Randomness complexity of private computation

Abstract.

We consider the problem of n honest but curious players with private inputs \( x_1,\ldots,x_n, \) who wish to compute the value of a fixed function \( {\cal F}(x_1,\ldots,x_n) \) in such way that at the end of the protocol every player knows the value \( {\cal F}(x_1,\ldots,x_n) \). Each pair of players is connected by a secure point-to-point communication channel. The players have unbounded computational resources and they intend to compute \( {\cal F} \) in a t-private way. That is, after the execution of the protocol, no coalition of size at most \( t \le n - 1 \) can get any information about the inputs of the remaining players other than what can be deduced from their own inputs and the value of \( \cal F \).¶ We study the amount of randomness needed in t-private protocols. We prove a lower bound on the randomness complexity of any t-private protocol to compute a function with sensitivity n. As a corollary, we obtain that when the private inputs are uniformly distributed, at least k(n—1)(n—2)/2 random bits are needed to compute the sum modulo 2^k of n k-bit integers in an (n—2)-private way. This result is tight as there are protocols for this problem that use exactly this number of random bits.