Lower bounds on implementing robust and resilient mediators
- In Fifth Theory of Cryptography Conference, 2008
Cited by 16 (7 self)
Abstract
We provide new and tight lower bounds on the ability of players to implement equilibria using cheap talk, that is, just allowing communication among the players. One of our main results is that, in general, it is impossible to implement three-player Nash equilibria in a bounded number of rounds. We also give the first rigorous connection between Byzantine agreement lower bounds and lower bounds on implementation. To this end we consider a number of variants of Byzantine agreement and introduce reduction arguments. We also give lower bounds on the running time of two-player implementations. All our results extend to lower bounds on (k, t)-robust equilibria, a solution concept that tolerates deviations by coalitions of size up to k and deviations by up to t players with unknown utilities (who may be malicious).
On Combining Privacy with Guaranteed Output Delivery in Secure Multiparty Computation
- In Advances in Cryptology — CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science, 2006
Cited by 9 (2 self)
Abstract
In the setting of multiparty computation, a set of parties wish to jointly compute a function of their inputs, while preserving security in the case that some subset of them are corrupted. The typical security properties considered are privacy, correctness, independence of inputs, guaranteed output delivery and fairness. Until now, all works in this area either considered the case that the corrupted subset of parties constitutes a strict minority, or the case that a half or more of the parties are corrupted. Secure protocols for the case of an honest majority achieve full security and thus output delivery and fairness are guaranteed. However, the security of these protocols is completely compromised if there is no honest majority. In contrast, protocols for the case of no honest majority do not guarantee output delivery, but do provide privacy, correctness and independence of inputs for any number of corrupted parties. Unfortunately, an adversary controlling only a single party can disrupt the computation of these protocols and prevent output delivery. In this paper, we study the possibility of obtaining general protocols for multiparty computation that simultaneously guarantee security (allowing abort) in the case that an arbitrary number of parties are corrupted and full security (including guaranteed output delivery) in the case that only a minority of the parties are corrupted. That is, we wish to obtain the best of both worlds in a single protocol, depending on the corruption case. We obtain both positive and negative results on this question, depending on the type of the functionality to be computed (standard or reactive) and the type of dishonest majority (semi-honest or malicious).
On achieving the “best of both worlds” in secure multiparty computation
- In Proceedings of the 39th Annual ACM Symposium on Theory of Computing, 2007
Cited by 9 (3 self)
Abstract
Two settings are typically considered for secure multiparty computation, depending on whether or not a majority of the parties are assumed to be honest. Protocols designed under this assumption provide “full security” (and, in particular, guarantee output delivery and fairness) when this assumption is correct; however, if half or more of the parties are dishonest then security is completely compromised. On the other hand, protocols tolerating arbitrarily many faults do not provide fairness or guaranteed output delivery even if only a single party is dishonest. It is natural to wonder whether it is possible to achieve the “best of both worlds”: namely, a single protocol that simultaneously achieves the best possible security in both the above settings. Ishai et al. (Crypto 2006) recently addressed this question, and ruled out constant-round protocols of this type. As our main result, we completely settle the question by ruling out protocols using any (expected) polynomial number of rounds. Given this stark negative result, we then ask what can be achieved if we are willing to assume simultaneous message transmission (or, equivalently, a non-rushing adversary). In this setting, we show that impossibility still holds for logarithmic-round protocols. We also show, for any polynomial p, a protocol (whose round complexity depends on p) that can be simulated to within closeness O(1/p).
Cryptologic Research Byzantine Agreement Given Partial Broadcast ∗
- 2005
Abstract
This paper considers unconditionally secure protocols for reliable broadcast among a set of n players, where up to t of the players can be corrupted by a (Byzantine) adversary but the remaining h = n−t players remain honest. In the standard model with a complete, synchronous network of bilateral authenticated communication channels among the players, broadcast is achievable if and only if 2n/h < 3. We show that, by extending this model by the existence of partial broadcast channels among subsets of b players, global broadcast can be achieved if and only if the number h of honest players satisfies 2n/h < b+1. Achievability is demonstrated by protocols with communication and computation complexities polynomial in the size of the network, i.e., in the number of partial broadcast channels. A respective characterization for the related consensus problem is also given.
Key words. Broadcast, Byzantine agreement, unconditional security.
∗ Preliminary versions of the results presented in this article were reported in [25], [9], [19], [10], and [20].
Optimally Hybrid-Secure MPC
Abstract
Most protocols for multi-party computation (MPC) are secure either against information-theoretic (IT) or against computationally bounded adversaries. Hybrid-secure MPC protocols guarantee different levels of security, depending on the power of the adversary. We present a hybrid-secure MPC protocol that provides an optimal trade-off between IT robustness and computational privacy: for any robustness parameter ρ < n/2 we obtain an MPC protocol that is simultaneously IT secure with robustness for up to t ≤ ρ actively corrupted parties, IT secure with fairness (no robustness) for up to t < n/2, and computationally secure with agreement on abort (no fairness) for up to t < n − ρ. Our construction is secure in the universal composability (UC) framework (with broadcast and CRS), and achieves the bounds of Ishai et al. [CRYPTO’06], Katz [STOC’07], and Cleve [STOC’86] on trade-offs between robustness and privacy, and on fairness. For example, in the special case ρ = 0 our protocol simultaneously achieves non-robust MPC for up to t < n corrupted parties in the computational setting (like Goldreich et al. [STOC’87]) while providing security with fairness in the IT setting for up to t < n/2 corrupted parties (like Rabin and Ben-Or [STOC’89], though without robustness). A crucial technique in our construction is player emulation, first suggested by Chaum [CRYPTO’89]. In this work we provide a formal and detailed treatment of emulated players in the UC setting.

