Two Levels are Better than One: Dishonest Majority MPC with $\widetilde{O}(|C|)$ Total Communication

Alexander Bienstock; Kevin Yeo

Paper 2024/503

Two Levels are Better than One: Dishonest Majority MPC with $\widetilde{O}(|C|)$ Total Communication

Alexander Bienstock, New York University

Kevin Yeo, Google (United States), Columbia University

Abstract

In recent years, there has been tremendous progress in improving the communication complexity of dishonest majority MPC. In the sub-optimal corruption threshold setting, where $t<(1-\varepsilon)\cdot n$ for some constant $0<\varepsilon\leq 1/2$, the recent works Sharing Transformation (Goyal $\textit{et al.}$, CRYPTO'22) and SuperPack (Escudero $\textit{et al.}$, EUROCRYPT'23) presented protocols with information-theoretic online phases achieving $O(1)$ communication per multiplication gate, across all parties. However, the former assumes that their offline phase is instantiated by a trusted party, while the latter instantiates their offline phase with $\Omega(n)$ communication per multiplication gate assuming oblivious linear evaluation (OLE) correlations. In this work, we present a dishonest majority MPC protocol for $t< (1-\varepsilon)\cdot n$ with $\widetilde{O}(1)$ total communication per multiplication gate across both the offline and online phases, or $\widetilde{O}(|C|)$ total communication for any arithmetic circuit $C$. To do so, we securely instantiate the offline phase of Sharing Transformation, assuming some OLE correlations. The major bottleneck in instantiating the offline phases of both Sharing Transformation and SuperPack is generating random packed beaver triples of the form $[\boldsymbol{a}], [\boldsymbol{b}], [\boldsymbol{c}]$, for random $\boldsymbol{a},\boldsymbol{b}\in\mathbb{F}^k$, and $\boldsymbol{c}=\boldsymbol{a}*\boldsymbol{b}\in\mathbb{F}^k$, where $k=\Omega(n)$ is the $\textit{packing parameter}$. We overcome this barrier by presenting a packed beaver triple protocol with $\widetilde{O}(n)$ total communication, or $\widetilde{O}(1)$ communication per underlying triple. Our packed beaver triple protocol consists of two levels of randomness extraction. The first level uses a relaxation of super-invertible matrices that we introduce, called $\textit{weakly}$ super-invertible matrices, in which sub-matrices have sufficiently high (but not necessarily full) rank. This weakening enables matrix constructions with only $O(n)$ non-zero entries, which is a primary reason for the efficiency of our protocol. Our second level of extraction is based on the $\textit{triple extraction}$ protocol of (Choudhury and Patra, Trans. Inform. Theory '17).

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Preprint.
Keywords: MPC Dishonest Majority Constant Communication Packed Secret-Sharing Weakly Super-Invertible Matrices
Contact author(s): abienstock @ cs nyu edu
kwlyeo @ google com
History: 2024-04-01: revised; 2024-03-29: received; See all versions
Short URL: https://ia.cr/2024/503
License: CC BY

BibTeX

@misc{cryptoeprint:2024/503,
      author = {Alexander Bienstock and Kevin Yeo},
      title = {Two Levels are Better than One: Dishonest Majority MPC with $\widetilde{O}(|C|)$ Total Communication},
      howpublished = {Cryptology ePrint Archive, Paper 2024/503},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/503}},
      url = {https://eprint.iacr.org/2024/503}
}