Partial Fairness in Secure Two-Party Computation

Dov Gordon & Jonathan Katz, University of Maryland (slides)

What is Fairness?

Before the days of secure computation (way back in 1980) it meant a "fair exchange": of two signatures, of two secret keys, of two bits, certified mail.

Over time, developed to include general computation: F(x,y): X × Y → Z^(1) × Z^(2)

Exchanging Signatures [Even-Yacobi80]

Impossible if we require both players to receive the signature "at the same time".

(Slide animation: the parties trade partial signatures and check each one, "Does that verify? NO." again and again, until one party's check finally says "Yes!!" and that party walks away with a valid signature while the other is left with nothing: "Sucker!")

Impossible: later, in 1986, Cleve showed that even exchanging two bits is impossible!

"Gradual Release"

Reveal it "bit by bit"! (Each revealed bit halves the remaining brute-force time.) Prove each bit is correct and not junk. Assume that the resulting "partial problem" is still (relatively) hard.

Notion of fairness: almost equal time to recover the output on an early abort. [Blum83, Even81, Goldreich83, EGL83, Yao86, GHY87, D95, BN00, P03, GMPY06]

"Gradual Convergence"

Reduce the noise, increase the confidence (the probability of correctness increases over time). E.g., result_i = output ⊕ c_i, where the noise c_i → 0 with increasing i.

Removes assumptions about resources. Notion of fairness: almost equal confidence at the time of an early abort. [LMR83, VV83, BG89, GL90]

Drawbacks (release, convergence)

Key decisions are external to the protocol: Should a player brute-force the output? Should a player trust the output? If the adversary knows how the decision is made, it can violate fairness.

Fairness can be violated by an adversary who is willing to run slightly longer than the honest parties are willing to run, or to accept slightly less confidence in the output.

There is no a priori bound on the honest parties' running time. Known computational resources are assumed for each party. If the adversary has prior knowledge, it will receive "useful output" first.

Our Results

We demonstrate a new framework for partial fairness. We place the problem in the real/ideal paradigm. We demonstrate feasibility for a large class of functions. We show that our feasibility result is tight.

Defining Security (2 parties)

(Slide figure.) Real world: the parties run the protocol on inputs x and y; the honest party obtains its output (F1(x,y) or F2(x,y)) and the adversary obtains its view. Ideal world: the parties hand x and y to a trusted party, which returns F1(x,y) and F2(x,y). Security requires the adversary's view together with the honest party's output in the real world to be indistinguishable from the same pair in the ideal world.

"Security with Complete Fairness"

The Standard Relaxation

(Slide figure.) Real world as before. Ideal world: the trusted party first hands the adversary its output, and the adversary answers "continue" or "abort"; on "continue" the honest party receives its output (e.g., F1(x,y)), on "abort" it receives ⊥. Real and ideal are again required to be indistinguishable.

"Security with abort". Note: no fairness at all!

Our Relaxation

Stick with the real/ideal paradigm: the real world and a relaxed ideal world are ε-indistinguishable*.

*I.e., for all PPT A, |Pr[A(real)=1] − Pr[A(ideal)=1]| < ε(n) + negl. (Similar to: [GL01], [Katz07])

"Full security": offers complete fairness, but it can only be achieved for a limited set of functions.
"Security with abort": can be achieved for any poly-time function, but it offers no fairness!
"ε-Security": our relaxation.

Protocol 1

(Slide figure.) ShareGen takes x from Alice and y from Bob and computes two sequences a_1, ..., a_r and b_1, ..., b_r, each value split into two shares with a_i^(1) ⊕ a_i^(2) = a_i and b_i^(1) ⊕ b_i^(2) = b_i. Alice receives a_1^(1), ..., a_r^(1) and b_1^(1), ..., b_r^(1); Bob receives a_1^(2), ..., a_r^(2) and b_1^(2), ..., b_r^(2).

a_i: output of Alice if Bob aborts in round i+1. b_i: output of Bob if Alice aborts in round i+1. To compute F(x,y): X × Y → Z^(1) × Z^(2).

Protocol 1 similar to: [GHKL08], [MNS09]

(Slide animation of the rounds.) In round i the parties exchange their shares of a_i and b_i: Alice learns a_i first, then Bob learns b_i, so after round i Alice holds a_1, ..., a_i and Bob holds b_1, ..., b_i. If nobody aborts, Alice ends with a_r = F1(x,y) and Bob with b_r = F2(x,y).

How ShareGen picks the values: choose a round i* uniformly at random.
For i ≥ i*: a_i = F1(x,y) and b_i = F2(x,y).
For i < i*: a_i = F1(x,Y) where Y is uniform; b_i = F2(X,y) where X is uniform.

How do we choose … ?

Protocol 1: analysis

What are the odds that Alice aborts in round i*? If she knows nothing about F1(x, y), it is at most 1/r. But this is not a reasonable assumption! The probability that F1(x, Y) = z or F1(x, Y) = z' may be small, so identifying F1(x, y) in round i* may be simple.

(Slide figure: Alice, knowing "the output is z or z'", watches a_1, a_2, a_3, ... and stops as soon as a value in {z, z'} appears.)

A Key Lemma

Consider the following game, parameterized by α ∈ (0,1] and r ≥ 1:
Fix distributions D1 and D2 such that for every z, Pr[D1 = z] ≥ α · Pr[D2 = z].
The challenger chooses i* uniformly from {1, ..., r}.
For i < i*, choose a_i according to D1; for i ≥ i*, choose a_i according to D2.
For i = 1 to r, give a_i to the adversary in iteration i. The adversary wins if it stops the game in iteration i*.

Lemma: Pr[Win] ≤ 1/(α · r)

Protocol 1: analysis

D1 = F1(x, Y) for uniform Y; D2 = F1(x, y). So Pr[D1 = F1(x, y)] ≥ Pr[Y = y] = 1/|Y|, i.e. α = 1/|Y|.
The probability that P1 aborts in iteration i* is at most |Y|/r. Setting r = |Y|/ε gives ε-security.
Need |Y| to have polynomial size. Need ε to be 1/poly.

Protocol 1: summary

Theorem: Fix a function F and ε = 1/poly. If F has a poly-size domain (for at least one player) then there is an ε-secure protocol computing F (under standard assumptions).

The protocol is private. Also secure-with-abort (after a small tweak).

Handling large domains

With the previous approach, α = 1/|Y| becomes negligibly small: this causes r to become exponentially large.

Solution: if the range of Alice's function is poly-size: with probability 1−ε, choose a_i as before, a_i = F1(x, Y); with probability ε, choose a_i ← Z^(1) uniformly. Then r is polynomial again!

(Slide figure: Alice still knows "the output is z or z'", but now Pr[a_i = z] ≥ ε/|Z^(1)| for every z, so α = ε/|Z^(1)|.)
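The following Python works through the Key Lemma and its two instantiations above: Protocol 1's α = 1/|Y| with r = |Y|/ε, and Protocol 2's range-mixing with α = ε/|Z^(1)|. It is an added example written for this page, not the authors' code. Assumptions made for illustration: the function names, the equality function on a 100-element domain (plus a constructed million-element distribution), and the "stop at the first a_i in S" adversary. That adversary is one concrete strategy, so its exact win probability is a lower bound on what the lemma must cover, while `lemma_bound` is the lemma's upper bound 1/(α·r).

```python
import math
from fractions import Fraction
from typing import Dict, Hashable, Set

Dist = Dict[Hashable, Fraction]   # value -> probability mass


def alpha(D1: Dist, D2: Dist) -> Fraction:
    """Largest alpha with Pr[D1 = z] >= alpha * Pr[D2 = z] for every z in D2's support."""
    return min(D1.get(z, Fraction(0)) / p for z, p in D2.items() if p)


def win_probability(r: int, D1: Dist, D2: Dist, S: Set[Hashable]) -> Fraction:
    """Exact win probability of the adversary that stops at the first a_i in S.
    Game: i* uniform in {1..r}; a_i ~ D1 for i < i*, a_i ~ D2 for i >= i*.
    It wins iff no a_j with j < i* falls in S and a_{i*} does."""
    p1 = sum((D1.get(z, Fraction(0)) for z in S), Fraction(0))
    p2 = sum((D2.get(z, Fraction(0)) for z in S), Fraction(0))
    if p1 == 0:                      # early a_i never hit S: wins iff a_{i*} in S
        return p2
    # (1/r) * sum_{k=1}^{r} (1-p1)^(k-1) * p2, geometric series in closed form
    return p2 * (1 - (1 - p1) ** r) / (p1 * r)


def lemma_bound(r: int, D1: Dist, D2: Dist) -> Fraction:
    """The Key Lemma's bound Pr[Win] <= 1/(alpha * r)."""
    return 1 / (alpha(D1, D2) * r)


def rounds_for(eps: Fraction, a: Fraction) -> int:
    """Smallest r with 1/(alpha * r) <= eps, i.e. r = ceil(1 / (alpha * eps))."""
    return math.ceil(1 / (a * eps))


def protocol1_distributions(f1, x, y, domain_y):
    """Protocol 1 analysis: D1 = F1(x, Y) for uniform Y, D2 = point mass at F1(x, y)."""
    ys = list(domain_y)
    D1: Dist = {}
    for yy in ys:
        D1[f1(x, yy)] = D1.get(f1(x, yy), Fraction(0)) + Fraction(1, len(ys))
    return D1, {f1(x, y): Fraction(1)}


def protocol2_mix(D1: Dist, range_vals, eps: Fraction) -> Dist:
    """Protocol 2: with probability 1-eps draw a_i from D1, with probability eps a
    uniform range element; afterwards every range element has mass >= eps/|range|."""
    mixed = {z: (1 - eps) * p for z, p in D1.items()}
    for z in range_vals:
        mixed[z] = mixed.get(z, Fraction(0)) + eps / len(range_vals)
    return mixed


if __name__ == "__main__":
    eq = lambda x, y: int(x == y)            # equality, the slides' appendix function
    D1, D2 = protocol1_distributions(eq, 7, 7, range(100))   # |Y| = 100, output 1
    eps = Fraction(1, 10)
    print("alpha =", alpha(D1, D2), " r for eps-security =", rounds_for(eps, alpha(D1, D2)))
    print("r = |Y|:   win =", float(win_probability(100, D1, D2, {1})), " bound =", float(lemma_bound(100, D1, D2)))
    print("r = |Y|/e: win =", float(win_probability(1000, D1, D2, {1})), " bound =", float(lemma_bound(1000, D1, D2)))
    # Constructed large-domain case: equality on a million-element domain.
    big = {1: Fraction(1, 10**6), 0: 1 - Fraction(1, 10**6)}
    print("large domain: r =", rounds_for(eps, alpha(big, D2)),
          " after mixing:", rounds_for(eps, alpha(protocol2_mix(big, [0, 1], eps), D2)))
```

With r = |Y| the lemma's bound is 1, and indeed the informed adversary aborts in round i* about 63% of the time; r = |Y|/ε brings her below ε. For the million-element domain Protocol 1 needs ten million rounds at ε = 1/10, while mixing in a uniform range element (|Z^(1)| = 2) brings it down to 200.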

Protocol 2: summary

Theorem: Fix a function F and ε = 1/poly. If F has a poly-size range (for at least one player) then there is an ε-secure protocol computing F (under standard assumptions).

The protocol is private. The protocol is not secure-with-abort anymore.
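An added Python model of the share-based round structure of Protocol 1 and, through the `eps` parameter, the range-mixing of Protocol 2 (the two theorems above). It is illustration code written for this page, not the authors' implementation. Assumptions: the equality function on a ten-element domain, the function names, single-bit XOR shares (the range is {0,1}), and the rule that a party that is aborted on before learning any value outputs F1(x,Y) resp. F2(X,y) for a locally sampled uniform Y resp. X, the same distribution as an early a_i or b_i.

```python
import random
from typing import List, Tuple

# Constructed demo function: equality on a ten-element domain, F1 = F2 = [x == y]
# (the function the slides' appendix uses). Domain and range are hypothetical.
DOMAIN = list(range(10))
RANGE = [0, 1]


def F(x: int, y: int) -> Tuple[int, int]:
    out = int(x == y)
    return out, out


Shares = List[Tuple[int, int]]   # per round: (share of a_i, share of b_i)


def sharegen(x: int, y: int, r: int, rng: random.Random, eps: float = 0.0):
    """Model of ShareGen. Chooses i* uniformly in {1..r}; for i >= i* sets
    a_i = F1(x,y), b_i = F2(x,y); for i < i* samples a_i = F1(x,Y), b_i = F2(X,y)
    for uniform Y, X (Protocol 1). With eps > 0 (Protocol 2) each early a_i / b_i
    is instead a uniform range element with probability eps.
    Returns i* (for analysis only; the parties never learn it) and XOR shares:
    alice[i-1] = (a_i^(1), b_i^(1)), bob[i-1] = (a_i^(2), b_i^(2))."""
    i_star = rng.randint(1, r)
    f1, f2 = F(x, y)
    alice, bob = [], []
    for i in range(1, r + 1):
        if i >= i_star:
            a_i, b_i = f1, f2
        else:
            a_i = rng.choice(RANGE) if rng.random() < eps else F(x, rng.choice(DOMAIN))[0]
            b_i = rng.choice(RANGE) if rng.random() < eps else F(rng.choice(DOMAIN), y)[1]
        a1, b1 = rng.getrandbits(1), rng.getrandbits(1)   # one share is uniform ...
        alice.append((a1, b1))
        bob.append((a1 ^ a_i, b1 ^ b_i))                   # ... the other fixes the value
    return i_star, alice, bob


def run_protocol(x: int, y: int, alice: Shares, bob: Shares, rng: random.Random,
                 abort_by: str = None, abort_round: int = None) -> Tuple[int, int]:
    """Round i: Bob sends a_i^(2) (Alice reconstructs a_i), then Alice sends b_i^(1)
    (Bob reconstructs b_i). abort_by in {None, 'alice', 'bob'} aborts in round
    abort_round instead of sending. Each party outputs the last value it reconstructed;
    if it never got one (abort in round 1) it outputs F1(x,Y) / F2(X,y) for a locally
    sampled uniform Y / X (our assumption, not stated on the slides)."""
    a_seen, b_seen = [], []
    for i in range(1, len(alice) + 1):
        if abort_by == "bob" and abort_round == i:
            break
        a_seen.append(alice[i - 1][0] ^ bob[i - 1][0])      # Alice learns a_i
        if abort_by == "alice" and abort_round == i:
            break
        b_seen.append(alice[i - 1][1] ^ bob[i - 1][1])      # Bob learns b_i
    alice_out = a_seen[-1] if a_seen else F(x, rng.choice(DOMAIN))[0]
    bob_out = b_seen[-1] if b_seen else F(rng.choice(DOMAIN), y)[1]
    return alice_out, bob_out


def alice_correct_rate(x: int, y: int, r: int, abort_round: int, trials: int,
                       seed: int = 0, eps: float = 0.0) -> float:
    """Fraction of runs in which Alice's output equals F1(x,y) when Bob aborts in
    round abort_round. Expect about Pr[i* < abort_round] + Pr[i* >= abort_round] * Pr[early a_i correct]."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        _, al, bo = sharegen(x, y, r, rng, eps)
        out, _ = run_protocol(x, y, al, bo, rng, "bob", abort_round)
        hits += out == F(x, y)[0]
    return hits / trials


if __name__ == "__main__":
    rng = random.Random(7)
    i_star, al, bo = sharegen(3, 3, 20, rng)
    print("honest run:", run_protocol(3, 3, al, bo, rng))
    print("Bob aborts in round i*+1:", run_protocol(3, 3, al, bo, rng, "bob", i_star + 1))
    print("Alice correct after a round-1 abort:", alice_correct_rate(3, 3, 20, 1, 2000))
    print("Protocol 2 (eps=1), abort in round 2:", alice_correct_rate(3, 3, 20, 2, 2000, eps=1.0))
```

An abort in round 1 leaves Alice with F1(3, Y), which equals the true output only when Y = 3, so her output is correct about one time in ten; with eps = 1 every early a_i is a uniform bit, so an abort in round 2 leaves her right about half the time, plus the 1/r chance that i* = 1.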

Our Results are Tight (wrt I/O size)

Theorem: There exists a function with super-polynomial size domain and range that cannot be efficiently computed with ε-security.

Theorem: There exists a function with super-polynomial size domain and poly-size range that cannot be computed with ε-security and with security-with-abort simultaneously.

Summary

We suggest a clean notion of partial fairness, based on the real/ideal paradigm; parties have well-defined outputs at all times. We show feasibility for functions with poly-size domain/range, and infeasibility for certain functions outside that class.

Open: can we find a definition of partial fairness that has the above properties, and can be achieved for all functions?

Thank You!

Gradual Convergence: equality

F(x,y) = 1 if x = y, 0 if x ≠ y.

Suppose b = f(x,y) = 0 w.h.p. Alice can bias Bob to output 1.

(Slide animation: in round i Bob receives b ⊕ c_i; the values run b ⊕ c_1 = 0, b ⊕ c_2 = 1, b ⊕ c_3 = 1, ..., and Alice, thinking "Hope I'm lucky!", aborts as soon as a 1 appears.) For small i, c_i has a lot of entropy, so Bob's output is (almost) random.

Accordingly, [BG89] instructs Bob to always respond to an abort by outputting ⊥ ("Can't trust that output"). But what if Alice runs until the last round!

Gradual Convergence: drawbacks

If parties always trust their output, the adversary can induce a bias. The decision of whether an honest party should trust the output is external to the protocol: if made explicit, the adversary can abort just at that point. If the adversary is happy with less confidence, he can receive "useful" output alone. If the adversary has higher confidence a priori, he will receive "useful" output first.
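An added Python simulation of the appendix's equality example and of both drawbacks, written for this page rather than taken from the slides or [BG89]. Assumptions: a constructed convergence schedule Pr[c_i = 1] = (r − i)/(2r), so that result_i = b ⊕ c_i is a coin flip early on and exact in the last round; Alice learns the value Bob receives in each round (she is the sender in the slide); Bob's trust decision is a round threshold, with threshold 1 modelling "always trust" and threshold r modelling "output ⊥ on any early abort".

```python
import random
from typing import Callable, Optional, Tuple


def noise_prob(i: int, r: int) -> float:
    """Constructed schedule (not from the slides): Pr[c_i = 1] = (r - i) / (2r)."""
    return (r - i) / (2 * r)


def run_gradual_convergence(b: int, r: int, rng: random.Random,
                            alice_abort: Callable[[int, int], bool],
                            bob_trust_from: int) -> Tuple[int, int, Optional[int]]:
    """One execution. In round i Bob receives result_i = b XOR c_i with c_i ~ Bern(noise_prob(i, r)),
    and Alice sees the same value. alice_abort(i, result_i) -> True makes Alice stop after round i.
    Bob outputs his latest result if the run reached round >= bob_trust_from, else None (⊥).
    Returns (last value Alice saw, last round reached, Bob's output)."""
    last, last_round = None, 0
    for i in range(1, r + 1):
        c_i = 1 if rng.random() < noise_prob(i, r) else 0
        last, last_round = b ^ c_i, i
        if alice_abort(i, last):
            break
    bob_out = last if last_round >= bob_trust_from else None
    return last, last_round, bob_out


def bias_trusting_bob(r: int, trials: int, seed: int = 0) -> float:
    """b = 0 and Bob trusts any output. Alice aborts right after Bob receives a 1
    ("Hope I'm lucky!"). Returns Pr[Bob outputs 1]; an honest run gives 0."""
    rng = random.Random(seed)
    ones = 0
    for _ in range(trials):
        _, _, out = run_gradual_convergence(0, r, rng, lambda i, v: v == 1, 1)
        ones += out == 1
    return ones / trials


def lone_output(r: int, trials: int, bob_trust_from: int, seed: int = 0) -> Tuple[float, float]:
    """Bob outputs ⊥ unless the run reached bob_trust_from; Alice aborts one round earlier.
    Returns (Alice's accuracy on her last value, fraction of runs where Bob got ⊥)."""
    rng = random.Random(seed)
    correct = bots = 0
    for _ in range(trials):
        b = rng.randint(0, 1)
        v, _, out = run_gradual_convergence(b, r, rng, lambda i, v: i == bob_trust_from - 1, bob_trust_from)
        correct += v == b
        bots += out is None
    return correct / trials, bots / trials


if __name__ == "__main__":
    print("Pr[Bob outputs 1 | b = 0], trusting Bob:", bias_trusting_bob(20, 1000))
    print("(Alice accuracy, Bob got ⊥) with trust-only-last-round Bob:", lone_output(20, 1000, 20))
```

With twenty rounds the "trust everything" Bob is pushed to output 1 almost every time, since the attack only fails when every c_i is 0. The [BG89] policy stops that, but an Alice who quits one round before Bob's threshold keeps a value that is right about 97% of the time while Bob gets ⊥: she gets useful output alone.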