Computation over Shared Inputs

A basic idea underlying our reductions is to delegate the computation to a small committee. In- tuitively, this is done by having each party secret share its input value among the committee members, and letting the committee compute the function over the shared inputs. The type of the secret-sharing scheme that we use depends on whether an honest majority is assumed or not. In the honest-majority setting, we consider an error-correcting secret-sharing scheme (ECSS, see Definition2.2), allowing honest committee members to reconstruct the correct input values even if corrupted committee members arbitrarily modify the shares they received.

The case that an honest majority cannot be guaranteed is somewhat more subtle. In this case, ECSS schemes do not exist [40], and we need to use an n0-out-of-n0 secret sharing. Furthermore, to prevent corrupted parties from computing the function on wrong inputs (by changing some of their shares), we let each party broadcast commitments to its shares. The functionality computed by the committee, parametrized by all the commitments, first verifies that the decommitments are valid and only later reconstructs the input values and evaluates the function.

The Verify-Reconstruct-Compute functionality. Given a public-outputn-party functional-

ityf andn0 < n, then0-party functionalitySSn→n0

in (f) is parametrized bynvectors of commitments

ci = (c1i, . . . , cn

0

i ), for i ∈ [n]. Each of the commitments c j

i commits a unique value s j

i; denote

xi =Lj∈[n0_]sj_i. Each input value to SSn→n 0

in (f) consists of a vector of n values, such that thei’th value for the j’th party is the decommitment to cj_i. The functionality validates that all of the decommitments are valid, reconstructs all xi’s, evaluates y =f(x1, . . . , xn) and outputs the result

y to all n0 parties. A formal description of the functionality appears in Figure3.

The functionalitySSn_in→n0(f)

The n0-party functionality SSnin→n0(f) is parametrized by an n-party public-output functionality f,

a non-interactive commitment schemeComand vectors of commitments ci = (c1i, . . . , cn

0

i ), for every

i∈[n]. SSn_in→n0(f) is formally defined as follows, on inputs (s1, . . . ,sn0).

1. For every j ∈ [n0], parse sj as an n-vector (ˆsj1, . . . ,sˆjn); for everyi ∈ [n], parse ˆs j

i as a pair

ˆ

sj_i = (sj_i, ρj_i) and verify thatcj_i =Com(sj_i;ρj_i). If there exists a malformedsj, output (⊥, j) to

all parties (for the smallest suchj). 2. For everyi∈[n], computexi=Lj∈[n0_]s

j i.

3. Computey=f(x1, . . . , xn) and outputy to all parties.

Figure 3: The Verify-Reconstruct-Compute functionality

The Reconstruct-Compute-Share functionality This functionality is parametrized by a

(t0 + 1)-out-of-n0 error-correcting secret-sharing scheme (ECSS, Definition 2.2) that can correct up to t0 errors during the reconstruction procedure. Given an n-party functionality f, denote by SS_inn→_-out(t0,n0)(f) the n0-party functionality, that receives as input secret shares of an n-tuple (x1, . . . , xn), evaluates f on the reconstructed values as y = f(x1, . . . , xn),24 and outputs secret

shares of y. A formal description of the functionality appears in Figure4.

24_{For the sake of simplicity, we consider f as a public-output functionality. Adjusting the protocol for private-}

The functionalitySSn→(t

0_,n0₎

in-out (f)

Then0-party functionalitySSn→(t

0_,n0₎

in-out (f), parametrized by ann-party functionalityf and a (t0+ 1)-

out-of-n0 ECSS scheme (Share,Recon), is formally defined as follows, on inputs (s1, . . . ,sn0). 1. For everyj ∈[n0] parsesj as ann-vector (sj1, . . . , s

j

n) (in casesj cannot be parsed, set to the

vector (0, . . . ,0); the value 0 is arbitrary). 2. For everyi∈[n], computexi =Recon(s1i, . . . , sn

0

i ) (in case the reconstruction fails, setxi= ˜xi

for some default value ˜xi).

3. Computey=f(x1, . . . , xn).

4. Secret share the result (y1, . . . , yn0)←Share(y). 5. Set the output for everyj∈[n0] to beyj.

Figure 4: The Reconstruct-Compute-Share functionality

5

Security with Abort to Full Security

In this section, we show a black-box reduction from full security to security with abort when sufficiently many parties are honest. We stress that we do not assume that the underlying func- tionality also provides identifiability; that is, an adversary may abort the computation after seeing the output, in which case, all honest parties receive a special⊥symbol as output but no malicious party should be identified. The results in this section are unconditional, i.e., we consider com- putationally unbounded adversaries and that parties can communicate over secure point-to-point channels as well as over a broadcast channel. Security with fairness and restricted abort is de- fined in Section 5.1. In Section5.2 we show how to uplift a fair computation of f with restricted abort to a fully secure computation off, when sufficiently many parties are honest. In Section5.3

we show how to reduce a fair computation of f with restricted abort to security with abort of the Reconstruct-Compute-Share variant of a function f (see Section 4.4), when a majority of the parties are honest.

Theorem 5.1 (restating Theorem 1.8). Let f be ann-party functionality.

1. Let tbe such that t·(2t+ 1)< n and denoten0 = 2t+ 1. Then, f can bet-securely computed with full security, with statistical security, in the hybrid model computing SSn_in→_-out(t,n0)(f) with abort, using t invocations of the ideal functionality. For n0 = 3t+ 1 and t·(3t+ 1)< n, the above holds with perfect security.

2. Lettbe such that(t+1)·(2t+1)≤nand denoten0= 2t+1. Then,f can bet-securely computed with full security, with statistical security, in the hybrid model computing SSn_in→(_-outt,n0)(f) with abort,t+1times in parallel, using a single invocation of the ideal functionality. Forn0= 3t+1

and (t+ 1)·(3t+ 1)< n, the above holds with perfect security.

The proof of Theorem 5.1 follows from Theorems 5.4 and 5.5 appearing in Sections 5.2 and 5.3

5.1 Fairness with Restricted Abort

We start by modifying the security definition of fairness with restricted identifiable abort (Defini- tion2.11), such that in case the adversary aborts the computation, no corrupted party is identified.

Ideal model with fairness and restricted abort. An ideal computation, with fairness andC- abort, of ann-party functionality f on inputx= (x1, . . . , xn) for parties (P1, . . . ,Pn) with respect

toC= (C₁, . . . ,C_{`</sub>), whereC<sub>1</sub>, . . . ,C<sub>`}⊆[n], in the presence of an ideal-model adversaryAcontrolling the parties indexed byI ⊆[n], proceeds via the following steps.

Sending inputs to trusted party: An honest party Pi sends its input xi to the trusted party. The

adversary may send to the trusted party arbitrary inputs for the corrupted parties. Letx0_i be the value actually sent as the input of partyPi.

Early abort: If there exists a corrupted party in every subset Cj, i.e., ifI ∩ Cj 6=∅for every j∈[`],

then the adversaryAcan abort the computation by sending theabortmessage to the trusted party. In case of such abort, the trusted party sends the message⊥to all parties and halts.

Trusted party answers the parties: If C_j ⊆ I for some j ∈ [`], the trusted party sends all the input values x0₁, . . . , x0_n to the adversary, waits to receive from the adversary output values

y₁0, . . . , y_n0, sends y_i0 to Pi and proceeds to the Outputs step. Otherwise, the trusted party

computes (y1, . . . , yn) =f(x01, . . . , xn0) and sendsyi to party Pi for everyi∈[n].

Outputs: Honest parties always output the message received from the trusted party and the cor- rupted parties output nothing. The adversary A outputs an arbitrary function of the initial inputs{xi}i∈I, the messages received by the corrupted parties from the trusted party and its

auxiliary input.

Definition 5.2(ideal-model computation with fairness and restricted abort). Let f: ({0,1}∗)n7→

({0,1}∗)n be an n-party functionality, let I ⊆[n], and let C = (C1, . . . ,C_{`</sub>), where C1, . . . ,C<sub>`} ⊆[n]. The joint execution of f with C under (A, I) in the ideal model, on input vector x = (x1, . . . , xn), auxiliary inputztoA, and security parameterκ, denotedIDEAL_f,C-_Iabort_,A(z)(x, κ), is defined as the output vector of P1, . . . ,Pn, and A(z) resulting from the above described ideal process.

Security definition.

Definition 5.3. Let f: ({0,1}∗)n 7→ ({0,1}∗)n be an n-party functionality and let π be a _ppt protocol computingf. Theprotocolπ(δ, t)-securely computesf with fairness and(`, n0, t0)-abort (and statistical security), if for every real-model adversary A, there exists an adversary S for the ideal model, whose running time is polynomial in the running time of A, such that for every I ⊆[n] of size at most t, and subsetsC = (C<sub>1</sub>, . . . ,C<sub>`</sub>), where for every j∈[`], C_j ⊆[n] satisfies|C_j|=n0 and

|I ∩ C_j| ≤t0, it holds that n REALπ,I,A(z)(x, κ) o (x,z)∈({0,1}∗₎n+1_,κ∈ N ≡_sδnIDEAL_f,C-_Ifair_,S(z)(x, κ) o (x,z)∈({0,1}∗₎n+1_,κ∈ N .

If δ is negligible, we say thatπ is a protocol thatt-securely computes f with fairness and (`, n0, t0)- abort and statistical security.

Similarly, π is a protocol that (δ, t)-securely computes f with fairness and (`, n0, t0)-abort (and perfect security), if n REALπ,I,A(z)(x, κ) o (x,z)∈({0,1}∗₎n+1_,κ∈ N ≡δnIDEALC_f,-_Ifair_,S(z)(x, κ) o (x,z)∈({0,1}∗₎n+1_,κ∈ N .

If δ = 0, we say that π is a protocol that t-securely computes f with fairness and (`, n0, t0)-abort and perfect security.

We denote fairness with (1, n0, t0)-abort by fairness with (n0, t0)-abort.