\({\varvec{1/p}}\)-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

Abstract

A protocol for computing a functionality is secure if an adversary in this protocol cannot cause more harm than in an ideal computation, where parties give their inputs to a trusted party that returns the output of the functionality to all parties. In particular, in the ideal model, such computation is fair—if the corrupted parties get the output, then the honest parties get the output. Cleve (STOC 1986) proved that, in general, fairness is not possible without an honest majority. To overcome this impossibility, Gordon and Katz (Eurocrypt 2010) suggested a relaxed definition—1/p-secure computation—which guarantees partial fairness. For two parties, they constructed 1/p-secure protocols for functionalities for which the size of either their domain or their range is polynomial (in the security parameter). Gordon and Katz ask whether their results can be extended to multiparty protocols. We study 1/p-secure protocols in the multiparty setting for general functionalities. Our main result is constructions of 1/p-secure protocols that are resilient against any number of corrupted parties provided that the number of parties is constant and the size of the range of the functionality is at most polynomial (in the security parameter \({n}\)). If fewer than 2/3 of the parties are corrupted, the size of the domain of each party is constant, and the functionality is deterministic, then our protocols are efficient even when the number of parties is \(\log \log {n}\). On the negative side, we show that when the number of parties is super-constant, 1/p-secure protocols are not possible when the size of the domain of each party is polynomial. Thus, our feasibility results for 1/p-secure computation are essentially tight. We further motivate our results by constructing protocols with stronger guarantees: If in the execution of the protocol there is a majority of honest parties, then our protocols provide full security. However, if only a minority of the parties are honest, then our protocols are 1/p-secure. Thus, our protocols provide the best of both worlds, where the 1/p-security is only a fall-back option if there is no honest majority.

Appendix A: Proof of Lemma 2.6

Proof

Fix \(D_1,D_2\) satisfying Inequality (1). We prove the lemma by induction on \({r}\). When \({r}=1\) the lemma is trivially true; Assume \({\text {win}}({r})\le 1/\alpha {r}+ \beta \); we upper-bound \({\text {win}}({r}+1)\). As \({{\mathcal {A}}}\) is unbounded, we can assume without loss of generality that \({{\mathcal {A}}}\) is deterministic. Let S be the set in the support of \(D_2\) such that \({{\mathcal {A}}}\) aborts in the first iteration if and only if \(a_1\in S\). We define \(S_h\) as all the elements \(z\in S\) s.t. \(\Pr _{a\leftarrow D_1}[a=z] \ge \alpha \Pr _{a\leftarrow D_2}[a=z]\) holds for them and \(S_\ell = S {\setminus } S_h\). Observe that \(\Pr _{a\leftarrow D_2}[a_1\in S_\ell ]\le \beta \). If \({{\mathcal {A}}}\) does not abort in the first iteration, and the game does not end, then the conditional distribution of \(i^\star \) is uniform in \(\left\{ 2,\ldots ,{r}\right\} \) and the game \(\Gamma ({r}+1)\) from this point forward is exactly equivalent to the game \(\Gamma ({r})\). In particular, conditioned on the game \(\Gamma ({r}+1)\) not ending after the first iteration, the probability that \({{\mathcal {A}}}\) wins is at most \({\text {win}}({r})\). We thus have

$$\begin{aligned}&\Pr [{\text {win}}({r}+1)] \nonumber \\&\quad = \Pr [{{\mathcal {A}}}{\text {wins}} \wedge a_1 \in S_\ell \wedge i^\star =1] + \Pr [{{\mathcal {A}}}{\text {wins}} \wedge a_1 \in S_h \wedge i^\star =1] \nonumber \\&\qquad + \Pr [{{\mathcal {A}}}{\text {wins}} \wedge i^\star>1] \nonumber \\&\quad \le \Pr [a_1 \in S_\ell \wedge i^\star =1] + \Pr [ a_1 \in S_h \wedge i^\star =1] + \Pr [{{\mathcal {A}}}{\text {wins}} \wedge i^\star >1] \nonumber \\&\quad \le \frac{\beta }{{r}+1} + \frac{1}{{r}+1}\Pr _{a_1\leftarrow D_2}[a_1 \in S_h]+ \frac{{r}}{{r}+1}\left( 1-\Pr _{a_1\leftarrow D_1}[a_1 \in S]\right) {\text {win}}({r}) \nonumber \\&\quad \le \frac{\beta }{{r}+1} + \frac{1}{{r}+1}\Pr _{a_1\leftarrow D_2}[a_1 \in S_h]+ \frac{{r}}{{r}+1}\left( 1-\Pr _{a_1\leftarrow D_1}[a_1 \in S_h]\right) \left( \frac{1}{\alpha {r}}+\beta \right) \nonumber \\&\quad \le \frac{\beta }{{r}+1} + \frac{1}{{r}+1}\Pr _{a_1\leftarrow D_2}[a_1 \in S_h]+ \frac{{r}}{{r}+1}\left( 1-\Pr _{a_1\leftarrow D_1}[a_1 \in S_h]\right) \frac{1}{\alpha {r}}+ \frac{{r}}{{r}+1}\beta \nonumber \\&\quad \le \beta + \frac{1}{{r}+1}\Pr _{a_1\leftarrow D_2}[a_1 \in S_h]+ \frac{{r}}{{r}+1}\left( 1-\alpha \Pr _{a_1\leftarrow D_2}[a_1 \in S_h]\right) \frac{1}{\alpha {r}} \nonumber \\&= \beta + \frac{1}{\alpha ({r}+1)}. \end{aligned}$$

\(\square \)