Ad Hoc PSM Protocols: Secure Computation Without Coordination
 2 Citations
 1.5k Downloads
Abstract
We study the notion of ad hoc secure computation, recently introduced by Beimel et al. (ITCS 2016), in the context of the Private Simultaneous Messages (PSM) model of Feige et al. (STOC 2004). In ad hoc secure computation we have n parties that may potentially participate in a protocol but, at the actual time of execution, only k of them, whose identity is not known in advance, actually participate. This situation is particularly challenging in the PSM setting, where protocols are noninteractive (a single message from each participating party to a special output party) and where the parties rely on predistributed, correlated randomness (that in the adhoc setting will have to take into account all possible sets of participants).
We present several different constructions of ad hoc PSM protocols from standard PSM protocols. These constructions imply, in particular, that efficient informationtheoretic ad hoc PSM protocols exist for NC\(^1\) and different classes of logspace computation, and efficient computationallysecure ad hoc PSM protocols for polynomialtime computable functions can be based on a oneway function. As an application, we obtain an informationtheoretic implementation of orderrevealing encryption whose security holds for two messages.
We also consider the case where the actual number of participating parties t may be larger than the minimal k for which the protocol is designed to work. In this case, it is unavoidable that the output party learns the output corresponding to each subset of k out of the t participants. Therefore, a “best possible security” notion, requiring that this will be the only information that the output party learns, is needed. We present connections between this notion and the previously studied notion of trobust PSM (also known as “noninteractive MPC”). We show that constructions in this setting for even simple functions (like AND or threshold) can be translated into nontrivial instances of program obfuscation (such as point function obfuscation and fuzzy point function obfuscation, respectively). We view these results as a negative indication that protocols with “best possible security” are impossible to realize efficiently in the informationtheoretic setting or require strong assumptions in the computational setting.
Keywords
Security Requirement Secure Protocol Secure Computation Secret Sharing Scheme Computational Setting1 Introduction
The notion of ad hoc secure computation was recently put forward in [4]. In the adhoc secure computation problem, there are n parties that may potentially take part in a secure computation protocol. At the time that the protocol is executed, some k of these n parties actually participate in the execution. The goal is to design (efficient) protocols that can work for every set of k parties S, without knowing the set of participants in advance. As a concrete example, think of a voting application, where n parties are registered to the elections but only k of them (the identity of which becomes known only in real time) end up participating in the vote.
In most standard secure computation models, the adhoc nature of the protocol does not pose a significant challenge: the participating parties can interact with each other and use a standard generalpurpose secure protocol to perform the computation. The problem is most challenging in situations where preprocessing or setup are required, or where interaction is limited. In the extreme, where noninteractive secure protocols are needed, the single message sent by each party \(P_i\) cannot depend on the messages of other parties, whose identities are not even known to \(P_i\).
A simple model for noninteractive secure computation is the Private Simultaneous Messages (PSM) model of [14, 17]. In this model, there are n parties \(P_1,\ldots ,P_n\) and a special party called the referee. Before the input is known, the parties are given correlated randomness^{1} \((r_1,\ldots ,r_n)\). In the online phase, each party \(P_i\) gets an input \(x_i\) and sends a single message \(m_i\), depending on \(x_i\) and \(r_i\), to the referee. Based on the n received messages, the referee should be able to compute the value of a predetermined function f on the input \(x=(x_1,\ldots ,x_n)\), namely f(x). The security requires that the referee learns no additional information about x. It is known that PSM protocols exist for every finite function f [14] and efficient PSM protocols exist for every function in NC\(^1\) and for classes of functions defined by different types of (polynomialsize) branching programs [14, 17]. In a computational setting, efficient PSM protocols for all polynomialtime computable functions can be based on oneway functions by using Yao’s garbled circuit construction [14, 20]. The simplicity of the PSM model makes it an attractive candidate for a complexity theoretic study (see, e.g., [2]) and its limited interaction pattern makes it useful in applications, such as minimizing the roundcomplexity of secure protocols in the standard pointtopoint model (see, e.g., [18]).
In this paper, we study the ad hoc version of the PSM model, where the referee receives messages from a subset of size k out of the n parties. We assume that the parameter k is known in advance, but the parties are not aware of the identity of other participating parties. Before describing our results in detail (in Sect. 1.1), we discuss some possible variants of the question. First, the original PSM model was mainly studied in the informationtheoretic security setting. In this work, we consider both the informationtheoretic variant and the computational variant. In fact, the computational version of ad hoc PSM was first considered in [4], where it was shown that such protocols can be constructed based on the existence of a weak form of MultiInput Functional Encryption (MIFE) [15], a primitive whose general realization is essentially equivalent to the existence of general indistinguishability obfuscation.
Second, the problem of ad hoc PSM is significantly different in the case where we are guaranteed that exactly k parties will send messages vs. the case where possibly more than k parties may participate. Most of the time, we will assume that only k parties send messages and that this guarantee is assured by some other mechanism, such as a public bulletin board reporting the current participant count, or an anonymous communication medium that hides all information except the fact that a message has been sent. On the other hand, in a setting where a set S of more than k parties may send messages in the protocol, the referee unavoidably may compute the function f on any subset \(S'\subset S\) of size k and learn the value \(f(x_{S'})\). Therefore, in this case, our security notion is a “best possible security” definition, requiring that this will be the only information that the referee learns in the protocol. This can be formalized either using a strong simulationbased definition or a weaker indistinguishabilitybased definition.
Finally, it will be convenient and, in fact, very natural in the adhoc setting to think of f as a symmetric function. Most of our results do not rely on this and can be extended to even allow the computed function to depend on the set of participants S, i.e. to output \(f_S(x_S)\).
1.1 Our Results
Let us start by demonstrating our results using a concrete task of computing the SUM function. In this case, each party \(P_i\) is given an input \(x_i\in {\mathbb {Z}}_m\) and the goal is to compute their sum \(\sum _{i\in [n]}x_i\) (all additions in this example are mod m). A standard PSM protocol for SUM works by giving the parties randomness \(r_1,\ldots ,r_n\in _R{\mathbb {Z}}_m\) subject to the constraint that \(\sum _{i\in [n]} r_i=0\). Then, each party \(P_i\), sends a message \(m_i=x_i+r_i\) to the referee who outputs \(\sum _{i\in [n]}m_i=\sum _{i\in [n]}x_i\), as needed. Moreover, due to the choice of the \(r_i\)’s, no additional information about the inputs is revealed to the referee.
In the adhoc version of the problem, we wish to compute the SUM of any set S of k parties that may send messages in the protocol. One option is to prepare, for each potential set S of size k, independent randomness \(r_1^S,\ldots ,r_k^S\) that is random subject to their sum being 0 and proceed by \(P_i\) sending a message (using the corresponding randomness \(r_j^S\)), for each set S to which it belongs. While this solution works, its randomness complexity and communication complexity are proportional to \(\left( {\begin{array}{c}n\\ k\end{array}}\right) \), which is much more than what we are shooting for. Instead, we describe an efficient solution for this problem.
In our ad hoc PSM protocol, the randomness consists of values \(r_1,\ldots ,r_n\in _R{\mathbb {Z}}_m\) subject to the constraint that \(\sum _{i\in [n]} r_i=0\), as in the original PSM protocol. In addition, we produce shares \(\{r_{j,i}\}_{i\in [n]}\), for each \(r_j\), using a koutofn secret sharing scheme (e.g., Shamir). The randomness given to each \(P_i\) consists of its \(r_i\) and its shares of all other random values; that is \(\{r_{j,i}\}_{j\in [n]\setminus \{i\}}\). Then, each party \(P_i\) that participates in the protocol (i.e., \(i\in S\)) sends as its message the value \(m_i=x_i+r_i\), as well as all its shares. The referee sums up all the \(m_i\)’s that it got from the k participants, as well as all the values \(r_j\), for \(j\notin S\), that it can reconstruct from the k shares that it received for each such \(r_j\), to get \(\sum _{i\in S}(x_i+r_i)+\sum _{i\notin S}r_i= \sum _{i\in S}x_i\), as needed. In terms of security, each \(r_i\), for \(i\in S\), remains hidden as the referee receives exactly \(k1\) shares for these random elements. In fact, the view of the referee can be simulated from its view in the original PSM, where parties \(P_j\), for \(j\notin S\), have input \(x_j=0\). Also note that if, say, \(k+1\) parties send messages then the referee learns all inputs. However, for the SUM function, the best possible security definition (that allows the referee to learn the output on all subsets of size k) allows to recover all \(k+1\) inputs in most cases (at least when \(\gcd (k,m)=1\)).
Next, we describe in some detail our main results. The first question that we ask (in Sect. 3) is whether the existence of a standard kparty PSM computing a function f guarantees the existence of a koutofn ad hoc PSM protocol for f. We first prove the existence of an inefficient transformation of this kind but that has an overhead of \(\left( {\begin{array}{c}n\\ k\end{array}}\right) \). While this transformation may be useful for the case where the number of parties is small (and also proves the existence of an ad hoc PSM protocol for every function f), our aim is to get an efficient transformation (i.e., with poly(n) overhead). We next present such a transformation that works whenever f is symmetric, and is efficient whenever k is small (essentially, \(2^{O(k)}\log n\)). When \(k=O(1)\), the overhead is as small as \(O(\log n)\) (this construction relies on perfect hash families, and its complexity depends on the size of such families of functions from [n] to [k]). The fact that the complexity of each party grows only logarithmically with the number of parties will be useful for the application discussed in Sect. 6.
Then, in Sect. 4, we ask whether an ad hoc PSM protocol for f can be constructed more efficiently based on a standard PSM protocol for a related (nargument) function g. We prove that this is indeed possible, while incurring only O(n) overhead over the complexity of the protocol for g. Moreover, the computational complexity of g is closely related to that of f in computational models for which efficient PSM protocols are known (e.g., if f is in NC\(^1\) then so is g, and if f has a polynomialsize branching program then so does g). This implies efficient ad hoc PSM protocols for branching programs in the informationtheoretic setting and for circuits in the computational setting, where the latter relies on the existence of a oneway function. In addition, in Sect. 5, we present an explicit ad hoc PSM for the equality function.
In Sect. 6, we show an interesting application of ad hoc PSM protocols. Specifically, we show how to construct an order revealing encryption (ORE) from an ad hoc PSM protocol for the “greaterthan” function. An order revealing encryption, presented in [10] as a generalization of order preserving encryption [1], is a privatekey encryption that enables computing the order between two messages (that is, checking if \(m_1 < m_2\), \(m_1=m_2\), or \(m_1 > m_2\)), given their encryptions (without knowing the private key), but does not disclose any additional information. We construct informationtheoretically secure order revealing encryption that is secure as long as only two messages are encrypted. In our construction, we use an ad hoc PSM protocol constructed in Sect. 3 with \(n=2^\lambda \) parties (where \(\lambda \) is the security parameter), relying on the fact that the complexity of each party in the protocol from Sect. 3 only grows logarithmically with the number of parties. We also give a solution for a bigger number of messages, but with a weaker security guarantee.
The above results refer to the case where exactly k parties send messages in the protocol. We next examine (in Sect. 7) the case where more than k (but up to some threshold t) parties may send messages. In this case, as discussed above, one needs to settle for a “best possible security” definition. We extend the above transformation from standard PSM to ad hoc PSM to this case, showing that it is possible to construct a PSM protocol for f with best possible security from a socalled “trobust PSM” protocol [5] for a related function \(g'\), incurring only O(n) overhead. A trobust PSM is a protocol where up to t parties may collaborate with the referee in trying to learn information about the inputs of other parties. In this case, it is always possible for the adversary to get the output of f on many inputs, by replacing the messages of the collaborating parties with messages that correspond to other inputs. Therefore, for such protocols also one may only hope for a “best possible security”. Our results connect these two best possible security settings (in both directions). It should be noted, however, that efficient trobust PSM protocols in the informationtheoretic setting are currently known only for limited families of functions, and limited values of t [5].
In Sect. 8, we examine the possibility of constructing efficient PSM protocols with best possible security, in the computational setting. (The naive transformation of Sect. 3 shows that it is possible to get best possible security even in the information theoretic case but without efficiency.) The twoway connection with trobust PSM already implies a twoway connection between this problem and generalpurpose obfuscation. However, it is not clear apriori that the connection has relevance in the case of simple functions. We give evidence that efficient adhoc PSM protocols with best possible security are difficult to design even for very simple functions. For instance, a protocol for a threshold function implies a construction of fuzzy point function obfuscation [7], a primitive whose only known constructions rely on multilinear maps. In fact, even a protocol for the AND function, gives a construction of point function obfuscation.
2 The Setting
We consider a network of n parties, denoted \(P_1,\dots ,P_n\), and a referee; Each party \(P_i\) holds an input \(x_i\), and the parties hold correlated random strings \(r_1,\ldots ,r_n\). We want to execute a protocol, where only a subset of the parties \(S\subseteq \{P_1,\dots ,P_n\}\) participates in the protocol, each one of them sends a single message to the referee. If exactly k parties participate and send messages then, based on these k messages, the referee should be able to compute the value \(f(x_S)\) but learn no other information about \(x_S\), where \(x_S=(x_i)_{i\in S}\). The subset S of participating parties is selected in an ad hoc manner and, in particular, the participating parties are not aware of each other. This is the main source of difficulty in this model. The referee itself necessarily learns the set of participants S (as it receives messages directly from the participants; avoiding this would require the use of anonymous communication). We often assume that f is symmetric; while this is a natural assumption in such a setting, most of our constructions can handle a much more general requirement, where the computed function itself may also depend on the set of participants S (i.e., the output is \(f_S(x_S)\)). We call the above model ad hoc PSM. We formalize this notion below starting with informationtheoretic secure protocols.
Definition 2.1

\(\textsc {Gen}()\) is a randomized function with output in \({{\mathcal {R}}}_1\times \cdots \times {{\mathcal {R}}}_n\),

\(\textsc {Enc}\) is an ntuple of deterministic functions \((\textsc {Enc}_1,\ldots ,\textsc {Enc}_n)\), where \(\textsc {Enc}_i:{{{\mathcal {X}}}}\times {{\mathcal {R}}}_i \rightarrow {{\mathcal {M}}}\),
 \(\textsc {Dec}:\left( {\begin{array}{c}[n]\\ k\end{array}}\right) \times {{\mathcal {M}}}^k \rightarrow \varOmega \) is a deterministic function satisfying the following correctness requirement: for any \(S=\{i_1,\dots ,i_k\}\subseteq [n]\) and \(x_S=(x_{i_1},\ldots ,x_{i_k})\in {{\mathcal {X}}}^k\),$$\begin{aligned} \Pr \Big [ \begin{array}{l} r=(r_1,\ldots ,r_n)\leftarrow \textsc {Gen}() \, : \\ \textsc {Dec}(S,\textsc {Enc}_{i_1}(x_{i_1},r_{i_1}), \dots ,\textsc {Enc}_{i_k}(x_{i_k},r_{i_k}))=f(x_S) \end{array} \Big ]= & {} 1. \end{aligned}$$
The randomness complexity of \(\varPi \) is the maximum of \(\log {{{\mathcal {R}}}_1},\ldots ,\) \(\log {{{\mathcal {R}}}_n}\). The communication complexity of \(\varPi \) is \(\log {{{\mathcal {M}}}}\).
Definition 2.2

For every set \(S \in \left( {\begin{array}{c}[n]\\ k\end{array}}\right) \), given the messages of S, the referee does not get any additional information beyond the value of \(f(x_S)\). Formally, there exists a randomized function \(\textsc {Sim}\) (a “simulator”) such that, for every \(S\in \left( {\begin{array}{c}[n]\\ k\end{array}}\right) \) and for every \(x_{S} \in {{\mathcal {X}}}^k\), we have \(\textsc {Sim}(S,f(x_S))\equiv M_S,\) where \(M_S\) are the messages defined by \(R \leftarrow \textsc {Gen}()\) and \(M_S=(\textsc {Enc}_{i}(x_{i},R_{i}))_{i \in S}\).

For every \(k'<k\) and every set \(S' \in \left( {\begin{array}{c}[n]\\ k'\end{array}}\right) \), given the messages of \(S'\), the referee does not get any information on the input \(x_{S'}\). Formally, there exists a randomized function \(\textsc {Sim}\) such that, for every \(k'<k\), every \(S' \in \left( {\begin{array}{c}[n]\\ k'\end{array}}\right) \) and every \(x_{S'} \in {{\mathcal {X}}}^{k'}\), we have \(\textsc {Sim}(S')\equiv M_{S'},\) where \(M_{S'}\) is defined as above.
Example 2.3
We next describe a very simple ad hoc PSM protocol for computing the difference of inputs for \(k=2\) parties; that is, for \(i<j\) we want to compute \(f(x_i,x_j)=x_ix_j\) (over some Abelian group G). The randomness generation chooses a random element \(r\in _R G\) and gives it to each party. The message of each \(P_i\) on input \(x_i\) is \(m_i=x_i+r\). The output of the referee on messages \(m_i,m_j\) from parties \(P_i,P_j\) (where \(i<j\)) is \(m_im_j=x_ix_j\). The simulator Sim proving the security of the protocol gets as an input a set \(S=\{i,j\}\) and \(\varDelta =x_ix_j\). It chooses a random value r and outputs \(r,r\varDelta \). Notice that both the messages in the protocol and the output of \(\textsc {Sim}\) is a pair (a, b), where a is uniformly distributed in G and b is \(af(x_i,x_j)\), thus the simulation is as required.
While in most parts of this paper we will assume that at most k parties send messages, we next consider the scenario that parties execute an ad hoc PSM protocol and a set T of more than k parties sends messages. Clearly, for every \(S \subset T\) of size k, the referee can compute the output of f on the inputs of S. Thus, the best possible security requirement is that the referee does not learn any additional information.
Definition 2.4
Remark 2.5
In Sect. 3.2, for every function f, we construct an inefficient (k, n) ad hoc PSM protocol. It follows from [16] (together with our result that (k, n)secure ad hoc PSM protocols imply obfuscation) that efficient (k, n)secure ad hoc PSM protocols for every function in NC\(^1\) do not exist unless the polynomialtime hierarchy collapses. This impossibility result does not rule out, for example, efficient (2, n)secure ad hoc PSM protocols for every function in NC\(^1\) (and beyond) or efficient \((k,k+1)\)secure ad hoc PSM protocols. We do not know if such efficient ad hoc PSM protocols exist.
For some functions the (k, t)security requirement is not interesting as the best possible security already reveals a lot of information. For other functions this notion is interesting.
Example 2.6
Let f be the 2party addition function over a field whose characteristic is not 2. Suppose that a referee got messages from parties \(P_1,P_2,P_3\) in an ad hoc PSM for f, thus, it can compute the sum of every two inputs of these parties, namely, \(x_1+x_2=s_{1,2},x_1+x_3=s_{1,3},\) and \(x_2+x_3=s_{2,3}\). From these sums it can compute the inputs, e.g., \(x_1=2^{1}(s_{1,2}+s_{1,3}s_{2,3})\).
Example 2.7
Consider the n / 2party AND function and an input where the value of exactly n / 2 of the input variables is 1. Assume that the referee gets messages from the n parties for this input. If the referee does not know the set of variables whose value is 1, then it will not be able to efficiently determine it.
We next consider computationallysecure ad hoc PSM protocols. In such protocols we want all algorithms to be efficient. We start by defining their syntax.
Definition 2.8

Algorithm \(\textsc {Gen}(1^\lambda )\) is a polynomial time algorithm that generates \(n(\lambda )\) random strings (for \(n(\lambda )\) parties).

Algorithms \(\textsc {Enc}\) and \(\textsc {Dec}\) run in polynomial time.
 There exists a negligible function \({\text {negl}}()\) such that for any \(\lambda \in {\mathbb {N}}\), any \(S\subseteq [n(\lambda )]\), and any \(x_S=(x_{i})_{i \in S}\in \left( \{0,1\}^{\ell (\lambda )}\right) ^{k(\lambda )}\),$$\begin{aligned} \Pr \left[ \begin{array}{l} r\leftarrow \textsc {Gen}(1^\lambda ): \textsc {Dec}\left( S,(\textsc {Enc}_{i}(x_{i},r_{i}))_{i \in S}\right) =f_\lambda (x_S) \end{array} \right]\ge & {} 1{\text {negl}}(\lambda ). \nonumber \end{aligned}$$
We next present three definitions of security for computational ad hoc PSM protocols. The first definition is simulationbased and it applies to ksecurity (i.e., to the scenario where exactly k parties send their messages).
Definition 2.9
Simulationbased security is a strong requirement that cannot be achieved for computational ad hoc PSM protocols with best possible security (see discussion in [3]). Thus, for such protocols, we define weaker security – virtual blackbox (VBB) security, where the adversary can output only one bit and that uses indistinguishabilitybased security. To simplify the notation, we only consider the case where \(t=n(\lambda )\).
Definition 2.10

The first probability is over the messages generated in the following way: first compute \(r\leftarrow \textsc {Gen}(1^\lambda )\) and then \( m_i\leftarrow \textsc {Enc}(x_i,r_i)\), for every \(i\in [n(\lambda )]\).

The second probability is over the randomness of the simulator, which has access to an oracle \(f_\lambda \) that on query \(S \in \left( {\begin{array}{c}[n(\lambda ]\\ k(\lambda )\end{array}}\right) \) returns \(f_\lambda (x_S)\).
Definition 2.11
 1.
The adversary on input \(1^\lambda \) chooses a set \(T \subseteq [n(\lambda )]\) and two inputs \((x_i^0)_{i\in T}\) and \((x_i^1)_{i\in T}\) and sends T and the two inputs to the challenger.
 2.
The challenger chooses a uniformly random bit \(b \in \{0,1\}\) and computes \((r_1,\dots ,r_n)\leftarrow \textsc {Gen}(1^\lambda )\) and \(m_i\leftarrow \textsc {Enc}(x_i^b,r_i)\), for every \(i \in T\). It then sends \((m_i)_{i \in T}\) to the adversary.
 3.
The adversary outputs a bit \(b'\).
The adversary wins the game if \(b'=b\) and \(f_\lambda (x^0_S)=f_\lambda (x^1_S)\), for every \(S \subseteq T\) such that \(S=k(\lambda )\).
We say that a computational ad hoc PSM protocol \((\textsc {Gen},\textsc {Enc},\textsc {Dec})\) is a \((k(\lambda ),n(\lambda ))\)indistinguishablysecure ad hoc PSM protocol for F if, for every nonuniform polynomialtime adversary \({\mathcal {A}}\), the probability that \({\mathcal {A}}\) wins is at most \(1/2+{\text {negl}}(\lambda )\) for some negligible function \({\text {negl}}\).
Our default model in the rest of the paper, unless explicitly mentioned, is (k, k)secure ad hoc PSM protocol with perfect security.
3 Ad hoc PSM Protocols for a Function f from a PSM for f
In this section we present a koutofn ad hoc PSM protocol for any function f by applying transformations to kparty PSM protocols for the same f.
3.1 From a PSM for f to an noutofn ad hoc PSM for f
In an nparty PSM protocol for f, if all n parties send messages, then the referee learns \(f(x_1,\dots ,x_n)\) and does not learn any additional information. In an noutofn ad hoc PSM protocol, there is an additional requirement: if less than n parties send messages, then the referee should learn no information. The definition of PSM does not imply the latter requirement.
Example 3.1
Consider a function which returns \(x_1\). In a PSM for this function, \(P_1\) can send its input, while in an ad hoc PSM protocol, this should not be done.
In many PSM protocols this additional requirement does hold. Furthermore, for many functions, the requirement for smaller sets of active participants follows from the security requirements of the PSM.
Example 3.2
Consider a PSM protocol for the AND function. If the input of \(P_n\) is 0, then the output of AND is 0 for every input for \(P_1,\dots ,P_{n1}\). Thus, the messages \(m_1,\dots ,m_n\) of \(P_1,\dots ,P_n\) are equally distributed when \(x_n=0\), for every input for \(P_1,\dots ,P_{n1}\). Since the messages of \(P_1,\dots ,P_{n1}\) are independent of \(x_n\), the messages of parties \(P_1,\dots ,P_{n1}\) are equally distributed for every input for these parties. I.e., in any PSM protocol for AND the referee does not learn any information from the messages of \(P_1,\dots ,P_{n1}\) or, similarly, any other set of less than n active participants.
Lemma 3.3
If there is an nparty PSM protocol \(\varPi \) for f with randomness complexity \({\mathrm {Rand}}(\varPi )\) and communication complexity \({\mathrm {Comm}}(\varPi )\), then there is an noutofn ad hoc PSM protocol for f with randomness complexity \({\mathrm {Rand}}(\varPi )+n\cdot {\mathrm {Comm}}(\varPi )\) and communication complexity \(n\cdot {\mathrm {Comm}}(\varPi )\).
Proof
We construct an ad hoc PSM protocol \(\varPi _\mathrm{ah}\) for f from the PSM protocol \(\varPi \) for f, as follows.

Randomness generation:

Generate randomness for the PSM protocol \(\varPi \); denote \(r_1,\dots ,r_n\) the generated randomness of \(P_1,\dots ,P_n\), respectively.

Choose n uniformly random strings \(u_1,\dots ,u_n\), each of length \({\mathrm {Comm}}(\varPi )\).

Share each \(u_j\), for \(j\in [n]\), using an noutofn secret sharing scheme; let \(u_{j,i}\) be the ith share of \(u_j\).

The randomness of \(P_i\) in \(\varPi _\mathrm{ah}\) is \(r_i,(u_{j,i})_{j\in [n]}\).

Message generation:

Let \(m_i\) be the messages of \(P_i\) in \(\varPi \) on input \(x_i\) and randomness \(r_i\).

The message of \(P_i\) in \(\varPi _\mathrm{ah}\) is \(m_i \oplus u_i\) and \((u_{j,i})_{j\in [n]}\).
If the n parties send their messages, then the referee can reconstruct \(u_i\) for every \(i \in [n]\), compute \(m_i\), and reconstruct \(f(x_1,\dots ,x_n)\) using the decoding algorithm of \(\varPi \).
The security of \(\varPi _\mathrm{ah}\) when n parties send messages follows from the security of \(\varPi \) (as the strings \(u_1,\dots ,u_n\) are random). When less than n parties send their messages, the referee gets less than n shares of each \(u_i\), thus, these strings act as random pads and the referee learns no information. \(\square \)
3.2 A Naive ad hoc PSM Protocol for Any f
In this section we show how to construct, given a (standard) kparty PSM protocol for f, a koutofn ad hoc PSM protocol for f that is nsecure (that is, if a set T of at least k parties send their messages, then the referee can compute the output of f on any subset of inputs of size k and learns no additional information).
Theorem 3.4
If there is a kparty PSM protocol \(\varPi \) for f with randomness complexity \({\mathrm {Rand}}(\varPi )\) and communication complexity \({\mathrm {Comm}}(\varPi )\), then there is a (k, n)secure ad hoc PSM protocol for f with randomness complexity \(\left( {\begin{array}{c}n\\ k\end{array}}\right) \cdot ({\mathrm {Rand}}(\varPi )+n\cdot {\mathrm {Comm}}(\varPi ))\) and communication complexity \(\left( {\begin{array}{c}n\\ k\end{array}}\right) \cdot n\cdot {\mathrm {Comm}}(\varPi )\).
Proof
Let \(\varPi _\mathrm{ah}\) be the koutofk ad hoc PSM protocol constructed from \(\varPi \) in Lemma 3.3. We construct an ad hoc PSM protocol \(\varPi '\) for f as follows:

For each set \(S \in \left( {\begin{array}{c}[n]\\ k\end{array}}\right) \), independently generate randomness for \(\varPi _\mathrm{ah}\) and give this randomness to the parties in S.

Each party \(P_i\) sends its message in protocol \(\varPi _\mathrm{ah}\), associated with the set \(S'\), for every \(S'\) of size k such that \(i \in S'\).

Function reconstruction by the referee: For a set S of k participating parties, the referee (only) uses the messages of the parties in S of the PSM \(\varPi _\mathrm{ah}\) for S to reconstruct \(f(x_S)\).
We next prove the security when a set T of size at least k sends messages. We claim that the referee only learns \(f(x_S)\) for every \(S\subseteq T\) of size k. Since the randomness of each execution of the PSM protocol \(\varPi _\mathrm{ah}\) is chosen independently, the referee can only learn information from the messages of \(\varPi _\mathrm{ah}\) for each set S of size k. In an execution for a set \(S \subseteq T\) it can only learn \(f(x_S)\). In any execution of the PSM protocol for S such that \(S \not \subseteq T\), the referee misses a message of at least one party thus, by Lemma 3.3, learns no information from this execution.
The randomness and communication of the ad hoc PSM protocol \(\varPi '\) are \(\left( {\begin{array}{c}n\\ k\end{array}}\right) \) times larger than the randomness and communication, respectively, of the PSM protocol \(\varPi _\mathrm{ah}\). \(\square \)
As every function f has a PSM realizing it [14, 17], the previous theorem implies that every function has an ad hoc PSM protocol.
Corollary 3.5
For every kargument function f, there is an nsecure koutofn ad hoc PSM protocol realizing f.
3.3 A 2outofn ad hoc PSM Protocol from a PSM Protocol for f
Suppose that we have a 2party PSM protocol \(\varPi \) for a symmetric function f. We denote the parties in this PSM by \(Q_0\) and \(Q_1\). We want to construct an ad hoc PSM protocol \(\varPi ^*\) for f using \(\varPi \). The idea is to instruct the first party \(P_i\) to simulate \(Q_0\) and instruct the second party \(P_j\) to simulate \(Q_1\). The problem is that in an ad hoc PSM protocol a party does not know who the other party is; informally, it does not know if it is the “first party” or the “second party”. Instead, we execute a few copies of the PSM protocol \(\varPi \) where, in some copies of the PSM, party \(P_i\) plays the role of \(Q_0\), and in other copies it plays the role of \(Q_1\). Specifically, we view each \(i\in [n]\) in its \(\log n\)bit binary representation \(i=(i_1,\dots ,i_{\log n})\), and execute \(\log n\) copies of \(\varPi \), where in the \(\ell \)th copy \(P_i\) plays the role of \(Q_{i_\ell }\). Since for any \(i\ne j\), there exists an index \(\ell \) such that \(i_\ell \ne j_\ell \), in the \(\ell \)th copy \(P_i,P_j\) simulate both \(Q_0\) and \(Q_1\) and the referee can compute f from this copy.
However, information can now leak when \(P_i\) and \(P_j\) simulate, in some copy, the same \(Q_b\); that is, if \(i_\ell =j_\ell \), for some \(\ell \). In particular, in such copy, \(P_i\) and \(P_j\) send the same message if \(x_i=x_j\). To overcome this problem, in the \(\ell \)th copy, where party \(P_i\) plays the role of \(Q_{i_\ell }\), party \(P_i\) “encrypts” its message m using a key \(k_{i_\ell }\) and each party playing the role of \(Q_{\bar{i_\ell }}\) sends the key \(k_{i_\ell }\) as part of its message. Thus, if both \(P_i,P_j\) play the role of the same party \(Q_b\), then the referee does not obtain the key, and cannot learn any information from this copy of the PSM. The formal description of the ad hoc PSM protocol \(\varPi ^*\) follows.

Let p be a prime such that \(\log p \ge \max \{{\mathrm {Comm}}(\varPi ),\log n\}\), where \({\mathrm {Comm}}(\varPi )\) is the length of the messages in the PSM protocol \(\varPi \). All arithmetic in the protocol is in \({\mathbb {F}}_p\).
 For \(\ell =1\) to \(\log n\):

Independently generate randomness for the PSM protocol \(\varPi \); denote by \(r_{\ell ,0},r_{\ell ,1}\) the generated randomness of \(Q_0,Q_1\), respectively.

Choose four random values \(a_{\ell ,0},b_{\ell ,0},a_{\ell ,1},b_{\ell ,1} \in _R {\mathbb {F}}_p\).

 The randomness of \(P_i\), where \(i=(i_1,\dots ,i_{\log n})\), is$$\begin{aligned}(r_{\ell ,i_\ell },a_{\ell ,0},b_{\ell ,0},a_{\ell ,1},b_{\ell ,1})_{1 \le \ell \le \log n}.\end{aligned}$$

For every \(\ell \in \{1,\dots ,\log n\}\), party \(P_i\) computes \(m_{i,\ell }\) – the message that \(Q_{i_\ell }\) sends in \(\varPi \) on input \(x_i\) with randomness \(r_{\ell ,i_\ell }\). \(P_i\) sends \((m_{i,\ell } + a_{\ell ,i_\ell } \cdot i +b_{\ell ,i_\ell } )_{1 \le \ell \le \log n}\) and \((a_{\ell ,\bar{i_\ell }},b_{\ell ,\bar{i_\ell }})_{1 \le \ell \le \log n}\).
Assume that \(P_i\) and \(P_j\) send messages and the referee wants to compute \(f(x_i,x_j)\). It finds an index \(\ell \) such that \(i_\ell \ne j_\ell \). Without loss of generality, \(i_\ell =0\) and \(j_\ell =1\), that is, in the \(\ell \)th copy of \(\varPi \), party \(P_i\) plays the role of \(Q_0\) and \(P_j\) plays the role of \(Q_1\). As \(P_i\) sends \(m_{i,\ell }+ a_{\ell ,0} \cdot i+b_{\ell ,0} \) and \(P_j\) sends \(a_{\ell ,0},b_{\ell ,0}\), the referee can recover \(m_{i,\ell }\) – the message of \(Q_0\). Similarly, the referee can recover \(m_{j,\ell }\) – the message of \(Q_1\) – and, using the reconstruction procedure of \(\varPi \), it can compute \(f(x_i,x_j)\).
By the privacy property of protocol \(\varPi \), the referee does not learn any additional information from an \(\ell \)th copy of the PSM, where \(i_\ell \ne j_\ell \). Furthermore, this is true also for the concatenation of the messages in all the copies where \(i_\ell \ne j_\ell \); note that since f is symmetric the output of the protocol in each such copy is the same. On the other hand, in any copy where \(i_\ell = j_\ell \), the referee gets two “encrypted” messages \(m_{i,\ell }+a_{\ell ,i_\ell } \cdot i+b_{\ell ,i_\ell }\) and \(m_{j,\ell }+a_{\ell ,i_\ell } \cdot j +b_{\ell ,i_\ell }\). Since \(i\ne j\) (and \(a_{\ell ,i_\ell } ,b_{\ell ,i_\ell }\) are random), then all pairs of “encrypted” messages are possible and the referee learns no information from this copy of \(\varPi \). The security of \(\varPi ^*\) follows.
3.4 A koutofn ad hoc PSM Protocol from a PSM Protocol for f
We want to generalize the above ad hoc PSM protocol \(\varPi ^*\) to larger values of k. Again, we will execute many copies of the original kparty PSM protocol \(\varPi \). The properties we require are: (1) for every set \(S \subseteq [n]\) of size k, there exists a copy in which the parties in S play roles of distinct parties in \(\varPi \), and (2) in copies where the parties in S do not play roles of distinct parties in \(\varPi \), no information is leaked. To achieve the first requirement, we use a perfect hash family.
Definition 3.6
A perfect hash family \(H=\{h:[n]\rightarrow [k]\}\) is a set of functions such that for any set \(S\subseteq [n]\) of size k, there exists at least one \(h \in H\) that is 11 over S.
Example 3.7
For \(k=2\), the family of bitfunctions \(H=\{h_1,\dots ,h_{\log n}\}\), where \(h_\ell (i)=i_\ell +1\) (and \(i_\ell \) is the \(\ell \)th bit in the binary representation of i) is a perfect hash family.
A perfect hash family with \(\left( {\begin{array}{c}n\\ k\end{array}}\right) \) functions can be easily constructed, but much more efficient constructions, probabilistic or explicit, are possible. E.g., picking the h’s at random, it is enough to have \(H \approx e^k\cdot k \log n\) (for a specific sizek set S, a random function is 11 w/prob \(k!/k^k > e^{k}\), by Sterling formula, and we need to take care of about \(n^k\) such sets).
We next describe the ad hoc PSM protocol, assuming a kparty PSM protocol \(\varPi \) for a symmetric function f and a perfect hash family H.
Theorem 3.8
Assume that there is a kparty PSM protocol \(\varPi \) for a symmetric function f with randomness complexity \({\mathrm {Rand}}(\varPi )\) and communication complexity \({\mathrm {Comm}}(\varPi )\). Then, there is a koutofn ad hoc PSM protocol for f with randomness complexity \(O(e^k\cdot k \log n\cdot \left( {\mathrm {Rand}}(\varPi )+k^2\cdot \max \{{\mathrm {Comm}}(\varPi ),\log n\}\right) )\) and communication complexity \(O(e^k \cdot k^3 \log n \max \{{\mathrm {Comm}}(\varPi ),\log n\})\).
Proof
Denote the parties of \(\varPi \) by \(Q_1,\dots ,Q_k\). We construct a koutofn ad hoc PSM protocol \(\varPi ^*\) as follows.

Let p be a prime such that \(\log p \ge \max \{{\mathrm {Comm}}(\varPi ),\log n\}\), where \({\mathrm {Comm}}(\varPi )\) is the length of the messages in \(\varPi \).
 For every \(h \in H\) do:

Independently generate randomness for the hth copy of \(\varPi \); let \(r_{h,1},\dots ,r_{h,k}\) be the generated randomness for \(Q_1,\dots ,Q_k\) respectively.

Choose k random polynomials \(A_{h,1}(Y),\dots ,A_{h,k}(Y)\) of degree \(k1\) over \({\mathbb {F}}_p\).

Consider each polynomial \(A_{h,j}(Y)\) as an element in \({\mathbb {F}}_p^k\) and share it in a koutofk additive sharing scheme; denotes its shares as \(A_{h,j,1},\dots ,A_{h,j,k}\).

 The randomness of \(P_i\) in the ad hoc PSM protocol \(\varPi ^*\) is$$\begin{aligned}(r_{h,h(i)},A_{h,h(i)},A_{h,1,h(i)},\dots ,A_{h,k,h(i)})_{h\in H}.\end{aligned}$$

For every \(h\in H\), party \(P_i\) computes \(m_{i,h}\) – the messages that \(Q_{h(i)}\) sends in the PSM protocol \(\varPi \) on input \(x_i\) with randomness \(r_{h,h(i)}\). Party \(P_i\) sends \((A_{h,h(i)}( i )+ m_{i,h})_{h\in H}\) and, in addition, the shares \((A_{h,j,h(i)})_{h \in H,j\in [k]}\).
Assume that a set S of size k sends messages and the referee wants to compute \(f(x_S)\). The referee finds a function \(h \in H\) that is 11 on S. Let \(i \in S\). Party \(P_i\) plays the role of \(Q_{h(i)}\) in the hth copy of \(\varPi \), and sends the message \(A_{h,h(i)}( i )+ m_{i,h}\). Furthermore, all k parties in S send their shares in a koutofk secretsharing scheme with the secret \(A_{h,h(i)}\). Thus, the referee can reconstruct \(A_{h,h(i)}\), compute \(A_{h,h(i)}( i )\), and recover \(m_{i,h}\). Similarly, the referee can recover all k messages in the hth copy of \(\varPi \) and can decode \(f(x_S)\).
By the privacy property of protocol \(\varPi \), the referee does not learn any additional information from an hth copy of \(\varPi \), for every h such that h is 11 on S. Furthermore, this is true also for the concatenation of the messages in all such copies and, since f is symmetric, the output of the protocol in each such copy is the same. On the other hand, in any copy where h is not 11 on S, the referee does not get any information on \(A_{h,h(i)}\), since it gets at least two identical shares of this secret. The referee gets at most k messages “encrypted” by the same secret key \(A_{h,h(i)}\). The values \(\{A_{h,h(i)}( i )\}_{i \in S}\) are k points on a random polynomial of degree \(k1\), thus, they are uniformly distributed and serve as random pads, i.e., the referee gets no information from such hth copy of the PSM \(\varPi \).
Remark 3.9
There may be several functions in H, say \(h,h'\), that are 11 on S (and, moreover, \(h_S\) is different than \(h'_S\)). Since we assume here that the function f is symmetric, the output is the same in both copies of \(\varPi \) and, since the randomness is independent, there is no additional information. If f was not symmetric the referee may learn multiple outputs (under different orders) and hence additional information on the input.
4 An ad hoc PSM Protocol Based on a PSM Protocol for a Related Function
In this section we construct an ad hoc PSM protocol for f from a PSM protocol for a related function g. The construction is similar to the construction of the ad hoc PSM protocol for SUM described in Sect. 1.1. To construct the ad hoc PSM protocol for the k argument function \(f:X^k\rightarrow Y\), we define a (partial) nargument function \(g:(X\cup \{\bot \})^n\rightarrow Y\cup \{\bot \}\), where if there are more than \(nk\) inputs that are \(\bot \), the function outputs \(\bot \), if there are exactly \(nk\) inputs that are \(\bot \), the function outputs the output of f on the k non\(\bot \) inputs, and if there are less than \(nk\) inputs that are \(\bot \), then the function is undefined (in the latter case, we do not care what g outputs).
Lemma 4.1
If there exists a PSM protocol \(\varPi _g\) for g with randomness complexity \({\mathrm {Rand}}(\varPi _g)\) and communication complexity \({\mathrm {Comm}}(\varPi _g)\), then there exists an ad hoc PSM protocol for f with randomness complexity \({\mathrm {Rand}}(\varPi _g)+ n\cdot \max \{{\mathrm {Comm}}(\varPi _g),\log n\}\) and communication complexity \(n\cdot \max \{{\mathrm {Comm}}(\varPi _g),\log n\}\).
Proof
We construct an ad hoc PSM protocol \(\varPi _f\) for f from the PSM protocol \(\varPi _g\) as follows.

Generate randomness for the PSM protocol \(\varPi _g\); let \(r_1,\dots ,r_n\) be the generated randomness of \(P_1,\dots ,P_n\), respectively.

Let \(m_{\bot ,j}\) be the message that \(P_j\) sends in \(\varPi _g\) with randomness \(r_j\) and input \(\bot \). Share \(m_{\bot ,j}\) using a koutofn secret sharing scheme; let \(m_{\bot ,j,i}\) be the ith share.

The randomness of \(P_i\) in the ad hoc PSM protocol is \(r_i,(m_{\bot ,j,i})_{j\ne i}\).

The message of \(P_i\) on input \(x_i\) is its message on input \(x_i\) and randomness \(r_i\) in the PSM protocol \(\varPi _g\) and, in addition, \((m_{\bot ,j,i})_{j\ne i}\).
Assume that parties in a set S of size exactly k send messages. Then, the referee has the k messages in \(\varPi _g\) of the parties in S with inputs \(x_i\ne \bot \) and, for each \(j \notin S\), it has k shares of the message \(m_{\bot ,j}\). Thus, the referee can reconstruct \(g(y_1,\dots ,y_n)=f((x_i)_{i \in S})\), where \(y_i=x_i\) if \(i \in S\) and \(y_i=\bot \) otherwise. On the other hand, since each party \(p_i \in S\) does not send its share of \(m_{\bot ,i}\), the referee gets \(k1\) shares of \(m_{\bot ,i}\); hence, the referee has no information on \(m_{\bot ,i}\). Thus, when k parties send messages, the referee in \(\varPi _f\) has the same information that the referee has in \(\varPi _g\) and the privacy requirement for \(\varPi _f\) protocol follows from the privacy requirement of the PSM \(\varPi _g\).
Assume that parties in a set S of size less than k parties send messages. In this case, we claim that the referee in \(\varPi _f\) gets no information even if we give it more information, namely, \(m_{\bot ,j}\) for every \(P_j \notin S\). In this case, the referee gets messages of inputs whose output is \(\bot \). By the privacy of the PSM protocol, these messages are distributed as the messages when all the inputs are \(\bot \), that is, the referee does not learn any information on the inputs.
The randomness in the above ad hoc PSM \(\varPi _f\) is \({\mathrm {Rand}}(\varPi _g)+ n\cdot {\mathrm {Comm}}(\varPi _g)\). The communication in \(\varPi _f\) is \(O(n\cdot {\mathrm {Comm}}(\varPi _g))\) (assuming \({\mathrm {Comm}}(\varPi _g)\) is at least \(\log n\)). \(\square \)
Example 4.2
Assume that \(f:\{0,1\}^k\rightarrow \{0,\dots ,k\}\) is a symmetric function (that is, the output of f only depends on the number of 1’s in the input). The function f has a small branching program (i.e., the size of the branching program is \(O(k^2)\)), thus f itself has an efficient PSM protocol [17]. Furthermore, the function g has a branching program of size \(O(nk^2)\), thus, it has an efficient PSM protocol, i.e., a PSM with communication complexity \(O(n^2k^4)\). This implies an ad hoc PSM protocol for f with communication \(O(n^3k^4)\).
If a function f has a small nondeterministic branching program, then the corresponding function g has a small nondeterministic branching program, thus, by [17], g has an efficient PSM protocol. By Lemma 4.1, we get for all \(k\le n\) efficient ksecure ad hoc PSM protocols for every function that has a small nondeterministic branching programs.
Similarly, if f has a small circuit, then g has a small circuit, thus, by using Yao’s garbled circuit construction [14, 20] we get a simulationbasedsecure PSM for g assuming the existence of a oneway function. By Lemma 4.1, we get for all \(k\le n\) efficient computational ksecure ad hoc PSM protocols (with simulationbasedsecurity) for every function that has a small circuit assuming the existence of a oneway function.
5 A Protocol for Equality
Define the equality function \(\mathrm {EQ}:(\{0,1\}^\ell )^k \rightarrow \{0,1\}\) as the function, whose input is k strings of length \(\ell \) and whose output is 1 if and only if all strings are equal. We next present an ad hoc PSM protocol for \(\mathrm {EQ}\).
Lemma 5.1
There is a statisticallysecure ad hoc PSM protocol for \(\mathrm {EQ}\) whose randomness complexity and communication complexity are \(O(n+\ell )\).
Proof
We next describe the ad hoc PSM protocol.

Let p be a prime number such that \(\log p > \max \{n,\ell \}\).

Choose at random an element \(a\in {\mathbb {F}}_p\) such that \(a \ne 0\).

Choose \(k1\) random elements \(r_0,\dots ,r_{k2}\) in \({\mathbb {F}}_p\) and define the polynomial \(Q(Y)=\sum _{i=0}^{k2} r_i Y^i\) (over \({\mathbb {F}}_p\)).

Choose n random elements \(j_1,\dots ,j_{n}\) in \({\mathbb {F}}_p\)

The randomness of \(P_i\) in the ad hoc PSM protocol is \((j_i,Q(j_i),a)\).

\(P_i\) sends \(j_i,Q(j_i)+a x_i\).

Assume the referee gets k pairs \((\ell _1,z_1),\dots ,(\ell _k,z_k)\). If all point lie on a polynomial of degree \(k2\) answer “equal”, otherwise answer “not equal”.
First assume that all k inputs are equal, say to \(\alpha \). In this case the k pairs lie on the polynomial \(Q(Y)+a\alpha \) and the referee answers “equal”. Furthermore, since the free coefficient of \(Q(Y)+a\alpha \) is \(r_0+a\alpha \), the values \((\ell _1,z_1),\dots ,(\ell _k,z_k)\) are independent of \(\alpha \).
We next consider the case that not all of the k inputs are equal. Since \(j_1,\dots ,j_{n}\) are uniformly distributed, we can assume, without loss of generality, that \(S=\{P_1,\dots ,P_k\}\). Fix any inputs \(x_1,\dots ,x_k\) such that \(x_k\ne x_\ell \) for some \(1\le \ell <k\) (again, this is w.l.o.g.). We prove that with probability at least \(1k/p\) over the choice of \(j_1,\dots ,j_{k}\), the values \(z_1,\dots ,z_k\) are uniformly distributed in \({\mathbb {F}}_p^k\). In particular, this implies that with probability at least \(1k/p\), the referee answers “not equal”. Furthermore, it implies the privacy for this case.
6 Order Revealing Encryption from an Ad Hoc PSM Protocol
An order revealing encryption is a privatekey encryption that enables computing the order between two messages (that is, checking if \(m_1 < m_2\), \(m_1=m_2\), or \(m_1 > m_2\)), given their encryptions (without knowing the private key), but does not disclose any additional information. In this section, we show how to use ad hoc PSM protocols to construct informationtheoretically secure order revealing encryption that is 2bounded (namely, the encryption is secure as long as only two messages are encrypted).
Definition 6.1
Definition 6.2

\({\textsc {Gen}}_{\text {ORE}}\) is a randomized key generation algorithm, that on input \(1^\lambda \) (where \(\lambda \) is a security parameter), outputs a key k;

\({\textsc {Enc}}_{\text {ORE}}\) is an encryption algorithm, that on input message m and a key k, outputs an encryption c;
 \({\textsc {Dec}}_{\text {ORE}}\) is a decryption algorithm, that on input an encryption c and a key k, outputs a message m satisfying the following correctness requirement for any \(m\in \{0,1\}^\ell \):$$\begin{aligned} \Pr \Big [k\leftarrow {\textsc {Gen}}_{\text {ORE}}(1^\lambda ) : {\textsc {Dec}}_{\text {ORE}}\left( {\textsc {Enc}}_{\text {ORE}}(m,k),k\right) =m\Big ] \,\ge \,1\epsilon (\lambda ). \end{aligned}$$
 \({\textsc {Comp}}_{\text {ORE}}\) is a comparison algorithm, that given any two encryptions \(c_1,c_2\), outputs a value in \(\{1,0,1\}\) such that for any \(m_1,m_2\in \{0,1\}^\ell \):$$\begin{aligned}\Pr \left[ \begin{array}{l} k\leftarrow {\textsc {Gen}}_{\text {ORE}}(1^\lambda ), c_1 \leftarrow {\textsc {Enc}}_{\text {ORE}}(m_1,k), \\ c_2 \leftarrow {\textsc {Enc}}_{\text {ORE}}(m_2,k) : {\textsc {Comp}}_{\text {ORE}}\left( c_1,c_2\right) =\mathrm{GTE}_\ell (m_1,m_2) \end{array} \right] \ge 1\epsilon (\lambda ).\end{aligned}$$
If the comparison algorithm is the comparison over the integers (e.g., it returns \(1\) whenever \(c_1 < c_2\)), then the encryption is called Order Preserving Encryption (OPE).
Remark 6.3
Given the private key k and an encryption c, one can use a binary search using \({\textsc {Comp}}_{\text {ORE}}\) to decrypt c. That is, we do not need to specify the decryption algorithm. For efficiency, one can avoid this binary search by encrypting the message using a standard (semantically secure) encryption scheme in addition to the ORE encryption.
We next define the security requirement of ORE. Our definition is the information theoretic analogue of the INDOCPA security requirement from [8]. The definition of INDOCPA is similar to the traditional INDCPA definition of private key encryption, however, as the adversary can learn the order between two messages from their encryptions, the INDOCPA definition prevents the adversary from using this information by limiting the encryption queries that it can make (see (1) in Definition 6.4 below).
Definition 6.4

The input of both parties is a security parameter \(1^\lambda \) and a bound on the number of queries \(1^t\).

The challenger chooses a random bit b with uniform distribution and generates a key \(k \leftarrow {\textsc {Gen}}_{\text {ORE}}(1^\lambda )\).
 For \(i=1\) to t do:

The adversary chooses two message \(m^i_0,m^i_1\in \{0,1\}^\ell \) and sends them to the challenger.

The challenger computes \(c_i \leftarrow {\textsc {Enc}}_{\text {ORE}}(m^i_b,k)\) and sends \(c_i\) to the adversary.


The adversary returns a bit \(b'\).
We next describe some relevant results for OPE and ORE. In this discussion all encryption schemes are computationally secure. Order preserving encryption was introduced by Agrawal et al. [1]; their motivation was encrypting a database while allowing to answer range queries given the encrypted data (without the secret key). A cryptographic treatment of OPE was given by Boldyreva et al. [8, 9]; they gave a formal definition of OPE (called INDOCPA) and showed that, in any OPE satisfying this definition, the length of the encryption is \(2^{\omega (\ell )}\), where \(\ell \) is the length of the messages (this is true even if the attacker can only ask to encrypt 3 messages). In a follow up work, Boldyreva et al. [10, 11] defined ORE. As ORE is a special case of multiinput functional encryption (MIFE) [15], it is implied by indistinguishability obfuscation (iO). Boneh et al. [12] constructed ORE directly from multilinear maps (with bounded multilinearity). tbounded ORE can be constructed based on the LWE assumption or from pseudorandom generators computable by smalldepth circuits [13].
We next show how to construct ORE from an ad hoc PSM protocol for the greater than function \(\mathrm{GTE}_\ell \).
Theorem 6.5
There exists a 2bounded \(1/2^\lambda \)secure ORE with messages in \(\{0,1\}^\ell \) and encryptions of length \(O(\ell ^2\lambda +\lambda ^2)\).
Proof
We start with a 2outofn ad hoc PSM protocol \(\varPi _{\mathrm{GTE}}\) for \(\mathrm{GTE}\): The function \(\mathrm{GTE}_\ell \) has a deterministic branching program of size \(O(\ell )\) thus, by [17], it has a PSM protocol with randomness and communication complexity \(O(\ell ^2)\). By Theorem 3.8, \(\mathrm{GTE}_\ell \) has an ad hoc PSM protocol with complexity \(O( \ell ^2 \log n+\log ^2 n)\). Note that Theorem 3.8 requires that the function for which we construct an ad hoc PSM protocol is symmetric. As \(\mathrm{GTE}_\ell (m_2,m_1)=\mathrm{GTE}_\ell (m_1,m_2)\), the transformation described in Theorem 3.8 from a PSM protocol to an ad hoc PSM protocol is valid for \(\mathrm{GTE}_\ell \).
We next describe a construction of ORE, that is, we desribe algorithms \(({\textsc {Gen}}_{\text {ORE}},{\textsc {Enc}}_{\text {ORE}},{\textsc {Comp}}_{\text {ORE}})\) (by Theorem 6.3 we do not need to describe \({\textsc {Dec}}_{\text {ORE}}\)). We use the ad hoc PSM \(\varPi _{\mathrm{GTE}}\) with \(n=2^\lambda \) parties (where \(\lambda \) is the security parameter).

Algorithm \({\textsc {Gen}}_{\text {ORE}}\) generates a key k by choosing a random string for \(\textsc {Gen}_{\mathrm{GTE}}\), this key has length \(O( \ell ^2 \log n+\log ^2 n)\). We emphasize that during the key generation we do not apply \(\textsc {Gen}_{\mathrm{GTE}}\) as its output is too long (it contains n stings).

Algorithm \({\textsc {Enc}}_{\text {ORE}}\) encrypts a message x by choosing a random party \(P_i\) (where \(1 \le i \le n\)) and using \(\textsc {Gen}_{\mathrm{GTE}}(k)\) to generate the random string \(r_i\) of \(P_i\) in \(\varPi _{\mathrm{GTE}}\).^{2} The encryption of x is i and \(c\leftarrow \textsc {Enc}_{\mathrm{GTE},i}(x,r_i)\) – the message of \(P_i\) on input x and randomness \(r_i\).

Algorithm \({\textsc {Comp}}_{\text {ORE}}((i_1,c_1),(i_2,c_2))\) returns \(\textsc {Dec}_{\mathrm{GTE}}(\{i_1,i_2\},c_1,c_2)\) if \(i_1\ne i_2\) and “FAIL” otherwise.
If two messages are encrypted using different parties (i.e., \(i_1\ne i_2\)), then the correctness of the comparison and the security of \(\varPi _{\mathrm{GTE}}\) guarantees that, given the two encryptions, exactly their order is revealed (i.e., the first message is smaller, equal, or greater than the second message). If the two messages are encrypted using the same party (i.e., \(i_1=i_2\)), then correctness and security are not guaranteed. However, the probability of this event is \(1/n=1/2^\lambda \), which is negligible. \(\square \)
Remark 6.6
In the proof of Theorem 6.5, we can replace the ad hoc PSM protocol for \(\mathrm{GTE}_\ell \) obtained via the PSM protocol from [17] by any ad hoc PSM protocol for \(\mathrm{GTE}_\ell \) as long as its complexity is \(\eta (n,\lambda ) \log ^c n\) for some function \(\eta \) and constant c. In particular, if we use a (2, t)secure ad hoc PSM protocol for \(\mathrm{GTE}_\ell \), then the resulting ORE would be tbounded secure.

The key generation algorithms generates keys for \(\alpha ={\text {poly}}(\lambda ,t)\) copies of the ORE of Theorem 6.5.

The encryption algorithms encrypts m using a random subset of the keys of size \(\lambda \sqrt{\alpha }\).

Given encryptions of two messages, if there is a key that was used to encrypt both messages, then use the comparison algorithm of that copy to compare the two messages. The probability that no such key exists is \(2^{O(\lambda )}\).
The security of the above ORE is guaranteed as long as no 3 messages are encrypted with the same key. The probability that there are 3 messages that are encrypted under the same key can be reduced to \(1/\lambda \) if \(\alpha \) is big enough.
7 NIMPC Vs. (k, t)Secure Ad Hoc PSM
In this section we consider two notions of PSM protocols, (k, t)secure ad hoc PSM protocols and NonInteractive secure MPC (NIMPC) protocols. Recall that an ad hoc PSM is (k, t)secure if the referee getting at most t messages does not learn any information beyond the value of f on any subset of size k of the inputs. A trobust NIMPC for a function f is a PSM protocol, where a referee colluding with t parties can only compute the values of the function when the inputs of the noncolluding parties is fixed (see [4] for a formal definition of NIMPC protocols). We show that the existence of NIMPC protocols is equivalent to the existence of (k, t)secure ad hoc PSM protocols.
In the informationtheoretic setting, these results should be interpreted as negative results, maybe implying that efficient protocols do not exists in both models. In the computaional setting, this results imply an efficient construction of computational ad hoc PSM protocols.
7.1 Ad hoc PSM \(\Rightarrow \) NIMPC
Given an noutof2n ad hoc PSM protocol for a boolean function f, we construct an nparty robust NIMPC protocol for f with the same complexity.
Lemma 7.1
If there exists an (n, t)secure noutof2n ad hoc PSM protocol for a boolean function \(f:\{0,1\}^n \rightarrow \{0,1\}\), then there exists an nparty \((tn)\)robust NIMPC protocol for f with the same communication complexity.
Proof
Let \(\varPi ^*\) be the guaranteed ad hoc PSM protocol. Consider the following NIMPC protocol \(\varPi \).

Let \(r_1,\dots ,r_{2n}\leftarrow \textsc {Gen}_{\varPi ^*}()\).

Choose at random n random bits \(b_1,\dots ,b_n\).
 For \(i\in [n]\) let

\(M_{i,0} \leftarrow (2ib_i,\textsc {Enc}_{\varPi ^*,2ib_i}(r_{2ib_i},0))\).

\(M_{i,1} \leftarrow (2i1+b_i,\textsc {Enc}_{\varPi ^*,2i1+b_i}(r_{2i1+b_i},1))\).


The randomness of \(P_i\) is \(M_{i,0},M_{i,1}\).

\(P_i\) on input \(x_i \in \{0,1\}\) sends \(M_{i,x_i}\).

The referee gets n messages, where for each i it gets from \(P_i\) either the messages of \(P_{2i}\) or \(P_{2i1}\). It uses the decryption of \(\varPi ^*\) to compute f.
We next argue that \(\varPi \) is robust. Let A be a set of parties in \(\varPi \) of size \(\tau \le tn\). The randomness of A and the messages of all other parties in \(\varPi \) are messages of distinct \(n+\tau \le t\) parties in \(\varPi ^*\). By the (n, t)security of \(\varPi ^*\), from these messages the referee in \(\varPi ^*\) can only compute the output of f on any subset of size n of these parties in \(\varPi ^*\), i.e., the inputs of the parties in \(\varPi \) that are not in A are fixed. Thus, in \(\varPi \), the referee and the set A can only compute the residential function. Thus, the (n, t)security of \(\varPi ^*\) implies the \((tn)\)robustness of \(\varPi \). Notice that the referee knows the identity of the party in \(\varPi ^*\) for which the messages was generated; however, by choosing random \(b_i\)’s, it does not know if this message is for an input 0 or 1. \(\square \)
7.2 NIMPC \(\Rightarrow \) Ad Hoc PSM
Our goal is to construct a (k, t)secure ad hoc PSM protocol for a boolean function f from an NIMPC protocol \(\varPi \) computing a related function. We would like to use ideas similar to the construction in Sect. 4. Recall that, given a kargument function \(f:X^k\rightarrow Y\), we defined an nargument function \(g:(X\cup \{\bot \})^n\rightarrow Y\cup \{\bot \}\), where if there are exactly \(nk\) inputs that are \(\bot \) then the output of g is the output of f on the k non\(\bot \) inputs, and it is \(\bot \) otherwise.^{3} We constructed a ksecure ad hoc PSM protocol for f by first generating the randomness using the PSM for g, and sharing the messages of each party with input \(\bot \). We would like to start from an NIMPC protocol for g and get a (k, t)secure ad hoc PSM protocol for f. There is a problem with this solution – in the resulting ad hoc PSM protocol the referee will get for each active party messages for some input \(x_i\) and for the input \(\bot \). The definition of the robustness of NIMPC protocols guarantees that if it gets one message from a party, then the referee can only evaluate the function on points where the input of this party is fixed to some (unknown) value. The definition does not guarantee that if a referee gets two messages from one party then it can only evaluate the output on points where the input of this party is fixed to one of these two (unknown) values.
Theorem 7.2
If there is a 3nparty 2nrobust NIMPC protocol \(\varPi _{g''}\) for \(g''\) with randomness complexity \({\mathrm {Rand}}(\varPi _{g''})\) and communication complexity \({\mathrm {Comm}}(\varPi _{g''})\) then there exists a (k, n)secure ad hoc PSM protocol for f with randomness complexity \(O({\mathrm {Rand}}(\varPi _{g''})+n\cdot {\mathrm {Comm}}(\varPi _{g''}))\) and communication complexity \(O(n\cdot {\mathrm {Comm}}(\varPi _{g''}))\).
Proof
Denote the parties of the NIMPC \(\varPi _{g''}\) by \(P_{1,0},P_{1,1},\dots ,P_{n,0},P_{n,1},Q_1,\) \(\dots ,Q_n\). We next describe an ad hoc PSM protocol \(\varPi _f\) for f.

Generate the randomness of \(\varPi _{g''}\) for \(g''\); let \(r_{1,0},r_{1,1},\) \(\dots ,r_{n,0},r_{n,1},q_1,\) \(\dots ,q_n\) be the generated randomness of \(P_{1,0},P_{1,1},\dots ,P_{n,0},P_{n,1},Q_1,\dots ,Q_n\) respectively.
 For every \(1\le j \le n\):

Choose \(c_i\in \{0,1\}\) at random and let \(m_i\) be the message that \(Q_i\) sends in \(\varPi _{g''}\) with randomness \(q_i\) and input \(c_i\).

For every \(b \in \{0,1\}\), let \(m_{j,b}\) be the message that \(P_{j,b}\) sends in \(\varPi _{g''}\) with randomness \(r_{j,b}\) and input 0.

 The randomness of \(P_i\) in the ad hoc PSM protocol is$$\begin{aligned}r_{i,0},r_{i,1},c_i,(m_i)_{1\le i \le n},(m_{j,b})_{1\le i\le n,b\in \{0,1\}}. \end{aligned}$$

Let \(u_{i}\) be the message that \(P_{i,c_i\oplus x_i}\) sends in \(\varPi _{g''}\) with input 1 and randomness \(r_{i,c_i\oplus x_i}\).

\(P_i\) sends \((c_i \oplus x_i),u_{i}\) and, in addition, \((m_i)_{1\le i \le n},(m_{j,b})_{j\ne i,b\in \{0,1\}}\).

If \(i\in S\), then the message of \(P_{i,c_i \oplus x_i}\) is \(u_i\) (i.e., an encoding of 1); otherwise it is \(m_{i,c_i \oplus x_i}\) (i.e., an encoding of 0),

the message of \(P_{i,1(c_i \oplus x_i)}\) is \(m_{i,1(c_i \oplus x_i)}\) (i.e., an encoding of 0), and

the message of \(Q_i\) is \(m_i\) (i.e., an encoding of \(c_i\)).

If \(i \notin S\), then \(z_{i,0}=z_{i,1}=0\), that is, it correspond to the input \(a_i=\bot \) of g.
 If \(i\in S\), then \(z_{i,c_i \oplus x_i}=1\) and \(z_{1(i,c_i \oplus x_i)}=0\),

If \(x_i=c_i\), then \(z_{i,0}=1\) and \(z_{i,0}=0\), that is, it correspond to the input \(a_i=c_i=x_i\) of g,

If \(x_i\ne c_i\), then \(z_{i,0}=0\) and \(z_{i,0}=1\), that is, it correspond to the input \(a_i=1c_i=x_i\) of g.
That is, if \(i \in S\), then it correspond to the input \(a_i=x_i\) of g.

The transformation of Theorem 7.2 also applies if the NIMPC protocol is computationallysecure. Specifically, in [4] it is shown that if iO and oneway functions exist, then there is a computational indistinguishablysecure NIMPC protocol for every function. This implies that if iO and oneway functions exist then there is a computational (k, n)indistinguishablysecure ad hoc PSM protocol for every function f.
8 Ad Hoc Protocols for and Threshold Imply Nontrivial Obfuscation
Computational ad hoc PSM protocols for general functions imply obfuscation. This follows from Lemma 7.1, showing that ad hoc PSM protocols imply NIMPC protocols, and by results of [4], showing that NIMPC protocols imply obfuscation. To prove this result, ad hoc PSM protocols for fairly complex functions, i.e., universal functions, are used. In this section, we show that ad hoc PSM protocols for simple functions already imply obfuscation for interesting functions. Specifically, computational ad hoc PSM protocols for AND with VBB security imply point function obfuscation and ad hoc PSM protocols for threshold functions with VBB security imply fuzzy point function obfuscation [7]. There are several definitions of point function obfuscation in the literature (see [6]). In this paper, we consider the strong virtual blackbox notion of obfuscation of Barak et al. [3] for point function and fuzzy point function obfuscation. This notion was considered for point function obfuscation in, e.g., [19]. As the only known constructions for fuzzy point function obfuscation are based on strong assumptions (e.g., iO), these results imply that even ad hoc PSM protocols with VBB security for the threshold function may require strong assumptions.
Notation 8.1
For every \(x \in \{0,1\}^n\), define the point function \(I_x:\{0,1\}^n\rightarrow \{0,1\}\) where \(I_x(y)=1\) if \(x=y\) and \(I_x(y)=0\) otherwise. For every \(x \in \{0,1\}^n\) and \(0< \delta <1\), define the fuzzy point function \(F^\delta _x:\{0,1\}^n\rightarrow \{0,1\}\) where \(F^\delta _x(y)=1\) if \({\mathrm {dist}}(x,y) \le \delta n\) and \(F^\delta _x(y)=0\) otherwise, where \({\mathrm {dist}}(x,y)\) is the Hamming distance. We will also denote by \(I_x\) and \(F_x\) the canonical circuits that compute these functions.
Lemma 8.2
If there exists an (n, 2n)VBBsecure ad hoc PSM protocol for AND, then there is a point function obfuscation, i.e., an obfuscation for \(\{I_x\}_{x \in \{0,1\}^n}\).
Proof

Let \((r_{i,b})_{i \in [n],b\in \{0,1\}} \leftarrow \textsc {Gen}_\mathrm{AND}(1^n)\).

For every \(i \in [n]\) let \(z_{i,x_i}\leftarrow 1\) and \(z_{i,\overline{x_i}}\leftarrow 0\).

For every \(i \in [n]\) and \(b \in \{0,1\}\) let \(m_{i,b}\leftarrow \textsc {Enc}_\mathrm{AND}(z_{i,b},r_{i,b})\).
 Return a circuit C that on input \(y\in \{0,1\}^n\) computes$$\begin{aligned} \textsc {Dec}_\mathrm{AND}(\{(i,y_i)\}_{i\in [n]},(m_{i,y_i})_{i\in [n]}). \end{aligned}$$
Correctness: The circuit C returns the output of the decoding algorithm \(\textsc {Dec}\) on the messages \((m_{i,y_i})_{i\in [n]}\), which encode the inputs \((z_{i,y_i})_{i\in [n]}\). Hence, C returns \(\mathrm{AND}((z_{i,y_i})_{i\in [n]})\). If \(y=x\), then for every \(i \in [n]\), \(y_i=x_i\) and \(z_{i,y_i}=1\), thus C returns 1. If \(y\ne x\), then \(y_i= \overline{x_i}\) for at least one \(i \in [n]\), thus \(z_{i,y_i}=0\) and C returns 0.
We first define an attacker \({\mathcal {A}}_\mathrm{AND}\) against the ad hoc PSM protocol \(\varPi _\mathrm{AND}\): \({\mathcal {A}}_\mathrm{AND}\) gets as an input 2n messages and generates a circuit C from these messages as Obf does, and executes \(\mathcal {A}\) on C. By the VBBsecurity of \(\varPi _\mathrm{AND}\), there exists a simulator \(\textsc {Sim}_{\mathrm{_\mathrm{AND}}}\) for the adversary \({\mathcal {A}}_\mathrm{AND}\); this simulator \(\textsc {Sim}_\mathrm{AND}\) should have an oracle access to the function AND on any n of the 2n inputs \((z_{i,b})_{i\in [n],b\in \{0,1\}}\).
The simulator Sim for the obfuscation, with oracle access to \(I_x\), emulates \(\textsc {Sim}_\mathrm{AND}\), where the queries to AND are answered as follows: if a query contains two variables \(z_{i,0}\) and \(z_{i,1}\), for some \(i\in [n]\), then the answer is 0 (as the value of one of them is zero). Otherwise, for every i there is exactly one \(y_i\) such that \(z_{i,y_i}\) is in the query; in this case \(z_{i,y_i}=1\) if and only if \(y_i=x_i\), i.e., AND\(((z_{i,y_i})_{i\in [n],b \in \{0,1\}})=1\) iff \(x=(y_1,\dots ,y_n)\) iff \(I_x((y_1,\dots ,y_n))=1\). In this case, \(\textsc {Sim}\) answers the query by invoking its oracle \(I_x\). The VBBsecurity of \(\varPi _\mathrm{AND}\) implies that (2) holds. \(\square \)
Claim 8.3
Let \(\delta <0.5\). There is an efficient algorithm that, given a point w such that \(F^\delta _x(w)=1\) and an oracle access to \(F^\delta _x\), can find x.
Proof

For \(i=1\) to n: if \(F^\delta _x(x,v\oplus e_i)=0\) then \(x_i=v_i\), otherwise \(x_i=\overline{v_i}\).
Lemma 8.4
Let \(\delta <0.5\). If there is an (n, 2n)VBBsecure ad hoc PSM protocol for \({\text {Th}}_\delta \), then there is a fuzzy point function obfuscation, i.e., an obfuscation for \(\{F^\delta _x\}_{x \in \{0,1\}^\ell }\).
Proof

Let \((r_{i,b})_{i \in [n],b\in \{0,1\}} \leftarrow \textsc {Gen}_\mathrm{Th}(1^n)\).

For every \(i \in [n]\) let \(z_{i,x_i}\leftarrow 1\) and \(z_{i,\overline{x_i}}\leftarrow 0\).

For every \(i \in [n]\) and \(b \in \{0,1\}\) let \(m_{i,b}\leftarrow \textsc {Enc}_\mathrm{Th}(z_{i,b},r_{i,b})\).
 Return a circuit C that on input \(y\in \{0,1\}^n\) computes$$\begin{aligned}\textsc {Dec}_\mathrm{Th}(\{(i,y_i)\}_{i\in [n]},(m_{i,y_i})_{i\in [n]}).\end{aligned}$$
Correctness: The circuit C returns the output of the decoding algorithm \(\textsc {Dec}\) on the messages \(((m_{i,y_i})_{i\in [n]})\), which encode the inputs \((z_{i,y_i})_{i\in [n]}\). Hence, C returns \({\text {Th}}_\delta ((z_{i,y_i})_{i\in [n]})\). If \({\mathrm {dist}}(x,y)\le \delta n\), then \(y_i=x_i\) for at least \((1\delta )n\) values of i, and \(z_{i,y_i}=1\) for at least \((1\delta )n\) values of i, thus, C returns 1. If \({\mathrm {dist}}(x,y) >\delta n\), then \(y_i=\overline{ x_i}\) for more than \((1\delta )n\) values of i, thus, \(z_{i,y_i}=1\) for less than \((1\delta )n\) values of i and C returns 0.
We first define an attacker \({\mathcal {A}}_\mathrm{Th}\) against the ad hoc PSM protocol \(\varPi _\mathrm{Th}\): \({\mathcal {A}}_\mathrm{Th}\) gets as an input 2n messages and generates a circuit C from these messages as \(\textsc {Obf}_\mathrm{fuzzy}\) does, and executes \(\mathcal {A}\) on C. By the VBBsecurity of \(\varPi _\mathrm{Th}\), there exists a simulator \(\textsc {Sim}_\mathrm{Th}\) for the adversary \({\mathcal {A}}_\mathrm{Th}\); this simulator \(\textsc {Sim}_\mathrm{Th}\) should have an oracle access to the function \({\text {Th}}_\delta \) of any n of the inputs \((z_{i,b})_{i\in [n],b\in \{0,1\}}\).
The simulator \(\textsc {Sim}_\mathrm{fuzzy}\) for the obfuscation, with oracle access to \(F^\delta _x\), emulates \(\textsc {Sim}_\mathrm{Th}\), where the queries to \({\text {Th}}_\delta \) are answered as follows: If for every i there is exactly one \(y_i\) such that \(z_{i,y_i}\) is in the query, then \(z_{i,y_i}=1\) if and only if \(y_i=x_i\), i.e., \({\text {Th}}_\delta ((z_{i,y_i})_{i\in [n],b \in \{0,1\}})=1\) iff \({\mathrm {dist}}(x,(y_1,\dots ,y_n)) \le \delta n\) iff \(F^\delta _x((y_1,\dots ,y_n))=1\). Thus, in this case, \(\textsc {Sim}_\mathrm{fuzzy}\) answers the query by invoking its oracle \(F^\delta _x\).
The challenging case is when a query contains two variables \(z_{i,0}\) and \(z_{i,1}\) for some \(i\in [n]\); we call such queries “illegal”. In this case, we do not know how to answer the query directly (e.g., as we did in Lemma 8.2). The idea of answering the query is that if \({\text {Th}}_k\) returns 1 on the query, then the simulator can find a point w such that \(F^\delta _x(w)=1\) (as explained below), from such point it finds x (using Claim 8.3), computes \((z_{i,b})_{i\in [n],b\in \{0,1\}}\) as \(\textsc {Obf}_\mathrm{fuzzy}\) does, and answers the current and future queries using these values. If the simulator does not find such point w, then it returns 0.
Footnotes
 1.
Both in the original PSM model and in its adhoc variant, it suffices for the parties to share a source of common randomness that is unknown to the referee. The use of more general correlated randomness can help reduce the randomness complexity.
 2.
The time required to generate \(r_i\) is \(O( \ell ^2 \log n+\log ^2 n)\).
 3.
In Sect. 4, if there were less than \(nk\) inputs that are \(\bot \), then the function was undefined; here we need to define the output as \(\bot \).
Notes
Acknowledgments
We thank David Cash and David Wu for helpful discussions about Order Revealing Encryption.
The first author was supported by ISF grant 544/13 and by a grant from the BGU Cyber Security Research Center. The second and third authors were partially supported by ISF grant 1709/14, BSF grant 2012378, and NSFBSF grant 2015782. Research of the second author was additionally supported from a DARPA/ARL SAFEWARE award, NSF Frontier Award 1413955, NSF grants 1619348, 1228984, 1136174, and 1065276, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant. This material is based upon work supported by the Defense Advanced Research Projects Agency through the ARL under Contract W911NF15C0205. The views expressed are those of the authors and do not reflect the official policy or position of the Department of Defense, the National Science Foundation, or the U.S. Government.
References
 1.Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Order preserving encryption for numeric data. In: Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data, pp. 563–574 (2004)Google Scholar
 2.Applebaum, B., Raykov, P.: From private simultaneous messages to zeroinformation ArthurMerlin protocols and back. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 65–82. Springer, Heidelberg (2016). doi: 10.1007/9783662490990_3 CrossRefGoogle Scholar
 3.Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
 4.Beimel, A., Gabizon, A., Ishai, Y., Kushilevitz, E.: Distribution design. In: Sudan, M. (ed.) Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science, pp. 81–92. ACM, New York (2016)CrossRefGoogle Scholar
 5.Beimel, A., Gabizon, A., Ishai, Y., Kushilevitz, E., Meldgaard, S., PaskinCherniavsky, A.: Noninteractive secure multiparty computation. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 387–404. Springer, Heidelberg (2014). doi: 10.1007/9783662443811_22 CrossRefGoogle Scholar
 6.Bellare, M., Stepanovs, I.: Pointfunction obfuscation: a framework and generic constructions. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 565–594. Springer, Heidelberg (2016). doi: 10.1007/9783662490990_21 CrossRefGoogle Scholar
 7.Bitansky, N., Canetti, R., Kalai, Y.T., Paneth, O.: On virtual grey box obfuscation for general circuits. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 108–125. Springer, Heidelberg (2014). doi: 10.1007/9783662443811_7 CrossRefGoogle Scholar
 8.Boldyreva, A., Chenette, N., Lee, Y., O’Neill, A.: Orderpreserving symmetric encryption. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 224–241. Springer, Heidelberg (2009). doi: 10.1007/9783642010019_13 CrossRefGoogle Scholar
 9.Boldyreva, A., Chenette, N., Lee, Y., O’neill, A.: Orderpreserving symmetric encryption. Technical report 2012/624, IACR Cryptology ePrint Archive (2012). http://eprint.iacr.org/2012/624
 10.Boldyreva, A., Chenette, N., O’Neill, A.: Orderpreserving encryption revisited: improved security analysis and alternative solutions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 578–595. Springer, Heidelberg (2011). doi: 10.1007/9783642227929_33 CrossRefGoogle Scholar
 11.Boldyreva, A., Chenette, N., O’Neill, A.: Orderpreserving encryption revisited: improved security analysis and alternative solutions. Technical report 2012/625, IACR Cryptology ePrint Archive (2012). http://eprint.iacr.org/2012/625
 12.Boneh, D., Lewi, K., Raykova, M., Sahai, A., Zhandry, M., Zimmerman, J.: Semantically secure orderrevealing encryption: multiinput functional encryption without obfuscation. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 563–594. Springer, Heidelberg (2015). doi: 10.1007/9783662468036_19 Google Scholar
 13.Brakerski, Z., Komargodski, I., Segev, G.: Multiinput functional encryption in the privatekey setting: stronger security from weaker assumptions. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 852–880. Springer, Heidelberg (2016). doi: 10.1007/9783662498965_30 CrossRefGoogle Scholar
 14.Feige, U., Kilian, J., Naor, M.: A minimal model for secure computation. In: Proceedings of the 26th ACM Symposium on the Theory of Computing, pp. 554–563 (1994)Google Scholar
 15.Goldwasser, S., Gordon, S.D., Goyal, V., Jain, A., Katz, J., Liu, F.H., Sahai, A., Shi, E., Zhou, H.S.: Multiinput functional encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 578–602. Springer, Heidelberg (2014). doi: 10.1007/9783642552205_32 CrossRefGoogle Scholar
 16.Goldwasser, S., Rothblum, G.N.: On bestpossible obfuscation. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 194–213. Springer, Heidelberg (2007). doi: 10.1007/9783540709367_11 CrossRefGoogle Scholar
 17.Ishai, Y., Kushilevitz, E.: Private simultaneous messages protocols with applications. In: 5th Israel Symposium on Theory of Computing and Systems, pp. 174–183 (1997)Google Scholar
 18.Ishai, Y., Kushilevitz, E., Paskin, A.: Secure multiparty computation with minimal interaction. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 577–594. Springer, Heidelberg (2010). doi: 10.1007/9783642146237_31 CrossRefGoogle Scholar
 19.Lynn, B., Prabhakaran, M., Sahai, A.: Positive results and techniques for obfuscation. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 20–39. Springer, Heidelberg (2004). doi: 10.1007/9783540246763_2 CrossRefGoogle Scholar
 20.Yao, A.C.: How to generate and exchange secrets. In: Proceedings of the 27th IEEE Symposium on Foundations of Computer Science, pp. 162–167 (1986)Google Scholar