Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.
Wählen Sie Textabschnitte aus um mit Künstlicher Intelligenz passenden Patente zu finden.
powered by
Markieren Sie Textabschnitte, um KI-gestützt weitere passende Inhalte zu finden.
powered by
Abstract
In the setting of secure multiparty computation (MPC), a set of mutually distrusting parties wish to jointly compute a function in a correct and private manner. An MPC protocol is called fully secure if no adversary can prevent the honest parties from obtaining their outputs. A protocol is called fair if an adversary can prematurely abort the computation, however, only before learning any new information.
We present highly efficient transformations from fair computations to fully secure computations, assuming the fraction of honest parties is constant (e.g., \(1\%\) of the parties are honest). Compared to previous transformations that require linear invocations (in the number of parties) of the fair computation, our transformations require super-logarithmic, and sometimes even super-constant, such invocations.
One application of these transformations is a new \(\delta \)-bias coin-flipping protocol, whose round complexity has a super-logarithmic dependency on the number of parties, improving over the protocol of Beimel, Omri, and Orlov (Crypto 2010) that has a linear dependency. A second application is a new fully secure protocol for computing the Boolean OR function, with a super-constant round complexity, improving over the protocol of Gordon and Katz (TCC 2009) whose round complexity is linear in the number of parties.
Finally, we show that our positive results are in a sense optimal, by proving that for some functionalities, a super-constant number of (sequential) invocations of the fair computation is necessary for computing the functionality in a fully secure manner.
Anzeige
Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.
A \((t+1)\)-out-of-n secret-sharing scheme is error correcting, if the reconstruction algorithm outputs the correct secret even when up to t shares are arbitrarily modified. ECSS schemes are also known as robust secret sharing.
Unless stated otherwise, we assume that parties can communicate over a broadcast channel. If a broadcast channel is not available, identifiable abort cannot be achieved generically [6], and indeed, some functionalities can be fairly computed, but not with full security [6, 7].
The attacker of [5] either aborts at round \(i^*\) or at round \(i^*+1\), but the transformation to the above attacker is simple (see the full version [8]).
Although non-interactive perfectly binding commitments can be constructed from one-way permutations, in our setting, one-way functions are sufficient. This follows since Naor’s commitments [21] can be made non-interactive in the common random string (CRS) model, and even given a weak CRS (a high min-entropy common string). A high min-entropy string can be constructed by n parties, without assuming an honest majority, using the protocol from [12] that requires \(log^*(n)+O(1)\) rounds.
t-full-privacy means that the adversary does not learn any additional information other than what it can learn from \(t+1\) invocations of the ideal functionality, with fixed inputs for the honest parties.
A computation has \(\alpha \)-partially identifiable abort [18], if in case the adversary aborts the computation, a subset of parties is identified, such that at least an \(\alpha \)-fraction of the subset is corrupted.
By \(\varphi =1/\sqrt{1-2\beta '}+\varOmega (1)\) we mean that for sufficiently large \(\kappa \) it holds that \(\varphi (\kappa )>1/\sqrt{1-2\beta '}\).