Fast Large-Scale Honest-Majority MPC for Malicious Adversaries | Journal of Cryptology
Skip to main content

Fast Large-Scale Honest-Majority MPC for Malicious Adversaries

  • Research Article
  • Published:
Journal of Cryptology Aims and scope Submit manuscript

Abstract

Protocols for secure multiparty computation enable a set of parties to compute a function of their inputs without revealing anything but the output. The security properties of the protocol must be preserved in the presence of adversarial behavior. The two classic adversary models considered are semi-honest (where the adversary follows the protocol specification but tries to learn more than allowed by examining the protocol transcript) and malicious (where the adversary may follow any arbitrary attack strategy). Protocols for semi-honest adversaries are often far more efficient, but in many cases the security guarantees are not strong enough. In this paper, we present new protocols for securely computing any functionality represented by an arithmetic circuit, assuming an honest majority exists. We utilize a new method for verifying that the adversary does not cheat, that yields a cost of just twice that of semi-honest protocols in some settings. Our protocols are information-theoretically secure in the presence of malicious adversaries. We present protocol variants for small and large fields, and show how to efficiently instantiate them based on replicated secret sharing and Shamir secret sharing. In particular, for large fields, our protocol requires each party to send just 2 field elements per multiplication gate in the three-party setting, and just 12 field elements per multiplication gate for any number of parties. As with previous works in this area aiming to achieve high efficiency, our protocol is secure with abort and does not achieve fairness, meaning that the adversary may receive output while the honest parties do not. We implemented our protocol and ran experiments for different numbers of parties, different network configurations and different circuit depths. Our protocol significantly outperforms the previous best for this setting (Lindell and Nof, CCS 2017); for a large number of parties (e.g., 100 parties), our implementation runs almost an order of magnitude faster than theirs.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price includes VAT (Japan)

Instant access to the full article PDF.

Similar content being viewed by others

Notes

  1. Here, we assume that the number inputs and outputs is dominated by the number of multiplication gates. In Sect. 4, we give the exact cost for evaluating an arithmetic circuit, including the cost for securely sharing the inputs and reconstructing the outputs.

  2. This modeling is only for simplicity, since in our protocol, all parties receive and send messages in each round. Thus, by instructing each party to only send their round \(i+1\) messages after receiving all round-i messages, we have that an execution of the protocol in an asynchronous network is the same as for a rushing adversary in a synchronous network. Note that we do not guarantee output delivery, so “hanging” of the protocol is also allowed.

  3. Note that this is not as immediate as it seems since the adversary has the seed/key as well, and so at this point the pseudorandom property is actually lost. However, the checks work by generating the randomness after everything else is finished and then verifying that some equality holds, or that the results are correct. These properties are actually determined before the key is revealed, and thus security is maintained even after the key is revealed.

  4. If \(\beta _{m_0,i}\) were to be revealed, as in Protocol 4.1 for large fields, then the question of whether the equation holds is something that the distinguisher could determine (since it knows all of the \(y_k\) values from the input, and it can receive all of the \(d_k,e_{k,i},f_{k,i},g_{m,i}\) values from the adversary). Thus, it would not suffice to set \(T_i=0\) with the correct probability but as a function of the actual values. However, \({{{\mathcal {S}}}}\) does not know the \(y_k\) values and so could not determine this.

  5. More generically, we associate a unique \(\gamma _i\in {\mathbb {F}}\) for the ith party.

  6. Observe that we require here that r will be shared using a \((n-1)\)-degree polynomial. This is in contrast to the original protocol as described in [16] where r is shared using a \(2\rho \)-degree polynomial to mask \([x\cdot y]_{2\rho }\). This detail is of importance and is crucial for the security of the final protocol. See footnote 7.

  7. We stress that if r would not be shared using a \((n-1)\)-degree polynomial, then deferring the \(\textsf{compareview}\) procedure to the end might result with an insecure protocol. To see this, assume that \(2\rho =n-2\) (this happens when n is even; For example, when \(n=4\) we have \(\rho =\lfloor \frac{n-1}{2}\rfloor =1\) and so \(2\rho =2=n-2\).) and we mask \([x\cdot y]_{2\rho }\) with \([r]_{n-2}\). Observe that to reconstruct \(x\cdot y - r\) from \([x\cdot y-r]_{n-2}\) only \(n-1\) shares (points on the polynomial) are needed. Now, consider the following attack that is carried out over 2 multiplication gates in two layers of the circuit when \(P_1\) and \(P_n\) are corrupted. In the first gate, party \(P_1\) reconstructs the value \(\alpha =x\cdot y - r_1\) from the shares it receives. Then, it sends \(\alpha \) to all parties but party \(P_2\) for whom he sends \(\alpha +1\). Since the parties do not compare their views now, this cheating is not detected. Next, assume that the output wire enters a second multiplication gate and denote the sharing on the second input wire to this gate by \([w]_\rho \). In this gate, \(P_1\) uses the shares of parties \(P_1,P_3,\ldots ,P_n\) to compute \(x\cdot y\cdot w -r_2\) (as all these parties held a correct sharing of \(x\cdot y\) on the output wire of the first gate). Moreover, \(P_1\) can also compute the share of \(x\cdot y\cdot w -r_2\) that should be held by \(P_2\), i.e., the value of \((x\cdot y -r_1+r_1^2)\cdot w^2 -r^2_2\) (where \(r_1^2, w^2\) and \(r_2^2\) are the shares of \(r_1,w\) and \(r_2\) held by \(P_2\)). However, the share that \(P_2\) actually sent to \(P_1\) is \((x\cdot y -r_1+1+r_1^2)\cdot w^2 -r^2_2\) and so \(P_1\) can compute \(w^2\) by taking the difference between the two shares, breaking the privacy of the protocol. Note that when the masking is done with a random \((n-1)\)-degree polynomial \(P_1\) there is no redundancy and the shares of all parties are required to reconstruct \(x\cdot y -r\). In other words, the shares of the honest parties are truly random and independent and so the masking is perfect. The above attack is taken from the recent work of [25].

References

  1. T. Araki, A. Barak, J. Furukawa, T. Lichter, Y. Lindell, A. Nof, K. Ohara, A. Watzman, O. Weinstein. Optimized honest-majority MPC for malicious adversaries - breaking the 1 billion-gate per second barrier. In the 38th IEEE Symposium on Security and Privacy, pp. 843–862, (2017)

  2. T. Araki, J. Furukawa, Y. Lindell, A. Nof, K. Ohara. High-throughput semi-honest secure three-party computation with an honest majority. In the 23rd ACM CCS, pp. 805–817, (2016)

  3. D. Beaver. Foundations of secure interactive computing. In the 11th CRYPTO, pp 377–391, (1991)

  4. E. Ben-Sasson, S. Fehr, R. Ostrovsky. Near-linear unconditionally-secure multiparty computation with a dishonest minority. In the 32nd CRYPTO, pp 663-680, (2012)

  5. Z. Beerliová-Trubíniová, M. Hirt. Perfectly-secure MPC with linear communication complexity. In the 5th TCC, pp 213–230, (2008)

  6. M. Ben-Or, S. Goldwasser, A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In the 20th STOC, pp 1–10, (1988)

  7. S.S. Burra, E. Larraia, J.B. Nielsen, P.S. Nordholt, C. Orlandi, E. Orsini, P. Scholl, N.P. Smart. High performance multi-party computation for binary circuits based on oblivious transfer. ePrint Cryptology Archive, 2015/472.

  8. R. Canetti. Security and composition of multiparty cryptographic protocols. J. Cryptol., 13(1), 143–202, (2000)

    Article  MathSciNet  MATH  Google Scholar 

  9. R. Canetti. Universally composable security: a new paradigm for cryptographic protocols. In the 42nd FOCS, pp 136–145, (2001)

  10. D. Chaum, C. Crépeau, I. Damgård. Multi-party unconditionally secure protocols. In the 20th STOC, pp 11–19, (1988)

  11. K. Chida, D. Genkin, K. Hamada, D. Ikarashi, R. Kikuchi, Y. Lindell, A. Nof. Fast large-scale honest-majority mpc for malicious adversaries. In the 38th CRYPTO, pp 34–64, (2018)

  12. R. Cleve. Limits on the security of coin flips when half the processors are faulty. In the 18th STOC, pp 364–369, (1986)

  13. R. Cramer, I. Damgård, Y. Ishai, Share conversion, pseudorandom secret-sharing and applications to secure computation. In TCC 2005, pp 342–362, (2005)

  14. I. Damgård, Y. Ishai. Scalable secure multiparty computation. In the 26th CRYPTO, pp 501–520, (2006)

  15. I. Damgård, M. Keller, E. Larraia, V. Pastro, P. Scholl, N.P. Smart. Practical covertly secure MPC for dishonest majority - or: breaking the SPDZ limits. In the 18th ESORICS, pp 1–18, (2013)

  16. I. Damgård, J. Nielsen. Scalable and unconditionally secure multiparty computation. In the 27th CRYPTO, pp 572–590, (2007)

  17. I. Damgård, V. Pastro, N.P. Smart, S. Zakarias. Multiparty computation from somewhat homomorphic encryption. In the 32nd CRYPTO, pp 643–662, (2012)

  18. D. Genkin, Y. Ishai, M. Prabhakaran, A. Sahai, E. Tromer. Circuits resilient to additive attacks with applications to secure computation. In STOC 2014, pp 495-504, (2014)

  19. D. Genkin, Y. Ishai, A. Polychroniadou. Efficient multi-party computation: from passive to active security via secure SIMD circuits. In the 35th CRYPTO, pp 721–741, (2015)

  20. M. Hirt, J.B. Nielsen. Robust multiparty computation with linear communication complexity. In the 26th CRYPTO, pp 463–482, (2006)

  21. O. Goldreich, S. Micali, A. Wigderson. How to play any mental game. In the 19th STOC, pp 218–229, (1987)

  22. S. Goldwasser, L. Levin. Fair computation of general functions in presence of immoral majority. In the 10th CRYPTO, pp 77–93, (1990)

  23. O. Goldreich. Foundations of Cryptography: Basic Applications. (Cambridge University Press, Cambridge 2004)

    Book  MATH  Google Scholar 

  24. S. Goldwasser, Y. Lindell. Secure computation without agreement. J. Cryptol. 18(3), 247–287 (2005)

    Article  MathSciNet  MATH  Google Scholar 

  25. V. Goyal, Y. Liu, Y. Song. Communication-efficient unconditional MPC with guaranteed output delivery. In the 39th CRYPTO, pp 85–114, (2019)

  26. V. Goyal, Y. Song, C. Zhu, Guaranteed output delivery comes free in honest majority MPC. In the 40th CRYPTO, pp 618–646, (2020)

  27. M. Keller, E. Orsini, P. Scholl, MASCOT: faster malicious arithmetic secure computation with oblivious transfer. In the 23rd ACM CCS, pp 830–842, (2016)

  28. M. Keller, V. Pastro, D. Rotaru, Overdrive: making SPDZ great again. In the 37th EUROCRYPT, pp 158-189, (2018)

  29. E. Kushilevitz, Y. Lindell, T. Rabin. Information-theoretically secure protocols and security under composition. SIAM J. Comput. 39(5), 2090–2112, (2010)

    Article  MathSciNet  MATH  Google Scholar 

  30. Y. Lindell, A. Nof. A framework for constructing fast MPC over arithmetic circuits with malicious adversaries and an honest-majority. In the ACM CCS 2017, pp 259–276, (2017)

  31. Y. Lindell, B. Pinkas. Secure two-party computation via cut-and-choose oblivious transfer. In the 8th TCC, pp 329–346, (2011)

  32. P. Mohassel, M. Rosulek, Y. Zhang. Fast and secure three-party computation: the garbled circuit approach. In the 22nd ACM CCS, pp 591–602, (2015)

  33. J.B. Nielsen, P.S. Nordholt, C. Orlandi, S.S. Burra. A new approach to practical active-secure two-party computation. In the 32nd CRYPTO, pp 681–700, (2012)

  34. P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In EUROCRYPT’ 99, pp 223–238, (1999)

  35. T. Rabin, M. Ben-Or. Verifiable secret sharing and multi-party protocols with honest majority. In the 21st STOC, pp 73–85, (1989)

  36. A. Shamir. How to share a secret. Commun. ACM 22(11), 612–613 (1979)

    Article  MathSciNet  MATH  Google Scholar 

  37. I. Damgård, M. Geisler, M. Krøigaard, J.B.Nielsen. Asynchronous multiparty computation: theory and implementation. In the 12th PKC, pp 160–179, (2009)

  38. A. Yao. How to generate and exchange secrets. In the 27th FOCS, pp 162–167, (1986)

Download references

Acknowledgements

We thank Meital Levy and Lior Koskas for their help in implementing our protocol and running the experiments.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Ariel Nof.

Additional information

Communicated by Manoj Prabhakara.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This paper is the full version of [11].

Supported by the European Research Council under the ERC consolidators grant agreement no. 615172 (HIPS) and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office

This paper was reviewed by Yan Huang and Rajeev Raghunath.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Chida, K., Hamada, K., Ikarashi, D. et al. Fast Large-Scale Honest-Majority MPC for Malicious Adversaries. J Cryptol 36, 15 (2023). https://doi.org/10.1007/s00145-023-09453-7

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s00145-023-09453-7

Keywords