Robust Noninteractive Multiparty Computation Against ConstantSize Collusion
 4 Citations
 3.1k Downloads
Abstract
NonInteractive Multiparty Computations (Beimel et al., Crypto 2014) is a very powerful notion equivalent (under some corruption model) to garbled circuits, Private Simultaneous Messages protocols, and obfuscation. We present robust solutions to the problem of NonInteractive Multiparty Computation in the computational and informationtheoretic models. Our results include the first efficient and robust protocols to compute any function in \(NC^1\) for constantsize collusions, in the informationtheoretic setting and in the computational setting, to compute any function in P for constantsize collusions, assuming the existence of oneway functions. Our constructions start from a Private Simultaneous Messages construction (Feige, Killian Naor, STOC 1994 and Ishai, Kushilevitz, ISTCS 1997) and transform it into a NonInteractive Multiparty Computation for constantsize collusions.
We also present a new NonInteractive Multiparty Computation protocol for symmetric functions with significantly better communication complexity compared to the only known one of Beimel et al.
Keywords
Noninteractive multiparty computation Private Simultaneous Messages1 Introduction
A noninteractive multiparty computation enables n parties \(P_1,\dots ,P_n\), each holding a private input, and a special party \(P_0\), called an evaluator, to compute a joint function of the n parties’ inputs so that the evaluator learns the output. The communication structure in this setting is that each party sends a single message to the evaluator. This is a highly desired mode of interaction as the required connectivity between the parties is extremely simple, yet it enables to carry out natural computations such as voting and auctions.
Feige et al. [4] were first to study such a model, referred to as the Private Simultaneous Messages (PSM) ^{1} model. They considered informationtheoretic security, namely, in a PSM protocol for a function f, the evaluator of the function learns the output of the function on the parties’ inputs and nothing else. Essential to their solutions was the assumption that the evaluator does not collude with any of the n parties. If such collusions were possible, even with a single misbehaving party, their protocols would lose the privacy guarantee.
Beimel et al. [3] generalized the PSM model to what they call NonInteractive Multiparty Computation (NIMPC), by considering the possibility of collusions between parties and the evaluator. In this setting the notion of security needs to be modified as clearly we cannot prevent the evaluator from computing the function on all possible inputs of the colluding parties. Thus, they define the notion of “best possible security” by utilizing the residual function [8] for a set of colluding parties T. The residual function of f is all the values \(f(y_1,\dots ,y_n)\) where \(y_i = x_i\) if \(P_i \notin T\) (\(x_i\) being the input of the noncolluding party \(P_i\)) and \(y_i \in \{0,1\}\) for \(P_i \in T\). A secure protocol would enable the adversary to learn the residual function and nothing more. An NIMPC protocol that can withstand collusions of up to t parties is called trobust. If \(t=n\) the protocol is said to be fully robust.
Due to their very restricted communication pattern, both PSM and NIMPC require some form of setup arrangement. PSM assumes a common random string shared by the parties while NIMPC allows for a setup phase where parties are provided with correlated randomness. The latter models an offline stage run independently of the parties’ inputs with the actual computation of the function happening in a later online phase.
We note that while the above notions were introduced in the informationtheoretic setting, they apply to the computational case as well. The notion of NIMPC turns out to be extremely powerful both in the computational and informationtheoretic setting, and for a wide range of applications. It generalizes such notions as obfuscation and garbling schemes, and is a weaker variant of multiinput functional encryption. At the same time, in more practical settings, NIMPC can be used for voting, auctions, or distributed computations on bulletin boards.
The wide applicability of the NIMPC abstraction is also reflected in the wide range of results (and open questions) for what is computable in this model. In the informationtheoretic setting, Feige et al. [4] show that any function can be computed with exponential size messages sent from parties to evaluator. At the same time, they show that any function in \(NC^1\) can be computed with polynomialsize messages. Ishai and Kushilevitz [9] further expanded the class of functions that can be computed by PSM protocols to logspace language classes such as \(\bmod _p L\) and to logspace counting classes such as #L.
Not surprisingly, the NIMPC model proves to be more challenging, even for restricted robustness. Beimel et al. [3] prove that some nontrivial functions can be computed with informationtheoretic security in this model. They showed that the iterated product function \(f(x_1,\dots ,x_n) = x_1\cdots x_n\) over a group \(\mathbb {G}\) can be computed efficiently with a collusion of any size. In addition, for any function f, they exhibit a solution that can tolerate arbitrary collusions but is exponential in the total bitlength of the inputs. Their strongest result shows that symmetric functions over a domain \(\mathcal {X}_1\times \cdots \times \mathcal {X}_n\) where each \(\mathcal {X}_i\) is of constantsize admits a trobust NIMPC with polynomial complexity for constant t.
Can these informationtheoretic NIMPC results be extended to a larger class, e.g., \(NC^1\), as in the PSM case? A negative result follows from Goldwasser and Rothblum [6] implicitly stating that the existence of an efficient protocol for \(NC^1\) that can tolerate a polynomialsize collusion (i.e., of size \(t=\varOmega (n^{\alpha })\), with \(\alpha > 0\) being constant) in the informationtheoretic setting would imply the collapse of the polynomialtime hierarchy. This still leaves the possibility that robust NIMPC with restricted, say constantsize, collusions are still possible for \(NC^1\). Yet, Beimel et al. show evidence that even achieving 1robustness, i.e., security against a collusion of one party with the evaluator, may require a new technical approach (they show that natural approaches to realize NIMPC based on known PSM or garbling techniques fail even for \(t=1\)). They leave this question open.
In the computational setting the situation is strikingly different. First of all, in the PSM model or the equivalent 0robust NIMPC, one can compute any polynomialtime computable function with polynomialsize messages under the sole assumption of the existence of oneway functions. Indeed, note that a Yao garbled circuit is a 0robust NIMPC. At the other end, fullyrobust NIMPC for any polynomial function can be constructed using multiinput functional encryption which Goldwasser et al. [5] build on the basis of indistinguishability obfuscation (iO) and oneway functions. Actually, the existence of efficient NIMPC protocols for P that can tolerate a polynomialsize collusion implies iO.
The above results leave two wide gaps in our knowledge regarding the feasibility of constructing robust NIMPC protocols. In the informationtheoretic setting, PSM exists for at least all of \(NC^1\) while NIMPC with nonzero robustness is only known for a handful of simple functions [3]. In the computational setting, oneway functions suffice for 0robust NIMPC for all polynomial functions, and under iO fullyrobust NIMPC for all P is possible.
 1.
Do informationtheoretic robust NIMPC protocols exist, even for 1robustness, for a class of functions covered by PSM, e.g., \(NC^1\)?
 2.
Do computational robust NIMPC protocols exist for P, with restricted robustness, under weaker assumptions than iO?
These are open questions postulated in the work of Beimel et al. [3] and the ones that we set to answer.
1.1 Our Results
From PSM to NIMPC. Our main theorem shows an informationtheoretic transformation which takes any PSM (or 0robust NIMPC) construction and transforms it into a trobust NIMPC protocol. The resultant protocol has complexity that is, roughly, \(n^{O(t)}\) times that of the given PSM protocol. Furthermore, if the original PSM relied on some assumptions the new protocol relies on the same assumptions without needing to introduce any further assumptions.
This single theorem is extremely powerful and its corollaries give an affirmative answer to the two questions raised above.
In the informationtheoretic setting we have that for constant t, there exist efficient trobust protocols for the same class of functions for which efficient PSM protocols exist, in particular for the whole class \(NC^1\) and the classes shown in [9], namely, \(\bmod _p L\) and logspace counting classes such as #L.
In the computational setting, we achieve robust NIMPC solutions for constantsize collusions for any polynomialtime function, solely based on one way functions. That is, we narrow the gap between the PSM solutions based on oneway functions that tolerate no collusions, and the solutions based on iO, that can tolerate any number of collusions. Recall that robust NIMPC solutions for any polynomialtime function, even for polynomialsize collusions, implies iO.
Design. The idea governing our result was to directly find a solution to the problem identified by Beimel et al. [3, Sect. 6]. The essence of the problem can be understood by considering a Yao garbled circuit. The circuit is set up so that each input wire i has two possible labels \(m'_{i,0},m'_{i,1}\) one of which will be used by party \(P_i\) to convey its input to the evaluator. The problem arises when \(P_i\) colludes with the evaluator providing both labels for input wire i. One might hope that this would only enable the evaluator to compute the residual function, i.e., \(f(x_1,\dots ,x_{i1},0,x_{i+1},\dots ,x_n)\) and \(f(x_1,\dots ,x_{i1},1,x_{i+1},\dots ,x_n)\), which is allowed. However, the above paper shows that in fact more is exposed via the knowledge of both labels, thus violating the security of the computation. This problem also arises in similar constructions based on Barrington theorem [2] and Kilian randomization [12], or the IshaiKushilevitz protocol in [9].
The issue is that the adversary can learn two different labels \(m'_{i,0}\) and \(m'_{i,1}\) for the same input wire i, when \(P_i\) is colluding. If we could prevent it, this would resolve the problem described above. Yet, this seems challenging as we need to enable \(P_i\) to still have a message for a possible input of 0 and a message for a possible input of 1, otherwise it will render the computation impossible. But maybe this counterintuitive approach can be achieved?
Given a function f, n parties, \(P_1,\dots ,P_n,\) holding inputs \(x_1,\dots ,x_n\) (resp.), an evaluator \(P_0\), and a PSM which computes the function we will do the following. We duplicate the PSM a number of times (this number is a function of the number of colluding parties; we denote it for now by \(\kappa \)), creating the copies \(\mathcal {PSM}_1,\dots ,\mathcal {PSM}_{\kappa }\). Each PSM will have a fresh set of labels for its input wires. Concretely, \(\mathcal {PSM}_{\varvec{\sigma }}\) will have labels \(m'_{\varvec{\sigma },i,0},m'_{\varvec{\sigma },i,1}\) for \(i = \{1,\dots ,n\}\). On top of these copies of the PSM we will put NIMPC protocols which we call selectors. There will be n selectors \(\mathcal {S}\! el _1,\dots ,\mathcal {S}\! el _n\), one for each party. The input wires for all the selectors will be labeled by \(m_{i,0},m_{i,1}\) for \(i = \{1,\dots ,n\}\). The selector \(\mathcal {S}\! el _i\) is expected to output a label \(m'_{\varvec{\sigma },i,x_i}\) for exactly one index \(\varvec{\sigma }\). Each selector will have one output wire for a total of n output wires for all the selectors combined.
Clearly, the adversary can still utilize both \(m_{i,0},m_{i,1}\) of a colluding party on the input wires to the selectors. But the selectors will be sophisticated. Given a specific set of labels for the inputs wires, they will provide a full set of labels for only one of the copies of the PSM. Given a different set of input wire labels, they will provide a full set of labels for a different PSM. So for the example above, on input the set of labels \(m_{1,x_1},\dots ,m_{i1,x_{i1}},m_{i,0},m_{i+1,x_{i+1}},\dots ,m_{n,x_n}\), the adversary will receive the labels for \(\mathcal {PSM}_{\varvec{\sigma }}\) and on input the set of labels \(m_{1,x_1},\dots ,m_{i1,x_{i1}},m_{i,1},,m_{i+1,x_{i+1}},\dots ,m_{n,x_n}\) it will receive the labels for \(\mathcal {PSM}_{\varvec{\sigma }'}\). Thus, effectively disarming the adversary from the ability to learn two different labels for the same input of the same PSM. Note, that the adversary can still run the selectors multiple times on different inputs, in fact, on \(2^t\) if there are t colluding parties. But the selectors can “tolerate” such behavior without violating the privacy of the inputs of the noncolluding parties.
Thus we have achieved that the combination of selectors \(\mathcal {S}\! el _i\) and \(\kappa \) copies of the original PSM yield a trobust NIMPC for the function computed by the PSM. See Fig. 1.
Let us examine the output of the selector and see that it works properly. W.l.o.g., assume that \(P_i\) is the colluding party and that the evaluator first uses the message corresponding to an input of 0 for \(P_i\) and that this sets the sum of all the parties’ inputs to 0. In this case the selector for all parties, colluding or not, will output one of the values from the two top rows depending on the party’s individual input. These are all labels for \(\mathcal {PSM}_1\). Now, if the evaluator flips the input value of the colluding party to be 1, this causes the sum of all the parties’ inputs to flip to 1, resulting in the selector outputting a value from the bottom two rows of the function. Those outputs are all labels of \(\mathcal {PSM}_2\). Thus, we manage to prevent the evaluator from learning two labels for the same input of the same PSM.
NIMPC for Symmetric Functions. While our above result and also [3] provide NIMPC protocols for symmetric functions (both of complexity \(n^{O(t)}\)), here we present a specialized solution that improves significantly the level of robustness it can offer.
A symmetric Boolean function can be seen as a function of the sum of its inputs over \(\mathbb {Z}_{n+1}.\) Our core idea is to start with an inefficient NIMPC solution based on an informationtheoretic implementation of Yao’s garbling and then improve its complexity via a “divideandconquer” approach that uses the Chinese remainder theorem to create small instances of the problem. The NIMPC protocols on these smaller instances provide much stronger collusion resistance. Using this technique we show that there exists an informationtheoretic trobust NIMPC for symmetric Boolean functions with communication complexity \(n^{\log \log n + \log t + O(1)}\), improving significantly on the best prior protocol in [3, Theorem 4.17] that has communication complexity \(\left( {\begin{array}{c}n\\ t\end{array}}\right) \cdot O(2^t \cdot n^4)\).
1.2 Related Work
Halevi et al. [8] wanted to avoid the need for a fresh common or correlated randomness string for each execution. However, their model requires the parties to sequentially interact with the evaluator. They provide solutions for very specific patterns of interaction, assuming a publickey infrastructure (PKI).
Halevi et al. [7] expand the graphs of interaction patterns that can be handled in [8] to directed graphs, chains, and star. They examine which functions can be computed under these communication patterns and show that any interaction pattern can be reduced via an information theoretic protocol to a star, while providing the best possible security that can be achieved. Note that a star communication pattern is equivalent to the pattern presented in NIMPC. Using our new trobust NIMPC protocols for the star communication pattern can enable a constant number of colluding parties for general communication patterns without relying on strong assumptions such as iO.
In [16] the authors provide an exponential lower bound of the communication complexity of NIMPC protocols for arbitrary functions, and improve the polynomial factors of the communication complexity of the NIMPC protocol for arbitrary functions of Beimel et al. They further extend their result in [14] improved complexity of the previous NIMPC protocol for arbitrary function with multibit inputs, yet it still has exponential complexity.
1.3 Organization of the Paper
In Sect. 2, we start by an extensive overview to provide intuition for the techniques we use in our transformation of PSM into trobust NIMPC. After some formal preliminaries in Sect. 3, we present one of the main components of the transformation and of our NIMPC protocol for symmetric functions, namely selectors, in Sect. 4. In Sect. 5, we define and construct another component of the transformation, namely admissible linear indexing function. The transformation itself is formally described and proven in Sect. 6. Finally, in Sect. 7, we show our new NIMPC protocol for symmetric functions.
2 Overview
In this section we provide an extensive overview of the techniques we use in our transformation from PSM to trobust NIMPC with emphasis on ideas and intuition at the expense of formalism. For the sake of simplicity, we assume that the inputs of the parties are bits.
2.1 Defining the Indexing Function
In the Introduction we showed that we need selectors that, for every given set of inputs of the parties, choose a different PSM, and then output a consistent set of labels for the input wires of the chosen PSM. In this section, we explain how to choose the PSM. This is done via what we call an indexing function \(\mathsf {ind}\).
The indexing function \(\mathsf {ind}\) takes as input a vector \(\varvec{x}\), which reflects the inputs of the parties. The entry for a noncolluding \(P_i\) will be set to its actual input, \(x_i\) and the rest of the entries are fixed by the adversary. When the adversary controls t parties it can create \(2^t\) distinct vectors \(\varvec{x}\), running over all possible inputs of the colluding parties. These \(2^t\) vectors can in fact be reflected in \(2^t\) evaluations of the selectors. Thus, we want to have (at least) \(2^t\) PSM and in return require that the indexing function, \(\mathsf {ind}\), will map each one of the possible vectors into a different PSM. We will index the PSM by \(\varvec{\sigma }\) in some set \(\mathcal {S}\).
We now build the indexing function \(\mathsf {ind}\). Let \(\mathsf {ind}\) be a function that on input \(\varvec{x}=(x_1,\ldots , x_n)\) outputs an index \(\varvec{\sigma }\in \mathcal {S}\). The function \(\mathsf {ind}\) should have the property that if a party \(P_i\) is colluding then any input \(\varvec{x}\) to \(\mathsf {ind}\) that has \(x_i=0\) should produce a different \(\varvec{\sigma }\) than the same \(\varvec{x}\) but with \(x_i=1\). In general, no coalition of t colluding parties should be able to choose their inputs so that two different inputs lead to the selection of the same index \(\varvec{\sigma }\). Note that this does not mean that \(\mathsf {ind}\) should be injective but rather that if one fixes the inputs of the noncolluding parties, then any two assignments of the remaining t inputs should result in a different value \(\varvec{\sigma }\) output by \(\mathsf {ind}\). Going back to the example from the Introduction, for \(t=1\) we implicitly defined \(\mathsf {ind}(\varvec{x}) = x_1 + \dots + x_n\) and obtained the desired property. Indeed, if all the inputs are fixed except the one of a single colluding party \(P_i\), each input \(x_i\) of \(P_i\) yields a different value \(\mathsf {ind}(\varvec{x})\) (note that this property assumes a single colluding party but does not require to know who this party is).
For the general case of t colluding parties we build \(\mathsf {ind}\) using a linear code. We first observe that for any value \(\varvec{\sigma }\) in the range of \(\mathsf {ind}\), it should be that the set \(\mathsf {ind}^{1}(\varvec{\sigma })\) forms a code of distance at least \(t+1\). Indeed, assume that two different elements \(\varvec{x_1}, \varvec{x_2}\) in the set \(\mathsf {ind}^{1}(\varvec{\sigma })\) have Hamming distance \(\le t\) and let \(T\subseteq \{1,\ldots ,n\}\) be the set of entries where the two differ. Choosing T as the set of colluding parties, we have that \(\varvec{x_1}, \varvec{x_2}\) coincide in all the honest parties’ inputs, differ on the colluding parties’ inputs, yet they are mapped to the same value \(\varvec{\sigma }\). This contradicts our requirement from \(\mathsf {ind}\). We can thus define \(\mathsf {ind}\) via a linear code of distance \(t+1\) over a linear space \(\mathbb {F}_q^n\) (for some prime power q) as follows. Let \(H \in \mathbb {F}_q^{\ell \times n}\) be the paritycheck matrix of such a code, namely, the code is formed by all vectors \(\varvec{x}\in \mathbb {F}_q^n\) for which \(H\cdot \varvec{x} = 0\). This means that \(H^{1}(0)\) is a code of distance \(t+1\) and the same is also true, by linearity, for \(H^{1}(\varvec{\sigma })\) for any other \(\varvec{\sigma }\) in the range of H. Thus, defining \(\mathsf {ind}(\varvec{x})=H\cdot \varvec{x} \) we get the property we needed. See Sect. 5 for the details.
We note that using such an H, we get that the set of possible values \(\varvec{\sigma }\) (i.e., the range of the function \(\mathsf {ind}\)) is of size \(q^\ell \) (\(\ell =t\) in our implementation, for wellchosen prime powers q) and that is also the number of PSMs. This is the source of exponential complexity in our construction and the reason for why we are polynomialtime only for constant t.
2.2 Reduction of \(\mathcal {S}\! el _i\) to MessageOutputting Protocols
To sum up, we have reduced the task of designing the selectors \(\mathcal {S}\! el _i\) to the task of designing outputtingmessage protocols, i.e., NIMPC for \( h_{M,\varvec{u},\tilde{m}}\). At this point, we can completely ignore the process that lead us to considering these functions \(h_{M,\varvec{u},\tilde{m}}\).
2.3 Robust MessageOutputting Protocols
Let us now design robust messageoutputting protocols, i.e., NIMPC for \( h_{M,\varvec{u},\tilde{m}}\). We note that while in our application M is public and \(\varvec{u}\) and \(\tilde{m}\) are to remain hidden, here our presentation treats \(\varvec{u}\) as public. A full description of the NIMPC protocol for \(h_{M,\varvec{u},\tilde{m}}\), including addressing the secrecy of \(\varvec{u}\), is presented in Sect. 4.2.
Linear Secret Sharing Scheme. We start by recalling the following linear secret sharing scheme LSSS [11], a variant of which is at the core of our construction.
Recall that an NIMPC protocol starts with a setup phase (a.k.a. offline preprocessing) in order to generate the correlated randomness. It is indeed impossible to achieve any reasonable security notion without correlated randomness in this noninteractive setting.
The above shows correctness of the NIMPC scheme for the family \(h_{M,\varvec{u},\tilde{m}}\). We now argue robustness, namely, only \(\tilde{m}\) is disclosed and only in case that \(M\cdot \varvec{x} =\varvec{u}\). All other information remains (informationtheoretically) hidden.
Detecting When \(\varvec{h}_{\varvec{M},\varvec{u},\tilde{\varvec{m}}}(\varvec{x}) =\,\perp \) . The above NIMPC protocol is almost a protocol for \(h_{M,\varvec{u},\tilde{m}}\), except that it always outputs something even when it should output \(\perp \). To finish the construction, we need to add a way to detect whether \(h_{M,\varvec{u},\tilde{m}}(\varvec{x})=\perp \) or not, i.e., whether \(M \cdot \varvec{x} = \varvec{u}\) or not.
This is simple to achieve: in the setup phase, we just pick uniform independent vectors \(\varvec{r}'_1,\dots ,\varvec{r}'_n \in \mathbb {F}_q^n\), compute \(\varvec{r}'_0 = \sum _{i=1}^n \varvec{r}'_i\), publish \(\varvec{\nu _0} = \varvec{u} + \varvec{r}'_0\), and give to each party \(P_i\) the vector \(\varvec{r}'_i\) as part of its correlated randomness.
2.4 Putting It All Together
We now summarize the steps in our transformation from a PSM for a function f to a trobust NIMPC for the same function f. Full and formal details are presented in Sects. 4.2, 5, and 6 (see Fig. 4).
First, we choose a linear code of length n and of distance at least \(t+1\), for a wellchosen prime power q. Let \(H \in \mathbb {F}_q^{\ell \times n}\) be its paritycheck matrix (we can choose q as the smallest prime power greater or equal to n, and \(\ell = t\)). We define the indexing function as \(\mathsf {ind}:\varvec{x} \mapsto H \cdot \varvec{x} \in \mathbb {F}_q^\ell \).
Second, in the setup phase, we consider \(q^\ell \) copies of the PSM, indexed by elements \(\varvec{\sigma }\) of \(\mathbb {F}_q^\ell \). We generate the correlated randomness of all these PSMs, and denote by \(m'_{\varvec{\sigma },i,b}\) the message that party \(P_i\) would send on input b in the PSM \(\mathcal {PSM}_{\varvec{\sigma }}\) of index \(\varvec{\sigma }\), for \(\varvec{\sigma }\in \mathbb {F}_q^\ell \), \(i \in \{1,\dots ,n\}\), and \(b \in \{0,1\}\).
The correlated randomness of the resulting trobust NIMPC protocol just consists in the concatenation of the correlated randomness of \(\mathcal {S}\! el _1,\dots ,\mathcal {S}\! el _n\). The message that party \(P_i\) sends on input \(x_i\) is the concatenation of the ones it would send in \(\mathcal {S}\! el _1,\dots ,\mathcal {S}\! el _n\) on input \(x_i\). To compute the output, the evaluator first simulates the evaluators of \(\mathcal {S}\! el _1,\dots ,\mathcal {S}\! el _n\) to get \(m'_{\varvec{\sigma },i,x_i}\) for all \(i \in \{1,\dots ,n\}\) and for \(\varvec{\sigma }= \mathsf {ind}(\varvec{x})\). It then simulates the evaluator of the original PSM on these messages to get the output \(f(x_1,\dots ,x_n)\).
3 Preliminaries
3.1 NIMPC Definition
We recall the definition of NIMPC protocols from [3]. We first introduce the following notation.
Let \(\mathcal {X}_1,\dots , \mathcal {X}_n\) be nonempty sets and let \(\mathcal {X}\) denote their Cartesian product, namely, \(\mathcal {X}:=\mathcal {X}_1 \times \dots \times \mathcal {X}_n\). We use vector notation (boldface font) to denote the elements in \(\mathcal {X}\), e.g., \(\varvec{x}\in \mathcal {X}\) (even though \(\mathcal {X}\) is not necessarily a vector space). For a subset \(T=\{i_1,\ldots ,i_t\} \subseteq \{1,\dots ,n\}\) and \(\varvec{x}=(x_1,\ldots ,x_n)\in \mathcal {X}\) we denote by \(\varvec{x}_T\) the tcoordinate projection vector \((x_{i_1},\dots ,x_{i_t})\). For a function \(f :\mathcal {X}\rightarrow \varOmega \), we denote by \({ \left. f \right _{{\bar{T}},\varvec{x}_{\bar{T}}} }\) the function f with the inputs corresponding to positions \({\bar{T}}\) fixed to the entries of vector \(\varvec{x}_{\bar{T}}\).^{4}
Definition 3.1

\(\mathsf {Setup}\) takes as input unary representations of n and of the security parameter \(\mathfrak {K}\), and (a representation of) a function \(f \in \mathcal {F}_n\) and outputs a tuple \((\rho _0,\rho _1,\dots ,\rho _n)\);^{5}

\(\mathsf {Msg}\) takes as input a value \(\rho _i\) and an input \(x_i \in \mathcal {X}_i\), and deterministically outputs a message \(m_{i,x_i}\);

\(\mathsf {Rec}\) takes as input a value \(\rho _0\) and a tuple of n messages \({(m_{i,x_i})}_{i=1,\dots ,n}\) and outputs an element of \(\varOmega \).
 Correctness. For any values \(n \in \mathbb {N}_{>0}\), security parameter \(\mathfrak {K}\in \mathbb {N}\), \(f \in \mathcal {F}_n\), \(\varvec{x} \in \mathcal {X}\) and \((\rho _0,\dots ,\rho _n) \mathop {\leftarrow }\limits ^{{}_R}\mathsf {Setup}(f)\):$$\begin{aligned} \mathsf {Rec}(\rho _0, \mathsf {Msg}(\rho _1,x_1), \dots , \mathsf {Msg}(\rho _n,x_n)) = f(\varvec{x}). \end{aligned}$$

Offline preprocessing. For the security parameter \(\mathfrak {K}\) and the function \(f \in \mathcal {F}_n\), a trusted party generates \((\rho _0,\rho _1,\dots ,\rho _n) \mathop {\leftarrow }\limits ^{{}_R}\mathsf {Setup}(1^n,1^\mathfrak {K},f)\) and gives \(\rho _i\) to party \(P_i\) (for \(i \in \{1,\dots ,n\}\)) and \(\rho _0\) to the evaluator \(P_0\).

Online messages. On input \(x_i\), party \(P_i\) computes \(m_{i,x_i} :=\mathsf {Msg}(\rho _i,x_i)\) and outputs \(m_{i,x_i}\) to the evaluator \(P_0\).

Reconstruction. After receiving \(m_{i,x_i}\) from all the parties \(P_i\) (for \(i \in \{1,\dots ,n\}\)), the evaluator \(P_0\) computes and outputs \(\mathsf {Rec}(\rho _0,m_{1,x_1},\dots ,m_{n,x_n})\).
A polynomialtime NIMPC protocol for \(\mathcal {F}\) is an NIMPC protocol \((\mathsf {Setup},\mathsf {Msg},\mathsf {Rec})\) where \(\mathsf {Setup}\), \(\mathsf {Msg}\), and \(\mathsf {Rec}\) run in polynomial time in n and \(\mathfrak {K}\). In particular, functions \(f \in \mathcal {F}\) should be representable by polynomialsize bit strings.
The online communication complexity of \(\varPi \), \(\textsf {CC}_{\textsf {on}}(\varPi )\), is defined as the maximum of the size of the messages \(m_{i,x_i}\). The offline communication complexity of \(\varPi \), \(\textsf {CC}_{\textsf {off}}(\varPi )\), is defined as the maximum of the size of the correlated randomness \(\rho _{i}\). The communication complexity \(\textsf {CC}(\varPi )\) is defined as the maximum of the online communication complexity and of the offline communication complexity.
Robustness. We now recall the notions of robustness for NIMPC protocols. Informally, Trobustness for a set \(T\subseteq \{1,\ldots ,n\}\) of colluding parties means that if \(\varvec{x}_{\bar{T}}\) represents the inputs of the honest parties, then an evaluator colluding with the parties in set T can compute the residual function \({ \left. f \right _{{\bar{T}},\varvec{x}_{\bar{T}}} }\) on any input \(\varvec{x}_T\) but cannot learn anything else about the input of the honest parties. This describes the best privacy guarantee attainable in this adversarial setting. The formal definition is stated in terms of a simulator that can generate the view of the adversary (evaluator plus the colluding parties in set T) with sole oracle access to the residual function \({ \left. f \right _{{\bar{T}},\varvec{x}_{\bar{T}}} }\).
All our constructions and transformations are unconditional. But when combined with statistically or computationally robust 0NIMPC protocols, the resulting protocols are only statistically or computationally robust. Therefore, we also need to define statistical and computational variants of robustness.
Definition 3.2
Let t be an integer which is a function of n, then an NIMPC protocol \(\varPi \) is perfectly (resp., statistically, computationally) trobust if for any \(n \in \mathbb {N}_{>0}\) and any subset \(T \subseteq \{1,\dots ,n\}\) of size at most \(t=t(n)\), \(\varPi \) is perfectly (resp., statistically, computationally) trobust. It is perfectly (resp., statistically, computationally) fully robust, if it is perfectly (resp., statistically, computationally) nrobust.
Computational robustness is defined nonuniformly to simplify the definition. However, it is also possible to define a uniform version with an explicit distinguisher which first chooses n, f, T, and \(\varvec{x}_{\bar{T}}\).
Robustness does not necessarily imply that the simulator \(\mathsf {Sim}\) is the same for any n and T nor that it runs in polynomial time in n and \(\mathfrak {K}\). Our constructions are efficient in the sense that the simulators are polynomialtime (in the communication complexity of the underlying protocols), and our transformations preserve the efficiency of the simulator.
Simplifications. In the sequel, we simplify notations as follows. The security parameter \(\mathfrak {K}\) is dropped for all perfectly robust protocols. Furthermore, we suppose all the functions \(f \in \mathcal {F}_n\) have the same domain \(\mathcal {X}\) and the same number of parties n. The set \(\mathcal {F}_n\) is simply denoted \(\mathcal {F}\). We will sometimes refer to NIMPC for single functions f, to mean NIMPC for \(\mathcal {F}= \{f\}\).
3.2 Group Embedding
While the definition of NIMPC is stated for arbitrary sets \(\mathcal {X}_i\), for our treatment it is convenient (but not mandatory) to associate to these sets an addition operation and a neutral element 0. For this, we use the convention that each input set \(\mathcal {X}_i\) is embedded (via an arbitrary injective mapping) into a group of cardinality \(\ge \mathcal {X}_i\) (same group for all \(i\in \{1,\ldots ,n\}\)). Thus, hereafter, we treat the sets \(\mathcal {X}_i\) as subsets of a group where these subsets always include the neutral element 0; in our applications the group is typically a field \(\mathbb {F}_q\) or a ring.
Finally, we define the Hamming weight of an element \(\varvec{x} \in \mathcal {X}\) as the number of coordinates i for which \(x_i\ne 0\), and define Hamming distance between elements \(\varvec{x_1}\) and \(\varvec{x_2}\) in \(\mathcal {X}\) as the Hamming weight of \(\varvec{x_1}\varvec{x_2}\).
4 Selectors
In this section, we introduce the notion of selectors, which are used both in our transformation from PSM to O(1)robust NIMPC and in our construction of NIMPC for symmetric functions. Intuitively, a selector is an NIMPC which selects a given message in a collection of messages depending on the inputs of the parties. In our construction, the collection of messages correspond to various inputs of other PSMs or NIMPCs. In other words, selectors compose easily with other NIMPCs. That is why they play a central role in our constructions.
We start by defining general selectors, before considering and constructing two particular cases: linear selectors and NIMPC for Abelian programs. The former selectors are used in our transformation from PSM to O(1)robust NIMPC, while the latter selectors are used for symmetric functions. Our constructions are perfectly fully robust. An interesting point if that these selectors are also new constructions of fully robust NIMPCs (of which very few are known, even assuming the existence of oneway functions).
4.1 Definitions
General Definition. The next definition is the general definition. Definitions of the two interesting particular cases follow.
Definition 4.1
The message set \(\mathcal {M}\) is often implicitly defined. We also implicitly assume that elements of \(\mathcal {M}\) can be represented by vectors of \(\lceil \log _q \mathcal {M} \rceil \) elements in \(\mathbb {F}_q\). The set \(\mathcal {M}^\mathcal {U}\) is the set of tuples \(\varvec{\tilde{m}}= {(\tilde{m}_{{\varvec{u}}})}_{{\varvec{u}}\in \mathcal {U}}\) of messages in \(\mathcal {M}\), indexed by elements in \(\mathcal {U}\).
In this paper, we are interested in two specific types of selectors: linear selectors and NIMPC for Abelian program.
Linear Selectors. Linear selectors are used for our transformation from PSM to O(1)robust NIMPC and are defined as follows.
Definition 4.2
In the above definition, \(\mathcal {X}_1\), ..., \(\mathcal {X}_n\) are implicitly defined as \(\mathbb {F}_q\). The set of messages \(\mathcal {M}\) can be any finite set.
NIMPC for Abelian Programs. For our construction of NIMPC for symmetric functions, we need to introduce another type of selectors.
Abelian programs can be seen a generalization of symmetric functions introduced in [3, Sect. 4]. More precisely, we have the following definition.
Definition 4.3
An NIMPC for Abelian program is just an NIMPC for the class of Abelian programs for a given group \(\mathbb {G}\), input set \(\mathcal {X}\), and output set \(\varOmega \). In this paper, we prefer to view NIMPC for Abelian programs as selectors, as follows.
Definition 4.4
The message \(\mathcal {M}\) corresponds to the set \(\varOmega \).
We remark that if \(\mathbb {G}\) is a finite field \(\mathbb {F}_q\) and \(\mathcal {X}_1 = \dots = \mathcal {X}_n = \mathbb {G}\), then an NIMPC for Abelian programs for \(\mathcal {X}\) and \(\mathbb {G}\) is a exactly a linear selector for the matrix \(M = (1,\dots ,1) \in \mathbb {F}_q^{1\times n}\). However, for our constructions, the sets \(\mathcal {X}_i\) are strictly included in the group \(\mathbb {G}\). We therefore need to use completely different techniques for the construction of NIMPC for Abelian programs, compared to the ones used for the construction of linear selectors.
4.2 Construction of Linear Selectors
Let us now show how to construct linear selectors. As explained in Sect. 2.2, we first define and construct outputtingmessage NIMPC protocols.
OutputtingMessage NIMPC
Definition 4.5
As for linear selectors, in the above definition, \(\mathcal {X}_1\), ..., \(\mathcal {X}_n\) are implicitly defined as \(\mathbb {F}_q\).
Theorem 4.6
The term \(q^{\min (t,k)}\) in the simulator running time comes from the following fact. The simulator needs to enumerate all the possible input values \(\varvec{x}_T\) of the colluding parties \(P_i\) (\(i \in T\); there are \(q^t\) such values) or all the resulting values \(M \cdot \varvec{x}_T\) (there are at most \(q^k\) such values) to find whether there exists \(\varvec{x}_T \in \mathcal {X}_T\), such that \({ \left. h_{M,\varvec{u},\tilde{m}} \right _{{\bar{T}},\varvec{x}_{\bar{T}}} }(\varvec{x}_T) \ne \perp \).
Proof
Theorem (4.6 ). Fig. 2 describes the construction of the outputtingmessage NIMPC \((\mathsf {Setup}_M,\mathsf {Msg}_M,\mathsf {Rec}_M)\) for \(M \in \mathbb {F}_q^{k \times n}\), when the message set is \(\mathcal {M}= \mathbb {F}_q\). The security proof follows the informal presentation from Sect. 2.3 and is provided in the full version.
To construct an outputtingmessage NIMPC for an arbitrary message set \(\mathcal {M}\) (instead of \(\mathbb {F}_q\)), we just split the messages in submessages in \(\mathbb {F}_q\) (in other words, we represent a message in \(\mathcal {M}\) as a vector of \(\lceil \log _q \mathcal {M} \rceil \) elements of \(\mathbb {F}_q\)) and using an independent instance of the linear selector for each submessage. To get the communication complexities of the theorem, we remark that the vectors \(\varvec{r}'_{i}\) can be the same for each submessage. \(\square \)
Construction of Linear Selectors. We can now construct linear selectors. More precisely, we have the following theorem.
Theorem 4.7
Proof
Fig. 3 describes the construction of a fully robust linear selector \((\mathsf {Setup}_M,\mathsf {Msg}_M,\mathsf {Rec}_M)\) for \(M \in \mathbb {F}_q^{k \times n}\), from an outputtingmessage NIMPC. Complexities are computed assuming the outputtingmessage NIMPC is the one from Theorem 4.6. The security proof is provided in the full version. \(\square \)
4.3 NIMPC for Abelian Programs
In [3], Beimel et al. constructed a trobust NIMPC for any Abelian program. But the complexity is at least \(\left( {\begin{array}{c}n\\ t\end{array}}\right) \cdot \mathcal {M}\). Because of the factor \(\left( {\begin{array}{c}n\\ t\end{array}}\right) = \omega (n^{\log \log n + \log t})\), this trobust NIMPC protocol is not useful for our construction.
Instead, we propose a fully robust construction based on an informationtheoretic variant of Yao’s garbled circuits [10, 15] (for a specific circuit with gates over \(\mathbb {G}\) instead of classical Boolean gates) with communication complexity \(O(n \cdot {\mathbb {G}}^{\log n} \cdot (\log \varOmega  + \log \mathbb {G}))\). When \(\mathbb {G}\) has logarithmic size in n, the communication complexity is only \(n^{O(\log \log n)}\), which is only slightly quasipolynomial.
More formally, we prove the following theorem in the full version.
Theorem 4.8
5 Admissible Linear Indexing Functions
We recall that the high level idea behind our transformation from a given PSM (or 0robust NIMPC) protocol to a trobust NIMPC, is to create a collection of instances (in the form of messages \(m_{i,x_i}\)) of the underlying PSM protocol and then use an indexing function that maps parties’ inputs to an index that identifies one and only one of these instances. Here we describe the indexing function we use. An informal presentation of the ideas behind this function and its design are presented in Sect. 2 (more specifically, Sect. 2.1).
5.1 Definition
Definition 5.1
Let \(\mathcal {X}_1,\dots ,\mathcal {X}_n\) be subsets of \(\mathbb {F}_q\) all containing 0. Let \(\mathcal {X}:=\mathcal {X}_1 \times \dots \times \mathcal {X}_n \subseteq \mathbb {F}_q^n\) denote their Cartesian product. Let \(\mathcal {S}\) be a finite set and \(\mathsf {ind}:\mathcal {X}\rightarrow \mathcal {S}\) be a function. Let \(T \subseteq \{1,\dots ,n\}\) be a subset and \(t \in \{0,\dots ,n\}\) be an integer.
The function \(\mathsf {ind}\) is a Tadmissible indexing function if for any \(\varvec{x} \in \mathcal {X}_{\bar{T}}\), the values \(\mathsf {ind}(\varvec{x}+\varvec{y})\) for \(\varvec{y} \in \mathcal {X}_T\) are all distinct. The function \(\mathsf {ind}\) is a tadmissible indexing function if it is Tadmissible for every subset \(T \subseteq \{1,\dots ,n\}\) of size \(T \le t\).
We want \(\mathcal {S}\) to be as small as possible as in our transformation we need to consider \(\mathcal {S}\) instances of the 0robust protocol. In particular, to have polynomial communication complexity, we need \(\mathcal {S}\) to be polynomial in n.
5.2 Relation with Codes
A qary code of length n is a subset C of \(\mathbb {F}_q^n\) and the distance \(\delta \) of C is the smallest Hamming distance of two distinct vectors in C.
We have the following lemma.
Lemma 5.2
Let \(t \in \{1,\dots ,n\}\) be an integer. Let \(\mathcal {X}_1,\dots ,\mathcal {X}_n,\mathcal {X},\mathcal {S}\) be defined as in Definition 5.1. Then a function \(\mathsf {ind}:\mathcal {X}\rightarrow \mathcal {S}\) is a tadmissible indexing function (not necessarily linear) if and only if for any \(\varvec{\sigma }\in \mathcal {S}\), \(\mathsf {ind}^{1}(\varvec{\sigma })\) is a code of distance \(\delta \ge t+1\).
Proof
The proof follows from the fact that two vectors \(\varvec{x}\) and \(\varvec{y}\) of \(\mathcal {X}\) have distance at most t if and only if \(\varvec{x}_{\bar{T}}= \varvec{y}_{{\bar{T}}}\) for a subset \(T \subseteq \{1,\dots ,n\}\) of size at most t. \(\square \)
When we restrict ourselves to linear indexing functions, the corresponding codes are either empty or shifts of the same linear code \(\mathsf {ind}^{1}(\varvec{0})\). We recall that a qary linear code of length n and dimension \(k=n\ell \) is a qary code of length n that is also a linear subspace C of \(\mathbb {F}_q^{n}\). It can be defined as the kernel of a fullrank matrix \(H \in \mathbb {F}_q^{\ell \times n}\) where H is called the paritycheck matrix of the code, namely, \(C = \{ \varvec{x} \in \mathbb {F}_q^n \mid H \cdot \varvec{x} = \varvec{0} \}\). A qary linear code of length n, of dimension k, and of minimum distance \(\delta \) is called a \([n,\,k,\,\delta ]_{q}\)code.
We have the following lemma which is a specialization of Lemma 5.2 to the linear case.
Lemma 5.3
Let \(t \in \{1,\dots ,n\}\) be an integer. Let \(H \in \mathbb {F}_q^{\ell \times n}\) be a fullrank matrix. The function \(\mathsf {ind}:\varvec{x} \in \mathbb {F}_q^n \mapsto H \cdot \varvec{x}\) is a tadmissible linear indexing function if and only if H is a paritycheck matrix of a linear code of distance \(\delta \ge t+1\).
Proof
H is a paritycheck matrix of a linear code of distance \(\delta \) if and only if \(\mathsf {ind}^{1}(\varvec{0})\), the kernel of matrix H, is a linear code of distance \(\delta \), and this holds if and only if \(\mathsf {ind}^{1}(\varvec{\sigma })\) is a code of distance \(\delta \) for all \(\varvec{\sigma }\in \mathbb {F}_q^\ell \). By Lemma 5.2 the latter condition holds if and only if \(\mathsf {ind}\) is a tadmissible linear indexing function. \(\square \)
5.3 Constructions
Constructions of tadmissible linear indexing functions can be obtained using different error correcting codes, in particular ReedSolomon codes [13] as stated next.
Lemma 5.4
Let \(t \in \{1,\dots ,n\}\) be an integer. Let \(q \ge n\) be a prime power. Let \(\ell = t\). Then there exists a tadmissible linear indexing function \(\mathsf {ind}:\varvec{x} \in \mathbb {F}_q^n \mapsto H \cdot \varvec{x}\), for a matrix \(H \in \mathbb {F}_q^{\ell \times n}\). In particular, H can be a paritycheck of the ReedSolomon \([n,\,n\ell ,\,\ell +1]_{q}\)code.
We remark that between n and 2n, there always exists a power of 2.^{6} Therefore, the above lemma shows the existence of tadmissible linear indexing functions with \(\mathcal {S} = q^\ell \le {(2n)}^t\).
5.4 Lower Bound (on the Need for Constant t)
Using the relation of tadmissible indexing functions and codes of distance \(\delta \ge t+1\) (Lemma 5.2) together with a spherepackinglike Hamming bound, we get the following lower bound on \(\mathcal {S}\). It shows that if \(t = \omega (1)\) (as a function of \(n \rightarrow \infty \)), \(\mathcal {S}\) cannot be polynomial in n. It is formally proven in the full version.
Lemma 5.5
6 From 0Robustness to O(1)Robustness
Here we present the main construction and result of the paper, namely, a transformation from any PSM (i.e., 0robust NIMPC) to a trobust NIMPC where the latter has polynomial complexity for constant t provided the original protocol is polynomial time and the input set for each party is of polynomial size too. The transformation uses two main tools: the linear selector presented in Sect. 4.2 and admissible linear indexing functions introduced in Sect. 5. The main ideas and intuition about these tools and constructions are described in Sect. 2. The transformation is presented in Fig. 4, but first let us formally define what an NIMPC transformation is.
6.1 Definition of an NIMPC Transformation
An NIMPC transformation is a function \(\mathcal {T}\) which takes as input an NIMPC protocol \(\varPi ' = (\mathsf {Setup}',\mathsf {Msg}',\mathsf {Rec}')\) (usually 0robust) and outputs a new NIMPC protocol \(\varPi \) (usually trobust for \(t > 0\)). We focus on blackbox transformations that use the original algorithms \(\mathsf {Setup}',\mathsf {Msg}',\mathsf {Rec}'\) in a blackbox way (i.e., as oracles).
For convenience and without loss of generality we assume that the original NIMPC protocols \(\varPi '\) do not use public randomness, namely, \(\rho _0 = \perp \) (indeed, if \(\rho _0\ne \perp \), \(\rho _0\) can be appended to \(\rho _1\) and to all the messages sent by the first party \(P_1\)).
Definition 6.1

Functionality preservation. If \(\varPi ' = (\mathsf {Setup}',\mathsf {Msg}',\mathsf {Rec}')\) is an NIMPC protocol for some set \(\mathcal {F}\) of functions, then \(\varPi :=\mathcal {T}(\varPi ') :=(\mathsf {Setup}^{\varPi '},\mathsf {Msg}^{\varPi '},\mathsf {Msg}^{\varPi '})\) ^{7} is also an NIMPC protocol for the same set \(\mathcal {F}\) of functions.
Definition 6.2
Let t be an integer, then an NIMPC transformation is trobust if it is Trobust for any subset \(T \subseteq \{1,\dots ,n\}\) of size at most t.
The power of a Trobust NIMPC transformation for transforming 0robustness into trobustness, is shown in the following lemma whose proof follows directly from the above definition.
Lemma 6.3
Let \(n \in \mathbb {N}_{>0}\), \(T \subseteq \{1,\dots ,n\}\). Let \(\mathcal {T}= (\mathsf {Setup},\mathsf {Msg},\mathsf {Rec})\) be a Trobust NIMPC transformation. If \(\varPi '\) is a perfectly (resp., statistically, computationally) 0robust NIMPC, then \(\varPi = \mathcal {T}(\varPi ')\) is perfectly (resp., statistically, computationally) Trobust, with the simulator \(\mathsf {Sim}\) defined as follows: \(\mathsf {Sim}^{{ \left. f \right _{{\bar{T}},\varvec{x}_{\bar{T}}} }}(1^n,1^\mathfrak {K},T) = \widetilde{\mathsf {Sim}}^{\varPi ',O'_{n,\mathfrak {K},f,T}}(1^n,1^\mathfrak {K},T)\), where \(O'_{n,\mathfrak {K},f,T}: \varvec{x}_T \in \mathcal {X}_T \mapsto \mathsf {Sim}'^{{ \left. f \right _{\emptyset ,\varvec{x}_{\bar{T}}+\varvec{x}_T} }}(1^n,1^\mathfrak {K},\emptyset )\) using notation in Definition 6.2 and where \(\mathsf {Sim}'\) is a simulator for \(\varPi '\)).
6.2 Actual Transformation
The main theorem of the paper is presented next. It proves that the transformation described in Fig. 4 is functionality preserving (Definition 6.1) and robust (Definition 6.2).
Theorem 6.4
 1.Functionality preservation. For any NIMPC protocol \(\varPi '=(\mathsf {Setup}',\mathsf {Msg}',\mathsf {Rec}')\) for a set of functions \(\mathcal {F}\) from \(\mathcal {X}= \mathcal {X}_1 \times \dots \times \mathcal {X}_n\), the resulting NIMPC protocol \(\varPi = \mathcal {T}(\varPi ')\) has the following online and offline communication complexities (when the underlying linear selector is the one from Theorem 4.7):where \(q \ge \max (\mathcal {X}_1,\dots ,\mathcal {X}_n)\) and q is a prime power, and \(\ell \) is the dimension of the range of the linear indexing function \(\mathsf {ind}:\varvec{x} \in \mathbb {F}_q^n \mapsto H \cdot \varvec{x} \in \mathbb {F}_q^\ell \).^{8}$$\begin{aligned} \textsf {CC}_{\textsf {on}}(\varPi )&\le q^{\ell +1} \cdot n \cdot (\ell +1 + \lceil \textsf {CC}_{\textsf {on}}(\varPi ') / \log q \rceil ) \cdot \lceil \log q \rceil , \\ \textsf {CC}_{\textsf {off}}(\varPi )&\le q^{\ell +1} \cdot n \cdot (\ell +1 + 2 \cdot \lceil \textsf {CC}_{\textsf {on}}(\varPi ') / \log q \rceil ) \cdot \lceil \log q \rceil , \end{aligned}$$
 2.
T  robustness. For any \(T \subseteq \{1,\dots ,n\}\), if \(\mathsf {ind}\) is a Tadmissible indexing function and \(\varPi _M\) is a perfectly Trobust linear selector, the NIMPC transformation from Fig. 4 is Trobust. The corresponding simulator \(\widetilde{\mathsf {Sim}}\) runs in polynomial time in \(n,\mathfrak {K},q^\ell ,\textsf {CC}_{\textsf {on}}(\varPi '),\mathcal {X}_T\) and calls its oracle O once for each vector \(\varvec{x}_T \in \mathcal {X}_T\), when the underlying linear selector is the one from Theorem 4.7.
The proof of the theorem appears in the full version. We have the following corollary.
Corollary 6.5
Let t be a positive integer. Let \(\varPi '=(\mathsf {Setup}',\mathsf {Msg}',\mathsf {Rec}')\) be an NIMPC protocol for a set of functions \(\mathcal {F}\) from \(\mathcal {X}= \mathcal {X}_1 \times \dots \times \mathcal {X}_n\). Let q be the smallest prime power at least equal to \(\max (n, \mathcal {X}_1,\dots ,\mathcal {X}_n)\). We recall that \(q \le 2\max (n, \mathcal {X}_1,\dots ,\mathcal {X}_n)\).^{9} Let \(\mathsf {ind}:\varvec{x} \in \mathbb {F}_q^n \mapsto H \cdot \varvec{x} \in \mathbb {F}_q^\ell \) be the tadmissible linear indexing function defined in Lemma 5.4 (in particular \(\ell =t\)).
The NIMPC protocol \(\varPi = \mathcal {T}(\varPi ')\) from Fig. 4 is perfectly (resp., statistically, computationally) trobust, if \(\varPi '\) is perfectly (resp., statistically, computationally) 0robust. Furthermore, if \(t = O(1)\) and the communication complexity of \(\varPi '\) and the input size \(\mathcal {X}_i\) (for all i) are all polynomial in n and \(\mathfrak {K}\), then the communication complexity of \(\varPi \) is polynomial in n and \(\mathfrak {K}\). If in addition \(\varPi '\) is polynomialtime, so is \(\varPi \). Similarly, if the simulator for \(\varPi '\) is polynomialtime, so is the simulator for \(\varPi \).
We point out that the simulator \(\widetilde{\mathsf {Sim}}\) is uniform in T and n.
7 NIMPC for Symmetric Functions
In this section, we construct NIMPC protocols for symmetric functions with better asymptotic complexity than with our generic transformation (from an efficient 0robust NIMPC for symmetric function which exists for any symmetric function) or with [3, Sect. 4]. The communication complexity of the latter construction is \(\left( {\begin{array}{c}n\\ t\end{array}}\right) \cdot O(2^t \cdot n^4)\), while our new construction for symmetric functions achieve a communication complexity of \(n^{\log \log n + \log t + O(1)}\). Our construction uses our new fully robust NIMPC for Abelian programs in Sect. 4.3.
7.1 Symmetric Functions
Let us first recall the definition of a symmetric function. We focus on the case where each input is a bit. But our construction can be generalized.
Definition 7.1
Let n be a positive integer and \(\varOmega \) be a finite set. A function \(f :\{0,1\}^n \rightarrow \varOmega \) is symmetric if and only if for any permutation \(\pi \) of \(\{1,\dots ,n\}\) and for any \(\varvec{x} \in \{0,1\}^n\), \(f(x_1,\dots ,x_n) = f(x_{\pi (1)},\dots ,x_{\pi (n)})\).
7.2 Overview of the Construction
If we directly use the construction of NIMPC for Abelian programs in Sect. 4.3, we would get a fully robust NIMPC for symmetric function with communication complexity \(n^{\log n + O(1)} \cdot \log \varOmega \). This is already an interesting result. However, we would like to go further. For that we use the Chinese Remainder Theorem to decompose the initial function over a large group \(\mathbb {Z}_{n+1}\) or \(\mathbb {Z}\) into functions over smaller groups.
Decomposition and Recombination Using CRT. Let \(p_1<\dots <p_\ell \) be the first \(\ell \) prime numbers, such that \(N :=\prod _{j=1}^\ell p_j \ge n+1\). We recall that there is a ring isomorphism \({{\mathrm{CRT}}}:\prod _{j=1}^\ell \mathbb {Z}_{p_j} \rightarrow \mathbb {Z}_{N}\). In particular \({{\mathrm{CRT}}}(y_1,\dots ,y_\ell )\) is the only integer y in \(\{0,\dots ,N1\}\) such that \(y \bmod p_j = y_j\) for any \(j \in \{1,\dots ,\ell \}\). By the prime number theorem, we can choose \(p_j = O(\log n)\) for \(j \in \{1,\dots ,\ell \}\) (and \(\ell = O(\log n)\) too). The main idea is the following: we first compute some wellchosen Abelian programs over each group \(\mathbb {Z}_{p_j}\) (over the original inputs \((x_1,\dots ,x_n) \in \mathcal {X}\)) and then combine back the intermediate results (corresponding to some function of \(\sum _{i=1}^n x_i \bmod p_j\)) to compute \({\tilde{g}}(\sum _{i=1}^n x_i)\).
For each \(j \in \{1,\dots ,\ell \}\), we can then use our construction for Abelian programs in Sect. 4.3 in the groups \(\mathbb {Z}_{p_j}\) for the input sets \(\mathcal {X}_1=\dots =\mathcal {X}_n = \{0,1\}\) and the messages \(\varvec{\tilde{m}}_j\) defined by \(\tilde{m}_{j,v} = m'_{j,v}\) (for each \(v \in \mathbb {Z}_{p_j}\)) to enable the computation (or selection) of \(m'_{j,y_j}\) for \(y_j = \sum _{i=1}^n x_i \bmod p_j\). The resulting construction would have communication complexity \(n^{\log \log n + O(1)} \cdot \log \varOmega \), as \({\mathbb {Z}_{p_j}}^{\log n} = n^{\log \log n + O(1)}\).
For each \(j \in \{1,\dots ,\ell \}\), we now use our construction for Abelian programs in Sect. 4.3 in the groups \(\mathbb {G}_j\) for the input sets \(\mathcal {X}_1=\dots =\mathcal {X}_n = \{0,1\}\) and the messages \(\varvec{\tilde{m}}_j\) defined by \(\tilde{m}_{j,v} = m'_{j,v}\) (for each \(v \in \mathbb {G}_j\)), where \(1 \in \{0,1\}\) is identified to \((1,1) \in \mathbb {G}_j\) and \(0 \in \{0,1\}\) is identified to \((0,0) \in \mathbb {G}_j\). The communication complexity becomes \(n^{\log \log n + \log t + O(1)} \cdot \log \varOmega \).
7.3 Formal Construction
We formally prove the following theorem in the full version.
Theorem 7.2
Let \(\mathcal {F}= {\{f_{\tilde{g}}\}}_{{\tilde{g}}}\) be the set of symmetric functions \(f_{\tilde{g}}:\varvec{x} \in \{0,1\}^n \mapsto {\tilde{g}}(\sum _{i=1}^n x_i) \in \varOmega \), where \({\tilde{g}}:\mathbb {Z}_{n+1} \rightarrow \varOmega \) and \(\varOmega \) is some finite set. Let t be an integer. There exists a trobust NIMPC for \(\mathcal {F}\) with communication complexity \(n^{\log \log n + \log t + O(1)} \cdot \log \varOmega \). In particular, if \(t = O(\log n)\), the communication complexity if \(n^{O(\log \log n)} \cdot \log \varOmega \).
Footnotes
 1.
Name given by Ishai and Kushilevitz [9].
 2.
We can always represent the message \(m'_{\varvec{\sigma },i,b}\) as a tuple of elements in \(\mathbb {F}_q\), and use an independent messageoutputting protocol for each of these elements.
 3.
Note that while the honest parties’ inputs are from \(\{0,1\}\), we cannot control the inputs the adversary uses. The adversary can choose inputs from \(\mathbb {F}_q\).
 4.
In Sect. 3.2 we slightly change notation for vectors \(\varvec{x}_T\).
 5.
One refers to the vector \((\rho _0,\rho _1,\dots ,\rho _n)\) as the correlated randomness of the parties, with \(\rho _0\) called public randomness.
 6.
Better bounds for intervals containing a prime (power) exist. See [1].
 7.
The notation \(\mathsf {Setup}^{\varPi '}\) is a shortcut for \(\mathsf {Setup}^{\mathsf {Setup}',\mathsf {Msg}',\mathsf {Rec}'}\), i.e., \(\mathsf {Setup}\) with the three oracles \(\mathsf {Setup}',\mathsf {Msg}',\mathsf {Rec}'\).
 8.
We recall that \(\varPi '\) is assumed not to use any public randomness: \(\rho _0 = \perp \).
 9.
Better bounds for intervals containing a prime (power) exist. See [1].
Notes
Acknowledgments
This work was supported by the Defense Advanced Research Projects Agency (DARPA) and Army Research Office (ARO) under Contract No. W911NF15C0236.
References
 1.Baker, R.C., Harman, G., Pintz, J.: The difference between consecutive primes, ii. Proc. Lond. Math. Soc. 83(3), 532–562 (2001). http://www.cs.umd.edu/~gasarch/BLOGPAPERS/BakerHarmanPintz.pdf
 2.Barrington, D.A.M.: Boundedwidth polynomialsize branching programs recognize exactly those languages in nc\({^1}\). In: Hartmanis, J. (ed.) Proceedings of the 18th Annual ACM Symposium on Theory of Computing, 28–30 May 1986, Berkeley, California, USA, pp. 1–5. ACM (1986). http://doi.acm.org/10.1145/12130.12131
 3.Beimel, A., Gabizon, A., Ishai, Y., Kushilevitz, E., Meldgaard, S., PaskinCherniavsky, A.: Noninteractive secure multiparty computation. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 387–404. Springer, Heidelberg (2014). doi: 10.1007/9783662443811_22 CrossRefGoogle Scholar
 4.Feige, U., Kilian, J., Naor, M.: A minimal model for secure computation (extended abstract). In: 26th ACM STOC, pp. 554–563. ACM Press, May 1994Google Scholar
 5.Goldwasser, S., et al.: Multiinput functional encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 578–602. Springer, Heidelberg (2014). doi: 10.1007/9783642552205_32 CrossRefGoogle Scholar
 6.Goldwasser, S., Rothblum, G.N.: On bestpossible obfuscation. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 194–213. Springer, Heidelberg (2007). doi: 10.1007/9783540709367_11 CrossRefGoogle Scholar
 7.Halevi, S., Ishai, Y., Jain, A., Kushilevitz, E., Rabin, T.: Secure multiparty computation with general interaction patterns. In: Sudan, M. (ed.) ITCS 2016, pp. 157–168. ACM, New York (2016)Google Scholar
 8.Halevi, S., Lindell, Y., Pinkas, B.: Secure computation on the web: computing without simultaneous interaction. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 132–150. Springer, Heidelberg (2011). doi: 10.1007/9783642227929_8 CrossRefGoogle Scholar
 9.Ishai, Y., Kushilevitz, E.: Private simultaneous message protocols with applications. In: Proceedings of ISTCS, pp. 174–184 (1997)Google Scholar
 10.Ishai, Y., Kushilevitz, E.: Perfect constantround secure computation via perfect randomizing polynomials. In: Widmayer, P., Eidenbenz, S., Triguero, F., Morales, R., Conejo, R., Hennessy, M. (eds.) ICALP 2002. LNCS, vol. 2380, pp. 244–256. Springer, Heidelberg (2002). http://dx.doi.org/10.1007/3540454659_22 CrossRefGoogle Scholar
 11.Karchmer, M., Wigderson, A.: On span programs. In: Proceedings of Structures in Complexity Theory, pp. 102–111 (1993)Google Scholar
 12.Kilian, J.: Founding cryptography on oblivious transfer. In: 20th ACM STOC, pp. 20–31. ACM Press, May 1988Google Scholar
 13.MacWilliams, F.J., Sloane, N.J.A.: The Theory of Errorcorrecting Codes. Elsevier, Amsterdam (1977)zbMATHGoogle Scholar
 14.Obana, S., Yoshida, M.: An efficient construction of noninteractive secure multiparty computation. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 604–614. Springer, Cham (2016). doi: 10.1007/9783319489650_39 CrossRefGoogle Scholar
 15.Yao, A.C.C.: How to generate and exchange secrets (extended abstract). In: 27th FOCS, pp. 162–167. IEEE Computer Society Press, October 1986Google Scholar
 16.Yoshida, M., Obana, S.: On the (in)efficiency of noninteractive secure multiparty computation. In: Kwon, S., Yun, A. (eds.) ICISC 2015. LNCS, vol. 9558, pp. 185–193. Springer, Cham (2016). doi: 10.1007/9783319308401_12 CrossRefGoogle Scholar