TY - GEN
T1 - Complete characterization of fairness in secure two-party computation of Boolean functions
AU - Asharov, Gilad
AU - Beimel, Amos
AU - Makriyannis, Nikolaos
AU - Omri, Eran
N1 - Funding Information:
The first author is supported by the Israeli Centers of Research Excellence (I-CORE) Program (Center No. 4/11). The second author is partially supported by ISF grant 544/13 and by the Frankel Center for Computer Science. The fourth author is partially supported by ISF grant 544/13.
Publisher Copyright:
© International Association for Cryptologic Research 2015.
PY - 2015/1/1
Y1 - 2015/1/1
N2 - Fairness is a desirable property in secure computation; informally it means that if one party gets the output of the function, then all parties get the output. Alas, an implication of Cleve’s result (STOC86) is that when there is no honest majority, in particular in the important case of the two-party setting, there exist Boolean functions that cannot be computed with fairness. In a surprising result, Gordon et al. (JACM 2011) showed that some interesting functions can be computed with fairness in the two-party setting, and re-opened the question of understanding which Boolean functions can be computed with fairness, and which cannot. Our main result in this work is a complete characterization of the (symmetric) Boolean functions that can be computed with fairness in the two-party setting; this settles an open problem of Gordon et al. The characterization is quite simple: A function can be computed with fairness if and only if the all-one vector or the all-zero vector are in the affine span of either the rows or the columns of the matrix describing the function. This is true for both deterministic and randomized functions. To prove the possibility result, we modify the protocol of Gordon et al.; the resulting protocol computes with full security (and in particular with fairness) all functions that are computable with fairness. We extend the above result in two directions. First, we completely characterize the Boolean functions that can be computed with fairness in the multiparty case, when the number of parties is constant and at most half of the parties can be malicious. Second, we consider the two-party setting with asymmetric Boolean functionalities, that is, when the output of each party is one bit; however, the outputs are not necessarily the same. We provide both a sufficient condition and a necessary condition for fairness; however, a gap is left between these two conditions. We then consider a specific asymmetric function in this gap area, and by designing a new protocol, we show that it is computable with fairness. However, we do not give a complete characterization for all functions that lie in this gap, and their classification remains open.
KW - Fairness
KW - Foundations
KW - Malicious adversaries
KW - Secure computation
UR - http://www.scopus.com/inward/record.url?scp=84924709343&partnerID=8YFLogxK
U2 - 10.1007/978-3-662-46494-6_10
DO - 10.1007/978-3-662-46494-6_10
M3 - Conference contribution
AN - SCOPUS:84924709343
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 199
EP - 228
BT - Theory of Cryptography - 12th Theory of Cryptography Conference, TCC 2015, Proceedings
A2 - Dodis, Yevgeniy
A2 - Nielsen, Jesper Buus
PB - Springer Verlag
T2 - 12th Theory of Cryptography Conference, TCC 2015
Y2 - 23 March 2015 through 25 March 2015
ER -