A protocol for computing a functionality is secure if an adversary in this protocol cannot cause more harm than in an ideal computation, where parties give their inputs to a trusted party that returns the output of the functionality to all parties. In particular, in the ideal model, such computation is fair—if the corrupted parties get the output, then the honest parties get the output. Cleve (STOC 1986) proved that, in general, fairness is not possible without an honest majority. To overcome this impossibility, Gordon and Katz (Eurocrypt 2010) suggested a relaxed definition—1/p-secure computation—which guarantees partial fairness. For two parties, they constructed 1/p-secure protocols for functionalities for which the size of either their domain or their range is polynomial (in the security parameter). Gordon and Katz ask whether their results can be extended to multiparty protocols. We study 1/p-secure protocols in the multiparty setting for general functionalities. Our main result is constructions of 1/p-secure protocols that are resilient against any number of corrupted parties provided that the number of parties is constant and the size of the range of the functionality is at most polynomial (in the security parameter $${n}$$ ). If fewer than 2/3 of the parties are corrupted, the size of the domain of each party is constant, and the functionality is deterministic, then our protocols are efficient even when the number of parties is $$\log \log {n}$$ . On the negative side, we show that when the number of parties is super-constant, 1/p-secure protocols are not possible when the size of the domain of each party is polynomial. Thus, our feasibility results for 1/p-secure computation are essentially tight. We further motivate our results by constructing protocols with stronger guarantees: If in the execution of the protocol there is a majority of honest parties, then our protocols provide full security. However, if only a minority of the parties are honest, then our protocols are 1/p-secure. Thus, our protocols provide the best of both worlds, where the 1/p-security is only a fall-back option if there is no honest majority.

中文翻译：

---

$${\varvec{1/p}}$$-没有诚实多数和两全其美的安全多方计算

如果该协议中的对手不能造成比理想计算中更大的伤害，则用于计算功能的协议是安全的，在理想计算中，各方将其输入提供给受信任方，该方将功能输出返回给所有各方。特别是在理想模型中，这样的计算是公平的——如果腐败方得到输出，那么诚实方得到输出。Cleve (STOC 1986) 证明，一般来说，没有诚实的多数，公平是不可能的。为了克服这种不可能性，Gordon 和 Katz（Eurocrypt 2010）提出了一个宽松的定义——1/p-安全计算——它保证了部分公平。对于两方，他们为功能构建了 1/p-secure 协议，这些功能的域或范围的大小是多项式（在安全参数中）。Gordon 和 Katz 询问他们的结果是否可以扩展到多方协议。我们研究了多方设置中的 1/p-secure 协议以实现一般功能。我们的主要结果是构建 1/p-secure 协议，该协议可以抵御任何数量的损坏方，前提是参与方的数量是恒定的，并且功能范围的大小至多是多项式（在安全参数 $${ n}$$）。如果少于 2/3 的参与方被破坏，每一方的域大小不变，并且功能是确定性的，那么即使参与方的数量为 $$\log \log {n}，我们的协议也是有效的$$ 。在消极方面，我们表明当参与方的数量是超常量时，当每一方的域大小是多项式时，1/p 安全协议是不可能的。因此，我们对于 1/p-secure 计算的可行性结果基本上是严格的。我们通过构建具有更强保证的协议来进一步激发我们的结果：如果在协议的执行中有大多数诚实的参与方，那么我们的协议就提供了完全的安全性。然而，如果只有少数方是诚实的，那么我们的协议是 1/p 安全的。因此，我们的协议提供了两全其美的优势，如果没有诚实的多数，1/p-security 只是一个后备选项。