Separating Broadcast from Cheater Identification

Secure Multiparty Computation (MPC) protocols that achieve Identifiable Abort (IA) guarantee honest parties that if they are denied output, they will be notified of the identity of at least one corrupt party. Cheater identification provides recourse in the event of a protocol failure, and in some settings-such as key management-can even be desired over Guaranteed Output Delivery. However, unlike the weaker security with abort setting, IA protocols make integral use of a broadcast channel. In this work, we call attention to the fact that instantiating the broadcast channel itself-commonly overlooked in prior works on IA-may be the most complex and expensive component in deployments. For instance in ECDSA key management, broadcast would clearly dominate the cost of the secure computation (i.e. threshold signing). We therefore initiate a deeper investigation into the relationship between cheater identification and broadcast. As prior work has shown that the traditional notion of IA implies broadcast, we show that this connection can be circumvented: we allow honest parties to differ in which cheaters they identify, however with the ability to prove claims of cheating to any external auditor. We construct an honest majority threshold ECDSA signing protocol that offers our new notion of Provable Identifiable Selective Abort (PISA) without a traditional broadcast channel. This enables an efficient and easily deployable cheater identification mechanism for distributed key management. Our benchmarks show that with a signing threshold t=10, the computational burden of the worst case execution path is under 500ms on standard hardware. Furthermore, we generalize our methodology: we show that any MPC protocol that achieves IA with r broadcasts can be compiled to one that achieves PISA with 2(r + 1) point to point rounds.