Efficient Perfectly Secure Computation with Optimal Resilience
Saved in:
Published in: | Journal of cryptology 2022-10, Vol.35 (4), Article 27 |
---|---|
Main authors: | , , |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |
Summary: | Secure computation enables $n$ mutually distrustful parties to compute a function over their private inputs jointly. In 1988, Ben-Or, Goldwasser, and Wigderson (BGW) proved that any function can be computed with perfect security in the presence of a malicious adversary corrupting at most $t < n/3$ parties. After more than 30 years, protocols with perfect malicious security, and round complexity proportional to the circuit's depth, still require (verifiably) sharing a total of $O(n^2)$ values per multiplication. In contrast, only $O(n)$ values need to be shared per multiplication to achieve semi-honest security. Sharing $\Omega(n)$ values for a single multiplication seems to be the natural barrier for polynomial secret-sharing-based multiplication. In this paper, we construct a new secure computation protocol with perfect, optimal resilience and malicious security that incurs (verifiably) sharing $O(n)$ values per multiplication. Our protocol requires a constant number of rounds per multiplication. Like BGW, it has an overall round complexity that is proportional only to the multiplicative depth of the circuit. Our improvement is obtained by a novel construction for *weak VSS for polynomials of degree $2t$*, which incurs the same communication and round complexities as the state-of-the-art constructions for *VSS for polynomials of degree $t$*. Our second contribution is a method for reducing the communication complexity for any depth-1 sub-circuit to be proportional only to the size of the input and output (rather than the size of the circuit). This implies protocols with *sub-linear communication complexity* (in the size of the circuit) for perfectly secure computation for important functions like matrix multiplication. |
---|---|
ISSN: | 0933-2790 1432-1378 |
DOI: | 10.1007/s00145-022-09434-2 |