Adaptively secure multi-party computation
STOC '96 Proceedings of the twenty-eighth annual ACM symposium on Theory of computing
Selectively traceable anonymity
PET'06 Proceedings of the 6th international conference on Privacy Enhancing Technologies
| Hi-index | 0.00 |
A fundamental problem in designing secure multi-party protocols is how to deal with adaptive adversaries (i.e., adversaries that may choose the corrupted parties during the course of the computation), in a setting where the channels are insecure and secure communication is achieved by cryptographic primitives based on computational limitations of the adversary. It turns out that the power of an adaptive adversary is greatly affected by the amount of information gathered upon the corruption of the party. This amount of information models the extent to which uncorrupted parties are trusted to carry out instructions that cannot be externally verified, such as erasing records of past configurations. It has been shown that if the parties are trusted to erase such records, then adaptivity secure computation can be carried out using known primitives. However, this total trust in parties may be unrealistic in many scenarios. An important question, open since 1986, is whether adaptively secure multi-party computation can be carried out in the "insecure channel" setting, even if no party is thoroughly trusted. Our main result is an affirmative resolution of this question for the case where even uncorrupted parties may deviate from the protocol by keeping record of all past configurations. We first propose a novel property of encryption protocols and show that if an encryption protocol enjoying this property is used, instead of a standard encryption scheme, then known constructions become adaptively secure. Next we constructed, based on standard RSA assumption, an encryption protocol that enjoys this property. We also consider parties that, even when corrupted, may internally deviate from their protocols in arbitrary ways, as long as no external test can detect faulty behavior. We show that in this case no non-trivial protocol can be proven adaptively secure using black-box simulation. This holds even if the communication channels are totally secure.