Revisiting Covert Multiparty Computation

Is it feasible for parties to securely evaluate a function on their joint inputs, while hiding not only their private input, but even the very fact that they are taking part to the protocol? This intriguing question was given a positive answer in the two-party case at STOC’05, and in the general case at FOCS’07, under the name of covert multiparty computation (CMPC). A CMPC protocol allows n players with inputs (x1 · · ·xn) to compute a function f with the following guarantees: – If every party is taking part to the protocol, and if the result of the computation is favorable to all the parties, then all parties learn f(x1, · · · , xn) (and nothing more) – Else, when the result is not favorable to all the parties, or if some player does not participate to the computation, no one gets to learn anything (and in particular, no player can learn whether any of the other parties was indeed participating to the protocol) While previous works proved the existence of CMPC under standard assumptions, their candidate CMPC protocols were exclusively of theoretical interest, and several questions were left open – in particular, can CMPC protocols be constructed with a complexity comparable to that of standard MPC protocols? In this work, we revisit the design of CMPC protocols. We construct a variant of the UC framework tailored to CMPC that allows for modular security proofs and enhances it with partial composability properties. Then, we show how to build a CMPC protocol out of a standard, state-of-the-art MPC protocol, where both the communication and the computation are the same than the original protocol up to an additive factor independent of the size of the circuit. Our construction relies on homomorphic smooth projective hash functions, which were previously used in the context of key-dependent message security.