International Association for Cryptologic Research

IACR News item: 04 August 2023

Ivan Damgård, Divya Ravi, Luisa Siniscalchi, Sophia Yakoubov
ePrint Report
In this paper we continue the study of two-round broadcast-optimal MPC, where broadcast is used in one of the two rounds, but not in both. We consider the realistic scenario where the round that does not use broadcast is asynchronous. Since a first asynchronous round (even when followed by a round of broadcast) does not admit any secure computation, we introduce a new notion of asynchrony which we call $(t_d, t_m)$-asynchrony. In this new notion of asynchrony, an adversary can delay or drop up to $t_d$ of a given party's incoming messages; we refer to $t_d$ as the deafness threshold. Similarly, the adversary can delay or drop up to $t_m$ of a given party's outgoing messages; we refer to $t_m$ as the muteness threshold.

We determine which notions of secure two-round computation are achievable when the first round is $(t_d, t_m)$-asynchronous, and the second round is over broadcast. Similarly, we determine which notions of secure two-round computation are achievable when the first round is over broadcast, and the second round is (fully) asynchronous. We consider three cases: when a PKI is available; when only a CRS is available but private communication in the first round is possible; and when only a CRS is available and no private communication is possible before the parties have had a chance to exchange public keys.