Trading Correctness for Privacy in Unconditional Multi-Party Computation
Abstract
This paper improves on the classical results in unconditionally secure multi-party computation among a set of n players, by considering a model with three simultaneously occurring types of player corruption: the adversary can actively corrupt (i.e. take full control over) up to ta players and, additionally, can passively corrupt (i.e. read the entire information of) up to tp players and fail-corrupt (i.e. stop the computation of) up to tf other players. The classical results in multi-party computation are for the special cases of only passive (ta = tf = 0) or only active (tp = tf = 0) corruption. In the passive case, every function can be computed securely if and only if tp < n/2. In the active case, every function can be computed securely if and only if ta < n/3; when a broadcast channel is available, then this bound is ta < n/2. These bounds are tight. Strictly improving these results, one of our results states that, in addition to tolerating ta < n/3 actively corrupted players, privacy can be guaranteed against every minority, thus tolerating additional tp ≤ n/6 passively corrupted players. These protocols require no broadcast and have an exponentially small failure probability. We further show that the bound t < n/2 for passive corruption holds even if the adversary is additionally allowed to make the passively corrupted players fail. Moreover, we characterize completely the achievable thresholds ta, tp and tf for four scenarios. Zero failure probability is achievable if and only if 3ta + 2tp + tf < n; this holds whether or not a broadcast channel is available. Exponentially small failure probability with a broadcast channel is achievable if and only if 2ta + 2tp + tf < n; without broadcast, the additional condition 3ta + tf < n is necessary and sufficient.

This is a corrected version of an article with the same title in Advances in Cryptology – CRYPTO ’98, Lecture Notes in Computer Science, vol. 1462, Springer. Research supported by the Swiss National Science Foundation (SNF), SPP project no. 5003045293.
Similar resources
(Unconditional) Secure Multiparty Computation with Man-in-the-middle Attacks
In secure multi-party computation n parties jointly evaluate an n-variate function f in the presence of an adversary which can corrupt up till t parties. All honest parties are required to receive their correct output values, irrespective of how the corrupted parties under the control of the adversary behave. The adversary should not be able to learn anything more about the input values of the ...
Trading Correctness for Privacy in Unconditional Multi-Party Computation (Extended Abstract)
This paper improves on the classical results in unconditionally secure multi-party computation among a set of n players, by considering a model with three simultaneously occurring types of player corruption: the adversary can actively corrupt (i.e. take full control over) up to ta players and, additionally, can passively corrupt (i.e. read the entire information of) up to tp players and fail-co...
Trading Correctness for Privacy in Unconditional Multi-Party Computation Corrected Version
This paper improves on the classical results in unconditionally secure multi-party computation among a set of n players, by considering a model with three simultaneously occurring types of player corruption: the adversary can actively corrupt (i.e. take full control over) up to ta players and, additionally, can passively corrupt (i.e. read the entire information of) up to tp players and fail-co...
On Correctness and Privacy in Distributed Mechanisms
Mechanisms that aggregate the possibly conflicting preferences of individual agents are studied extensively in economics, operations research, and lately computer science. Perhaps surprisingly, the classic literature assumes participating agents to act selfishly, possibly untruthfully, if it is to their advantage, whereas the mechanism center is usually assumed to be honest and trustworthy. We ...
Efficient Multi-party Computation with Information-theoretic Security
Multi-party computation (MPC) enables a set of n mutually distrusting players to perform some computation on their private inputs, such that the correctness of the output as well as the privacy of the honest players’ inputs is guaranteed even in the presence of an adversary corrupting up to t of the players and making them misbehave arbitrarily. In this thesis, we focus on the efficiency of mul...