Loading…
Fast Large-Scale Honest-Majority MPC for Malicious Adversaries
Protocols for secure multiparty computation enable a set of parties to compute a function of their inputs without revealing anything but the output. The security properties of the protocol must be preserved in the presence of adversarial behavior. The two classic adversary models considered are semi...
Saved in:
Published in: | Journal of cryptology 2023-07, Vol.36 (3), Article 15 |
---|---|
Main Authors: | , , , , , , |
Format: | Article |
Language: | English |
Subjects: | |
Citations: | Items that this one cites Items that cite this one |
Online Access: | Get full text |
Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
Summary: | Protocols for secure multiparty computation enable a set of parties to compute a function of their inputs without revealing anything but the output. The security properties of the protocol must be preserved in the presence of adversarial behavior. The two classic adversary models considered are
semi-honest
(where the adversary follows the protocol specification but tries to learn more than allowed by examining the protocol transcript) and
malicious
(where the adversary may follow any arbitrary attack strategy). Protocols for semi-honest adversaries are often far more efficient, but in many cases the security guarantees are not strong enough. In this paper, we present new protocols for securely computing any functionality represented by an arithmetic circuit, assuming
an honest majority exists
. We utilize a new method for verifying that the adversary does not cheat, that yields a cost of just
twice
that of semi-honest protocols in some settings. Our protocols are information-theoretically secure in the presence of malicious adversaries. We present protocol variants for small and large fields, and show how to efficiently instantiate them based on replicated secret sharing and Shamir secret sharing. In particular, for large fields, our protocol requires each party to send just
2 field elements
per multiplication gate in the three-party setting, and just
12 field elements
per multiplication gate for any number of parties. As with previous works in this area aiming to achieve high efficiency, our protocol is
secure with abort
and does not achieve fairness, meaning that the adversary may receive output while the honest parties do not. We implemented our protocol and ran experiments for different numbers of parties, different network configurations and different circuit depths. Our protocol significantly outperforms the previous best for this setting (Lindell and Nof, CCS 2017); for a large number of parties (e.g., 100 parties), our implementation runs almost an order of magnitude faster than theirs. |
---|---|
ISSN: | 0933-2790 1432-1378 |
DOI: | 10.1007/s00145-023-09453-7 |