Carmit Hazay, Muthuramakrishnan Venkitasubramaniam, Mor Weiss
Journal of Cryptology, journal article, published 2024-07-10. DOI: 10.1007/s00145-024-09509-2 (https://doi.org/10.1007/s00145-024-09509-2)
The Price of Active Security in Cryptographic Protocols
We construct the first actively-secure Multi-Party Computation (MPC) protocols with an arbitrary number of parties in the dishonest majority setting, for an arbitrary field \(\mathbb{F}\) with constant communication overhead over the “passive-GMW” protocol (Goldreich, Micali and Wigderson, STOC ’87). Our protocols rely on passive implementations of Oblivious Transfer (OT) in the Boolean setting and Oblivious Linear function Evaluation (OLE) in the arithmetic setting. Previously, such protocols were only known over sufficiently large fields (Genkin et al. STOC ’14) or a constant number of parties (Ishai et al. CRYPTO ’08). Conceptually, our protocols are obtained via a new compiler from a passively-secure protocol for a distributed multiplication functionality \(\mathcal{F}_{\mathrm{MULT}}\), to an actively-secure protocol for general functionalities. Roughly, \(\mathcal{F}_{\mathrm{MULT}}\) is parameterized by a linear-secret sharing scheme \(\mathcal{S}\), where it takes \(\mathcal{S}\)-shares of two secrets and returns \(\mathcal{S}\)-shares of their product. We show that our compilation is concretely efficient for sufficiently large fields, resulting in an overhead of 2 when securely computing natural circuits. Our compiler has two additional benefits: (1) It can rely on any passive implementation of \(\mathcal{F}_{\mathrm{MULT}}\), which, besides the standard implementation based on OT (for Boolean) and OLE (for arithmetic), allows us to rely on implementations based on threshold cryptosystems (Cramer et al. Eurocrypt ’01), and (2) it can rely on weaker-than-passive (i.e., imperfect/leaky) implementations, which in some parameter regimes yield actively-secure protocols with overhead less than 2. Instantiating this compiler with an “honest-majority” implementation of \(\mathcal{F}_{\mathrm{MULT}}\), we obtain the first honest-majority protocol (with up to one-third corruptions) for Boolean circuits with constant communication overhead over the best passive protocol (Damgård and Nielsen, CRYPTO ’07).
About the journal:
The Journal of Cryptology is a forum for original results in all areas of modern information security. Both cryptography and cryptanalysis are covered, including information theoretic and complexity theoretic perspectives as well as implementation, application, and standards issues. Coverage includes such topics as public key and conventional algorithms and their implementations, cryptanalytic attacks, pseudo-random sequences, computational number theory, cryptographic protocols, untraceability, privacy, authentication, key management and quantum cryptography. In addition to full-length technical, survey, and historical articles, the journal publishes short notes.