Complete Fairness in Secure Two-Party Computation


S. Dov Gordon, Carmit Hazay, Jonathan Katz, Yehuda Lindell

Abstract. In the setting of secure two-party computation, two mutually distrusting parties wish to compute some function of their inputs while preserving, to the extent possible, various security properties such as privacy, correctness, and more. One desirable property is fairness which guarantees, informally, that if one party receives its output, then the other party does too. Cleve (STOC 1986) showed that complete fairness cannot be achieved in general without an honest majority. Since then, the accepted folklore has been that nothing non-trivial can be computed with complete fairness in the two-party setting. We demonstrate that this folklore belief is false by showing completely fair protocols for various non-trivial functions in the two-party setting based on standard cryptographic assumptions. We first show feasibility of obtaining complete fairness when computing any function over polynomial-size domains that does not contain an "embedded XOR"; this class of functions includes boolean AND/OR as well as Yao's millionaires' problem. We also demonstrate feasibility for certain functions that do contain an embedded XOR, and prove a lower bound showing that any completely fair protocol for such functions must have round complexity super-logarithmic in the security parameter. Our results demonstrate that the question of completely fair secure computation without an honest majority is far from closed.

Keywords: cryptography, secure computation, fairness, distributed computing

Affiliations: Dept. of Computer Science, Columbia University (work done while at the University of Maryland). Dept. of Computer Science, Aarhus University (work done while at Bar-Ilan University). Dept. of Computer Science, University of Maryland (work supported by NSF grants # and #, and US-Israel Binational Science Foundation grant #). Dept. of Computer Science, Bar-Ilan University (work supported by US-Israel Binational Science Foundation grant #).
1 Introduction

In the setting of secure computation, a set of parties wish to run some protocol for computing a function of their inputs while preserving, to the extent possible, security properties such as privacy, correctness, input independence, etc. These requirements, and more, are formalized by comparing a real-world execution of the protocol to an ideal world where there is a trusted entity who performs the computation on behalf of the parties. Informally, a protocol is secure if for any real-world adversary A there exists a corresponding ideal-world adversary S (corrupting the same parties as A) such that the result of executing the protocol in the real world with A is computationally indistinguishable from the result of computing the function in the ideal world with S.

One desirable property is fairness which, intuitively, means that either everyone receives the output, or else no one does. Unfortunately, it has been shown by Cleve [11] that complete fairness^1 is impossible to achieve in general when a majority of parties is not honest (which, in particular, includes the two-party setting); specifically, Cleve rules out completely fair coin tossing, which implies the impossibility of computing boolean XOR with complete fairness. Since Cleve's work, the accepted folklore has been that nothing non-trivial can be computed with complete fairness without an honest majority, and researchers have simply resigned themselves to being unable to achieve this goal. Indeed, the standard formulation of secure computation (see [18]) posits two ideal worlds, and two corresponding definitions of security: one that incorporates fairness and is used when a majority of the parties are assumed to be honest (we refer to the corresponding definition as "security with complete fairness"), and one that does not incorporate fairness and is used when an arbitrary number of parties may be corrupted (we refer to the corresponding definition as "security with abort", since the adversary in this case may abort the protocol once it receives its output).

Protocols achieving security with complete fairness when a majority of parties are honest, for arbitrary functionalities, are known (assuming a broadcast channel) [19, 5, 9, 1, 30], as are protocols achieving security with abort for any number of corrupted parties (under suitable cryptographic assumptions) [19, 18]. Since the work of Cleve, however, there has been no progress toward a better understanding of complete fairness without an honest majority. No further impossibility results have been shown (i.e., other than those that follow trivially from Cleve's result), nor have any completely fair protocols for any non-trivial^2 functions been constructed. In short, the question of fairness without an honest majority has been treated as closed for over two decades.

1.1 Our Results

Cleve's work shows that certain functions cannot be computed with complete fairness without an honest majority. The folklore interpretation of this result seems to have been that nothing (non-trivial) can be computed with complete fairness without an honest majority. Surprisingly, we show that this folklore is false by demonstrating that many interesting and non-trivial functions can be computed with complete fairness in the two-party setting. Our positive results can be based on standard cryptographic assumptions such as the existence of enhanced trapdoor permutations. (Actually, our results can be based on the minimal assumption that oblivious transfer is possible.)

^1 Various notions of partial fairness have also been considered; see Section 1.2 for a brief discussion.
^2 It is not hard to see that some trivial functions (e.g., the constant function) can be computed with complete fairness. Furthermore, any function that depends on only one party's input can be computed with complete fairness, as can any function where only one party receives output. We consider such functions trivial in this context.
Our first result concerns functions without an "embedded XOR", where a function f is said to have an embedded XOR if there exist inputs $x_0, x_1, y_0, y_1$ such that $f(x_0, y_0) = f(x_1, y_1) \neq f(x_0, y_1) = f(x_1, y_0)$. We show:

Theorem. Let f be a two-input boolean function defined over polynomial-size domains that does not contain an embedded XOR. Then, under suitable cryptographic assumptions, there exists a protocol for securely computing f with complete fairness.

This result is described in Section 3. The round complexity of our protocol in this case is linear in the size of the domains, hence the restriction that the domains be of polynomial size. Examples of functions without an embedded XOR include boolean OR and AND, as well as Yao's millionaires' problem [31] (i.e., the greater-than function). We remark that even simple functions such as OR/AND are non-trivial in the context of secure two-party computation since they cannot be computed with information-theoretic privacy [10] and are in fact complete for two-party secure computation with abort [24].

Recall that Cleve's result rules out completely fair computation of boolean XOR. Given this and the fact that our first result applies only to functions without an embedded XOR, a natural conjecture is that the presence of an embedded XOR serves as a barrier to completely fair computation of a given function. Our next result shows that this conjecture is false:

Theorem. Under suitable cryptographic assumptions, there exist two-input boolean functions containing an embedded XOR that can be securely computed with complete fairness.

This result is described in Section 4. The round complexity of the protocol here is super-logarithmic in the security parameter. We show that this is, in fact, inherent:

Theorem. Let f be a two-party function containing an embedded XOR. Then any protocol securely computing f with complete fairness (assuming one exists) requires $\omega(\log n)$ rounds.
Our proof of the above is reminiscent of Cleve's proof [11], except that Cleve only needed to consider the adversary's ability to bias a coin toss, whereas we must jointly consider both bias and privacy (since, for certain functions containing an embedded XOR, it is possible for an adversary to bias the output even in the ideal world). This makes the proof considerably more complex.

1.2 Related Work

Questions of fairness have been studied since the early days of secure computation. Previous work has been dedicated to achieving various relaxations of fairness (i.e., "partial fairness"), both for the case of specific functionalities like coin tossing [11, 12, 28] and contract signing/exchanging secrets [6, 26, 14, 4, 13], as well as for the case of general functionalities [32, 16, 3, 20, 15, 7, 29, 17, 22]. While relevant, such work is tangential to our own: here, rather than try to achieve partial fairness for all functionalities, we are interested in obtaining complete fairness and then ask for which functionalities this is possible.

1.3 Open Questions

We have shown the first positive results for completely-fair secure computation of non-trivial functionalities without an honest majority. This reopens an area of research that was previously thought to be closed, and leaves many tantalizing open directions to explore. The most pressing question left open by this work is to provide a tight characterization of which boolean functions can be computed with complete fairness in the two-party setting. More generally, the positive results shown here apply only to deterministic, single-output,^3 boolean functions defined over polynomial-size domains. Relaxing any of these restrictions in a non-trivial way (or proving the impossibility of doing so) would be an interesting next step. Finally, what can be said with regard to complete fairness in the multi-party setting without honest majority? (This question is interesting both with and without the assumption of a broadcast channel.) Initial feasibility results have been shown [21], but much work remains to be done.

2 Definitions

We let n denote the security parameter. A function $\mu(\cdot)$ is negligible if for every positive polynomial $p(\cdot)$ and all sufficiently large n it holds that $\mu(n) < 1/p(n)$. A distribution ensemble $X = \{X(a, n)\}_{a \in D_n,\, n \in \mathbb{N}}$ is an infinite sequence of random variables indexed by $a \in D_n$ and $n \in \mathbb{N}$, where $D_n$ is a set that may depend on n. (Looking ahead, n will be the security parameter and $D_n$ will denote the domain of the parties' inputs.) Two distribution ensembles $X = \{X(a, n)\}_{a \in D_n,\, n \in \mathbb{N}}$ and $Y = \{Y(a, n)\}_{a \in D_n,\, n \in \mathbb{N}}$ are computationally indistinguishable, denoted $X \stackrel{c}{\equiv} Y$, if for every non-uniform polynomial-time algorithm D there exists a negligible function $\mu(\cdot)$ such that for every n and every $a \in D_n$

$$\bigl|\Pr[D(X(a, n)) = 1] - \Pr[D(Y(a, n)) = 1]\bigr| \le \mu(n).$$

The statistical difference between two distributions $X(a, n)$ and $Y(a, n)$ is defined as

$$\mathrm{SD}\bigl(X(a, n), Y(a, n)\bigr) = \frac{1}{2} \sum_{s} \bigl|\Pr[X(a, n) = s] - \Pr[Y(a, n) = s]\bigr|,$$

where the sum ranges over s in the support of either $X(a, n)$ or $Y(a, n)$. Two distribution ensembles $X = \{X(a, n)\}_{a \in D_n,\, n \in \mathbb{N}}$ and $Y = \{Y(a, n)\}_{a \in D_n,\, n \in \mathbb{N}}$ are statistically close, denoted $X \stackrel{s}{\equiv} Y$, if there is a negligible function $\mu(\cdot)$ such that for every n and every $a \in D_n$, it holds that $\mathrm{SD}(X(a, n), Y(a, n)) \le \mu(n)$.

Functionalities. In the two-party setting, a functionality $\mathcal{F} = \{f_n\}_{n \in \mathbb{N}}$ is a sequence of randomized processes, where each $f_n$ maps pairs of inputs to pairs of outputs (one for each party).
We write $f_n = (f_n^1, f_n^2)$ if we wish to emphasize the two outputs of $f_n$, but stress that if $f_n^1$ and $f_n^2$ are randomized then the outputs of $f_n^1$ and $f_n^2$ are correlated random variables. The domain of $f_n$ is $X_n \times Y_n$, where $X_n$ (resp., $Y_n$) denotes the possible inputs of the first (resp., second) party.^4 If $|X_n|$ and $|Y_n|$ are polynomial in n, then we say that $\mathcal{F}$ is defined over polynomial-size domains. If each $f_n$ is deterministic we will refer to each $f_n$, as well as the collection $\mathcal{F}$, as a function.

2.1 Secure Two-Party Computation with Complete Fairness

In what follows, we define what we mean by a secure protocol. Our definition follows the standard definition of [18] (based on [20, 27, 2, 8]) except that we require complete fairness even though we are in the two-party setting. (Thus, our definition is equivalent to the one in [18] for the case of an honest majority, even though we do not have an honest majority.) We consider active (i.e., malicious) adversaries, who may deviate from the protocol arbitrarily, and static corruptions.

^3 I.e., where both parties receive the same output.
^4 The typical convention in secure computation is to let $f_n = f$ and $X_n = Y_n = \{0,1\}^*$ for all n. We will be dealing with functions defined over polynomial-size domains, which is why we introduce this notation.
Two-party computation. A two-party protocol for computing a functionality $\mathcal{F} = \{(f_n^1, f_n^2)\}$ is a protocol running in polynomial time and satisfying the following functional requirement: if party $P_1$ begins by holding $1^n$ and input $x \in X_n$, and party $P_2$ holds $1^n$ and input $y \in Y_n$, then the joint distribution of the outputs of the parties is statistically close to $(f_n^1(x, y), f_n^2(x, y))$.

Security of protocols (informal). The security of a protocol is analyzed by comparing what an adversary can do in a real protocol execution to what it can do in an ideal scenario that is secure by definition. This is formalized by considering an ideal computation involving an incorruptible trusted party to whom the parties send their inputs. The trusted party computes the functionality on the inputs and returns to each party its respective output. Loosely speaking, a protocol is secure if any adversary interacting in the real protocol (where no trusted party exists) can do no more harm than if it were involved in the above-described ideal computation. We assume an adversary who corrupts one of the parties. It is also meaningful to consider an eavesdropping adversary who corrupts neither of the parties (and should learn nothing from the execution), but such an adversary is easily handled and is not very interesting in our setting.

Execution in the ideal model. The parties are $P_1$ and $P_2$, and there is an adversary A who has corrupted one of them. An ideal execution for the computation of $\mathcal{F} = \{f_n\}$ proceeds as follows:

Inputs: $P_1$ and $P_2$ hold the same value $1^n$, and their inputs $x \in X_n$ and $y \in Y_n$, respectively; the adversary A receives an auxiliary input z.

Send inputs to trusted party: The honest party sends its input to the trusted party. The corrupted party controlled by A may send any value of its choice. Denote the pair of inputs sent to the trusted party by $(x', y')$.

Trusted party sends outputs: If $x' \notin X_n$ the trusted party sets $x'$ to some default input in $X_n$; likewise if $y' \notin Y_n$ the trusted party sets $y'$ equal to some default input in $Y_n$. Then the trusted party chooses r uniformly at random and sends $f_n^1(x', y'; r)$ to party $P_1$ and $f_n^2(x', y'; r)$ to party $P_2$.

Outputs: The honest party outputs whatever it was sent by the trusted party, the corrupted party outputs nothing, and A outputs an arbitrary (probabilistic polynomial-time computable) function of its view.

We let $\mathrm{ideal}_{\mathcal{F}, A(z)}(x, y, n)$ be the random variable consisting of the output of the adversary and the output of the honest party following an execution in the ideal model as described above.

Execution in the real model. We next consider the real model in which a two-party protocol π is executed by $P_1$ and $P_2$ (and there is no trusted party). In this case, the adversary A gets the inputs of the corrupted party and sends all messages on behalf of this party, using an arbitrary polynomial-time strategy. The honest party follows the instructions of π.

Let $\mathcal{F}$ be as above and let π be a two-party protocol computing $\mathcal{F}$. Let A be a non-uniform probabilistic polynomial-time machine with auxiliary input z. We let $\mathrm{real}_{\pi, A(z)}(x, y, n)$ be the random variable consisting of the view of the adversary and the output of the honest party, following an execution of π where $P_1$ begins by holding $1^n$ and input x and $P_2$ begins by holding $1^n$ and y.

Security as emulation of an ideal execution in the real model. Having defined the ideal and real models, we can now define security of a protocol. Loosely speaking, the definition asserts that a secure protocol (in the real model) emulates the ideal model (in which a trusted party exists). This is formulated as follows:
Definition 2.1 Protocol π is said to securely compute $\mathcal{F}$ with complete fairness if for every non-uniform probabilistic polynomial-time adversary A in the real model, there exists a non-uniform probabilistic polynomial-time adversary S in the ideal model such that

$$\bigl\{\mathrm{ideal}_{\mathcal{F}, S(z)}(x, y, n)\bigr\}_{(x, y) \in X_n \times Y_n,\ z \in \{0,1\}^*,\ n \in \mathbb{N}} \ \stackrel{c}{\equiv}\ \bigl\{\mathrm{real}_{\pi, A(z)}(x, y, n)\bigr\}_{(x, y) \in X_n \times Y_n,\ z \in \{0,1\}^*,\ n \in \mathbb{N}}.$$

2.2 Secure Two-Party Computation With Abort

This definition is the standard one for secure two-party computation [18] in that it allows early abort; i.e., the adversary may receive its own output even though the honest party does not. We again let $P_1$ and $P_2$ denote the two parties, and consider an adversary A who has corrupted one of them. The only change from the definition in Section 2.1 is with regard to the ideal model for computing $\mathcal{F} = \{f_n\}$, which is now defined as follows:

Inputs: As previously.

Send inputs to trusted party: As previously.

Trusted party sends output to corrupted party: If $x' \notin X_n$ the trusted party sets $x'$ to some default input in $X_n$; likewise if $y' \notin Y_n$ the trusted party sets $y'$ equal to some default input in $Y_n$. Then the trusted party chooses r uniformly at random, computes $z_1 = f_n^1(x', y'; r)$ and $z_2 = f_n^2(x', y'; r)$, and sends $z_i$ to the corrupted party $P_i$ (i.e., to the adversary A).

Adversary decides whether to abort: After receiving its output (as described above), the adversary either sends abort or continue to the trusted party. In the former case the trusted party sends $\bot$ to the honest party $P_j$, and in the latter case the trusted party sends $z_j$ to $P_j$.

Outputs: As previously.

We let $\mathrm{ideal}^{\mathrm{abort}}_{\mathcal{F}, A(z)}(x, y, n)$ be the random variable consisting of the output of the adversary and the output of the honest party following an execution in the ideal model as described above.
Definition 2.2 Protocol π is said to securely compute $\mathcal{F}$ with abort if for every non-uniform probabilistic polynomial-time adversary A in the real model, there exists a non-uniform probabilistic polynomial-time adversary S in the ideal model such that

$$\bigl\{\mathrm{ideal}^{\mathrm{abort}}_{\mathcal{F}, S(z)}(x, y, n)\bigr\}_{(x, y) \in X_n \times Y_n,\ z \in \{0,1\}^*,\ n \in \mathbb{N}} \ \stackrel{c}{\equiv}\ \bigl\{\mathrm{real}_{\pi, A(z)}(x, y, n)\bigr\}_{(x, y) \in X_n \times Y_n,\ z \in \{0,1\}^*,\ n \in \mathbb{N}}.$$

2.3 The Hybrid Model

The hybrid model combines both the real and ideal models. Specifically, an execution of a protocol π in the $\mathcal{G}$-hybrid model, for some functionality $\mathcal{G}$, involves the parties sending normal messages to each other (as in the real model) and, in addition, having access to a trusted party computing $\mathcal{G}$. The parties communicate with this trusted party in exactly the same way as in the ideal models described above; the question of which ideal model is taken (that with or without abort) must be specified. In this paper, we always consider a hybrid model where the functionality $\mathcal{G}$ is computed according to the ideal model with abort. In all our protocols in the $\mathcal{G}$-hybrid model there will only be sequential calls to $\mathcal{G}$; i.e., there is at most a single call to $\mathcal{G}$ per round, and no other messages are sent during any round in which $\mathcal{G}$ is called.
Let $\mathcal{G}$ be a functionality and let π be a two-party protocol for computing some functionality $\mathcal{F}$, where π includes real messages between the parties as well as calls to $\mathcal{G}$. Let A be a non-uniform probabilistic polynomial-time machine with auxiliary input z. We let $\mathrm{hybrid}^{\mathcal{G}}_{\pi, A(z)}(x, y, n)$ be the random variable consisting of the view of the adversary and the output of the honest party, following an execution of π (with ideal calls to $\mathcal{G}$) where $P_1$ begins by holding $1^n$ and input x and $P_2$ begins by holding $1^n$ and input y. Both security with complete fairness and security with abort can be defined via the natural modifications of Definitions 2.1 and 2.2.

The hybrid model gives a powerful tool for proving the security of protocols. Specifically, we may design a real-world protocol for securely computing some functionality $\mathcal{F}$ by first constructing a protocol for computing $\mathcal{F}$ in the $\mathcal{G}$-hybrid model. Letting π denote the protocol thus constructed (in the $\mathcal{G}$-hybrid model), we denote by $\pi^\rho$ the real-world protocol in which calls to $\mathcal{G}$ are replaced by sequential execution of a real-world protocol ρ that computes $\mathcal{G}$. ("Sequential" here implies that only one execution of ρ is carried out at any time, and no other π-protocol messages are sent during execution of ρ.) The results of [8] then imply that if π securely computes $\mathcal{F}$ in the $\mathcal{G}$-hybrid model, and ρ securely computes $\mathcal{G}$, then the composed protocol $\pi^\rho$ securely computes $\mathcal{F}$ (in the real world). For completeness, we state this result formally as we will use it in this work:

Proposition 1 Let ρ be a protocol that securely computes $\mathcal{G}$ with abort, and let π be a protocol that securely computes $\mathcal{F}$ with complete fairness in the $\mathcal{G}$-hybrid model (where $\mathcal{G}$ is computed according to the ideal world with abort). Then protocol $\pi^\rho$ securely computes $\mathcal{F}$ with complete fairness.

2.4 Information-Theoretic MACs

We briefly review the standard definition for information-theoretically secure message authentication codes (MACs). (We use such MACs for simplicity, though computationally secure MACs would also suffice.)
A message authentication code consists of three polynomial-time algorithms (Gen, Mac, Vrfy). The key-generation algorithm Gen takes as input the security parameter $1^n$ in unary and outputs a key k. The message authentication algorithm Mac takes as input a key k and a message $M \in \{0,1\}^n$, and outputs a tag t; we write this as $t = \mathrm{Mac}_k(M)$. The verification algorithm Vrfy takes as input a key k, a message $M \in \{0,1\}^n$, and a tag t, and outputs a bit b; we write this as $b = \mathrm{Vrfy}_k(M, t)$. We regard b = 1 as acceptance and b = 0 as rejection, and require that for all n, all k output by $\mathrm{Gen}(1^n)$, and all $M \in \{0,1\}^n$, it holds that $\mathrm{Vrfy}_k(M, \mathrm{Mac}_k(M)) = 1$. We say (Gen, Mac, Vrfy) is a secure m-time MAC, where m may be a function of n, if no computationally unbounded adversary can output a valid tag on a new message after seeing valid tags on m other messages. For our purposes, we do not require security against an adversary who adaptively chooses its m messages for which to obtain a valid tag; it suffices to consider a non-adaptive definition where the m messages are fixed in advance. (Nevertheless, known constructions satisfy the stronger requirement.) Formally:

Definition 2.3 Message authentication code (Gen, Mac, Vrfy) is an information-theoretically secure m-time MAC if for any sequence of messages $M_1, \ldots, M_m$ and any adversary A, the following is negligible in the security parameter n:

$$\Pr\Bigl[\,k \leftarrow \mathrm{Gen}(1^n);\ \forall i: t_i = \mathrm{Mac}_k(M_i);\ (M', t') \leftarrow A(M_1, t_1, \ldots, M_m, t_m)\ :\ \mathrm{Vrfy}_k(M', t') = 1 \ \wedge\ M' \notin \{M_1, \ldots, M_m\}\,\Bigr].$$
3 Fair Computation of the Millionaires' Problem (and More)

In this section, we describe a protocol for securely computing the millionaires' problem (and related functionalities) with complete fairness. (We discuss in Section 3.2 how this generalizes, rather easily, to any function over polynomial-size domains that does not contain an embedded XOR.) Specifically, we look at functions defined by a lower-triangular matrix, as in the following table, whose entry in row $x_i$ and column $y_j$ is $f(x_i, y_j)$ as given by Eq. (1) below:

          y_1  y_2  y_3  y_4  y_5  y_6
    x_1    0    0    0    0    0    0
    x_2    1    0    0    0    0    0
    x_3    1    1    0    0    0    0
    x_4    1    1    1    0    0    0
    x_5    1    1    1    1    0    0
    x_6    1    1    1    1    1    0

Let $\mathcal{F} = \{f_{m(n)}\}_{n \in \mathbb{N}}$ denote a function of the above form, where m = m(n) denotes the size of the domains of each input which we assume, for now, have the same size. (In the next section we will consider the case when they are unequal.) Let $X_m = \{x_1, \ldots, x_m\}$ denote the valid inputs for the first party and let $Y_m = \{y_1, \ldots, y_m\}$ denote the valid inputs for the second party. By suitably ordering these elements, we may write $f_m$ as follows:

$$f_m(x_i, y_j) = \begin{cases} 1 & \text{if } i > j \\ 0 & \text{if } i \le j. \end{cases} \qquad (1)$$

Viewed in this way, $f_m$ is exactly the millionaires' problem or, equivalently, the greater-than function. The remainder of this section is devoted to a proof of the following theorem:

Theorem. Let m = poly(n). Assuming the existence of constant-round general secure two-party computation with abort, there exists a Θ(m)-round protocol that securely computes $\mathcal{F} = \{f_m\}$ with complete fairness.

Constant-round protocols for general secure two-party computation with abort can be constructed based on enhanced trapdoor permutations or any constant-round protocol for oblivious transfer [25]. (The assumption of a constant-round protocol is needed only for the claim regarding round complexity.) The fact that our protocol requires (at least) Θ(m) rounds explains why we require m = poly(n). When m = 2, we obtain a constant-round protocol for computing boolean AND with complete fairness and, by symmetry, we also obtain a protocol for boolean OR.
We remark further that our results extend to variants of $f_m$ such as the greater-than-or-equal-to function, or the greater-than function where the sizes of the domains X and Y are unequal; see Section 3.2 for a full discussion.

3.1 The Protocol

In this section, we write f in place of $f_m$, and X and Y in place of $X_m$ and $Y_m$.

Intuition. At a high level, our protocol works as follows. Say the input of $P_1$ is $x_i$, and the input of $P_2$ is $y_j$. Following a constant-round preprocessing phase, the protocol proceeds in a series of m iterations, where $P_1$ learns the output, namely, the value $f(x_i, y_j)$, in iteration i, and $P_2$ learns the output in iteration j. (That is, in contrast to standard protocols, the iteration in which a party learns the output depends on the value of its own input.) If one party (say, $P_1$) aborts after receiving its iteration-k message, and the second party (say, $P_2$) has not yet received its output, then $P_2$ assumes that $P_1$ learned its output in iteration k, and so computes f on its own using input $x_k$ for $P_1$. (In this case, that means that $P_2$ would output $f(x_k, y_j)$.) We stress that a malicious $P_1$ may, of course, abort in any iteration it likes (and not necessarily in the iteration in which it learns its output); the foregoing is only an intuitive explanation.

The fact that this approach gives complete fairness can be intuitively understood as follows. Say $P_1$ is malicious and uses $x_i$ as its effective input, and let $y_j$ denote the (unknown) input of $P_2$. There are two possibilities: $P_1$ either aborts in iteration k < i, or in iteration k ≥ i. (If $P_1$ never aborts then fairness is trivially achieved.) In the first case, $P_1$ never learns the correct output and so fairness is achieved. In the second case, $P_1$ does obtain the output $f(x_i, y_j)$ (in iteration i) and then aborts in some iteration k ≥ i. Here we consider two subcases depending on the value of $P_2$'s input $y = y_j$:

If j < k then $P_2$ has already received its output in a previous iteration and fairness is achieved.

If j ≥ k then $P_2$ has not yet received its output. Since $P_1$ aborts in iteration k, the protocol directs $P_2$ to output $f(x_k, y) = f(x_k, y_j)$. Since k ≤ j, we have $f(x_k, y_j) = 0 = f(x_i, y_j)$ (relying on the specifics of f), and so the output of $P_2$ is equal to the output obtained by $P_1$ (and thus fairness is achieved).

This is the key observation that enables us to obtain fairness for this function. We formalize the above intuition in our proof, where we demonstrate an ideal-world simulator corresponding to the actions of any malicious $P_1$. Of course, we also consider the case of a malicious $P_2$.

Formal description of the protocol. We use a message authentication code (Gen, Mac, Vrfy); see Definition 2.3. For convenience, we use an m-time message authentication code (MAC) with information-theoretic security, though a computationally secure MAC would also suffice.
We also rely on a subprotocol for securely computng a randomzed functonalty ShareGen defned n Fgure 1. In our protocol, the partes wll compute ShareGen as a result of whch P 1 wll obtan shares a (1) 1, b(1) 1, a(1) 2, b(1) 2,... and P 2 wll obtan shares a (2) 1, b(2) 1, a(2) 2, b(2) 2,.... (The functonalty ShareGen also provdes the partes wth MAC keys and tags so that f a malcous party modfes the share t sends to the other party, then the other party wll almost certanly detect ths. In case such manpulaton s detected, t wll be treated as an abort.) The partes then exchange ther shares onebyone n a sequence of m teratons. Specfcally, n teraton party P 2 wll send a (2) def to P 1, thus allowng P 1 to reconstruct the value a = a (1) a (2), and then P 1 wll send b (1) def to P 2, thus allowng P 2 to learn the value b = b (2) b (1). Let π be a protocol that securely computes ShareGen wth abort. Our protocol for computng f wth complete farness uses π and s gven n Fgure 2. Theorem 3.1 If (Gen, Mac, Vrfy) s an nformatontheoretcally secure mtme MAC, and π securely computes ShareGen wth abort, then the protocol n Fgure 2 securely computes {f m } wth complete farness. Proof: Let Π denote the protocol n Fgure 2. We analyze Π n a hybrd model where there s a trusted party computng ShareGen. (Snce π s only guaranteed to securely compute ShareGen wth abort, the adversary n the hybrd model s allowed to abort the trusted party computng ShareGen 8
10 before output s sent to the honest party.) We prove that an executon of Π n ths hybrd model s statstcally close to an evaluaton of f n the deal model (wth complete farness), where the only dfference occurs due to MAC forgeres. Applyng Proposton 1 then mples the theorem. We separately analyze corrupton of P 1 and P 2, begnnng wth P 1 : Clam 2 For every nonunform, polynomaltme adversary A corruptng P 1 and runnng Π n a hybrd model wth access to an deal functonalty computng ShareGen (wth abort), there exsts a nonunform, probablstc polynomaltme adversary S corruptng P 1 and runnng n the deal world wth access to an deal functonalty computng f (wth complete farness), such that { dealf,s(z) (x, y, n) } (x,y) X m Y m,z {0,1},n N s { hybrd ShareGen Π,A(z) (x, y, n) } (x,y) X m Y m,z {0,1},n N. Proof: Let P 1 be corrupted by A. We construct a smulator S gven blackbox access to A: 1. S nvokes A on the nput x, the auxlary nput z, and the securty parameter n. 2. S receves the nput x of A to the computaton of the functonalty ShareGen. (a) If x / X (ths ncludes the case when x = snce A aborts), then S hands to A as ts output from the computaton of ShareGen, sends x 1 to the trusted party computng f, outputs whatever A outputs, and halts. (b) Otherwse, f the nput s some x X, then S chooses unformly dstrbuted shares a (1) 1,..., a(1) m and b (1) 1,..., b(1) m. In addton, t generates keys k a, k b Gen(1 n ) and computes t b = Mac k b ( b (1) ) for every. Fnally, t hands A the strngs a (1) 1,..., a(1) m, (b (1) 1, tb 1 ),..., (b(1) m, t b m), and k a as ts output from the computaton of ShareGen. ShareGen Inputs: Let the nputs to ShareGen be x and y wth 1, m. (If one of the receved nputs s not n the correct doman, then both partes are gven output.) The securty parameter s n. Computaton: 1. Defne values a 1,..., a m and b 1,..., b m n the followng way: Set a = b = f(x, y ). For l {1,..., m}, l, set a l = null. For l {1,..., m}, l, set b l = null. 
(Techncally, a, b are represented as 2bt values wth, say, 00 nterpreted as 0, 11 nterpreted as 1, and 01 nterpreted as null.) 2. For 1 m, choose (a (1), a (2) ) and (b (1), b (2) ) as random secret sharngs of a and b, respectvely. (I.e., a (1) s random and a (1) a (2) = a.) 3. Compute k a, k b Gen(1 n ). For 1 m, let t a = Mac k a ( a (2) ) and t b = Mac k b ( b (1) ). Output: 1. P 1 receves the values a (1) 1,..., a(1) m and (b (1) 1, tb 1),..., (b (1) m, t b m), and the MACkey k a. 2. P 2 receves the values (a (2) 1, ta 1),..., (a (2) m, t a m) and b (2) 1,..., b(2) m, and the MACkey k b. Fgure 1: Functonalty ShareGen. 9
Protocol 1

Inputs: Party $P_1$ has input $x$ and party $P_2$ has input $y$. The security parameter is $n$.

The protocol:

1. Preliminary phase:
(a) Parties $P_1$ and $P_2$ run protocol $\pi$ for computing ShareGen, using their respective inputs $x, y$, and security parameter $n$.
(b) If $P_1$ receives $\perp$ from the above computation (because $P_2$ aborts the computation or uses an invalid input in $\pi$), it outputs $f(x, y_1)$ and halts. Likewise, if $P_2$ receives $\perp$, it outputs $f(x_1, y)$ and halts. Otherwise, the parties proceed.
(c) Denote the output of $P_1$ from $\pi$ by $a_1^{(1)}, \ldots, a_m^{(1)}$, $(b_1^{(1)}, t_1^b), \ldots, (b_m^{(1)}, t_m^b)$, and $k_a$.
(d) Denote the output of $P_2$ from $\pi$ by $(a_1^{(2)}, t_1^a), \ldots, (a_m^{(2)}, t_m^a)$, $b_1^{(2)}, \ldots, b_m^{(2)}$, and $k_b$.

2. For $i = 1, \ldots, m$ do:

$P_2$ sends the next share to $P_1$:
(a) $P_2$ sends $(a_i^{(2)}, t_i^a)$ to $P_1$.
(b) $P_1$ receives $(a_i^{(2)}, t_i^a)$ from $P_2$. If $\mathrm{Vrfy}_{k_a}(i \| a_i^{(2)}, t_i^a) = 0$ (or if $P_1$ received an invalid message, or no message), then $P_1$ halts. If $P_1$ has already determined its output in some earlier iteration, then it outputs that value. Otherwise, it outputs $f(x, y_{i-1})$ (if $i = 1$, then $P_1$ outputs $f(x, y_1)$).
(c) If $\mathrm{Vrfy}_{k_a}(i \| a_i^{(2)}, t_i^a) = 1$ and $a_i^{(1)} \oplus a_i^{(2)} \neq \mathrm{null}$ (i.e., $x = x_i$), then $P_1$ sets its output to be $a_i^{(1)} \oplus a_i^{(2)}$ (and continues running the protocol).

$P_1$ sends the next share to $P_2$:
(a) $P_1$ sends $(b_i^{(1)}, t_i^b)$ to $P_2$.
(b) $P_2$ receives $(b_i^{(1)}, t_i^b)$ from $P_1$. If $\mathrm{Vrfy}_{k_b}(i \| b_i^{(1)}, t_i^b) = 0$ (or if $P_2$ received an invalid message, or no message), then $P_2$ halts. If $P_2$ has already determined its output in some earlier iteration, then it outputs that value. Otherwise, it outputs $f(x_i, y)$.
(c) If $\mathrm{Vrfy}_{k_b}(i \| b_i^{(1)}, t_i^b) = 1$ and $b_i^{(1)} \oplus b_i^{(2)} \neq \mathrm{null}$ (i.e., $y = y_i$), then $P_2$ sets its output to be $b_i^{(1)} \oplus b_i^{(2)}$ (and continues running the protocol).

Figure 2: Protocol for computing $f$.

3. If $A$ sends abort to the trusted party computing ShareGen (signalling that $P_2$ should receive $\perp$ as output from ShareGen), then $S$ sends $x_1$ to the trusted party computing $f$, outputs whatever $A$ outputs, and halts. Otherwise (i.e., if $A$ sends continue), $S$ proceeds as below.

4. Let $i$ (with $1 \le i \le m$) be the index such that $x = x_i$ (such an $i$ exists since $x \in X$).

5. To simulate iteration $j$, for $j < i$, simulator $S$ works as follows:
(a) $S$ chooses $a_j^{(2)}$ such that $a_j^{(1)} \oplus a_j^{(2)} = \mathrm{null}$, and computes the tag $t_j^a = \mathrm{Mac}_{k_a}(j \| a_j^{(2)})$. Then $S$ gives $A$ the message $(a_j^{(2)}, t_j^a)$.
(b) $S$ receives $A$'s message $(\hat b_j^{(1)}, \hat t_j^b)$ in the $j$th iteration:
i. If $\mathrm{Vrfy}_{k_b}(j \| \hat b_j^{(1)}, \hat t_j^b) = 0$ (or the message is invalid, or $A$ aborts), then $S$ sends $x_j$ to the trusted party computing $f$, outputs whatever $A$ outputs, and halts.
ii. If $\mathrm{Vrfy}_{k_b}(j \| \hat b_j^{(1)}, \hat t_j^b) = 1$, then $S$ proceeds to the next iteration.

6. To simulate iteration $i$, simulator $S$ works as follows:
(a) $S$ sends $x_i$ to the trusted party computing $f$, and receives back the output $z = f(x_i, y)$.
(b) $S$ chooses $a_i^{(2)}$ such that $a_i^{(1)} \oplus a_i^{(2)} = z$, and computes the tag $t_i^a = \mathrm{Mac}_{k_a}(i \| a_i^{(2)})$. Then $S$ gives $A$ the message $(a_i^{(2)}, t_i^a)$.
(c) $S$ receives $A$'s message $(\hat b_i^{(1)}, \hat t_i^b)$. If $\mathrm{Vrfy}_{k_b}(i \| \hat b_i^{(1)}, \hat t_i^b) = 0$ (or the message is invalid, or $A$ aborts), then $S$ outputs whatever $A$ outputs, and halts. If $\mathrm{Vrfy}_{k_b}(i \| \hat b_i^{(1)}, \hat t_i^b) = 1$, then $S$ proceeds to the next iteration.

7. To simulate iteration $j$, for $i < j \le m$, simulator $S$ works as follows:
(a) $S$ chooses $a_j^{(2)}$ such that $a_j^{(1)} \oplus a_j^{(2)} = \mathrm{null}$, and computes the tag $t_j^a = \mathrm{Mac}_{k_a}(j \| a_j^{(2)})$. Then $S$ gives $A$ the message $(a_j^{(2)}, t_j^a)$.
(b) $S$ receives $A$'s message $(\hat b_j^{(1)}, \hat t_j^b)$. If $\mathrm{Vrfy}_{k_b}(j \| \hat b_j^{(1)}, \hat t_j^b) = 0$ (or the message is invalid, or $A$ aborts), then $S$ outputs whatever $A$ outputs, and halts. If $\mathrm{Vrfy}_{k_b}(j \| \hat b_j^{(1)}, \hat t_j^b) = 1$, then $S$ proceeds to the next iteration.

8. If $S$ has not halted yet, at this point it halts and outputs whatever $A$ outputs.

We analyze the simulator $S$ described above. In what follows we assume that if $\mathrm{Vrfy}_{k_b}(j \| \hat b_j^{(1)}, \hat t_j^b) = 1$ then $\hat b_j^{(1)} = b_j^{(1)}$ (meaning that $A$ sent the same share that it received). Under this assumption, we show that the distribution generated by $S$ is identical to the distribution in a hybrid execution between $A$ and an honest $P_2$. Since this assumption holds with all but negligible probability (by security of the information-theoretic MAC), this proves statistical closeness as stated in the claim.

Let $y$ denote the input of $P_2$. It is clear that the view of $A$ in an execution with $S$ is identical to the view of $A$ in a hybrid execution with $P_2$; the only difference is that the initial shares given to $A$ are generated by $S$ without knowledge of $z = f(x, y)$, but since these shares are uniformly distributed the view of $A$ is unaffected.
Therefore, what is left to demonstrate is that the joint distribution of $A$'s view and $P_2$'s output is identical in the hybrid world and the ideal world. We show this now by separately considering three different cases:

1. Case 1: $S$ sends $x_1$ to the trusted party because $x \notin X$, or because $A$ aborted the computation of ShareGen: In the hybrid world, $P_2$ would have received $\perp$ from ShareGen, and would have then output $f(x_1, y)$ as instructed by protocol $\Pi$. This is exactly what $P_2$ outputs in the ideal execution with $S$ because, in this case, $S$ sends $x_1$ to the trusted party computing $f$.

If Case 1 does not occur, let $i$ (with $x = x_i$) be defined as in the description of the simulator.

2. Case 2: $S$ sends $x_j$ to the trusted party, for some $j < i$: This case occurs when $A$ aborts the protocol in some iteration $j < i$ (either by refusing to send a message, sending an invalid message, or sending an incorrect share). There are two subcases depending on the value of $P_2$'s input $y$. Let $l$ be the index such that $y = y_l$. Then:
(a) If $l \ge j$ then, in the hybrid world, $P_2$ would not yet have determined its output (since it only determines its output once it receives a valid message from $P_1$ in iteration $l$). Thus, as instructed by the protocol, $P_2$ would output $f(x_j, y)$. This is exactly what $P_2$ outputs in the ideal world, because $S$ sends $x_j$ to the trusted party in this case.
(b) If $l < j$ then, in the hybrid world, $P_2$ would have already determined its output $f(x, y) = f(x_i, y_l)$ in the $l$th iteration. In the ideal world, $P_2$ will output $f(x_j, y_l)$ since $S$ sends $x_j$ to the trusted party. Since $j < i$ we have $l < j < i$ and so $f(x_j, y_l) = f(x_i, y_l) = 1$. Thus, $P_2$'s output $f(x_i, y)$ in the hybrid world is equal to its output $f(x_j, y)$ in the ideal execution with $S$.

3. Case 3: $S$ sends $x_i$ to the trusted party: Here, $P_2$ outputs $f(x, y)$ in the ideal execution. We show that this is identical to what $P_2$ would have output in the hybrid world. There are two subcases depending on $P_2$'s input $y$. Let $l$ be the index such that $y = y_l$. Then:
(a) If $l < i$, then $P_2$ would have already determined its output $f(x, y_l) = f(x, y)$ in the $l$th iteration. (The fact that we are in Case 3 means that $A$ could not have sent an incorrect share prior to iteration $i$.)
(b) If $l \ge i$, then $P_2$ would not yet have determined its output. There are two subcases:
i. $A$ sends correct shares in iterations $j = i, \ldots, l$ (inclusive). Then $P_2$ would determine its output as $b_l^{(1)} \oplus b_l^{(2)} = f(x, y_l) = f(x, y)$, exactly as in the ideal world.
ii. $A$ sends an incorrect share in iteration $\zeta$, where $i \le \zeta \le l$. In this case, by the specification of the protocol, party $P_2$ would output $f(x_\zeta, y) = f(x_\zeta, y_l)$. However, since $\zeta \le l$ we have $f(x_\zeta, y_l) = 0 = f(x_i, y_l)$. Thus, $P_2$ outputs the same value in the hybrid and ideal executions.

This concludes the proof of the claim.

The following claim, dealing with a corrupted $P_2$, completes the proof of the theorem:

Claim 3 For every non-uniform, polynomial-time adversary $A$ corrupting $P_2$ and running $\Pi$ in a hybrid model with access to an ideal functionality computing ShareGen (with abort), there exists a non-uniform, probabilistic polynomial-time adversary $S$ corrupting $P_2$ and running in the ideal world with access to an ideal functionality computing $f$ (with complete fairness), such that
$$\{\mathrm{IDEAL}_{f, S(z)}(x, y, n)\}_{(x,y) \in X_m \times Y_m,\, z \in \{0,1\}^*,\, n \in \mathbb{N}} \stackrel{s}{\equiv} \{\mathrm{HYBRID}^{\mathrm{ShareGen}}_{\Pi, A(z)}(x, y, n)\}_{(x,y) \in X_m \times Y_m,\, z \in \{0,1\}^*,\, n \in \mathbb{N}}.$$

Proof: Say $P_2$ is corrupted by $A$. We construct a simulator $S$ given black-box access to $A$:

1. $S$ invokes $A$ on the input $y$, the auxiliary input $z$, and the security parameter $n$.

2. $S$ receives the input $y$ of $A$ to the computation of the functionality ShareGen.
(a) If $y \notin Y$ (this includes the case when $y = \perp$ since $A$ aborts), then $S$ hands $\perp$ to $A$ as its output from the computation of ShareGen, sends $y_1$ to the trusted party computing $f$, outputs whatever $A$ outputs, and halts.
(b) Otherwise, if the input is some $y \in Y$, then $S$ chooses uniformly distributed shares $a_1^{(2)}, \ldots, a_m^{(2)}$ and $b_1^{(2)}, \ldots, b_m^{(2)}$. In addition, it generates keys $k_a, k_b \leftarrow \mathrm{Gen}(1^n)$ and computes $t_i^a = \mathrm{Mac}_{k_a}(i \| a_i^{(2)})$ for every $i$. Finally, it hands $A$ the strings $b_1^{(2)}, \ldots, b_m^{(2)}$, $(a_1^{(2)}, t_1^a), \ldots, (a_m^{(2)}, t_m^a)$, and $k_b$ as its output from the computation of ShareGen.

3. If $A$ sends abort to the trusted party computing ShareGen, then $S$ sends $y_1$ to the trusted party computing $f$, outputs whatever $A$ outputs, and halts. Otherwise (i.e., if $A$ sends continue), $S$ proceeds as below.
4. Let $i$ (with $1 \le i \le m$) be the index such that $y = y_i$ (such an $i$ exists since $y \in Y$).

5. To simulate iteration $j$, for $j < i$, simulator $S$ works as follows:
(a) $S$ receives $A$'s message $(\hat a_j^{(2)}, \hat t_j^a)$ in the $j$th iteration:
i. If $\mathrm{Vrfy}_{k_a}(j \| \hat a_j^{(2)}, \hat t_j^a) = 0$ (or the message is invalid, or $A$ aborts), then $S$ sends $y_{j-1}$ to the trusted party computing $f$ (if $j = 1$, then $S$ sends $y_1$), outputs whatever $A$ outputs, and halts.
ii. If $\mathrm{Vrfy}_{k_a}(j \| \hat a_j^{(2)}, \hat t_j^a) = 1$, then $S$ proceeds.
(b) Choose $b_j^{(1)}$ such that $b_j^{(1)} \oplus b_j^{(2)} = \mathrm{null}$, and compute the tag $t_j^b = \mathrm{Mac}_{k_b}(j \| b_j^{(1)})$. Then give to $A$ the message $(b_j^{(1)}, t_j^b)$.

6. To simulate iteration $i$, simulator $S$ works as follows:
(a) $S$ receives $A$'s message $(\hat a_i^{(2)}, \hat t_i^a)$.
i. If $\mathrm{Vrfy}_{k_a}(i \| \hat a_i^{(2)}, \hat t_i^a) = 0$ (or the message is invalid, or $A$ aborts), then $S$ sends $y_{i-1}$ to the trusted party computing $f$ (if $i = 1$ then $S$ sends $y_1$), outputs whatever $A$ outputs, and halts.
ii. If $\mathrm{Vrfy}_{k_a}(i \| \hat a_i^{(2)}, \hat t_i^a) = 1$, then $S$ sends $y_i$ to the trusted party computing $f$, receives the output $z = f(x, y_i)$, and proceeds.
(b) Choose $b_i^{(1)}$ such that $b_i^{(1)} \oplus b_i^{(2)} = z$, and compute the tag $t_i^b = \mathrm{Mac}_{k_b}(i \| b_i^{(1)})$. Then give to $A$ the message $(b_i^{(1)}, t_i^b)$.

7. To simulate iteration $j$, for $i < j \le m$, simulator $S$ works as follows:
(a) $S$ receives $A$'s message $(\hat a_j^{(2)}, \hat t_j^a)$. If $\mathrm{Vrfy}_{k_a}(j \| \hat a_j^{(2)}, \hat t_j^a) = 0$ (or the message is invalid, or $A$ aborts), then $S$ outputs whatever $A$ outputs, and halts. If $\mathrm{Vrfy}_{k_a}(j \| \hat a_j^{(2)}, \hat t_j^a) = 1$, then $S$ proceeds.
(b) Choose $b_j^{(1)}$ such that $b_j^{(1)} \oplus b_j^{(2)} = \mathrm{null}$, and compute the tag $t_j^b = \mathrm{Mac}_{k_b}(j \| b_j^{(1)})$. Then give to $A$ the message $(b_j^{(1)}, t_j^b)$.

8. If $S$ has not halted yet, at this point it halts and outputs whatever $A$ outputs.

As in the proof of the previous claim, we assume in what follows that if $\mathrm{Vrfy}_{k_a}(j \| \hat a_j^{(2)}, \hat t_j^a) = 1$ then $\hat a_j^{(2)} = a_j^{(2)}$ (meaning that $A$ sent $P_1$ the same share that it received). Under this assumption, we show that the distribution generated by $S$ is identical to the distribution in a hybrid execution between $A$ and an honest $P_1$.
Since this assumption holds with all but negligible probability (by security of the MAC), this proves statistical closeness as stated in the claim.

Let $x$ denote the input of $P_1$. Again, it is clear that the view of $A$ in an execution with $S$ is identical to the view of $A$ in a hybrid execution with $P_1$. What is left to demonstrate is that the joint distribution of $A$'s view and $P_1$'s output is identical. We show this by considering four different cases:
1. Case 1: $S$ sends $y_1$ to the trusted party because $y \notin Y$, or because $A$ aborted the computation of ShareGen: In such a case, the protocol instructs $P_1$ to output $f(x, y_1)$, exactly what $P_1$ outputs in the ideal world.

2. Case 2: $S$ sends $y_1$ to the trusted party because $A$ sends an incorrect share in the first iteration: In this case, the simulator sends $y_1$ to the trusted party computing $f$, and so the output of $P_1$ in the ideal world is $f(x, y_1)$. In the hybrid world, $P_1$ will also output $f(x, y_1)$ as instructed by the protocol.

If Cases 1 and 2 do not occur, let $i$ (with $y = y_i$) be defined as in the description of the simulator.

3. Case 3: $S$ sends $y_{j-1}$ to the trusted party, for some $j$ with $1 \le j-1 < i$, because $A$ sends an incorrect share in the $j$th iteration: The output of $P_1$ in the ideal world is $f(x, y_{j-1})$. There are two subcases here, depending on the value of $P_1$'s input $x$. Let $l$ be the index such that $x = x_l$. Then:
(a) If $l < j$ then, in the hybrid world, $P_1$ would have already determined its output $f(x, y_i) = f(x_l, y_i)$. But since $l \le j-1 < i$ we have $f(x_l, y_i) = 0 = f(x_l, y_{j-1})$, and so $P_1$'s output is identical in both the hybrid and ideal worlds.
(b) If $l \ge j$ then, in the hybrid world, $P_1$ would not yet have determined its output. Therefore, as instructed by the protocol, $P_1$ will output $f(x, y_{j-1})$ in the hybrid world, which is exactly what it outputs in the ideal execution with $S$.

4. Case 4: $S$ sends $y_i$ to the trusted party: This case occurs when $A$ sends correct shares up through and including iteration $i$. The output of $P_1$ in the ideal world is $f(x, y_i)$. There are again two subcases here, depending on the value of $P_1$'s input $x$. Let $l$ be the index such that $x = x_l$. Then:
(a) If $l \le i$, then $P_1$ would have already determined its output $f(x, y_i) = f(x_l, y_i)$ in the $l$th iteration. This matches what $P_1$ outputs in the ideal execution with $S$.
(b) If $l > i$, then $P_1$ would not yet have determined its output. There are two subcases:
i. $A$ sends correct shares in iterations $j = i+1, \ldots, l$ (inclusive).
This implies that, in the hybrid world, $P_1$ would determine its output to be $a_l^{(1)} \oplus a_l^{(2)} = f(x_l, y) = f(x, y_i)$, exactly as in the ideal execution.
ii. $A$ sends an incorrect share in iteration $\zeta$, where $i < \zeta \le l$. In this case, by the specification of the protocol, party $P_1$ would output $f(x, y_{\zeta-1}) = f(x_l, y_{\zeta-1})$ in the hybrid world. But since $i \le \zeta-1 < l$ we have $f(x_l, y_{\zeta-1}) = 1 = f(x_l, y_i)$, and so $P_1$'s output is identical in both the hybrid and ideal worlds.

This completes the proof of the claim.

The preceding claims along with Proposition 1 imply the theorem.

3.2 Handling any Function without an Embedded XOR

The protocol in the previous section, as described, applies only to the greater-than function on two equal-size domains $X$ and $Y$. For the case of the greater-than function with $|X| = |Y| + 1$, the same protocol (with one small change) still works. Specifically, let $X = \{x_1, \ldots, x_{m+1}\}$ and
$Y = \{y_1, \ldots, y_m\}$ with $f$ still defined as in Equation (1). Modify the protocol of Figure 2 so that if the end of the protocol is reached and $P_1$ holds input $x_{m+1}$, then $P_1$ outputs 1. Then the same proof as in the previous section shows that this protocol is also completely fair. (Adapting Claim 3 is immediate: the view of a malicious $P_2$ is simulated in the same way; as for the output of the honest $P_1$, the case when $P_1$ holds input $x = x_i$ with $i < m+1$ is analyzed identically, and when $x = x_{m+1}$ then $P_1$ outputs 1 no matter what in both the hybrid and ideal worlds. Adapting Claim 2 requires only a little thought to verify that the analysis in Case 2(b) still holds when $i = m+1$.)

We now show that the protocol can be applied to any function defined over polynomial-size domains that does not contain an embedded XOR. This is because any such function can be converted to the greater-than function as we now describe. Let $g : X \times Y \to \{0, 1\}$ be a function that does not contain an embedded XOR, and let $X = \{x_1, \ldots, x_{m_1}\}$ and $Y = \{y_1, \ldots, y_{m_2}\}$. It will be convenient to picture $g$ as an $m_1 \times m_2$ matrix, where entry $(i, j)$ contains the value $g(x_i, y_j)$. Similarly, we can view any matrix as a function. We will apply a sequence of transformations to $g$ that will result in a functionally equivalent function $g'$, where by functionally equivalent we mean that $g$ can be computed with perfect security (and complete fairness) in the $g'$-hybrid model (where $g'$ is computed by a trusted party with complete fairness). It follows that a secure and completely fair protocol for computing $g'$ yields a secure and completely fair protocol for computing $g$. The transformations are as follows:

1. First, remove any duplicate rows or columns in $g$. (E.g., if there exist $i$ and $j$ such that $g(x_i, y) = g(x_j, y)$ for all $y \in Y$, then remove either row $i$ or row $j$.) Denote the resulting function by $g'$, and say that $g'$ (viewed as a matrix) has dimension $m'_1 \times m'_2$. It is clear that $g'$ is functionally equivalent to $g$.

2. We observe that no two rows (resp., columns) of $g'$ have the same Hamming weight.
To see this, notice that two non-identical rows (resp., columns) with the same Hamming weight would imply the existence of an embedded XOR in $g'$, and hence an embedded XOR in $g$. Since the maximum Hamming weight of any row is $m'_2$, this implies that $m'_1 \le m'_2 + 1$. Applying the same argument to the columns shows that $m'_2 \le m'_1 + 1$, and so the number of rows is within 1 of the number of columns. Assume $m'_1 \ge m'_2$; if not, we may simply take the transpose of $g'$ (which just has the effect of swapping the roles of the parties).

3. Order the rows of $g'$ in increasing order according to their Hamming weight. Order the columns in the same way. Once again this results in a function $g''$ that is functionally equivalent to $g'$ (and hence to $g$).

All the above transformations are efficiently computable since we are assuming that the initial domains $X$ and $Y$ are of polynomial size. Given $g''$ resulting from the above transformations, there are now three possibilities (recall we assume that the number of rows is at least the number of columns):

1. Case 1: $m'_1 = m'_2 + 1$. In this case the first row of $g''$ is an all-0 row and the last row is an all-1 row, and we exactly have an instance of the greater-than function with $m'_1 = m'_2 + 1$ (i.e., $|X| = |Y| + 1$).

2. Case 2: $m'_1 = m'_2$ and the first row of $g''$ is an all-0 row. Then we again have an instance of the greater-than function, except now with equal-size domains.
3. Case 3: $m'_1 = m'_2$ and the first row of $g''$ is not an all-0 row. In this case, the last row of $g''$ must be an all-1 row. Taking the complement of every bit in the matrix (and then reordering the rows and columns accordingly) gives a function that is still functionally equivalent to $g$ and is exactly an instance of the greater-than function on equal-size domains.

We have thus proved:

Theorem 3.2 Let $f$ be a two-input function defined over polynomial-size domains that does not contain an embedded XOR. Then, assuming the existence of general secure two-party computation with abort, there exists a protocol for securely computing $f$ with complete fairness.

The assumption in the theorem is minimal, since the existence of even a secure-with-abort protocol for computing boolean OR implies the existence of oblivious transfer [24], which in turn suffices for constructing a secure-with-abort protocol for any polynomial-time functionality [23].

4 Fair Computation of Functions with an Embedded XOR

Recall that Cleve's result showing impossibility of completely fair coin tossing implies the impossibility of completely fair computation of boolean XOR. (More generally, it implies the impossibility of completely fair computation of any function $f$ that enables coin tossing: i.e., any $f$ such that a completely fair implementation of $f$ suffices for coin tossing.) Given this, along with the fact that our result in the previous section applies only to functions that do not contain an embedded XOR, it is tempting to conjecture that no function containing an embedded XOR can be computed with complete fairness. In this section, we show that this is not the case and that there exist functions with an embedded XOR that can be computed with complete fairness. Interestingly, however, such functions appear to be more difficult to compute with complete fairness; specifically, we refer the reader to Section 5 where we prove a lower bound of $\omega(\log n)$ on the round complexity of any protocol for completely fair computation of any function having an embedded XOR.
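Returning briefly to the reduction of Section 3.2: the following Python is an added example, not the paper's code, that applies the three transformations to a function given as a 0/1 matrix, refuses inputs with an embedded XOR, and checks that the result is literally the greater-than matrix (entry $(i, j)$ equal to 1 iff $i > j$). The choice to order columns by decreasing Hamming weight, so that the output takes exactly that shape, and all function names are mine.

```python
from itertools import combinations
from typing import List, Tuple

Matrix = List[List[int]]   # g[i][j] holds g(x_{i+1}, y_{j+1})


def has_embedded_xor(g: Matrix) -> bool:
    """True iff rows r1, r2 and columns c1, c2 exist with
    g(r1,c1) = g(r2,c2) != g(r1,c2) = g(r2,c1)."""
    for r1, r2 in combinations(range(len(g)), 2):
        for c1, c2 in combinations(range(len(g[0])), 2):
            if (g[r1][c1] == g[r2][c2] and g[r1][c2] == g[r2][c1]
                    and g[r1][c1] != g[r1][c2]):
                return True
    return False


def transpose(g: Matrix) -> Matrix:
    return [list(col) for col in zip(*g)]


def dedupe(g: Matrix) -> Matrix:
    """Step 1: drop duplicate rows, then duplicate columns (first occurrence kept)."""
    rows: Matrix = []
    for row in g:
        if row not in rows:
            rows.append(row)
    cols: Matrix = []
    for col in transpose(rows):
        if col not in cols:
            cols.append(col)
    return transpose(cols)


def sort_by_weight(g: Matrix) -> Matrix:
    """Step 3: rows by increasing Hamming weight. Columns are ordered by
    decreasing weight, the direction that yields entry (i, j) = 1 iff i > j."""
    g = sorted(g, key=sum)
    return transpose(sorted(transpose(g), key=sum, reverse=True))


def is_greater_than(g: Matrix) -> bool:
    return all(v == int(i > j) for i, row in enumerate(g) for j, v in enumerate(row))


def to_greater_than(g: Matrix) -> Tuple[Matrix, bool, bool]:
    """Apply the Section 3.2 transformations to a function given as a 0/1 matrix.
    Returns (g'', transposed, complemented)."""
    if has_embedded_xor(g):
        raise ValueError("g contains an embedded XOR; the reduction does not apply")
    g1 = dedupe(g)
    transposed = len(g1) < len(g1[0])          # ensure rows >= columns
    if transposed:
        g1 = transpose(g1)
    m1, m2 = len(g1), len(g1[0])
    if m1 - m2 not in (0, 1):                  # Step 2: distinct weights force this
        raise AssertionError("row/column counts differ by more than 1")
    g2 = sort_by_weight(g1)
    complemented = False
    if m1 == m2 and any(g2[0]):                # Case 3: first row is not all-0
        complemented = True
        g2 = sort_by_weight([[1 - v for v in row] for row in g2])
    if not is_greater_than(g2):                # Cases 1-3 promise this shape
        raise AssertionError("result is not an instance of greater-than")
    return g2, transposed, complemented
```

Boolean OR, `[[0, 1], [1, 1]]`, goes through Case 3 (complement, then re-sort) and comes out as the 2-by-2 greater-than matrix, while a 3-by-2 function whose first two rows form an XOR is rejected.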
(Note that, in general, this $\omega(\log n)$ round-complexity bound is incomparable to the result of the previous section, where the round complexity was linear in the domain size.)

It will be instructive to see why Cleve's impossibility result does not immediately rule out complete fairness for all functions containing an embedded XOR. Consider the following function $f$ (which is the example for which we will later prove feasibility):

(table of $f$ with rows $x_1, x_2, x_3$ and columns $y_1, y_2$; the entries are not recoverable from the extracted text)

If the parties could be forced to choose their inputs from $\{x_1, x_2\}$ and $\{y_1, y_2\}$, respectively, then it would be easy to generate a fair coin toss from any secure computation of $f$ (with complete fairness) by simply instructing both parties to choose their inputs uniformly from the stated domains. (This results in a fair coin toss since the output is uniform as long as either party chooses their input at random.) Unfortunately, a protocol for securely computing $f$ does not restrict the first party to choosing its input in $\{x_1, x_2\}$, and cannot prevent that party from choosing input $x_3$ and thus biasing the result toward 1 with certainty. (Naive solutions such as requiring the first party to provide a zero-knowledge proof that it chose its input in $\{x_1, x_2\}$ do not work either, since we still
need a way for, e.g., the second party to decide on their output in case the zero-knowledge proof of the first party fails.) Of course, this only shows that Cleve's impossibility result does not apply but does not prove that a completely fair protocol for computing $f$ exists.

4.1 The Protocol

Preliminaries. In this section we present a generic protocol for computing a boolean function $F = \{f_n : X_n \times Y_n \to \{0, 1\}\}$. (For convenience, we write $X$ and $Y$ and drop the explicit dependence on $n$ in what follows.) The protocol is parameterized by a function $\alpha = \alpha(n)$, and the number of rounds is set to $m = \omega(\alpha^{-1} \log n)$ in order for correctness to hold with all but negligible probability. (We thus must have $\alpha$ noticeable to ensure that the number of rounds is polynomial in $n$.) We do not claim that the protocol is completely fair for arbitrary functions $F$ and arbitrary settings of $\alpha$. Rather, we claim that for some functions $F$ there exists a corresponding $\alpha$ for which the protocol is completely fair. In Section 4.2, we prove this for one specific function that contains an embedded XOR. In Appendix A we generalize the proof and show that the protocol can be used for completely fair computation of other functions as well.

Overview and intuition. As in the protocol of the previous section, the parties begin by running a preliminary phase during which values $a_1, b_1, \ldots, a_m, b_m$ are generated based on the parties' respective inputs $x$ and $y$, and shares of the $\{a_i, b_i\}$ are distributed to each of the parties. (As before, this phase will be carried out using a standard protocol for secure two-party computation, where one party can abort the execution and prevent the other party from receiving any output.) As in the previous protocol, following the preliminary phase the parties exchange their shares one-by-one in a sequence of $m$ iterations, with $P_1$ reconstructing $a_i$ and $P_2$ reconstructing $b_i$ in iteration $i$. At the end of the protocol, $P_1$ outputs $a_m$ and $P_2$ outputs $b_m$.
If a party (say, $P_1$) ever aborts, then the other party ($P_2$ in this case) outputs the last value it successfully reconstructed; i.e., if $P_1$ aborts before sending its iteration-$i$ message, $P_2$ outputs $b_{i-1}$. (This assumes $i > 1$. See the formal description of the protocol for further details.)

In contrast to our earlier protocol, however, the values $a_1, b_1, \ldots, a_m, b_m$ are now generated probabilistically in the following way: first, a value $i^* \in \{1, \ldots, m\}$ is chosen according to a geometric distribution with parameter $\alpha$ (see below), in a way such that neither party learns the value of $i^*$. For $i < i^*$, the value $a_i$ (resp., $b_i$) is chosen in a manner that is independent of $P_2$'s (resp., $P_1$'s) input; specifically, we set $a_i = f(x, \hat y)$ for randomly chosen $\hat y \in Y$ (and analogously for $b_i$). For all $i \ge i^*$, the values $a_i$ and $b_i$ are set equal to $f(x, y)$. Note that if $m = \omega(\alpha^{-1} \log n)$, we have $a_m = b_m = f(x, y)$ with all but negligible probability and so correctness holds. (The protocol could also be modified so that $a_m = b_m = f(x, y)$ with probability 1, thus giving perfect correctness. But the analysis is easier without this modification.)

Fairness is more difficult to see and, of course, cannot hold for all functions $f$ since some functions cannot be computed fairly. But as intuition for why the protocol achieves fairness for certain functions, we observe that: (1) if a malicious party (say, $P_1$) aborts in some iteration $i < i^*$, then $P_1$ has not yet obtained any information about $P_2$'s input and so fairness is trivially achieved. On the other hand, (2) if $P_1$ aborts in some iteration $i > i^*$ then both $P_1$ and $P_2$ have received the correct output $f(x, y)$ and fairness is obtained. The worst case, then, occurs when $P_1$ aborts exactly in iteration $i^*$, as $P_1$ has then learned the correct value of $f(x, y)$ while $P_2$ has not. However, $P_1$ cannot identify iteration $i^*$ with certainty, even if it knows the other party's input $y$! This is because $P_1$ can randomly receive the correct output value even in rounds $i < i^*$. Although the adversary may happen to guess correctly, the fact that it can never be sure whether its guess is correct is what allows us to prove fairness. (Recall, we define fairness via indistinguishability from an ideal world in which fairness is guaranteed. This intuition provides a way of understanding what is going on, but the formal proof does not exactly follow this intuition.)

Formal description of the protocol. The protocol is parameterized by a value $\alpha = \alpha(n)$ which is assumed to be noticeable. Let $m = \omega(\alpha^{-1} \log n)$. As in the previous section, we use an $m$-time MAC with information-theoretic security. We also rely on a sub-protocol $\pi$ computing a functionality ShareGen that generates shares (and associated MAC tags) for the parties; see Figure 3. (As before, $\pi$ securely computes ShareGen with abort.) We continue to let $a_1^{(1)}, b_1^{(1)}, a_2^{(1)}, b_2^{(1)}, \ldots$ denote the shares obtained by $P_1$, and let $a_1^{(2)}, b_1^{(2)}, a_2^{(2)}, b_2^{(2)}, \ldots$ denote the shares obtained by $P_2$. Functionality ShareGen generates a value $i^*$ according to a geometric distribution with parameter $\alpha$.

ShareGen

Inputs: Let the inputs to ShareGen be $x \in X$ and $y \in Y$. (If one of the received inputs is not in the correct domain, then both parties are given output $\perp$.) The security parameter is $n$.

Computation:

1. Define values $a_1, \ldots, a_m$ and $b_1, \ldots, b_m$ in the following way:
Choose $i^*$ according to a geometric distribution with parameter $\alpha$ (see text).
For $i = 1$ to $i^* - 1$ do: Choose $\hat y \leftarrow Y$ and set $a_i = f(x, \hat y)$. Choose $\hat x \leftarrow X$ and set $b_i = f(\hat x, y)$.
For $i = i^*$ to $m$, set $a_i = b_i = f(x, y)$.

2. For $1 \le i \le m$, choose $(a_i^{(1)}, a_i^{(2)})$ and $(b_i^{(1)}, b_i^{(2)})$ as random secret sharings of $a_i$ and $b_i$, respectively. (E.g., $a_i^{(1)}$ is random and $a_i^{(1)} \oplus a_i^{(2)} = a_i$.)

3. Compute $k_a, k_b \leftarrow \mathrm{Gen}(1^n)$. For $1 \le i \le m$, let $t_i^a = \mathrm{Mac}_{k_a}(i \| a_i^{(2)})$ and $t_i^b = \mathrm{Mac}_{k_b}(i \| b_i^{(1)})$.

Output:

1. Send to $P_1$ the values $a_1^{(1)}, \ldots, a_m^{(1)}$ and $(b_1^{(1)}, t_1^b), \ldots, (b_m^{(1)}, t_m^b)$, and the MAC-key $k_a$.

2. Send to $P_2$ the values $(a_1^{(2)}, t_1^a), \ldots, (a_m^{(2)}, t_m^a)$ and $b_1^{(2)}, \ldots, b_m^{(2)}$, and the MAC-key $k_b$.

Figure 3: Functionality ShareGen, parameterized by a value $\alpha$.
This is the probability distribution on $\mathbb{N} = \{1, 2, \ldots\}$ given by repeating a Bernoulli trial (with parameter $\alpha$) until the first success. In other words, $i^*$ is determined by tossing a biased coin (that is heads with probability $\alpha$) until the first head appears, and letting $i^*$ be the number of tosses performed. Note that neither party learns the value of $i^*$. We use a geometric distribution for $i^*$ because it has the following useful property: for any $i$, the probability that $i^* = i$ conditioned on the event that $i^* \ge i$ is independent of $i$ (namely, $\Pr[i^* = i \mid i^* \ge i] = \alpha$). We remark that, as far as ShareGen is concerned, if $i^* > m$ then the exact value of $i^*$ is unimportant, and so ShareGen can be implemented in strict (rather than expected) polynomial time. In any case, our choice of $m$ ensures that $i^* \le m$ with all but negligible probability.

Our second protocol calls ShareGen as a subroutine and then has the parties exchange their shares as in our first protocol. As discussed above, aborts are handled differently here in that a party also outputs the last value it reconstructed if the other party aborts. A formal description
of the protocol is given in Figure 4.

Protocol 2

Inputs: Party $P_1$ has input $x$ and party $P_2$ has input $y$. The security parameter is $n$.

The protocol:

1. Preliminary phase:
(a) $P_1$ chooses $\hat y \in Y$ uniformly at random, and sets $a_0 = f(x, \hat y)$. Similarly, $P_2$ chooses $\hat x \in X$ uniformly at random, and sets $b_0 = f(\hat x, y)$.
(b) Parties $P_1$ and $P_2$ run protocol $\pi$ for computing ShareGen, using their respective inputs $x$ and $y$, and security parameter $n$.
(c) If $P_1$ receives $\perp$ from the above computation, it outputs $a_0$ and halts. Likewise, if $P_2$ receives $\perp$ then it outputs $b_0$ and halts. Otherwise, the parties proceed to the next step.
(d) Denote the output of $P_1$ from $\pi$ by $a_1^{(1)}, \ldots, a_m^{(1)}$, $(b_1^{(1)}, t_1^b), \ldots, (b_m^{(1)}, t_m^b)$, and $k_a$.
(e) Denote the output of $P_2$ from $\pi$ by $(a_1^{(2)}, t_1^a), \ldots, (a_m^{(2)}, t_m^a)$, $b_1^{(2)}, \ldots, b_m^{(2)}$, and $k_b$.

2. For $i = 1, \ldots, m$ do:

$P_2$ sends the next share to $P_1$:
(a) $P_2$ sends $(a_i^{(2)}, t_i^a)$ to $P_1$.
(b) $P_1$ receives $(a_i^{(2)}, t_i^a)$ from $P_2$. If $\mathrm{Vrfy}_{k_a}(i \| a_i^{(2)}, t_i^a) = 0$ (or if $P_1$ received an invalid message, or no message), then $P_1$ outputs $a_{i-1}$ and halts.
(c) If $\mathrm{Vrfy}_{k_a}(i \| a_i^{(2)}, t_i^a) = 1$, then $P_1$ sets $a_i = a_i^{(1)} \oplus a_i^{(2)}$ (and continues running the protocol).

$P_1$ sends the next share to $P_2$:
(a) $P_1$ sends $(b_i^{(1)}, t_i^b)$ to $P_2$.
(b) $P_2$ receives $(b_i^{(1)}, t_i^b)$ from $P_1$. If $\mathrm{Vrfy}_{k_b}(i \| b_i^{(1)}, t_i^b) = 0$ (or if $P_2$ received an invalid message, or no message), then $P_2$ outputs $b_{i-1}$ and halts.
(c) If $\mathrm{Vrfy}_{k_b}(i \| b_i^{(1)}, t_i^b) = 1$, then $P_2$ sets $b_i = b_i^{(1)} \oplus b_i^{(2)}$ (and continues running the protocol).

3. If all $m$ iterations have been run, party $P_1$ outputs $a_m$ and party $P_2$ outputs $b_m$.

Figure 4: Generic protocol for computing a function $f$.

4.2 Proof of Security for a Particular Function

Protocol 2 cannot guarantee complete fairness for all functions $f$. Rather, what we claim is that for certain functions $f$ and particular associated values of $\alpha$, the protocol provides complete fairness.
In this section, we prove security for the following function $f$:

(table of $f$ with rows $x_1, x_2, x_3$ and columns $y_1, y_2$; the entries are not recoverable from the extracted text)

This function has an embedded XOR, and is defined over a finite domain so that $X_n = X = \{x_1, x_2, x_3\}$ and $Y_n = Y = \{y_1, y_2\}$. For this $f$, we set $\alpha = 1/5$ in Protocol 2.
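As an added example that is not part of the paper, the following Python models ShareGen (Figure 3) and the share exchange of Protocol 2 (Figure 4) with $\alpha = 1/5$, so that one can observe what an honest party outputs when the other party aborts or tampers before, at, or after iteration $i^*$; the same MAC-checked exchange skeleton is what Protocol 1 uses, with only the fallback outputs differing. It assumes a constructed instance of the function above (rows $x_1, x_2$ form an XOR and row $x_3$ is all ones, matching the text; which of $x_1$/$x_2$ carries 0 1 versus 1 0 is an assumption), and HMAC stands in for the information-theoretic $m$-time MAC.

```python
import hashlib
import hmac
import random

# Constructed instance of the Section 4 function: rows x1, x2 form an embedded
# XOR and row x3 is all ones. Which of x1/x2 holds (0,1) versus (1,0) is an
# assumption; the paper's table entries are not reproduced here.
X = ("x1", "x2", "x3")
Y = ("y1", "y2")
F_TABLE = {("x1", "y1"): 0, ("x1", "y2"): 1,
           ("x2", "y1"): 1, ("x2", "y2"): 0,
           ("x3", "y1"): 1, ("x3", "y2"): 1}
ALPHA = 1 / 5  # the parameter the paper fixes for this f


def f(x, y):
    return F_TABLE[(x, y)]


def make_rng(seed):
    return random.Random(seed)


def geometric(alpha, rng):
    """Toss a coin with heads-probability alpha until the first head; return the count."""
    i = 1
    while rng.random() >= alpha:
        i += 1
    return i


def mac(key, i, share):
    # HMAC stands in for the information-theoretic m-time MAC. The iteration
    # index is bound into the tag so a share cannot be replayed in another round.
    return hmac.new(key, f"{i}|{share}".encode(), hashlib.sha256).digest()


def vrfy(key, i, share, tag):
    return hmac.compare_digest(mac(key, i, share), tag)


def share_gen(x, y, m, alpha, rng):
    """ShareGen of Figure 3. Returns (P1's output, P2's output, i_star);
    both outputs are None (the 'bottom' output) if an input is out of domain."""
    if x not in X or y not in Y:
        return None, None, None
    i_star = geometric(alpha, rng)
    # a_i, b_i depend on the other party's input only from iteration i_star on
    a = [f(x, rng.choice(Y)) if i < i_star else f(x, y) for i in range(1, m + 1)]
    b = [f(rng.choice(X), y) if i < i_star else f(x, y) for i in range(1, m + 1)]
    ka = rng.getrandbits(128).to_bytes(16, "big")
    kb = rng.getrandbits(128).to_bytes(16, "big")
    a1 = [rng.getrandbits(1) for _ in range(m)]        # a_i^(1) uniform
    b2 = [rng.getrandbits(1) for _ in range(m)]        # b_i^(2) uniform
    a2 = [v ^ s for v, s in zip(a, a1)]                # a_i^(2) = a_i xor a_i^(1)
    b1 = [v ^ s for v, s in zip(b, b2)]
    p1_out = (a1, [(b1[i], mac(kb, i + 1, b1[i])) for i in range(m)], ka)
    p2_out = ([(a2[i], mac(ka, i + 1, a2[i])) for i in range(m)], b2, kb)
    return p1_out, p2_out, i_star


def run_protocol2(x, y, m, alpha, rng, abort_p1_at=None, abort_p2_at=None,
                  tamper_p2_at=None):
    """Protocol 2 of Figure 4. abort_p1_at/abort_p2_at = i: that party sends
    nothing in iteration i; tamper_p2_at = i: P2 flips its iteration-i share.
    Returns each party's output (None for a party that misbehaved) and i_star."""
    a = [f(x, rng.choice(Y)) if x in X else None]   # a[0] = a_0 (step 1(a))
    b = [f(rng.choice(X), y) if y in Y else None]   # b[0] = b_0
    p1, p2, i_star = share_gen(x, y, m, alpha, rng)
    if p1 is None:                                  # ShareGen returned bottom
        return {"P1": a[0], "P2": b[0], "i_star": None}
    a1, b1t, ka = p1
    a2t, b2, kb = p2
    for i in range(1, m + 1):
        # P2 -> P1: (a_i^(2), t_i^a); P1 falls back to a_{i-1} on any failure
        if abort_p2_at == i:
            return {"P1": a[i - 1], "P2": None, "i_star": i_star}
        a2_i, ta_i = a2t[i - 1]
        if tamper_p2_at == i:
            a2_i ^= 1
        if not vrfy(ka, i, a2_i, ta_i):
            return {"P1": a[i - 1], "P2": None, "i_star": i_star}
        a.append(a1[i - 1] ^ a2_i)
        # P1 -> P2: (b_i^(1), t_i^b); P2 falls back to b_{i-1} on any failure
        if abort_p1_at == i:
            return {"P1": None, "P2": b[i - 1], "i_star": i_star}
        b1_i, tb_i = b1t[i - 1]
        if not vrfy(kb, i, b1_i, tb_i):
            return {"P1": None, "P2": b[i - 1], "i_star": i_star}
        b.append(b1_i ^ b2[i - 1])
    return {"P1": a[m], "P2": b[m], "i_star": i_star}


def memoryless_estimate(alpha, i, trials, rng):
    """Estimate Pr[i* = i | i* >= i]; for a geometric i* this is alpha for every i."""
    hits = reached = 0
    for _ in range(trials):
        s = geometric(alpha, rng)
        if s >= i:
            reached += 1
            hits += s == i
    return hits / reached
```

Re-running with the same seed and `abort_p1_at` set to one past the returned `i_star` shows $P_2$ still outputting $f(x, y)$, while an abort at any $i \le i^*$ leaves it with a value independent of $x$.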
More informationTurbulence Models and Their Application to Complex Flows R. H. Nichols University of Alabama at Birmingham
Turbulence Models and Ther Applcaton to Complex Flows R. H. Nchols Unversty of Alabama at Brmngham Revson 4.01 CONTENTS Page 1.0 Introducton 1.1 An Introducton to Turbulent Flow 11 1. Transton to Turbulent
More informationThe Global Macroeconomic Costs of Raising Bank Capital Adequacy Requirements
W/1/44 The Global Macroeconomc Costs of Rasng Bank Captal Adequacy Requrements Scott Roger and Francs Vtek 01 Internatonal Monetary Fund W/1/44 IMF Workng aper IMF Offces n Europe Monetary and Captal Markets
More informationIncome per natural: Measuring development as if people mattered more than places
Income per natural: Measurng development as f people mattered more than places Mchael A. Clemens Center for Global Development Lant Prtchett Kennedy School of Government Harvard Unversty, and Center for
More informationDISCUSSION PAPER. Should Urban Transit Subsidies Be Reduced? Ian W.H. Parry and Kenneth A. Small
DISCUSSION PAPER JULY 2007 RFF DP 0738 Should Urban Transt Subsdes Be Reduced? Ian W.H. Parry and Kenneth A. Small 1616 P St. NW Washngton, DC 20036 2023285000 www.rff.org Should Urban Transt Subsdes
More information