Complete Fairness in Secure Two-Party Computation
S. Dov Gordon, Carmit Hazay, Jonathan Katz, Yehuda Lindell

Abstract

In the setting of secure two-party computation, two mutually distrusting parties wish to compute some function of their inputs while preserving, to the extent possible, various security properties such as privacy, correctness, and more. One desirable property is fairness which guarantees, informally, that if one party receives its output, then the other party does too. Cleve (STOC 1986) showed that complete fairness cannot be achieved in general without an honest majority. Since then, the accepted folklore has been that nothing non-trivial can be computed with complete fairness in the two-party setting. We demonstrate that this folklore belief is false by showing completely fair protocols for various non-trivial functions in the two-party setting based on standard cryptographic assumptions. We first show feasibility of obtaining complete fairness when computing any function over polynomial-size domains that does not contain an "embedded XOR"; this class of functions includes boolean AND/OR as well as Yao's millionaires' problem. We also demonstrate feasibility for certain functions that do contain an embedded XOR, and prove a lower bound showing that any completely fair protocol for such functions must have round complexity superlogarithmic in the security parameter. Our results demonstrate that the question of completely fair secure computation without an honest majority is far from closed.

Keywords: cryptography, secure computation, fairness, distributed computing

Author affiliations (in author order):
S. Dov Gordon: Dept. of Computer Science, Columbia University. Work done while at the University of Maryland.
Carmit Hazay: Dept. of Computer Science, Aarhus University. Work done while at Bar-Ilan University.
Jonathan Katz: Dept. of Computer Science, University of Maryland. Work supported by NSF grants # and #, and US-Israel Binational Science Foundation grant #.
Yehuda Lindell: Dept. of Computer Science, Bar-Ilan University. Work supported by US-Israel Binational Science Foundation grant #.
1 Introduction

In the setting of secure computation, a set of parties wish to run some protocol for computing a function of their inputs while preserving, to the extent possible, security properties such as privacy, correctness, input independence, etc. These requirements, and more, are formalized by comparing a real-world execution of the protocol to an ideal world where there is a trusted entity who performs the computation on behalf of the parties. Informally, a protocol is secure if for any real-world adversary A there exists a corresponding ideal-world adversary S (corrupting the same parties as A) such that the result of executing the protocol in the real world with A is computationally indistinguishable from the result of computing the function in the ideal world with S. One desirable property is fairness which, intuitively, means that either everyone receives the output, or else no one does.

Unfortunately, it has been shown by Cleve [11] that complete fairness (see footnote 1) is impossible to achieve in general when a majority of parties is not honest (which, in particular, includes the two-party setting); specifically, Cleve rules out completely fair coin tossing, which implies the impossibility of computing boolean XOR with complete fairness. Since Cleve's work, the accepted folklore has been that nothing non-trivial can be computed with complete fairness without an honest majority, and researchers have simply resigned themselves to being unable to achieve this goal. Indeed, the standard formulation of secure computation (see [18]) posits two ideal worlds, and two corresponding definitions of security: one that incorporates fairness and is used when a majority of the parties are assumed to be honest (we refer to the corresponding definition as "security with complete fairness"), and one that does not incorporate fairness and is used when an arbitrary number of parties may be corrupted (we refer to the corresponding definition as "security with abort", since the adversary in this case may abort the protocol once it receives its output).
Protocols achieving security with complete fairness when a majority of parties are honest, for arbitrary functionalities, are known (assuming a broadcast channel) [19, 5, 9, 1, 30], as are protocols achieving security with abort for any number of corrupted parties (under suitable cryptographic assumptions) [19, 18]. Since the work of Cleve, however, there has been no progress toward a better understanding of complete fairness without an honest majority. No further impossibility results have been shown (i.e., other than those that follow trivially from Cleve's result), nor have any completely fair protocols for any non-trivial (see footnote 2) functions been constructed. In short, the question of fairness without an honest majority has been treated as closed for over two decades.

1.1 Our Results

Cleve's work shows that certain functions cannot be computed with complete fairness without an honest majority. The folklore interpretation of this result seems to have been that nothing (non-trivial) can be computed with complete fairness without an honest majority. Surprisingly, we show that this folklore is false by demonstrating that many interesting and non-trivial functions can be computed with complete fairness in the two-party setting. Our positive results can be based on standard cryptographic assumptions such as the existence of enhanced trapdoor permutations. (Actually, our results can be based on the minimal assumption that oblivious transfer is possible.)

Footnote 1: Various notions of partial fairness have also been considered; see Section 1.2 for a brief discussion.
Footnote 2: It is not hard to see that some trivial functions (e.g., the constant function) can be computed with complete fairness. Furthermore, any function that depends on only one party's input can be computed with complete fairness, as can any function where only one party receives output. We consider such functions trivial in this context.
Our first result concerns functions without an "embedded XOR", where a function f is said to have an embedded XOR if there exist inputs x_0, x_1, y_0, y_1 such that f(x_0, y_0) = f(x_1, y_1) ≠ f(x_0, y_1) = f(x_1, y_0). We show:

Theorem. Let f be a two-input boolean function defined over polynomial-size domains that does not contain an embedded XOR. Then, under suitable cryptographic assumptions, there exists a protocol for securely computing f with complete fairness.

This result is described in Section 3. The round complexity of our protocol in this case is linear in the size of the domains, hence the restriction that the domains be of polynomial size. Examples of functions without an embedded XOR include boolean OR and AND, as well as Yao's millionaires' problem [31] (i.e., the greater-than function). We remark that even simple functions such as OR/AND are non-trivial in the context of secure two-party computation since they cannot be computed with information-theoretic privacy [10] and are in fact complete for two-party secure computation with abort [24].

Recall that Cleve's result rules out completely fair computation of boolean XOR. Given this and the fact that our first result applies only to functions without an embedded XOR, a natural conjecture is that the presence of an embedded XOR serves as a barrier to completely fair computation of a given function. Our next result shows that this conjecture is false:

Theorem. Under suitable cryptographic assumptions, there exist two-input boolean functions containing an embedded XOR that can be securely computed with complete fairness.

This result is described in Section 4. The round complexity of the protocol here is super-logarithmic in the security parameter. We show that this is, in fact, inherent:

Theorem. Let f be a two-party function containing an embedded XOR. Then any protocol securely computing f with complete fairness (assuming one exists) requires ω(log n) rounds.
Our proof of the above is reminiscent of Cleve's proof [11], except that Cleve only needed to consider the adversary's ability to bias a coin toss, whereas we must jointly consider both bias and privacy (since, for certain functions containing an embedded XOR, it is possible for an adversary to bias the output even in the ideal world). This makes the proof considerably more complex.

1.2 Related Work

Questions of fairness have been studied since the early days of secure computation. Previous work has been dedicated to achieving various relaxations of fairness (i.e., "partial fairness"), both for the case of specific functionalities like coin tossing [11, 12, 28] and contract signing/exchanging secrets [6, 26, 14, 4, 13], as well as for the case of general functionalities [32, 16, 3, 20, 15, 7, 29, 17, 22]. While relevant, such work is tangential to our own: here, rather than try to achieve partial fairness for all functionalities, we are interested in obtaining complete fairness and then ask for which functionalities this is possible.

1.3 Open Questions

We have shown the first positive results for completely-fair secure computation of non-trivial functionalities without an honest majority. This re-opens an area of research that was previously thought to be closed, and leaves many tantalizing open directions to explore. The most pressing question left open by this work is to provide a tight characterization of which boolean functions can be computed with complete fairness in the two-party setting. More generally, the positive results shown here apply only to deterministic, single-output (see footnote 3), boolean functions defined over polynomial-size domains. Relaxing any of these restrictions in a non-trivial way (or proving the impossibility of doing so) would be an interesting next step. Finally, what can be said with regard to complete fairness in the multi-party setting without honest majority? (This question is interesting both with and without the assumption of a broadcast channel.) Initial feasibility results have been shown [21], but much work remains to be done.

2 Definitions

We let n denote the security parameter. A function µ(·) is negligible if for every positive polynomial p(·) and all sufficiently large n it holds that µ(n) < 1/p(n). A distribution ensemble X = {X(a, n)}_{a ∈ D_n, n ∈ N} is an infinite sequence of random variables indexed by a ∈ D_n and n ∈ N, where D_n is a set that may depend on n. (Looking ahead, n will be the security parameter and D_n will denote the domain of the parties' inputs.) Two distribution ensembles X = {X(a, n)}_{a ∈ D_n, n ∈ N} and Y = {Y(a, n)}_{a ∈ D_n, n ∈ N} are computationally indistinguishable, denoted $X \stackrel{c}{\equiv} Y$, if for every non-uniform polynomial-time algorithm D there exists a negligible function µ(·) such that for every n and every a ∈ D_n

$$\bigl|\Pr[D(X(a,n)) = 1] - \Pr[D(Y(a,n)) = 1]\bigr| \le \mu(n).$$

The statistical difference between two distributions X(a, n) and Y(a, n) is defined as

$$\mathrm{SD}\bigl(X(a,n), Y(a,n)\bigr) = \frac{1}{2} \sum_{s} \bigl|\Pr[X(a,n) = s] - \Pr[Y(a,n) = s]\bigr|,$$

where the sum ranges over s in the support of either X(a, n) or Y(a, n). Two distribution ensembles X = {X(a, n)}_{a ∈ D_n, n ∈ N} and Y = {Y(a, n)}_{a ∈ D_n, n ∈ N} are statistically close, denoted $X \stackrel{s}{\equiv} Y$, if there is a negligible function µ(·) such that for every n and every a ∈ D_n, it holds that SD(X(a, n), Y(a, n)) ≤ µ(n).

Functionalities. In the two-party setting, a functionality F = {f_n}_{n ∈ N} is a sequence of randomized processes, where each f_n maps pairs of inputs to pairs of outputs (one for each party).
We write f_n = (f^1_n, f^2_n) if we wish to emphasize the two outputs of f_n, but stress that if f^1_n and f^2_n are randomized then the outputs of f^1_n and f^2_n are correlated random variables. The domain of f_n is X_n × Y_n, where X_n (resp., Y_n) denotes the possible inputs of the first (resp., second) party (see footnote 4). If |X_n| and |Y_n| are polynomial in n, then we say that F is defined over polynomial-size domains. If each f_n is deterministic we will refer to each f_n, as well as the collection F, as a function.

2.1 Secure Two-Party Computation with Complete Fairness

In what follows, we define what we mean by a secure protocol. Our definition follows the standard definition of [18] (based on [20, 27, 2, 8]) except that we require complete fairness even though we are in the two-party setting. (Thus, our definition is equivalent to the one in [18] for the case of an honest majority, even though we do not have an honest majority.) We consider active (i.e., malicious) adversaries, who may deviate from the protocol arbitrarily, and static corruptions.

Footnote 3: I.e., where both parties receive the same output.
Footnote 4: The typical convention in secure computation is to let f_n = f and X_n = Y_n = {0, 1}* for all n. We will be dealing with functions defined over polynomial-size domains, which is why we introduce this notation.
Two-party computation. A two-party protocol for computing a functionality F = {(f^1_n, f^2_n)} is a protocol running in polynomial time and satisfying the following functional requirement: if party P_1 begins by holding 1^n and input x ∈ X_n, and party P_2 holds 1^n and input y ∈ Y_n, then the joint distribution of the outputs of the parties is statistically close to (f^1_n(x, y), f^2_n(x, y)).

Security of protocols (informal). The security of a protocol is analyzed by comparing what an adversary can do in a real protocol execution to what it can do in an ideal scenario that is secure by definition. This is formalized by considering an ideal computation involving an incorruptible trusted party to whom the parties send their inputs. The trusted party computes the functionality on the inputs and returns to each party its respective output. Loosely speaking, a protocol is secure if any adversary interacting in the real protocol (where no trusted party exists) can do no more harm than if it were involved in the above-described ideal computation. We assume an adversary who corrupts one of the parties. It is also meaningful to consider an eavesdropping adversary who corrupts neither of the parties (and should learn nothing from the execution), but such an adversary is easily handled and is not very interesting in our setting.

Execution in the ideal model. The parties are P_1 and P_2, and there is an adversary A who has corrupted one of them. An ideal execution for the computation of F = {f_n} proceeds as follows:

Inputs: P_1 and P_2 hold the same value 1^n, and their inputs x ∈ X_n and y ∈ Y_n, respectively; the adversary A receives an auxiliary input z.

Send inputs to trusted party: The honest party sends its input to the trusted party. The corrupted party controlled by A may send any value of its choice. Denote the pair of inputs sent to the trusted party by (x', y').

Trusted party sends outputs: If x' ∉ X_n the trusted party sets x' to some default input in X_n; likewise if y' ∉ Y_n the trusted party sets y' equal to some default input in Y_n. Then the trusted party chooses r uniformly at random and sends f^1_n(x', y'; r) to party P_1 and f^2_n(x', y'; r) to party P_2.

Outputs: The honest party outputs whatever it was sent by the trusted party, the corrupted party outputs nothing, and A outputs an arbitrary (probabilistic polynomial-time computable) function of its view.

We let ideal_{F,A(z)}(x, y, n) be the random variable consisting of the output of the adversary and the output of the honest party following an execution in the ideal model as described above.

Execution in the real model. We next consider the real model in which a two-party protocol π is executed by P_1 and P_2 (and there is no trusted party). In this case, the adversary A gets the inputs of the corrupted party and sends all messages on behalf of this party, using an arbitrary polynomial-time strategy. The honest party follows the instructions of π. Let F be as above and let π be a two-party protocol computing F. Let A be a non-uniform probabilistic polynomial-time machine with auxiliary input z. We let real_{π,A(z)}(x, y, n) be the random variable consisting of the view of the adversary and the output of the honest party, following an execution of π where P_1 begins by holding 1^n and input x and P_2 begins by holding 1^n and y.

Security as emulation of an ideal execution in the real model. Having defined the ideal and real models, we can now define security of a protocol. Loosely speaking, the definition asserts that a secure protocol (in the real model) emulates the ideal model (in which a trusted party exists). This is formulated as follows:
Definition 2.1 Protocol π is said to securely compute F with complete fairness if for every non-uniform probabilistic polynomial-time adversary A in the real model, there exists a non-uniform probabilistic polynomial-time adversary S in the ideal model such that

$$\bigl\{\mathrm{ideal}_{F,S(z)}(x,y,n)\bigr\}_{(x,y)\in X_n\times Y_n,\ z\in\{0,1\}^*,\ n\in\mathbb{N}} \;\stackrel{c}{\equiv}\; \bigl\{\mathrm{real}_{\pi,A(z)}(x,y,n)\bigr\}_{(x,y)\in X_n\times Y_n,\ z\in\{0,1\}^*,\ n\in\mathbb{N}}.$$

2.2 Secure Two-Party Computation With Abort

This definition is the standard one for secure two-party computation [18] in that it allows "early abort"; i.e., the adversary may receive its own output even though the honest party does not. We again let P_1 and P_2 denote the two parties, and consider an adversary A who has corrupted one of them. The only change from the definition in Section 2.1 is with regard to the ideal model for computing F = {f_n}, which is now defined as follows:

Inputs: As previously.

Send inputs to trusted party: As previously.

Trusted party sends output to corrupted party: If x' ∉ X_n the trusted party sets x' to some default input in X_n; likewise if y' ∉ Y_n the trusted party sets y' equal to some default input in Y_n. Then the trusted party chooses r uniformly at random, computes z_1 = f^1_n(x', y'; r) and z_2 = f^2_n(x', y'; r), and sends z_i to the corrupted party P_i (i.e., to the adversary A).

Adversary decides whether to abort: After receiving its output (as described above), the adversary either sends abort or continue to the trusted party. In the former case the trusted party sends ⊥ to the honest party P_j, and in the latter case the trusted party sends z_j to P_j.

Outputs: As previously.

We let ideal^abort_{F,A(z)}(x, y, n) be the random variable consisting of the output of the adversary and the output of the honest party following an execution in the ideal model as described above.
Definition 2.2 Protocol π is said to securely compute F with abort if for every non-uniform probabilistic polynomial-time adversary A in the real model, there exists a non-uniform probabilistic polynomial-time adversary S in the ideal model such that

$$\bigl\{\mathrm{ideal}^{\mathrm{abort}}_{F,S(z)}(x,y,n)\bigr\}_{(x,y)\in X_n\times Y_n,\ z\in\{0,1\}^*,\ n\in\mathbb{N}} \;\stackrel{c}{\equiv}\; \bigl\{\mathrm{real}_{\pi,A(z)}(x,y,n)\bigr\}_{(x,y)\in X_n\times Y_n,\ z\in\{0,1\}^*,\ n\in\mathbb{N}}.$$

2.3 The Hybrid Model

The hybrid model combines both the real and ideal models. Specifically, an execution of a protocol π in the G-hybrid model, for some functionality G, involves the parties sending normal messages to each other (as in the real model) and, in addition, having access to a trusted party computing G. The parties communicate with this trusted party in exactly the same way as in the ideal models described above; the question of which ideal model is taken (that with or without abort) must be specified. In this paper, we always consider a hybrid model where the functionality G is computed according to the ideal model with abort. In all our protocols in the G-hybrid model there will only be sequential calls to G; i.e., there is at most a single call to G per round, and no other messages are sent during any round in which G is called.
Let G be a functionality and let π be a two-party protocol for computing some functionality F, where π includes real messages between the parties as well as calls to G. Let A be a non-uniform probabilistic polynomial-time machine with auxiliary input z. We let hybrid^G_{π,A(z)}(x, y, n) be the random variable consisting of the view of the adversary and the output of the honest party, following an execution of π (with ideal calls to G) where P_1 begins by holding 1^n and input x and P_2 begins by holding 1^n and input y. Both security with complete fairness and security with abort can be defined via the natural modifications of Definitions 2.1 and 2.2.

The hybrid model gives a powerful tool for proving the security of protocols. Specifically, we may design a real-world protocol for securely computing some functionality F by first constructing a protocol for computing F in the G-hybrid model. Letting π denote the protocol thus constructed (in the G-hybrid model), we denote by π^ρ the real-world protocol in which calls to G are replaced by sequential execution of a real-world protocol ρ that computes G. ("Sequential" here implies that only one execution of ρ is carried out at any time, and no other π-protocol messages are sent during execution of ρ.) The results of [8] then imply that if π securely computes F in the G-hybrid model, and ρ securely computes G, then the composed protocol π^ρ securely computes F (in the real world). For completeness, we state this result formally as we will use it in this work:

Proposition 1 Let ρ be a protocol that securely computes G with abort, and let π be a protocol that securely computes F with complete fairness in the G-hybrid model (where G is computed according to the ideal world with abort). Then protocol π^ρ securely computes F with complete fairness.

2.4 Information-Theoretic MACs

We briefly review the standard definition for information-theoretically secure message authentication codes (MACs). (We use such MACs for simplicity, though computationally secure MACs would also suffice.)
A message authentication code consists of three polynomial-time algorithms (Gen, Mac, Vrfy). The key-generation algorithm Gen takes as input the security parameter 1^n in unary and outputs a key k. The message authentication algorithm Mac takes as input a key k and a message M ∈ {0, 1}^n, and outputs a tag t; we write this as t = Mac_k(M). The verification algorithm Vrfy takes as input a key k, a message M ∈ {0, 1}^n, and a tag t, and outputs a bit b; we write this as b = Vrfy_k(M, t). We regard b = 1 as acceptance and b = 0 as rejection, and require that for all n, all k output by Gen(1^n), and all M ∈ {0, 1}^n, it holds that Vrfy_k(M, Mac_k(M)) = 1. We say (Gen, Mac, Vrfy) is a secure m-time MAC, where m may be a function of n, if no computationally unbounded adversary can output a valid tag on a new message after seeing valid tags on m other messages. For our purposes, we do not require security against an adversary who adaptively chooses its m messages for which to obtain a valid tag; it suffices to consider a non-adaptive definition where the m messages are fixed in advance. (Nevertheless, known constructions satisfy the stronger requirement.) Formally:

Definition 2.3 Message authentication code (Gen, Mac, Vrfy) is an information-theoretically secure m-time MAC if for any sequence of messages M_1, ..., M_m and any adversary A, the following is negligible in the security parameter n:

$$\Pr\Bigl[\,k \leftarrow \mathrm{Gen}(1^n);\ \forall i: t_i = \mathrm{Mac}_k(M_i);\ (M', t') \leftarrow A(M_1, t_1, \ldots, M_m, t_m)\ :\ \mathrm{Vrfy}_k(M', t') = 1 \ \wedge\ M' \notin \{M_1, \ldots, M_m\}\,\Bigr].$$
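As an added illustration of Definition 2.3 (this is example code, not a construction from the paper, which only assumes a MAC with the stated properties), the following Python implements the textbook information-theoretic m-time MAC from a random polynomial over a prime field. The field prime P, the use of integers as messages, and the helper that enumerates keys over a tiny field are choices made here. Gen draws m+1 uniform coefficients; Mac evaluates the polynomial at the message; any m tags on distinct messages fix only m of the m+1 coefficients, so the tag of a fresh message remains uniform given the transcript and an unbounded forger succeeds with probability exactly 1/p.

```python
"""Information-theoretic m-time MAC from a random degree-m polynomial over GF(p).

Example code, not the paper's.  Key = (k_0, ..., k_m) uniform in GF(p);
Mac_k(M) = k_0 + k_1*M + ... + k_m*M^m mod p; Vrfy recomputes and compares.
"""
import itertools
import secrets

P = (1 << 61) - 1   # Mersenne prime 2^61 - 1: forging probability 2^-61 (choice made here)


def gen(m: int, p: int = P) -> tuple:
    """Gen: m+1 uniform coefficients of a degree-m polynomial over GF(p)."""
    return tuple(secrets.randbelow(p) for _ in range(m + 1))


def mac(key: tuple, msg: int, p: int = P) -> int:
    """Mac_k(M): evaluate the key polynomial at M by Horner's rule."""
    msg %= p
    acc = 0
    for coeff in reversed(key):
        acc = (acc * msg + coeff) % p
    return acc


def vrfy(key: tuple, msg: int, tag: int, p: int = P) -> bool:
    """Vrfy_k(M, t): accept iff t equals Mac_k(M)."""
    return mac(key, msg, p) == tag


def encode_share(i: int, share: bytes) -> int:
    """The message i || share_i tagged by the protocol of Section 3, as an integer."""
    return int.from_bytes(bytes([i]) + share, "big")


def tag_distribution_for_forger(m: int, p: int, msgs: list, new_msg: int, key: tuple) -> dict:
    """Over a tiny field, enumerate every key consistent with the observed
    (message, tag) pairs produced under `key`, and count which tag each such
    key assigns to new_msg.  A flat count (every tag equally often) shows that
    the transcript gives an unbounded forger no information about the new tag."""
    observed = [(M, mac(key, M, p)) for M in msgs]
    counts = {}
    for cand in itertools.product(range(p), repeat=m + 1):
        if all(mac(cand, M, p) == t for M, t in observed):
            t_new = mac(cand, new_msg, p)
            counts[t_new] = counts.get(t_new, 0) + 1
    return counts
```

For the protocol of Section 3 one would instantiate this with m equal to the domain size and tag the index-prefixed share i‖a^(2)_i via `encode_share`, so that a share replayed from a different iteration also fails verification.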
3 Fair Computation of the Millionaires' Problem (and More)

In this section, we describe a protocol for securely computing the millionaires' problem (and related functionalities) with complete fairness. (We discuss in Section 3.2 how this generalizes, rather easily, to any function over polynomial-size domains that does not contain an embedded XOR.) Specifically, we look at functions defined by a lower-triangular matrix, as in the following table (an entry is 1 exactly when the row index exceeds the column index, as in equation (1) below):

        y_1  y_2  y_3  y_4  y_5  y_6
  x_1    0    0    0    0    0    0
  x_2    1    0    0    0    0    0
  x_3    1    1    0    0    0    0
  x_4    1    1    1    0    0    0
  x_5    1    1    1    1    0    0
  x_6    1    1    1    1    1    0

Let F = {f_{m(n)}}_{n ∈ N} denote a function of the above form, where m = m(n) denotes the size of the domains of each input which we assume, for now, have the same size. (In the next section we will consider the case when they are unequal.) Let X_m = {x_1, ..., x_m} denote the valid inputs for the first party and let Y_m = {y_1, ..., y_m} denote the valid inputs for the second party. By suitably ordering these elements, we may write f_m as follows:

$$f_m(x_i, y_j) = \begin{cases} 1 & \text{if } i > j \\ 0 & \text{if } i \le j \end{cases} \qquad (1)$$

Viewed in this way, f_m is exactly the millionaires' problem or, equivalently, the greater-than function. The remainder of this section is devoted to a proof of the following theorem:

Theorem. Let m = poly(n). Assuming the existence of constant-round general secure two-party computation with abort, there exists a Θ(m)-round protocol that securely computes F = {f_m} with complete fairness.

Constant-round protocols for general secure two-party computation with abort can be constructed based on enhanced trapdoor permutations or any constant-round protocol for oblivious transfer [25]. (The assumption of a constant-round protocol is needed only for the claim regarding round complexity.) The fact that our protocol requires (at least) Θ(m) rounds explains why we require m = poly(n). When m = 2, we obtain a constant-round protocol for computing boolean AND with complete fairness and, by symmetry, we also obtain a protocol for boolean OR.
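The restriction to functions without an embedded XOR (Section 1.1) is mechanical to check for the polynomial-size domains considered here. As an added example (not from the paper), the following Python takes a function as a 0/1 table, searches for the 2x2 sub-table that witnesses an embedded XOR, and confirms that the greater-than function of equation (1), its greater-than-or-equal variant, AND and OR have none, while among all sixteen functions on {0,1}×{0,1} only XOR and its complement do. The table encoding and function names are choices made here.

```python
"""Brute-force check for an embedded XOR in a two-input boolean function.

Example code, not the paper's.  A function f: X x Y -> {0,1} is a 0/1 matrix
(row r = input x_{r+1} of P1, column c = input y_{c+1} of P2).  It contains an
embedded XOR iff there are inputs x0, x1, y0, y1 with
    f(x0,y0) = f(x1,y1) != f(x0,y1) = f(x1,y0),
i.e. some 2x2 sub-table equals [[0,1],[1,0]] or [[1,0],[0,1]].
"""
from itertools import combinations, product


def find_embedded_xor(table):
    """Return (r0, r1, c0, c1) witnessing an embedded XOR, or None if there is none.
    Cost is O(|X|^2 |Y|^2), fine for the polynomial-size domains of Section 3."""
    rows, cols = len(table), len(table[0])
    for r0, r1 in combinations(range(rows), 2):
        for c0, c1 in combinations(range(cols), 2):
            a, b = table[r0][c0], table[r0][c1]
            c, d = table[r1][c0], table[r1][c1]
            if a == d and b == c and a != b:
                return (r0, r1, c0, c1)
    return None


def greater_than(m):
    """The lower-triangular f_m of equation (1): f_m(x_i, y_j) = 1 iff i > j."""
    return [[1 if i > j else 0 for j in range(m)] for i in range(m)]


def greater_or_equal(m):
    """The greater-than-or-equal variant mentioned for Section 3.2: 1 iff i >= j."""
    return [[1 if i >= j else 0 for j in range(m)] for i in range(m)]


AND = [[0, 0], [0, 1]]   # rows/columns ordered as inputs 0, 1
OR = [[0, 1], [1, 1]]
XOR = [[0, 1], [1, 0]]


def two_bit_functions_with_embedded_xor():
    """Among the 16 functions {0,1} x {0,1} -> {0,1}, list those that contain an
    embedded XOR (the whole table must then be XOR or its complement XNOR)."""
    hits = []
    for bits in product((0, 1), repeat=4):
        table = [[bits[0], bits[1]], [bits[2], bits[3]]]
        if find_embedded_xor(table) is not None:
            hits.append(table)
    return hits
```

Any function monotone in both arguments (every lower-triangular table is) passes the check: in a 2x2 sub-table of such a function the entry that is 1 in the top row forces a 1 directly below it, which rules out the XOR pattern.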
We remark further that our results extend to variants of f_m such as the greater-than-or-equal-to function, or the greater-than function where the sizes of the domains X and Y are unequal; see Section 3.2 for a full discussion.

3.1 The Protocol

In this section, we write f in place of f_m, and X and Y in place of X_m and Y_m.

Intuition. At a high level, our protocol works as follows. Say the input of P_1 is x_i, and the input of P_2 is y_j. Following a constant-round pre-processing phase, the protocol proceeds in a series of m iterations, where P_1 learns the output (namely, the value f(x_i, y_j)) in iteration i, and P_2 learns the output in iteration j. (That is, in contrast to standard protocols, the iteration in which a party learns the output depends on the value of its own input.) If one party (say, P_1) aborts after receiving its iteration-k message, and the second party (say, P_2) has not yet received its output, then P_2 assumes that P_1 learned its output in iteration k, and so computes f on its own using input x_k for P_1. (In this case, that means that P_2 would output f(x_k, y_j).) We stress that a malicious P_1 may, of course, abort in any iteration it likes (and not necessarily in the iteration in which it learns its output); the foregoing is only an intuitive explanation.

The fact that this approach gives complete fairness can be intuitively understood as follows. Say P_1 is malicious and uses x_i as its effective input, and let y denote the (unknown) input of P_2. There are two possibilities: P_1 either aborts in iteration k < i, or in iteration k ≥ i. (If P_1 never aborts then fairness is trivially achieved.) In the first case, P_1 never learns the correct output and so fairness is achieved. In the second case, P_1 does obtain the output f(x_i, y) (in iteration i) and then aborts in some iteration k ≥ i. Here we consider two sub-cases depending on the value of P_2's input y = y_j: If j < k then P_2 has already received its output in a previous iteration and fairness is achieved. If j ≥ k then P_2 has not yet received its output. Since P_1 aborts in iteration k, the protocol directs P_2 to output f(x_k, y) = f(x_k, y_j). Since k ≤ j, we have f(x_k, y_j) = 0 = f(x_i, y_j) (relying on the specifics of f, as i ≤ k ≤ j), and so the output of P_2 is equal to the output obtained by P_1 (and thus fairness is achieved). This is the key observation that enables us to obtain fairness for this function. We formalize the above intuition in our proof, where we demonstrate an ideal-world simulator corresponding to the actions of any malicious P_1. Of course, we also consider the case of a malicious P_2.

Formal description of the protocol. We use a message authentication code (Gen, Mac, Vrfy); see Definition 2.3.
For convenence, we use an m-tme message authentcaton code (MAC) wth nformaton-theoretc securty, though a computatonally secure MAC would also suffce. We also rely on a sub-protocol for securely computng a randomzed functonalty ShareGen defned n Fgure 1. In our protocol, the partes wll compute ShareGen as a result of whch P 1 wll obtan shares a (1) 1, b(1) 1, a(1) 2, b(1) 2,... and P 2 wll obtan shares a (2) 1, b(2) 1, a(2) 2, b(2) 2,.... (The functonalty ShareGen also provdes the partes wth MAC keys and tags so that f a malcous party modfes the share t sends to the other party, then the other party wll almost certanly detect ths. In case such manpulaton s detected, t wll be treated as an abort.) The partes then exchange ther shares one-by-one n a sequence of m teratons. Specfcally, n teraton party P 2 wll send a (2) def to P 1, thus allowng P 1 to reconstruct the value a = a (1) a (2), and then P 1 wll send b (1) def to P 2, thus allowng P 2 to learn the value b = b (2) b (1). Let π be a protocol that securely computes ShareGen wth abort. Our protocol for computng f wth complete farness uses π and s gven n Fgure 2. Theorem 3.1 If (Gen, Mac, Vrfy) s an nformaton-theoretcally secure m-tme MAC, and π securely computes ShareGen wth abort, then the protocol n Fgure 2 securely computes {f m } wth complete farness. Proof: Let Π denote the protocol n Fgure 2. We analyze Π n a hybrd model where there s a trusted party computng ShareGen. (Snce π s only guaranteed to securely compute ShareGen wth abort, the adversary n the hybrd model s allowed to abort the trusted party computng ShareGen 8
10 before output s sent to the honest party.) We prove that an executon of Π n ths hybrd model s statstcally close to an evaluaton of f n the deal model (wth complete farness), where the only dfference occurs due to MAC forgeres. Applyng Proposton 1 then mples the theorem. We separately analyze corrupton of P 1 and P 2, begnnng wth P 1 : Clam 2 For every non-unform, polynomal-tme adversary A corruptng P 1 and runnng Π n a hybrd model wth access to an deal functonalty computng ShareGen (wth abort), there exsts a non-unform, probablstc polynomal-tme adversary S corruptng P 1 and runnng n the deal world wth access to an deal functonalty computng f (wth complete farness), such that { dealf,s(z) (x, y, n) } (x,y) X m Y m,z {0,1},n N s { hybrd ShareGen Π,A(z) (x, y, n) } (x,y) X m Y m,z {0,1},n N. Proof: Let P 1 be corrupted by A. We construct a smulator S gven black-box access to A: 1. S nvokes A on the nput x, the auxlary nput z, and the securty parameter n. 2. S receves the nput x of A to the computaton of the functonalty ShareGen. (a) If x / X (ths ncludes the case when x = snce A aborts), then S hands to A as ts output from the computaton of ShareGen, sends x 1 to the trusted party computng f, outputs whatever A outputs, and halts. (b) Otherwse, f the nput s some x X, then S chooses unformly dstrbuted shares a (1) 1,..., a(1) m and b (1) 1,..., b(1) m. In addton, t generates keys k a, k b Gen(1 n ) and computes t b = Mac k b ( b (1) ) for every. Fnally, t hands A the strngs a (1) 1,..., a(1) m, (b (1) 1, tb 1 ),..., (b(1) m, t b m), and k a as ts output from the computaton of ShareGen. ShareGen Inputs: Let the nputs to ShareGen be x and y wth 1, m. (If one of the receved nputs s not n the correct doman, then both partes are gven output.) The securty parameter s n. Computaton: 1. Defne values a 1,..., a m and b 1,..., b m n the followng way: Set a = b = f(x, y ). For l {1,..., m}, l, set a l = null. For l {1,..., m}, l, set b l = null. 
(Techncally, a, b are represented as 2-bt values wth, say, 00 nterpreted as 0, 11 nterpreted as 1, and 01 nterpreted as null.) 2. For 1 m, choose (a (1), a (2) ) and (b (1), b (2) ) as random secret sharngs of a and b, respectvely. (I.e., a (1) s random and a (1) a (2) = a.) 3. Compute k a, k b Gen(1 n ). For 1 m, let t a = Mac k a ( a (2) ) and t b = Mac k b ( b (1) ). Output: 1. P 1 receves the values a (1) 1,..., a(1) m and (b (1) 1, tb 1),..., (b (1) m, t b m), and the MAC-key k a. 2. P 2 receves the values (a (2) 1, ta 1),..., (a (2) m, t a m) and b (2) 1,..., b(2) m, and the MAC-key k b. Fgure 1: Functonalty ShareGen. 9
11 Protocol 1 Inputs: Party P 1 has nput x and party P 2 has nput y. The securty parameter s n. The protocol: 1. Prelmnary phase: (a) Partes P 1 and P 2 run protocol π for computng ShareGen, usng ther respectve nputs x, y, and securty parameter n. (b) If P 1 receves from the above computaton (because P 2 aborts the computaton or uses an nvald nput n π) t outputs f(x, y 1 ) and halts. Lkewse, f P 2 receves, t outputs f(x 1, y) and halts. Otherwse, the partes proceed. (c) Denote the output of P 1 from π by a (1) 1,..., a(1) m, (b (1) 1, tb 1),..., (b (1) m, t b m), and k a. (d) Denote the output of P 2 from π by (a (2) 1, ta 1),..., (a (2) m, t a m), b (2) 1,..., b(2) m, and k b. 2. For = 1,..., m do: P 2 sends the next share to P 1 : (a) P 2 sends (a (2), t a ) to P 1. (b) P 1 receves (a (2), t a ) from P 2. If Vrfy ka ( a (2), t a ) = 0 (or f P 1 receved an nvald message, or no message), then P 1 halts. If P 1 has already determned ts output n some earler teraton, then t outputs that value. Otherwse, t outputs f(x, y 1 ) (f = 1, then P 1 outputs f(x, y 1 )). (c) If Vrfy ka ( a (2), t a ) = 1 and a(1) a (2) null (.e., x = x ), then P 1 sets ts output to be a (1) a (2) (and contnues runnng the protocol). P 1 sends the next share to P 2 : (a) P 1 sends (b (1), t b ) to P 2. (b) P 2 receves (b (1), t b ) from P 1. If Vrfy kb ( b (1), t b ) = 0 (or f P 2 receved an nvald message, or no message), then P 2 halts. If P 2 has already determned ts output n some earler teraton, then t outputs that value. Otherwse, t outputs f(x, y). (c) If Vrfy kb ( b (1), t b ) = 1 and b(1) b (2) null (.e., y = y ), then P 2 sets ts output to be b (1) b (2) (and contnues runnng the protocol). Fgure 2: Protocol for computng f. 3. If A sends abort to the trusted party computng ShareGen (sgnallng that P 2 should receve as output from ShareGen), then S sends x 1 to the trusted party computng f, outputs whatever A outputs, and halts. Otherwse (.e., f A sends contnue), S proceeds as below. 4. 
Let $i^*$ (with $1 \le i^* \le m$) be the index such that $x' = x_{i^*}$ (such an $i^*$ exists since $x' \in X$).
  5. To simulate iteration $i$, for $i < i^*$, simulator S works as follows:
    (a) S chooses $a_i^{(2)}$ such that $a_i^{(1)} \oplus a_i^{(2)} = \mathsf{null}$, and computes the tag $t_i^a = \mathsf{Mac}_{k_a}(i \| a_i^{(2)})$. Then S gives A the message $(a_i^{(2)}, t_i^a)$.
    (b) S receives A's message $(\hat b_i^{(1)}, \hat t_i^b)$ in the $i$th iteration:
      i. If $\mathsf{Vrfy}_{k_b}(i \| \hat b_i^{(1)}, \hat t_i^b) = 0$ (or the message is invalid, or A aborts), then S sends $x_i$ to the trusted party computing $f$, outputs whatever A outputs, and halts.
      ii. If $\mathsf{Vrfy}_{k_b}(i \| \hat b_i^{(1)}, \hat t_i^b) = 1$, then S proceeds to the next iteration.
  6. To simulate iteration $i^*$, simulator S works as follows:
    (a) S sends $x'$ to the trusted party computing $f$, and receives back the output $z = f(x', y)$.
    (b) S chooses $a_{i^*}^{(2)}$ such that $a_{i^*}^{(1)} \oplus a_{i^*}^{(2)} = z$, and computes the tag $t_{i^*}^a = \mathsf{Mac}_{k_a}(i^* \| a_{i^*}^{(2)})$. Then S gives A the message $(a_{i^*}^{(2)}, t_{i^*}^a)$.
    (c) S receives A's message $(\hat b_{i^*}^{(1)}, \hat t_{i^*}^b)$. If $\mathsf{Vrfy}_{k_b}(i^* \| \hat b_{i^*}^{(1)}, \hat t_{i^*}^b) = 0$ (or the message is invalid, or A aborts), then S outputs whatever A outputs, and halts. If $\mathsf{Vrfy}_{k_b}(i^* \| \hat b_{i^*}^{(1)}, \hat t_{i^*}^b) = 1$, then S proceeds to the next iteration.
  7. To simulate iteration $i$, for $i^* < i \le m$, simulator S works as follows:
    (a) S chooses $a_i^{(2)}$ such that $a_i^{(1)} \oplus a_i^{(2)} = \mathsf{null}$, and computes the tag $t_i^a = \mathsf{Mac}_{k_a}(i \| a_i^{(2)})$. Then S gives A the message $(a_i^{(2)}, t_i^a)$.
    (b) S receives A's message $(\hat b_i^{(1)}, \hat t_i^b)$. If $\mathsf{Vrfy}_{k_b}(i \| \hat b_i^{(1)}, \hat t_i^b) = 0$ (or the message is invalid, or A aborts), then S outputs whatever A outputs, and halts. If $\mathsf{Vrfy}_{k_b}(i \| \hat b_i^{(1)}, \hat t_i^b) = 1$, then S proceeds to the next iteration.
  8. If S has not halted yet, at this point it halts and outputs whatever A outputs.

We analyze the simulator S described above. In what follows we assume that if $\mathsf{Vrfy}_{k_b}(i \| \hat b_i^{(1)}, \hat t_i^b) = 1$ then $\hat b_i^{(1)} = b_i^{(1)}$ (meaning that A sent the same share that it received). Under this assumption, we show that the distribution generated by S is identical to the distribution in a hybrid execution between A and an honest $P_2$. Since this assumption holds with all but negligible probability (by security of the information-theoretic MAC), this proves statistical closeness as stated in the claim.

Let $y$ denote the input of $P_2$. It is clear that the view of A in an execution with S is identical to the view of A in a hybrid execution with $P_2$; the only difference is that the initial shares given to A are generated by S without knowledge of $z = f(x', y)$, but since these shares are uniformly distributed the view of A is unaffected.
Therefore, what is left to demonstrate is that the joint distribution of A's view and $P_2$'s output is identical in the hybrid world and the ideal world. We show this now by separately considering three different cases:
  1. Case 1: S sends $x_1$ to the trusted party because $x' \notin X$, or because A aborted the computation of ShareGen: In the hybrid world, $P_2$ would have received $\bot$ from ShareGen, and would have then output $f(x_1, y)$ as instructed by protocol $\Pi$. This is exactly what $P_2$ outputs in the ideal execution with S because, in this case, S sends $x_1$ to the trusted party computing $f$.
  If Case 1 does not occur, let $i^*$ be defined as in the description of the simulator.
  2. Case 2: S sends $x_i$ to the trusted party, for some $i < i^*$: This case occurs when A aborts the protocol in some iteration $i < i^*$ (either by refusing to send a message, sending an invalid message, or sending an incorrect share). There are two sub-cases depending on the value of $P_2$'s input $y$. Let $l$ be the index such that $y = y_l$. Then:
    (a) If $l \ge i$ then, in the hybrid world, $P_2$ would not yet have determined its output (since it only determines its output once it receives a valid message from $P_1$ in iteration $l$). Thus, as instructed by the protocol, $P_2$ would output $f(x_i, y)$. This is exactly what $P_2$ outputs in the ideal world, because S sends $x_i$ to the trusted party in this case.
    (b) If $l < i$ then, in the hybrid world, $P_2$ would have already determined its output $f(x', y) = f(x_{i^*}, y_l)$ in the $l$th iteration. In the ideal world, $P_2$ will output $f(x_i, y_l)$ since S sends $x_i$ to the trusted party. Since $i < i^*$ we have $l < i < i^*$ and so $f(x_i, y_l) = f(x_{i^*}, y_l) = 1$. Thus, $P_2$'s output $f(x', y)$ in the hybrid world is equal to its output $f(x_i, y)$ in the ideal execution with S.
  3. Case 3: S sends $x'$ to the trusted party: Here, $P_2$ outputs $f(x', y)$ in the ideal execution. We show that this is identical to what $P_2$ would have output in the hybrid world. There are two sub-cases depending on $P_2$'s input $y$. Let $l$ be the index such that $y = y_l$. Then:
    (a) If $l < i^*$, then $P_2$ would have already determined its output $f(x', y) = f(x_{i^*}, y)$ in the $l$th iteration. (The fact that we are in Case 3 means that A could not have sent an incorrect share prior to iteration $i^*$.)
    (b) If $l \ge i^*$, then $P_2$ would not yet have determined its output. There are two sub-cases:
      i. A sends correct shares in iterations $i = i^*, \ldots, l$ (inclusive). Then $P_2$ would determine its output as $b_l^{(1)} \oplus b_l^{(2)} = f(x', y) = f(x_{i^*}, y)$, exactly as in the ideal world.
      ii. A sends an incorrect share in iteration $\zeta$, where $i^* \le \zeta \le l$. In this case, by the specification of the protocol, party $P_2$ would output $f(x_\zeta, y) = f(x_\zeta, y_l)$. However, since $\zeta \le l$ we have $f(x_\zeta, y_l) = 0 = f(x_{i^*}, y_l)$. Thus, $P_2$ outputs the same value in the hybrid and ideal executions.
This concludes the proof of the claim.

The following claim, dealing with a corrupted $P_2$, completes the proof of the theorem:

Claim 3 For every non-uniform, polynomial-time adversary A corrupting $P_2$ and running $\Pi$ in a hybrid model with access to an ideal functionality computing ShareGen (with abort), there exists a non-uniform, probabilistic polynomial-time adversary S corrupting $P_2$ and running in the ideal world with access to an ideal functionality computing $f$ (with complete fairness), such that
$$\{\mathrm{ideal}_{f, S(z)}(x, y, n)\}_{(x,y) \in X_m \times Y_m,\, z \in \{0,1\}^*,\, n \in \mathbb{N}} \stackrel{s}{\equiv} \{\mathrm{hybrid}^{\mathrm{ShareGen}}_{\Pi, A(z)}(x, y, n)\}_{(x,y) \in X_m \times Y_m,\, z \in \{0,1\}^*,\, n \in \mathbb{N}}.$$

Proof: Say $P_2$ is corrupted by A.
We construct a simulator S given black-box access to A:
  1. S invokes A on the input $y$, the auxiliary input $z$, and the security parameter $n$.
  2. S receives the input $y'$ of A to the computation of the functionality ShareGen.
    (a) If $y' \notin Y$ (this includes the case when $y' = \bot$ since A aborts), then S hands $\bot$ to A as its output from the computation of ShareGen, sends $y_1$ to the trusted party computing $f$, outputs whatever A outputs, and halts.
    (b) Otherwise, if the input is some $y' \in Y$, then S chooses uniformly distributed shares $a_1^{(2)}, \ldots, a_m^{(2)}$ and $b_1^{(2)}, \ldots, b_m^{(2)}$. In addition, it generates keys $k_a, k_b \leftarrow \mathsf{Gen}(1^n)$ and computes $t_i^a = \mathsf{Mac}_{k_a}(i \| a_i^{(2)})$ for every $i$. Finally, it hands A the strings $b_1^{(2)}, \ldots, b_m^{(2)}$, $(a_1^{(2)}, t_1^a), \ldots, (a_m^{(2)}, t_m^a)$, and $k_b$ as its output from the computation of ShareGen.
  3. If A sends abort to the trusted party computing ShareGen, then S sends $y_1$ to the trusted party computing $f$, outputs whatever A outputs, and halts. Otherwise (i.e., if A sends continue), S proceeds as below.
  4. Let $i^*$ (with $1 \le i^* \le m$) be the index such that $y' = y_{i^*}$ (such an $i^*$ exists since $y' \in Y$).
  5. To simulate iteration $i$, for $i < i^*$, simulator S works as follows:
    (a) S receives A's message $(\hat a_i^{(2)}, \hat t_i^a)$ in the $i$th iteration:
      i. If $\mathsf{Vrfy}_{k_a}(i \| \hat a_i^{(2)}, \hat t_i^a) = 0$ (or the message is invalid, or A aborts), then S sends $y_{i-1}$ to the trusted party computing $f$ (if $i = 1$, then S sends $y_1$), outputs whatever A outputs, and halts.
      ii. If $\mathsf{Vrfy}_{k_a}(i \| \hat a_i^{(2)}, \hat t_i^a) = 1$, then S proceeds.
    (b) Choose $b_i^{(1)}$ such that $b_i^{(1)} \oplus b_i^{(2)} = \mathsf{null}$, and compute the tag $t_i^b = \mathsf{Mac}_{k_b}(i \| b_i^{(1)})$. Then give to A the message $(b_i^{(1)}, t_i^b)$.
  6. To simulate iteration $i^*$, simulator S works as follows:
    (a) S receives A's message $(\hat a_{i^*}^{(2)}, \hat t_{i^*}^a)$.
      i. If $\mathsf{Vrfy}_{k_a}(i^* \| \hat a_{i^*}^{(2)}, \hat t_{i^*}^a) = 0$ (or the message is invalid, or A aborts), then S sends $y_{i^*-1}$ to the trusted party computing $f$ (if $i^* = 1$ then S sends $y_1$), outputs whatever A outputs, and halts.
      ii. If $\mathsf{Vrfy}_{k_a}(i^* \| \hat a_{i^*}^{(2)}, \hat t_{i^*}^a) = 1$, then S sends $y'$ to the trusted party computing $f$, receives the output $z = f(x, y')$, and proceeds.
    (b) Choose $b_{i^*}^{(1)}$ such that $b_{i^*}^{(1)} \oplus b_{i^*}^{(2)} = z$, and compute the tag $t_{i^*}^b = \mathsf{Mac}_{k_b}(i^* \| b_{i^*}^{(1)})$. Then give to A the message $(b_{i^*}^{(1)}, t_{i^*}^b)$.
  7. To simulate iteration $i$, for $i^* < i \le m$, simulator S works as follows:
    (a) S receives A's message $(\hat a_i^{(2)}, \hat t_i^a)$. If $\mathsf{Vrfy}_{k_a}(i \| \hat a_i^{(2)}, \hat t_i^a) = 0$ (or the message is invalid, or A aborts), then S outputs whatever A outputs, and halts. If $\mathsf{Vrfy}_{k_a}(i \| \hat a_i^{(2)}, \hat t_i^a) = 1$, then S proceeds.
    (b) Choose $b_i^{(1)}$ such that $b_i^{(1)} \oplus b_i^{(2)} = \mathsf{null}$, and compute the tag $t_i^b = \mathsf{Mac}_{k_b}(i \| b_i^{(1)})$. Then give to A the message $(b_i^{(1)}, t_i^b)$.
  8. If S has not halted yet, at this point it halts and outputs whatever A outputs.

As in the proof of the previous claim, we assume in what follows that if $\mathsf{Vrfy}_{k_a}(i \| \hat a_i^{(2)}, \hat t_i^a) = 1$ then $\hat a_i^{(2)} = a_i^{(2)}$ (meaning that A sent $P_1$ the same share that it received). Under this assumption, we show that the distribution generated by S is identical to the distribution in a hybrid execution between A and an honest $P_1$.
Since this assumption holds with all but negligible probability (by security of the MAC), this proves statistical closeness as stated in the claim.

Let $x$ denote the input of $P_1$. Again, it is clear that the view of A in an execution with S is identical to the view of A in a hybrid execution with $P_1$. What is left to demonstrate is that the joint distribution of A's view and $P_1$'s output is identical. We show this by considering four different cases:
  1. Case 1: S sends $y_1$ to the trusted party because $y' \notin Y$, or because A aborted the computation of ShareGen: In such a case, the protocol instructs $P_1$ to output $f(x, y_1)$, exactly what $P_1$ outputs in the ideal world.
  2. Case 2: S sends $y_1$ to the trusted party because A sends an incorrect share in the first iteration: In this case, the simulator sends $y_1$ to the trusted party computing $f$, and so the output of $P_1$ in the ideal world is $f(x, y_1)$. In the hybrid world, $P_1$ will also output $f(x, y_1)$ as instructed by the protocol.
  If Cases 1 and 2 do not occur, let $i^*$ be defined as in the description of the simulator.
  3. Case 3: S sends $y_{i-1}$ to the trusted party, for some $1 \le i - 1 < i^*$, because A sends an incorrect share in the $i$th iteration: The output of $P_1$ in the ideal world is $f(x, y_{i-1})$. There are two sub-cases here, depending on the value of $P_1$'s input $x$. Let $l$ be the index such that $x = x_l$. Then:
    (a) If $l < i$ then, in the hybrid world, $P_1$ would have already determined its output $f(x, y') = f(x_l, y_{i^*})$. But since $l \le i - 1 < i^*$ we have $f(x_l, y_{i^*}) = 0 = f(x_l, y_{i-1})$, and so $P_1$'s output is identical in both the hybrid and ideal worlds.
    (b) If $l \ge i$ then, in the hybrid world, $P_1$ would not yet have determined its output. Therefore, as instructed by the protocol, $P_1$ will output $f(x, y_{i-1})$ in the hybrid world, which is exactly what it outputs in the ideal execution with S.
  4. Case 4: S sends $y'$ to the trusted party: This case occurs when A sends correct shares up through and including iteration $i^*$. The output of $P_1$ in the ideal world is $f(x, y')$. There are again two sub-cases here, depending on the value of $P_1$'s input $x$. Let $l$ be the index such that $x = x_l$. Then:
    (a) If $l \le i^*$, then $P_1$ would have already determined its output $f(x, y') = f(x_l, y_{i^*})$ in the $l$th iteration. This matches what $P_1$ outputs in the ideal execution with S.
    (b) If $l > i^*$, then $P_1$ would not yet have determined its output. There are two sub-cases:
      i. A sends correct shares in iterations $i = i^* + 1, \ldots, l$ (inclusive).
This implies that, in the hybrid world, $P_1$ would determine its output to be $a_l^{(1)} \oplus a_l^{(2)} = f(x, y') = f(x_l, y_{i^*})$, exactly as in the ideal execution.
      ii. A sends an incorrect share in iteration $\zeta$, where $i^* < \zeta \le l$. In this case, by the specification of the protocol, party $P_1$ would output $f(x, y_{\zeta-1}) = f(x_l, y_{\zeta-1})$ in the hybrid world. But since $i^* \le \zeta - 1 < l$ we have $f(x_l, y_{\zeta-1}) = 1 = f(x_l, y_{i^*})$, and so $P_1$'s output is identical in both the hybrid and ideal worlds.
This completes the proof of the claim.

The preceding claims along with Proposition 1 imply the theorem.

3.2 Handling any Function without an Embedded XOR

The protocol in the previous section, as described, applies only to the greater-than function on two equal-size domains $X$ and $Y$. For the case of the greater-than function with $|X| = |Y| + 1$, the same protocol (with one small change) still works. Specifically, let $X = \{x_1, \ldots, x_{m+1}\}$ and
$Y = \{y_1, \ldots, y_m\}$ with $f$ still defined as in Equation (1). Modify the protocol of Figure 2 so that if the end of the protocol is reached and $P_1$ holds input $x_{m+1}$, then $P_1$ outputs 1. Then the same proof as in the previous section shows that this protocol is also completely fair. (Adapting Claim 3 is immediate: the view of a malicious $P_2$ is simulated in the same way; as for the output of the honest $P_1$, the case when $P_1$ holds input $x = x_i$ with $i < m + 1$ is analyzed identically, and when $x = x_{m+1}$ then $P_1$ outputs 1 no matter what in both the hybrid and ideal worlds. Adapting Claim 2 requires only a little thought to verify that the analysis in Case 2(b) still holds when $i^* = m + 1$.)

We now show that the protocol can be applied to any function defined over polynomial-size domains that does not contain an embedded XOR. This is because any such function can be converted to the greater-than function as we now describe. Let $g : X \times Y \to \{0, 1\}$ be a function that does not contain an embedded XOR, and let $X = \{x_1, \ldots, x_{m_1}\}$ and $Y = \{y_1, \ldots, y_{m_2}\}$. It will be convenient to picture $g$ as an $m_1 \times m_2$ matrix, where entry $(i, j)$ contains the value $g(x_i, y_j)$. Similarly, we can view any matrix as a function. We will apply a sequence of transformations to $g$ that will result in a functionally equivalent function $g'$, where by functionally equivalent we mean that $g$ can be computed with perfect security (and complete fairness) in the $g'$-hybrid model (where $g'$ is computed by a trusted party with complete fairness). It follows that a secure and completely fair protocol for computing $g'$ yields a secure and completely fair protocol for computing $g$. The transformations are as follows:
  1. First, remove any duplicate rows or columns in $g$. (E.g., if there exist $i$ and $j$ such that $g(x_i, y) = g(x_j, y)$ for all $y \in Y$, then remove either row $i$ or row $j$.) Denote the resulting function by $g'$, and say that $g'$ (viewed as a matrix) has dimension $m_1' \times m_2'$. It is clear that $g'$ is functionally equivalent to $g$.
  2. We observe that no two rows (resp., columns) of $g'$ have the same Hamming weight.
To see this, notice that two non-identical rows (resp., columns) with the same Hamming weight would imply the existence of an embedded XOR in $g'$, and hence an embedded XOR in $g$. Since the maximum Hamming weight of any row is $m_2'$, this implies that $m_1' \le m_2' + 1$. Applying the same argument to the columns shows that $m_2' \le m_1' + 1$, and so the number of rows is within 1 of the number of columns. Assume $m_1' \ge m_2'$; if not, we may simply take the transpose of $g'$ (which just has the effect of swapping the roles of the parties).
  3. Order the rows of $g'$ in increasing order according to their Hamming weight. Order the columns in the same way. Once again this results in a function $g''$ that is functionally equivalent to $g'$ (and hence to $g$).
All the above transformations are efficiently computable since we are assuming that the initial domains $X$ and $Y$ are of polynomial size. Given $g''$ resulting from the above transformations, there are now three possibilities (recall we assume that the number of rows is at least the number of columns):
  1. Case 1: $m_1' = m_2' + 1$. In this case the first row of $g''$ is an all-0 row and the last row is an all-1 row, and we exactly have an instance of the greater-than function with $m_1' = m_2' + 1$.
  2. Case 2: $m_1' = m_2'$ and the first row of $g''$ is an all-0 row. Then we again have an instance of the greater-than function, except now with equal-size domains.
  3. Case 3: $m_1' = m_2'$ and the first row of $g''$ is not an all-0 row. In this case, the last row of $g''$ must be an all-1 row. Taking the complement of every bit in the matrix (and then re-ordering the rows and columns accordingly) gives a function that is still functionally equivalent to $g$ and is exactly an instance of the greater-than function on equal-size domains.
We have thus proved:

Theorem 3.2 Let $f$ be a two-input function defined over polynomial-size domains that does not contain an embedded XOR. Then, assuming the existence of general secure two-party computation with abort, there exists a protocol for securely computing $f$ with complete fairness.

The assumption in the theorem is minimal, since the existence of even a secure-with-abort protocol for computing boolean OR implies the existence of oblivious transfer [24], which in turn suffices for constructing a secure-with-abort protocol for any polynomial-time functionality [23].

4 Fair Computation of Functions with an Embedded XOR

Recall that Cleve's result showing impossibility of completely fair coin tossing implies the impossibility of completely fair computation of boolean XOR. (More generally, it implies the impossibility of completely fair computation of any function $f$ that enables coin tossing: i.e., any $f$ such that a completely fair implementation of $f$ suffices for coin tossing.) Given this, along with the fact that our result in the previous section applies only to functions that do not contain an embedded XOR, it is tempting to conjecture that no function containing an embedded XOR can be computed with complete fairness. In this section, we show that this is not the case and that there exist functions with an embedded XOR that can be computed with complete fairness. Interestingly, however, such functions appear to be more difficult to compute with complete fairness; specifically, we refer the reader to Section 5 where we prove a lower bound of $\omega(\log n)$ on the round complexity of any protocol for completely fair computation of any function having an embedded XOR.
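The reduction of Section 3.2 above (duplicate removal, the Hamming-weight observation, re-ordering, and the three-way case split) as an added, runnable example; this is editor-written code, not the paper's own, and it assumes the greater-than function is oriented so that entry $(i, j)$ is 1 iff $i > j$, which is why columns are sorted by decreasing weight (sorting them increasingly would only relabel $Y$ in reverse).

```python
from itertools import combinations


def has_embedded_xor(g):
    """g is the 0/1 matrix of a function g(x_i, y_j), one row per x_i.
    An embedded XOR is a 2x2 sub-matrix whose entries form the XOR truth
    table or its complement: g(x_i,y_j) = g(x_k,y_l) != g(x_i,y_l) = g(x_k,y_j)."""
    for i, k in combinations(range(len(g)), 2):
        for j, l in combinations(range(len(g[0])), 2):
            if g[i][j] == g[k][l] != g[i][l] == g[k][j]:
                return True
    return False


def dedupe_rows_and_columns(g):
    """Transformation 1: drop duplicate rows, then duplicate columns."""
    rows = []
    for r in g:
        if list(r) not in rows:
            rows.append(list(r))
    cols = []
    for c in zip(*rows):
        if c not in cols:
            cols.append(c)
    return [list(r) for r in zip(*cols)]


def order_by_hamming_weight(g):
    """Transformation 3: rows in increasing Hamming weight.  Columns go in
    decreasing weight (assumption, see lead-in) so that entry (i, j) is 1
    iff i > j, the orientation of the greater-than function of Protocol 1."""
    rows = sorted(g, key=sum)
    cols = sorted(zip(*rows), key=sum, reverse=True)
    return [list(r) for r in zip(*cols)]


def greater_than(m1, m2):
    """The greater-than function: f(x_i, y_j) = 1 iff i > j."""
    return [[1 if i > j else 0 for j in range(m2)] for i in range(m1)]


def to_greater_than(g):
    """Applies the Section 3.2 transformations to an XOR-free function.
    Returns (case, matrix, transposed, complemented): the case (1, 2 or 3)
    of the section's case analysis, the resulting greater-than matrix, and
    whether the parties' roles were swapped / the output bit was complemented
    on the way.  Raises ValueError if g contains an embedded XOR."""
    if has_embedded_xor(g):
        raise ValueError("function contains an embedded XOR")
    g = dedupe_rows_and_columns(g)
    transposed = False
    if len(g) < len(g[0]):                 # ensure #rows >= #columns
        g = [list(c) for c in zip(*g)]
        transposed = True
    m1, m2 = len(g), len(g[0])
    # Transformation 2 (an observation, checked here): distinct rows of an
    # XOR-free function have distinct Hamming weights, hence m1 <= m2 + 1.
    assert len({sum(r) for r in g}) == m1 and m1 <= m2 + 1
    g = order_by_hamming_weight(g)
    complemented = False
    if m1 == m2 + 1:
        case = 1                           # first row all-0, last row all-1
    elif sum(g[0]) == 0:
        case = 2                           # equal-size domains, first row all-0
    else:
        case = 3                           # last row all-1: complement, re-order
        g = order_by_hamming_weight([[1 - v for v in r] for r in g])
        complemented = True
    assert g == greater_than(m1, m2)       # the instance Protocol 1 is run on
    return case, g, transposed, complemented
```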
(Note that, in general, this bound is incomparable to the result of the previous section, where the round complexity was linear in the domain size.)

It will be instructive to see why Cleve's impossibility result does not immediately rule out complete fairness for all functions containing an embedded XOR. Consider the following function $f$ (which is the example for which we will later prove feasibility):

[Table: rows $x_1, x_2, x_3$; columns $y_1, y_2$; the 0/1 entries did not survive extraction.]

If the parties could be forced to choose their inputs from $\{x_1, x_2\}$ and $\{y_1, y_2\}$, respectively, then it would be easy to generate a fair coin toss from any secure computation of $f$ (with complete fairness) by simply instructing both parties to choose their inputs uniformly from the stated domains. (This results in a fair coin toss since the output is uniform as long as either party chooses their input at random.) Unfortunately, a protocol for securely computing $f$ does not restrict the first party to choosing its input in $\{x_1, x_2\}$, and cannot prevent that party from choosing input $x_3$ and thus biasing the result toward 1 with certainty. (Naive solutions such as requiring the first party to provide a zero-knowledge proof that it chose its input in $\{x_1, x_2\}$ do not work either, since we still
need a way for, e.g., the second party to decide on their output in case the zero-knowledge proof of the first party fails.) Of course, this only shows that Cleve's impossibility result does not apply but does not prove that a completely fair protocol for computing $f$ exists.

4.1 The Protocol

Preliminaries. In this section we present a generic protocol for computing a boolean function $F = \{f_n : X_n \times Y_n \to \{0, 1\}\}$. (For convenience, we write $X$ and $Y$ and drop the explicit dependence on $n$ in what follows.) The protocol is parameterized by a function $\alpha = \alpha(n)$, and the number of rounds is set to $m = \omega(\alpha^{-1} \log n)$ in order for correctness to hold with all but negligible probability. (We thus must have $\alpha$ noticeable to ensure that the number of rounds is polynomial in $n$.) We do not claim that the protocol is completely fair for arbitrary functions $F$ and arbitrary settings of $\alpha$. Rather, we claim that for some functions $F$ there exists a corresponding $\alpha$ for which the protocol is completely fair. In Section 4.2, we prove this for one specific function that contains an embedded XOR. In Appendix A we generalize the proof and show that the protocol can be used for completely fair computation of other functions as well.

Overview and intuition. As in the protocol of the previous section, the parties begin by running a preliminary phase during which values $a_1, b_1, \ldots, a_m, b_m$ are generated based on the parties' respective inputs $x$ and $y$, and shares of the $\{a_i, b_i\}$ are distributed to each of the parties. (As before, this phase will be carried out using a standard protocol for secure two-party computation, where one party can abort the execution and prevent the other party from receiving any output.) As in the previous protocol, following the preliminary phase the parties exchange their shares one-by-one in a sequence of $m$ iterations, with $P_1$ reconstructing $a_i$ and $P_2$ reconstructing $b_i$ in iteration $i$. At the end of the protocol, $P_1$ outputs $a_m$ and $P_2$ outputs $b_m$.
If a party (say, $P_1$) ever aborts, then the other party ($P_2$ in this case) outputs the last value it successfully reconstructed; i.e., if $P_1$ aborts before sending its iteration-$i$ message, $P_2$ outputs $b_{i-1}$. (This assumes $i > 1$. See the formal description of the protocol for further details.) In contrast to our earlier protocol, however, the values $a_1, b_1, \ldots, a_m, b_m$ are now generated probabilistically in the following way: first, a value $i^* \in \{1, \ldots, m\}$ is chosen according to a geometric distribution with parameter $\alpha$ (see below), in a way such that neither party learns the value of $i^*$. For $i < i^*$, the value $a_i$ (resp., $b_i$) is chosen in a manner that is independent of $P_2$'s (resp., $P_1$'s) input; specifically, we set $a_i = f(x, \hat y)$ for randomly chosen $\hat y \in Y$ (and analogously for $b_i$). For all $i \ge i^*$, the values $a_i$ and $b_i$ are set equal to $f(x, y)$. Note that if $m = \omega(\alpha^{-1} \log n)$, we have $a_m = b_m = f(x, y)$ with all but negligible probability and so correctness holds. (The protocol could also be modified so that $a_m = b_m = f(x, y)$ with probability 1, thus giving perfect correctness. But the analysis is easier without this modification.)

Fairness is more difficult to see and, of course, cannot hold for all functions $f$ since some functions cannot be computed fairly. But as intuition for why the protocol achieves fairness for certain functions, we observe that: (1) if a malicious party (say, $P_1$) aborts in some iteration $i < i^*$, then $P_1$ has not yet obtained any information about $P_2$'s input and so fairness is trivially achieved. On the other hand, (2) if $P_1$ aborts in some iteration $i > i^*$ then both $P_1$ and $P_2$ have received the correct output $f(x, y)$ and fairness is obtained. The worst case, then, occurs when $P_1$ aborts exactly in iteration $i^*$, as $P_1$ has then learned the correct value of $f(x, y)$ while $P_2$ has not. However, $P_1$ cannot identify iteration $i^*$ with certainty, even if it knows the other party's input $y$! This is because $P_1$ can randomly receive the correct output value even in rounds $i < i^*$. Although the adversary may happen to guess correctly, the fact that it can never be sure whether its guess is correct is what allows us to prove fairness. (Recall, we define fairness via indistinguishability from an ideal world in which fairness is guaranteed. This intuition provides a way of understanding what is going on, but the formal proof does not exactly follow this intuition.)

ShareGen
Inputs: Let the inputs to ShareGen be $x \in X$ and $y \in Y$. (If one of the received inputs is not in the correct domain, then both parties are given output $\bot$.) The security parameter is $n$.
Computation:
  1. Define values $a_1, \ldots, a_m$ and $b_1, \ldots, b_m$ in the following way:
    - Choose $i^*$ according to a geometric distribution with parameter $\alpha$ (see text).
    - For $i = 1$ to $i^* - 1$ do: Choose $\hat y \leftarrow Y$ and set $a_i = f(x, \hat y)$. Choose $\hat x \leftarrow X$ and set $b_i = f(\hat x, y)$.
    - For $i = i^*$ to $m$, set $a_i = b_i = f(x, y)$.
  2. For $1 \le i \le m$, choose $(a_i^{(1)}, a_i^{(2)})$ and $(b_i^{(1)}, b_i^{(2)})$ as random secret sharings of $a_i$ and $b_i$, respectively. (E.g., $a_i^{(1)}$ is random and $a_i^{(1)} \oplus a_i^{(2)} = a_i$.)
  3. Compute $k_a, k_b \leftarrow \mathsf{Gen}(1^n)$. For $1 \le i \le m$, let $t_i^a = \mathsf{Mac}_{k_a}(i \| a_i^{(2)})$ and $t_i^b = \mathsf{Mac}_{k_b}(i \| b_i^{(1)})$.
Output:
  1. Send to $P_1$ the values $a_1^{(1)}, \ldots, a_m^{(1)}$ and $(b_1^{(1)}, t_1^b), \ldots, (b_m^{(1)}, t_m^b)$, and the MAC-key $k_a$.
  2. Send to $P_2$ the values $(a_1^{(2)}, t_1^a), \ldots, (a_m^{(2)}, t_m^a)$ and $b_1^{(2)}, \ldots, b_m^{(2)}$, and the MAC-key $k_b$.
Figure 3: Functionality ShareGen, parameterized by a value $\alpha$.

Formal description of the protocol. The protocol is parameterized by a value $\alpha = \alpha(n)$ which is assumed to be noticeable. Let $m = \omega(\alpha^{-1} \log n)$. As in the previous section, we use an $m$-time MAC with information-theoretic security. We also rely on a sub-protocol $\pi$ computing a functionality ShareGen that generates shares (and associated MAC tags) for the parties; see Figure 3. (As before, $\pi$ securely computes ShareGen with abort.) We continue to let $a_1^{(1)}, b_1^{(1)}, a_2^{(1)}, b_2^{(1)}, \ldots$ denote the shares obtained by $P_1$, and let $a_1^{(2)}, b_1^{(2)}, a_2^{(2)}, b_2^{(2)}, \ldots$ denote the shares obtained by $P_2$.

Functionality ShareGen generates a value $i^*$ according to a geometric distribution with parameter $\alpha$.
This is the probability distribution on $\mathbb{N} = \{1, 2, \ldots\}$ given by repeating a Bernoulli trial (with parameter $\alpha$) until the first success. In other words, $i^*$ is determined by tossing a biased coin (that is heads with probability $\alpha$) until the first head appears, and letting $i^*$ be the number of tosses performed. Note that neither party learns the value of $i^*$. We use a geometric distribution for $i^*$ because it has the following useful property: for any $i$, the probability that $i^* = i$ conditioned on the event that $i^* \ge i$ is independent of $i$ (namely, $\Pr[i^* = i \mid i^* \ge i] = \alpha$). We remark that, as far as ShareGen is concerned, if $i^* > m$ then the exact value of $i^*$ is unimportant, and so ShareGen can be implemented in strict (rather than expected) polynomial time. In any case, our choice of $m$ ensures that $i^* \le m$ with all but negligible probability.

Our second protocol calls ShareGen as a subroutine and then has the parties exchange their shares as in our first protocol. As discussed above, aborts are handled differently here in that a party also outputs the last value it reconstructed if the other party aborts. A formal description
of the protocol is given in Figure 4.

Protocol 2
Inputs: Party $P_1$ has input $x$ and party $P_2$ has input $y$. The security parameter is $n$.
The protocol:
  1. Preliminary phase:
    (a) $P_1$ chooses $\hat y \in Y$ uniformly at random, and sets $a_0 = f(x, \hat y)$. Similarly, $P_2$ chooses $\hat x \in X$ uniformly at random, and sets $b_0 = f(\hat x, y)$.
    (b) Parties $P_1$ and $P_2$ run protocol $\pi$ for computing ShareGen, using their respective inputs $x$ and $y$, and security parameter $n$.
    (c) If $P_1$ receives $\bot$ from the above computation, it outputs $a_0$ and halts. Likewise, if $P_2$ receives $\bot$ then it outputs $b_0$ and halts. Otherwise, the parties proceed to the next step.
    (d) Denote the output of $P_1$ from $\pi$ by $a_1^{(1)}, \ldots, a_m^{(1)}$, $(b_1^{(1)}, t_1^b), \ldots, (b_m^{(1)}, t_m^b)$, and $k_a$.
    (e) Denote the output of $P_2$ from $\pi$ by $(a_1^{(2)}, t_1^a), \ldots, (a_m^{(2)}, t_m^a)$, $b_1^{(2)}, \ldots, b_m^{(2)}$, and $k_b$.
  2. For $i = 1, \ldots, m$ do:
    $P_2$ sends the next share to $P_1$:
    (a) $P_2$ sends $(a_i^{(2)}, t_i^a)$ to $P_1$.
    (b) $P_1$ receives $(a_i^{(2)}, t_i^a)$ from $P_2$. If $\mathsf{Vrfy}_{k_a}(i \| a_i^{(2)}, t_i^a) = 0$ (or if $P_1$ received an invalid message, or no message), then $P_1$ outputs $a_{i-1}$ and halts.
    (c) If $\mathsf{Vrfy}_{k_a}(i \| a_i^{(2)}, t_i^a) = 1$, then $P_1$ sets $a_i = a_i^{(1)} \oplus a_i^{(2)}$ (and continues running the protocol).
    $P_1$ sends the next share to $P_2$:
    (a) $P_1$ sends $(b_i^{(1)}, t_i^b)$ to $P_2$.
    (b) $P_2$ receives $(b_i^{(1)}, t_i^b)$ from $P_1$. If $\mathsf{Vrfy}_{k_b}(i \| b_i^{(1)}, t_i^b) = 0$ (or if $P_2$ received an invalid message, or no message), then $P_2$ outputs $b_{i-1}$ and halts.
    (c) If $\mathsf{Vrfy}_{k_b}(i \| b_i^{(1)}, t_i^b) = 1$, then $P_2$ sets $b_i = b_i^{(1)} \oplus b_i^{(2)}$ (and continues running the protocol).
  3. If all $m$ iterations have been run, party $P_1$ outputs $a_m$ and party $P_2$ outputs $b_m$.
Figure 4: Generic protocol for computing a function $f$.

4.2 Proof of Security for a Particular Function

Protocol 2 cannot guarantee complete fairness for all functions $f$. Rather, what we claim is that for certain functions $f$ and particular associated values of $\alpha$, the protocol provides complete fairness.
In this section, we prove security for the following function $f$:

[Table: rows $x_1, x_2, x_3$; columns $y_1, y_2$; the 0/1 entries did not survive extraction.]

This function has an embedded XOR, and is defined over a finite domain so that $X_n = X = \{x_1, x_2, x_3\}$ and $Y_n = Y = \{y_1, y_2\}$. For this $f$, we set $\alpha = 1/5$ in Protocol 2.
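ShareGen (Figure 3) and the share-exchange phase of Protocol 2 (Figure 4) on this $f$ with $\alpha = 1/5$, as an added simulation that is not the paper's code: it lets one check that an abort after iteration $i^*$ leaves the honest party with $f(x, y)$, that a modified share is rejected by the MAC, and that $\Pr[i^* = i \mid i^* \ge i] = \alpha$. The 0/1 entries of the two XOR rows of $f$ are an assumption (the page states only that $f(x_3, y) = 1$ for all $y$ and that $\{x_1, x_2\} \times \{y_1, y_2\}$ is an embedded XOR), and the $m$-time MAC is a constructed one-time pad-style polynomial MAC, one key pair per iteration index.

```python
import random

# Constructed instance of f (see lead-in): x3 row is all-1 as stated on the page,
# the x1/x2 rows are ASSUMED to form the XOR truth table.
X, Y = ("x1", "x2", "x3"), ("y1", "y2")
F = {("x1", "y1"): 0, ("x1", "y2"): 1,
     ("x2", "y1"): 1, ("x2", "y2"): 0,
     ("x3", "y1"): 1, ("x3", "y2"): 1}
ALPHA = 1 / 5

def f(x, y):
    return F[(x, y)]

def make_rng(seed):
    return random.Random(seed)

P = (1 << 61) - 1   # prime modulus of the one-time MAC

class MTimeMac:
    """Information-theoretic m-time MAC (constructed): an independent one-time key
    (alpha_i, beta_i) per iteration index i; the tag on i||share is
    alpha_i*share + beta_i mod P, and index i is used for exactly one message."""
    def __init__(self, m, rng):
        self.keys = [(rng.randrange(1, P), rng.randrange(P)) for _ in range(m)]
    def mac(self, i, share):
        alpha, beta = self.keys[i - 1]
        return (alpha * share + beta) % P
    def vrfy(self, i, share, tag):
        return share in (0, 1) and self.mac(i, share) == tag

def sample_geometric(alpha, rng):
    """i*: number of Bernoulli(alpha) trials up to and including the first success."""
    i = 1
    while rng.random() >= alpha:
        i += 1
    return i

def share_gen(x, y, m, alpha, rng):
    """Functionality ShareGen.  Returns (P1's output, P2's output, i*); i* is
    returned only so the caller can inspect it, the parties never learn it."""
    istar = sample_geometric(alpha, rng)
    a = [f(x, rng.choice(Y)) if i < istar else f(x, y) for i in range(1, m + 1)]
    b = [f(rng.choice(X), y) if i < istar else f(x, y) for i in range(1, m + 1)]
    a1 = [rng.randrange(2) for _ in range(m)]            # random shares ...
    b1 = [rng.randrange(2) for _ in range(m)]
    a2 = [a1[i] ^ a[i] for i in range(m)]                # ... with a1 xor a2 = a
    b2 = [b1[i] ^ b[i] for i in range(m)]
    ka, kb = MTimeMac(m, rng), MTimeMac(m, rng)
    ta = [ka.mac(i + 1, a2[i]) for i in range(m)]        # tags on P2's a-shares
    tb = [kb.mac(i + 1, b1[i]) for i in range(m)]        # tags on P1's b-shares
    return ({"a1": a1, "b1": b1, "tb": tb, "ka": ka},
            {"a2": a2, "ta": ta, "b2": b2, "kb": kb}, istar)

def run_protocol(x, y, m, rng, sg, p1_abort_at=None, p2_abort_at=None, p2_flip_at=None):
    """Share-exchange phase of Protocol 2 on ShareGen output sg.  p1_abort_at /
    p2_abort_at make that party send nothing in iteration i; p2_flip_at makes
    P2 flip its iteration-i share.  Returns (P1's output, P2's output), with
    None in the slot of the misbehaving party."""
    p1, p2 = sg[0], sg[1]
    a_prev = f(x, rng.choice(Y))          # a_0
    b_prev = f(rng.choice(X), y)          # b_0
    for i in range(1, m + 1):
        if p2_abort_at == i:              # no message: P1 outputs a_{i-1}
            return a_prev, None
        share, tag = p2["a2"][i - 1], p2["ta"][i - 1]
        if p2_flip_at == i:
            share ^= 1
        if not p1["ka"].vrfy(i, share, tag):   # bad tag is treated like an abort
            return a_prev, None
        a_prev = p1["a1"][i - 1] ^ share  # P1 reconstructs a_i
        if p1_abort_at == i:              # no message: P2 outputs b_{i-1}
            return None, b_prev
        share, tag = p1["b1"][i - 1], p1["tb"][i - 1]
        if not p2["kb"].vrfy(i, share, tag):
            return None, b_prev
        b_prev = share ^ p2["b2"][i - 1]  # P2 reconstructs b_i
    return a_prev, b_prev                 # a_m and b_m

def conditional_hit_rate(alpha, i, trials, rng):
    """Empirical Pr[i* = i | i* >= i]; for the geometric distribution this is
    alpha for every i, so reaching iteration i reveals nothing about whether
    it is the critical one."""
    hits = total = 0
    for _ in range(trials):
        s = sample_geometric(alpha, rng)
        if s >= i:
            total += 1
            hits += s == i
    return hits / total
```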
Theorem 4.1 If $(\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ is an information-theoretically secure $m$-time MAC, and $\pi$ securely computes ShareGen with abort, then the protocol in Figure 4, with $\alpha = 1/5$, securely computes $f$ with complete fairness.

Proof: Let $\Pi$ denote the protocol in Figure 4 with $\alpha = 1/5$. We analyze $\Pi$ in a hybrid model where there is a trusted party computing ShareGen. (Once again, we stress that since $\pi$ is only guaranteed to securely compute ShareGen with abort, the adversary is allowed to abort the trusted party computing ShareGen before it sends output to the honest party.) We will prove that an execution of Protocol 2 in this hybrid model is statistically close to an evaluation of $f$ in the ideal model with complete fairness, where the only differences can occur due to MAC forgeries. Applying Proposition 1 then implies the theorem.

In the two claims that follow, we separately analyze corruption of $P_2$ and $P_1$. The case of a corrupted $P_2$ is relatively easy to analyze since $P_1$ always gets the output first (because, in every iteration and iteration $i^*$ in particular, $P_2$ sends its share first). The proof of security when $P_1$ is corrupted is much more challenging, and is given second.

Claim 4 For every non-uniform, polynomial-time adversary A corrupting $P_2$ and running $\Pi$ in a hybrid model with access to an ideal functionality computing ShareGen (with abort), there exists a non-uniform, probabilistic polynomial-time adversary S corrupting $P_2$ and running in the ideal world with access to an ideal functionality computing $f$ (with complete fairness), such that
$$\{\mathrm{ideal}_{f, S(z)}(x, y, n)\}_{(x,y) \in X \times Y,\, z \in \{0,1\}^*,\, n \in \mathbb{N}} \stackrel{s}{\equiv} \{\mathrm{hybrid}^{\mathrm{ShareGen}}_{\Pi, A(z)}(x, y, n)\}_{(x,y) \in X \times Y,\, z \in \{0,1\}^*,\, n \in \mathbb{N}}.$$

Proof: Let $P_2$ be corrupted by A. We construct a simulator S given black-box access to A:
  1. S invokes A on the input $y$, the auxiliary input $z$, and the security parameter $n$. The simulator also chooses $\hat y \in Y$ uniformly at random. (It will send $\hat y$ to the trusted party, if needed.)
  2. S receives the input $y'$ of A to the computation of the functionality ShareGen.
    (a) If $y' \notin Y$ (this includes the case when $y' = \bot$ since A aborts), then S hands $\bot$ to A as its output from the computation of ShareGen and sends $\hat y$ to the trusted party computing $f$. It then halts and outputs whatever A outputs.
    (b) Otherwise, if the input is some $y' \in Y$, then S chooses uniformly distributed shares $a_1^{(2)}, \ldots, a_m^{(2)}$ and $b_1^{(2)}, \ldots, b_m^{(2)}$. In addition, it generates keys $k_a, k_b \leftarrow \mathsf{Gen}(1^n)$ and computes $t_i^a = \mathsf{Mac}_{k_a}(i \| a_i^{(2)})$ for every $i$. Finally, it hands A the strings $b_1^{(2)}, \ldots, b_m^{(2)}$, $(a_1^{(2)}, t_1^a), \ldots, (a_m^{(2)}, t_m^a)$, and $k_b$ as its output from the computation of ShareGen.
  3. If A sends abort to the trusted party computing ShareGen, then S sends $\hat y$ to the trusted party computing $f$. It then halts and outputs whatever A outputs. Otherwise (i.e., if A sends continue), S proceeds as below.
  4. S chooses $i^*$ according to a geometric distribution with parameter $\alpha$.
  5. For $i = 1$ to $i^* - 1$:
    (a) S receives A's message $(\hat a_i^{(2)}, \hat t_i^a)$ in the $i$th iteration. If $\mathsf{Vrfy}_{k_a}(i \| \hat a_i^{(2)}, \hat t_i^a) = 0$ (or the message is invalid, or A aborts), then S sends $\hat y$ to the trusted party computing $f$, outputs whatever A outputs, and halts. Otherwise, S proceeds.
    (b) S chooses $\hat x \in X$ uniformly at random, computes $b_i = f(\hat x, y')$, sets $b_i^{(1)} = b_i^{(2)} \oplus b_i$, and computes $t_i^b = \mathsf{Mac}_{k_b}(i \| b_i^{(1)})$. It gives A the message $(b_i^{(1)}, t_i^b)$. (Note that a fresh $\hat x$ is chosen in every iteration.)
  6. For $i = i^*$:
    (a) S receives A's message $(\hat a_{i^*}^{(2)}, \hat t_{i^*}^a)$. If $\mathsf{Vrfy}_{k_a}(i^* \| \hat a_{i^*}^{(2)}, \hat t_{i^*}^a) = 0$ (or the message is invalid, or A aborts), then S sends $\hat y$ to the trusted party computing $f$, outputs whatever A outputs, and halts. Otherwise, S sends $y'$ to the trusted party computing $f$, receives the output $z = f(x, y')$, and proceeds.
    (b) S sets $b_{i^*}^{(1)} = b_{i^*}^{(2)} \oplus z$, and computes $t_{i^*}^b = \mathsf{Mac}_{k_b}(i^* \| b_{i^*}^{(1)})$. It gives A the message $(b_{i^*}^{(1)}, t_{i^*}^b)$.
  7. For $i = i^* + 1$ to $m$:
    (a) S receives A's message $(\hat a_i^{(2)}, \hat t_i^a)$ in the $i$th iteration. If $\mathsf{Vrfy}_{k_a}(i \| \hat a_i^{(2)}, \hat t_i^a) = 0$ (or the message is invalid, or A aborts), then S outputs whatever A outputs, and halts.
    (b) S sets $b_i^{(1)} = b_i^{(2)} \oplus z$, and computes $t_i^b = \mathsf{Mac}_{k_b}(i \| b_i^{(1)})$. It gives A the message $(b_i^{(1)}, t_i^b)$.
  8. If S has not halted yet, at this point it outputs whatever A outputs and halts.

We assume that if $\mathsf{Vrfy}_{k_a}(i \| \hat a_i^{(2)}, \hat t_i^a) = 1$, then $\hat a_i^{(2)} = a_i^{(2)}$ (meaning that A sent the same share that it received). It is straightforward to prove that this is the case with all but negligible probability based on the information-theoretic security of the MAC. Under this assumption, the distribution generated by S in an ideal-world execution with a trusted party computing $f$ is identical to the distribution in a hybrid execution between A and an honest $P_1$. To see this, first note that the view of A is identical in both worlds. As for the output of $P_1$, if A aborts (or sends an invalid message) before sending its first-iteration message, then $P_1$ outputs $f(x, \hat y)$ for a random $\hat y \in Y$ in both the hybrid and ideal worlds. If A aborts after sending a valid iteration-$i$ message then, conditioned on A's view at that point, the distribution of $i^*$ is identical in the hybrid and ideal worlds. Moreover, in both worlds, $P_1$ outputs $f(x, \hat y)$ (for a random $\hat y \in Y$) if $i < i^*$ and outputs $f(x, y')$ if $i \ge i^*$. This concludes the proof of this case.
We remark that the proof of the preceding claim did not depend on the value of $\alpha$ or the particular function $f$. The value of $\alpha$ and the specific nature of $f$ will become important when we deal with a malicious $P_1$ in the proof of the following claim.

Claim 5 For every non-uniform, polynomial-time adversary A corrupting $P_1$ and running $\Pi$ in a hybrid model with access to an ideal functionality computing ShareGen (with abort), there exists a non-uniform, probabilistic polynomial-time adversary S corrupting $P_1$ and running in the ideal world with access to an ideal functionality computing $f$ (with complete fairness), such that
$$\{\mathrm{ideal}_{f, S(z)}(x, y, n)\}_{(x,y) \in X \times Y,\, z \in \{0,1\}^*,\, n \in \mathbb{N}} \stackrel{s}{\equiv} \{\mathrm{hybrid}^{\mathrm{ShareGen}}_{\Pi, A(z)}(x, y, n)\}_{(x,y) \in X \times Y,\, z \in \{0,1\}^*,\, n \in \mathbb{N}}.$$

Proof: Say $P_1$ is corrupted by an adversary A. We construct a simulator S that is given black-box access to A. For readability in what follows, we ignore the presence of the MAC-tags and keys. That is, we do not mention the fact that S computes MAC-tags for messages it gives to A, nor do we mention the fact that S must verify the MAC-tags on the messages sent by A. When we say that A aborts, we include in this the event that A sends an invalid message, or a message whose tag does not pass verification.
1. S invokes A on the input⁵ $x$, auxiliary input $z$, and the security parameter $n$. The simulator also chooses $\hat{x} \in X$ uniformly at random (it will send $\hat{x}$ to the trusted party, if needed).

2. S receives the input $x'$ of A to the computation of the functionality ShareGen′.
(a) If $x' \notin X$ (this includes the case when $x' = \bot$ since A aborts), then S hands $\bot$ to A as its output from the computation of ShareGen′, sends $\hat{x}$ to the trusted party computing $f$, outputs whatever A outputs, and halts.
(b) Otherwise, if the input is some $x' \in X$, then S chooses uniformly distributed shares $a_1^{(1)}, \ldots, a_m^{(1)}$ and $b_1^{(1)}, \ldots, b_m^{(1)}$. Then, S gives these shares to A as its output from the computation of ShareGen′.

3. If A sends abort to the trusted party computing ShareGen′, then S sends $\hat{x}$ to the trusted party computing $f$, outputs whatever A outputs, and halts. Otherwise (i.e., if A sends continue), S proceeds as below.

4. Choose $i^*$ according to a geometric distribution with parameter $\alpha$.

We now branch depending on the value of $x'$.

If $x' = x_3$:

5. For $i = 1$ to $m$:
(a) S sets $a_i^{(2)} = a_i^{(1)} \oplus 1$ and gives $a_i^{(2)}$ to A. (Recall that $f(x_3, y) = 1$ for any $y$.)
(b) If A aborts and $i \le i^*$, then S sends $\hat{x}$ to the trusted party computing $f$. If A aborts and $i > i^*$ then S sends $x' = x_3$ to the trusted party computing $f$. In either case, S then outputs whatever A outputs, and halts. If A does not abort, then S proceeds to the next iteration.

6. If S has not halted yet, then if $i^* \le m$ it sends $x_3$ to the trusted party computing $f$ while if $i^* > m$ it sends $\hat{x}$. Finally, S outputs whatever A outputs and halts.

If $x' \in \{x_1, x_2\}$:

7. Let $\bar{x}$ be the other value in $\{x_1, x_2\}$; i.e., if $x' = x_c$ then $\bar{x} = x_{3-c}$.

8. For $i = 1$ to $i^* - 1$:
(a) S chooses $\hat{y} \in Y$ uniformly at random, computes $a_i = f(\bar{x}, \hat{y})$, and sets $a_i^{(2)} = a_i^{(1)} \oplus a_i$. It gives $a_i^{(2)}$ to A. (Note that a fresh $\hat{y}$ is chosen in every iteration.)
(b) If A aborts:
i. If $a_i = 0$, then with probability 1/3 send $\bar{x}$ to the trusted party computing $f$, and with probability 2/3 send $x_3$.
ii. If $a_i = 1$, then with probability 1/3 send $x'$ to the trusted party computing $f$; with probability 1/2 send $\bar{x}$; and with probability 1/6 send $x_3$.

⁵ To simplify readability later, we reserve $x'$ for the value input by A to the computation of ShareGen′.
In either case, S then outputs whatever A outputs, and halts. If A does not abort, then S proceeds.

9. For $i = i^*$ to $m$:
(a) If $i = i^*$ then S sends $x'$ to the trusted party computing $f$ and receives $z = f(x', y)$.
(b) S sets $a_i^{(2)} = a_i^{(1)} \oplus z$ and gives $a_i^{(2)}$ to A.
(c) If A aborts, then S outputs whatever A outputs, and halts. If A does not abort, then S proceeds.

10. If S has not yet halted, and has not yet sent anything to the trusted party computing $f$ (this can only happen if $i^* > m$ and A has never aborted), then it sends $\hat{x}$ to the trusted party. Then S outputs whatever A outputs and halts.

We will show that the distribution generated by S in an ideal-world execution with a trusted party computing $f$ is identical to the distribution in a hybrid execution between A and an honest $P_2$. (As always, we are ignoring here the possibility that A can forge a valid MAC-tag; once again, this introduces only a negligible statistical difference.) We first observe that the case of $x' = x_3$ is straightforward since in this case S does not need to send anything to the trusted party until after A aborts. (This is because $a_i = 1$ for all $i$ since $f(x_3, y) = 1$ for all $y \in Y$; note that this is the first time in the proof we rely on specific properties of $f$.) For the remainder of the proof, we therefore focus our attention on the case when $x' \in \{x_1, x_2\}$.

Let $\mathrm{view}_{\mathrm{hyb}}(x', y)$ be the random variable denoting the view of A in the hybrid world (i.e., running $\Pi$ with a trusted party computing ShareGen′) when $P_2$ holds input $y$ and A uses input $x'$ in the computation of ShareGen′. Let $\mathrm{view}_{\mathrm{ideal}}(x', y)$ be the random variable denoting the view of A in the ideal world (i.e., where S runs A as a black-box and interacts with a trusted party computing $f$) with $x', y$ similarly defined. Finally, let $\mathrm{out}_{\mathrm{hyb}}(x', y)$, $\mathrm{out}_{\mathrm{ideal}}(x', y)$ be random variables denoting the output of the honest player $P_2$ in the hybrid and ideal worlds, respectively, for the given $x'$ and $y$. We will show that for any $x' \in \{x_1, x_2\}$ and $y \in Y$,
$$\big(\mathrm{view}_{\mathrm{hyb}}(x', y), \mathrm{out}_{\mathrm{hyb}}(x', y)\big) \equiv \big(\mathrm{view}_{\mathrm{ideal}}(x', y), \mathrm{out}_{\mathrm{ideal}}(x', y)\big). \qquad (2)$$
(We stress that the above assumes A never forges a valid MAC-tag, and therefore the security parameter $n$ can be ignored and perfect equivalence obtained. Taking the possibility of a forged MAC-tag into account, the above distributions would then have statistical difference negligible in the security parameter $n$.) It is immediate from the description of S that $\mathrm{view}_{\mathrm{hyb}}(x', y) \equiv \mathrm{view}_{\mathrm{ideal}}(x', y)$ for any $x', y$; the difficulty lies in arguing about the joint distribution of A's view and $P_2$'s output, as above. We prove Eq. (2) by showing that for any $x', y$ as above and any view $v$ and bit $b$, it holds that:
$$\Pr\big[\big(\mathrm{view}_{\mathrm{hyb}}(x', y), \mathrm{out}_{\mathrm{hyb}}(x', y)\big) = (v, b)\big] = \Pr\big[\big(\mathrm{view}_{\mathrm{ideal}}(x', y), \mathrm{out}_{\mathrm{ideal}}(x', y)\big) = (v, b)\big]. \qquad (3)$$
Clearly, if $v$ represents a view that does not correspond to the actions of A (e.g., $v$ contains $a_i$, but given view $v$ the adversary would have aborted prior to iteration $i$; or $v$ does not contain $a_i$, but given view $v$ the adversary would not have aborted prior to iteration $i$), then both probabilities in Eq. (3) are identically 0 (regardless of $b$). From now on, therefore, we only consider views that correspond to actions of A.
A's view consists of its initial inputs, the values $a_1^{(1)}, b_1^{(1)}, \ldots, a_m^{(1)}, b_m^{(1)}$ that A receives from the computation of ShareGen′, and (if A does not abort before the first iteration) a sequence of values $a_1, \ldots, a_i$ where $i$ is the iteration in which A aborts (if any). (Technically A receives $a_1^{(2)}, \ldots, a_i^{(2)}$ but we equivalently consider the reconstructed values $a_1, \ldots, a_i$ instead.) Looking at the description of S, it is easy to see that if $v$ represents a view in which A aborts before the first iteration, or in which A never aborts (i.e., A runs the protocol to completion), then Eq. (3) holds for either choice of $b$. Thus, the difficult cases to analyze are exactly those in which A aborts in some iteration $i$.

Let $v$ be a view in which A aborts in iteration $i$ (i.e., after receiving its iteration-$i$ message). We will let A's initial inputs and its outputs from ShareGen′ be implicit, and focus on the vector of values $\bar{a} = (a_1, \ldots, a_i)$ that A sees before it aborts in iteration $i$. We will show that for any $x', y$ as above, any $\bar{a}$, and any bit $b$ it holds that
$$\Pr\big[\big(\mathrm{view}_{\mathrm{hyb}}(x', y), \mathrm{out}_{\mathrm{hyb}}(x', y)\big) = (\bar{a}, b)\big] = \Pr\big[\big(\mathrm{view}_{\mathrm{ideal}}(x', y), \mathrm{out}_{\mathrm{ideal}}(x', y)\big) = (\bar{a}, b)\big]. \qquad (4)$$
We stress that we are considering exactly those views $\bar{a} = (a_1, \ldots, a_i)$ in which A aborts after receiving its iteration-$i$ message; there is thus no possibility that A might abort given the sequence of values $a_1, \ldots, a_j$ (with $j < i$). Toward proving Eq. (4), we first prove:

Claim 6 For any $x' \in \{x_1, x_2\}$ and $y \in Y$,
$$\Pr\big[\big(\mathrm{view}_{\mathrm{hyb}}(x', y), \mathrm{out}_{\mathrm{hyb}}(x', y)\big) = (\bar{a}, b) \wedge i^* < i\big] = \Pr\big[\big(\mathrm{view}_{\mathrm{ideal}}(x', y), \mathrm{out}_{\mathrm{ideal}}(x', y)\big) = (\bar{a}, b) \wedge i^* < i\big]. \qquad (5)$$

Proof: A proof of this claim follows easily from the observation that, conditioned on $i^* < i$, the true input of $P_1$ is used to compute $P_2$'s output in both the hybrid and ideal worlds. Formally, fix some $x', y$ and let these be implicit in what follows. To prove the claim, note that
$$\Pr\big[(\mathrm{view}_{\mathrm{hyb}}, \mathrm{out}_{\mathrm{hyb}}) = (\bar{a}, b) \wedge i^* < i\big] = \Pr\big[\mathrm{out}_{\mathrm{hyb}} = b \mid \mathrm{view}_{\mathrm{hyb}} = \bar{a} \wedge i^* < i\big] \cdot \Pr\big[\mathrm{view}_{\mathrm{hyb}} = \bar{a} \wedge i^* < i\big]$$
and
$$\Pr\big[(\mathrm{view}_{\mathrm{ideal}}, \mathrm{out}_{\mathrm{ideal}}) = (\bar{a}, b) \wedge i^* < i\big] = \Pr\big[\mathrm{out}_{\mathrm{ideal}} = b \mid \mathrm{view}_{\mathrm{ideal}} = \bar{a} \wedge i^* < i\big] \cdot \Pr\big[\mathrm{view}_{\mathrm{ideal}} = \bar{a} \wedge i^* < i\big].$$
It follows from the description of S that $\Pr[\mathrm{view}_{\mathrm{hyb}} = \bar{a} \wedge i^* < i] = \Pr[\mathrm{view}_{\mathrm{ideal}} = \bar{a} \wedge i^* < i]$. Furthermore, conditioned on $i^* < i$ the output of $P_2$ is the correct output $f(x', y)$ in both the hybrid and ideal worlds. We conclude that Eq. (5) holds.

To complete the proof of Eq. (4), we prove that for any $x' \in \{x_1, x_2\}$ and $y \in Y$, any $\bar{a} \in \{0,1\}^i$, and all $b \in \{0,1\}$ it holds that
$$\Pr\big[\big(\mathrm{view}_{\mathrm{hyb}}(x', y), \mathrm{out}_{\mathrm{hyb}}(x', y)\big) = (\bar{a}, b) \wedge i^* \ge i\big] = \Pr\big[\big(\mathrm{view}_{\mathrm{ideal}}(x', y), \mathrm{out}_{\mathrm{ideal}}(x', y)\big) = (\bar{a}, b) \wedge i^* \ge i\big]. \qquad (6)$$
This is the crux of the proof. Write $\bar{a} = (\bar{a}_{i-1}, a_i)$, $\mathrm{view}_{\mathrm{hyb}} = (\mathrm{view}^{i-1}_{\mathrm{hyb}}, \mathrm{view}^{i}_{\mathrm{hyb}})$, and $\mathrm{view}_{\mathrm{ideal}} = (\mathrm{view}^{i-1}_{\mathrm{ideal}}, \mathrm{view}^{i}_{\mathrm{ideal}})$. (In what follows, we also often leave $x'$ and $y$ implicit in the interests of readability.) Then
$$\Pr\big[(\mathrm{view}_{\mathrm{hyb}}, \mathrm{out}_{\mathrm{hyb}}) = (\bar{a}, b) \wedge i^* \ge i\big] = \Pr\big[(\mathrm{view}^{i}_{\mathrm{hyb}}, \mathrm{out}_{\mathrm{hyb}}) = (a_i, b) \wedge i^* \ge i \,\big|\, \mathrm{view}^{i-1}_{\mathrm{hyb}} = \bar{a}_{i-1}\big] \cdot \Pr\big[\mathrm{view}^{i-1}_{\mathrm{hyb}} = \bar{a}_{i-1}\big]$$
and
$$\Pr\big[(\mathrm{view}_{\mathrm{ideal}}, \mathrm{out}_{\mathrm{ideal}}) = (\bar{a}, b) \wedge i^* \ge i\big] = \Pr\big[(\mathrm{view}^{i}_{\mathrm{ideal}}, \mathrm{out}_{\mathrm{ideal}}) = (a_i, b) \wedge i^* \ge i \,\big|\, \mathrm{view}^{i-1}_{\mathrm{ideal}} = \bar{a}_{i-1}\big] \cdot \Pr\big[\mathrm{view}^{i-1}_{\mathrm{ideal}} = \bar{a}_{i-1}\big].$$
Once again, it follows readily from the description of S that
$$\Pr\big[\mathrm{view}^{i-1}_{\mathrm{hyb}} = \bar{a}_{i-1}\big] = \Pr\big[\mathrm{view}^{i-1}_{\mathrm{ideal}} = \bar{a}_{i-1}\big].$$
Moreover, conditioned on the event that $i^* \ge i$, the random variables $\mathrm{view}^{i}_{\mathrm{hyb}}$ and $\mathrm{out}_{\mathrm{hyb}}$ (resp., $\mathrm{view}^{i}_{\mathrm{ideal}}$ and $\mathrm{out}_{\mathrm{ideal}}$) are independent of $\mathrm{view}^{i-1}_{\mathrm{hyb}}$ (resp., $\mathrm{view}^{i-1}_{\mathrm{ideal}}$) for fixed $x'$ and $y$. Thus, Eq. (6) is proved once we show that
$$\Pr\big[(\mathrm{view}^{i}_{\mathrm{hyb}}, \mathrm{out}_{\mathrm{hyb}}) = (a_i, b) \mid i^* \ge i\big] = \Pr\big[(\mathrm{view}^{i}_{\mathrm{ideal}}, \mathrm{out}_{\mathrm{ideal}}) = (a_i, b) \mid i^* \ge i\big] \qquad (7)$$
for all $x', y, a_i, b$ as above. We prove this via case-by-case analysis. For convenience, we recall the table for $f$ (the entries are the values used in the four cases below):
$$\begin{array}{c|cc} & y_1 & y_2 \\ \hline x_1 & 0 & 1 \\ x_2 & 1 & 0 \\ x_3 & 1 & 1 \end{array}$$

Case 1: $x' = x_1$ and $y = y_1$. We analyze the hybrid world first, followed by the ideal world.

Hybrid world. We first consider the hybrid world where the parties are running protocol $\Pi$. If A aborts after receiving its iteration-$i$ message, $P_2$ will output $\mathrm{out}_{\mathrm{hyb}} = b_{i-1}$. Since $i \le i^*$, we have $b_{i-1} = f(\hat{x}, y_1)$ where $\hat{x}$ is chosen uniformly from $X$. So $\Pr[\mathrm{out}_{\mathrm{hyb}} = 0] = \Pr_{\hat{x} \in X}[f(\hat{x}, y_1) = 0] = 1/3$ and $\Pr[\mathrm{out}_{\mathrm{hyb}} = 1] = 2/3$. Since $i \le i^*$, the value of $\mathrm{view}^{i}_{\mathrm{hyb}} = a_i$ is independent of the value of $b_{i-1}$. Conditioned on the event that $i \le i^*$, we have $\Pr[i^* = i] = \alpha = 1/5$ and $\Pr[i^* > i] = 4/5$. If $i^* = i$, then $a_i = f(x', y) = f(x_1, y_1) = 0$. If $i^* > i$, then $a_i = f(x_1, \hat{y})$ where $\hat{y}$ is chosen uniformly from $Y$. So $\Pr[a_i = 1] = \Pr_{\hat{y} \in Y}[f(x_1, \hat{y}) = 1] = 1/2$ and $\Pr[a_i = 0] = 1/2$. Overall, then, we have
$$\Pr\big[\mathrm{view}^{i}_{\mathrm{hyb}}(x_1, y_1) = 0 \mid i \le i^*\big] = \alpha \cdot 1 + (1 - \alpha) \cdot \tfrac{1}{2} = \tfrac{3}{5}$$
$$\Pr\big[\mathrm{view}^{i}_{\mathrm{hyb}}(x_1, y_1) = 1 \mid i \le i^*\big] = \alpha \cdot 0 + (1 - \alpha) \cdot \tfrac{1}{2} = \tfrac{2}{5}.$$
Putting everything together gives
$$\Pr\big[\big(\mathrm{view}^{i}_{\mathrm{hyb}}(x_1, y_1), \mathrm{out}_{\mathrm{hyb}}(x_1, y_1)\big) = (a, b) \mid i^* \ge i\big] = \begin{cases} \tfrac{3}{5} \cdot \tfrac{1}{3} = \tfrac{1}{5} & (a, b) = (0, 0) \\ \tfrac{3}{5} \cdot \tfrac{2}{3} = \tfrac{2}{5} & (a, b) = (0, 1) \\ \tfrac{2}{5} \cdot \tfrac{1}{3} = \tfrac{2}{15} & (a, b) = (1, 0) \\ \tfrac{2}{5} \cdot \tfrac{2}{3} = \tfrac{4}{15} & (a, b) = (1, 1) \end{cases} \qquad (8)$$

Ideal world. We now turn our attention to the ideal world. Since we are conditioning on $i \le i^*$, here it is also the case that $\Pr[i^* = i] = \alpha = 1/5$ and $\Pr[i^* > i] = 4/5$. Furthermore, if $i^* = i$ then $\mathrm{view}^{i}_{\mathrm{ideal}} = a_i = f(x_1, y_1) = 0$. Now, however, if $i^* = i$ then S has already sent $x_1$ to the trusted party computing $f$ (in order to learn the value $f(x_1, y_1)$) and so $P_2$ will also output $f(x_1, y_1) = 0$, rather than some independent value $b_{i-1}$. When $i^* > i$, then (by construction of S, which computes $a_i = f(\bar{x}, \hat{y})$ with $\bar{x} = x_2$) we have $\Pr[a_i = 0] = \Pr_{\hat{y} \in Y}[f(x_2, \hat{y}) = 0] = 1/2$ and $\Pr[a_i = 1] = 1/2$. Now, however, the output of $P_2$ depends on the value sent to the trusted party following an abort by A, which in turn depends on $a_i$ (cf. step 8(b) of S). In particular, we have:
$$\Pr[\mathrm{out}_{\mathrm{ideal}}(x_1, y_1) = 0 \mid a_i = 0 \wedge i^* > i] = \Pr[\text{S sends } x_1 \text{ to the trusted party} \mid a_i = 0 \wedge i^* > i] = 0,$$
and
$$\Pr[\mathrm{out}_{\mathrm{ideal}}(x_1, y_1) = 0 \mid a_i = 1 \wedge i^* > i] = \Pr[\text{S sends } x_1 \text{ to the trusted party} \mid a_i = 1 \wedge i^* > i] = 1/3$$
(in calculating the above, recall that $x' = x_1$). Putting everything together, we obtain
$$\begin{aligned} \Pr\big[\big(\mathrm{view}^{i}_{\mathrm{ideal}}(x_1, y_1), \mathrm{out}_{\mathrm{ideal}}(x_1, y_1)\big) = (0, 0) \mid i^* \ge i\big] &= \alpha \cdot \Pr\big[\big(\mathrm{view}^{i}_{\mathrm{ideal}}(x_1, y_1), \mathrm{out}_{\mathrm{ideal}}(x_1, y_1)\big) = (0, 0) \mid i^* = i\big] \\ &\quad + (1 - \alpha) \cdot \Pr\big[\big(\mathrm{view}^{i}_{\mathrm{ideal}}(x_1, y_1), \mathrm{out}_{\mathrm{ideal}}(x_1, y_1)\big) = (0, 0) \mid i^* > i\big] \\ &= \alpha + (1 - \alpha) \cdot 0 = \tfrac{1}{5}. \end{aligned} \qquad (9)$$
Similarly,
$$\Pr\big[\big(\mathrm{view}^{i}_{\mathrm{ideal}}(x_1, y_1), \mathrm{out}_{\mathrm{ideal}}(x_1, y_1)\big) = (0, 1) \mid i^* \ge i\big] = (1 - \alpha) \cdot \tfrac{1}{2} \cdot 1 = \tfrac{2}{5} \qquad (10)$$
$$\Pr\big[\big(\mathrm{view}^{i}_{\mathrm{ideal}}(x_1, y_1), \mathrm{out}_{\mathrm{ideal}}(x_1, y_1)\big) = (1, 0) \mid i^* \ge i\big] = (1 - \alpha) \cdot \tfrac{1}{2} \cdot \tfrac{1}{3} = \tfrac{2}{15} \qquad (11)$$
$$\Pr\big[\big(\mathrm{view}^{i}_{\mathrm{ideal}}(x_1, y_1), \mathrm{out}_{\mathrm{ideal}}(x_1, y_1)\big) = (1, 1) \mid i^* \ge i\big] = (1 - \alpha) \cdot \tfrac{1}{2} \cdot \tfrac{2}{3} = \tfrac{4}{15}, \qquad (12)$$
in exact agreement with Eq. (8).

Case 2: $x' = x_2$ and $y = y_1$. In all the remaining cases, the arguments are the same as before; just the numbers differ. Therefore, we will allow ourselves to be more laconic.
In the hybrid world, conditioned on $i \le i^*$, the values of $\mathrm{out}_{\mathrm{hyb}} = b_{i-1}$ and $\mathrm{view}^{i}_{\mathrm{hyb}} = a_i$ are again independent. The distribution of $b_{i-1}$ is given by: $\Pr[b_{i-1} = 0] = \Pr_{\hat{x} \in X}[f(\hat{x}, y_1) = 0] = 1/3$ and $\Pr[b_{i-1} = 1] = 2/3$. As for the distribution of $a_i$, we have
$$\Pr[a_i = 1 \mid i \le i^*] = \alpha \cdot \Pr[a_i = 1 \mid i = i^*] + (1 - \alpha) \cdot \Pr[a_i = 1 \mid i < i^*] = \alpha \cdot 1 + (1 - \alpha) \cdot \Pr_{\hat{y} \in Y}[f(x_2, \hat{y}) = 1] = \tfrac{1}{5} + \tfrac{2}{5} = \tfrac{3}{5},$$
and so $\Pr[a_i = 0 \mid i \le i^*] = 2/5$. Putting everything together gives
$$\Pr\big[\big(\mathrm{view}^{i}_{\mathrm{hyb}}(x_2, y_1), \mathrm{out}_{\mathrm{hyb}}(x_2, y_1)\big) = (a, b) \mid i^* \ge i\big] = \begin{cases} \tfrac{2}{5} \cdot \tfrac{1}{3} = \tfrac{2}{15} & (a, b) = (0, 0) \\ \tfrac{2}{5} \cdot \tfrac{2}{3} = \tfrac{4}{15} & (a, b) = (0, 1) \\ \tfrac{3}{5} \cdot \tfrac{1}{3} = \tfrac{1}{5} & (a, b) = (1, 0) \\ \tfrac{3}{5} \cdot \tfrac{2}{3} = \tfrac{2}{5} & (a, b) = (1, 1) \end{cases} \qquad (13)$$

In the ideal world, if $i^* = i$ then $\mathrm{out}_{\mathrm{ideal}} = \mathrm{view}^{i}_{\mathrm{ideal}} = f(x_2, y_1) = 1$. If $i^* > i$, then the distribution of $\mathrm{view}^{i}_{\mathrm{ideal}} = a_i$ is given by $\Pr[a_i = 1] = \Pr_{\hat{y} \in Y}[f(x_1, \hat{y}) = 1] = 1/2$ and $\Pr[a_i = 0] = 1/2$ (here $\bar{x} = x_1$). The value of $\mathrm{out}_{\mathrm{ideal}}$ is now dependent on the value of $a_i$ (cf. step 8(b) of S); specifically:
$$\Pr[\mathrm{out}_{\mathrm{ideal}}(x_2, y_1) = 0 \mid a_i = 0 \wedge i^* > i] = \Pr[\text{S sends } x_1 \text{ to the trusted party} \mid a_i = 0 \wedge i^* > i] = 1/3,$$
and
$$\Pr[\mathrm{out}_{\mathrm{ideal}}(x_2, y_1) = 0 \mid a_i = 1 \wedge i^* > i] = \Pr[\text{S sends } x_1 \text{ to the trusted party} \mid a_i = 1 \wedge i^* > i] = 1/2$$
(using the fact that $x' = x_2$). Putting everything together, we obtain
$$\Pr\big[\big(\mathrm{view}^{i}_{\mathrm{ideal}}(x_2, y_1), \mathrm{out}_{\mathrm{ideal}}(x_2, y_1)\big) = (0, 0) \mid i^* \ge i\big] = (1 - \alpha) \cdot \tfrac{1}{2} \cdot \tfrac{1}{3} = \tfrac{2}{15} \qquad (14)$$
$$\Pr\big[\big(\mathrm{view}^{i}_{\mathrm{ideal}}(x_2, y_1), \mathrm{out}_{\mathrm{ideal}}(x_2, y_1)\big) = (0, 1) \mid i^* \ge i\big] = (1 - \alpha) \cdot \tfrac{1}{2} \cdot \tfrac{2}{3} = \tfrac{4}{15} \qquad (15)$$
$$\Pr\big[\big(\mathrm{view}^{i}_{\mathrm{ideal}}(x_2, y_1), \mathrm{out}_{\mathrm{ideal}}(x_2, y_1)\big) = (1, 0) \mid i^* \ge i\big] = (1 - \alpha) \cdot \tfrac{1}{2} \cdot \tfrac{1}{2} = \tfrac{1}{5} \qquad (16)$$
$$\Pr\big[\big(\mathrm{view}^{i}_{\mathrm{ideal}}(x_2, y_1), \mathrm{out}_{\mathrm{ideal}}(x_2, y_1)\big) = (1, 1) \mid i^* \ge i\big] = \alpha + (1 - \alpha) \cdot \tfrac{1}{2} \cdot \tfrac{1}{2} = \tfrac{2}{5}, \qquad (17)$$
in exact agreement with Eq. (13).

Case 3: $x' = x_1$ and $y = y_2$. In the hybrid world, this case is exactly symmetric to the case when $x' = x_2$ and $y = y_1$. Thus we obtain the same distribution as in Eq. (13). In the ideal world, if $i^* = i$ then $\mathrm{out}_{\mathrm{ideal}} = \mathrm{view}^{i}_{\mathrm{ideal}} = f(x_1, y_2) = 1$. If $i^* > i$, then the distribution of $\mathrm{view}^{i}_{\mathrm{ideal}} = a_i$ is given by $\Pr[a_i = 1] = \Pr_{\hat{y} \in Y}[f(x_2, \hat{y}) = 1] = 1/2$ and $\Pr[a_i = 0] = 1/2$. The value of $\mathrm{out}_{\mathrm{ideal}}$ is dependent on the value of $a_i$ (cf. step 8(b) of S); specifically:
$$\Pr[\mathrm{out}_{\mathrm{ideal}}(x_1, y_2) = 0 \mid a_i = 0 \wedge i^* > i] = \Pr[\text{S sends } x_2 \text{ to the trusted party} \mid a_i = 0 \wedge i^* > i] = 1/3,$$
and
$$\Pr[\mathrm{out}_{\mathrm{ideal}}(x_1, y_2) = 0 \mid a_i = 1 \wedge i^* > i] = \Pr[\text{S sends } x_2 \text{ to the trusted party} \mid a_i = 1 \wedge i^* > i] = 1/2$$
(using the fact that $x' = x_1$). Putting everything together, we obtain the same distribution as in Eqs. (14)–(17). The distributions in the hybrid and ideal worlds are, once again, in exact agreement.

Case 4: $x' = x_2$ and $y = y_2$. In the hybrid world, this case is exactly symmetric to the case when $x' = x_1$ and $y = y_1$. Thus we obtain the same distribution as in Eq. (8). In the ideal world, if $i^* = i$ then $\mathrm{out}_{\mathrm{ideal}} = \mathrm{view}^{i}_{\mathrm{ideal}} = f(x_2, y_2) = 0$. If $i^* > i$, then the distribution of $\mathrm{view}^{i}_{\mathrm{ideal}} = a_i$ is given by $\Pr[a_i = 1] = \Pr_{\hat{y} \in Y}[f(x_1, \hat{y}) = 1] = 1/2$ and $\Pr[a_i = 0] = 1/2$ (here $\bar{x} = x_1$). The value of $\mathrm{out}_{\mathrm{ideal}}$ is dependent on the value of $a_i$ (cf. step 8(b) of S); specifically:
$$\Pr[\mathrm{out}_{\mathrm{ideal}}(x_2, y_2) = 0 \mid a_i = 0 \wedge i^* > i] = \Pr[\text{S sends } x_2 \text{ to the trusted party} \mid a_i = 0 \wedge i^* > i] = 0,$$
and
$$\Pr[\mathrm{out}_{\mathrm{ideal}}(x_2, y_2) = 0 \mid a_i = 1 \wedge i^* > i] = \Pr[\text{S sends } x_2 \text{ to the trusted party} \mid a_i = 1 \wedge i^* > i] = 1/3$$
(using the fact that $x' = x_2$). Putting everything together, we obtain the same distribution as in Eqs. (9)–(12). The distributions in the hybrid and ideal worlds are, once again, in exact agreement. This completes the proof of Claim 5.

The preceding claims along with Proposition 1 conclude the proof of the theorem.

5 A Lower Bound for Functions with an Embedded XOR

In the previous section we have shown a protocol that enables completely fair computation of certain functions that contain an embedded XOR. That protocol, however, has round complexity $\omega(\log n)$. (The round complexity may be worse, depending on $\alpha$, but if $\alpha$ is constant then the round complexity is $m = \omega(\log n)$.) In this section we prove that this is inherent for any function that has an embedded XOR.

5.1 Preliminaries

Let $f$ be a single-output, boolean function with an embedded XOR; that is, a function for which there exist inputs $x_0, x_1, y_0, y_1$ such that $f(x_i, y_j) = i \oplus j$. Let $\Pi$ be an $r(n)$-round protocol that securely computes $f$ with complete fairness. Here we denote the two parties executing the protocol by A and B.
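The four cases of Claim 5 above can be checked mechanically. The following Python script is an added example, not code from the paper: it encodes the table for $f$ and the abort rule of step 8(b) of S, computes the hybrid- and ideal-world joint distributions of $(a_i, \mathrm{out})$ conditioned on $i^* \ge i$ with exact fractions for every $x' \in \{x_1, x_2\}$ and $y \in Y$, and also shows that a simpler abort rule (always sending $\bar{x}$) does not reproduce the hybrid distribution.

```python
from fractions import Fraction as Fr
from itertools import product

# Constructed input: the 3x2 function f of Section 4.2, recovered from the
# case analysis (f(x1,y1)=0, f(x1,y2)=1, f(x2,y1)=1, f(x2,y2)=0, f(x3,.)=1).
X = ("x1", "x2", "x3")
Y = ("y1", "y2")
F = {("x1", "y1"): 0, ("x1", "y2"): 1,
     ("x2", "y1"): 1, ("x2", "y2"): 0,
     ("x3", "y1"): 1, ("x3", "y2"): 1}
ALPHA = Fr(1, 5)   # parameter of the geometric distribution of i*


def other(xp):
    """x-bar: the other value in {x1, x2} (step 7 of S)."""
    return "x2" if xp == "x1" else "x1"


def hybrid_joint(xp, y, alpha=ALPHA):
    """Joint distribution of (a_i, P2's output) in the hybrid world,
    conditioned on i* >= i, when A aborts right after receiving a_i."""
    dist = {(a, b): Fr(0) for a, b in product((0, 1), repeat=2)}
    # P2 outputs b_{i-1} = f(x^, y) for a uniform x^ in X (since i-1 < i*).
    p_out = {b: Fr(sum(1 for x in X if F[(x, y)] == b), len(X))
             for b in (0, 1)}
    # a_i: with probability alpha, i* = i and a_i = f(x', y);
    # otherwise a_i = f(x', y^) for a uniform y^ in Y.
    p_a = {0: Fr(0), 1: Fr(0)}
    p_a[F[(xp, y)]] += alpha
    for yh in Y:
        p_a[F[(xp, yh)]] += (1 - alpha) * Fr(1, len(Y))
    for a, b in dist:
        dist[(a, b)] = p_a[a] * p_out[b]   # independent in the hybrid world
    return dist


def ideal_joint(xp, y, abort_rule, alpha=ALPHA):
    """Same joint distribution in the ideal world with simulator S.
    abort_rule(xp, a) -> {input sent to the trusted party: probability}."""
    dist = {(a, b): Fr(0) for a, b in product((0, 1), repeat=2)}
    # i* = i: S already sent x' to the trusted party; both sides see f(x', y).
    z = F[(xp, y)]
    dist[(z, z)] += alpha
    # i* > i: a_i = f(x-bar, y^) for uniform y^; on abort S follows abort_rule.
    for yh in Y:
        a = F[(other(xp), yh)]
        for sent, p in abort_rule(xp, a).items():
            dist[(a, F[(sent, y)])] += (1 - alpha) * Fr(1, len(Y)) * p
    return dist


def paper_rule(xp, a):
    """Step 8(b) of S with the probabilities from the paper."""
    xb = other(xp)
    if a == 0:
        return {xb: Fr(1, 3), "x3": Fr(2, 3)}
    return {xp: Fr(1, 3), xb: Fr(1, 2), "x3": Fr(1, 6)}


def naive_rule(xp, a):
    """A simpler (hypothetical) simulator that always sends x-bar on abort."""
    return {other(xp): Fr(1)}


def simulator_matches(abort_rule):
    """True iff the hybrid and ideal joint distributions agree for every
    x' in {x1, x2} and y in Y, i.e. Eq. (7) holds for all four cases."""
    return all(hybrid_joint(xp, y) == ideal_joint(xp, y, abort_rule)
               for xp in ("x1", "x2") for y in Y)


if __name__ == "__main__":
    for xp in ("x1", "x2"):
        for y in Y:
            print(xp, y, dict(hybrid_joint(xp, y)), dict(ideal_joint(xp, y, paper_rule)))
    print("paper rule matches:", simulator_matches(paper_rule))
    print("naive rule matches:", simulator_matches(naive_rule))
```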
We present some basic conventions below, as well as the specification of a series of fail-stop adversaries that we will use in our proof.

Notation and conventions: We assume that A sends the first message in protocol $\Pi$, and B sends the last message. A round of $\Pi$ consists of a message from A followed by a message from B. If A aborts before sending its $i$-th-round message (but after sending the first $i-1$ messages), then
we denote by $b_{i-1}$ the value output by B (so B outputs $b_0$ if A sends nothing). If B aborts before sending its $i$-th-round message (but after sending the first $i-1$ messages), then we denote by $a_i$ the value output by A (so A outputs $a_1$ if B sends nothing). If neither party aborts, then B outputs $b_r$ and A outputs $a_{r+1}$.

Proof overview. We consider executions of $\Pi$ in which each party begins with input distributed uniformly in $\{x_0, x_1\}$ or $\{y_0, y_1\}$, respectively. We describe a series of $4r$ fail-stop adversaries $\{A_i^1, A_i^0, B_i^1, B_i^0\}_{i=1}^{r}$ where, intuitively, the aim of adversary $A_i^b$ is to guess B's input while simultaneously biasing B's output toward the bit $b$. (The aim of adversary $B_i^b$ is exactly analogous.) We show that if $r = O(\log n)$, then one of these adversaries succeeds with high probability even though, as explained next, this is not possible in the ideal world.

In the ideal world evaluation of $f$ (when B chooses its input at random in $\{y_0, y_1\}$), it is certainly possible for an adversary corrupting A to learn B's input with certainty (this follows from the fact that $f$ contains an embedded XOR), and it may be possible, depending on $f$, to bias B's output with certainty. It is not possible, however, to do both simultaneously with high probability. (We formally state and prove this below.) This gives us our desired contradiction whenever $r = O(\log n)$, and shows that no protocol with this many rounds can be completely fair.

Descriptions of the adversaries. Before giving the formal specification of the adversaries, we provide an intuitive description of adversary $A_i^1$. (The other adversaries rely on the same intuition.) $A_i^1$ chooses a random input $x \in \{x_0, x_1\}$ and runs the protocol honestly for $i-1$ rounds. It then computes the value it would output if B aborted the protocol at the current point, i.e., it computes $a_i$. If $a_i = 1$, then $A_i^1$ continues the protocol for one more round (hoping that this will cause B to output 1 also) and halts. If $a_i = 0$, then $A_i^1$ halts immediately (hoping that B's output does not yet match $A_i^1$'s, and that B will still output 1).
In addition to this behavior during the protocol, $A_i^1$ also guesses B's input, in the natural way, based on its own input value $x$ and the value of $a_i$ it computed. In particular, if $x = x_\sigma$ then $A_i^1$ guesses that B's input is $y_{a_i \oplus \sigma}$ (since $f(x_\sigma, y_{a_i \oplus \sigma}) = a_i$). Say B's input is $y$. Intuitively, because the protocol is completely fair, if the output that $A_i^1$ computes in round $i$ is biased toward the correct value of $f(x, y)$, it must be that the last message sent by $A_i^1$ has relatively limited relevance (i.e., that B would output the same bit whether $A_i^1$ sends its $i$-th round message or not). In particular, in the case of $A_r^1$, the computed output must be equal to $f(x, y)$ (with all but negligible probability), and therefore the last message of the protocol is, in some sense, unnecessary. Using induction (for a logarithmic number of steps) we will demonstrate that the same holds for each of the prior rounds, and conclude that a protocol running in $O(\log n)$ rounds can be transformed into an empty protocol in which neither party sends anything. This is, of course, impossible; therefore, no such protocol exists. We now formally describe the adversaries.

Adversary $A_i^1$:
1. Choose $x \leftarrow_R \{x_0, x_1\}$.
2. Run the honest A for the first $i-1$ rounds (using input $x$) and compute $a_i$:
(a) If $a_i = 1$ and $x = x_0$, then output guess($y = y_1$), send the $i$-th round message, and halt.
(b) If $a_i = 1$ and $x = x_1$, then output guess($y = y_0$), send the $i$-th round message, and halt.
(c) If $a_i = 0$ and $x = x_0$, then output guess($y = y_0$) and halt immediately.
(d) If $a_i = 0$ and $x = x_1$, then output guess($y = y_1$) and halt immediately.
Adversary $A_i^0$:
1. Choose $x \leftarrow_R \{x_0, x_1\}$.
2. Run the honest A for the first $i-1$ rounds (using input $x$) and compute $a_i$:
(a) If $a_i = 0$ and $x = x_0$, then output guess($y = y_0$), send the $i$-th round message, and halt.
(b) If $a_i = 0$ and $x = x_1$, then output guess($y = y_1$), send the $i$-th round message, and halt.
(c) If $a_i = 1$ and $x = x_0$, then output guess($y = y_1$) and halt immediately.
(d) If $a_i = 1$ and $x = x_1$, then output guess($y = y_0$) and halt immediately.

Adversary $B_i^1$:
1. Choose $y \leftarrow_R \{y_0, y_1\}$.
2. Run the honest B for the first $i-1$ rounds (using input $y$), receive A's $i$-th round message, and compute $b_i$:
(a) If $b_i = 1$ and $y = y_0$, then output guess($x = x_1$), send the $i$-th round message, and halt.
(b) If $b_i = 1$ and $y = y_1$, then output guess($x = x_0$), send the $i$-th round message, and halt.
(c) If $b_i = 0$ and $y = y_0$, then output guess($x = x_0$) and halt immediately.
(d) If $b_i = 0$ and $y = y_1$, then output guess($x = x_1$) and halt immediately.

Adversary $B_i^0$:
1. Choose $y \leftarrow_R \{y_0, y_1\}$.
2. Run the honest B for the first $i-1$ rounds (using input $y$), receive A's $i$-th round message, and compute $b_i$:
(a) If $b_i = 0$ and $y = y_0$, then output guess($x = x_0$), send the $i$-th round message, and halt.
(b) If $b_i = 0$ and $y = y_1$, then output guess($x = x_1$), send the $i$-th round message, and halt.
(c) If $b_i = 1$ and $y = y_0$, then output guess($x = x_1$) and halt immediately.
(d) If $b_i = 1$ and $y = y_1$, then output guess($x = x_0$) and halt immediately.

Success probability for $A_i^1$: As preparation for the proof that follows, we calculate the probability that $A_i^1$ succeeds in simultaneously guessing B's input $y$ correctly, and having B output 1. By construction, if (say) $A_i^1$ uses $x = x_0$ as input and obtains $a_i = 0$, then it guesses correctly iff $y = y_0$. Furthermore, since it received $a_i = 0$ it does not send its $i$-th round message; thus, by our notation, B outputs 1 iff $b_{i-1} = 1$.
There are three other possible ways for this to occur as well:
$$\begin{aligned} \Pr[A_i^1 \text{ guesses } y \wedge \text{B outputs } 1] &= \Pr[x = x_0 \wedge y = y_0 \wedge a_i = 0 \wedge b_{i-1} = 1] \\ &\quad + \Pr[x = x_0 \wedge y = y_1 \wedge a_i = 1 \wedge b_i = 1] \\ &\quad + \Pr[x = x_1 \wedge y = y_1 \wedge a_i = 0 \wedge b_{i-1} = 1] \\ &\quad + \Pr[x = x_1 \wedge y = y_0 \wedge a_i = 1 \wedge b_i = 1]. \end{aligned}$$
The calculations are similar for $A_i^0$, $B_i^1$, and $B_i^0$ so we present them with no further explanation.
Success probability for $A_i^0$:
$$\begin{aligned} \Pr[A_i^0 \text{ guesses } y \wedge \text{B outputs } 0] &= \Pr[x = x_0 \wedge y = y_0 \wedge a_i = 0 \wedge b_i = 0] \\ &\quad + \Pr[x = x_0 \wedge y = y_1 \wedge a_i = 1 \wedge b_{i-1} = 0] \\ &\quad + \Pr[x = x_1 \wedge y = y_1 \wedge a_i = 0 \wedge b_i = 0] \\ &\quad + \Pr[x = x_1 \wedge y = y_0 \wedge a_i = 1 \wedge b_{i-1} = 0]. \end{aligned}$$

Success probability for $B_i^1$:
$$\begin{aligned} \Pr[B_i^1 \text{ guesses } x \wedge \text{A outputs } 1] &= \Pr[y = y_0 \wedge x = x_0 \wedge b_i = 0 \wedge a_i = 1] \\ &\quad + \Pr[y = y_0 \wedge x = x_1 \wedge b_i = 1 \wedge a_{i+1} = 1] \\ &\quad + \Pr[y = y_1 \wedge x = x_1 \wedge b_i = 0 \wedge a_i = 1] \\ &\quad + \Pr[y = y_1 \wedge x = x_0 \wedge b_i = 1 \wedge a_{i+1} = 1]. \end{aligned}$$

Success probability for $B_i^0$:
$$\begin{aligned} \Pr[B_i^0 \text{ guesses } x \wedge \text{A outputs } 0] &= \Pr[y = y_0 \wedge x = x_0 \wedge b_i = 0 \wedge a_{i+1} = 0] \\ &\quad + \Pr[y = y_0 \wedge x = x_1 \wedge b_i = 1 \wedge a_i = 0] \\ &\quad + \Pr[y = y_1 \wedge x = x_1 \wedge b_i = 0 \wedge a_{i+1} = 0] \\ &\quad + \Pr[y = y_1 \wedge x = x_0 \wedge b_i = 1 \wedge a_i = 0]. \end{aligned}$$

5.2 The Proof

We begin by showing that, in the ideal model, it is impossible for an adversary to bias the output of the honest party while simultaneously guessing the honest party's input, with probability greater than 1/2. Note that an adversary can certainly do one or the other. For example, if the honest B uses input $y \leftarrow_R \{y_0, y_1\}$ and an adversarial A uses input $x_0$, then A learns the input of B (by observing if the output is 0 or 1). Furthermore, if there exists a value $x$ for which $f(x, y_0) = f(x, y_1) = 1$ then A can completely bias the output of B to be 1.⁶ In the first case, however, B's output is a random bit; in the second case, A learns no information about B's input. The following claim proves that these two extremes represent, in some sense, the best possible strategies:

Claim 7 Consider an ideal-world evaluation of $f$ (with complete fairness), where the honest party B chooses its input $y$ uniformly from $\{y_0, y_1\}$ and the corrupted A outputs a guess for $y$ following its interaction with the trusted party. For any A and any $\sigma \in \{0, 1\}$, it holds that
$$\Pr[A \text{ guesses } y \wedge \text{B outputs } \sigma] \le \tfrac{1}{2}.$$
An analogous claim holds for the case when A is honest.

Proof: We consider the case of an honest B. Let $X_0 \stackrel{\mathrm{def}}{=} \{x \mid f(x, y_0) = f(x, y_1) = 0\}$, and likewise $X_1 \stackrel{\mathrm{def}}{=} \{x \mid f(x, y_0) = f(x, y_1) = 1\}$. Let $\bar{X} = \{x \mid f(x, y_0) \neq f(x, y_1)\}$. Note that $X_0$, $X_1$, and $\bar{X}$ partition the set of all inputs for A.
In the following, when we say A sends $x$ we mean that it sends $x$ to the trusted party in the ideal model.

⁶ We stress that this is different from the case of boolean XOR, where it is impossible to bias the honest party's output at all in the ideal model (when the honest party uses a random input).
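Claim 7 can be checked exhaustively for a concrete function. The following Python script is an added example, not code from the paper: it takes the table for $f$ from Section 4.2 (the pair $(x_1, x_2) \times (y_1, y_2)$ is an embedded XOR and $x_3$ forces output 1), computes the partition $X_0, X_1, \bar{X}$ used in the proof, and maximizes $\Pr[A \text{ guesses } y \wedge B \text{ outputs } \sigma]$ over every deterministic ideal-world strategy (choice of $x$ plus a guess for each observed output). A randomized A is a mixture of these strategies, so the maximum bounds it as well.

```python
from fractions import Fraction as Fr
from itertools import product

# Constructed input: the function f of Section 4.2 as a table.
# f(x1,y1)=0, f(x1,y2)=1, f(x2,y1)=1, f(x2,y2)=0 (embedded XOR); f(x3,.)=1.
F = {("x1", "y1"): 0, ("x1", "y2"): 1,
     ("x2", "y1"): 1, ("x2", "y2"): 0,
     ("x3", "y1"): 1, ("x3", "y2"): 1}
X = ("x1", "x2", "x3")
Y0, Y1 = "y1", "y2"   # the two values the honest B picks from uniformly


def partition(F, X, y0, y1):
    """The sets X_0, X_1 and X-bar from the proof of Claim 7."""
    x_0 = tuple(x for x in X if F[(x, y0)] == 0 and F[(x, y1)] == 0)
    x_1 = tuple(x for x in X if F[(x, y0)] == 1 and F[(x, y1)] == 1)
    x_bar = tuple(x for x in X if F[(x, y0)] != F[(x, y1)])
    return x_0, x_1, x_bar


def success(F, x, guess, sigma, y0, y1):
    """Pr[A guesses y AND B outputs sigma] in the ideal world when A sends x
    to the trusted party and then guesses guess[z] after seeing output z.
    With complete fairness both parties receive f(x, y); B's y is uniform
    in {y0, y1}, so each value of y carries weight 1/2."""
    total = Fr(0)
    for y in (y0, y1):
        z = F[(x, y)]
        if z == sigma and guess[z] == y:
            total += Fr(1, 2)
    return total


def best_strategy(F, X, sigma, y0, y1):
    """Maximum of success() over all deterministic strategies (x, guess map);
    returns (probability, (x, guess_if_0, guess_if_1))."""
    best, arg = Fr(0), None
    for x in X:
        for g0, g1 in product((y0, y1), repeat=2):
            p = success(F, x, {0: g0, 1: g1}, sigma, y0, y1)
            if p > best:
                best, arg = p, (x, g0, g1)
    return best, arg


def learn_with_certainty(F, X, y0, y1):
    """The 'learn only' extreme: send x in X-bar and guess the unique y
    consistent with the output. Returns Pr[guess correct] for each such x."""
    _, _, x_bar = partition(F, X, y0, y1)
    probs = []
    for x in x_bar:
        guess = {F[(x, y0)]: y0, F[(x, y1)]: y1}
        probs.append(sum((Fr(1, 2) for y in (y0, y1) if guess[F[(x, y)]] == y), Fr(0)))
    return probs


if __name__ == "__main__":
    print("X_0, X_1, X-bar:", partition(F, X, Y0, Y1))
    for sigma in (0, 1):
        print("sigma =", sigma, "best joint success:", best_strategy(F, X, sigma, Y0, Y1))
    print("learn-only success per x in X-bar:", learn_with_certainty(F, X, Y0, Y1))
```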
Fix any $\sigma \in \{0, 1\}$. Clearly $\Pr[A \text{ guesses } y \wedge \text{B outputs } \sigma \mid A \text{ sends } x \in X_{1-\sigma}] = 0$ since B always outputs $1-\sigma$ when A sends $x \in X_{1-\sigma}$. Also,
$$\Pr[A \text{ guesses } y \wedge \text{B outputs } \sigma \mid A \text{ sends } x \in X_\sigma] = \Pr[A \text{ guesses } y \mid A \text{ sends } x \in X_\sigma] = \tfrac{1}{2},$$
where the first equality is because when A sends $x \in X_\sigma$, then party B always outputs $\sigma$ and the second equality is because, in that case, A learns no information about B's input (which was chosen uniformly from $\{y_0, y_1\}$). Finally,
$$\Pr[A \text{ guesses } y \wedge \text{B outputs } \sigma \mid A \text{ sends } x \in \bar{X}] \le \Pr[\text{B outputs } \sigma \mid A \text{ sends } x \in \bar{X}] = \tfrac{1}{2},$$
because B's input is chosen uniformly from $\{y_0, y_1\}$. We thus have
$$\begin{aligned} \Pr[A \text{ guesses } y \wedge \text{B outputs } \sigma] &= \Pr[A \text{ guesses } y \wedge \text{B outputs } \sigma \wedge A \text{ sends } x \in X_{1-\sigma}] \\ &\quad + \Pr[A \text{ guesses } y \wedge \text{B outputs } \sigma \wedge A \text{ sends } x \in X_\sigma] \\ &\quad + \Pr[A \text{ guesses } y \wedge \text{B outputs } \sigma \wedge A \text{ sends } x \in \bar{X}] \\ &= \Pr[A \text{ guesses } y \wedge \text{B outputs } \sigma \mid A \text{ sends } x \in X_{1-\sigma}] \cdot \Pr[A \text{ sends } x \in X_{1-\sigma}] \\ &\quad + \Pr[A \text{ guesses } y \wedge \text{B outputs } \sigma \mid A \text{ sends } x \in X_\sigma] \cdot \Pr[A \text{ sends } x \in X_\sigma] \\ &\quad + \Pr[A \text{ guesses } y \wedge \text{B outputs } \sigma \mid A \text{ sends } x \in \bar{X}] \cdot \Pr[A \text{ sends } x \in \bar{X}] \\ &\le \tfrac{1}{2} \big(\Pr[A \text{ sends } x \in X_\sigma] + \Pr[A \text{ sends } x \in \bar{X}]\big) \le \tfrac{1}{2}, \end{aligned}$$
proving the claim.

The above claim, along with the assumed security of $\Pi$ (with complete fairness), implies that for every inverse polynomial $\mu = 1/\mathrm{poly}$ we have
$$\Pr[B_i^0 \text{ guesses } x \wedge \text{A outputs } 0] \le \tfrac{1}{2} + \mu(n) \qquad (18)$$
$$\Pr[B_i^1 \text{ guesses } x \wedge \text{A outputs } 1] \le \tfrac{1}{2} + \mu(n) \qquad (19)$$
$$\Pr[A_i^0 \text{ guesses } y \wedge \text{B outputs } 0] \le \tfrac{1}{2} + \mu(n) \qquad (20)$$
$$\Pr[A_i^1 \text{ guesses } y \wedge \text{B outputs } 1] \le \tfrac{1}{2} + \mu(n) \qquad (21)$$
for sufficiently large $n$ and all $1 \le i \le r(n)$.

We now prove a claim that states, informally, that if both parties can compute the correct output with high probability after running $i$ rounds of $\Pi$, then they can also compute the correct output with high probability even when B does not send its $i$-th-round message.

Claim 8 Fix a function $\mu$ and a value of $n$ for which Equations (18)–(21) hold for $1 \le i \le r(n)$, and let $\mu = \mu(n)$. For any $1 \le i \le r(n)$, if the following inequalities hold:
$$\Pr[y = y_0 \wedge x = x_1 \wedge b_i = 1 \wedge a_{i+1} = 1] \ge \tfrac{1}{4} - \mu \qquad (22)$$
$$\Pr[y = y_1 \wedge x = x_0 \wedge b_i = 1 \wedge a_{i+1} = 1] \ge \tfrac{1}{4} - \mu \qquad (23)$$
$$\Pr[y = y_0 \wedge x = x_0 \wedge b_i = 0 \wedge a_{i+1} = 0] \ge \tfrac{1}{4} - \mu \qquad (24)$$
$$\Pr[y = y_1 \wedge x = x_1 \wedge b_i = 0 \wedge a_{i+1} = 0] \ge \tfrac{1}{4} - \mu \qquad (25)$$
when $x$ is chosen uniformly from $\{x_0, x_1\}$ and $y$ is chosen uniformly from $\{y_0, y_1\}$, then:
$$\Pr[y = y_0 \wedge x = x_1 \wedge b_i = 1 \wedge a_i = 1] \ge \tfrac{1}{4} - 4\mu \qquad (26)$$
$$\Pr[y = y_1 \wedge x = x_0 \wedge b_i = 1 \wedge a_i = 1] \ge \tfrac{1}{4} - 4\mu \qquad (27)$$
$$\Pr[y = y_0 \wedge x = x_0 \wedge b_i = 0 \wedge a_i = 0] \ge \tfrac{1}{4} - 4\mu \qquad (28)$$
$$\Pr[y = y_1 \wedge x = x_1 \wedge b_i = 0 \wedge a_i = 0] \ge \tfrac{1}{4} - 4\mu \qquad (29)$$
when $x$ and $y$ are chosen in the same way.

The first four equations represent the probability with which both parties receive correct output after executing the first $i$ rounds of $\Pi$ (i.e., after B sends its message in round $i$), for all possible choices of their inputs. The last four equations consider the same event, but when B does not send its message in round $i$. The claim asserts that the fact that B does not send its message in round $i$ has a limited effect on the probability with which the parties obtain correct outputs.

Proof: We first prove Equation (26). That $\Pr[y = y_0 \wedge x = x_1 \wedge b_i = 1 \wedge a_i = 1] \le \tfrac{1}{4} + 4\mu$ is immediate, since $\Pr[y = y_0 \wedge x = x_1] = \tfrac{1}{4}$. We must therefore prove the corresponding lower bound. Combining Equations (18), (24), and (25), and using our earlier calculation for the success probability for $B_i^0$, we obtain
$$\begin{aligned} \tfrac{1}{2} + \mu &\ge \Pr[B_i^0 \text{ guesses } x \wedge \text{A outputs } 0] \\ &= \Pr[y = y_0 \wedge x = x_0 \wedge b_i = 0 \wedge a_{i+1} = 0] + \Pr[y = y_0 \wedge x = x_1 \wedge b_i = 1 \wedge a_i = 0] \\ &\quad + \Pr[y = y_1 \wedge x = x_1 \wedge b_i = 0 \wedge a_{i+1} = 0] + \Pr[y = y_1 \wedge x = x_0 \wedge b_i = 1 \wedge a_i = 0] \\ &\ge \tfrac{1}{4} - \mu + \Pr[y = y_0 \wedge x = x_1 \wedge b_i = 1 \wedge a_i = 0] + \tfrac{1}{4} - \mu + \Pr[y = y_1 \wedge x = x_0 \wedge b_i = 1 \wedge a_i = 0] \\ &= \Pr[y = y_0 \wedge x = x_1 \wedge b_i = 1 \wedge a_i = 0] + \Pr[y = y_1 \wedge x = x_0 \wedge b_i = 1 \wedge a_i = 0] + \tfrac{1}{2} - 2\mu, \end{aligned}$$
implying
$$\Pr[y = y_0 \wedge x = x_1 \wedge b_i = 1 \wedge a_i = 0] \le 3\mu. \qquad (30)$$
We also have
$$\begin{aligned} \Pr[y = y_0 \wedge x = x_1 \wedge b_i = 1 \wedge a_i = 0] + \Pr[y = y_0 \wedge x = x_1 \wedge b_i = 1 \wedge a_i = 1] &= \Pr[y = y_0 \wedge x = x_1 \wedge b_i = 1] \\ &\ge \Pr[y = y_0 \wedge x = x_1 \wedge b_i = 1 \wedge a_{i+1} = 1] \\ &\ge \tfrac{1}{4} - \mu, \end{aligned}$$
using Equation (22) for the final inequality. Combined with Eq. (30), we conclude that
$$\Pr[y = y_0 \wedge x = x_1 \wedge b_i = 1 \wedge a_i = 1] \ge \tfrac{1}{4} - 4\mu,$$
proving Equation (26). Using a symmetric argument, we can similarly prove Equation (27). Using an exactly analogous argument, but with adversary $B_i^1$ in place of $B_i^0$, we can prove Equations (28) and (29).

The proof of the following claim exactly parallels the proof of the preceding claim, but using adversaries $A_i^0$ and $A_i^1$ instead of adversaries $B_i^0$ and $B_i^1$.

Claim 9 Fix a function $\mu$ and a value of $n$ for which Equations (18)–(21) hold for $1 \le i \le r(n)$, and let $\mu = \mu(n)$. For any $1 \le i \le r(n)$, if the following inequalities hold:
$$\Pr[y = y_0 \wedge x = x_1 \wedge b_i = 1 \wedge a_i = 1] \ge \tfrac{1}{4} - \mu$$
$$\Pr[y = y_1 \wedge x = x_0 \wedge b_i = 1 \wedge a_i = 1] \ge \tfrac{1}{4} - \mu$$
$$\Pr[y = y_0 \wedge x = x_0 \wedge b_i = 0 \wedge a_i = 0] \ge \tfrac{1}{4} - \mu$$
$$\Pr[y = y_1 \wedge x = x_1 \wedge b_i = 0 \wedge a_i = 0] \ge \tfrac{1}{4} - \mu$$
when $x$ is chosen uniformly from $\{x_0, x_1\}$ and $y$ is chosen uniformly from $\{y_0, y_1\}$, then:
$$\Pr[y = y_0 \wedge x = x_1 \wedge b_{i-1} = 1 \wedge a_i = 1] \ge \tfrac{1}{4} - 4\mu$$
$$\Pr[y = y_1 \wedge x = x_0 \wedge b_{i-1} = 1 \wedge a_i = 1] \ge \tfrac{1}{4} - 4\mu$$
$$\Pr[y = y_0 \wedge x = x_0 \wedge b_{i-1} = 0 \wedge a_i = 0] \ge \tfrac{1}{4} - 4\mu$$
$$\Pr[y = y_1 \wedge x = x_1 \wedge b_{i-1} = 0 \wedge a_i = 0] \ge \tfrac{1}{4} - 4\mu$$
when $x$ and $y$ are chosen in the same way.

We now prove the following theorem.

Theorem 5.1 Let $f$ be a two-party function containing an embedded XOR. Then any protocol securely computing $f$ with complete fairness (assuming one exists) requires $\omega(\log n)$ rounds.

Proof: Let $\Pi$ be a protocol computing $f$ with complete fairness using $r = r(n)$ rounds. Set $\mu = 1/\mathrm{poly}(n)$ for some polynomial to be fixed later. By correctness of $\Pi$, we have that for $n$ sufficiently large
$$\Pr[y = y_0 \wedge x = x_1 \wedge b_r = 1 \wedge a_{r+1} = 1] \ge \tfrac{1}{4} - \mu(n)$$
$$\Pr[y = y_1 \wedge x = x_0 \wedge b_r = 1 \wedge a_{r+1} = 1] \ge \tfrac{1}{4} - \mu(n)$$
$$\Pr[y = y_0 \wedge x = x_0 \wedge b_r = 0 \wedge a_{r+1} = 0] \ge \tfrac{1}{4} - \mu(n)$$
$$\Pr[y = y_1 \wedge x = x_1 \wedge b_r = 0 \wedge a_{r+1} = 0] \ge \tfrac{1}{4} - \mu(n)$$
when $x$ and $y$ are chosen uniformly from $\{x_0, x_1\}$ and $\{y_0, y_1\}$, respectively. Taking $n$ large enough so that Equations (18)–(21) also hold for $1 \le i \le r(n)$, we see that Claim 8 may be applied with $i = r$. Since the conclusion of Claim 8 is the assumption of Claim 9 and vice versa, the claims can be repeatedly applied $r$ times, yielding:
$$\Pr[y = y_0 \wedge x = x_1 \wedge b_0 = 1 \wedge a_1 = 1] \ge \tfrac{1}{4} - 4^{2r(n)} \cdot \mu(n)$$
$$\Pr[y = y_1 \wedge x = x_0 \wedge b_0 = 1 \wedge a_1 = 1] \ge \tfrac{1}{4} - 4^{2r(n)} \cdot \mu(n)$$
$$\Pr[y = y_0 \wedge x = x_0 \wedge b_0 = 0 \wedge a_1 = 0] \ge \tfrac{1}{4} - 4^{2r(n)} \cdot \mu(n)$$
$$\Pr[y = y_1 \wedge x = x_1 \wedge b_0 = 0 \wedge a_1 = 0] \ge \tfrac{1}{4} - 4^{2r(n)} \cdot \mu(n).$$
If $r = O(\log n)$, then $p(n) \stackrel{\mathrm{def}}{=} 4^{2r(n)}$ is polynomial. Taking $\mu(n) = 1/16p(n)$ implies that, for $n$ sufficiently large, A and B can both correctly compute (with probability at least 3/4) the value $f(x, y)$, for all $x \in \{x_0, x_1\}$ and $y \in \{y_0, y_1\}$, without any interaction at all. This is impossible, and so we conclude that $r = \omega(\log n)$.
38 [22] S. D. Gordon and J. Katz. Partal farness n secure two-party computaton. In Advances n Cryptology Eurocrypt 2010, volume 6110 of LNCS, pages Sprnger, [23] J. Klan. Foundng cryptography on oblvous transfer. In 20th Annual ACM Symposum on Theory of Computng (STOC), pages ACM Press, [24] J. Klan. A general completeness theorem for two-party games. In 23rd Annual ACM Symposum on Theory of Computng (STOC), pages ACM Press, [25] Y. Lndell. Parallel con-tossng and constant-round secure two-party computaton. Journal of Cryptology, 16(3): , [26] M. Luby, S. Mcal, and C. Rackoff. How to smultaneously exchange a secret bt by flppng a symmetrcally-based con. In 24th Annual Symposum on Foundatons of Computer Scence (FOCS), pages IEEE, [27] S. Mcal and P. Rogaway. Secure computaton. In Advances n Cryptology Crypto 91, volume 576 of LNCS, pages Sprnger, [28] T. Moran, M. Naor, and G. Segev. An optmally far con toss. In 6th Theory of Cryptography Conference TCC 2009, volume 5444 of LNCS, pages Sprnger, [29] B. Pnkas. Far secure two-party computaton. In Advances n Cryptology Eurocrypt 2003, volume 2656 of LNCS, pages Sprnger, [30] T. Rabn and M. Ben-Or. Verfable secret sharng and multparty protocols wth honest maorty. In 21st Annual ACM Symposum on Theory of Computng (STOC), pages ACM Press, [31] A. C. Yao. Protocols for secure computatons. In 23rd Annual Symposum on Foundatons of Computer Scence (FOCS), pages IEEE, [32] A. C.-C. Yao. How to generate and exchange secrets. In 27th Annual Symposum on Foundatons of Computer Scence (FOCS), pages IEEE, A Complete Farness for Other Functons usng Protocol 2 A.1 Prelmnary Dscusson Before specfyng the more general functons for whch Protocol 2 (cf. Fgure 4) can be appled, we brefly dscuss how we chose the value α = 1/5 for the specfc f of Secton 4.2. Ths wll provde some ntuton that wll be helpful n the secton that follows. 
It should be clear that our entire discussion in this appendix assumes the specific simulation strategy described in the proof of Theorem 4.1. It may be the case that a different simulation strategy would allow for other values of $\alpha$, or there may exist a different protocol altogether for computing $f$.

Consider the case of a malicious $P_1$ who aborts after receiving its iteration-$i$ message, and let the parties' inputs be $x = x_1$, $y = y_1$ (note $f(x_1, y_1) = 0$). We use the notation as in the proof of Claim 5, so that $\mathrm{view}^i_{\mathrm{hyb}}$ denotes the value $a_i$ that $P_1$ reconstructs in iteration $i$ and $\mathrm{out}^i_{\mathrm{hyb}}$ denotes the output of the honest $P_2$. The protocol itself ensures that in the hybrid world we have
$$\Pr\big[(\mathrm{view}^i_{\mathrm{hyb}}(x_1, y_1), \mathrm{out}^i_{\mathrm{hyb}}(x_1, y_1)) = (0, 0)\big] = \Pr[\mathrm{view}^i_{\mathrm{hyb}}(x_1, y_1) = 0] \cdot \Pr[\mathrm{out}^i_{\mathrm{hyb}}(x_1, y_1) = 0],$$
since $\mathrm{out}^i_{\mathrm{hyb}} = b_{i-1}$ is independent of $\mathrm{view}^i_{\mathrm{hyb}} = a_i$ when $i \le i^*$. We have
$$\Pr[\mathrm{out}^i_{\mathrm{hyb}}(x_1, y_1) = 0] = \Pr_{\hat x \in X}[f(\hat x, y_1) = 0] = 1/3$$
and
$$\begin{aligned}\Pr[\mathrm{view}^i_{\mathrm{hyb}}(x_1, y_1) = 0] &= \alpha \cdot \Pr[\mathrm{view}^i_{\mathrm{hyb}}(x_1, y_1) = 0 \mid i^* = i] + (1-\alpha) \cdot \Pr[\mathrm{view}^i_{\mathrm{hyb}}(x_1, y_1) = 0 \mid i^* > i] \\ &= \alpha + (1-\alpha) \cdot \Pr_{\hat y \in Y}[f(x_1, \hat y) = 0] = \alpha + (1-\alpha) \cdot \tfrac{1}{2},\end{aligned}$$
where the first equality holds since $\Pr[i^* = i] = \alpha$. Putting everything together we see that
$$\Pr\big[(\mathrm{view}^i_{\mathrm{hyb}}(x_1, y_1), \mathrm{out}^i_{\mathrm{hyb}}(x_1, y_1)) = (0, 0)\big] = \tfrac{1}{3}\left(\alpha + (1-\alpha) \cdot \tfrac{1}{2}\right).$$
In the ideal world, our simulation strategy ensures that, conditioned on $i \le i^*$, the simulator $\mathcal{S}$ sends $x = x_1$ to the trusted party with probability $\alpha$; when this occurs, the simulator will then set $\mathrm{view}^i_{\mathrm{ideal}} = a_i = f(x_1, y_1) = 0$, and the honest party $P_2$ will output $f(x_1, y_1) = 0$. Therefore, regardless of anything else the simulator might do,
$$\Pr\big[(\mathrm{view}^i_{\mathrm{ideal}}(x_1, y_1), \mathrm{out}^i_{\mathrm{ideal}}(x_1, y_1)) = (0, 0)\big] \ge \alpha.$$
If we want the ideal-world and hybrid-world distributions to be equal, then this requires
$$\alpha \le \tfrac{1}{3}\left(\alpha + (1-\alpha) \cdot \tfrac{1}{2}\right),$$
which is equivalent to requiring $\alpha \le 1/5$. A similar argument applied to the other possible values for $x, y$ shows that $\alpha \le 1/5$ suffices for all of them. Setting $\alpha = 1/5$ minimizes the number of rounds of the protocol.

Having fixed the value of $\alpha$, we now explain how we determined the simulator's actions (for a malicious $P_1$) in step 8(b). We begin by introducing some notation that we will also use in the following section. Define $p_x \stackrel{\text{def}}{=} \Pr_{\hat y \in Y}[f(x, \hat y) = 1]$ and, similarly, define $p_y \stackrel{\text{def}}{=} \Pr_{\hat x \in X}[f(\hat x, y) = 1]$. Let $\tilde x$ be as in the description of $\mathcal{S}$ in the proof of Claim 5. If $\mathcal{A}$ aborts in round $i < i^*$ after receiving the bit $a_i$, then we denote the event that $\mathcal{S}$ sends $\tilde x$ to the ideal functionality computing $f$ by $X^{(a_i)}_{x \to \tilde x}$.
Using this notation, we have from step 8(b) of $\mathcal{S}$ that:
$$\Pr[X^{(1)}_{x_1 \to x_1}] = \tfrac{1}{3}, \qquad \Pr[X^{(1)}_{x_1 \to x_2}] = \tfrac{1}{2}, \qquad \Pr[X^{(1)}_{x_1 \to x_3}] = \tfrac{1}{6}.$$
Consider once again the case $x = x_1$ and $y = y_1$. In the hybrid world, by construction of Protocol 2, we have
$$\Pr\big[(\mathrm{view}^i_{\mathrm{hyb}}(x_1, y_1), \mathrm{out}^i_{\mathrm{hyb}}(x_1, y_1)) = (1, 1)\big] = \Pr[\mathrm{view}^i_{\mathrm{hyb}}(x_1, y_1) = 1] \cdot \Pr[\mathrm{out}^i_{\mathrm{hyb}}(x_1, y_1) = 1] = (1-\alpha)\, p_{x_1}\, p_{y_1}.$$
(Note that if $i^* = i$, which occurs with probability $\alpha$, then $a_i = f(x_1, y_1) = 0$.) Because of the way $\mathcal{S}$ is defined, in the ideal world we have
$$\begin{aligned}\Pr\big[(\mathrm{view}^i_{\mathrm{ideal}}(x_1, y_1), \mathrm{out}^i_{\mathrm{ideal}}(x_1, y_1)) = (1, 1)\big] &= \Pr[\mathrm{view}^i_{\mathrm{ideal}}(x_1, y_1) = 1] \cdot \Pr[\mathrm{out}^i_{\mathrm{ideal}}(x_1, y_1) = 1 \mid \mathrm{view}^i_{\mathrm{ideal}}(x_1, y_1) = 1] \\ &= (1-\alpha)\, p_{x_1} \left(\Pr[X^{(1)}_{x_1 \to x_2}] + \Pr[X^{(1)}_{x_1 \to x_3}]\right).\end{aligned}$$
If we want these to be equal, this requires
$$\Pr[X^{(1)}_{x_1 \to x_2}] + \Pr[X^{(1)}_{x_1 \to x_3}] = p_{y_1} = \tfrac{2}{3}.$$
Proceeding similarly for the case when $x = x_1$ and $y = y_2$ and looking at the probability that $a_i = 0$ and the output of $P_2$ is 1, we derive
$$\Pr[X^{(1)}_{x_1 \to x_1}] + \Pr[X^{(1)}_{x_1 \to x_3}] = \frac{\alpha\,(p_{y_2} - 1)}{(1-\alpha)(1 - p_{x_1})} + p_{y_2} = \tfrac{1}{2}.$$
Combining the above two with the constraint that
$$\Pr[X^{(1)}_{x_1 \to x_1}] + \Pr[X^{(1)}_{x_1 \to x_2}] + \Pr[X^{(1)}_{x_1 \to x_3}] = 1$$
we obtain the unique feasible values used in step 8(b) of $\mathcal{S}$ (for the case $x = x_1$). The case of $x = x_2$ follows via a similar analysis.

Looking at the problem more generally, we observe that for certain functions $f$ (e.g., the boolean XOR function), the problem is over-constrained and no feasible solution exists (regardless of the choice of $\alpha$). In the following section we will argue that our protocol can be applied to any function $f$ for which the above constraints can be satisfied for all possible inputs $x, y$.

A.2 Characterization of Functions for which Protocol 2 Applies

In this section we characterize a class of functions that can be securely computed with complete fairness using Protocol 2. The proof is a generalization of the proof from Section 4.2.

Notation. We assume a single-output, boolean function $f : X \times Y \to \{0, 1\}$ defined over a finite domain, where $X = \{x_1, \ldots, x_l\}$ and $Y = \{y_1, \ldots, y_m\}$.
We let $M_f$ denote the $l \times m$ matrix whose entry at position $(i, j)$ is $f(x_i, y_j)$, and let $v_y$ denote the column of $M_f$ corresponding to the input $y$ of $P_2$. For every input $x \in X$ of player $P_1$ we define $p_x \stackrel{\text{def}}{=} \Pr_{\hat y \in Y}[f(x, \hat y) = 1]$, where $\hat y$ is chosen uniformly from the domain $Y$ of player $P_2$. Equivalently, $p_x = \frac{1}{m} \sum_{y \in Y} f(x, y)$. We define $p_y$, for $y \in Y$, symmetrically. In addition, let $\bar p_x \stackrel{\text{def}}{=} 1 - p_x$ and $\bar p_y \stackrel{\text{def}}{=} 1 - p_y$. We set $\alpha$ as follows:
$$\alpha \stackrel{\text{def}}{=} \min_{(i,j)} \left\{ \frac{\big|1 - f(x_i, y_j) - p_{x_i}\big| \cdot \big|1 - f(x_i, y_j) - p_{y_j}\big|}{\big|1 - f(x_i, y_j) - p_{x_i}\big| \cdot \big|1 - f(x_i, y_j) - p_{y_j}\big| + \big|f(x_i, y_j) - p_{y_j}\big|} \right\}, \qquad (31)$$
where the minimum is taken over $1 \le i \le l$ and $1 \le j \le m$. By simple calculation, one can show that $0 < \alpha \le 1$ and, in fact, $\alpha < 1$ unless $f$ is a constant function (in which case completely fair computation of $f$ is trivial). Using this value of $\alpha$ we define, for $x \in X$, the $m$-dimensional row vector $C^{(0)}_x$, indexed by $y \in Y$, as follows:
$$C^{(0)}_x(y) \stackrel{\text{def}}{=} \begin{cases} p_y & \text{if } f(x, y) = 1 \\[4pt] \dfrac{\alpha\, p_y}{(1-\alpha)\,\bar p_x} + p_y & \text{if } f(x, y) = 0. \end{cases}$$
Similarly, we define $C^{(1)}_x$ via:
$$C^{(1)}_x(y) \stackrel{\text{def}}{=} \begin{cases} \dfrac{\alpha\,(p_y - 1)}{(1-\alpha)\, p_x} + p_y & \text{if } f(x, y) = 1 \\[4pt] p_y & \text{if } f(x, y) = 0. \end{cases}$$
(The denominators, above, are never 0.) A row vector $(p_1, \ldots, p_l)$ of real numbers is a probability vector if $0 \le p_i \le 1$ for all $i$, and $\sum_i p_i = 1$. We are now ready to prove the following:

Theorem A.1 Let $f$ be a single-output, boolean function, and let $M_f$ and $C^{(b)}_x$ be as defined above. If for all $b \in \{0, 1\}$ and $x \in X$ there exists a probability vector $X^{(b)}_x = (p_1, \ldots, p_l)$ such that $X^{(b)}_x \cdot M_f = C^{(b)}_x$, then there exists a protocol that securely computes $f$ with complete fairness.

Proof: We take Protocol 2 with $\alpha$ computed as in Eq. (31). Simulation for a corrupted $P_2$ follows exactly along the lines of the proof of Claim 4; recall that the simulator in that case did not rely on any specific properties of the function $f$ or the value of $\alpha$. We therefore focus our attention on the case when the adversary $\mathcal{A}$ corrupts $P_1$. In this case, our simulator $\mathcal{S}$ is almost identical to the simulator described in the proof of Claim 5 (except, of course, that it uses the appropriate value of $\alpha$); the only significant change is how we deal with an abort in iteration $i < i^*$ (this corresponds to step 8(b) in the simulator from the proof of Claim 5). For completeness, we describe the modified simulator in its entirety, although we once again ignore the presence of the MAC-tags and keys for simplicity.

1. $\mathcal{S}$ invokes $\mathcal{A}$ on the input $x$, the auxiliary input, and the security parameter $n$. The simulator also chooses $\hat x \in X$ uniformly at random.
2. $\mathcal{S}$ receives the input $x$ of $\mathcal{A}$ to the computation of the functionality ShareGen.
(a) If $x \notin X$, then $\mathcal{S}$ hands $\perp$ to $\mathcal{A}$ as its output from the computation of ShareGen, sends $\hat x$ to the trusted party computing $f$, outputs whatever $\mathcal{A}$ outputs, and halts.
(b) Otherwise, if the input is some $x \in X$, then $\mathcal{S}$ chooses uniformly distributed shares $a^{(1)}_1, \ldots, a^{(1)}_m$ and $b^{(1)}_1, \ldots, b^{(1)}_m$. Then, $\mathcal{S}$ gives these shares to $\mathcal{A}$ as its output from the computation of ShareGen.
3. If $\mathcal{A}$ sends abort to the trusted party computing ShareGen, then $\mathcal{S}$ sends $\hat x$ to the trusted party computing $f$, outputs whatever $\mathcal{A}$ outputs, and halts. Otherwise (i.e., if $\mathcal{A}$ sends continue), $\mathcal{S}$ proceeds as below.
4. Choose $i^*$ according to a geometric distribution with parameter $\alpha$.
5. For $i = 1$ to $i^* - 1$:
(a) $\mathcal{S}$ chooses $\hat y \in Y$ uniformly at random, computes $a_i = f(x, \hat y)$, and sets $a^{(2)}_i = a^{(1)}_i \oplus a_i$. It gives $a^{(2)}_i$ to $\mathcal{A}$.
(b) If $\mathcal{A}$ aborts, then $\mathcal{S}$ chooses $\tilde x$ according to the distribution defined by $X^{(a_i)}_x$,⁷ and sends $\tilde x$ to the trusted party computing $f$. It then outputs whatever $\mathcal{A}$ outputs, and halts. If $\mathcal{A}$ does not abort, then $\mathcal{S}$ proceeds.
6. For $i = i^*$ to $m$:
(a) If $i = i^*$ then $\mathcal{S}$ sends $x$ to the trusted party computing $f$ and receives $z = f(x, y)$.
(b) $\mathcal{S}$ sets $a^{(2)}_i = a^{(1)}_i \oplus z$ and gives $a^{(2)}_i$ to $\mathcal{A}$.
(c) If $\mathcal{A}$ aborts, then $\mathcal{S}$ outputs whatever $\mathcal{A}$ outputs, and halts. If $\mathcal{A}$ does not abort, then $\mathcal{S}$ proceeds.
7. If $\mathcal{S}$ has not yet halted, and has not yet sent anything to the trusted party computing $f$ (this can only happen if $i^* > m$ and $\mathcal{A}$ has not aborted), then it sends $\hat x$ to the trusted party. Then $\mathcal{S}$ outputs whatever $\mathcal{A}$ outputs and halts.

(The simulator constructed in Claim 5 branched depending on the value of $x$, but this was only a simplification due to the fact that the input $x_3$, there, completely determined the output. In general there need not be any such input.)

We borrow the same notation as in our proof of Claim 5. Examining that proof, we see that the proof here will proceed identically up to the point where we need to show that, for all inputs $x, y$ and all $a, b \in \{0, 1\}$:
$$\Pr\big[(\mathrm{view}^i_{\mathrm{hyb}}, \mathrm{out}^i_{\mathrm{hyb}}) = (a, b)\big] = \Pr\big[(\mathrm{view}^i_{\mathrm{ideal}}, \mathrm{out}^i_{\mathrm{ideal}}) = (a, b)\big] \qquad (32)$$
(This is Eq. (7) there. As was done there, we suppress explicit mention of the inputs when the notation becomes cumbersome.) We now fix arbitrary $x, y$ and show that the above holds. We consider two sub-cases depending on the value of $f(x, y)$.

Case 1: $x$ and $y$ are such that $f(x, y) = 0$. In the hybrid world, when $\mathcal{A}$ aborts after receiving its iteration-$i$ message, then $P_2$ outputs $\mathrm{out}^i_{\mathrm{hyb}} = b_{i-1}$ and the value of $\mathrm{view}^i_{\mathrm{hyb}} = a_i$ is independent of the value of $b_{i-1}$. By definition of the protocol, we have $\Pr[b_{i-1} = 0] = \bar p_y$ and $\Pr[b_{i-1} = 1] = p_y$, since $b_{i-1} = f(\hat x, y)$ for $\hat x$ chosen uniformly from $X$. As for $a_i$, we have
$$\Pr[a_i = 0] = \alpha + (1-\alpha)\,\bar p_x \qquad \text{and} \qquad \Pr[a_i = 1] = (1-\alpha)\, p_x.$$

⁷ This is understood in the natural way; i.e., $\tilde x = x_j$ is chosen with probability equal to the $j$-th entry of the vector $X^{(a_i)}_x$.
Since $b_{i-1}$ and $a_i$ are independent, we conclude that
$$\Pr\big[(\mathrm{view}^i_{\mathrm{hyb}}(x, y), \mathrm{out}^i_{\mathrm{hyb}}(x, y)) = (a, b)\big] = \begin{cases} (\alpha + (1-\alpha)\,\bar p_x)\,\bar p_y & (a, b) = (0, 0) \\ (\alpha + (1-\alpha)\,\bar p_x)\, p_y & (a, b) = (0, 1) \\ (1-\alpha)\, p_x\, \bar p_y & (a, b) = (1, 0) \\ (1-\alpha)\, p_x\, p_y & (a, b) = (1, 1). \end{cases}$$
In the ideal world, if $i^* = i$ then $\mathrm{out}^i_{\mathrm{ideal}} = \mathrm{view}^i_{\mathrm{ideal}} = f(x, y) = 0$. If $i^* > i$, then the distribution of $\mathrm{view}^i_{\mathrm{ideal}} = a_i$ is given by $\Pr[a_i = 0] = \bar p_x$. The value of $\mathrm{out}^i_{\mathrm{ideal}}$ is now dependent on the value of $a_i$ (cf. step 5(b) of the simulator described in this section); specifically, we have:
$$\begin{aligned}\Pr[\mathrm{out}^i_{\mathrm{ideal}}(x, y) = 0 \mid a_i = 0 \wedge i^* > i] &= \Pr[\mathcal{S} \text{ sends } \tilde x \text{ to the trusted party s.t. } f(\tilde x, y) = 0 \mid a_i = 0 \wedge i^* > i] \\ &= \sum_{\tilde x:\, f(\tilde x, y) = 0} \Pr_{x' \leftarrow X^{(0)}_x}[x' = \tilde x]\end{aligned}$$
and, in the general case,
$$\Pr[\mathrm{out}^i_{\mathrm{ideal}}(x, y) = b \mid a_i = a \wedge i^* > i] = \sum_{\tilde x:\, f(\tilde x, y) = b} \Pr_{x' \leftarrow X^{(a)}_x}[x' = \tilde x].$$
We therefore have, for example,
$$\begin{aligned}\Pr\big[(\mathrm{view}^i_{\mathrm{ideal}}(x, y), \mathrm{out}^i_{\mathrm{ideal}}(x, y)) = (0, 0)\big] &= \alpha + (1-\alpha)\,\bar p_x \sum_{\tilde x:\, f(\tilde x, y) = 0} \Pr_{x' \leftarrow X^{(0)}_x}[x' = \tilde x] \\ &= \alpha + (1-\alpha)\,\bar p_x \left(1 - X^{(0)}_x \cdot v_y\right) \\ &= \alpha + (1-\alpha)\,\bar p_x \left(1 - C^{(0)}_x(y)\right) \\ &= \alpha + (1-\alpha)\,\bar p_x \left(1 - p_y - \frac{\alpha\, p_y}{(1-\alpha)\,\bar p_x}\right) \\ &= (\alpha + (1-\alpha)\,\bar p_x)\,\bar p_y.\end{aligned}$$
(The second equality uses the definitions of $X^{(0)}_x$ and $v_y$; the third equality uses the assumption, from the theorem, that $X^{(0)}_x \cdot v_y = C^{(0)}_x(y)$. We then use the definition of $C^{(0)}_x(y)$ and re-arrange using algebra.) This is equal to the associated probability in the hybrid world, as computed above. For completeness, we include the calculations for the remaining cases:
$$\begin{aligned}\Pr\big[(\mathrm{view}^i_{\mathrm{ideal}}(x, y), \mathrm{out}^i_{\mathrm{ideal}}(x, y)) = (0, 1)\big] &= (1-\alpha)\,\bar p_x \sum_{\tilde x:\, f(\tilde x, y) = 1} \Pr_{x' \leftarrow X^{(0)}_x}[x' = \tilde x] \\ &= (1-\alpha)\,\bar p_x \left(X^{(0)}_x \cdot v_y\right) = (1-\alpha)\,\bar p_x\, C^{(0)}_x(y) \\ &= (1-\alpha)\,\bar p_x \left(\frac{\alpha\, p_y}{(1-\alpha)\,\bar p_x} + p_y\right) \\ &= (\alpha + (1-\alpha)\,\bar p_x)\, p_y = \Pr\big[(\mathrm{view}^i_{\mathrm{hyb}}(x, y), \mathrm{out}^i_{\mathrm{hyb}}(x, y)) = (0, 1)\big].\end{aligned}$$
$$\begin{aligned}\Pr\big[(\mathrm{view}^i_{\mathrm{ideal}}(x, y), \mathrm{out}^i_{\mathrm{ideal}}(x, y)) = (1, 0)\big] &= (1-\alpha)\, p_x \sum_{\tilde x:\, f(\tilde x, y) = 0} \Pr_{x' \leftarrow X^{(1)}_x}[x' = \tilde x] \\ &= (1-\alpha)\, p_x \left(1 - X^{(1)}_x \cdot v_y\right) = (1-\alpha)\, p_x \left(1 - C^{(1)}_x(y)\right) \\ &= (1-\alpha)\, p_x\, (1 - p_y) = (1-\alpha)\, p_x\, \bar p_y = \Pr\big[(\mathrm{view}^i_{\mathrm{hyb}}(x, y), \mathrm{out}^i_{\mathrm{hyb}}(x, y)) = (1, 0)\big].\end{aligned}$$
$$\begin{aligned}\Pr\big[(\mathrm{view}^i_{\mathrm{ideal}}(x, y), \mathrm{out}^i_{\mathrm{ideal}}(x, y)) = (1, 1)\big] &= (1-\alpha)\, p_x \sum_{\tilde x:\, f(\tilde x, y) = 1} \Pr_{x' \leftarrow X^{(1)}_x}[x' = \tilde x] \\ &= (1-\alpha)\, p_x \left(X^{(1)}_x \cdot v_y\right) = (1-\alpha)\, p_x\, C^{(1)}_x(y) \\ &= (1-\alpha)\, p_x\, p_y = \Pr\big[(\mathrm{view}^i_{\mathrm{hyb}}(x, y), \mathrm{out}^i_{\mathrm{hyb}}(x, y)) = (1, 1)\big].\end{aligned}$$
Equality holds, in all cases, between the corresponding probabilities in the ideal and hybrid worlds. We thus conclude that Eq. (32) holds for all $x, y$ with $f(x, y) = 0$.

Case 2: $x$ and $y$ are such that $f(x, y) = 1$. We provide the calculations with limited discussion. In the hybrid world, we have
$$\Pr\big[(\mathrm{view}^i_{\mathrm{hyb}}(x, y), \mathrm{out}^i_{\mathrm{hyb}}(x, y)) = (a, b)\big] = \begin{cases} (1-\alpha)\,\bar p_x\, \bar p_y & (a, b) = (0, 0) \\ (1-\alpha)\,\bar p_x\, p_y & (a, b) = (0, 1) \\ (\alpha + (1-\alpha)\, p_x)\, \bar p_y & (a, b) = (1, 0) \\ (\alpha + (1-\alpha)\, p_x)\, p_y & (a, b) = (1, 1). \end{cases}$$
In the ideal world, if $i^* = i$ then $\mathrm{out}^i_{\mathrm{ideal}} = \mathrm{view}^i_{\mathrm{ideal}} = f(x, y) = 1$. If $i^* > i$, then the distribution of $\mathrm{view}^i_{\mathrm{ideal}} = a_i$ is given by $\Pr[a_i = 0] = \bar p_x$, and the value of $\mathrm{out}^i_{\mathrm{ideal}}$ is now dependent on the value of $a_i$. Working out the details, we have:
$$\begin{aligned}\Pr\big[(\mathrm{view}^i_{\mathrm{ideal}}(x, y), \mathrm{out}^i_{\mathrm{ideal}}(x, y)) = (0, 0)\big] &= (1-\alpha)\,\bar p_x \sum_{\tilde x:\, f(\tilde x, y) = 0} \Pr_{x' \leftarrow X^{(0)}_x}[x' = \tilde x] \\ &= (1-\alpha)\,\bar p_x \left(1 - X^{(0)}_x \cdot v_y\right) = (1-\alpha)\,\bar p_x \left(1 - C^{(0)}_x(y)\right) \\ &= (1-\alpha)\,\bar p_x\, \bar p_y.\end{aligned}$$
$$\begin{aligned}\Pr\big[(\mathrm{view}^i_{\mathrm{ideal}}(x, y), \mathrm{out}^i_{\mathrm{ideal}}(x, y)) = (0, 1)\big] &= (1-\alpha)\,\bar p_x \sum_{\tilde x:\, f(\tilde x, y) = 1} \Pr_{x' \leftarrow X^{(0)}_x}[x' = \tilde x] \\ &= (1-\alpha)\,\bar p_x \left(X^{(0)}_x \cdot v_y\right) = (1-\alpha)\,\bar p_x\, C^{(0)}_x(y) \\ &= (1-\alpha)\,\bar p_x\, p_y.\end{aligned}$$
$$\begin{aligned}\Pr\big[(\mathrm{view}^i_{\mathrm{ideal}}(x, y), \mathrm{out}^i_{\mathrm{ideal}}(x, y)) = (1, 0)\big] &= (1-\alpha)\, p_x \sum_{\tilde x:\, f(\tilde x, y) = 0} \Pr_{x' \leftarrow X^{(1)}_x}[x' = \tilde x] \\ &= (1-\alpha)\, p_x \left(1 - X^{(1)}_x \cdot v_y\right) = (1-\alpha)\, p_x \left(1 - C^{(1)}_x(y)\right) \\ &= (1-\alpha)\, p_x \left(1 - \frac{\alpha\,(p_y - 1)}{(1-\alpha)\, p_x} - p_y\right) \\ &= (\alpha + (1-\alpha)\, p_x)\, \bar p_y.\end{aligned}$$
$$\begin{aligned}\Pr\big[(\mathrm{view}^i_{\mathrm{ideal}}(x, y), \mathrm{out}^i_{\mathrm{ideal}}(x, y)) = (1, 1)\big] &= \alpha + (1-\alpha)\, p_x \sum_{\tilde x:\, f(\tilde x, y) = 1} \Pr_{x' \leftarrow X^{(1)}_x}[x' = \tilde x] \\ &= \alpha + (1-\alpha)\, p_x \left(X^{(1)}_x \cdot v_y\right) = \alpha + (1-\alpha)\, p_x\, C^{(1)}_x(y) \\ &= \alpha + (1-\alpha)\, p_x \left(\frac{\alpha\,(p_y - 1)}{(1-\alpha)\, p_x} + p_y\right) \\ &= (\alpha + (1-\alpha)\, p_x)\, p_y.\end{aligned}$$
Once again, equality holds between the corresponding probabilities in the ideal and hybrid worlds in all cases. This concludes the proof of the theorem.
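Theorem A.1 turns the question of whether Protocol 2 applies to a given $f$ into a finite computation: evaluate $\alpha$ from Eq. (31), form the vectors $C^{(b)}_x$, and look for probability vectors $X^{(b)}_x$ with $X^{(b)}_x \cdot M_f = C^{(b)}_x$. The following Python script is an added illustration of that check (it is not code from the paper) using exact rational arithmetic; it assumes the Section 4.2 function has the matrix $M_f = [[0,1],[1,0],[1,1]]$ (consistent with $p_{x_1} = 1/2$, $p_{y_1} = p_{y_2} = 2/3$ and $f(x_1, y_1) = 0$ used above), and it only handles systems with a unique solution or no solution, since an underdetermined system would need a feasibility LP.

```python
from fractions import Fraction
from itertools import product

# Added example (not code from the paper): a boolean f: X x Y -> {0,1} is given
# as its l x m matrix M_f with M[i][j] = f(x_i, y_j), exactly as in Appendix A.2.

# Assumed matrix of the Section 4.2 function (rows x_1, x_2, x_3; columns y_1, y_2).
# It is consistent with p_{x_1} = 1/2, p_{y_1} = p_{y_2} = 2/3 and f(x_1, y_1) = 0.
F_SEC42 = [[0, 1],
           [1, 0],
           [1, 1]]

# Boolean XOR, which the appendix says is over-constrained.
XOR = [[0, 1],
       [1, 0]]

def row_freqs(M):
    """p_x = Pr_y[f(x, y) = 1] for each row x, with y uniform over Y."""
    m = len(M[0])
    return [Fraction(sum(row), m) for row in M]

def col_freqs(M):
    """p_y = Pr_x[f(x, y) = 1] for each column y, with x uniform over X."""
    l, m = len(M), len(M[0])
    return [Fraction(sum(M[i][j] for i in range(l)), l) for j in range(m)]

def alpha_eq31(M):
    """alpha as the minimum over all (i, j) of the ratio in Eq. (31)."""
    px, py = row_freqs(M), col_freqs(M)
    best = None
    for i, j in product(range(len(M)), range(len(M[0]))):
        f = M[i][j]
        num = abs(1 - f - px[i]) * abs(1 - f - py[j])
        val = num / (num + abs(f - py[j]))  # the denominator is always positive
        best = val if best is None else min(best, val)
    return best

def c_vector(M, b, i, alpha):
    """The row vector C_x^{(b)} for x = x_i, indexed by the columns y_j of M_f."""
    px, py = row_freqs(M), col_freqs(M)
    p_x, out = px[i], []
    for j in range(len(M[0])):
        f, p_y = M[i][j], py[j]
        if b == 0:   # C^{(0)}: p_y if f(x,y)=1, else alpha*p_y/((1-alpha)*(1-p_x)) + p_y
            out.append(p_y if f == 1 else alpha * p_y / ((1 - alpha) * (1 - p_x)) + p_y)
        else:        # C^{(1)}: alpha*(p_y-1)/((1-alpha)*p_x) + p_y if f(x,y)=1, else p_y
            out.append(alpha * (p_y - 1) / ((1 - alpha) * p_x) + p_y if f == 1 else p_y)
    return out

def solve_probability_vector(M, c):
    """Solve X * M_f = c with sum(X) = 1 exactly (Gauss-Jordan over the rationals).
    Returns the unique solution if it is a probability vector, None if the system is
    inconsistent or the solution has a negative entry, ValueError if underdetermined."""
    l, m = len(M), len(M[0])
    # One equation per column y_j: sum_i X[i]*M[i][j] = c[j]; last row: sum_i X[i] = 1.
    rows = [[Fraction(M[i][j]) for i in range(l)] + [c[j]] for j in range(m)]
    rows.append([Fraction(1)] * l + [Fraction(1)])
    pivots, r = [], 0
    for col in range(l):
        piv = next((k for k in range(r, len(rows)) if rows[k][col] != 0), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        rows[r] = [v / rows[r][col] for v in rows[r]]
        for k in range(len(rows)):
            if k != r and rows[k][col] != 0:
                fac = rows[k][col]
                rows[k] = [a - fac * p for a, p in zip(rows[k], rows[r])]
        pivots.append(col)
        r += 1
    if any(row[-1] != 0 for row in rows[r:]):   # a leftover row reading 0 = nonzero
        return None
    if len(pivots) < l:
        raise ValueError("underdetermined system; a feasibility LP is needed")
    x = [Fraction(0)] * l
    for k, col in enumerate(pivots):
        x[col] = rows[k][-1]
    return x if all(v >= 0 for v in x) else None

def check_theorem_a1(M):
    """Return (alpha, {(b, i): X_{x_i}^{(b)}}) if every required vector exists, else None."""
    alpha = alpha_eq31(M)
    if alpha == 1:   # only for constant f, where completely fair computation is trivial
        return alpha, {}
    vectors = {}
    for b, i in product((0, 1), range(len(M))):
        x = solve_probability_vector(M, c_vector(M, b, i, alpha))
        if x is None:
            return None
        vectors[(b, i)] = x
    return alpha, vectors

if __name__ == "__main__":
    for name, M in (("Section 4.2 function", F_SEC42), ("XOR", XOR)):
        res = check_theorem_a1(M)
        print(f"{name}: alpha = {alpha_eq31(M)} ->", "applies" if res else "no solution")
        for (b, i), vec in sorted(res[1].items()) if res else ():
            print(f"  X_(x_{i + 1})^({b}) = {[str(v) for v in vec]}")
```

For the Section 4.2 matrix the script recovers $\alpha = 1/5$ and $X^{(1)}_{x_1} = (1/3, 1/2, 1/6)$, the values of step 8(b); for XOR the system for $X^{(0)}_{x_1}$ is inconsistent, so the theorem does not apply.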
What is Candidate Sampling
What s Canddate Samplng Say we have a multclass or mult label problem where each tranng example ( x, T ) conssts of a context x a small (mult)set of target classes T out of a large unverse L of possble
benefit is 2, paid if the policyholder dies within the year, and probability of death within the year is ).
REVIEW OF RISK MANAGEMENT CONCEPTS LOSS DISTRIBUTIONS AND INSURANCE Loss and nsurance: When someone s subject to the rsk of ncurrng a fnancal loss, the loss s generally modeled usng a random varable or
A Probabilistic Theory of Coherence
A Probablstc Theory of Coherence BRANDEN FITELSON. The Coherence Measure C Let E be a set of n propostons E,..., E n. We seek a probablstc measure C(E) of the degree of coherence of E. Intutvely, we want
Extending Probabilistic Dynamic Epistemic Logic
Extendng Probablstc Dynamc Epstemc Logc Joshua Sack May 29, 2008 Probablty Space Defnton A probablty space s a tuple (S, A, µ), where 1 S s a set called the sample space. 2 A P(S) s a σ-algebra: a set
Luby s Alg. for Maximal Independent Sets using Pairwise Independence
Lecture Notes for Randomzed Algorthms Luby s Alg. for Maxmal Independent Sets usng Parwse Independence Last Updated by Erc Vgoda on February, 006 8. Maxmal Independent Sets For a graph G = (V, E), an ndependent
Recurrence. 1 Definitions and main statements
Recurrence 1 Defntons and man statements Let X n, n = 0, 1, 2,... be a MC wth the state space S = (1, 2,...), transton probabltes p j = P {X n+1 = j X n = }, and the transton matrx P = (p j ),j S def.
An Alternative Way to Measure Private Equity Performance
An Alternatve Way to Measure Prvate Equty Performance Peter Todd Parlux Investment Technology LLC Summary Internal Rate of Return (IRR) s probably the most common way to measure the performance of prvate
1 Example 1: Axis-aligned rectangles
COS 511: Theoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 6 Scrbe: Aaron Schld February 21, 2013 Last class, we dscussed an analogue for Occam s Razor for nfnte hypothess spaces that, n conjuncton
Module 2 LOSSLESS IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur
Module LOSSLESS IMAGE COMPRESSION SYSTEMS Lesson 3 Lossless Compresson: Huffman Codng Instructonal Objectves At the end of ths lesson, the students should be able to:. Defne and measure source entropy..
8.5 UNITARY AND HERMITIAN MATRICES. The conjugate transpose of a complex matrix A, denoted by A*, is given by
6 CHAPTER 8 COMPLEX VECTOR SPACES 5. Fnd the kernel of the lnear transformaton gven n Exercse 5. In Exercses 55 and 56, fnd the mage of v, for the ndcated composton, where and are gven by the followng
v a 1 b 1 i, a 2 b 2 i,..., a n b n i.
SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 455 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces we have studed thus far n the text are real vector spaces snce the scalars are
) of the Cell class is created containing information about events associated with the cell. Events are added to the Cell instance
Calbraton Method Instances of the Cell class (one nstance for each FMS cell) contan ADC raw data and methods assocated wth each partcular FMS cell. The calbraton method ncludes event selecton (Class Cell
A Lyapunov Optimization Approach to Repeated Stochastic Games
PROC. ALLERTON CONFERENCE ON COMMUNICATION, CONTROL, AND COMPUTING, OCT. 2013 1 A Lyapunov Optmzaton Approach to Repeated Stochastc Games Mchael J. Neely Unversty of Southern Calforna http://www-bcf.usc.edu/
How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence
1 st Internatonal Symposum on Imprecse Probabltes and Ther Applcatons, Ghent, Belgum, 29 June 2 July 1999 How Sets of Coherent Probabltes May Serve as Models for Degrees of Incoherence Mar J. Schervsh
Forecasting the Direction and Strength of Stock Market Movement
Forecastng the Drecton and Strength of Stock Market Movement Jngwe Chen Mng Chen Nan Ye [email protected] [email protected] [email protected] Abstract - Stock market s one of the most complcated systems
1. Fundamentals of probability theory 2. Emergence of communication traffic 3. Stochastic & Markovian Processes (SP & MP)
6.3 / -- Communcaton Networks II (Görg) SS20 -- www.comnets.un-bremen.de Communcaton Networks II Contents. Fundamentals of probablty theory 2. Emergence of communcaton traffc 3. Stochastc & Markovan Processes
The Development of Web Log Mining Based on Improve-K-Means Clustering Analysis
The Development of Web Log Mnng Based on Improve-K-Means Clusterng Analyss TngZhong Wang * College of Informaton Technology, Luoyang Normal Unversty, Luoyang, 471022, Chna [email protected] Abstract.
Support Vector Machines
Support Vector Machnes Max Wellng Department of Computer Scence Unversty of Toronto 10 Kng s College Road Toronto, M5S 3G5 Canada [email protected] Abstract Ths s a note to explan support vector machnes.
8 Algorithm for Binary Searching in Trees
8 Algorthm for Bnary Searchng n Trees In ths secton we present our algorthm for bnary searchng n trees. A crucal observaton employed by the algorthm s that ths problem can be effcently solved when the
From Selective to Full Security: Semi-Generic Transformations in the Standard Model
An extended abstract of ths work appears n the proceedngs of PKC 2012 From Selectve to Full Securty: Sem-Generc Transformatons n the Standard Model Mchel Abdalla 1 Daro Fore 2 Vadm Lyubashevsky 1 1 Département
Proactive Secret Sharing Or: How to Cope With Perpetual Leakage
Proactve Secret Sharng Or: How to Cope Wth Perpetual Leakage Paper by Amr Herzberg Stanslaw Jareck Hugo Krawczyk Mot Yung Presentaton by Davd Zage What s Secret Sharng Basc Idea ((2, 2)-threshold scheme):
PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 12
14 The Ch-squared dstrbuton PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 1 If a normal varable X, havng mean µ and varance σ, s standardsed, the new varable Z has a mean 0 and varance 1. When ths standardsed
Practical and Secure Solutions for Integer Comparison
In Publc Key Cryptography PKC 07, Vol. 4450 of Lecture Notes n Computer Scence, Sprnger-Verlag, 2007. pp. 330-342. Practcal and Secure Solutons for Integer Comparson Juan Garay 1, erry Schoenmakers 2,
DEFINING %COMPLETE IN MICROSOFT PROJECT
CelersSystems DEFINING %COMPLETE IN MICROSOFT PROJECT PREPARED BY James E Aksel, PMP, PMI-SP, MVP For Addtonal Informaton about Earned Value Management Systems and reportng, please contact: CelersSystems,
General Auction Mechanism for Search Advertising
General Aucton Mechansm for Search Advertsng Gagan Aggarwal S. Muthukrshnan Dávd Pál Martn Pál Keywords game theory, onlne auctons, stable matchngs ABSTRACT Internet search advertsng s often sold by an
Loop Parallelization
- - Loop Parallelzaton C-52 Complaton steps: nested loops operatng on arrays, sequentell executon of teraton space DECLARE B[..,..+] FOR I :=.. FOR J :=.. I B[I,J] := B[I-,J]+B[I-,J-] ED FOR ED FOR analyze
THE DISTRIBUTION OF LOAN PORTFOLIO VALUE * Oldrich Alfons Vasicek
HE DISRIBUION OF LOAN PORFOLIO VALUE * Oldrch Alfons Vascek he amount of captal necessary to support a portfolo of debt securtes depends on the probablty dstrbuton of the portfolo loss. Consder a portfolo
BERNSTEIN POLYNOMIALS
On-Lne Geometrc Modelng Notes BERNSTEIN POLYNOMIALS Kenneth I. Joy Vsualzaton and Graphcs Research Group Department of Computer Scence Unversty of Calforna, Davs Overvew Polynomals are ncredbly useful
An Interest-Oriented Network Evolution Mechanism for Online Communities
An Interest-Orented Network Evoluton Mechansm for Onlne Communtes Cahong Sun and Xaopng Yang School of Informaton, Renmn Unversty of Chna, Bejng 100872, P.R. Chna {chsun,yang}@ruc.edu.cn Abstract. Onlne
Riposte: An Anonymous Messaging System Handling Millions of Users
Rposte: An Anonymous Messagng System Handlng Mllons of Users Henry Corrgan-Gbbs, Dan Boneh, and Davd Mazères Stanford Unversty Abstract Ths paper presents Rposte, a new system for anonymous broadcast messagng.
Minimal Coding Network With Combinatorial Structure For Instantaneous Recovery From Edge Failures
Mnmal Codng Network Wth Combnatoral Structure For Instantaneous Recovery From Edge Falures Ashly Joseph 1, Mr.M.Sadsh Sendl 2, Dr.S.Karthk 3 1 Fnal Year ME CSE Student Department of Computer Scence Engneerng
The OC Curve of Attribute Acceptance Plans
The OC Curve of Attrbute Acceptance Plans The Operatng Characterstc (OC) curve descrbes the probablty of acceptng a lot as a functon of the lot s qualty. Fgure 1 shows a typcal OC Curve. 10 8 6 4 1 3 4
Multiple-Period Attribution: Residuals and Compounding
Multple-Perod Attrbuton: Resduals and Compoundng Our revewer gave these authors full marks for dealng wth an ssue that performance measurers and vendors often regard as propretary nformaton. In 1994, Dens
The Greedy Method. Introduction. 0/1 Knapsack Problem
The Greedy Method Introducton We have completed data structures. We now are gong to look at algorthm desgn methods. Often we are lookng at optmzaton problems whose performance s exponental. For an optmzaton
Ring structure of splines on triangulations
www.oeaw.ac.at Rng structure of splnes on trangulatons N. Vllamzar RICAM-Report 2014-48 www.rcam.oeaw.ac.at RING STRUCTURE OF SPLINES ON TRIANGULATIONS NELLY VILLAMIZAR Introducton For a trangulated regon
Embedding lattices in the Kleene degrees
F U N D A M E N T A MATHEMATICAE 62 (999) Embeddng lattces n the Kleene degrees by Hsato M u r a k (Nagoya) Abstract. Under ZFC+CH, we prove that some lattces whose cardnaltes do not exceed ℵ can be embedded
Compact CCA2-secure Hierarchical Identity-Based Broadcast Encryption for Fuzzy-entity Data Sharing
Compact CCA2-secure Herarchcal Identty-Based Broadcast Encrypton for Fuzzy-entty Data Sharng Weran Lu 1, Janwe Lu 1, Qanhong Wu 1, Bo Qn 2, Davd Naccache 3, and Houda Ferrad 4 1 School of Electronc and
Generalizing the degree sequence problem
Mddlebury College March 2009 Arzona State Unversty Dscrete Mathematcs Semnar The degree sequence problem Problem: Gven an nteger sequence d = (d 1,...,d n ) determne f there exsts a graph G wth d as ts
CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol
CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK Sample Stablty Protocol Background The Cholesterol Reference Method Laboratory Network (CRMLN) developed certfcaton protocols for total cholesterol, HDL
Product-Form Stationary Distributions for Deficiency Zero Chemical Reaction Networks
Bulletn of Mathematcal Bology (21 DOI 1.17/s11538-1-9517-4 ORIGINAL ARTICLE Product-Form Statonary Dstrbutons for Defcency Zero Chemcal Reacton Networks Davd F. Anderson, Gheorghe Cracun, Thomas G. Kurtz
An Optimally Robust Hybrid Mix Network (Extended Abstract)
An Optmally Robust Hybrd Mx Network (Extended Abstract) Markus Jakobsson and Ar Juels RSA Laboratores Bedford, MA, USA {mjakobsson,ajuels}@rsasecurty.com Abstract We present a mx network that acheves effcent
Project Networks With Mixed-Time Constraints
Project Networs Wth Mxed-Tme Constrants L Caccetta and B Wattananon Western Australan Centre of Excellence n Industral Optmsaton (WACEIO) Curtn Unversty of Technology GPO Box U1987 Perth Western Australa
FORMAL ANALYSIS FOR REAL-TIME SCHEDULING
FORMAL ANALYSIS FOR REAL-TIME SCHEDULING Bruno Dutertre and Vctora Stavrdou, SRI Internatonal, Menlo Park, CA Introducton In modern avoncs archtectures, applcaton software ncreasngly reles on servces provded
J. Parallel Distrib. Comput.
J. Parallel Dstrb. Comput. 71 (2011) 62 76 Contents lsts avalable at ScenceDrect J. Parallel Dstrb. Comput. journal homepage: www.elsever.com/locate/jpdc Optmzng server placement n dstrbuted systems n
Data Broadcast on a Multi-System Heterogeneous Overlayed Wireless Network *
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 24, 819-840 (2008) Data Broadcast on a Mult-System Heterogeneous Overlayed Wreless Network * Department of Computer Scence Natonal Chao Tung Unversty Hsnchu,
+ + + - - This circuit than can be reduced to a planar circuit
MeshCurrent Method The meshcurrent s analog of the nodeoltage method. We sole for a new set of arables, mesh currents, that automatcally satsfy KCLs. As such, meshcurrent method reduces crcut soluton to
Linear Circuits Analysis. Superposition, Thevenin /Norton Equivalent circuits
Lnear Crcuts Analyss. Superposton, Theenn /Norton Equalent crcuts So far we hae explored tmendependent (resste) elements that are also lnear. A tmendependent elements s one for whch we can plot an / cure.
How To Calculate The Accountng Perod Of Nequalty
Inequalty and The Accountng Perod Quentn Wodon and Shlomo Ytzha World Ban and Hebrew Unversty September Abstract Income nequalty typcally declnes wth the length of tme taen nto account for measurement.
Secure Network Coding Over the Integers
Secure Network Codng Over the Integers Rosaro Gennaro Jonathan Katz Hugo Krawczyk Tal Rabn Abstract Network codng has receved sgnfcant attenton n the networkng communty for ts potental to ncrease throughput
Answer: A). There is a flatter IS curve in the high MPC economy. Original LM LM after increase in M. IS curve for low MPC economy
4.02 Quz Solutons Fall 2004 Multple-Choce Questons (30/00 ponts) Please, crcle the correct answer for each of the followng 0 multple-choce questons. For each queston, only one of the answers s correct.
Brigid Mullany, Ph.D University of North Carolina, Charlotte
Evaluaton And Comparson Of The Dfferent Standards Used To Defne The Postonal Accuracy And Repeatablty Of Numercally Controlled Machnng Center Axes Brgd Mullany, Ph.D Unversty of North Carolna, Charlotte
Nordea G10 Alpha Carry Index
Nordea G10 Alpha Carry Index Index Rules v1.1 Verson as of 10/10/2013 1 (6) Page 1 Index Descrpton The G10 Alpha Carry Index, the Index, follows the development of a rule based strategy whch nvests and
Optimal Distributed Password Verification
Optmal Dstrbuted Password Verfcaton Jan Camensch IBM Research Zurch [email protected] Anja Lehmann IBM Research Zurch [email protected] Gregory Neven IBM Research Zurch [email protected] ABSTRACT We present
Calculation of Sampling Weights
Perre Foy Statstcs Canada 4 Calculaton of Samplng Weghts 4.1 OVERVIEW The basc sample desgn used n TIMSS Populatons 1 and 2 was a two-stage stratfed cluster desgn. 1 The frst stage conssted of a sample
Provably Secure Single Sign-on Scheme in Distributed Systems and Networks
0 IEEE th Internatonal Conference on Trust, Securty and Prvacy n Computng and Communcatons Provably Secure Sngle Sgn-on Scheme n Dstrbuted Systems and Networks Jangshan Yu, Guln Wang, and Y Mu Center for
Identity-Based Encryption Gone Wild
An extended abstract of ths paper appeared n Mchele Bugles, Bart Preneel, Vladmro Sassone, and Ingo Wegener, edtors, 33rd Internatonal Colloquum on Automata, Languages and Programmng ICALP 2006, volume
