## Cryptology ePrint Archive: Report 2021/684

Tight Setup Bounds for Identifiable Abort

Nicholas Brandt

Abstract: We present fundamental (in-)feasibility results for the strongest security notion for Secure Multi-Party Computation (MPC) that is achievable when a majority of parties is malicious, i.e. security with Identifiable Abort. As general Universally Composable (UC) MPC requires a setup, typically in the form of a Common Reference String or Common-Randomness, we investigate whether the setup must provide randomness to all parties.

Given broadcast, we give tight bounds for the necessary and sufficient setup cardinality, i.e. number of participating parties, for UC-MPC protocols with Identifiable Abort. Concretely, we improve previous upper bounds by constructing Secure Function Evaluation for $n$ parties ($h$ of which are honest) from setups of cardinality $\beta := \min(n,\lfloor n/h\rfloor+\lfloor(n-1)/h\rfloor-1)$ and broadcast. Conversely, we present the first general lower bound on the minimal setup cardinality for Identifiable Abort by proving that setups of cardinality $\beta-1$ plus broadcast are insufficient even for a commitment among $n$ parties. Somewhat surprisingly, we show that Oblivious Transfer plus broadcast is sufficient for $n = 2h \geq 2$ which is consistent with the fact that in two-party MPC Identifiable Abort comes for free. We present the results in the Universal Composibility (UC) framework and assume the setup functionalities to be secure with Identifiable Abort.

Our constructions yield an efficient (poly-time) protocol for any $n \in \mathrm{poly}(\lambda)$ where $\lambda$ is the security parameter if at least a constant fraction $h \in \Theta(n)$ of parties is honest. However for $h \in \mathrm{o}(n)$ our results suggest that for efficient protocols the overall number of parties $n$ is limited quite severely by $\binom{n}{\beta} \in \mathrm{poly}(\lambda)$.

Category / Keywords: foundations / Multi-Party Computation, Identifiable Abort, Broadcast, Dishonest Majority