research-article

On the Communication Complexity of Secure Function Evaluation with Long Output

Authors:

Pavel Hubacek,

Daniel WichsAuthors Info & Claims

ITCS '15: Proceedings of the 2015 Conference on Innovations in Theoretical Computer Science

Pages 163 - 172

https://doi.org/10.1145/2688073.2688105

Published: 11 January 2015 Publication History

Get Access

Abstract

We study the communication complexity of secure function evaluation (SFE). Consider a setting where Alice has a short input χ_A, Bob has an input χ_B and we want Bob to learn some function y = f(χ_A, χ_B) with large output size. For example, Alice has a small secret decryption key, Bob has a large encrypted database and we want Bob to learn the decrypted data without learning anything else about Alice's key. In a trivial insecure protocol, Alice can just send her short input χ_A to Bob. However, all known SFE protocols have communication complexity that scales with size of the output y, which can potentially be much larger. Is such 'output-size dependence' inherent in SFE'

Surprisingly, we show that output-size dependence can be avoided in the honest-but-curious setting. In particular, using indistinguishability obfuscation (iO) and fully homomorphic encryption (FHE), we construct the first honest-but-curious SFE protocol whose communication complexity only scales with that of the best insecure protocol for evaluating the desired function, independent of the output size. Our construction relies on a novel way of using iO via a new tool that we call a 'somewhere statistically binding (SSB) hash', and which may be of independent interest.

On the negative side, we show that output-size dependence is inherent in the fully malicious setting, or even already in an honest-but-deterministic setting, where the corrupted party follows the protocol as specified but fixes its random tape to some deterministic value. Moreover, we show that even in an offline/online protocol, the communication of the online phase must have output-size dependence. This negative result uses an incompressibility argument and it generalizes several recent lower bounds for functional encryption and (reusable) garbled circuits, which follow as simple corollaries of our general theorem.

References

[1]

S. Agrawal, S. Gorbunov, V. Vaikuntanathan, and H. Wee. Functional encryption: New perspectives and lower bounds. In R. Canetti and J. A. Garay, editors, CRYPTO (2), volume 8043 of LNCS, pages 500--518. Springer, 2013.

Abstract

References

Cited By

Index Terms

Recommendations

Using Fully Homomorphic Hybrid Encryption to Minimize Non-interative Zero-Knowledge Proofs

Communication Complexity in Algebraic Two-Party Protocols

Limits of random oracles in secure computation

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations