International Association
for Cryptologic Research

We study the problem of how to efficiently outsource a sensitive computation on secret inputs to a number of untrusted workers, under the assumption that at least one worker is honest.

In our setting there are a number of clients $C_1,\ldots,C_n$ with inputs $x_1,\ldots,x_n$. The clients want to delegate a secure computation of $f(x_1,\ldots,x_n)$ to a set of untrusted workers $W_1,\ldots,W_m$. We want do so in such a way that as long as there is at least one honest worker (and everyone else might be actively corrupted) the following holds: * the privacy of the inputs is preserved; * output of the computation is correct (in particular workers cannot change the inputs of honest clients).

We propose a solution where the clients' work is minimal and the interaction pattern simple (one message to upload inputs, one to receive results), while at the same time reducing the overhead for the workers to a minimum. Our solution is generic and can be instantiated with any underlying reactive MPC protocol where linear operations are ``for free''. In contrast previous solutions were less generic and could only be instantiated for specific numbers of clients/workers.