Secure Multiparty Computation with Identifiable Abort from Vindicating Release
@misc{DKLS24,
title = {Secure Multiparty Computation with Identifiable Abort from Vindicating Release},
author = {Ran Cohen and Jack Doerner and Yash Kondi and abhi shelat},
howpublished = {CRYPTO'2024 and eprint/2023/1136},
year = {2023},
}
In the dishonest-majority setting, secure multiparty computation (MPC) protocols typically guarantee only security with abort, leaving them vulnerable to attacks in which malicious participants abort the protocol after learning their outputs.
One strategy to defend against such denial-of-service attacks is to identify cheaters who cause aborts. At present, there is a substantial performance gap between the best known protocols that are secure with identifiable abort (IA), and those that achieve non-identifiable abort. Known constructions with IA rely on generic zero-knowledge proofs, adaptively secure oblivious transfer (OT) protocols, or homomorphic primitives.
We present a novel approach for realizing a weak form of input-revealing IA, which is based on delicate and selective revealing of committed input values. We refer to this new approach as vindicating release. While forcing parties to release their input seems like a natural strategy for IA, prior attempts have been unable to devise a simulation strategy, because input release invokes many of the same difficulties as fully-adaptive security.
We apply our approach to several well-known protocols, including PVW OT, SoftSpoken OT Extension, DKLs VOLE, and MASCOT. These modified constructions can be combined to realize any sampling functionality with (standard) IA. Such a realization is statistically secure given a variant of statically-corruptable ideal OT, and it differs minimally in terms of cost, techniques, and analysis from the equivalent realization that lacks identifiability. If input-revealing abort is tolerable, then the bandwidth overhead induced by our modifications is 50-100%.
On a practical level, we apply our techniques to the problem of threshold ECDSA, and show that the resulting protocol (with standard IA) is concretely efficient. On a theoretical level, we consider the IOZ compiler, which transforms any secure protocol into one with (standard) IA assuming an adaptively-secure OT protocol. We reduce the requirements of IOZ to a variant of statically-corruptable ideal OT.