Secure computation with honest-looking parties: What if nobody is truly honest?

Abstract

In a secure multi-party computation a set of mutually distrustful parties interact in order to evaluate a predefined function of their inputs, without revealing the inputs to each other. In this scenario, the trust in other parties should be minimal. In the classic formulation of this problem, most of the parties are trusted to exactly follow the prescribed protocol, except for a limited number of parties that are corrupted by a centralized adversary and are allowed to deviate from the protocol in an arbitrary way. However, an assumption of a totally honest behavior of most parties can not be verified. In particular, if an `honest-looking' party diverges from its protocol in a way that is indistinguishable from a totally honest player, it can do so with `impunity'. In this paper, we consider the situation where all parties (even uncorrupted ones) may deviate from their protocol in arbitrary ways, under the sole restriction that most of the parties do not risk being detected by other parties as deviating from the protocol execution. The question whether secure protocols exist in this scenario was raised in the past, and solutions for very limited deviations from the protocol (i.e., refraining from erasing data) were given. Yet, solving the general problem was believed hard, if at all possible. Contrary to this belief, we show that if secure communication channels are provided (and one-way functions exist) then any polynomial function can be securely computed in this scenario.