Secure Multiparty Computation with Partial Fairness

A protocol for computing a functionality is secure if an adversary in this protocol cannot cause moreharm than in an ideal computation where parties give their inputs to a trusted party which returns theoutput of the functionality to all parties. In particular, in the ideal model such computation is fair –all parties get the output. Cleve (STOC 1986) proved that, in general, fairness is not possible withoutan honest majority. To overcome this impossibility, Gordon and Katz (Eurocrypt 2010) suggested arelaxed definition – 1/p-secure computation – which guarantees partial fairness. For two parties, theyconstruct 1/p-secure protocols for functionalities for which the size of either their domain or their rangeis polynomial (in the security parameter). Gordon and Katz ask whether their results can be extended tomultiparty protocols.We study 1/p-secure protocols in the multiparty setting for general functionalities. Our main result isconstructions of 1/p-secure protocols when the number of parties is constant provided that less than 2/3of the parties are corrupt. Our protocols require that either (1) the functionality is deterministic and thesize of the domain is polynomial (in the security parameter), or (2) the functionality can be randomizedand the size of the range is polynomial. If the size of the domain is constant and the functionality isdeterministic, then our protocol is efficient even when the number of parties is O(log log n) (where n isthe security parameter). On the negative side, we show that when the number of parties is super-constant,1/p-secure protocols are not possible when the size of the domain is polynomial. ∗Supported by ISF grant 938/09 and by the Frankel Center for Computer Science.†This research was generously supported by the European Research Council as part of the ERC project “LAST”.‡Supported by ISF grant 938/09 and by the Frankel Center for Computer Science.