On the (in)efficiency of non-interactive secure multiparty computation

Des. Codes Cryptogr. (2018) 86:1793–1805
https://doi.org/10.1007/s10623-017-0424-7

Maki Yoshida · Satoshi Obana

Received: 13 May 2016 / Revised: 22 May 2017 / Accepted: 3 October 2017 / Published online: 26 March 2018
© The Author(s) 2018

Abstract Secure multi-party computation (MPC) enables multiple players to cooperatively evaluate various functions in the presence of adversaries. In this paper, we consider non-interactive MPC (NIMPC) against honest-but-curious adversaries in the information-theoretic setting, which was introduced by Beimel et al. at CRYPTO 2014. Their main focus is to realize stronger security while completely avoiding interaction, and they succeeded in showing that every function admits a fully robust NIMPC protocol. In this paper, we further develop the study of NIMPC. We first present a simple lower bound on the communication complexity derived from the correctness requirement of NIMPC. Secondly, we present an efficient NIMPC protocol for indicator functions, which is an important building block of NIMPC protocols. An NIMPC protocol for arbitrary functions is also constructed from the proposed NIMPC for indicator functions by using the generic compiler introduced by Beimel et al. at CRYPTO 2014. The communication complexities of the NIMPC protocols presented in this paper are much lower than the previous ones. In fact, the gap between the lower and upper bounds on the communication complexity is reduced from exponential in the input length to quadratic. Finally, we show some improvements on the efficiency in the so-called offline-online model. Specifically, for some sets of functions, an exponential amount of offline communication reduces the online communication to almost the optimum amount in the standard model.

Communicated by L. Perret.

The preliminary version of this paper is presented in [16].
The difference is an extension to the so-called offline-online model, by which the efficiency of online communication is further improved.

Maki Yoshida (corresponding author), maki-yos@nict.go.jp, NICT, Tokyo, Japan
Satoshi Obana, obana@hosei.ac.jp, Hosei University, Tokyo, Japan

Keywords Secure multi-party computation · Non-interactive · Information theoretical security · Communication complexity · Lower bound

Mathematics Subject Classification 94A15 · 94A60

1 Introduction

Secure multi-party computation (MPC) aims to enable multiple players to cooperatively compute various functions in the presence of adversaries. MPC was first introduced by Yao [15], and because of its importance in cryptography many variants have been presented so far [6–8,10–14]. At CRYPTO 2014 [2] (and its full version [3]), Beimel et al. introduced a novel type of MPC, called non-interactive MPC (NIMPC), against honest-but-curious adversaries in the information-theoretic setting, which completely avoids interaction while realizing as strong security as possible: an NIMPC protocol for a function $f(x_1, \ldots, x_n)$ is defined by a joint probability distribution $R = (R_1, \ldots, R_n)$ and local encoding functions $\mathrm{ENC}_i(x_i, R_i)$, where $1 \le i \le n$; for a set $T \subseteq [n] = \{1, \ldots, n\}$, the protocol is said to be $T$-robust (with respect to $f$) if revealing the messages $(\mathrm{ENC}_i(x_i, R_i))_{i \notin T}$ together with the randomness $(R_i)_{i \in T}$, where $(R_1, \ldots, R_n)$ is sampled from $R$, gives the same information about $(x_i)_{i \notin T}$ as an oracle access to the function $f$ restricted to these input values; for $0 \le t \le n$, the protocol is said to be $t$-robust if it is $T$-robust for every $T$ of size at most $t$, and it is said to be fully robust if it is $n$-robust. In [2,3], Beimel et al. succeeded in obtaining unconditional positive results for some special cases of interest.
In particular, they have presented fully robust NIMPC protocols for various classes of functions, including the class of arbitrary functions. However, except for special functions like the summation in an abelian group, the communication complexity is not less than polynomial in the size of the input domain (i.e., exponential in the input length). The question we ask is whether there is room to reduce the communication complexity of NIMPC. Unfortunately, few results are known about limitations on the communication complexity of MPC. Recently, research tackling the difficult problem of lower bounds on communication in MPC has become active, e.g., Data et al. at CRYPTO 2014 [9]. They have developed novel information-theoretic tools to prove lower bounds on the communication complexity in the traditional (i.e., interactive) model involving three parties.

In this paper, we study the communication complexity of NIMPC as defined in [2,3]. As a result, we show that the inefficiency of NIMPC is essentially unavoidable except for special classes of functions. The contributions of this paper are as follows.

Communication complexity of NIMPC for the set of arbitrary functions: We derive the first lower bound on the communication complexity of NIMPC for any set of functions. The derived lower bound is the logarithm of the size of the function set. In particular, for the set of arbitrary functions $f : X \to \{0,1\}^m$, where $X$ is the input domain and $m$ is the output length, the lower bound is $|X| \cdot m$, i.e., exponential in the input length.

Communication complexity for the set of indicator functions: On the other hand, for the set of indicator functions, where the number of functions is linear in the input and output length, we have a significantly smaller lower bound. However, the communication complexity of the previous fully robust NIMPC protocol for indicator functions in [2,3] is exponential in the input length.
NIMPC for indicator functions is used as the main building block of NIMPC for arbitrary functions in [2,3]. Thus, for the previous fully robust NIMPC protocol for arbitrary functions in [2,3], there is also an exponential gap between the lower and upper bounds.

Table 1 The (total) communication complexity of $n$-player NIMPC protocols for a family of functions $h : X \to \{0,1\}^m$, where $X = X_1 \times \cdots \times X_n$ and $|X_i| \le d$ for all $1 \le i \le n$ (the lower-bound row assumes $|X_i| \ge d$, as in Corollaries 1 and 2)

                                  Arbitrary functions                                        Indicator functions ($m = 1$)
Previous protocols in [2,3]       $|X| \cdot m \cdot d^2 \cdot n$                            $d^2 \cdot n$
Lower bound (Sect. 3)             $|X| \cdot m$                                              $\log |X|$ $(\ge \log d \cdot n)$
Our protocols (Sect. 4)           $|X| \cdot m \cdot \lceil \log_2 d \rceil^2 \cdot n^2$     $\lceil \log_2 d \rceil^2 \cdot n^2$

Efficient fully robust NIMPC protocol for indicator functions: We then reduce the exponential gap between the lower and upper bounds on the communication complexity to quadratic by constructing a much more efficient fully robust NIMPC protocol for indicator functions. Specifically, we present a construction of fully robust NIMPC protocols for indicator functions whose communication complexity is quadratic in the input length (Table 1).

Some improvements in the offline-online model: In [2] and the above, it is assumed that all communication happens after the inputs are known. It is mentioned in [3] (Remark 2.6) that it is sometimes useful to separate between offline communication, which can take place after the function is known but before the inputs are known, and online communication, which takes place once the inputs are known. For this offline-online model of NIMPC, one desirable feature is low online complexity [3]. For the proper set of indicator functions, we show that an exponential amount of offline communication reduces the online communication to the optimum amount in the standard model. This result is useful for any set $H$ of functions that have the same output frequency, that is, $|\{x \in X \mid h(x) = y\}| = |\{x \in X \mid h'(x) = y\}|$ holds for any $h, h' \in H$ and for any $y \in \{0,1\}^m$.
Our technique for deriving the lower bounds is quite simple and useful for approximating the amount of communication. We use the fact that the NIMPC model considered in [2,3] requires that the computed function itself be “private” and, in particular, not known in advance, while the target class of functions is public. For the target class of functions, we first assume the existence of a correct NIMPC protocol with some communication complexity and show a method for a server to send data to a client by encoding the data into a function and evaluating the function with the NIMPC protocol. Thus, the communication complexity is bounded by the size of the target class. If the assumed communication complexity is smaller than the logarithm of the size of the target class, a contradiction is implied. Thus, the communication complexity is lower bounded by the logarithm of the size of the target class. A similar technique is used in [1] for proving the impossibility of multiplicative secret sharing rather than for deriving lower bounds. We note that we only use the correctness requirement for deriving the lower bound. Thus, the lower bound in this paper is applicable not only to NIMPC against any collusion, including the constant-size ones considered in [4,5], but also to other security models including computational and statistical ones. In addition, our lower bound technique works for MPC models in which the function itself is private, rather than for the standard one where the function is assumed to be known (and the protocol may depend on it).

2 Preliminaries

We recall the notations and definitions of NIMPC introduced in [2]. For an integer $n$, let $[n]$ be the set $\{1, 2, \ldots, n\}$. For a set $X = X_1 \times \cdots \times X_n$ and $T \subseteq [n]$, we denote $X_T \triangleq \prod_{i \in T} X_i$. For $x \in X$, we denote by $x_T$ the restriction of $x$ to $X_T$, and for a function $h : X \to \Omega$, a subset $T \subseteq [n]$, and $x_{\overline{T}} \in X_{\overline{T}}$, we denote by $h|_{\overline{T}, x_{\overline{T}}} : X_T \to \Omega$ the function $h$ where the inputs in $X_{\overline{T}}$ are fixed to $x_{\overline{T}}$.
For a set $S$, let $|S|$ denote its size (i.e., the cardinality of $S$).

An NIMPC protocol for a family of functions $H$ is defined by three algorithms: (1) a randomness generation function $\mathrm{GEN}$, which given a description of a function $h \in H$ generates $n$ correlated random inputs $R_1, \ldots, R_n$, (2) a local encoding function $\mathrm{ENC}_i$ ($1 \le i \le n$), which takes an input $x_i$ and a random input $R_i$ and outputs a message, and (3) a decoding algorithm $\mathrm{DEC}$ that reconstructs $h(x_1, \ldots, x_n)$ from the $n$ messages. The formal definition is given as follows:

Definition 1 (NIMPC: syntax and correctness) Let $X_1, \ldots, X_n$, $\mathcal{R}_1, \ldots, \mathcal{R}_n$, $\mathcal{M}_1, \ldots, \mathcal{M}_n$ and $\Omega$ be finite domains. Let $X \triangleq X_1 \times \cdots \times X_n$ and let $H$ be a family of functions $h : X \to \Omega$. A non-interactive secure MPC (NIMPC) protocol for $H$ is a triplet $\Pi = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ where
– $\mathrm{GEN} : H \to \mathcal{R}_1 \times \cdots \times \mathcal{R}_n$ is a randomized function,
– $\mathrm{ENC}$ is an $n$-tuple of deterministic functions $(\mathrm{ENC}_1, \ldots, \mathrm{ENC}_n)$, where $\mathrm{ENC}_i : X_i \times \mathcal{R}_i \to \mathcal{M}_i$,
– $\mathrm{DEC} : \mathcal{M}_1 \times \cdots \times \mathcal{M}_n \to \Omega$ is a deterministic function satisfying the following correctness requirement: for any $x = (x_1, \ldots, x_n) \in X$ and $h \in H$,
$$\Pr\left[ R = (R_1, \ldots, R_n) \leftarrow \mathrm{GEN}(h) : \mathrm{DEC}(\mathrm{ENC}(x, R)) = h(x) \right] = 1, \quad (1)$$
where $\mathrm{ENC}(x, R) \triangleq (\mathrm{ENC}_1(x_1, R_1), \ldots, \mathrm{ENC}_n(x_n, R_n))$.

The individual communication complexity of $\Pi$ is the maximum of $\log |\mathcal{R}_1|, \ldots, \log |\mathcal{R}_n|, \log |\mathcal{M}_1|, \ldots, \log |\mathcal{M}_n|$. The total communication complexity of $\Pi$ is $\max\{\sum_{i \in [n]} \log |\mathcal{R}_i|, \sum_{i \in [n]} \log |\mathcal{M}_i|\}$.

We next show the definition of robustness for NIMPC, which states that a coalition can only learn the information they should. In the above setting, a coalition $T$ can repeatedly encode any inputs for $T$ and decode $h$ with the new encoded inputs and the original encoded inputs of $\overline{T}$. Thus, the following robustness requires that they learn no other information than the information obtained from oracle access to $h|_{\overline{T}, x_{\overline{T}}}$.
Definition 2 (NIMPC: robustness) For a subset $T \subseteq [n]$, we say that an NIMPC protocol $\Pi$ for $H$ is $T$-robust if there exists a randomized function $\mathrm{Sim}_T$ (a “simulator”) such that, for every $h \in H$ and $x_{\overline{T}} \in X_{\overline{T}}$, we have $\mathrm{Sim}_T(h|_{\overline{T}, x_{\overline{T}}}) \equiv (M_{\overline{T}}, R_T)$, where $R$ and $M$ are the joint randomness and messages defined by $R \leftarrow \mathrm{GEN}(h)$ and $M_i \leftarrow \mathrm{ENC}_i(x_i, R_i)$. For an integer $0 \le t \le n$, we say that $\Pi$ is $t$-robust if it is $T$-robust for every $T \subseteq [n]$ of size $|T| \le t$. We say that $\Pi$ is fully robust (or simply refer to $\Pi$ as an NIMPC for $H$) if $\Pi$ is $n$-robust. Finally, given a concrete function $h : X \to \Omega$, we say that $\Pi$ is a ($t$-robust) NIMPC protocol for $h$ if it is a ($t$-robust) NIMPC for $H = \{h\}$.

As the same simulator $\mathrm{Sim}_T$ is used for every $h \in H$ and the simulator only has access to $h|_{\overline{T}, x_{\overline{T}}}$, NIMPC hides both $h$ and the inputs of $\overline{T}$. An NIMPC protocol is 0-robust if it is $\emptyset$-robust. In this case, the only requirement is that the messages $(M_1, \ldots, M_n)$ reveal $h(x)$ and nothing else.

An NIMPC protocol is also described in the language of protocols in [2]. Such a protocol involves $n$ players $P_1, \ldots, P_n$, each holding an input $x_i \in X_i$, and an external “output server,” a player $P_0$ with no input. The protocol may have an additional input, a function $h \in H$.

Definition 3 (NIMPC: protocol description) For an NIMPC protocol $\Pi$ for $H$, let $P(\Pi)$ denote the protocol that may have an additional input, a function $h \in H$, and proceeds as follows.

Protocol $P(\Pi)(h)$
– Offline preprocessing: Each player $P_i$, $1 \le i \le n$, receives the random input $R_i \triangleq \mathrm{GEN}(h)_i \in \mathcal{R}_i$.
– Online messages: On input $R_i$, each player $P_i$, $1 \le i \le n$, sends the message $M_i \triangleq \mathrm{ENC}_i(x_i, R_i) \in \mathcal{M}_i$ to $P_0$.
– Output: $P_0$ computes and outputs $\mathrm{DEC}(M_1, \ldots, M_n)$.

Informally, the relevant properties of protocol $P(\Pi)$ are given as follows:
– For any $h \in H$ and $x \in X$, the output server $P_0$ outputs, with probability 1, the value $h(x_1, \ldots, x_n)$.
– Fix $T \subseteq [n]$.
Then, $\Pi$ is $T$-robust if in $P(\Pi)$ the set of players $\{P_i\}_{i \in T} \cup \{P_0\}$ can simulate their view of the protocol (i.e., the random inputs $\{R_i\}_{i \in T}$ and the messages $\{M_i\}_{i \in \overline{T}}$) given oracle access to the function $h$ restricted by the other inputs (i.e., $h|_{\overline{T}, x_{\overline{T}}}$).
– $\Pi$ is 0-robust if and only if in $P(\Pi)$ the output server $P_0$ learns nothing but $h(x_1, \ldots, x_n)$.

We show a claim in [2] stating that for functions outputting more than one bit, we can compute each output bit separately. Based on this fact, in [2], a fully robust NIMPC protocol for the set of indicator functions was first constructed, and then NIMPC protocols for the set of arbitrary functions were constructed based on it.

Proposition 1 (Claim 7 in [2]) Let $X \triangleq X_1 \times \cdots \times X_n$, where $X_1, \ldots, X_n$ are some finite domains. Fix an integer $m > 1$. Suppose $H$ is a family of boolean functions $h : X \to \{0,1\}$ admitting an NIMPC protocol with communication complexity $\delta$. Then, the family of functions $H^m \triangleq \{h : X \to \{0,1\}^m \mid h = h_1 \circ \cdots \circ h_m,\ h_i \in H\}$ admits an NIMPC protocol with communication complexity $\delta \cdot m$.

Definition 4 (Indicator functions) Let $X$ be a finite domain. For an $n$-tuple $a = (a_1, \ldots, a_n) \in X$, let $h_a : X \to \{0,1\}$ be the function defined by $h_a(a) = 1$, and $h_a(x) = 0$ for all $a \ne x \in X$. Let $h_0 : X \to \{0,1\}$ be the function that is identically zero on $X$. Let $H_{\mathrm{ind}} \triangleq \{h_a\}_{a \in X} \cup \{h_0\}$ be the set of all indicator functions together with $h_0$.

Note that every function $h : X \to \{0,1\}$ can be expressed as the sum of indicator functions, namely, $h = \sum_{a \in X,\ h(a) = 1} h_a$.

We review the previous results on upper bounds on the individual communication complexity of NIMPC. As described above, the fully robust NIMPC protocols in [2] are constructed from a fully robust NIMPC for $H_{\mathrm{ind}}$. Thus, the previous upper bounds depend on the upper bound for $H_{\mathrm{ind}}$. This means we have a better upper bound if we obtain a more efficient fully robust NIMPC protocol for $H_{\mathrm{ind}}$.
Proposition 2 (Arbitrary functions $H_{\mathrm{all}}$, Proof of Theorem 10 in [2]) Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \le d$ for all $1 \le i \le n$ and let $X \triangleq X_1 \times \cdots \times X_n$. Let $H_{\mathrm{all}}$ be the set of all functions $h : X \to \{0,1\}^m$. If there exists an NIMPC protocol for $H_{\mathrm{ind}}$ with individual communication complexity $\delta$, then there exists an NIMPC protocol for $H_{\mathrm{all}}$ with individual (resp. total) communication complexity $|X| \cdot m \cdot \delta$ (resp. $|X| \cdot m \cdot \delta \cdot n$).

3 Lower bounds on the communication complexity

We derive a lower bound on the total communication complexity for any finite set of functions, and in particular for $H_{\mathrm{all}}$ and $H_{\mathrm{ind}}$. As described in Sect. 1, the total communication complexity is bounded by the size of the target class. In other words, the total communication complexity cannot be smaller than the logarithm of the size of the target class.

Theorem 1 (Lower bound for any finite set of functions) Fix finite domains $X_1, \ldots, X_n$ and $\Omega$. Let $X \triangleq X_1 \times \cdots \times X_n$ and $H$ a set of functions $h : X \to \Omega$. Then, any fully robust NIMPC protocol $\Pi$ for $H$ satisfies
$$\sum_{i=1}^{n} \log |\mathcal{R}_i| \ge \log |H|, \quad (2)$$
$$\sum_{i=1}^{n} \log |\mathcal{M}_i| \ge \log |\Omega|. \quad (3)$$

Proof We first prove Eq. (2). Let $\mathcal{H} = |H|$. Let $\varphi$ be a one-to-one mapping from $H$ to $\{0, 1, \ldots, \mathcal{H} - 1\}$. (That is, all functions in $H$ are numbered according to some rule.) Suppose a server holding a random number $a \in \{0, \ldots, \mathcal{H} - 1\}$ aims to send $a$ to a client. Suppose also that there is an NIMPC protocol $(\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ for $H$ that satisfies $\sum_{i=1}^{n} \log |\mathcal{R}_i| < \log \mathcal{H}$. For the function $h = \varphi^{-1}(a)$, the server executes $R \leftarrow \mathrm{GEN}(h)$ and sends $R$ to the client. The client obtains $a$ by executing $\mathrm{ENC}$ and $\mathrm{DEC}$ for all possible inputs $x \in X$ and identifying the function $h$. We conclude that the server can communicate any $a \in \{0, \ldots, \mathcal{H} - 1\}$ to the client using $R = (R_1, \ldots, R_n)$, whose domain size $\prod_{i=1}^{n} |\mathcal{R}_i|$ is smaller than $\mathcal{H}$, which is impossible. Thus, we have $\sum_{i=1}^{n} \log |\mathcal{R}_i| \ge \log \mathcal{H}$.

In a similar way, we next prove Eq. (3).
Suppose a server holding a random element $b \in \Omega$ aims to send $b$ to a client, and that there is an NIMPC protocol $(\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ for $H$ that satisfies $\sum_{i=1}^{n} \log |\mathcal{M}_i| < \log |\Omega|$. For a function $h \in H$ and an element $a \in X$ such that $h(a) = b$, the server executes $R \leftarrow \mathrm{GEN}(h)$ and $M \leftarrow \mathrm{ENC}(a, R)$, and sends $M$ to the client. The client obtains $b$ by executing $\mathrm{DEC}$. We conclude that the server can communicate any $b \in \Omega$ to the client using $M = (M_1, \ldots, M_n)$, whose domain size $\prod_{i=1}^{n} |\mathcal{M}_i|$ is smaller than $|\Omega|$, which is impossible. Thus, we have $\sum_{i=1}^{n} \log |\mathcal{M}_i| \ge \log |\Omega|$.

The following corollary shows a lower bound on the total communication complexity of NIMPC for the set of arbitrary functions. The lower bounds indicate the impossibility of reducing the communication complexity to polynomial in the input length.

Corollary 1 (Lower bound for arbitrary functions) Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \ge d$ for all $1 \le i \le n$. Let $X \triangleq X_1 \times \cdots \times X_n$ and $H_{\mathrm{all}}$ the set of all functions $h : X \to \{0,1\}^m$. Any NIMPC protocol $\Pi$ for $H_{\mathrm{all}}$ satisfies
$$\sum_{i=1}^{n} \log |\mathcal{R}_i| \ge m \cdot |X| \ge d^n \cdot m, \quad (4)$$
$$\sum_{i=1}^{n} \log |\mathcal{M}_i| \ge m. \quad (5)$$

Proof The proof is obvious from Theorem 1 by setting $H = H_{\mathrm{all}}$. A function maps each input value to some output value. Thus, $|H|$ is the number of all possible output values raised to the number of all possible input values, i.e., $(2^m)^{|X|} = 2^{m \cdot |X|}$. Then, $\sum_{i=1}^{n} \log |\mathcal{R}_i| \ge \log |H| = m \cdot |X|$.

The following corollary shows a lower bound on the total communication complexity of NIMPC for $H_{\mathrm{ind}}$. The gap between this lower bound (linear in the input length) and the previous upper bound (exponential in the input length) is large. In the next section, we will present an efficient NIMPC protocol for $H_{\mathrm{ind}}$ with individual (resp. total) communication complexity at most $\lceil \log_2 d \rceil^2 \cdot n$ (resp. $\lceil \log_2 d \rceil^2 \cdot n^2$).
Corollary 2 (Lower bound for indicator functions) Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \ge d$ for all $1 \le i \le n$ and let $X \triangleq X_1 \times \cdots \times X_n$. Then, any NIMPC protocol $\Pi_{\mathrm{ind}}$ for $H_{\mathrm{ind}}$ satisfies
$$\sum_{i=1}^{n} \log |\mathcal{R}_i| \ge \log |X| \ge n \cdot \log d. \quad (6)$$

Proof The proof is obvious from Theorem 1 by setting $H = H_{\mathrm{ind}}$. A function $h_a$ maps each input value $x$ to zero or one depending on whether $x = a$ or not. Thus, $|H|$ is given by the number of all possible values of $a$, i.e., $|X|$. Then, $\sum_{i=1}^{n} \log |\mathcal{R}_i| \ge \log |H| = \log |X|$.

Remark. We can give a more constructive proof, which need not assume the existence of a one-to-one mapping $\varphi$. Suppose a server holding a random vector $a = (a_1, \ldots, a_n) \in X$ aims to send $a$ to a client. Suppose that there is an NIMPC protocol $(\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ for $H_{\mathrm{ind}}$ that satisfies $\sum_{i=1}^{n} \log |\mathcal{R}_i| < \log |X|$. The server executes $R \leftarrow \mathrm{GEN}(h_a)$ and sends $R$ to the client. The client obtains $a$ by executing $\mathrm{ENC}$ and $\mathrm{DEC}$ for all possible inputs $a' \in X$ and checking whether the output is 1 or not. The input $a'$ for which the output is 1 is taken as $a$. We conclude that the server can communicate any $a \in X$ to the client using $R = (R_1, \ldots, R_n)$, whose domain size $\prod_{i=1}^{n} |\mathcal{R}_i|$ is smaller than $|X|$, which is impossible. Thus, we have $\sum_{i=1}^{n} \log |\mathcal{R}_i| \ge \log |X|$.

4 Efficient constructions

We now present an efficient construction of fully robust NIMPC for $H_{\mathrm{ind}}$. In the previous construction in [2], all the possible input values are encoded in a unary way, and thus the communication complexity depends on the size of the input domain. Specifically, each possible input value is represented by a single vector over $\mathbb{F}_2$ so that the summation of the vectors corresponding to $a = (a_1, \ldots, a_n)$ is equal to the zero vector, while the other combinations are linearly independent to satisfy the robustness. Our idea to reduce the communication complexity is to encode all the possible input values in a binary way.
Specifically, for each bit in the binary representation, a vector representing “1” is generated so that the summation of all vectors of “1” over the binary representation of $a$ is equal to zero. Since the proposed encoding reduces the required dimension of the vectors, the communication complexity of the resulting NIMPC is greatly reduced, too.

The detailed description of the protocol is as follows. For $i \in [n]$, let $d_i = |X_i|$ and $\phi_i$ be a one-to-one mapping from $X_i$ to $[d_i]$. Let $l_i = \lceil \log_2 d_i \rceil$ and $s = \sum_{i=1}^{n} l_i$. Fix a function $h \in H_{\mathrm{ind}}$ that we want to compute.

The proposed fully robust NIMPC $P(\Pi_{\mathrm{ind}})(h)$
– Offline preprocessing: If $h = h_0$, then choose $s$ linearly independent random vectors $\{m_{i,j}\}_{i \in [n], j \in [l_i]}$ in $\mathbb{F}_2^s$. If $h = h_a$ for some $a = (a_1, \ldots, a_n) \in X$, denote the binary representation of $\phi_i(a_i)$ by $b_i = (b_{i,1}, \ldots, b_{i,l_i})$ and define a set of indices $I_i$ by $I_i = \{j \in [l_i] \mid b_{i,j} = 1\}$. Choose $s$ random vectors $\{m_{i,j}\}_{i \in [n], j \in [l_i]}$ in $\mathbb{F}_2^s$ under the constraint that $\sum_{i=1}^{n} \sum_{j \in I_i} m_{i,j} = 0$ and there are no other linear relations between them (that is, choose all the vectors $m_{i,j}$ except $m_{n, \max I_n}$ as random linearly independent vectors and set $m_{n, \max I_n} = -\sum_{i=1}^{n-1} \sum_{j \in I_i} m_{i,j} - \sum_{j \in I_n \setminus \{\max I_n\}} m_{n,j}$). Define $\mathrm{GEN}(h) = R = (R_1, \ldots, R_n)$, where $R_i = \{m_{i,j}\}_{j \in [l_i]}$.
– Online messages: For an input $x_i$, let $\hat{b}_i = (\hat{b}_{i,1}, \ldots, \hat{b}_{i,l_i})$ be the binary representation of $\phi_i(x_i)$. Let $\hat{I}_i$ be the set of indices defined by $\hat{I}_i = \{j \in [l_i] \mid \hat{b}_{i,j} = 1\}$. $\mathrm{ENC}(x, R) \triangleq (M_1, \ldots, M_n)$ where $M_i = \sum_{j \in \hat{I}_i} m_{i,j}$.
– Output $h(x_1, \ldots, x_n)$: $\mathrm{DEC}(M_1, \ldots, M_n) = 1$ if $\sum_{i=1}^{n} M_i = 0$.

The mapping from $X_i$ to $[d_i]$, which does not contain zero, is an important point of the proposed protocol. If an input $x_i$ were mapped to the zero vector, $M_i$ would always be $0$. This would disclose extra information (that could not be simulated), namely whether $x_i = 0$.
Because no $\phi_i$ maps any value of $x_i$ to the zero vector, no information on the inputs $x_i$ is disclosed (robustness), and the summation of the vectors becomes zero if and only if the $x_i$ are equal to the $a_i$ (correctness).

Theorem 2 Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \le d$ for all $1 \le i \le n$ and let $X \triangleq X_1 \times \cdots \times X_n$. Then, there is a fully robust NIMPC protocol $\Pi_{\mathrm{ind}}$ for $H_{\mathrm{ind}}$ with individual (resp. total) communication complexity at most $\lceil \log_2 d \rceil^2 \cdot n$ (resp. $\lceil \log_2 d \rceil^2 \cdot n^2$).

Proof For the correctness, note that $\sum_{i=1}^{n} M_i = \sum_{i=1}^{n} \sum_{j \in \hat{I}_i} m_{i,j}$. If $h = h_a$ for $a \in X$, this sum equals $0$ if and only if $\hat{I}_i = I_i$ for all $i \in [n]$, i.e., $a = x$. If $h = h_0$, this sum is never zero, as all vectors were chosen to be linearly independent in this case.

To prove robustness, fix a subset $T \subseteq [n]$ and $x_{\overline{T}} \in X_{\overline{T}}$. The encodings $M_{\overline{T}}$ of $\overline{T}$ consist of the vectors $\{M_i\}_{i \in \overline{T}}$. The randomness $R_T$ consists of the vectors $\{m_{i,j}\}_{i \in T, j \in [l_i]}$. If $h|_{\overline{T}, x_{\overline{T}}} \equiv 0$, then these vectors are uniformly distributed in $\mathbb{F}_2^s$ under the constraint that they are linearly independent. If $h|_{\overline{T}, x_{\overline{T}}}(x_T) = 1$ for some $x_T \in X_T$, then $\sum_{i \in \overline{T}} M_i + \sum_{i \in T} \sum_{j \in \hat{I}_i} m_{i,j} = 0$ and there are no other linear relations between them. Formally, to prove the robustness, we describe a simulator $\mathrm{Sim}_T$: the simulator queries $h|_{\overline{T}, x_{\overline{T}}}$ on all possible inputs in $X_T$. If all answers are zero, the simulator generates random independent vectors. Otherwise, there is an $x_T \in X_T$ such that $h|_{\overline{T}, x_{\overline{T}}}(x_T) = 1$, and the simulator outputs random vectors under the constraints described above, that is, all vectors are independent with the exception that $\sum_{i \in \overline{T}} M_i + \sum_{i \in T} \sum_{j \in \hat{I}_i} m_{i,j} = 0$.

In the proposed protocol, $\log_2 |\mathcal{R}_i|$ is larger than $\log_2 |\mathcal{M}_i|$ for every $i \in [n]$. Thus, the individual communication complexity is given by the maximum length of the correlated randomness. The correlated randomness $R_i$ is composed of $l_i \le \lceil \log d \rceil$ binary vectors of length $s \le \lceil \log d \rceil \cdot n$, and the encoding is the summation of some of them.
Hence, the individual communication complexity is at most $\lceil \log d \rceil^2 \cdot n$.

Corollary 3 Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \le d$ for all $1 \le i \le n$ and let $X \triangleq X_1 \times \cdots \times X_n$. Then, there is a fully robust NIMPC protocol for $H_{\mathrm{all}}$ with individual (resp. total) communication complexity at most $|X| \cdot m \cdot \lceil \log_2 d \rceil^2 \cdot n$ (resp. $|X| \cdot m \cdot \lceil \log_2 d \rceil^2 \cdot n^2$).

Proof From Proposition 2 and Theorem 2, it is obvious.

5 Some improvements in the offline-online model

The offline-online model is defined by modifying the output of $\mathrm{GEN}$ to include an additional entry $R_0$, which represents the offline communication and is given as an additional input to the decoder $\mathrm{DEC}$ [3]. The random variable $R_T$ is redefined to always include $R_0$. That is, the value of $R_0$ should be correctly simulated by $\mathrm{Sim}_T$. Let $\mathcal{R}_0$ be a finite domain of $R_0$. We refer to NIMPC protocols in the offline-online model as offline-online NIMPC protocols. To distinguish them from the offline-online protocols, we refer to the NIMPC protocols considered in the previous sections as standard NIMPC protocols. The formal definition of offline-online NIMPC is given as follows [3]:

Definition 5 (Offline-online NIMPC: syntax and correctness) Let $X_1, \ldots, X_n$, $\mathcal{R}_0, \mathcal{R}_1, \ldots, \mathcal{R}_n$, $\mathcal{M}_1, \ldots, \mathcal{M}_n$ and $\Omega$ be finite domains. Let $X \triangleq X_1 \times \cdots \times X_n$ and let $H$ be a family of functions $h : X \to \Omega$. An offline-online NIMPC protocol for $H$ is a triplet $\Pi = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ where
– $\mathrm{GEN} : H \to \mathcal{R}_0 \times \mathcal{R}_1 \times \cdots \times \mathcal{R}_n$ is a randomized function,
– $\mathrm{ENC}$ is an $n$-tuple of deterministic functions $(\mathrm{ENC}_1, \ldots, \mathrm{ENC}_n)$, where $\mathrm{ENC}_i : X_i \times \mathcal{R}_i \to \mathcal{M}_i$,
– $\mathrm{DEC} : \mathcal{R}_0 \times \mathcal{M}_1 \times \cdots \times \mathcal{M}_n \to \Omega$ is a deterministic function satisfying the following correctness requirement: for any $x = (x_1, \ldots, x_n) \in X$ and $h \in H$,
$$\Pr\left[ R = (R_0, R_1, \ldots, R_n) \leftarrow \mathrm{GEN}(h) : \mathrm{DEC}(R_0, \mathrm{ENC}(x, R)) = h(x) \right] = 1, \quad (7)$$
where $\mathrm{ENC}(x, R) \triangleq (\mathrm{ENC}_1(x_1, R_1), \ldots, \mathrm{ENC}_n(x_n, R_n))$.
The (online) individual communication complexity of $\Pi$ is the maximum of $\log |\mathcal{R}_1|, \ldots, \log |\mathcal{R}_n|, \log |\mathcal{M}_1|, \ldots, \log |\mathcal{M}_n|$.

Definition 6 (Offline-online NIMPC: robustness) For a subset $T \subseteq [n]$, we say that an offline-online NIMPC protocol $\Pi$ for $H$ is $T$-robust if there exists a randomized function $\mathrm{Sim}_T$ (a “simulator”) such that, for every $h \in H$ and $x_{\overline{T}} \in X_{\overline{T}}$, we have $\mathrm{Sim}_T(h|_{\overline{T}, x_{\overline{T}}}) \equiv (M_{\overline{T}}, R_{T \cup \{0\}})$, where $R$ and $M$ are the joint randomness and messages defined by $R \leftarrow \mathrm{GEN}(h)$ and $M_i \leftarrow \mathrm{ENC}_i(x_i, R_i)$. The $t$-robustness and full robustness are defined in a similar way to the standard model.

Definition 7 (Offline-online NIMPC: protocol description) For an offline-online NIMPC protocol $\Pi$ for $H$, let $P(\Pi)$ denote the protocol that may have an additional input, a function $h \in H$, and proceeds as follows.

Protocol $P(\Pi)(h)$
– Offline preprocessing: Each player $P_i$, $1 \le i \le n$, receives the random input $R_i \triangleq \mathrm{GEN}(h)_i \in \mathcal{R}_i$. $P_0$ receives $R_0 \triangleq \mathrm{GEN}(h)_0 \in \mathcal{R}_0$.
– Online messages: On input $R_i$, each player $P_i$, $1 \le i \le n$, sends the message $M_i \triangleq \mathrm{ENC}_i(x_i, R_i) \in \mathcal{M}_i$ to $P_0$.
– Output: $P_0$ computes and outputs $\mathrm{DEC}(R_0, M_1, \ldots, M_n)$.

It is obvious how to construct an $n$-player offline-online protocol for a function $h$ from an $n$-player standard protocol for $h$, by taking $R_0$ to be empty (or some constant). However, in this construction, the offline communication $R_0$ cannot be used for reducing the individual communication complexity of $P_i$ with $1 \le i \le n$.

In the following, for any set of functions that have the same output frequency, such as $H^*_{\mathrm{ind}} = H_{\mathrm{ind}} \setminus \{h_0\}$, we show a fully robust offline-online protocol whose individual communication complexity is smaller than that in Sect. 4.

We first consider the set $H^*_{\mathrm{ind}}$, i.e., the functions that have just one “1” output. We use the fully robust standard NIMPC protocol $\Pi_{\mathrm{ind}} = (\mathrm{GEN}_{\mathrm{ind}}, \mathrm{ENC}_{\mathrm{ind}}, \mathrm{DEC}_{\mathrm{ind}})$ given in Sect. 4 as a subroutine.
Our idea to reduce the individual communication complexity is simple: use $(R_1, \ldots, R_n) \leftarrow \mathrm{GEN}_{\mathrm{ind}}(h_a)$ as the offline communication $R_0$ and specify the inputs $x_i$ by using the online communication $M_i$ while keeping $a$ and $x_i$ secret. To hide $a$ and $x_i$, we shift $a = (a_1, \ldots, a_n)$ and $x = (x_1, \ldots, x_n)$ by random values $s = (s_1, \ldots, s_n)$.

The detailed description of the proposed offline-online protocol $\Pi_{\mathrm{proper}} = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ is as follows. For $i \in [n]$, let $d_i = |X_i|$ and $\psi_i$ be a one-to-one mapping from $X_i$ to $\{0, 1, \ldots, d_i - 1\}$. Fix a function $h_a \in H^*_{\mathrm{ind}}$ that we want to compute.

The proposed offline-online NIMPC $P(\Pi_{\mathrm{proper}})(h_a)$
– Offline preprocessing: Randomly choose values $s_i \in \{0, \ldots, d_i - 1\}$ for $i \in [n]$. Let $\sigma_i : X_i \to X_i$ (identified with $\{0, \ldots, d_i - 1\}$ via $\psi_i$) be the one-to-one mapping such that $\sigma_i(x_i) = \psi_i^{-1}((\psi_i(x_i) + s_i) \bmod d_i)$, i.e., shifting the input $x_i$ by $s_i$. Set $b = (b_1, \ldots, b_n) = (\sigma_1(a_1), \ldots, \sigma_n(a_n))$. Define $\mathrm{GEN}(h_a) = R = (R_0, R_1, \ldots, R_n)$, where $R_0 = (R'_1, \ldots, R'_n) = \mathrm{GEN}_{\mathrm{ind}}(h_b)$ and $R_i = s_i$ for $i \in [n]$.
– Online messages: $\mathrm{ENC}(x, R) = (M_1, \ldots, M_n)$ where $M_i = \sigma_i(x_i)$.
– Output $h_a(x_1, \ldots, x_n)$: Let $M'_i = \mathrm{ENC}_{\mathrm{ind}}(R'_i, M_i)$. $\mathrm{DEC}(R_0, M_1, \ldots, M_n) = \mathrm{DEC}_{\mathrm{ind}}(M'_1, \ldots, M'_n)$.

Theorem 3 Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \le d$ for all $1 \le i \le n$ and let $X \triangleq X_1 \times \cdots \times X_n$. Then, there is a fully robust offline-online NIMPC protocol $\Pi_{\mathrm{proper}}$ for $H_{\mathrm{ind}} \setminus \{h_0\}$ with individual communication complexity at most $\lceil \log_2 (d - 1) \rceil$.

Proof For the correctness, note that the output is that of $h_b$ for the inputs $\sigma_i(x_i)$. Thus, the output is one if and only if $(x_1, \ldots, x_n) = a$, as the tuple $(M_1, \ldots, M_n)$ equals $b$ if and only if $(x_1, \ldots, x_n) = a$.

To prove the robustness, fix a subset $T \subseteq [n]$ and $x_{\overline{T}} \in X_{\overline{T}}$. Let $\sigma_T(x_T)$ denote $(\sigma_i(x_i))_{i \in T}$. The encodings $M_{\overline{T}}$ of $\overline{T}$ consist of $|\overline{T}|$ integers $M_i \in \{0, \ldots, d_i - 1\}$ with $i \in \overline{T}$.
The randomness $R_{T \cup \{0\}}$ consists of the vectors $\{m_{i,j}\}_{i \in [n], j \in [l_i]}$ and $|T|$ integers $s_i \in \{0, \ldots, d_i - 1\}$ with $i \in T$. The vectors $\{m_{i,j}\}_{i \in [n], j \in [l_i]}$ are uniformly distributed under the constraint that for some $b \in X$, $\sum_{i=1}^{n} \sum_{j \in I_i} m_{i,j} = 0$ and there are no other linear relations between them. If $h|_{\overline{T}, x_{\overline{T}}} \equiv 0$, then $b_{\overline{T}} \ne M_{\overline{T}}$. If $h|_{\overline{T}, x_{\overline{T}}}(x_T) = 1$ for some $x_T \in X_T$, then $b_T = \sigma_T(x_T)$ and $b_{\overline{T}} = M_{\overline{T}}$.

We construct $\mathrm{Sim}_T$ for the protocol $P(\Pi_{\mathrm{proper}})$ on function $h_a$. The simulator first generates random vectors $\{m_{i,j}\}_{i \in [n], j \in [l_i]}$ under the constraint that for some $b \in X$, $\sum_{i=1}^{n} \sum_{j \in I_i} m_{i,j} = 0$ and there are no other linear relations between them. The simulator then queries $h|_{\overline{T}, x_{\overline{T}}}$ on all possible inputs in $X_T$. If all answers are zero, the simulator generates random $M_i \in \{0, \ldots, d_i - 1\}$ with $i \in \overline{T}$ so that $b_{\overline{T}} \ne M_{\overline{T}}$, and generates random $R_i \in \{0, \ldots, d_i - 1\}$ with $i \in T$. Otherwise, there is an $x_T \in X_T$ such that $h|_{\overline{T}, x_{\overline{T}}}(x_T) = 1$, and the simulator sets $R_i$ and $M_i$ so that $b_T = \sigma_T(x_T)$ and $b_{\overline{T}} = M_{\overline{T}}$, where $\sigma_i$ is defined as above with $s_i = R_i$.

The correlated randomness $R_i$ with $i \in [n]$ and the encoding $M_i$ are integers of length $\lceil \log_2 (d - 1) \rceil$. Hence, the (online) individual communication complexity is at most $\lceil \log_2 (d - 1) \rceil$.

¹ We note that the communication complexity for $H^*_{\mathrm{ind}}$ is the same as that for $H_{\mathrm{ind}}$.

We extend the above result to any set of functions that have the same output frequency. In the fully robust standard NIMPC protocol for $H_{\mathrm{ind}}$ in [2], $h_0$ plays the role of hiding all information on how many 1's the function $h$ has. This is the motivation for including $h_0$ in $H_{\mathrm{ind}}$, and a standard NIMPC protocol for $H_{\mathrm{ind}}$ is used as a subroutine. Our target set of functions has the same output frequency. Thus, we no longer need to hide this information, and thus the offline-online NIMPC protocol $\Pi_{\mathrm{proper}}$ for $H_{\mathrm{ind}} \setminus \{h_0\}$ is enough for our target sets.
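The following is an added, runnable toy version of three pieces of the paper, written for this edit and not the authors' code: the binary-encoded NIMPC for indicator functions of Sect. 4 ($\mathrm{GEN}_{\mathrm{ind}}$, $\mathrm{ENC}_{\mathrm{ind}}$, $\mathrm{DEC}_{\mathrm{ind}}$), the client-side recovery of $a$ from $R$ alone in the Remark after Corollary 2 (the reason the randomness cannot be shorter than $\log |X|$), and the offline-online wrapper $\Pi_{\mathrm{proper}}$ of Sect. 5 that shifts $a$ and $x$ by random $s_i$. Assumptions made here that are not in the paper: $X_i = \{0, \ldots, d_i - 1\}$, $\phi_i(x) = x + 1$ and $\psi_i(x) = x$; vectors over $\mathbb{F}_2^s$ are stored as Python ints (bit $j-1$ is coordinate $j$), so vector addition is XOR; and $l_i$ is taken as the bit length of $d_i$, which equals $\lceil \log_2 d_i \rceil$ except when $d_i$ is a power of two, where one extra bit is needed so that $\phi_i(x) = d_i$ is representable at all.

```python
# Added example (not the authors' code).  Assumptions: X_i = {0..d_i-1},
# phi_i(x) = x + 1, psi_i(x) = x, vectors in F_2^s are ints (addition = XOR),
# l_i = d_i.bit_length() so that phi_i(x) = d_i always fits in l_i bits.
import itertools
import random
from typing import Dict, List, Optional, Tuple

Vec = int

def bits_of(v: int, l: int) -> List[int]:
    """Index set I = { j in [l] : bit j of the binary representation of v is 1 }."""
    return [j for j in range(1, l + 1) if (v >> (j - 1)) & 1]

def independent(vs: List[Vec]) -> bool:
    """Gaussian elimination over F_2: True iff the vectors are linearly independent."""
    basis: Dict[int, Vec] = {}          # leading bit -> reduced vector
    for v in vs:
        while v:
            lead = v.bit_length() - 1
            if lead not in basis:
                basis[lead] = v
                break
            v ^= basis[lead]
        if v == 0:
            return False
    return True

def random_independent(k: int, s: int, rng: random.Random) -> List[Vec]:
    """k random linearly independent vectors in F_2^s (rejection sampling; needs k <= s)."""
    vs: List[Vec] = []
    while len(vs) < k:
        v = rng.getrandbits(s)
        if independent(vs + [v]):
            vs.append(v)
    return vs

def gen_ind(a: Optional[Tuple[int, ...]], ds: List[int], rng: random.Random) -> List[List[Vec]]:
    """GEN_ind (Sect. 4): a=None encodes h_0, otherwise h_a.  Returns R = (R_1..R_n), R_i = [m_{i,1..l_i}]."""
    ls = [d.bit_length() for d in ds]
    n, s = len(ds), sum(ls)
    off = [sum(ls[:i]) for i in range(n)]      # flat position of m_{i,1}
    if a is None:                               # h_0: s independent vectors, no relation at all
        flat = random_independent(s, s, rng)
    else:                                       # h_a: the vectors picked by the bits of phi_i(a_i) sum to 0
        idx = [bits_of(ai + 1, l) for ai, l in zip(a, ls)]
        piv = off[n - 1] + max(idx[n - 1]) - 1  # position of m_{n, max I_n}
        flat = random_independent(s - 1, s, rng)
        flat.insert(piv, 0)
        for i in range(n):                      # m_{n,max I_n} = -(sum of the others); over F_2, minus is XOR
            for j in idx[i]:
                if off[i] + j - 1 != piv:
                    flat[piv] ^= flat[off[i] + j - 1]
    return [flat[off[i]:off[i] + ls[i]] for i in range(n)]

def enc_ind(x_i: int, R_i: List[Vec]) -> Vec:
    """ENC_ind,i: sum of the m_{i,j} over the bits j of phi_i(x_i) = x_i + 1."""
    M = 0
    for j in bits_of(x_i + 1, len(R_i)):
        M ^= R_i[j - 1]
    return M

def dec_ind(M: List[Vec]) -> int:
    """DEC_ind: 1 iff the encodings sum to the zero vector."""
    acc = 0
    for Mi in M:
        acc ^= Mi
    return 1 if acc == 0 else 0

def truth_table(R: List[List[Vec]], ds: List[int]) -> Dict[Tuple[int, ...], int]:
    """DEC(ENC(x, R)) for every x in X; anyone holding R alone can compute this."""
    X = itertools.product(*[range(d) for d in ds])
    return {x: dec_ind([enc_ind(xi, R[i]) for i, xi in enumerate(x)]) for x in X}

def recover_a(R: List[List[Vec]], ds: List[int]) -> Optional[Tuple[int, ...]]:
    """Remark after Corollary 2: R by itself pins down a (None if R encodes h_0)."""
    ones = [x for x, y in truth_table(R, ds).items() if y == 1]
    return ones[0] if ones else None

def gen_proper(a, ds, rng):
    """GEN of Pi_proper (Sect. 5): R_0 = GEN_ind(h_b) with b = a shifted by s, R_i = s_i."""
    s = [rng.randrange(d) for d in ds]
    b = tuple((ai + si) % d for ai, si, d in zip(a, s, ds))
    return gen_ind(b, ds, rng), s

def enc_proper(x_i, s_i, d_i):
    """ENC of Pi_proper: M_i = sigma_i(x_i), the input shifted by s_i."""
    return (x_i + s_i) % d_i

def dec_proper(R0, M):
    """DEC of Pi_proper: re-encode the shifted inputs under R_0 = (R'_1..R'_n), then DEC_ind."""
    return dec_ind([enc_ind(Mi, R0[i]) for i, Mi in enumerate(M)])

def demo(ds, a, seed=0):
    """One instance (a=None for h_0).  Returns (Pi_ind correct on all of X,
    a recovered from R alone, Pi_proper correct on all of X or None for h_0)."""
    rng = random.Random(seed)
    R = gen_ind(a, ds, rng)
    ind_ok = all(y == (1 if x == a else 0) for x, y in truth_table(R, ds).items())
    prop_ok = None
    if a is not None:
        R0, s = gen_proper(a, ds, rng)
        prop_ok = all(dec_proper(R0, [enc_proper(xi, s[i], ds[i]) for i, xi in enumerate(x)])
                      == (1 if x == a else 0) for x in itertools.product(*[range(d) for d in ds]))
    return ind_ok, recover_a(R, ds), prop_ok

if __name__ == "__main__":
    print(demo([3, 4, 5], (2, 0, 4), seed=7))   # (True, (2, 0, 4), True)
```

`demo` checks the two correctness claims exhaustively over $X$ and, in between, shows the lower-bound argument at work: `recover_a` never sees an encoding, only $R$, yet it identifies $a$, so $R$ must carry at least $\log |X|$ bits. In `gen_proper` the shift $s_i$ is what keeps the online message $M_i = \sigma_i(x_i)$ from revealing $x_i$; without it, $M_i$ would be $x_i$ in the clear.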
Corollary 4 Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \le d$ for all $1 \le i \le n$ and let $X \triangleq X_1 \times \cdots \times X_n$. Fix an integer $m > 1$. Let $H$ be a set of functions $h : X \to \{0, 1\}^m$ that have the same output frequency, that is, $|\{x \in X \mid h(x) = y\}| = |\{x \in X \mid h'(x) = y\}|$ holds for any $h, h' \in H$ and for any $y \in \{0, 1\}^m$. Then, there is a fully robust offline-online NIMPC protocol for $H$ with individual communication complexity at most $|X| \cdot m \cdot \lceil \log_2 (d - 1) \rceil$.

Proof Fix a function $h \in H$. Assume for simplicity that $m = 1$. The offline-online protocol $\Pi$ for $H$, which uses $\Pi_{\mathrm{proper}} = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$, is as follows.
– Offline preprocessing: Let $I = h^{-1}(1) \subseteq X$, i.e., the set of ones of $h$. Let $D = |I|$, i.e., the number of ones of $h$, and $I = \{a_1, \ldots, a_D\}$. Choose a random permutation $\phi$. For each $k \in [D]$, let $R^{(k)} = (R^{(k)}_0, R^{(k)}_1, \ldots, R^{(k)}_n) \leftarrow \mathrm{GEN}(h_{a_k})$. Define a matrix $\mathbf{R}$, where $\mathbf{R}_{i,k} \triangleq R^{(\phi(k))}_i$ for $0 \le i \le n$ and $k \in [D]$. Send to $P_i$ the random strings $(\mathbf{R}_{i,k})_{k \in [D]}$, i.e., the $i$th row of $\mathbf{R}$.
– Online messages: For every $i \in [n]$ and $k \in [D]$, let $M^{(k)}_i \triangleq \mathrm{ENC}_i(x_i, \mathbf{R}_{i,k})$. Define a matrix $\mathbf{M}$, where $\mathbf{M}_{i,k} \triangleq M^{(k)}_i$ for $0 \le i \le n$ and $k \in [D]$. Each $P_i$ sends to $P_0$ the message $M_i \triangleq (\mathbf{M}_{i,k})_{k \in [D]}$.
– Output $h(x_1, \ldots, x_n)$: The output is 1 if for some $k \in [D]$, $\mathrm{DEC}(\mathbf{R}_{0,k}, \mathbf{M}_{1,k}, \ldots, \mathbf{M}_{n,k}) = 1$. Otherwise, the output is zero.

First, we will show the correctness of the above protocol. Fix $x = (x_1, \ldots, x_n) \in X$. The output is 1 if and only if $\mathrm{DEC}(\mathbf{R}_{0,k}, \mathbf{M}_{1,k}, \ldots, \mathbf{M}_{n,k}) = 1$ for some $k \in [D]$, that is, $\mathrm{DEC}(R^{(\phi(k))}_0, \mathrm{ENC}_1(x_1, R^{(\phi(k))}_1), \ldots, \mathrm{ENC}_n(x_n, R^{(\phi(k))}_n)) = 1$ for some $k \in [D]$. Since the underlying $\Pi_{\mathrm{proper}} = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ satisfies the correctness, this happens if and only if $h_{a_k}(x) = 1$ holds for some $a_k \in I$.

Next, we will show the robustness. The robustness is proven in a similar way to Theorem 3. Fix $T \subseteq [n]$ and $x_{\overline{T}} \in X_{\overline{T}}$. We construct a simulator for $(M_{\overline{T}}, R_T)$ given $h|_{\overline{T}, x_{\overline{T}}}$. Each row $k$ is of the form $(M^{(k)}_{\overline{T}}, R^{(k)}_T)$ for $k \in [D]$. For each $k \in [D]$, the encodings $M^{(k)}_{\overline{T}}$ of $\overline{T}$ consist of $|\overline{T}|$ integers $M^{(k)}_i \in \{0, \ldots, d_i - 1\}$ with $i \in \overline{T}$. The randomness $R^{(k)}_T$ consists of the vectors $\{m^{(k)}_{i,j}\}_{i \in [n], j \in [l_i]}$ and $|T|$ integers $s^{(k)}_i \in \{0, \ldots, d_i - 1\}$ with $i \in T$. The vectors $\{m^{(k)}_{i,j}\}_{i \in [n], j \in [l_i]}$ are uniformly distributed under the constraint that for some $b^{(k)} \in X$, $\sum_{i=1}^{n} \sum_{j \in I_i} m^{(k)}_{i,j} = 0$ and there are no other linear relations between them. If $h|_{\overline{T}, x_{\overline{T}}} \equiv 0$, then $b^{(k)}_{\overline{T}} \neq M^{(k)}_{\overline{T}}$. If $h|_{\overline{T}, x_{\overline{T}}}(x_T) = 1$ for some $x_T \in X_T$, then $b^{(k)}_T = \sigma_T(x_T)$ and $b^{(k)}_{\overline{T}} = M^{(k)}_{\overline{T}}$.

We construct $\mathrm{Sim}_T$ for the protocol $P(\Pi)$ on function $h$. For each $k \in [D]$, the simulator first generates random vectors $\{m^{(k)}_{i,j}\}_{i \in [n], j \in [l_i]}$ under the constraint that for some $b^{(k)} \in X$, $\sum_{i=1}^{n} \sum_{j \in I_i} m^{(k)}_{i,j} = 0$ and there are no other linear relations between them. The simulator then queries $h|_{\overline{T}, x_{\overline{T}}}$ on all possible inputs in $X_T$. Let $I' \subseteq X_T$ be the set of ones of $h|_{\overline{T}, x_{\overline{T}}}$. Let $D' = |I'|$ and $I' = \{x^{(1)}_T, \ldots, x^{(D')}_T\}$. For $1 \le k \le D'$, this simulator generates random $M^{(k)}_i \in \{0, \ldots, d_i - 1\}$ with $i \in \overline{T}$ so that $b^{(k)}_{\overline{T}} \neq M^{(k)}_{\overline{T}}$, and generates random $R^{(k)}_i \in \{0, \ldots, d_i - 1\}$ with $i \in T$. For $D' < k \le D$, the simulator sets $R^{(k)}_i$ and $M^{(k)}_i$ so that $b^{(k)}_T = \sigma^{(k)}_T(x^{(k)}_T)$ and $b^{(k)}_{\overline{T}} = M^{(k)}_{\overline{T}}$, where $\sigma^{(k)}_i$ is defined with $s_i = R^{(k)}_i$ as in Theorem 3.

The correlated randomness $R^{(k)}_i$ with $i \in [n]$ and encoding $M^{(k)}_i$ are integers of length $\lceil \log_2 (d - 1) \rceil$. Hence, the (online) individual communication complexity is at most $|X| \cdot m \cdot \lceil \log_2 (d - 1) \rceil$.

6 Conclusion

We have presented the first lower bound on the communication complexity of $n$-player NIMPC protocols for any set of functions, including the set of arbitrary functions and the set of indicator functions. We have constructed novel fully robust NIMPC protocols for the set of arbitrary functions $H_{\mathrm{all}}$ and the set of indicator functions $H_{\mathrm{ind}}$. The proposed protocols are much more efficient than the previous protocols.
For example, for the set of arbitrary functions, while the previous best known protocol in [2] requires $|X| \cdot m \cdot d^2 \cdot n$ communication complexity, the communication complexity of the proposed construction is only $|X| \cdot m \cdot \lceil \log_2 d \rceil^2 \cdot n$, where $X$ denotes the (total) input domain, $d$ is the maximum domain size of a player, and $m$ is the output length. By this result, the gap between the lower and upper bounds on the communication complexity is significantly reduced from $d^2 \cdot n$ to $\lceil \log_2 d \rceil^2 \cdot n$, that is, from exponential in the input length to quadratic. In addition, we have shown a possibility of reducing the individual communication complexity much more by employing the offline-online model for some sets of functions (e.g., $H_{\mathrm{ind}} \setminus \{h_0\}$).

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

References

1. Barkol O., Ishai Y., Weinreb E.: On d-multiplicative secret sharing. J. Cryptol. 23(4), 580–593 (2010).
2. Beimel A., Gabizon A., Ishai Y., Kushilevitz E., Meldgaard S., Paskin-Cherniavsky A.: Non-interactive secure multiparty computation. In: Advances in Cryptology—CRYPTO 2014. Lecture Notes in Computer Science, vol. 8617, pp. 387–404 (2014).
3. Beimel A., Gabizon A., Ishai Y., Kushilevitz E., Meldgaard S., Paskin-Cherniavsky A.: Non-interactive secure multiparty computation. Cryptology ePrint Archive, Report 2014/960 (2014).
4. Benhamouda F., Krawczyk H., Rabin T.: Robust non-interactive multiparty computation against constant-size collusion. In: Advances in Cryptology—CRYPTO 2017. Lecture Notes in Computer Science, vol. 10401, pp. 391–419.
5. Benhamouda F., Krawczyk H., Rabin T.: Robust non-interactive multiparty computation against constant-size collusion. Cryptology ePrint Archive, Report 2017/555.
6. Ben-Or M., Goldwasser S., Wigderson A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: The 20th Annual ACM Symposium on Theory of Computing (STOC ’88), pp. 1–10 (1988).
7. Chaum D., Crépeau C., Damgård I.: Multiparty unconditionally secure protocols. In: The 20th Annual ACM Symposium on Theory of Computing (STOC ’88), pp. 11–19 (1988).
8. Cramer R., Damgård I., Maurer U.: General secure multi-party computation from any linear secret sharing scheme. In: Advances in Cryptology—EUROCRYPT 2000. Lecture Notes in Computer Science, vol. 1807, pp. 316–335 (2000).
9. Data D., Prabhakaran M., Prabhakaran V.: On the communication complexity of secure computation. In: Advances in Cryptology—CRYPTO 2014. Lecture Notes in Computer Science, vol. 861, pp. 199–216 (2014).
10. Goldwasser S., Micali S., Wigderson A.: How to play any mental game, or a completeness theorem for protocols with an honest majority. In: The 19th Annual ACM Symposium on Theory of Computing (STOC ’87), pp. 218–229 (1987).
11. Hirt M., Maurer U.: Player simulation and general adversary structures in perfect multiparty computation. J. Cryptol. 13(1), 31–60 (2000).
12. Hirt M., Tschudi D.: Efficient general-adversary multi-party computation. In: Advances in Cryptology—ASIACRYPT 2013, Part II. Lecture Notes in Computer Science, vol. 8270, pp. 181–200 (2013).
13. Maurer U.: Secure multi-party computation made simple. In: Security in Communication Networks, Third International Conference, SCN 2002. Lecture Notes in Computer Science, vol. 2576, pp. 14–28 (2003).
14. Rabin T., Ben-Or M.: Verifiable secret sharing and multiparty protocols with honest majority. In: The 21st Annual ACM Symposium on Theory of Computing (STOC ’89), pp. 73–85 (1989).
15. Yao A.C.: Protocols for secure computations. In: The 23rd Annual Symposium on Foundations of Computer Science (FOCS ’82), pp. 160–164 (1982).
16. Yoshida M., Obana S.: On the (in)efficiency of non-interactive secure multiparty computation. In: The 18th Annual International Conference on Information Security and Cryptology, ICISC 2015. Lecture Notes in Computer Science, vol. 9558, pp. 185–193 (2016).
Publisher
Springer US
Copyright
Copyright © 2018 by The Author(s)
Subject
Mathematics; Combinatorics; Coding and Information Theory; Data Structures, Cryptology and Information Theory; Data Encryption; Discrete Mathematics in Computer Science; Information and Communication, Circuits
ISSN
0925-1022
eISSN
1573-7586
D.O.I.
10.1007/s10623-017-0424-7
The difference is an extension to the so-called offline-online model, by which the efficiency of online communication is further improved.

Maki Yoshida (corresponding author), maki-yos@nict.go.jp, NICT, Tokyo, Japan
Satoshi Obana, obana@hosei.ac.jp, Hosei University, Tokyo, Japan

Keywords Secure multi-party computation · Non-interactive · Information theoretical security · Communication complexity · Lower bound

Mathematics Subject Classification 94A15 · 94A60

1 Introduction

Secure multi-party computation (MPC) aims to enable multiple players to cooperatively compute various functions in the presence of adversaries. MPC was first introduced by Yao [15] and, because of its importance in cryptography, many variants have been presented so far [6–8,10–14]. At CRYPTO 2014 [2] (and its full version [3]), Beimel et al. introduced a novel type of MPC, called non-interactive MPC (NIMPC), against honest-but-curious adversaries in the information-theoretic setting, which completely avoids interaction while realizing as strong security as possible: an NIMPC protocol for a function $f(x_1, \ldots, x_n)$ is defined by a joint probability distribution $R = (R_1, \ldots, R_n)$ and local encoding functions $\mathrm{ENC}_i(x_i, R_i)$, where $1 \le i \le n$; for a set $T \subseteq [n] = \{1, \ldots, n\}$, the protocol is said to be $T$-robust (with respect to $f$) if revealing the messages $(\mathrm{ENC}_i(x_i, R_i))_{i \notin T}$ together with the randomness $(R_i)_{i \in T}$, where $(R_1, \ldots, R_n)$ is sampled from $R$, gives the same information about $(x_i)_{i \notin T}$ as an oracle access to the function $f$ restricted to these input values; for $0 \le t \le n$, the protocol is said to be $t$-robust if it is $T$-robust for every $T$ of size at most $t$, and it is said to be fully robust if it is $n$-robust. In [2,3], Beimel et al. succeeded in obtaining unconditional positive results for some special cases of interest.

In particular, they presented fully robust NIMPC protocols for various classes of functions including the class of arbitrary functions. However, except for special functions like the summation in an abelian group, the communication complexity is not less than polynomial in the size of the input domain (i.e., exponential in the input length). The question we ask is whether there is room to reduce the communication complexity of NIMPC. Unfortunately, few results have been known about limitations on the communication complexity of MPC. Recently, research tackling the difficult problem of lower bounds for communication in MPC has become active, as in Data et al. at CRYPTO 2014 [9]. They developed novel information-theoretic tools to prove lower bounds on the communication complexity in the traditional (i.e., interactive) model involving three parties. In this paper, we study the communication complexity of NIMPC defined in [2,3]. As a result, we show that the inefficiency of NIMPC is essentially unavoidable except for special classes of functions. The contributions of this paper are as follows.

Communication complexity of NIMPC for the set of arbitrary functions: We derive the first lower bound on the communication complexity of NIMPC for any set of functions. The derived lower bound is the logarithm of the size of the function set. In particular, for the set of arbitrary functions $f : X \to \{0, 1\}^m$, where $X$ is the input domain and $m$ is the output length, the lower bound is $|X| \cdot m$, i.e., exponential in the input length.

Communication complexity for the set of indicator functions: On the other hand, for the set of indicator functions, where the number of functions is linear in the input and output length, we have a significantly smaller lower bound. However, the communication complexity of the previous fully robust NIMPC protocol for indicator functions in [2,3] is exponential in the input length.
NIMPC for indicator functions is used as the main building block of NIMPC for arbitrary functions in [2,3]. Thus, for the previous fully robust NIMPC protocol for arbitrary functions in [2,3], there is also an exponential gap between the lower and upper bounds.

Table 1 The communication complexity of $n$-player NIMPC protocols for a family of functions $h : X \to \{0, 1\}^m$ where $X = X_1 \times \cdots \times X_n$ and $d' \le |X_i| \le d$ for all $1 \le i \le n$

                               Arbitrary functions                                    Indicator functions ($m = 1$)
Previous protocols in [2,3]    $|X| \cdot m \cdot d^2 \cdot n$                        $d^2 \cdot n$
Lower bound (Sect. 3)          $|X| \cdot m$                                          $\log_2 |X|$ ($\ge \log_2 d' \cdot n$)
Our protocols (Sect. 4)        $|X| \cdot m \cdot \lceil \log_2 d \rceil^2 \cdot n$   $\lceil \log_2 d \rceil^2 \cdot n$

Efficient fully robust NIMPC protocol for indicator functions: We then reduce the exponential gap between the lower and upper bounds on the communication complexity to quadratic by constructing a much more efficient fully robust NIMPC protocol for indicator functions. Specifically, we present a construction of fully robust NIMPC protocols for indicator functions whose communication complexity is quadratic in the input length (Table 1).

Some improvements in the offline-online model: In [2] and the above, it is assumed that all communication happens after the inputs are known. It is mentioned in [3] (Remark 2.6) that it is sometimes useful to separate between offline communication, which can take place after the function is known but before the inputs are known, and online communication, which takes place once the inputs are known. For this offline-online model for NIMPC, one desirable feature is low online complexity [3]. For the proper set of indicator functions, we show that the exponential amount of offline communication reduces the online communication to the optimum amount in the standard model. This result is useful for any set $H$ of functions that have the same output frequency, that is, $|\{x \in X \mid h(x) = y\}| = |\{x \in X \mid h'(x) = y\}|$ holds for any $h, h' \in H$ and for any $y \in \{0, 1\}^m$.

Our technique for deriving the lower bounds is quite simple and useful for approximating the amount of communication. We use the fact that the NIMPC model considered in [2,3] requires that the computed function itself is "private" and, in particular, not known in advance, while the target class of functions is public. For the target class of functions, we first assume the existence of a correct NIMPC protocol with some communication complexity and show a method for a server to send data to a client by encoding the data into a function and evaluating the function with the use of the NIMPC protocol. Thus, the communication complexity is bounded by the size of the target class. If the assumed communication complexity is smaller than the logarithm of the size of the target class, a contradiction is implied. Thus, the communication complexity is lower bounded by the logarithm of the size of the target class. A similar technique is used in [1] for proving the impossibility of multiplicative secret sharing rather than for the derivation of lower bounds. We note that we only use the correctness requirement for deriving the lower bound. Thus, the lower bound in this paper is applicable not only to NIMPC against any collusion, including the constant-size ones considered in [4,5], but also to other security models including computational and statistical ones. In addition, our lower bound techniques work for such MPC models in which the function itself is private, rather than for the standard one where the function is assumed to be known (and the protocol may depend on it).

2 Preliminaries

We recall the notations and definitions of NIMPC introduced in [2]. For an integer $n$, let $[n]$ be the set $\{1, 2, \ldots, n\}$. For a set $X = X_1 \times \cdots \times X_n$ and $T \subseteq [n]$, we denote $X_T \triangleq \prod_{i \in T} X_i$. For $x \in X$, we denote by $x_T$ the restriction of $x$ to $X_T$, and for a function $h : X \to \Omega$, a subset $T \subseteq [n]$, and $x_{\overline{T}} \in X_{\overline{T}}$, we denote by $h|_{\overline{T}, x_{\overline{T}}} : X_T \to \Omega$ the function $h$ where the inputs in $X_{\overline{T}}$ are fixed to $x_{\overline{T}}$.
For a set $S$, let $|S|$ denote its size (i.e., the cardinality of $S$).

An NIMPC protocol for a family of functions $H$ is defined by three algorithms: (1) a randomness generation function $\mathrm{GEN}$, which given a description of a function $h \in H$ generates $n$ correlated random inputs $R_1, \ldots, R_n$, (2) a local encoding function $\mathrm{ENC}_i$ ($1 \le i \le n$), which takes an input $x_i$ and a random input $R_i$ and outputs a message, and (3) a decoding algorithm $\mathrm{DEC}$ that reconstructs $h(x_1, \ldots, x_n)$ from the $n$ messages. The formal definition is given as follows:

Definition 1 (NIMPC: syntax and correctness) Let $X_1, \ldots, X_n$, $\mathcal{R}_1, \ldots, \mathcal{R}_n$, $\mathcal{M}_1, \ldots, \mathcal{M}_n$ and $\Omega$ be finite domains. Let $X \triangleq X_1 \times \cdots \times X_n$ and let $H$ be a family of functions $h : X \to \Omega$. A non-interactive secure MPC (NIMPC) protocol for $H$ is a triplet $\Pi = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ where
– $\mathrm{GEN} : H \to \mathcal{R}_1 \times \cdots \times \mathcal{R}_n$ is a randomized function,
– $\mathrm{ENC}$ is an $n$-tuple of deterministic functions $(\mathrm{ENC}_1, \ldots, \mathrm{ENC}_n)$, where $\mathrm{ENC}_i : X_i \times \mathcal{R}_i \to \mathcal{M}_i$,
– $\mathrm{DEC} : \mathcal{M}_1 \times \cdots \times \mathcal{M}_n \to \Omega$ is a deterministic function satisfying the following correctness requirement: for any $x = (x_1, \ldots, x_n) \in X$ and $h \in H$,
$$\Pr\left[R = (R_1, \ldots, R_n) \leftarrow \mathrm{GEN}(h) : \mathrm{DEC}(\mathrm{ENC}(x, R)) = h(x)\right] = 1, \quad (1)$$
where $\mathrm{ENC}(x, R) \triangleq (\mathrm{ENC}_1(x_1, R_1), \ldots, \mathrm{ENC}_n(x_n, R_n))$.

The individual communication complexity of $\Pi$ is the maximum of $\log|\mathcal{R}_1|, \ldots, \log|\mathcal{R}_n|, \log|\mathcal{M}_1|, \ldots, \log|\mathcal{M}_n|$. The total communication complexity of $\Pi$ is $\max\{\sum_{i \in [n]} \log|\mathcal{R}_i|, \sum_{i \in [n]} \log|\mathcal{M}_i|\}$.

We next show the definition of robustness for NIMPC, which states that a coalition can only learn the information it should. In the above setting, a coalition $T$ can repeatedly encode any inputs for $T$ and decode $h$ with the new encoded inputs and the original encoded inputs of $\overline{T}$. Thus, the following robustness requires that they learn no other information than the information obtained from oracle access to $h|_{\overline{T}, x_{\overline{T}}}$.

Definition 2 (NIMPC: robustness) For a subset $T \subseteq [n]$, we say that an NIMPC protocol $\Pi$ for $H$ is $T$-robust if there exists a randomized function $\mathrm{Sim}_T$ (a "simulator") such that, for every $h \in H$ and $x_{\overline{T}} \in X_{\overline{T}}$, we have $\mathrm{Sim}_T(h|_{\overline{T}, x_{\overline{T}}}) \equiv (M_{\overline{T}}, R_T)$, where $R$ and $M$ are the joint randomness and messages defined by $R \leftarrow \mathrm{GEN}(h)$ and $M_i \leftarrow \mathrm{ENC}_i(x_i, R_i)$. For an integer $0 \le t \le n$, we say that $\Pi$ is $t$-robust if it is $T$-robust for every $T \subseteq [n]$ of size $|T| \le t$. We say that $\Pi$ is fully robust (or simply refer to $\Pi$ as an NIMPC for $H$) if $\Pi$ is $n$-robust. Finally, given a concrete function $h : X \to \Omega$, we say that $\Pi$ is a ($t$-robust) NIMPC protocol for $h$ if it is a ($t$-robust) NIMPC for $H = \{h\}$.

As the same simulator $\mathrm{Sim}_T$ is used for every $h \in H$ and the simulator only has access to $h|_{\overline{T}, x_{\overline{T}}}$, NIMPC hides both $h$ and the inputs of $\overline{T}$. An NIMPC protocol is 0-robust if it is $\emptyset$-robust. In this case, the only requirement is that the messages $(M_1, \ldots, M_n)$ reveal $h(x)$ and nothing else.

An NIMPC protocol is also described in the language of protocols in [2]. Such a protocol involves $n$ players $P_1, \ldots, P_n$, each holding an input $x_i \in X_i$, and an external "output server," a player $P_0$ with no input. The protocol may have an additional input, a function $h \in H$.

Definition 3 (NIMPC: protocol description) For an NIMPC protocol $\Pi$ for $H$, let $P(\Pi)$ denote the protocol that may have an additional input, a function $h \in H$, and proceeds as follows.

Protocol $P(\Pi)(h)$
– Offline preprocessing: Each player $P_i$, $1 \le i \le n$, receives the random input $R_i \triangleq \mathrm{GEN}(h)_i \in \mathcal{R}_i$.
– Online messages: On input $R_i$, each player $P_i$, $1 \le i \le n$, sends the message $M_i \triangleq \mathrm{ENC}_i(x_i, R_i) \in \mathcal{M}_i$ to $P_0$.
– Output: $P_0$ computes and outputs $\mathrm{DEC}(M_1, \ldots, M_n)$.

Informally, the relevant properties of protocol $P(\Pi)$ are given as follows:
– For any $h \in H$ and $x \in X$, the output server $P_0$ outputs, with probability 1, the value $h(x_1, \ldots, x_n)$.
– Fix $T \subseteq [n]$. Then, $\Pi$ is $T$-robust if in $P(\Pi)$ the set of players $\{P_i\}_{i \in T} \cup \{P_0\}$ can simulate their view of the protocol (i.e., the random inputs $\{R_i\}_{i \in T}$ and the messages $\{M_i\}_{i \notin T}$) given oracle access to the function $h$ restricted by the other inputs (i.e., $h|_{\overline{T}, x_{\overline{T}}}$).
– $\Pi$ is 0-robust if and only if in $P(\Pi)$ the output server $P_0$ learns nothing but $h(x_1, \ldots, x_n)$.

We show a claim in [2] stating that for functions outputting more than one bit, we can compute each output bit separately. Based on this fact, in [2], a fully robust NIMPC protocol for the set of indicator functions was first constructed, and then NIMPC protocols for the set of arbitrary functions were constructed based on it.

Proposition 1 (Claim 7 in [2]) Let $X \triangleq X_1 \times \cdots \times X_n$, where $X_1, \ldots, X_n$ are some finite domains. Fix an integer $m > 1$. Suppose $H$ is a family of boolean functions $h : X \to \{0, 1\}$ admitting an NIMPC protocol with communication complexity $\delta$. Then, the family of functions $H^m = \{h : X \to \{0, 1\}^m \mid h = h_1 \circ \cdots \circ h_m,\ h_i \in H\}$ admits an NIMPC protocol with communication complexity $\delta \cdot m$.

Definition 4 (Indicator functions) Let $X$ be a finite domain. For an $n$-tuple $a = (a_1, \ldots, a_n) \in X$, let $h_a : X \to \{0, 1\}$ be the function defined by $h_a(a) = 1$, and $h_a(x) = 0$ for all $a \neq x \in X$. Let $h_0 : X \to \{0, 1\}$ be the function that is identically zero on $X$. Let $H_{\mathrm{ind}} \triangleq \{h_a\}_{a \in X} \cup \{h_0\}$ be the set of all indicator functions together with $h_0$. Note that every function $h : X \to \{0, 1\}$ can be expressed as the sum of indicator functions, namely, $h = \sum_{a \in X,\, h(a) = 1} h_a$.

We review the previous results on upper bounds on the individual communication complexity of NIMPC. As described above, the fully robust NIMPC protocols in [2] are constructed from fully robust NIMPC for $H_{\mathrm{ind}}$. Thus, the previous upper bounds depend on the upper bound for $H_{\mathrm{ind}}$. This means we have a better upper bound if we obtain a more efficient fully robust NIMPC protocol for $H_{\mathrm{ind}}$.
Proposition 2 (Arbitrary functions $H_{\mathrm{all}}$, Proof of Theorem 10 in [2]) Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \le d$ for all $1 \le i \le n$ and let $X \triangleq X_1 \times \cdots \times X_n$. Let $H_{\mathrm{all}}$ be the set of all functions $h : X \to \{0, 1\}^m$. If there exists an NIMPC protocol for $H_{\mathrm{ind}}$ with individual communication complexity $\delta$, then there exists an NIMPC protocol for $H_{\mathrm{all}}$ with individual (resp. total) communication complexity $|X| \cdot m \cdot \delta$ (resp. $|X| \cdot m \cdot \delta \cdot n$).

3 Lower bounds on the communication complexity

We derive a lower bound on the total communication complexity for any finite set of functions, and in particular $H_{\mathrm{all}}$ and $H_{\mathrm{ind}}$. As described in Sect. 1, the total communication complexity is bounded by the size of the target class. In other words, the total communication complexity cannot be smaller than the logarithm of the size of the target class.

Theorem 1 (Lower bound for any finite set of functions) Fix finite domains $X_1, \ldots, X_n$ and $\Omega$. Let $X \triangleq X_1 \times \cdots \times X_n$ and $H$ a set of functions $h : X \to \Omega$. Then, any fully robust NIMPC protocol $\Pi$ for $H$ satisfies
$$\sum_{i=1}^{n} \log|\mathcal{R}_i| \ge \log|H|, \quad (2)$$
$$\sum_{i=1}^{n} \log|\mathcal{M}_i| \ge \log|\Omega|. \quad (3)$$

Proof We first prove Eq. (2). Let $N = |H|$. Let $\varphi$ be a one-to-one mapping from $H$ to $\{0, 1, \ldots, N - 1\}$. (That is, all functions in $H$ are numbered according to some rule.) Suppose a server holding a random number $a \in \{0, \ldots, N - 1\}$ aims to send $a$ to a client. Suppose also that there is an NIMPC protocol $(\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ for $H$ that satisfies $\sum_{i=1}^{n} \log|\mathcal{R}_i| < \log N$. For the function $h = \varphi^{-1}(a)$, the server executes $R \leftarrow \mathrm{GEN}(h)$ and sends $R$ to the client. The client obtains $a$ by executing $\mathrm{ENC}$ and $\mathrm{DEC}$ for all possible inputs $x \in X$ and identifying the function $h$. We conclude that the server can communicate any $a \in \{0, \ldots, N - 1\}$ to the client using $R = (R_1, \ldots, R_n)$, whose domain size $\prod_{i=1}^{n} |\mathcal{R}_i|$ is smaller than $N$, which is impossible. Thus, we have $\sum_{i=1}^{n} \log|\mathcal{R}_i| \ge \log N$.

In a similar way, we next prove Eq. (3). Suppose a server holding a random element $b \in \Omega$ aims to send $b$ to a client, and that there is an NIMPC protocol $(\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ for $H$ that satisfies $\sum_{i=1}^{n} \log|\mathcal{M}_i| < \log|\Omega|$. For a function $h \in H$ and an element $a \in X$ such that $h(a) = b$, the server executes $R \leftarrow \mathrm{GEN}(h)$ and $M \leftarrow \mathrm{ENC}(a, R)$, and sends $M$ to the client. The client obtains $b$ by executing $\mathrm{DEC}$. We conclude that the server can communicate any $b \in \Omega$ to the client using $M = (M_1, \ldots, M_n)$, whose domain size $\prod_{i=1}^{n} |\mathcal{M}_i|$ is smaller than $|\Omega|$, which is impossible. Thus, we have $\sum_{i=1}^{n} \log|\mathcal{M}_i| \ge \log|\Omega|$.

The following corollary shows a lower bound on the total communication complexity of NIMPC for the set of arbitrary functions. The lower bounds indicate the impossibility of reducing the communication complexity to polynomial in the input length.

Corollary 1 (Lower bound for arbitrary functions) Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \ge d$ for all $1 \le i \le n$. Let $X \triangleq X_1 \times \cdots \times X_n$ and $H_{\mathrm{all}}$ the set of all functions $h : X \to \{0, 1\}^m$. Any NIMPC protocol $\Pi$ for $H_{\mathrm{all}}$ satisfies
$$\sum_{i=1}^{n} \log|\mathcal{R}_i| \ge m \cdot |X| \ge d^n \cdot m, \quad (4)$$
$$\sum_{i=1}^{n} \log|\mathcal{M}_i| \ge m. \quad (5)$$

Proof The proof is obvious from Theorem 1 by setting $H = H_{\mathrm{all}}$. A function maps each input value to some output value. Thus, $|H|$ is given by taking the number of all possible output values to the power of the number of all possible input values, i.e., $(2^m)^{|X|} = 2^{m \cdot |X|}$. Then, $\sum_{i=1}^{n} \log|\mathcal{R}_i| \ge \log|H| = m \cdot |X|$.

The following corollary shows a lower bound on the total communication complexity of NIMPC for $H_{\mathrm{ind}}$. The gap between this lower bound (linear in the input length) and the previous upper bound (exponential in the input length) is large. In the next section, we will present an efficient NIMPC protocol for $H_{\mathrm{ind}}$ with individual (resp. total) communication complexity at most $\lceil \log_2 d \rceil^2 \cdot n$ (resp. $\lceil \log_2 d \rceil^2 \cdot n^2$).

Corollary 2 (Lower bound for indicator functions) Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \ge d$ for all $1 \le i \le n$ and let $X \triangleq X_1 \times \cdots \times X_n$. Then, any NIMPC protocol $\Pi$ for $H_{\mathrm{ind}}$ satisfies
$$\sum_{i=1}^{n} \log|\mathcal{R}_i| \ge \log|X| \ge n \cdot \log d. \quad (6)$$

Proof The proof is obvious from Theorem 1 by setting $H = H_{\mathrm{ind}}$. A function $h_a$ maps each input value $x$ to zero or one depending on whether $x = a$ or not. Thus, $|H|$ is given by the number of all possible values of $a$, i.e., $|X|$. Then, $\sum_{i=1}^{n} \log|\mathcal{R}_i| \ge \log|H| = \log|X|$.

Remark. We can give a more constructive proof, which need not assume the existence of a one-to-one mapping $\varphi$. Suppose a server holding a random vector $a = (a_1, \ldots, a_n) \in X$ aims to send $a$ to a client. Suppose that there is an NIMPC protocol $(\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ for $H_{\mathrm{ind}}$ that satisfies $\sum_{i=1}^{n} \log|\mathcal{R}_i| < \log|X|$. The server executes $R \leftarrow \mathrm{GEN}(h_a)$ and sends $R$ to the client. The client obtains $a$ by executing $\mathrm{ENC}$ and $\mathrm{DEC}$ for all possible inputs $a' \in X$ and checking whether the output is 1 or not. The input $a'$ for which the output is 1 is considered as $a$. We conclude that the server can communicate any $a \in X$ to the client using $R = (R_1, \ldots, R_n)$, whose domain size $\prod_{i=1}^{n} |\mathcal{R}_i|$ is smaller than $|X|$, which is impossible. Thus, we have $\sum_{i=1}^{n} \log|\mathcal{R}_i| \ge \log|X|$.

4 Efficient constructions

We now present an efficient construction of fully robust NIMPC for $H_{\mathrm{ind}}$. In the previous construction in [2], all the possible input values are encoded in a unary way, and thus the communication complexity depends on the size of the input domain. Specifically, each possible input value is represented by a single vector over $\mathbb{F}_2$ so that the summation of the vectors corresponding to $a = (a_1, \ldots, a_n)$ is equal to the zero vector while every other combination is linearly independent, to satisfy the robustness. Our idea to reduce the communication complexity is to encode all the possible input values in a binary way.
Specifically, for each bit in the binary representation, a vector representing “1” is generated so that the summation of all vectors of “1” over the binary representation of a is equal to zero. Since the proposed encod- ing reduces the required dimension of vectors, the communication complexity of resulting NIMPC is greatly reduced, too. The detailed description of the protocol is as follows. For i ∈[n], let d =|X | and φ be i i i a one-to-one mapping from X to [d ]. Let l =log d and s = l . Fix a function i i i i i 2 i =1 h ∈ H that we want to compute. ind 123 1800 M. Yoshida, S. Obana The proposed fully robust NIMPC P(Π )(h) ind – Offline preprocessing: If h = h , then choose s linearly independent random vectors {m } in F . If h = h for some a = (a ,..., a ) ∈ X , denote the binary i, j i ∈[n], j ∈[l ] a 1 n i 2 representation of φ (a ) by b = (b ,..., b ) and define a set of indices I by I = i i i i,1 i,l i i { j ∈[l ]| b = 1}. Choose s random vectors {m } in F under the constraint i i, j i, j i ∈[n], j ∈[l ] i 2 that m = 0 and there are no other linear relations between them (that is, i, j i =1 j ∈I choose all the vectors m except m , as random linear independent vectors and i, j n,max I n−1 set m =− m − m ). Define GEN(h) = R = n,max I i, j n, j i =1 j ∈I j ∈I \{max I } i n n (R ,..., R ), where R ={m } . 1 n i i, j j ∈[l ] ˆ ˆ ˆ – Online messages: For an input x , let b = (b ,..., b ) be the binary representation i i i,1 i,l ˆ ˆ ˆ of φ (x ). Let I be the set of indices defined by I ={ j ∈[l ]| b = 1}. ENC(x , R) i i i i i i, j (M ,..., M ) where M = m . 1 n i ˆ i, j j ∈I – Output h(x ,..., x ): DEC(M ,..., M ) = 1if M = 0. 1 n 1 n i i =1 Mapping from X to [d ], which does not contain zero, is an important point of the proposed i i protocol. If an input x were mapped to the zero vector, M would be always 0. This would i i disclose extra information (that could not be simulated). That is, whether x = 0 leaked. 
Because no $\phi_i$ maps any value of $x_i$ to the zero vector, no information on the inputs $x_i$ is disclosed (robustness), and the summation of vectors becomes zero if and only if the $x_i$ are equal to $a$ (correctness).

Theorem 2 Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \leq d$ for all $1 \leq i \leq n$ and let $X = X_1 \times \cdots \times X_n$. Then, there is a fully robust NIMPC protocol $\Pi_{\mathrm{ind}}$ for $H_{\mathrm{ind}}$ with individual (resp. total) communication complexity at most $\lceil \log_2 d \rceil^2 \cdot n$ (resp. $\lceil \log_2 d \rceil^2 \cdot n^2$).

Proof For the correctness, note that $\sum_{i=1}^{n} M_i = \sum_{i=1}^{n} \sum_{j \in \hat{I}_i} m_{i,j}$. If $h = h_a$ for $a \in X$, this sum equals $0$ if and only if $\hat{I}_i = I_i$ for all $i \in [n]$, i.e., $a = x$. If $h = h_0$, this sum is never zero, as all vectors were chosen to be linearly independent in this case.

To prove robustness, fix a subset $T \subseteq [n]$ and $x_{\bar{T}} \in X_{\bar{T}}$. The encodings $M_{\bar{T}}$ of $\bar{T}$ consist of the vectors $\{M_i\}_{i \in \bar{T}}$. The randomness $R_T$ consists of the vectors $\{m_{i,j}\}_{i \in T,\, j \in [l_i]}$. If $h|_{\bar{T}, x_{\bar{T}}} \equiv 0$, then these vectors are uniformly distributed in $\mathbb{F}_2^{s}$ under the constraint that they are linearly independent. If $h|_{\bar{T}, x_{\bar{T}}}(x_T) = 1$ for some $x_T \in X_T$, then $\sum_{i \in \bar{T}} M_i + \sum_{i \in T} \sum_{j \in \hat{I}_i} m_{i,j} = 0$ and there are no other linear relations between them. Formally, to prove the robustness, we describe a simulator $\mathrm{Sim}_T$: the simulator queries $h|_{\bar{T}, x_{\bar{T}}}$ on all possible inputs in $X_T$. If all answers are zero, this simulator generates random independent vectors. Otherwise, there is an $x_T \in X_T$ such that $h|_{\bar{T}, x_{\bar{T}}}(x_T) = 1$, and the simulator outputs random vectors under the constraints described above, that is, all vectors are independent with the exception that $\sum_{i \in \bar{T}} M_i + \sum_{i \in T} \sum_{j \in \hat{I}_i} m_{i,j} = 0$.

In the proposed protocol, $\log_2 |\mathcal{R}_i|$ is larger than $\log_2 |\mathcal{M}_i|$ for every $i \in [n]$. Thus, the individual communication complexity is given by the maximum length of the correlated randomness. The correlated randomness $R_i$ is composed of $l_i \leq \lceil \log_2 d \rceil$ binary vectors of length $s \leq \lceil \log_2 d \rceil \cdot n$, and the encoding is the summation of some of them.
Hence, the individual communication complexity is at most $\lceil \log_2 d \rceil^2 \cdot n$.

Corollary 3 Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \leq d$ for all $1 \leq i \leq n$ and let $X = X_1 \times \cdots \times X_n$. Then, there is a fully robust NIMPC protocol for $H_{\mathrm{all}}$ with individual (resp. total) communication complexity at most $|X| \cdot m \cdot \lceil \log_2 d \rceil^2 \cdot n$ (resp. $|X| \cdot m \cdot \lceil \log_2 d \rceil^2 \cdot n^2$).

Proof From Proposition 2 and Theorem 1, it is obvious.

5 Some improvements in the offline-online model

The offline-online model is defined by modifying the output of GEN to include an additional entry $R_0$, which represents the offline communication and is given as an additional input to the decoder DEC [3]. The random variable $R_T$ is redefined to always include $R_0$. That is, the value of $R_0$ should be correctly simulated by Sim. Let $\mathcal{R}_0$ be a finite domain of $R_0$. We refer to NIMPC protocols in the offline-online model as offline-online NIMPC protocols. To distinguish them from the offline-online protocols, we refer to the NIMPC protocols considered in the previous sections as standard NIMPC protocols. The formal definition of offline-online NIMPC is given as follows [3]:

Definition 5 (Offline-online NIMPC: syntax and correctness) Let $X_1, \ldots, X_n$, $\mathcal{R}_0, \mathcal{R}_1, \ldots, \mathcal{R}_n$, $\mathcal{M}_1, \ldots, \mathcal{M}_n$ and $\Omega$ be finite domains. Let $X = X_1 \times \cdots \times X_n$ and let $H$ be a family of functions $h : X \to \Omega$. An offline-online NIMPC protocol for $H$ is a triplet $\Pi = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ where
– $\mathrm{GEN} : H \to \mathcal{R}_0 \times \mathcal{R}_1 \times \cdots \times \mathcal{R}_n$ is a randomized function,
– ENC is an $n$-tuple of deterministic functions $(\mathrm{ENC}_1, \ldots, \mathrm{ENC}_n)$, where $\mathrm{ENC}_i : X_i \times \mathcal{R}_i \to \mathcal{M}_i$,
– $\mathrm{DEC} : \mathcal{R}_0 \times \mathcal{M}_1 \times \cdots \times \mathcal{M}_n \to \Omega$ is a deterministic function satisfying the following correctness requirement: for any $x = (x_1, \ldots, x_n) \in X$ and $h \in H$,

$$\Pr\bigl[\, R = (R_0, R_1, \ldots, R_n) \leftarrow \mathrm{GEN}(h) \;:\; \mathrm{DEC}(R_0, \mathrm{ENC}(x, R)) = h(x) \,\bigr] = 1, \qquad (7)$$

where $\mathrm{ENC}(x, R) = (\mathrm{ENC}_1(x_1, R_1), \ldots, \mathrm{ENC}_n(x_n, R_n))$.
The (online) individual communication complexity of $\Pi$ is the maximum of $\log_2 |\mathcal{R}_1|, \ldots, \log_2 |\mathcal{R}_n|, \log_2 |\mathcal{M}_1|, \ldots, \log_2 |\mathcal{M}_n|$.

Definition 6 (Offline-online NIMPC: robustness) For a subset $T \subseteq [n]$, we say that an offline-online NIMPC protocol $\Pi$ for $H$ is $T$-robust if there exists a randomized function $\mathrm{Sim}_T$ (a "simulator") such that, for every $h \in H$ and $x_{\bar{T}} \in X_{\bar{T}}$, we have $\mathrm{Sim}_T(h|_{\bar{T}, x_{\bar{T}}}) \equiv (M_{\bar{T}}, R_{T \cup \{0\}})$, where $R_{T \cup \{0\}}$ and $M_{\bar{T}}$ are the joint randomness and messages defined by $R \leftarrow \mathrm{GEN}(h)$ and $M_i \leftarrow \mathrm{ENC}_i(x_i, R_i)$. The $t$-robustness and full robustness are defined in a similar way to the standard model.

Definition 7 (Offline-online NIMPC: protocol description) For an offline-online NIMPC protocol $\Pi$ for $H$, let $P(\Pi)$ denote the protocol that may have an additional input, a function $h \in H$, and proceeds as follows.

Protocol $P(\Pi)(h)$
– Offline preprocessing: Each player $P_i$, $1 \leq i \leq n$, receives the random input $R_i = \mathrm{GEN}(h)_i \in \mathcal{R}_i$. $P_0$ receives $R_0 = \mathrm{GEN}(h)_0 \in \mathcal{R}_0$.
– Online messages: On input $R_i$, each player $P_i$, $1 \leq i \leq n$, sends the message $M_i = \mathrm{ENC}_i(x_i, R_i) \in \mathcal{M}_i$ to $P_0$.
– Output: $P_0$ computes and outputs $\mathrm{DEC}(R_0, M_1, \ldots, M_n)$.

It is straightforward to construct an $n$-player offline-online protocol for a function $h$ from an $n$-player standard protocol for $h$ by taking $R_0$ to be empty (or some constant). However, in this construction, the offline communication $R_0$ cannot be used for reducing the individual communication complexity of $P_i$ with $1 \leq i \leq n$.

In the following, for any set of functions that have the same output frequency, such as $H^{*}_{\mathrm{ind}} = H_{\mathrm{ind}} \setminus \{h_0\}$, we show a fully robust offline-online protocol whose individual communication complexity is smaller than that in Sect. 4.

We first consider the set $H^{*}_{\mathrm{ind}}$, i.e., the functions that have just one "1" output. We use the fully robust standard NIMPC protocol $\Pi_{\mathrm{ind}} = (\mathrm{GEN}_{\mathrm{ind}}, \mathrm{ENC}_{\mathrm{ind}}, \mathrm{DEC}_{\mathrm{ind}})$ given in Sect. 4 as a subroutine.
Our idea to reduce the individual communication complexity is simple: use $(R_1, \ldots, R_n) \leftarrow \mathrm{GEN}_{\mathrm{ind}}(h_a)$ as the offline communication $R_0$ and specify the inputs $x_i$ by using the online communication $M_i$ while keeping $a$ and $x_i$ secret. To hide $a$ and $x_i$, we shift $a = (a_1, \ldots, a_n)$ and $x = (x_1, \ldots, x_n)$ by random values $s = (s_1, \ldots, s_n)$.

The detailed description of the proposed offline-online protocol $\Pi_{\mathrm{proper}} = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ is as follows. For $i \in [n]$, let $d_i = |X_i|$ and $\psi_i$ be a one-to-one mapping from $X_i$ to $\{0, 1, \ldots, d_i - 1\}$. Fix a function $h_a \in H^{*}_{\mathrm{ind}}$ that we want to compute.

The proposed offline-online NIMPC $P(\Pi_{\mathrm{proper}})(h_a)$
– Offline preprocessing: Randomly choose values $s_i \in \{0, \ldots, d_i - 1\}$ with $i \in [n]$. Let $\sigma_i : X_i \to \{0, \ldots, d_i - 1\}$ be the one-to-one mapping such that $\sigma_i(x_i) = \psi_i^{-1}\bigl((\psi_i(x_i) + s_i) \bmod d_i\bigr)$, i.e., shifting the input $x_i$ by $s_i$. Set $b = (b_1, \ldots, b_n) = (\sigma_1(a_1), \ldots, \sigma_n(a_n))$. Define $\mathrm{GEN}(h_a) = R = (R_0, R_1, \ldots, R_n)$, where $R_0 = (R'_1, \ldots, R'_n) = \mathrm{GEN}_{\mathrm{ind}}(h_b)$ and $R_i = s_i$ with $i \in [n]$.
– Online messages: $\mathrm{ENC}(x, R) = (M_1, \ldots, M_n)$ where $M_i = \sigma_i(x_i)$.
– Output $h_a(x_1, \ldots, x_n)$: Let $M'_i = \mathrm{ENC}_{\mathrm{ind}, i}(R'_i, M_i)$. $\mathrm{DEC}(R_0, M_1, \ldots, M_n) = \mathrm{DEC}_{\mathrm{ind}}(M'_1, \ldots, M'_n)$.

Theorem 3 Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \leq d$ for all $1 \leq i \leq n$ and let $X = X_1 \times \cdots \times X_n$. Then, there is a fully robust offline-online NIMPC protocol $\Pi_{\mathrm{proper}}$ for $H_{\mathrm{ind}} \setminus \{h_0\}$ with individual communication complexity at most $\lceil \log_2 (d - 1) \rceil$.

Proof For the correctness, note that the output is that of $h_b$ for inputs $\sigma_i(x_i)$. Thus, the output is one if and only if $(x_1, \ldots, x_n) = a$, as the tuple $(M_1, \ldots, M_n)$ equals $b$ if and only if $(x_1, \ldots, x_n) = a$.

To prove the robustness, fix a subset $T \subseteq [n]$ and $x_{\bar{T}} \in X_{\bar{T}}$. Let $\sigma_T(x_T)$ denote $(\sigma_1(x_1), \ldots, \sigma_n(x_n))_T$. The encodings $M_{\bar{T}}$ of $\bar{T}$ consist of $|\bar{T}|$ integers $M_i \in \{0, \ldots, d_i - 1\}$ with $i \in \bar{T}$.
The randomness $R_{T \cup \{0\}}$ consists of the vectors $\{m_{i,j}\}_{i \in [n],\, j \in [l_i]}$ and $|T|$ integers $s_i \in \{0, \ldots, d_i - 1\}$ with $i \in T$. The vectors $\{m_{i,j}\}_{i \in [n],\, j \in [l_i]}$ are uniformly distributed under the constraint that for some $b \in X$, $\sum_{i=1}^{n} \sum_{j \in I_i} m_{i,j} = 0$ and there are no other linear relations between them. If $h|_{\bar{T}, x_{\bar{T}}} \equiv 0$, then $b_{\bar{T}} \neq M_{\bar{T}}$. If $h|_{\bar{T}, x_{\bar{T}}}(x_T) = 1$ for some $x_T \in X_T$, then $b_T = \sigma_T(x_T)$ and $b_{\bar{T}} = M_{\bar{T}}$.

We construct $\mathrm{Sim}_T$ for the protocol $P(\Pi_{\mathrm{proper}})$ on function $h_a$. The simulator first generates random vectors $\{m_{i,j}\}_{i \in [n],\, j \in [l_i]}$ under the constraint that for some $b \in X$, $\sum_{i=1}^{n} \sum_{j \in I_i} m_{i,j} = 0$ and there are no other linear relations between them. The simulator then queries $h|_{\bar{T}, x_{\bar{T}}}$ on all possible inputs in $X_T$. If all answers are zero, this simulator generates random $M_i \in \{0, \ldots, d_i - 1\}$ with $i \in \bar{T}$ so that $b_{\bar{T}} \neq M_{\bar{T}}$, and generates random $R_i \in \{0, \ldots, d_i - 1\}$ with $i \in T$. Otherwise, there is an $x_T \in X_T$ such that $h|_{\bar{T}, x_{\bar{T}}}(x_T) = 1$, and the simulator sets $R_i$ and $M_i$ so that $b_T = \sigma_T(x_T)$ and $b_{\bar{T}} = M_{\bar{T}}$, where $\sigma_i$ is defined as above with $s_i = R_i$.

Footnote 1: We note that the communication complexity for $H^{*}_{\mathrm{ind}}$ is the same as that for $H_{\mathrm{ind}}$.

The correlated randomness $R_i$ with $i \in [n]$ and encoding $M_i$ are integers of length $\lceil \log_2 (d - 1) \rceil$. Hence, the (online) individual communication complexity is at most $\lceil \log_2 (d - 1) \rceil$.

We extend the above result to any set of functions that have the same output frequency. In the fully robust standard NIMPC protocol for $H_{\mathrm{all}}$ in [2], $h_0$ plays the role of hiding all information on how many 1's the function $h$ has. This is the motivation for including $h_0$ in $H_{\mathrm{ind}}$, and a standard NIMPC protocol for $H_{\mathrm{ind}}$ is used as a subroutine. Our target set of functions has the same output frequency. Thus, we no longer need to hide this information, and thus the offline-online NIMPC protocol $\Pi_{\mathrm{proper}}$ for $H_{\mathrm{ind}} \setminus \{h_0\}$ is enough for our target sets.
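The standard indicator protocol $P(\Pi_{\mathrm{ind}})$ of Sect. 4 and the offline-online $P(\Pi_{\mathrm{proper}})$ of Sect. 5 that wraps it, as an added Python example (not code from the paper). It assumes $X_i = \{0, \ldots, d_i - 1\}$ with $\psi_i$ the identity, $\phi_i(x) = x + 1$ so that no input maps to the zero string, $l_i$ equal to the bit length of $d_i$ (one more than $\lceil \log_2 d_i \rceil$ when $d_i$ is a power of two, so that $\phi_i(x) = d_i$ fits), and realises the "no other linear relations" constraint by rejection-sampling $s - 1$ independent vectors and pinning $m_{n, \max I_n}$.

```python
# Added example, not the paper's code: the Sect. 4 NIMPC for indicator
# functions (binary encoding over F_2^s) and the Sect. 5 offline-online
# wrapper Pi_proper built on it. Assumed conventions: X_i = {0, ..., d_i - 1},
# psi_i = identity, phi_i(x) = x + 1 (so no input maps to the zero string),
# l_i = bit length of d_i (one more than ceil(log2 d_i) when d_i is a power
# of two, so that phi_i(x) = d_i fits). Vectors of F_2^s are ints, + is XOR.
from functools import reduce
from operator import xor
import secrets

def rank_f2(vectors):
    """Rank over F_2 via Gaussian elimination with a pivot-bit basis."""
    basis = {}                               # pivot bit -> reduced vector
    for v in vectors:
        while v:
            top = v.bit_length() - 1
            if top not in basis:
                basis[top] = v
                break
            v ^= basis[top]
    return len(basis)

def ones(value):
    """Index set {j : bit j of value is 1}: the paper's I_i for phi_i(a_i)."""
    return [j for j in range(value.bit_length()) if (value >> j) & 1]

def gen_ind(domains, a):
    """GEN_ind(h): a=None means h_0, otherwise h_a. Returns R = (R_1, ..., R_n)."""
    lens = [d.bit_length() for d in domains]                 # l_i
    s = sum(lens)
    while True:                # retry until the free vectors are independent
        vecs = [[secrets.randbits(s) for _ in range(l)] for l in lens]
        if a is None:          # h_0: s linearly independent vectors
            if rank_f2([v for row in vecs for v in row]) == s:
                return vecs
            continue
        idx = [ones(a_i + 1) for a_i in a]                   # I_1, ..., I_n
        pin = (len(domains) - 1, idx[-1][-1])                # (n, max I_n)
        free = [v for i, row in enumerate(vecs)
                for j, v in enumerate(row) if (i, j) != pin]
        if rank_f2(free) != s - 1:
            continue
        # m_{n,max I_n} := sum of the other m_{i,j}, j in I_i, so the sum over
        # all I_i is zero and there is no other linear relation among the s vectors
        vecs[pin[0]][pin[1]] = reduce(xor, (vecs[i][j] for i, I in enumerate(idx)
                                            for j in I if (i, j) != pin), 0)
        return vecs

def enc_ind(x, r):
    """ENC_ind: M_i = sum of m_{i,j} over the 1-bits j of phi_i(x_i)."""
    return [reduce(xor, (r_i[j] for j in ones(x_i + 1)), 0) for x_i, r_i in zip(x, r)]

def dec_ind(msgs):
    """DEC_ind: 1 iff M_1 + ... + M_n = 0 in F_2^s."""
    return int(reduce(xor, msgs, 0) == 0)

# Sect. 5: offline-online Pi_proper for h_a (h_0 excluded), built on Pi_ind.
def gen_proper(domains, a):
    """GEN(h_a): R_0 = GEN_ind(h_b) with b_i = (a_i + s_i) mod d_i; R_i = s_i."""
    shifts = [secrets.randbelow(d) for d in domains]
    b = tuple((a_i + s_i) % d for a_i, s_i, d in zip(a, shifts, domains))
    return gen_ind(domains, b), shifts

def enc_proper(x, shifts, domains):
    """Online message M_i = sigma_i(x_i) = (x_i + s_i) mod d_i, one small integer."""
    return [(x_i + s_i) % d for x_i, s_i, d in zip(x, shifts, domains)]

def dec_proper(r0, msgs):
    """DEC(R_0, M): feed the shifted inputs to ENC_ind and decode with DEC_ind."""
    return dec_ind(enc_ind(msgs, r0))
```

Running every $x \in X$ through both protocols for one $h_a$ checks the correctness claims of Theorems 2 and 3 exhaustively; the online message of $P(\Pi_{\mathrm{proper}})$ is a single integer below $d_i$ per player, whereas $P(\Pi_{\mathrm{ind}})$ sends an $s$-bit vector.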
Corollary 4 Fix finite domains $X_1, \ldots, X_n$ such that $|X_i| \leq d$ for all $1 \leq i \leq n$ and let $X = X_1 \times \cdots \times X_n$. Fix an integer $m > 1$. Let $H$ be a set of functions $h : X \to \{0, 1\}^m$ that have the same output frequency, that is, $|\{\, x \in X \mid h(x) = y \,\}| = |\{\, x \in X \mid h'(x) = y \,\}|$ holds for any $h, h' \in H$ and for any $y \in \{0, 1\}^m$. Then, there is a fully robust offline-online NIMPC protocol for $H$ with individual communication complexity at most $|X| \cdot m \cdot \lceil \log_2 (d - 1) \rceil$.

Proof Fix a function $h \in H$. Assume for simplicity that $m = 1$. The offline-online protocol $\Pi$ for $H$, which uses $\Pi_{\mathrm{proper}} = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$, is as follows.
– Offline preprocessing: Let $I = h^{-1}(1) \subseteq X$, i.e., the set of ones of $h$. Let $D = |I|$, i.e., the number of ones of $h$, and $I = \{a_1, \ldots, a_D\}$. Choose a random permutation $\phi$. For each $k \in [D]$, let $R^{(k)} = (R^{(k)}_0, R^{(k)}_1, \ldots, R^{(k)}_n) \leftarrow \mathrm{GEN}(h_{a_k})$. Define a matrix $\mathbf{R}$, where $R_{i,k} \triangleq R^{(\phi(k))}_i$ for $0 \leq i \leq n$ and $k \in [D]$. Send to $P_i$ the random strings $(R_{i,k})_{k \in [D]}$, i.e., the $i$th row of $\mathbf{R}$.
– Online messages: For every $i \in [n]$ and $k \in [D]$, let $M^{(k)}_i \triangleq \mathrm{ENC}_i(x_i, R_{i,k})$. Define a matrix $\mathbf{M}$, where $M_{i,k} \triangleq M^{(k)}_i$ for $0 \leq i \leq n$ and $k \in [D]$. Each $P_i$ sends to $P_0$ the message $M_i \triangleq (M_{i,k})_{k \in [D]}$.
– Output $h(x_1, \ldots, x_n)$: The output is $1$ if for some $k \in [D]$, $\mathrm{DEC}(R_{0,k}, M_{1,k}, \ldots, M_{n,k}) = 1$. Otherwise, the output is zero.

First, we will show the correctness of the above protocol. Fix $x = (x_1, \ldots, x_n) \in X$. The output is $1$ if and only if $\mathrm{DEC}(R_{0,k}, M_{1,k}, \ldots, M_{n,k}) = 1$ for some $k \in [D]$, that is, $\mathrm{DEC}(R^{(\phi(k))}_0, \mathrm{ENC}_1(x_1, R^{(\phi(k))}_1), \ldots, \mathrm{ENC}_n(x_n, R^{(\phi(k))}_n)) = 1$ for some $k \in [D]$. Since the underlying $\Pi_{\mathrm{proper}} = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ satisfies the correctness, this happens if and only if $h_{a_k}(x) = 1$ holds for some $a_k \in I$.

Next, we will show the robustness. The robustness is proven in a similar way to Theorem 3. Fix $T \subseteq [n]$ and $x_{\bar{T}} \in X_{\bar{T}}$. We construct a simulator for $(M_{\bar{T}}, R_{T \cup \{0\}})$ given $h|_{\bar{T}, x_{\bar{T}}}$. Each row $k$ is of the form $(M^{(k)}_{\bar{T}}, R^{(k)}_T)$ for $k \in [D]$.
For each $k \in [D]$, the encodings $M^{(k)}_{\bar{T}}$ of $\bar{T}$ consist of $|\bar{T}|$ integers $M^{(k)}_i \in \{0, \ldots, d_i - 1\}$ with $i \in \bar{T}$. The randomness $R^{(k)}_T$ consists of the vectors $\{m^{(k)}_{i,j}\}_{i \in [n],\, j \in [l_i]}$ and $|T|$ integers $s^{(k)}_i \in \{0, \ldots, d_i - 1\}$ with $i \in T$. The vectors $\{m^{(k)}_{i,j}\}_{i \in [n],\, j \in [l_i]}$ are uniformly distributed under the constraint that for some $b^{(k)} \in X$, $\sum_{i=1}^{n} \sum_{j \in I^{(k)}_i} m^{(k)}_{i,j} = 0$ and there are no other linear relations between them. If $h|_{\bar{T}, x_{\bar{T}}} \equiv 0$, then $b^{(k)}_{\bar{T}} \neq M^{(k)}_{\bar{T}}$. If $h|_{\bar{T}, x_{\bar{T}}}(x_T) = 1$ for some $x_T \in X_T$, then $b^{(k)}_T = \sigma^{(k)}_T(x_T)$ and $b^{(k)}_{\bar{T}} = M^{(k)}_{\bar{T}}$.

We construct $\mathrm{Sim}_T$ for the protocol $P(\Pi)$ on function $h$. For each $k \in [D]$, the simulator first generates random vectors $\{m^{(k)}_{i,j}\}_{i \in [n],\, j \in [l_i]}$ under the constraint that for some $b^{(k)} \in X$, $\sum_{i=1}^{n} \sum_{j \in I^{(k)}_i} m^{(k)}_{i,j} = 0$ and there are no other linear relations between them. The simulator then queries $h|_{\bar{T}, x_{\bar{T}}}$ on all possible inputs in $X_T$.

Let $I' \subseteq X_T$ be the set of ones of $h|_{\bar{T}, x_{\bar{T}}}$. Let $D' = |I'|$ and $I' = \{x^{(1)}_T, \ldots, x^{(D')}_T\}$. For $1 \leq k \leq D'$, this simulator generates random $M^{(k)}_i \in \{0, \ldots, d_i - 1\}$ with $i \in \bar{T}$ so that $b^{(k)}_{\bar{T}} \neq M^{(k)}_{\bar{T}}$, and generates random $R^{(k)}_i \in \{0, \ldots, d_i - 1\}$ with $i \in T$. For $D' < k \leq D$, the simulator sets $R^{(k)}_i$ and $M^{(k)}_i$ so that $b^{(k)}_T = \sigma^{(k)}_T(x^{(k)}_T)$ and $b^{(k)}_{\bar{T}} = M^{(k)}_{\bar{T}}$, where $\sigma^{(k)}_i$ is defined with $s^{(k)}_i = R^{(k)}_i$ as in Theorem 3.

The correlated randomness $R^{(k)}_i$ with $i \in [n]$ and encoding $M^{(k)}_i$ are integers of length $\lceil \log_2 (d - 1) \rceil$. Hence, the (online) individual communication complexity is at most $|X| \cdot m \cdot \lceil \log_2 (d - 1) \rceil$.

6 Conclusion

We have presented the first lower bound on the communication complexity of $n$-player NIMPC protocols for any set of functions, including the set of arbitrary functions and the set of indicator functions. We have constructed novel fully robust NIMPC protocols for the set of arbitrary functions $H_{\mathrm{all}}$ and the set of indicator functions $H_{\mathrm{ind}}$. The proposed protocols are much more efficient than the previous protocols.
For example, for the set of arbitrary functions, while the previous best known protocol in [2] requires $|X| \cdot m \cdot d \cdot n$ communication complexity, the communication complexity of the proposed construction is only $|X| \cdot m \cdot \lceil \log_2 d \rceil \cdot n$, where $X$ denotes the (total) input domain, $d$ is the maximum domain size of a player, and $m$ is the output length. By this result, the gap between the lower and upper bounds on the communication complexity is significantly reduced from $d \cdot n$ to $\lceil \log_2 d \rceil \cdot n$, that is, from exponential in the input length to quadratic. In addition, we have shown a possibility of reducing the individual communication complexity much more by employing the offline-online model for some sets of functions (e.g., $H_{\mathrm{ind}} \setminus \{h_0\}$).

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

References

1. Barkol O., Ishai Y., Weinreb E.: On d-multiplicative secret sharing. J. Cryptol. 23(4), 580–593 (2010).
2. Beimel A., Gabizon A., Ishai Y., Kushilevitz E., Meldgaard S., Paskin-Cherniavsky A.: Non-interactive secure multiparty computation. In: Advances in Cryptology—CRYPTO 2014. Lecture Notes in Computer Science, vol. 8617, pp. 387–404 (2014).
3. Beimel A., Gabizon A., Ishai Y., Kushilevitz E., Meldgaard S., Paskin-Cherniavsky A.: Non-interactive secure multiparty computation. Cryptology ePrint Archive: Report 2014/960 (2014).
4. Benhamouda F., Krawczyk H., Rabin T.: Robust non-interactive multiparty computation against constant-size collusion. In: Advances in Cryptology—CRYPTO 2017. Lecture Notes in Computer Science, vol. 10401, pp. 391–419 (2017).
5. Benhamouda F., Krawczyk H., Rabin T.: Robust non-interactive multiparty computation against constant-size collusion. Cryptology ePrint Archive: Report 2017/555 (2017).
6. Ben-Or M., Goldwasser S., Wigderson A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: The 20th Annual ACM Symposium on Theory of Computing (STOC ’88), pp. 1–10 (1988).
7. Chaum D., Crépeau C., Damgård I.: Multiparty unconditionally secure protocols. In: The 20th Annual ACM Symposium on Theory of Computing (STOC ’88), pp. 11–19 (1988).
8. Cramer R., Damgård I., Maurer U.: General secure multi-party computation from any linear secret sharing scheme. In: Advances in Cryptology—EUROCRYPT 2000. Lecture Notes in Computer Science, vol. 1807, pp. 316–335 (2000).
9. Data D., Prabhakaran M., Prabhakaran V.: On the communication complexity of secure computation. In: Advances in Cryptology—CRYPTO 2014. Lecture Notes in Computer Science, vol. 861, pp. 199–216 (2014).
10. Goldwasser S., Micali S., Wigderson A.: How to play any mental game, or a completeness theorem for protocols with an honest majority. In: The 19th Annual ACM Symposium on Theory of Computing (STOC ’87), pp. 218–229 (1987).
11. Hirt M., Maurer U.: Player simulation and general adversary structures in perfect multiparty computation. J. Cryptol. 13(1), 31–60 (2000).
12. Hirt M., Tschudi D.: Efficient general-adversary multi-party computation. In: Advances in Cryptology—ASIACRYPT 2013, Part II. Lecture Notes in Computer Science, vol. 8270, pp. 181–200 (2013).
13. Maurer U.: Secure multi-party computation made simple. In: Security in Communication Networks, Third International Conference, SCN 2002. Lecture Notes in Computer Science, vol. 2576, pp. 14–28 (2003).
14. Rabin T., Ben-Or M.: Verifiable secret sharing and multiparty protocols with honest majority. In: The 21st Annual ACM Symposium on Theory of Computing (STOC ’89), pp. 73–85 (1989).
15. Yao A.C.: Protocols for secure computations. In: The 23rd Annual Symposium on Foundations of Computer Science (FOCS ’82), pp. 160–164 (1982).
16. Yoshida M., Obana S.: On the (in)efficiency of non-interactive secure multiparty computation. In: The 18th Annual International Conference on Information Security and Cryptology, ICISC 2015. Lecture Notes in Computer Science, vol. 9558, pp. 185–193 (2016).

Journal: Designs, Codes and Cryptography (Springer). Published: Mar 26, 2018.