Hybrid-Secure MPC: Trading Information-Theoretic Robustness for Computational Privacy

Christoph Lucas, Dominik Raub, and Ueli Maurer

Proc. of the 2010 ACM Symposium on Principles of Distributed Computing — PODC '10, pp. 219–228, Jul 2010, Full Version available from http://eprint.iacr.org/2009/009.

Most protocols for distributed, fault-tolerant computation, or multi-party computation (MPC), provide security guarantees in an all-or-nothing fashion: If the number of corrupted parties is below a certain threshold, these protocols provide all specified security guarantees. Beyond this threshold, they provide no security guarantees at all. Furthermore, most previous protocols achieve either information-theoretic (IT) security, in which case this threshold is low, or they achieve only computational security, in which case this threshold is high. In contrast, a hybrid-secure protocol provides different security guarantees depending on the set of corrupted parties and the computational power of the adversary, without being aware of the actual adversarial setting. Thus, hybrid-secure MPC protocols allow for graceful degradation of security.

We present a hybrid-secure MPC protocol that provides an optimal trade-off between IT robustness and computational privacy: For any robustness parameter $ρ < \frac{n}{2}$ , we obtain one MPC protocol that is simultaneously IT secure with robustness for up to $t \leq ρ$ actively corrupted parties, IT secure with fairness (no robustness) for up to $t < \frac{n}{2}$ , and computationally secure with agreement on abort (privacy and correctness only) for up to $t < n - ρ$ . Our construction is secure in the universal composability (UC) framework (based on a network of secure channels, a broadcast channel, and a common reference string). It achieves the bound on the trade-off between robustness and privacy shown by Ishai et al. [CRYPTO'06] and Katz [STOC'07], the bound on fairness shown by Cleve [STOC'86], and the bound on IT security shown by Kilian [STOC'00], and is the first protocol that achieves all these bounds simultaneously.

For example, in the special case $ρ = 0$ our protocol simultaneously achieves non-robust MPC for up to $t < n$ corrupted parties in the computational setting (like Goldreich et al. [STOC'87]), while providing security with fairness in the IT setting for up to $t < \frac{n}{2}$ corrupted parties (like Rabin and Ben-Or [STOC'89] though without robustness).

BibTeX Citation

@inproceedings{LuRaMa10,
    author       = {Christoph Lucas and Dominik Raub and Ueli Maurer},
    title        = {Hybrid-Secure MPC: Trading Information-Theoretic Robustness for Computational Privacy},
    booktitle    = {Proc. of the 2010 ACM Symposium on Principles of Distributed Computing --- PODC~'10},
    pages        = {219--228},
    year         = {2010},
    month        = {7},
    note         = {Full Version available from http://eprint.iacr.org/2009/009},
}