On the Power of Hybrid Networks in Multi-Party Computation Divya Ravi Advisor: Dr Arpita Patra Indian Institute of Science

Outline Introduction to Secure Multi-party Computation Verifiable Secret Sharing Types of Network Our Results in hybrid network Feasibility results

Secure Multi-Party Computation (MPC) x1 Parties with private inputs Goal : Compute joint function f(x1, x2, x3, x4 ) Mutual Distrust Adversary corrupts t out of n parties Properties Correctness Privacy x4 x2 x3

Verifiable Secret Sharing (VSS) Dealer s - Privacy: Dealer input secret from adversary - Commitment : unique secret defined at end of sharing is reconstructed s1 s2 s3 Reconstruction - Correctness: unique secret is honest dealer’s input Secret s

Types of Network Synchronous Asynchronous Delay bounded by known constant Convenient : Divide protocol into rounds Arbitrary yet finite delay Realistic Does not know how long to wait for Knows exactly how long to wait for Cheater Identified! Is he cheating or slow?

Challenge in Asynchronous Network n parties, t corrupt Cannot afford to wait for all : may lead to endless waiting Can wait for only (n – t) messages Might ignore t honest parties! . Drawbacks: No input provision in MPC. VSS: May not terminate when Dealer corrupt. Low Fault-Tolerance

Bridging the fault-tolerance gap (perfect security) Hybrid Network Synchronous Asynchronous Few synchronous rounds followed by asynchronous 1 Round n >= 3t + 1 n >= 4t + 1 Sufficient for VSS  Impossible for MPC! Necessary: 2; Sufficient: 3 rounds

Our Results Setting : Information-theoretic ; n >= 3t + 1 Goal : Bridge the synchronous v/s asynchronous gap Means: Hybrid Network - few synchronous rounds in beginning [1] Arpita Patra, Divya Ravi “On the power of Hybrid Network in Multi-party Computation”, IEEE Transactions on Information Theory 2018 Minimum number of synchronous Rounds : Improve fault tolerance from t < n/4 to t < n/3? Minimum number of synchronous Rounds : Achieve properties of SVSS / SMPC in hybrid network? AVSS Necessary One [Trivial] Sufficient One AMPC Two Three SVSS Necessary Sufficient Three [GIKR02] SMPC Three Three Three

Impossibility of perfect AMPC with n >= 3t + 1 for hybrid network with one synchronous round n = 4, t = 1 f( *, x2, x3, *) = x2 ∧ x3 Protocol  (x2, x3 ) P1 blocks P4’s messages in asynchronous phase. P1 P4 P2, P3 wait only for (n – t) = (4 – 1) = 3 parties  (1,0)  (0,1)  (1,1) Transcript T(x2, x3) independent of x2 and x3 T(0,1) = T(1,0) = T(1,1) P2 P3 P4’s round 1 messages independent View as in (1,0) View as in (0,1) P2 and P2 output 0. Correctness Fails!

Impossibility of SVSS : 2 synchronous rounds in hybrid network (x, r1) P1 P2 (r2) P1 P2 (r2) (y, r1) (x) (y) P3 (r4) P4 (r3) (r4) P4 P3 (r3) (y) P2 (y, r1) P1 P2 P1 * (r2) P1 (x) (r2) (x, r1) There must exist (r1, r2, r4) such that P3’s view is the same in (x) and (y) P2* (x) (y) (x) (y) (y) (x) (x) P4 P4 P4 * P3 (r3) (r4) P3 (r3) (r4) P3 (r3) (y) E1(x) E2(y) E3(*) P4’s view in E1, E3 is same P2’s view in E2, E3 is same P3’s view in E1, E2 E3 is same {P2, P3, P4} participate in reconstruction with same views across all !

Upper bounds AVSS with t < n/3 : single synchronous round in hybrid network New primitive “Asynchronous Weak Polynomial Sharing” Uses no broadcast, efficient Property of 2d-sharing, useful to design MPC SMPC with t < n/3 : three synchronous rounds in hybrid network Uses 3-round existing SVSS protocol [KKK08] Builds upon the framework of [CHP13] [KKK08] J. Katz, C.-Y. Koo, and R. Kumaresan, “Improving the round complexity of VSS in point-to-point networks,” ICALP 2008. [CHP13] A. Choudhury, M. Hirt, and A. Patra, “Asynchronous multiparty computation with linear communication complexity,” DISC 2013.

Thank You 

Impossibility of SVSS with 2 synchronous rounds n = 4, t = 1 . P1 is dealer (x) (y) (r1, r2, r3, r4) (r1, r2, r3, r4) R1 2→1 3→1 4→1 1→2 3→2 4→2 1→3 2→3 4→3 1→4 2→4 3→4 1→3 2→3 4→3 1→3 2→3 4→3 1→4 2→4 2→1 4→1 1→2 4→2 3 →1 3 →1 3 →2 3 →2 3→4 3→4 R2 Async There must exist (r1, r2, r4) such that P3’s view is the same in (x) and (y)

(x) (y) E3(*) P2* E2(y) P1* E1(x) R1 R1 R2 R2 Async Async P4* 2→1 3→1 4→1 1→2 3→2 4→2 1→3 2→3 4→3 1→4 2→4 3→4 R1 2→1 3→1 4→1 1→2 3→2 4→2 1→3 2→3 4→3 1→4 2→4 3→4 R2 R2 Async Async P2* E1(x) P4* E2(y) (r1, r2, r3, *) P1* E3(*) (r1, * , r3, r4) (*, r2, r3, r4) 3→1 4→1 2→1 1→2 3→2 4→2 1→3 4→3 1→4 3→ 4 1→2 3→2 1→3 2→3 2→1 3→1 4→1 1→2 2→3 4→3 1→4 2→4 3→4 1→3 2→1 3→1 2→4 3→4 1→4 2→3 3→2 4→2 2→4 4→1 4→2 4 →3

Gap between the two models Network Security Resilience CC Synchronous Perfect t < n/3 O(n) Statistical t < n/2 Cryptographic Asynchronous t < n/4 O(n2) O(n5) How to overcome this difference?