Private Computation with Shared Randomness over Broadcast Channel
Clemente Galdi and Pino Persiano
Dipartimento di Informatica ed Applicazioni, Università di Salerno, 84081 Baronissi (SA), Italy
{clegal,giuper}@dia.unisa.it
Abstract. In this paper we introduce a new model for private computation, the Shared Randomness over Broadcast Channel model (SRoBC for short). Following the classical model for private computation [2,4], we consider a set of $n$ computationally unbounded honest-but-curious players $P_1, \ldots, P_n$ with private inputs $x_1, x_2, \ldots, x_n$. The players wish to compute a function $f$ of their inputs in a private way. Unlike in the classical model, no private channel is available to the players, but all the communication takes place using a broadcast channel. Moreover, the only available source of randomness is a shared random string. We show that even in this minimal setting private computation is possible: we present a protocol for computing the sum modulo 2 in a $t$-private way in the SRoBC model. The protocol uses $n(t+1)/2$ random bits. We show that this is the optimal randomness complexity in the case each random bit is shared between two players (low-contention protocols). We further show that, in the case $t = 1$, this protocol is optimal with respect to the randomness complexity regardless of the contention of the protocol.

Keywords: Secure Distributed Protocols; Private Function Evaluation; Broadcast Channel.
1 Introduction
The study and the design of protocols for private computation has been a fecund line of research in distributed computation and cryptography. Typically, we have a set of $n$ players $\mathcal{P} = \{P_1, P_2, \ldots, P_n\}$ with unbounded computational resources, each holding a private input, that wish to compute a function $f$ of their inputs in a private way. This means that after the protocol has been carried out every player knows the value of the function but has no information on the inputs of the other players except what can be deduced from his own input and the value of the function. This notion of private computation can be extended to the notion of $t$-private computation, where the requirement that no information is obtained must hold for arbitrary coalitions of $t$ players.

Two fundamental ingredients for private computations are randomness and private channels. A private channel is a point-to-point communication channel between two parties $P_i$ and $P_j$ that can be read or written only by $P_i$ and $P_j$. In fact, it is well known that no non-trivial function can be computed if the players are deterministic or if all communications have to take place over broadcast communication channels. A broadcast channel is a communication channel that can be read or written by all parties. This is unfortunate, as randomness is a scarce resource and the privacy of a communication channel is most often hard to assess.

In this paper we introduce the Shared Randomness over Broadcast Channel model (SRoBC for short) for private computation. As we shall see, the SRoBC is a very restricted model for private computation but, nonetheless, we show that it is possible to perform some non-trivial private computations. In the SRoBC model parties can communicate only by means of a broadcast channel and have access to a shared random string. The protocol specifies for each party which random bits of the shared random string to read. Following the classical model for private computation, we assume the parties to be honest; that is, they follow the protocol specification and thus read only the random bits they have been assigned.

The SRoBC model is similar to the model presented in [5,12], but we point out the following differences. In [5,12] the main objective was to obtain anonymous communication, whereas our main goal is multiparty computation. Moreover, our research aims at a quantitative study of the randomness complexity of private multiparty computation in the SRoBC model. Another related model for private computation has been proposed by Feige et al. in [8]. There, we have 2 players, each connected through a private channel to a distinguished player $C$ whose only task is to allow the communication among the players. In this model they show, quite surprisingly, that all functions have secure protocols and that all functions in NL have efficient secure protocols.

Partially supported by a Research Grant of the Università di Salerno.
K. Kim (Ed.): ICICS 2001, LNCS 2288, pp. 244–257, 2002. © Springer-Verlag Berlin Heidelberg 2002
The extension of this model to $n$ players has been considered in [10]. We stress here that our model is much more restrictive. Indeed, all protocols in our model can be simulated in the standard model and thus all impossibility results apply in our model as well. Moreover, in the model of [8,10] it only makes sense to consider 1-private protocols. Our model instead allows a meaningful definition of $t$-privacy also for $t > 1$.

Our first result is a $t$-private protocol for computing the modular sum of $n$ inputs in the SRoBC model using $n(t+1)/2$ random bits. We also show that this is the minimum number of bits necessary if each random bit is shared by 2 players. The proof uses graph theoretic tools: the relation between players and random bits is encoded by a graph, with each player being a vertex and each random bit an edge, and then we show that the graph has to satisfy certain connectivity requirements. We further show a lower bound on the number of random bits for the case of 1-private protocols with no assumption on the number of players that share each random bit. We prove that, in this case, at least $n$ bits are required to execute the protocol and, thus, that our protocol is optimal with respect to the randomness complexity.
1.1 Notations and definitions
A protocol is said to be $r$-random if the total number of random bits used by the players in every execution of the protocol does not exceed $r$. We consider protocols divided into rounds of interaction. Each round consists of the following steps: receiving messages, performing local computation, sending messages. A protocol is said to be $m$-round if, for every possible input and for any possible choice of the random string, the protocol terminates after at most $m$ rounds. A protocol is said to be $d$-message if, for every possible input vector and for every choice of the random string, the total number of bits exchanged during the protocol execution does not exceed $d$.

In the following, boldface capital letters, say $\mathbf{X}$, denote a random variable taking values on a set denoted by the corresponding capital letter, $X = \{x_1, \ldots, x_{|X|}\}$, according to some probability distribution $\{\Pr_{\mathbf{X}}(x)\}_{x \in X}$. Let $\mathbf{X}$ be the random variable describing the players' inputs during the execution of the algorithm, let $\mathbf{R}$ be the random variable describing the random tape the players use and let $\mathbf{M}$ be the random variable representing the messages sent by the players. Let $Y = \{i_1, \ldots, i_k\} \subset [n] = \{1, \ldots, n\}$ and $i \in [n]$. We denote by $\mathbf{X}_i$ (resp., $\mathbf{R}_i$, $\mathbf{M}_i$) the inputs (resp., the random tape, the messages) of player $P_i$ and by $\mathbf{X}_Y$ (resp., $\mathbf{R}_Y$, $\mathbf{M}_Y$) the inputs (resp., the random tape, the messages) of the players in $Y$. In other words, it is possible to write $\mathbf{X}_Y = \mathbf{X}_{i_1}, \ldots, \mathbf{X}_{i_k}$, $\mathbf{X} = \mathbf{X}_1 \mathbf{X}_2 \ldots \mathbf{X}_n$, $\mathbf{M} = \mathbf{M}_1 \mathbf{M}_2 \ldots \mathbf{M}_n$, and $\mathbf{R} = \mathbf{R}_1 \mathbf{R}_2 \ldots \mathbf{R}_n$. Analogously, it is possible to write $x_Y = x_{i_1}, \ldots, x_{i_k}$, $x = x_1 x_2 \ldots x_n$, and $r = r_1 r_2 \ldots r_n$.

Definition 1 (Privacy). An $n$-player protocol for computing a function $f$ is $t$-private if for any subset $T \subseteq \mathcal{P}$ of at most $t$ players, for any input vectors $x, y$ such that $f(x) = f(y)$ and such that $x_i = y_i$ for each $i \in T$, for any communication string $m$ and for any random string $r_T$,
$$\Pr[\mathbf{M} = m \mid \mathbf{R}_T = r_T, \mathbf{X} = x] = \Pr[\mathbf{M} = m \mid \mathbf{R}_T = r_T, \mathbf{X} = y],$$
where the probability is taken over the random strings of the other players.
2 The SRoBC Model for t-Private Computation
We consider the following model for private computation. There is a set $\mathcal{P} = \{P_1, P_2, \ldots, P_n\}$ of $n$ players, each holding a private input $x_i$ taken from $\{0,1\}$. The players have unbounded computational resources and are assumed to be honest, meaning that each player follows the protocol, but curious, meaning that after the execution of the protocol some players may try to infer information about the private inputs of the remaining players by collecting the messages they have received during the protocol execution. The players wish to distributively compute a function $f$ of their private inputs.

We assume that there exists a string $R$ of random bits and that the protocol specifies which bits of the string each player reads. Each player reads his "assigned" random bits in a private way and, as players are honest, each random bit will be read exclusively by those players that are supposed to read it. We encode the assignment of bits to players through a "distribution matrix" $M$. A distribution matrix is a 0-1 matrix which has one row for each player and one column for each random bit of $R$, and player $i$ reads the $j$-th bit of $R$ iff $M(i,j) = 1$. We denote by $S_i$ the set of indices corresponding to the bits read by player $i$; i.e., $j \in S_i$ iff $M(i,j) = 1$. Moreover, the players are connected by means of a broadcast channel, that is, each message sent by player $P_i$ is read by all other players. Thus each player can read random bits privately, but cannot send private messages to any other player.

2.1 Equivalence between Two Models
In this section we give evidence that the model presented in this paper is no stronger than the standard one, in the sense that all the protocols that can be executed in the SRoBC model can be simulated in the standard one. On the other hand, we give a simulation in the SRoBC model only for a small class of protocols that can be executed in the standard model.

Lemma 2. Let $A$ be an $m$-round, $d$-message, $r$-random, $t$-private $n$-player protocol that computes a function $f$ in the SRoBC model. There exists an $(m+1)$-round, $(d(n-1) + r(k-1))$-message, $r$-random, $t$-private $n$-player protocol $B$ that computes the same function in the standard model, where $k$ is the maximum number of players sharing the same random bit.

Proof. To run this simulation, the players executing protocol $B$ need the following two primitives: (a) privately reading a bit from the shared random string and (b) broadcasting a message. In the first round, the players in the standard model simulate the distribution of the random bits as follows. Assume the players $P_{i_1}, \ldots, P_{i_k}$ share a random bit and, w.l.o.g., assume that $i_1 = \min\{i_1, \ldots, i_k\}$. Player $P_{i_1}$ in $B$ generates a random bit $b$ and sends it to every other player in the set. As the communication channels are private, only players $P_{i_1}, \ldots, P_{i_k}$ know the value of $b$. The number of messages exchanged for this simulation is, thus, $r(k-1)$. To simulate the broadcast of a message $m$, the sender simply sends the same message to all the players. Thus the cost for broadcasting a message is $n-1$. The correctness and the privacy of protocol $B$ follow immediately from those of $A$.

Let us consider the private protocols in which the behaviour of the players is independent of the inputs and of the random string. The following lemma shows that it is possible to simulate these protocols in the SRoBC model.

Lemma 3. Let $A$ be an $m$-round, $d$-message, $r$-random, $t$-private $n$-player protocol that computes a function $f$ in the standard model. There exists an $m$-round, $d$-message, $(r+d)$-random, $t$-private $n$-player protocol $B$ that computes the same function in the SRoBC model.
Proof. The players in the standard model need the following two primitives: (a) privately generating a random bit and (b) sending a message on a point-to-point private channel. Let us denote by $r_i$ the number of random bits read by player $P_i$ during the execution of protocol $A$. Recall that, since the protocol is independent of the inputs and of the random string, these $r_i$'s are known a priori. Player $P_1$ reads the first $r_1$ random bits from the shared random string, player $P_2$ reads $r_2$ new random bits from the random string, and so on. In this way, each player holds the private random source he needs for his execution. The total number of bits read in this phase is, by hypothesis, $r$. The shared random string has $d$ random bits left. We use these random bits to simulate the private channels. In particular, we associate to each (one-bit) message a random bit of the shared random string. As the protocol is independent of the inputs and of the random coin tosses, the sender and the receiver of each message sent during the execution of protocol $A$ are also known a priori. Thus it is possible for the players to read, in a first phase, the random bits they will need to send and receive private messages.
3 t-Private Distribution Matrices
Security and correctness of the protocols in the SRoBC model critically depend on certain properties of the distribution matrix used to encode the association between players and random bits. We begin by giving the definition of $t$-private distribution matrices. As we shall see in Section 6, a $t$-private distribution matrix with $n$ rows can be used to construct a $t$-private $n$-player protocol for computing the modular sum.

Let $A$ and $B$ be two sets. We denote by $A \oplus B$ the set defined as $(A \setminus B) \cup (B \setminus A)$. Let $M$ be a 0-1 matrix with $n$ rows and $\ell$ columns. In the following we denote by $S_i$ the set $S_i = \{j \mid M(i,j) \neq 0\}$.

Definition 4 ($t$-Private Distribution Matrix). A distribution matrix $M = (m_{i,j})_{i \in [n],\, j \in [\ell]}$ is a $t$-private distribution matrix if the following conditions are satisfied.
1. (Correctness) $\bigoplus_{i=1}^{n} S_i = \emptyset$.
2. (Privacy) For all $T, P \subseteq [n]$ such that $0 \le |T| \le t$, $P \cap T = \emptyset$ and $T \cup P \neq [n]$:
$$\bigoplus_{i \in P} S_i \not\subseteq \bigoplus_{i \in T} S_i.$$

Remark: The Correctness condition of Definition 4 is equivalent to the requirement that each element of $[\ell]$ belongs to an even number of $S_i$'s.

We say that a distribution matrix $M$ has contention $k$ if each column of $M$ has at most $k$ ones, corresponding to the fact that each bit is shared by at most $k$ players. The contention of a distribution matrix is an important efficiency measure and we shall consider primarily distribution matrices with contention 2. The reason for this choice is that, in a distributed environment, the larger the number of players accessing a resource (a random bit in our case), the larger the latency in the resource allocation (the actual reading). Another important measure of efficiency we consider in this paper is the number $\ell$ of columns of the distribution matrix. Indeed, this is equal to the length of the random string $R$ and thus to the total number of random bits used. Our goal is to distribute to each player $P_i$ a subset $R_i = \{r_j \text{ s.t. } j \in S_i \subseteq [\ell]\}$ in such a way that the protocol described is $t$-private and correct and the value of $\ell$ is minimum. One might expect that allowing contention larger than 2 would lead to a better randomness complexity. Surprisingly, this is not true. Indeed, in Section 7 we show a lower bound on the number of random bits for computing any boolean function defining a commutative operation over the group $\{0,1\}$. This minimal randomness complexity is achieved by our protocol using distribution matrices with contention 2.
4 Constructing an (n − 2)-Private Distribution Matrix
In this section we give a simple method for constructing $(n-2)$-private distribution matrices. We denote by $I_n$ the $n \times n$ identity matrix and by $\mathbf{1}_n$ the row vector $(1, 1, \ldots, 1)$ consisting of $n$ 1's. We define $M(n)$ recursively as follows:
$$M(2) = \begin{pmatrix} 1 \\ 1 \end{pmatrix}, \qquad M(n) = \begin{pmatrix} \mathbf{1}_{n-1} & 0\,0 \cdots 0 \\ I_{n-1} & M(n-1) \end{pmatrix} \quad \text{for } n > 2.$$
Notice that $M(n)$ has $n$ rows and $\ell(n) = n(n-1)/2$ columns. In the following we denote by $S_{i,n}$ the $i$-th row of the matrix $M(n)$, viewed as the set of column indices in which it has a 1.

Lemma 5. For any $k$, $|\{i \mid k \in S_i\}| = 2$.

Proof. We proceed by induction on $n$. For $n = 2$, the Lemma holds obviously. Suppose the proposition holds for all $l < n$. We can identify two cases. If $k \in [n-1]$, the proposition holds since $S_{k+1,n} \cap S_{1,n} = S_{k+1,n} \cap [n-1] = \{k\}$ and $S_{i,n} \cap S_{j,n} \cap [n-1] = \emptyset$ for all $i \neq j$ with $i, j \neq 1$. If $k \in \{n, \ldots, \ell(n)\}$ the proposition holds by the inductive hypothesis.

Lemma 6. For all $i \neq j$ we have that $|S_i \cap S_j| = 1$.

Proof. We proceed by induction on $n$, with the case $n = 2$ omitted. We consider two cases: $i = 1$, and $i > 1$. For the first case we observe that $S_{1,n} = [n-1]$ and, for each $j > 1$, $|[n-1] \cap S_{j,n}| = 1$. Thus $|S_1 \cap S_j| = 1$. For the second case recall that, for any $i > 1$, $S_{i,n} \cap [n-1] = \{i-1\}$. Thus, for any $i, j > 1$ with $i \neq j$, $S_{i,n} \cap S_{j,n} \cap [n-1] = \emptyset$. It is possible to write:
$$|S_i \cap S_j| = |S_{i,n} \cap S_{j,n} \cap [n-1]| + |S_{i,n} \cap S_{j,n} \cap \{n, \ldots, \ell(n)\}| = |S_{i-1,n-1} \cap S_{j-1,n-1}| = 1$$
by the inductive hypothesis.
Theorem 7. The matrix $M(n)$ is an $(n-2)$-private distribution matrix.

Proof. We have to prove that $M(n)$ meets the two properties of Definition 4. The Correctness condition follows from Lemma 5, since each column has exactly two 1's. Let us consider the Privacy condition. Let $T$ and $P$ be two disjoint subsets of $[n]$ with $P \cup T \neq [n]$ and $0 \le |T| \le t$, where $t = n-2$. Consider $j \in [n]$ such that $j \notin P \cup T$ and fix any $i \in P$. By Lemma 6 there exists $k$ such that $S_i \cap S_j = \{k\}$. By Lemma 5, for all $h \neq i, j$ we have that $k \notin S_h$, since column $k$ has exactly two 1's. Therefore $k \in \bigoplus_{i \in P} S_i$ but $k \notin \bigoplus_{i \in T} S_i$.
5 Graph Theoretic View of t-Private Distribution Matrices
In this section we give a graph theoretic interpretation of distribution matrices. In particular, we show that $t$-private distribution matrices with contention equal to 2 correspond to $(t+1)$-connected undirected graphs.

An $r$-regular graph $G = (V, E)$ is a graph in which each vertex has degree $r$. An undirected graph $G$ is connected iff for each pair of nodes $u, v$ in $V$ there exists a path from $u$ to $v$ in $G$. The graph $G$ is $d$-connected if, after the removal of at most $d-1$ vertices (and of all the incident edges), the remaining graph is still connected. Obviously, if a graph $G$ is $d$-connected, the degree of each vertex in the graph is at least $d$. $G$ is maximally connected if it is $d$-connected and $d$ is the minimum degree of the vertices in $G$.

Definition 8. The edge matrix of a graph $G = ([n], E)$ is a boolean $n \times |E|$ matrix $M$ such that for each edge $(u, v) \in E$ there exists exactly one column $j$ for which
$$M(i,j) = 1 \text{ iff } i = u \text{ or } i = v, \qquad M(i,j) = 0 \text{ if } i \neq u, v.$$
The above definition naturally gives rise to a mapping between graphs with vertex set $[n]$ and distribution matrices with $n$ rows and contention equal to 2, by identifying the vertices of the graph with the rows of the distribution matrix and the edges with the columns. The mapping is 1-to-1 up to isomorphism. In particular, $S_i$ can be identified with the set of edges incident on the vertex associated to player $P_i$. Notice that, if we consider $\bigoplus_{i \in W} S_i$ for some $W \subseteq [n]$, we obtain the set of edges with one end-point in $W$ and the other end-point outside $W$. Notice also that the matrix we constructed in the previous section is the edge matrix of a clique of size $n$.

Theorem 9. A matrix $M$ is a $t$-private distribution matrix with contention 2 iff $M$ is the edge matrix of a $(t+1)$-connected graph.

Proof. ($\Longrightarrow$) Let $M$ be a $t$-private distribution matrix with contention 2. By definition of contention, $M$ is an edge matrix; let $G$ be the graph with edge matrix $M$. By way of contradiction, suppose that, by removing a set $T$ of at most $t$ vertices from the graph, we disconnect the graph. Let $C$ be one of the maximal connected components obtained by removing $T$. Then all the edges with an end-point in $C$ have the other end-point either in $C$ or in $T$. The set $\bigoplus_{i \in C} S_i$ (where $S_i = \{j \mid M(i,j) \neq 0\}$) consists of the edges with one end-point in $C$ and the other end-point in $T$; thus $\bigoplus_{i \in C} S_i \subseteq \bigoplus_{i \in T} S_i$. But this means that the Privacy condition does not hold. Contradiction.

($\Longleftarrow$) We have to prove that the edge matrix $M$ of a $(t+1)$-connected graph $G$ meets the properties of Definition 4. For the Correctness condition, we observe that, by Definition 8, each column of $M$ contains exactly two 1's (one for each end-point of the edge). Thus this property holds. Let us consider the Privacy condition. Let $T, P \subseteq [n]$ be two disjoint sets of vertices such that $0 \le |T| \le t$ and $P \cup T \neq [n]$. Since the graph is $(t+1)$-connected, after the removal of $T$ from $G$ the graph is still connected. Thus there must exist at least one edge from $P$ to a vertex that is neither in $P$ nor in $T$, and thus $\bigoplus_{i \in P} S_i \not\subseteq \bigoplus_{i \in T} S_i$ holds.

Corollary 10 (Number of Random Bits). Each $t$-private distribution matrix with $n$ rows has at least $n(t+1)/2$ columns.

Proof. Theorem 9 shows that there exists a 1-to-1 mapping between $(t+1)$-connected graphs and $t$-private distribution matrices. Moreover, in a $(t+1)$-connected graph each vertex has degree at least $t+1$. To minimize the number of edges, we can consider the class of $(t+1)$-regular maximally connected graphs. But each $(t+1)$-regular graph with $n$ nodes has $n(t+1)/2$ edges.
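To make the construction of Section 4 and the equivalence of Theorem 9 concrete, the following Python script is an added example (it is not code from the paper or its authors): it builds $M(n)$ recursively, checks Lemma 5 and Lemma 6 on it, checks Definition 4 literally by enumerating the coalitions $T$ and the sets $P$, builds edge matrices of small graphs, computes vertex connectivity by brute-force vertex removal, and confirms that $t$-privacy of the edge matrix coincides with $(t+1)$-connectivity on those graphs. The function names, the 0-based indexing of players and columns, and the choice of example graphs (the clique $K_5$, the cycle $C_5$ and a path) are the example's own assumptions.

```python
from itertools import combinations

# Added example (not from the paper). Players and columns are 0-based here.

def clique_matrix(n):
    """M(n) of Section 4: first row is 1_{n-1} followed by zeros; the remaining
    rows are I_{n-1} placed beside M(n-1). Rows are Python lists of 0/1."""
    if n == 2:
        return [[1], [1]]
    sub = clique_matrix(n - 1)
    rows = [[1] * (n - 1) + [0] * len(sub[0])]
    for i in range(n - 1):
        rows.append([1 if j == i else 0 for j in range(n - 1)] + sub[i])
    return rows

def read_sets(M):
    """S_i = set of column indices whose bit player i reads."""
    return [frozenset(j for j, b in enumerate(row) if b == 1) for row in M]

def sym_diff(sets):
    """A_1 (+) A_2 (+) ... : the elements appearing in an odd number of the sets."""
    acc = frozenset()
    for s in sets:
        acc = acc ^ s
    return acc

def column_weights(M):
    """Number of 1s per column (Lemma 5: 2 for every column of M(n))."""
    return [sum(col) for col in zip(*M)]

def pairwise_overlaps(M):
    """|S_i ∩ S_j| for all i != j (Lemma 6: 1 for M(n))."""
    S = read_sets(M)
    return {(i, j): len(S[i] & S[j]) for i, j in combinations(range(len(M)), 2)}

def is_t_private_matrix(M, t):
    """Definition 4 checked literally. P is taken non-empty (with P empty the
    condition could never hold) and T ∪ P must not cover all players."""
    n, S = len(M), read_sets(M)
    if sym_diff(S):                      # Correctness: each bit in an even number of S_i
        return False
    for size in range(t + 1):
        for T in combinations(range(n), size):
            rest = [i for i in range(n) if i not in T]
            for psize in range(1, len(rest)):
                for P in combinations(rest, psize):
                    if sym_diff(S[i] for i in P) <= sym_diff(S[i] for i in T):
                        return False     # Privacy condition violated
    return True

def edge_matrix(n, edges):
    """Definition 8: one column per edge, with 1s at the two end-points."""
    return [[1 if i in e else 0 for e in edges] for i in range(n)]

def is_connected(vertices, edges):
    """Depth-first search restricted to the given vertex subset."""
    vertices = set(vertices)
    if len(vertices) <= 1:
        return True
    start = next(iter(vertices))
    seen, stack = {start}, [start]
    while stack:
        u = stack.pop()
        for a, b in edges:
            if u in (a, b) and a in vertices and b in vertices:
                v = b if u == a else a
                if v not in seen:
                    seen.add(v)
                    stack.append(v)
    return seen == vertices

def vertex_connectivity(n, edges):
    """Smallest number of vertices whose removal disconnects the graph
    (brute force); K_n, which cannot be disconnected, is n-1 by convention."""
    for d in range(n - 1):
        for T in combinations(range(n), d):
            if not is_connected([v for v in range(n) if v not in T], edges):
                return d
    return n - 1

def theorem9_agrees(n, edges, t):
    """t-privacy of the edge matrix  <=>  (t+1)-connectivity of the graph."""
    private = is_t_private_matrix(edge_matrix(n, edges), t)
    return private == (vertex_connectivity(n, edges) >= t + 1)

# Constructed example graphs on 5 vertices.
K5 = list(combinations(range(5), 2))          # clique: 4-connected, 10 edges
C5 = [(i, (i + 1) % 5) for i in range(5)]     # cycle: 2-connected, 5 edges = n(t+1)/2 for t = 1
P5 = [(i, i + 1) for i in range(4)]           # path: only 1-connected

if __name__ == "__main__":
    print(column_weights(clique_matrix(5)))                   # all 2
    print(set(pairwise_overlaps(clique_matrix(5)).values()))  # {1}
    print(is_t_private_matrix(clique_matrix(5), 3))           # Theorem 7 with t = n - 2
    for t in range(4):
        print(t, [theorem9_agrees(5, g, t) for g in (K5, C5, P5)])
```

The cycle is the interesting case: with $t = 1$ it is private and uses exactly $n = n(t+1)/2$ bits, the bound of Corollary 10, while for $t = 2$ both the matrix test and the connectivity test fail, since removing two non-adjacent vertices splits the cycle.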
6 A 1-Round t-Private Protocol for Computing the Sum
In this section we describe a protocol that computes the sum of $n$ bits $t$-privately (all the summations in this work are intended to be modulo 2). The protocol is a 1-round protocol and uses only the broadcast communication channel. That is, each player $P_i$ privately reads the random bits from the string $R$ according to the distribution matrix $M$, computes its message $y_i$ as a function of its input and of the random bits read, and broadcasts $y_i$. The sum of the inputs is then computed as a function of all the messages sent by the players.

Recall that, in the graph-theoretic interpretation of the distribution matrices, $S_i$ represents the set of edges incident to the vertex associated to player $P_i$. In the following we say that an edge is shared between two players in $P$ if both end-points of the edge belong to the set $P$. An edge is known to the coalition $T$ if exactly one end-point of the edge is in $T$ and the other one is in $P$. Finally, an edge is outgoing from $P$ if one end-point of the edge is in $P$ and the other end-point is in $[n] \setminus (P \cup T)$.
Theorem 11. If there exists a $t$-private distribution matrix $M$ with $n$ rows then there exists a $t$-private $n$-player protocol for computing the function XOR.

Proof. The protocol for computing the sum is the following.

Protocol XOR. Program for player $P_i$.
Input: $x_i \in \{0,1\}$; $t$-private distribution matrix $M = \{m_{i,j}\}$; shared random string $R = r_1 r_2 \ldots r_\ell$.
1. Let $S_i = \{j \text{ such that } M(i,j) = 1\}$.
2. Compute $m_i = x_i + \sum_{j \in S_i} r_j$.
3. Publish $m_i$.
4. Compute $\mathrm{XOR} = \sum_{i=1}^{n} m_i$.
Correctness. For the correctness of the protocol, we want the value XOR, computed by each player, to be equal to the sum of the private inputs. Indeed we have:
$$\mathrm{XOR} = \sum_{i=1}^{n} m_i = \sum_{i=1}^{n}\Big(x_i + \sum_{j \in S_i} r_j\Big) = \sum_{i=1}^{n} x_i + \sum_{i=1}^{n} \sum_{j \in S_i} r_j = \sum_{i=1}^{n} x_i.$$
The last equality holds since, by the Correctness condition of Definition 4, each random bit belongs to an even number of $S_i$'s.

Privacy. Let $T, P \subseteq [n]$ be such that $0 \le |T| \le t$, $P \cap T = \emptyset$, $T \cup P \neq [n]$ and, w.l.o.g., assume that $P = \{1, \ldots, k\}$. Let $x, y$ be two input vectors satisfying the requirements of Definition 1. We need to show that
$$\Pr[\mathbf{M} = m \mid \mathbf{R}_T = r_T, \mathbf{X} = x] = \Pr[\mathbf{M} = m \mid \mathbf{R}_T = r_T, \mathbf{X} = y].$$
Write $m = m_1, \ldots, m_n$, where $m_j$ is the message broadcast by player $P_j$. For any $i \in P$, let us denote by $H_i$ (resp., $O_i$, $A_i$) the set of random bits shared (resp., outgoing, known to the players in $T$) held by $P_i$, and let us denote by $\chi(W, j)$ the characteristic function of the set $W$, i.e., $\chi(W,j) = 1$ if $j \in W$ and $\chi(W,j) = 0$ if $j \notin W$. By construction,
$$m_i = x_i + \sum_{j \in S_i} r_j = x_i + \sum_{j=1}^{n} \chi(H_i, j)\, r_j + \sum_{j=1}^{n} \chi(A_i, j)\, r_j + \sum_{j=1}^{n} \chi(O_i, j)\, r_j.$$
Consider the following system of linear equations in the unknowns $r_j$:
$$\begin{aligned} m'_1 &= x_1 + \sum_{j=1}^{n} \chi(H_1, j)\, r_j + \sum_{j=1}^{n} \chi(O_1, j)\, r_j \\ &\ \vdots \\ m'_k &= x_k + \sum_{j=1}^{n} \chi(H_k, j)\, r_j + \sum_{j=1}^{n} \chi(O_k, j)\, r_j \end{aligned} \qquad (1)$$
where $m'_i = m_i + \sum_{j=1}^{n} \chi(A_i, j)\, r_j$. All we need to show is that for any fixed $m$, for any fixed random tape $r_T$ (i.e., the view of the coalition $T$) and for any possible value of the input vector $x_P$, there exists the same number of possible random tapes $r_P$, consistent with $r_T$, that are a solution of (1). By simple linear algebra, it is sufficient to show that the number of variables in the system that are unknown to the players in $T$ is at least $k$.

Let us denote by $n_s$ the number of edges shared by players in $P$ and by $n_o$ the number of edges outgoing from $P$. Informally, the idea of the proof is the following. Consider a $(k+t+1)$-vertex $(t+1)$-connected graph $G$. Moreover, consider a set $P$ of $k$ vertices and a set $T$ of $t$ vertices in this graph. The number of edges in $G$ can be computed as the sum of the number $n_s$ of shared edges in $P$, the shared edges in $T$, the number $n_a$ of edges of $P$ known to $T$, and the edges incident on the vertex $v = [k+t+1] \setminus (P \cup T)$. Notice that the number of edges incident on $v$ is given by the sum of the $n_o$ outgoing edges and the number of edges of $v$ known to $T$. We can consider the following two cases:
– $k > t$: In this case, it holds that $n_a \le t(t+1)$, since each player in $T$ can share each of his edges with one player in $P$, i.e., players in $T$ do not share edges among them and do not share edges with the vertex $v$. Thus it is possible to write:
$$n_s + n_o \ge \frac{(k+t+1)(t+1)}{2} - t(t+1) = \frac{(k-t+1)(t+1)}{2}.$$
Simple algebra shows that $n_s + n_o \ge k$ holds for every $k > t$.
– $k \le t$: In this case, it holds that $n_a \le kt$, since each player in $P$ can share at most one edge with each player in $T$. Also in this case, the number of edges incident on $v$ is exactly $n_o$. Thus it is possible to write:
$$n_s + n_o \ge \frac{(k+t+1)(t+1)}{2} - kt.$$
As before, simple algebra shows that $n_s + n_o \ge k$ for every $k \le t$.
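As an added example (not the paper's own code), the following Python script runs Protocol XOR on the edge matrix of a cycle, which is 2-connected and therefore 1-private by Theorem 9 while using exactly the $n$ random bits that Corollary 19 shows to be necessary. It checks correctness exhaustively and then checks Definition 1 directly by counting, for each fixed $r_T$, the random tapes $r_P$ consistent with each transcript, which is the counting argument of the privacy proof above. It also shows the failure mode: the same matrix is not 2-private, because two non-adjacent players of a 4-cycle read every random bit. The function names, the 0-based indexing and the constructed input vectors are the example's own assumptions.

```python
from itertools import combinations, product
from collections import Counter

# Added example (not from the paper). Players and random bits are 0-based.

def cycle_matrix(n):
    """Distribution matrix of the cycle C_n: bit j is shared by players j and j+1 (mod n).
    C_n is 2-connected, so by Theorem 9 this matrix is 1-private, and it uses n bits."""
    return [[1 if i in (j, (j + 1) % n) else 0 for j in range(n)] for i in range(n)]

def read_set(M, i):
    """S_i: indices of the random bits player i reads."""
    return [j for j, b in enumerate(M[i]) if b == 1]

def run_xor_protocol(M, x, r):
    """Protocol XOR: every player broadcasts m_i = x_i + sum_{j in S_i} r_j (mod 2);
    the result is the sum of all broadcast messages. Returns (transcript, result)."""
    msgs = tuple((x[i] + sum(r[j] for j in read_set(M, i))) % 2 for i in range(len(M)))
    return msgs, sum(msgs) % 2

def always_correct(M):
    """Exhaustively check that the result equals the XOR of the inputs for all x and r."""
    n, ell = len(M), len(M[0])
    return all(run_xor_protocol(M, x, r)[1] == sum(x) % 2
               for x in product((0, 1), repeat=n) for r in product((0, 1), repeat=ell))

def coalition_bits(M, T):
    """Indices of the random bits read by at least one member of the coalition T."""
    return sorted({j for i in T for j in read_set(M, i)})

def transcript_distribution(M, x, T, r_T):
    """Pr[M = m | R_T = r_T, X = x] as counts, obtained by enumerating every
    setting of the bits that the coalition T does not read."""
    ell = len(M[0])
    known = coalition_bits(M, T)
    hidden = [j for j in range(ell) if j not in known]
    counts = Counter()
    for bits in product((0, 1), repeat=len(hidden)):
        r = [0] * ell
        for j, b in zip(known, r_T):
            r[j] = b
        for j, b in zip(hidden, bits):
            r[j] = b
        counts[run_xor_protocol(M, x, r)[0]] += 1
    return counts

def private_for_pair(M, T, x, y):
    """Definition 1 for one pair x, y: for every r_T the transcript distributions agree."""
    return all(transcript_distribution(M, x, T, r_T) == transcript_distribution(M, y, T, r_T)
               for r_T in product((0, 1), repeat=len(coalition_bits(M, T))))

def is_t_private_protocol(M, t):
    """Definition 1 over every coalition of size <= t and every admissible pair x, y
    (same XOR, same inputs on T)."""
    n = len(M)
    inputs = list(product((0, 1), repeat=n))
    for size in range(t + 1):
        for T in combinations(range(n), size):
            for x in inputs:
                for y in inputs:
                    if sum(x) % 2 == sum(y) % 2 and all(x[i] == y[i] for i in T):
                        if not private_for_pair(M, T, x, y):
                            return False
    return True

if __name__ == "__main__":
    M = cycle_matrix(4)
    print(always_correct(M))                      # True
    print(is_t_private_protocol(M, 1))            # True: C_4 is 2-connected
    # Players 0 and 2 together read all four bits, so player 1's message reveals x_1.
    print(private_for_pair(M, (0, 2), (0, 1, 0, 0), (0, 0, 0, 1)))   # False
```

The two input vectors in the last call have the same XOR and agree on the coalition's positions, so Definition 1 requires identical transcript distributions; the counts differ because, once every bit is known to the coalition, the transcript is a deterministic function of the inputs.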
7 Lower Bound on the Number of Random Bits
The protocol presented in this paper does not use private channels to run private computation. This means that the privacy of the protocol relies exclusively on the randomization of the messages. In this section we show a lower bound on the number of random bits needed to compute any function $f$ 1-privately in the broadcast model.

We briefly review some definitions we use in this section. We say that a function $f : X^n \to X$ is sensitive to its $i$-th variable on an assignment $x = (x_1, \ldots, x_n)$ if
$$|\{f(x_1, \ldots, x_{i-1}, z, x_{i+1}, \ldots, x_n) : z \in X\}| = |X|.$$
We say that $f$ is $i$-sensitive if it is sensitive to its $i$-th variable for any assignment $x$. The sensitivity of a function $f$ is the number of indices $i$ to which the function $f$ is $i$-sensitive. For instance, the sensitivity of the function $\sum_{i=1}^{n} x_i \bmod q$ is $n$. More generally, if $(G, \otimes)$ is a group then the function $f : G^n \to G$ defined by $f(x_1, x_2, \ldots, x_n) = x_1 \otimes \ldots \otimes x_n$ has sensitivity $n$.

In our proofs we use some concepts of Information Theory. We refer the reader to [7] for a complete treatment of this subject.

Lemma 12 ([3]). In any protocol computing an $i$-sensitive function $f$, it holds that $H(\mathbf{X}_i \mid \mathbf{M}_i, \mathbf{R}_i) = 0$, where $H(\cdot \mid \cdot)$ is Shannon's conditional entropy function.

Corollary 13. In any protocol computing a function $f$ with sensitivity $n$, it holds that $H(\mathbf{X}_Y \mid \mathbf{M}, \mathbf{R}_Y) = 0$ for any $Y = \{i_1, i_2, \ldots, i_{|Y|}\} \subseteq [n]$.

Proof.
$$\begin{aligned} 0 \le H(\mathbf{X}_Y \mid \mathbf{M}, \mathbf{R}_Y) &= \sum_{k=1}^{|Y|} H(\mathbf{X}_{i_k} \mid \mathbf{M}, \mathbf{R}_Y, \mathbf{X}_{i_1}, \mathbf{X}_{i_2}, \ldots, \mathbf{X}_{i_{k-1}}) \\ &\le \sum_{k=1}^{|Y|} H(\mathbf{X}_{i_k} \mid \mathbf{M}, \mathbf{R}_Y) \\ &\le \sum_{k=1}^{|Y|} H(\mathbf{X}_{i_k} \mid \mathbf{M}_{i_k}, \mathbf{R}_{i_k}) \\ &= 0. \end{aligned}$$

Lemma 14 ([3]). Let $\mathbf{X}_1, \ldots, \mathbf{X}_n$ be independent and uniformly distributed random variables and let $\mathbf{F}$ be a function with sensitivity $n$. For any $W, Y \subseteq \{1, 2, \ldots, n\}$ such that $W \cap Y = \emptyset$ and $|W \cup Y| < n$ it holds that $H(\mathbf{X}_Y \mid \mathbf{X}_W, \mathbf{F}) = H(\mathbf{X}_Y)$.

The privacy requirement of the protocol can be written as follows (see [3] for a more detailed description):

Definition 15 (Privacy). For any $Y \subset [n]$ such that $|Y| \le n-2$ and for any $j \in [n] \setminus Y$ it holds that
$$H(\mathbf{X}_Y \mid \mathbf{M}, \mathbf{R}_j, \mathbf{X}_j, \mathbf{F}) = H(\mathbf{X}_Y \mid \mathbf{F}). \qquad (2)$$
Notice that, by Lemma 14, Equation (2) can be rewritten as follows:
$$H(\mathbf{X}_Y \mid \mathbf{M}, \mathbf{R}_j, \mathbf{X}_j, \mathbf{F}) = H(\mathbf{X}_Y). \qquad (3)$$

Lemma 16. For any $Y \subset [n]$ such that $|Y| \le n-2$ and for any $j \in [n] \setminus Y$ it holds that $H(\mathbf{R}_Y \mid \mathbf{R}_j) \ge H(\mathbf{X}_Y)$.

Proof. By Corollary 13 and by Definition 15 (in the form (3)):
$$\begin{aligned} I(\mathbf{X}_Y; \mathbf{R}_Y \mid \mathbf{M}, \mathbf{R}_j, \mathbf{X}_j, \mathbf{F}) &= H(\mathbf{X}_Y \mid \mathbf{M}, \mathbf{R}_j, \mathbf{X}_j, \mathbf{F}) - H(\mathbf{X}_Y \mid \mathbf{M}, \mathbf{R}_j, \mathbf{X}_j, \mathbf{F}, \mathbf{R}_Y) \\ &= H(\mathbf{X}_Y) \\ &= H(\mathbf{R}_Y \mid \mathbf{M}, \mathbf{R}_j, \mathbf{X}_j, \mathbf{F}) - H(\mathbf{R}_Y \mid \mathbf{M}, \mathbf{R}_j, \mathbf{X}_j, \mathbf{F}, \mathbf{X}_Y). \end{aligned}$$
Thus it follows that
$$H(\mathbf{R}_Y \mid \mathbf{R}_j) \ge H(\mathbf{R}_Y \mid \mathbf{M}, \mathbf{R}_j, \mathbf{X}_j, \mathbf{F}) \ge H(\mathbf{R}_Y \mid \mathbf{M}, \mathbf{R}_j, \mathbf{X}_j, \mathbf{F}) - H(\mathbf{R}_Y \mid \mathbf{M}, \mathbf{R}_j, \mathbf{X}_j, \mathbf{X}_Y, \mathbf{F}) = H(\mathbf{X}_Y).$$

Corollary 17. For any $i \in [n]$ it holds that $H(\mathbf{R}_i) \ge H(\mathbf{X}_i)$.

We are now ready to prove the following bound.

Theorem 18. For any protocol computing an $n$-sensitive function in the broadcast model, if the $\mathbf{X}_i$'s are independent and $H(\mathbf{X}) = H(\mathbf{X}_1) = \ldots = H(\mathbf{X}_n)$, it holds that $H(\mathbf{R}) > (n-1)\, H(\mathbf{X})$.

Proof. If the $\mathbf{R}_i$'s are independent, then for each $i \in [n]$ it holds that $H(\mathbf{R}_i \mid \mathbf{R}_1 \ldots \mathbf{R}_{i-1}) = H(\mathbf{R}_i)$; thus, by Corollary 17, it holds that
$$H(\mathbf{R}) = H(\mathbf{R}_1 \ldots \mathbf{R}_n) = \sum_{i=1}^{n} H(\mathbf{R}_i \mid \mathbf{R}_1 \ldots \mathbf{R}_{i-1}) = \sum_{i=1}^{n} H(\mathbf{R}_i) \ge \sum_{i=1}^{n} H(\mathbf{X}_i) = n\, H(\mathbf{X}).$$
If the $\mathbf{R}_i$'s are not independent, then there exist $i, j$ such that $H(\mathbf{R}_i) > H(\mathbf{R}_i \mid \mathbf{R}_j) \ge H(\mathbf{X}_i)$. Let $V \subset [n]$ be such that $|V| = n-2$ and $i \notin V$, and let $k$ be the remaining index in $[n] \setminus (V \cup \{i\})$. Then
$$H(\mathbf{R}_1 \ldots \mathbf{R}_n) = H(\mathbf{R}_i) + H(\mathbf{R}_V \mid \mathbf{R}_i) + H(\mathbf{R}_k \mid \mathbf{R}_V \mathbf{R}_i) \ge H(\mathbf{R}_i) + H(\mathbf{R}_V \mid \mathbf{R}_i) > H(\mathbf{X}_i) + H(\mathbf{X}_V) = (n-1)\, H(\mathbf{X}).$$
Corollary 19. For any protocol computing an $n$-sensitive $f : \{0,1\}^n \to \{0,1\}$ in the broadcast model, if the $\mathbf{X}_i$'s are independent and $H(\mathbf{X}) = H(\mathbf{X}_1) = \ldots = H(\mathbf{X}_n)$, it holds that $H(\mathbf{R}) \ge n$.

Proof. In the case of boolean functions, $|X| = |X_1| = \ldots = |X_n| = |F| = 2$. Thus:
$$\log(|R|) \ge (n-1) \log |X| + 1 = n.$$

This corollary states that computing any boolean function 1-privately in the broadcast model requires at least $n$ random bits. It also implies that the protocol presented in this paper is optimal since, for the 1-private case, it uses exactly this minimal number of random bits.
8 Conclusions and Open Problems
In this paper we have introduced a new model for private computation, the SRoBC model. We have shown that, in this model, it is possible to compute any function over a finite commutative group in a $t$-private way, for any possible value of $t$, using a constant number of rounds of interaction. Throughout the paper we have restricted our attention to the case in which each random bit is shared between two players, and we modelled the association between players and random bits by a graph. The natural question is: "What happens if one random bit is shared among more than two players?" In this case hypergraphs could be used to model the distribution of the random bits. Unfortunately, it is not hard to see that the hypergraph connectivity requirement is still necessary but not sufficient to guarantee the privacy of the protocol. However, we have shown that in the case of boolean functions at least $n$ bits are required to run a 1-private protocol in this model. Since this bound matches the number of random bits used by our protocol, it is useless for 1-private protocols to allow more than 2 players to share a single random bit. The study of the lower bound on the number of random bits for $t$-privately computing a function $f$ for any $t > 1$ remains an open problem.
References
1. D. Beaver. Perfect privacy for two-party protocols. Technical Report TR-11-89, Harvard University, 1989.
2. M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proceedings of 20th Symposium on Theory of Computation, pages 1–10, 1988.
3. C. Blundo, A. De Santis, G. Persiano, and U. Vaccaro. Randomness complexity of private multiparty protocols. Computational Complexity, 8(2):145–168, 1999.
4. D. Chaum, C. Crépeau, and I. Damgård. Multiparty unconditionally secure protocols. In Proceedings of 20th Symposium on Theory of Computation, pages 11–19, 1988.
5. D. Chaum. The Dining Cryptographers Problem: Unconditional sender and recipient untraceability. Journal of Cryptology, 1(1):65–75, 1988.
6. B. Chor and E. Kushilevitz. A communication-privacy tradeoff for modular addition. Information Processing Letters, 45:205–210, 1991.
7. T. M. Cover and J. A. Thomas. Elements of Information Theory. John Wiley & Sons, Singapore, 1991.
8. U. Feige, J. Kilian, and M. Naor. A minimal model for secure computation. In Proceedings of 26th ACM Symposium on Theory of Computation, pages 554–563, 1994.
9. M. Franklin and M. Yung. Secure hypergraphs: Privacy from partial broadcast. In Proceedings of 27th ACM Symposium on Theory of Computing, pages 36–44, 1995.
10. Y. Ishai and E. Kushilevitz. Private simultaneous messages protocols and applications. In Proceedings of ISCTS 97.
11. E. Kushilevitz. Privacy and communication complexity. SIAM Journal of Disc. Mat., 5(2):273–284, 1992.
12. M. Waidner. Unconditional sender and recipient untraceability in spite of active attacks. In Advances in Cryptology — EUROCRYPT '89, volume 434 of Lecture Notes in Computer Science, 1989. Springer-Verlag.