**Revisiting Covert Multiparty Computation**

*Geoffroy Couteau*

**Abstract: **Is it feasible for parties to securely evaluate a function on their joint inputs, while hiding not only their private input, but even the very fact that they are taking part to the protocol? This intriguing question was given a positive answer in the two-party case at STOC’05, and in the general case at FOCS’07, under the name of covert multiparty computation (CMPC). A CMPC protocol allows n players with inputs (x1 ···xn) to compute a function f with the following guarantees:
– If all the parties are taking part to the protocol, and if the result of the computation is favorable to all the parties, then they get to learn f(x1,··· ,xn) (and nothing more)
– Else, when the result is not favorable to all the parties, or if some player does not participate to the computation, no one gets to learn anything (and in particular, no player can learn whether any of the other parties was indeed participating to the protocol)
While previous works proved the existence of CMPC under standard assumptions, their candidate CMPC protocols were exclusively of theoretical interest. In this work, we revisit the design of CMPC protocols and show that, perhaps surprisingly, this very strong security notion can be achieved essentially for free. More specifically, we show how to build a CMPC protocol out of a standard, state-of-the-art MPC protocol, where both the communication and the computation are the same than the original protocol, up to an additive factor independent of the size of the circuit. Along the way, we prove two variants of the UC theorem which greatly simplify the design and the security analysis of CMPC protocols.

**Category / Keywords: **cryptographic protocols / Covert multiparty computation, Multiparty computation, Universal composability.

**Date: **received 2 Oct 2016

**Contact author: **geoffroy couteau at ens fr

**Available format(s): **PDF | BibTeX Citation

**Version: **20161004:164500 (All versions of this report)

**Short URL: **ia.cr/2016/951

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]