Results 1 - 10 of 59
Multiparty Communication Complexity, 1989
Cited by 536 (20 self)
A given Boolean function has its input distributed among many parties. The aim is to determine which parties to talk to and what information to exchange with each of them in order to evaluate the function while minimizing the total communication. This paper shows that it is possible to obtain the Boolean answer deterministically with only a polynomial increase in communication with respect to the information lower bound given by the nondeterministic communication complexity of the function.
Fast Randomized Consensus using Shared Memory - Journal of Algorithms, 1988
Cited by 115 (31 self)
We give a new randomized algorithm for achieving consensus among asynchronous processes that communicate by reading and writing shared registers. The fastest previously known algorithm has exponential expected running time. Our algorithm is polynomial, requiring an expected O(n^4) operations. Applications of this algorithm include the elimination of critical sections from concurrent data structures and the construction of asymptotically unbiased shared coins.
Perfectly Secure Message Transmission, 1990
Cited by 88 (3 self)
We study the problem of perfectly secure communication in a general network in which processors and communication lines may be faulty. Lower bounds are obtained on the connectivity required for successful secure communication. Efficient algorithms are obtained that operate with this connectivity and rely on no complexity-theoretic assumptions. These are the first algorithms for secure communication in a general network to simultaneously achieve the three goals of perfect secrecy, perfect resiliency, and worst case time linear in the diameter of the network.
The Round Complexity of Secure Protocols, 1990
Cited by 80 (2 self)
Donald Beaver (Harvard University), Silvio Micali (MIT), Phillip Rogaway (MIT). Abstract: In a network of n players, each player i having private input x_i, we show how the players can collaboratively evaluate a function f(x_1, ..., x_n) in a way that does not compromise the privacy of the players' inputs, and yet requires only a constant number of rounds of interaction. The underlying model of computation is a complete network of private channels, with broadcast, and a majority of the players must behave honestly. Our solution assumes the existence of a one-way function. 1 Introduction. Secure function evaluation. Assume we have n parties, 1, ..., n; each party i has a private input x_i known only to him. The parties want to correctly evaluate a given function f on their inputs, that is to compute y = f(x_1, ..., x_n), while maintaining the privacy of their own inputs. That is, they do not want to reveal more than the value y implicitly reveals. Secure function evaluat...
Fully Polynomial Byzantine Agreement for n>3t Processors in t+1 Rounds - SIAM Journal of Computing, 1998
Cited by 56 (5 self)
This paper presents a polynomial-time protocol for reaching Byzantine agreement in t + 1 rounds whenever n > 3t, where n is the number of processors and t is an a priori upper bound on the number of failures. This resolves an open problem presented by Pease, Shostak and Lamport in 1980. An early-stopping variant of this protocol is also presented, reaching agreement in a number of rounds that is proportional to the number of processors that actually fail. SICOMP 27-1 (1998), pp.247-290. Key words. Byzantine agreement, consensus, distributed computing, fault tolerance, computer security. AMS subject classifications. 68M10, 68M15, 68Q22, 94C12. 1. Introduction. The Byzantine agreement problem (BA), introduced by Pease, Shostak and Lamport in [22], is recognized as a fundamental problem in fault-tolerant distributed computing. Over the last decade or more, the problem has received a great deal of attention in the literature, and has become a testbed for a variety of models for distrib...
The Dining Cryptographers in the Disco: Unconditional Sender and Recipient Untraceability with Computationally Secure Serviceability, 1989
Cited by 55 (1 self)
In Journal of Cryptology 1/1 (1988) 65-75 ( = [Chau_88]), David Chaum describes a beautiful technique, the DC-net, which should allow participants to send and receive messages anonymously in an arbitrary network. The untraceability of the senders is proved to be unconditional, but that of the recipients implicitly assumes a reliable broadcast network. This assumption is unrealistic in some networks, but it can be removed completely by using the fail-stop key generation schemes by Waidner (these proceedings, = [Waid_89]). In both cases, however, each participant can untraceably and permanently disrupt the entire DC-net. We present a protocol which guarantees unconditional untraceability, the original goal of the DC-net, on the inseparability assumption (i.e. the attacker must be unable to prevent honest participants from communicating, which is considerably less than reliable broadcast), and computationally secure serviceability: Computationally restricted disrupters can be identified and removed from the DC-net. On the one hand, our solution is based on the lovely idea by David Chaum [Chau_88 § 2.5] of setting traps for disrupters. He suggests a scheme to guarantee unconditional untraceability and computationally secure serviceability, too, but on the reliable broadcast assumption. The same scheme seems to be used by
Complete characterization of adversaries tolerable in secure multi-party computation - Proc. 16th ACM Symposium on Principles of Distributed Computing (PODC), 1997
Cited by 53 (8 self)
The classical results in unconditional multi-party computation among a set of n players state that less than n/2 passive or less than n/3 active adversaries can be tolerated; assuming a broadcast channel the threshold for active adversaries is n/2. Strictly generalizing these results we specify the set of potentially misbehaving players as an arbitrary set of subsets of the player set. We prove the necessary and sufficient conditions for the existence of secure multi-party protocols in terms of the potentially misbehaving player sets. For every function there exists a protocol secure against a set of potential passive collusions if and only if no two of these collusions add up to the full player set. The same condition applies for active adversaries when assuming a broadcast channel. Without broadcast channels, for every function there exists a protocol secure against a set of potential active adverse player sets if and only if no three of these sets add up to the full player set. The complexities of the protocols not using a broadcast channel are polynomial, that of the protocol with broadcast is only slightly higher.
Maintaining Authenticated Communication in the Presence of Break-ins - Journal of Cryptology, 1998
Cited by 37 (6 self)
We study the problem of maintaining authenticated communication over untrusted communication channels, in a scenario where the communicating parties may be occasionally and repeatedly broken into for transient periods of time. Once a party is broken into, its cryptographic keys are exposed and perhaps modified. Yet, we want parties whose security is thus compromised to regain their ability to communicate in an authenticated way aided by other parties. In this work we present a mathematical model for this highly adversarial setting, exhibiting salient properties and parameters, and then describe a practically-appealing protocol for the task of maintaining authenticated communication in this model. A key element in our solution is devising proactive distributed signature (PDS) schemes in our model. Although PDS schemes are known in the literature, they are all designed for a model where authenticated communication and broadcast primitives are available. We therefore show how t...
Unconditional Sender and Recipient Untraceability in spite of Active Attacks, 1989
Cited by 34 (1 self)
A protocol is described which allows to send and receive messages anonymously using an arbitrary communication network, and it is proved to be unconditionally secure. This improves a result by David Chaum: The DC-net guarantees the same, but on the assumption of a reliable broadcast network. Since unconditionally secure Byzantine Agreement cannot be achieved, such a reliable broadcast network cannot be realized by algorithmic means. The solution proposed here, the DC+-net, uses the DC-net, but replaces the reliable broadcast network by a fail-stop one. By choosing the keys necessary for the DC-net dependently on the previously broadcast messages, the fail-stop broadcast can be achieved unconditionally secure and without increasing the complexity of the DC-net significantly, using an arbitrary communication network. Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General --- Security and protection, E.3 [Data Encryption], F.2.1 [Analysis of Algorithms...
Fault-tolerant data structures - In Proceedings of 37th IEEE FOCS, 1996
Cited by 29 (1 self)
We consider the tolerance of data structures to memory faults. We observe that many pointer-based data structures (e.g. linked lists, trees, etc.) are highly nonresilient to faults. A single fault in a linked list or tree may result in the loss of the entire set of data. In this paper we present a formal framework for studying the fault tolerance properties of pointer-based data structures, and we provide fault tolerant versions of the stack, the linked list, and the dictionary tree.

