Efficient Constructions of Non-interactive Secure Multiparty Computation from Pairwise Independent Hashing
Satoshi Obana (Hosei University, Tokyo, Japan; https://orcid.org/0000-0003-4795-4779)
Maki Yoshida (NICT, Tokyo, Japan; https://orcid.org/0000-0002-1267-0058)
Keywords: Secure Multiparty Computation, Non-interactive, Information Theoretical Security, Communication Complexity, Pairwise Independent Hash Functions.
Abstract: An important issue in secure multi-party computation (MPC) is to improve the efficiency of communication. Non-interactive MPC (NIMPC), introduced by Beimel et al. at Crypto 2014, completely avoids interaction in the information-theoretic setting by allowing a correlated randomness setup: the parties receive correlated random strings beforehand and locally compute the messages they send to an external output server. Existing studies have been devoted to constructing NIMPC with small communication complexity, and many NIMPC protocols have been presented so far. In this paper, we present a new generic construction of NIMPC for arbitrary functions from a class of functions called indicator functions. We employ pairwise independent hash functions to construct the proposed NIMPC, which results in the smallest communication complexity among the existing generic constructions. We further present a concrete construction of NIMPC for the set of indicator functions with the smallest communication complexity known so far. This construction also employs pairwise independent hash functions. It will be of independent interest to see how pairwise independent hash functions help in constructing NIMPC.
1 INTRODUCTION
Since the seminal paper by Yao (Yao, 1982), secure multiparty computation (MPC for short) has been a central topic in cryptographic research. That work was followed by a large body of literature (Ben-Or et al., 1988; Chaum et al., 1988; Data et al., 2014; Hirt and Tschudi, 2013), and some efficient implementations even have the potential to handle real-world applications. Though such efficient implementations are attractive, they demand a high-speed network connection (i.e., a 10 Gbps network) among the parties to achieve high-throughput computation, and they do not work well in poor network environments.
Beimel et al. introduced a novel type of MPC called non-interactive multiparty computation (NIMPC for short). In NIMPC for a function $f : \mathcal{X}_1 \times \cdots \times \mathcal{X}_n \to \{0,1\}^L$, each party $P_i$ receives correlated randomness $r_i$ and outputs $m_i$, computed from $r_i$ and a private input $x_i$, so that $f(x_1, \ldots, x_n)$ is computed only from $m_1, m_2, \ldots, m_n$. The notable feature of NIMPC is that it completely gets rid of interaction among the parties, since the message $m_i$ is locally computed by $P_i$. The security model presented by Beimel et al. guarantees information-theoretic security against honest-but-curious adversaries. More precisely, it guarantees that any set of corrupted parties learns nothing about the inputs of the uncorrupted parties and the function they aim to evaluate other than the information inferred from their own inputs and the output. Beimel et al. also showed NIMPC for various classes of functions. In particular, they showed that NIMPC for arbitrary functions is possible by giving an explicit construction of NIMPC for arbitrary functions. However, since the communication complexity of their NIMPC is very large (exponential in the input length), their construction is valuable only in the sense that it shows the possibility of realizing NIMPC for arbitrary functions.
Since the seminal work by Beimel et al., the theory of NIMPC has been further developed in (Yoshida and Obana, 2016; Obana and Yoshida, 2016; Halevi et al., 2016; Halevi et al., 2017; Agarwal et al., 2019). At Eurocrypt 2019, Agarwal et al. presented an elegant construction of NIMPC for arbitrary functions (Agarwal et al., 2019). In their construction, the correlated randomness $r_i$ consists of an additively shared output table of the target function $f$ in which input and output are masked with random values, and the message $m_i$ consists of the masked output table of $f(x_1, \ldots, x_{i-1}, a_i, x_{i+1}, \ldots, x_n)$ together with the masked value of $a_i$. Such a direct construction is very efficient in the sense that the communication complexity of the scheme is as small as $\lceil \log_2 d \rceil + L \cdot |\mathcal{X}|$, where $d = \max_{i \in [n]} \{|\mathcal{X}_i|\}$ and $\mathcal{X} = \mathcal{X}_1 \times \cdots \times \mathcal{X}_n$. The communication complexity of their NIMPC is close to the lower bound shown by Yoshida and Obana in (Yoshida and Obana, 2016); nevertheless, there is still a gap between the lower bound and the most efficient scheme known so far.

Obana, S. and Yoshida, M. Efficient Constructions of Non-interactive Secure Multiparty Computation from Pairwise Independent Hashing. DOI: 10.5220/0009819203220329. In Proceedings of the 17th International Joint Conference on e-Business and Telecommunications (ICETE 2020) - SECRYPT, pages 322-329. ISBN: 978-989-758-446-6. Copyright (c) 2020 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved.

Table 1: The communication complexity of $n$-player NIMPC protocols for arbitrary functions $h : \mathcal{X} \to \{0,1\}^L$, where $d \ge |\mathcal{X}_i|$ and $\delta_{\mathrm{ind}}$ is the communication complexity of NIMPC for the set of indicator functions.
  Construction in (Agarwal et al., 2019):       $\lceil \log_2 d \rceil + L \cdot |\mathcal{X}|$
  Construction in (Beimel et al., 2014):        $\delta_{\mathrm{ind}} \cdot L \cdot |\mathcal{X}|$
  Construction in (Obana and Yoshida, 2016):    $(\delta_{\mathrm{ind}} + L \cdot \lceil \log_2 (d+1) \rceil) \cdot |\mathcal{X}|$
  Our construction (generic):                   $(\delta_{\mathrm{ind}} + \max(2L, L + \lceil \log_2 d \rceil)) \cdot |\mathcal{X}|$
  Our construction (concrete):                  $(4 \cdot \lceil \log_2 d \rceil \cdot n + \max(2L, L + \lceil \log_2 d \rceil)) \cdot |\mathcal{X}|$

Table 2: The communication complexity of $n$-player NIMPC protocols for the set of indicator functions.
  Construction in (Beimel et al., 2014):        $d^2 \cdot n$
  Construction in (Yoshida and Obana, 2016):    $\lceil \log_2 (d+1) \rceil^2 \cdot n$
  Our construction:                             $4 \cdot \lceil \log_2 d \rceil \cdot n$

To deepen the understanding of the theory and practice of NIMPC, it is important to clarify to what extent we can construct a scheme whose communication complexity is close to the lower bound. To answer this question, we must try various approaches to constructing efficient NIMPCs. One of the major and prominent approaches is generic construction. A generic construction of NIMPC is a methodology for constructing NIMPC for complex classes of functions (e.g., arbitrary functions) based on NIMPC for simple classes of functions. All the generic constructions known so far employ indicator functions as the simple class, where the indicator function $h_a(x) : \mathcal{X} \to \{0,1\}$ equals 1 if and only if the input $x$ is identical to $a$. There is a line of research that tries to construct efficient NIMPC with small communication complexity based on NIMPC for the set of indicator functions (Beimel et al., 2014; Yoshida and Obana, 2016; Obana and Yoshida, 2016).
The contribution of this paper is twofold. First, we present an efficient generic construction of NIMPC for arbitrary functions based on any NIMPC for the set of indicator functions. Second, we present an efficient construction of NIMPC for the set of indicator functions. Combining the first and the second contributions, we obtain a concrete construction of NIMPC for arbitrary functions with the smallest communication complexity among the existing generic constructions of NIMPC for arbitrary functions. Tables 1 and 2 summarize the communication complexity of existing NIMPC for arbitrary functions with $L$-bit output and of existing NIMPC for the set of indicator functions, respectively.
We see that the proposed NIMPC for the set of indicator functions is the most efficient one, and that the proposed generic construction is the most efficient among the generic constructions based on NIMPC for the set of indicator functions. Let $\delta_{\mathrm{ind}}$ be the communication complexity of the underlying NIMPC for the set of indicator functions, and let $\log_2 d = L$ for simplicity. Then the communication complexity of the proposed NIMPC for arbitrary functions is $(\delta_{\mathrm{ind}} + 2L) \cdot |\mathcal{X}|$, while that of (Obana and Yoshida, 2016) is $(\delta_{\mathrm{ind}} + L^2) \cdot |\mathcal{X}|$. Compared to the most efficient NIMPC presented in (Agarwal et al., 2019), the proposed NIMPC is less efficient, though the overhead is not so large. Again, let $\lceil \log_2 d \rceil = L$ for the sake of simplicity; then the communication complexity of the proposed NIMPC for arbitrary functions becomes $L \cdot (4n + 2) \cdot |\mathcal{X}|$, which is about $4n + 2$ times larger than that of (Agarwal et al., 2019).
2 PRELIMINARIES
For an integer $n$, let $[n]$ be the set $\{1, 2, \ldots, n\}$. For a set $\mathcal{X} = \mathcal{X}_1 \times \cdots \times \mathcal{X}_n$ and $T \subseteq [n]$, we denote $\mathcal{X}_T \triangleq \prod_{i \in T} \mathcal{X}_i$. For $x \in \mathcal{X}$, we denote by $x_T$ the restriction of $x$ to $\mathcal{X}_T$, and for a function $h$ on $\mathcal{X}$, a subset $T \subseteq [n]$, its complement $\bar{T} = [n] \setminus T$, and $x_{\bar{T}} \in \mathcal{X}_{\bar{T}}$, we denote by $h|_{\bar{T}, x_{\bar{T}}}$ the function on $\mathcal{X}_T$ obtained from $h$ by fixing the inputs of $\bar{T}$ to $x_{\bar{T}}$. For a set $S$, let $|S|$ denote its size (i.e., the cardinality of $S$).
An NIMPC protocol for a family of functions $\mathcal{H}$ is defined by three algorithms: (1) a randomness generation function $\mathrm{GEN}$, which, given a description of a function $h \in \mathcal{H}$, generates $n$ correlated random inputs $R_1, \ldots, R_n$; (2) a local encoding function $\mathrm{ENC}_i$ ($1 \le i \le n$), which takes an input $x_i$ and a random input $R_i$ and outputs a message; and (3) a decoding algorithm $\mathrm{DEC}$ that reconstructs $h(x_1, \ldots, x_n)$ from the $n$ messages. The formal definition given in (Beimel et al., 2014) is as follows.
Definition 1 (Syntax and Correctness). Let $\mathcal{X}_1, \ldots, \mathcal{X}_n$, $\mathcal{R}_1, \ldots, \mathcal{R}_n$, $\mathcal{M}_1, \ldots, \mathcal{M}_n$ and the output domain be finite domains. Let $\mathcal{X} \triangleq \mathcal{X}_1 \times \cdots \times \mathcal{X}_n$ and let $\mathcal{H}$ be a family of functions $h$ from $\mathcal{X}$ to the output domain. A non-interactive secure multi-party computation (NIMPC) protocol for $\mathcal{H}$ is a triplet $\Pi = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$ where
- $\mathrm{GEN} : \mathcal{H} \to \mathcal{R}_1 \times \cdots \times \mathcal{R}_n$ is a random function,
- $\mathrm{ENC}$ is an $n$-tuple of deterministic functions $(\mathrm{ENC}_1, \ldots, \mathrm{ENC}_n)$, where $\mathrm{ENC}_i : \mathcal{X}_i \times \mathcal{R}_i \to \mathcal{M}_i$,
- $\mathrm{DEC}$ is a deterministic function from $\mathcal{M}_1 \times \cdots \times \mathcal{M}_n$ to the output domain
satisfying the following correctness requirement: for any $x = (x_1, \ldots, x_n) \in \mathcal{X}$ and $h \in \mathcal{H}$,
$$\Pr[\, R = (R_1, \ldots, R_n) \leftarrow \mathrm{GEN}(h) : \mathrm{DEC}(\mathrm{ENC}(x, R)) = h(x) \,] = 1, \quad (1)$$
where $\mathrm{ENC}(x, R) \triangleq (\mathrm{ENC}_1(x_1, R_1), \ldots, \mathrm{ENC}_n(x_n, R_n))$.
The communication complexity of NIMPC $\Pi$ is defined to be the maximum value of $\log_2 |\mathcal{R}_1|, \ldots, \log_2 |\mathcal{R}_n|, \log_2 |\mathcal{M}_1|, \ldots, \log_2 |\mathcal{M}_n|$.
We next show the definition of robustness for NIMPC (Beimel et al., 2014), which states that a coalition can only learn the information it should. In the above setting, a coalition $T$ can repeatedly encode any inputs for $T$ and decode $h$ with the new encoded inputs together with the original encoded inputs of $\bar{T}$. Thus, the following robustness requirement demands that they learn no information other than what is obtained from oracle access to $h|_{\bar{T}, x_{\bar{T}}}$.
Definition 2 (Robustness). For a subset $T \subseteq [n]$, we say that an NIMPC protocol $\Pi$ for $\mathcal{H}$ is $T$-robust if there exists a randomized function $\mathrm{Sim}_T$ (a "simulator") such that, for every $h \in \mathcal{H}$ and $x_{\bar{T}} \in \mathcal{X}_{\bar{T}}$, we have $\mathrm{Sim}_T(h|_{\bar{T}, x_{\bar{T}}}) \equiv (M_{\bar{T}}, R_T)$, where $R$ and $M$ are the joint randomness and messages defined by $R \leftarrow \mathrm{GEN}(h)$ and $M_i \leftarrow \mathrm{ENC}_i(x_i, R_i)$.
For an integer $0 \le t \le n$, we say that $\Pi$ is $t$-robust if it is $T$-robust for every $T \subseteq [n]$ of size $|T| \le t$. We say that $\Pi$ is fully robust (or simply refer to $\Pi$ as an NIMPC for $\mathcal{H}$) if $\Pi$ is $n$-robust. Finally, given a concrete function $h$ on $\mathcal{X}$, we say that $\Pi$ is a ($t$-robust) NIMPC protocol for $h$ if it is a ($t$-robust) NIMPC for $\mathcal{H} = \{h\}$.
As the same simulator $\mathrm{Sim}_T$ is used for every $h \in \mathcal{H}$ and the simulator only has access to $h|_{\bar{T}, x_{\bar{T}}}$, NIMPC hides both $h$ and the inputs of $\bar{T}$. An NIMPC protocol is 0-robust if it is $\emptyset$-robust. In this case, the only requirement is that the messages $(M_1, \ldots, M_n)$ reveal $h(x)$ and nothing else.
An NIMPC protocol can also be described in the language of protocols, as in (Beimel et al., 2014). Such a protocol involves $n$ players $P_1, \ldots, P_n$, each holding an input $x_i \in \mathcal{X}_i$, and an external "output server," a player $P_0$ with no input. The protocol may have an additional input, a function $h \in \mathcal{H}$.
Definition 3 (Protocol Description). For an NIMPC protocol $\Pi$ for $\mathcal{H}$, let $P(\Pi)$ denote the protocol that may have an additional input, a function $h \in \mathcal{H}$, and proceeds as follows.
Protocol $P(\Pi)(h)$
Offline Preprocessing. Each player $P_i$, $1 \le i \le n$, receives the random input $R_i \triangleq \mathrm{GEN}(h)_i \in \mathcal{R}_i$.
Online Messages. On input $R_i$, each player $P_i$, $1 \le i \le n$, sends the message $M_i \triangleq \mathrm{ENC}_i(x_i, R_i) \in \mathcal{M}_i$ to $P_0$.
Output. $P_0$ computes and outputs $\mathrm{DEC}(M_1, \ldots, M_n)$.
Informally, the relevant properties of protocol $P(\Pi)$ are as follows:
- For any $h \in \mathcal{H}$ and $x \in \mathcal{X}$, the output server $P_0$ outputs, with probability 1, the value $h(x_1, \ldots, x_n)$.
- Fix $T \subseteq [n]$. Then $\Pi$ is $T$-robust if in $P(\Pi)$ the set of players $\{P_i\}_{i \in T} \cup \{P_0\}$ can simulate their view of the protocol (i.e., the random inputs $\{R_i\}_{i \in T}$ and the messages $\{M_i\}_{i \in \bar{T}}$) given oracle access to the function $h$ restricted by the other inputs (i.e., $h|_{\bar{T}, x_{\bar{T}}}$).
- $\Pi$ is 0-robust if and only if in $P(\Pi)$ the output server $P_0$ learns nothing but $h(x_1, \ldots, x_n)$.
A lower bound on the communication complexity for any finite set of functions, including the set of arbitrary functions, was derived in (Yoshida and Obana, 2016). The result states that the communication complexity cannot be smaller than the logarithm of the size of the target class.
Proposition 1 (Lower Bound). Fix finite domains $\mathcal{X}_1, \ldots, \mathcal{X}_n$ and an output domain. Let $\mathcal{X} \triangleq \mathcal{X}_1 \times \cdots \times \mathcal{X}_n$ and let $\mathcal{H}$ be a set of functions $h$ from $\mathcal{X}$ to the output domain. Then any fully robust NIMPC protocol $\Pi$ for $\mathcal{H}$ satisfies $\sum_{i=1}^{n} \log |\mathcal{R}_i| \ge \log |\mathcal{H}|$, and $\sum_{i=1}^{n} \log |\mathcal{M}_i|$ is at least the logarithm of the size of the output domain.
Proposition 2 (Lower Bound). Fix finite domains $\mathcal{X}_1, \ldots, \mathcal{X}_n$. Let $\mathcal{X} \triangleq \mathcal{X}_1 \times \cdots \times \mathcal{X}_n$ and let $\mathcal{H}^L_{\mathrm{all}}$ be the set of all functions $h : \mathcal{X} \to \{0,1\}^L$. Any NIMPC protocol $\Pi$ for $\mathcal{H}^L_{\mathrm{all}}$ satisfies $\sum_{i=1}^{n} \log |\mathcal{R}_i| \ge L \cdot |\mathcal{X}|$, and $\sum_{i=1}^{n} \log |\mathcal{M}_i| \ge L$.
Here, we give the definitions of indicator functions (Beimel et al., 2014) and generalized indicator functions (Obana and Yoshida, 2016), which are important classes of functions for our proposed construction.
Definition 4 (Indicator Functions). Let $\mathcal{X}$ be a finite domain. For an $n$-tuple $a = (a_1, \ldots, a_n) \in \mathcal{X}$, let $h_a : \mathcal{X} \to \{0,1\}$ be the function defined by $h_a(a) = 1$ and $h_a(x) = 0$ for all $x \in \mathcal{X}$ with $x \ne a$. Let $h_0 : \mathcal{X} \to \{0,1\}$ be the function that is identically zero on $\mathcal{X}$. Let $\mathcal{H}_{\mathrm{ind}} \triangleq \{h_a\}_{a \in \mathcal{X}} \cup \{h_0\}$ be the set of all indicator functions together with $h_0$.
Definition 5 (Generalized Indicator Functions). Let $L$ be a positive integer, $L > 0$. For $v \in \{0,1\}^L \setminus \{0^L\}$ and $a = (a_1, \ldots, a_n) \in \mathcal{X}$, we define the generalized indicator function $h_{a,v}$ as follows:
$$h_{a,v}(x) = \begin{cases} v & \text{if } x = a \\ 0^L & \text{otherwise.} \end{cases}$$
Let $h_0^L : \mathcal{X} \to \{0,1\}^L$ be the function that is identically $0^L$ on $\mathcal{X}$. We define the family of functions $\mathcal{H}^L_{\mathrm{ind}} = \{h_{a,v}\}_{a \in \mathcal{X},\, v \in \{0,1\}^L \setminus \{0^L\}} \cup \{h_0^L\}$.
In the next section, we will present a generic construction of NIMPC for an arbitrary set of functions. We employ pairwise independent hash functions to construct NIMPC for the set of generalized indicator functions. We note that pairwise independent hash functions play an important role in constructing various cryptographic protocols.
Definition 6. A family of functions $G = \{g \mid g : X \to Y\}$ is pairwise independent if the following two conditions hold when $g \in G$ is a function chosen uniformly at random from $G$:
1. For any $x \in X$, the random variable $g(x)$ is uniformly distributed in $Y$.
2. For any distinct $x_1, x_2 \in X$, the random variables $g(x_1)$ and $g(x_2)$ are independent.
When the function $g$ is chosen uniformly at random from $G$, we can guarantee that $g(x)$ does not reveal any information about $x$. Further, the value $g(x)$ does not reveal any information about the value $g(x')$ for $x' \ne x$. These properties of pairwise independent hash families help us in constructing NIMPC.
The following proposition gives a well-known fact about pairwise independent hash functions (e.g., (Vadhan, 2012)).
Proposition 3. For all positive integers $n, m$, there is a family of pairwise independent functions $G_{n,m} = \{g : \{0,1\}^n \to \{0,1\}^m\}$ where a random function from $G_{n,m}$ can be selected using $\max(m, n) + m$ random bits.
Let $G_{n,m,\ge}$ and $G_{n,m,<}$ be the function families defined as follows, where $\|$ denotes concatenation of bit strings and $\phi_{n,m} : \mathbb{F}_{2^n} \to \mathbb{F}_{2^m}$ denotes any surjective linear mapping:
$$G_{n,m,\ge} = \left\{ g'_{a,b} \;\middle|\; g'_{a,b}(x) = a \cdot (0^{m-n} \| x) + b,\ a, b \in \mathbb{F}_{2^m} \right\},$$
$$G_{n,m,<} = \left\{ g''_{a,b} \;\middle|\; g''_{a,b}(x) = \phi_{n,m}(a \cdot x) + b,\ a \in \mathbb{F}_{2^n},\ b \in \mathbb{F}_{2^m} \right\}.$$
Then the pairwise independent function family is constructed as follows:
$$G_{n,m} = \begin{cases} G_{n,m,\ge} & \text{if } m \ge n \\ G_{n,m,<} & \text{if } m < n. \end{cases}$$
We note that any function in $G_{n,m}$ can be described by $\max(m, n) + m$ bits (i.e., by $(a, b)$), which we call the description of the function $g_{a,b}$ and denote by $\mathrm{desc}(g_{a,b})$. We also note that some pairwise independent function families (including $G_{n,m}$ described above) possess the extra property that $\mathrm{desc}(g)$ can be sampled efficiently even when the output $g(a)$ is fixed to some value $b$ for a single input $a$. We will use such function families in our constructions.
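As an added example (not the authors' code), the following Python implements the family $G_{n,m}$ defined above, checks Definition 6 exhaustively for small $n, m$, and samples $\mathrm{desc}(g)$ under a fixed value $g(x_0) = y_0$. It assumes a fixed irreducible polynomial for each field size $\mathbb{F}_{2^n}$ and takes $\phi_{n,m}$ to be truncation to the low $m$ bits (a surjective linear map); the function names are chosen here.

```python
# Added example: the family G_{n,m} of Section 2 over F_{2^n}, with Definition 6
# checked exhaustively for small n, m and desc(g) sampled under a fixed value g(x0).
# Assumptions: a fixed irreducible polynomial per field size (constructed table
# below) and phi_{n,m} = truncation to the low m bits, a surjective F_2-linear map.
import itertools
import random

IRREDUCIBLE = {2: 0b111, 3: 0b1011, 4: 0b10011, 5: 0b100101, 8: 0b100011011}


def gf_mul(x, y, n):
    """Multiply x, y in F_{2^n} (ints < 2^n) modulo the irreducible polynomial."""
    poly, r = IRREDUCIBLE[n], 0
    for _ in range(n):
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> n:
            x ^= poly
    return r


def g_eval(desc, x, n, m):
    """Evaluate g_{a,b} in G_{n,m} on x in {0,1}^n; desc = (a, b) is its description."""
    a, b = desc
    if m >= n:        # G_{n,m,>=}: a * (0^{m-n} || x) + b, arithmetic in F_{2^m}
        return gf_mul(a, x, m) ^ b
    # G_{n,m,<}: phi_{n,m}(a * x) + b, with a * x computed in F_{2^n}
    return (gf_mul(a, x, n) & ((1 << m) - 1)) ^ b


def sample_desc(n, m):
    """Uniform g in G_{n,m}: max(m, n) + m random bits, as in Proposition 3."""
    return (random.getrandbits(max(m, n)), random.getrandbits(m))


def sample_desc_fixed_point(n, m, x0, y0):
    """Uniform g in G_{n,m} conditioned on g(x0) = y0 (the extra property that GEN
    in Section 3.2 relies on): a stays uniform and b is solved for."""
    a = random.getrandbits(max(m, n))
    b = y0 ^ g_eval((a, 0), x0, n, m)
    return (a, b)


def is_pairwise_independent(n, m):
    """Check Definition 6 exhaustively: for every pair of distinct inputs, the joint
    value (g(x1), g(x2)) must be uniform on Y x Y over all g in G_{n,m}."""
    descs = list(itertools.product(range(1 << max(m, n)), range(1 << m)))
    for x1, x2 in itertools.combinations(range(1 << n), 2):
        counts = {}
        for d in descs:
            pair = (g_eval(d, x1, n, m), g_eval(d, x2, n, m))
            counts[pair] = counts.get(pair, 0) + 1
        if len(counts) != (1 << m) ** 2 or len(set(counts.values())) != 1:
            return False
    return True
```

Both branches of $G_{n,m}$ pass the exhaustive check, and a description sampled with the fixed-point sampler always evaluates to the prescribed value at $x_0$ while its slope $a$ remains uniform.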
3 PROPOSED CONSTRUCTION
In this section, we present NIMPC for $\mathcal{H}^L_{\mathrm{all}}$, the arbitrary functions with $L$-bit output, from any NIMPC for $\mathcal{H}_{\mathrm{ind}}$. The communication complexity of the proposed construction is $(\delta_{\mathrm{ind}} + \max(2L, L + \lceil \log_2 d \rceil)) \cdot |\mathcal{X}|$, where $\delta_{\mathrm{ind}}$ denotes the communication complexity of the underlying NIMPC for $\mathcal{H}_{\mathrm{ind}}$.
3.1 Overview of the Protocol
Historically, there are two different approaches to constructing NIMPC for arbitrary functions from NIMPC for the set of indicator functions. The first approach, adopted in (Beimel et al., 2014; Yoshida and Obana, 2016), makes use of the fact that every function $h : \mathcal{X} \to \{0,1\}$ can be expressed as the sum of indicator functions, $h = \sum_{a \in \mathcal{X},\, h(a) = 1} h_a$. They construct NIMPC for an arbitrary function $h : \mathcal{X} \to \{0,1\}$ by $|\mathcal{X}|$ independent invocations of NIMPC for $\mathcal{H}_{\mathrm{ind}}$, and realize NIMPC for $\mathcal{H}^L_{\mathrm{ind}}$ by $L$ independent invocations of NIMPC for $\mathcal{H}_{\mathrm{ind}}$. Let $\delta_{\mathrm{ind}}$ be the communication complexity of the underlying NIMPC for indicator functions. Then the communication complexity of the resulting NIMPC for arbitrary functions is $\delta_{\mathrm{ind}} \cdot L \cdot |\mathcal{X}|$.
In (Obana and Yoshida, 2016), Obana and Yoshida present the second approach to constructing NIMPC for arbitrary functions. While the first approach computes each output bit separately, the second approach computes all output bits simultaneously. The key idea of the second approach is to introduce generalized indicator functions $h_{a,v}(x)$ outputting $v \in \{0,1\}^L$ if $x = a$ holds and $0^L$ otherwise. Their construction is based on the observation that an arbitrary function $h : \mathcal{X} \to \{0,1\}^L$ is represented by a sum of $h_{a,v} \in \mathcal{H}^L_{\mathrm{ind}}$ (i.e., $h = \sum_{a \in \mathcal{X},\, h(a) \ne 0^L} h_{a,h(a)}$), and uses this fact to construct NIMPC for $\mathcal{H}^L_{\mathrm{all}}$. The generic construction of (Obana and Yoshida, 2016) reduces the communication complexity by a factor of $\frac{\delta_{\mathrm{ind}} \cdot L}{\delta_{\mathrm{ind}} + L \cdot \lceil \log_2 |\mathcal{X}| \rceil}$ compared to the first approach.
In the proposed construction, we adopt the same approach as in (Obana and Yoshida, 2016): starting from an NIMPC for the set of indicator functions, we construct an NIMPC for the set of generalized indicator functions, which is then used to construct NIMPC for the set of arbitrary functions. The main difference between our construction and that in (Obana and Yoshida, 2016) is the building block used to construct an NIMPC for the set of generalized indicator functions. The construction in (Obana and Yoshida, 2016) employs binary vectors to extend the range of the indicator function. We, on the other hand, employ pairwise independent hash functions to extend the range, which results in NIMPC for arbitrary functions with smaller communication complexity.
3.2 From NIMPC for $\mathcal{H}_{\mathrm{ind}}$ to NIMPC for $\mathcal{H}^L_{\mathrm{ind}}$
Here, we give a generic construction of NIMPC for $\mathcal{H}^L_{\mathrm{ind}}$ from any NIMPC for $\mathcal{H}_{\mathrm{ind}}$. The basic idea behind the proposed generic construction is as follows. We use an NIMPC $\Pi_{\mathrm{ind}} = (\mathrm{GEN}', \mathrm{ENC}', \mathrm{DEC}')$ for $\mathcal{H}_{\mathrm{ind}}$ to check whether the function $h \in \mathcal{H}^L_{\mathrm{ind}}$ outputs a non-zero value on the input $(x_1, \ldots, x_n) \in \mathcal{X}$. To obtain the actual output value (i.e., $h(x_1, \ldots, x_n)$), we employ functions $g_i$ from pairwise independent hash families $G_i : \mathcal{X}_i \to \mathbb{F}_2^L$ for $i \in [n]$. The functions $g_i \in G_i$ are chosen in such a way that $\sum_{i=1}^{n} g_i(x_i) = h(x_1, \ldots, x_n)$ holds if the input $(x_1, \ldots, x_n)$ is identical to the input on which $\mathrm{DEC}'$ outputs 1.
Let $\Pi_{\mathrm{ind}} = (\mathrm{GEN}', \mathrm{ENC}', \mathrm{DEC}')$ be any NIMPC for $\mathcal{H}_{\mathrm{ind}}$. Then the concrete description of the proposed construction of NIMPC for $\mathcal{H}^L_{\mathrm{ind}}$, denoted by $\Pi_{\mathrm{gind}} = (\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$, is given as follows. For $i \in [n]$, let $g_i$ be an element of the pairwise independent hash family $G_i : \mathcal{X}_i \to \{0,1\}^L$.
Fix a function $h \in \mathcal{H}^L_{\mathrm{ind}}$ that we want to compute.
Offline Preprocessing. First, define a function $h' \in \mathcal{H}_{\mathrm{ind}}$ as follows:
$$h' = \begin{cases} h_0 & \text{if } h = h_0^L \\ h_a & \text{otherwise,} \end{cases}$$
where in the second case $a \in \mathcal{X}$ and $v \in \{0,1\}^L \setminus \{0^L\}$ are such that $h = h_{a,v}$, and let $R' = (R'_1, \ldots, R'_n) \leftarrow \mathrm{GEN}'(h')$. Next, if $h = h_0^L$ then choose $n$ random functions $g_i \in G_i$. If $h = h_{a,v}$ for some $a = (a_1, \ldots, a_n) \in \mathcal{X}$ and $v \in \{0,1\}^L \setminus \{0^L\}$, choose $n - 1$ functions $g_i$ uniformly at random from $G_i$ for $i \in [n-1]$ and choose a function $g_n \in G_n$ such that $\sum_{i=1}^{n} g_i(a_i) = v$ holds, which can be done by choosing $g_n$ uniformly at random from the function family $\{ g_n \mid g_n \in G_n,\ g_n(a_n) = v + \sum_{i=1}^{n-1} g_i(a_i) \}$ (all sums are taken in $\mathbb{F}_2^L$, i.e., bitwise XOR). Define $\mathrm{GEN}(h) \triangleq R = (R_1, \ldots, R_n)$ where $R_i = (R'_i, \mathrm{desc}(g_i))$.
Online Messages. For $R_i = (R'_i, \mathrm{desc}_i)$ and an input $x_i$, we first evaluate $(M'_1, \ldots, M'_n) \leftarrow \mathrm{ENC}'(x, R')$. Next, we evaluate $v_i = g_i(x_i)$, where $g_i$ is the element of $G_i$ described by $\mathrm{desc}_i$. Finally, let $\mathrm{ENC}(x, R) \triangleq (M_1, \ldots, M_n)$ where $M_i = (M'_i, v_i)$.
Output $h(x_1, \ldots, x_n)$. $\mathrm{DEC}(M_1, \ldots, M_n) = \sum_{i=1}^{n} v_i$ if $\mathrm{DEC}'(M'_1, \ldots, M'_n) = 1$ holds. Otherwise $\mathrm{DEC}(M_1, \ldots, M_n) = 0^L$.
Theorem 1. Fix finite domains $\mathcal{X}_1, \ldots, \mathcal{X}_n$, and let $\mathcal{X} \triangleq \mathcal{X}_1 \times \cdots \times \mathcal{X}_n$. If there exists a robust NIMPC for $\mathcal{H}_{\mathrm{ind}} : \mathcal{X} \to \{0,1\}$ with communication complexity $\delta_{\mathrm{ind}}$, then there is an NIMPC protocol for $\mathcal{H}^L_{\mathrm{ind}}$ with communication complexity $\delta_{\mathrm{ind}} + \max(2L, L + \lceil \log_2 d \rceil)$.
Proof: First, we show correctness. Let $M_i = (M'_i, v_i)$. It holds that $\sum_{i=1}^{n} v_i = \sum_{i=1}^{n} g_i(x_i)$. If $h = h_{a,v}$, then $\mathrm{DEC}'(M'_1, \ldots, M'_n) = 1$ holds if and only if $a = x$. In this case $\sum_{i=1}^{n} v_i = \sum_{i=1}^{n} g_i(a_i) = v$ holds. This means $\mathrm{DEC}(M_1, \ldots, M_n) = v$ if and only if $x = a$. If $h = h_0^L$, then $\mathrm{DEC}'(M'_1, \ldots, M'_n) = 1$ never happens, because of the correctness of the underlying NIMPC for $\mathcal{H}_{\mathrm{ind}}$. This means $\mathrm{DEC}(M_1, \ldots, M_n) = 0^L$ holds for any $x \in \mathcal{X}$.
To prove robustness, fix a subset $T \subseteq [n]$ and $x_{\bar{T}} \in \mathcal{X}_{\bar{T}}$. The encodings $M_{\bar{T}}$ of $\bar{T}$ consist of $\{(M'_i, v_i)\}_{i \in \bar{T}}$. The randomness $R_T$ consists of $\{(R'_i, \mathrm{desc}(g_i))\}_{i \in T}$. We now construct a simulator $\mathrm{Sim}_T$ which queries $h|_{\bar{T}, x_{\bar{T}}}$ on all possible inputs in $\mathcal{X}_T$. First we simulate $(R'_T, M'_{\bar{T}})$. Since $R' = \mathrm{GEN}'(h')$ and $M' = \mathrm{ENC}'(R', x)$ hold, and $\Pi_{\mathrm{ind}} = (\mathrm{GEN}', \mathrm{ENC}', \mathrm{DEC}')$ is robust, it is possible to simulate $(R'_T, M'_{\bar{T}})$ if we can answer queries to $h'|_{\bar{T}, x_{\bar{T}}}$, which is easily computed from $h|_{\bar{T}, x_{\bar{T}}}$ as follows:
$$h'|_{\bar{T}, x_{\bar{T}}}(x_T) = \begin{cases} 0 & \text{if } h|_{\bar{T}, x_{\bar{T}}}(x_T) = 0^L \\ 1 & \text{otherwise.} \end{cases}$$
Next, we simulate $\mathrm{desc}(g_i)$ for $i \in T$ and $v_i$ $(= g_i(x_i))$ for $i \in \bar{T}$. If $h|_{\bar{T}, x_{\bar{T}}} \equiv 0^L$, there are two possible cases. The first case is $h = h_0^L$. In this case $\mathrm{desc}(g_i)$ ($i \in T$) and $v_i$ ($i \in \bar{T}$) are uniformly and independently distributed, since all $g_i$ are uniformly and independently distributed. The second case to consider is $h = h_{a,v}$ for some $a, v$ with $a_{\bar{T}} \ne x_{\bar{T}}$. In this case, $g_i$ (and therefore $\mathrm{desc}(g_i)$) for $i \in [n]$ are uniformly and independently distributed under the constraint $\sum_{i \in [n]} g_i(a_i) = v$. Hence, from the properties of pairwise independent hash functions, $g_i$ ($i \in T$) and $v_i$ $(= g_i(x_i))$ ($i \in \bar{T}$) are uniformly and independently distributed. From the above argument, we conclude that $\mathrm{desc}(g_i)$ for $i \in T$ and $v_i$ for $i \in \bar{T}$ are uniformly and independently distributed in both cases. Therefore, if $h|_{\bar{T}, x_{\bar{T}}} \equiv 0^L$ then $\mathrm{desc}(g_i)$ ($i \in T$) and $v_i$ $(= g_i(x_i))$ ($i \in \bar{T}$) are simulated simply by assigning uniformly distributed random strings to them. On the other hand, if $h|_{\bar{T}, x_{\bar{T}}}(x_T) = v$ $(\ne 0^L)$ holds for some $x_T \in \mathcal{X}_T$, then $\sum_{i \in [n]} g_i(a_i) = v$ holds. Let $\hat{i} \in \bar{T}$; then $\mathrm{desc}(g_i)$ ($i \in T$) and $g_i(x_i)$ ($i \in \bar{T}$) are simulated by assigning uniform random strings to $\mathrm{desc}(g_i)$ ($i \in T$) and $v_i$ ($i \in \bar{T} \setminus \{\hat{i}\}$) and by assigning $v + \left( \sum_{i \in T} g_i(a_i) \right) + \left( \sum_{i \in \bar{T} \setminus \{\hat{i}\}} v_i \right)$ to $v_{\hat{i}}$.
Now, we evaluate the communication complexity of the resulting NIMPC. Let $\delta_{\mathrm{ind}}$ be the communication complexity of the underlying NIMPC for $\mathcal{H}_{\mathrm{ind}}$. The correlated randomness $R_i$ is composed of $R'_i$ and an $(L + \max(L, \lceil \log_2 d \rceil))$-bit binary string, whereas the encoding $M_i$ is composed of $M'_i$ and an $L$-bit binary string. Therefore, the communication complexity is at most $\delta_{\mathrm{ind}} + \max(2L, L + \lceil \log_2 d \rceil)$. $\square$
3.3 From NIMPC for $\mathcal{H}^L_{\mathrm{ind}}$ to NIMPC for $\mathcal{H}^L_{\mathrm{all}}$
In this section, we present a generic construction of NIMPC for all $L$-bit Boolean functions $\mathcal{H}^L_{\mathrm{all}}$ with input domain $\mathcal{X} = \mathcal{X}_1 \times \cdots \times \mathcal{X}_n$ from any NIMPC for $\mathcal{H}^L_{\mathrm{ind}}$ with the same input domain. The idea is to express any $h : \mathcal{X} \to \{0,1\}^L$ as a sum of generalized indicator functions in $\mathcal{H}^L_{\mathrm{ind}}$ with $L$-bit output. The communication complexity of the resulting construction is much smaller than that of the existing constructions, since a single invocation of the proposed NIMPC for $\mathcal{H}^L_{\mathrm{ind}}$ given in §3.2 is much more efficient than $L$ invocations of the existing NIMPC for $\mathcal{H}_{\mathrm{ind}}$ for most $L$.
The detailed description of the compiler that constructs NIMPC for $\mathcal{H}_{\mathrm{all}}$ from NIMPC for $\mathcal{H}^L_{\mathrm{ind}}$ is identical to the one presented in (Obana and Yoshida, 2016). Let $\Pi^L_{\mathrm{ind}} = (\mathrm{GEN}', \mathrm{ENC}', \mathrm{DEC}')$ be any NIMPC for $\mathcal{H}^L_{\mathrm{ind}}$ and let $h : \mathcal{X} \to \{0,1\}^L$ be the function that we want to compute. We construct a protocol $P(\Pi)(h)$ for $\mathcal{H}_{\mathrm{all}}$, whose algorithms are denoted by $(\mathrm{GEN}, \mathrm{ENC}, \mathrm{DEC})$, as follows.
Offline Preprocessing. Let $I \subseteq \mathcal{X}$ be the set of inputs $x \in \mathcal{X}$ such that $h(x) \ne 0^L$. For each $a \in I$, let $R^a = (R^a_1, \ldots, R^a_n) \leftarrow \mathrm{GEN}'(h_{a,v})$ with $v = h(a)$. For $a \in \mathcal{X} \setminus I$, let $R^a \leftarrow \mathrm{GEN}'(h_0^L)$. Then choose a random permutation $\pi$ of $\mathcal{X}$ and let $R_{i,b} = R^{\pi(b)}_i$ for $i \in [n]$, $b \in \mathcal{X}$. Define $\mathrm{GEN}(h) \triangleq R = (R_1, \ldots, R_n)$, where $R_i = \{R_{i,b}\}_{b \in \mathcal{X}}$.
Online Messages. For an input $x_i$, $P_i$ computes $M_{i,b} \triangleq \mathrm{ENC}'_i(x_i, R_{i,b})$ for every $b \in \mathcal{X}$. Define $\mathrm{ENC}(x, R) \triangleq (M_1, \ldots, M_n)$ where $M_i = \{M_{i,b}\}_{b \in \mathcal{X}}$.
Output $h(x_1, \ldots, x_n)$. $\mathrm{DEC}(M_1, \ldots, M_n) = v$ if and only if there exists $b \in \mathcal{X}$ such that $\mathrm{DEC}'(M_{1,b}, \ldots, M_{n,b}) = v$. Otherwise $\mathrm{DEC}(M_1, \ldots, M_n) = 0^L$.
Theorem 2. Fix finite domains $\mathcal{X}_1, \ldots, \mathcal{X}_n$, and let $\mathcal{X} \triangleq \mathcal{X}_1 \times \cdots \times \mathcal{X}_n$. Let $\mathcal{H}_{\mathrm{all}}$ be the set of all functions $h : \mathcal{X} \to \{0,1\}^L$. If there exists a robust NIMPC for $\mathcal{H}^L_{\mathrm{ind}} : \mathcal{X} \to \{0,1\}^L$ with communication complexity $\delta_{\mathrm{gind}}$, then there is an NIMPC protocol for $\mathcal{H}_{\mathrm{all}}$ with communication complexity $\delta_{\mathrm{gind}} \cdot |\mathcal{X}|$.
The proof is almost identical to that of Theorem 2 of (Obana and Yoshida, 2016) and is omitted here.
By combining Theorem 1 and Theorem 2, we obtain the following corollary.
Corollary 1. Fix finite domains $\mathcal{X}_1, \ldots, \mathcal{X}_n$, and let $\mathcal{X} \triangleq \mathcal{X}_1 \times \cdots \times \mathcal{X}_n$. Let $\mathcal{H}_{\mathrm{all}}$ be the set of all functions $h : \mathcal{X} \to \{0,1\}^L$. If there exists a robust NIMPC for $\mathcal{H}_{\mathrm{ind}} : \mathcal{X} \to \{0,1\}$ with communication complexity $\delta_{\mathrm{ind}}$, then there is an NIMPC protocol for $\mathcal{H}_{\mathrm{all}}$ with communication complexity $(\delta_{\mathrm{ind}} + \max(2L, L + \lceil \log_2 d \rceil)) \cdot |\mathcal{X}|$.
4 EFFICIENT NIMPC for $\mathcal{H}_{\mathrm{ind}}$
In this section, we present a construction of NIMPC for $\mathcal{H}_{\mathrm{ind}}$, which yields NIMPC for $\mathcal{H}^L_{\mathrm{all}}$ via the generic construction given in the previous section. As in the generic construction of NIMPC for $\mathcal{H}^L_{\mathrm{ind}}$, we again employ a pairwise independent hash family to construct NIMPC for $\mathcal{H}_{\mathrm{ind}}$. It should be noted that if $d \ge 4$ (i.e., if the maximum bit length of an input is larger than 1), the proposed construction of NIMPC for $\mathcal{H}_{\mathrm{ind}}$ offers the smallest communication complexity known so far. Namely, the communication complexity of the proposed construction is $4 \cdot \lceil \log_2 d \rceil \cdot n$, whereas that of the best known construction (i.e., the construction in (Yoshida and Obana, 2016)) is $(\lceil \log_2 (d+1) \rceil)^2 \cdot n$.
The detailed description of the protocol is as follows. For $i \in [n]$, let $\phi_i$ be a one-to-one mapping from $\mathcal{X}_i$ to a finite field $\mathbb{F}$ of order larger than $\max_i |\mathcal{X}_i|$. Fix a function $h \in \mathcal{H}_{\mathrm{ind}}$ that we want to compute.
The proposed NIMPC $\Pi_{\mathrm{ind}}(h)$
Offline Preprocessing. If $h = h_0$, then choose $2n$ linearly independent random vectors $\{v_i, v'_i\}_{i \in [n]}$ in $\mathbb{F}^{2n}$. If $h = h_a$ for some $a = (a_1, \ldots, a_n) \in \mathcal{X}$, then choose $2n$ random vectors $\{v_i, v'_i\}_{i \in [n]}$ in $\mathbb{F}^{2n}$ such that $\sum_{i=1}^{n} (v_i + \phi_i(a_i) v'_i) = 0$, and such that there are no linear relations other than $\sum_{i=1}^{n} c \cdot (v_i + \phi_i(a_i) v'_i) = 0$ for $c \in \mathbb{F}$. Let $\mathrm{GEN}(h) = R = (R_1, \ldots, R_n)$, where $R_i = \{v_i, v'_i\}$.
Online Messages. For an input $x_i$, let $\mathrm{ENC}(x, R) = (M_1, \ldots, M_n)$ where $M_i = v_i + \phi_i(x_i) v'_i$.
Output $h(x_1, \ldots, x_n)$. $\mathrm{DEC}(M_1, \ldots, M_n) = 1$ if $\sum_{i=1}^{n} M_i = 0$.
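The Python below is an added example (not the authors' code) that runs $\Pi_{\mathrm{ind}}$ from this section end to end and then layers the §3.2 compiler $\Pi_{\mathrm{gind}}$ and the §3.3 compiler on top of it. It assumes a single small prime field $\mathbb{F}_p$ in place of both $\mathbb{F}$ and $\mathbb{F}_2^L$ (so $\phi_i$ is the identity, the hash family is $g_{a,b}(x) = ax + b$ over $\mathbb{F}_p$, and the XOR sums become sums mod $p$); the rank check makes the "no other linear relations" condition explicit, and all function names are chosen here.

```python
# Added toy instance of Section 4 (Pi_ind), the Section 3.2 compiler (Pi_gind) and
# the Section 3.3 compiler, all over one small prime field F_p (assumption: F_p
# replaces both F and F_2^L, phi_i is the identity, and XOR becomes addition mod p).
import random

P = 7   # prime field F_p; each input domain X_i = F_p, so d = p
N = 3   # number of parties

def vec_add(u, v):
    return [(x + y) % P for x, y in zip(u, v)]

def vec_scale(c, v):
    return [(c * x) % P for x in v]

def rank_mod_p(rows):
    """Rank over F_p by Gaussian elimination; used to verify the linear relations."""
    m, rank = [r[:] for r in rows], 0
    for c in range(len(m[0])):
        piv = next((r for r in range(rank, len(m)) if m[r][c]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][c], P - 2, P)
        m[rank] = [(x * inv) % P for x in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][c]:
                m[r] = [(x - m[r][c] * y) % P for x, y in zip(m[r], m[rank])]
        rank += 1
    return rank

# --- Section 4: Pi_ind for h_0 (a is None) or h_a --------------------------------
def gen_ind(a):
    """R_i = (v_i, v'_i) in F_p^{2n}: for h_a the only linear relation among the 2n
    vectors is sum_i (v_i + a_i v'_i) = 0; for h_0 they are linearly independent."""
    while True:
        v = [[random.randrange(P) for _ in range(2 * N)] for _ in range(N)]
        vp = [[random.randrange(P) for _ in range(2 * N)] for _ in range(N)]
        if a is not None:                      # solve for v_n to force the relation
            acc = vec_scale(a[N - 1], vp[N - 1])
            for i in range(N - 1):
                acc = vec_add(acc, vec_add(v[i], vec_scale(a[i], vp[i])))
            v[N - 1] = [(-x) % P for x in acc]
        if rank_mod_p(v + vp) == (2 * N if a is None else 2 * N - 1):
            return list(zip(v, vp))

def enc_ind(x, R):
    """M_i = v_i + phi_i(x_i) v'_i, computable by each party from its own R_i."""
    return [vec_add(v, vec_scale(x[i], vp)) for i, (v, vp) in enumerate(R)]

def dec_ind(M):
    total = [0] * (2 * N)
    for m in M:
        total = vec_add(total, m)
    return 1 if not any(total) else 0

# --- Section 3.2: Pi_gind from Pi_ind plus pairwise independent g_i ---------------
def g_eval(desc, x):
    """g_{a,b}(x) = a*x + b over F_p, a pairwise independent family; desc = (a, b)."""
    return (desc[0] * x + desc[1]) % P

def gen_gind(a, v):
    """h = h_{a,v} when a is given (v != 0), otherwise the all-zero function."""
    R0 = gen_ind(a)
    descs = [(random.randrange(P), random.randrange(P)) for _ in range(N)]
    if a is not None:   # g_n with g_n(a_n) = v - sum_{i<n} g_i(a_i): slope stays uniform
        partial = sum(g_eval(descs[i], a[i]) for i in range(N - 1))
        slope = random.randrange(P)
        descs[N - 1] = (slope, (v - partial - slope * a[N - 1]) % P)
    return list(zip(R0, descs))

def enc_gind(x, R):
    M0 = enc_ind(x, [r0 for r0, _ in R])
    return [(M0[i], g_eval(desc, x[i])) for i, (_, desc) in enumerate(R)]

def dec_gind(M):
    return sum(vi for _, vi in M) % P if dec_ind([m0 for m0, _ in M]) else 0

# --- Section 3.3: arbitrary h : X -> F_p as a sum of generalized indicators -------
def gen_all(h):
    """One Pi_gind instance per input a (h_{a,h(a)}, or h_0 when h(a) = 0), stored in
    the order of a random permutation of X; R_i = {R_{i,b}}_{b in X}."""
    slots = list(h)
    random.shuffle(slots)
    per_slot = [gen_gind(a if h[a] else None, h[a]) for a in slots]
    return [[r[i] for r in per_slot] for i in range(N)]

def enc_all(x, R):
    return [enc_gind(x, [R[i][k] for i in range(N)]) for k in range(len(R[0]))]

def dec_all(M_slots):
    outs = [dec_gind(M) for M in M_slots]
    return next((val for val in outs if val), 0)

def run_all(h, x):
    """Whole protocol P(Pi)(h) on input x; returns what the output server decodes."""
    return dec_all(enc_all(x, gen_all(h)))
```

With $p = 7$ and $n = 3$, `gen_all` builds $|\mathcal{X}| = 343$ instances of $\Pi_{\mathrm{gind}}$, one per slot of the permuted table, which is the $\delta_{\mathrm{gind}} \cdot |\mathcal{X}|$ cost of Theorem 2.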
Theorem 3. Fix finite domains $\mathcal{X}_1, \ldots, \mathcal{X}_n$. Then there is an NIMPC protocol $\Pi_{\mathrm{ind}}$ for $\mathcal{H}_{\mathrm{ind}}$ with communication complexity $4 \cdot \lceil \log_2 d \rceil \cdot n$.
Proof: Correctness is obvious from the description of the offline preprocessing. Namely, $\sum_{i=1}^{n} (v_i + x'_i v'_i) = 0$ never happens for $(x'_1, \ldots, x'_n) \ne (a_1, \ldots, a_n)$. In fact, $\sum_{i=1}^{n} (v_i + a_i v'_i) = 0$ is the only possible solution, since the coefficient of $v_i$ is fixed to 1. Moreover, $\sum_{i=1}^{n} (v_i + x'_i v'_i) = 0$ never happens when $h = h_0$, since all $v_i, v'_i$ are linearly independent in this case.
To prove robustness, we describe a simulator $\mathrm{Sim}_T$: the simulator queries $h|_{\bar{T}, x_{\bar{T}}}$ on all possible inputs in $\mathcal{X}_T$. If all answers are zero, the simulator generates random independent vectors $v_i, v'_i$ (for $i \in T$) and $m_i$ (for $i \in \bar{T}$). Otherwise, there is an $\hat{x}_T \in \mathcal{X}_T$ such that $h|_{\bar{T}, x_{\bar{T}}}(\hat{x}_T) = 1$, and the simulator outputs random vectors such that $\sum_{i \in \bar{T}} m_i + \sum_{i \in T} (v_i + \phi_i(\hat{x}_i) v'_i) = 0$, and such that there are no linear relations other than $\sum_{i=1}^{n} c \cdot (v_i + \phi_i(\hat{x}_i) v'_i) = 0$ for $c \in \mathbb{F}$.
The communication complexity of the resulting protocol is $4 \cdot \lceil \log_2 d \rceil \cdot n$, since $R_i$ consists of $2 \cdot 2n$ elements of the finite field $\mathbb{F}$ with $|\mathbb{F}| \ge d$. $\square$
By combining Theorem 3 and Corollary 1, we obtain the following corollary.
Corollary 2. Fix finite domains $\mathcal{X}_1, \ldots, \mathcal{X}_n$ with $|\mathcal{X}_i| \le d$ for all $1 \le i \le n$, and let $\mathcal{X} \triangleq \mathcal{X}_1 \times \cdots \times \mathcal{X}_n$. Then there is an NIMPC protocol for $\mathcal{H}_{\mathrm{all}} : \mathcal{X} \to \{0,1\}^L$ with communication complexity at most $(4 \cdot \lceil \log_2 d \rceil \cdot n + \max(2L, L + \lceil \log_2 d \rceil)) \cdot |\mathcal{X}|$.
Let $\delta_{\mathrm{ind}}$ be the communication complexity of the underlying NIMPC for $\mathcal{H}_{\mathrm{ind}}$, and suppose, for the sake of simplicity, that $|\mathcal{X}_i| = 2^L$ for every $i \in [n]$. Then the communication complexity of the proposed NIMPC for $\mathcal{H}^L_{\mathrm{all}}$ becomes $(\delta_{\mathrm{ind}} + 2L) |\mathcal{X}|$, which is the most efficient among the existing NIMPCs for arbitrary functions constructed from NIMPC for the set of indicator functions, since the best known communication complexity of such NIMPC is $(\delta_{\mathrm{ind}} + L^2) |\mathcal{X}|$.
5 CONCLUSION
In this paper, we have presented a novel generic construction of NIMPC for the set of arbitrary functions $\mathcal{H}^L_{\mathrm{all}}$ from NIMPC for the set of indicator functions $\mathcal{H}_{\mathrm{ind}}$. The communication complexity of the resulting scheme is the smallest among NIMPC for arbitrary functions constructed from NIMPC for the set of indicator functions. Further, we have presented an NIMPC for the set of indicator functions with the smallest communication complexity known so far. By combining the proposed generic construction and the proposed NIMPC for $\mathcal{H}_{\mathrm{ind}}$, we have obtained a concrete NIMPC for arbitrary functions with communication complexity $(4 \cdot \lceil \log_2 d \rceil \cdot n + \max(2L, L + \lceil \log_2 d \rceil)) \cdot |\mathcal{X}|$. Compared to the most efficient NIMPC known so far (i.e., the NIMPC presented in (Agarwal et al., 2019)), the proposed NIMPC is less efficient, though the gap is as small as a factor of $4n + 2$.
Though the proposed construction is quite efficient with respect to communication complexity, there still remains a gap between the lower bound in (Yoshida and Obana, 2016) and our upper bound. Therefore, reducing this gap is a challenging direction for future work.
REFERENCES
Agarwal, N., Anand, S., and Prabhakaran, M. (2019). Uncovering algebraic structures in the MPC landscape. In Advances in Cryptology - EUROCRYPT 2019, Lecture Notes in Comput. Sci. 11477, pages 381–406. Springer Verlag.
Beimel, A., Gabizon, A., Ishai, Y., Kushilevitz, E., Meldgaard, S., and Paskin-Cherniavsky, A. (2014). Non-interactive secure multiparty computation. In Advances in Cryptology - CRYPTO 2014, Lecture Notes in Comput. Sci. 8617, pages 387–404. Springer Verlag.
Ben-Or, M., Goldwasser, S., and Wigderson, A. (1988). Completeness theorems for non-cryptographic fault-tolerant distributed computation. In The 20th Annual ACM Symposium on Theory of Computing (STOC '88), pages 1–10. ACM Press.
Chaum, D., Crépeau, C., and Damgård, I. (1988). Multiparty unconditionally secure protocols. In The 20th Annual ACM Symposium on Theory of Computing (STOC '88), pages 11–19. ACM Press.
Data, D., Prabhakaran, M., and Prabhakaran, V. (2014). On the communication complexity of secure computation. In Advances in Cryptology - CRYPTO 2014, Lecture Notes in Comput. Sci. 861, pages 199–216. Springer Verlag.
Halevi, S., Ishai, Y., Jain, A., Komargodski, I., Sahai, A., and Yogev, E. (2017). Non-interactive multiparty computation without correlated randomness. In Advances in Cryptology - Asiacrypt 2017, Part III, Lecture Notes in Comput. Sci. 10626, pages 181–211. Springer Verlag.
Halevi, S., Ishai, Y., Jain, A., Kushilevitz, E., and Rabin, T. (2016). Secure multiparty computation with general interaction patterns. In The 2016 ACM Conference on Innovations in Theoretical Computer Science, pages 157–168. ACM Press.
Hirt, M. and Tschudi, D. (2013). Efficient general-adversary multi-party computation. In Advances in Cryptology - Asiacrypt 2013, Part II, Lecture Notes in Comput. Sci. 8270, pages 181–200. Springer Verlag.
Obana, S. and Yoshida, M. (2016). An efficient construction of non-interactive secure multiparty computation. In The 15th International Conference on Cryptology and Network Security, CANS 2016, Lecture Notes in Comput. Sci. 10052, pages 604–614. Springer Verlag.
Vadhan, S. (2012). Pseudorandomness. Foundations and Trends in Theoretical Computer Science, vol. 7, no. 1–3, pages 1–336.
Yao, A. C. (1982). Protocols for secure computations. In The 23rd Annual Symposium on Foundations of Computer Science (FOCS '82), pages 160–164. IEEE.
Yoshida, M. and Obana, S. (2016). On the (in)efficiency of non-interactive secure multiparty computation. In The 18th Annual International Conference on Information Security and Cryptology, ICISC 2015, Lecture Notes in Comput. Sci. 9558, pages 185–93. Springer Verlag.