On complete primitives for fairness

Dov Gordon; Yuval Ishai; Tal Moran; Rafail Ostrovsky; Amit Sahai

doi:10.1007/978-3-642-11799-2_7

On complete primitives for fairness

Dov Gordon, Yuval Ishai, Tal Moran, Rafail Ostrovsky, Amit Sahai

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

21 Scopus citations

Abstract

For secure two-party and multi-party computation with abort, classification of which primitives are complete has been extensively studied in the literature. However, for fair secure computation, where (roughly speaking) either all parties learn the output or none do, the question of complete primitives has remained largely unstudied. In this work, we initiate a rigorous study of completeness for primitives that allow fair computation. We show the following results: - No "short" primitive is complete for fairness. In surprising contrast to other notions of security for secure two-party computation, we show that for fair secure computation, no primitive of size O(logk) is complete, where k is a security parameter. This is the case even if we can enforce parallelism in calls to the primitives (i.e., the adversary does not get output from any primitive in a parallel call until it sends input to all of them). This negative result holds regardless of any computational assumptions. - A fairness hierarchy. We clarify the fairness landscape further by exhibiting the existence of a "fairness hierarchy". We show that for every "short" ℓ = O(logk), no protocol making (serial) access to any ℓ-bit primitive can be used to construct even a (ℓ + 1)-bit simultaneous broadcast. - Positive results. To complement the negative results, we exhibit a k-bit primitive that is complete for two-party fair secure computation. We show how to generalize this result to the multi-party setting. - Fairness combiners. We also introduce the question of constructing a protocol for fair secure computation from primitives that may be faulty. We show that this is possible when a majority of the instances are honest. On the flip side, we show that this result is tight: no functionality is complete for fairness if half (or more) of the instances can be malicious.

Original language	English
Title of host publication	Theory of Cryptography - 7th Theory of Cryptography Conference, TCC 2010, Proceedings
Pages	91-108
Number of pages	18
DOIs	https://doi.org/10.1007/978-3-642-11799-2_7
State	Published - 2010
Event	7th Theory of Cryptography Conference, TCC 2010 - Zurich, Switzerland Duration: 9 Feb 2010 → 11 Feb 2010

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	5978 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	7th Theory of Cryptography Conference, TCC 2010
Country/Territory	Switzerland
City	Zurich
Period	9/02/10 → 11/02/10

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-642-11799-2_7

Cite this

Gordon, D., Ishai, Y., Moran, T., Ostrovsky, R., & Sahai, A. (2010). On complete primitives for fairness. In Theory of Cryptography - 7th Theory of Cryptography Conference, TCC 2010, Proceedings (pp. 91-108). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5978 LNCS). https://doi.org/10.1007/978-3-642-11799-2_7

@inproceedings{547361b3fae54acf8787c675359c0c16,

title = "On complete primitives for fairness",

abstract = "For secure two-party and multi-party computation with abort, classification of which primitives are complete has been extensively studied in the literature. However, for fair secure computation, where (roughly speaking) either all parties learn the output or none do, the question of complete primitives has remained largely unstudied. In this work, we initiate a rigorous study of completeness for primitives that allow fair computation. We show the following results: - No {"}short{"} primitive is complete for fairness. In surprising contrast to other notions of security for secure two-party computation, we show that for fair secure computation, no primitive of size O(logk) is complete, where k is a security parameter. This is the case even if we can enforce parallelism in calls to the primitives (i.e., the adversary does not get output from any primitive in a parallel call until it sends input to all of them). This negative result holds regardless of any computational assumptions. - A fairness hierarchy. We clarify the fairness landscape further by exhibiting the existence of a {"}fairness hierarchy{"}. We show that for every {"}short{"} ℓ = O(logk), no protocol making (serial) access to any ℓ-bit primitive can be used to construct even a (ℓ + 1)-bit simultaneous broadcast. - Positive results. To complement the negative results, we exhibit a k-bit primitive that is complete for two-party fair secure computation. We show how to generalize this result to the multi-party setting. - Fairness combiners. We also introduce the question of constructing a protocol for fair secure computation from primitives that may be faulty. We show that this is possible when a majority of the instances are honest. On the flip side, we show that this result is tight: no functionality is complete for fairness if half (or more) of the instances can be malicious.",

author = "Dov Gordon and Yuval Ishai and Tal Moran and Rafail Ostrovsky and Amit Sahai",

year = "2010",

doi = "10.1007/978-3-642-11799-2_7",

language = "אנגלית",

isbn = "3642117988",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "91--108",

booktitle = "Theory of Cryptography - 7th Theory of Cryptography Conference, TCC 2010, Proceedings",

note = "7th Theory of Cryptography Conference, TCC 2010 ; Conference date: 09-02-2010 Through 11-02-2010",

}

Gordon, D, Ishai, Y, Moran, T, Ostrovsky, R & Sahai, A 2010, On complete primitives for fairness. in Theory of Cryptography - 7th Theory of Cryptography Conference, TCC 2010, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5978 LNCS, pp. 91-108, 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, 9/02/10. https://doi.org/10.1007/978-3-642-11799-2_7

On complete primitives for fairness. / Gordon, Dov; Ishai, Yuval; Moran, Tal et al.
Theory of Cryptography - 7th Theory of Cryptography Conference, TCC 2010, Proceedings. 2010. p. 91-108 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5978 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - On complete primitives for fairness

AU - Gordon, Dov

AU - Ishai, Yuval

AU - Moran, Tal

AU - Ostrovsky, Rafail

AU - Sahai, Amit

PY - 2010

Y1 - 2010

N2 - For secure two-party and multi-party computation with abort, classification of which primitives are complete has been extensively studied in the literature. However, for fair secure computation, where (roughly speaking) either all parties learn the output or none do, the question of complete primitives has remained largely unstudied. In this work, we initiate a rigorous study of completeness for primitives that allow fair computation. We show the following results: - No "short" primitive is complete for fairness. In surprising contrast to other notions of security for secure two-party computation, we show that for fair secure computation, no primitive of size O(logk) is complete, where k is a security parameter. This is the case even if we can enforce parallelism in calls to the primitives (i.e., the adversary does not get output from any primitive in a parallel call until it sends input to all of them). This negative result holds regardless of any computational assumptions. - A fairness hierarchy. We clarify the fairness landscape further by exhibiting the existence of a "fairness hierarchy". We show that for every "short" ℓ = O(logk), no protocol making (serial) access to any ℓ-bit primitive can be used to construct even a (ℓ + 1)-bit simultaneous broadcast. - Positive results. To complement the negative results, we exhibit a k-bit primitive that is complete for two-party fair secure computation. We show how to generalize this result to the multi-party setting. - Fairness combiners. We also introduce the question of constructing a protocol for fair secure computation from primitives that may be faulty. We show that this is possible when a majority of the instances are honest. On the flip side, we show that this result is tight: no functionality is complete for fairness if half (or more) of the instances can be malicious.

AB - For secure two-party and multi-party computation with abort, classification of which primitives are complete has been extensively studied in the literature. However, for fair secure computation, where (roughly speaking) either all parties learn the output or none do, the question of complete primitives has remained largely unstudied. In this work, we initiate a rigorous study of completeness for primitives that allow fair computation. We show the following results: - No "short" primitive is complete for fairness. In surprising contrast to other notions of security for secure two-party computation, we show that for fair secure computation, no primitive of size O(logk) is complete, where k is a security parameter. This is the case even if we can enforce parallelism in calls to the primitives (i.e., the adversary does not get output from any primitive in a parallel call until it sends input to all of them). This negative result holds regardless of any computational assumptions. - A fairness hierarchy. We clarify the fairness landscape further by exhibiting the existence of a "fairness hierarchy". We show that for every "short" ℓ = O(logk), no protocol making (serial) access to any ℓ-bit primitive can be used to construct even a (ℓ + 1)-bit simultaneous broadcast. - Positive results. To complement the negative results, we exhibit a k-bit primitive that is complete for two-party fair secure computation. We show how to generalize this result to the multi-party setting. - Fairness combiners. We also introduce the question of constructing a protocol for fair secure computation from primitives that may be faulty. We show that this is possible when a majority of the instances are honest. On the flip side, we show that this result is tight: no functionality is complete for fairness if half (or more) of the instances can be malicious.

UR - http://www.scopus.com/inward/record.url?scp=77949630830&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-11799-2_7

DO - 10.1007/978-3-642-11799-2_7

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:77949630830

SN - 3642117988

SN - 9783642117985

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 91

EP - 108

BT - Theory of Cryptography - 7th Theory of Cryptography Conference, TCC 2010, Proceedings

T2 - 7th Theory of Cryptography Conference, TCC 2010

Y2 - 9 February 2010 through 11 February 2010

ER -

On complete primitives for fairness

Abstract

Publication series

Conference

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this