On Complete Primitives for Fairness
- Dov GordonAffiliated withUniversity of Maryland
- , Yuval IshaiAffiliated withTechnionUniversity of California
- , Tal MoranAffiliated withHarvard SEAS
- , Rafail OstrovskyAffiliated withUniversity of California
- , Amit SahaiAffiliated withUniversity of California
For secure two-party and multi-party computation with abort, classification of which primitives are complete has been extensively studied in the literature. However, for fair secure computation, where (roughly speaking) either all parties learn the output or none do, the question of complete primitives has remained largely unstudied. In this work, we initiate a rigorous study of completeness for primitives that allow fair computation. We show the following results:
No “short” primitive is complete for fairness. In surprising contrast to other notions of security for secure two-party computation, we show that for fair secure computation, no primitive of size O(logk) is complete, where k is a security parameter. This is the case even if we can enforce parallelism in calls to the primitives (i.e., the adversary does not get output from any primitive in a parallel call until it sends input to all of them). This negative result holds regardless of any computational assumptions.
A fairness hierarchy. We clarify the fairness landscape further by exhibiting the existence of a “fairness hierarchy”. We show that for every “short” ℓ = O(logk), no protocol making (serial) access to any ℓ-bit primitive can be used to construct even a (ℓ + 1)-bit simultaneous broadcast.
Positive results. To complement the negative results, we exhibit a k-bit primitive that is complete for two-party fair secure computation. We show how to generalize this result to the multi-party setting.
Fairness combiners. We also introduce the question of constructing a protocol for fair secure computation from primitives that may be faulty. We show that this is possible when a majority of the instances are honest. On the flip side, we show that this result is tight: no functionality is complete for fairness if half (or more) of the instances can be malicious.
- On Complete Primitives for Fairness
- Book Title
- Theory of Cryptography
- Book Subtitle
- 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9-11, 2010. Proceedings
- pp 91-108
- Print ISBN
- Online ISBN
- Series Title
- Lecture Notes in Computer Science
- Series Volume
- Series ISSN
- Springer Berlin Heidelberg
- Copyright Holder
- Springer Berlin Heidelberg
- Additional Links
- Industry Sectors
- Daniele Micciancio (16)
- Editor Affiliations
- 16. Computer Science & Engineering Department, University of California,
- Author Affiliations
- 17. University of Maryland,
- 18. Technion, Israel
- 19. University of California, Los Angeles
- 20. Harvard SEAS,
To view the rest of this content please follow the download PDF link above.