On the Power of an Honest Majority in Three-Party Computation Without Broadcast

Abstract

Fully secure multiparty computation (MPC) allows a set of parties to compute some function of their inputs, while guaranteeing correctness, privacy, fairness, and output delivery. Understanding the necessary and sufficient assumptions that allow for fully secure MPC is an important goal. Cleve (STOC’86) showed that full security cannot be obtained in general without an honest majority. Conversely, by Rabin and Ben-Or (STOC’89), assuming a broadcast channel and an honest majority enables a fully secure computation of any function. Our goal is to characterize the set of functionalities that can be computed with full security, assuming an honest majority, but no broadcast. This question was fully answered by Cohen et al. (TCC’16)—for the restricted class of symmetric functionalities (where all parties receive the same output). Instructively, their results crucially rely on agreement and do not carry over to general asymmetric functionalities. In this work, we focus on the case of three-party asymmetric functionalities, providing a variety of necessary and sufficient conditions to enable fully secure computation. An interesting use-case of our results is server-aided computation, where an untrusted server helps two parties to carry out their computation. We show that without a broadcast assumption, the resource of an external non-colluding server provides no additional power. Namely, a functionality can be computed with the help of the server if and only if it can be computed without it. For fair coin tossing, we further show that the optimal bias for three-party (server-aided) r-round protocol remains \(\Theta \left( 1/r\right) \) (as in the two-party setting).

Generalized Properties of Split-Brain Simulatable Functionalities

In this section, we provide generalizations of the properties of \(\textsf{C}\)-split-brain functionalities from Sect. 3.1.1.

Proposition A.1

(Generalization of Proposition 3.7) Let \(f=(f_1,f_2,f_3)\) where \(f_1,f_2,f_3:\left( {\{0,1\}^*}\right) ^3\mapsto \left( {\{0,1\}^*}\right) ^3\), be a computationally CSB simulatable three-party functionality such that \(f_1=f_2\). Assume there exist inputs \(x,y,z_1,z_2\in {\{0,1\}^*}\), and two distribution ensembles \(\mathcal {W}_1=\left\{ W_{1,\kappa }\right\} _{\kappa \in {\mathbb {N}}}\), \(\mathcal {W}_2=\left\{ W_{2,\kappa }\right\} _{\kappa \in {\mathbb {N}}}\) over \({\{0,1\}^*}\), such that \(f_1(x,\cdot ,z_1)\equiv W_{1,\kappa }\) and \(f_1(\cdot ,y,z_2)\equiv W_{2,\kappa }\), for all sufficiently large \(\kappa \in {\mathbb {N}}\). Then .

Proof

Let \(\mathcal {P}\), \(\mathcal {Q}\), and \(\mathcal {R}\), be the three ensembles guaranteed from the CSB simulatability of f. Then

where \(x^*\leftarrow P_{\kappa ,y,z_2}\) and \(y^*\leftarrow Q_{\kappa ,x,z_1}\). The claim follows from the assumption \(f_1(x,\cdot ,z_1)\equiv W_{1,\kappa }\) and \(f_1(\cdot ,y,z_2)\equiv W_{2,\kappa }\) for large enough \(\kappa \in {\mathbb {N}}\). \(\square \)

Proposition A.2

(Generalization of Proposition 3.8) Let \(f:\left( {\{0,1\}^*}\right) ^3\mapsto \left( {\{0,1\}^*}\right) ^3\) be a computationally \(\left( \mathcal {P},\mathcal {Q},\mathcal {R}\right) \)-CSB simulatable 2-output 3-party functionality. Assume there exist inputs \(x,z\in {\{0,1\}^*}\) and a distribution ensemble \(\mathcal {W}=\left\{ W_{\kappa }\right\} _{\kappa \in {\mathbb {N}}}\) over \({\{0,1\}^*}\) such that \(f(x,\cdot ,z)\equiv W_{\kappa }\) for all \(\kappa \in {\mathbb {N}}\). Then there exists a sequence of inputs \(\left\{ x^*_{\kappa }\right\} _{\kappa \in {\mathbb {N}}}\) such that \(f(x^*_{\kappa },\cdot ,\cdot )\equiv W_{\kappa }\) for all \(\kappa \in {\mathbb {N}}\). Similarly, assuming there exist inputs \(y,z\in {\{0,1\}^*}\) such that \(f(\cdot ,y,z)\equiv W_{\kappa }\) for all \(\kappa \in {\mathbb {N}}\), then there exists a sequence of inputs \(\left\{ y^*_{\kappa }\right\} _{\kappa \in {\mathbb {N}}}\) such that \(f(\cdot ,y^*_{\kappa },\cdot )\equiv W_{\kappa }\) for all \(\kappa \in {\mathbb {N}}\). Moreover, if f and W are independent of \(\kappa \) then the sequences are constant.

Proof

We prove the first part of the claim. The second part is done using an analogous argument. Fix inputs \(x,z_1\in {\{0,1\}^*}\) such that \(f(x,y,z_1)=W_{\kappa }\) for all \(\kappa \in {\mathbb {N}}\) and \(y\in {\{0,1\}^*}\). Since f is perfectly CSB simulatable, it follows that for every \(\kappa \in {\mathbb {N}}\) and \(y,z_2\in {\{0,1\}^*}\)

$$\begin{aligned} f(x^*,y,z_2)\equiv f(x,y^*,z_1)\equiv W_{\kappa }, \end{aligned}$$

where \(x^*\leftarrow P_{\kappa ,x,z_1}\) and \(y^*\leftarrow Q_{\kappa ,y,z_2}\). Since \(x^*\) is sampled independently of y and \(z_2\), it follows that \(f(x^*,y,z_2)\equiv W_{\kappa }\), for any \(x^*\in {\text {Supp}}\left( P_{\kappa ,x,z_1}\right) \) and any \(y,z_2\in {\{0,1\}^*}\) concluding the proof. To see the “moreover” part, observe that if f is independent of \(\kappa \), it follows that we can pick \(\mathcal {P}\) to be independent of \(\kappa \) and hence we can choose the same \(x^*\). \(\square \)

1.1 Split-Brain Simulatability as a System of Linear Equations

We next present a different way to view \(\textsf{C}\)-split-brain simulatability. Specifically, we write the condition for CSB simulatability in terms of a system of linear equations. We start with some notations.

Notations. For a vector \(\textbf{v}\), we use either \(v_i\) or v(i) for its \(i\)^th coordinate. A vector \(\textbf{p}\in {\mathbb R}^{n}\) is called a probability vector, if all of its entries are non-negative and \(\sum _{i=1}^n p_i=1\). For a distribution P over a domain \(\mathcal {D}\in {\mathbb {N}}\) of size n, we write \(\textbf{p}\) for the probability vector associated with P, that is \(p_i=\Pr _{S\leftarrow P}[S=i]\) for all \(i\in \mathcal {D}\). The distribution ensemble \(\mathcal {P}\), \(\mathcal {Q}\), and \(\mathcal {R}\) will be replaced with a collection of probability vectors \(\{\textbf{p}_{x,z_1}\in {\mathbb R}^{|\mathcal {X}|}\}_{x\in \mathcal {X},z_1\in \mathcal {Z}}\), \(\{\textbf{q}_{y,z_2}\in {\mathbb R}^{|\mathcal {Y}|}\}_{y\in \mathcal {Y},z_2\in \mathcal {Z}}\), and \(\{\textbf{r}_{z_1,z_2}\in {\mathbb R}^{|\mathcal {Z}|}\}_{z_1,z_2\in \mathcal {Z}}\), respectively, representing those distributions. We next describe a way to view the functionality f and CSB simulatability in linear algebraic terms. For simplicity, we assume that f has a finite domain and range, and is perfectly CSB simulatable, where the ensembles are independent of \(\kappa \).

Symmetric Boolean functionalities. Let us start with Boolean functionalities \(f=(f_1,f_2,f_3)\), where \( f_1,f_2,f_3:\mathcal {X}\times \mathcal {Y}\times \mathcal {Z}\mapsto \{0,1\}\) and \(f_1\equiv f_2\). We denote it as a single function f. We associate with f a collection of \(|\mathcal {Z}|\) matrices \(\{M_z\in {\mathbb R}^{|\mathcal {X}|\times |\mathcal {Y}|}\}_{z\in \mathcal {Z}}\) defined as \(M_z(x,y)=\Pr \left[ f(x,y,z)=1\right] \). That is, we can think of the functionality as if \(\textsf{C}\) chooses a matrix, \(\textsf{A}\) chooses a row, and \(\textsf{B}\) chooses a column, and the entries represent the probability that the output is 1. Perfectly CSB simulatability asserts that for all \(x\in \mathcal {X}\), \(y\in \mathcal {Y}\), and \(z_1,z_2\in \mathcal {Z}\), it holds that

$$\begin{aligned} \Pr _{x^*\leftarrow P_{x,z_1}}[f(x^*,y,z_2)=1]&=\Pr _{y^*\leftarrow Q_{y,z_2}}[f(x,y^*,z_1)=1] =\Pr _{z^*\leftarrow R_{z_1,z_2}}[f(x,y,z^*)=1]. \end{aligned}$$

(6)

Observe that the left term can be written as \(\textbf{p}^T_{x,z_1}\cdot M_{z_2}\left( \cdot ,y\right) \), the middle term as \(M_{z_1}\left( x,\cdot \right) \cdot \textbf{q}_{y,z_2}\), and the right term as \(\sum _{z^*\in \mathcal {Z}}r_{z_1,z_2}(z^*)\cdot M_{z^*}\left( x,y\right) \). Next, define the square \(|\mathcal {X}|\times |\mathcal {X}|\) matrix and the square \(|\mathcal {Y}|\times |\mathcal {Y}|\) matrix . Additionally, we define the \(|\mathcal {X}|\times |\mathcal {Y}|\) matrix . Then, Eq. 6 can be written as

$$\begin{aligned} P_{z_1} M_{z_2} = M_{z_1} Q_{z_2} =\widetilde{M}_{z_1,z_2}, \end{aligned}$$

for all \(z_1,z_2\in \mathcal {Z}\).

Asymmetric non-Boolean functionalities. We next generalize the above discussion to a broader class of functionalities, namely, asymmetric non-Boolean functionalities. This time, we associate two collection of matrices, one will represent the output of \(\textsf{A}\) and the other the output of \(\textsf{B}\) (recall that we ignore the output of \(\textsf{C}\)). Furthermore, the matrices will be indexed with a possible output w, to represent the probability that w is the output. Formally, we associate the \(2\cdot |\mathcal {Z}|\cdot |\mathcal {W}|\) matrices \(\{M^{\textsf{P}}_{z,w}\in {\mathbb R}^{|\mathcal {X}|\times |\mathcal {Y}|}\}_{z\in \mathcal {Z},w\in \mathcal {W},\textsf{P} \in \{\textsf{A},\textsf{B}\}}\), where each is defined as

$$\begin{aligned} M^{\textsf{A}}_{z,w}(x,y)=\Pr \left[ f_1(x,y,z)=w\right] \quad \text { and } \quad M^{\textsf{B}}_{z,w}(x,y)=\Pr \left[ f_2(x,y,z)=w\right] . \end{aligned}$$

Perfectly CSB simulatability asserts that for all \(x\in \mathcal {X}\), \(y\in \mathcal {Y}\), \(z_1,z_2\in \mathcal {Z}\), and \(w_1,w_2\in \mathcal {W}\), it holds that

(7)

and that

(8)

Observe that the left-hand side of Eq. (7) is equal to

$$\begin{aligned} M^{\textsf{A}}_{z_1,w_1}(x,\cdot )\cdot \textbf{q}_{y,z_2}, \end{aligned}$$

and left-hand side of Eq. (8) is equal to

$$\begin{aligned} \textbf{p}^T_{x,z_1}\cdot M^{\textsf{B}}_{z_2,w_2}\left( \cdot ,y\right) . \end{aligned}$$

As for the right-hand side, notice that in Eq. (7) it equals to

$$\begin{aligned} \sum _{z^*\in \mathcal {Z}}r_{z_1,z_2}\left( z^*\right) \cdot M^{\textsf{A}}_{z^*,w_1}\left( x,y\right) , \end{aligned}$$

and in Eq. (8) it equals to

$$\begin{aligned} \sum _{z^*\in \mathcal {Z}}r_{z_1,z_2}\left( z^*\right) \cdot M^{\textsf{B}}_{z^*,w_2}\left( x,y\right) . \end{aligned}$$

We define the matrices \(P_{z_1}\) and \(Q_{z_2}\) as before, and for every \(\textsf{P} \in \{\textsf{A},\textsf{B}\}\) define the \(|\mathcal {X}|\times |\mathcal {Y}|\) matrix \(\widetilde{M}^{\textsf{P}}_{z_1,z_2,w}\left( x,y\right) :=\sum _{z^*\in \mathcal {Z}}r_{z_1,z_2}\left( z^*\right) \cdot M^{\textsf{P}}_{z^*,w_1}\left( x,y\right) \). Then Eq. (7) can be written as

$$\begin{aligned} M^{\textsf{A}}_{z_1,w_1}Q_{z_2}=\widetilde{M}^{\textsf{A}}_{z_1,z_2,w_1}, \end{aligned}$$

and Eq. (8) can be written as

$$\begin{aligned} P_{z_1}M^{\textsf{B}}_{z_2,w_2}=\widetilde{M}^{\textsf{B}}_{z_1,z_2,w_2}, \end{aligned}$$

for all \(z_1,z_2\in \mathcal {Z}\) and \(w_1,w_2\in \mathcal {W}\).