## Efficient General-Adversary Multi-Party Computation

Martin Hirt, Daniel Tschudi? ETH Zurich

{hirt,tschudid}@inf.ethz.ch

Abstract. Secure multi-party computation (MPC) allows a setP ofnplayers to evaluate a functionf in presence of an adversary who corrupts a subset of the players. In this paper we consider active, general adversaries, characterized by a so-called adversary structureZ which enumerates all possible subsets of corrupted players. In particular for small sets of players general adversaries better capture real-world requirements than classical threshold adversaries.

Protocols for general adversaries are “efficient” in the sense that they require |Z|O(1)bits of communication. However, as|Z|is usually very large (even ex-ponential inn), the exact exponent is very relevant. In the setting with perfect security, the most efficient protocol known to date communicatesO(|Z|3

)bits; we present a protocol for this setting which communicatesO(|Z|2)bits. In the setting with statistical security,O(|Z|3

)bits of communication is needed in gen-eral (whereas for a very restricted subclass of adversary structures, a protocol with communicationO(|Z|2

)bits is known); we present a protocol for this set-ting (without limitations) which communicatesO(|Z|1)bits.

Keywords: Secure Multiparty Computation, General Adversaries, Efficiency

### 1

### Introduction

Secure Multi-Party Computation Secure Multi-Party Computation (MPC) allows a

setP of nplayers to securely evaluate a functionf even when a subset of the play-ers is corrupted by a central advplay-ersary. MPC was introduced by Yao [Yao82]. A first solution (with computational security) was given by Goldreich, Micali, and Wigder-son [GMW87]. Later solutions [BGW88, CCD88, RB89] provide statistical and even perfect security. All these protocols consider threshold adversaries (characterized by an upper bound ton the number of corrupted parties). This was generalized in [HM00] by considering so-called general adversaries, characterized by an adversary structure

Z={Z1, . . . , Z`}, which enumerates all possible subsets of corrupted players.
In the setting with perfect active security, MPC is achievable if and only ift < n_{3},
respectivelyQ3_{(}_{P}_{,}_{Z}_{)}_{(the union of no}_{three}_{sets in}_{Z} _{covers}_{P}_{). In the setting with}
statistical or cryptographic active security, MPC is achievable if and only if t < n

2,
respectivelyQ2_{(}_{P}_{,}_{Z}_{)}_{(the union of no}_{two}_{sets in}_{Z}_{covers}_{P}_{).}

?

Threshold vs. General Adversaries Clearly, general adversaries are more flexible, which is relevant in particular when the set of players is not very large. However, gen-eral-adversary protocols are typically by orders of magnitude less efficient than thresh-old protocols; more specifically, threshthresh-old protocols usually communicatePoly(n)bits per multiplication, whereas general-adversary protocols requirePoly(|Z|)bits. As typ-ically |Z| is exponential inn, this is a huge drawback. However, in some scenarios (e.g. with very different types of players), threshold protocols are not applicable, and general-adversary protocols must be used. In these settings, the concrete communi-cation complexity of the general-adversary protocol is highly relevant: For example forn = 25,|Z|is expected to be around one million, and a protocol communicating

|Z| ·Poly(n)might be acceptable, whereas a protocol communicating|Z|3·Poly(n) might be useless.

Contributions In the statistically-secure model, one can tolerate at most adversary
structures satisfyingQ2_{(}_{P}_{,}_{Z}_{). The most efficient protocol known to date, which is}
also optimal in terms of resilience, requires |Z|3·Poly(n, κ)bits of communication
(where κ is the security parameter) [Mau02, HMZ08]. There exists a protocol with
communication complexity of|Z|2·Poly(n, κ)[PSR03]. But this results is non-optimal
in terms of resilience, as it tolerates only adversaries satisfyingQ3_{.}

Using a new approach for multiplication, we construct a protocol communicating|Z| ·

Poly(n, κ)bits and toleratingQ2 _{adversary structures. This protocol is optimal both}
in terms of overall efficiency and resilience. We stress that even with cryptographic
security,Q2_{is necessary and complexity linear in}_{|Z|}_{is required at least with respect}
to the computation (see [Hir01]).

Furthermore, we present a perfectly secure protocol (with no error probability) with
communication complexity of|Z|2·Poly(n). It is optimal in terms of resilience (Q3_{)}
and also the most efficient protocol up to date in the model with perfect security.

Setting Cond. Bits / Mult. Reference
passive perfect Q2 _{|Z| ·}

Poly(n) [Mau02]
active perfect Q3 _{|Z|}3

·Poly(n) [Mau02]
active perfect Q3 _{|Z|}2

·Poly(n) our result
active unconditional Q2 _{|Z|}3_{·}

Poly(n, κ) [Mau02]/[HMZ08]
active unconditional Q3 _{|Z|}2

·Poly(n, κ) [PSR03]
active unconditional Q2 _{|Z| ·}

Poly(n, κ) our result

Table 1.Communication complexity of different protocols

### 2

### Preliminaries

by a circuitCconsisting of input, output, random, addition, and multiplication gates. In an ideal world, a trusted party does all the computation. In the real world, players are connected by a complete network of secure (private and authentic) synchronous channels. There exist authenticated broadcast channels (they can be simulated by the players, see e.g. [FM98] or [PW96] ). In order to compute the functionf, the players simulate the trusted party by using some MPC-protocolΠ.

Adversary and Adversary Structure Dishonesty is modeled in terms of a central
ad-versaryAwho corrupts players. During the execution of the protocol the adversary can
access the internal state of corrupted players and make them deviate from the protocol
at will. We allow that the adversary is computationally unbounded. Before the execution
of the protocol the adversary has to specify the players he wants to corrupt. His choice is
limited by means of an adversary structureZ ={Z1, . . . , Z`} ⊆2P, i.e. all corrupted
players must be part of an adversary set inZ. We denote the chosen set byZ∗. Note
thatZ∗is not known to the honest players and is solely used for ease of notation. We
say thatZsatisfies theQk_{(}_{P}_{,}_{Z}_{)}_{property if}_{P 6⊆}_{Z1}_{∪ · · · ∪}_{Z}

k ∀Z1, . . . , Zk∈ Z.

Security We say a protocol isZ-secure if anything the adversary achieves during the
execution of the protocol can be achieved in the ideal world as well. More precisely, for
every adversary in the real world there exists an adversary in the ideal world such that
both the information the adversary gets and the output of honest players are statistically
indistinguishable for perfect security respectively statistically close for unconditional
security. The main result from [HM97] states thatQ3_{(}_{P}_{,}_{Z}_{)}_{resp.}_{Q}2_{(}_{P}_{,}_{Z}_{)}_{are the}
necessary and sufficient conditions for the existence of perfectly resp. unconditionally

Z-secure protocols considering active adversaries. For simplicity we assume that all messages sent during the execution ofΠare from the right domain. If a player receives a message where this is not the case, he replaces it with an arbitrary element from the right domain. If a player receives an unexpected message, he ignores it.

### 3

### Perfect Protocol

In this section we present a perfectlyZ-secure protocol for an arbitrary adversary
struc-tureZ satisfying theQ3 _{property. The communication complexity of the protocol is}
quadratic in|Z|. The efficiency gain is due to an improved multiplication protocol. The
sharing is (up to presentation) the same as in [Mau02].

3.1 Secret Sharing

Secret sharing allows a player to distribute a secret value among the player set, such that only qualified subsets of players are able reconstruct it. The secret sharing used for our protocol is based on the one from [Mau02] / [BFH+08]. It is characterized by asharing specificationS= (S1, . . . , Sh), which is a tuple of subsets ofP.

a) There exist sharess1, . . . , shsuch thats=P h q=1sq b) Eachsqis known to every (honest) player inSq

We denote the sharing of a valuesby[s]and use[s]q as notation forsq, theq-th share.
A sharing specificationS= (S1, . . . , Sh)is calledZ-privateif for everyZ ∈ Zthere
is an S ∈ S such thatZ ∩S = ∅. A sharing specification S = (S1, . . . , Sh)and
an adversary structureZ satisfyQk_{(}

S,Z)if S 6⊆ Z1∪ · · · ∪Zk ∀Z1, . . . , Zk ∈

Z S ∈ S. IfSisZ-private, a sharing[s]does not leak information to the adversary,
as all shares known by the adversary are statistically independent ofs. The players
can compute a sharing of any linear combination of shared values (with respect to a
sharing specification_{S}) by locally computing the linear combination of their shares.
This property is called the linearity of the sharing. The following protocolShareallows
a dealerPDto correctly share valuesamong the players inP.

ProtocolShare(P,Z,_{S}, PD, s)[Mau02]

0: The dealerPDtakessas input.

1: PDsplitssinto random sharess1, . . . , s|S|subject tos= P|S|

q=1sq.
2: for allq∈ {1, . . . ,|_{S}|} do

3: PDsendssqto every player inSq.

4: Each player inSqforwards the received value to every player inSq. 5: Each player inSqchecks that the received values are all the same and

broadcastsOK, orNOKaccordingly.

6: If a player inSqbroadcastNOK, the dealer broadcastssq and the players inSqtake this value (resp. some default value if the dealer does not broadcast) as share. Otherwise every player inSqtakes the value he received in Step 3 as share.

7: end for

8: The players inP collectively output[s].

Lemma 1. For any adversary structureZthe protocolShare(P,Z,S, PD, s)securely
computes a sharing[s0_{]}_{. For honest}_{P}

Dit holds thats0 =s. The protocol communicates at most|S|(n2+n) log|F|bits and broadcasts at most|S|(log|F|+n)bits.

Proof. Correctness: For eachsqeither all the honest players inSq hold the same value after Step 3, or one of them complains and they receive a consistent value in Step 6. Hence the protocol outputs a (consistent) sharing[s0]. If the dealer is honest he is able to ensure in Steps 3 and 6 that the honest players use the intended value forsqsuch that s=s0. Privacy: Let the dealer be honest, as otherwise secrecy is trivially fulfilled. All a player learns beyond his designated output are values broadcast in Step 6. However this does not violate secrecy as these values are already known to the adversary (from Step 3). Complexity: For each share at mostn+n2values are sent and at mostn+ log|F|

bits broadcast. ut

ProtocolDefaultShare(P,Z,S, s) 0: Every player takessas input.

1: The shares1is set tosand all other shares are set to0. 2: The players inP collectively output[s].

Lemma 2. DefaultShare(P,Z,S, s)securely computes a sharing[s]wheresis a pub-licly known value. The protocol does not communicate.

Proof. Correctness: In Step 1 every honest player inSqtakes the same value for share sq. As the sum of all shares iss, the protocol outputs a consistent sharing[s]. Privacy: During the protocol no communication occurs, hence the adversary does not obtain new

information. ut

The protocolReconstructShareallows the reconstruction of a share[s]qto the players in some setR. This implies that the players can reconstruct a shared value[s]by invoking ReconstructSharefor each share.

ProtocolReconstructShare(P,Z,_{S},[s]q, R)

0: The players inSq take the share[s]qas input. 1: Every playerPiinSqsends[s]qto every player inR.

2: For each playerPj ∈Rletvj,ibe the value received fromPi. ThenPjoutputs some valuevjsuch that there exists aZ∈ Zwithvj,i=vjfor allPi∈Sq\Z.

Lemma 3. IfSqandZsatisfyQ2(Sq,Z), the protocolReconstructSharesecurely re-constructs the share [s]q to the players in R, such that every (honest) player outputs [s]q. The protocol communicates at mostn2log|F|bits.

Proof. Correctness: In Step 1 all honest player will send the same value[s]q, which is a suitable choice forvj for an (honest) playerPj ∈ Rin Step 2. For the sake of contradiction suppose there exist two valuesv1 6=v2with correspondingZ1, Z2 ∈ Z

such that the condition of Step 2 holds for both of them. Hence(Sq\Z1)∩(Sq\Z2) =∅ and thusSq ⊆Z1∪Z2which contradictsQ2(Sq,Z). Therefore every honest players outputs the value[s]q. Privacy: The adversary learns at most[s]q (if a malicious player is part ofR). Complexity: Each player inSq sends his value to at mostnplayers. ut

ProtocolReconstruct(P,Z,S,[s], R)[Mau02] 0: The players inP take collectively[s]as input.

1: ∀q∈ {1, . . . ,|S|}protocolReconstructShare(P,Z,S,[s]q, R)is invoked. 2: The players inRlocally sum up the obtained shares and output the sums.

Lemma 4. If S and Z satisfy Q2(S,Z) and [s] is a sharing of the value s, then Reconstruct(P,Z,S,[s], R)securely reconstructssto the players inR. The protocol communicates at most|S|n2log|F|bits.

3.2 Multiplication

We present a protocol for the perfectly-secure computation of the (shared) product of
two shared values [a] and [b] (with respect to a sharing specification S). Along the
lines of [Mau02] the fundamental idea of multiplication is to assign each local product
apbq to a player inSp ∩Sq, who computes and shares his designated products. The
sum of all these sharings is a sharing ofabas long as no player actively cheated. So
each player is mapped to a collection of local products, formalized by a functionI :
[n] → 2{(p,q)|1≤p,q≤|Z|}_{with the constraint that}_{∀}_{(p, q)}_{∃}_{!}_{i}_{such that}_{(p, q)}_{∈} _{I(i).}
W.l.o.g letI(i)..={(p, q)|Pi = minP{P ∈Sp∩Sq}}. We first show an optimistic
multiplication protocol which takes an additional parameterZand computes the correct
product if the actual adversary setZ∗ is a subset ofZ. In this protocol local products
are assigned to players inP \Zonly. Clearly this is possible if and only if for each local
product a player inP \Zholds both involved shares, i.e.∀Sp, Sq ∈S : Sp∩Sq\Z 6=∅.
So for each Z ∈ Z letIZ be a mapping as above with the additional constraint that

∀Pi∈Z IZ(i) =∅. Without loss of generality, letIZ(i)..={(p, q)|Pi= minP{P ∈ Sp∩Sq\Z}}.

ProtocolOptimisticMult(P,Z,S,[a],[b], Z)

0: The players inP take collectively[a],[b]andZas input. 1:

a) Each playerPi ∈ P \Z(locally) computes his designated products and shares the sumci=P(p,q)∈IZ(i)apbq.

b) For eachPi ∈ZDefaultShare(P,Z,S,0)is invoked to shareci = 0. 2: The players collectively output([c1], . . . ,[cn])and[c] =P

n i=1[ci].

Lemma 5. LetZ ⊆ P such that∀Sp, Sq ∈S : Sp∩Sq\Z 6=∅. Then the protocol
OptimisticMultsecurely computes sharings[c],([c1], . . . ,[cn]). If no player inP \Z
actively cheats (in particular, ifZ∗ ⊆ Z), then∀i ci = P_{(}_{p,q}_{)∈}_{I}_{Z}_{(}_{i}_{)}apbq and c =
ab. The protocol communicates at mostO(|S|n3log|F|)bits and broadcasts at most

O(|S|(nlog|F|+n2))bits.

Proof. Correctness: The properties of the sharing protocol guarantee that the outputs are valid sharings. If none of the players inP \Zcheated actively, it holds for eachPi thatci=P(p,q)∈IZ(i)apbq. The condition∀Sp, Sq ∈S : Sp∩Sq\Z6=∅guarantees

thatab=Pn i=1

P

(p,q)∈IZ(i)apbq. Hence it follows thatc=ab. Privacy / Complexity:

Follow directly from Lemmas 1 and 2. ut

as these sharings are potentially tampered (Step 3 of theMultiplicationprotocol). This checking and removing is repeated until all remaining sharing are equal (and hence cor-rect). As the identification of cheaters does not reveal any information to the adversary, Multiplicationallows the secure computation of the product of two shared secret values.

ProtocolMultiplication(P,Z,S,[a],[b]) 0: SetM =∅.

1: Invoke OptimisticMult(P,Z,S,[a],[b], Z) to compute ([c(1Z)], . . . ,[c
(Z)
n ])
and[c(Z)_{]}_{for each}_{Z}_{∈ Z}_{.}

2: Set ZM ..= {Z ∈ Z | M ⊆ Z}, fix some Ze ∈ ZM and reconstruct the
differences[c(Ze)_{]}_{−}_{[c}(Z)_{]} _{∀}_{Z} _{∈ Z}

M.

3: If all differences are zero, output[c(Ze)_{]}_{as sharing of the product.}

Otherwise let ([d1], . . . ,[dn]) ..= ([c (Ze)

1 ], . . . ,[c (Ze)

n ]), ([e1], . . . ,[en]) ..=
([c(_{1}Z)], . . . ,[c(nZ)]), D..=I

e

ZandE..=IZ, where[c

(Ze)_{]}_{−}_{[c}(Z)_{]}_{6}_{= 0.}

a) EachPi shares the2nvaluesdi,j = P(p,q)∈D(i)∩E(j)apbq andei,j = P

(p,q)∈E(i)∩D(j)apbq

b) For each playerPireconstruct the differences[di]−Pn_{j}_{=1}[di,j]and[ei]−
Pn

j=1[ei,j]. If one of them is non-zero setM ←M ∪ {Pi}and continue at Step 2.

c) For each (ordered) pair (Pi, Pj) of players reconstruct the difference [di,j] − [ej,i]. If it is non-zero, reconstruct [di,j],[ej,i] and all shares

{ap, bq |(p, q) ∈ D(i)∩E(j)} to find the cheaterP ∈ {Pi, Pj}. Set M ←M∪ {P}and continue at Step 2.

Lemma 6. IfSand Z satisfy Q2(S,Z)the protocol Multiplicationyields a sharing
[c] = [ab]. No information is leaked to the adversary. Multiplicationcommunicates
at mostO(|_{S}| |Z|n3_{log}_{|}

F|+|S|n5log|F|)bits and broadcasts at mostO(|S| |Z|(n log|F|+n2) +|S|(n3log|F|+n4))bits.

Proof. Correctness: By invokingOptimisticMultfor eachZ ∈ Z it holds forZ∗that
[c(Z∗)_{] = [ab]}_{(due to} _{Q}2_{(}

S,Z) ∀Sp, Sq ∈ S : Sp ∩Sq \Z 6= ∅ holds) . If for
everyZ ∈ ZM the difference in Step 2 is zero, then[c(Z)] = [ab]∀Z ∈ ZM (M =∅
at the beginning). Hence the protocol terminates successfully outputting a sharing of
ab. Otherwise there exists [c(Ze)_{]}_{−}_{[c}(Z)_{]} _{6}_{= 0} _{and thus} Pn

i=1[di] 6= P n

i=1[ei]. In Step 3a) each player is supposed to share a partition of his shares. Hence one of the following cases must occur: There exists a playerPi such that[di] 6= P

n

j=1[di,j]or [ei]6=P

n

j=1[ei,j]. Or there exists a pair of players(Pi, Pj)such that[di,j]6= [ej,i]. In the first casePiwill be detected as cheater in Step 3b). In the second case the cheater will be detected in Step 3c). In both casesM ⊆ P is strictly increased, hence the protocol will terminate after at mostniterations. It holds thatM ⊆Z∗and thusZ∗ ∈ ZM. Therefore the correct sharing[c(Z

∗_{)}

adversary learns the differences reconstructed in Steps 2 and 3 ofMultiplication, which are all zero unless the adversary cheats. In case of cheating the reconstructed values depends solely on the inputs of the adversary and are thus already known to him, thus privacy is not violated. All values further reconstructed in Step 3c) are known to the adversary before, as eitherPiorPjis corrupted.Complexity: Follows from Lemmas 1, 4 and 5 by counting the number of invocations of the corresponding sub-protocols. ut

3.3 MPC Protocol

CombiningShare,Reconstruct, andMultiplicationthe players can securely compute a
circuitCover_{F}, where all intermediate values are shared according to Definition 1.

ProtocolMPC(P,Z,C)

0: The players takeS..={P \Z|Z∈ Z}as sharing specification. 1: For every gate ofCbeing evaluated do the following:

- Input gate forPD:Share(P,Z,S, PD, s)is invoked to shares, wherePD is the input-giving player.

- Linear gate:The linear combination of the corresponding shares is com-puted locally using the linearity of the sharing.

- Random gate:Each player shares a random value. The sum of these values is used as output of the gate.

- Multiplication gate: Multiplication(P,Z,_{S},[a],[b]) is used to multiply
[a]and[b].

- Output gate:The players invoke Reconstruct(P,Z,S,[s], R)to recon-struct the sharing[s]to players inR.

Theorem 1. LetPbe a set ofnplayers,Ca circuit overFandZan adversary structure
satisfyingQ3_{(}_{P}_{,}_{Z}_{)}_{, then}_{MPC}_{(}_{P}_{,}_{Z}_{,}_{C}_{)}_{perfectly}_{Z}_{-securely evaluates}_{C}_{. It }
commu-nicates|C| |Z|2·Poly(n,log|_{F}|)bits.

Proof. It is easy to see thatS ..={P \Z|Z ∈ Z}is a sharing specification satisfying

Q2_{(}

S,Z). Hence by the properties of the sharing scheme and Lemma 6 the statement
follows. The protocol communicatesO(|C| |Z|2n3log|F|+|C| |Z|n5log|F|)bits and
broadcastsO(|C| |Z|2(nlog|_{F}|+n2_{) +}_{|C| |Z|}_{(n}3_{log}_{|}

F|+n4))bits. Broadcast can be simulated with the protocol in [FM98], which communicatesPoly(n)bits in order to broadcast one bit. This yields the claimed communication complexity. ut

### 4

### Unconditional Protocol

4.1 Information Checking

In the perfect model,Q3_{enables the honest players to securely reconstruct shares, as it}
assures that every share is held by enough honest players. Here,Q2_{only ensures that}
each share is held by at least one honest player. Correctness is achieved by the use of
information checking, a technique that prevents (malicious) players from announcing
wrong values (see [RB89, Bea91a, CDD+_{99, HMZ08]). The following }
information-checking protocol is a slight variation of [CDD+_{99]. It is a three party protocol between}
a sender Pi, a recipient Pj and a verifierPk. The sender Pi provides Pj with some
authentication tag andPk with some verification tag, such thatPj later can prove the
authenticity of a valuesto the verifierPk. We assume that each pairPi, Pkof players
knows a fixed secret valueαi,k∈F\ {0,1}.

Definition 2. A vector(s, y, z, α)is1-consistent if there exists a polynomialfof degree 1over Fsuch thatf(0) = s, f(1) =y, f(α) = z. We say a valuesis(Pi, Pj, Pk) -authenticatedifPj knowssand some authentication tag y andPk knows a verifica-tion tagzsuch that(s, y, z, αi,k)is1-consistent. The vector(y, z, αi,k)is denoted by Ai,j,k(s).

Lemma 7. A(Pi, Pj, Pk)-authenticated valuesdoes not leak information toPk.

Proof. The verification tagzis statistically independent of the values. ut

Lemma 8. Letsbe(Pi, Pj, Pk)-authenticated, i.e.(s, y, z, αi,k)is1-consistent. Then forPjbeing able to find an authentication tagy0for a values06=ssuch that(s0, y0, z, αi,k)is1-consistent is equivalent to findingαi,k.

Proof. If both(s, y, z, αi,k)and(s0, y0, z, αi,k)are1-consistent, then also(s−s0, y−
y0,0, αi,k)is1-consistent. The corresponding polynomial of degree1is not parallel to
thex-axis, ass−s0_{6}_{= 0. Thus it has an unique root at}_{α}

i,k= s−s

0

s−s0_{−}_{y}_{+}_{y}0.

Lemma 9. The playersPjandPkcan locally compute an authentication and a verifi-cation tag of any linear combination of(Pi, Pj, Pk)-authenticated values (for fixedPi). This is called the linearity of the authentication.

Proof. Letsaandsb be(Pi, Pj, Pk)-authenticated with authentication tagsya, yband verification tagsza, zb and the (fixed) pointαi,k and let Lbe a linear function. Then L(sa, sb)is(Pi, Pj, Pk)-authenticated with authentication tagy =L(ya, yb)and ver-ification tagz =L(za, zb). This works as the polynomials of degree1overFform a vector space, hence(L(sa, sb), L(ya, yb), L(za, zb), αi,k)is1-consistent. ut Letsbe a value known toPjandPk. Then these players can use the protocolDefault Authenticate to(Pi, Pj, Pk)-authenticate s without communication for arbitrary Pi. Note thatPidoes not play an (active) role in this protocol.

ProtocolDefaultAuthenticate(Pi, Pj, Pk, s)

0: Pj, Pktake the valuesas input.

Lemma 10. If the valuesis known to the honest players in{Pj, Pk}protocolDefault Authenticate(Pi, Pj, Pk, s)securely(Pi, Pj, Pk)-authenticatesswithout any commu-nication.

Proof. Correctness:(s, s, s, αi,k)is1-consistent for anyαi,k.Privacy/Communication:

No communication occurs. ut

The non-robust protocol Authenticateallows to securely (Pi, Pj, Pk)-authenticate a (secret) values.

ProtocolAuthenticate(Pi, Pj, Pk, s)

0: PiandPjtake the valuesas input.

1: Pichooses random values(y, z)∈ Fsuch that(s, y, z, αi,k)is1-consistent and random values (s0, y0, z0) ∈ Fsuch that(s0, y0, z0, αi,k)is1-consistent and sends(s0, y, y0)toPjand(z, z0)toPk

2: Pkbroadcasts randomr∈F.

3: Pibroadcastss00=rs+s0andy00=ry+y0.

4: Pj checks ifs00 = rs+s0 andy00 = ry+y0 and broadcast OKor NOK accordingly. IfNOKwas broadcast the protocol is aborted.

5: Pkchecks if(s00, y00, rz+z0, αi,k)is1-consistent. If yesPksendsOKtoPj otherwise he sends(αi,k, z)toPj, who adjustsy such that(s, y, z, αi,k)is 1-consistent.

6: PjoutputsyandPkoutputsz.

Lemma 11. If Pk is honest and sis known to the honest players in {Pi, Pj}. Then
Authenticate(Pi, Pj, Pk, s)either securely(Pi, Pj, Pk)-authenticatessor aborts
ex-cept with error probability of at most _{|}1

F|. In the case of an abort a player in{Pi, Pj} is corrupted. The protocol communicates at most7 log|F|bits and broadcasts at most 3 log|F|+ 1bits.

Proof. Correctness:If the protocol was aborted, eithers00 _{6}_{=}_{rs}_{+}_{s}0_{or}_{y}00_{6}_{=}_{ry}_{+}_{y}0
meaning Pi is corrupted, orPj misleadingly accusedPi. Otherwise, the players use
some (s, y, z, αi,k) as authentication of s. The probability that (s, y, z, αi,k) is not
1-consistent is|_{F}|−1, as for a fixed r there is exactly one way to choosey, z such
that the inconsistency is not detected.Privacy:The verification tagz, the valuess00and
y00are statistically independent of the values. Alsoαi,k is sent only toPj if eitherPi
orPkis malicious.Communication:Seen by counting the number of messages sent or

broadcast during the protocol. ut

Remark 1. If the (honest) playersPiandPj do not know the samesthe protocol will abort as well.

ProtocolVerify(Pi, Pj, Pk, s0, Ai,j,k(s))

0: LetAi,j,k(s) = (y, z, αi,k).Pjtakesyas input andPktakess0, zas input. 1: PjsendsytoPk

2: Pkoutputss0if(s0, y, z, αi,k)is1-consistent otherwise⊥.

Lemma 12. Assumes is (Pi, Pj, Pk)-authenticated and let Pk be an honest player
knowings0. IfPj is honest ands0 =s,Pk will outputsinVerify. OtherwisePk will
output⊥orsexcept with error probability of at most_{|} 1

F|−2. The protocol communicates at mostlog|F|bits.

Proof. Correctness:LetPkbe an honest player,letAi,j,k(s) = (y, z, αi,k)be consistent
withs, i.e.(s, y, z, αi,k)is1-consistent and assume thats0 =s. IfPj sends the right
y the vector(s0, y, z, αi,k)is1-consistent andPk will outputs. OtherwisePk always
outputs⊥. So assumes0 6= s. Then the probability of findingy0 such that the vector
(s0, y0, z, αi,k) is1-consistent is at most _{|}_{F}_{|−2}1 , thusPk outputs⊥except with error
probability of at most _{|} 1

F|−2.Privacy/Communication:No information exceptyis sent.

u t

4.2 Unconditional Secret Sharing

Starting from the secret sharing of Section 3.1 we construct a sharing scheme for the

Q2_{case using the information-checking scheme of the previous section.}

Definition 3. A valuesissharedwith respect to the sharing specification_{S}= (S1, . . . ,
Sh), if the following holds:

a) There exist sharess1, . . . , shsuch thats=Phq=1sq b) Eachsqis known to every (honest) player inSq c) ∀Pi, Pj∈Sq Pk ∈ Psq is(Pi, Pj, Pk)-authenticated.

We denote the sharing of a valuesby[s]. Let[s]q = (sq,{Ai,j,k(sq)}), wheresq is theq-th share and{Ai,j,k(sq)}the set of all associated authentications. As the perfect sharing from Section 3.1 this sharing is linear and does not leak information to the adversary (for aZ-privateS).

The following protocol allows a dealerPDto securely share a secret values.

ProtocolShare(P,Z,_{S}, PD, s)

0: The dealerPDtakessas input.

1: PDsplitssinto random sharess1, . . . , s|S|subject tos= P|S|

q=1sq.
2: for allq∈ {1, . . . ,|_{S}|} do

3: PDsends sharesqto every player inSq.

4: ∀Pi, Pj∈Sq and∀Pk∈ PinvokeAuthenticate(Pi, Pj, Pk, sq). If (for fixedq) anyAuthenticate(Pi, Pj, Pk, sq)was aborted PDbroadcastssq, the players inSqreplace there share and

DefaultAuthenticate(Pi, Pj, Pk, sq)is invoked∀Pi, Pj ∈Sq∀Pk ∈ P. 5: end for

Lemma 13. For any adversary structureZthe protocolShare(P,Z,_{S}, PD, s)securely
computes a sharing [s0] except with error probability of at most _{|}1

F|n
3_{|}

S|and ifPD is honest s0 = s. The protocol communicates at most |S|(7n3+n) log|F|bits and broadcasts at most|S|((3n3+ 1) log|F|+n3)bits.

Proof. Correctness:Assume thatPDdoes not send the same value to the (honest)
play-ers inSq (Step 3). In this case at least one invocation ofAuthenticatewill abort (see
Remark 1) and PD must broadcast the value. Otherwise all (honest) player use the
same value sq in Step 3. We have to show that every (honest) Pj gets his
authenti-cationsAi,j,k(sq). If all instances ofAuthenticatedo not abort the statement follows
from Lemma 11. Otherwisesq is broadcast and the players useDefaultAuthenticate
resulting in the proper sharing state (c.f. Lemma 10). Note that a single invocation of
Authenticatehas an error probability of at most _{|}1

F|, so the above upper bound on the error probability follows.Privacy:We only have to check that broadcastingsq in Step 4 does not violate privacy. Butsqis only broadcast when at least oneAuthenticatewas aborted. In this case eitherPDor a player inSq is malicious, hencesq is known to the adversary before the broadcast (Lemma 11 and Remark 1).Communication:Follows directly by counting the numbers of messages sent or broadcast (c.f. Lemmas 11 and

10) ut

If a value is publicly known the player can useDefaultShareto obtain a sharing of it.

ProtocolDefaultShare(P,Z,S, s) 0: Every player takessas input.

1: The shares1is set tosand all other shares are set to0.

2: DefaultAuthenticate(Pi, Pj, Pk, sq)is invoked∀Sq∀Pi, Pj∈Sq∀Pk∈ P. 3: The players inP collectively output[s].

Lemma 14. DefaultShare(P,Z,S, s)securely computes a sharing[s]ofs. The proto-col does not communicate.

Proof. The statement follows from Lemmas 2 and 10. ut

The protocol ReconstructShareallows reconstruction of a share from some sharing [s] to players inR ⊆ P. Hence the players can reconstruct s by invoking protocol ReconstructSharefor each share of[s].

ProtocolReconstructShare(P,Z,_{S},[s]q, R)

0: The players inSq take collectively[s]q = (sq,{Ai,j,k(sq)})as input. 1: Every playerPjinSq sendssqto every player inR.

2: for allPj∈Sq, Pk ∈Rdo 3: InvokeVerify(Pi, Pj, Pk, s

(j)

q , Ai,j,k(sq))∀Pi∈Sq wheres (j) q is the value received byPkfromPjin Step 1. IfPkoutputs

(j)

q in each invocation he acccepts it as value forsq.

4: end for

Lemma 15. AssumeSq and Z satisfy Q1(Sq,Z)and let[s]q be a consistent share.
Every honest player inRoutputssqinReconstructShareexcept with error probability
of at most _{|} 1

F|−2n|Sq|. The protocol communicates at most(n

3_{+}_{n}2_{) log}_{|}

F|bits and does not broadcast.

Proof. Correctness: AsSq andZ satisfy Q1(Sq,Z)there exists at least one honest
playerPjinSq, who sends the right valuesqtoPk∈Rin Step 1. Hence every (honest)
Pkwill acceptsq in Step 3 fromPj, asPjhas a valid authentication forsqfrom every
player inSq (c.f. Lemma 12). On the other hand a malicious player does not have a
valid authentication fors0_{q} 6=sq from every player inSq (one of them is honest!). So
no honest player will accepts0_{q} 6=sq in Step 3 and thusPk outputsq in the last step
except with error probability of at most_{|} 1

F|−2|Sq|(c.f. Lemma 12). As there are at most n players in R the overall error probability follows.Privacy: Follows from Lemma 12.Communication:Follows directly by counting the numbers of messages sent (c.f.

Lemma 12) ut

ProtocolReconstruct(P,Z,S,[s], R)

0: The players inP take collectively[s]as input. 1: for allq= 1, . . . ,|S| do

2: ReconstructShare(P,Z,_{S},[s]q, R)is invoked.
3: end for

4: The players locally sum up the shares to obtain and outputs.

Lemma 16. Assume S andZ satisfyQ1(S,Z)and let [s]be a sharing of the value
s. Every honest player inRoutputssinReconstructexcept with error probability of
at most _{|} 1

F|−2n
2_{|}

S|. The protocol communicates at most|S|(n3+n2) log|F|bits and does not broadcast.

Proof. The statement follows directly from Lemma 15, as the players invoke the

proto-colReconstructSharefor each share. ut

4.3 Multiplication

ProtocolBasicMult(P,Z,S,[a],[b], M)

0: The players inP take collectively[a],[b]andMas input.

1: ∀Sq :Sq∩M =6 ∅invokeReconstructShareto reconstructaq andbq.
2: _{a}_{) Each player}_{P}_{i} _{∈ P \}_{M} _{(locally) computes his designated products and}

shares the sumci=P(p,q)∈I(i)apbq.

b) For each Pi ∈ M DefaultShare(P,Z,S, ci) is invoked where ci = P

(p,q)∈I(i)apbq.

3: The players collectively output([c1], . . . ,[cn])and[c] =Pn_{i}_{=1}[ci].

Lemma 17. LetM ⊆Z∗be a set of (identified) malicious players and assume thatZ

andSsatisfyQ1(S,Z). ThenBasicMult(P,Z,S,[a],[b], M)securely computes
shar-ings[c],([c1], . . . ,[cn])except with error probability ofO(_{|}1_{F}_{|}n4|S|). If no player in

P \M actively cheats, then∀i ci =P(p,q)∈IZ(i)apbq andc=ab. The protocol

com-municates at mostO(|S|n4log|F|)bits and broadcasts at mostO(|S|n4log|F|)bits.

Proof. Correctness: The properties of the sharing protocol guarantee that the outputs
are valid sharings except with error probability ofO(_{|}1

F|n
4_{|}

S|). TheQ1(S,Z)property
allows the players to securely reconstruct shares and grants that there exists a proper
assignment of players in P to the local products. If none of the players in P \M
cheated, it holds for eachPithatci=P_{(}_{p,q}_{)∈}_{I}_{Z}_{(}_{i}_{)}apbq(for players inMDefaultShare
is used on reconstructed values). Privacy: All reconstructed sharesaq,bq are known to
players inM. Complexity: Follow directly from the properties of the sharing scheme

(c.f. Lemmas 13, 14 and 15). ut

Detectable Random Triple Generation The following unconditionally secure
proto-col takes a setM of malicious players as an additional input and computes a random
multiplication triple([a],[b],[c])wherec =abgiven that no player inP \M actively
cheats. Otherwise it outputs a set of malicious playersM0such thatM (M0. This
pro-tocol uses a probabilistic check to detect cheating. First the players generate a shared
random challenge[r]and a blinding[b0]. Then they useBasicMultto compute the
shar-ings[c] = [a][b],[c0_{] = [a][b}0_{]}_{and check whether}_{[a](r[b] + [b}0_{]) = (r[c] + [c}0_{]). If this}
is the case the multiplication triple([a],[b],[c])is output. Otherwise the players identify
(at least) one cheater inP \M by reconstructing[a],[b],[b0],[c],[c0].

Lemma 18. If SandZ satisfyQ1(S,Z)andM ⊆Z∗, the protocolRandomTriple
outputs either a random multiplication triple([a],[b],[c])or setM0 ⊆Z∗whereM (
M0except with error probability ofO(_{|}1

F||S|n
4_{) +} 1

|F|. No information is leaked to the adversary.RandomTriplecommunicates at mostO(|S|n4log|F|)bits and broadcasts at mostO(|S|n4log|F|)bits.

Proof. Correctness:In Step 2, the players compute[c]and[c0]. Given that no player in

P \M actively cheated it holds thatc=abandc0=ab0. In this case[a](r[b] + [b0])−

[c0]is non-zero except for at most onerand the players go to Step 5 with probability at least(1− 1

|F|)(assuming that no errors happen in sharing and reconstruction of values). For at least one playerPi ∈ P \M it must hold thatrci+c0i6=

P

(p,q)∈I(i)r(apbq) + (apb0q). By opening all involved sharing it is easy to find these players. Thus it holds thatM ( M0 andM0 ⊆ Z∗. The overall error probability is composed of the error probability of the sharing scheme and the one of the random challenge check in Step 3.Privacy:Neither the protocolBasicMultnor the sharing scheme do violate privacy (c.f. Lemma 17). The valueseis statistically independent of([a],[b],[c]), asb0 acts as blinding. If no cheating occurred the valuedis always zero. If Step 5 is invoked, the reconstructed values are not used, and privacy is met.Communication:Follows from counting the number of messages sent (c.f. Lemmas 13, 16 and 17). ut

ProtocolRandomTriple(P,Z,_{S}, M)

0: The players take the setM ⊆ Pas input.

1: The players generate random shared values [a],[b],[b0],[r] by summing up shared random values (one from each player) for each value.

2: InvokeBasicMult(P,Z,S,[a],[b], M)to compute the sharing[c]and the
vec-tor([c1], . . . ,[cn])and invokeBasicMult(P,Z,S,[a],[b0], M)to compute the
sharing[c0]and the vector([c0_{1}], . . . ,[c0_{n}]).

3: Reconstruct[r]and (locally) compute[e] = r[b] + [b0]and reconstruct it to obtaine. Then[d] =e[a]−r[c]−[c0]is computed (locally) and reconstructed. 4: If the valuedis zero the players output([a],[b],[c]).

5: Otherwise reconstruct the sharings[a],[b],[b0],[c1], . . . ,[cn],[c01],. . .,[c0n]. The players outputM0=M∪{Pi:rci+c0i6=

P

(p,q)∈I(i)r(apbq)+(apb0q)}.

Multiplication with Circuit Randomization The actual multiplication is based on circuit randomization [Bea91b]. It allows players to compute the product[xy]of two shared values[x]and[y]at the cost of two reconstructions given a random multiplica-tion triple([a],[b],[c]), whereab=c. The trick is to use thatxy= ((x−a) +a)((y−

b) +b). By reconstructingd =x−aande =y−bthe players can compute[xy]as de+d[b] + [a]e+ [c]. This does not violate the secrecy of[x]or[y]as the random values [a]and[b]act as blinding.

ProtocolMultiplication(P,Z,S,[x],[y])

0: The players inP take collectively[x],[y]as input and setM ..=∅.

1: InvokeRandomTriple(P,Z,S, M). If the protocol outputs a setM0, setM ← M0and repeat Step 1. Otherwise use the output as random multiplication triple ([a],[b],[c]).

Lemma 19. Multiplication(P,Z,_{S},[x],[y])is an unconditional secure multiplication
protocol given that SandZ satisfyQ1(S,Z). The protocol has an error probability
ofO(_{|}1

F||S|n

5_{)}_{, communicates at most}_{O}_{(}_{|}

S|n5log|F|)bits and broadcasts at most

O(|S|n5log|F|)bits.

Proof. Correctness:Assume thatRandomTriplein Step 1 outputs a setM0, then we have thatM ( M0 ⊆ P. Hence this step is repeated less thenntimes and results in a random multiplication triple([a],[b],[c])(c.f. Lemma 18). The rest of the protocol is just the multiplication from [Bea91b].Privacy:Follows from [Bea91b] and Lemma 18. Communication:Follows from counting the number of messages sent (c.f. Lemmas 16

and 18). ut

4.4 Unconditional MPC Protocol

The combination ofShare,ReconstructandMultiplicationdirectly gives the following unconditionally secure MPC protocol.

ProtocolMPC(P,Z,C)

0: The players take_{S}..={P \Z|Z∈ Z}as sharing specification.
1: For every gate ofCbeing evaluated do the following:

- Input gate forPD:Share(P,Z,S, PD, s)is invoked to shares

- Linear gate:The linear combination of the corresponding shares is com-puted locally using the linearity of the sharing.

- Random gate:Each player shares a random value. The sum of these values is used as output of the gate.

- Multiplication gate:Multiplication(P,Z,S,[x],[y])is used to multiply [x]and[y].

- Output gate:The players invoke Reconstruct(P,Z,_{S},[s], R)to
recon-structsfor players inR.

Theorem 2. Let C be a circuit overF, where |F| ∈ Ω(2κ)and κis a security
pa-rameter, and letZbe an adversary structure satisfyingQ2_{(}_{P}_{,}_{Z}_{)}_{, then}_{MPC}_{(}_{P}_{,}_{Z}_{,}_{C}_{)}

Z-securely evaluatesCwith an error probability of2−κ_{|C| |Z|·}_{Poly(n, κ)}_{. It }
communi-cates|C| |Z|·Poly(n, κ)bits and broadcasts|C| |Z|·Poly(n, κ)bits withinPoly(n, κ)·d
rounds, whereddenotes the multiplicative depth ofC.

Proof. It is easy to see thatS ..={P \Z|Z ∈ Z}is a sharing specification satisfying

Q1_{(}

S,Z). Hence by the properties of the sharing scheme and Lemma 19 correctness and the bound on the error probability follow. The claimed communication and broad-cast complexity follow directly from the used subprotocols. Inspection of the subproto-cols also shows that it is possible to evaluate gates on the same multiplicative depth of Cin parallel. As each subprotocol only requiresPoly(n, κ)rounds, the total number of

Note that broadcast can be (unconditionally secure) simulated using the protocol from
[PW96], which communicatesPoly(n, κ)bits in order to broadcast one bit (with error
probability ofO(2−κ_{)). This results in an MPC protocol with the same efficiency and}
error probability as stated in Theorem 2.

The error probability of the presented protocol grows linearly in the size of the adver-sary structureZ. As|Z|is typically exponential inn, the security parameterκmust be chosen accordingly (such that|Z| ∈Poly(κ)). This results in a huge security parameter and therefore in inefficient protocols. We therefore provide an extension of the previous protocol in which the error probability only depends onlog|Z|, and hence a reasonably large security parameterκis sufficient.

### 5

### Unconditional Protocol for Superpolynomial

### |Z|

The protocol from the previous section has an error probability linear in|Z|, which is problematic for large adversary structuresZ. In this section, we present modifications to the protocol that reduce the dependency tolog|Z|, which is inPoly(n).

The reason for the error probability being dependent on |Z| is twofold: Firstly, the
protocol requiresΩ(|Z|)probabilistic checks, in each of them a cheating party might
remain undetected with probability2−κ_{. Secondly, the protocol requires}_{Ω(}_{|Z|}_{)}_{}
broad-casts, each of them having a small probability of failure.

5.1 Information Checking

In each invocation ofAuthenticate/Verify, a cheating attempt of a malicious player
Piis not detected with probability ofO(_{|}1_{F}_{|})(c.f. Section 4.1). As these protocols are
invokedΘ(|Z|)times per sharing, the resulting error probability depends linearly on

|Z|. To avoid this we use local dispute control to deal with detected cheaters.

More formally, each playerPklocally maintains a listLkof players whom he distrusts. At the beginning of theMPCprotocol these lists are empty. ProtocolAuthenticateis modified, such thatPjputsPion his listLjif the check in Step 4 fails. OncePi∈ Lj, Pj behaves in all future invocations of the protocol as if the check in Step 4 failed independently whether this is the case or not. SimilarlyPkputsPion his listLk if the check in Step 5 fails. As soon asPi∈ Lk,Pkbehaves in Step 5 as if the corresponding check failed. Furthermore, in protocolVerify,Pk putsPj on his listLk if the check in Step 2 failed. AgainPk behaves for allPj ∈ Lk as if the check failed independently whether this is the case or not.

In both protocols the adversary has a chance ofO(_{|}1

F|)to cheat successfully, but if he fails (with probabilityΩ(1− 1

|F|)) one corrupted playerPi is put on the listLk of an
honest playerPk. From then onPiis never able to cheat in instances of both protocols
whenPktakes part (in the right position). This means that the adversary actually has at
mostn2_{attempts to cheat. Hence total error probability of arbitrary many instances of}
VerifyandAuthenticateis at mostO(_{|}1

F|n

2_{)}_{and no longer depends on}_{Z}_{.}

Pk) the consistency check failsPk must assume that all other parallel checks failed. Analogous modifications are made inVerifyandMultiplication.

Lemma 20. The modifiedAuthenticateandVerifyprotocols have a total error proba-bility ofO( 1

|F|n

2_{)}_{independent of the number of invocations.}

5.2 Broadcast

Although broadcast is only needed inShare, the total number of broadcast calls is in Θ(|Z|). If [PW96] is used, the resulting overall error probability depends linearly on

|Z|. To avoid this problem, the number of broadcast calls must be reduced.

To reach this goal we use the fact that theShareprotocol only has constantly many rounds. In each round a player PS must broadcast Θ(|Z|) many messages of size

O(log|_{F}|). Instead of broadcasting these messages in parallel,PS sends their
concate-nation to the other players, who then check that they received the same message. If an
inconsistency is detected the protocol is repeated. To limit the number of repetitions we
use the concept of dispute control from [BH06] which prevents the malicious players
from repetitive cheating. Dispute control is realized by a publicly knowndispute set
Γ ⊆ P × P, a set of unordered pairs of players. If{Pi, Pj} ∈Γ it means that there is
a dispute betweenPiandPjand thus at least one of them is corrupted. Note that from
Pi’s view all player in{Pj|{Pi, Pj} ∈ Γ} are malicious and thus he no longer trust
them. At the beginning of theMPCprotocolΓ is empty.

ProtocolOptimisticBroadcast(P,Z, PS, m)

0: The playerPStakesm∈ {0,1}was input. 1: ∀{Pi, PS} 6∈Γ PSsendsmasmitoPi. 2: ∀{Pi, Pj} 6∈Γ PisendsmiasmijtoPj.

3: ∀Pi if all received values are the same Pi is happy, otherwise unhappy. Pi broadcasts using [PW96] his happy bit.

4: If all players are happy, eachPioutputs the value he holds.

Otherwise, an unhappy playerPi(e.g. the one with the smallest index)
broad-castsj, j0, z, bwheremji differs frommj0_{i}at bit-position zandb is the bit

of mjiat positionz. ThenPS, Pj, Pj0 broadcast their versions of the bit at

positionz. Using this information the players localize a dispute between two players of{Pi, PS, Pj, Pj0}. Then the protocol is repeated with updatedΓ.

Lemma 21. The protocolOptimisticBroadcast(P,Z, PS, m)achieves the broadcast
of a messagem0∈ {0,1}w_{. The protocol communicates at most}_{w}_{·}_{Poly(n, κ)}_{bits and}
broadcasts at mostlogw·Poly(n, κ).

the honest players will find at least one dispute. The protocol will terminate, as the number of repetition is limited byn(n−1). As the broadcast ofzrequireslogwbits, the communication and broadcast complexities follow. ut

For a message of lengthΘ(|Z|)the above protocol only needs to broadcastlog|Z| ·

Poly(n, κ)bits, hence the total number of broadcast calls per invocation ofShareis reduced tolog|Z| ·Poly(n, κ).

Lemma 22. The modifiedShareprotocol communicates|C| |Z| ·Poly(n, κ)bits and broadcasts|C|log|Z| ·Poly(n, κ)bits.

5.3 Summary

The combination of the above extension results in the following Lemma:

Lemma 23. LetCbe a circuit overF, where|F| ∈Ω(2κ)andκis a security parameter,
and let Z be an adversary structure satisfyingQ2_{(}_{P}_{,}_{Z}_{)}_{, then the modified protocol}
MPC(P,Z,C)Z-securely evaluatesCwith an error probability of2−κ_{|C| ·}_{Poly(n, κ)}_{.}
It communicates|C| |Z| ·Poly(n, κ)bits and broadcasts |C|log|Z| ·Poly(n, κ)bits.
The number of rounds isPoly(n, κ)·d, whereddenotes the multiplicative depth ofC.

Proof. Follows directly from Theorem 2 and Lemmas 20 and 22. ut

By replacing broadcast with the simulated one from [PW96], one gets for|Z| ∈ O(2n_{)}
and|C| ∈Poly(κ)the following theorem.

Theorem 3. Let C be a circuit over F, where |F| ∈ Ω(2κ)and κis a security
pa-rameter, and letZbe an adversary structure satisfyingQ2_{(}_{P}_{,}_{Z}_{)}_{, then}_{MPC}_{(}_{P}_{,}_{Z}_{,}_{C}_{)}

Z-securely evaluatesCwith an error probability of2−κ_{·}_{Poly(n, κ)}_{. It communicates}

|Z| ·Poly(n, κ)bits.

### 6

### Lower Bound on the Efficiency

The following theorem states that there exists a family of circuits and Q2 _{adversary}
structures such that the length of unconditionally secure protocols tolerating these
ad-versaries grows exponentially in the number of players. This implies that the
computa-tional complexity of our protocol from the previous section is optimal, as there exists
no protocol with a computational complexity in o(|Z|).

Theorem 4. [Hir01] LetCbe the circuit which takes inputs fromP1andP2and outputs
the product toP1. Then there exists a familyZ2,Z3, . . . ofQ2_{adversary structures for}
player setsP2,P3, . . . (|Pn| =n) such that the length of the shortest unconditionally

### References

[Bea91a] D. Beaver. Secure multiparty protocols and zero-knowledge proof systems tolerat-ing a faulty minority.Journal of Cryptology, 4(2):75–122, 1991.

[Bea91b] Donald Beaver. Efficient multiparty protocols using circuit randomization. In

CRYPTO, pages 420–432. Springer-Verlag, 1991.

[BFH+08] Zuzana Beerliova-Trubiniova, Matthias Fitzi, Martin Hirt, Ueli Maurer, and Vassilis Zikas. MPC vs. SFE: Perfect security in a unified corruption model. InTCC, volume 4948 ofLNCS, pages 231–250. Springer-Verlag, March 2008.

[BGW88] M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. InSTOC, pages 1–10. ACM, 1988.

[BH06] Zuzana Beerliova-Trubiniova and Martin Hirt. Efficient multi-party computation with dispute control. InTCC, volume 3876 ofLNCS, pages 305–328. Springer-Verlag, March 2006.

[CCD88] D. Chaum, C. Cr´epeau, and I. Damgard. Multiparty unconditionally secure proto-cols. InSTOC, pages 11–19. ACM, 1988.

[CDD+99] Ronald Cramer, Ivan Damgrd, Stefan Dziembowski, Martin Hirt, and Tal Rabin. Efficient multiparty computations secure against an adaptive adversary, 1999. [FM98] Matthias Fitzi and Ueli Maurer. Efficient byzantine agreement secure against

gen-eral adversaries. InDISC, volume 1499 ofLNCS, pages 134–148. Springer-Verlag, September 1998.

[GMW87] S. Goldwasser, S. Micali, and A. Wigderson. How to play any mental game, or a completeness theorem for protocols with an honest majority. InSTOC, volume 87, pages 218–229, 1987.

[Hir01] Martin Hirt. Multi-Party Computation: Efficient Protocols, General Adversaries, and Voting. PhD thesis, ETH Zurich, September 2001. Reprint as vol. 3 ofETH Series in Information Security and Cryptography, ISBN 3-89649-747-2, Hartung-Gorre Verlag, Konstanz, 2001.

[HM97] Martin Hirt and Ueli Maurer. Complete characterization of adversaries tolerable in secure multi-party computation. InPODC, pages 25–34, August 1997.

[HM00] Martin Hirt and Ueli Maurer. Player simulation and general adversary structures in perfect multiparty computation. Journal of Cryptology, 13(1):31–60, April 2000. Extended abstract inProc. 16th of ACM PODC ’97.

[HMZ08] Martin Hirt, Ueli Maurer, and Vassilis Zikas. MPC vs. SFE: Unconditional and computational security. In ASIACRYPT, volume 5350 of LNCS, pages 1–18. Springer-Verlag, December 2008.

[Mau02] Ueli Maurer. Secure multi-party computation made simple. InSCN, volume 2576 ofLNCS, pages 14–28. Springer-Verlag, September 2002.

[PSR03] B. Prabhu, K. Srinathan, and C. Pandu Rangan. Trading players for efficiency in unconditional multiparty computation. InSCN, pages 342–353. Springer-Verlag, 2003.

[PW96] Birgit Pfitzmann and Michael Waidner. Information-theoretic pseudosignatures and byzantine agreement for t≥n/3. InResearch report. IBM Research, 1996. [RB89] T. Rabin and M. Ben-Or. Verifiable secret sharing and multiparty protocols with

honest majority. InSTOC, pages 73–85. ACM, 1989.