Cryptology ePrint Archive: Report 2020/356

Efficient MPC with a Mixed Adversary

Martin Hirt and Marta Mularczyk

Abstract: Over the past 20 years, the efficiency of secure multi-party protocols has been greatly improved. While the seminal protocols from the late 80's require a communication of $\Omega(n^6)$ field elements per multiplication among $n$ parties, recent protocols offer linear communication complexity. This means that each party needs to communicate a constant number of field elements per multiplication, independent of $n$.

However, these efficient protocols only offer active security, which implies that at most $t<n/3$ (perfect security), respectively $t<n/2$ (statistical or computational security) parties may be corrupted. Higher corruption thresholds (i.e., $t\geq n/2$) can only be achieved with degraded security (unfair abort), where one single corrupted party can prevent honest parties from learning their outputs.

The aforementioned upper bounds ($t<n/3$ and $t<n/2$) have been circumvented by considering mixed adversaries (Fitzi et al., Crypto' 98), i.e., adversaries that corrupt, at the same time, some parties actively, some parties passively, and some parties in the fail-stop manner. It is possible, for example, to achieve perfect security even if $2/3$ of the parties are faulty (three quarters of which may abort in the middle of the protocol, and a quarter may even arbitrarily misbehave). This setting is much better suited to many applications, where the crash of a party is more likely than a coordinated active attack.

Surprisingly, since the presentation of the feasibility result for the mixed setting, no progress has been made in terms of efficiency: the state-of-the-art protocol still requires a communication of $\Omega(n^6)$ field elements per multiplication.

In this paper, we present a perfectly-secure MPC protocol for the mixed setting with essentially the same efficiency as the best MPC protocols for the active-only setting. For the first time, this allows to tolerate faulty majorities, while still providing optimal efficiency. As a special case, this also results in the first fully-secure MPC protocol secure against any number of crashing parties, with optimal (i.e., linear in $n$) communication. We provide simulation-based proofs of our construction.

Category / Keywords: cryptographic protocols /

Original Publication (with major differences): ITC 2020

Date: received 26 Mar 2020

Contact author: mumarta at inf ethz ch

Available format(s): PDF | BibTeX Citation

Version: 20200328:145603 (All versions of this report)

Short URL: ia.cr/2020/356


[ Cryptology ePrint archive ]