Communication-Efficient (Proactive) Secure Computation for Dynamic General Adversary Structures and Dynamic Groups

摘要

In modern distributed systems, an adversary's limitations when corrupting subsets of a system's components (e.g., servers) may not necessarily be based on threshold constraints, but rather based on other technical or organizational characteristics. This means that the corruption patterns (and thus protection guarantees) are based on the adversary being limited by what can be captured by a General Adversary Structure (GAS). We consider efficient secure multiparty computation (MPC) under such dynamically-changing GAS settings. In such settings, one desires to protect against and during corruption profile changes; such adaptivity also renders some (secret sharing-based) encoding schemes underlying MPC protocols more efficient than others when operating with the (currently) considered GAS. One of our contributions is a set of new protocols to efficiently and securely convert back and forth between different MPC schemes for GAS; this process is often called share conversion. We consider two MPC schemes, one based on additive secret sharing and the other based on Monotone Span Programs (MSP). The ability to convert between the secret sharing representations of these MPC schemes enables us to construct the first communication-efficient structure-adaptive proactive MPC protocol for dynamic GAS settings. By structure-adaptive, we mean that the choice of the MPC protocol to execute in future rounds after the GAS is changed (as specified by an administrative entity) is chosen to ensure communication-efficiency (the typical bottleneck in MPC). Furthermore, since such secure "collaborative" computing may be long-lived, we consider the mobile adversary setting, often called the proactive security setting. As our second contribution, we construct communication-efficient MPC protocols that can adapt to the proactive security setting. Proactive security assumes that at each (well defined) period of time the adversary corrupts different parties and may visit the entire system overtime and corrupt all parties, provided that in each period it controls groups obeying the GAS constraints. In our protocol, the shares can be refreshed, meaning that parties receive new shares reconstructing the same secret, and some parties who lost their shares because of the reboot/reset can recover their shares. As our third contribution, we consider another aspect of global long-term computations, namely, that of the dynamic groups. Settings with dynamic groups and GAS were not dealt with in existing literature on (proactive) MPC. In dynamic group settings, parties can be added and eliminated from the computation, under different GAS restrictions. We extend our protocols to this additional dynamic group settings defined by different GAS (see the full version of the paper [18] for formal details of protocols and proofs).