!] + [\![x^{(1)}]\!]\) and \([\![b]\!] + [\![x^{(2)}]\!]\), and the resulting sharing can be computed by
To reconstruct \([\![a]\!] + [\![x^{(1)}]\!]\), we will use the additive sharing \(\langle a + x^{(1)} \rangle :=\langle a \rangle +\langle x^{(1)} \rangle \). We first add a random additive sharing \(\langle o \rangle \) of 0 (prepared in Sect. 6.3) to protect the shares of honest parties. The first \(t+1\) parties locally compute \(\langle a \rangle +\langle x^{(1)} \rangle +\langle o \rangle \) and send their shares to \(P_1\). \(P_1\) reconstructs the secret \(a+x^{(1)}\) and sends the result to all other parties. Similar process is done when reconstructing \(\langle b + x^{(2)} \rangle := \langle b \rangle + \langle x^{(2)} \rangle \).
Note that \(\langle a \rangle +\langle o \rangle \) is a random additive sharing. The share of each honest party in \(\{P_1,\ldots , P_{t+1}\}\) is uniformly distributed. Essentially, each honest party in \(\{P_1,\ldots , P_{t+1}\}\) uses a random element as mask to protect its own share. The protocol Mult appears in Protocol 8. The communication complexity of Mult is O(n) elements in \(\mathbb {F}_q\) plus two calls of \(\mathcal {F}_{\text {zero}}\).
The protocol Mult can go wrong at three places:
-
A corrupted party may send an incorrect share to \(P_1\).
-
\(P_1\) is corrupted and distributes an incorrect reconstruction result to all other parties.
-
\(P_1\) is corrupted and distributes different values to different parties.
Note that, relying on the random additive sharing of 0, honest parties in the first \(t+1\) parties only send random elements to \(P_1\). Therefore, Mult does not leak any information about the shares of honest parties even if the input sharings of the multiplication gate are not in the correct form. It allows us to delay the verification of the values distributed by \(P_1\) to the end of the protocol. It also allows us to delay the verification of the values distributed by clients in the input phase to the end of the protocol since a corrupted client distributing different values to different parties has the same effect as \(P_1\) distributing different values to different parties. During the verification of the computation, we will first check whether all parties receive the same values to resolve the third issue. Then, for the first two issues, it is sufficient to check the correctness of the reconstructions.
7.3 Verification of the Computation
Before all parties revealing the outputs, we need to verify the computation. Concretely, we need to verify that (1) the clients distributed the same values in the input phase, and \(P_1\) distributed the same values when evaluating multiplication gates, and (2) the reconstructions are correct.
Checking the Correctness of Distribution. All parties first check whether they receive the same values when handling input gates and multiplication gates. Note that these values are all in \(\mathbb {F}_q\). Assume that these values are denoted by \(x^{(1)}, x^{(2)}, \ldots , x^{(N)}\). The protocol CheckConsistency appears in Protocol 9. The communication complexity of \(\textsc {CheckConsistency}(N, \{x^{(1)}, \ldots , x^{(N)}\})\) is \(O(n^2\cdot m)\) elements in \(\mathbb {F}_q\).
Lemma 2
If there exists two honest parties who receive different set of values \(\{x^{(1)}, \ldots , x^{(N)}\}\), then with overwhelming probability, at least one honest party will abort in the protocol CheckConsistency.
We refer the readers to Sect. 7.3 in the full version of this paper [PS20] for the proof of Lemma 2.
This step makes sure that all (honest) parties receive the same values from clients and \(P_1\). Therefore, the remaining task is to verify the correctness of the reconstructions.
Verification of Reconstructions. Recall that a pair of couple sharings \([\![x]\!]:=(\langle x \rangle , [y]_t)\) satisfies that \(\langle x \rangle \) is an additive sharing of x and \([y]_t\) is a degree-t Shamir sharing of y such that \(\textsf {val}(y) = x\). For a multiplication gate with input sharings \((\langle x^{(1)} \rangle , [y^{(1)}]_t), (\langle x^{(2)} \rangle , [y^{(2)}]_t)\), one Beaver tuple \(((\langle a \rangle , [\alpha ]_t), (\langle b \rangle , [\beta ]_t), (\langle c \rangle , [\gamma ]_t))\) is consumed to compute the resulting sharing. All parties reconstruct
and learn \(x^{(1)}+a\) and \(x^{(2)}+b\). Note that, the secret of a degree-t Shamir sharing is determined by the shares held by honest parties. Therefore, the correctness can be verified by checking \(\textsf {val}(y^{(1)}+\alpha ) = x^{(1)}+a\) and \(\textsf {val}(y^{(2)}+\beta )=x^{(2)}+b\).
This task can be summarized as follows: Given N value-sharing pairs
where \(u^{(i)}\in \mathbb {F}_q\) and \(w^{(i)}\in \mathbb {F}_{q^m}\) for all \(i\in [N]\), we want to verify that for all \(i\in [N]\), \(\textsf {val}(w^{(i)}) = u^{(i)}\). Here \(u^{(i)}\) corresponds to \(x^{(1)}+a\) and \([w^{(i)}]_t\) corresponds to \([y^{(1)}+\alpha ]_t\). The functionality \(\mathcal {F}_{\text {checkRecon}}\) appears in Functionality 10. In Sect. 7.3 of the full version of this paper [PS20], we introduce an instantiation of \(\mathcal {F}_{\text {checkRecon}}\). The communication complexity of this instantiation is \(O(n^2\cdot m^2)\) elements in \(\mathbb {F}_q\) plus m calls of \(\mathcal {F}_{\text {parity}}\).
7.4 Output Gates
Recall that we are in the client-server model. In particular, only the clients receive the outputs. In this part, we will introduce a functionality \(\mathcal {F}_{\text {output}}\) which reconstructs the output couple sharings to the client who should receive them. In the main protocol, we will invoke \(\mathcal {F}_{\text {output}}\) for every client.
Suppose we need to reconstruct the following N pairs of couple sharings to the \(\textsf {Client}\):
Recall that a pair of couple sharings \([\![x]\!]:=(\langle x \rangle , [y]_t)\) satisfies that \(\langle x \rangle \) is an additive sharing of x, and \([y]_t\) is a degree-t Shamir sharing of y such that \(\textsf {val}(y)=x\). The functionality \(\mathcal {F}_{\text {output}}\) appears in Functionality 11. In Sect. 7.4 of the full version of this paper [PS20], we introduce an instantiation of \(\mathcal {F}_{\text {output}}\). The communication complexity of this instantiation is \(O(N\cdot n + n^2\cdot m+ n\cdot m^2)\) elements in \(\mathbb {F}_q\) plus N calls of \(\mathcal {F}_{\text {zero}}\) and m calls of \(\mathcal {F}_{\text {parity}}\).
7.5 Main Protocol
Now we are ready to introduce our main construction. Recall that we are in the client-server model. In particular, all the inputs belong to the clients, and only the clients receive the outputs. The functionality \(\mathcal {F}_{\text {main}}\) is described in Functionality 12. The protocol Main appears in Protocol 13.
Theorem 4
Let c be the number of clients and \(n=2t+1\) be the number of parties. The protocol Main securely computes \(\mathcal {F}_{\text {main}}\) with abort in \(\{\mathcal {F}_{\text {tuple}}, \mathcal {F}_{\text {random}},\) \(\mathcal {F}_{\text {zero}}, \mathcal {F}_{\text {coin}}, \mathcal {F}_{\text {checkRecon}}, \mathcal {F}_{\text {output}}\}\)-hybrid model in the presence of a fully malicious adversary controlling up to c clients and t parties.
We refer the readers to Sect. 7.5 in the full version of this paper [PS20] for the proof of Theorem 4.
Analysis of the Communication Complexity of Main. Let \(c_I, c_M, c_O\) denote the numbers of input gates, multiplication gates, and output gates. Recall that c is the number of clients. In \(\textsc {Main}\), we need to invoke
-
\(c_M/k\) times of \(\mathcal {F}_{\text {tuple}}\) in Step 1, which has communication complexity \(O(c_M\cdot n\cdot m/k + n^3\cdot m + n^2\cdot \log (c_M/k)\cdot m)\) elements in \(\mathbb {F}_q\),
-
\(c_I/k\) times of \(\textsc {Input}\) in Step 2, which has communication complexity \(O(c_I\cdot (m+k)/k)\) elements in \(\mathbb {F}_q\) and \(c_I/k\) calls of \(\mathcal {F}_{\text {random}}\),
-
\(c_M\) times of \(\textsc {Mult}\) in Step 3, which has communication complexity \(O(c_M\cdot n)\) elements in \(\mathbb {F}_q\) and \(2\cdot c_M\) calls of \(\mathcal {F}_{\text {zero}}\),
-
one time of \(\textsc {CheckConsistency}\) in Step 4, which has communication complexity \(O(n^2\cdot m)\) elements in \(\mathbb {F}_q\),
-
one time of \(\mathcal {F}_{\text {checkRecon}}\) in Step 4, which has communication complexity \(O(n^2\cdot m^2)\) elements in \(\mathbb {F}_q\) plus m calls of \(\mathcal {F}_{\text {parity}}\),
-
c times of \(\mathcal {F}_{\text {output}}\) in Step 5, which has communication complexity \(O(c_O\cdot n + c\cdot n^2\cdot m + c\cdot n\cdot m^2)\) elements in \(\mathbb {F}_q\) plus \(c_O\) calls of \(\mathcal {F}_{\text {zero}}\) and \(c\cdot m\) calls of \(\mathcal {F}_{\text {parity}}\).
For \(\mathcal {F}_{\text {random}},\mathcal {F}_{\text {zero}},\mathcal {F}_{\text {parity}}\), we will instantiate them using \(\textsc {Rand}\) with suitable secret sharing schemes. As analyzed in Sect. 6,
-
the communication complexity for \(c_I/k\) calls of \(\mathcal {F}_{\text {random}}\) is \(O(c_I\cdot n\cdot m/k + n^3\cdot m)\) elements in \(\mathbb {F}_q\),
-
the communication complexity for \(2\cdot c_M+c_O\) calls of \(\mathcal {F}_{\text {zero}}\) is \(O((2\cdot c_M+c_O)\cdot n + n^3\cdot m)\) elements in \(\mathbb {F}_q\),
-
the communication complexity for \((c+1)\cdot m\) calls of \(\mathcal {F}_{\text {parity}}\) is \(O((c+1)\cdot n\cdot m^2+n^3\cdot m)\) elements in \(\mathbb {F}_q\).
Let \(C=c_I+c_M+c_O\) be the size of the circuit. In summary, the communication complexity of Main is
elements in \(\mathbb {F}_q\). Recall that we require the extension field \(\mathbb {F}_{q^m}\) to satisfy that \(q^m\ge 2^\kappa \). Therefore, we use \(\kappa \) as an upper bound of m. According to Theorem 3, there exists a family of constant rate \((k,m)_q\)-RMFEs with \(m=\varTheta (k)\). Thus, m/k is a constant. The communication complexity becomes
elements in \(\mathbb {F}_q\).
Theorem 5
In the client-server model, let c denote the number of clients, and \(n=2t+1\) denote the number of parties (servers). Let \(\kappa \) denote the security parameter, and \(\mathbb {F}_q\) denote a finite field of size q. For an arithmetic circuit over \(\mathbb {F}_q\) of size C, there exists an information-theoretic MPC protocol which securely computes the arithmetic circuit with abort in the presence of a fully malicious adversary controlling up to c clients and t parties. The communication complexity of this protocol is \(O(C\cdot n + \textsf {poly}(c, n, \kappa , \log C))\) elements in \(\mathbb {F}_q\).
References
Boneh, D., Boyle, E., Corrigan-Gibbs, H., Gilboa, N., Ishai, Y.: Zero-knowledge proofs on secret-shared data via fully linear PCPs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 67–97. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_3
Beaver, D.: Multiparty protocols tolerating half faulty processors. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 560–572. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_49
Boyle, E., Gilboa, N., Ishai, Y., Nof, A.: Efficient fully secure computation via distributed zero-knowledge proofs. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part III. LNCS, vol. 12493, pp. 244–276. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_9
Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, pp. 1–10. ACM (1988)
Ben-Sasson, E., Fehr, S., Ostrovsky, R.: Near-linear unconditionally-secure multiparty computation with a dishonest minority. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 663–680. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_39
Beerliová-Trubíniová, Z., Hirt, M.: Perfectly-secure MPC with linear communication complexity. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 213–230. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_13
Chaum, D., Crépeau, C., Damgard, I.: Multiparty unconditionally secure protocols. In: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, pp. 11–19. ACM (1988)
Cascudo, I., Cramer, R., Xing, C., Yuan, C.: Amortized complexity of information-theoretically secure MPC revisited. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part III. LNCS, vol. 10993, pp. 395–426. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_14
Cascudo, I., Gundersen, J.S.: A secret-sharing based MPC protocol for boolean circuits with good amortized complexity. Cryptology ePrint Archive, Report 2020/162 (2020). https://eprint.iacr.org/2020/162
Chida, K., et al.: Fast large-scale honest-majority MPC for malicious adversaries. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part III. LNCS, vol. 10993, pp. 34–64. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_2
Damgård, I., Nielsen, J.B.: Scalable and unconditionally secure multiparty computation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 572–590. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_32
Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_38
Damgård, I., Zakarias, S.: Constant-overhead secure computation of boolean circuits using preprocessing. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 621–641. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_35
Genkin, D., Ishai, Y., Prabhakaran, M.M., Sahai, A., Tromer, E.: Circuits resilient to additive attacks with applications to secure computation. In: Proceedings of the Forty-Sixth Annual ACM Symposium on Theory of Computing, STOC 2014, New York, NY, USA, pp. 495–504. ACM (2014)
Goyal, V., Liu, Y., Song, Y.: Communication-efficient unconditional MPC with guaranteed output delivery. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part II. LNCS, vol. 11693, pp. 85–114. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_4
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game. In: Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, pp. 218–229. ACM (1987)
Goyal, V., Song, Y.: Malicious security comes free in honest-majority MPC. Cryptology ePrint Archive, Report 2020/134 (2020). https://eprint.iacr.org/2020/134
Goyal, V., Song, Y., Zhu, C.: Guaranteed output delivery comes free in honest majority MPC. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part II. LNCS, vol. 12171, pp. 618–646. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_22
Hazay, C., Venkitasubramaniam, M., Weiss, M.: The price of active security in cryptographic protocols. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 184–215. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_7
Lindell, Y., Nof, A.: A framework for constructing fast MPC over arithmetic circuits with malicious adversaries and an honest-majority. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 259–276. ACM (2017)
Nielsen, J.B., Nordholt, P.S., Orlandi, C., Burra, S.S.: A new approach to practical active-secure two-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 681–700. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_40
Nordholt, P.S., Veeningen, M.: Minimising communication in honest-majority MPC by batchwise multiplication verification. In: Preneel, B., Vercauteren, F. (eds.) ACNS 2018. LNCS, vol. 10892, pp. 321–339. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93387-0_17
Polychroniadou, A., Song, Y.: Constant-overhead unconditionally secure multiparty computation over binary fields. Cryptology ePrint Archive, Report 2020/1412 (2020). https://eprint.iacr.org/2020/1412
Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority. In: Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, pp. 73–85. ACM (1989)
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
Yao, A.C.: Protocols for secure computations. In: 23rd Annual Symposium on Foundations of Computer Science, 1982, SFCS 2008, pp. 160–164. IEEE (1982)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 International Association for Cryptologic Research
About this paper
Cite this paper
Polychroniadou, A., Song, Y. (2021). Constant-Overhead Unconditionally Secure Multiparty Computation Over Binary Fields. In: Canteaut, A., Standaert, FX. (eds) Advances in Cryptology – EUROCRYPT 2021. EUROCRYPT 2021. Lecture Notes in Computer Science(), vol 12697. Springer, Cham. https://doi.org/10.1007/978-3-030-77886-6_28
Download citation
DOI: https://doi.org/10.1007/978-3-030-77886-6_28
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-77885-9
Online ISBN: 978-3-030-77886-6
eBook Packages: Computer ScienceComputer Science (R0)