Amortized Complexity of Information-Theoretically Secure MPC Revisited

  • Ignacio Cascudo
  • Ronald Cramer
  • Chaoping Xing
  • Chen Yuan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10993)


A fundamental and widely-applied paradigm due to Franklin and Yung (STOC 1992) on Shamir-secret-sharing based general n-player MPC shows how one may trade the adversary threshold t against amortized communication complexity, by using a so-called packed version of Shamir’s scheme. For the BGW protocol (with active security), for example, this trade-off means that if \(t + 2k -2 < n/3\), then k parallel evaluations of the same arithmetic circuit on different inputs can be performed at the overall cost corresponding to a single BGW-execution.

In this paper we propose a novel paradigm for amortized MPC that offers a different trade-off, namely with the size of the field of the circuit which is securely computed, instead of the adversary threshold. Thus, unlike the Franklin-Yung paradigm, this leaves the adversary threshold unchanged. Therefore, for instance, this paradigm may yield constructions enjoying the maximal adversary threshold \(\lfloor (n-1)/3 \rfloor \) in the BGW-model (secure channels, perfect security, active adversary, synchronous communication).

Our idea is to compile an MPC for a circuit over an extension field to a parallel MPC of the same circuit but with inputs defined over its base field and with the same adversary threshold. Key technical handles are our notion of reverse multiplication-friendly embeddings (RMFE) and our proof, by algebraic-geometric means, that these are constant-rate, as well as efficient auxiliary protocols for creating “subspace-randomness” with good amortized complexity. In the BGW-model, we show that the latter can be constructed by combining our tensored-up linear secret sharing with protocols based on hyper-invertible matrices à la Beerliová-Hirt (or variations thereof). Along the way, we suggest alternatives for hyper-invertible matrices with the same functionality but which can be defined over a large enough constant size field, which we believe is of independent interest.
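
A small instance of a reverse multiplication-friendly embedding, added here as an illustration and not taken from the paper. It assumes the definition of a (k, m)-RMFE over F_q as a pair of F_q-linear maps φ: F_q^k → F_{q^m} and ψ: F_{q^m} → F_q^k with x * y = ψ(φ(x)·φ(y)) coordinate-wise, and builds one for q = 2, k = 2, m = 3 by polynomial interpolation; the function names and the modulus X^3 + X + 1 are choices made for this example.

```python
from itertools import product

# F_8 = F_2[X]/(X^3 + X + 1); an element is a 3-bit int, bit i = coefficient of X^i.
MOD = 0b1011

def gf8_mul(a, b):
    """Multiply in F_8: carry-less product, then reduce modulo X^3 + X + 1."""
    r = 0
    for i in range(3):
        if (b >> i) & 1:
            r ^= a << i
    for i in (4, 3):                      # clear the degree-4 and degree-3 terms
        if (r >> i) & 1:
            r ^= MOD << (i - 3)
    return r

def phi(x):
    """F_2^2 -> F_8: interpolate f of degree <= 1 with f(0)=x[0], f(1)=x[1]; return f(alpha)."""
    c0 = x[0]
    c1 = x[0] ^ x[1]                      # f(1) = c0 + c1 over F_2
    return c0 | (c1 << 1)

def psi(e):
    """F_8 -> F_2^2: read e as a polynomial h of degree <= 2; return (h(0), h(1))."""
    h0 = e & 1
    h1 = (e & 1) ^ ((e >> 1) & 1) ^ ((e >> 2) & 1)
    return (h0, h1)

def parallel_and(x, y):
    """Two AND gates over F_2 computed through a single multiplication in F_8."""
    return psi(gf8_mul(phi(x), phi(y)))

VECS = list(product((0, 1), repeat=2))

def rmfe_property_holds():
    """Check psi(phi(x) * phi(y)) == (x0 & y0, x1 & y1) for every x, y in F_2^2."""
    return all(parallel_and(x, y) == (x[0] & y[0], x[1] & y[1])
               for x in VECS for y in VECS)

def maps_are_linear():
    """Check F_2-linearity of phi and psi (addition is XOR on both sides)."""
    add = lambda u, v: (u[0] ^ v[0], u[1] ^ v[1])
    phi_ok = all(phi(add(x, y)) == phi(x) ^ phi(y) for x in VECS for y in VECS)
    psi_ok = all(psi(a ^ b) == add(psi(a), psi(b)) for a in range(8) for b in range(8))
    return phi_ok and psi_ok

if __name__ == "__main__":
    print(rmfe_property_holds(), maps_are_linear())
```

The product of two degree-1 polynomials has degree at most 2, so it is never reduced modulo X^3 + X + 1 and ψ can read it back exactly; the identity covers one multiplication only, not a chain of products in F_8.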

As a demonstration of the merits of the novel paradigm, we show that, in the BGW-model and with an optimal adversary threshold \(\lfloor (n-1)/3 \rfloor \), it is possible to securely compute a binary circuit with amortized complexity O(n) of bits per gate per instance. Known results would give \(n \log n\) bits instead. By combining our result with the Franklin-Yung paradigm, and assuming a sub-optimal adversary (i.e., an arbitrarily small \(\epsilon >0\) fraction below 1/3), this is improved to O(1) bits instead of O(n).



The work of Ronald Cramer and Chen Yuan was supported in part by ERC Advanced Grant No. 74079 (ALGSTRONGCRYPTO). Part of Chen Yuan’s work was performed while he was employed at NTU in Singapore. The authors thank Martin Hirt, Ivan Damgård, Yuval Ishai, and Jesper Buus Nielsen for helpful discussions and the anonymous reviewers for their valuable comments.


References

  1. [BBGS15] Bassa, A., Beelen, P., Garcia, A., Stichtenoth, H.: Towers of function fields over non-prime finite fields. Moscow Math. J. 15(1), 1–29 (2015)
  2. [Bea91] Beaver, D.: Efficient multiparty protocols using circuit randomization. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 420–432. Springer, Heidelberg (1992)
  3. [BGW88] Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: Proceedings of the 20th Annual ACM Symposium on Theory of Computing, Chicago, Illinois, USA, 2–4 May 1988, pp. 1–10 (1988)
  4. [BH08] Beerliová-Trubíniová, Z., Hirt, M.: Perfectly-secure MPC with linear communication complexity. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 213–230. Springer, Heidelberg (2008)
  5. [BMN17] Block, A.R., Maji, H.K., Nguyen, H.H.: Secure computation based on leaky correlations: high resilience setting. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 3–32. Springer, Cham (2017)
  6. [Bra85] Bracha, G.: An o(log n) expected rounds randomized byzantine generals protocol. In: Proceedings of the 17th Annual ACM Symposium on Theory of Computing, Providence, Rhode Island, USA, 6–8 May 1985, pp. 316–326 (1985)
  7. [CC88] Chudnovsky, D., Chudnovsky, G.: Algebraic complexities and algebraic curves over finite fields. J. Complex. 4, 285–316 (1988)
  8. [CCCX09] Cascudo, I., Chen, H., Cramer, R., Xing, C.: Asymptotically good ideal linear secret sharing with strong multiplication over any fixed finite field. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 466–486. Springer, Heidelberg (2009)
  9. [CCX11] Cascudo, I., Cramer, R., Xing, C.: The torsion-limit for algebraic function fields and its application to arithmetic secret sharing. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 685–705. Springer, Heidelberg (2011)
  10. [CCX12] Cascudo, I., Cramer, R., Xing, C.: The arithmetic codex. In: 2012 IEEE Information Theory Workshop, Lausanne, Switzerland, 3–7 September 2012, pp. 75–79 (2012)
  11. [CDN15] Cramer, R., Damgård, I., Nielsen, J.B.: Secure Multiparty Computation and Secret Sharing. Cambridge University Press, Cambridge (2015)
  12. [DI06] Damgård, I., Ishai, Y.: Scalable secure multiparty computation. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 501–520. Springer, Heidelberg (2006)
  13. [DIK10] Damgård, I., Ishai, Y., Krøigaard, M.: Perfectly secure multiparty computation and the computational overhead of cryptography. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 445–465. Springer, Heidelberg (2010)
  14. [DN07] Damgård, I., Nielsen, J.B.: Scalable and unconditionally secure multiparty computation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 572–590. Springer, Heidelberg (2007)
  15. [DNPR16] Damgård, I., Nielsen, J.B., Polychroniadou, A., Raskin, M.: On the communication required for unconditionally secure multiplication. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 459–488. Springer, Heidelberg (2016)
  16. [FY92] Franklin, M.K., Yung, M.: Communication complexity of secure computation (extended abstract). In: Proceedings of the 24th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, 4–6 May 1992, pp. 699–710 (1992)
  17. [GS95] García, A., Stichtenoth, H.: A tower of Artin-Schreier extensions of function fields attaining the Drinfeld-Vlăduţ bound. Invent. Math. 121(1), 211–222 (1995)
  18. [GS96] Garcia, A., Stichtenoth, H.: On the asymptotic behaviour of some towers of function fields over finite fields. J. Number Theory 61(2), 248–273 (1996)
  19. [HMP00] Hirt, M., Maurer, U.M., Przydatek, B.: Efficient secure multi-party computation. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 143–161. Springer, Heidelberg (2000)
  20. [IKOS09] Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121–1152 (2009)
  21. [Sha79] Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
  22. [Sti09] Stichtenoth, H.: Algebraic Function Fields and Codes. Graduate Texts in Mathematics, vol. 254, 2nd edn. Springer, Berlin (2009)
  23. [XY07] Xing, C., Yeo, S.L.: Algebraic curves with many points over the binary field. J. Algebra 311(2), 775–780 (2007)

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Ignacio Cascudo (1), email author
  • Ronald Cramer (2, 3)
  • Chaoping Xing (4)
  • Chen Yuan (2)

  1. Aalborg University, Aalborg, Denmark
  2. CWI Amsterdam, Amsterdam, The Netherlands
  3. Leiden University, Leiden, The Netherlands
  4. Nanyang Technological University, Singapore, Singapore
