Name
Abstract | ||
|---|---|---|
A fundamental and widely-applied paradigm due to Franklin and Yung (STOC 1992) on Shamir-secret -sharing based general n-player MPC shows how one may trade the adversary threshold t against amortized communication complexity, by using a so-called packed version of Shamir's scheme. For e.g. the BGW-protocol (with active security), this trade-off means that if t 2k 2 < n/3, then k parallel evaluations of the same arithmetic circuit on different inputs can be performed at the overall cost corresponding to a single BGW-execution. In this paper we propose a novel paradigm for amortized MPC that offers a different trade-off, namely with the size of the field of the circuit which is securely computed, instead of the adversary threshold. Thus, unlike the Franklin-Yung paradigm, this leaves the adversary threshold unchanged. Therefore, for instance, this paradigm may yield constructions enjoying the maximal adversary threshold L(n 1)/3] in the BGWmodel (secure channels, perfect security, active adversary, synchronous communication). Our idea is to compile an MPC for a circuit over an extension field to a parallel MPC of the same circuit but with inputs defined over its base field and with the same adversary threshold. Key technical handles are our notion of reverse multiplication-friendly embeddings (RMFE) and our proof, by algebraic -geometric means, that these are constant-rate, as well as efficient auxiliary protocols for creating "subspace-randomness" with good amortized complexity. In the BGW-model, we show that the latter can be constructed by combining our tensored-up linear secret sharing with protocols based on hyper-invertible matrices a la BeerliovaHirt (or variations thereof). Along the way, we suggest alternatives for hyper-invertible matrices with the same functionality but which can be defined over a large enough constant size field, which we believe is of independent interest. As a demonstration of the merits of the novel paradigm, we show that, in the BGW-model and with an optimal adversary threshold L(n 1)/3], it is possible to securely compute a binary circuit with amortized complexity 0(n) of bits per gate per instance. Known results would given log n bits instead. By combining our result with the Franklin-Yung paradigm, and assuming a sub-optimal adversary (i.e., an arbitrarily small > 0 fraction below 1/3), this is improved to 0(1) bits instead of 0(n). |
Year | DOI | Venue |
|---|---|---|
2018 | 10.1007/978-3-319-96878-0_14 | ADVANCES IN CRYPTOLOGY - CRYPTO 2018, PT III |
DocType | Volume | ISSN |
Conference | 10993 | 0302-9743 |
Citations | PageRank | References |
0 | 0.34 | 12 |
Authors | ||
4 | ||
Name | Order | Citations | PageRank |
|---|---|---|---|
| Ignacio Cascudo Pueyo | 1 | 118 | 11.41 |
| Ronald Cramer | 2 | 2499 | 178.28 |
| Chaoping Xing | 3 | 916 | 110.47 |
| Chen Yuan | 4 | 27 | 12.30 |