Score:2

Secure Multi-Party Computation (MPC) protocol with all dishonest parties

cc flag

What if we consider an MPC protocol in which all parties are dishonest? Is it unattainable (even with allowing abort) or is it just meaningless to think about?

Score:4
my flag

What if we consider an MPC protocol in which all parties are dishonest?

If all parties are dishonest, then they all can refuse to perform whatever protocol we selected, and do whatever they want. Hence, if there is a security goal that is met by an MPC protocol that we specify, that goal is met because the parties couldn't violate it.

randoracle avatar
cc flag
So if I get you correctly, an MPC protocol with all dishonest parties that meets a security goal has to minimize the ability of the parties so that they cannot violate it. Or your point is that the notion does not make sense because of their ability to do whatever they want?
Score:4
cn flag

Secure computation against all dishonest parties is well-defined, and actually attainable under standard assumptions. The key point is that this notion is useful when we consider composable notions of MPC (e.g. MPC in the UC model). Indeed, in this case, you could have $N$ parties running a big protocol, which internally involves (among other things) $n< N$ parties running a sub-protocol. Now, you want the resulting composed protocol to remain secure even when all $n$ parties are corrupted.

This does not contradict poncho's answer: here, the $n$ parties refusing to participate would result in an abortion of the protocol (since the sub-component would never be run). In other terms, poncho explained that you cannot have security without aborts, and that the notion does not make sense in the stand-alone setting (or, rather, is trivially attained - "stand-alone" is the term used to indicate security of a protocol when the latter is run in isolation, not in a broader context). I'm pointing out that, on the other hand, it makes perfect sense for composable security-with-abort (and is typically considered in Canetti's framework of universal composability).

The setting of full corruption is for example discussed here, see also pointers therein. The introduction explicitly discusses this setting.

randoracle avatar
cc flag
Thank you for your detailed answer! Could you clarify why the notion does not make sense in the stand-alone settings? I am not getting it.
Geoffroy Couteau avatar
cn flag
If you only run the protocol in isolation, what would be the security notion? The natural, « simulation-style » notion, would be along the lines of: there is a simulator who can simulate correctly the messages of all *honest* parties from the viewpoint of the adversary. If there are no honest parties, this becomes trivially true! But in a broader context, there could be honest parties *beyond* the parties involved in the protocol. Does that make sense?
randoracle avatar
cc flag
It makes perfect sense. Thank you very much!
Score:2
us flag

It sometimes makes sense to consider all malicious parties in the context of adaptive security.

  • Static security = the set of corrupt parties is fixed during the protocol execution.
  • Adaptive security = additional parties can become corrupted during the protocol execution.

Security is trivial against an adversary who statically corrupts all parties -- i.e., there is nothing to simulate in this case. But security is nontrivial against an adversary who adaptively corrupts all parties eventually. When the adversary chooses to corrupt a party, it learns that party's internal state. The simulator must therefore simulate that internal state, and this is usually nontrivial to do.

You can consider a scenario where some parties start the execution honestly, but all parties are eventually corrupted by the end of the execution.

This can be a natural situation when you consider composition. Suppose there are $n$ parties, and some subset of $n' < n$ of them run a subprotocol. The adversary can adaptively corrupt some of the $n$ "outer" parties, leaving some of them uncorrupted, but causing all $n'$ of the parties involved in the subprotocol to become corrupted. So even if it's unnatural to think that all $n$ "outer" parties become corrupted, you might still need the subprotocol to be secure against all corrupt parties.
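Added example, not part of the original answer: a sketch of why simulating a corrupted party's internal state is nontrivial under adaptive corruption. It goes beyond the text by assuming two toy single-message protocols (a one-time-pad message and a SHA-256 commitment); all function names are hypothetical. The simulator must send a message before it knows the party's input, then explain that message once the party is corrupted.

```python
import hashlib
import secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# --- Toy protocol A (assumed): a party sends c = input XOR pad -------------
def sim_message_otp(n):
    # Simulator sends a message for a still-honest party without knowing its input.
    return secrets.token_bytes(n)

def sim_state_otp(c, true_input):
    # On corruption the simulator learns the input and must output an internal
    # state that explains c. A one-time pad can be equivocated: pad = c XOR input.
    return {"input": true_input, "pad": xor(c, true_input)}

def explains_otp(state, c):
    return xor(state["input"], state["pad"]) == c

# --- Toy protocol B (assumed): a party sends c = SHA-256(rand || input) ----
def commit(value, rand):
    return hashlib.sha256(rand + value).digest()

def sim_message_commit(n):
    # The simulator has to commit to a dummy value before it knows the input.
    rand = secrets.token_bytes(32)
    return commit(bytes(n), rand), rand

def sim_state_commit(rand, true_input):
    # No efficient way to find rand' with commit(true_input, rand') == c,
    # so the best the simulator can do is reuse the dummy randomness.
    return {"input": true_input, "rand": rand}

def explains_commit(state, c):
    return commit(state["input"], state["rand"]) == c

def run_demo(true_input=b"party-input-0001"):  # constructed sample input
    c1 = sim_message_otp(len(true_input))
    ok_otp = explains_otp(sim_state_otp(c1, true_input), c1)
    c2, rand = sim_message_commit(len(true_input))
    ok_commit = explains_commit(sim_state_commit(rand, true_input), c2)
    return ok_otp, ok_commit

if __name__ == "__main__":
    print(run_demo())
```

In protocol A the simulated state always matches the earlier message; in protocol B the binding commitment leaves the simulator with a state the adversary can check and reject.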

sh flag
Could the dishonest parties just be "corrupted by different adversaries"?
us flag
Corruption by different/independent adversaries is famously hard to get right in a composable model. So I can't claim to give insight about that case.
Geoffroy Couteau avatar
cn flag
This is a good complementary answer to mine: I forgot to discuss the fact that the issue crucially shows up in the setting of adaptive corruption (actually, the paper I pointed to specifically discusses adaptive corruptions in a composition setting).