Abstract
Solitary output secure computation models scenarios, where a single entity wishes to compute a function over an input that is distributed among several mutually distrusting parties. The computation should guarantee some security properties, such as correctness, privacy, and guaranteed output delivery. Full security captures all these properties together. This setting is becoming very important, as it is relevant to many real-world scenarios, such as service providers wishing to learn some statistics on the private data of their users.
In this paper, we study full security for solitary output three-party functionalities in the point-to-point model (without broadcast) assuming at most a single party is corrupted. We give a characterization of the set of three-party Boolean functionalities and functionalities with up to three possible outputs (over a polynomial-size domain) that are computable with full security in the point-to-point model against a single corrupted party. We also characterize the set of three-party functionalities (over a polynomial-size domain) where the output receiving party has no input. Using this characterization, we identify the set of parameters that allow certain functionalities related to private set intersection to be securely computable in this model. Our characterization in particular implies that, even in the solitary output setting, without broadcast not many “interesting” three-party functionalities can be computed with full security.
Our main technical contribution is a reinterpretation of the hexagon argument due to Fischer et al. [Distributed Computing ’86]. While the original argument relies on the agreement property (i.e., all parties output the same value) to construct an attack, we extend the argument to the solitary output setting, where there is no agreement. Furthermore, using our techniques, we were also able to advance our understanding of the set of solitary output three-party functionalities that can be computed with full security, assuming broadcast but where two parties may be corrupted. Specifically, we extend the set of such functionalities that were known to be computable, due to Halevi et al. [TCC ’19].
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Formally, full security is defined via the real vs. ideal paradigm, where a (real-world) protocol is required to emulate an ideal setting, in which the adversary is limited to selecting inputs for the corrupted parties and receiving their outputs.
- 2.
We abuse notations and write f(y, z) instead of \(f({\lambda },y,z)\) where \({\lambda } \) is the empty string (which is the input of \(\textsf{A}\)).
- 3.
A combinatorial rectangle is subset \(\mathcal {R}\subseteq \mathcal {Y}\times \mathcal {Z}\) that can be written as \(\mathcal {R}=\mathcal {S}\times \mathcal {T}\) where \(\mathcal {S}\subseteq \mathcal {Y}\) and \(\mathcal {T}\subseteq \mathcal {Z}\).
- 4.
A similar condition was given by [15] for the symmetric case, where all parties output the same value. There, every party must be able to fix the output to be w.
- 5.
Fitzi et al. [20] defined the convergecast functionality as the NIORP randomized solitary output functionality, where \(\textsf{A}\) outputs y with probability 1/2, and outputs z with probability 1/2.
- 6.
Gordon et al. [23] showed that the symmetric two-party variant of this functionality can be computed with full security.
- 7.
In fact, [24] gave three different protocols for computing \(\textsf{soGHKL}\) securely.
- 8.
Note that even though f is assumed to be deterministic, it is not guaranteed that the output of an honest \(\textsf{A}\) is a fixed value even when interacting with a semi-honest adversary. This is due to the fact that the semi-honest adversaries are emulated in the three-party protocol using malicious adversaries.
- 9.
Note that the choice of taking the lexicographically smallest elements of \(\mathcal {Y}\) and \(\mathcal {Z}\) is arbitrary, and any other element would work.
- 10.
Although \(\textsf{B}\) and \(\textsf{C}\) are supposed to receive no output from f, in a fair computation they either receive the empty string indicating that \(\textsf{A}\) received its output, or a special symbol \(\bot \) indicating abort.
- 11.
Formally, the marginal distribution of the first value in the output of \(\textsf{S}_3\) is identically distributed to \(f(x,y^*_2,z)\).
- 12.
Note that if strictly more than two-thirds of the parties are honest any functionality can be computed with full security [10].
- 13.
The typical convention in secure computation is to let \(f:\left( {\{0,1\}^*}\right) ^3\rightarrow {\{0,1\}^*}\). However, we will mostly be dealing with functionalities whose domain is of polynomial size in \(\kappa \), which is why we introduce this notation.
- 14.
Note that if we had defined \(\preceq _{\scriptstyle \textsf{B}}\), \(\preceq _{\scriptstyle \textsf{C}}\), and \(\preceq \) directly over \(\mathcal {X}\), then they would not correspond to partial orders. Indeed, for the relations to be partial orders, it required that they are antisymmetric, i.e., if \(x\preceq x'\) and \(x'\preceq x\) then \(x=x'\). Observe that this is not generally the case, as the only guarantee we have is that \(x\equiv x'\).
- 15.
Note that there may be several minimum inputs, however, the assumption implies that they are all equivalent.
References
Agarwal, N., Anand, S., Prabhakaran, M.: Uncovering algebraic structures in the MPC landscape. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 381–406. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_14
Alon, B., Omri, E.: On secure computation of solitary output functionalities with and without broadcast. Cryptology ePrint Archive, Paper 2022/934 (2022). https://eprint.iacr.org/2022/934
Alon, B., Cohen, R., Omri, E., Suad, T.: On the power of an honest majority in three-party computation without broadcast. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12551, pp. 621–651. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_22
Asharov, G.: Towards characterizing complete fairness in secure two-party computation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 291–316. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_13
Asharov, G., Lindell, Y., Rabin, T.: A full characterization of functions that imply fair coin tossing and ramifications to fairness. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 243–262. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_14
Asharov, G., Beimel, A., Makriyannis, N., Omri, E.: Complete characterization of fairness in secure two-party computation of Boolean functions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 199–228. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46494-6_10
Badrinarayanan, S., Miao, P., Mukherjee, P., Ravi, D.: On the round complexity of fully secure solitary MPC with honest majority. Cryptology ePrint Archive (2021)
Beimel, A., Gabizon, A., Ishai, Y., Kushilevitz, E., Meldgaard, S., Paskin-Cherniavsky, A.: Non-interactive secure multiparty computation. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 387–404. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_22
Bell, J.H., Bonawitz, K.A., Gascón, A., Lepoint, T., Raykova, M.: Secure single-server aggregation with (poly) logarithmic overhead. In: ACM CCS (2020)
Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for noncryptographic fault-tolerant distributed computations. In: STOC (1988)
Bonawitz, K., et al.: Practical secure aggregation for privacy-preserving machine learning. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1175–1191 (2017)
Burkhalter, L., Lycklama, H., Viand, A., Kuchler, N., Hithnawi, A.: Rofl: attestable robustness for secure federated learning (2021). arXiv preprint arXiv:2107.03311
Cleve, R.: Limits on the security of coin flips when half the processors are faulty (extended abstract). In: STOC (1986)
Cohen, R., Lindell, Y.: Fairness versus guaranteed output delivery in secure multiparty computation. J. Cryptol. 30(4), 1157–1186 (2017)
Cohen, R., Haitner, I., Omri, E., Rotem, L.: Characterization of secure multiparty computation without broadcast. J. Cryptol. 31(2), 587–609 (2018)
Dachman-Soled, D.: Revisiting fairness in MPC: polynomial number of parties and general adversarial structures. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12551, pp. 595–620. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64378-2_21
Daza, V., Makriyannis, N.: Designing fully secure protocols for secure two-party computation of constant-domain functions. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 581–611. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_20
Feige, U., Killian, J., Naor, M.: A minimal model for secure computation. In: Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, pp. 554–563 (1994)
Fischer, M.J., Lynch, N.A., Merritt, M.: Easy impossibility proofs for distributed consensus problems. Distrib. Comput. 1(1), 26–39 (1986)
Fitzi, M., Garay, J.A., Maurer, U.M., Ostrovsky, R.: Minimal complete primitives for secure multi-party computation. J. Cryptol. 18(1), 37–61 (2005)
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC (1987)
Gordon, S.D., Katz, J.: Complete fairness in multi-party computation without an honest majority. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 19–35. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_2
Gordon, S.D., Hazay, C., Katz, J., Lindell, Y.: Complete fairness in secure two-party computation. In: STOC (2008)
Halevi, S., Ishai, Y., Kushilevitz, E., Makriyannis, N., Rabin, T.: On fully secure MPC with solitary output. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11891, pp. 312–340. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36030-6_13
Lamport, L., Shostak, R.E., Pease, M.C.: The byzantine generals problem. ACM Trans. Program. Lang. Syst. (TOPLAS) 4(3), 382–401 (1982)
Makriyannis, N.: On the classification of finite Boolean functions up to fairness. In: Proceedings of the 9th Conference on Security and Cryptography for Networks (SCN), pp. 135–154 (2014)
Pease, M.C., Shostak, R.E., Lamport, L.: Reaching agreement in the presence of faults. J. ACM 27(2), 228–234 (1980)
Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). In: FOCS, pp. 73–85 (1989)
Acknowledgments
Research supported in part by grants from the Israel Science Foundation (no.152/17), and by the Ariel Cyber Innovation Center in conjunction with the Israel National Cyber directorate in the Prime Minister’s Office. The first author is also supported by Israel Science Foundation grant 391/21.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Alon, B., Omri, E. (2023). On Secure Computation of Solitary Output Functionalities with and Without Broadcast. In: Rothblum, G., Wee, H. (eds) Theory of Cryptography. TCC 2023. Lecture Notes in Computer Science, vol 14370. Springer, Cham. https://doi.org/10.1007/978-3-031-48618-0_4
Download citation
DOI: https://doi.org/10.1007/978-3-031-48618-0_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-48617-3
Online ISBN: 978-3-031-48618-0
eBook Packages: Computer ScienceComputer Science (R0)
