[Resource Topic] 2024/503: Two Levels are Better than One: Dishonest Majority MPC with $\widetilde{O}(|C|)$ Total Communication

Welcome to the resource topic for 2024/503

Two Levels are Better than One: Dishonest Majority MPC with \widetilde{O}(|C|) Total Communication

Authors: Alexander Bienstock, Kevin Yeo


In recent years, there has been tremendous progress in improving the communication complexity of dishonest majority MPC. In the sub-optimal corruption threshold setting, where t<(1-\varepsilon)\cdot n for some constant 0<\varepsilon\leq 1/2, the recent works Sharing Transformation (Goyal \textit{et al.}, CRYPTO’22) and SuperPack (Escudero \textit{et al.}, EUROCRYPT’23) presented protocols with information-theoretic online phases achieving O(1) communication per multiplication gate, across all parties. However, the former assumes that their offline phase is instantiated by a trusted party, while the latter instantiates their offline phase with \Omega(n) communication per multiplication gate assuming oblivious linear evaluation (OLE) correlations.

In this work, we present a dishonest majority MPC protocol for t< (1-\varepsilon)\cdot n with \widetilde{O}(1) total communication per multiplication gate across both the offline and online phases, or \widetilde{O}(|C|) total communication for any arithmetic circuit C. To do so, we securely instantiate the offline phase of Sharing Transformation, assuming some OLE correlations. The major bottleneck in instantiating the offline phases of both Sharing Transformation and SuperPack is generating random packed beaver triples of the form [\boldsymbol{a}], [\boldsymbol{b}], [\boldsymbol{c}], for random \boldsymbol{a},\boldsymbol{b}\in\mathbb{F}^k, and \boldsymbol{c}=\boldsymbol{a}*\boldsymbol{b}\in\mathbb{F}^k, where k=\Omega(n) is the \textit{packing parameter}. We overcome this barrier by presenting a packed beaver triple protocol with \widetilde{O}(n) total communication, or \widetilde{O}(1) communication per underlying triple.

Our packed beaver triple protocol consists of two levels of randomness extraction. The first level uses a relaxation of super-invertible matrices that we introduce, called \textit{weakly} super-invertible matrices, in which sub-matrices have sufficiently high (but not necessarily full) rank. This weakening enables matrix constructions with only O(n) non-zero entries, which is a primary reason for the efficiency of our protocol. Our second level of extraction is based on the \textit{triple extraction} protocol of (Choudhury and Patra, Trans. Inform. Theory '17).

ePrint: https://eprint.iacr.org/2024/503

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .