On Communication Models and Best-Achievable Security in Two-Round MPC

Abstract

Recently, a sequence of works have made strong advances in two-round (i.e., round-optimal) secure multi-party computation (MPC). In the honest-majority setting – the focus of this work – Ananth et al. [CRYPTO’18, EC’19], Applebaum et al. [TCC’18, EC’19] and Garg et al. [TCC’18] have established the feasibility of general two-round MPC in standard communication models involving broadcast (\(\mathcal {BC}\)) and private point-to-point (\(\mathcal {P}\mathrm {2}\mathcal {P}\)) channels.In this work, we set out to understand what features of the communication model are necessary for these results, and more broadly the design of two-round MPC. Focusing our study on the plain model – the most natural model for honest-majority MPC – we obtain the following results: Dishonest majority from Honest majority: In the two round setting, honest-majority MPC and dishonest-majority MPC are surprisingly close, and often equivalent. This follows from our results that the former implies 2-message oblivious transfer, in many settings. (i) We show that without private point-to-point (\(\mathcal {P}\mathrm {2}\mathcal {P}\)) channels, i.e., when we use only broadcast (\(\mathcal {BC}\)) channels, honest-majority MPC implies 2-message oblivious transfer. (ii) Furthermore, this implication holds even when we use both \(\mathcal {P}\mathrm {2}\mathcal {P}\) and \(\mathcal {BC}\), provided that the MPC protocol is robust against “fail-stop” adversaries. Best-Achievable Security: While security with guaranteed output delivery (and even fairness) against malicious adversaries is impossible in two rounds, nothing is known with regards to the “next best” security notion, namely, security with identifiable abort (IA). We show that IA is also impossible to achieve with honest-majority even if we use both \(\mathcal {P}\mathrm {2}\mathcal {P}\) and \(\mathcal {BC}\) channels. However, if we replace \(\mathcal {P}\mathrm {2}\mathcal {P}\) channels with a “bare” (i.e., untrusted) public-key infrastructure (\(\mathcal {PKI}\)), then even security with guaranteed output delivery (and hence \(\texttt {IA} \)) is possible to achieve. These results “explain” that the reliance on \(\mathcal {P}\mathrm {2}\mathcal {P}\) channels (together with \(\mathcal {BC}\)) in the recent two-round protocols in the plain model was in fact necessary, and that these protocols couldn’t have achieved a stronger security guarantee, namely, \(\texttt {IA} \). Overall, our results (put together with prior works) fully determine the best-achievable security for honest-majority MPC in different communication models in two rounds. As a consequence, they yield the following hierarchy of communication models: $$\begin{aligned} \mathcal {BC}< \mathcal {P}\mathrm {2}\mathcal {P}< \mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}< \mathcal {BC}+\mathcal {PKI}. \end{aligned}$$This shows that \(\mathcal {BC}\) channel is the weakest communication model, and that \(\mathcal {BC}+\mathcal {PKI}\) model is strictly stronger than \(\mathcal {BC}+\mathcal {P}\mathrm {2}\mathcal {P}\) model.