## Communication Complexity and Secure Function Evaluation (2001)

### Cached

### Download Links

- [eprint.iacr.org]
- [www.wisdom.weizmann.ac.il]
- [arxiv.org]
- DBLP

### Other Repositories/Bibliography

Citations: | 13 - 1 self |

### BibTeX

@MISC{Naor01communicationcomplexity,

author = {Moni Naor and Kobbi Nissim},

title = {Communication Complexity and Secure Function Evaluation},

year = {2001}

}

### OpenURL

### Abstract

A secure function evaluation protocol allows two parties to jointly compute a function f(x; y) of their inputs in a manner not leaking more information than necessary. A major result in this field is: "any function f that can be computed using polynomial resources can be computed securely using polynomial resources" (where `resources' refers to communication and computation). This result follows by a general transformation from any circuit for f to a secure protocol that evaluates f . Although the resources used by protocols resulting from this transformation are polynomial in the circuit size, they are much higher (in general) than those required for an insecure computation of f . For the design of efficient secure protocols we suggest two new methodologies, that differ with respect to their underlying computational models. In one methodology we utilize the communication complexity tree (or branching program) representation of f . We start with an efficient (insecure) protocol for f and transform it into a secure protocol. In other words, "any function f that can be computed using communication complexity c can be can be computed securely using communication complexity that is polynomial in c and a security parameter". The second methodology uses the circuit computing f , enhanced with look-up tables as its underlying computational model. It is possible to simulate any RAM machine in this model with polylogarithmic blowup. Hence it is possible to start with a computation of f on a RAM machine and transform it into a secure protocol. We show many applications of these new methodologies resulting in protocols efficient either in communication or in computation. In particular, we exemplify a protocol for the "millionaires problem", where two partici...

### Citations

896 | The design and implementation of a log-structured file system
- Rosenblum, Ousterhout
- 1992
(Show Context)
Citation Context ...lowup. Our constructions are similar in nature to that of Goldreich and Ostrovsky [19, 24] and Ostrovsky and Shoup [44]. A similar luck of efficiency problem was addressed by Rosenblum and Ousterhout =-=[46]-=- in the context of file systems. They suggest log-structured file systems that optimize write operations to the file system by sequentially logging modifications to existing data rather than overwriti... |

721 | Proof verification and the hardness of approximation problems - Arora, Lund, et al. - 1998 |

677 |
Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract
- Ben-Or, Goldwasser, et al.
(Show Context)
Citation Context ...ame a few examples, Kilian [28] as well as [23, 5] used permutation branching programs, appealing to Barrington’s Theorem. In the multiparty computation with an honest majority setting, Ben-Or et el. =-=[9]-=-, followed by many of the works in the area, used a representation of f by an algebraic circuit. Feige et al. [14] and [26] used a representation of f as a product of matrices over a large enough fiel... |

621 | Communication complexity
- Kushilevitz, Nisan
- 1997
(Show Context)
Citation Context ...previously considered in the information theoretic setting by Kushilevitz 4 . In the two party case only very special functions have an information theoretic private protocol (see characterization in =-=[32]-=- and Kilian [29]). For functions that have private protocols in the information theoretic setting, Kushilevitz [32] showed that their secure version protocol may be much more expensive than their inse... |

562 |
How to generate and exchange secrets
- Yao
- 1986
(Show Context)
Citation Context ...n the parties – they do not necessarily correspond to the minimum communication complexity protocol for f. Many of the works in the field followed the ‘garbled circuit’ construction introduced by Yao =-=[49, 50]-=- and [23] and thus concentrated on the representation of f by a Boolean (combinatorial) circuit. The drawback of this representation is that operations such as accessing a single element from a table ... |

531 |
Protocols for secure computations
- Yao
- 1982
(Show Context)
Citation Context ...n the parties – they do not necessarily correspond to the minimum communication complexity protocol for f. Many of the works in the field followed the ‘garbled circuit’ construction introduced by Yao =-=[49, 50]-=- and [23] and thus concentrated on the representation of f by a Boolean (combinatorial) circuit. The drawback of this representation is that operations such as accessing a single element from a table ... |

438 |
How to play ANY mental game
- Goldreich, Micali, et al.
- 1987
(Show Context)
Citation Context ... function f(x1, x2, . . ., xp) it is possible in principle to construct a protocol that allows a group of p parties, where party i has as its private input xi, to jointly evaluate f(x1, x2, . . .,xp) =-=[23]-=-. Following the protocol, the parties learn f(x1, x2, . . .,xp) but no party i can learn about the other inputs {xj}j=i more than can be computed from her own input xi and the outcome f(x1, x2, . . .... |

429 | Property testing and its connection to learning and approximation
- Goldreich, Goldwasser, et al.
- 1996
(Show Context)
Citation Context ...es. Property testing A great source of applications for circuits with LUT is property testing, where a (typically large) object is locally queried in order to check whether some global property holds =-=[7, 47, 22]-=-. I.e. the number of queries to the object is very small with respect to the object size (at the extreme - independent of the object size). The object is assumed either to have the property or to be f... |

418 | Private Information Retrieval
- Chor, Goldreich, et al.
- 1998
(Show Context)
Citation Context ...transfer should take much more work than w. Complexity of OT and PIR A lot of work was devoted recently to the communication complexity of OT, under the heading of Private Information Retrieval – PIR =-=[6]-=-. The results on single PIR by Kushilevitz and Ostrovsky [35] and Cachin et al. [12] solve “half the problem” by protecting the chooser from the sender (i.e. at the end of the protocol the sender cann... |

392 | Security and Composition of Multi-party Cryptographic Protocol
- Canetti
(Show Context)
Citation Context ...Goldreich [20, 21] for definitions and notation. In the design and proof of our protocol we make extensive use of composition theorems for secure protocols. This has been an active research area (see =-=[11, 20]-=-). An important tool in our design are efficient protocols for Oblivious Transfer (OT) and Private Information Retrieval (PIR). We briefly overview OT and PIR as well as some other cryptographic tools... |

348 | Self-testing/correcting with applications to numerical problems
- Blum, Luby, et al.
- 1993
(Show Context)
Citation Context ...the inputs of the parties. Therefore one can also have a round preserving protocol. Example Applying the Construction 4.1 to the Hamming distance protocol in Figure 2 we get: j = 0 ¯y1 = [1, 2] ¯x2 = =-=[1, 3, 5, 7]-=- ¯y3 = [1, 2, 5, 6, 9, 10, 13, 14] ¯x4 = [0, 1, 0, 1, 1, 2, 1, 2, 0, 1, 0, 1, 1, 2,1, 2]. Going through the lists we get: x4[y3[x2[y1[j]]]] = x4[y3[x2[y1[0]]]] = x4[y3[x2[1]]] = x4[y3[3]] = x4[6] = 1.... |

275 | Foundations of Cryptography: Basic Tools - Goldreich - 2001 |

236 |
Founding cryptography on oblivious transfer
- Kilian
- 1988
(Show Context)
Citation Context ...an have a great impact on the complexity of its secure function evaluation protocol. Some representations of f, other than Boolean circuits were used in previous works. To name a few examples, Kilian =-=[28]-=- as well as [23, 5] used permutation branching programs, appealing to Barrington’s Theorem. In the multiparty computation with an honest majority setting, Ben-Or et el. [9], followed by many of the wo... |

223 | Computationally private information retrieval with polylogarithmic communication
- Cachin, Micali, et al.
- 1999
(Show Context)
Citation Context ...was devoted recently to the communication complexity of OT, under the heading of Private Information Retrieval – PIR [6]. The results on single PIR by Kushilevitz and Ostrovsky [35] and Cachin et al. =-=[12]-=- solve “half the problem” by protecting the chooser from the sender (i.e. at the end of the protocol the sender cannot distinguish which value the chooser has learned), but the chooser may learn more ... |

215 | Replication is not needed: single database, computationally-private information retrieval
- Kushilevitz, Ostrovsky
- 1997
(Show Context)
Citation Context ... and PIR A lot of work was devoted recently to the communication complexity of OT, under the heading of Private Information Retrieval – PIR [6]. The results on single PIR by Kushilevitz and Ostrovsky =-=[35]-=- and Cachin et al. [12] solve “half the problem” by protecting the chooser from the sender (i.e. at the end of the protocol the sender cannot distinguish which value the chooser has learned), but the ... |

209 | An O(n log n) sorting network - Ajtai, Komlós, et al. - 1983 |

198 |
Oblivious transfer and polynomial evaluation
- Naor, Pinkas
- 1999
(Show Context)
Citation Context ...he φ-hiding assumption and is more efficient in terms of communication. The communication complexity of their construction is k · polylog(n). 7 In order to protect the sender as well, Naor and Pinkas =-=[41]-=- proposed a method that turns any computational PIR into an OT w 1 protocol, by applying log w times (concurrently) an OT2 1 described recently an OT w 1 protocol, without increasing the communication... |

185 | Privacy preserving auctions and mechanism design
- Naor, Pinkas, et al.
- 1999
(Show Context)
Citation Context ...rations such as accessing a single element from a table result in a relatively large penalty in the circuit size. More specifically, if one follows the ‘garbled circuit’ construction, as discussed in =-=[43]-=-, then 1 One of the first problems considered is Yao’s “millionaires problem” [49], where two participants want to check which one has a larger value but leak no other information. Note that the name ... |

169 | Software protection and simulation on oblivious RAMs
- Goldreich, Ostrovsky
- 1996
(Show Context)
Citation Context ...· S(n)). Simulation by oblivious RAM The access pattern of an oblivious machine does not depend on its input, hence it hides all information about the input (except its size). Goldreich and Ostrovsky =-=[19, 24]-=- utilized this property of oblivious machines to protect software from leaking its memory access sequence. However, to allow for efficient simulation of a RAM machine by oblivious RAM machine, they ex... |

155 |
B.: Efficient Oblivious Transfer Protocols
- Naor, Pinkas
- 2001
(Show Context)
Citation Context ...urrently) an OT2 1 described recently an OT w 1 protocol, without increasing the communication complexity otherwise. Furthermore, they protocol based on the Decisional Diffie-Hellman (DDH) assumption =-=[42]-=-. In their protocol the chooser performs a constant number of exponentiations and the sender performs O(w) exponentiations, while the communication complexity is increased by a single element in addit... |

153 | Monotone Circuits for Connectivity Require SuperLogarithmic Depth - Karchmer, Wigderson - 1990 |

150 | A note on efficient zero-knowledge proofs and arguments (extended abstract
- Kilian
- 1992
(Show Context)
Citation Context ...1 Input commitment The cryptographic primitive we need is a communication efficient commitment to a large string. Such a commitment scheme is used in Kilian’s construction of zero-knowledge arguments =-=[30]-=-. It is based on any perfectly binding commitment scheme (applied to each bit of the committed string) combined with a hash tree of a collision intractable hash function. The communication complexity ... |

117 | On syntactic versus computational views of approximability - Khanna, Motwani, et al. - 1999 |

115 |
Non-Cryptographic Fault-Tolerant Computing
- Bar-Ilan, Beaver
- 1989
(Show Context)
Citation Context ...impact on the complexity of its secure function evaluation protocol. Some representations of f, other than Boolean circuits were used in previous works. To name a few examples, Kilian [28] as well as =-=[23, 5]-=- used permutation branching programs, appealing to Barrington’s Theorem. In the multiparty computation with an honest majority setting, Ben-Or et el. [9], followed by many of the works in the area, us... |

100 |
Relations Among Complexity Measures
- Pippenger, Fischer
- 1979
(Show Context)
Citation Context ... Machine T may be simulated by an oblivious Turing Machine – where the head position, as a function of time, is independent of the input. The oblivious simulation results in a polylogarithmic blow-up =-=[45]-=-. (See further discussion in Section 5.1.1.) The situation regarding circuits vs. RAM machines is not known. Since a RAM machine M running in time T(n) using space S(n) may be simulated by a Turing Ma... |

99 | Secure multiparty computation of approximations - FEIGENBAUM, ISHAI, et al. |

78 | Emde Boas. Machine models and simulations - van - 1990 |

63 |
Towards a theory of software protection and simulation by oblivious RAMs
- Goldreich
- 1987
(Show Context)
Citation Context ...· S(n)). Simulation by oblivious RAM The access pattern of an oblivious machine does not depend on its input, hence it hides all information about the input (except its size). Goldreich and Ostrovsky =-=[19, 24]-=- utilized this property of oblivious machines to protect software from leaking its memory access sequence. However, to allow for efficient simulation of a RAM machine by oblivious RAM machine, they ex... |

50 |
Computing with noisy information
- Feige, Raghavan, et al.
- 1994
(Show Context)
Citation Context ...mined equality so far or not regarding prefix i). Therefore the total number of OT O(n) ). A more careful 1 performed is a log n which is O(log n · log 1 ε implementation based on noisy binary search =-=[15]-=- can yield O(log n + log 1 ) many OTO(n) ε 1 . Note that these results mean that whether one is interested in a communication efficient protocol or a whether in a computational efficient protocol this... |

47 | E.: Randomizing polynomials: A new representation with applications to round-efficient secure computation
- Ishai, Kushilevitz
- 2000
(Show Context)
Citation Context ...d [26] used a representation of f as a product of matrices over a large enough field. Beaver et al. [8] used the representation of f as a low degree polynomial. A recent work by Ishai and Kushilevitz =-=[27]-=- introduced a representation of functions via randomizing polynomials and used it to construct round-efficient secure multiparty protocols. Communication complexity and privacy The question of whether... |

43 |
Security with low communication overhead
- Beaver, Feigenbaum, et al.
- 1991
(Show Context)
Citation Context ...y of the works in the area, used a representation of f by an algebraic circuit. Feige et al. [14] and [26] used a representation of f as a product of matrices over a large enough field. Beaver et al. =-=[8]-=- used the representation of f as a low degree polynomial. A recent work by Ishai and Kushilevitz [27] introduced a representation of functions via randomizing polynomials and used it to construct roun... |

43 |
Communication complexity of secure computation
- Franklin, Yung
(Show Context)
Citation Context ...roblem of private two-party computation of a function. A more general problem of the secure computation of a function in a multiparty setting with faulty processors was addressed by Franklin and Yung =-=[40]-=-. 2the disparity in the communication complexity does not exist: it is possible to compute any function privately while preserving the communication. Circuit complexity vs. Turing Machines and RAM ma... |

39 | A minimal model for secure computation
- Feige, Kilian, et al.
- 1994
(Show Context)
Citation Context ... Theorem. In the multiparty computation with an honest majority setting, Ben-Or et el. [9], followed by many of the works in the area, used a representation of f by an algebraic circuit. Feige et al. =-=[14]-=- and [26] used a representation of f as a product of matrices over a large enough field. Beaver et al. [8] used the representation of f as a low degree polynomial. A recent work by Ishai and Kushilevi... |

34 |
Private information storage
- Ostrovsky, Shoup
- 1997
(Show Context)
Citation Context ... read and write operations to be polylogarithmic in s, resting in a polylogarithmic blowup. Our constructions are similar in nature to that of Goldreich and Ostrovsky [19, 24] and Ostrovsky and Shoup =-=[44]-=-. A similar luck of efficiency problem was addressed by Rosenblum and Ousterhout [46] in the context of file systems. They suggest log-structured file systems that optimize write operations to the fil... |

30 |
Correlated pseudorandomness and the complexity of private computations
- Beaver
- 1996
(Show Context)
Citation Context ...aluation protocols is dominated by the cost of the oblivious transfer invocations. Intuitively, the number of oblivious transfer invocations is a good measure for the efficiency of a protocol. Beaver =-=[4]-=- showed that it is possible to implement poly(k) oblivious transfers from an initial “seed” of just k oblivious transfers, assuming only the existence of one-way functions (where k is a security param... |

28 |
More general completeness theorems for two-party games
- Kilian
- 2000
(Show Context)
Citation Context ...dered in the information theoretic setting by Kushilevitz 4 . In the two party case only very special functions have an information theoretic private protocol (see characterization in [32] and Kilian =-=[29]-=-). For functions that have private protocols in the information theoretic setting, Kushilevitz [32] showed that their secure version protocol may be much more expensive than their insecure version. Th... |

25 | Digital signets: Self-enforcing protection of digital information (preliminary version
- Dwork, Lotspiech, et al.
- 1996
(Show Context)
Citation Context ...arties. Therefore one can also have a round preserving protocol. Example Applying the Construction 4.1 to the Hamming distance protocol in Figure 2 we get: j = 0 ¯y1 = [1, 2] ¯x2 = [1, 3, 5, 7] ¯y3 = =-=[1, 2, 5, 6, 9, 10, 13, 14]-=- ¯x4 = [0, 1, 0, 1, 1, 2, 1, 2, 0, 1, 0, 1, 1, 2,1, 2]. Going through the lists we get: x4[y3[x2[y1[j]]]] = x4[y3[x2[y1[0]]]] = x4[y3[x2[1]]] = x4[y3[3]] = x4[6] = 1. 4.2.1 Simple applications Computi... |

24 | Private simultaneous messages protocols with applications,” in Israel Symposium on Theory of Computing Systems
- Ishai, Kushilevitz
- 1997
(Show Context)
Citation Context ... In the multiparty computation with an honest majority setting, Ben-Or et el. [9], followed by many of the works in the area, used a representation of f by an algebraic circuit. Feige et al. [14] and =-=[26]-=- used a representation of f as a product of matrices over a large enough field. Beaver et al. [8] used the representation of f as a low degree polynomial. A recent work by Ishai and Kushilevitz [27] i... |

20 |
Improved efficient arguments (preliminary version
- Kilian
(Show Context)
Citation Context ...ication complexity polylog(n) · poly(k). This problem has not been explicitly treated in the past. We observe however that the construction of zero knowledge arguments for NP by Kilian [30] (see also =-=[31]-=-), combined with the PCP system of Arora et al. [3] gives the desired properties. Kilian’s construction is based on the PCP Theorem [3] and uses a commitment scheme that allows to open the commitment ... |

19 |
Robust Characterizations of Polynomials and Their Applications to Program Testing
- Rubinfeld, Sudan
- 1996
(Show Context)
Citation Context ...es. Property testing A great source of applications for circuits with LUT is property testing, where a (typically large) object is locally queried in order to check whether some global property holds =-=[7, 47, 22]-=-. I.e. the number of queries to the object is very small with respect to the object size (at the extreme - independent of the object size). The object is assumed either to have the property or to be f... |

18 | Secure games with polynomial expressions
- Kiayias, Yung
- 2001
(Show Context)
Citation Context ...one is interested in a low computational protocol, then the overhead can be as little as one exponentiation plus w private-key operations, using the first scheme in [42]. 7 Recently, Kiayias and Yung =-=[37]-=- presented a new polylogarithmic communication PIR scheme. 8 A similar construction was suggested by Aiello, Ishai and Reingold [1]. 9 Φ-hiding for the PIR scheme [12], and DDH for [42]. 8Counting ob... |

8 | Communication-space tradeoffs for unrestricted protocols
- Beame, Tompa, et al.
- 1994
(Show Context)
Citation Context ...arties. Therefore one can also have a round preserving protocol. Example Applying the Construction 4.1 to the Hamming distance protocol in Figure 2 we get: j = 0 ¯y1 = [1, 2] ¯x2 = [1, 3, 5, 7] ¯y3 = =-=[1, 2, 5, 6, 9, 10, 13, 14]-=- ¯x4 = [0, 1, 0, 1, 1, 2, 1, 2, 0, 1, 0, 1, 1, 2,1, 2]. Going through the lists we get: x4[y3[x2[y1[j]]]] = x4[y3[x2[y1[0]]]] = x4[y3[x2[1]]] = x4[y3[3]] = x4[6] = 1. 4.2.1 Simple applications Computi... |

7 |
Priced Oblivious Transfer: How to
- Aiello, Ishai, et al.
(Show Context)
Citation Context ...ut and the other party (the chooser) learns some aspect of the information without ‘hinting’ which aspect of the information was transferred. Definition 2.4 (1-out-of-w oblivious transfer) Let x[0], x=-=[1]-=-, . . .,x[w−1] be elements chosen from {0, 1} X . Let j ∈ {0, . . .,w − 1} be an index to one of these elements. 7An oblivious transfer protocol is a protocol that privately computes the function OT ... |

4 |
Secure multi-party Computation, Theory of Cryptography Library
- Goldreich
- 1998
(Show Context)
Citation Context ...ny function privately. What this work shows is, essentially, that 2 OT 2 1 is 1-out-of-2 oblivious transfer (see Section 2.2.1) and is a basic building of these protocols. 3 The protocol described in =-=[20]-=- results in invoking one OT for each gate as well as each input bit. 4 Kushilevitz addresses the problem of private two-party computation of a function. A more general problem of the secure computatio... |

4 |
An O(n logn) sorting network
- Ajtai, Komlos, et al.
- 1983
(Show Context)
Citation Context ...ot depend on the inputs of the parties. Therefore one can also have a round preserving protocol. Example Applying the Construction 4.1 to the Hamming distance protocol in Figure 2 we get: j = 0 ¯y1 = =-=[1, 2]-=- ¯x2 = [1, 3, 5, 7] ¯y3 = [1, 2, 5, 6, 9, 10, 13, 14] ¯x4 = [0, 1, 0, 1, 1, 2, 1, 2, 0, 1, 0, 1, 1, 2,1, 2]. Going through the lists we get: x4[y3[x2[y1[j]]]] = x4[y3[x2[y1[0]]]] = x4[y3[x2[1]]] = x4[... |

3 |
The Power of Randomness for Communication Complexity
- Furer
- 1987
(Show Context)
Citation Context ...elements x1, . . .,xn and y1, . . .,yn respectively, each element is in {0, 1} n . They want to determine whether there exists an index i such that xi = yi or not. This problem was suggested by Furer =-=[18]-=- as demonstrating a function with low Las Vegas communication complexity, compared with the deterministic one. Applying a private protocol for this task based on a circuit computing the relation resul... |

2 |
Privacy Preserving Data
- Lindell, Pinkas
(Show Context)
Citation Context ...ossible to create private protocols for some of these tasks, without resorting to the garbled circuit transformation, resulting in protocols with much lower communication complexity, see [16, 17] and =-=[38]-=-. As a consequence of our work, many more of these algorithms can be evaluated securely with low communication overhead. Impact of the representation of f on the complexity of secure function evaluati... |

1 |
Private communication
- Halevi
(Show Context)
Citation Context ...e ‘security’ parameter), and thus the circuits computing them are small. For these components, one may use for example the garbles circuit construction. Computing on encrypted data Halevi and Mironov =-=[25, 39]-=- noted that some popular private-key encryption functions (e.g. Data Encryption Standard – DES and Advanced Encryption Standard – AES) are defined with look-up tables, hence they are readily expressib... |

1 |
Private communication
- Mironov
(Show Context)
Citation Context ...e ‘security’ parameter), and thus the circuits computing them are small. For these components, one may use for example the garbles circuit construction. Computing on encrypted data Halevi and Mironov =-=[25, 39]-=- noted that some popular private-key encryption functions (e.g. Data Encryption Standard – DES and Advanced Encryption Standard – AES) are defined with look-up tables, hence they are readily expressib... |

1 |
Secure multiparty computation of approximations, DIMACS workshop on Cryptography and Intractability
- Feigenbaum, Fong, et al.
- 2000
(Show Context)
Citation Context ... that it is possible to create private protocols for some of these tasks, without resorting to the garbled circuit transformation, resulting in protocols with much lower communication complexity, see =-=[16, 17]-=- and [38]. As a consequence of our work, many more of these algorithms can be evaluated securely with low communication overhead. Impact of the representation of f on the complexity of secure function... |