The Hidden Graph Model: Communication Locality and Optimal Resiliency with Adaptive Faults


Nishanth Chandran, Wutichai Chongchitmate, Juan A. Garay, Shafi Goldwasser, Rafail Ostrovsky, Vassilis Zikas

Abstract. Secure multi-party computation (MPC) has been thoroughly studied over the past decades. The vast majority of works assume a full communication pattern: every party exchanges messages with all the network participants over a complete network of point-to-point channels. This can be problematic in modern large scale networks, where the number of parties can be of the order of millions, as for example when computing on large distributed data. Motivated by the above observation, Boyle, Goldwasser, and Tessaro [TCC 2013] recently put forward the notion of communication locality, namely, the total number of point-to-point channels that each party uses in the protocol, as a quality metric of MPC protocols. They proved that assuming a public-key infrastructure (PKI) and a common reference string (CRS), an MPC protocol can be constructed for computing any n-party function, with communication locality O(log^c n) and round complexity O(log^{c'} n), for appropriate constants c and c'. Their protocol tolerates a static (i.e., non-adaptive) adversary corrupting up to t < (1/3 - ε)n parties for any given constant 0 < ε < 1/3. These results leave open the following questions: (1) Can we achieve low communication locality and round complexity while tolerating adaptive adversaries? (2) Can we achieve low communication locality with optimal resiliency t < n/2? In this work we answer both questions affirmatively. First, we consider the model from [TCC 2013], where we replace the CRS with a symmetric-key infrastructure (SKI). In this model we give a protocol with communication locality and round complexity polylog(n) (as in the [TCC 2013] work) which tolerates up to t < n/2 adaptive corruptions, under a standard intractability assumption for adaptively secure protocols, namely, the existence of enhanced trapdoor permutations and secure erasures.

This is done by using the SKI to derive a sequence of random hidden communication graphs among players. A central new technique then shows how to use these graphs to emulate a complete network in polylog(n) rounds while preserving the polylog(n) locality. Second, we show how we can even remove the SKI setup assumption at the cost, however, of increasing the communication locality (but not the round complexity) by a factor of √n.

This is the full version of [1], which also fixes an inconsistency. Concretely, we need to assume atomic erasures as part of our adaptive-adversary security model.

Affiliations: Nishanth Chandran, Microsoft Research, India, nichandr@microsoft.com. Wutichai Chongchitmate and Rafail Ostrovsky, UCLA, wutichai@math.ucla.edu, rafail@cs.ucla.edu. Juan A. Garay, Texas A&M University, garay@cse.tamu.edu; work done while the author was at Yahoo Labs. Shafi Goldwasser, MIT and The Weizmann Institute of Science, shafi@theory.csail.mit.edu. Vassilis Zikas, University of Edinburgh, vzikas@inf.ed.ac.uk; work done while the author was at ETH Zurich.

1 Introduction

Secure multi-party computation (MPC for short) allows a set of parties to securely compute any given function f on their private data. Following the seminal works in the area [45, 9, 3, 15], the systematic study of the problem over the last decades has led to great improvements regarding several efficiency measures, such as communication complexity (number of exchanged messages), round complexity, and computation complexity. Until recently, however, essentially all MPC results required all parties to communicate directly with each other over a complete network of point-to-point channels, or by having access to a broadcast channel. While this requirement may be harmless when the number of participants is small compared to the complexity of the function f, it is highly problematic in settings where the number of parties is a dominant factor (footnote 1).

Communication locality in MPC. Recently, Boyle, Goldwasser, and Tessaro [7], building on work by King et al. on Byzantine agreement [36, 37] (footnote 2), introduced a new efficiency metric called communication locality to address such settings. Informally, the communication locality of a protocol is the total number of different point-to-point channels that each party uses in the protocol. The protocols provided in [7] for the computation of any polynomial time function f achieve a communication locality of polylog(n) assuming a public-key infrastructure (PKI), a common reference string (CRS), and the existence of a semantically secure public-key encryption and existentially unforgeable signatures. An example of a scenario where the complexity of the function may be much smaller than the number of parties is when securely computing the output of a sublinear algorithm, which takes inputs from a small subset of q = o(n) of the parties. (Sublinear algorithms are particularly useful for computing statistics on large populations.)

By assuming, in addition to the PKI and semantically secure public-key encryption, the existence of a multi-signature scheme [4, 41], a (certifiable) fully homomorphic encryption (FHE) [8, 9], and simulation-sound adaptive non-interactive zero-knowledge (NIZK) [5, 3], the authors also obtain a protocol for computing sublinear functions, which communicates O((κ+) polylog(n))-bit messages (footnote 3) and terminates in polylog(n) + o(q) rounds. The solution of [7], however, has two major limitations: (1) It cannot tolerate an adaptive adversary who may choose the parties to corrupt on the fly during the protocol execution; it only tolerates a static adversary who decides on the faulty parties prior to the protocol execution. (2) It achieves a sub-optimal resiliency of t < (1/3 - ε)n corrupted parties, for any given constant 0 < ε < 1/3, whereas traditional MPC protocols in the computational setting (without the low communication locality requirement) can tolerate up to t < n/2 corruptions.

Our results. In this paper, we first show that by replacing the CRS with a slightly different setup assumption, namely, a symmetric-key infrastructure (SKI) [1] where every pair of participants shares a uniformly random key that is unknown to other participants, we can overcome both of the above limitations. Specifically, we construct adaptively secure MPC protocols with communication locality polylog(n) tolerating any t < n/2 corruptions. (As mentioned above, this is the optimal number of corruptions that can be tolerated, even in the complete communication setting without the extra requirement of communication locality [9, 16].) Looking ahead, we will show

Footnote 1: Interestingly, recent implementation results report remarkable performance of the state-of-the-art solutions for small instances of the problem such as three-party computation [6] or in a lab environment when broadcast is assumed for free (e.g., [4, 40, 17, 18, 19, 34]).

Footnote 2: [36, 37] in fact achieve almost-everywhere Byzantine agreement [], which does not guarantee that all honest players will receive an output (see "Other related work" below).

Footnote 3: κ is the security parameter.

how the SKI can be interpreted as a special type of random initial communication graph which dictates which pairs of players can send point-to-point messages to each other to start with. The graph is shared but hidden: each player will only know the restricted subset of polylog(n) players it can send messages to and receive messages from (footnote 4). Next, we show that we can remove the additional SKI assumption at the cost of increasing the communication locality by a factor of √n. Both of our constructions assume the existence of a family of enhanced trapdoor permutations. This is the weakest known general assumption which is sufficient for adaptively secure MPC over non-private channels assuming secure erasures [1, 6, 7].

We remark that in order to circumvent the shortcomings in [7] we need to develop new and quite different techniques, as the limitations to sub-optimal resiliency and non-adaptive adversaries seem to be inherent in their approach. This can be seen as follows. In [7], the parties elect input committees C_1, ..., C_n, as well as one supreme committee C, all of size polylog(n), in a way that ensures that (with high probability) at least a 2/3 fraction of the parties in each committee are honest. Each protocol message of party p_i is then secret-shared to committee C_i, which re-shares it to the parties of the supreme committee C. Subsequently, the members of C compute the output of the given function on the shared inputs and return it to the users (by sharing it to the input committees, which then reconstruct to their associated input parties). All sharings are private and robust so long as the adversary does not corrupt more than 1/3 of a committee's members. Clearly, the above cannot work if the adversary is allowed to adaptively corrupt parties depending on his view of the election process. Such an adversary might choose to corrupt more than a 1/3 fraction of the parties in some committee (footnote 5) and thus violate the privacy of the protocol.

Furthermore, even for a static adversary, the above approach cannot yield an optimally resilient (i.e., t < n/2) protocol, as an adversary who non-adaptively corrupts n/2 - 1 of the parties has a noticeable probability of corrupting 1/3 (or even 1/2) of the parties in some committee. Interestingly, we note that under the additional assumptions of FHE and multi-signatures, [7] obtains better communication complexity for computing sublinear algorithms than directly applying our approach. Improving the communication complexity of our protocols is an enthralling direction for future research.

Other related work. Our result should be contrasted with the work of Dani et al. [0], which provides MPC in the information-theoretic setting assuming perfectly private communication channels with communication complexity of O( ), but only offers security against a static adversary and t < n/3 corruptions. For the problem of Byzantine agreement (BA), King and Saia [35] show how to construct a protocol that is secure against adaptive corruptions, and where the communication complexity of every party is Õ(√n). This leads to a BA protocol with Õ(√n) communication locality; however, their protocol only tolerates t < (1/3 - ε)n corruptions (and is specific to Byzantine agreement). Another related body of work is on conducting Byzantine agreement and MPC when players are not connected via a point-to-point network but rather via a sparse, public network. This has been studied both in the context of BA [, 44, 13, 14] and of MPC [5, 36, 37]. These results inevitably only achieve the so-called almost-everywhere versions of the problems, as the protocols give up a number x = ω(1) of honest parties (and provide no guarantees for them). The interested reader may refer to Appendix A for a short survey of the corresponding literature.

Footnote 4: In fact, one may alternatively state our setup as having the players share an initial hidden random graph, and our result as a reduction from this setup.

Footnote 5: Recall that the adversary has a linear corruption budget t < (1/3 - ε)n and the committees are of size polylog(n).

1.1 Overview of our results and techniques

In this paper we establish the feasibility of secure multiparty computation with low (i.e., polylog(n)) communication locality both for static and for adaptive adversaries corrupting any t < n/2 parties. Our constructions assume a PKI and a symmetric-key infrastructure (SKI; see details below). Furthermore, our protocols have polylog(n) round complexity. In more detail, we show the following:

Theorem 1. Assuming a PKI, a SKI, and trapdoor permutations with a reversed domain sampler, there exists an MPC protocol secure against an adaptive adversary corrupting up to t < n/2 parties and satisfying the following properties with overwhelming probability:
(Polylogarithmic communication locality) Every party communicates with at most O(log^{1+ε} n) other parties, for some constant ε > 0.
(Polylogarithmic round complexity) The protocol terminates after O(log^{ε'} n) rounds, for some constant ε' > 0.

Since we wish to obtain MPC with guaranteed output delivery for all honest players, our bound of t < n/2 is optimal. Furthermore, if we do not wish to give up any party in the protocol, then the best communication locality that one can hope to attain is ω(log n) (footnote 6), and hence our protocols are near optimal in terms of communication locality as well. Next, we show that we can completely get rid of the SKI setup (while still guaranteeing adaptive security) at the cost of increasing the communication locality (but not the round complexity). That is, we show:

Theorem 2. Assuming a PKI and trapdoor permutations with a reversed domain sampler, there exists an MPC protocol secure against an adaptive adversary corrupting up to t < n/2 parties and satisfying the following conditions with overwhelming probability:
Every party communicates with at most O(√n log^{1+ε} n) other parties, for some constant ε > 0.
The protocol terminates after O(log^{ε'} n) rounds for some constant ε' > 0.

In the remainder of this section we summarize our main techniques and provide a high-level overview of our MPC construction. Before we do that, we describe our model in a bit more detail.

All parties are connected via a complete network of point-to-point channels. For simplicity, we assume that the channels are secure; however, as we assume a public-key infrastructure (PKI), these channels can be implemented by encryption and authentication [9]. Furthermore, we assume synchronous communication, i.e., our protocols proceed in rounds where messages sent in any round are delivered by the end of the round. An adversary can adaptively corrupt t < n/2 parties and cannot observe whether or not two honest parties communicated. Against such adaptive attacks, our protocols assume atomic simultaneous multi-send operations [30, 4] and erasures (cf. Section 2). In addition, our construction assumes a symmetric-key infrastructure (denoted SKI), where every pair (i, j) of parties shares a uniformly random key sk_{i,j} ∈ {0, 1}^κ for some security parameter κ. Note that there does not seem to be a direct way of getting rid of the SKI assumption without increasing the communication locality, as the direct approach of using the PKI for fair exchange would require (at least) a round where every party communicates with all other parties to exchange the pairwise keys. Removing the SKI assumption without increasing the locality is an intriguing open problem.

SKI as a hidden graph setup. Central to our results is a novel way of interpreting/transforming a symmetric-key infrastructure into a special type of setup, which we refer to as hidden-graph setup (HG).

Footnote 6: If a party communicates with only O(log n) parties in the protocol, then an adversary can simply guess these O(log n) parties (with non-negligible probability) and corrupt them, thereby isolating this honest party.

Let G = (V, E) be an undirected graph, where V = [n] is the vertex set and E is the set of edges in G. In slight abuse of notation, we also use E to denote the adjacency matrix of G, i.e., E(i, j) = E(j, i) = 1 if there is an edge in G connecting vertices i and j; otherwise E(i, j) = E(j, i) = 0. We let G(n, p) = (V, E) denote the Erdős–Rényi random graph on n vertices where for every i, j ∈ V, Pr[(i, j) ∈ E] = p. We refer to such a graph as a p-random graph. We say that the parties in [n] hold a hidden p-random graph setup (p-HG) (footnote 7) if, after sampling G = G(n, p), every party i ∈ [n] is given his corresponding row E(i, j) for j ∈ [n] and no other information on E. Note that instead of the naïve encoding which would require n bits (i.e., give each party the full vector corresponding to his row in E), we can simply give each party i a vector Γ(i) which includes the parties i communicates with over the bilateral secure channel. Thus if party i communicates with q parties, his p-HG setup will be of size q log(n) (footnote 8).

We now show how such an HG can be efficiently (and locally) computed from a SKI: Recall that in a SKI every pair of parties i and j is given a uniformly random key sk_{i,j}. We use this key as a seed to a pseudo-random function (PRF). Parties i and j will use the PRF (keyed with sk_{i,j}) to (locally) compute the random coins needed to sample (i, j) for the graph G; i.e., i and j will use the output of the PRF as coins in a sampling algorithm which picks a bit b to be 1 with probability p. If b = 1, then i and j will communicate with each other directly in the protocol and (i, j) will be an edge in the communication graph G. The security of the PRF ensures that the bit b computed as above is distributed indistinguishably from the output of the sampling algorithm on uniformly random coins. Without loss of generality, we will henceforth assume that the PRF keys that parties share can be used to sample as many random graphs as needed. Our adaptively secure construction will make use of several (polylog(n)-many) independent HGs. A sequence of l-many HGs that is indistinguishable from a sequence of l independent p-HGs can be generated as above, by querying the PRF on distinct (fixed) inputs.

Overview of our construction. At the heart of our construction lies a protocol for reliable message transmission (RMT) in this communication-constrained setting. Such a protocol allows a sender i to reliably send a message to a receiver j. Note that as we assume a completely connected network, a trivial way of implementing RMT would be for party i to use the point-to-point channel he shares with each j ∈ [n]. However, our goal is to achieve RMT where each party utilizes only a polylogarithmic number of its direct point-to-point channels. Clearly, in such a setting we cannot allow the adversary to know the neighbors of an honest party i ∈ [n] as this would enable the adversary to cut off (i.e., isolate) party i from the rest of the parties by corrupting all of its neighbors. This is where the hidden-graph setup comes in handy: Every party will only exchange messages with its neighbors in this hidden graph and ignore all other interfaces (footnote 9). As we show, an adversary who corrupts up to any constant fraction q < 1 of parties cannot make the length of the shortest honest path between any two honest parties greater than log^{ε'}(n), for some ε' > 0, except with negligible probability. In particular, we show that if G' denotes the graph that is obtained by deleting from G all parties/nodes that such an adversary corrupts, then with overwhelming probability, every two nodes in G' (i.e., every two honest parties) are connected (in G') by a path of length at most log^{ε'} n. Thus, parties can achieve RMT by simply flooding the network; i.e., party i will simply send message m, signed under its signing key, to all its neighbors; then, for log^{ε'}(n)

Footnote 7: Throughout this paper we only consider p = log^{1+ε}(n)/n for some ε > 0. Whenever ε is clear from the context we might omit p and just refer to the setup as a (hidden) random graph setup.

Footnote 8: In our setting q = polylog(n) with overwhelming probability; thus, we get that a hidden graph setup is also of size polylog(n).

Footnote 9: Note that the adversary might try to send messages to honest parties using all the corrupted parties. However, the honest parties will ignore messages from all parties that are not their neighbors in their hidden graphs.

rounds, all parties in every round will simply forward (the first validly signed) message that they receive to all their neighbors. Since i and j are connected by a path of length N = log^{ε'} n in G', then after N rounds, j will receive at least one copy of m that is signed under i's signing key and hence will reliably receive the message m. Observe that the above RMT protocol tolerates any constant fraction q < 1 of corruptions (i.e., up to t ≤ qn corrupted parties) and requires a standard PKI for digital signatures (in addition to the HG). We assume standard digital signatures secure against chosen-plaintext attacks. Further, since the message is guaranteed to reach all honest parties within N rounds, the above RMT protocol can be used to have a message sent to all honest parties (footnote 10).

Unfortunately, the above approach only works for a static adversary. The reason is that, while corrupting parties (even adaptively) and learning their setup does not reveal anything about the hidden graph (other than the neighbors of corrupted parties themselves), the protocol itself might reveal whether or not (i, j) ∈ E for honest parties i, j ∈ [n]. For example, if an adversarial party i sends a message to another adversarial party j, and j receives this message in 3 rounds, then it must be the case that there exists a path of length 3 between i and j. One might think that we can get around this problem by simply having i encrypt the message under j's public key; this, however, is completely useless in the case when j is corrupted. Another idea might be to have i delay sending its message; however, this too is useless when i is corrupted (footnote 11). As a result, constructing an RMT protocol for the adaptive-corruption case ends up being much more challenging than in the static case. The high-level idea behind the protocol for the adaptive case is to sample a new Erdős–Rényi random graph G = G(n, p), with p = log^{ε}(n)/n, at every round of the protocol.

As long as the total number of rounds of the protocol is polylogarithmic, so will be the total number of point-to-point channels that an honest party uses (since in each round, every honest party might speak to at most polylog(n) potentially new neighbors). The intuition for choosing a different HG for each round is that any corruptions made by the adversary before round i are independent of the graph selected in round i and hence this would be equivalent to the static adversary case. However, now proving that honest parties can communicate reliably (and that there exists a path of bounded length between any two honest parties) is delicate, constituting the crux of our technical result. In fact, the assumption of erasures plays a crucial role in our adaptive-security arguments. Specifically, we will assume that once any party forwards (i.e., multi-sends) a message to its neighbors, it immediately erases the identities of these neighbors. This will ensure that the adversary cannot corrupt a party who sends a message in round i, trace the origin of this message back to the sender's neighbor, and eliminate the entire tree rooted at this neighbor.

Having RMT, the next step is to design the MPC protocol. Recall that our goal is a protocol with full security (i.e., including fairness) and optimal resiliency (i.e., tolerating t < n/2 corruptions) [16, 9]. One idea to achieve this is as follows: Since we have already established RMT between any two honest parties, we can invoke any known MPC protocol Π secure for t < n/2 assuming authenticated channels, over the virtual network induced by RMT. Whenever party i is instructed in Π to send a message m to party j, we invoke RMT for this purpose. This approach would give an MPC protocol tolerating up to t < n/2 corruptions, but does not work generically (for any protocol Π) in combination with our simulated communication channels. To see why, observe that in our adaptively secure protocol, an increase of the round complexity implies the same (asymptotic) increase of the honest parties' communication locality. Indeed, since using our RMT, every party communicates with O(log^c n) (potentially new) parties in every round,

Footnote 10: Note, however, that if the sender is corrupted, there is no guarantee that the message is sent consistently.

Footnote 11: Note that we want to use RMT for every pair of parties; thus, the adversary might use information on the HG learned in an execution of RMT with a corrupted sender and/or receiver to attack another RMT with honest sender and receiver.

we can only afford to run a protocol that runs in log^{c'} n number of rounds for some c' > 0. Thus, in order for the above idea to work we need an adaptive MPC protocol over point-to-point authenticated channels which terminates in polylog(n) rounds. Such a protocol can be obtained by taking any constant-round MPC protocol that utilizes a point-to-point network of secure channels and a broadcast channel (e.g., the protocol in []), and modifying it as follows: (1) transmissions over the point-to-point secure channels are emulated by calls to our RMT protocol where the message is encrypted using adaptively secure encryption [1], and (2) calls to the broadcast channel are emulated by a (randomized, authenticated) broadcast protocol which terminates in polylog(n) rounds (cf. the protocol in [33]).

Remark 1 (Static security). Our primary goal in this paper is adaptive security. However, in the static security setting our approach yields a protocol with polylog(n) locality which relies only on semantically secure public-key encryption and existentially unforgeable signatures (as in [7]). The protocol tolerates an optimal number of t < n/2 corruptions and assumes a PKI and a (single) hidden graph setup (footnote 12) (instead of the PKI and CRS assumed in [7]).

Finally, we show (Section 5) how to avoid the SKI assumption, at the expense of an increased communication locality (but not round complexity); cf. Theorem 2. In a nutshell, the parties will compute some kind of alternate random graph setup by having each party locally decide which of his point-to-point channels he will use; a channel between two (honest) parties i, j ∈ [n] is then used only if both parties choose it. By adequately setting the probability of the honest parties' decisions, the resulting communication graph will include an Erdős–Rényi graph which will allow us to use our ideas from the SKI-based construction, with a guaranteed O(√n log^δ n) communication locality, for some constant δ > 0.

2 Model, Definitions and Building Blocks

As already mentioned earlier, we assume all parties share a public-key infrastructure (PKI) as well as a symmetric-key infrastructure (SKI). In other words, every party has a public-key, secret-key pair (for a digital signature scheme); every party i ∈ [n] receives party j's public key (for all j ∈ [n]). In addition, every pair of parties i, j ∈ [n] share a secret key sk_{i,j}. Parties are connected by a fully connected synchronous network; however, in our constructions every party will only communicate with polylog(n) other parties. We allow up to t < n/2 of the parties to be adaptively corrupted by a rushing adversary (meaning that the adversary is allowed to corrupt parties dynamically during the protocol execution and depending on his view, and that the adversary is able to postpone the sending of any given round's messages until after he receives the messages from the honest parties, resp.). Against such an adaptive adversary we assume atomic simultaneous multi-send and secure erasures. Concretely, in each round, whenever an uncorrupted party i is instructed to send a message m to the set P ⊆ [n] of its neighbors (via the direct point-to-point channels he shares with them), then once i is activated for sending (by the rushing adversary) for that round, it can send the message to all these neighbors and delete information related to this transmission (e.g., the identities of these neighbors) before the adversary has a chance to corrupt it. Note that although this stricter communication model is essential for our proofs, it is not necessary for the static corruption case. We refer to [30, 4] for a discussion about the implications of assuming simultaneous multi-send.

Footnote 12: Note that, instead of a SKI, a single copy of our hidden graph can be represented as polylog(n) bits held by each party corresponding to the vector of the indices of its neighbours.

We consider the standard simulation-based notion of security for multiparty protocols via the real/ideal world paradigm. In other words (and informally), we require that for every probabilistic polynomial-time adversary A (that corrupts t of the parties) in a real-world execution of the protocol, there exists a corresponding PPT adversary S in the ideal world who can simulate the output of A given only access to the ideal world, where S only learns the output of the evaluated function. We prove our results for standalone security. We refer the reader to [10, 11] for further details on this notion of security for multiparty computation. Throughout, we assume that n > κ, the security parameter.

Our constructions rely on the standard intractability assumption for adaptively secure multiparty protocols with erasures, namely, the existence of a family of enhanced trapdoor permutations [6, 7, 8]. This assumption is sufficient for all the primitives used in this paper, namely: pseudo-random functions (PRFs) [3], existentially unforgeable signatures (assuming a PKI setup) [3], and constant-round adaptively secure MPC over a point-to-point network with (authenticated) broadcast [] (see below).

Definition 3 ([43, 38]). A protocol for n parties P = {P_1, ..., P_n}, where a distinguished player (called the dealer) P ∈ P holds an initial input m, is a broadcast protocol tolerating t malicious parties if the following conditions hold for any adversary controlling at most t parties:
Agreement: All honest parties output the same value v.
Validity: If the dealer is honest, then v = m.

Broadcast protocols that assume a public-key infrastructure are usually termed authenticated. We also make use of the following fact about expected-constant-round broadcast and Byzantine agreement protocols, implicit in [33].

Theorem 4 ([33]). Assuming a PKI, there exists a protocol Π_BC which achieves broadcast with overwhelming probability against t < n/2 adaptive corruptions, running for log^{1+c}(n) rounds on a complete network, for some constant c > 0.

3 Reliable Communication in the Locality Model

In this section we prove our results for Reliable Message Transmission (RMT) between every pair of honest parties in our communication-constrained setting, assuming a standard PKI (for digital signatures) as well as a SKI, as defined above. The constructions in this section tolerate any constant fraction of corrupted parties, more than what is required for fully secure MPC; that is, we only assume that the number of corrupted parties is t ≤ qn, for a constant q < 1 (arbitrarily close to 1).

3.1 Static security

We first show an RMT protocol that is secure against static corruptions. This will illustrate some of the ideas that are needed for our adaptively secure construction.

Setup phase. Recall that we work in a model in which parties share a public-key as well as a symmetric-key infrastructure. That is, in the setup phase, party i receives a private key sk_i for a signature scheme, and every party j receives the public key vk_i corresponding to sk_i, for all i ∈ [n]. The SKI allows for a hidden p-random graph setup (p-HG), with p = log^{1+ε}(n)/n (for appropriately chosen ε > 0), as explained above. Note that, because in this section we assume only a single shared hidden graph, it is sufficient (in fact equivalent) that the keys in the SKI are one bit long.

Construction idea. The hidden graph setup ensures that the adversary does not get to know whether party i communicates with party j, unless he corrupts one of them. We show that given such a p-HG, an adversary who (non-adaptively) corrupts any constant fraction q of the parties cannot isolate any of the honest parties. In fact, we show a much stronger property for the graph G' formed by removing (in the hidden graph) the t = qn corrupted nodes; namely, that with overwhelming probability (in n), every pair (i, j) of honest parties is connected by a path of length at most N = log^{ε'}(n), for some ε' > 0 which depends only on ε. Note that since parties start with a PKI, we only require that honest parties i, j ∈ [n] are connected by a path of length N = log^{ε'}(n), for some ε' > 0, in graph G'. Parties can then achieve RMT by simply flooding the network; i.e., party i will simply send message m, signed under its signing key, to all its neighbors. Next, each party in every round simply forwards the (first validly signed) message that it receives to all of its neighbors. A formal description of the non-adaptively secure protocol for a sender i to reliably send a message m to a receiver j, denoted by RMT_{i,j}(m), is as follows. (Let Γ(i) denote party i's neighbors in G.)

Protocol RMT_{i,j}(m)
1. Round 1: Party i sends (m, sig_{sk_i}(m)) to all nodes in Γ(i).
2. For each round ρ = 2, ..., log^{ε'}(n):
   For every party k ∈ [n] \ {i, j}: If a message (m, σ), where σ is party i's valid signature on m, was received for the first time from some of its neighbors, i.e., some node in Γ(k), in the previous round, then party k sends (m, σ) to all its neighbors and halts. (If multiple validly signed pairs were received in that round for the first time, then take the first one in a lexicographic order.)
   For receiver j: If a message (m, σ), where σ is party i's valid signature on m, is received for the first time from some node in Γ(j), then output m and halt. (If multiple validly signed pairs are received in that round for the first time, then take the first one in a lexicographic order.)
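The SKI-to-hidden-graph derivation of Section 1.1 and protocol RMT_{i,j}(m) above, simulated end to end; this is an added example, not the authors' code. It assumes HMAC-SHA256 as the PRF, derives every key from a fixed seed in place of a real SKI and PKI (constructed), stands in for the signature scheme with an HMAC under the sender's key (only "valid copy versus forgery" matters to the flooding logic), and models corrupted parties as dropping all traffic.

```python
"""Hidden graph from an SKI (Section 1.1) and the static-adversary flooding
protocol RMT_{i,j}(m) (Section 3.1), simulated end to end."""
import hashlib
import hmac
import math

# Constructed: every key below is derived from this seed so the run is
# deterministic; a real deployment gets sk_{i,j} from the SKI and sk_i from the PKI.
SEED = b"constructed-example-seed"


def ski_key(i: int, j: int) -> bytes:
    """The 32-byte key sk_{i,j} = sk_{j,i} known only to parties i and j."""
    a, b = (i, j) if i < j else (j, i)                      # symmetric in (i, j)
    return hashlib.sha256(SEED + b"ski" + a.to_bytes(4, "big")
                          + b.to_bytes(4, "big")).digest()


def edge_bit(i: int, j: int, p: float, graph_index: int = 0) -> bool:
    """Parties i and j each evaluate PRF_{sk_{i,j}}(graph_index) locally (HMAC-SHA256
    plays the PRF) and turn the output into a Bernoulli(p) coin; both obtain the
    same bit, so (i, j) is an edge for both or for neither. graph_index selects one
    of the polylog(n)-many independent hidden graphs the adaptive construction uses."""
    tag = hmac.digest(ski_key(i, j), graph_index.to_bytes(4, "big"), "sha256")
    return int.from_bytes(tag[:8], "big") < int(p * (1 << 64))


def hidden_graph(n: int, eps: float, graph_index: int = 0) -> dict:
    """Gamma(i) for every party i, with p = log^{1+eps}(n)/n (footnote 7). Party i
    needs only its own keys for its own row; nothing else about E is revealed."""
    p = math.log(n) ** (1 + eps) / n
    return {i: [j for j in range(n) if j != i and edge_bit(i, j, p, graph_index)]
            for i in range(n)}


def signing_key(i: int) -> bytes:
    return hashlib.sha256(SEED + b"sig" + i.to_bytes(4, "big")).digest()


def sign(i: int, m: bytes) -> bytes:
    """Stand-in for sig_{sk_i}(m). The paper uses an existentially unforgeable
    signature scheme under the PKI; an HMAC under i's key suffices here to tell a
    validly signed copy from a forgery, which is all the flooding logic checks."""
    return hmac.digest(signing_key(i), m, "sha256")


def verify(i: int, m: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(i, m), sig)


def rmt_flood(graph: dict, corrupted: set, sender: int, m: bytes,
              max_rounds: int) -> dict:
    """Protocol RMT_{i,j}(m) run towards every j at once (footnote 10).
    Round 1: the honest sender multi-sends (m, sig) to Gamma(sender). Each later
    round: every honest party that received its first validly signed copy in the
    previous round forwards it to all its neighbours and halts. Corrupted parties
    drop everything, the worst case for delivery (a corrupted forwarder only helps).
    Honest parties only see traffic on their own hidden-graph edges (footnote 9).
    Returns {party: round of first valid receipt}, sender -> 0; parties not reached
    within max_rounds are absent."""
    sig = sign(sender, m)
    first_seen = {sender: 0}
    frontier = [sender]
    for rnd in range(1, max_rounds + 1):
        forwarded_to = []
        for v in frontier:                      # v forwards (m, sig) exactly once
            for w in graph[v]:
                if w in corrupted or w in first_seen:
                    continue                    # dropped, or already delivered
                if not verify(sender, m, sig):  # honest w checks sender's signature
                    continue
                first_seen[w] = rnd
                forwarded_to.append(w)
        frontier = forwarded_to
        if not frontier:
            break
    return first_seen


def rmt_round(graph: dict, corrupted: set, i: int, j: int, m: bytes,
              max_rounds: int):
    """Round in which receiver j outputs the message m sent by i, or None."""
    return rmt_flood(graph, corrupted, i, m, max_rounds).get(j)


if __name__ == "__main__":
    n, eps = 600, 1.1
    G = hidden_graph(n, eps)
    # Static adversary: corrupts n/2 parties, chosen independently of the hidden
    # graph (here: every even-numbered party).
    corrupted = {v for v in range(n) if v % 2 == 0}
    degrees = [len(G[v]) for v in G]
    print("locality: degrees in [%d, %d], log^{1+eps} n = %.1f"
          % (min(degrees), max(degrees), math.log(n) ** (1 + eps)))
    seen = rmt_flood(G, corrupted, sender=1, m=b"hello", max_rounds=8)
    honest = [v for v in range(n) if v not in corrupted]
    print("honest parties reached: %d of %d, within %d rounds"
          % (sum(v in seen for v in honest), len(honest), max(seen.values())))
    print("RMT_{1,599}: delivered in round",
          rmt_round(G, corrupted, 1, 599, b"hello", 8))
    print("copy tagged under party 2's key accepted as party 1's?",
          verify(1, b"hello", sign(2, b"hello")))
```

With n = 600 and ε = 1.1 the honest subgraph has expected degree about 25, so every honest party is reached within a handful of rounds, well inside the log^{ε'}(n) bound the lemma below establishes.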
The security of protocol RMT_{i,j}(m) (stated in Theorem 7) can be argued as follows: If i and j are connected by a path of length N in G', then after N rounds j will receive at least one copy of m that is signed under i's signing key, and hence will reliably receive the message m. Thus we simply need to argue that the above holds for some N = polylog(n). To this direction, we first prove the following lemma, which implies RMT between i and j for all honest i, j ∈ [n].

Lemma 5. Let G = (V, E) be a hidden p-random graph, and let A be an adversary who non-adaptively chooses a set of parties to corrupt and by doing so learns all their neighbors in G. Denote by U ⊆ V the set of corrupted nodes, and by G' the subgraph on V \ U resulting from erasing all nodes in U. If for some constant q < 1, |U| ≤ qn and p = d/n = log^{1+ε}(n)/n, then, for any constant 0 < k < 1 - q, G' is an expander graph with edge expansion kd.

Proof. Since each pair of vertices in G' is still connected with probability p independently of U, G' is a random graph G((1 - q)n, p). Let n' = (1 - q)n and 0 < k < 1 - q. Then, for each S ⊆ V' = V \ U with |S| = r, writing $\bar S = V' \setminus S$, we have
$$e_{G'}(S, \bar S) = \sum_{v \in S,\, v' \in \bar S} X_{v,v'},$$
where $X_{v,v'}$ is the indicator of whether there exists an edge between v and v'. Then
$$\mathrm{E}[e_{G'}(S, \bar S)] = \sum_{v \in S,\, v' \in \bar S} \mathrm{E}[X_{v,v'}] = |S|\,|\bar S|\,p = r(n' - r)p.$$

By the Chernoff bound,
$$\Pr[e_{G'}(S, \bar{S}) < kd|S|] \le e^{-\left(1 - \frac{kn}{n'-r}\right)^2 \frac{r(n'-r)p}{2}} = e^{-\left(1 - \frac{kn}{n'-r}\right)^2 \frac{(n'-r)}{n}\frac{rd}{2}} = e^{-\left(\frac{n'-r}{n} - k\right)^2 \frac{n}{n'-r}\frac{rd}{2}}.$$
Since $0 < r \le n'/2$, we have
$$\frac{1-q}{2} \le \frac{n'-r}{n} \le \frac{n'}{n} = 1-q < 1.$$
Thus,
$$\left(\frac{n'-r}{n} - k\right)^2 \frac{n}{n'-r}\cdot\frac{1}{2} \ge \frac{1}{2}\left(\frac{1-q}{2} - k\right)^2 = c > 0.$$
For $d = \log^{1+\epsilon} n$, we have
$$\Pr[e_{G'}(S, \bar{S}) < kd|S|] \le \left(e^{-c}\right)^{rd} = \left(\frac{1}{n^{c\log^{\epsilon} n}}\right)^{r},$$
and by the union bound, the probability that $e_{G'}(S, \bar{S}) < kd|S|$ for some subset S, |S| ≤ |V'|/2, is bounded by
$$\sum_{r=1}^{n'/2} \sum_{S \subseteq V',\, |S| = r} \Pr[e_{G'}(S, \bar{S}) < kd|S|] \le \sum_{r=1}^{n'/2} \binom{n'}{r}\left(\frac{1}{n^{c\log^{\epsilon} n}}\right)^{r} \le \sum_{r=1}^{n'/2} \left(\frac{n}{n^{c\log^{\epsilon} n}}\right)^{r} = \sum_{r=1}^{n'/2} \left(\frac{1}{n^{c\log^{\epsilon} n - 1}}\right)^{r} = \lambda(n),$$
where λ(n) represents a function that is negligible in n. Therefore, G' is an expander with edge expansion kd with overwhelming probability.

The next corollary follows immediately from Lemma 5, by using the fact that an expander graph as above has polylogarithmic diameter except with negligible probability. We make use of the following intuitive terminology: for a given graph G = ([n], E) we say that two parties i and j in [n] are G-connected by an honest path of length l if there exists a sequence of connected nodes PATH(i, j) from i to j in G such that for every node k ∈ PATH(i, j), node k is honest, and |PATH(i, j)| = l.

Corollary 6. Let ε > 0, $p = \log^{1+\epsilon} n / n$, and G be a hidden p-random graph. For any adversary who (non-adaptively) corrupts at most t = qn parties, the following holds except with negligible (in n) probability: there exists some ε' > 0 which depends only on ε such that any two honest parties are G-connected by an honest path of length at most $\log^{\epsilon'}(n)$.

The security of protocol $\mathsf{RMT}_{i,j}(m)$ follows now easily from the above corollary, as no matter how the (static) adversary chooses the corrupted parties he cannot increase the diameter of the graph defined by the honest parties and the hidden graph setup to more than polylog(n).

Theorem 7. Let 0 < q < 1, and T ⊆ [n] be the set of (non-adaptively) corrupted parties, |T| = t ≤ qn. Assuming a PKI and a SKI, then $\mathsf{RMT}_{i,j}$ is a secure RMT protocol between any two honest nodes i, j ∈ [n] \ T satisfying the following two conditions with overwhelming probability:
1. Every party communicates with at most $O(\log^{1+\epsilon} n)$ other parties;
2. the protocol terminates after $O(\log^{\epsilon'} n)$ rounds, for some ε' > 0.

Proof. Since Lemma 5 shows that any message sent by an honest i will reach every honest j within $O(\log^{\epsilon'}(n))$ rounds, it follows from the unforgeability property of the signature scheme that j will always accept the message sent by honest i. Hence, the above protocol is a secure RMT protocol. The communication locality of the protocol follows from the degree of G = G(n, p), which is $O(\log^{1+\epsilon} n)$ except with negligible probability.

Parallel composition of RMT. In our MPC construction, we will require all nodes to execute their respective RMT protocols in parallel (simultaneously). That is, let $m_{i,j}$ be the message that node i wishes to send to j via the RMT protocol, denoted $\mathsf{RMT}_{i,j}(m_{i,j})$ as above. Now, let $\mathsf{RMT}_{all}(m)$ denote the protocol executed by all parties when $\mathsf{RMT}_{i,j}(m_{i,j})$ for all i, j ∈ [n] are executed in parallel. (That is, in round k of $\mathsf{RMT}_{all}(m)$, all parties execute the k-th round of protocol $\mathsf{RMT}_{i,j}(m_{i,j})$, for all i, j ∈ [n].) $\mathsf{RMT}_{all}(\cdot)$ is composed of $n^2$ individual RMT protocols. We have the following corollary.

Corollary 8. For all honest i, j ∈ [n], $\mathsf{RMT}_{all}(m)$ is a reliable message transmission protocol for sending $m_{i,j}$ from i to j, satisfying the following properties:
1. Every party communicates with at most $O(\log^{1+\epsilon} n)$ other parties in the protocol.
2. The protocol terminates after $O(\log^{\epsilon'} n)$ rounds for some ε' > 0.

Proof. From Lemma 5 we have that any message sent by any honest i will reach every honest j within $O(\log^{\epsilon'} n)$ rounds. Hence, from this and the unforgeability of the underlying signature scheme, it follows by a standard hybrid argument that every honest j will always accept the message sent by any honest i at the end of $\mathsf{RMT}_{all}(m)$. Furthermore, note that the protocol's round complexity is equal to the maximum round complexity of its components, which equals $O(\log^{\epsilon'} n)$. Further, note that the communication locality of every party in $\mathsf{RMT}_{all}(m)$ is equal to the communication locality of the party in $\mathsf{RMT}_{i,j}(m_{i,j})$, for any i, j ∈ [n]. Hence, the corollary follows.

3.2 Adaptively secure RMT

As discussed in Section 1.1, the above proof technique fails against adaptive adversaries. Informally, the issue is that an adversary can use the round in which a corrupted party/relayer receives a message to deduce information on the communication graph (see Section 1.1 for more details and a concrete example). In this section we describe an RMT protocol that is secure against such an adaptive adversary. The idea is to have the parties use a different, independent communication graph for each round in the transmission scheme. As long as the transmission scheme does not have more than polylog(n) rounds and in each round every party communicates with at most polylog(n) (additional) parties, the overall locality will be polylog(n).

The main challenge in the above idea is to prove that in this dynamically updated communication graph, the message will reach each recipient through an honest path in at most polylog(n) rounds. Proving this constitutes the main technical contribution of our work. The (adaptively secure) RMT protocol AdRMT is similar to the protocol in the static case, except that in round ρ parties forward messages received in the previous round to their neighbours in the communication graph $G_\rho$. We first describe the corresponding setup that it requires.

Setup phase. As in the static case, the parties share both a PKI and a SKI. The SKI will be used here in the same spirit, except that instead of generating one Erdős–Rényi graph, G = G(n, p) with $p = \log^{\epsilon} n / n$, it will be used to generate D such graphs, denoted $\mathbf{G} = (G_1, \ldots, G_D)$. These graphs can be sampled using the same PRF key $sk_{i,j}$ that parties i and j share. As before, every node only knows its own neighbors, and when the adversary corrupts a node j, he only learns j's neighbors in $G_1, \ldots, G_D$. At the end of this process, the parties erase the secret keys from their SKI. The protocol is described below, followed by the security statement and a high-level description of its proof. (The formal proof can be found in Appendix B.)

Protocol $\mathsf{AdRMT}_{i,j}(m)$

1. Round 1: Party i sends $(m, \mathsf{sig}_{sk_i}(m))$ to all its neighbors in graph $G_1$.

2. For each round $\rho = 2, \ldots, \log^{\epsilon'}(n)$:
   For every party k ∈ [n] \ {i, j}: If a message (m, σ), where σ is party i's valid signature on m, was received for the first time from some of its neighbours in $G_{\rho-1}$ in the previous round, then party k sends (m, σ) to all its neighbors in graph $G_\rho$, erases all information about its $G_\rho$-neighborhood, and halts. (If multiple validly signed pairs were received in that round for the first time, then take the first one in a lexicographic order.)
   For receiver j: If a message (m, σ), where σ is party i's valid signature on m, is received for the first time from some of party j's neighbours in $G_\rho$, then output m and halt. (If more than one validly signed pair is received in that round for the first time, then take the first one in a lexicographic order.)

Theorem 9. Let T ⊆ [n] be the set of adaptively corrupted parties, |T| = t ≤ qn, for any constant 0 < q < 1. Assuming a PKI and a SKI, protocol $\mathsf{AdRMT}_{i,j}(m)$ is a secure RMT protocol between any two honest nodes i, j ∈ [n] \ T, satisfying the following two properties with overwhelming probability:
1. Every party communicates with at most $O(\log^{1+\epsilon} n)$ other parties.
2. The protocol terminates after $O(\log^{\epsilon'} n)$ rounds, for some ε' > 0.

Proof idea. As in the static case, we show that there exists a path of length at most $O(\log^{\epsilon'}(n))$ between any two honest nodes i, j ∈ [n] when we consider the collection of communication graphs $\mathbf{G}$ that selects graph $G_i$ as the communication graph in hop i. We prove this in three steps: First, we prove that at every step of the protocol, even if an adversary corrupts a constant fraction of the nodes in the random graph, the honest neighbors of any set S of size at most n/d that are not in S will be at least of size kd|S|, for some appropriate constant k (except with negligible probability). More concretely, in Appendix B we prove the following lemma, where we let ε > 0, 0 < q < 1 be constants, $d = \log^{1+\epsilon} n$, $p = d/n = \log^{1+\epsilon} n / n$, and D = O(log n).

Lemma 10. Let G = G(n, p) be a graph on V = [n], and U ⊆ V, |U| ≤ qn, chosen adaptively while only learning edges connecting to U. Let G' be the induced subgraph on V' = V \ U. Then, for any constant $0 < k < (1-q)/2$, there exists a constant c > 0 such that, for sufficiently large n and for any S ⊆ V' with |S| = r ≤ n/d = 1/p, the set of all neighbors of S that are not in S, Γ(S), has size at least kd|S| except with negligible probability
$$P_r = \left(\frac{1}{n^{c\log^{\epsilon} n}}\right)^{r}.$$

Next, via an application of Hoeffding's inequality (see Lemma 16 in Appendix B), we prove that as long as the adversarial parties are chosen independently of the random neighbors chosen by any party, a constant fraction of the party's neighbors will be honest, except with negligible probability (as long as the adversarial set is of size at most qn for some constant 0 < q < 1). Thus we get the following.

Lemma 11. Let V = [n] and C ⊆ V, |C| = m, be a subset chosen uniformly at random. Let 0 < q < 1 be a constant and U ⊆ V, |U| = qn, be a subset chosen independently of C. Then, for all 0 < δ < 1 − q, |C \ U| > (1 − q − δ)m except with probability $e^{-2m\delta^2}$. In particular, for $m = \log^{1+\epsilon} n$, $|C \setminus U| > \frac{1-q}{2} m$ except with negligible probability. Furthermore, for $q = \frac{1}{2} - \epsilon$, $|C \setminus U| > \frac{1}{2} m$ except with negligible probability.

Finally, using Lemmas 10 and 11, we show that even when an adversary adaptively corrupts parties in every round of the protocol, as long as the parties select a random graph at each round of the protocol, there exists a path of length at most D = O(log n) between any two honest nodes in [n]. Formally:

Lemma 12. Let $G_1, \ldots, G_D$ be graphs on V = [n] constructed independently as G(n, p). Let $U_1, U_2, \ldots, U_D \subseteq V$ be disjoint subsets with $U = \bigcup_{j=1}^{D} U_j$ such that |U| ≤ qn, where $U_j$ is chosen independently from $G_{j+1}, \ldots, G_D$, but adaptively, after learning the neighbors of $U_i$ in $G_i$ for i ≤ j. Let $G'_i$ be the induced subgraph on $V_i = V \setminus (\bigcup_{j=1}^{i} U_j)$. Then, except with negligible probability, any pair of vertices v, v' ∈ V' = V \ U are reachable with respect to $\mathbf{G}' = (G'_1, \ldots, G'_D)$ by a path of length at most D.

Combining these gives us our main theorem (Theorem 9).

Parallel composition of adaptively secure RMT. Once again, we will require all nodes i, j ∈ [n] to execute their respective RMT protocols in parallel, simultaneously. Let $\mathsf{AdRMT}_{all}(m)$ denote the protocol executed by all parties when $\mathsf{AdRMT}_{i,j}(m_{i,j})$ for all i, j ∈ [n] are executed in parallel. That is, in round k of $\mathsf{AdRMT}_{all}(m)$, all parties execute the k-th round of protocol $\mathsf{AdRMT}_{i,j}(m_{i,j})$ (for all i, j ∈ [n]). Importantly, all the messages that a party has to send in this round are sent as a single atomic multi-send and the corresponding neighbors' identities are erased. Note that the graph $G_k$ used in the k-th round of the protocol depends only on the round k and not on i and j; hence, we use the same graph $G_k$ to send all the messages of protocol $\mathsf{AdRMT}_{all}(m)$. We have the following corollary:

Corollary 13. For all honest i, j ∈ [n], $\mathsf{AdRMT}_{all}(m)$ is a reliable message transmission protocol for sending $m_{i,j}$ from i to j, satisfying the following properties:
1. Every party communicates with at most $O(\log^{1+\epsilon} n)$ other parties in the protocol.
2. The protocol terminates after $O(\log^{\epsilon'} n)$ rounds, for some ε' > 0.

The proof of this corollary is similar to Corollary 8's.
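The following simulation is an added example, not code from the paper: it runs the AdRMT flooding described in this section over D independently sampled graphs $G_1, \ldots, G_D$ against an adaptive adversary that, between rounds, corrupts whichever honest relays its already-corrupted nodes have just heard from (the natural timing-based strategy), subject to a budget of qn corruptions. Each relay forwards once as an atomic multi-send and erases the neighbourhood it just used, so a relay corrupted afterwards yields only its not-yet-erased neighbourhoods. The parameters (n = 300, q = 0.3, ε = 1, D = 6), the adversary's strategy and the bookkeeping are assumptions of this example; signature verification is assumed to pass, since relays only ever forward the sender's own copy.

```python
import itertools
import math
import random

# Constructed parameters (assumptions for this simulation, not the paper's numbers).
N_PARTIES = 300
CORRUPT_FRACTION = 0.3
EPS = 1.0
ROUNDS = 6          # D: one independently sampled graph per round


def er_graph(n, p, rng):
    """Erdős–Rényi G(n, p) as adjacency sets."""
    adj = {v: set() for v in range(n)}
    for u, v in itertools.combinations(range(n), 2):
        if rng.random() < p:
            adj[u].add(v)
            adj[v].add(u)
    return adj


class AdaptiveAdversary:
    """Corrupts, between rounds, the honest relays its corrupted nodes have just
    received the message from. It learns a corrupted party's neighbourhood in
    G_r only if that party has not yet erased it (AdRMT erases after sending)."""

    def __init__(self, graphs, budget):
        self.graphs, self.budget = graphs, budget
        self.corrupted = set()
        self.learned = {}      # party -> {round: neighbour set visible at corruption time}

    def corrupt(self, v, erased):
        if v in self.corrupted or len(self.corrupted) >= self.budget:
            return
        self.corrupted.add(v)
        self.learned[v] = {r: set(g[v]) for r, g in enumerate(self.graphs, 1)
                           if r not in erased[v]}

    def react(self, relays_seen, erased):
        for w in relays_seen:
            self.corrupt(w, erased)


def run_adrmt(graphs, adv, sender, initial_corrupt=()):
    """Sender floods in G_1; a party that first received the message in round
    rho-1 forwards it in round rho over G_rho, erases its G_rho neighbourhood
    and halts. Corrupted relays drop the message. Returns (delivery rounds, erased)."""
    n = len(graphs[0])
    erased = {v: set() for v in range(n)}
    for v in initial_corrupt:                  # static corruptions before round 1
        adv.corrupt(v, erased)
    delivered = {sender: 0}
    active = {sender}                          # parties that send in this round
    for rnd, g in enumerate(graphs, 1):
        received = {}                          # recipient -> relay it heard from first
        for v in active:
            if v in adv.corrupted:
                continue
            for w in g[v]:
                received.setdefault(w, v)
            erased[v].add(rnd)                 # atomic multi-send, then erase
        newly = [w for w in received if w not in delivered and w not in adv.corrupted]
        for w in newly:
            delivered[w] = rnd
        # The adversary only observes deliveries at its own corrupted nodes.
        adv.react([received[w] for w in received if w in adv.corrupted], erased)
        active = set(newly)
        if not active:
            break
    return delivered, erased


def experiment(n=N_PARTIES, q=CORRUPT_FRACTION, eps=EPS, D=ROUNDS, seed=11):
    rng = random.Random(seed)
    d = math.log(n) ** (1 + eps)
    graphs = [er_graph(n, d / n, rng) for _ in range(D)]
    adv = AdaptiveAdversary(graphs, budget=int(q * n))
    initial = rng.sample(range(n), adv.budget // 2)
    sender = next(v for v in range(n) if v not in initial)
    delivered, erased = run_adrmt(graphs, adv, sender, initial)
    honest = [v for v in range(n) if v not in adv.corrupted]
    return {
        "all_honest_delivered": all(v in delivered for v in honest),
        "max_round": max((delivered[v] for v in honest if v in delivered), default=0),
        "adaptive_corruptions": len(adv.corrupted) - len(initial),
        "erasure_respected": all(r not in adv.learned[v]
                                 for v in adv.corrupted for r in erased[v]),
        "locality": max(sum(len(g[v]) for g in graphs) for v in range(n)),
        "degree_bound": D * d,
    }
```

Relays the adversary corrupts in reaction to a delivery have already forwarded and erased, so the corruption neither stops the flood nor reveals which neighbours received the copy; every party that is still honest at the end accepts within D rounds, and each party's total locality over the D graphs stays O(D · d).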

4 Secure Multiparty Computation with Low Communication

We are now ready to describe our MPC protocol for securely evaluating any given (even reactive) n-party function in the communication-locality model. Our protocol is secure against t < n/2 adaptive corruptions. The idea behind our MPC protocol is to use a constant-round adaptively secure MPC protocol for t < n/2 working over point-to-point secure channels and broadcast (e.g., []), where those resources are emulated via our RMT protocol of Section 3.2. We let $\Pi_{BC}$ denote the authenticated broadcast protocol guaranteed by Theorem 4 (Section 2). The protocol achieves broadcast with overwhelming probability against t < n/2 adaptive corruptions, running for $\log^{1+c} n$ rounds on a complete network, for some constant c > 0. As pointed out in [33], assuming unique process and message IDs as in [39], $\Pi_{BC}$ remains secure under parallel composition. Let $\Pi'_{BC}$ denote the protocol which results by having the parties execute $\Pi_{BC}$ where in each round, instead of using the point-to-point channels for exchanging their messages, the parties invoke $\mathsf{AdRMT}_{all}$ from Section 3.2. Then it follows immediately from the security of $\mathsf{AdRMT}_{all}$ (Corollary 13) and the fact that each message transmission requires polylog(n) rounds that protocol $\Pi'_{BC}$ is also a secure broadcast protocol with polylogarithmic round complexity and communication locality.

Lemma 14. Protocol $\Pi'_{BC}$ described above achieves broadcast against t < n/2 adaptive corruptions and satisfies the following conditions with overwhelming probability:
1. Every party communicates with at most $O(\log^{1+\epsilon} n)$ parties for any constant ε > 0.
2. The protocol terminates after $O(\log^{\epsilon'} n)$ rounds for some constant ε' > 0.

Proof (sketch). The security of $\Pi'_{BC}$ follows directly from the security of protocols $\Pi_{BC}$ and $\mathsf{AdRMT}_{all}$. The (asymptotic) round complexity is computed as follows: for each round l of $\Pi_{BC}$, protocol $\Pi'_{BC}$ executes $\mathsf{AdRMT}_{all}$ to have the parties exchange their round-l messages; thus, for each round in $\Pi_{BC}$ we need $O(\log^{\epsilon'} n)$ rounds in $\Pi'_{BC}$. Because $\Pi_{BC}$ runs in $O(\log^{\epsilon''} n)$ rounds, the total round complexity of $\Pi'_{BC}$ is $O(\log^{\epsilon' + \epsilon''} n)$ rounds. We next argue the communication locality: With overwhelming probability, in each round of $\Pi'_{BC}$, every party might communicate with at most $O(\log^{1+\epsilon} n)$ (potentially different) parties (for executing $\mathsf{AdRMT}_{all}$). Thus, since the total number of rounds is $O(\log^{\epsilon' + \epsilon''} n)$, with overwhelming probability (by the union bound) the total number of parties that each i ∈ [n] exchanges messages with using the point-to-point channels is $O(\log^{1+\epsilon+\epsilon'+\epsilon''} n)$.

The next step is to construct a secure message transmission protocol (SMT) which will allow a sender i to securely (i.e., authentically and privately) send a message $m_{i,j}$ to a receiver j. Since we have a PKI and an adaptively secure broadcast protocol, we can use the standard reduction of secure channels to broadcast: The sender i encrypts $m_{i,j}$ under the receiver's public key and broadcasts the corresponding ciphertext $c_{i,j}$. Upon receiving $c_{i,j}$, party j decrypts it using his secret key and recovers $m_{i,j}$. However, in order for the above reduction to be secure (in a simulation-based manner) against an adaptive adversary, we need to ensure that a simulator can open a ciphertext to any message of its choice. This can be achieved by the use of adaptively secure encryption schemes with erasures, which are known to exist under standard intractability assumptions [1]. Consistently with the notation introduced in the previous section, we use $\mathsf{AdSMT}_{i,j}$ to denote the above SMT protocol, and $\mathsf{AdSMT}_{all}$ to denote the protocol composed of individual $\mathsf{AdSMT}_{i,j}(m_{i,j})$ protocols (for all i, j ∈ [n]), run in parallel, where $m = (m_{1,1}, m_{1,2}, \ldots, m_{n,n})$. With the above tools, we have:

Theorem 2. Assuming a PKI, a SKI, and trapdoor permutations with a reversed domain sampler, there exists a protocol for securely evaluating any given n-party function against an adaptive adversary who corrupts t < n/2 parties, satisfying the following two conditions with overwhelming probability:
1. Every party communicates with at most $O(\log^{1+\epsilon} n)$ other parties, for some constant ε > 0.
2. The protocol terminates after $O(\log^{\epsilon'} n)$ rounds, for some constant ε' > 0.

Proof (sketch). Let $\Pi_{MPC}$ denote a constant-round MPC protocol which is secure against adaptive corruptions of up to t < n/2 parties, where parties communicate over a complete network of point-to-point channels and broadcast. (Such protocols are known to exist under the assumption in the theorem, e.g., [].) Furthermore, let $\Pi'_{MPC}$ denote the protocol that results by instantiating in $\Pi_{MPC}$ the calls to the secure channels and broadcast by invocations of protocols $\mathsf{AdSMT}_{all}$ and $\Pi'_{BC}$, respectively. We argue that $\Pi'_{MPC}$ satisfies all the properties claimed in the theorem. The security of $\Pi'_{MPC}$ follows immediately from the security of the underlying protocol $\Pi_{MPC}$ and the security of protocols $\Pi'_{BC}$ and $\mathsf{AdSMT}_{all}$. For the round complexity: For each round in $\Pi_{MPC}$, all message exchanges (i.e., point-to-point transmissions or broadcast calls) are exchanged in $\Pi'_{MPC}$ by appropriate (parallel) executions of protocols $\Pi'_{BC}$ and $\mathsf{AdSMT}_{all}$, where the executions have unique round, protocol, and message IDs.^13 Thus, for every round in $\Pi_{MPC}$ we need $O(\log^{\epsilon'} n)$ rounds in $\Pi'_{MPC}$, for some given constant ε' > 0. Because $\Pi_{MPC}$ terminates in a constant number of rounds, the round complexity of $\Pi'_{MPC}$ is also $O(\log^{\epsilon'} n)$. In each of these rounds, every party might communicate with at most $O(\log^{1+\epsilon} n)$ (potentially different) parties. (Recall that all parallel executions of $\Pi'_{BC}$ and $\mathsf{AdSMT}_{all}$ use the same sequence of graph setups.) Thus, the total number of parties that each i ∈ [n] talks directly to (i.e., via its point-to-point channels) is $O(\log^{1+\epsilon+\epsilon'} n)$.
5 Getting Rid of the SKI

In this section we show how to get rid of the symmetric-key setup assumption, at the cost, however, of increasing the communication locality (but not the round complexity) by a factor of $\sqrt{n}$. The idea for getting rid of the SKI is to have the parties compute some kind of an alternative random graph setup. This is done as follows: each party i ∈ [n] locally decides which of his point-to-point channels he will use; a channel between two (honest) parties i, j ∈ [n] is then used only if both parties choose it. (This is similar in spirit to the way the work of Chandran et al. [14] handles edge corruptions in sparse networks.) By having each party decide to use each of his channels with probability $p = \log^{\epsilon} n / \sqrt{n}$ for some given constant ε > 1 (and ignore all other channels) we ensure that, with overwhelming probability, each (honest) party uses at most $O(\sqrt{n}\log^{\delta} n)$ of its point-to-point channels for some constant δ > 0. Furthermore, each edge between two honest parties i and j is chosen with probability $p' = p^2 = \log^{2\epsilon} n / n$, thus the resulting communication graph will include an Erdős–Rényi graph G(n, p') which will allow us to use our ideas from the previous sections. Note however, that as the adversarial nodes might choose to communicate with all their neighbors, the communication locality is no longer guaranteed to be $O(\log^{2\epsilon} n)$; notwithstanding, it is guaranteed to be $O(\sqrt{n}\log^{\delta} n)$ with overwhelming probability.

RMT protocol. We now describe a reliable message transmission protocol which tolerates up to t < qn adaptive corruptions, for any given constant q < 1. Our protocol (and proof) are similar to the corresponding protocol from Section 3.2, with the only difference being that the parties choose

^13 Recall that the IDs are needed to ensure security of $\Pi_{BC}$ under parallel composition [39].
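The following is an added example, not code from the paper, of the SKI-free channel selection just described: every party keeps each of its point-to-point channels with probability $p = \log^{\epsilon} n / \sqrt{n}$, an honest-honest channel is used only when both endpoints kept it, and a corrupted party is assumed to use every channel an honest neighbour kept towards it (the worst case for the honest party's locality). The parameters (n = 400, q = 0.3, ε = 1.2) are constructed for the run; the function reports the measured honest-honest edge density against $p^2$ and the largest honest locality against the $\sqrt{n}\log^{\epsilon} n$ bound.

```python
import itertools
import math
import random

# Constructed parameters (assumptions): n parties, a q-fraction corrupted,
# per-channel selection probability p = log^eps n / sqrt(n).
N_PARTIES = 400
CORRUPT_FRACTION = 0.3
EPS = 1.2


def choose_channels(n, p, rng):
    """Each party independently keeps each of its n-1 channels with probability p."""
    return {i: {j for j in range(n) if j != i and rng.random() < p} for i in range(n)}


def ski_free_setup(n=N_PARTIES, q=CORRUPT_FRACTION, eps=EPS, seed=3):
    rng = random.Random(seed)
    p = math.log(n) ** eps / math.sqrt(n)
    chosen = choose_channels(n, p, rng)
    corrupted = set(rng.sample(range(n), int(q * n)))
    honest = [i for i in range(n) if i not in corrupted]

    # A channel between two honest parties is used only if both kept it: probability p^2.
    used_pairs = sum(1 for i, j in itertools.combinations(honest, 2)
                     if j in chosen[i] and i in chosen[j])
    total_pairs = len(honest) * (len(honest) - 1) // 2

    def locality(i):
        # Honest partners count when both kept the channel; a corrupted partner may use
        # any channel the honest party kept, so every such channel counts.
        return sum(1 for j in chosen[i] if j in corrupted or i in chosen[j])

    return {
        "p": p,
        "p_squared": p * p,
        "expected_honest_degree": p * p * n,          # = log^{2 eps} n
        "honest_edge_density": used_pairs / total_pairs,
        "max_chosen": max(len(chosen[i]) for i in honest),
        "max_honest_locality": max(locality(i) for i in honest),
        "sqrt_n_bound": math.sqrt(n) * math.log(n) ** eps,
    }
```

The measured honest-honest density sits at $p^2$, which is the G(n, p') graph the previous sections' arguments need, while an honest party's locality is bounded by the channels it chose itself, i.e. by $O(\sqrt{n}\log^{\epsilon} n)$, regardless of how many of its corrupted neighbours decide to talk to it.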


More information

Lecture 27. Capacity of additive Gaussian noise channel and the sphere packing bound

Lecture 27. Capacity of additive Gaussian noise channel and the sphere packing bound Lecture 7 Ageda for the lecture Gaussia chael with average power costraits Capacity of additive Gaussia oise chael ad the sphere packig boud 7. Additive Gaussia oise chael Up to this poit, we have bee

More information

Problem Set 4 Due Oct, 12

Problem Set 4 Due Oct, 12 EE226: Radom Processes i Systems Lecturer: Jea C. Walrad Problem Set 4 Due Oct, 12 Fall 06 GSI: Assae Gueye This problem set essetially reviews detectio theory ad hypothesis testig ad some basic otios

More information

Fall 2013 MTH431/531 Real analysis Section Notes

Fall 2013 MTH431/531 Real analysis Section Notes Fall 013 MTH431/531 Real aalysis Sectio 8.1-8. Notes Yi Su 013.11.1 1. Defiitio of uiform covergece. We look at a sequece of fuctios f (x) ad study the coverget property. Notice we have two parameters

More information

Lecture 1: Basic problems of coding theory

Lecture 1: Basic problems of coding theory Lecture 1: Basic problems of codig theory Error-Correctig Codes (Sprig 016) Rutgers Uiversity Swastik Kopparty Scribes: Abhishek Bhrushudi & Aditya Potukuchi Admiistrivia was discussed at the begiig of

More information

Convergence of random variables. (telegram style notes) P.J.C. Spreij

Convergence of random variables. (telegram style notes) P.J.C. Spreij Covergece of radom variables (telegram style otes).j.c. Spreij this versio: September 6, 2005 Itroductio As we kow, radom variables are by defiitio measurable fuctios o some uderlyig measurable space

More information

CS322: Network Analysis. Problem Set 2 - Fall 2009

CS322: Network Analysis. Problem Set 2 - Fall 2009 Due October 9 009 i class CS3: Network Aalysis Problem Set - Fall 009 If you have ay questios regardig the problems set, sed a email to the course assistats: simlac@staford.edu ad peleato@staford.edu.

More information

The Boolean Ring of Intervals

The Boolean Ring of Intervals MATH 532 Lebesgue Measure Dr. Neal, WKU We ow shall apply the results obtaied about outer measure to the legth measure o the real lie. Throughout, our space X will be the set of real umbers R. Whe ecessary,

More information

Resampling Methods. X (1/2), i.e., Pr (X i m) = 1/2. We order the data: X (1) X (2) X (n). Define the sample median: ( n.

Resampling Methods. X (1/2), i.e., Pr (X i m) = 1/2. We order the data: X (1) X (2) X (n). Define the sample median: ( n. Jauary 1, 2019 Resamplig Methods Motivatio We have so may estimators with the property θ θ d N 0, σ 2 We ca also write θ a N θ, σ 2 /, where a meas approximately distributed as Oce we have a cosistet estimator

More information

Optimization Methods MIT 2.098/6.255/ Final exam

Optimization Methods MIT 2.098/6.255/ Final exam Optimizatio Methods MIT 2.098/6.255/15.093 Fial exam Date Give: December 19th, 2006 P1. [30 pts] Classify the followig statemets as true or false. All aswers must be well-justified, either through a short

More information

Chapter 6 Infinite Series

Chapter 6 Infinite Series Chapter 6 Ifiite Series I the previous chapter we cosidered itegrals which were improper i the sese that the iterval of itegratio was ubouded. I this chapter we are goig to discuss a topic which is somewhat

More information

Estimation for Complete Data

Estimation for Complete Data Estimatio for Complete Data complete data: there is o loss of iformatio durig study. complete idividual complete data= grouped data A complete idividual data is the oe i which the complete iformatio of

More information

Math 155 (Lecture 3)

Math 155 (Lecture 3) Math 55 (Lecture 3) September 8, I this lecture, we ll cosider the aswer to oe of the most basic coutig problems i combiatorics Questio How may ways are there to choose a -elemet subset of the set {,,,

More information

4.3 Growth Rates of Solutions to Recurrences

4.3 Growth Rates of Solutions to Recurrences 4.3. GROWTH RATES OF SOLUTIONS TO RECURRENCES 81 4.3 Growth Rates of Solutios to Recurreces 4.3.1 Divide ad Coquer Algorithms Oe of the most basic ad powerful algorithmic techiques is divide ad coquer.

More information

CHAPTER 10 INFINITE SEQUENCES AND SERIES

CHAPTER 10 INFINITE SEQUENCES AND SERIES CHAPTER 10 INFINITE SEQUENCES AND SERIES 10.1 Sequeces 10.2 Ifiite Series 10.3 The Itegral Tests 10.4 Compariso Tests 10.5 The Ratio ad Root Tests 10.6 Alteratig Series: Absolute ad Coditioal Covergece

More information

Machine Learning Theory Tübingen University, WS 2016/2017 Lecture 11

Machine Learning Theory Tübingen University, WS 2016/2017 Lecture 11 Machie Learig Theory Tübige Uiversity, WS 06/07 Lecture Tolstikhi Ilya Abstract We will itroduce the otio of reproducig kerels ad associated Reproducig Kerel Hilbert Spaces (RKHS). We will cosider couple

More information

Machine Learning Theory Tübingen University, WS 2016/2017 Lecture 3

Machine Learning Theory Tübingen University, WS 2016/2017 Lecture 3 Machie Learig Theory Tübige Uiversity, WS 06/07 Lecture 3 Tolstikhi Ilya Abstract I this lecture we will prove the VC-boud, which provides a high-probability excess risk boud for the ERM algorithm whe

More information

6.867 Machine learning

6.867 Machine learning 6.867 Machie learig Mid-term exam October, ( poits) Your ame ad MIT ID: Problem We are iterested here i a particular -dimesioal liear regressio problem. The dataset correspodig to this problem has examples

More information

Randomized Algorithms I, Spring 2018, Department of Computer Science, University of Helsinki Homework 1: Solutions (Discussed January 25, 2018)

Randomized Algorithms I, Spring 2018, Department of Computer Science, University of Helsinki Homework 1: Solutions (Discussed January 25, 2018) Radomized Algorithms I, Sprig 08, Departmet of Computer Sciece, Uiversity of Helsiki Homework : Solutios Discussed Jauary 5, 08). Exercise.: Cosider the followig balls-ad-bi game. We start with oe black

More information

Recursive Algorithm for Generating Partitions of an Integer. 1 Preliminary

Recursive Algorithm for Generating Partitions of an Integer. 1 Preliminary Recursive Algorithm for Geeratig Partitios of a Iteger Sug-Hyuk Cha Computer Sciece Departmet, Pace Uiversity 1 Pace Plaza, New York, NY 10038 USA scha@pace.edu Abstract. This article first reviews the

More information

Model Theory 2016, Exercises, Second batch, covering Weeks 5-7, with Solutions

Model Theory 2016, Exercises, Second batch, covering Weeks 5-7, with Solutions Model Theory 2016, Exercises, Secod batch, coverig Weeks 5-7, with Solutios 3 Exercises from the Notes Exercise 7.6. Show that if T is a theory i a coutable laguage L, haso fiite model, ad is ℵ 0 -categorical,

More information

Lecture 3: August 31

Lecture 3: August 31 36-705: Itermediate Statistics Fall 018 Lecturer: Siva Balakrisha Lecture 3: August 31 This lecture will be mostly a summary of other useful expoetial tail bouds We will ot prove ay of these i lecture,

More information

Review of Elementary Cryptography. For more material, see my notes of CSE 5351, available on my webpage

Review of Elementary Cryptography. For more material, see my notes of CSE 5351, available on my webpage Review of Elemetary Cryptography For more material, see my otes of CSE 5351, available o my webpage Outlie Security (CPA, CCA, sematic security, idistiguishability) RSA ElGamal Homomorphic ecryptio 2 Two

More information

Recursive Algorithms. Recurrences. Recursive Algorithms Analysis

Recursive Algorithms. Recurrences. Recursive Algorithms Analysis Recursive Algorithms Recurreces Computer Sciece & Egieerig 35: Discrete Mathematics Christopher M Bourke cbourke@cseuledu A recursive algorithm is oe i which objects are defied i terms of other objects

More information

NUMERICAL METHODS FOR SOLVING EQUATIONS

NUMERICAL METHODS FOR SOLVING EQUATIONS Mathematics Revisio Guides Numerical Methods for Solvig Equatios Page 1 of 11 M.K. HOME TUITION Mathematics Revisio Guides Level: GCSE Higher Tier NUMERICAL METHODS FOR SOLVING EQUATIONS Versio:. Date:

More information

Math 525: Lecture 5. January 18, 2018

Math 525: Lecture 5. January 18, 2018 Math 525: Lecture 5 Jauary 18, 2018 1 Series (review) Defiitio 1.1. A sequece (a ) R coverges to a poit L R (writte a L or lim a = L) if for each ǫ > 0, we ca fid N such that a L < ǫ for all N. If the

More information

Commutativity in Permutation Groups

Commutativity in Permutation Groups Commutativity i Permutatio Groups Richard Wito, PhD Abstract I the group Sym(S) of permutatios o a oempty set S, fixed poits ad trasiet poits are defied Prelimiary results o fixed ad trasiet poits are

More information

DS 100: Principles and Techniques of Data Science Date: April 13, Discussion #10

DS 100: Principles and Techniques of Data Science Date: April 13, Discussion #10 DS 00: Priciples ad Techiques of Data Sciece Date: April 3, 208 Name: Hypothesis Testig Discussio #0. Defie these terms below as they relate to hypothesis testig. a) Data Geeratio Model: Solutio: A set

More information

Lecture 12: November 13, 2018

Lecture 12: November 13, 2018 Mathematical Toolkit Autum 2018 Lecturer: Madhur Tulsiai Lecture 12: November 13, 2018 1 Radomized polyomial idetity testig We will use our kowledge of coditioal probability to prove the followig lemma,

More information

Lecture 4: Unique-SAT, Parity-SAT, and Approximate Counting

Lecture 4: Unique-SAT, Parity-SAT, and Approximate Counting Advaced Complexity Theory Sprig 206 Lecture 4: Uique-SAT, Parity-SAT, ad Approximate Coutig Prof. Daa Moshkovitz Scribe: Aoymous Studet Scribe Date: Fall 202 Overview I this lecture we begi talkig about

More information

Statistical Inference (Chapter 10) Statistical inference = learn about a population based on the information provided by a sample.

Statistical Inference (Chapter 10) Statistical inference = learn about a population based on the information provided by a sample. Statistical Iferece (Chapter 10) Statistical iferece = lear about a populatio based o the iformatio provided by a sample. Populatio: The set of all values of a radom variable X of iterest. Characterized

More information

Quantum Computing Lecture 7. Quantum Factoring

Quantum Computing Lecture 7. Quantum Factoring Quatum Computig Lecture 7 Quatum Factorig Maris Ozols Quatum factorig A polyomial time quatum algorithm for factorig umbers was published by Peter Shor i 1994. Polyomial time meas that the umber of gates

More information

Solutions for the Exam 9 January 2012

Solutions for the Exam 9 January 2012 Mastermath ad LNMB Course: Discrete Optimizatio Solutios for the Exam 9 Jauary 2012 Utrecht Uiversity, Educatorium, 15:15 18:15 The examiatio lasts 3 hours. Gradig will be doe before Jauary 23, 2012. Studets

More information

( ) = p and P( i = b) = q.

( ) = p and P( i = b) = q. MATH 540 Radom Walks Part 1 A radom walk X is special stochastic process that measures the height (or value) of a particle that radomly moves upward or dowward certai fixed amouts o each uit icremet of

More information

Resolution Proofs of Generalized Pigeonhole Principles

Resolution Proofs of Generalized Pigeonhole Principles Resolutio Proofs of Geeralized Pigeohole Priciples Samuel R. Buss Departmet of Mathematics Uiversity of Califoria, Berkeley Győrgy Turá Departmet of Mathematics, Statistics, ad Computer Sciece Uiversity

More information

A Block Cipher Using Linear Congruences

A Block Cipher Using Linear Congruences Joural of Computer Sciece 3 (7): 556-560, 2007 ISSN 1549-3636 2007 Sciece Publicatios A Block Cipher Usig Liear Cogrueces 1 V.U.K. Sastry ad 2 V. Jaaki 1 Academic Affairs, Sreeidhi Istitute of Sciece &

More information

Spectral Partitioning in the Planted Partition Model

Spectral Partitioning in the Planted Partition Model Spectral Graph Theory Lecture 21 Spectral Partitioig i the Plated Partitio Model Daiel A. Spielma November 11, 2009 21.1 Itroductio I this lecture, we will perform a crude aalysis of the performace of

More information

LONG SNAKES IN POWERS OF THE COMPLETE GRAPH WITH AN ODD NUMBER OF VERTICES

LONG SNAKES IN POWERS OF THE COMPLETE GRAPH WITH AN ODD NUMBER OF VERTICES J Lodo Math Soc (2 50, (1994, 465 476 LONG SNAKES IN POWERS OF THE COMPLETE GRAPH WITH AN ODD NUMBER OF VERTICES Jerzy Wojciechowski Abstract I [5] Abbott ad Katchalski ask if there exists a costat c >

More information

Discrete Mathematics and Probability Theory Spring 2013 Anant Sahai Lecture 18

Discrete Mathematics and Probability Theory Spring 2013 Anant Sahai Lecture 18 EECS 70 Discrete Mathematics ad Probability Theory Sprig 2013 Aat Sahai Lecture 18 Iferece Oe of the major uses of probability is to provide a systematic framework to perform iferece uder ucertaity. A

More information

Seunghee Ye Ma 8: Week 5 Oct 28

Seunghee Ye Ma 8: Week 5 Oct 28 Week 5 Summary I Sectio, we go over the Mea Value Theorem ad its applicatios. I Sectio 2, we will recap what we have covered so far this term. Topics Page Mea Value Theorem. Applicatios of the Mea Value

More information

CS / MCS 401 Homework 3 grader solutions

CS / MCS 401 Homework 3 grader solutions CS / MCS 401 Homework 3 grader solutios assigmet due July 6, 016 writte by Jāis Lazovskis maximum poits: 33 Some questios from CLRS. Questios marked with a asterisk were ot graded. 1 Use the defiitio of

More information

Topic 5: Basics of Probability

Topic 5: Basics of Probability Topic 5: Jue 1, 2011 1 Itroductio Mathematical structures lie Euclidea geometry or algebraic fields are defied by a set of axioms. Mathematical reality is the developed through the itroductio of cocepts

More information

Polynomials with Rational Roots that Differ by a Non-zero Constant. Generalities

Polynomials with Rational Roots that Differ by a Non-zero Constant. Generalities Polyomials with Ratioal Roots that Differ by a No-zero Costat Philip Gibbs The problem of fidig two polyomials P(x) ad Q(x) of a give degree i a sigle variable x that have all ratioal roots ad differ by

More information

Cooperative Communication Fundamentals & Coding Techniques

Cooperative Communication Fundamentals & Coding Techniques 3 th ICACT Tutorial Cooperative commuicatio fudametals & codig techiques Cooperative Commuicatio Fudametals & Codig Techiques 0..4 Electroics ad Telecommuicatio Research Istitute Kiug Jug 3 th ICACT Tutorial

More information

subcaptionfont+=small,labelformat=parens,labelsep=space,skip=6pt,list=0,hypcap=0 subcaption ALGEBRAIC COMBINATORICS LECTURE 8 TUESDAY, 2/16/2016

subcaptionfont+=small,labelformat=parens,labelsep=space,skip=6pt,list=0,hypcap=0 subcaption ALGEBRAIC COMBINATORICS LECTURE 8 TUESDAY, 2/16/2016 subcaptiofot+=small,labelformat=pares,labelsep=space,skip=6pt,list=0,hypcap=0 subcaptio ALGEBRAIC COMBINATORICS LECTURE 8 TUESDAY, /6/06. Self-cojugate Partitios Recall that, give a partitio λ, we may

More information

Sequences A sequence of numbers is a function whose domain is the positive integers. We can see that the sequence

Sequences A sequence of numbers is a function whose domain is the positive integers. We can see that the sequence Sequeces A sequece of umbers is a fuctio whose domai is the positive itegers. We ca see that the sequece 1, 1, 2, 2, 3, 3,... is a fuctio from the positive itegers whe we write the first sequece elemet

More information

Square-Congruence Modulo n

Square-Congruence Modulo n Square-Cogruece Modulo Abstract This paper is a ivestigatio of a equivalece relatio o the itegers that was itroduced as a exercise i our Discrete Math class. Part I - Itro Defiitio Two itegers are Square-Cogruet

More information

Discrete Mathematics for CS Spring 2007 Luca Trevisan Lecture 22

Discrete Mathematics for CS Spring 2007 Luca Trevisan Lecture 22 CS 70 Discrete Mathematics for CS Sprig 2007 Luca Trevisa Lecture 22 Aother Importat Distributio The Geometric Distributio Questio: A biased coi with Heads probability p is tossed repeatedly util the first

More information

Balanced coloring of bipartite graphs

Balanced coloring of bipartite graphs Balaced colorig of bipartite graphs Uriel Feige Shimo Koga Departmet of Computer Sciece ad Applied Mathematics Weizma Istitute, Rehovot 76100, Israel uriel.feige@weizma.ac.il Jue 16, 009 Abstract Give

More information

Fundamental Theorem of Algebra. Yvonne Lai March 2010

Fundamental Theorem of Algebra. Yvonne Lai March 2010 Fudametal Theorem of Algebra Yvoe Lai March 010 We prove the Fudametal Theorem of Algebra: Fudametal Theorem of Algebra. Let f be a o-costat polyomial with real coefficiets. The f has at least oe complex

More information

Report on Private Information Retrieval over Unsynchronized Databases

Report on Private Information Retrieval over Unsynchronized Databases Report o Private Iformatio Retrieval over Usychroized Databases Lembit Valgma Supervised by Vitaly Skachek May 25, 217 1 Problem Statemet There are may challeges cocerig olie privacy. Private iformatio

More information