
Round-Efficient
Multi-Party Computation in
Point-to-Point Networks
Jonathan Katz
Chiu-Yuen Koo
University of Maryland
Motivation

- Suppose we want to obtain a practical protocol for a given task
  - The protocol needs to be round-efficient
  - If we know round-efficient solutions exist, we can then turn our attention to improving other aspects (such as computation)
- How do we know?
Motivation

- Approach 1: determine whether round-efficient solutions are possible after we are given the task
  - Given task A, ask if round-efficient solutions for task A exist
  - Given task B, ask if round-efficient solutions for task B exist
  - Given task C, ask if round-efficient solutions for task C exist
  - …
- Repetitive! Can we solve the problem once and for all?
Motivation

- Approach 2: determine whether round-efficient solutions for secure multi-party computation (MPC) exist
  - An MPC protocol can solve almost every task
  - A round-efficient solution for MPC implies the existence of round-efficient solutions for (almost) every task!
Round-Efficient
Multi-Party Computation in
Point-to-Point Networks
Our Motivation

- Previous work on round complexity (for the most part) has assumed a broadcast channel "for free"
  - A broadcast channel enables one party to send the same message to all parties
- But in point-to-point networks, a broadcast channel does not come for free; it is emulated by a broadcast protocol
  - High overhead
Our Motivation

- If the broadcast channel is emulated by a deterministic protocol, then the round complexity will be linear in the number of corrupted parties [FL82]
  - This will not lead to sub-linear-round protocols
Our Motivation

- If the broadcast channel is emulated by a randomized protocol, then each round of broadcast can be emulated in an expected constant number of rounds (assuming honest majority) [FM88, FG03, KK06]
  - But the exact constant is rather high
  - If broadcast is used in more than one round, then we need to handle sequential composition of protocols without simultaneous termination: this leads to complication and a substantial increase in round complexity [LLR02, BY03, KK06]
Our Motivation

Sequential composition of protocols without simultaneous termination:
- In a broadcast protocol, each party is assumed to start at the same round
  - However, parties may leave at different rounds
- So parties may start execution of the next protocol in different rounds
- If protocols are executed sequentially, additional rounds are needed to handle the composition
Our Motivation

For example, consider the setting in which at most one-third of the parties are corrupted:
- Micali and Rabin show a Verifiable Secret Sharing (VSS) protocol that uses 16 rounds but only a single round of broadcast
  - Compiling the above protocol for a point-to-point network, it runs in an expected 31 rounds
- Any protocol that uses broadcast twice will require an expected 55 rounds after being compiled for a point-to-point network
Our Motivation

- If the ultimate goal is a round-efficient protocol for point-to-point networks, then it is preferable to focus on minimizing the number of rounds in which broadcast is used rather than minimizing the total number of rounds
Our Motivation

- This raises the following question: is it possible to construct a constant-round (or sub-linear-round) MPC protocol that uses only a single round of broadcast? (This is clearly optimal…)
- We resolve the above question in the affirmative in a number of settings
The Rest of the Talk

- Prior work
- Results and constructions
- Future directions
Prior Work

- Broadcast/Byzantine agreement
  - Reviewed in the last talk
- Verifiable secret sharing (VSS) [CGMA85]
- General secure MPC
Prior Work

Round complexity of VSS (let t be the number of corrupted parties and n the total number of parties):
- [GIKR01]:
  - n > 4t: efficient 2-round protocol
  - n > 3t: no 2-round protocol exists; efficient 4-round protocol; inefficient 3-round protocol
- [FGGRS06]: efficient 3-round protocol for n > 3t
Prior Work

But…
- Previous work studies the round complexity of VSS under the assumption that a broadcast channel is available
- As we have seen, this is not necessarily the best way to optimize the round complexity of VSS in a point-to-point setting
Prior Work

- Secure MPC allows a set of parties with private inputs to compute some joint function of their inputs.
- Feasibility results
  - [BGW88, CDD88]: MPC for n > 3t in point-to-point networks
  - [RB89, B89, CDDHR99]: MPC for n > 2t assuming a broadcast channel
Prior Work

Round-efficient solutions
- [BMR90, DI05]: constant-round MPC for n > 2t assuming a broadcast channel and one-way functions
  - Both protocols can be converted to expected O(1)-round protocols in point-to-point networks using authenticated broadcast, but the constant obtained is very high, on the order of hundreds of rounds
Prior Work

Round-efficient solutions
- [GIKR01]: 3-round MPC for t < n/4 assuming a broadcast channel and one-way functions
  - The protocol uses only a single round of broadcast
  - Resilience is not optimal
- [GL02]: round-efficient protocols for t < n
  - Fairness and output delivery not guaranteed
Network Assumptions

- Synchronous communication
- Pairwise private and authenticated channels
- A broadcast channel
  - With the understanding that it will be emulated by a round-efficient broadcast sub-routine
  - Recall, our goal is to use broadcast only once
- Honest majority
  - n > 3t: do not assume setup
  - n > 2t: assume a PKI
- Adaptive adversary
Results and Constructions

- We start by sketching an MPC protocol that uses only a single round of broadcast
- Call (a, b, c) a random multiplication triple if
  - c = ab
  - a, b, and c have been "shared" among the parties
  - a and b are uniformly distributed
Results and Constructions

- Beaver shows that if, in a "setup" phase, parties share their inputs along with sufficiently many multiplication triples, then the parties can carry out secure MPC in a round-efficient manner without using any further invocations of broadcast
- Our task is now reduced to implementing the setup phase using only a single round of broadcast
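To make Beaver's observation concrete, the following is an added example (not code from the talk or the paper) of the online phase: given shares of x, y and of a random triple (a, b, c = ab), the parties open d = x − a and e = y − b and then compute shares of xy locally. For brevity it uses additive secret sharing over a prime field (an assumption); the trick needs only linear operations on shares plus openings, so it carries over unchanged to the Shamir-style sharings used in the talk's setting. The modulus P, the party count N and the trusted `random_triple` sampler (standing in for the distributed setup phase) are also assumptions.

```python
import secrets

P = 2**61 - 1   # prime field modulus (assumption)
N = 5           # number of parties (assumption)


def share(v):
    """Additive sharing of v: n-1 uniformly random shares, the last fixes the sum."""
    parts = [secrets.randbelow(P) for _ in range(N - 1)]
    return parts + [(v - sum(parts)) % P]


def open_value(shares):
    """Opening: every party sends its share to everyone over point-to-point
    channels; the sum is the value. No broadcast is involved."""
    return sum(shares) % P


def random_triple():
    """What the setup phase delivers: shares of (a, b, c) with c = ab and a, b
    uniform. Here a trusted sampler stands in for the distributed generation
    (assumption; the talk's setup phase produces these without a trusted party)."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return share(a), share(b), share(a * b % P)


def beaver_multiply(x_sh, y_sh, triple):
    """One multiplication gate: costs one fresh triple and one round of openings."""
    a_sh, b_sh, c_sh = triple
    # d = x - a and e = y - b are safe to open: a and b are uniform one-time pads.
    d = open_value([(x - a) % P for x, a in zip(x_sh, a_sh)])
    e = open_value([(y - b) % P for y, b in zip(y_sh, b_sh)])
    # xy = (d + a)(e + b) = de + d*b + e*a + c. Shares of d*b + e*a + c are
    # computed locally; the public constant de is added by one party only, so
    # that the shares still sum to xy.
    z_sh = [(d * b + e * a + c) % P for a, b, c in zip(a_sh, b_sh, c_sh)]
    z_sh[0] = (z_sh[0] + d * e) % P
    return z_sh


def multiply_chain(x, y, w):
    """Evaluate x*y*w; each gate consumes its own triple (never reuse one)."""
    xy_sh = beaver_multiply(share(x), share(y), random_triple())
    return open_value(beaver_multiply(xy_sh, share(w), random_triple()))
```

The security of the opening step rests entirely on a and b being uniform and used once: if a triple were reused for a second input x', the two opened values d = x − a and d' = x' − a would reveal x' − x. In the talk's honest-majority Shamir setting the openings additionally tolerate corrupt parties sending wrong shares (via error-correcting reconstruction), which plain additive sharing does not.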
Results and Constructions

Implementation of the setup phase
- Recall the concept of a moderated protocol from the previous talk
  - There is a distinguished party P_m known as the moderator
  - Given a protocol Π, designed under the assumption of a broadcast channel, the moderated version Π' does not use broadcast
Results and Constructions

Implementation of the setup phase
- Π' has the following properties:
  - By the end of the protocol, each party P_i outputs a binary value trust_i(m)
  - If the moderator P_m is honest, then each honest party outputs trust_i(m) = 1
  - If an honest party outputs trust_i(m) = 1, then Π' achieves the functionality of Π
Results and Constructions

Implementation of the setup phase
- The previous talk has illustrated how to compile a protocol Π into its moderated version Π' while increasing the round complexity by at most a constant multiplicative factor
Results and Constructions

Implementation of the setup phase
- Let Π_i denote some constant-round protocol, designed assuming a broadcast channel, that shares the input value of party P_i as well as sufficiently many multiplication triples.
  - Such protocols are constructed in, e.g., [BGW88, B89, RB89, B91, GRR98, CDDHR99, DI05]
- Compile Π_i into a moderated protocol Π_i' where P_i acts as the moderator
Results and Constructions

Implementation of the setup phase
1. Run protocols {Π_1', …, Π_n'} in parallel
2. Each party P_i broadcasts {trust_i(1), …, trust_i(n)}
3. A party P_i is disqualified if t or fewer parties broadcast trust_j(i) = 1. If a party is disqualified, then a default value is used as the input of P_i
4. Let i* be the minimum value such that P_i* is not disqualified. The set of random multiplication triples that the parties will use is taken to be the set that was generated in Π_i*'

- The above protocol uses broadcast in only one round (step 2)
- An honest party will not be disqualified: for an honest moderator, all n − t ≥ t + 1 honest parties output trust = 1
- If P_i is not disqualified, then at least t + 1 parties, hence at least one honest party, broadcast trust_j(i) = 1, so Π_i' achieves the functionality of Π_i
- Hence the above protocol implements the setup phase using only one round of broadcast
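The disqualification rule of steps 2 to 4, and the two guarantees it gives, as an added example (not the authors' code). Parties are indexed 0..n−1 here; `trust[j][i]` is the bit P_j broadcast about moderator P_i. The only fact imported from the moderated-protocol guarantee is that an honest P_j outputs trust_j(i) = 1 whenever P_i is honest; every other bit (what corrupt parties broadcast, and what honest parties say about corrupt moderators) is treated as chosen by the adversary, which models the worst case. The `guarantees_hold` checker and the sample matrix in the test are constructed for this example.

```python
import itertools
import secrets


def disqualified(trust, t):
    """Step 3: P_i is disqualified if t or fewer parties broadcast trust_j(i) = 1."""
    n = len(trust)
    return [sum(trust[j][i] for j in range(n)) <= t for i in range(n)]


def select_triple_source(trust, t):
    """Step 4: i* = smallest index of a non-disqualified party (None if all are)."""
    dq = disqualified(trust, t)
    return next((i for i, d in enumerate(dq) if not d), None)


def guarantees_hold(n, t, corrupt, samples=None):
    """Check, over all (or `samples` random) adversarial bit patterns, that
    (1) no honest party is disqualified and (2) every non-disqualified party
    was vouched for by at least one honest party, so its moderated protocol
    really delivered the functionality of the original protocol."""
    honest = [i for i in range(n) if i not in corrupt]
    # Bits the adversary controls or influences: any row of a corrupt voter, and
    # any column of a corrupt moderator. Honest-about-honest is fixed to 1.
    free = [(j, i) for j in range(n) for i in range(n) if j in corrupt or i in corrupt]
    if samples is None:
        patterns = itertools.product((0, 1), repeat=len(free))
    else:
        patterns = (tuple(secrets.randbelow(2) for _ in free) for _ in range(samples))
    for bits in patterns:
        trust = [[1] * n for _ in range(n)]
        for (j, i), b in zip(free, bits):
            trust[j][i] = b
        dq = disqualified(trust, t)
        if any(dq[i] for i in honest):
            return False
        if any(not dq[i] and not any(trust[j][i] for j in honest) for i in range(n)):
            return False
    return True
```

Both guarantees depend on the honest-majority assumption n > 2t stated on the Network Assumptions slide: with n − t ≤ t honest voters, the adversary can disqualify an honest party simply by withholding its trust bits, and `guarantees_hold(4, 2, {2, 3})` reports exactly that failure.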
Results and Constructions

- Combined with [BGW88, CDDHR99, DI05], we obtain MPC using only one round of broadcast and:
  - O(depth of the circuit) rounds, assuming n > 3t (without computational assumptions)
  - O(1) rounds, assuming n > 3t and the existence of one-way functions
  - O(1) rounds, assuming n > 2t, the existence of one-way functions, and a PKI
Results and Constructions

- However, a naive compilation will yield MPC protocols with relatively high round complexity
  - Existing constructions of Π_i do not attempt to minimize the number of rounds of broadcast
  - For n > 3t, each round of broadcast in Π_i is replaced by six rounds of interaction in Π_i'
  - For n > 2t, it is eight rounds
- We construct a new set of protocols that minimize their use of broadcast as well as the total number of rounds
Results and Constructions

- In the following, we illustrate one of the techniques used to reduce the number of rounds of broadcast, without compilation
- We show how to obtain a 6-round VSS protocol that uses 2 rounds of broadcast from the 4-round VSS protocol in [GIKR01] (which uses 3 rounds of broadcast)
  - In the paper, this is improved to 7 rounds with 1 round of broadcast
Results and Constructions

VSS: informal definitions
- There is a dealer D with an input s. A VSS protocol is a 2-phase protocol:
  - Sharing phase: D shares s
  - Reconstruction phase: the parties reconstruct a value s'
- If D is honest, then:
  - During the sharing phase, the joint view of the corrupted parties is independent of s
  - In the reconstruction phase, s is reconstructed
- If D is dishonest:
  - The view of the honest parties at the end of the sharing phase defines a value s' that will be reconstructed in the reconstruction phase
Results and Constructions

Review of the [GIKR01] protocol:
- Round 1:
  - D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = g_i(x) and F(i,y) = h_i(y) to P_i.
  - P_i sends to P_j a random pad r_ij.
- Round 2:
  - P_i broadcasts a_ij = g_i(j) + r_ij and b_ij = h_i(j) + r_ji
  - (Symmetrically, P_j broadcasts a_ji = g_j(i) + r_ji and b_ji = h_j(i) + r_ij. Since g_i(j) = F(j,i) = h_j(i) when D is honest, a_ij = b_ji, and the pad r_ij hides the shared value from the other parties.)
- Round 3: for each a_ij ≠ b_ji
  - P_i broadcasts g_i(j); P_j broadcasts h_j(i); D broadcasts F(j,i)
- Round 4: …
Results and Constructions

Replace round 2 and round 3 by the following steps:
1. P_i sends h_i(j) to P_j
2. Let h'_{j,i} be the value P_i received from P_j. If h'_{j,i} ≠ g_i(j), then P_i sends "complain(i,j)" to D
3. If D receives "complain(i,j)" from P_i in the last step, then D sends "complain(i,j)" to P_j
4. (i) If P_i sent "complain(i,j)" to D in step 2, then P_i broadcasts "(i,j): g_i(j)"; else it broadcasts "(i,j): no complaint"
   (ii) If P_j received "complain(i,j)" from D in step 3, then P_j broadcasts "(i,j): h_j(i)"; else it broadcasts "(i,j): no complaint"
   (iii) If D received "complain(i,j)" from P_i in step 2, then D broadcasts "(i,j): F(j,i)"; else it broadcasts "(i,j): no complaint"
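The sharing-phase mechanics reviewed above (the bivariate dealing of round 1, the padded pairwise consistency check of round 2, and reconstruction of s from the g_i(0) values), as an added example that is not the authors' code. The prime field, n = 7 and t = 2 are assumptions, as is the `tamper` switch, which models a dishonest dealer handing P_i a g_i that disagrees with P_j's h_j at the point (j,i); the test values are constructed for this example.

```python
import secrets

P = 2**61 - 1          # prime field modulus (assumption)
N, T = 7, 2            # n parties, t corruptions, n > 3t (assumption)


def rand_bivariate(s):
    """Random F(x,y) of degree <= t in each variable with F(0,0) = s."""
    c = [[secrets.randbelow(P) for _ in range(T + 1)] for _ in range(T + 1)]
    c[0][0] = s % P
    return c


def F(c, x, y):
    return sum(c[k][l] * pow(x, k, P) * pow(y, l, P)
               for k in range(T + 1) for l in range(T + 1)) % P


def deal(c, tamper=None):
    """Round 1 (dealer): P_i receives g_i(x) = F(x,i) and h_i(y) = F(i,y), kept
    here as value tables over 0..n. tamper=(i, j) models a dishonest dealer
    whose g_i disagrees with h_j at (j, i)."""
    g = {i: {x: F(c, x, i) for x in range(N + 1)} for i in range(1, N + 1)}
    h = {i: {y: F(c, i, y) for y in range(N + 1)} for i in range(1, N + 1)}
    if tamper:
        i, j = tamper
        g[i][j] = (g[i][j] + 1) % P
    return g, h


def round2_conflicts(g, h):
    """Round 1 pads and round 2 broadcasts: P_i sends r_ij to P_j, then
    broadcasts a_ij = g_i(j) + r_ij and b_ij = h_i(j) + r_ji. The pair (i, j)
    is in conflict iff a_ij != b_ji, i.e. iff g_i(j) != h_j(i); everyone else
    sees only padded values."""
    ids = range(1, N + 1)
    r = {(i, j): secrets.randbelow(P) for i in ids for j in ids if i != j}
    a = {(i, j): (g[i][j] + r[(i, j)]) % P for (i, j) in r}
    b = {(i, j): (h[i][j] + r[(j, i)]) % P for (i, j) in r}
    return sorted((i, j) for (i, j) in a if a[(i, j)] != b[(j, i)])


def reconstruct(g):
    """Reconstruction phase: P_i reveals g_i(0) = F(0,i). Any t+1 of these are
    points on the degree-t polynomial F(0,y); Lagrange interpolation at y = 0
    yields s = F(0,0). (Honest-party subset assumed here.)"""
    pts = [(i, g[i][0]) for i in range(1, T + 2)]
    total = 0
    for i, yi in pts:
        num = den = 1
        for j, _ in pts:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def share_and_check(s, tamper=None):
    """Run dealing plus the round 2 check; return (conflict pairs, reconstructed s)."""
    g, h = deal(rand_bivariate(s), tamper)
    return round2_conflicts(g, h), reconstruct(g)
```

A flagged pair is what round 3 (or step 4 of the replacement) resolves: for (i, j) the dealer's broadcast of F(j,i) is compared against P_i's g_i(j) and P_j's h_j(i), which pins the inconsistency on the dealer or on one of the two parties. The replacement above routes the complaint through D over private channels first, so that only one broadcast round is spent on the resolution.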
Results and Constructions

Summary of our results: round complexity of MPC

  n > 3t: 26 rounds (1 round of broadcast)
  n > 2t: 34 rounds (1 round of broadcast)

Round complexity of our MPC protocols in point-to-point networks (in expectation)*

                                                     n > 3t    n > 2t
  Our work                                             41        64
  Any protocol using broadcast twice
  (even with no additional rounds!)                    55        94

*Given the best currently-known protocols for broadcast
Future Directions

- Characterize the round complexity of VSS in a point-to-point network
- Better lower bounds on the round complexity of secure computation?
- For n > 2t, determine the existence of an MPC protocol using a single round of broadcast and not relying on a PKI