Information-theoretic security without an honest majority

Information-theoretic security without an honest majority

Abstract

We present six multiparty protocols with information-theoretic security that tolerate an arbitrary number of corrupt participants. All protocols assume pairwise authentic private channels and a broadcast channel (in a single case, we require a simultaneous broadcast channel). We give protocols for veto, vote, anonymous bit transmission, collision detection, notification and anonymous message transmission. Not assuming an honest majority, in most cases, a single corrupt participant can make the protocol abort. All protocols achieve functionality never obtained before without the use of either computational assumptions or of an honest majority.
Keywords: multiparty computation, anonymous message transmission, election protocols, collision detection, dining cryptographers, information-theoretic security.

1 Introduction

In the most general case, multiparty secure computation enables  participants to collaborate to compute an -input, -output function (one per participant). Each participant only learns his private output which, depending on the function, can be the same for each participant. Assuming that private random keys are shared between each pair of participants, we known that every function can be securely computed in the presence of an active adversary if and only if less than  participants are corrupt; this fundamental result is due to Michael Ben-Or, Shafi Goldwasser and Avi Wigderson [BGW88] and David Chaum, Claude Crépeau and Ivan Damg\arard [CCD88]. When a broadcast channel is available, the results of Tal Rabin and Michael Ben-Or [RB89] tell us that this proportion can be improved to .

Here, we present six specific multiparty computation protocols that achieve correctness and privacy without any assumption on the number of corrupt participants. Naturally, we cannot always achieve the ideal functionality, for example in some cases, a single participant can make the protocol abort. This is the price to pay to tolerate an arbitrary number of corrupt participants and still provide information-theoretic privacy of the inputs.

All protocols we propose have polynomial complexity in the number of participants and the security parameter. We always assume pairwise shared private random keys between each pair of participants, which allows pairwise private authentic channels. We also assume a broadcast channel and, even though it is a strong assumption, in some cases we need the broadcast to be simultaneous [CGMA85, HM05].

1.1 Summary of results

Our main contributions are in the areas of elections (vote) and anonymity (anonymous bit transmission and anonymous message transmission). Each protocol is an astute combination of basic protocols, which are also of independent interest, and that implement parity, veto, collision detection and notification.

The main ingredient for our information-theoretically secure protocols is the dining cryptographers protocol [Cha88] (see also Section 2), to which we add the following simple yet powerful observation: if  participants each hold a private bit of an -bit string with Hamming weight of parity , then any single participant can randomize  by locally flipping his bit with a certain probability. It is impossible, however, for any participant to locally derandomize . In the case of the anonymous message transmission, we also build on the dining cryptographers protocol by noting that a message that is sent can be ciphered with a one-time pad by having one participant (the receiver) broadcast a random bit. Any modification of the message can then be detected by the receiver with an algebraic manipulation detection code [CFP07].

Vote

Our vote protocol (Section 4) allows  participants to conduct an -candidate election. The privacy is perfect but the protocol has the drawback that if it aborts (any corrupt participant can cause an abort), the participants can still learn information that would have been available had the protocol succeeded. For this protocol, we require a simultaneous broadcast channel. It would be particularly well-suited for a small group of voters that are unwilling to trust any third party and who have no advantage in making the protocol abort.

Previous work on information-theoretically secure voting protocols include [CFSY96], where a protocol is given in the context where many election authorities are present. To the best of our knowledge, our approach is fundamentally different from any other approaches for voting. It is the first to provide information-theoretic security without requiring or trusting any third party, while also providing ballot casting assurance (each participant is convinced that their input is correctly recorded [AN06]) and universal verifiability (each participant is conviced that only registered voters cast ballots and that the tally is correctly computed [SK95]).

Anonymity

Anonymity is the power to perform a task without having to identify the participants that are involved. In the case of anonymous message transmission, it is simply the capacity of the sender to transmit a private message to a specific receiver of his choosing without revealing either his identity or the identity of the receiver. A number of protocols have been suggested for anonymous transmission. Many of these rely on trusted or semi-trusted third parties as well as computational assumptions (for instance, the MIX-net [Cha81]). Here, we do not make any such assumptions. The most notable protocol for anonymous transmission in our context is the dining cryptographer’s protocol [Cha88], which allows a single sender to anonymously broadcast a bit, and provides information-theoretical security against a passive adversary. We present the protocol in a version that implements the multiparty computation of the parity function in Section 2.

The case of multiple yet honest senders in the dining cryptographer’s protocol can be solved by time slot reservation techniques, as originally noted by Chaum [Cha88]. But nevertheless, any corrupt participant can jam the channel. Techniques offering computational security to this problem have been proposed [Cha88, WP89b]. Also, computational assumptions allow the removal of the reliance on a broadcast channel [WP89a].

In our implementation of anonymous bit transmission (Section 5), we elegantly deal with the case of multiple senders by allowing an unlimited amount of participants to act as anonymous senders. Each anonymous sender can target any number of participants and send them each a private bit of his choice. Thus, the outcome of the protocol is, for each participant, a private list indicating how many s and how many s were received. The anonymity of the sender and receiver and the privacy of all transmitted bits is always perfectly achieved, but any participant can cause the protocol to abort, in which case the participants may still learn some information about their own private lists.

We need a way for all participants to find out if the protocol has succeeded. This is done with the veto protocol (Section 3), which takes as input a single bit from each participant; the output of the protocol is the logical OR of the inputs. Our implementation differs from the ideal functionality since a participant that inputs  will learn if some other participant also input . We make use of this deviation from the ideal functionality in further protocols.

In our fixed role anonymous message transmission protocol (Section 8), we present a method which allows a single sender to communicate a message of arbitrary length to a single receiver. To the best of our knowledge, this is the first protocol ever to provide perfect anonymity, message privacy and integrity. For a fixed security parameter, the anonymous message transmission is asymptotically optimal.

Our final protocol for anonymous message transmission (Section 9) allows a sender to send a message of arbitrary length to a receiver of his choosing. While any participant can cause the protocol to abort, the anonymity of the sender and receiver is always perfectly achieved. The privacy of the message is preserved except with exponentially small probability. As far as we are aware, all previous proposed protocols for this task require either computational assumptions or a majority of honest participants. The protocol deals with the case of multiple senders by first executing the collision detection protocol (Section 6), in which each participant inputs a single bit. The outcome only indicates if the sum of the inputs is , or more. Compared to similar protocols called time slot reservation [Cha88, WP89b], our protocol does not leak any additional information about the number of would-be senders. The final protocol also makes use of the notification protocol (Section 7) in which each participant chooses a list of other participants that are to be notified. The output privately reveals to each participant the logical OR of his received notifications. A special case of this protocol is when a single participant notifies another single participant; this is the version used in our final protocol to enable the sender to anonymously tell to the receiver to act accordingly.

1.2 Common features to all protocols

All protocols presented in the following sections share some common features, which we now describe. Our protocols are given in terms of multiparty computation with inputs and outputs and involve  participants, indexed by . In the ideal functionality, the only information that the participants learn is their output (and what can be deduced from it). Correctness refers to the fact that the outputs are correctly computed, while privacy ensures that the inputs are never revealed.

The protocols ensure correctness and privacy even in the presence of an unlimited number of misbehaving participants. Two types of such behaviour are relevant: participants who collude (they follow the protocol but pool their information in order to violate the protocol’s privacy), and participants who actively deviate from the protocol (in order to violate the protocol’s correctness or privacy). Without loss of generality, these misbehaviours are modelled by assuming a central adversary that controls some participants, rendering them corrupt. The adversary is either passive (it learns all the information held by the corrupt participants), or active (it takes full control of the corrupt participants). We will deal only with the most general case of active adversaries, and require them to be static (the set of corrupt participants does not change). A participant that is not corrupt is called honest. Our protocols are such that if they do not abort, there exists inputs for the corrupt participants that would lead to the same output if they were to act honestly. If a protocol aborts, the participants do not learn any more information than they could have learned in an honest execution of the protocol. The input and output description applies only to honest participants.

We assume that each pair of participants shares a private, uniformly random string that can be used to implement an authentic private channel. The participants have access to a broadcast channel and in some cases, it is simultaneous. A broadcast channel is an authentic broadcast channel for which the sender is confident that all participants receive the same value and the receivers know the identity of the sender. A simultaneous broadcast channel is a collection of broadcast channels where the input of one participant cannot depend on the input of any other participant. This could be achieved if all participants simultaneously performed a broadcast. In order to distinguish between the two types of broadcast, we sometimes call the broadcast channel a regular broadcast. It is not uncommon in multiparty computation to allow additional resources, even if these resources cannot be implemented with the threshold on the honest participants (the results of [RB89] which combine a broadcast channel with  honest participants being the most obvious example). Our work suggests that a simultaneous broadcast channel is an interesting primitive to study in this context.

In all protocols, the security parameter is . Unfortunately, in many of our protocols, a single corrupt participant can cause the protocol to abort. All protocols run in polynomial time with respect to the number of participants, the security parameter and the input length. Although some of the protocols presented in this paper are efficient, our main focus here is in the existence of protocols for the described tasks. We leave for future work improvement of their efficiency. Finally, due to lack of space, we present only sketches of security proofs.

2 Parity

Protocol 1 implements the parity function and is essentially the same as the dining cryptographers protocol [Cha88], with the addition of a simultaneous broadcast channel. Note that if we used a broadcast channel instead, then the last participant to speak would have the unfair advantage of being able to adapt his input in order to fix the outcome of the protocol!

Input:
Output:
Broadcast type : simultaneous broadcast
Achieved functionality:
1) (Correctness) If the protocol does not abort, the output is the same as in the ideal functionality.
2) (Privacy) No adversary can learn more than the output of the ideal functionality.   Each participant  does the following:

  1. Select uniformly at random an -bit string with Hamming weight of parity .

  2. Send to participant using the private channel; keep bit to yourself.

  3. Compute , the parity of the sum of all the bits received, including .

  4. Use the simultaneous broadcast channel to announce .

  5. After the simultaneous broadcast is finished, compute . This is the outcome of the protocol. If the simultaneous broadcast fails, abort the protocol.

Protocol 1 Parity

Correctness and privacy follows from [Cha88]. Thus, any adversary can learn only what can be deduced from the corrupt participant’s inputs and the outcome of the protocol. Note that this means that the adversary can deduce the parity of the inputs of the other participants. We will later use the two simple observations that there is no way to cheat except by refusing to broadcast and that any value that is broadcast is consistent with a choice of valid inputs. In the following protocols, we will adapt step 4 of the parity protocol to make it relevant to the scenario, this will allow us to remove the assumption of the simultaneous broadcast. We will also use the fact that if a single participant either does not broadcast, or broadcasts a random bit in step 4 then the value of the output of parity is known to this participant, but is perfectly hidden to all other participants.

3 Veto

In this section, we build on the parity protocol to give a protocol for the secure implementation of the veto function, which computes the logical OR of the participant’s inputs (Protocol 2). We also discuss some important deviations from the ideal functionality.

Input:
Output:
Broadcast type : regular broadcast
Achieved functionality:
1) (Reliability) No participant can make the protocol abort.
2) (Correctness) The outcome of the protocol equals the outcome of the ideal functionality.
3) (Privacy) Any adversary learns what it would have learned in the ideal functionally, had the corrupt participants used  as input, but nothing more.

 

The  participants agree on  orderings such that each ordering has a different last participant.

For each ordering,
—-Repeat  times:

  1. Each participant  sets the value of  in the following way: if  then ; otherwise, with probability  and with complimentary probability.

  2. The participants execute the parity protocol with inputs , with the exception that the simultaneous broadcast is replaced by a regular broadcast with the participants broadcasting according to the current ordering (if any participant refuses to broadcast, set the value ). If the outcome of parity is , then set  .

Output the value result.

Protocol 2 Veto
Lemma 3.1.

(Reliability) No participant can make the veto protocol abort.

Proof.

If a participant refuses to broadcast, it is assumed that the output of the protocol is . ∎

Lemma 3.2.

(Correctness) If all participants in the veto protocol have input , then the protocol achieves the ideal functionality with probability 1. If there exists a participant with input then the protocol is correct with probability at least .

Proof.

The correctness follows by the properties of the parity protocol, with the difference that we now have a broadcast channel instead of a simultaneous broadcast channel. The case where all inputs are 0 is trivial. Let  and suppose that the protocol is executed until the ordering in which participant  speaks last. Then with probability at least , in step 2 of veto, the output of the protocol will be set to . ∎

Lemma 3.3.

(Privacy) In the veto protocol, the most an adversary can learn is the information that it could have learned by assigning to all corrupt participants the input . Additionally, this information is revealed, even to a passive adversary, with probability at least .

Proof.

This follows from the properties of the parity protocol: for a given repetition, the adversary learns the parity of the honest participants’ ’s, but nothing else. Because of the way that the ’s are chosen in step 1, if for any repetition, this parity is odd, the adversary concludes that at least one honest participant has input , and otherwise if all repetitions yield , then the adversary concludes that with probability at least , all the honest participant’s inputs are . In all cases, this is the only information that is revealed; clearly, it is revealed to any passive adversary, except with exponentially small probability. ∎

4 Vote

The participants now wish to conduct an -candidate vote. The idea of Protocol 3 is simple. In the veto protocol, each participant with input  completely randomizes his input into the parity protocol, thus randomizing the output of parity. By flipping the output of parity with probability only , the probability of the outcome being odd becomes a function of the number of such flips. Using repetition, this probability can be approximated to obtain the exact number of flips with exponentially small error probability. This can be used to compute the number of votes for each candidate. Unfortunately, a corrupt participant can randomize his bit with probability higher than , enabling him to vote more than once. But since a participant cannot derandomize the parity, he cannot vote less than zero times. Verifying that the sum of the votes equals  ensures that all participants vote exactly once. Note that the protocol we present is polynomial in  and not in the length of .

Input:
Output: for to ,
Broadcast type : simultaneous broadcast
Achieved functionality:
1) (Correctness) If the protocol does not abort, then there exists an input  for each corrupt participant such that the protocol achieves the ideal functionality.
2) (Privacy) Even if the protocol aborts, no adversary can learn more that what it would have learned by setting in the ideal functionality  for all corrupt participants.

 

Phase A

For each candidate to ,

For  to ,

  1. Each participant  sets the value of  in the following way: if , then ; otherwise, with probability  and with complimentary probability.

  2. The participants execute the parity protocol to compute the parity of , but instead of broadcasting their output bit , they store it as .

Phase B

All participants simultaneously broadcast  . If the simultaneous broadcast is not successful, the protocol aborts.

Phase C

To compute the tally, , for each value  , each participant sets: , and if there exists an integer  such that ,
where , then  .

If for any , no such value  exists, or if , the protocol aborts.

Protocol 3 Vote
Lemma 4.1.

(Correctness) If the vote does not abort, then there exists an input for each corrupt participant such that the output of the honest participants equals the output of the ideal functionality, except with probability exponentially small in .

Proof.

If all participants are honest, the correctness of the protocol is derived from the Chernoff bound as explained in the Appendix. Assume now  corrupt participants. Since the parity protocol is perfect, the only place participant  can deviate from the protocol is by choosing  with an inappropriate probability. We first note that if the  corrupt participants actually transmit the correct number of private bits in phase A and broadcast the correct number of bits in phase B, then whatever they actually send is consistent with some global probability of flipping.

We use again the fact that it is possible to randomize the parity but not to derandomize it: if the corrupt participants altogether flip with a probability not consistent with an integer number of votes, either the statistics will be inconsistent, causing the protocol to abort, or we can interpret the results as being consistent with an integer amount of votes. If they flip with a probability consistent with an integer different than , then each  will be assigned a value, but with probability exponentially close to 1, we will have  and the protocol will abort. ∎

Lemma 4.2.

(Privacy) In the vote protocol, no adversary can learn more than what it would have learned by assigning to all corrupt participants the input  in the ideal functionality, and this even if the protocol aborts.

Proof.

Assume that the first  participants are corrupt. No information is sent phase A or phase C. We thus have to concentrate on phase B where the participants broadcast their information regarding each parity. For each execution of parity, the adversary learns the parity of the honest participant’s values, , but no information on these individual values is revealed. The adversary can thus only evaluate the probability with which the other participants have flipped the parity. But this information could be deduced from the output of the ideal functionality, for instance by fixing the corrupt participants’ inputs to . ∎

It is important to note that the above results do not exclude the possibility of an adversary causing the protocol to abort while still learning some information as stipulated in Lemma 4.2. This information could be used to adapt the behaviour of the adversary in a future execution of vote.

In addition to the above theorems, it follows from the use of the simultaneous broadcast channel that an adversary cannot act in a way that a corrupt participant’s vote depends an honest participant’s vote. In particular, it cannot duplicate an honest participant’s vote. We claim that our protocol provides ballot casting assurance and universal verifiability. This is straightforward from the fact that participants do not entrust any computation to a third party: they provide their own inputs and can verify that the final outcome is computed correctly.

5 Anonymous Bit Transmission

The anonymous bit transmission protocol enables a sender to privately and anonymously transmit one bit to a receiver of his choice. Protocol 4 actually deals with the usually problematic scenario of multiple anonymous senders in an original way: it allows an arbitrary number participants to act as anonymous senders, each one targeting any number of participants and sending them each a chosen private bit. Each participant is also simultaneously a potential receiver: at the end of the protocol, each participant has a private account of how many anonymous senders sent the bit  and how many sent the bit . Note that in our formalism for multiparty computation, the privacy of the inputs implies the anonymity of the senders and receivers.

Input: ,
Output:
Broadcast type : regular broadcast
1) (Correctness) If the protocol does not abort then the output of the protocol equals the output of the ideal functionality.
2) (Privacy) The privacy is the same as in the ideal functionality.

 

For each participant ,

  1. Execute the vote protocol with  as modified below. The three choices are: , , or (abstain). Each participant  chooses his input to the vote according to , his choice of message to be sent anonymously to participant . The vote protocol is modified such that:

    1. The output strings are sent to participant  through the private channel.

    2. Participant  computes the tally as in the vote and if this computation succeeds, he finds out how many participants sent him a , how many sent him a  and how many abstained. If this occurs (and the results are consistent) he sets his success bit,  to . If the vote aborts, he sets  to .

Execute the veto protocol, using as inputs the success bits . If the output of veto is , then the anonymous bit transmission succeeds. Otherwise, the protocol fails.

Protocol 4 Anonymous Bit Transmission

The security of the anonymous bit transmission protocol follows directly from the security of the vote and of the veto. Of course, the anonymous bit transmission also inherits the drawbacks of these protocols. More precisely we have the following:

Lemma 5.1.

(Correctness) The anonymous bit transmission protocol computes the correct output, except with exponentially small probability.

Proof.

If the protocol does not abort, by Lemmas 3.2 and 4.1, except with exponentially small probability, all bits are correctly transmitted. ∎

Lemma 5.2.

(Privacy) In the anonymous bit transmission protocol, the privacy is the same as in the ideal functionality.

Proof.

Each execution of the vote protocol provides perfect privacy, even if the protocol aborts. The final veto reveals some partial information about which honest participants have been targeted by corrupt participants, but this does not compromise the privacy of the protocol.∎

In Protocol 4, the use of the private channel in step (a) can be removed and replaced by a broadcast channel. Since participant  does not broadcast, the messages remain private. Another modification of the protocol makes it possible to send  possible messages instead of just two but note that the complexity is polynomial in  and not in the length of . The transmission of arbitrarily long strings is discussed in Sections 8 and 9.

6 Collision Detection

The collision detection protocol (Protocol 5) enables the participants to verify whether or not there is a single sender in the group. This will be used as a procedure for the implementation of anonymous message transmission in Section 9. Ideally, a protocol to detect a collision would have as input only  but unfortunately we do not know how to achieve such a functionality.

Input:
Output: let then 
Broadcast type : regular broadcast
1) (Reliability) No participant can make the protocol abort.
2) (Correctness) The output of the protocol equals the output of the ideal functionality.
3) (Privacy) An adversary cannot learn more than it could have learned by assigning to all corrupt participants the input  in the ideal functionality.

 

Veto A

All participants perform the veto protocol with inputs .

Veto B

If the outcome of veto A is , skip this step. Otherwise, each participant with input 1 in veto A will set  if he detected in veto A that another participant had input , or if . All other participants set . Then all participants perform a second veto protocol with inputs .

Output:

Protocol 5 Collision Detection
Lemma 6.1.

(Reliability) No participant can make the collision detection protocol abort.

Proof.

This follows from the reliability of veto. ∎

Lemma 6.2.

(Correctness) In the collision detection protocol, the output equals the output of the ideal functionality (except with exponentially small probability).

Proof.

This follows from the correctness of the veto protocol. There are only two ways a corrupt participant can deviate from the protocol. First, participant  can set  although  and although in the first veto his input was 1 and a collision was detected. The outcome of veto B will still be 1 since another participant with input 1 in veto A will input 1 in veto B. This is consistent with input . Second, participant  can set  although . If veto B is executed, then we know that another participant has input 1 in veto A. This is consistent with input . ∎

Note that we have raised a subtle deviation from the ideal protocol in the above proof: we showed how it is possible for a corrupt participant to set his input to 0 if all other participants have input  and to  otherwise. Fortunately, the protocol is still sufficiently good for the requirements of the following sections.

Lemma 6.3.

(Privacy) In the collision detection protocol, an adversary cannot learn more than it could have learned by assigning to all corrupt participants the input  in the ideal functionality.

Proof.

In each veto, an adversary can only learn whether or not there exists an honest participant with input 1. In all cases, this can be deduced from the outcome of the ideal functionality by setting the input to be  for all corrupt participants. ∎

7 Notification

In the notification protocol (Protocol 6), each participant chooses a list of other participants to notify. The output privately reveals to each participant whether or not he was notified, but no information on the number or origin of such notifications is revealed.

Input:
Output:
Broadcast type : regular broadcast
1) (Correctness) If the protocol does not abort then the output of the protocol equals the output of the ideal functionality.
2) (Privacy) The privacy is the same as in the ideal functionality.

 

For each participant :
—-Participant  sets .
—-Repeat  times:

  1. Each participant  sets the value of  in the following way: if  then ; otherwise, with probability  and with complimentary probability. Let .

  2. The participants execute the parity protocol with inputs , with the exception that participant  does not broadcast his value, and the simultaneous broadcast is replaced by a regular broadcast (if any participant refuses to broadcast, abort).

  3. Participant  computes the outcome of parity, and if it is ,  .

Protocol 6 Notification
Lemma 7.1.

The notification protocol achieves privacy and except with exponentially small probability, the correct output is computed.

Proof.

Privacy and correctness are trivially deduced from properties of the parity protocol. ∎

8 Fixed Role Anonymous Message Transmission

In Section 5, we presented an anonymous bit transmission protocol. The protocol easily generalizes to  messages, but the complexity of the protocol becomes polynomial in . It is not clear how to modify the protocol to transmit a string of arbitrary length, while still allowing multiple senders and receivers. However, in the context where a single sender  is allowed, it is possible to implement a secure protocol for  to anonymously transmit a message to a single receiver , which we call fixed role anonymous message transmission (Protocol 7). If the uniqueness condition on  and  is not satisfied, the protocol aborts. The protocol combines the use of the parity protocol with an algebraic manipulation detection code [CFP07], which we present as Theorem 8.1. Due to lack of space, the encoding and decoding algorithms, and , respectfully, are not repeated. For a less efficient algorithm that achieves a similar result, see [PSJ99].

Theorem 8.1 ([Cfp07]).

There exists an efficient probabilistic encoding algorithm and decoding algorithm such that for all , , and any combination of bit flips applied to  produces a  such that , except with probability .

Oracle: The sender  and receiver  know their identity
Input: has input , all other players have no input
Output: has output , all other players have no output
Broadcast type : regular broadcast
1) (Correctness) If the protocol does not abort, obtains the correct message.
2) (Privacy) The only information that can be learned through the protocol is for  to learn .
3) (Oracle) If the oracle conditions are not satisfied (in the sense that more than one honest participant believes to be the sender or the receiver), the protocol will abort.

 

  1. computes 

  2. The participants execute  rounds of the parity protocol, with participants using a broadcast instead of a simultaneous broadcast and using the following inputs:

    1. uses as input the bits of .

    2. uses as input the bits of a random -bit string, .

    3. All other players use as input for each round.

  3. Let be the output of the rounds of parity.  computes .

  4. computes .

  5. A veto is performed: all players input 0 except who inputs  if and  otherwise.
    If the outcome of veto is 1, the protocol aborts. Otherwise, sets his output to .

Protocol 7 Fixed Role Anonymous Message Transmission
Lemma 8.2.

(Correctness, Privacy, Oracle) In the fixed role anonymous message transmission protocol, the probability that  obtains as output a corrupt message is exponentially small. The protocol is perfectly private, and if the oracle conditions are not satisfied, it will abort (except with exponentially small probability).

Proof.

Because of the properties of parity and the fact that the receiver broadcasts a random bit, we have perfect privacy. Correctness is a direct consequence of Theorem 8.1. Finally, if more than one participant acts as a sender or receiver, then again because of Theorem 8.1, the message will not be faithfully transmitted and the protocol will abort in step 5, except with exponentially small probability. ∎

Theorem 8.3.

For a fixed security parameter, the fixed role anonymous message transmission protocol is asymptotically optimal.

Proof.

For any protocol to preserve the anonymity of the sender and the receiver, each player must sent at least one bit to every other player for each bit of the message. In the fixed role anonymous message transmission protocol, for a fixed , each player actually sends bits to each other player and therefore the protocol is asymptotically optimal. ∎

9 Anonymous Message Transmission

Our final protocol allows a sender to anonymously transmit message to a receiver of his choosing. Contrary to the fixed role anonymous message transmission protocol of Section 8, anonymous message transmission (Protocol 8) does not suppose that there is a single sender, but instead, it deals with potential collisions (or lack of any sender at all) by producing the outputs Collision or No Transmission. The only deviation from the ideal functionality in the protocol is that a single participant can force the Collision output. Note again that in this protocol, the privacy of the input implies anonymity of the sender and receiver.

Input: or where and
Output: If then and if then . Otherwise let  be such that then all except .
Broadcast type : regular broadcast
1) (Correctness) The output equals the output of the ideal functionality except that a single participant can make the protocol produce the output Collision.
2) (Privacy) The privacy is the same as in the ideal functionality.

 

  1. The participants execute the collision detection protocol; participants who have input  use input  while all others use input . If the outcome of collision detection is , continue, otherwise output No Transmission if the output is  and Collision if the output is .

  2. Let the sender  be the unique participant with . The participants execute the notification protocol, with  using input  and otherwise. All other participants use the input bits . Let  be the participant who computes as output . If the notification protocol fails, abort.

  3. The participants execute the fixed role anonymous message transmission protocol.

Protocol 8 Anonymous Message Transmission
Lemma 9.1.

(Correctness) In the anonymous message transmission protocol, the output equals the output of the ideal functionality except with exponentially small probability. The only exception is that a single participant can make the protocol produce the output Collision.

Proof.

This follows easily from the correctness of the collision detection, notification and fixed role anonymous message transmission protocols. ∎

Lemma 9.2.

(Privacy) The anonymity of the sender and receiver are perfect. If the protocol succeeds, except with exponentially small probability, participant  is the only participant who knows .

Proof.

Perfect anonymity follows from the privacy of the collision detection, notification and anonymous message transmission protocols. If the sender successfully notifies the receiver in step 2, then the privacy of  is perfect. But with exponentially small probability, the receiver will not be correctly notified, and an adversary acting as the receiver will successfully receive the message . ∎

10 Conclusion

We have given six multiparty protocols that are information-theoretically secure without any assumption on the number of honest participants. It would be interesting to see if the techniques we used can be applied to other multiparty functions or in other contexts.

Our main goal was to prove the existence of several protocols in a model that does not make use of any strong hypotheses such as computational assumptions or an honest majority. This being said, all the presented protocols are reasonably efficient: they are all polynomial in terms of communication and computational complexity and in one case, asymptotically optimal.

Acknowledgements

The authors wish to thank Hugue Blier, Gilles Brassard, Serge Fehr and Sébastien Gambs. A. B. is supported by scholarships from the CFUW, FQRNT and NSERC. A. T. is supported by CIFAR, FQRNT, MITACS and NSERC.

Appendix A Proof of correctness for Protocol 3

Lemma A.1.

(Correctness) If all participants are honest in the vote (Protocol 3), then the output is correct, except with probability exponentially small in .

Proof.

We fix a value  and suppose that  participants have input . Thus we need to show that in the vote, , except with probability exponentially small in .

We now give the intuition behind phase C of the vote. Let  be the probability that . For , we have , and . Solving this recurrence, we get

(1)

Thus, the idea of phase C of the vote is for the participants to approximate  by computing . If the approximation is within  of , then the outcome is . We first show that if such a  exists, it is unique.

Clearly, for , we have that . We also have . Thus the difference between and is:

(2)
(3)
(4)
(5)

Hence if such a  exists, it is unique. We now show that except with probability exponentially small in , the correct  will be chosen. Let be the sum of the  executions of parity, with  the expected value of . The participants have computed  .

By the Chernoff bound, for any ,

(6)

Let . We have

(7)

and so

(8)

Similarly, still by the Chernoff bound, for any ,

(9)

Let and we get

(10)

and so

(11)

Hence the protocol produces the correct value for , except with probability exponentially small in . ∎

References

  1. B. Adida and C. A. Neff. Ballot casting assurance. In EVT ’06, Proceedings of the First Usenix/ACCURATE Electronic Voting Technology Workshop, 2006.
  2. M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In Proceedings of the twentieth annual ACM Symposium on Theory of Computing (STOC), pages 1–10, 1988.
  3. D. Chaum, C. Crépeau, and I. Damgård. Multiparty unconditionally secure protocols (extended abstract). In Proceedings of the twentieth annual ACM Symposium on Theory of Computing (STOC), pages 11–19, 1988.
  4. R. Cramer, S. Fehr, and C. Padró. Combinatorial codes for detection of algebraic manipulation and their applications. Manuscript, 2007.
  5. R. Cramer, M. Franklin, B. Schoenmakers, and M. Yung. Multi-authority secret-ballot elections with linear work. In Proceedings of Eurocypt 1996, pages 72–83, 1996.
  6. B. Chor, S. Goldwasser, S. Micali, and B. Awerbuch. Verifiable secret sharing and achieving simultaneity in the presence of faults. In Proceedings of the 26th Annual Symposium on Foundations of Computer Science (FOCS), pages 383–395, 1985.
  7. D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24:84–88, 1981.
  8. D. Chaum. The dining cryptographers problem: Unconditional sender and recipient untraceability. Journal of Cryptology, 1:65–75, 1988.
  9. A. Hevia and D. Micciancio. Simultaneous broadcast revisited. In Proceedings of the twenty-fourth annual ACM symposium on Principles of distributed computing, pages 324–333, 2005.
  10. C. Padró, G. Sáez, and L. Villar J.\̇lx@bibnewblockDetection of cheaters in vector space secret sharing schemes. Designs, codes and cryptography, 16:75–85, 1999.
  11. T. Rabin and M. Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority. In Proceedings of the twenty-first annual ACM Symposium on Theory of Computing (STOC), pages 73–85, 1989.
  12. K. Sako and J. Kilian. Receipt-free mix-type voting scheme — a practical solution to the implementation of a voting booth. In Proceedings of Eurocrypt 1995, pages 393–403, 1995.
  13. M. Waidner and B. Pfitzmann. The dining cryptographers in the disco: Unconditional sender and recipient untraceability with computationally secure serviceability. In Proceedings of Eurocrypt ’89, page 690, 1989.
  14. M. Waidner and B. Pfitzmann. Unconditional sender and recipient untraceability in spite of active attacks — some remarks. Technical report, Universität Karlsruhe, 1989.
Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
""
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
   
Add comment
Cancel
Loading ...
220674
This is a comment super asjknd jkasnjk adsnkj
Upvote
Downvote
""
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters
Submit
Cancel

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test
Test description