
On the (in)efficiency of non-interactive secure multiparty computation
Yoshida, Maki; Obana, Satoshi
2018-03-26 00:00:00
Des. Codes Cryptogr. (2018) 86:1793–1805
https://doi.org/10.1007/s10623-017-0424-7

Maki Yoshida (NICT, Tokyo, Japan; maki-yos@nict.go.jp) · Satoshi Obana (Hosei University, Tokyo, Japan; obana@hosei.ac.jp)

Received: 13 May 2016 / Revised: 22 May 2017 / Accepted: 3 October 2017 / Published online: 26 March 2018
© The Author(s) 2018

Abstract

Secure multi-party computation (MPC) enables multiple players to cooperatively evaluate various functions in the presence of adversaries. In this paper, we consider non-interactive MPC (NIMPC) against honest-but-curious adversaries in the information-theoretic setting, which was introduced by Beimel et al. at CRYPTO 2014. Their main focus was to realize stronger security while completely avoiding interaction, and they succeeded in showing that every function admits a fully robust NIMPC protocol. In this paper, we further develop the study of NIMPC. We first present a simple lower bound on the communication complexity derived from the correctness requirement of NIMPC. Secondly, we present an efficient NIMPC protocol for indicator functions, which is an important building block of NIMPC protocols. An NIMPC protocol for arbitrary functions is also constructed from the proposed NIMPC for indicator functions by using the generic compiler introduced by Beimel et al. at CRYPTO 2014. The communication complexities of the NIMPC protocols presented in this paper are much lower than those of the previous ones. In fact, the gap between the lower and upper bounds on the communication complexity is reduced from exponential in the input length to quadratic. Finally, we show some improvements in efficiency in the so-called offline-online model. Specifically, for some sets of functions, an exponential amount of offline communication reduces the online communication to almost the optimum amount in the standard model.

Communicated by L. Perret. The preliminary version of this paper was presented in [16]. The difference is an extension to the so-called offline-online model, by which the efficiency of online communication is further improved.

Keywords: Secure multi-party computation · Non-interactive · Information theoretical security · Communication complexity · Lower bound

Mathematics Subject Classification: 94A15 · 94A60

1 Introduction

Secure multi-party computation (MPC) aims to enable multiple players to cooperatively compute various functions in the presence of adversaries. MPC was first introduced by Yao [15] and, because of its importance in cryptography, many variants have been presented so far [6–8,10–14]. At CRYPTO 2014 [2] (and in its full version [3]), Beimel et al. introduced a novel type of MPC, called non-interactive MPC (NIMPC), against honest-but-curious adversaries in the information-theoretic setting, which completely avoids interaction while realizing as strong security as possible: an NIMPC protocol for a function $f(x_1, \ldots, x_n)$ is defined by a joint probability distribution $R = (R_1, \ldots, R_n)$ and local encoding functions $\mathrm{ENC}_i(x_i, R_i)$, where $1 \le i \le n$; for a set $T \subseteq [n] = \{1, \ldots, n\}$, the protocol is said to be $T$-robust (with respect to $f$) if revealing the messages $(\mathrm{ENC}_i(x_i, R_i))_{i \notin T}$ together with the randomness $(R_i)_{i \in T}$, where $(R_1, \ldots, R_n)$ is sampled from $R$, gives the same information about $(x_i)_{i \notin T}$ as an oracle access to the function $f$ restricted to these input values; for $0 \le t \le n$, the protocol is said to be $t$-robust if it is $T$-robust for every $T$ of size at most $t$, and it is said to be fully robust if it is $n$-robust. In [2,3], Beimel et al. succeeded in obtaining unconditional positive results for some special cases of interest.
In particular, they presented fully robust NIMPC protocols for various classes of functions including the class of arbitrary functions. However, except for special functions like summation in an abelian group, the communication complexity is not less than polynomial in the size of the input domain (i.e., exponential in the input length). The question we ask is whether there is room to reduce the communication complexity of NIMPC. Unfortunately, few results are known about limitations on the communication complexity of MPC. Recently, research tackling the difficult problem of lower bounds for communication in MPC has become active, e.g., Data et al. at CRYPTO 2014 [9]. They developed novel information-theoretic tools to prove lower bounds on the communication complexity in the traditional (i.e., interactive) model involving three parties. In this paper, we study the communication complexity of NIMPC as defined in [2,3]. As a result, we show that the inefficiency of NIMPC is essentially unavoidable except for special classes of functions. The contributions of this paper are as follows.

Communication complexity of NIMPC for the set of arbitrary functions: We derive the first lower bound on the communication complexity of NIMPC for any set of functions. The derived lower bound is the logarithm of the size of the function set. In particular, for the set of arbitrary functions $f : X \to \{0,1\}^m$, where $X$ is the input domain and $m$ is the output length, the lower bound is $|X| \cdot m$, i.e., exponential in the input length.

Communication complexity for the set of indicator functions: On the other hand, for the set of indicator functions, where the number of functions is linear in the input and output length, we have a significantly smaller lower bound. However, the communication complexity of the previous fully robust NIMPC protocol for indicator functions in [2,3] is exponential in the input length. NIMPC for indicator functions is used as the main building block of NIMPC for arbitrary functions in [2,3]. Thus, for the previous fully robust NIMPC protocol for arbitrary functions in [2,3], there is also an exponential gap between the lower and upper bounds.

Table 1 The communication complexity of $n$-player NIMPC protocols for a family of functions $h : X \to \{0,1\}^m$, where $X = X_1 \times \cdots \times X_n$ and $d \le |X_i| \le d$ for all $1 \le i \le n$

                               Arbitrary functions                                    Indicator functions ($m = 1$)
  Previous protocols in [2,3]  $|X| \cdot m \cdot d^2 \cdot n$                        $d^2 \cdot n$
  Lower bound (Sect. 3)        $|X| \cdot m$                                          $\log |X|$ ($\ge \log d \cdot n$)
  Our protocols (Sect. 4)      $|X| \cdot m \cdot \lceil \log_2 d \rceil^2 \cdot n$   $\lceil \log_2 d \rceil^2 \cdot n$

Efficient fully robust NIMPC protocol for indicator functions: We then reduce the exponential gap between the lower and upper bounds on the communication complexity to quadratic by constructing a much more efficient fully robust NIMPC protocol for indicator functions. Specifically, we present a construction of fully robust NIMPC protocols for indicator functions whose communication complexity is quadratic in the input length (Table 1).

Some improvements in the offline-online model: In [2] and in the above, it is assumed that all communication happens after the inputs are known. It is mentioned in [3] (Remark 2.6) that it is sometimes useful to separate offline communication, which can take place after the function is known but before the inputs are known, from online communication, which takes place once the inputs are known. For this offline-online model of NIMPC, one desirable feature is low online complexity [3]. For the proper set of indicator functions, we show that an exponential amount of offline communication reduces the online communication to the optimum amount in the standard model. This result is useful for any set $H$ of functions that have the same output frequency, that is, $|\{x \in X \mid h(x) = y\}| = |\{x \in X \mid h'(x) = y\}|$ holds for any $h, h' \in H$ and for any $y \in \{0,1\}^m$.
Our technique for deriving the lower bounds is quite simple and useful for approximating the amount of communication. We use the fact that the NIMPC model considered in [2,3] requires that the computed function itself is "private" and, in particular, not known in advance, while the target class of functions is public. For the target class of functions, we first assume the existence of a correct NIMPC protocol with some communication complexity and show a method for a server to send data to a client by encoding the data into a function and evaluating the function with the NIMPC protocol. Thus, the communication complexity is bounded by the size of the target class: if the assumed communication complexity is smaller than the logarithm of the size of the target class, a contradiction follows. Thus, the communication complexity is lower bounded by the logarithm of the size of the target class. A similar technique is used in [1] for proving the impossibility of multiplicative secret sharing rather than for deriving lower bounds. We note that we only use the correctness requirement for deriving the lower bound. Thus, the lower bound in this paper is applicable not only to NIMPC against any collusion, including the constant-size collusions considered in [4,5], but also to other security models including computational and statistical ones. In addition, our lower bound techniques work for MPC models in which the function itself is private, rather than for the standard one where the function is assumed to be known (and the protocol may depend on it).

2 Preliminaries

We recall the notation and definitions of NIMPC introduced in [2]. For an integer $n$, let $[n]$ be the set $\{1, 2, \ldots, n\}$. For a set $X = X_1 \times \cdots \times X_n$ and $T \subseteq [n]$, we denote $X_T := \prod_{i \in T} X_i$. For $x \in X$, we denote by $x_T$ the restriction of $x$ to $X_T$, and for a function $h : X \to \Omega$, a subset $T \subseteq [n]$, and $x_{\bar T} \in X_{\bar T}$ (where $\bar T = [n] \setminus T$), we denote by $h|_{\bar T, x_{\bar T}} : X_T \to \Omega$ the function $h$ where the inputs in $X_{\bar T}$ are fixed to $x_{\bar T}$. For a set $S$, let $|S|$ denote its size (i.e., the cardinality of $S$).

An NIMPC protocol for a family of functions $H$ is defined by three algorithms: (1) a randomness generation function GEN, which given a description of a function $h \in H$ generates $n$ correlated random inputs $R_1, \ldots, R_n$; (2) a local encoding function $\mathrm{ENC}_i$ ($1 \le i \le n$), which takes an input $x_i$ and a random input $R_i$ and outputs a message; and (3) a decoding algorithm DEC that reconstructs $h(x_1, \ldots, x_n)$ from the $n$ messages. The formal definition is given as follows.

Definition 1 (NIMPC: syntax and correctness) Let $X_1, \ldots, X_n$, $\mathcal{R}_1, \ldots, \mathcal{R}_n$, $\mathcal{M}_1, \ldots, \mathcal{M}_n$ and $\Omega$ be finite domains. Let $X := X_1 \times \cdots \times X_n$ and let $H$ be a family of functions $h : X \to \Omega$. A non-interactive secure MPC (NIMPC) protocol for $H$ is a triplet $\Pi = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ where
– $\mathrm{GEN} : H \to \mathcal{R}_1 \times \cdots \times \mathcal{R}_n$ is a randomized function,
– ENC is an $n$-tuple of deterministic functions $(\mathrm{ENC}_1, \ldots, \mathrm{ENC}_n)$, where $\mathrm{ENC}_i : X_i \times \mathcal{R}_i \to \mathcal{M}_i$,
– $\mathrm{DEC} : \mathcal{M}_1 \times \cdots \times \mathcal{M}_n \to \Omega$ is a deterministic function satisfying the following correctness requirement: for any $x = (x_1, \ldots, x_n) \in X$ and $h \in H$,
$$\Pr\big[R = (R_1, \ldots, R_n) \leftarrow \mathrm{GEN}(h) : \mathrm{DEC}(\mathrm{ENC}(x, R)) = h(x)\big] = 1, \quad (1)$$
where $\mathrm{ENC}(x, R) := (\mathrm{ENC}_1(x_1, R_1), \ldots, \mathrm{ENC}_n(x_n, R_n))$.

The individual communication complexity of $\Pi$ is the maximum of $\log |\mathcal{R}_1|, \ldots, \log |\mathcal{R}_n|, \log |\mathcal{M}_1|, \ldots, \log |\mathcal{M}_n|$. The total communication complexity of $\Pi$ is $\max\{\sum_{i \in [n]} \log |\mathcal{R}_i|, \sum_{i \in [n]} \log |\mathcal{M}_i|\}$.

We next give the definition of robustness for NIMPC, which states that a coalition can only learn the information it should. In the above setting, a coalition $T$ can repeatedly encode any inputs for $T$ and decode $h$ with the new encoded inputs and the original encoded inputs of $\bar T$. Thus, the following robustness requires that they learn no information other than what is obtained from oracle access to $h|_{\bar T, x_{\bar T}}$.
Definition 2 (NIMPC: robustness) For a subset $T \subseteq [n]$, we say that an NIMPC protocol $\Pi$ for $H$ is $T$-robust if there exists a randomized function $\mathrm{Sim}_T$ (a "simulator") such that, for every $h \in H$ and $x_{\bar T} \in X_{\bar T}$, we have $\mathrm{Sim}_T(h|_{\bar T, x_{\bar T}}) \equiv (M_{\bar T}, R_T)$, where $R$ and $M$ are the joint randomness and messages defined by $R \leftarrow \mathrm{GEN}(h)$ and $M_i \leftarrow \mathrm{ENC}_i(x_i, R_i)$. For an integer $0 \le t \le n$, we say that $\Pi$ is $t$-robust if it is $T$-robust for every $T \subseteq [n]$ of size $|T| \le t$. We say that $\Pi$ is fully robust (or simply refer to $\Pi$ as an NIMPC for $H$) if $\Pi$ is $n$-robust. Finally, given a concrete function $h : X \to \Omega$, we say that $\Pi$ is a ($t$-robust) NIMPC protocol for $h$ if it is a ($t$-robust) NIMPC for $H = \{h\}$.

As the same simulator $\mathrm{Sim}_T$ is used for every $h \in H$ and the simulator only has access to $h|_{\bar T, x_{\bar T}}$, NIMPC hides both $h$ and the inputs of $\bar T$. An NIMPC protocol is 0-robust if it is $\emptyset$-robust. In this case, the only requirement is that the messages $(M_1, \ldots, M_n)$ reveal $h(x)$ and nothing else.

An NIMPC protocol is also described in the language of protocols in [2]. Such a protocol involves $n$ players $P_1, \ldots, P_n$, each holding an input $x_i \in X_i$, and an external "output server," a player $P_0$ with no input. The protocol may have an additional input, a function $h \in H$.

Definition 3 (NIMPC: protocol description) For an NIMPC protocol $\Pi$ for $H$, let $P(\Pi)$ denote the protocol that may have an additional input, a function $h \in H$, and proceeds as follows.

Protocol $P(\Pi)(h)$
– Offline preprocessing: Each player $P_i$, $1 \le i \le n$, receives the random input $R_i := \mathrm{GEN}(h)_i \in \mathcal{R}_i$.
– Online messages: On input $x_i$, each player $P_i$, $1 \le i \le n$, sends the message $M_i := \mathrm{ENC}_i(x_i, R_i) \in \mathcal{M}_i$ to $P_0$.
– Output: $P_0$ computes and outputs $\mathrm{DEC}(M_1, \ldots, M_n)$.

Informally, the relevant properties of protocol $P(\Pi)$ are as follows:
– For any $h \in H$ and $x \in X$, the output server $P_0$ outputs, with probability 1, the value $h(x_1, \ldots, x_n)$.
– Fix $T \subseteq [n]$. Then $\Pi$ is $T$-robust if in $P(\Pi)$ the set of players $\{P_i\}_{i \in T} \cup \{P_0\}$ can simulate their view of the protocol (i.e., the random inputs $\{R_i\}_{i \in T}$ and the messages $\{M_i\}_{i \in \bar T}$) given oracle access to the function $h$ restricted by the other inputs (i.e., $h|_{\bar T, x_{\bar T}}$).
– $\Pi$ is 0-robust if and only if in $P(\Pi)$ the output server $P_0$ learns nothing but $h(x_1, \ldots, x_n)$.

We show a claim from [2] stating that for functions outputting more than one bit, we can compute each output bit separately. Based on this fact, in [2], a fully robust NIMPC protocol for the set of indicator functions was first constructed, and then NIMPC protocols for the set of arbitrary functions were constructed based on it.

Proposition 1 (Claim 7 in [2]) Let $X := X_1 \times \cdots \times X_n$, where $X_1, \ldots, X_n$ are some finite domains. Fix an integer $m > 1$. Suppose $H$ is a family of boolean functions $h : X \to \{0,1\}$ admitting an NIMPC protocol with communication complexity $\delta$. Then, the family of functions $H^m := \{h : X \to \{0,1\}^m \mid h = h_1 \circ \cdots \circ h_m,\ h_i \in H\}$ admits an NIMPC protocol with communication complexity $\delta \cdot m$.

Definition 4 (Indicator functions) Let $X$ be a finite domain. For an $n$-tuple $a = (a_1, \ldots, a_n) \in X$, let $h_a : X \to \{0,1\}$ be the function defined by $h_a(a) = 1$ and $h_a(x) = 0$ for all $x \in X$ with $x \ne a$. Let $h_0 : X \to \{0,1\}$ be the function that is identically zero on $X$. Let $H_{\mathrm{ind}} := \{h_a\}_{a \in X} \cup \{h_0\}$ be the set of all indicator functions together with $h_0$. Note that every function $h : X \to \{0,1\}$ can be expressed as a sum of indicator functions, namely $h = \sum_{a \in X,\, h(a) = 1} h_a$.

We review the previous results on upper bounds on the individual communication complexity of NIMPC. As described above, the fully robust NIMPC protocols in [2] are constructed from a fully robust NIMPC for $H_{\mathrm{ind}}$. Thus, the previous upper bounds depend on the upper bound for $H_{\mathrm{ind}}$. This means that we obtain a better upper bound if we obtain a more efficient fully robust NIMPC protocol for $H_{\mathrm{ind}}$.
Proposition 2 (Arbitrary functions $H_{\mathrm{all}}$, proof of Theorem 10 in [2]) Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \le d$ for all $1 \le i \le n$ and let $X := X_1 \times \cdots \times X_n$. Let $H_{\mathrm{all}}$ be the set of all functions $h : X \to \{0,1\}^m$. If there exists an NIMPC protocol for $H_{\mathrm{ind}}$ with individual communication complexity $\delta$, then there exists an NIMPC protocol for $H_{\mathrm{all}}$ with individual (resp. total) communication complexity $|X| \cdot m \cdot \delta$ (resp. $|X| \cdot m \cdot \delta \cdot n$).

3 Lower bounds on the communication complexity

We derive a lower bound on the total communication complexity for any finite set of functions, and in particular for $H_{\mathrm{all}}$ and $H_{\mathrm{ind}}$. As described in Sect. 1, the total communication complexity is bounded by the size of the target class. In other words, the total communication complexity cannot be smaller than the logarithm of the size of the target class.

Theorem 1 (Lower bound for any finite set of functions) Fix finite domains $X_1, \ldots, X_n$ and $\Omega$. Let $X := X_1 \times \cdots \times X_n$ and let $H$ be a set of functions $h : X \to \Omega$. Then, any fully robust NIMPC protocol $\Pi$ for $H$ satisfies
$$\sum_{i=1}^{n} \log |\mathcal{R}_i| \ge \log |H|, \quad (2)$$
$$\sum_{i=1}^{n} \log |\mathcal{M}_i| \ge \log |\Omega|. \quad (3)$$

Proof We first prove Eq. (2). Let $H' = |H|$. Let $\varphi$ be a one-to-one mapping from $H$ to $\{0, 1, \ldots, H' - 1\}$. (That is, all functions in $H$ are numbered according to some rule.) Suppose a server holding a random number $a \in \{0, \ldots, H' - 1\}$ aims to send $a$ to a client. Suppose also that there is an NIMPC protocol (GEN, ENC, DEC) for $H$ that satisfies $\sum_{i=1}^{n} \log |\mathcal{R}_i| < \log H'$. For the function $h = \varphi^{-1}(a)$, the server executes $R \leftarrow \mathrm{GEN}(h)$ and sends $R$ to the client. The client obtains $a$ by executing ENC and DEC for all possible inputs $x \in X$ and identifying the function $h$ (by correctness, the decoded values are exactly the truth table of $h$, and $\varphi$ is one-to-one). We conclude that the server can communicate any $a \in \{0, \ldots, H' - 1\}$ to the client using $R = (R_1, \ldots, R_n)$, whose domain size $\prod_{i=1}^{n} |\mathcal{R}_i|$ is smaller than $H'$, which is impossible. Thus, we have $\sum_{i=1}^{n} \log |\mathcal{R}_i| \ge \log H'$.

In a similar way, we next prove Eq. (3). Suppose a server holding a random element $b \in \Omega$ aims to send $b$ to a client, and that there is an NIMPC protocol (GEN, ENC, DEC) for $H$ that satisfies $\sum_{i=1}^{n} \log |\mathcal{M}_i| < \log |\Omega|$. For a function $h \in H$ and an element $a \in X$ such that $h(a) = b$ (this step assumes that every $b \in \Omega$ is attained by some function in $H$; otherwise $|\Omega|$ is to be read as the number of attained output values), the server executes $R \leftarrow \mathrm{GEN}(h)$ and $M \leftarrow \mathrm{ENC}(a, R)$, and sends $M$ to the client. The client obtains $b$ by executing DEC. We conclude that the server can communicate any $b \in \Omega$ to the client using $M = (M_1, \ldots, M_n)$, whose domain size $\prod_{i=1}^{n} |\mathcal{M}_i|$ is smaller than $|\Omega|$, which is impossible. Thus, we have $\sum_{i=1}^{n} \log |\mathcal{M}_i| \ge \log |\Omega|$. □

The following corollary shows a lower bound on the total communication complexity of NIMPC for the set of arbitrary functions. The lower bounds indicate the impossibility of reducing the communication complexity to polynomial in the input length.

Corollary 1 (Lower bound for arbitrary functions) Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \ge d$ for all $1 \le i \le n$. Let $X := X_1 \times \cdots \times X_n$ and let $H_{\mathrm{all}}$ be the set of all functions $h : X \to \{0,1\}^m$. Any NIMPC protocol $\Pi$ for $H_{\mathrm{all}}$ satisfies
$$\sum_{i=1}^{n} \log |\mathcal{R}_i| \ge m \cdot |X| \ge d^n \cdot m, \quad (4)$$
$$\sum_{i=1}^{n} \log |\mathcal{M}_i| \ge m. \quad (5)$$

Proof The proof follows from Theorem 1 by setting $H = H_{\mathrm{all}}$. A function maps each input value to some output value. Thus, $|H_{\mathrm{all}}|$ is the number of possible output values raised to the number of input values, i.e., $(2^m)^{|X|} = 2^{m \cdot |X|}$. Then, $\sum_{i=1}^{n} \log |\mathcal{R}_i| \ge \log |H_{\mathrm{all}}| = m \cdot |X|$. Eq. (5) follows from Eq. (3) with $\Omega = \{0,1\}^m$. □

The following corollary shows a lower bound on the total communication complexity of NIMPC for $H_{\mathrm{ind}}$. The gap between this lower bound (linear in the input length) and the previous upper bound (exponential in the input length) is large. In the next section, we will present an efficient NIMPC protocol for $H_{\mathrm{ind}}$ with individual (resp. total) communication complexity at most $\lceil \log_2 d \rceil^2 \cdot n$ (resp. $\lceil \log_2 d \rceil^2 \cdot n^2$).

Corollary 2 (Lower bound for indicator functions) Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \ge d$ for all $1 \le i \le n$ and let $X := X_1 \times \cdots \times X_n$.
Then, any NIMPC protocol $\Pi_{\mathrm{ind}}$ for $H_{\mathrm{ind}}$ satisfies
$$\sum_{i=1}^{n} \log |\mathcal{R}_i| \ge \log |X| \ge n \cdot \log d. \quad (6)$$

Proof The proof follows from Theorem 1 by setting $H = H_{\mathrm{ind}}$. A function $h_a$ maps each input value $x$ to zero or one depending on whether $x = a$ or not. Thus, $|H_{\mathrm{ind}}|$ is at least the number of all possible values of $a$, i.e., $|X|$. Then, $\sum_{i=1}^{n} \log |\mathcal{R}_i| \ge \log |H_{\mathrm{ind}}| \ge \log |X|$. □

Remark. We can give a more constructive proof, which need not assume the existence of a one-to-one mapping $\varphi$. Suppose a server holding a random vector $a = (a_1, \ldots, a_n) \in X$ aims to send $a$ to a client. Suppose that there is an NIMPC protocol (GEN, ENC, DEC) for $H_{\mathrm{ind}}$ that satisfies $\sum_{i=1}^{n} \log |\mathcal{R}_i| < \log |X|$. The server executes $R \leftarrow \mathrm{GEN}(h_a)$ and sends $R$ to the client. The client obtains $a$ by executing ENC and DEC for all possible inputs $a' \in X$ and checking whether the output is 1 or not. The input $a'$ for which the output is 1 is $a$. We conclude that the server can communicate any $a \in X$ to the client using $R = (R_1, \ldots, R_n)$, whose domain size $\prod_{i=1}^{n} |\mathcal{R}_i|$ is smaller than $|X|$, which is impossible. Thus, we have $\sum_{i=1}^{n} \log |\mathcal{R}_i| \ge \log |X|$.

4 Efficient constructions

We now present an efficient construction of a fully robust NIMPC for $H_{\mathrm{ind}}$. In the previous construction in [2], all possible input values are encoded in a unary way, and thus the communication complexity depends on the size of the input domain. Specifically, each possible input value is represented by a single vector over $\mathbb{F}_2$ so that the sum of the vectors corresponding to $a = (a_1, \ldots, a_n)$ is equal to the zero vector while every other combination is linearly independent, which is what robustness requires. Our idea to reduce the communication complexity is to encode all possible input values in a binary way. Specifically, for each bit in the binary representation, a vector representing "1" is generated so that the sum of all vectors of "1" over the binary representation of $a$ is equal to zero. Since the proposed encoding reduces the required dimension of the vectors, the communication complexity of the resulting NIMPC is greatly reduced, too.

The detailed description of the protocol is as follows. For $i \in [n]$, let $d_i = |X_i|$ and let $\phi_i$ be a one-to-one mapping from $X_i$ to $[d_i]$. Let $l_i = \lceil \log_2 d_i \rceil$ and $s = \sum_{i=1}^{n} l_i$. Fix a function $h \in H_{\mathrm{ind}}$ that we want to compute.

The proposed fully robust NIMPC $P(\Pi_{\mathrm{ind}})(h)$
– Offline preprocessing: If $h = h_0$, then choose $s$ linearly independent random vectors $\{m_{i,j}\}_{i \in [n],\, j \in [l_i]}$ in $\mathbb{F}_2^s$. If $h = h_a$ for some $a = (a_1, \ldots, a_n) \in X$, denote the binary representation of $\phi_i(a_i)$ by $b_i = (b_{i,1}, \ldots, b_{i,l_i})$ and define a set of indices $I_i$ by $I_i = \{j \in [l_i] \mid b_{i,j} = 1\}$. Choose $s$ random vectors $\{m_{i,j}\}_{i \in [n],\, j \in [l_i]}$ in $\mathbb{F}_2^s$ under the constraint that $\sum_{i=1}^{n} \sum_{j \in I_i} m_{i,j} = 0$ and there are no other linear relations between them (that is, choose all the vectors $m_{i,j}$ except $m_{n, \max I_n}$ as random linearly independent vectors and set $m_{n, \max I_n} = -\sum_{i=1}^{n-1} \sum_{j \in I_i} m_{i,j} - \sum_{j \in I_n \setminus \{\max I_n\}} m_{n,j}$). Define $\mathrm{GEN}(h) = R = (R_1, \ldots, R_n)$, where $R_i = \{m_{i,j}\}_{j \in [l_i]}$.
– Online messages: For an input $x_i$, let $\hat b_i = (\hat b_{i,1}, \ldots, \hat b_{i,l_i})$ be the binary representation of $\phi_i(x_i)$. Let $\hat I_i$ be the set of indices defined by $\hat I_i = \{j \in [l_i] \mid \hat b_{i,j} = 1\}$. $\mathrm{ENC}(x, R) := (M_1, \ldots, M_n)$, where $M_i = \sum_{j \in \hat I_i} m_{i,j}$.
– Output $h(x_1, \ldots, x_n)$: $\mathrm{DEC}(M_1, \ldots, M_n) = 1$ if $\sum_{i=1}^{n} M_i = 0$, and $0$ otherwise.

The mapping from $X_i$ to $[d_i]$, which does not contain zero, is an important point of the proposed protocol. If an input $x_i$ were mapped to the zero vector, $M_i$ would always be $0$. This would disclose extra information (that could not be simulated): that is, whether $x_i = 0$ would leak. Because no $\phi_i$ maps any value of $x_i$ to the zero vector, no information on the inputs $x_i$ is disclosed (robustness), and the sum of the vectors becomes zero if and only if the $x_i$ are equal to the $a_i$ (correctness).
Theorem 2 Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \le d$ for all $1 \le i \le n$ and let $X := X_1 \times \cdots \times X_n$. Then, there is a fully robust NIMPC protocol $\Pi_{\mathrm{ind}}$ for $H_{\mathrm{ind}}$ with individual (resp. total) communication complexity at most $\lceil \log_2 d \rceil^2 \cdot n$ (resp. $\lceil \log_2 d \rceil^2 \cdot n^2$).

Proof For correctness, note that $\sum_{i=1}^{n} M_i = \sum_{i=1}^{n} \sum_{j \in \hat I_i} m_{i,j}$. If $h = h_a$ for $a \in X$, this sum equals $0$ if and only if $\hat I_i = I_i$ for all $i \in [n]$, i.e., $a = x$. If $h = h_0$, this sum is never zero, as all vectors were chosen to be linearly independent in this case (and every $\hat I_i$ is non-empty).

To prove robustness, fix a subset $T \subseteq [n]$ and $x_{\bar T} \in X_{\bar T}$. The encodings $M_{\bar T}$ of $\bar T$ consist of the vectors $\{M_i\}_{i \in \bar T}$. The randomness $R_T$ consists of the vectors $\{m_{i,j}\}_{i \in T,\, j \in [l_i]}$. If $h|_{\bar T, x_{\bar T}} \equiv 0$, then these vectors are uniformly distributed in $\mathbb{F}_2^s$ under the constraint that they are linearly independent. If $h|_{\bar T, x_{\bar T}}(x_T) = 1$ for some $x_T \in X_T$, then $\sum_{i \in \bar T} M_i + \sum_{i \in T} \sum_{j \in \hat I_i} m_{i,j} = 0$ and there are no other linear relations between them. Formally, to prove robustness, we describe a simulator $\mathrm{Sim}_T$: the simulator queries $h|_{\bar T, x_{\bar T}}$ on all possible inputs in $X_T$. If all answers are zero, the simulator generates random independent vectors. Otherwise, there is an $x_T \in X_T$ such that $h|_{\bar T, x_{\bar T}}(x_T) = 1$, and the simulator outputs random vectors under the constraints described above, that is, all vectors are independent with the exception that $\sum_{i \in \bar T} M_i + \sum_{i \in T} \sum_{j \in \hat I_i} m_{i,j} = 0$.

In the proposed protocol, $\log_2 |\mathcal{R}_i|$ is larger than $\log_2 |\mathcal{M}_i|$ for every $i \in [n]$. Thus, the individual communication complexity is given by the maximum length of the correlated randomness. The correlated randomness $R_i$ is composed of $l_i \le \lceil \log_2 d \rceil$ binary vectors of length $s \le \lceil \log_2 d \rceil \cdot n$, and the encoding is the sum of some of them. Hence, the individual communication complexity is at most $\lceil \log_2 d \rceil^2 \cdot n$. □

Corollary 3 Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \le d$ for all $1 \le i \le n$ and let $X := X_1 \times \cdots \times X_n$. Then, there is a fully robust NIMPC protocol for $H_{\mathrm{all}}$ with individual (resp. total) communication complexity at most $|X| \cdot m \cdot \lceil \log_2 d \rceil^2 \cdot n$ (resp. $|X| \cdot m \cdot \lceil \log_2 d \rceil^2 \cdot n^2$).

Proof This follows directly from Proposition 2 and Theorem 2. □

5 Some improvements in the offline-online model

The offline-online model is defined by modifying the output of GEN to include an additional entry $R_0$, which represents the offline communication and is given as an additional input to the decoder DEC [3]. The random variable $R_T$ is redefined to always include $R_0$. That is, the value of $R_0$ should be correctly simulated by $\mathrm{Sim}_T$. Let $\mathcal{R}_0$ be the finite domain of $R_0$. We refer to NIMPC protocols in the offline-online model as offline-online NIMPC protocols. To distinguish them from the offline-online protocols, we refer to the NIMPC protocols considered in the previous sections as standard NIMPC protocols. The formal definition of offline-online NIMPC is given as follows [3].

Definition 5 (Offline-online NIMPC: syntax and correctness) Let $X_1, \ldots, X_n$, $\mathcal{R}_0, \mathcal{R}_1, \ldots, \mathcal{R}_n$, $\mathcal{M}_1, \ldots, \mathcal{M}_n$ and $\Omega$ be finite domains. Let $X := X_1 \times \cdots \times X_n$ and let $H$ be a family of functions $h : X \to \Omega$. An offline-online NIMPC protocol for $H$ is a triplet $\Pi = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ where
– $\mathrm{GEN} : H \to \mathcal{R}_0 \times \mathcal{R}_1 \times \cdots \times \mathcal{R}_n$ is a randomized function,
– ENC is an $n$-tuple of deterministic functions $(\mathrm{ENC}_1, \ldots, \mathrm{ENC}_n)$, where $\mathrm{ENC}_i : X_i \times \mathcal{R}_i \to \mathcal{M}_i$,
– $\mathrm{DEC} : \mathcal{R}_0 \times \mathcal{M}_1 \times \cdots \times \mathcal{M}_n \to \Omega$ is a deterministic function satisfying the following correctness requirement: for any $x = (x_1, \ldots, x_n) \in X$ and $h \in H$,
$$\Pr\big[R = (R_0, R_1, \ldots, R_n) \leftarrow \mathrm{GEN}(h) : \mathrm{DEC}(R_0, \mathrm{ENC}(x, R)) = h(x)\big] = 1, \quad (7)$$
where $\mathrm{ENC}(x, R) := (\mathrm{ENC}_1(x_1, R_1), \ldots, \mathrm{ENC}_n(x_n, R_n))$.

The (online) individual communication complexity of $\Pi$ is the maximum of $\log |\mathcal{R}_1|, \ldots, \log |\mathcal{R}_n|, \log |\mathcal{M}_1|, \ldots, \log |\mathcal{M}_n|$.
Definition 6 (Offline-online NIMPC: robustness) For a subset $T \subseteq [n]$, we say that an offline-online NIMPC protocol $\Pi$ for $H$ is $T$-robust if there exists a randomized function $\mathrm{Sim}_T$ (a "simulator") such that, for every $h \in H$ and $x_{\bar T} \in X_{\bar T}$, we have $\mathrm{Sim}_T(h|_{\bar T, x_{\bar T}}) \equiv (M_{\bar T}, R_{T \cup \{0\}})$, where $R$ and $M$ are the joint randomness and messages defined by $R \leftarrow \mathrm{GEN}(h)$ and $M_i \leftarrow \mathrm{ENC}_i(x_i, R_i)$. $t$-robustness and full robustness are defined in the same way as in the standard model.

Definition 7 (Offline-online NIMPC: protocol description) For an offline-online NIMPC protocol $\Pi$ for $H$, let $P(\Pi)$ denote the protocol that may have an additional input, a function $h \in H$, and proceeds as follows.

Protocol $P(\Pi)(h)$
– Offline preprocessing: Each player $P_i$, $1 \le i \le n$, receives the random input $R_i := \mathrm{GEN}(h)_i \in \mathcal{R}_i$. $P_0$ receives $R_0 := \mathrm{GEN}(h)_0 \in \mathcal{R}_0$.
– Online messages: On input $x_i$, each player $P_i$, $1 \le i \le n$, sends the message $M_i := \mathrm{ENC}_i(x_i, R_i) \in \mathcal{M}_i$ to $P_0$.
– Output: $P_0$ computes and outputs $\mathrm{DEC}(R_0, M_1, \ldots, M_n)$.

It is straightforward to construct an $n$-player offline-online protocol for a function $h$ from an $n$-player standard protocol for $h$ by taking $R_0$ to be empty (or some constant). However, in this construction, the offline communication $R_0$ cannot be used to reduce the individual communication complexity of $P_i$ with $1 \le i \le n$.

In the following, for any set of functions that have the same output frequency, such as $H^*_{\mathrm{ind}} = H_{\mathrm{ind}} \setminus \{h_0\}$, we show a fully robust offline-online protocol whose individual communication complexity is smaller than that in Sect. 4.¹ We first consider the set $H^*_{\mathrm{ind}}$, i.e., the functions that have just one "1" output. We use the fully robust standard NIMPC protocol $\Pi_{\mathrm{ind}} = (\mathrm{GEN}_{\mathrm{ind}}, \mathrm{ENC}_{\mathrm{ind}}, \mathrm{DEC}_{\mathrm{ind}})$ given in Sect. 4 as a subroutine. Our idea to reduce the individual communication complexity is simple: use $(R_1, \ldots, R_n) \leftarrow \mathrm{GEN}_{\mathrm{ind}}(h_a)$ as the offline communication $R_0$ and specify the inputs $x_i$ by using the online messages $M_i$ while keeping $a$ and $x_i$ secret. To hide $a$ and $x_i$, we shift $a = (a_1, \ldots, a_n)$ and $x = (x_1, \ldots, x_n)$ by random values $s = (s_1, \ldots, s_n)$.

¹ We note that the communication complexity for $H^*_{\mathrm{ind}}$ is the same as that for $H_{\mathrm{ind}}$.

The detailed description of the proposed offline-online protocol $\Pi_{\mathrm{proper}} = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ is as follows. For $i \in [n]$, let $d_i = |X_i|$ and let $\psi_i$ be a one-to-one mapping from $X_i$ to $\{0, 1, \ldots, d_i - 1\}$. Fix a function $h_a \in H^*_{\mathrm{ind}}$ that we want to compute.

The proposed offline-online NIMPC $P(\Pi_{\mathrm{proper}})(h_a)$
– Offline preprocessing: Randomly choose values $s_i \in \{0, \ldots, d_i - 1\}$ for $i \in [n]$. Let $\sigma_i : X_i \to X_i$ be the one-to-one mapping $\sigma_i(x_i) = \psi_i^{-1}((\psi_i(x_i) + s_i) \bmod d_i)$, i.e., shifting the input $x_i$ by $s_i$. Set $b = (b_1, \ldots, b_n) = (\sigma_1(a_1), \ldots, \sigma_n(a_n))$. Define $\mathrm{GEN}(h_a) = R = (R_0, R_1, \ldots, R_n)$, where $R_0 = (R'_1, \ldots, R'_n) = \mathrm{GEN}_{\mathrm{ind}}(h_b)$ and $R_i = s_i$ for $i \in [n]$.
– Online messages: $\mathrm{ENC}(x, R) = (M_1, \ldots, M_n)$, where $M_i = \sigma_i(x_i)$ (transmitted as the integer $\psi_i(\sigma_i(x_i)) \in \{0, \ldots, d_i - 1\}$).
– Output $h_a(x_1, \ldots, x_n)$: Let $M'_i = \mathrm{ENC}_{\mathrm{ind},i}(M_i, R'_i)$. $\mathrm{DEC}(R_0, M_1, \ldots, M_n) = \mathrm{DEC}_{\mathrm{ind}}(M'_1, \ldots, M'_n)$.

Theorem 3 Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \le d$ for all $1 \le i \le n$ and let $X := X_1 \times \cdots \times X_n$. Then, there is a fully robust offline-online NIMPC protocol $\Pi_{\mathrm{proper}}$ for $H_{\mathrm{ind}} \setminus \{h_0\}$ with individual communication complexity at most $\lceil \log_2 (d - 1) \rceil$.

Proof For correctness, note that the output is that of $h_b$ on the inputs $\sigma_i(x_i)$. Thus, the output is one if and only if $(x_1, \ldots, x_n) = a$, as the tuple $(M_1, \ldots, M_n)$ equals $b$ if and only if $(x_1, \ldots, x_n) = a$.

To prove robustness, fix a subset $T \subseteq [n]$ and $x_{\bar T} \in X_{\bar T}$. Let $\sigma_T(x_T)$ denote $(\sigma_i(x_i))_{i \in T}$. The encodings $M_{\bar T}$ of $\bar T$ consist of $|\bar T|$ integers $M_i \in \{0, \ldots, d_i - 1\}$ with $i \in \bar T$. The randomness $R_{T \cup \{0\}}$ consists of the vectors $\{m_{i,j}\}_{i \in [n],\, j \in [l_i]}$ and $|T|$ integers $s_i \in \{0, \ldots, d_i - 1\}$ with $i \in T$. The vectors $\{m_{i,j}\}_{i \in [n],\, j \in [l_i]}$ are uniformly distributed under the constraint that, for some $b \in X$ (with $I_i$ derived from $b_i$ as in Sect. 4), $\sum_{i=1}^{n} \sum_{j \in I_i} m_{i,j} = 0$ and there are no other linear relations between them. If $h|_{\bar T, x_{\bar T}} \equiv 0$, then $b_{\bar T} \ne M_{\bar T}$. If $h|_{\bar T, x_{\bar T}}(x_T) = 1$ for some $x_T \in X_T$, then $b_T = \sigma_T(x_T)$ and $b_{\bar T} = M_{\bar T}$.

We construct $\mathrm{Sim}_T$ for the protocol $P(\Pi_{\mathrm{proper}})$ on function $h_a$. The simulator first generates random vectors $\{m_{i,j}\}_{i \in [n],\, j \in [l_i]}$ under the constraint that, for some $b \in X$, $\sum_{i=1}^{n} \sum_{j \in I_i} m_{i,j} = 0$ and there are no other linear relations between them. The simulator then queries $h|_{\bar T, x_{\bar T}}$ on all possible inputs in $X_T$. If all answers are zero, the simulator generates random $M_i \in \{0, \ldots, d_i - 1\}$ with $i \in \bar T$ so that $b_{\bar T} \ne M_{\bar T}$, and generates random $R_i \in \{0, \ldots, d_i - 1\}$ with $i \in T$. Otherwise, there is an $x_T \in X_T$ such that $h|_{\bar T, x_{\bar T}}(x_T) = 1$, and the simulator sets $R_i$ and $M_i$ so that $b_T = \sigma_T(x_T)$ and $b_{\bar T} = M_{\bar T}$, where $\sigma_i$ is defined as above with $s_i = R_i$.

The correlated randomness $R_i$ with $i \in [n]$ and the encoding $M_i$ are integers of length $\lceil \log_2 (d - 1) \rceil$. Hence, the (online) individual communication complexity is at most $\lceil \log_2 (d - 1) \rceil$. □

We extend the above result to any set of functions that have the same output frequency. In the fully robust standard NIMPC protocol for $H_{\mathrm{ind}}$ in [2], $h_0$ plays the role of hiding all information on how many 1's the function $h$ has. This is the motivation for including $h_0$ in $H_{\mathrm{ind}}$, and a standard NIMPC protocol for $H_{\mathrm{ind}}$ is used as a subroutine. Our target set of functions has the same output frequency. Thus, we no longer need to hide this information, and thus the offline-online NIMPC protocol $\Pi_{\mathrm{proper}}$ for $H_{\mathrm{ind}} \setminus \{h_0\}$ is enough for our target sets.
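The following Python program is an added worked example and not code from the paper: it implements the Sect. 4 protocol $\Pi_{\mathrm{ind}}$ (GEN, ENC and DEC over $\mathbb{F}_2$), the offline-online protocol $\Pi_{\mathrm{proper}}$ above, the one-row-per-one construction used in the proof of Corollary 4 below (for $m = 1$), and the client of the Remark in Sect. 3 that recovers $a$ from the correlated randomness alone. Assumptions made for the example: $X_i = \{0, \ldots, d_i - 1\}$ with $\psi_i$ the identity and $\phi_i(x) = x + 1$; a vector of $\mathbb{F}_2^s$ is a Python integer whose bit $j$ is coordinate $j$, so vector addition is XOR; and $l_i$ is taken as the bit length of $d_i$ (one more than $\lceil \log_2 d_i \rceil$ when $d_i$ is a power of two) so that $\phi_i(x_i) = d_i$ also fits in $l_i$ bits. Linear independence is checked by Gaussian elimination over $\mathbb{F}_2$, and the random independent vectors are drawn by rejection sampling, which is adequate for the small domains used here.

```python
# Added example, not the paper's code. Assumptions: X_i = {0, ..., d_i - 1}, psi_i = id, phi_i(x) = x + 1
# (no input maps to the zero vector), l_i = bit length of d_i; F_2^s vectors are ints, bit j = coordinate j.
import secrets
from itertools import product

def rank_f2(vectors):
    """Rank of a list of F_2 vectors, by elimination on leading bits."""
    basis = {}  # leading bit -> basis vector with that leading bit
    for v in vectors:
        while v:
            top = v.bit_length() - 1
            if top not in basis:
                basis[top] = v
                break
            v ^= basis[top]
    return len(basis)

def sum_f2(vectors):
    """Sum over F_2 (coordinate-wise XOR) of a sequence of vectors."""
    total = 0
    for v in vectors:
        total ^= v
    return total

def random_independent(count, s):
    """`count` uniformly random, linearly independent vectors in F_2^s (rejection sampling)."""
    while True:
        vs = [secrets.randbits(s) for _ in range(count)]
        if rank_f2(vs) == count:
            return vs

def ones(value):
    """I = {j : bit j of value is 1}; value >= 1 here, so the set is never empty."""
    return {j for j in range(value.bit_length()) if (value >> j) & 1}

def gen_ind(ds, a=None):
    """GEN_ind (Sect. 4): a=None is h_0, otherwise h_a. R_i = [m_{i,0}, ..., m_{i,l_i-1}]."""
    n, ls = len(ds), [d.bit_length() for d in ds]
    s = sum(ls)
    slots = [(i, j) for i in range(n) for j in range(ls[i])]
    if a is None:  # h_0: s linearly independent vectors
        vecs = dict(zip(slots, random_independent(s, s)))
    else:  # h_a: the constraint set sums to zero and there is no other relation
        I = [ones(a[i] + 1) for i in range(n)]
        fixed = (n - 1, max(I[n - 1]))
        vecs = dict(zip([sl for sl in slots if sl != fixed], random_independent(s - 1, s)))
        # m_{n,max I_n} = -(sum of the other vectors in the constraint set); over F_2, minus is plus
        vecs[fixed] = sum_f2(vecs[(i, j)] for i in range(n) for j in I[i] if (i, j) != fixed)
    return [[vecs[(i, j)] for j in range(ls[i])] for i in range(n)]

def enc_ind(x_i, R_i):
    """ENC_i: sum of the vectors selected by the binary representation of phi_i(x_i)."""
    return sum_f2(R_i[j] for j in ones(x_i + 1))

def dec_ind(M):
    """DEC: 1 iff the messages sum to the zero vector."""
    return int(sum_f2(M) == 0)

def gen_proper(ds, a):
    """Offline-online GEN (Sect. 5) for h_a: R_0 = GEN_ind(h_b) for the shifted target b, R_i = s_i."""
    shifts = [secrets.randbelow(d) for d in ds]
    b = [(a[i] + shifts[i]) % ds[i] for i in range(len(ds))]
    return gen_ind(ds, b), shifts

def enc_proper(x_i, s_i, d_i):
    """Online message sigma_i(x_i): an integer in {0, ..., d_i - 1}, not an F_2^s vector."""
    return (x_i + s_i) % d_i

def dec_proper(R_0, M):
    """P_0 re-encodes the shifted inputs under R_0 and decodes as in Sect. 4."""
    return dec_ind([enc_ind(M[i], R_0[i]) for i in range(len(M))])

def decode_run(ds, R, x, proper):
    """Output of one run on input x from the preprocessing R (standard or offline-online)."""
    if proper:
        R_0, sh = R
        return dec_proper(R_0, [enc_proper(x[i], sh[i], ds[i]) for i in range(len(ds))])
    return dec_ind([enc_ind(x[i], R[i]) for i in range(len(ds))])

def gen_same_frequency(ds, ones_of_h):
    """Corollary 4 (m = 1): one Pi_proper instance per a in h^{-1}(1), rows in random order."""
    rows = [gen_proper(ds, a) for a in ones_of_h]
    secrets.SystemRandom().shuffle(rows)
    return rows

def evaluate_same_frequency(ds, rows, x):
    """Corollary 4 output: 1 iff some row decodes to 1."""
    return int(any(decode_run(ds, row, x, True) for row in rows))

def correct_on_all_inputs(ds, a=None, proper=False):
    """Correctness: after one GEN, the output equals h_a(x) (or h_0(x) = 0) for every x in X."""
    R = gen_proper(ds, a) if proper else gen_ind(ds, a)
    return all(decode_run(ds, R, x, proper) == int(a is not None and tuple(a) == x)
               for x in product(*(range(d) for d in ds)))

def recover_a(ds, R):
    """Sect. 3 Remark: whoever holds R alone learns a by decoding every input (None for h_0)."""
    return next((x for x in product(*(range(d) for d in ds)) if decode_run(ds, R, x, False)), None)
```

With `ds = [3, 4, 5]` (so $s = 2 + 3 + 3 = 8$), `correct_on_all_inputs(ds, (2, 0, 4))` and `correct_on_all_inputs(ds, (2, 0, 4), proper=True)` both exhaust $X$ and return `True`, while the $s$ vectors returned by `gen_ind(ds, a)` have rank $s - 1$ (exactly one relation) and those for $h_0$ have rank $s$. `recover_a` makes the Sect. 3 argument concrete: anyone holding the correlated randomness of $h_a$ learns $a$ by encoding and decoding every input, which is why $\sum_i \log |\mathcal{R}_i|$ cannot fall below $\log |X|$. Note what the example does not exercise: robustness is a statement about distributions (the simulators of Theorems 2 and 3), which no correctness test can check.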
Corollary 4 Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \le d$ for all $1 \le i \le n$ and let $X = X_1 \times \cdots \times X_n$. Fix an integer $m > 1$. Let $H$ be a set of functions $h : X \to \{0, 1\}^m$ that have the same output frequency, that is, $|\{x \in X \mid h(x) = y\}| = |\{x \in X \mid h'(x) = y\}|$ holds for any $h, h' \in H$ and for any $y \in \{0, 1\}^m$. Then, there is a fully robust offline-online NIMPC protocol for $H$ with individual communication complexity at most $|X| \cdot m \cdot \log(d - 1)$.

Proof Fix a function $h \in H$. Assume for simplicity that $m = 1$. The offline-online protocol $\Pi$ for $H$, which uses $\Pi_{proper} = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$, is as follows.

– Offline preprocessing: Let $I = h^{-1}(1) \subseteq X$, i.e., the set of ones of $h$. Let $D = |I|$, i.e., the number of ones of $h$, and $I = \{a_1, \ldots, a_D\}$. Choose a random permutation $\phi$. For each $k \in [D]$, let $R^{(k)} = (R^{(k)}_0, R^{(k)}_1, \ldots, R^{(k)}_n) \leftarrow \mathrm{GEN}(h_{a_k})$. Define a matrix $R$, where $R_{i,k} = R^{(\phi(k))}_i$ for $0 \le i \le n$ and $k \in [D]$. Send to $P_i$ the random strings $(R_{i,k})_{k \in [D]}$, i.e., the $i$th row of $R$.
– Online messages: For every $i \in [n]$ and $k \in [D]$, let $M^{(k)}_i = \mathrm{ENC}_i(x_i, R_{i,k})$. Define a matrix $M$, where $M_{i,k} = M^{(k)}_i$ for $0 \le i \le n$ and $k \in [D]$. Each $P_i$ sends to $P_0$ the message $M_i = (M_{i,k})_{k \in [D]}$.
– Output $h(x_1, \ldots, x_n)$: The output is 1 if for some $k \in [D]$, $\mathrm{DEC}(R_{0,k}, M_{1,k}, \ldots, M_{n,k}) = 1$. Otherwise, the output is zero.

First, we show the correctness of the above protocol. Fix $x = (x_1, \ldots, x_n) \in X$. The output is 1 if and only if $\mathrm{DEC}(R_{0,k}, M_{1,k}, \ldots, M_{n,k}) = 1$ for some $k \in [D]$, that is, $\mathrm{DEC}(R^{(\phi(k))}_0, \mathrm{ENC}_1(x_1, R^{(\phi(k))}_1), \ldots, \mathrm{ENC}_n(x_n, R^{(\phi(k))}_n)) = 1$ for some $k \in [D]$. Since the underlying $\Pi_{proper} = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ satisfies the correctness, this happens if and only if $h_{a_k}(x) = 1$ holds for some $a_k \in I$.

Next, we show the robustness. The robustness is proven in a similar way to Theorem 3. Fix $T \subseteq [n]$ and $x_{\overline{T}} \in X_{\overline{T}}$. We construct a simulator for $(M_{\overline{T}}, R_T)$ given $h|_{\overline{T}, x_{\overline{T}}}$. Each row $k$ is of the form $(M^{(k)}_{\overline{T}}, R^{(k)}_T)$ for $k \in [D]$.

For each $k \in [D]$, the encodings $M^{(k)}_{\overline{T}}$ of $\overline{T}$ consist of $|\overline{T}|$ integers $M^{(k)}_i \in \{0, \ldots, d_i - 1\}$ with $i \in \overline{T}$. The randomness $R^{(k)}_T$ consists of the vectors $\{m^{(k)}_{i,j}\}_{i \in [n], j \in [l_i]}$ and $|T|$ integers $s^{(k)}_i \in \{0, \ldots, d_i - 1\}$ with $i \in T$. The vectors $\{m^{(k)}_{i,j}\}_{i \in [n], j \in [l_i]}$ are uniformly distributed under the constraint that for some $b^{(k)} \in X$, $\sum_{i=1}^{n} m^{(k)}_{i, b^{(k)}_i} = 0$ and there are no other linear relations between them. If $h|_{\overline{T}, x_{\overline{T}}} \equiv 0$, then $b^{(k)}_{\overline{T}} \neq M^{(k)}_{\overline{T}}$. If $h|_{\overline{T}, x_{\overline{T}}}(x_T) = 1$ for some $x_T \in X_T$, then $b^{(k)}_T = \sigma^{(k)}_T(x_T)$ and $b^{(k)}_{\overline{T}} = M^{(k)}_{\overline{T}}$.

We construct $\mathrm{Sim}_T$ for the protocol $P(\Pi)$ on function $h_a$. For each $k \in [D]$, the simulator first generates random vectors $\{m^{(k)}_{i,j}\}_{i \in [n], j \in [l_i]}$ under the constraint that for some $b^{(k)} \in X$, $\sum_{i=1}^{n} m^{(k)}_{i, b^{(k)}_i} = 0$ and there are no other linear relations between them. The simulator then queries $h|_{\overline{T}, x_{\overline{T}}}$ on all possible inputs in $X_T$.

Let $I' \subseteq X_T$ be the set of ones of $h|_{\overline{T}, x_{\overline{T}}}$. Let $D' = |I'|$ and $I' = \{x^{(1)}_T, \ldots, x^{(D')}_T\}$. For $1 \le k \le D'$, the simulator generates random $M^{(k)}_i \in \{0, \ldots, d_i - 1\}$ with $i \in \overline{T}$ so that $b^{(k)}_{\overline{T}} \neq M^{(k)}_{\overline{T}}$, and generates random $R^{(k)}_i \in \{0, \ldots, d_i - 1\}$ with $i \in T$. For $D' < k \le D$, the simulator sets $R^{(k)}_i$ and $M^{(k)}_i$ so that $b^{(k)}_T = \sigma^{(k)}_T(x^{(k)}_T)$ and $b^{(k)}_{\overline{T}} = M^{(k)}_{\overline{T}}$, where $\sigma^{(k)}_i$ is defined with $s^{(k)}_i = R^{(k)}_i$ as in Theorem 3.

The correlated randomness $R^{(k)}_i$ with $i \in [n]$ and the encoding $M^{(k)}_i$ are integers of length $\log_2(d - 1)$. Hence, the (online) individual communication complexity is at most $|X| \cdot m \cdot \log_2(d - 1)$.

6 Conclusion

We have presented the first lower bound on the communication complexity of $n$-player NIMPC protocols for any set of functions, including the set of arbitrary functions and the set of indicator functions. We have constructed novel fully robust NIMPC protocols for the set of arbitrary functions $H_{all}$ and the set of indicator functions $H_{ind}$. The proposed protocols are much more efficient than the previous protocols.
For example, for the set of arbitrary functions, while the previous best known protocol in [2] requires $|X| \cdot m \cdot d \cdot n$ communication complexity, the communication complexity of the proposed construction is only $|X| \cdot m \cdot \log d \cdot n$, where $X$ denotes the (total) input domain, $d$ is the maximum domain size of a player, and $m$ is the output length. By this result, the gap between the lower and upper bounds on the communication complexity is significantly reduced from $d \cdot n$ to $\log d \cdot n$, that is, from exponential in the input length to quadratic. In addition, we have shown the possibility of reducing the individual communication complexity much further by employing the offline-online model for some sets of functions (e.g., $H_{ind} \setminus \{h_0\}$).

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

References

1. Barkol O., Ishai Y., Weinreb E.: On d-multiplicative secret sharing. J. Cryptol. 23(4), 580–593 (2010).
2. Beimel A., Gabizon A., Ishai Y., Kushilevitz E., Meldgaard S., Paskin-Cherniavsky A.: Non-interactive secure multiparty computation. In: Advances in Cryptology—CRYPTO 2014. Lecture Notes in Computer Science, vol. 8617, pp. 387–404 (2014).
3. Beimel A., Gabizon A., Ishai Y., Kushilevitz E., Meldgaard S., Paskin-Cherniavsky A.: Non-interactive secure multiparty computation. Cryptology ePrint Archive: Report 2014/960 (2014).
4. Benhamouda F., Krawczyk H., Rabin T.: Robust non-interactive multiparty computation against constant-size collusion. In: Advances in Cryptology—CRYPTO 2017. Lecture Notes in Computer Science, vol. 10401, pp. 391–419 (2017).
5. Benhamouda F., Krawczyk H., Rabin T.: Robust non-interactive multiparty computation against constant-size collusion. Cryptology ePrint Archive: Report 2017/555 (2017).
6. Ben-Or M., Goldwasser S., Wigderson A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: The 20th Annual ACM Symposium on Theory of Computing (STOC ’88), pp. 1–10 (1988).
7. Chaum D., Crépeau C., Damgård I.: Multiparty unconditionally secure protocols. In: The 20th Annual ACM Symposium on Theory of Computing (STOC ’88), pp. 11–19 (1988).
8. Cramer R., Damgård I., Maurer U.: General secure multi-party computation from any linear secret sharing scheme. In: Advances in Cryptology—EUROCRYPT 2000. Lecture Notes in Computer Science, vol. 1807, pp. 316–335 (2000).
9. Data D., Prabhakaran M., Prabhakaran V.: On the communication complexity of secure computation. In: Advances in Cryptology—CRYPTO 2014. Lecture Notes in Computer Science, vol. 861, pp. 199–216 (2014).
10. Goldwasser S., Micali S., Wigderson A.: How to play any mental game, or a completeness theorem for protocols with an honest majority. In: The 19th Annual ACM Symposium on Theory of Computing (STOC ’87), pp. 218–229 (1987).
11. Hirt M., Maurer U.: Player simulation and general adversary structures in perfect multiparty computation. J. Cryptol. 13(1), 31–60 (2000).
12. Hirt M., Tschudi D.: Efficient general-adversary multi-party computation. In: Advances in Cryptology—ASIACRYPT 2013, Part II. Lecture Notes in Computer Science, vol. 8270, pp. 181–200 (2013).
13. Maurer U.: Secure multi-party computation made simple. In: Security in Communication Networks, Third International Conference, SCN 2002. Lecture Notes in Computer Science, vol. 2576, pp. 14–28 (2003).
14. Rabin T., Ben-Or M.: Verifiable secret sharing and multiparty protocols with honest majority. In: The 21st Annual ACM Symposium on Theory of Computing (STOC ’89), pp. 73–85 (1989).
15. Yao A.C.: Protocols for secure computations. In: The 23rd Annual Symposium on Foundations of Computer Science (FOCS ’82), pp. 160–164 (1982).
16. Yoshida M., Obana S.: On the (in)efficiency of non-interactive secure multiparty computation. In: The 18th Annual International Conference on Information Security and Cryptology, ICISC 2015. Lecture Notes in Computer Science, vol. 9558, pp. 185–193 (2016).
Designs, Codes and Cryptography
Springer Journals