ABSTRACT
We study the communication complexity of secure function evaluation (SFE). Consider a setting where Alice has a short input x_A, Bob has an input x_B and we want Bob to learn some function y = f(x_A, x_B) with large output size. For example, Alice has a small secret decryption key, Bob has a large encrypted database and we want Bob to learn the decrypted data without learning anything else about Alice's key. In a trivial insecure protocol, Alice can just send her short input x_A to Bob. However, all known SFE protocols have communication complexity that scales with the size of the output y, which can potentially be much larger. Is such 'output-size dependence' inherent in SFE?
Surprisingly, we show that output-size dependence can be avoided in the honest-but-curious setting. In particular, using indistinguishability obfuscation (iO) and fully homomorphic encryption (FHE), we construct the first honest-but-curious SFE protocol whose communication complexity only scales with that of the best insecure protocol for evaluating the desired function, independent of the output size. Our construction relies on a novel way of using iO via a new tool that we call a 'somewhere statistically binding (SSB) hash', and which may be of independent interest.
On the negative side, we show that output-size dependence is inherent in the fully malicious setting, or even already in an honest-but-deterministic setting, where the corrupted party follows the protocol as specified but fixes its random tape to some deterministic value. Moreover, we show that even in an offline/online protocol, the communication of the online phase must have output-size dependence. This negative result uses an incompressibility argument and it generalizes several recent lower bounds for functional encryption and (reusable) garbled circuits, which follow as simple corollaries of our general theorem.
Index Terms: On the Communication Complexity of Secure Function Evaluation with Long Output