Information-theoretic security without an honest majority
We present six multiparty protocols with
information-theoretic security that tolerate an arbitrary number of
corrupt participants. All protocols assume pairwise authentic
private channels and a broadcast channel (in a single case, we
require a simultaneous broadcast channel). We give protocols for
veto, vote, anonymous bit transmission,
collision detection, notification and anonymous
message transmission. Not assuming an honest majority, in most
cases, a single corrupt participant can make the protocol abort. All
protocols achieve functionality never obtained before without the
use of either computational assumptions or of an honest majority.
Keywords: multiparty computation, anonymous message transmission, election protocols, collision detection, dining cryptographers, information-theoretic security.
In the most general case, multiparty secure computation enables participants to collaborate to compute an -input, -output function (one per participant). Each participant only learns his private output which, depending on the function, can be the same for each participant. Assuming that private random keys are shared between each pair of participants, we known that every function can be securely computed in the presence of an active adversary if and only if less than participants are corrupt; this fundamental result is due to Michael Ben-Or, Shafi Goldwasser and Avi Wigderson [BGW88] and David Chaum, Claude Crépeau and Ivan Damg\arard [CCD88]. When a broadcast channel is available, the results of Tal Rabin and Michael Ben-Or [RB89] tell us that this proportion can be improved to .
Here, we present six specific multiparty computation protocols that achieve correctness and privacy without any assumption on the number of corrupt participants. Naturally, we cannot always achieve the ideal functionality, for example in some cases, a single participant can make the protocol abort. This is the price to pay to tolerate an arbitrary number of corrupt participants and still provide information-theoretic privacy of the inputs.
All protocols we propose have polynomial complexity in the number of participants and the security parameter. We always assume pairwise shared private random keys between each pair of participants, which allows pairwise private authentic channels. We also assume a broadcast channel and, even though it is a strong assumption, in some cases we need the broadcast to be simultaneous [CGMA85, HM05].
1.1 Summary of results
Our main contributions are in the areas of elections (vote) and anonymity (anonymous bit transmission and anonymous message transmission). Each protocol is an astute combination of basic protocols, which are also of independent interest, and that implement parity, veto, collision detection and notification.
The main ingredient for our information-theoretically secure protocols is the dining cryptographers protocol [Cha88] (see also Section 2), to which we add the following simple yet powerful observation: if participants each hold a private bit of an -bit string with Hamming weight of parity , then any single participant can randomize by locally flipping his bit with a certain probability. It is impossible, however, for any participant to locally derandomize . In the case of the anonymous message transmission, we also build on the dining cryptographers protocol by noting that a message that is sent can be ciphered with a one-time pad by having one participant (the receiver) broadcast a random bit. Any modification of the message can then be detected by the receiver with an algebraic manipulation detection code [CFP07].
Our vote protocol (Section 4) allows participants to conduct an -candidate election. The privacy is perfect but the protocol has the drawback that if it aborts (any corrupt participant can cause an abort), the participants can still learn information that would have been available had the protocol succeeded. For this protocol, we require a simultaneous broadcast channel. It would be particularly well-suited for a small group of voters that are unwilling to trust any third party and who have no advantage in making the protocol abort.
Previous work on information-theoretically secure voting protocols include [CFSY96], where a protocol is given in the context where many election authorities are present. To the best of our knowledge, our approach is fundamentally different from any other approaches for voting. It is the first to provide information-theoretic security without requiring or trusting any third party, while also providing ballot casting assurance (each participant is convinced that their input is correctly recorded [AN06]) and universal verifiability (each participant is conviced that only registered voters cast ballots and that the tally is correctly computed [SK95]).
Anonymity is the power to perform a task without having to identify the participants that are involved. In the case of anonymous message transmission, it is simply the capacity of the sender to transmit a private message to a specific receiver of his choosing without revealing either his identity or the identity of the receiver. A number of protocols have been suggested for anonymous transmission. Many of these rely on trusted or semi-trusted third parties as well as computational assumptions (for instance, the MIX-net [Cha81]). Here, we do not make any such assumptions. The most notable protocol for anonymous transmission in our context is the dining cryptographer’s protocol [Cha88], which allows a single sender to anonymously broadcast a bit, and provides information-theoretical security against a passive adversary. We present the protocol in a version that implements the multiparty computation of the parity function in Section 2.
The case of multiple yet honest senders in the dining cryptographer’s protocol can be solved by time slot reservation techniques, as originally noted by Chaum [Cha88]. But nevertheless, any corrupt participant can jam the channel. Techniques offering computational security to this problem have been proposed [Cha88, WP89b]. Also, computational assumptions allow the removal of the reliance on a broadcast channel [WP89a].
In our implementation of anonymous bit transmission (Section 5), we elegantly deal with the case of multiple senders by allowing an unlimited amount of participants to act as anonymous senders. Each anonymous sender can target any number of participants and send them each a private bit of his choice. Thus, the outcome of the protocol is, for each participant, a private list indicating how many s and how many s were received. The anonymity of the sender and receiver and the privacy of all transmitted bits is always perfectly achieved, but any participant can cause the protocol to abort, in which case the participants may still learn some information about their own private lists.
We need a way for all participants to find out if the protocol has succeeded. This is done with the veto protocol (Section 3), which takes as input a single bit from each participant; the output of the protocol is the logical OR of the inputs. Our implementation differs from the ideal functionality since a participant that inputs will learn if some other participant also input . We make use of this deviation from the ideal functionality in further protocols.
In our fixed role anonymous message transmission protocol (Section 8), we present a method which allows a single sender to communicate a message of arbitrary length to a single receiver. To the best of our knowledge, this is the first protocol ever to provide perfect anonymity, message privacy and integrity. For a fixed security parameter, the anonymous message transmission is asymptotically optimal.
Our final protocol for anonymous message transmission (Section 9) allows a sender to send a message of arbitrary length to a receiver of his choosing. While any participant can cause the protocol to abort, the anonymity of the sender and receiver is always perfectly achieved. The privacy of the message is preserved except with exponentially small probability. As far as we are aware, all previous proposed protocols for this task require either computational assumptions or a majority of honest participants. The protocol deals with the case of multiple senders by first executing the collision detection protocol (Section 6), in which each participant inputs a single bit. The outcome only indicates if the sum of the inputs is , or more. Compared to similar protocols called time slot reservation [Cha88, WP89b], our protocol does not leak any additional information about the number of would-be senders. The final protocol also makes use of the notification protocol (Section 7) in which each participant chooses a list of other participants that are to be notified. The output privately reveals to each participant the logical OR of his received notifications. A special case of this protocol is when a single participant notifies another single participant; this is the version used in our final protocol to enable the sender to anonymously tell to the receiver to act accordingly.
1.2 Common features to all protocols
All protocols presented in the following sections share some common features, which we now describe. Our protocols are given in terms of multiparty computation with inputs and outputs and involve participants, indexed by . In the ideal functionality, the only information that the participants learn is their output (and what can be deduced from it). Correctness refers to the fact that the outputs are correctly computed, while privacy ensures that the inputs are never revealed.
The protocols ensure correctness and privacy even in the presence of an unlimited number of misbehaving participants. Two types of such behaviour are relevant: participants who collude (they follow the protocol but pool their information in order to violate the protocol’s privacy), and participants who actively deviate from the protocol (in order to violate the protocol’s correctness or privacy). Without loss of generality, these misbehaviours are modelled by assuming a central adversary that controls some participants, rendering them corrupt. The adversary is either passive (it learns all the information held by the corrupt participants), or active (it takes full control of the corrupt participants). We will deal only with the most general case of active adversaries, and require them to be static (the set of corrupt participants does not change). A participant that is not corrupt is called honest. Our protocols are such that if they do not abort, there exists inputs for the corrupt participants that would lead to the same output if they were to act honestly. If a protocol aborts, the participants do not learn any more information than they could have learned in an honest execution of the protocol. The input and output description applies only to honest participants.
We assume that each pair of participants shares a private, uniformly random string that can be used to implement an authentic private channel. The participants have access to a broadcast channel and in some cases, it is simultaneous. A broadcast channel is an authentic broadcast channel for which the sender is confident that all participants receive the same value and the receivers know the identity of the sender. A simultaneous broadcast channel is a collection of broadcast channels where the input of one participant cannot depend on the input of any other participant. This could be achieved if all participants simultaneously performed a broadcast. In order to distinguish between the two types of broadcast, we sometimes call the broadcast channel a regular broadcast. It is not uncommon in multiparty computation to allow additional resources, even if these resources cannot be implemented with the threshold on the honest participants (the results of [RB89] which combine a broadcast channel with honest participants being the most obvious example). Our work suggests that a simultaneous broadcast channel is an interesting primitive to study in this context.
In all protocols, the security parameter is . Unfortunately, in many of our protocols, a single corrupt participant can cause the protocol to abort. All protocols run in polynomial time with respect to the number of participants, the security parameter and the input length. Although some of the protocols presented in this paper are efficient, our main focus here is in the existence of protocols for the described tasks. We leave for future work improvement of their efficiency. Finally, due to lack of space, we present only sketches of security proofs.
Protocol 1 implements the parity function and is essentially the same as the dining cryptographers protocol [Cha88], with the addition of a simultaneous broadcast channel. Note that if we used a broadcast channel instead, then the last participant to speak would have the unfair advantage of being able to adapt his input in order to fix the outcome of the protocol!
Correctness and privacy follows from [Cha88]. Thus, any adversary can learn only what can be deduced from the corrupt participant’s inputs and the outcome of the protocol. Note that this means that the adversary can deduce the parity of the inputs of the other participants. We will later use the two simple observations that there is no way to cheat except by refusing to broadcast and that any value that is broadcast is consistent with a choice of valid inputs. In the following protocols, we will adapt step 4 of the parity protocol to make it relevant to the scenario, this will allow us to remove the assumption of the simultaneous broadcast. We will also use the fact that if a single participant either does not broadcast, or broadcasts a random bit in step 4 then the value of the output of parity is known to this participant, but is perfectly hidden to all other participants.
In this section, we build on the parity protocol to give a protocol for the secure implementation of the veto function, which computes the logical OR of the participant’s inputs (Protocol 2). We also discuss some important deviations from the ideal functionality.
(Reliability) No participant can make the veto protocol abort.
If a participant refuses to broadcast, it is assumed that the output of the protocol is . ∎
(Correctness) If all participants in the veto protocol have input , then the protocol achieves the ideal functionality with probability 1. If there exists a participant with input then the protocol is correct with probability at least .
The correctness follows by the properties of the parity protocol, with the difference that we now have a broadcast channel instead of a simultaneous broadcast channel. The case where all inputs are 0 is trivial. Let and suppose that the protocol is executed until the ordering in which participant speaks last. Then with probability at least , in step 2 of veto, the output of the protocol will be set to . ∎
(Privacy) In the veto protocol, the most an adversary can learn is the information that it could have learned by assigning to all corrupt participants the input . Additionally, this information is revealed, even to a passive adversary, with probability at least .
This follows from the properties of the parity protocol: for a given repetition, the adversary learns the parity of the honest participants’ ’s, but nothing else. Because of the way that the ’s are chosen in step 1, if for any repetition, this parity is odd, the adversary concludes that at least one honest participant has input , and otherwise if all repetitions yield , then the adversary concludes that with probability at least , all the honest participant’s inputs are . In all cases, this is the only information that is revealed; clearly, it is revealed to any passive adversary, except with exponentially small probability. ∎
The participants now wish to conduct an -candidate vote. The idea of Protocol 3 is simple. In the veto protocol, each participant with input completely randomizes his input into the parity protocol, thus randomizing the output of parity. By flipping the output of parity with probability only , the probability of the outcome being odd becomes a function of the number of such flips. Using repetition, this probability can be approximated to obtain the exact number of flips with exponentially small error probability. This can be used to compute the number of votes for each candidate. Unfortunately, a corrupt participant can randomize his bit with probability higher than , enabling him to vote more than once. But since a participant cannot derandomize the parity, he cannot vote less than zero times. Verifying that the sum of the votes equals ensures that all participants vote exactly once. Note that the protocol we present is polynomial in and not in the length of .
(Correctness) If the vote does not abort, then there exists an input for each corrupt participant such that the output of the honest participants equals the output of the ideal functionality, except with probability exponentially small in .
If all participants are honest, the correctness of the protocol is derived from the Chernoff bound as explained in the Appendix. Assume now corrupt participants. Since the parity protocol is perfect, the only place participant can deviate from the protocol is by choosing with an inappropriate probability. We first note that if the corrupt participants actually transmit the correct number of private bits in phase A and broadcast the correct number of bits in phase B, then whatever they actually send is consistent with some global probability of flipping.
We use again the fact that it is possible to randomize the parity but not to derandomize it: if the corrupt participants altogether flip with a probability not consistent with an integer number of votes, either the statistics will be inconsistent, causing the protocol to abort, or we can interpret the results as being consistent with an integer amount of votes. If they flip with a probability consistent with an integer different than , then each will be assigned a value, but with probability exponentially close to 1, we will have and the protocol will abort. ∎
(Privacy) In the vote protocol, no adversary can learn more than what it would have learned by assigning to all corrupt participants the input in the ideal functionality, and this even if the protocol aborts.
Assume that the first participants are corrupt. No information is sent phase A or phase C. We thus have to concentrate on phase B where the participants broadcast their information regarding each parity. For each execution of parity, the adversary learns the parity of the honest participant’s values, , but no information on these individual values is revealed. The adversary can thus only evaluate the probability with which the other participants have flipped the parity. But this information could be deduced from the output of the ideal functionality, for instance by fixing the corrupt participants’ inputs to . ∎
It is important to note that the above results do not exclude the possibility of an adversary causing the protocol to abort while still learning some information as stipulated in Lemma 4.2. This information could be used to adapt the behaviour of the adversary in a future execution of vote.
In addition to the above theorems, it follows from the use of the simultaneous broadcast channel that an adversary cannot act in a way that a corrupt participant’s vote depends an honest participant’s vote. In particular, it cannot duplicate an honest participant’s vote. We claim that our protocol provides ballot casting assurance and universal verifiability. This is straightforward from the fact that participants do not entrust any computation to a third party: they provide their own inputs and can verify that the final outcome is computed correctly.
5 Anonymous Bit Transmission
The anonymous bit transmission protocol enables a sender to privately and anonymously transmit one bit to a receiver of his choice. Protocol 4 actually deals with the usually problematic scenario of multiple anonymous senders in an original way: it allows an arbitrary number participants to act as anonymous senders, each one targeting any number of participants and sending them each a chosen private bit. Each participant is also simultaneously a potential receiver: at the end of the protocol, each participant has a private account of how many anonymous senders sent the bit and how many sent the bit . Note that in our formalism for multiparty computation, the privacy of the inputs implies the anonymity of the senders and receivers.
The security of the anonymous bit transmission protocol follows directly from the security of the vote and of the veto. Of course, the anonymous bit transmission also inherits the drawbacks of these protocols. More precisely we have the following:
(Correctness) The anonymous bit transmission protocol computes the correct output, except with exponentially small probability.
(Privacy) In the anonymous bit transmission protocol, the privacy is the same as in the ideal functionality.
Each execution of the vote protocol provides perfect privacy, even if the protocol aborts. The final veto reveals some partial information about which honest participants have been targeted by corrupt participants, but this does not compromise the privacy of the protocol.∎
In Protocol 4, the use of the private channel in step (a) can be removed and replaced by a broadcast channel. Since participant does not broadcast, the messages remain private. Another modification of the protocol makes it possible to send possible messages instead of just two but note that the complexity is polynomial in and not in the length of . The transmission of arbitrarily long strings is discussed in Sections 8 and 9.
6 Collision Detection
The collision detection protocol (Protocol 5) enables the participants to verify whether or not there is a single sender in the group. This will be used as a procedure for the implementation of anonymous message transmission in Section 9. Ideally, a protocol to detect a collision would have as input only but unfortunately we do not know how to achieve such a functionality.
(Reliability) No participant can make the collision detection protocol abort.
This follows from the reliability of veto. ∎
(Correctness) In the collision detection protocol, the output equals the output of the ideal functionality (except with exponentially small probability).
This follows from the correctness of the veto protocol. There are only two ways a corrupt participant can deviate from the protocol. First, participant can set although and although in the first veto his input was 1 and a collision was detected. The outcome of veto B will still be 1 since another participant with input 1 in veto A will input 1 in veto B. This is consistent with input . Second, participant can set although . If veto B is executed, then we know that another participant has input 1 in veto A. This is consistent with input . ∎
Note that we have raised a subtle deviation from the ideal protocol in the above proof: we showed how it is possible for a corrupt participant to set his input to 0 if all other participants have input and to otherwise. Fortunately, the protocol is still sufficiently good for the requirements of the following sections.
(Privacy) In the collision detection protocol, an adversary cannot learn more than it could have learned by assigning to all corrupt participants the input in the ideal functionality.
In each veto, an adversary can only learn whether or not there exists an honest participant with input 1. In all cases, this can be deduced from the outcome of the ideal functionality by setting the input to be for all corrupt participants. ∎
In the notification protocol (Protocol 6), each participant chooses a list of other participants to notify. The output privately reveals to each participant whether or not he was notified, but no information on the number or origin of such notifications is revealed.
The notification protocol achieves privacy and except with exponentially small probability, the correct output is computed.
Privacy and correctness are trivially deduced from properties of the parity protocol. ∎
8 Fixed Role Anonymous Message Transmission
In Section 5, we presented an anonymous bit transmission protocol. The protocol easily generalizes to messages, but the complexity of the protocol becomes polynomial in . It is not clear how to modify the protocol to transmit a string of arbitrary length, while still allowing multiple senders and receivers. However, in the context where a single sender is allowed, it is possible to implement a secure protocol for to anonymously transmit a message to a single receiver , which we call fixed role anonymous message transmission (Protocol 7). If the uniqueness condition on and is not satisfied, the protocol aborts. The protocol combines the use of the parity protocol with an algebraic manipulation detection code [CFP07], which we present as Theorem 8.1. Due to lack of space, the encoding and decoding algorithms, and , respectfully, are not repeated. For a less efficient algorithm that achieves a similar result, see [PSJ99].
Theorem 8.1 ([Cfp07]).
There exists an efficient probabilistic encoding algorithm and decoding algorithm such that for all , , and any combination of bit flips applied to produces a such that , except with probability .
(Correctness, Privacy, Oracle) In the fixed role anonymous message transmission protocol, the probability that obtains as output a corrupt message is exponentially small. The protocol is perfectly private, and if the oracle conditions are not satisfied, it will abort (except with exponentially small probability).
Because of the properties of parity and the fact that the receiver broadcasts a random bit, we have perfect privacy. Correctness is a direct consequence of Theorem 8.1. Finally, if more than one participant acts as a sender or receiver, then again because of Theorem 8.1, the message will not be faithfully transmitted and the protocol will abort in step 5, except with exponentially small probability. ∎
For a fixed security parameter, the fixed role anonymous message transmission protocol is asymptotically optimal.
For any protocol to preserve the anonymity of the sender and the receiver, each player must sent at least one bit to every other player for each bit of the message. In the fixed role anonymous message transmission protocol, for a fixed , each player actually sends bits to each other player and therefore the protocol is asymptotically optimal. ∎
9 Anonymous Message Transmission
Our final protocol allows a sender to anonymously transmit message to a receiver of his choosing. Contrary to the fixed role anonymous message transmission protocol of Section 8, anonymous message transmission (Protocol 8) does not suppose that there is a single sender, but instead, it deals with potential collisions (or lack of any sender at all) by producing the outputs Collision or No Transmission. The only deviation from the ideal functionality in the protocol is that a single participant can force the Collision output. Note again that in this protocol, the privacy of the input implies anonymity of the sender and receiver.
(Correctness) In the anonymous message transmission protocol, the output equals the output of the ideal functionality except with exponentially small probability. The only exception is that a single participant can make the protocol produce the output Collision.
This follows easily from the correctness of the collision detection, notification and fixed role anonymous message transmission protocols. ∎
(Privacy) The anonymity of the sender and receiver are perfect. If the protocol succeeds, except with exponentially small probability, participant is the only participant who knows .
Perfect anonymity follows from the privacy of the collision detection, notification and anonymous message transmission protocols. If the sender successfully notifies the receiver in step 2, then the privacy of is perfect. But with exponentially small probability, the receiver will not be correctly notified, and an adversary acting as the receiver will successfully receive the message . ∎
We have given six multiparty protocols that are information-theoretically secure without any assumption on the number of honest participants. It would be interesting to see if the techniques we used can be applied to other multiparty functions or in other contexts.
Our main goal was to prove the existence of several protocols in a model that does not make use of any strong hypotheses such as computational assumptions or an honest majority. This being said, all the presented protocols are reasonably efficient: they are all polynomial in terms of communication and computational complexity and in one case, asymptotically optimal.
The authors wish to thank Hugue Blier, Gilles Brassard, Serge Fehr and Sébastien Gambs. A. B. is supported by scholarships from the CFUW, FQRNT and NSERC. A. T. is supported by CIFAR, FQRNT, MITACS and NSERC.
Appendix A Proof of correctness for Protocol 3
(Correctness) If all participants are honest in the vote (Protocol 3), then the output is correct, except with probability exponentially small in .
We fix a value and suppose that participants have input . Thus we need to show that in the vote, , except with probability exponentially small in .
We now give the intuition behind phase C of the vote. Let be the probability that . For , we have , and . Solving this recurrence, we get
Thus, the idea of phase C of the vote is for the participants to approximate by computing . If the approximation is within of , then the outcome is . We first show that if such a exists, it is unique.
Clearly, for , we have that . We also have . Thus the difference between and is:
Hence if such a exists, it is unique. We now show that except with probability exponentially small in , the correct will be chosen. Let be the sum of the executions of parity, with the expected value of . The participants have computed .
By the Chernoff bound, for any ,
Let . We have
Similarly, still by the Chernoff bound, for any ,
Let and we get
Hence the protocol produces the correct value for , except with probability exponentially small in . ∎
- B. Adida and C. A. Neff. Ballot casting assurance. In EVT ’06, Proceedings of the First Usenix/ACCURATE Electronic Voting Technology Workshop, 2006.
- M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In Proceedings of the twentieth annual ACM Symposium on Theory of Computing (STOC), pages 1–10, 1988.
- D. Chaum, C. Crépeau, and I. Damgård. Multiparty unconditionally secure protocols (extended abstract). In Proceedings of the twentieth annual ACM Symposium on Theory of Computing (STOC), pages 11–19, 1988.
- R. Cramer, S. Fehr, and C. Padró. Combinatorial codes for detection of algebraic manipulation and their applications. Manuscript, 2007.
- R. Cramer, M. Franklin, B. Schoenmakers, and M. Yung. Multi-authority secret-ballot elections with linear work. In Proceedings of Eurocypt 1996, pages 72–83, 1996.
- B. Chor, S. Goldwasser, S. Micali, and B. Awerbuch. Verifiable secret sharing and achieving simultaneity in the presence of faults. In Proceedings of the 26th Annual Symposium on Foundations of Computer Science (FOCS), pages 383–395, 1985.
- D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24:84–88, 1981.
- D. Chaum. The dining cryptographers problem: Unconditional sender and recipient untraceability. Journal of Cryptology, 1:65–75, 1988.
- A. Hevia and D. Micciancio. Simultaneous broadcast revisited. In Proceedings of the twenty-fourth annual ACM symposium on Principles of distributed computing, pages 324–333, 2005.
- C. Padró, G. Sáez, and L. Villar J.\̇lx@bibnewblockDetection of cheaters in vector space secret sharing schemes. Designs, codes and cryptography, 16:75–85, 1999.
- T. Rabin and M. Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority. In Proceedings of the twenty-first annual ACM Symposium on Theory of Computing (STOC), pages 73–85, 1989.
- K. Sako and J. Kilian. Receipt-free mix-type voting scheme — a practical solution to the implementation of a voting booth. In Proceedings of Eurocrypt 1995, pages 393–403, 1995.
- M. Waidner and B. Pfitzmann. The dining cryptographers in the disco: Unconditional sender and recipient untraceability with computationally secure serviceability. In Proceedings of Eurocrypt ’89, page 690, 1989.
- M. Waidner and B. Pfitzmann. Unconditional sender and recipient untraceability in spite of active attacks — some remarks. Technical report, Universität Karlsruhe, 1989.