• PDF / 295,702 Bytes
• 16 Pages / 439.37 x 666.142 pts Page_size
• 62 Downloads / 172 Views

DOWNLOAD

REPORT

Deptartment of Computer Science, Bar-Ilan University, Ramat Gan, Israel [email protected] 2 IBM T.J. Watson Research Center, New York, USA [email protected]

Abstract. Protocols for secure two-party computation enable a pair of mutually distrustful parties to carry out a joint computation of their private inputs without revealing anything but the output. One important security property that has been considered is that of fairness which guarantees that if one party learns the output then so does the other. In the case of two-party computation, fairness is not always possible, and in particular two parties cannot fairly toss a coin (Cleve, 1986). Despite this, it is actually possible to securely compute many two-party functions with fairness (Gordon et al., 2008 and follow-up work). However, all known two-party protocols that achieve fairness have the unique property that the effective input of the corrupted party is determined at an arbitrary point in the protocol. This is in stark contrast to almost all other known protocols that have an explicit fixed round at which the inputs are committed. In this paper, we ask whether or not the property of not having an input committal round is inherent for achieving fairness for two parties. In order to do so, we revisit the definition of security of Micali and Rogaway (Technical report, 1992), that explicitly requires the existence of such a committal round. We adapt the definition of Canetti in the two-party setting to incorporate the spirit of a committal round, and show that under such a definition, it is impossible to achieve fairness for any non-constant two-party function. This result deepens our understanding as to the type of protocol construction that is needed for achieving fairness. In addition, our result discovers a fundamental difference between the definition of security of Micali and Rogaway and that of Canetti (Journal of Cryptology, 2000) which has become the standard today. Specifically, many functions can be securely computed with fairness under the definition of Canetti but no non-constant function can be securely computed with fairness under the definition of Micali and Rogaway.

Keywords: Secure two-party computation security

·

Fairness

·

Definitions of

c International Association for Cryptologic Research 2017  Y. Kalai and L. Reyzin (Eds.): TCC 2017, Part I, LNCS 10677, pp. 565–580, 2017. https://doi.org/10.1007/978-3-319-70500-2_19

566

1

Y. Lindell and T. Rabin

Introduction

In the setting of secure two-party computation, a pair of parties P1 and P2 wish to compute a joint function of their private inputs in a secure manner. The standard requirements for security are privacy (meaning that nothing but the output is revealed), correctness (meaning that the output is correctly computed) and independence of inputs (meaning that a corrupted party cannot make its input dependent on the honest party’s input). An additional property that is highly desired in many applications is that of fairness, which guarantees that corrupted parties cannot receive output wi

Recommend Documents

Efficient Secure Multiparty Computation with Identifiable Abort

194 98 19MB

Cross-Domain Secure Computation

151 89 8MB

Application-Scale Secure Multiparty Computation

175 73 977KB

Compilation for Secure Multi-party Computation

159 30 2MB

Four Round Secure Computation Without Setup

161 104 1MB

Binary AMD Circuits from Secure Multiparty Computation

176 79 19MB

Secure Multiparty RAM Computation in Constant Rounds

187 45 19MB

Secure Massively Parallel Computation for Dishonest Majority

213 9 29MB

Secure Computation of the Vector Dominance Problem

176 71 8MB

Secure Two-Party Computation in a Quantum World

164 2 10MB

Secure Matrix Computation: A Viable Alternative to Record Linkage?

97 44 24MB

Secure Database Design

186 32 2MB