At Crypto 2006, Ishai et al.~combined these two protocols into a single protocol which provides passive security against $t<n$ corruptions and active security against $t<n/2$ corruptions. This protocol unifies the security guarantees of the passive world and the active world (``best of both worlds''). However, the corruption threshold $t<n$ can be tolerated only when \emph{all} corruptions are passive. With a single active corruption, the threshold is reduced to $t<n/2$.
As our main result, we introduce a \emph{dynamic tradeoff} between active and passive corruptions: We present a protocol which provides security against $t<n$ passive corruptions, against $t<n/2$ active corruptions, \emph{and everything in between}. In particular, our protocol provides full security against $k$ active corruptions, as long as fewer than $n-k$ parties are corrupted in total, for any unknown $k$.
The main technical contribution is a new secret sharing scheme that, in the reconstruction phase, releases secrecy \emph{gradually}. This allows the construction of non-robust MPC protocols which, in case of an abort, still provide some level of secrecy. Furthermore, using similar techniques, we also construct protocols for reactive MPC with hybrid security, i.e., different thresholds for secrecy, correctness, robustness, and fairness. Intuitively, the more corrupted parties, the less security is guaranteed.
Category / Keywords: cryptographic protocols / Multi-party computation, gradual secret sharing, computational security, mixed adversary
Publication Info: IACR version of a Crypto 2013 paper
Date: received 6 Jun 2013, last revised 22 Aug 2013
Contact author: hirt at inf ethz ch
Note: The order of the author names was unintentionally wrong.
Version: 20130822:204059
Short URL: ia.cr/2013/349