1 Introduction

Understanding the nature of secure multiparty computation has been a key problem in modern cryptography, ever since the notion was introduced. While this has been a heavily researched area, some basic problems have remained open. In this work we explore the following fundamental question:

Which randomized functions have information-theoretic semi-honest secure 2-party computation protocols?

The corresponding question for deterministic functions was answered almost three decades back, by Kushilevitz [Kus89] (originally, restricted to symmetric functions, in which both parties get the same output). The dual question of which functions are complete, initiated by Kilian [Kil88], has also been fully resolved, for semi-honest [MPR12] and even active security [KMPS14]. However, the above question itself has seen little progress since 1989.

In this work, we make progress towards understanding securely computable randomized functions. (Throughout this paper, security will refer to information-theoretic semi-honest security.) We bring tools developed in the study of completeness to bear on this problem. In particular, our characterizations are obtained by considering only symmetric functions with a combinatorial property called simplicity [MPR12]. (As shown in [MPR12], a function is semi-honest securely computable if and only if it is simple, and a related function called its “kernel” – which is always a simple function – is securely computable.)

One may start off by attempting to generalize the result of Kushilevitz [Kus89] so that it applies to randomized functions as well. This characterization showed that any securely computable deterministic function has a secure protocol in which the two parties take turns to progressively reveal more and more information about their respective inputs – by restricting each input to smaller and smaller subsets – until there is exactly enough information to evaluate the function. However, a naïve generalization of this result fails for randomized functions, as it is possible for a securely computable function to have every output value in the support of every input combination; thus the input spaces cannot be shrunk at all during a secure protocol.

A more fruitful approach would be to consider the protocol for deterministic functions as partitioning the output space at each step, and choosing one of the parts. This is indeed true when considering deterministic functions which are simple. Such a protocol results in a unique transcript for each output value. An a priori promising conjecture would be that every securely computable simple function – deterministic or randomized – has such a unique-transcript protocol. Unfortunately, this conjecture turns out to be false.

However, for small output alphabets, we can prove that this conjecture holds. Indeed, we show that the exact threshold on the alphabet size where this conjecture breaks down is 4. When the output alphabet size of a simple function is at most 3, we give a combinatorial characterization of secure computability; our characterization implies that such functions do have unique-transcript secure protocols. We also characterize simple functions which have two-round secure protocols, which again turn out to all have unique-transcript protocols.

We leave the full characterization as an important open problem.

Our Results

  • Our main result is a complete combinatorial characterization of randomized functions with ternary output kernels, that have information-theoretic semi-honest secure 2-party computation protocols. In particular, we show that there exist simple randomized functions with ternary output that do not have secure computation protocols. (For deterministic functions, the smallest output alphabet size of such a function is 5, due to an example given by Beaver [Bea89].)

  • We also give a complete combinatorial characterization of randomized functions that have 2-round information-theoretic semi-honest secure 2-party computation protocols.

  • We also give a counter-example to a natural conjecture for the full characterization, namely, that all securely computable simple functions have secure protocols with a unique transcript for each output value. This conjecture is in fact true for deterministic functions, and – as our results above show – for ternary functions and for functions with 2-round secure protocols.

1.1 Technical Overview

Prior work [MPR12, MPR13] lets us focus on symmetric functions: A randomized function F is securely realizable if and only if it is “isomorphic” – i.e., essentially equivalent, up to sampling additional local outputs – to a symmetric function G called its kernel, and G itself has a secure protocol; see Theorem 3. Further the kernel of F is easy to find and explicitly defined in Definition 2. Hence the problem of characterizing secure computability of general randomized functions reduces to the problem of characterizing secure computability of randomized functions which are kernels. Such functions are symmetric and simple (a symmetric function G is simple, if \(\Pr [G(x,y)=z]=\rho (x,z)\cdot \sigma (y,z)\) for some fixed functions \(\rho :\mathcal {X} \times \mathcal {Z} \rightarrow \mathbb {R}_+ \) and \(\sigma :\mathcal {Y} \times \mathcal {Z} \rightarrow \mathbb {R}_+ \), where \(\mathcal {X} \) and \(\mathcal {Y} \) are Alice’s and Bob’s input domains and \(\mathcal {Z} \) is their common output domain). As such, we work with symmetric and simple functions.

Characterizing Ternary-Kernel Functions. Our main result could be stated as follows:

Theorem 1

If a randomized function F has a kernel G with an output alphabet of size at most 3, then F is securely computable if and only if F is simple and there is some ordering of G’s output alphabet \(\mathcal {Z}\) as \((z_1,z_2,z_3)\) and two functions \(q:\mathcal {X} \rightarrow [0,1]\) and \(r:\mathcal {Y} \rightarrow [0,1]\), such that one of the following holds:

$$\begin{aligned} \begin{aligned} \Pr [G(x,y)=z_1]&= q(x) \\ \Pr [G(x,y)=z_2]&= (1-q(x))\cdot r(y) \\ \Pr [G(x,y)=z_3]&= (1-q(x))\cdot (1-r(y)) \\ \end{aligned} \;\textit{or}\; \begin{aligned} \Pr [G(x,y)=z_1]&= r(y) \\ \Pr [G(x,y)=z_2]&= (1-r(y))\cdot q(x) \\ \Pr [G(x,y)=z_3]&= (1-r(y))\cdot (1-q(x)) \\ \end{aligned} \end{aligned}$$

Note that if the first set of conditions holds, there is a secure protocol in which Alice either sends \(z_1\) as the output to Bob (with probability q(x)) or asks Bob to pick the output; if Bob is asked to pick the output he sends back either \(z_2\) as the output (with probability r(y)) or \(z_3\) otherwise. If the second condition holds there is a symmetric protocol with Bob making the first move.

Surprisingly, these are the only two possibilities for G to have a secure protocol. To prove this, however, takes a careful analysis of the linear-algebraic constraints put on a protocol by the security definition and the fact that the function is simple. We start by observing that a secure protocol for a symmetric simple function must have a simulator that can simulate the transcript of an execution merely from the output (rather than the corrupt party’s input and the output).Footnote 1 Then, supposing that the first message in the protocol is a single bit sent by Alice, we identify that there is a quantity independent of either party’s input, denoted by \(\phi (z)\), that gives the probability of the first message being 0, conditioned on the output being z. Specifying these quantities, \(\phi (z)\) at each round fully specifies the protocol. We show that \(\sum _{z\in \mathcal {Z}} \Pr [G(x,y)=z]\cdot \phi (z) = q(x)\), a quantity independent of y. By carefully analyzing the constraints arising from these equations, we prove Theorem 1.

Characterizing Functions Having 2-Round Protocols. Our second result is as follows:

Theorem 2

A function F has a 2-round secure protocol iff its kernel has a 2-round unique-transcript protocol.

Observe that F has a 2-round secure protocol iff its kernel has one too, as F is isomorphic to its kernel and a secure protocol for a function can be transformed to one for an isomorphic function without changing the communication involved. What needs to be proven is that if the kernel (or any symmetric simple function) has a 2-round secure protocol, then it has a 2-round unique-transcript protocol. We do this by identifying an equivalence relation among the outputs, such that any 2-round protocol with (say) Alice making the first move will have Alice’s input only influencing which equivalence class of the output is chosen, and then Bob’s input influences which output is chosen, given its equivalence class.

1.2 Related Work

There has been a large body of work regarding the complexity of secure multi-party and 2-party computation. [MPR13] surveys many of the important results in the area. Kushilevitz [Kus89] gave a combinatorial characterization of securely computable two-party deterministic functions (with perfect security), along with a generic round-optimal secure protocol for functions that satisfy the characterization condition. This was later extended to statistical security and also to security against active corruption [MPR09, KMQR09].

Among randomized functions in which only Bob gets any output, simple functions have a deterministic kernel corresponding to a function of Alice’s input alone, and hence are always securely computable. This observation was already made by Kilian [Kil00]. Recently, Data [Dat16] considered the same problem with a probability distribution on the inputs, and gave communication-optimal protocols in different security settings.

2 Preliminaries

A general randomized function is denoted by a conditional probability distribution \(p_{Z_AZ_B|XY}\), where \(X,Y,Z_A,Z_B\) take values in finite alphabets \(\mathcal {X},\mathcal {Y},\mathcal {Z} _A,\mathcal {Z} _B\), respectively. In a protocol for computing this function, when Alice and Bob are given inputs \(x\in \mathcal {X} \) and \(y\in \mathcal {Y} \), respectively, they should output \(z_A\in \mathcal {Z} _A\) and \(z_B\in \mathcal {Z} _B\) respectively, such that \((z_A,z_B)\) is distribute according to \(p_{Z_AZ_B|X=x,Y=y}\).

Notation. We shall consider various discrete random variables (inputs, outputs, protocol messages). We denote the probability mass function of a random variable U by \(p_U\). For random variables (UV), we denote the conditional probability mass function of U conditioned on V by \(p_{U|V}\). [n] denotes the set \(\{1,\cdots ,n\}\).

Protocols. We consider computationally unbounded two-party protocols, without any setup. Such a protocol \(\varPi \) is fully defined by the input and output domains, the next message functions and the output functions for Alice and Bob. Let \((\mathcal {X},\mathcal {Z} _A,\mathrm {next}^A_\varPi ,\mathrm {out}^A_\varPi )\) and \((\mathcal {Y},\mathcal {Z} _B,\mathrm {next}^B_\varPi ,\mathrm {out}^B_\varPi )\) denote the input domain, output domain, the next message function and the output function, for Alice and Bob, respectively. The functions are all potentially randomized. \(\mathrm {next}^A_\varPi \) and \(\mathrm {next}^B_\varPi \) output the next message given the transcript so far and the local input. (Note that in the information-theoretic setting, protocols need not maintain local state.) Similarly, \(\mathrm {out}^A_\varPi \) and \(\mathrm {out}^B_\varPi \) map the transcript and local input to a local output in \(\mathcal {Z} _A\) and \(\mathcal {Z} _B\), respectively.

In running a protocol, Alice and Bob are first given inputs \(x\in \mathcal {X} \) and \(y\in \mathcal {Y} \), respectively. Then they take turns sending messages to each other according to their next message functions, and in the end (recognizable by both parties) each party produces an output according to its output function. We assume that the protocol terminates with probability one after a finite number rounds.

Running a protocol induces a distribution over the set of all possible (complete) transcripts, \(\mathcal {M}\). The protocol \(\varPi \) induces a conditional probability distribution \(\mathrm {Pr}_\varPi [m|x,y] \), for every input \(x\in \mathcal {X},y\in \mathcal {Y} \) and every \(m\in \mathcal {M} \). Suppose that \(m=(m_1,m_2,\ldots ,)\) is the transcript generated by \(\varPi \) when parties have inputs x and y, where \(m_i\)’s, for odd i, are sent by Alice, and \(m_i\)’s, for even i, are sent by Bob. Note that during the execution of a protocol, a message sent by any party is determined by its input and all the messages it has exchanged so far; and conditioned on these two, the message is independent of the other party’s input. Using this we can write \(\mathrm {Pr}_\varPi [m|x,y] =\alpha (m,x)\beta (m,y)\), where \(\alpha (m,x)=\varPi _{i:i\text { is odd}}\mathrm {Pr}_\varPi [m_i|m_{<i},x] \), and \(\beta (m,y)=\varPi _{i:i\text { is even}}\mathrm {Pr}_\varPi [m_i|m_{<i},y] \).

Secure Protocols. Throughout this paper security refers to information-theoretic semi-honest security. We restrict ourselves to finite functions and perfect security. We remark that all our results can be extended to statistical security, as we shall show in the full version.

Definition 1

A protocol \(\varPi \) for computing a function \(p_{Z_AZ_B|XY}\), with transcript space \(\mathcal {M}\), is said to be (perfectly semi-honest) secure iff there exist functions \(S_1 : \mathcal {M} \times \mathcal {X} \times \mathcal {Z} _A \rightarrow [0,1]\) and \(S_2 : \mathcal {M} \times \mathcal {Y} \times \mathcal {Z} _B \rightarrow [0,1]\) such that \(\mathrm {Pr}_\varPi [m|x,y,z_A,z_B] = S_1(m,x,z_A) = S_2(m,y,z_B)\) for all \(m\in \mathcal {M} \) and \(x,y,z_A,z_B\) such that \(p_{Z_AZ_B|XY}(z_A,z_B|x,y) > 0\).

Kernel and Simple Functions. Maji et al. [MPR12] simplified the secure computation of a general randomized function \(p_{Z_AZ_B|XY}\) to secure computation of a symmetric randomized function \(p_{Z|XY}\). For that they defined weighted characteristic bipartite graph of a randomized function \(p_{Z_AZ_B|XY}\) as \(\mathcal {G} (p_{Z_AZ_B|XY})=(V,E,\textsf {wt})\), where

  • \(V=(\mathcal {X} \times \mathcal {Z} _A)\cup (\mathcal {Y} \times \mathcal {Z} _B)\),

  • \(E=\{((x,z_A),(y,z_B)):p_{Z_AZ_B|XY}(z_A,z_B|x,y)>0\}\), and

  • the weight function wt:\((\mathcal {X} \times \mathcal {Z} _A)\times (\mathcal {Y} \times \mathcal {Z} _B)\rightarrow [0,1]\) is defined as

    $$\begin{aligned} \textsf {wt}((x,z_A),(y,z_B)):= \frac{p_{Z_AZ_B|XY}(z_A,z_B|x,y)}{|\mathcal {X} |\times |\mathcal {Y} |}. \end{aligned}$$

    Note that if \(((x,z_A),(y,z_B))\notin E\), then \(\textsf {wt}((x,z_A),(y,z_B))=0\).

Let k be the number of connected components in the above-defined graph. We say that \(\mathcal {G} (p_{Z_AZ_B|XY})=(V,E,\textsf {wt})\) is a product distribution graph, if there exist probability distributions p over \(\mathcal {X} \times \mathcal {Z} _A\), q over \(\mathcal {Y} \times \mathcal {Z} _B\), and c over [k], such that for all \((x,z_A)\in \mathcal {X} \times \mathcal {Z} _A\) and \((y,z_B)\times \mathcal {Y} \times \mathcal {Z} _B\), if \(((x,z_A),(y,z_B))\) lies in the \(j^{\text {th}}\) connected component of \(\mathcal {G} (p_{Z_AZ_B|XY})=(V,E,\textsf {wt})\), then \(\textsf {wt}((x,z_A),(y,z_B))=p(x,z_A)\cdot q(y,z_B)/c_j\), otherwise \(\textsf {wt}((x,z_A),(y,z_B))=0\).

Definition 2

(Kernel – Common-information in a randomized function [MPR12]). The kernel of a randomized function \(p_{Z_AZ_B|XY}\) is a symmetric randomized function, which takes x and y from the parties and samples \((z_A,z_B)\) according to \(p_{Z_AZ_B|X=x,Y=y}\). Then it outputs to both parties the connected component of \(\mathcal {G} (p_{Z_AZ_B|XY})\) which contains the edge \(((x,z_A),(y,z_B))\).

Note that the kernel of \(p_{Z_AZ_B|XY}\) is a symmetric randomized function. We denote it by \(p_{Z|XY}\), where the alphabet of Z is \(\mathcal {Z} =\{z_1,z_2,\ldots ,z_k\}\), where k is the number of connected components in \(\mathcal {G} (p_{Z_AZ_B|XY})\). The kernel \(p_{Z|XY}\) is defined as follows: for every \(j\in [k]\), \(p_{Z|XY}(z_j|x,y):=\sum _{(z_A,z_B)}p_{Z_AZ_B|XY}(z_A,z_B|x,y)\), where summation is taken over all \((z_A,z_B)\)’s such that \(((x,z_A),(y,z_B))\) lies in the \(j^{\text {th}}\) connected component in \(\mathcal {G} (p_{Z_AZ_B|XY})\). The following theorem was proved in [MPR12].

Theorem 3

[MPR12, Theorem 3]. A randomized function \(p_{Z_AZ_B|XY}\) is securely computable if and only if \(\mathcal {G} (p_{Z_AZ_B|XY})\) is a product distribution graph and the kernel of \(p_{Z_AZ_B|XY}\) is securely computable.

Theorem 3 reduces secure computablity of \(p_{Z_AZ_B|XY}\) to secure computability of the kernel of \(p_{Z_AZ_B|XY}\) and a simple combinatorial check on \(p_{Z_AZ_B|XY}\) (which is to check whether the weighted characteristic bipartite graph of \(p_{Z_AZ_B|XY}\) is a product distribution graph or not).Footnote 2

Definition 3

A symmetric randomized function \(p_{Z|XY}\) is said to be simple if there exist two functions \(\rho :\mathcal {X} \times \mathcal {Z} \rightarrow \mathbb {R}_+ \) and \(\sigma :\mathcal {Y} \times \mathcal {Z} \rightarrow \mathbb {R}_+ \) such that for all \(x\in \mathcal {X}, y\in \mathcal {Y} \), and \(z\in \mathcal {Z} \), \(p_{Z|XY}(z|x,y)=\rho (x,z)\cdot \sigma (y,z)\).

Here \(\mathbb {R}_+\) denotes the set of non-negative real numbers. For deterministic functions, instead of \(\mathbb {R}_+\), one can take \(\{0,1\}\) in the above definition.

Remark 1

The original definition of a simple function given in [MPR12] seems to be different from our definition. There it was defined for a general randomized function \(p_{Z_AZ_B|XY}\), which defined simplicity in terms of isomorphism between a function and its kernel, whereas we defined simplicity for symmetric functions only. Since isomorphic functions are essentially equivalent – up to sampling additional local outputs – and the kernel of a general randomized function is a symmetric function, our definition of simplicity is equivalent to the one given in [MPR12].

Note that the Kernel of a securely computable randomized function \(p_{Z_AZ_B|XY}\) is a simple function. As shown in [MPR12], a secure protocol for the kernel can be transformed to one for the original function itself, and vice versa, without changing the communication involved. Thus we shall focus on characterizing secure computability for kernel functions, which are all symmetric, simple functions.

The combinatorial definition of simplicity above will be crucially used in our analysis. Indeed, the factorization property clarifies otherwise obscure connections and elusive constraints.

For protocols for simple and symmetric functions, the output can be written as a function merely of the transcript and we can simulate the transcript just based on the (common) output, without needing either party’s input. We prove the following lemma in Appendix A.

Lemma 1

If \(\varPi \) is a perfectly semi-honest secure protocol for a simple symmetric function \(p_{Z|XY}\), then there are (deterministic) functions \(\mathrm {out}_\varPi :\mathcal {M} \rightarrow \mathcal {Z} \) and \(S:\mathcal {M} \rightarrow [0,1]\) such that for all \(x\in \mathcal {X} \), \(y\in \mathcal {Y} \), \(z\in \mathcal {Z} \) and \(m\in \mathcal {M} \),

$$\begin{aligned} \mathrm {out}^A_\varPi (m,x)&=\mathrm {out}^B_\varPi (m,y)=\mathrm {out}_\varPi (m)&{if}\quad \mathrm {Pr}_\varPi [m|x,y]>0, \\ \mathrm {Pr}_\varPi [m|x,y,z]&= S(m,z)&{if}\quad p_{Z|XY}(z|x,y)>0. \end{aligned}$$

Note that above, if \(z\not =\mathrm {out}_\varPi (m)\), \(S(m,z)=\mathrm {Pr}_\varPi [m|x,y,z] =0\). By writing \(\mu (m)=S(m,\mathrm {out}_\varPi (m))\) we have the following: for all \(x\in \mathcal {X} \), \(y\in \mathcal {Y} \), \(z\in \mathcal {Z} \) s.t. \(p_{Z|XY}(z|x,y)>0\), and all \(m\in \mathcal {M} \), we have

$$\begin{aligned} \mathrm {Pr}_\varPi [m|x,y,z] = {\left\{ \begin{array}{ll} \mu (m) &{} \text { if } \,\,\mathrm {out}_\varPi (m) = z \\ 0 &{} \text { otherwise.} \end{array}\right. } \end{aligned}$$
(1)

Thus, for each \(z\in \mathcal {Z} \) (such that for some (xy), \(p_{Z|XY}(z|x,y)>0\)), \(\mu \) defines a probability distribution over \(\{ m \in \mathcal {M}: \mathrm {out}_\varPi (m)=z \}\). Also, since \(\mathrm {Pr}_\varPi [m|x,y] = \mathrm {Pr}_\varPi [m,z|x,y],\) for \(z=\mathrm {out}_\varPi (m)\), and \(\mathrm {Pr}_\varPi [m,z|x,y] = \mathrm {Pr}_\varPi [m|x,y,z] \cdot \mathrm {Pr}_\varPi [z|x,y] = \mu (m) \cdot p_{Z|XY}(z|x,y)\) we have, for all \(x\in \mathcal {X},y\in \mathcal {Y},m\in \mathcal {M} \),

$$\begin{aligned} \mathrm {Pr}_\varPi [m|x,y] = \mu (m) \cdot p_{Z|XY}(\mathrm {out}_\varPi (m)|x,y). \end{aligned}$$
(2)

A Normal Form for \(p_{Z|XY}\). For a symmetric randomized functionality \(p_{Z|XY}\), we define the relation \(x\equiv x'\) for \(x,x'\in \mathcal {X} \) to hold, if \(\forall y\in \mathcal {Y},z\in \mathcal {Z} \), \(p(z|x,y)= p(z|x',y)\); similarly we define \(y\equiv y'\) for \(y,y'\in \mathcal {Y} \). We define \(z\equiv z'\) for \(z,z'\in \mathcal {Z} \), if there exists a constant \(c> 0\) such that \(\forall x\in \mathcal {X},y\in \mathcal {Y} \), \(p(z|x,y)=c\cdot p(z'|x,y)\). We say that \(p_{Z|XY}\) is in normal form if \(x\equiv x'\Rightarrow x=x'\), \(y\equiv y'\Rightarrow y=y'\), and \(z\equiv z'\Rightarrow z=z'\).

It is easy to see that any \(p_{Z|XY}\) can be transformed into one in normal form \(p_{Z^*|X^*Y^*}\) with possibly smaller alphabets, so that \(p_{Z|XY}\) is securely computable if and only if \(p_{Z^*|X^*Y^*}\) is securely computable. We will assume in this paper that \(p_{Z|XY}\) is in normal form.

For the ease of notation, in this paper we often denote a randomized function \(p_{Z|XY}\) by an equivalent function f, such that \(f(x,y,z)=p_{Z|XY}(z|x,y)\), for every \(x\in \mathcal {X},y\in \mathcal {Y},z\in \mathcal {Z} \). We may use f and \(p_{Z|XY}\) interchangeably.

Unique-Transcript Protocols. A unique transcript protocol \(\varPi \) for a symmetric function is one in which each output \(z\in \mathcal {Z} \) has a unique transcript that can result in it: i.e., for every \(z\in \mathcal {Z} \), there is at most one \(m\in \mathcal {M} \) such that \(\mathrm {out}_\varPi (m)=z\). Such a protocol is always a secure protocol for the function it computes (and has a deterministic simulator, which when given an output z assigns probability 1 to the unique transcript m such that \(\mathrm {out}_\varPi (m)=z\)).

It follows from [Kus89] that every securely computable simple deterministic function has a unique-transcript secure protocol. The subset of securely computable simple randomized functions that we characterize also have unique-transcript protocols. However, we shall show an example of a securely computable function (just outside the sets we characterize) which does not have any unique-transcript protocol. Understanding such functions remains the next step in fully characterizing securely computable randomized functions.

3 Characterization of Functions up to Ternary Output Alphabet

As mentioned earlier, we shall represent a randomized function \(p_{Z|XY}\) by an equivalent function \(f:\mathcal {X} \times \mathcal {Y} \times \mathcal {Z} \rightarrow [0,1]\), such that \(f(x,y,z)=p_{Z|XY}(z|x,y)\). For a simple function f, we shall write \(f=(\rho ,\sigma )\) where \(f(x,y,z)=\rho (x,z)\cdot \sigma (y,z)\). Note that for every \(x\in \mathcal {X},y\in \mathcal {Y} \) we have \(\sum _{z\in \mathcal {Z}}f(x,y,z)=1\).

3.1 Compact Representation of Secure Protocols

We assume, w.l.o.g., that both Alice and Bob send only binary messages to each other in every round, and only one party sends a message in one round. Suppose \(\varPi \) is a protocol that securely computes a simple function \(f=(\rho ,\sigma )\). In this section we consider protocols of an arbitrary number of rounds, and so, w.l.o.g., we assume that in \(\varPi \) Alice and Bob take turns exchanging single bits and that Alice sends the first message in \(\varPi \).

Let \(q:\mathcal {X} \rightarrow [0,1]\) be such that, Alice, given an input x chooses 0 as her first message with probability q(x) (and 1 with probability \(1-q(x)\)). We define \(\varPi ^{(0)}\) to be the protocol, with input spaces \(\mathcal {X} ^{(0)} =\{ x\in \mathcal {X}: q(x) > 0 \}\) and \(\mathcal {Y}\), in which Alice’s first message is redefined to be 0 with probability 1 for every input \(x\in \mathcal {X} ^{(0)} \); otherwise \(\varPi ^{(0)}\) has identical next message and output functions as \(\varPi \). Let \(f^{(0)}\) be the function computed by \(\varPi ^{(0)}\): i.e., \(f^{(0)} (x,y,z)=\mathrm {Pr}_{\varPi ^{(0)}}[z|x,y] \) for all \(x\in \mathcal {X} ^{(0)}, y\in \mathcal {Y}, z\in \mathcal {Z} \). \(f^{(1)}\) is defined symmetrically.

Claim 1

There exists a function \(\phi :\mathcal {Z} \rightarrow [0,1]\) such that for all \(x\in \mathcal {X},y\in \mathcal {Y} \),

$$\begin{aligned} q(x) = \sum _{z\in \mathcal {Z}} \phi (z) f(x,y,z). \end{aligned}$$
(3)

Further, \(f^{(0)} (x,y,z) = \frac{\phi (z)}{q(x)}\cdot f(x,y,z) \), for all \(x\in \mathcal {X} ^{(0)},y\in \mathcal {Y},z\in \mathcal {Z} \).

Proof

We define

$$\begin{aligned} \phi (z) := \sum _{\begin{array}{c} m: m_1=0,\\ \mathrm {out}_\varPi (m)=z \end{array}} \mu (m), \end{aligned}$$
(4)

where \(\mu (m)\) is as defined in (1). Here \(m_1\) denotes the first bit in the transcript m. Note that we have \(\phi (z) \in [0,1]\) because for each z, \(\mu \) defines a probability distribution over \(\mathcal {M} _z := \{ m : \mathrm {out}_\varPi (m) = z \}\) and \(\phi (z)\) sums up the probabilities for a subset of \(\mathcal {M} _z\).

To see that \(\phi \) satisfies the claim, note that \(\sum _{z\in \mathcal {Z}} \phi (z)f(x,y,z) = \sum _{m:m_1=0} \mu (m) \cdot f(x,y,\mathrm {out}_\varPi (m))\). Now, from (2), \(\mu (m) \cdot f(x,y,\mathrm {out}_\varPi (m)) = \mathrm {Pr}_\varPi [m|x,y] \). Hence,

$$\begin{aligned} \sum _{z\in \mathcal {Z}} \phi (z) f(x,y,z) = \sum _{m:m_1=0} \mathrm {Pr}_\varPi [m|x,y] = q(x). \end{aligned}$$

Also, for all \(x\in \mathcal {X} ^{(0)},y\in \mathcal {Y},z\in \mathcal {Z} \),

$$\begin{aligned} f^{(0)} (x,y,z)&= \sum _{\begin{array}{c} m:\\ \mathrm {out}_\varPi (m)=z \end{array}} \mathrm {Pr}_{\varPi ^{(0)}}[m|x,y] = \sum _{\begin{array}{c} m: m_1=0,\\ \mathrm {out}_\varPi (m)=z \end{array}} \frac{\mathrm {Pr}_\varPi [m|x,y]}{q(x)} = \sum _{\begin{array}{c} m: m_1=0,\\ \mathrm {out}_\varPi (m)=z \end{array}} \mu (m)\frac{f(x,y,z)}{q(x)} \\&= \frac{f(x,y,z)}{q(x)} \phi (z). \end{aligned}$$

   \(\square \)

Note that since \(\mu (m)\) is the probability of the transcript being m given that the output is \(\mathrm {out}_\varPi (m)\), (4) gives that for every \(z\in \mathcal {Z} \), \(\phi (z)=\Pr [m_1=0|\mathrm {out}_\varPi (m)=z]\), i.e., the probability of the first message being 0, conditioned on the output being z. It follows from Claim 1 that a secure protocol is completely and compactly described by the values of \((\phi (z))_{z\in \mathcal {Z}}\) similarly defined in every round.

Remark 2

If \(\phi (z)=c\) for all \(z\in \mathcal {Z} \), then \(q(x)=c\) for all \(x\in \mathcal {X} \) (because \(\sum _{z\in \mathcal {Z}} f(x,y,z)=1\) for all (xy)). Further, if \(c>0\), \(f^{(0)} = f\), and if \(c<1\), \(f^{(1)} =f\). This corresponds to a protocol in which Alice sends an inconsequential first message, which neither depends on her input, nor influences the output. Hence, if \(\varPi \) is round-optimal, it cannot be the case that \(\phi (z)=c\) for all \(z\in \mathcal {Z} \).

Note that (3) holds for every \(y\in \mathcal {Y} \). Hence, we obtain

$$\begin{aligned} \sum _{z\in \mathcal {Z}} \big (f(x,y,z) - f(x,y',z) \big ) \phi (z) = 0 \qquad \forall x\in \mathcal {X}, y,y'\in \mathcal {Y}. \end{aligned}$$
(5)

For each \(x\in \mathcal {X} \), this gives a system of \(|\mathcal {Y} |-1\) equations, by choosing a fixed \(y\in \mathcal {Y} \) and all \(y'\in \mathcal {Y} \setminus \{y\}\) (one may write the equations resulting from other choices of \(y,y'\) as linear combinations of these \(|\mathcal {Y} |-1\) equations).

3.2 Binary Output Alphabet

Theorem 4

If \(f:\mathcal {X} \times \mathcal {Y} \times \mathcal {Z} \rightarrow [0,1]\) is a simple function with \(|\mathcal {Z} |=2\), then f is securely computable.

Proof

In fact, we can prove a stronger statement: if f is as above, then f(xyz) is either independent of x or independent of y (or both). In that case, clearly f is securely computable by a protocol in which one party computes the output and sends it to the other party.

Since f is simple, we have \(f(x,y,z)=\rho (x,z)\cdot \sigma (y,z)\), for all \(x\in \mathcal {X},y\in \mathcal {Y},z\in \mathcal {Z} \). Since \(|\mathcal {Z} |=2\), we let \(\mathcal {Z} =\{0,1\}\), and abbreviate \(\rho (x,z)\) as \(\rho _z(x)\) and \(\sigma (y,z)\) as \(\sigma _z(y)\) (for \(z\in \{0,1\}\)). Note that we have the following system of equations:

$$\begin{aligned} \rho _0(x)\sigma _0(y) + \rho _1(x)\sigma _1(y) = 1 \qquad \forall (x,y)\in \mathcal {X} \times \mathcal {Y} \end{aligned}$$
(6)

We consider 3 cases:

Case 1:  In this case, one can solve the system in (6) to get two values \(s_0\), \(s_1\) such that \(\sigma _0(y)=s_0\) and \(\sigma _1(y)=s_1\) for all \(y\in \mathcal {Y} \). (Concretely, \(s_0=\frac{\rho _1(x')-\rho _1(x)}{\varDelta }\) and \(s_1=\frac{\rho _0(x)-\rho _0(x')}{\varDelta }\), where \(\varDelta =\rho _0(x)\rho _1(x') - \rho _0(x')\rho _1(x) \not = 0\).) Hence \(f(x,y,z)=\rho (x,z)\cdot s_z\), depends only on x.

Case 2: In this case we shall show that, \(\forall x'\in \mathcal {X} \), \(\rho _0(x')=0\). Hence the function is the constant, deterministic function, with \(f(x,y,0)=0\) for all (xy).

Let x be such that \(\rho _0(x)=0\). Since \(\rho _0(x)\sigma _0(y) + \rho _1(x)\sigma _1(y) = 1\) (for any \(y\in \mathcal {Y} \)), we have \(\rho _1(x)\not =0\). Then, since \(\forall x'\in \mathcal {X} \), \(\rho _0(x)\rho _1(x') = \rho _0(x')\rho _1(x)\), we have \(0 = \rho _0(x')\rho _1(x)\) which implies \(\rho _0(x')=0\), as claimed.

Case 3: In this case, \(\forall x,x'\in \mathcal {X} \), \(\frac{\rho _1(x)}{\rho _0(x)} = \frac{\rho _1(x')}{\rho _0(x')} = \theta \), say. Then, from (6), we have that \(\forall x\in \mathcal {X}, y\in \mathcal {Y} \), \(\rho _0(x) = \frac{1}{\sigma _0(y) + \theta \sigma _1(y)}\) and \(\rho _1(x) = \frac{\theta }{\sigma _0(y) + \theta \sigma _1(y)}\). Since the RHS in these two expressions do not depend on x, there are constants \(r_0,r_1\) such that for all \(x\in \mathcal {X} \), \(\rho _0(x)=r_0\) and \(\rho _1(x)=r_1\). Hence \(f(x,y,z)=r_z\cdot \sigma (y,z)\), depends only on y.    \(\square \)

3.3 Ternary Output Alphabet

To prove Theorem 1, we can focus on kernel functions, or simple symmetric functions. Let \(\mathcal {Z} =\{z_1,z_2,z_3\}\). For a given symmetric function f with \(\mathcal {Z} \) as its output alphabet, we define two binary functions and \(f_i\), for any \(i\in [3]\), as follows:

  1. 1.

    Output alphabet of is \(\{z_i,z_*\}\). For every \(x\in \mathcal {X},y\in \mathcal {Y} \), we define and .

  2. 2.

    Output alphabet of \(f_i\) is \(\mathcal {Z} \setminus \{z_i\}\). For every \(x\in \mathcal {X},y\in \mathcal {Y} \) for which \(f(x,y,z_i)<1\), we define, \(f_i(x,y,z_j):=f(x,y,z_j)/(1-f(x,y,z_i))\), for \(j\in [3]\setminus \{i\}\). If \(f(x,y,z_i)=1\) for some \(x\in \mathcal {X},y\in \mathcal {Y} \), we leave \(f_i(x,y,z_i)\) undefined.

Note that if for some \(\tilde{x}\in \mathcal {X} \), \(f(\tilde{x},y,z_i)=1, \forall y\in \mathcal {Y} \), then we need not define \(f_i\) for this particular \(\tilde{x}\), because \(f(\tilde{x},y,z_j)=0, \forall j\ne i\) and for all \(y\in \mathcal {Y} \). Similarly, if for some \(\tilde{y}\in \mathcal {Y} \), \(f(x,\tilde{y},z_i)=1, \forall x\in \mathcal {X} \), then we need not define \(f_i\) for this particular \(\tilde{y}\), because \(f(x,\tilde{y},z_j)=0, \forall j\ne i\) and for all \(x\in \mathcal {X} \). In the following, when we say that \(f_i\) is securely computable, it must be defined for all inputs.

Theorem 5

Suppose f is simple and in normal form. Then, f is securely computable if and only if there exists an \(i\in [3]\) such that both and \(f_i\) are simple.

Remark 3

Since and \(f_i\) are binary functions, being simple implies that they are functions of only one party’s input (see proof of Theorem 4). Theorem 1 follows by considering the different possibilities of which party’s input they can each depend on.

Remark 4

In the case of functions with a binary output alphabet, we proved in Subsect. 3.2 that if a function is simple, it is securely computable. However, Theorem 5 lets us show that this is not true in general (see in Sect. 5.1).

Proof of Theorem 5

If \(|\mathcal {X} |=1\) or \(|\mathcal {Y} |=1\), then the theorem is trivially true. So, in the following we assume that \(|\mathcal {X} |,|\mathcal {Y} |\ge 2\). First we show the only if (\(\Rightarrow \)) part, and then the if (\(\Leftarrow \)) part.

\(\Rightarrow \): Suppose f is securely computable. Since f is simple, we can write \(f(x,y,z)=\rho (x,z)\sigma (y,z)\). Fix a round-optimal secure protocol \(\varPi \) for f. Below, we assume that Alice sends the first message in \(\varPi \) (the case when Bob sends the first message being symmetric). Let \(\phi \) be as in Claim 1. Since \(\varPi \) is round-optimal, as discussed in Remark 2,

$$\begin{aligned} \exists i,j\in [3] \text { s.t. } \phi (z_i)\not =\phi (z_j). \end{aligned}$$
(7)

For \(i\in [3]\) and \(x\in \mathcal {X} \), \(y,y'\in \mathcal {Y} \), we define

$$\begin{aligned} \nabla \!f_{i}^{x,y,y'} := f(x,y,z_i)-f(x,y',z_i). \end{aligned}$$
(8)

It follows from (5) and (8) that, \(\forall x\in \mathcal {X}, y,y'\in \mathcal {Y} \):

$$\begin{aligned} \nabla \!f_{1}^{x,y,y'} \phi (z_1) + \nabla \!f_{2}^{x,y,y'} \phi (z_2) + \nabla \!f_{3}^{x,y,y'} \phi (z_3) = 0. \end{aligned}$$
(9)

Since \(\sum _{z\in \mathcal {Z}} f(x,y,z)=1\) holds for every \(x\in \mathcal {X},y\in \mathcal {Y} \), we have that \(\sum _{i=1}^3\nabla \!f_{i}^{x,y,y'} =0\), for every \(x\in \mathcal {X} \) and \(y,y'\in \mathcal {Y} \). Using this to replace \(\nabla \!f_{3}^{x,y,y'} \) in (9), we can write, \(\forall x\in \mathcal {X}, y,y'\in \mathcal {Y} \):

$$\begin{aligned} \nabla \!f_{1}^{x,y,y'} (\phi (z_1)-\phi (z_3)) + \nabla \!f_{2}^{x,y,y'} (\phi (z_2)-\phi (z_3)) = 0 \end{aligned}$$
(10)

(and two similar equations, replacing \(\nabla \!f_{1}^{x,y,y'} \) and \(\nabla \!f_{2}^{x,y,y'} \), respectively).

We define a function \(\mathsf {type}_f:\mathcal {X} \times \mathcal {Y} \times \mathcal {Y} \rightarrow \mathbb {T} \), which classifies \((x,y,y')\) into one of 5 possible types in the set \(\mathbb {T} =\{ \mathsf {T}_{1}, \mathsf {T}_{2:1},\mathsf {T}_{2:2}, \mathsf {T}_{2:3}, \mathsf {T}_{3} \}\), depending on for which i, \(\nabla \!f_{i}^{x,y,y'} =0\):

  1. 1.

    \(\mathsf {type}_f (x,y,y') = \mathsf {T}_{1} \) if \(\nabla \!f_{1}^{x,y,y'} =\nabla \!f_{2}^{x,y,y'} =\nabla \!f_{3}^{x,y,y'} =0\).

  2. 2.

    \(\mathsf {type}_f (x,y,y') = \mathsf {T}_{2:i} \) if \(\nabla \!f_{i}^{x,y,y'} =0\) and \(\forall j \in [3]\setminus \{i\}\), \(\nabla \!f_{j}^{x,y,y'} \not =0\).

  3. 3.

    \(\mathsf {type}_f (x,y,y') = \mathsf {T}_{3} \) if \(\forall i \in [3]\), \(\nabla \!f_{i}^{x,y,y'} \not =0\).

Note that since \(\sum _{i=1}^3\nabla \!f_{i}^{x,y,y'} =0\), it cannot be the case that exactly one of \(\nabla \!f_{i}^{x,y,y'} \ne 0\).

We define the type of f itself as the set:

$$\begin{aligned} T (f) := \{ \tau \in \mathbb {T}: \exists (x,y,y')\text { s.t. } \mathsf {type}_f (x,y,y')=\tau \}. \end{aligned}$$
(11)

We prove several claims regarding \(T (f)\) before showing that and \(f_i\) are simple. In proving these claims, we shall use the fact that f is simple, is in normal-form, and \(|\mathcal {X} |,|\mathcal {Y} |>1\).

Claim 2

\(\mathsf {T}_{3} \notin T (f)\).

Proof

For the sake of contradiction, suppose there exists \((x,y,y')\) such that \(\mathsf {type}_f (x,y,y')=\mathsf {T}_{3} \). Consider any \(x'\in \mathcal {X} \setminus \{x\}\). From (10), we have

$$\begin{aligned} \nabla \!f_{1}^{x,y,y'} (\phi (z_1)-\phi (z_3)) + \nabla \!f_{2}^{x,y,y'} (\phi (z_2)-\phi (z_3))&= 0 \\ \nabla \!f_{1}^{x',y,y'} (\phi (z_1)-\phi (z_3)) + \nabla \!f_{2}^{x',y,y'} (\phi (z_2)-\phi (z_3))&= 0 \end{aligned}$$

We shall show that \(\nabla \!f_{1}^{x,y,y'} \nabla \!f_{2}^{x',y,y'} \not = \nabla \!f_{2}^{x,y,y'} \nabla \!f_{1}^{x',y,y'} \). Then, the above system can be uniquely solved for \(\phi (z_1)-\phi (z_3)\) and \(\phi (z_2)-\phi (z_3)\), to yield 0 as the solution in each case. That is, \(\phi (z_1)=\phi (z_2)=\phi (z_3)\), contradicting (7).

To complete the proof, we argue that \(\nabla \!f_{1}^{x,y,y'} \nabla \!f_{2}^{x',y,y'} \not = \nabla \!f_{2}^{x,y,y'} \nabla \!f_{1}^{x',y,y'} \). Suppose not. Then, , say (the denominators being non-zero, since \(\mathsf {type}_f (x,y,y')=\mathsf {T}_{3} \)). Then, . Invoking the simplicity of f, we get that \(\forall j\in [3]\), \(\frac{\rho (x,z_j)}{\rho (x',z_j)}=\theta \). However, since for any y we have \(\sum _j \rho (x,z_j)\sigma (y,z_j) = \sum _j \rho (x',z_j)\sigma (y,z_j)\), we get \(\theta =1\). Then, \(x\equiv x'\), contradicting the normal form of f. This completes the proof.    \(\square \)

Claim 3

There can be at most one \(i\in [3]\) such that \(\mathsf {T}_{2:i} \in T (f)\).

Proof

For the sake of contradiction, suppose \(\mathsf {type}_f (x,y,y')=\mathsf {T}_{2:j} \), and \(\mathsf {type}_f (\tilde{x},\tilde{y},\tilde{y}')=\mathsf {T}_{2:k} \), for \(j\not =k\). We consider the case \(j=1, k=2\), as the other cases are symmetric. Now, \(\mathsf {type}_f (x,y,y')=\mathsf {T}_{2:1} \), implies that \(\nabla \!f_{i}^{x,y,y'} =0\) only for \(i=1\) and hence, by (10), we have \(\nabla \!f_{2}^{x,y,y'} (\phi (z_2)-\phi (z_3))=0\), and so \(\phi (z_2)=\phi (z_3)\). Similarly, \(\mathsf {type}_f (\tilde{x},\tilde{y},\tilde{y}')=\mathsf {T}_{2:2} \) implies that \(\phi (z_1)=\phi (z_3)\). Thus we have \(\phi (z_1)=\phi (z_2)=\phi (z_3)\), contradicting (7).    \(\square \)

Claim 4

If from some \(x\in \mathcal {X} \) and distinct \(y,y'\in \mathcal {Y} \), \(\mathsf {type}_f (x,y,y')=\mathsf {T}_{1} \), then there exists \(x'\in \mathcal {X} \) such that \(\mathsf {type}_f (x',y,y')\not =\mathsf {T}_{1} \).

Proof

Since \(\mathsf {type}_f (x,y,y')=\mathsf {T}_{1} \), we have that for all \(j\in [3]\), \(f(x,y,z_j)=f(x,y',z_j)\). Since f is in normal form, \(y\not \equiv y'\), and hence there exists \(x'\in \mathcal {X} \) such that for some \(j\in [3]\), \(f(x',y,z_j)\not =f(x',y',z_j)\). Hence \(\mathsf {type}_f (x',y,y')\not =\mathsf {T}_{1} \).    \(\square \)

Claim 5

Suppose \(T (f)=\{\mathsf {T}_{1},\mathsf {T}_{2:i} \}\) for some \(i\in [3]\). Then, if for some \(x\in \mathcal {X} \), and distinct \(y,y'\in \mathcal {Y} \), \(\mathsf {type}_f (x,y,y')=\mathsf {T}_{1} \), then for all \(\tilde{y}\in \mathcal {Y} \), \(f(x,\tilde{y},z_i)=1\).

Proof

By Claim 4, we have \(x'\) such that \(\mathsf {type}_f (x',y,y')\not =\mathsf {T}_{1} \); since \(T (f)=\{\mathsf {T}_{1},\mathsf {T}_{2:i} \}\), we have \(\mathsf {type}_f (x',y,y')=\mathsf {T}_{2:i} \). Then, for both values of \(j\not =i\) in [3], we have \(f(x',y,z_j)\not =f(x',y',z_j)\).

Invoking the simplicity of f, we have that for \(j\not =i\), \(\rho (x',z_j)(\sigma (y,z_j)-\sigma (y',z_j))\not =0\), but \(\rho (x,z_j)(\sigma (y,z_j)-\sigma (y',z_j))=0\). Hence \(\rho (x,z_j)=0\) for \(j\not =i\). That is, for all \(\tilde{y}\in \mathcal {Y} \), \(f(x,\tilde{y},z_j)=0\) for \(j\not =i\) and hence \(f(x,\tilde{y},z_i)=1\).    \(\square \)

From the above claims, we have two possibilities for \(T (f)\): either \(\{\mathsf {T}_{2:i} \}\) or \(\{\mathsf {T}_{1},\mathsf {T}_{2:i} \}\) for some \(i\in [3]\). Then we shall prove that and \(f_i\) are simple. Note that both these functions are binary functions. For our case where f has a minimal-round protocol with Alice sending the first bit, and with \(|\mathcal {X} |,|\mathcal {Y} |>1\), we show that this means that is a function of only Alice’s input, and \(f_i\) is a function of only Bob’s input.

Claim 6

If \(T (f) \subseteq \{\mathsf {T}_{1}, \mathsf {T}_{2:i} \}\), then is simple.

Proof

We have that for all \((x,y,y')\), \(\nabla \!f_{i}^{x,y,y'} =0\), i.e., \(\rho (x,z_i)(\sigma (y,z_i)-\sigma (y',z_i))=0\). Now, if \(\rho (x,z_i)=0\) for all x, then is a constant function with and . Otherwise, there is some \(x\in \mathcal {X} \) such that \(\rho (x,z_i)\not =0\). Hence for all \(y,y'\) we have \(\sigma (y,z_i)=\sigma (y',z_i)=s\), say. Then , which is independent of y. Thus, in either case, is simple.    \(\square \)

Claim 7

If \(T (f) \subseteq \{\mathsf {T}_{1}, \mathsf {T}_{2:i} \}\), then \(f_i(x,y,z)\) is simple.

Proof

Recall that \(f_i\) has input spaces \(\mathcal {X} _i\) and \(\mathcal {Y} \), where \(\mathcal {X} _i=\{ x\in \mathcal {X}: \exists y\in \mathcal {Y} \text { s.t. } f(x,y,z_i) < 1 \}\). We shall prove that for all \(x,x'\in \mathcal {X} _i\) and \(y\in \mathcal {Y} \), \(f_i(x,y,z_j)= f_i(x',y,z_j)\) for \(j\not =i\).

By Claim 5, for all \(x\in \mathcal {X} _i\) and distinct \(y,y'\in \mathcal {Y} \), \(\mathsf {type}_f (x,y,y')\not =\mathsf {T}_{1} \), and hence \(\mathsf {type}_f (x,y,y')=\mathsf {T}_{2:i} \). Therefore, for all \(x\in \mathcal {X} _i\) and \(j\not =i\), \(\rho (x,z_j)\not =0\).

Let \(\{j,{\bar{\jmath }} \}=[3]\setminus \{i\}\). Now,

$$ f_i(x,y,z_j)=\frac{f(x,y,z_j)}{1-f(x,y,z_i)} = \frac{\rho (x,z_j)\sigma (y,z_j)}{\rho (x,z_j)\sigma (y,z_j) + \rho (x,z_{\bar{\jmath }})\sigma (y,z_{\bar{\jmath }})} = \frac{\sigma (y,z_j)}{\sigma (y,z_j) + \gamma (x)\sigma (y,z_{\bar{\jmath }})}, $$

where \(\gamma (x):=\frac{\rho (x,z_{\bar{\jmath }})}{\rho (x,z_j)}\). Here we have used the fact that \(\rho (x,z_j)\not = 0\) for all \(x\in \mathcal {X} _i\). Thus to prove the claim, it is enough to show that \(\gamma (x)=\gamma (x')\) for all \(x,x'\in \mathcal {X} _i\).

For any \(x\in \mathcal {X} _i\), as mentioned above, for any distinct \(y,y'\in \mathcal {Y} \), we have \(\mathsf {type}_f (x,y,y')=\mathsf {T}_{2:i} \), which implies that \(\nabla \!f_{j}^{x,y,y'} +\nabla \!f_{{\bar{\jmath }}}^{x,y,y'} =-\nabla \!f_{i}^{x,y,y'} =0\). That is,

$$ \rho (x,z_j)(\sigma (y,z_j)-\sigma (y',z_j)) + \rho (x,z_{\bar{\jmath }})(\sigma (y,z_{\bar{\jmath }})-\sigma (y',z_{\bar{\jmath }})) = 0. $$

Writing the above equation for any \(x,x'\in \mathcal {X} _i\), if \(\rho (x,z_j)\rho (x',z_{\bar{\jmath }}) \not = \rho (x,z_{\bar{\jmath }})\rho (x',z_j)\), we will be able to solve that \((\sigma (y,z_j)-\sigma (y',z_j))=(\sigma (y,z_{\bar{\jmath }})-\sigma (y',z_{\bar{\jmath }}))=0\). But this implies that \(\nabla \!f_{j}^{x,y,y'} =\nabla \!f_{{\bar{\jmath }}}^{x,y,y'} =0\) (for any \(x\in \mathcal {X} _i\)), contradicting the fact that \(\mathsf {type}_f (x,y,y')\not =\mathsf {T}_{1} \) for all \(x\in \mathcal {X} _i\) and distinct \(y,y'\in \mathcal {Y} \). Thus we should have \(\rho (x,z_j)\rho (x',z_{\bar{\jmath }}) = \rho (x,z_{\bar{\jmath }})\rho (x',z_j)\), or (dividing by \(\rho (x,z_j)\cdot \rho (x',z_j) \not = 0\)), \(\gamma (x)=\gamma (x')\).    \(\square \)

Taken together, the above claims prove the only if (\(\Rightarrow \)) part of Theorem 5.

\(\Leftarrow :\) Let \(i\in [3]\) be such that and \(f_i\) are simple, and therefore, securely computable. A 2-round secure protocol for f is as follows. If both and \(f_i\) are independent of x or y (or both), then clearly f is securely computable by a protocol in which one party computes the output and sends it to the other party. The only interesting case is when is independent of y and \(f_i\) is independent of x (the other case when is independent of x and \(f_i\) is independent of y being symmetric): Alice picks \(j\in \{i,*\}\) with probability and sends j to Bob. If \(j=i\), both Alice and Bob output \(z_i\) with probability 1; otherwise, Bob picks \(k\in [3]\setminus \{i\}\) with probability \(f_i(x_1,y,z_k)\) and sends k to Alice. Now both Alice and Bob output \(z_k\) with probability 1. It is clear from the definitions of and \(f_i\) that the output from this protocol is correctly distributed. It is easy to see that this is a unique-transcript protocol, and therefore, is perfectly private.    \(\square \)

4 Functions with 2-Round Secure Protocols

We prove the following theorem which, when applied to the kernel of a given function, implies Theorem 2.

Theorem 6

A simple symmetric function \(p_{Z|XY}\) with XYZ over alphabets \(\mathcal {X},\mathcal {Y},\mathcal {Z} \), has a two-round protocol with Alice making the first move iff there exists a surjective map \(g:\mathcal {Z} \rightarrow \mathcal {W} \) to some set \(\mathcal {W} \) and probability distributions \(p_{W|X}\) and \(p_{Z|WY}\) where W is over the alphabet \(\mathcal {W}\), such that \(p_{Z|WY}(z|w,y)=0\) if \(w\not =g(z)\), and for all \(x\in \mathcal {X},y\in \mathcal {Y},z\in \mathcal {Z} \),

$$\begin{aligned} p_{Z|XY}(z|x,y) = p_{W|X}(g(z)|x)\cdot p_{Z|WY}(z|g(z),y). \end{aligned}$$

In that case, \(p_{Z|XY}\) has a unique-transcript secure protocol in which Alice sends w sampled according to \(p_{W|X=x}\) and Bob sends back z according to \(p_{Z|W=w,Y=y}\).

Proof

It is easy to see that if \(g, p_{W|X}, p_{Z|WY}\) as in the statement exist, then the protocol described is indeed a unique-transcript protocol for \(p_{Z|XY}\): its output is distributed correctly, and since \(p_{Z|WY}(z|w,y)=0\) if \(w\not =g(z)\), the only transcript resulting in the output z is of the form (g(z), z). A unique-transcript protocol is always a secure protocol since the transcript can be simulated from the output by a (deterministic) simulator.

We prove the other direction below. Suppose we are given a two-round protocol \(\varPi _0\) for \(p_{Z|XY}\), with the two messages denoted by a and b. Then, we can construct a secure protocol \(\varPi \) in which Bob computes the second message b as before, but sends out \(z=\mathrm {out}_{\varPi _0} (a,b)\), and both Alice and Bob output z: clearly \(\varPi \) has the same output as \(\varPi _0\) and is also secure since the transcript of \(\varPi \) can be simulated from a (simulated) transcript of \(\varPi _0\) by applying a deterministic function to it.

\(\varPi \) is defined by probability distributions \(\mathrm {Pr}_\varPi [a|x] \) and \(\mathrm {Pr}_\varPi [z|a,y] \). For convenience, we define \(\alpha (a,x):=\mathrm {Pr}_\varPi [a|x] \) and \(\beta (a,z,y):=\mathrm {Pr}_\varPi [z|a,y] \). Also, since \(p_{Z|XY}\) is simple, let us write \(p_{Z|XY}(z|x,y) = \rho (x,z)\cdot \sigma (y,z)\).

Before proceeding further, note that for a transcript \(m=(a,z)\), from (2), we have

$$\begin{aligned} \mathrm {Pr}_\varPi [m|x,y] =\mu (m)\rho (x,z)\sigma (y,z)=\alpha (a,x)\beta (a,z,y). \end{aligned}$$

If \(\mathrm {Pr}_\varPi [m|x,y] >0\) for some xy, then by considering the above equality for (xy) as well as \((x',y)\), and dividing the latter by the former (which is non-zero), we get that for all \(x'\in \mathcal {X} \),

$$\begin{aligned} \frac{\rho (x',z)}{\rho (x,z)} = \frac{\alpha (a,x')}{\alpha (a,x)}. \end{aligned}$$
(12)

We define an equivalence relation \(\equiv \) over \(\mathcal {Z}\) as follows:

$$\begin{aligned} z_1\equiv z_2 \text { if } \exists c>0, \forall x\in \mathcal {X}, \rho (x,z_1)=c\rho (x,z_2). \end{aligned}$$

We let \(\mathcal {W}\) be the set of equivalence classes of \(\equiv \), and define \(g:\mathcal {Z} \rightarrow \mathcal {W} \) which maps z to its equivalence class. Thus, \(z_1\equiv z_2\) iff \(g(z_1)=g(z_2)\). We also define a function h that maps the first message a in a transcript to an element in \(\mathcal {W}\), as follows:

$$\begin{aligned} h(a) = g(z) \text { if } \exists x,y \text { s.t. } \mathrm {Pr}_\varPi [a,z|x,y] > 0. \end{aligned}$$

For h to be well-defined, we need that each a has a unique value h(a) that satisfies the above condition. Suppose \(z_1,z_2\in \mathcal {Z} \) are such that \(\mathrm {Pr}_\varPi [a,z_1|x_1,y_1] >0\) and \(\mathrm {Pr}_\varPi [a,z_2|x_2,y_2] >0\) (from some \((x_1,y_1),(x_2,y_2)\in \mathcal {X} \times \mathcal {Y} \)). By applying (12) to these, we get that for all \(x'\in \mathcal {X} \)

$$ \frac{\rho (x',z_1)}{\rho (x_1,z_1)} = \frac{\alpha (a,x')}{\alpha (a,x_1)} \quad \text {and}\quad \frac{\rho (x',z_2)}{\rho (x_2,z_2)} = \frac{\alpha (a,x')}{\alpha (a,x_2)}. $$

Hence \(\forall x'\in \mathcal {X} \), \(\rho (x',z_2) = c \rho (x',z_1)\), where \(c:=\frac{\rho (x_2,z_2)\alpha (a,x_1)}{\alpha (a,x_2)\rho (x_1,z_1)}\). All the factors in c are positive (as they appear in \(\mathrm {Pr}_\varPi [a,z_1|x_1,y_1] \cdot \mathrm {Pr}_\varPi [a,z_2|x_2,y_2] > 0\)), and also independent of \(x'\). Thus \(z_1\equiv z_2\) and \(g(z_1)=g(z_2)\), making h(a) well defined.

\(p_{W|X}\) is defined as follows: given x, sample a as in \(\varPi \), and output \(w=h(a)\). That is, \(p_{W|X}(w|x) = \sum _{a:h(a)=w} \alpha (a,x)\). Finally, we define \(p_{Z|WY}\) as follows: given w, we argue that we can reverse sample a without access to x (so that \(w=h(a)\)), and then use the protocol \(\varPi \) to sample z from (ay). That is, we define a distribution over a given w, by the probability

$$ \eta (a,w):= {\left\{ \begin{array}{ll} \frac{\alpha (a,x)}{\sum _{a':h(a')=w}\alpha (a',x)} &{} \text {if }\,\, h(a)=w\\ 0 &{} \text {otherwise}, \end{array}\right. } $$

where any \(x\in \mathcal {X} \) such that \(\sum _{a':h(a')=w}\alpha (a',x)>0\) is used. This is well defined because, by (12), switching from x to \(x'\) amounts to multiplying both the numerator and the denominator by the same factor (namely, \(\frac{\rho (x',z)}{\rho (x,z)}\) for any \(z\in g^{-1}(w)\)). Then, \(p_{Z|WY}(z|w,y) = \sum _{a} \eta (a,w)\beta (a,z,y)\). We verify that, when \(w=g(z)\),

$$\begin{aligned} p_{W|X}(w|x)\cdot p_{Z|WY}(z|w,y)&= \left( \sum _{a:h(a)=w} \alpha (a,x)\right) \left( \sum _{a}\eta (a,w)\beta (a,z,y) \right) \\&= \sum _a \alpha (a,x)\beta (a,z,y) = \mathrm {Pr}_\varPi [z|x,y] = p_{Z|XY}(z|x,y). \end{aligned}$$

   \(\square \)

5 Complexity of Randomized Functions

We point out a couple of complexity aspects in which randomized functions differ from deterministic functions. This also points to the difficulty in characterization of securely computable functions in the case of randomized functions.

5.1 Smaller Simple Functions Which Are Not Securely Computable

It is well-known that simple functions are not all securely computable, even for deterministic functions, with a first example given by Beaver [Bea89], with an output alphabet of size 5. This turns out to be the smallest output alphabet for a simple deterministic function that is not securely realizable.

But for randomized functions, we see a higher level of complexity arising even with an output size of 3. In Fig. 1 we show an example of a simple function with ternary output alphabet that is not securely computable, i.e., it does not satisfy the characterization given in Theorem 5.

Fig. 1.
figure 1

This function is not securely computable as it does not satisfy the condition from Theorem 5. However, it is simple, with the functions \(\rho \) and \(\sigma \) given by and .

Full size image

5.2 Limits of Unique-Transcript Protocols

It follows from Sect. 3 that all securely computable randomized functions with a ternary output kernel can be computed using unique-transcript protocols. Also, it follows from Sect. 4 that all randomized functions securely computable by two-round protocols are in fact securely computable using two-round unique-transcript protocols. Also, the characterization by Kushilevitz [Kus89] showed that all securely computable deterministic functions have unique-transcript secure protocols. Thus one may reasonably suspect that all securely computable functions have unique-transcript secure protocols.

However, we show that in some sense, the above results give the limits of unique-transcript protocols: If we go just beyond the above conditions – namely, ternary output, 2-round computable, deterministic – then we can indeed find securely computable functions that do not have any unique-transcript secure protocol. In Appendix B, we demonstrate a simple randomized function with an output alphabet of size 4, securely computable by a 3-round protocol, such that it has no unique-transcript secure protocols.