Secure Arithmetic Computation with No Honest Majority
We study the complexity of securely evaluating arithmetic circuits over finite rings. This question is motivated by natural secure computation tasks. Focusing mainly on the case of two-party protocols with security against malicious parties, our main goals are to: (1) only make black-box calls to the ring operations and standard cryptographic primitives, and (2) minimize the number of such black-box calls as well as the communication overhead. We present several solutions which differ in their efficiency, generality, and underlying intractability assumptions. These include: 1. An unconditionally secure protocol in the OT-hybrid model which makes a black-box use of an arbitrary ring $R$, but where the number of ring operations grows linearly with (an upper bound on) $\log|R|$. 2. Computationally secure protocols in the OT-hybrid model which make a black-box use of an underlying ring, and in which the number of ring operations does not grow with the ring size. These results extend a previous approach of Naor and Pinkas for secure polynomial evaluation (SIAM J. Comput., 35(5), 2006). 3. A protocol for the rings $\mathbb{Z}_m=\mathbb{Z}/m\mathbb{Z}$ which only makes a black-box use of a homomorphic encryption scheme. When $m$ is prime, the (amortized) number of calls to the encryption scheme for each gate of the circuit is constant. All of our protocols are in fact UC-secure in the OT-hybrid model and can be generalized to multiparty computation with an arbitrary number of malicious parties.
💡 Research Summary
The paper “Secure Arithmetic Computation with No Honest Majority” investigates how to evaluate arithmetic circuits over finite rings when the participants may be malicious and there is no honest majority. The authors focus on two‑party protocols (though the techniques extend to any number of parties) and aim to (i) treat the underlying ring or field as a black box—only invoking its addition, subtraction, and multiplication operations and standard cryptographic primitives—and (ii) minimize both the number of such black‑box calls and the overall communication cost. All constructions are proven UC‑secure in the OT‑hybrid model, meaning they assume an ideal oblivious‑transfer oracle and achieve simulation‑based security against malicious adversaries.
The work presents three families of protocols, each with distinct trade‑offs in efficiency, generality, and underlying hardness assumptions.
- Unconditionally Secure Protocol (OT‑Hybrid, Black‑Box Ring). This protocol works for any finite ring R. It uses only black‑box access to the ring operations and to an OT oracle. The cost per gate is polynomial in the statistical security parameter k and linear in an upper bound on log |R|. Concretely, each multiplication gate requires poly(k)·log |R| ring operations and a comparable amount of data transmission. This mirrors the CFIK03 multi‑party protocol but removes the honest‑majority requirement, at the price of a logarithmic dependence on the ring size.
- Computationally Secure Protocols Based on Noisy Linear Codes. The authors develop a general methodology that reduces secure arithmetic evaluation to the problem of decoding noisy linear codes over the same algebraic structure. The security rests on the conjectured hardness of decoding random linear codes (or Reed‑Solomon codes) when a substantial fraction of random noise is present. Three concrete instantiations are given:
  - Field‑Only Variant. For any finite field F, the protocol’s per‑gate cost does not grow with |F|. The number of field operations per gate is bounded by a fixed polynomial in k, independent of the field size. The underlying assumption is that a random linear code over F with enough noise is pseudorandom, an assumption that follows from average‑case hardness of decoding when |F| is polynomial in k.
  - Ring Variant (No Inverses). Extends the previous construction to arbitrary rings R, avoiding the need for multiplicative inverses. It relies on families of linear codes over rings that can be efficiently decoded in the presence of erasures but are believed to be hard to decode when random noise is added.
  - Reed‑Solomon Optimized Variant. By using Reed‑Solomon codes of constant rate and a constant fraction of noise, the amortized communication per multiplication gate becomes a constant number of field elements, and the computational overhead drops to O(log k) field operations per gate (assuming the field size is super‑polynomial in k). This is a substantial improvement over homomorphic‑encryption‑based approaches, which typically need Ω(k + log |F|) ring multiplications per gate.
  The authors compare these protocols to prior work such as the constant‑overhead protocol of Ishai‑Kushilevitz‑Ostrovsky‑Sahai (IKOS08) applied to Boolean circuits, noting that while their communication is better, the computational cost is higher by an O(log k) factor when the Boolean‑circuit simulation is used.
- Homomorphic‑Encryption‑Based Protocol for ℤₘ. For rings of the form ℤₘ (with the standard representation), the paper presents a protocol that uses any homomorphic encryption scheme whose plaintext group is ℤₘ (e.g., Paillier, Damgård‑Jurik). The protocol makes a black‑box use of the encryption scheme; each gate requires a constant number of ciphertexts and a constant number of encryption/decryption calls, provided m is prime. When m is composite, the scheme can still be applied but the ciphertext size grows with log m. The construction avoids the heavy zero‑knowledge proofs required by earlier threshold homomorphic schemes (e.g., CDN01, DN03) and thus reduces setup cost. The approach also extends naturally to n×n matrix rings over ℤₘ, incurring an n² factor in communication.
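To make the log |R| dependence of the first protocol concrete, here is an added illustration (not the paper's construction) of a Gilboa‑style multiplication of additive shares over ℤₘ in the OT‑hybrid model: the ideal OT is modelled as a trusted function `ideal_ot`, and one OT plus a constant number of ring operations is spent per bit of the receiver's input, so a multiplication gate costs ⌈log₂ m⌉ OTs. The function names and the semi‑honest setting are assumptions of this example.

```python
# Added illustration, not the paper's own protocol: an OT-hybrid-model
# multiplication of additive shares over Z_m (Gilboa-style), where the number
# of ideal OT calls and ring operations is linear in log|R| = ceil(log2 m).
import secrets

def ideal_ot(msg0, msg1, choice):
    """The OT-hybrid model's ideal 1-out-of-2 OT: the receiver learns only
    msg_choice and the sender learns nothing about choice (trusted function)."""
    return msg1 if choice else msg0

def ot_mul_shares(m, a, b):
    """Alice holds a, Bob holds b (both in Z_m). Returns (alice_share,
    bob_share, ot_calls) with alice_share + bob_share = a*b mod m."""
    ell = max(1, (m - 1).bit_length())          # bits needed for b; ell ~ log2 m
    alice_sum, bob_sum, ot_calls = 0, 0, 0
    for i in range(ell):
        s = secrets.randbelow(m)                 # Alice's fresh mask for bit i
        # Alice offers (s, s + a*2^i); Bob selects with the i-th bit of b.
        # A semi-honest Alice uses the same a in every OT; the paper's malicious
        # setting is exactly where this consistency can no longer be assumed.
        t = ideal_ot(s, (s + a * (1 << i)) % m, (b >> i) & 1)
        alice_sum = (alice_sum + s) % m          # sum of masks
        bob_sum = (bob_sum + t) % m              # sum of masks + a*b
        ot_calls += 1
    return (-alice_sum) % m, bob_sum, ot_calls

if __name__ == "__main__":
    sa, sb, calls = ot_mul_shares(101, 37, 58)   # constructed inputs
    print((sa + sb) % 101 == 37 * 58 % 101, calls)
```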
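For the third protocol, here is an added example (not the paper's code) of the semi‑honest core of a homomorphic‑encryption multiplication gate over ℤₘ, instantiated with a toy Paillier scheme whose plaintext group is ℤ_N: the gate spends three ciphertexts and one decryption, i.e. a constant number of calls to the scheme per gate. The tiny primes, the mask r and the names `paillier_keygen`, `enc`, `dec`, `mul_gate` are constructed here, and the malicious‑secure machinery of the paper is omitted.

```python
# Added example, not the paper's protocol: the semi-honest core of a
# homomorphic-encryption multiplication gate over Z_m, instantiated with a
# toy Paillier scheme whose plaintext group is Z_N (so m = N, composite).
# Alice holds shares (a1, b1) plus the secret key; Bob holds (a2, b2).
import secrets
from math import gcd

def paillier_keygen(p, q):
    """Toy Paillier keygen from two constructed primes -> (n, (lam, mu))."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    mu = pow((pow(n + 1, lam, n * n) - 1) // n, -1, n)
    return n, (lam, mu)

def enc(n, m):
    """Enc(m) = (1+n)^m * r^n mod n^2 with r uniform in Z_n^*."""
    r = secrets.randbelow(n)
    while r < 2 or gcd(r, n) != 1:
        r = secrets.randbelow(n)
    return pow(n + 1, m, n * n) * pow(r, n, n * n) % (n * n)

def dec(n, sk, c):
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def mul_gate(n, sk, a1, b1, a2, b2):
    """One multiplication gate on additive shares: returns (c1, c2) with
    c1 + c2 = (a1 + a2) * (b1 + b2) mod n, using three ciphertexts total."""
    ea1, eb1 = enc(n, a1), enc(n, b1)          # Alice -> Bob: 2 ciphertexts
    r = secrets.randbelow(n)                    # Bob's fresh random mask
    # Bob: Enc(a1*b2 + b1*a2 + r) via exponentiation/multiplication of ciphertexts
    cross = pow(ea1, b2, n * n) * pow(eb1, a2, n * n) * enc(n, r) % (n * n)
    c2 = (a2 * b2 - r) % n                      # Bob keeps his share
    c1 = (a1 * b1 + dec(n, sk, cross)) % n      # Bob -> Alice: 1 ciphertext
    return c1, c2

def secure_product(n, sk, x, y):
    """Check helper: share x, y at random, run the gate, reconstruct x*y."""
    a1, b1 = secrets.randbelow(n), secrets.randbelow(n)
    c1, c2 = mul_gate(n, sk, a1, b1, (x - a1) % n, (y - b1) % n)
    return (c1 + c2) % n

if __name__ == "__main__":
    n, sk = paillier_keygen(1009, 1013)         # constructed toy primes
    print(secure_product(n, sk, 4321, 8765) == 4321 * 8765 % n)
```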
All protocols achieve universal composability (UC) in the OT‑hybrid model, meaning they remain secure when composed with arbitrary other protocols that also run in the same model. The security proofs handle malicious adversaries that may abort at any point; the simulation guarantees that any information learned before abort is indistinguishable from the ideal functionality.
Key Technical Contributions and Insights
- Black‑Box Ring Access: By restricting protocols to only invoke ring operations via an oracle, the authors ensure that the protocols are agnostic to the internal representation of ring elements. This is crucial for applications where the ring may be large or its structure unknown to the parties.
- Noisy Linear‑Code Reductions: The central novelty is the reduction from secure arithmetic evaluation to decoding of noisy linear codes. This bridges two previously separate areas—coding theory and secure multiparty computation—and allows the use of well‑studied hardness assumptions (e.g., decoding Reed‑Solomon codes with high noise) to obtain cryptographic security.
- Elimination of Inverses: The ring‑variant protocol works without requiring multiplicative inverses, broadening applicability to non‑field rings such as matrix rings or rings with zero‑divisors.
- Constant‑Overhead for Prime Moduli: The homomorphic‑encryption protocol shows that, for prime m, the per‑gate overhead can be made constant, matching the best known results for Boolean circuits while keeping the primitive simple (just an additively homomorphic encryption scheme).
- UC Security in the OT‑Hybrid Model: By building on the IPS08 framework (which itself builds on IKOS07 and HIKN08), the authors obtain protocols that are composable and secure against adaptive adversaries, even when the adversary can erase data.
Potential Impact and Applications
The protocols enable efficient secure computation for tasks that naturally involve arithmetic over large rings, such as distributed key generation, privacy‑preserving data mining, secure linear algebra, and auction mechanisms. The black‑box nature makes the constructions suitable for settings where the underlying algebraic structure is supplied by a third party or is dynamically chosen. Moreover, the reliance on standard primitives (OT and homomorphic encryption) facilitates implementation using existing libraries.
In summary, the paper delivers a comprehensive suite of protocols for secure arithmetic computation without honest majority, balancing unconditional security, computational efficiency, and minimal cryptographic assumptions, and opens new avenues for applying coding‑theoretic hardness to multiparty computation.