MPC for Tech Giants (GMPC): Enabling Gulliver and the Lilliputians to Cooperate Amicably

TL;DR

This paper introduces the GMPC model, enabling secure multi-party computation between a powerful server and many less powerful users with polylogarithmic complexity, and provides protocols for secure computation of various functions.

Contribution

The paper develops the GMPC model and presents a secure committee election protocol, enabling efficient secure computation of functions with polylogarithmic size and depth, including sorting, without relying on FHE.

Findings

Secure protocols for GMPC model with malicious adversaries.

Efficient secure computation of functions with polylogarithmic size and depth.

Sorting securely computed in GMPC, impacting differential privacy applications.

Abstract

In this work, we introduce the Gulliver multi-party computation model (GMPC). The GMPC model considers a single highly powerful party, called the server or Gulliver, that is connected to $n$ users over a star topology network (alternatively formulated as a full network, where the server can block any message). The users are significantly less powerful than the server, and, in particular, should have both computation and communication complexities that are polylogarithmic in $n$. Protocols in the GMPC model should be secure against malicious adversaries that may corrupt a subset of the users and/or the server. Designing protocols in the GMPC model is a delicate task, since users can only hold information about polylog(n) other users (and, in particular, can only communicate with polylog(n) other users). In addition, the server can block any message between any pair of honest parties. Thus, reaching an agreement becomes a challenging task. Nevertheless, we design generic protocols in the GMPC model, assuming that at most $\alpha<1/6$ fraction of the users may be corrupted (in addition to the server). Our main contribution is a variant of Feige's committee election protocol [FOCS 1999] that is secure in the GMPC model. Given this tool we show: 1. Assuming fully homomorphic encryption (FHE), any computationally efficient function with $O\left(n\cdot polylog(n)\right)$-size output can be securely computed in the GMPC model. 2. Any function that can be computed by a circuit of $O(polylog(n))$ depth, $O\left(n\cdot polylog(n)\right)$ size, and bounded fan-in and fan-out can be securely computed in the GMPC model without assuming FHE. 3. In particular, sorting can be securely computed in the GMPC model without assuming FHE. This has important applications for the shuffle model of differential privacy, and resolves an open question of Bell et al. [CCS 2020].