# Lower bounds and optimal protocols for three-party secure computation

10 Jul 2016, pp. 1361-1365

TL;DR: New and better lower bounds on the amount of communication required between the parties to guarantee zero probability of error in the computation and achieve information-theoretic security are derived.

Abstract: The problem of three-party secure computation, where a function of private data of two parties is to be computed by a third party without revealing information beyond respective inputs or outputs is considered. New and better lower bounds on the amount of communication required between the parties to guarantee zero probability of error in the computation and achieve information-theoretic security are derived. Protocols are presented and proved to be optimal in some cases by showing that they achieve the improved lower bounds.

Topics: Secure two-party computation (66%), Secure multi-party computation (63%), Computation (54%)

##### Citations



01 Jan 2018

Abstract: A fundamental problem in the theory of secure multi-party computation (MPC) is to characterize functions with more than 2 parties which admit MPC protocols with information-theoretic security against passive corruption. This question has seen little progress since the work of Chor and Ishai (2001), which demonstrated difficulties in resolving it. In this work, we make significant progress towards resolving this question in the important case of aggregating functionalities, in which m parties P_1, ..., P_m hold inputs x_1, ..., x_m and an aggregating party P_0 must learn f(x_1, ..., x_m). We give a necessary condition and a slightly stronger sufficient condition for f to admit a secure protocol. Both the conditions are stated in terms of an algebraic structure we introduce called Commuting Permutations Systems (CPS), which may be of independent combinatorial interest. When our sufficiency condition is met, we obtain a perfectly secure protocol with minimal interaction, that fits the model of Non-Interactive MPC or NIMPC (Beimel et al., 2014), but without the need for a trusted party to generate correlated randomness. We define Unassisted Non-Interactive MPC (UNIMPC) to capture this variant. We also present an NIMPC protocol for all functionalities, which is simpler and more efficient than the one given in the prior work. 2012 ACM Subject Classification: Theory of computation → Cryptographic protocols, Theory of computation → Complexity classes, Security and privacy → Mathematical foundations of

3 citations


Sibi Raj B Pillai, Manoj Prabhakaran, Vinod M. Prabhakaran, Srivatsan Sridhar, 15 Dec 2019

TL;DR: This note shows that this message is in fact also optimal in the protocol of Feige et al. (STOC 1994), improving on a previous result of Rajan et al. (ISIT 2016), which showed this optimality only for protocols where Alice and Bob are deterministic.

Abstract: In an influential work aimed at understanding the communication requirements of secure computation, Feige, Kilian and Naor introduced a minimal model of secure computation (STOC 1994). In that work, among other results, Feige et al. presented a simple protocol for the 2 input AND function. It has remained an intriguing question whether the communication and randomness used in this protocol are optimal. While previous work of Data et al. (CRYPTO 2014) showed that the communication from the two parties with inputs (Alice and Bob) to the third party who gets the output is optimal, the question of optimality for the third message in the protocol – a common reference string shared between Alice and Bob – remained open. In this note we show that in fact, this message (and hence all the randomness used in the protocol) is also optimal in the protocol of Feige et al. This improves on a previous result of Rajan et al. (ISIT 2016), which showed this optimality restricted to protocols where Alice and Bob are deterministic. Further, our result holds even if only a weak secrecy condition is required of the protocol.

1 citation

##### References



03 Nov 1982

TL;DR: This paper describes three ways of solving the millionaires’ problem by use of one-way functions (i.e., functions which are easy to evaluate but hard to invert) and discusses the complexity question “How many bits need to be exchanged for the computation”.

Abstract: Two millionaires wish to know who is richer; however, they do not want to find out inadvertently any additional information about each other's wealth. How can they carry out such a conversation? This is a special case of the following general problem. Suppose m people wish to compute the value of a function f(x_1, x_2, x_3, ..., x_m), which is an integer-valued function of m integer variables x_i of bounded range. Assume initially person P_i knows the value of x_i and no other x's. Is it possible for them to compute the value of f, by communicating among themselves, without unduly giving away any information about the values of their own variables? The millionaires' problem corresponds to the case when m = 2 and f(x_1, x_2) = 1 if x_1 < x_2, and 0 otherwise. In this paper, we will give precise formulation of this general problem and describe three ways of solving it by use of one-way functions (i.e., functions which are easy to evaluate but hard to invert). These results have applications to secret voting, private querying of database, oblivious negotiation, playing mental poker, etc. We will also discuss the complexity question "How many bits need to be exchanged for the computation", and describe methods to prevent participants from cheating. Finally, we study the question "What cannot be accomplished with one-way functions". Before describing these results, we would like to put this work in perspective by first considering a unified view of secure computation in the next section.

3,504 citations


27 Oct 1986

TL;DR: A new tool for controlling the knowledge transfer process in cryptographic protocol design is introduced and it is applied to solve a general class of problems which include most of the two-party cryptographic problems in the literature.

Abstract: In this paper we introduce a new tool for controlling the knowledge transfer process in cryptographic protocol design. It is applied to solve a general class of problems which include most of the two-party cryptographic problems in the literature. Specifically, we show how two parties A and B can interactively generate a random integer N = p·q such that its secret, i.e., the prime factors (p, q), is hidden from either party individually but is recoverable jointly if desired. This can be utilized to give a protocol for two parties with private values i and j to compute any polynomially computable functions f(i,j) and g(i,j) with minimal knowledge transfer and a strong fairness property. As a special case, A and B can exchange a pair of secrets s_A, s_B, e.g. the factorization of an integer and a Hamiltonian circuit in a graph, in such a way that s_A becomes computable by B when and only when s_B becomes computable by A. All these results are proved assuming only that the problem of factoring large integers is computationally intractable.

3,178 citations


01 Jan 1988

TL;DR: The above bounds on t, the size of a set of players, are tight!

Abstract: Every function of n inputs can be efficiently computed by a complete network of n processors in such a way that:

- If no faults occur, no set of size t < n/2 of players gets any additional information (other than the function value);
- Even if Byzantine faults are allowed, no set of size t < n/3 can either disrupt the computation or get additional information.

The above bounds on t are tight!

2,151 citations

### "Lower bounds and optimal protocols ..." refers methods in this paper

...While the founding works [3]-[7] were based on computational limitations of the users, seminal papers by Ben-Or, Goldwasser, and Wigderson [8] and Chaum, Crépeau, and Damgård [9] showed how information theoretically secure computation can be achieved through interactive communication....

[...]


01 Jan 1988

Abstract: Every function of n inputs can be efficiently computed by a complete network of n processors in such a way that: If no faults occur, no set of size t

2,093 citations


01 Jan 1988

TL;DR: It is shown that any reasonable multiparty protocol can be achieved if at least 2n/3 of the participants are honest and the secrecy achieved is unconditional.

Abstract: Under the assumption that each pair of participants can communicate secretly, we show that any reasonable multiparty protocol can be achieved if at least 2n/3 of the participants are honest. The secrecy achieved is unconditional. It does not rely on any assumption about computational intractability.

1,559 citations

### "Lower bounds and optimal protocols ..." refers methods in this paper

...While the founding works [3]-[7] were based on computational limitations of the users, seminal papers by Ben-Or, Goldwasser, and Wigderson [8] and Chaum, Crépeau, and Damgård [9] showed how information theoretically secure computation can be achieved through interactive communication....

[...]