
In this section, we show how to utilize the observation that any protocol $\Pi$ for computing a circuit $C$ that is linear-based and weakly-private against active adversaries is actually a secure protocol for computing the additively corruptible version $\tilde{f}_C$ of $C$, for the purpose of computing $C$ in the presence of an active adversary.

First, we protect the inputs and outputs of $C$ by transforming $C$ into another circuit $C_{\mathrm{AMD}}$ that receives its inputs and computes its outputs encoded in some AMD code. Second, using the results of Section 3.3, we obtain a secure version $\hat{C}_{\mathrm{AMD}}$ of $C_{\mathrm{AMD}}$. Third, we invoke a protocol $\Pi$ for computing $\hat{C}_{\mathrm{AMD}}$ that is linear-based and weakly-private against active adversaries.

By the properties of $\Pi$, any deviation from the protocol made by an active adversary corresponds to an additive attack on $\hat{C}_{\mathrm{AMD}}$. In addition, by the security property of $\hat{C}_{\mathrm{AMD}}$, this additive attack corresponds to an attack on the inputs and outputs of $\hat{C}_{\mathrm{AMD}}$. Since the inputs and outputs of $\hat{C}_{\mathrm{AMD}}$ … and abort the computation. See Figure 2(b) for a graphical representation of the constructions presented in this section. We begin by defining the circuit $C_{\mathrm{AMD}}$.

Construction 5.3. Let $C : \mathbb{F}^\ell \times \cdots \times \mathbb{F}^\ell \to \mathbb{F}^\ell$ be an $m$-client circuit. In addition, let $(\mathrm{Enc}, \mathrm{Dec})$ be an $(\ell, k, \epsilon_0)$-AMD code. We define the randomized $m$-client circuit $C_{\mathrm{AMD}} : \mathbb{F}^k \times \cdots \times \mathbb{F}^k \to \mathbb{F} \times \mathbb{F}^k$ that on inputs $(x_1, \ldots, x_m)$ performs the following:

1. For all $1 \le i \le m$ compute $(b_i, x'_i) \leftarrow \mathrm{Dec}(x_i)$.

2. Compute $b \leftarrow \sum_{i=1}^{m} r_i b_i$, where each $r_i$ is a random field element.

3. Output $(b, \mathrm{Enc}(C(x'_1, \ldots, x'_m)) + b \cdot r_0)$, where $r_0$ is generated uniformly at random from $\mathbb{F}^k$.

We now proceed to describe a protocol for $C$ in the $\tilde{f}_{\hat{C}_{\mathrm{AMD}}}$-hybrid model, where $\tilde{f}_{\hat{C}_{\mathrm{AMD}}}$ is the additively corruptible version of $C$.

Construction 5.4. Let $C : \mathbb{F}^\ell \times \cdots \times \mathbb{F}^\ell \to \mathbb{F}^\ell$ be an $m$-client circuit and let $(\mathrm{Enc}, \mathrm{Dec})$ be an $(\ell, k, \epsilon_{\mathrm{AMD}})$-AMD code. In addition, let $C_{\mathrm{AMD}}$ be the circuit constructed from $C$ in Construction 5.3 using $(\mathrm{Enc}, \mathrm{Dec})$, and let $\hat{C}_{\mathrm{AMD}}$ be an $\epsilon_0$-secure implementation of $C_{\mathrm{AMD}}$. Consider the protocol $\pi$ in the $\tilde{f}_{\hat{C}_{\mathrm{AMD}}}$-hybrid model which on inputs $(x_1, \ldots, x_m)$ proceeds as follows:

1. Each client $\mathcal{C}_i$ locally computes $\hat{x}_i \leftarrow \mathrm{Enc}(x_i)$.

2. Next, each client $\mathcal{C}_i$ sends its encoded input $\hat{x}_i$ to the ideal functionality $\tilde{f}_{\hat{C}_{\mathrm{AMD}}}$.

Upon obtaining an output $(b, z)$ from the ideal functionality, $\mathcal{C}_1$ performs the following:

1. If $b \ne 0$ then $\mathcal{C}_1$ aborts.

2. $\mathcal{C}_1$ computes $(b', z') \leftarrow \mathrm{Dec}(z)$. If $b' \ne 0$ then $\mathcal{C}_1$ aborts.

3. Otherwise, $\mathcal{C}_1$ outputs $z'$.
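The following is an added, runnable illustration of Constructions 5.3 and 5.4; it is not code from the paper. It assumes a prime field, a toy $m$-client circuit $C$ (componentwise product), and the polynomial AMD code $\mathrm{Enc}(x) = (x, r, r^{\ell+2} + \sum_i x_i r^i)$ (an assumption standing in for the code of Theorem 2.2, which is not on this page); the hybrid functionality $\tilde{f}_{\hat{C}_{\mathrm{AMD}}}$ is modelled directly as an additive attack $(a^{\mathrm{in}}, a^{\mathrm{out}})$ on its inputs and outputs, which is the form the proof reduces every additive attack to.

```python
import random

P = (1 << 61) - 1   # the field F = GF(P); P is prime and P mod (ELL + 2) != 0 (constructed choice)
ELL = 2             # input/output length ell: each client holds a vector in F^ell
K = ELL + 2         # codeword length k: Enc(x) = (x, r, f(x, r))

def _tag(x, r):
    # f(x, r) = r^(ell+2) + sum_{i=1..ell} x_i r^i  (assumed polynomial AMD code)
    return (pow(r, ELL + 2, P) + sum(xi * pow(r, i, P) for i, xi in enumerate(x, 1))) % P

def amd_enc(x, rng):
    r = rng.randrange(P)
    return tuple(x) + (r, _tag(x, r))

def amd_dec(c):
    # returns (b, x'): b == 0 iff the tag is consistent, so b != 0 signals tampering
    x, r, s = c[:ELL], c[ELL], c[ELL + 1]
    return (s - _tag(x, r)) % P, tuple(x)

def vec_add(u, v):
    return tuple((a + b) % P for a, b in zip(u, v))

def circuit_c(xs):
    # the m-client circuit C (constructed toy): componentwise product of all clients' inputs
    out = [1] * ELL
    for x in xs:
        out = [(o * xi) % P for o, xi in zip(out, x)]
    return tuple(out)

def c_amd(encoded, rng):
    # Construction 5.3: decode, combine the flags b_i with random r_i, mask the output by b * r0
    flags, decoded = zip(*(amd_dec(c) for c in encoded))
    b = sum(rng.randrange(P) * b_i for b_i in flags) % P
    r0 = tuple(rng.randrange(P) for _ in range(K))
    return b, vec_add(amd_enc(circuit_c(decoded), rng), tuple(b * ri % P for ri in r0))

def hybrid_functionality(encoded, a_in, a_out, rng):
    # f~_{C_AMD}: the additive attack reduced to a shift a_in on the inputs and a_out on the outputs
    b, z = c_amd([vec_add(c, a) for c, a in zip(encoded, a_in)], rng)
    return (b + a_out[0]) % P, vec_add(z, a_out[1:])

def run_protocol(inputs, a_in, a_out, seed=1):
    # Construction 5.4: every client encodes; C1 aborts (None) if b != 0 or the output fails to decode
    rng = random.Random(seed)
    b, z = hybrid_functionality([amd_enc(x, rng) for x in inputs], a_in, a_out, rng)
    if b != 0:
        return None
    b2, z2 = amd_dec(z)
    return None if b2 != 0 else z2
```

With all-zero attack vectors $\mathcal{C}_1$ recovers $C(\vec{x})$; any nonzero shift on the $b$ coordinate or on the output codeword aborts deterministically, and a nonzero shift on an encoded input aborts except with probability about $2/|\mathbb{F}|$ over the choice of $r$ and $r_i$.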

Theorem 5.3. For any $m$-client circuit $C : \mathbb{F}^\ell \times \cdots \times \mathbb{F}^\ell \to \mathbb{F}^\ell$, the protocol $\pi$ as defined in Construction 5.4 $\epsilon$-securely computes $C$ with abort in the $\tilde{f}_{\hat{C}_{\mathrm{AMD}}}$-hybrid model for $\epsilon = \epsilon_{\mathrm{AMD}} + \epsilon_0$.

Proof. Let $\mathrm{Adv}$ be an adversary controlling a subset of clients $\mathcal{C}$. Assume without loss of generality that $\mathrm{Adv}$ is deterministic; we describe a simulator $\mathrm{Sim}_{\mathrm{AMD}}$ for $\mathrm{Adv}$. On inputs $\vec{x}_{\mathcal{C}}$ (of the corrupted clients in $\mathcal{C}$), $\mathrm{Sim}_{\mathrm{AMD}}$ performs the following.

1. Invoke $\mathrm{Adv}$ on inputs $\vec{x}_{\mathcal{C}}$ and let $\vec{x}'_{\mathcal{C}}$ be the inputs sent by $\mathrm{Adv}$ to the $\tilde{f}_{\hat{C}_{\mathrm{AMD}}}$ oracle on behalf of the corrupted clients. In addition, let $A$ be the additive attack on $\hat{C}_{\mathrm{AMD}}$ that is also sent by $\mathrm{Adv}$ to the $\tilde{f}_{\hat{C}_{\mathrm{AMD}}}$ oracle.

2. $\mathrm{Sim}_{\mathrm{AMD}}$ computes a vector $a^{\mathrm{in}}$ and a distribution $A^{\mathrm{out}}$ representing the additive attack on the inputs and outputs of $\hat{C}_{\mathrm{AMD}}$ that is equivalent to $A$, as defined in Definition 1.1. In addition, $\mathrm{Sim}_{\mathrm{AMD}}$ samples a vector $a^{\mathrm{out}}$ from $A^{\mathrm{out}}$.

We split the simulation into two cases.

• If $\mathcal{C}_1$ is not corrupted. We consider three sub-cases:

1. If it holds that $a^{\mathrm{in}}_{\overline{\mathcal{C}}} \ne 0$ or $a^{\mathrm{out}} \ne 0$ then $\mathrm{Sim}_{\mathrm{AMD}}$ aborts. For this case the simulation is complete.

2. If it holds that $a^{\mathrm{in}}_{\overline{\mathcal{C}}} = a^{\mathrm{out}} = 0$ then $\mathrm{Sim}_{\mathrm{AMD}}$ computes for each $\mathcal{C}_i \in \mathcal{C}$ the values $(b_i, x''_i) \leftarrow \mathrm{Dec}(x'_i + a^{\mathrm{in}}_{\mathcal{C}_i})$.

3. If there exists a client $\mathcal{C}_i \in \mathcal{C}$ such that $b_i \ne 0$ then $\mathrm{Sim}_{\mathrm{AMD}}$ aborts. Otherwise, $\mathrm{Sim}_{\mathrm{AMD}}$ invokes the trusted party with the decoded inputs $x''_{\mathcal{C}}$ for the corrupted clients.

• If $\mathcal{C}_1$ is corrupted. In this case only the adversary gets outputs, thus $\mathrm{Sim}_{\mathrm{AMD}}$ proceeds to set the view of the adversary as follows.

– For each $\mathcal{C}_i \in \mathcal{C}$ compute $(b_i, x''_i) \leftarrow \mathrm{Dec}(x'_i + a^{\mathrm{in}}_{\mathcal{C}_i})$.

– If $a^{\mathrm{in}}_{\overline{\mathcal{C}}} \ne 0$ or there exists $\mathcal{C}_i \in \mathcal{C}$ such that $b_i \ne 0$, then set the view of the adversary to be $(r_0, r) + a^{\mathrm{out}}$, where $r_0$ is a random non-zero field element and $r$ is generated uniformly from $\mathbb{F}^\ell$.

– If $a^{\mathrm{in}}_{\overline{\mathcal{C}}} = 0$ and for all $\mathcal{C}_i \in \mathcal{C}$ it holds that $b_i = 0$, invoke the trusted party with inputs $x''_{\mathcal{C}}$ for the corrupted clients. Let $z$ be the output of the trusted party; the view of the adversary is set to be $(0, \mathrm{Enc}(z)) + a^{\mathrm{out}}$.

We claim that for all $\vec{x}$ it holds that

$$\mathrm{SD}\Big(\mathrm{Ideal}^{\mathrm{abort}}_{C, \mathrm{Sim}_{\mathrm{AMD}}, \mathcal{C}}(\vec{x}),\ \mathrm{Real}^{\tilde{f}_{\hat{C}_{\mathrm{AMD}}}}_{\pi, \mathrm{Adv}, \mathcal{C}}(\vec{x})\Big) \le \epsilon_{\mathrm{AMD}} + \epsilon_0.$$

Notice that all the clients but $\mathcal{C}_1$ do not get any messages or outputs during $\pi$; thus, simulating the view of all the corrupted clients but $\mathcal{C}_1$ can be done easily by just setting their view to be their corresponding inputs. Fix an input $\vec{x}$ for $\pi$, and notice that this fixes the view of all the corrupted clients but $\mathcal{C}_1$ (in case it is corrupted).

We proceed to simulate the output of $\mathcal{C}_1$ in case it is honest, or its view in case it is corrupted. Let $A$ be the adversary's input to $\tilde{f}_{\hat{C}_{\mathrm{AMD}}}$ representing the additive attack on $\hat{C}_{\mathrm{AMD}}$, and let $\tilde{f}$ be the randomized functionality obtained from $\tilde{f}_{\hat{C}_{\mathrm{AMD}}}$ by fixing the additive attack on $\hat{C}_{\mathrm{AMD}}$ to $A$. By the additive-attack security property of $\hat{C}_{\mathrm{AMD}}$ we have that

$$\mathrm{SD}\Big(\hat{C}_{\mathrm{AMD}}\big((\vec{x}_{\overline{\mathcal{C}}}, \vec{x}'_{\mathcal{C}}) + a^{\mathrm{in}}\big) + A^{\mathrm{out}},\ \tilde{f}(\vec{x})\Big) \le \epsilon_0$$

where $\vec{x}_{\overline{\mathcal{C}}}$ are the inputs of the honest clients and $\vec{x}'_{\mathcal{C}}$ are the inputs of the corrupted clients as provided by the adversary. We split the proof into two cases.

• If $\mathcal{C}_1$ is not corrupted we have to simulate the outputs of $\mathcal{C}_1$. We have two cases to consider.

– If $a^{\mathrm{in}}_{\overline{\mathcal{C}}} \ne 0$ or decoding using $\mathrm{Dec}$ of $\vec{x}'_{\mathcal{C}} + a^{\mathrm{in}}_{\mathcal{C}}$ fails (i.e. there exists $\mathcal{C}_i \in \mathcal{C}$ such that $(b_i, y_i) \leftarrow \mathrm{Dec}(x'_i + a^{\mathrm{in}}_i)$ and $b_i \ne 0$). In this case either the adversary decided to attack the inputs of the honest clients inside $\hat{C}_{\mathrm{AMD}}$ (which are sent encoded using $\mathrm{Enc}$) or has provided inputs $\vec{x}'_{\mathcal{C}} + a^{\mathrm{in}}_{\mathcal{C}}$ for the corrupted parties that do not decode. In both cases, by the additive robustness of $(\mathrm{Enc}, \mathrm{Dec})$ we have that

$$\mathrm{SD}\Big(\hat{C}_{\mathrm{AMD}}\big((\vec{x}_{\overline{\mathcal{C}}}, \vec{x}'_{\mathcal{C}}) + a^{\mathrm{in}}\big) + A^{\mathrm{out}},\ U^* \times U^\ell\Big) \le \epsilon_{\mathrm{AMD}}$$

where $U^*$ is the uniform distribution over the non-zero elements of $\mathbb{F}$. Finally, observe that upon receiving output from such a distribution $\mathcal{C}_1$ immediately aborts. Thus, we have obtained that the output of $\mathcal{C}_1$ is $(\epsilon_{\mathrm{AMD}} + \epsilon_0)$-close to abort, which is exactly the simulated output of $\mathcal{C}_1$.

– If $a^{\mathrm{in}}_{\overline{\mathcal{C}}} = 0$ and decoding using $\mathrm{Dec}$ of $\vec{x}'_{\mathcal{C}} + a^{\mathrm{in}}_{\mathcal{C}}$ succeeds (i.e. for all $\mathcal{C}_i \in \mathcal{C}$ it holds that $(b_i, y_i) \leftarrow \mathrm{Dec}(x'_i + a^{\mathrm{in}}_i)$ and $b_i = 0$). In this case, let $\vec{y}$ be the decoding of $(\vec{x}_{\overline{\mathcal{C}}}, \vec{x}'_{\mathcal{C}}) + a^{\mathrm{in}}$. Observe that by the additive robustness property of $(\mathrm{Enc}, \mathrm{Dec})$ and of $\hat{C}_{\mathrm{AMD}}$ we have that the output of $\mathcal{C}_1$ in the real world is $(\epsilon_{\mathrm{AMD}} + \epsilon_0)$-close to the distribution $A^{\mathrm{out}}_{\mathcal{C}_1}$ defined as follows: $A^{\mathrm{out}}_{\mathcal{C}_1}$ is the second output of $\mathrm{Dec}(\hat{C}_{\mathrm{AMD}}(\mathrm{Enc}(\vec{y})))$ when $A^{\mathrm{out}}$ outputs $0$, and $A^{\mathrm{out}}_{\mathcal{C}_1}$ outputs an abort symbol otherwise. Next, observe that the second output of $\mathrm{Dec}(\hat{C}_{\mathrm{AMD}}(\mathrm{Enc}(\vec{x})))$ is equal to $C(x)$. Finally, observe that $A^{\mathrm{out}}$

• If $\mathcal{C}_1$ is corrupted we have to simulate its view, since $O_{\mathcal{C}} \equiv O'_{\mathcal{C}} \equiv \bot$. We have two cases to consider.

– If $a^{\mathrm{in}}_{\overline{\mathcal{C}}} \ne 0$ or decoding using $\mathrm{Dec}$ of $\vec{x}'_{\mathcal{C}} + a^{\mathrm{in}}_{\mathcal{C}}$ fails (i.e. there exists $\mathcal{C}_i \in \mathcal{C}$ for which it holds that $(b_i, y_i) \leftarrow \mathrm{Dec}(x'_i + a^{\mathrm{in}}_i)$ and $b_i \ne 0$). In this case either the adversary decided to attack the inputs of the honest clients inside $\hat{C}_{\mathrm{AMD}}$ (which are sent encoded using $\mathrm{Enc}$) or has provided inputs $\vec{x}'_{\mathcal{C}} + a^{\mathrm{in}}_{\mathcal{C}}$ for the corrupted parties that do not decode.

By construction we have that the view of the clients in $\mathcal{C}$ during a real execution of $\pi$ is $V_{\mathcal{C}} = (x_{\mathcal{C}}, \tilde{f}(\vec{x}))$. Using the additive-attack security property of $\hat{C}_{\mathrm{AMD}}$ we obtain

$$\mathrm{SD}\Big(V_{\mathcal{C}},\ \big(x_{\mathcal{C}},\ \hat{C}_{\mathrm{AMD}}((\vec{x}_{\overline{\mathcal{C}}}, \vec{x}'_{\mathcal{C}}) + a^{\mathrm{in}}) + A^{\mathrm{out}}\big)\Big) \le \epsilon_0.$$

Using the additive robustness property of $(\mathrm{Enc}, \mathrm{Dec})$, we have that

$$\mathrm{SD}\Big(V_{\mathcal{C}},\ \big(x_{\mathcal{C}},\ U^* \times U^k + A^{\mathrm{out}}\big)\Big) \le \epsilon_{\mathrm{AMD}} + \epsilon_0.$$

Finally, notice that by construction it holds that $(x_{\mathcal{C}}, U^* \times U^k + A^{\mathrm{out}}) = V'_{\mathcal{C}}$.

– If $a^{\mathrm{in}}_{\overline{\mathcal{C}}} = 0$ and decoding using $\mathrm{Dec}$ of $\vec{x}'_{\mathcal{C}} + a^{\mathrm{in}}_{\mathcal{C}}$ succeeds (i.e. for all $\mathcal{C}_i \in \mathcal{C}$ it holds that $(b_i, y_i) \leftarrow \mathrm{Dec}(x'_i + a^{\mathrm{in}}_i)$ and $b_i = 0$). In this case, let $\vec{y}$ be the decoding of $(\vec{x}_{\overline{\mathcal{C}}}, \vec{x}'_{\mathcal{C}}) + a^{\mathrm{in}}$.

By construction we have that $V_{\mathcal{C}} \equiv (x_{\mathcal{C}}, \tilde{f}(\vec{x}))$. Using the additive-attack security property of $\hat{C}_{\mathrm{AMD}}$ we obtain

$$\mathrm{SD}\Big(V_{\mathcal{C}},\ \big(x_{\mathcal{C}},\ \hat{C}_{\mathrm{AMD}}((\vec{x}_{\overline{\mathcal{C}}}, \vec{x}'_{\mathcal{C}}) + a^{\mathrm{in}}) + A^{\mathrm{out}}\big)\Big) \le \epsilon_0.$$

Observe that for this case it holds that $\hat{C}_{\mathrm{AMD}}((\vec{x}_{\overline{\mathcal{C}}}, \vec{x}'_{\mathcal{C}}) + a^{\mathrm{in}}) = (0, \mathrm{Enc}(C(\vec{y})))$. Thus, we have that

$$\mathrm{SD}\Big(V_{\mathcal{C}},\ \big(x_{\mathcal{C}},\ (0, \mathrm{Enc}(C(\vec{y}))) + A^{\mathrm{out}}\big)\Big) \le \epsilon_0.$$

Finally, notice that by construction it holds that $(x_{\mathcal{C}}, (0, \mathrm{Enc}(C(\vec{y}))) + A^{\mathrm{out}}) \equiv V'_{\mathcal{C}}$.

The following corollary states that any protocol $\pi$ for privately computing a circuit $C$ that is linear-based and weakly-private against active adversaries can be transformed into a protocol $\pi'$ securely computing $C$ in the presence of active adversaries.

Corollary 5.2. Let $n, t$ be positive integers such that $n = 2t + 1$, and let $\pi$ be a protocol for $t$-privately computing a circuit $C$, using $m$ clients and $n$ servers, that is linear-based with respect to some dense and redundant secret sharing scheme and is weakly-private against active adversaries controlling at most $t$ servers. Then there exists a protocol $\pi'$ using $m$ clients and $n$ servers that $(t, O(|C|/|\mathbb{F}|))$-securely computes $C$ with abort. Moreover, the communication complexity of $\pi'$ is bigger than the communication complexity of $\pi$ by a constant factor.

Proof. First observe that Construction 5.4 can be instantiated (using the AMD code from Theorem 2.2 and the circuit transformation from Theorem 3.7) to produce an $(m, O(|C|/|\mathbb{F}|))$-secure protocol $\pi''$ for computing $C$ with abort in the $\tilde{f}_{\hat{C}_{\mathrm{AMD}}}$-hybrid model.

Next, notice that by Theorem 5.2 the protocol $\pi$, when invoked on $\hat{C}_{\mathrm{AMD}}$, is $t$-secure for computing $\tilde{f}_{\hat{C}_{\mathrm{AMD}}}$. Thus, obtain $\pi'$ by replacing the oracle call to $\tilde{f}_{\hat{C}_{\mathrm{AMD}}}$ of $\pi''$ with the protocol $\pi$ for $\hat{C}_{\mathrm{AMD}}$. Since $|\hat{C}_{\mathrm{AMD}}| = O(|C|)$, we have that the communication complexity of $\pi'$ is bigger than the communication complexity of $\pi$ by a constant factor.