Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Secure multi-party computation (MPC) is perhaps the most generic cryptographic task. A collection of n parties, each with its own input \(x_i\), wish to jointly compute function of all of their inputs \((y_1, \ldots , y_n) = f(x_1, \ldots , x_n)\) so that each party learns its \(y_i\) and nothing else, and even a coalition of adversarial players should not learn more than the collection of outputs of its members. Throughout this work, we will be concerned with the most basic variant of this problem, denoted as private computation, where even adversarial parties are assumed to follow the protocol but try to learn as much as they can from their view (a.k.a semi-honest adversaries). Unless stated otherwise, we further assume that the adversary is computationally unbounded, and correspondingly, require information-theoretic (perfect) privacy.

The seminal works of Ben-Or, Goldwasser and Wigderson [7] and Chaum, Crépeau and Damgård [11] established that in this setting security for non-trivial functions can only be achieved if the adversarial coalition includes strictly less than half of the total number of parties (a.k.a honest majority). They showed that in the presence of honest majority, any function f can be privately computed, thus existentially resolving the problem.

However, as with all computational tasks, one wishes to minimize the resources required to carry out an MPC protocols. A resource that received much attention is the round complexity: the number of rounds of communication required to carry out the protocol. We consider the standard simultaneous communication model where at each round each party can send a message to any other party, but these messages can only depend on information received in previous rounds. The aforementioned [7, 11] solutions depend on the (multiplicative) depth of (the arithmetic representation of) the function f. For depth d, they require d rounds of communication (and the communication and computational complexity are polynomial in the number of parties n and the circuit size of f). In terms of lower bound, it is not hard to show that most functions cannot be privately computed with less than two rounds, but no better lower bound is known.

Constant-round information-theoretic protocols were first constructed by Bar-Ilan and Beaver [5] and were later extended in several works (cf. [13]). Ishai and Kushilevitz [21, 22] approached the 2-round lower bound: They presented a 3-round protocol, and in fact showed that a 2-round protocol is possible if instead of honest majority one requires that more than two-thirds of the parties are honest. Ishai and Kushilevitz note that their methods fall short of achieving the ultimate result and leave it as an open problem to resolve whether it is possible to achieve 2-round honest-majority protocol for all functions [21, Sect. 6]:

“An open question of a somewhat different flavor is that of finding the exact number of rounds required for privately evaluating an arbitrary (i.e., a worst-case) function f with an optimal privacy threshold. Using randomizing polynomials, an upper bound of 3 was obtained. If this bound is tight (i.e., 2 rounds are not enough) then, in a very crude sense, the randomizing polynomials approach is non-restrictive.”

In this work, we resolve the aforementioned open question. We show that indeed any functionality can be privately computed in a 2-round protocol that only requires honest majority. The communication and computational complexity are asymptotically comparable to previous solutions.

Theorem 1

(2-round unconditional MPC). At the presence of honest majority, privately computing any functionality with perfect correctness and perfect privacy reduces non-interactively to the task of privately computing a degree-2 functionality. Consequently, in this setting, any function f can be privately computed in two rounds with polynomial efficiency in the number of parties and in the size of the formula (or even branching program) that computes f.Footnote 1

Furthermore, under the assumption that one-way functions exist, it is possible to improve the computational and communication complexity to polynomial in the size of the circuit computing f (rather than its formula size or exponential in the circuit depth), at the cost of only achieving computational security. Note that the honest majority condition cannot be lifted in this setting (unless one-way functions imply oblivious transfer).

Theorem 2

(2-round MPC in minicrypt). Assume the existence of one-way functions. Then, privately computing any polynomial-time functionality with computational privacy and honest majority reduces non-interactively to the task of privately computing a polynomial-time computable degree-2 functionality. Consequently, in this setting, any function f can be privately computed in two rounds with polynomial efficiency in the number of parties and the circuit size of f. The protocol makes only a black-box use of the one-way function.

Prior to this work, Beaver, Micali and Rogaway [6, 24] (henceforth BMR) constructed the first constant-round computationally private MPC assuming honest majority and one-way functions. A careful analysis of their construction leads to 3 rounds.Footnote 2

See Sect. 1.3 below for comparison with recent related results such as [1, 14].

The Client-Server Setting. Our results extend to the so-called client-server setting [12], which considers a communication graph of the following form: A set of clients that have inputs send messages (in a single round) to a set of servers, the servers perform local computation and send messages (in a single round) back to the clients, who can then recover their outputs. Our methods show how to achieve security in the semi-honest setting so long as there is an honest majority among clients and an honest majority among servers. We note that ideally we would like to only require honest majority among servers, our methods provide a path towards this goal but falls short of achieving it. (This point will be further discussed towards the end of Sect. 1.1.)

1.1 Our Techniques

Ishai and Kushilevitz introduced the notion of randomizing polynomials, which was since generalized to the notion of randomized encoding (RE) [3]. A function f is encoded by a function g if the output of g allows to reconstruct the output of f and nothing else. The [21] result essentially shows that any function f can be encoded by a function g of multiplicative degree 3 (over the binary field). Thus, instead of applying the [7, 11] protocol to compute the function f directly, it is possible to apply it to compute g (the encoding of f). Since degree 3 functions can be computed in 3 rounds with honest majority, or in 2 rounds if more than two-thirds of the parties are honest, the encoding of [21, 22] implies MPC protocols with these properties for all functions. We note that the computational complexity and output length of the encoding g may be significantly larger than those of f and indeed scale (roughly) polynomially with its formula size. An additional minor caveat is that the encoding g is a randomized function, even if f was deterministic. This is resolved using the standard technique of secret sharing the random tape between all users, i.e. each user holds private randomness and the function g is computed with a random tape that is the XOR of all private tapes. This transformation does not effect the multiplicative degree and therefore does not change the round complexity of the resulting protocol (though it incurs a \(\mathrm{poly}(n)\) factor in computational and communication complexity).

It is evident from the above outline that if one could find a RE with multiplicative degree 2, the round complexity of MPC will be resolved. However, it was shown in [21] that such randomized encodings do not exist, at least if perfect correctness and security are sought (we recall that our solution achieves perfect correctness and security). The quotation above therefore suggests that the resolution of the round complexity of MPC will also resolve the question of optimality of the RE approach to the problem.

In this work, we show that indeed RE is too restrictive to resolve the round complexity problem. We present a natural generalization that we call multi-party randomized encoding (MPRE). This object allows to analyze randomized encodings in the specific context of MPC, and naturally translate it to protocols similarly to RE. While RE encodes a computation and ignores the partitioning of inputs between the parties, an MPRE takes into account the way that inputs and outputs are distributed among parties. Correspondingly, this notion of encoding allows to encode a multiparty functionality by another multiparty functionality (in contrast to the RE notion which allows to encode a function by another function). In this sense MPRE is much closer in spirit to MPC protocols, and one can easily go from protocols to MPREs and back. Being a multiparty functionality, in MPRE inputs are split between different parties who may also employ private local randomness (which does not make sense in the context of standard RE). The round complexity of the protocol induced by the MPRE depends on the effective degree, which allows preprocessing of local randomness. Theorem 1 follows by showing that any functionality has MPRE with effective degree 2 which is private against adversarial minority.

Multi-party Randomized Encoding (MPRE). The definition of MPRE is inspired by that of RE, but with the emphasis that inputs and outputs can belong to different players. If we consider a multi-party functionality \(f(x_1, \ldots , x_n) = (y_1, \ldots , y_n)\), then an MPRE of f would be a randomized functionality

$$\begin{aligned} g((x_1, r_1), \ldots , (x_n, r_n); s) = (z_1, \ldots , z_n), \end{aligned}$$

where s is a global random string (which, we bear in mind, will be shared among users when a protocol is to be derived) and \(r_i\) is the local random string of player i. Decoding requires that for each i, \(y_i\) can be recovered from \(z_i\). The privacy requirement is that for any “legitimate” adversarial coalition \(A \subseteq [n]\), the r and z values of all players in A can be simulated given their x and y values. In the context of honest majority we can consider protecting against all A of cardinality strictly less than n / 2, but the MPRE notion is more general and allows some function classes to be encoded while allowing any adversarial \(A \subseteq [n]\) (indeed we show such an encoding for a useful class). It is possible to show the expected composition theorem, arguing that if g is MPRE of f which is private against some class of adversarial coalitions \(\mathcal{A}_1 \subseteq 2^{[n]}\), and there is a protocol that privately computes g against some class of adversarial coalitions \(\mathcal{A}_2\subseteq 2^{[n]}\), then the same protocol (augmented with local decoding) can be used to compute f, and is private against \(\mathcal{A}_1 \cap \mathcal{A}_2\). It thus follows that if g is MPRE of f which is private against all adversarial minorities, and if g has effective degree 2 (allowing preprocessing of local randomness), then f has a 2-round protocol which is private against any adversarial minority.Footnote 3 Showing that all functions have such encoding will be our goal towards proving Theorem 1. For formal definitions of MPRE, composition and relation to other notions see Sect. 3.

How to Encode any Function. As explained above, our goal is to show that any functionality \(f(x_1, \ldots , x_n) = (y_1, \ldots , y_n)\) has an encoding that is both secure against all adversarial minorities and has effective degree 2. We do this in a sequence of steps. The first step is noticing that we can get a “friendly” MPRE from any protocol for computing f, even one with many rounds. We stress that this will not be our final MPRE. The definition of this MPRE g is straightforward: the output of party i is simply its view in the protocol, augmented with all the intermediate values computed locally by i. Note that this new functionality now requires local randomness of the parties. The fact that these views were generated by a protocol will be of particular use to us since the outputs of g can be viewed as wires of a boolean circuit, where each wire belongs to a different party in the computation. The view of each party in the protocol (i.e. its output in the functionality g) consists of values that it received from other parties, and values that it computed locally. We can thus envision a circuit whose gates are “owned” by players, and there are additional syntactic “transmission gates” that represent a message passing from one player to the other. Transmission gates do not have any functionality but rather represent change of ownership, still they will be useful for our next step. We call such an MPRE “protocol compatible” and describe their properties formally in Sect. 4. Specifically, we will consider the MPRE induced (essentially) by the 3-round protocol that is based on [7, 22].

By employing a composition theorem for MPRE, it suffices to encode the functionality g by an MPRE h of effective degree 2. Indeed, we show that any protocol-compatible functionality g (i.e. one whose outputs can be represented as local views of parties in a multi-party protocol, or equivalently as wires of a circuit of the structure described above), can be encoded with effective degree-2 and privacy against any adversarial coalition. The MPRE takes great resemblance to the well known RE scheme that is based on information-theoretic garbled circuit [22]. (Specifically, it is based on the point-and-permute variant of Yao’s garbled circuit [6, 24, 26].) This randomized encoding scheme takes a circuit, and for each wire it samples two wire keys and a permutation bit, and its output is a list of “garbled tables” together with the permutation bits of the output wires. Expressing this in algebraic form leads to degree 3 randomized encoding. More generally, the degree of each garbled gate G is \(\deg (G)+1\).

In our MPRE, the wire keys will be sampled using the global randomness (which down the line is shared between all parties). Crucially, the permutation bits will be generated using the local randomness of the party that “owns” this wire, as per the protocol compatible functionality. One can verify that this description results in an encoding with effective degree 2. Indeed, the encoding consists of two type of gates: local-computation gates and transmission gates. In local-computation gates G, the input and output wires of the gate are owned by the same party, thus this party can preprocess the permutation bits and reduce the degree to 2. In the case of transmission gates, the fan-in is 1, and so the degree is only 2. The same proof as in [4, 6, 22, 24] can be used to show MPRE privacy. The construction is described in detail in Sect. 5.

Putting the two components together results in an MPRE h for every f which is secure against all adversarial minorities and has effective degree 2, giving rise to our final 2-round protocol. The computational and communication complexity are analyzed in the respective sections. Section 6 contains the proof of Theorem 1, putting together all relevant components.

The Computational Setting. To prove Theorem 2, we start with the standard observation that for shallow circuits the computational and communication complexity of the information theoretic protocol are polynomial. We again use standard properties of the [6] protocol, to obtain an MPRE that can be written as an evaluation of a shallow circuit over values that are computed locally by the players with a black-box access to a pseudorandom generator. This allows us to apply Theorem 1 towards proving Theorem  2. See Sect. 6 for details.

The Client-Server Setting and an Open Problem. MPREs are applicable to the client-server setting in an immediate manner. Let g be an MPRE of f which is secure against some class of adversarial coalitions \(\mathcal{A}\). Assume that g can be computed in the client-server setting with security against a class \(\mathcal{A}\) of client coalitions and a class \(\mathcal{B}\) of server coalitions. Then f is computable in the client-server setting with security against \(\mathcal{A}\) client coalitions and \(\mathcal{B}\) server coalitions.

In our setting, we show that all functions f have g with effective degree 2 and security against dishonest minority. One can verify that the protocols of [7, 11], when applied to degree 2 functions, imply client-server protocols with security against arbitrary client collusion and dishonest server minority. The conclusion is that security is achieved if there is honest majority of both clients and servers.

This application constitutes an additional motivation to investigate whether every function f has an MPRE g with effective degree 2 and security against arbitrary collusion. We are not aware of any impossibility result for such encoding (in particular, honest majority will still be needed for our MPC application in order to compute g). Its existence, however, will allow to remove the requirement for honest majority of clients in the client-server setting and is expected to have other interesting consequences.

1.2 Broader Perspective: Degree vs. Round Complexity

Since the pioneering constructions of perfect MPC [7, 11], there appears to be a tight relation between the round complexity of privately computing a functionality f at the presence of honest majority to its algebraic degree. This relation was refined by [21], who showed that instead of considering the degree of f, one should focus on the degree of a RE \(\hat{f}\) of f. Our work further replaces the notion of RE-degree with the effective degree of an MPRE \(\hat{f}\) of f. As a result, we finally prove the conjectured equivalence between round complexity and (the “right” notion of) degree.

It is instructive to take a closer look at the notion of effective degree and see how it relates to existing notions. Recall that effective degree essentially allows the parties to apply arbitrary local-preprocessing of their private randomness (and inputs) “for free”, without charging it towards the degree. This relaxation is crucial for our results. Indeed, it can be shown that degree-d MPRE directly imply degree-d RE (see full version). Also observe that the notion of effective degree inherently requires to treat the encoding \(\hat{f}\) as a multiparty functionality, and therefore effective degree becomes meaningless in the case of RE. In this sense, MPRE is a convenient intermediate point between a protocol to RE; It takes into account the views of different players (which is crucial for defining effective degree) while being a non-interactive (and therefore easy to manipulate) object.

Let us further note that the methodology of degree-reduction via local preprocessing is not new. In particular, it is crucially employed in classical constant-round MPC protocols including Yao’s two-party protocol [26] and its multiparty variant [6, 24]. Using our terminology, these protocols implicitly yield computational MPRE of constant effective degree. In particular, assuming one-way functions, Yao’s protocol yields a computational MPRE of effective degree 2 for any efficiently computable 2-party functionality, and the BMR protocol yields a computational MPRE of effective degree 3 for any efficiently computable n-party functionality. Indeed, an important part of our conceptual contribution is to provide a formal, easy-to-handle, framework that captures this use of degree-reduction via preprocessing.

1.3 Other Related Works

Benhamouda and Lin [8] and Garg and Srinivasan [16] have recently constructed 2-round computationally-private protocols for arbitrary (efficiently computable) functions. This result is incomparable to Theorem 2: It does not require honest majority (i.e., privacy holds against arbitrary coalitions), but relies on a stronger computational assumption (the existence of (two-round) Oblivious Transfer which is minimal in this setting). We further note that our high level approach shares some similarities with these works. Indeed, our notion of MPRE abstracts and generalizes the notion of garbled protocols, introduced by Garg and Srinivasan [15], which plays a key role in both [8] and [16].

Independently of our work, two recent papers study the notion of minimal round complexity for MPC in the honest majority setting. Ananth et al. [1] focus on secure computation in the presence of certain types of active (malicious) adversaries, and present protocols under the assumption of honest majority in addition to some computational and/or setup assumptions. Most relevant to our work is a consequence of one of their result showing that based on one-way functions there is a 2-round protocol against semi-honest adversarial minority (in fact, they achieve a stronger notion called “security with abort”). Contrary to our work, the [1] protocol is not applicable in the information theoretic setting, and therefore does not have bearing on the question of MPC with perfect security. Furthermore, our approach shows a reduction from the computation of general functionalities to the computation of degree-2 functionalities, which is not achieved by [1] (even implicitly, as far as we can tell).

Garg, Ishai and Srinivasan [14] study the construction of information theoretic security for semi-honest MPC in various settings. Most relevant to this work is their construction of a 2-round protocol with perfect security for formulas. However, in their protocol, unlike ours, communication complexity grows super-polynomially with the number of players. One can again attribute this to falling short of reducing the general MPC task to the task of computing degree-2 functionalities.

1.4 Paper Organization

We begin with some general background on multiparty functionalities and secure multiparty computation in Sect. 2. In Sect. 3, we introduce the notion of multipatry randomized encoding, and discuss its properties. In Sect. 4 we show how to use MPC protocols (in particular [7]) to obtain “protocol-compatible” MPRE, and in Sect. 5 show how to transform such an encoding into a degree-2 MPRE based on information-theoretic garbled circuits. Section 6 uses these tools to prove our main theorems. Some of the proofs are omitted from this version and can be found in the full version (available on eprint).

2 Preliminaries

This section defines multiparty functionalities and provides some basic background on secure computation. It will convenient to use a somewhat non-standard notation for functionalities, and so even an expert reader may want to read this part carefully. (In contrast, the MPC subsection can be safely skipped.)

2.1 Multi-party Functionalities

An n-party functionality is a function that maps the inputs of n parties to a vector of outputs that are distributed among the parties. Without loss of generality, we assume that the inputs of each party are taken from some fixed input domain X (e.g., bit strings of fixed length). It will be convenient to represent a functionality by a pair \(f:X^n\rightarrow \{0,1\}^m\) and \(P:[m]\rightarrow 2^{[n]}\). The function f maps the joint inputs of all parties \(x=(x_1,\ldots , x_n)\) to an output vector \(y=(y_1,\ldots ,y_m)\), and the mapping \(P:[m]\rightarrow 2^{[n]}\) determines the distribution of outputs between the parties, i.e., the i-th output \(y_i\) should be delivered to the parties in the set P(i). By default (and without loss of generality), we assume that P(i) is always a singleton and therefore think of P as a mapping from [m] to [n]. Sometimes the output partition function P will be implicit, and refer to f as a functionality. We further use the convention that, for a string \(y=f(x)\) and a subset of parties \(T\subseteq [n]\), the restriction of y to the coordinates held by the parties is denoted by \(y[T]=(y_j)_{j:P(j)\in T}\). When \(T=\{ i \}\) is a singleton, we simply write y[i].

We will also make use of randomized functionalities. In this case, we let f take an additional random input \(r_0\) and view \(r_0\) as an internal source of randomness that does not belong to any party. We typically write \(f(x_1,\ldots ,x_n;r_0)\) and use semicolon to separate the inputs of the parties from the internal randomness of the functionality.

Finally, a central notion in this work is that of effective degree of a functionality, which generalizes the standard notion of degree. A multi-output functionality f has degree D if each of its outputs can be written as an \(\mathbb {F}_2\)-polynomial of degree D over the deterministic and random inputs. Intuitively, the effective degree is the degree of the functionality if the parties are allowed arbitrary local preprocessing. A formal definition follows.

Definition 1

(Effective degree). A (possibly randomized) n-party functionality \(f:X^n \times R'\rightarrow \{0,1\}^m\) has effective degree d if there exists a tuple of local preprocessing functions \((h_1,\ldots ,h_n)\) and a degree-d function h such that

$$\begin{aligned} h(h_1(x_1),\ldots ,h_n(x_n);r')=f(x_1,\ldots ,x_n;r'), \end{aligned}$$
(1)

for every \(x_1,\ldots ,x_n\) and internal randomness \(r'\).

2.2 Standard Background on Secure Computation

Through the paper, we assume a fully-connected network with point-to-point private channels. We focus on semi-honest (aka passive) secure computation hereafter referred to as private computation. (See, e.g., [9, 10, 17], for more detailed and concrete definitions.)

Definition 2

(Private computation). Let \(f(x_1,\ldots ,x_n)\) be a (possibly randomized) n-party functionality. Let \(\pi \) be an n-party protocol. We say that the protocol \(\tau \)-privately computes f with perfect privacy if there exists an efficient randomized simulator \(\mathsf {Sim}\) for which the following holds. For any subset of corrupted parties \(T\subseteq [n]\) of size at most \(\tau \), and every tuple of inputs \(x=(x_1,\ldots ,x_n)\) the joint distribution of the simulated view of the corrupted parties together with output of the honest parties in an ideal implementation of f,

$$\begin{aligned} \mathsf {Sim}(T, x[T],y[T]), \quad y[\bar{T}], \qquad where\;y=f(x)\;{and}\;\bar{T}=[n]\setminus T, \end{aligned}$$

is identically distributed to

$$\begin{aligned} \mathsf {View}_{\pi ,T}(x), \quad \mathsf {Output}_{\pi ,\bar{T}}(x), \end{aligned}$$

where \(\mathsf {View}_{\pi ,T}(x)\) and \(\mathsf {Output}_{\pi ,\bar{T}}(x)\) are defined by executing \(\pi \) on x with fresh randomness and concatenating the joint view of the parties in T (i.e., their inputs, their random coin tosses, and all the incoming messages), with the output that the protocol delivers to the honest parties in \(\bar{T}\). The computational variant of the definition is obtained by settling for computational indistinguishability with respect to non-uniform polynomial-time adversaries.

Secure Reductions. To define secure reductions, consider the following hybrid model. An n-party protocol augmented with an oracle to the n-party functionality g is a standard protocol in which the parties are allowed to invoke g, i.e., a trusted party to which they can securely send inputs and receive the corresponding outputs. The notion of \(\tau \)-security generalizes to protocols augmented with an oracle in the natural way.

Definition 3

Let f and g be n-party functionalities. A \(\tau \) perfectly-private reduction from f to g is an n-party protocol that given an oracle access to the functionality g, \(\tau \)-privately realizes the functionality f with perfect security. We say that the reduction is non-interactive if it involves a single call to f (and possibly local computations on inputs and outputs), but no further communication. The notions of \(\tau \) computationally-private reduction is defined analogously.

Appropriate composition theorems, e.g. [17, Theorems 7.3.3, 7.4.3] and [9], guarantee that the call to g can be replaced by any protocol that \(\tau \)-privately realize g, without violating the security of the high-level protocol for f.

3 Multi-party Randomized Encodings

In this section we formally present the notion of multi-party randomized encodings (Sect. 3.2), relate it to MPC protocols (Sect. 3.3), and study its properties (Sect. 3.4). As discussed in the introduction, this new notion can be viewed as a relaxation of the more standard notion of randomized encoding of functions. (See Sect. 3.1).

3.1 Randomized Encoding of Functions

We begin with the standard notion of randomized encoding (RE) [3, 21]. In the following let XYZ, and R be finite sets.

Definition 4

(Randomized Encoding [3, 4]). Let \(f:X\rightarrow Y\) be a function. We say that a function \(\hat{f}: X\times R \rightarrow Z\) is a \(\delta \)-correct, \((t,\epsilon )\)-private randomized encoding of f if the following hold:

  • \(\delta \)-Correctness: There exist a deterministic decoder \(\mathsf {Dec}\) such that for any input \(x \in X\),

    $$\begin{aligned} \Pr _{r{\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}R}[\mathsf {Dec}(\hat{f}(x;r)) \ne f(x)]\le \delta . \end{aligned}$$

  • \((t,\epsilon )\)-Privacy: There exists a randomized simulator \(\mathsf {Sim}\) such that for any \(x \in X\) and any circuit \(\mathsf {Adv}\) of size t

    $$\begin{aligned} \left| {\Pr [\mathsf {Adv}(\mathsf {Sim}(f(x)))=1]-\Pr _{r{\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}R}[\mathsf {Adv}(\hat{f}(x;r))=1]} \right| \le \epsilon . \end{aligned}$$

We refer to the second input of \(\hat{f}\) as its random input, and a use semicolon (;) to separate deterministic inputs from random inputs.

An encoding \(\hat{f}\) is useful if it is simpler in some sense than the original function f. In the context of MPC the main notion of simplicity is the degree of the encoding, where the each output of \(\hat{f}\) is viewed as a polynomial over (xr). Other notions of simplicity have been used in other contexts. (See [2, 20] for surveys on REs.)

3.2 MPRE Definition

Inspired by the notion of randomized encoding of functions [3, 21], we define the notion of multiparty randomized encoding (MPRE). Syntactically, we encode a functionality \(f(x_1,\ldots ,x_n)\) by a randomized functionality

$$\begin{aligned} \hat{f}((x_1,r_1),\ldots ,(x_n,r_n);r_0) \end{aligned}$$

that employs internal randomness \(r_0\in R\) and augments the input of each party by an additional random input \(r_i\in R\), for some fixed domain R (by default bit-string of fixed length). Roughly speaking, the view of the encoding \(\hat{f}((x_1,r_1),\ldots ,(x_n,r_n);r_0)\) that is available to a subset T of parties (i.e., the parties inputs, randomness and outputs) should contain the same information that is revealed to the subset T by the functionality f(x) (i.e., the inputs and outputs).

The following heavily relies on our (somewhat non-standard) formalization of multi-party functionalities, see Sect. 2.1.

Definition 5

(Multi-Party Randomized Encoding (MPRE). Let \(f:X^n\rightarrow \{0,1\}^m\) be an n-party deterministic functionality with an output partition \(P:[m]\rightarrow [n]\). We say that an n-party randomized functionality \(\hat{f}: (X\times R)^n\times R\rightarrow \{0,1\}^{s}\) with output partition Q is a multi-party randomized encoding of f with privacy threshold of \(\tau \) if the following hold:

  • Perfect Correctness: There exists a deterministic decoder \(\mathsf {Dec}\) such that for every party \(i\in [n]\), and every tuple of input-randomness pairs

    $$\begin{aligned} ((x_1,r_1),\ldots , (x_n,r_n))\in (X\times R)^n \end{aligned}$$

    and every internal randomness \(r_0\in R\) it holds that

    $$\begin{aligned} \mathsf {Dec}\left( i,\hat{y}[i], x_i,r_i\right) = y[i], \end{aligned}$$

    where \(y=f(x_1,\ldots ,x_n)\), \(\hat{y}=\hat{f}((x_1,r_1),\ldots , (x_n,r_n);r_0)\), and, recall that \(\hat{y}[i]\) is the restriction of \(\hat{y}\) to the coordinates delivered to party i by \((\hat{f},Q)\), and y[i] is the restriction of y to the coordinates delivered to party i by (fP).Footnote 4

  • \((\tau ,t,\epsilon )\)-Privacy: There exists a randomized simulator \(\mathsf {Sim}\) such that for every set \(T \subseteq [n]\) of parties of size at most \(\tau \) and every set of inputs \(x=(x_1,\ldots ,x_n)\) it holds that the random variable

    $$\begin{aligned} \mathsf {Sim}(T,x[T],y[T]), \qquad \text {where } y=f(x_1,\ldots ,x_n) \end{aligned}$$

    and the random variable

    $$\begin{aligned} (x[T],r[T],\hat{y}[T]), \end{aligned}$$

    where

    $$\begin{aligned} \hat{y}=\hat{f}((x_1,r_1),\ldots ,(x_n,r_n);r_0), \text { and } (r_0,r_1,\ldots ,r_n){\mathop {\leftarrow }\limits ^{\scriptscriptstyle {\$}}}R^{n+1}, \end{aligned}$$

    cannot be distinguished by a t-size circuit with advantage better than \(\epsilon \).

We say that privacy is perfect if \((\tau ,t,\epsilon )\)-privacy holds for any t and \(\epsilon =0\). We always represent an MPRE \(\hat{f}\) by a Boolean circuit that computes \(\hat{f}\), and define the size and depth of \(\hat{f}\) to be the size and depth of the corresponding circuit. We refer to the randomness \(r_0\) as the internal randomness of the encoding. When such randomness is not used, we refer to \(\hat{f}\) as an MPRE with no internal randomness.

Observe that any functionality trivially encodes itself. Indeed, MPRE \(\hat{f}\) becomes useful only if it is simpler in some sense than f. Jumping ahead, our main notion of simplicity will be effective degree.

Remark 1

(Perfect and Computational encodings of infinite functionalities). Definition 5 naturally extends to an infinite sequence of functionalities \(f=\{ f_{\lambda } \}_{\lambda \in \mathbb {N}}\) where \(f_\lambda \) is an \(n(\lambda )\)-party functionality whose domain, range, and complexity may grow polynomially with \(\lambda \). We say that a sequence of \(n(\lambda )\)-party functionalities \(\hat{f}=\{ \hat{f}_{\lambda } \}_{\lambda \in \mathbb {N}}\) is a perfectly correct \((\tau (\lambda ),t(\lambda ),\epsilon (\lambda ))\)-private MPRE of f if there exists an efficient algorithm (compiler) which gets as an input \(1^{\lambda }\) and outputs (in time polynomial in \(\lambda \)) three circuits \((\hat{f}_{\lambda },\mathsf {Dec}_{\lambda },\mathsf {Sim}_{\lambda })\) which form a perfectly correct \((\tau (\lambda ),t(\lambda ),\epsilon (\lambda ))\)-private MPRE of \(f_{\lambda }\). We refer to an MPRE as perfect if the above holds for any function \(t(\cdot )\) and for \(\epsilon =0\), and refer to it as being computational if the above holds for \(t(\lambda )=\lambda ^{\omega (1)}\) and \(\epsilon (\lambda )=1/\lambda ^{\omega (1)}\). Similar extensions applies to REs (as was done in previous works).

Remark 2

The parameter \(\lambda \) is being used to quantify both the complexity of f (circuit size and input length) and the security level (computational privacy). When describing some of our constructions, it will be convenient to separate between these two different roles and treat \(\lambda \) solely as a security parameter (independently from the complexity of f). Computational privacy will be guaranteed (in the sense of the above definition) as long as \(\lambda \) is set to be polynomial in the complexity of f.

3.3 From MPRE to MPC Protocol

The main motivation for studying MPRE’s is the following simple observation.

Proposition 1

Let f be an n-party functionality. Let g be a perfect (resp., computational) MPRE of f with privacy threshold of \(\tau \). Then, the task of \(\tau \)-privately computing f with perfect privacy (resp., computational privacy) reduces non-interactively to the task of \(\tau \)-privately computing g with perfect privacy (resp., computational privacy).

In particular, by using standard composition theorems any protocol \(\pi \) that \(\tau \)-privately computes g with perfect (resp., computational) privacy can be turned into a protocol \(\pi '\) with the same complexity and round complexity that \(\tau \)-privately computes f with perfect (resp., computational) privacy.

The proof of Proposition 1 appears in the full version.

3.4 Manipulating MPRE

One can always get rid of the internal randomness \(r_0\) of an MPRE

$$\begin{aligned} \hat{f}((x_1,r_1),\ldots ,(x_n,r_n);r_0) \end{aligned}$$

by extending the randomness of each party with an additional random string \(r'_i\) and applying the functionality \(\hat{f}\) with \(r_0\) set to \(\sum _i r'_i\). Here, we assume that the randomness domain R is a set of fixed length strings and so addition stands for bit-wise XOR. (More generally, this transformation works as long as “addition” forms a group operation over the randomness space R.) Formally, the following holds.

Proposition 2

(Removing internal randomness). Suppose that the functionality \(\hat{f}((x_1,r_1),\ldots ,(x_n,r_n);r_0)\) is a perfectly correct \((\tau ,t,\epsilon )\)-private MPRE of (fP). Then the functionality

$$\begin{aligned} g((x_1,r_1,r'_1),\ldots ,(x_n,r_n,r'_n)):= \hat{f}((x_1,r_1),\ldots ,(x_n,r_n);\sum _i r'_i) \end{aligned}$$

is a perfectly correct \((\tau ,t,\epsilon )\)-private MPRE of (fP).

Note that g has the same algebraic degree and the same effective degree as \(\hat{f}\) over \(\mathbb {F}_2\). (A multi-output functionality f has degree D if each of its outputs can be written as an \(\mathbb {F}_2\)-polynomial of degree D over the deterministic and random inputs. For effective degree see Definition)

Composition (Re-Encoding MPRE). The composition property of REs ([3, 4]) asserts that if we take an encoding g(xr) of f(x), view it as a deterministic function \(g'(x,r)\) over x and r, and re-encode this function by a another RE \(h(x,r;r')\), then the function \(h'(x;(r,r'))\) is an encoding of f. We prove a similar statement regarding MPRE’s.

Lemma 1

(Composition). Let \((f(x_1,\ldots ,x_n),P)\) be an n-party functionality and assume that the functionality \((g((x_1,r_1)\ldots ,(x_n,r_n)),Q)\) perfectly encodes f with threshold \(\tau _1\) and no internal randomness. Further assume that the functionality \((h(((x_1,r_1),r'_1)\ldots ,((x_n,r_n),r'_n);r'_0),M)\) perfectly encodes the functionality (gQ) (viewed as a deterministic functionality over the domain \((X')^n\) where \(X'=(X\times R)\) with threshold \(\tau _2\)). Then, the functionality \((h',M)\), where

$$\begin{aligned} h'((x_1,(r_1,r'_1)),\ldots , (x_n,(r_n,r'_n));r'_0):= h(((x_1,r_1),r'_1)\ldots ,((x_n,r_n),r'_n)), \end{aligned}$$

is a perfect MPRE of f with threshold \(\min (\tau _1,\tau _2)\).

(Observe that \(h'\) is defined identically to h except each party i treats \(x_i\) as its deterministic input of i and \((r_i,r'_i)\) as its randomness.)

A similar lemma holds in the computational setting as well.

Lemma 2

(Composition (Computational version)). Let \(f=\{ f_{\lambda } \}\) be an infinite family of \(n(\lambda )\)-party functionalities which is computationally encoded by the families of functionalities \(g=\{ g_{\lambda } \}\) with privacy threshold \(\tau (\lambda )\) and with no internal randomness. Suppose that \(h=\{ h_{\lambda } \}\) computationally encode g with privacy threshold of \(\tau '(\lambda )\). Then, \((h',P)\), defined as in Lemma 1, forms a computational encoding of f with privacy threshold of \(\min (\tau ,\tau ')\).

4 Encoding via Protocol-Compatible Functionalities

In this section we show that any functionality f can be encoded by a so-called protocol compatible functionality g that enjoys “nice” syntactic properties.

4.1 From MPC Protocol to MPRE

We begin by noting that any protocol naturally induces an MPRE as shown below.

Definition 6

(The view functionality). Let \(\pi \) be an n-party protocol in which the i-th party holds a deterministic input \(x_i\) and private randomness \(r_i\). The n-party view functionality \(g_{\pi }\) is defined as follows:

  • The input of the i-th party is \((x_i,r_i)\).

  • The output of the i-th party consists of all the messages that are sent to her in an execution of \(\pi \) (on the inputs \((x_1,r_1),\ldots ,(x_n,r_n)\)).

We also consider the extended view functionality in which, in addition to the above, \(g_{\pi }\) delivers to each party i all intermediate values that are computed locally by i, where the local computation of every party is viewed as a Boolean circuit.

Note that the view and extended view can deterministically be derived from each other.

Proposition 3

Let \(\pi \) be a protocol that implements the n-party functionality \(f(x_1,\ldots ,x_n)\) with perfect correctness and perfect (resp., computational) privacy against a passive adversary that may corrupt up to \(\tau \) players. Then the view functionality and the extended view functionality of \(\pi \) encode the functionality f with perfect correctness and perfect (resp., computational) privacy threshold \(\tau \).

Proof

The proposition follows immediately from the fact that \(\pi \) privately implements f as per Definition 2. The correctness of \(\pi \) translates into correctness of \(g_{\pi }\) and the \(\tau \)-privacy of the protocol immediately translates into \(\tau \)-privacy of the MPRE.

An extended view functionality \(g_{\pi }\) has several useful syntactic properties. These are captured by the following notion of protocol compatible functionality.

Definition 7

A protocol compatible functionality (fP) is a functionality with no internal randomness that can be represented by a Boolean circuit C as follows.

  • The circuit C takes the same inputs as f. The outputs \(y=(y_1,\ldots ,y_m)\) of f(x) consist of the values of all the wires in the circuit (including internal wires and input wires) sorted under some topological order (inputs are first).

  • The computation in C is performed via two types of gates.

    • A transmission gate delivers a value from one party to another, i.e.  it maps a single input \(y_a\) to a single output \(y_b\) such that \(y_a = y_b\) and possibly \(P(a) \ne P(b)\).

    • A local computation gate (wlog, NAND gate) maps two inputs \((y_a,y_b)\) to a single output \(y_c\), where \(P(a) = P(b) = P(c)\).

Proposition 4

Let \(\pi \) be an n-party protocol and let \(g_{\pi }\) be its extended view functionality. Then, \(g_{\pi }\) is protocol compatible.

Proof

By definition, every output bit of \(g_{\pi }\) is either an input bit, the result of some local computation, or some incoming message.

Remark 3

(Extended view in a hybrid model). Consider a protocol \(\pi \) operates in a h-hybrid model where h is some n-party functionality. (Recall that this means that the parties can invoke a call to an ideal version of h.) In this case, the view functionality and the extended view functionality (which are still well defined) still form an MPRE of f just like in Proposition 3. However it will not satisfy the syntax of Definition 7.

4.2 BGW-Based MPRE

The extended view functionality of the semi-honest protocol from [7], henceforth denoted BGW, gives rise to the following MPRE.

Theorem 3

(BGW-based protocol-compatible encoding). Every n-party functionality f can be perfectly encoded with threshold privacy of \(\tau =\left\lfloor \frac{n-1}{2} \right\rfloor \) by a protocol-compatible MPRE g of size \(O(S\cdot \mathrm{poly}(n))\) and depth \(O(D\cdot \log n)\) where S denotes the circuit size of f and D denotes the multiplicative depth of f.

Jumping ahead, we mention that in order to derive our main theorem with complexity which grows polynomially in the number of parties, it is crucial to make sure that the depth of g is at most logarithmic in n.

Proof

We consider the BGW protocol \(\pi \) for computing f against a passive adversary that corrupts up to \(\tau \) parties. By Propositions 3 and 4, it suffices to show that \(\pi \) can be implemented so that its extended-view functionality \(g_{\pi }\) is of size \(O(S\cdot \mathrm{poly}(n))\) and depth \(O(D\cdot \log n)\).

Recall that \(\pi \) interprets f as an arithmetic circuit over a sufficiently large field \(\mathbb {F}\) of size \(|\mathbb {F}|>n\) and that each party i is associated with a fixed public field element \(\alpha _i\in \mathbb {F}\) (as a property of the protocol and independently of the input). Thus the first n powers of each \(\alpha _i\) are to be treated as pre-computed constants. The local computation L of every party for each multiplication gate (and for the input gates) can be implemented by a \(\mathrm{poly}(n)\)-size arithmetic circuit of constant depth whose addition gates have unbounded fan-in and the multiplication gates have fan-in 2. (Indeed, all local computation can be written as matrix-vector multiplications.) This gives rise to an arithmetic circuit with bounded fan-in gates, \(\mathrm{poly}(n)\) size, \(O(\log n)\) depth and constant multiplicative depth.

We continue by showing that such an arithmetic circuit L can be realized by a Boolean \({\mathrm {NC}}^1\) circuit (of size \(\mathrm{poly}(n)\), depth \(O(\log n)\) and bounded-fan gates). Indeed, letting \(\mathbb {F}=\mathrm {GF}[2^{O(\log n)}]\) be a binary extension field, we can trivially implement field addition by a Boolean circuit of constant depth and \(O(\log n)\) size (and bounded-fan gates). Field multiplication can be implemented by an \({\mathrm {AC}}^0[\oplus ]\) circuit of size \(\mathrm{polylog}(n)\) [19], and therefore by a Boolean circuit of size \(\mathrm{polylog}(n)\), depth \(\log (\mathrm{polylog}(n))\) and bounded-fan gates. It follows that L is in \({\mathrm {NC}}^1\).

Finally, we note that in BGW addition gates require only local computation. This local computation consists of O(n) parallel fan-in-2 additions of field elements. Since \(\mathbb {F}\) is a binary extension field this can be implemented by a constant depth (\({\mathrm {NC}}^0\)) circuit of size \(O(n\log n)\). We conclude that the extended view functionality \(g_{\pi }\) has the desired complexity.

5 Degree-2 Encodings for Protocol-Compatible Functionalities

In this section we show that any protocol-compatible functionality f can be encoded by a functionality \(\hat{f}\) with effective degree 2. That is, each output of \(\hat{f}\) can be computed as a degree-2 function over n values that can be computed by the parties locally (see Definition 1).

The following theorem will be proved in Sect. 5.1.

Theorem 4

Let (fP) be a protocol-compatible n-party functionality of depth d and output length m. Then, f has a perfect n-private MPRE \(\hat{f}\) of effective-degree 2 and total complexity \(\mathrm{poly}(2^d,m)\).Footnote 5

Remark 4

(Other properties of the MPRE). The encoding \(\hat{f}\) constructed in Theorem 4 satisfies several additional properties that will not be used in our work, but may be useful elsewhere.

  1. 1.

    The encoding \(\hat{f}\) is fully-decomposable and affine in x, that is for any fixing of the private randomness the residual functionality \(\hat{f}(x)\) is a degree-1 function in x and each output bit of \(\hat{f}\) depends on at most a single bit of the input x.

  2. 2.

    The preprocessing functions \((h_1,\ldots ,h_n)\) that achieve effective degree of 2 only manipulate the private randomness. That is, we construct \(h_i(x_i,r_i)\) s.t. \(h_i(x_i,r_i)=(x_i, h'_i(r_i))\), where \(h'_i\) is a degree-2 function.

5.1 Proof of Theorem 4

Let \(f: X^n \rightarrow \{0,1\}^m\) be a protocol-compatible functionality of depth d. We now show how to encode f via a functionality

$$\begin{aligned} \hat{f}:(X \times R)^n \times R' \rightarrow Y' \end{aligned}$$

with effective degree of 2. In addition to the private randomness \(r_i\) of each party, the functionality \(\hat{f}\) uses internal randomness \(r'\). (The latter can be removed via Proposition 2 while keeping an effective degree of 2.)

Notation. Let C be the Boolean circuit that represents f (as per Definition 7). Recall that the circuit C has m wires and it contains gates of two types: local computation gates and transmission (identity) gates. We prove the theorem with respect to circuits C in which the fan-out of transmission gates is one and the fan-out of local computation gates is two. This is without loss of generality, since any circuit C can be transformed to satisfy these restrictions while preserving the size (up to a constant factor), and at the expense of increasing the depth to \(d'=d \log m\); we may ignore this overhead since \(\mathrm{poly}(2^{d'},m)=\mathrm{poly}(2^{d},m)\). For every \(i \in [m]\), let \(P(i) \in [n]\) denote the party that holds the value of the ith wire in C.

Randomness. Our MPRE employs the following random bits. For every wire \(i \in [m]\), the party P(i) samples a random masking bit \(\alpha _i\). In addition, for every wire i, the functionality uses the internal randomness to sample a pair of random strings (keys) \(s_i^0,s_i^1\) of length \(\omega _i\). The length \(\omega _i\) of an “output wire” (i.e., a wire that does not enter any gate) is set to zero and the length of all other keys will be defined recursively (from top-to bottom) later. We assume that both strings, \(s_i^0,s_i^1\), are partitioned to two equal-size blocks, and index these blocks by a bit \(b\in \{0,1\}\), where \(s_i^{a,b}\) denotes the bth block of \(s_i^a\).

The outputs of the MPRE. We traverse the circuit C gate-by-gate in reverse topological order (from the output gates to the input wires), and let the functionality \(\hat{f}\) deliver the following outputs to all parties.

  • For every local computation gate g with incoming wires ij and outgoing wires \(k,\ell \), we output four values (known as the gate table) defined as follows. For every \(\beta _i, \beta _j \in \{0,1\}\), set

    $$\begin{aligned} \gamma = G(\alpha _i \oplus \beta _i, \alpha _j \oplus \beta _j), \end{aligned}$$
    (2)

    where \(G(\cdot ,\cdot )\) is the function computed by the gate, and output the value

    $$\begin{aligned} Q_g^{\beta _i, \beta _j}&:= \left( (s_k^{\gamma }\Vert \gamma \oplus \alpha _k) \Vert (s_{\ell }^{\gamma }\Vert \gamma \oplus \alpha _{\ell })\right) \\&\qquad \oplus \ s_i^{\alpha _i\oplus \beta _i,\beta _j} \ \oplus \ s_j^{\alpha _j\oplus \beta _j,\beta _i}. \nonumber \end{aligned}$$
    (3)

    One should view \(Q_g^{\beta _i, \beta _j}\) as a ciphertext where the message is associated with the outgoing wires (first line of Eq. 3) is encrypted using a one-time pad under the combination of the keys associated with the incoming wires (second line of Eq. 3). Correspondingly, we set the length \(\omega _i\) (resp., \(\omega _j\)) of the keys \(s^0_i,s^1_i\) (resp., \(s^0_j,s^1_j\)) to be \(2 (\omega _k+1+\omega _{\ell }+1)\).

  • Transmission gates are treated analogously. That is, for every transmission (identity) gate g with incoming wire i and outgoing wire k, we output the following two values. For every \(\beta _i \in \{0,1\}\), set \(\gamma = \beta _i \oplus \alpha _i\) and output the value

    $$\begin{aligned} Q_g^{\beta _i} := (s_k^{\gamma }\Vert \gamma \oplus \alpha _k) \ \oplus \ s_i^{\alpha _i\oplus \beta _i}. \end{aligned}$$

    Correspondingly, we set the length \(\omega _i\) of the keys \(s^0_i,s^1_i\) to be \(\omega _k+1\).

  • For every input wire i, output the masked value \( x_i \oplus \alpha _i\) and the active key \(s_i^{x_i}\).

Effective Degree and Complexity. Observe that a term of the form \(s^{a}\) can be written as a degree-2 function of a and \(s\) (i.e., \(a \cdot s^1+(1-a)\cdot s^0\)). Hence, all the outputs of the encoding are of degree 2 except for ciphertexts that correspond to local computation gates as in Eq. (3) in which the selection bit \(\gamma \) itself is a degree-2 function (and so the overall degree of \(Q_g^{\beta _i, \beta _j}\) increases to 3). However, since the party \(p=P(i)=P(j)\) knows both \(\alpha _i\) and \(\alpha _j\), the value \(\gamma \) can be locally pre-computed and so the effective degree of the encoding is 2.

The complexity of the encoding is polynomial in the circuit size and the size of the largest key. A proof by induction shows that the length \(\omega _i\) of the ith key is at most \(O(4^{h_i})\) where \(h_i\) is the height of the ith wire (i.e., the length of the longest path from i to an “output wire” that does not enter any gate). Following this analysis, the complexity of \(\hat{f}\) is bounded by \(\mathrm{poly}(2^d,m)\).

Correctness. Fix some input \(x=(x_1, \dots x_n) \in X^n\) and let \(y_i\) denote the value induced by x on the ith wire. We show that the party P(i) can recover \(y_i\) from the encoding \(\hat{y}\) and its private randomness. Since the ith mask \(\alpha _i\) is given to P(i) as part of its private randomness, it suffices to show that P(i) can recover the masked value \(\hat{y}_i := y_i \oplus \alpha _i\). Indeed, as in standard garbled circuits, every party can recover the masked bit \(\hat{y}_k := y_k \oplus \alpha _k\) together with the active key \(s_k^{y_k}\), for every wire k. This is done by traversing the circuit from the inputs to the outputs as follows. For input wires the pair \(\hat{y}_k, s_k^{y_k}\) is given explicitly as part of the encoding. For an internal wire k, that leaves a local computation gate g with incoming wires ij this is done by using the masked bits \(\hat{y}_i,\hat{y}_j\) of the input wires to select the ciphertext \(Q^{\hat{y}_i,\hat{y}_j}_k\) and then decrypting (i.e., XOR-ing) it with \(s_i^{y_i,\hat{y}_j} \oplus s_j^{y_j,\hat{y}_i}\) that can be computed based on the active keys of the incoming wires. One can verify that this procedure recovers the desired values correctly. The case of transmission gates is treated similarly.

Privacy. We first claim that an external observer (that does not see the private randomness) can perfectly simulate the encoding given the list of masked values \((\hat{y}_k)_{k\in [m]}\).

Claim 1

There exists a simulator \(\mathsf {Sim}'\) that takes as an input an m-bit vector \(\hat{y}=(\hat{y}_i)_{i\in [m]}\), runs in time \(\mathrm{poly}(m,2^d)\) and satisfies the following guarantee. For every input x and every fixing of \(\alpha =(\alpha _i)_{i\in [m]}\), the random variable

$$\begin{aligned} \mathsf {Sim}'(y_1\oplus \alpha _1,\ldots , y_m\oplus \alpha _m), \end{aligned}$$

where \(y_i\) is the value induced by x on the ith wire, is distributed identically to the encoding \(\hat{f}(x)\) conditioned on the above fixing of \(\alpha \).

The claim is implicit in the standard proof of information-theoretic garbled circuit (cf. [22]); it is proved in the full version.

Based on Claim 1, we define a perfect simulator \(\mathsf {Sim}\) for the MPRE. Fix an arbitrary coalition \(T\subseteq [n]\) and let I be the set of wires owned by parties in T, i.e., \(I=\{ i:P(i)\in T \}\). Given the inputs x[T] of T, and a vector of output values \((y_i)_{i\in I}\), the simulator does the following. For \(i\in I\), sample uniformly the local randomness \(\alpha _i\) and set \(\hat{y}_i=y_i \oplus \alpha _i\). For \(i\notin I\) sample \(\hat{y}_i\) uniformly at random. Next invoke the simulator \(\mathsf {Sim}'\) on \(\hat{y}=(\hat{y}_i)_{i\in [m]}\) and output the result.

We prove that the simulation is perfect. Fix some input x, some \(\alpha _I=(\alpha _i)_{i\in I}\), and let \(y=f(x)\) and \(y_I=(y_i)_{i\in I}\). We claim that the distribution sampled by \(\mathsf {Sim}(T,x[T], \alpha _I, y_I)\) is identical to the joint distribution of the encoding \(\hat{f}(x)\) induced by the choice of \(\alpha _{[m]\setminus I}, (s^0_i,s^1_i)_{i\in [m]}\) (and conditioned on the above fixing of \(\alpha _I\)). Indeed, since the marginal distribution of the vector of masked bits \((\hat{y}_1,\ldots ,\hat{y}_m)\) is perfectly simulated, this follows from Claim 1.

6 Putting It All Together

In this section we prove the following theorems using the tools we developed in previous sections.

Theorem 5

Every n-party functionality f can be encoded by a perfect MPRE g with privacy threshold of \(\tau =\left\lfloor \frac{n-1}{2} \right\rfloor \), effective degree 2 and complexity polynomial in n and S where S is the size of the branching program that computes f.

Theorem 6

Every n-party functionality f can be encoded by a computational MPRE g with privacy threshold of \(\tau =\left\lfloor \frac{n-1}{2} \right\rfloor \), effective degree 2 and complexity polynomial in n and S where S is the size of the circuit that computes f. Moreover, the MPRE makes use of one-way functions in a balck-box way only as part of the local preprocessing step.

Theorems 5 and 6 (whose proof is deferred to Sects. 6.1 and 6.2) can be used to derive our main results (Theorems 1 and 2).

Proof

(Proof of Theorems 1 and 2). We prove Theorem 1 (resp., Theorem 2): Given an n-party functionality f that is computable by a branching program of size S (resp., computable by a Boolean circuit of size S), construct the perfect MPRE g promised by Theorem 5 (resp., the computational MPRE g promised by Theorem 6). By Proposition 1, f non-interactively \(\left\lfloor \frac{n-1}{2} \right\rfloor \)-reduces to g with perfect privacy (resp., computational privacy). Since g has an effective degree 2, the functionality g itself n-privately reduces to a degree-2 functionality \(g'\) (in a trivial way). A composition of these reductions yields the desired reduction.

To prove the second (“Consequently”) part of the theorem, we employ the BGW protocol \(\pi _{g'}\) to privately compute \(g'\) in 2 rounds (since its degree is 2) and complexity of \(\mathrm{poly}(n,S)\) at the presence of honest majority. Plugging this protocol into the above reduction and using standard composition theorems (cf. [9]), we get a 2-round protocol for f with similar complexity and perfect (resp., computational) privacy.

6.1 Perfect MPRE for Branching Programs (Proof of Theorem 5)

Let f be an n-party functionality that is computable by a branching program of size S. By [21], such a function has degree-3 perfect randomized encoding \(g_1(x;r)\) of \(\mathrm{poly}(S)\) size. Recall that such an RE yields an n-private MPRE, and let us get rid of the private randomness by applying Proposition 2. This gives us a degree-3 MPRE \(g_2\) of f whose complexity is \(\mathrm{poly}(S)\) with privacy threshold of n. Next, we encode \(g_2\) by the BGW-based protocol-compatible encoding (Theorem 3) and get a protocol-compatible perfect MPRE \(g_{3}\) of size \(O(S\cdot \mathrm{poly}(n))\), depth \(O(\log n)\) and privacy threshold of \(\tau =\left\lfloor \frac{n-1}{2} \right\rfloor \). Using our information-theoretic encoding from Theorem 4 (based on garbled circuits), we get a \(\tau \)-private perfect MPRE \(g_4\) of \(g_3\) with complexity \(\mathrm{poly}(n,S)\) and effective degree 2. By the composition lemma (Lemma 1), the MPRE \(g_4\) perfectly encode f with privacy threshold of \(\tau \). \(\square \)

6.2 Computational MPRE for Circuits (Proof of Theorem 6)

To prove the theorem we make use of the following MPRE that is based on the BMR protocol [6].

Claim 2

Let f be an n-party functionality that is computable by an S-size circuit. Then f has a computational MPRC g that does not use internal randomness and has privacy threshold of \(n-1\) and polynomial complexity in n and S. Most importantly, the function g can be written as

$$\begin{aligned} A(B_1(x_{1},r_1),\ldots ,B_n(x_{n},r_n)), \end{aligned}$$

where the combining function A can be computed by a circuit of size \(\mathrm{poly}(n,S)\) and depth \(O(\log (nS))\), and each of the functions \(B_i\) (that correspond to local computations) make a black-box use of a PRG.

The proof of the Claim appears in the full version. The proof of Theorem 6 proceeds as follows. It suffices to prove the theorem with respect to PRG, since the latter reduce to OWF via a black-box reduction [18].

Let f be an n-party functionality with complexity S and let g denote the computational MPRE

$$\begin{aligned} g(x,r)=A(B_1(x_{1},r_1),\ldots ,B_n(x_{n},r_n)), \end{aligned}$$

promised in Claim 2.

Since A can be computed by a circuit of size \(\mathrm{poly}(n,S)\) and depth \(O(\log (nS))\) it can also be computed by a branching program of size \(S'=\mathrm{poly}(n,S)\). Therefore, by Theorem 5, the function A admits a perfect MPRE

$$\begin{aligned} \hat{A}((y_1,r'_1),\ldots ,(y_n,r'_n)) \end{aligned}$$

with privacy threshold of \(\tau =\left\lfloor \frac{n-1}{2} \right\rfloor \), effective degree 2 and complexity \(\mathrm{poly}(n,S')=\mathrm{poly}(n,S)\). Consider the functionality \(\hat{g}\) obtained by substituting \(y_i\) with \(B_i(x_{i},r_i)\), i.e.,

$$\begin{aligned} \hat{g}\left( (x_1,(r_1,r'_1)),\ldots , (x_n,(r_n,r'_n))\right) :=\hat{A}\left( (B_1(x_{1},r_1),r'_1),\ldots ,(B_n(x_{n},r_n),r'_n)\right) . \end{aligned}$$

Observe that \(\hat{g}\) has an effective degree 2 and complexity of \(\mathrm{poly}(n,S)\). Moreover, since \(\hat{A}\) perfectly encodes A with \(\tau \)-privacy, \(\hat{g}\) also perfectly encodes g with \(\tau \)-privacy. (Indeed, one can verify that this form of local substitution preserves privacy and correctness.) By the composition property of MPRE (Lemma 2), this means that \(\hat{g}\) is a computational \(\tau \)-private MPRE of f as required. \(\square \)