Welcome!
To use the personalized features of this site, please log in or register.
If you have forgotten your username or password, we can help.
|
 |
Secure Computation without Agreement
Extended Abstract
| |
|
Secure Computation without Agreement
Extended Abstract
Shafi Goldwasser5  and Yehuda Lindell5
| (5) |
Department of Computer Science and Applied Math, Weizmann Institute of Science, Rehovot, Israel |
Abstract
It has recently been shown that executions of authenticated Byzantine Agreement protocols in which more than a third of the
parties are corrupted, cannot be composed concurrently, in parallel, or even sequentially (where the latter is true for deterministic
protocols). This result puts into question any usage of authenticated Byzantine agreement in a setting where many executions
take place. In particular, this is true for the whole body of work of secure multi-party protocols in the case that 1/3 or
more of the parties are corrupted. Such protocols strongly rely on the extensive use of a broadcast channel, which is in turn
realized using authenticated Byzantine Agreement. Essentially, this use of Byzantine Agreement cannot be eliminated since
the standard definition of secure computation (for the case that less than 1/2 of the parties are corrupted) actually implies
Byzantine Agreement. Moreover, it was accepted folklore that the use of a broadcast channel is essential for achieving secure
multiparty computation, when 1/3 or more of the parties are corrupted.
In this paper we show that this folklore is false. We mildly relax the definition of secure computation allowing abort, and
show how this definition can be reached. The difference between our definition and previous ones is as follows. Previously,
if one honest party aborted then it was required that all other honest parties also abort. Thus, the parties agree on whether or not the protocol execution terminated successfully or not. In our new definition, it is possible that some
parties abort while others receive output. Thus, there is no agreement regarding the success of the protocol execution. We
stress that in all other aspects, our definition remains the same. In particular, if an output is received it is guaranteed
to have been computed correctly. The novelty of the new definition is in decoupling the issue of agreement from the central security issues of privacy and correctness in secure computation. As a result the
lower bounds of Byzantine Agreement no longer apply to secure computation. Indeed, we prove that secure multi-party computation
can be achieved for any number of corrupted parties and without a broadcast channel (or trusted preprocessing phase as required
for running authenticated Byzantine Agreement). An important corollary of our result is the ability to obtain multi-party
protocols that compose.
A full version of this paper can be found on the IACR Cryptology ePrint Archive, Report 2002/040, http://eprint.iacr.org
Fulltext Preview (Small, Large)
 References secured to subscribers.
|
|
|
|
|
|