1 Introduction

A popular definition of two-party computation is that it enables two mutually distrusting parties to compute a joint function of their inputs while only revealing what the output suggests. However, the popular definition does not capture all the security requirements one may expect from such a computation. Among these requirements is fairness, which states that either both parties receive output or none of them do. It is a natural security requirement for many real-world tasks. For example, when two parties are signing a contract, the contents of which may be legally binding, it is imperative that one party signs the contract if and only if the second party signs as well.

The study of two-party computation started with the work of Yao [14] in 1982. Secure computation was expanded to the multiparty case by Goldreich, Micali, and Wigderson [10] in 1987. Flagship results from the theory of secure computation state that, when an absolute majority of honest parties can be guaranteed, every task can be realized with full security, i.e. the relevant protocols provide correctness, privacy, independence of inputs, as well as fairness. However, when the honest parties are in the minority, as it happens in the important two-party case, classic protocols satisfy a weaker notion of security known as security-with-abort, which captures all the aforementioned security requirements, except for fairness. This relaxation is often attributed to an inherent limitation that was shown by Cleve [7].

Cleve showed that fairness is impossible to achieve in general when one of the parties behaves dishonestly. Specifically, Cleve proved that the coin-tossing functionality, i.e the inputless functionality that returns the same uniform random bit to the parties, is not computable with fairness. His proof exploits the fact that interactive computation involves exchanging messages back and forth, and thus at some point one party may break fairness by aborting prematurely. It goes without saying that any function that implies coin-tossing is not computable with fairness either, as is the case with the XOR function.

Amazingly, for more than two decades, Cleve’s result led to the mistaken conclusion that interesting functions are not computable with fairness in the two-party setting, or in the multi-party setting with dishonest majority. Only in 2008 was this interpretation proven false by Gordon, Hazay, Katz and Lindell [11], who showed that Cleve’s impossibility does not apply to all non-trivial functions, and that there are many interesting functions that are inherently fair. The remarkable work of Gordon et al. begins by making a distinction between XOR-embedded (footnote 1) and non-XOR-embedded functions. Functions of the latter type, which include OR and the greater-than function, are shown to be fair. Yet XOR-embedded functions are not necessarily excluded from fully secure computation. Gordon et al. propose a specific protocol, referred to as GHKL throughout the present paper, that computes many XOR-embedded functions with full security. The authors also show that fair computation of XOR-embedded functions requires super-logarithmic round complexity.

In this paper, we focus on the fundamental question raised by Gordon, Hazay, Katz and Lindell: the characterization of functions with respect to fairness. In particular, we propose a methodology for designing fully secure protocols.

1.1 Previous Works

The problem of characterizing fairness is equivalent to identifying a necessary and sufficient condition for a given two-party function to be fair. There are thus two complementary ways to engage with the problem. The first one attempts to identify necessary conditions for fairness by means of impossibility results [1, 4, 7, 13]. The second one attempts to identify sufficient conditions by means of feasibility results, i.e. by proving fairness for explicit protocols [2, 3, 11, 13]. We mention that most of these works focus on fair computation of Boolean functions that are symmetric – the function returns the same output to both parties, deterministic – the output is fully determined by the inputs, and constant-domain – the function is independent of the security parameter. By abusing terminology, we refer to such functions simply as Boolean functions.

Necessary conditions can be traced back to Cleve’s seminal work [7]. In [1], Agrawal and Prabhakaran generalized the impossibility of coin-tossing to non-trivial sampling functionalities, that is, inputless functionalities that return statistically correlated outputs are not computable with fairness. Asharov, Lindell, and Rabin [4] investigated the problem of characterizing Boolean functions that imply coin-tossing, and are thus inherently unfair. They showed that certain functions, dubbed balanced, can be used to toss a uniform random coin. Conversely, they found that coin-tossing is not reducible to any unbalanced function in the information-theoretic sense. Boolean functions that imply non-trivial sampling were identified by Makriyannis [13], who expanded the class of Boolean functions that are known to be unfair.

Regarding sufficient criteria, Gordon, Hazay, Katz and Lindell laid the foundation with [11], and all subsequent papers [2, 3, 13] on the topic are based on the GHKL protocol. By digging deep into the security analysis of the GHKL protocol, Asharov [2] deduced sufficient conditions for the protocol to compute functions with full security. Furthermore, the author showed that almost all Boolean functions with unequal-size domains satisfy these conditions, and thus a surprisingly large amount of functions are fair. Sufficient conditions for GHKL were also deduced independently by Makriyannis in [13].

Recently, Asharov, Beimel, Makriyannis and Omri [3] showed that a counter-intuitive modification of GHKL allows for the complete characterization of all Boolean functions. The characterization states that a Boolean function is computable with full security if and only if the all-one vector or the all-zero vector belong to the affine span of either the rows or the columns of the matrix describing the function. Remarkably, the characterization extends to randomized Boolean functions as well as multiparty Boolean functions when exactly half of the parties are corrupted.

Finally, we mention that Gordon and Katz [12] constructed a fully secure three-party protocol for the majority function and an n-party protocol for the AND of n bits.

Limits of the GHKL Approach. While significant progress has been made towards characterizing fairness in secure computation, we argue that the methods that appear in the literature have reached their limits in terms of usefulness. Specifically, regarding the design of fully secure protocols for arbitrary functions, the “standard” approach of generalizing and modifying GHKL to extract sufficient conditions seems to offer few gains. Even for the limited case of Boolean functions that are not symmetric, straightforward generalizations of GHKL are either function-specific, i.e. the resulting protocol is tailored to a specific function, or the protocol computes a family of functions whose description is rather mysterious and artificial. Arguably, the present state of affairs calls for a systematic analysis of fair protocols.

1.2 Our Contributions

In this paper, we propose a framework for designing fully secure protocols. To this end, we introduce two new conceptual tools, referred to as locking strategies and sampling attacks, which are inspired by the impossibility results of [1, 4, 7, 13]. Our investigation naturally leads to a new security notion that we call security against sampling attacks; a strictly weaker notion than fairness and therefore a necessary requirement for fair protocols. An appealing feature of the proposed security notion is that it bypasses lower bounds on fairness. Specifically, as was shown by Gordon et al. [11], fair functions may require computation in super-logarithmic round-complexity. In contrast, security against sampling attacks seems to be achievable in a constant number of rounds for the same functions. What’s more, security against sampling attacks can be efficiently tested via a collection of linear-algebraic properties. The appeal of our approach is further strengthened by our main result, stated next.

We propose a generic construction that transforms any protocol that is constant-round, passively secure, and secure against sampling attacks into a fully-secure protocol. In the spirit of GHKL, this is achieved by introducing a special threshold round \(i^*\). Our main result may be viewed as a framework for designing fair protocols, and we believe that it demystifies the “standard” approach that appears in the literature. What’s more, it applies to any constant-domain two-party function (i.e. randomized, asymmetric and non-Boolean). Our main result is stated informally below.

Theorem 1.1

(informal). A two-party function is fair if and only if it admits a suitable protocol that is secure against sampling attacks.

Our techniques show the existence of a fair non-Boolean function where both parties have the same number of inputs. We stress that previous results [2] on non-Boolean functions only applied to functions where one party has at least twice as many inputs as the other.

Theorem 1.2

(informal). The non-Boolean function described by the matrix below is computable with full security.

figure a

Next, we propose an algorithm for designing suitable protocols (constant-round, passively secure, secure against sampling attacks). Our algorithm takes an asymmetric Boolean function as input, and it either returns an appropriate protocol, or it reports that it failed to do so. The algorithm is accompanied by a proof of correctness. In Sect. 5.3, we show how our algorithm handles the asymmetric function that was suggested as an open problem in [3], and we prove that it is fair.

Theorem 1.3

(informal). The function from [3] described by the matrices below is computable with full security.

figure b

Unfortunately, our methods do not settle the characterization of constant-domain two-party functions, even for the asymmetric Boolean case. That being said, we believe that the questions that are left unanswered may be as interesting as the results themselves. Specifically, for a function that lies in the gap, we show that it is computable with fairness as long as privacy is relaxed.

Theorem 1.4

(informal). The function described by the matrices below admits a protocol that is fair-but-not-private.

figure c

We emphasize that the function in question may still be computable with full security. However, we believe that our present analysis together with the theorem above strongly indicate that there is an inherent trade-off between fairness and privacy. To the best of our knowledge, the literature does not entertain the idea that fairness and privacy may be attainable only at the expense of one another; the two notions might as well be incomparable.

Organization of the Paper. After recalling some preliminaries in Sect. 2, we introduce locking strategies and sampling attacks in Sect. 3. Section 4 is dedicated to our main result and its proof. In Sect. 5, we show how to obtain suitable protocols by means of the algorithm mentioned above. Finally, open problems and future directions are discussed in Sect. 6.

For clarity, and to alleviate notation, we have decided to restrict our analysis to the family of asymmetric (possibly randomized) Boolean functions. We emphasize that, with the exception of Sect. 5, our results generalize to arbitrary non-Boolean functions. While the generalization is not straightforward, it is beyond the scope of the present abstract. We refer to the full version [8] for the general case.

2 Preliminaries

Throughout this paper, n denotes the security parameter and \(\mathbb {N}\) denotes the set of positive integers. All vectors are column vectors over the real field \(\mathbb {R}\). Vectors are denoted using bold letters, e.g. \(\mathbf {v}\), \(\mathbf {1}\) (the all-one vector). The i-th entry of some vector \(\mathbf {v}\) is denoted \(\mathbf {v}(i)\). If \(\mathbf {v}_1,\ldots , \mathbf {v}_s\) denotes a family of vectors, then \(\left\langle \mathbf {v}_1,\ldots , \mathbf {v}_s\right\rangle \) denotes the vector space generated by those vectors, and let \(\left\langle \mathbf {v}_i \,|\, \mathbf {v}_j\right\rangle =\mathbf {v}_i^T\mathbf {v}_j\). Matrices are denoted with capital letters, e.g. M, P. The i-th row and j-th column of some matrix M are denoted \(\left[ M\right] _{i,*}\) and \(\left[ M\right] _{*,j}\), respectively. Furthermore, the element indexed by (i, j) in M is denoted M(i, j).

Definition 2.1

Let A and B be arbitrary matrices. We write \(C=A*B\) if C is equal to the entry-wise (Hadamard) product of the two matrices, i.e. \(C(i,j)=A(i,j)\cdot B(i,j)\).

Finally, if \(\mathcal {X}\) and \(\mathcal {Y}\) denote distribution ensembles, we write \(\mathcal {X}=\mathcal {Y}\), \(\mathcal {X}\overset{s}{\equiv }\mathcal {Y}\) and \(\mathcal {X}\overset{c}{\equiv }\mathcal {Y}\), respectively, if the ensembles are perfectly, statistically or computationally indistinguishable.

2.1 Secure Two-Party Computation

Let \(P_1\) and \(P_2\) denote the parties. A two-party function \(f=(f_1,f_2)\) is a random process that maps pairs of inputs (one for each party) to pairs of random variables called outputs (again, one for each party). The domain of f is denoted \(X\times Y\). For our purposes, we assume that \(X=\{1,\ldots , \ell \}\), \(Y=\{1,\ldots , k\}\) and the parties’ outputs are sampled from \(\{0,1\}^2\). To every function f, we associate four matrices \(\{M^{(a,b)}\}_{a,b\in \{0,1\}}\) such that

$$\begin{aligned} M^{(a,b)}(x,y)=\mathrm {Pr}\left[ f(x,y)=(a,b)\right] . \end{aligned}$$

In addition, define \(M^{(1,*)}\) and \(M^{(*,1)}\), associated with \(f_1\) and \(f_2\) respectively, such that \(M^{(1,*)}(x,y)=\mathrm {Pr}\left[ f_1(x,y)=1\right] \) and \(M^{(*,1)}(x,y)=\mathrm {Pr}\left[ f_2(x,y)=1\right] \). A two-party protocol \(\varPi \) for computing f is a polynomial-time protocol such that, on global input \(1^n\) (the security parameter) and private inputs \(x\in X\), \(y\in Y\), the joint distribution of the outputs \(\{\varPi (1^n,x,y)\}_n\) is statistically close to \((f_1,f_2)(x,y)\), assuming both parties behave honestly. The parties run in polynomial-time in n.

The Adversary. We introduce an adversary \(\mathcal {A}\) given auxiliary input \(z\in \{0,1\}^*\) corrupting one of the parties. We assume the adversary is computationally bounded and malicious, i.e. the adversary runs in polynomial-time in n and she may instruct the corrupted party to deviate from the protocol arbitrarily. Write \((\mathsf {out},\mathsf {view})_{\mathcal {A}(z),\varPi }^{\mathsf {Real}}\) for the pair consisting of the honest party’s output and the adversary’s view in an execution of protocol \(\varPi \). Next, we define security in terms of the ideal model.

Let \(\mathcal {S}\) denote the ideal-world adversary. Write \((\mathsf {out},\mathsf {view})_{\mathcal {S}(z),f}^{\mathsf {Ideal}}\) for the pair consisting of the honest party’s output and the adversary’s view in the ideal model (Fig. 1).

Definition 2.2

Let \(\varPi \) be a protocol for computing f. We say that \(\varPi \) is fully secure if for every non-uniform polynomial time adversary \(\mathcal {A}\) in the real model, there exists a non-uniform polynomial time adversary \(\mathcal {S}\) in the ideal model such that

$$\begin{aligned}&\left\{ (\mathsf {out},\mathsf {view})_{\mathcal {A}(z),\varPi }^{\mathsf {Real}}(1^{n},x,y)\right\} _{n\in \mathbb {N},(x,y)\in X\times Y, z\in \{0,1\}^*}\\ {}&\qquad \qquad \qquad \quad \overset{c}{\equiv }\left\{ (\mathsf {out},\mathsf {view})_{\mathcal {S}(z),f}^{\mathsf {Ideal}}(1^{n},x,y)\right\} _{n\in \mathbb {N},(x,y)\in X\times Y,z\in \{0,1\}^*}. \end{aligned}$$
Fig. 1. The ideal model with full-security for computing f.

It is important to note that the only way for the ideal-world adversary to affect the honest party’s output is through the choice of input. Finally, we remark that the fully-secure model is the standard model for the honest-majority multi-party setting.

The Hybrid Model. The hybrid model with ideal access to \(\mathcal {F}\) is a communication model where the parties have access to a trusted party computing some functionality \(\mathcal {F}\) with full security. In this model, the parties communicate as in the plain model and they are allowed to make a single call to the trusted party for computing \(\mathcal {F}\). Protocols and security for this communication model are defined along the same lines as above. By [6], as long as \(\mathcal {F}\) admits a secure real-world protocol, the existence of a secure hybrid protocol for f implies the existence of a secure protocol for f in the real model. By contraposition, if f cannot be realized securely, then the existence of a secure protocol for f in the hybrid model implies the impossibility of realizing \(\mathcal {F}\) securely in the real model.

The Dealer Model. Throughout the paper, we define protocols by describing the number of rounds r(n) and the backup outputs \(\{a_i\}_{i=0}^{r}\) for \(P_1\) and \(\{b_i\}_{i=0}^{r}\) for \(P_2\). When executing a protocol, the parties hand their inputs to an entity called the dealer. In turn, the dealer performs all the computations and hands the relevant backup outputs to \(P_1\) and then \(P_2\) in a sequence of r(n) iterations. Either party may abort the execution at any time and the protocol terminates at that point. The remaining party is instructed to output the last backup output he received. This approach is known as the online dealer model, and it does not incur any loss of generality as there is a standard transformation from the online dealer model to the plain model [2, 3, 5]. The online dealer model is convenient in that it provides clarity to our presentation and it greatly simplifies the security analysis.

3 Locking Strategies and Sampling Attacks

In this section, we introduce the notions of locking strategies and sampling attacks. To motivate our discussion, we use specific functions from the literature as illustrative examples. Namely, the XOR function encoded by matrices

$$\begin{aligned} M^{(1,*)}=M^{(*,1)}=\begin{pmatrix}0 &{} 1 \\ 1 &{} 0\end{pmatrix}, \end{aligned}$$

the function \(f^\mathsf {nm}\) from [13] encoded by matrices

$$\begin{aligned} M^{(1,*)}=M^{(*,1)}=\begin{pmatrix}0 &{}1&{} 0&{} 1\\ 1 &{}1 &{}1 &{}0\\ 0 &{}0&{} 1&{} 0\\ 1 &{}0 &{}0 &{}0 \end{pmatrix}, \end{aligned}$$

the function \(f^{\mathsf {sp}}\) from [3] encoded by matrices

$$\begin{aligned} M^{(1,*)}=\begin{pmatrix}1 &{}1&{} 1&{} 0\\ 0 &{}0 &{}0 &{}1\\ 1 &{}0&{} 0&{} 1\\ 0 &{}1 &{}0 &{}1\end{pmatrix} \;, \quad M^{(*,1)}=\begin{pmatrix}1 &{}0&{} 1&{} 0\\ 1 &{}0 &{}0 &{}1\\ 1 &{}0&{} 0&{} 0\\ 0 &{}1 &{}1 &{}1\end{pmatrix}. \end{aligned}$$

We remark that since the functions above are deterministic, the corresponding matrices fully describe these functions. In addition, we note that \(f^{\mathsf {sp}}\) is computable with fairness [3], while XOR and \(f^\mathsf {nm}\) are not [7, 13]. Next, we briefly discuss why that is the case.

3.1 Warm-Up

It is not hard to see that a fully-secure realization of XOR yields a fully-secure coin-toss. Indeed, by instructing the parties to choose their inputs uniformly at random, the output from a fully-secure computation of XOR is uniformly distributed, even in the presence of malicious adversaries. A slightly more involved procedure allows the parties to sample correlated bits, using a fully-secure protocol for \(f^\mathsf {nm}\). Indeed, instruct \(P_1\) to choose his input among \(\{x_1,x_3,x_4\}\) with uniform probability, and instruct \(P_2\) to choose \(y_4\) with probability 2/5 or one of his other inputs with probability 1/5 each. Let c denote the output from the computation of \(f^\mathsf {nm}\). Party \(P_1\) outputs c, and party \(P_2\) outputs \(1-c\) if he chose \(y_2\) and c otherwise.

For us, it is important to note that the procedures described above are encoded by certain vectors. For XOR, these vectors are (1/2, 1/2) for \(P_1\) and (1/2, 1/2) for \(P_2\). For \(f^\mathsf {nm}\), they are (1/3, 0, 1/3, 1/3) for \(P_1\) and \((1/5,-1/5,1/5,2/5)\) for \(P_2\). To elaborate further, each vector instructs the relevant party how to choose its input (by taking the absolute value) and whether to flip the output from the computation of the function (negative values indicate that the party must flip the output). Observe that

$$\begin{aligned} (1/2,1/2)\cdot \begin{pmatrix} 0 &{} 1 \\ 1 &{} 0 \end{pmatrix} \in \langle \mathbf {1}_2^T\rangle , \qquad \begin{pmatrix} 0 &{} 1 \\ 1 &{} 0 \end{pmatrix} \begin{pmatrix} 1/2 \\ 1/2 \end{pmatrix} \in \langle \mathbf {1}_2 \rangle , \end{aligned}$$

and

$$\begin{aligned} (1/3,0,1/3,1/3) \begin{pmatrix}0 &{}1&{} 0&{} 1\\ 1 &{}1 &{}1 &{}0\\ 0 &{}0&{} 1&{} 0\\ 1 &{}0 &{}0 &{}0 \end{pmatrix} \in \langle \mathbf {1}_4^T\rangle ,\qquad \begin{pmatrix} 0 &{}1&{} 0&{} 1\\ 1 &{}1 &{}1 &{}0\\ 0 &{}0&{} 1&{} 0\\ 1 &{}0 &{}0 &{}0 \end{pmatrix} \cdot \begin{pmatrix} 1/5 \\ -1/5 \\ 1/5 \\ 2/5 \end{pmatrix} \in \left\langle \mathbf {1}_4\right\rangle . \end{aligned}$$

The relations above capture the fact that the procedure encoded by the vector yields an output whose distribution is independent of the opponent’s input, i.e. \(P_i\)’s output resulting from the procedure is independent of \(P_{3-i}\)’s choice of input, assuming the underlying function is computed with full security. It is straightforward to check that the parties’ outputs exhibit statistical correlation, and thus the functions in question are not computable with full-security, by [1, 7].

On the other hand, it is interesting to note that similar vectors and procedures can be defined for function \(f^{\mathsf {sp}}\). Specifically, observe that

$$\begin{aligned} (1/2,1/2,0,0)\begin{pmatrix}1 &{}1&{} 1&{} 0\\ 0 &{}0 &{}0 &{}1\\ 1 &{}0&{} 0&{} 1\\ 0 &{}1 &{}0 &{}1\end{pmatrix}\in \langle \mathbf {1}_4^T\rangle \;,\qquad \begin{pmatrix}1 &{}0&{} 1&{} 0\\ 1 &{}0 &{}0 &{}1\\ 1 &{}0&{} 0&{} 0\\ 0 &{}1 &{}1 &{}1\end{pmatrix}\cdot \begin{pmatrix}1/2 \\ 1/2 \\ 0 \\ 0\end{pmatrix}\in \left\langle \mathbf {1}_4\right\rangle . \end{aligned}$$

In more detail, by choosing one of their first two inputs uniformly at random, the outputs from a fully-secure computation of \(f^{\mathsf {sp}}\) are uniformly random, even in the presence of malicious adversaries. However, contrary to the previous cases, the parties’ outputs are independent as random variables.

3.2 Locking Strategies

For an arbitrary function f, let \(\mathcal {L}_2\) denote a basis of the vector space consisting of all vectors \(\mathbf {y}\) such that \(M^{(*,1)} \cdot \mathbf {y}\in \left\langle \mathbf {1}_\ell \right\rangle \). Similarly, let \(\mathcal {L}_1\) denote a basis of the vector space consisting of all vectors \(\mathbf {x}\) such that \(M^{(1,*)T} \cdot \mathbf {x}\in \left\langle \mathbf {1}_k\right\rangle \).

Definition 3.1

Elements of \(\left\langle \mathcal {L}_1\right\rangle \) and \(\left\langle \mathcal {L}_2\right\rangle \) are referred to as locking strategies for \(P_1\) and \(P_2\), respectively.

As discussed above, a locking strategy (after normalization) encodes a distribution over the inputs and a local transformation that depends on the chosen input. Since \(M^{(*,1)} \cdot \mathbf {y}\in \left\langle \mathbf {1}_\ell \right\rangle \) and \(M^{(1,*)T} \cdot \mathbf {x}\in \left\langle \mathbf {1}_k\right\rangle \), it follows that the parties’ outputs resulting from the locking strategies are independent of each other’s inputs, assuming ideal access to f. In loose terms, a party applying some locking strategy “locks” the distribution of its output.

For us, it is important to note that fully-secure protocols “preserve” locking strategies, even in the presence of malicious adversaries. Specifically, the distribution of the honest party’s output resulting from some locking strategy is independent of the adversary’s course of action (e.g. premature abort). We elaborate on this point next.

3.3 Sampling Attacks

Consider the following single-round protocol for \(f^{\mathsf {sp}}=(f_1,f_2)\) defined by means of the backup outputs \(\{a_i,b_i\}_{i=0,1}\):

$$\begin{aligned} \begin{array}{l@{\qquad }l} a_0=f_1(x,\widetilde{y})\;\text {where } \widetilde{y}\in _U Y &{} b_0=f_2( \widetilde{x},y)\;\text {where } \widetilde{x}\in _U X \\ a_1=f_1(x,y) &{} b_1=f_2( x,y) \end{array} \end{aligned}$$

Suppose that party \(P_2\) applies locking strategy \(\mathbf {y}=(1/2,1/2,0,0)^T\). Notice that in an honest execution of \(\varPi \), party \(P_2\) outputs a uniform random bit. Now, suppose that an adversary corrupting \(P_1\) uses \(x_3\) for the computation, and aborts the computation prematurely if \(a_1=0\) (in that case \(P_2\) outputs \(b_0\)). Deduce that the honest party outputs 1 with probability 3/4, and thus the protocol is not fully-secure.

On the other hand, consider the following two-round protocol \(\varPi ^{\mathsf {sp}}\) for \(f^{\mathsf {sp}}\) defined by means of the backup outputs \(\{a_i,b_i\}_{i=0\ldots 2}\):

$$\begin{aligned} \begin{array}{l@{\qquad }l@{\qquad }l} a_0=f_1(x,\widetilde{y})\;\text {where } \widetilde{y}\in _U Y &{} b_0=f_2( \widetilde{x},y)\;\text {where } \widetilde{x}\in _U X \\ a_1={\left\{ \begin{array}{ll}f_1(x,y) &{} \text {if } x\in \{x_1,x_2\} \\ f_1(x,\widetilde{y}')\;\text {where } \widetilde{y}'\in _U Y &{} \text {if } x\in \{x_3,x_4\} \end{array}\right. } \qquad &{} b_1=f_2( x,y) \\ a_2=f_1(x,y) &{} b_2=f_2( x,y) \end{array} \end{aligned}$$

Already, we see that the attack described above will not work for this protocol. In fact, a straightforward analysis shows that it is impossible to alter the distribution of the honest party’s output resulting from a locking strategy, both for \(P_1\) and \(P_2\). To see that, let \(\widehat{b}_j\) (resp. \(\widehat{a}_j\)) denote the bit obtained from \(b_j\) (resp. \(a_j\)) by applying some locking strategy, and observe that the random variables \(\widehat{b}_{i-1}\) and \(\widehat{b}_2\) (resp. \(\widehat{a}_i\) and \(\widehat{a}_2\)) conditioned on the adversary’s view at round i are identically distributed. For similar attacks on arbitrary protocols and functions, security is captured by the definition below.

Definition 3.2

Let \(\varPi \) be an arbitrary protocol defined by means of its backup outputs \(\{a_i,b_i\}_{i\in \{0,\ldots , r\}}\). We say that \(\varPi \) is secure against sampling attacks if

  • for every \(i\le r\), for every \(x\in X\), for every \(\mathbf {y}\in \left\langle \mathcal {L}_2\right\rangle \), it holds that the random sequences \((a_{0},\ldots , a_{i},\widehat{b}_{i-1})\) and \((a_{0},\ldots , a_{i},\widehat{b}_{r})\) are statistically close.

  • for every \(i\le r\), for every \(y\in Y\), for every \(\mathbf {x}\in \left\langle \mathcal {L}_1\right\rangle \), it holds that the random sequences \((b_{1},\ldots , b_{i},\widehat{a}_{i})\) and \((b_{1},\ldots , b_{i},\widehat{a}_{r})\) are statistically close.

Remark 3.3

Rather awkwardly, we define security against sampling attacks without defining sampling attacks. For the purposes of the present abstract, sampling attacks are simply fail-stop attacks with the intent of altering the distribution of the honest party’s output resulting from some locking strategy. Furthermore, we note that Definition 3.2 is information-theoretic. We remark that this is probably too strong. However, since the protocols we will consider are constant-round, it does not affect our analysis.

3.3.1 Sampling Attacks in Linear-Algebraic Terms

In this section, we show how security against sampling attacks can be expressed in linear-algebraic terms. First, we define closeness for vectors. Let \(\{\mathbf {v}_n\}_{n\in \mathbb {N}}\) and \(\{\mathbf {u}_n\}_{n\in \mathbb {N}}\) denote two families of vectors indexed by \(\mathbb {N}\). We say that \(\mathbf {v}_n\) is close to \(\mathbf {u}_n\) if \(\Vert \mathbf {u}_n-\mathbf {v}_n\Vert \le \mathsf {negl}(n)\). By abusing notation, we write \(\mathbf {u}_n\overset{s}{\equiv } \mathbf {v}_n \) if the vectors are close.

Definition 3.4

For every \(i\le r\), for every \(\vec {\alpha }_{i}=(\alpha _{1},\ldots , \alpha _{i})\in \{0,1\}^{i}\), and every \(\beta \in \{0,1\}\), define matrices \(B_-^{(\vec {\alpha }_{i},\beta )}\), \(B_+^{(\vec {\alpha }_{i},\beta )} \in \mathbb {R}^{\ell \times k}\) such that

$$\begin{aligned} B_-^{(\vec {\alpha }_{i},\beta )}(x,y)&=\mathrm {Pr}\left[ (\vec {a}_{i},b_{i-1} )(x,y)=(\vec {\alpha }_{i},\beta ) \right] \\ B_+^{(\vec {\alpha }_{i},\beta )}(x,y)&=\mathrm {Pr}\left[ (\vec {a}_{i},b_{r} )(x,y)=(\vec {\alpha }_{i},\beta ) \right] . \end{aligned}$$

Similarly, for every \(\vec {\beta }_{i}=(\beta _{1},\ldots , \beta _{i})\in \{0,1\}^{i}\) and every \(\alpha \in \{0,1\}\) define matrices \(A_-^{(\alpha , \vec {\beta }_{i})}\), \(A_+^{(\alpha , \vec {\beta }_{i})} \in \mathbb {R}^{\ell \times k}\) such that

$$\begin{aligned} A_-^{(\alpha , \vec {\beta }_{i})}(x,y)&=\mathrm {Pr}\left[ ( a_{i},\vec {b}_{i} )(x,y)=(\alpha ,\vec {\beta }_{i}) \right] \\ A_+^{(\alpha , \vec {\beta }_{i})}(x,y)&=\mathrm {Pr}\left[ ( a_{r},\vec {b}_{i} )(x,y)=(\alpha ,\vec {\beta }_{i}) \right] . \end{aligned}$$

Proposition 3.5

Protocol \(\varPi \) is secure against sampling attacks if and only if

  • for every \(\mathbf {y}\in \left\langle \mathcal {L}_2\right\rangle \), for every \(i\le r\), for every \(\vec {\alpha }_{i}\in \{0,1\}^{i}\), the vector below is close to \(\mathbf {0}_\ell \).

    $$\begin{aligned} \left( B_+^{(\vec {\alpha }_{i},1)}-B_-^{(\vec {\alpha }_{i},1)} \right) \cdot \mathbf {y}. \end{aligned}$$
    (1)
  • for every \(\mathbf {x}\in \left\langle \mathcal {L}_1\right\rangle \), for every \(i\le r\), for every \(\vec {\beta }_{i}\in \{0,1\}^{i}\), the vector below is close to \(\mathbf {0}_k\).

    $$\begin{aligned} \left( A_+^{(1, \vec {\beta }_{i})T}-A_-^{(1, \vec {\beta }_{i})T} \right) \cdot \mathbf {x}. \end{aligned}$$
    (2)

For example, for protocol \(\varPi ^{\mathsf {sp}}\), the distributions of \((a_1,b_0)\) and \((a_1,b_2)\) are given by the following matrices.

$$\begin{aligned} B_-^{(0,1)}=\begin{pmatrix}0 &{} 0 &{} 0 &{} 1/2\\ 3/4 &{} 1/4 &{} 1/2 &{} 0 \\ 3/8 &{} 1/8 &{} 1/4 &{} 1/4\\ 3/8 &{} 1/8 &{} 1/4 &{} 1/4\end{pmatrix} ,\qquad&B_+^{(0,1)}=\begin{pmatrix}0 &{} 0 &{} 0 &{} 0\\ 1 &{} 0 &{} 0 &{} 0 \\ 1/2 &{} 0&{} 0 &{} 0\\ 0 &{} 1/2 &{} 1/2 &{} 1/2\end{pmatrix} \\ B_-^{(1,1)}=\begin{pmatrix}3/4 &{} 1/4 &{} 1/2 &{} 0 \\ 0 &{} 0 &{} 0 &{} 1/2\\ 3/8 &{} 1/8 &{} 1/4 &{} 1/4\\ 3/8 &{} 1/8 &{} 1/4 &{} 1/4\end{pmatrix} ,\qquad&B_+^{(1,1)}=\begin{pmatrix}1 &{} 0 &{} 1 &{} 0\\ 0 &{} 0 &{} 0 &{} 1 \\ 1/2 &{} 0&{} 0 &{} 0\\ 0 &{} 1/2 &{} 1/2 &{} 1/2\end{pmatrix}. \end{aligned}$$

Similarly, the distributions of \((a_1,b_1)\) and \((a_2,b_1)\) are given by the following matrices.

$$\begin{aligned} A_-^{(0,1)}=\begin{pmatrix}0 &{} 1 &{} 0 &{} 0\\ 0 &{} 0 &{} 0 &{} 0 \\ 0 &{} 1/2 &{} 1/2 &{} 1/2\\ 1/2 &{} 0 &{} 0 &{} 0\end{pmatrix} ,\qquad&A_+^{(0,1)}=\begin{pmatrix}0 &{} 1 &{} 0 &{} 0\\ 0 &{} 0 &{} 0 &{} 0 \\ 0 &{} 0 &{} 0 &{} 1\\ 0 &{} 0 &{} 0 &{} 0\end{pmatrix} \\ A_-^{(1,1)}= \begin{pmatrix}1 &{} 0 &{} 1 &{} 0\\ 0 &{} 0 &{} 0 &{} 1 \\ 1/2 &{} 0&{} 0 &{} 0\\ 0 &{} 1/2 &{} 1/2 &{} 1/2\end{pmatrix},\qquad&A_+^{(1,1)}=\begin{pmatrix}1 &{} 0 &{} 1 &{} 0\\ 0 &{} 0 &{} 0 &{} 1 \\ 1 &{} 0&{} 0 &{} 0\\ 0 &{} 1 &{} 0 &{} 1\end{pmatrix}. \end{aligned}$$

Notice that the matrices above satisfy Proposition 3.5.
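The following is an added example, not code from the paper: it models the single-round protocol and \(\varPi ^{\mathsf {sp}}\) of Sect. 3.3 in the online dealer model, computes the locking strategies of Sect. 3.2 as rational null spaces (recovering the \(f^\mathsf {nm}\) vector of Sect. 3.1 up to scaling), and evaluates the vectors (1) and (2) of Proposition 3.5 for every basis vector, round and transcript prefix. It assumes the indexing \(x_1,\ldots ,x_4\mapsto 0,\ldots ,3\), conditions on \((a_0,\ldots ,a_i)\) as in Definition 3.2, and all function names are its own.

```python
"""Added example (not from the paper): a mechanical check of Proposition 3.5
for the two online-dealer protocols of Sect. 3.3, with the locking strategies
of Sect. 3.2 computed as rational null spaces. Inputs x1..x4, y1..y4 -> 0..3."""
from fractions import Fraction as Fr
from functools import lru_cache
from itertools import product

# f^sp from [3]: M1[x][y] = Pr[f_1(x,y) = 1], M2[x][y] = Pr[f_2(x,y) = 1].
M1 = [[1, 1, 1, 0], [0, 0, 0, 1], [1, 0, 0, 1], [0, 1, 0, 1]]
M2 = [[1, 0, 1, 0], [1, 0, 0, 1], [1, 0, 0, 0], [0, 1, 1, 1]]
# f^nm from [13] (symmetric), used only to recover the vector of Sect. 3.1.
M_NM = [[0, 1, 0, 1], [1, 1, 1, 0], [0, 0, 1, 0], [1, 0, 0, 0]]
L, K = len(M1), len(M1[0])  # ell = |X|, k = |Y|

def one_round(x, y, yt, xt, yt2):
    """Single-round protocol of Sect. 3.3: ((a_0, a_1), (b_0, b_1))."""
    return (M1[x][yt], M1[x][y]), (M2[xt][y], M2[x][y])

def pi_sp(x, y, yt, xt, yt2):
    """Two-round Pi^sp: a_1 is a dummy (fresh y~') when x is x3 or x4."""
    a1 = M1[x][y] if x in (0, 1) else M1[x][yt2]
    return (M1[x][yt], a1, M1[x][y]), (M2[xt][y], M2[x][y], M2[x][y])

@lru_cache(maxsize=None)
def backup_dist(proto, x, y):
    """Joint distribution of ((a_0..a_r), (b_0..b_r)) on inputs (x, y),
    obtained by enumerating the dealer's uniform choices y~, x~, y~'."""
    dist = {}
    for yt, xt, yt2 in product(range(K), range(L), range(K)):
        key = proto(x, y, yt, xt, yt2)
        dist[key] = dist.get(key, Fr(0)) + Fr(1, K * L * K)
    return dist

def prob(dist, a_idx, a_val, b_idx, b_val):
    """Pr[a_j = a_val[n] for j = a_idx[n]] jointly with the same for b."""
    return sum(p for (a, b), p in dist.items()
               if all(a[j] == v for j, v in zip(a_idx, a_val))
               and all(b[j] == v for j, v in zip(b_idx, b_val)))

def matrix(proto, a_idx, a_val, b_idx, b_val):
    """ell x k matrix of that probability, one entry per input pair; e.g.
    matrix(pi_sp, [1], (0,), [0], (1,)) is B_-^{(0,1)} of Definition 3.4."""
    return [[prob(backup_dist(proto, x, y), a_idx, a_val, b_idx, b_val)
             for y in range(K)] for x in range(L)]

def nullspace(rows):
    """Basis of {v : rows v = 0} over the rationals (Gauss-Jordan)."""
    m = [[Fr(v) for v in row] for row in rows]
    n, pivots, r = len(m[0]), [], 0
    for c in range(n):
        piv = next((i for i in range(r, len(m)) if m[i][c] != 0), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        m[r] = [v / m[r][c] for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c] != 0:
                m[i] = [a - m[i][c] * b for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    basis = []
    for free in (c for c in range(n) if c not in pivots):
        v = [Fr(0)] * n
        v[free] = Fr(1)
        for i, c in enumerate(pivots):
            v[c] = -m[i][free]
        basis.append(v)
    return basis

def transpose(M):
    return [list(col) for col in zip(*M)]

def matvec(M, v):
    return [sum(a * b for a, b in zip(row, v)) for row in M]

def locking_strategies(M):
    """Basis of {v : M v in <1>}: null space of [M | -1] projected on v.
    For M2 this is <L_2>; for M1^T it is <L_1> (unnormalised vectors)."""
    return [v[:-1] for v in nullspace([row + [-1] for row in M])]

def sampling_attack_defect(proto, r):
    """Largest |entry| of the vectors (1) and (2) of Proposition 3.5 over
    all basis locking strategies (enough, by linearity), rounds i and
    prefixes; 0 means the protocol is secure against sampling attacks."""
    worst = Fr(0)
    # (1): corrupted P1 aborts after seeing a_0..a_i; honest P2 applies y.
    for y in locking_strategies(M2):
        for i in range(1, r + 1):
            for alpha in product((0, 1), repeat=i + 1):
                a_idx = list(range(i + 1))
                b_minus = matvec(matrix(proto, a_idx, alpha, [i - 1], (1,)), y)
                b_plus = matvec(matrix(proto, a_idx, alpha, [r], (1,)), y)
                worst = max(worst, *(abs(p - q) for p, q in zip(b_plus, b_minus)))
    # (2): corrupted P2 aborts after seeing b_1..b_i; honest P1 applies x.
    for x in locking_strategies(transpose(M1)):
        for i in range(r):
            for beta in product((0, 1), repeat=i):
                b_idx = list(range(1, i + 1))
                a_minus = matvec(transpose(matrix(proto, [i], (1,), b_idx, beta)), x)
                a_plus = matvec(transpose(matrix(proto, [r], (1,), b_idx, beta)), x)
                worst = max(worst, *(abs(p - q) for p, q in zip(a_plus, a_minus)))
    return worst
```

`sampling_attack_defect(one_round, 1)` is nonzero, matching the attack on the single-round protocol, while `sampling_attack_defect(pi_sp, 2)` is exactly 0.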

4 Towards Full Security

In this section, we show that constant-round protocols that satisfy passive security and security against sampling attacks are easily transformed into fully secure protocols. The present section is dedicated to the construction and its security proof. Let \(\varPi \) be a protocol for computing f. We model the protocol in the usual way. The parties’ backup outputs for \(\varPi \) will be denoted \((c_0,\ldots ,c_{r'})\) and \((d_0,\ldots ,d_{r'})\), respectively, where \(r'\) denotes the number of rounds.

Assumption on the round-complexity. We assume that \(r'\) is constant in the security parameter. This assumption is desirable for the proof of our main theorem, and it is good enough for our purposes. Nevertheless, the question of determining the optimal round complexity for protocols that are passively secure and secure against sampling attacks may be of independent interest.

We assume that the protocol is passively secure. Therefore, there exist simulators, denoted \(\{\mathcal {S}^{\textsf {p}}_{i}\}_{i\in \{1,2\}}\), that can recreate the backup sequences in the ideal model. In addition, since the protocol is constant-round, it follows that the ideal sequences are statistically close to the real ones. Formally,

$$\begin{aligned} (c_0, \ldots , c_{r'},d_{r'})^{\textsf {Real}}&\overset{s}{\equiv } (c_0, \ldots , c_{r'},f_2)^{\textsf {Ideal}}\\ (d_0, \ldots , d_{r'},c_{r'})^{\textsf {Real}}&\overset{s}{\equiv } (d_0, \ldots , d_{r'},f_1)^{\textsf {Ideal}} . \end{aligned}$$

Finally, we assume that \(\varPi \) is secure against sampling attacks. Theorem 3.5 applies to \(\varPi \) in a very straightforward way. Using the notation from the previous section,

  • For every \(\mathbf {y}\in \left\langle \mathcal {L}_2\right\rangle \), for every \(i=1,\ldots , r'\), for every \(\vec {\alpha }_i\in \{0,1\}^{i+1}\), the vector below is close to \(\mathbf {0}_\ell \).

    $$\begin{aligned} \left( B_+^{(\vec {\alpha }_{i},1)}-B_-^{(\vec {\alpha }_{i},1)} \right) \cdot \mathbf {y}. \end{aligned}$$
    (3)
  • For every \(\mathbf {x}\in \left\langle \mathcal {L}_1\right\rangle \), for every \(i=0,\ldots , r'-1\), for every \(\vec {\beta }_i\in \{0,1\}^{i+1}\), the vector below is close to \(\mathbf {0}_k\).

    $$\begin{aligned} \left( A_+^{(1, \vec {\beta }_{i})T}-A_-^{(1, \vec {\beta }_{i})T} \right) \cdot \mathbf {x}. \end{aligned}$$
    (4)

Fig. 2. Protocol SecSamp2Fair \((\varPi )\) for computing f.

4.1 Protocol SecSamp2Fair \( (\varPi ) \)

We are going to combine the main ingredient of the GHKL protocol – the threshold round \(i^*\) – with the protocol above. Specifically, we are going to instruct the parties to run a protocol such that, at some point in the execution, unbeknownst to them, the parties begin running \(\varPi \).

This is achieved by choosing a random threshold round according to a geometric distribution. Prior to that round, the parties exchange backup outputs that are independent of each other, and, once the threshold round has been reached, the parties exchange backups according to the specifications of \(\varPi \). Formally, consider protocol SecSamp2Fair \((\varPi )\) from Fig. 2. For the new protocol, \(i^*\ge r'+1\) is chosen according to a geometric distribution with parameter \(\gamma \). If \(i< i^*-r'\), then \(a_i\) and \(b_i\) are independent of one another. If \(i^*-r'\le i < i^*\), then \(a_i\) and \(b_i\) are equal to \(c_{i-i^*+r'}\) and \(d_{i-i^*+r'}\), respectively. Finally, if \(i\ge i^*\), then \((a_i,b_i)=(c_{r'},d_{r'})\overset{s}{\equiv }(f_1,f_2) \).
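The three regimes of the construction, as an added example in Python that is not code from the paper (Fig. 2 itself is not reproduced in this extraction). It assumes that \(i^*=r'+G\) with G geometric with parameter \(\gamma \) on \(\{1,2,\ldots \}\), that the pre-threshold backups are drawn as \(f_1(x,\widetilde{y})\) and \(f_2(\widetilde{x},y)\) with \(\widetilde{y},\widetilde{x}\) uniform and independent (consistent with the definition of \(p_x^{(\alpha )}\) in Sect. 4.2), a fixed number of rounds, and a constructed toy f together with a placeholder for the backup sequences of \(\varPi \) that only satisfies correctness:

```python
import random

def regime(i, i_star, r_prime):
    """Which rule SecSamp2Fair(Pi) applies at round i, given threshold i* and Pi's round count r'."""
    if i < i_star - r_prime:
        return "independent"   # a_i and b_i are independent of each other
    if i < i_star:
        return "pi"            # (a_i, b_i) = (c_{i-i*+r'}, d_{i-i*+r'})
    return "output"            # (a_i, b_i) = (c_{r'}, d_{r'}) = (f_1, f_2)

def sample_threshold_round(r_prime, gamma, rng):
    """i* = r' + G with G geometric(gamma) on {1, 2, ...}, so that i* >= r' + 1 (assumption)."""
    g = 1
    while rng.random() >= gamma:
        g += 1
    return r_prime + g

def secsamp2fair_backups(x, y, f1, f2, X, Y, pi_backups, gamma, rounds, rng):
    """Dealer-side view of SecSamp2Fair(Pi) on inputs x, y: returns i* and the backup
    sequences (a_0..a_rounds) handed to P1 and (b_0..b_rounds) handed to P2."""
    c, d = pi_backups(x, y)          # Pi's backups (c_0..c_{r'}) and (d_0..d_{r'})
    r_prime = len(c) - 1
    i_star = sample_threshold_round(r_prime, gamma, rng)
    a, b = [], []
    for i in range(rounds + 1):
        mode = regime(i, i_star, r_prime)
        if mode == "independent":
            # assumption: fresh uniform y~ and x~ in every round, as in p_x^{(alpha)}
            a.append(f1(x, rng.choice(Y)))
            b.append(f2(rng.choice(X), y))
        elif mode == "pi":
            a.append(c[i - i_star + r_prime])
            b.append(d[i - i_star + r_prime])
        else:
            a.append(c[r_prime])
            b.append(d[r_prime])
    return i_star, a, b

# Constructed toy inputs: a Boolean f on |X| = 3, |Y| = 4 (not a function from the paper).
X, Y = [0, 1, 2], [0, 1, 2, 3]
def f1(x, y): return (x * y) % 2
def f2(x, y): return (x + y + 1) % 2

def toy_pi_backups(x, y):
    """Placeholder for Pi's backups with r' = 2: it only satisfies correctness
    (c_{r'} = f_1, d_{r'} = f_2) and is not claimed to be secure against sampling attacks."""
    return [0, f1(x, y), f1(x, y)], [0, 0, f2(x, y)]

def run_example(x, y, gamma, rounds, seed):
    """Run the dealer on the toy f and placeholder Pi with a seeded RNG."""
    return secsamp2fair_backups(x, y, f1, f2, X, Y, toy_pi_backups, gamma, rounds, random.Random(seed))

if __name__ == "__main__":
    i_star, a, b = run_example(1, 1, 0.25, 12, 7)
    print("i* =", i_star)
    for i, (ai, bi) in enumerate(zip(a, b)):
        print(f"round {i:2d}: a_i={ai} b_i={bi}  [{regime(i, i_star, 2)}]")
```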

Theorem 4.1

Suppose that protocol \(\varPi \) for f is constant-round, passively secure, and secure against sampling attacks. There exists \(\gamma _0\in [0,1]\) such that protocol SecSamp2Fair \((\varPi )\) is fully secure for f, for every \(\gamma <\gamma _0\).

As a corollary, we show the existence of a fair non-Boolean function where both parties have roughly the same number of inputs. We stress that previous results [2] on non-Boolean functions only applied to functions where one party has at least twice as many inputs as the other.

Corollary 4.2

The non-Boolean function described by the matrix below is computable with full security.

[matrix of the function: image not recoverable from the extraction]

Proof

Consider the following 2-round protocol defined by means of the backup outputs \(\{a_i,b_i\}_{i=1\ldots 2}\).

$$\begin{aligned} a_0&=f(x,\widetilde{y}) \;\text {where }\widetilde{y}\in _U Y&b_0&=2\\ a_1&={\left\{ \begin{array}{ll} a\in _U \{0,1\} &{} \text {if } x=x_2 \text { and } f(x,y)\ne 2 \\ f(x,y) &{} \text {otherwise} \end{array}\right. } \qquad&b_1&= f(x,y). \\ a_2&=f(x,y)&b_2&=f(x,y) \end{aligned}$$

The protocol is constant-round, passively secure and secure against sampling attacks. By Theorem 4.1, the function is fair.

4.2 Security Analysis

We only deal with the case where \(P_1\) is corrupted. The other case is virtually analogous. Write \(\mathcal {A}\) for the adversary corrupting \(P_1\). We begin with a high-level description of the simulator. The simulator \(\mathcal {S}\) chooses \(i^*\) according to the specifications of the protocol, and simulates the rounds of the protocol as follows. Prior to iteration/round \(i^*-r'\), the simulator generates backup outputs in exactly the same way as the dealer does in the real model. If the adversary decides to abort, \(\mathcal {S}\) sends \(x_0\in X\) to the trusted party, where \(x_0\) is sampled according to probability vector \(\mathbf {z}_x^{(\vec {\alpha }_{r'})}\in \mathbb {R}^\ell \). As the notation suggests, \(\mathbf {z}_x^{(\vec {\alpha }_{r'})}\) depends on x (the input handed by the adversary for the computation) and the last \(r'+1\) backup outputs computed by the simulator. At iteration \(i^*-r'\), assuming the adversary is still active, the simulator hands x to the trusted party, and receives output \(a=f_1(x,y)\). In order to reconstruct the next values of the backup sequence, the simulator invokes \(\mathcal {S}^{\textsf {p}}_2\), and hands one-by-one to \(\mathcal {A}\) the values computed by \(\mathcal {S}^{\textsf {p}}_2\). At every iteration following \(i^*\), the simulator hands a to \(\mathcal {A}\). At any given point, if the adversary aborts, the simulator outputs the sequence of values he handed to \(\mathcal {A}\), and halts.

Intuition. By definition, the simulator’s output together with the honest party’s output in the ideal model is required to be indistinguishable from the adversary’s view and the honest party’s output in the real model. In our case, the adversary’s view corresponds to the sequence of backup outputs she observes. Notice that the backup sequences of the two worlds are statistically close, which follows from the way \(i^*\) is chosen in both worlds, the passive security of \(\varPi \), and the fact that prior to \(i^*-r'\) the backup outputs in the real and ideal world are identically distributed. The hard part is to argue that there exists a vector \(\mathbf {z}_x^{(\vec {\alpha }_{r'})}\) from which the simulator can sample. As we shall see, the existence of \(\mathbf {z}_x^{(\vec {\alpha }_{r'})}\) follows from a corollary of the fundamental theorem of Linear Algebra, which comes into play because of the security against sampling attacks assumption (Fig. 3).

Fig. 3. The simulator \(\mathcal {S}\) for protocol SecSamp2Fair \((\varPi )\).

Recall that for \(i=1\ldots r'\) matrices \(B_-^{(\alpha _0,\ldots , \alpha _i,\beta )}\) and \(B_+^{(\alpha _0,\ldots , \alpha _i,\beta )}\) denote

$$\begin{aligned} B_-^{(\alpha _0\ldots \alpha _i,\beta )}(x,y)&= \mathrm {Pr}\left[ (c_0,\ldots ,c_i,d_{i-1} )(x,y)=(\alpha _0,\ldots ,\alpha _i, {\beta } ) \right] \\ B_+^{(\alpha _0\ldots \alpha _i,\beta )}(x,y)&= \mathrm {Pr}\left[ (c_0,\ldots ,c_i, d_{r'} )(x,y)=( \alpha _0,\ldots , \alpha _i,\beta )\right] \end{aligned}$$

Now, define \(p_x^{(\alpha )}=\mathrm {Pr}\left[ f_1(x,\widetilde{y})=\alpha \,|\, \widetilde{y}\in _U Y \right] \). To alleviate notation, we will omit the security parameter. As mentioned earlier, the corrupted party’s backup sequences in the real and ideal world are statistically close. Therefore, if the adversary quits in the real world, then the adversary quits in the ideal world as well, with all but negligible probability – and vice versa. The whole point of the simulation is to show that early aborts do not breach security. In particular, if the adversary quits after round \(i^*\), then the relevant distributions in the real and ideal world are statistically close. Our analysis only deals with aborts that take place prior to round \(i^*\).

We only focus on the last \(r'+1\) elements of the corrupted party’s backup sequence. Having assumed that \(i^*\) has not been surpassed, anything prior to the last \(r'+1\) elements is essentially noise, and it has no bearing on the security analysis. For every sequence of elements \(\vec {\alpha }_{r'}\in \{0,1\}^{r'+1}\) and every \(\beta \in \{0,1\}\), we compute the probability that the adversary’s view and honest party’s output in the real world is equal to \((\vec {\alpha }_{r'},\beta )\), and we express the result in terms of the \(B^{( {\cdot }, {\cdot })}_-\)-matrices. Similarly, for the ideal world, we compute the probability that the simulator’s output and honest party’s output is equal to \((\vec {\alpha }_{r'},\beta )\), and we express the result in terms of the \(B^{( {\cdot }, {\cdot })}_+\)-matrices and vector \(\mathbf {z}_x^{(\vec {a}_{r'})}\).

The point of the exercise is to obtain (linear) constraints for vector \(\mathbf {z}_x^{(\vec {a}_{r'})}\). Then, we ask if the constraints are satisfiable, and, if so, whether solutions can be found efficiently. The second question can be readily answered. If an appropriate solution exists, the simulator can compute it efficiently. Indeed, the simulator can approximate the probability of all possible sequences of size \(r'+1\), and, assuming it exists, the simulator computes \(\mathbf {z}_x^{(\vec {a}_{r'})}\) by solving a linear system of size \(|X|\times |Y|\). Thus, it suffices to show that \(\mathbf {z}_x^{(\vec {a}_{r'})}\) exists. The security features of \(\varPi \) come into play in this regard.

An early abort on the part of the adversary alters the conditional probability distribution of the honest party’s output. Security against sampling attacks guarantees that the output remains consistent with the function at hand. Thus, by introducing a threshold round and fine-tuning its parameter, we restrict the distribution of the output until it falls within the range of the function, and the simulator can match it with an appropriate input.

Three Simplifying Assumptions. The case where the adversary aborts before round \(r'\) needs special consideration. However, the only difference is that \(\mathbf {z}_x^{(\vec {a}_{i})}\) depends on fewer elements. The analysis is largely the same and we do not address this case any further. Furthermore, we assume that \(p_x^{(\alpha )}\ne 0\), for every \(\alpha \in \{0,1\}\) and \(x\in X\). This assumption allows for a smoother exposition by disregarding degenerate cases. Finally, regarding \(\varPi \), we assume that security against sampling attacks holds perfectly, i.e. (3) and (4) are equal to \(\mathbf {0}_\ell \) and \(\mathbf {0}_k\) respectively. Again, the latter assumption is not necessary to prove the theorem; we adopt it in order to avoid introducing notions from Topology to deal with the convergent sequences.

4.3 Real vs Ideal

For every sequence \(\vec {\alpha }_{r'}=(\alpha _0,\ldots ,\alpha _{r'})\in \{0,1\}^{r'+1}\) and every \(\beta \in \{0,1\}\), we compute the probability that the adversary quitting at round \(i\le i^*\) observes \(\vec {\alpha }_{r'}\) and the honest party outputs \(\beta \). The adversary is assumed to use input \(x\in X\) for the computation. To account for every possible input of the honest party, the relevant probabilities are expressed in terms of vectors.

Claim 4.3

In the real model, it holds that

where \(\mathbf {q}^{(\beta )}=M^{(*,\beta )T}\cdot \mathbf {1}_\ell /\ell \).

Proof

Simple expansion over possible values of \(i^*\).

Define

Claim 4.4

In the ideal model, it holds that

Thus, for every \(\beta \in \{0,1\}\), we require that \(\mathbf {c}^{(\vec {\alpha }_{r'},\beta ) T}_{ x}\) is close to

$$\begin{aligned} \mathbf {q}^{(\beta )T} + \sum _{i=0}^{r'} \lambda _{i}(\gamma ,\vec {\alpha }_{r'}) \cdot \left[ B_-^{(\alpha _{{r'}-i}\ldots \alpha _{r'},\beta )} - B_{+}^{(\alpha _{{r'}-i}\ldots \alpha _{r'},\beta )}\right] _{x,*} , \end{aligned}$$

where

$$\begin{aligned} \lambda _i(\gamma ,\vec {\alpha }_{r'})&= \dfrac{\gamma (1-\gamma )^{{r'}-i}\cdot p_x^{(\alpha _0)} \cdots p_x^{(\alpha _{r'-i-1})} }{(1-\gamma )^{{r'+1}}\cdot p_x^{(\alpha _0)} \cdots p_x^{(\alpha _{r'})} }&=\dfrac{\gamma }{(1-\gamma )^{i+1}}\cdot \dfrac{1}{p_x^{(\alpha _{r'-i})} \cdots p_x^{(\alpha _{r'})} } . \end{aligned}$$

Knowing that \( \mathbf {c}^{(\vec {\alpha }_{r'},\beta ) T}_{ x} =\mathbf {z}_x^{(\vec {\alpha }_{r'})T}\cdot M^{(*,\beta )} \) and that \(M^{(*,0)}=\mathbf {1}_{\ell \times k}-M^{(*,1)}\), the simulation is successful if there exists a probability vector \(\mathbf {z}_x^{(\vec {\alpha }_{r'})}\in \mathbb {R}^k\) such that

$$\begin{aligned}&\mathbf {z}_x^{(\vec {\alpha }_{r'})T}\cdot \,M^{(*,1)} \nonumber \\&\quad \overset{s}{\equiv } \mathbf {q}^{(1)T} + \lambda _0 \cdot \left[ B_+^{(\alpha _{r'},1)}-B_-^{(\alpha _{r'},1)} \right] _{x,*} + \ldots + \lambda _{{r'}} \cdot \left[ B_+^{(\vec {\alpha }_{r'},1)}-B_-^{(\vec {\alpha }_{r'},1)} \right] _{x,*}. \end{aligned}$$
(5)

Define \(\mathbf {u}_x^{(\vec {\alpha }_{r'})}=\mathbf {z}_x^{(\vec {\alpha }_{r'})}-\mathbf {1}_\ell /\ell \) and notice that (5) is equivalent to

$$\begin{aligned}&\mathbf {u}_x^{(\vec {\alpha }_{r'})T}\cdot \,M^{(*,1)} \nonumber \\&\quad \overset{s}{\equiv } \lambda _0 \cdot \left[ B_+^{(\alpha _{r'},1)}-B_-^{(\alpha _{r'},1)} \right] _{x,*} + \cdots + \lambda _{{r'}} \cdot \left[ B_+^{(\vec {\alpha }_{r'},1)}-B_-^{(\vec {\alpha }_{r'},1)} \right] _{x,*} , \end{aligned}$$
(6)

and

$$\begin{aligned} {\left\{ \begin{array}{ll} \displaystyle \sum _{x_0}\mathbf {u}_x^{(\vec {\alpha }_{r'})}(x_0)=0\\ \displaystyle \forall x_0\in X, \; \mathbf {u}_x^{(\vec {\alpha }_{r'})}(x_0)\in [-1/\ell ,1-1/\ell ]\end{array}\right. }. \end{aligned}$$

Lemma 4.5

Let \(\mathbf {c}\) be an arbitrary vector and let M be an arbitrary matrix. There exists \(\mathbf {u}\) such that \(\sum _{z}\mathbf {u}(z)=0\) and \(\mathbf {u}^T\cdot M= \mathbf {c}^T\) if and only if \(\mathbf {c}^T\mathbf {v}=0\), for every \(\mathbf {v}\) such that \(M\mathbf {v}\in \left\langle \mathbf {1}\right\rangle \).

Proof

Define

$$\begin{aligned} M'=\begin{pmatrix}-1&{} 1 &{}\ldots &{} 0 \\ \vdots &{} \vdots &{}\ddots &{} \vdots \\ -1 &{}0 &{}\ldots &{}1 \end{pmatrix}\cdot M . \end{aligned}$$

Observe that the row-space of \(M'\) is equal to the image of the hyperplane \(\{\mathbf {u}\,|\, \sum _z \mathbf {u}(z) =0 \}\) by \(M^T\) and that \(\ker (M')=\{\mathbf {v}\,|\, M\mathbf {v}\in \left\langle \mathbf {1}\right\rangle \}\). Conclude by applying the fundamental theorem of linear algebra.    \(\square \)

Proof of Theorem 4.1

We show that there exist suitable vectors \(\mathbf {u}_{x}^{(\vec {\alpha }_{r'})}\) satisfying (6), for every \(x\in X\) and \(\vec {\alpha }_{r'}\in \{0,1\}^{r'+1}\). By assumption, security against sampling attacks holds perfectly for \(\varPi \). It follows that

$$\begin{aligned} \left( B_+^{(\vec {\alpha }_{i},1)}-B_-^{(\vec {\alpha }_{i},1)} \right) \cdot \mathbf {y}= \mathbf {0}_\ell , \end{aligned}$$

for every \(\mathbf {y}\in \left\langle \mathcal {L}_2\right\rangle \). By Lemma 4.5, there exists \(\mathbf {u}_{x,i}^{(\vec {\alpha }_{r'})}\) such that \(\sum _{x_0}\mathbf {u}_{x,i}^{(\vec {\alpha }_{r'})T}(x_0)=0\) and

$$\begin{aligned}&\mathbf {u}_{x,i}^{(\vec {\alpha }_{r'})T}\cdot \,M^{(*,1)} = \left[ B_+^{(\vec {\alpha }_{i},1)}-B_-^{(\vec {\alpha }_{i},1)} \right] _{x,*} . \end{aligned}$$

Thus, \(\mathbf {u}_{x}^{(\vec {\alpha }_{r'})}\overset{\mathrm {def}}{=}\sum _i \lambda _i \mathbf {u}_{x,i}^{(\vec {\alpha }_{r'})}\) satisfies (6). To conclude, we argue that there exists \(\gamma _0\) such that \(\mathbf {u}_x^{(\vec {\alpha }_{r'})}(x_0)\in [-1/\ell ,1-1/\ell ]\), for every \(\gamma <\gamma _0\). Recall that

Observe that \(\lambda _i\) tends to 0 as \(\gamma \) tends to 0.    \(\square \)

5 The Asymmetric Case

Our analysis of locking strategies and sampling attacks culminates in Theorem 4.1 from the previous section. The theorem states that, in order to demonstrate that a given function is computable with full security, it suffices to design a constant-round, passively-secure protocol that is secure against sampling attacks. In this section, we look for relevant protocols for asymmetric Boolean functions. We propose an algorithm that takes a description of the function as input, and, depending on the termination step, either returns the description of an appropriate protocol, or reports that it failed to find one.

We begin by visiting some mathematical tools and a few useful lemmas. Next, we define a game involving the parties computing f and the dealer. The game simulates the last interaction of a correct protocol computing f; its purpose is for the dealer to hand a backup output to the disadvantaged party without compromising any of the security requirements. Finally, largely as an extension of the game, we obtain an algorithm for designing constant-round protocols that are passively secure and secure against sampling attacks. Using the tools and the lemmas from Sect. 5.1, we demonstrate that our algorithm satisfies correctness.

Speculative Remark. For what it is worth, numerical results on small cases indicate that our algorithm accounts for the overwhelming majority of non semi-balanced functions. We also encountered a handful of non semi-balanced functions for which our algorithm fails to come up with a suitable protocol. These functions are noteworthy because we suspect that their unknown status cannot be attributed to potential shortcomings of our algorithm. We believe that our algorithm is as good at finding suitable protocols as can be expected.

5.1 Irreducible Locking Strategies

Let \(f:X\times Y \rightarrow \{0,1\}^2\) denote some Boolean asymmetric (possibly randomized) finite function. Since f is asymmetric, it has four associated matrices \(M^{(0,0)}\), \(M^{(0,1)}\), \(M^{(1,0)}\), \(M^{(1,1)}\in [0,1]^{\ell \times k}\). Recall that locking strategies for \(P_1\) and \(P_2\) correspond to elements of the vector spaces \(\left\langle \mathcal {L}_1 \right\rangle = \{ \mathbf {x}\in \mathbb {R}^\ell \, |\, \mathbf {x}^TM^{(1,*)}\in \left\langle \mathbf {1}_k^T\right\rangle \}\) and \(\left\langle \mathcal {L}_2 \right\rangle = \{ \mathbf {y}\in \mathbb {R}^k \, |\, M^{(*,1)}\mathbf {y}\in \left\langle \mathbf {1}_\ell \right\rangle \}\), where \(\mathcal {L}_1\) and \(\mathcal {L}_2\) denote arbitrary bases of each space. Without loss of generality, assume \(|\mathcal {L}_1|=s_1\) and \(|\mathcal {L}_2|=s_2\). Locking strategies endow a matrix with a matroid structure, in the same way that linear dependence does. We define the matroid by means of its minimally dependent sets, i.e. circuits.

Definition 5.1

We say that the columns of \(M^{(*,1)}\) indexed by \(Y'\subseteq Y\) are minimally dependent if

  • \(\left\{ M^{(*,1)}\mathbf {e}_y\right\} _{y\in Y'}\cup \left\{ \mathbf {1}_\ell \right\} \) are linearly dependent,

  • for every \(y_0\in Y'\), it holds that \(\left\{ M^{(*,1)}\mathbf {e}_y\right\} _{y\in Y'\setminus \{y_0\}}\cup \left\{ \mathbf {1}_\ell \right\} \) are linearly independent.

Similarly, we say that the rows of \(M^{(1,*)}\) indexed by \(X'\subseteq X\) are minimally dependent if

  • \(\left\{ \mathbf {e}_x^TM^{(1,*)}\right\} _{x\in X'}\cup \left\{ \mathbf {1}_k^T\right\} \) are linearly dependent,

  • for every \(x_0\in X'\), it holds that \(\left\{ \mathbf {e}_x^TM^{(1,*)}\right\} _{x\in X'\setminus \{x_0\}}\cup \left\{ \mathbf {1}_k^T\right\} \) are linearly independent.

Proposition 5.2

Suppose that the columns of \(M^{(*,1)}\) indexed by \(Y'\subseteq Y\) are minimally dependent. Up to a multiplicative factor, there exists a unique \(\mathbf {q}\in \mathbb {R}^k\setminus \{\mathbf {0}_k\}\) such that \( M^{(*,1)}\mathbf {q}\in \left\langle \mathbf {1}_\ell \right\rangle \) and \( \mathsf {supp}(\mathbf {q})=Y'\).

Proof

By definition, there exists \(\mathbf {q}\in \mathbb {R}^k\) such that \(M^{(*,1)}\mathbf {q}\in \left\langle \mathbf {1}_\ell \right\rangle \) and \(\mathsf {supp}(\mathbf {q})=Y'\). The non-trivial task is to show that this vector is unique, up to a multiplicative factor. Suppose there exists \(\mathbf {q}'\) such that \(\mathsf {supp}(\mathbf {q}')\subseteq Y'\) and \(M^{(*,1)}\mathbf {q}'\in \left\langle \mathbf {1}_\ell \right\rangle \). In pursuit of a contradiction, assume that \(\mathbf {q}'\ne \lambda \mathbf {q}\), for every \(\lambda \in \mathbb {R}\). Equivalently, there exists i, \(j\in Y'\) such that \(\mathbf {q}(i)=\lambda _i\mathbf {q}'(i)\) and \(\mathbf {q}(j)=\lambda _j\mathbf {q}'(j)\), with \(\lambda _i\ne \lambda _j\). Without loss of generality, say that \(\lambda _i\ne 0\) and define \(\mathbf {q}''= \lambda _i\cdot \mathbf {q}' - \mathbf {q}\). Deduce that \( M^{(*,1)}\mathbf {q}''\in \left\langle \mathbf {1}_\ell \right\rangle \) and \(\mathsf {supp}(\mathbf {q}'')\subsetneq Y'\), in contradiction with the fact that the columns indexed by \(Y'\) are minimally dependent. \(\square \)

Definition 5.3

If \(\mathbf {q}\in \mathbb {R}^k\) is as in Proposition 5.2, we say that \(\mathbf {q}\) is irreducible.

Proposition 5.4

There exists a basis of \(\left\langle \mathcal {L}_2\right\rangle \) consisting of irreducible strategies.

Proof

It is well known that any generating set contains a basis. Thus, it suffices to show that irreducible locking strategies form a generating set. Let \(\mathbf {y}\in \langle \mathcal {L}_2 \rangle \) and consider \(\mathsf {supp}(\mathbf {y})\). Let \(\mu _1,\ldots , \mu _{t_\mathbf {y}}\) denote all the subsets of \(\mathsf {supp}(\mathbf {y})\) that index minimally dependent columns, and write \(\mathbf {q}_1,\ldots , \mathbf {q}_{t_\mathbf {y}}\) for the associated unique irreducible locking strategies. We show that \(\mathbf {y}\in \langle \mathbf {q}_1,\ldots , \mathbf {q}_{t_\mathbf {y}} \rangle \) by constructing a sequence of locking strategies \(\mathbf {y}_0,\ldots , \mathbf {y}_{s_\mathbf {y}}\) such that

$$\begin{aligned} {\left\{ \begin{array}{ll}\mathbf {y}_0 =\mathbf {y}\\ \mathbf {y}_{j+1} =\mathbf {y}_j - \alpha _j\cdot \mathbf {q}^{(j)} \\ \mathbf {y}_{s_\mathbf {y}} =\mathbf {0}_\ell \end{array}\right. }, \end{aligned}$$

where \(\alpha _j\in \mathbb {R}\) and \( \mathbf {q}^{(j)}\in \{\mathbf {q}_1,\ldots , \mathbf {q}_{t_\mathbf {y}}\}\). Let \(\mathbf {q}^{(0)}\) be an arbitrary element of \(\{\mathbf {q}_1,\ldots , \mathbf {q}_{t_\mathbf {y}}\}\) and fix \(j_0\) such that \(\mathbf {q}^{(0)}(j_0)\ne 0\). Define \(\mathbf {y}_1=\mathbf {y}- \frac{\mathbf {y}(j_0)}{\mathbf {q}^{(0)}(j_0)} \cdot \mathbf {q}^{(0)}\). Notice that \(\mathbf {y}_1\) is a locking strategy and that \(\mathsf {supp}(\mathbf {y}_1)\subsetneq \mathsf {supp}(\mathbf {y})\). Since \(\mathbf {y}_1\) is a locking strategy, it follows that \(\mu ^{(1)}\subset \mathsf {supp}(y_1)\), for some \(\mu ^{(1)}\in \{\mu _1,\ldots , \mu _{t_\mathbf {y}}\}\). Write \(\mathbf {q}^{(1)}\) for the associated locking strategy. Similarly to what we just did, fix \(j_1\) such that \(\mathbf {q}^{(1)}(j_1)\ne 0\), define \(\mathbf {y}_2=\mathbf {y}_1 - \frac{\mathbf {y}_1(j_1)}{\mathbf {q}^{(1)}(j_1)} \cdot \mathbf {q}^{(1)}\), and notice that \(\mathbf {y}_2\) is a locking strategy and that \(\mathsf {supp}(\mathbf {y}_2)\subsetneq \mathsf {supp}(\mathbf {y}_1)\). Repeat the procedure and conclude that it terminates in at most \(|\mathsf {supp}(\mathbf {y})|\) steps.    \(\square \)

Define \(Y_0,\ldots , Y_{k'}\) to be a partitioning of the input domain Y that we construct as follows. First, \(y\in Y_0\) if \(\mathbf {e}_y \) is orthogonal to \( \left\langle \mathcal {L}_2\right\rangle \). Next, for \(i\ge 1\), let \(\mathbf {q}^{(i)}\) be an irreducible locking strategy such that \(\mathsf {supp}(\mathbf {q}^{(i)})\cap \left( Y_{i-1}\cup \ldots \cup Y_0\right) =\emptyset \). Finally, \(y\in Y_{i}\) if there exist irreducibles \(\mathbf {q}_1^{(i)},\ldots , \mathbf {q}_{t_y}^{(i)}\) such that

$$\begin{aligned} {\left\{ \begin{array}{ll} \mathbf {q}^{(i)} = \mathbf {q}_1^{(i)}\\ \mathsf {supp}(\mathbf {q}^{(i)}_{j})\cap \mathsf {supp}(\mathbf {q}^{(i)}_{j+1})\ne \emptyset \\ y\in \mathsf {supp}(\mathbf {q}_{t_y}^{(i)})\end{array}\right. }. \end{aligned}$$
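As an added worked example (not code from the paper), the following Python computes, in exact rational arithmetic, the space \(\left\langle \mathcal {L}_2\right\rangle \) as \(\ker (M')\) for the difference matrix \(M'\) from the proof of Lemma 4.5, the existence test of Lemma 4.5, the minimally dependent column sets of Definition 5.1 with their irreducible strategies (Propositions 5.2 and 5.4), and the partition \(Y_0,\ldots ,Y_{k'}\) defined above. The matrix \(M^{(*,1)}\) it runs on is a constructed 4-by-5 example, not a function from the paper.

```python
from fractions import Fraction
from itertools import combinations

def rref_nullspace(rows):
    """Exact Gaussian elimination over the rationals; returns a basis of ker(rows)."""
    m = [[Fraction(v) for v in r] for r in rows]
    ncols = len(m[0])
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(m)) if m[i][c] != 0), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        pv = m[r][c]
        m[r] = [v / pv for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c] != 0:
                f = m[i][c]
                m[i] = [a - f * b for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    basis = []
    for free in (c for c in range(ncols) if c not in pivots):
        v = [Fraction(0)] * ncols
        v[free] = Fraction(1)
        for i, pc in enumerate(pivots):
            v[pc] = -m[i][free]
        basis.append(v)
    return basis

def locking_kernel(M):
    """Basis of { v : M v in <1> }. As observed in the proof of Lemma 4.5 this is ker(M')
    for M' = D M, where D subtracts the first row of M from every other row."""
    k = len(M[0])
    Mp = [[b - a for a, b in zip(M[0], M[i])] for i in range(1, len(M))]
    if not Mp:  # a single row: every v satisfies the condition
        return [[Fraction(int(i == j)) for j in range(k)] for i in range(k)]
    return rref_nullspace(Mp)

def is_locking(M, y):
    """y is in <L_2> iff M^{(*,1)} y is a multiple of the all-ones vector."""
    My = [sum(a * b for a, b in zip(row, y)) for row in M]
    return all(v == My[0] for v in My)

def zero_sum_preimage_exists(M, c):
    """Lemma 4.5: some u with sum(u) = 0 and u^T M = c^T exists iff c^T v = 0 for every v
    with M v in <1>; testing c against a basis of that space suffices."""
    return all(sum(ci * vi for ci, vi in zip(c, v)) == 0 for v in locking_kernel(M))

def columns(M, cols):
    return [[row[j] for j in cols] for row in M]

def dependent(M, cols):
    """Definition 5.1: the columns in cols together with 1 are dependent iff the restricted kernel is nontrivial."""
    return bool(cols) and len(locking_kernel(columns(M, cols))) > 0

def irreducible_strategies(M):
    """One irreducible strategy (Definition 5.3) per minimally dependent column set; it is
    unique up to scaling (Proposition 5.2) and is scaled here so its first nonzero entry is 1."""
    k = len(M[0])
    out = []
    for size in range(1, k + 1):
        for cols in combinations(range(k), size):
            if not dependent(M, cols):
                continue
            if any(dependent(M, cols[:j] + cols[j + 1:]) for j in range(size)):
                continue  # a proper subset is already dependent: not minimal
            (qsub,) = locking_kernel(columns(M, cols))  # one-dimensional by Prop. 5.2
            lead = next(v for v in qsub if v != 0)
            q = [Fraction(0)] * k
            for j, v in zip(cols, qsub):
                q[j] = v / lead
            out.append(q)
    return out

def input_partition(M):
    """Partition Y_0, Y_1, ... from Sect. 5.1: Y_0 holds the inputs outside every locking strategy;
    the other classes join inputs linked by chains of irreducibles with overlapping supports."""
    k = len(M[0])
    supports = [frozenset(j for j in range(k) if q[j] != 0) for q in irreducible_strategies(M)]
    classes = []
    for s in supports:  # merge s with every class it overlaps (connected components)
        overlapping = [c for c in classes if c & s]
        classes = [c for c in classes if not c & s] + [s.union(*overlapping)]
    y0 = frozenset(range(k)) - frozenset().union(*supports)
    return [sorted(y0)] + [sorted(c) for c in classes]

# Constructed sample M^{(*,1)}(x,y) = Pr[f_2(x,y) = 1] for a deterministic Boolean f_2 with
# |X| = 4 and |Y| = 5; it is not a function taken from the paper.
M_STAR_1 = [
    [1, 0, 1, 0, 1],
    [0, 1, 1, 0, 1],
    [1, 1, 0, 1, 1],
    [1, 1, 0, 1, 0],
]

if __name__ == "__main__":
    print("irreducibles:", [[str(v) for v in q] for q in irreducible_strategies(M_STAR_1)])
    print("partition Y_0, Y_1, ...:", input_partition(M_STAR_1))
```

On the sample matrix the three irreducibles \((0,0,1,1,0)\), \((1,1,1,0,0)\) and \((1,1,0,-1,0)\) span the two-dimensional \(\left\langle \mathcal {L}_2\right\rangle \), as Proposition 5.4 predicts, and the fifth input lies in \(Y_0\).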

5.2 The Dealer Game

In this section, we present a game involving the parties computing f and the dealer. The purpose of the game is to define a simplified variant of the security against sampling attacks requirement. Assume that the honest party, say \(P_2\), applies some locking strategy \(\mathbf {y}\) while executing a protocol for computing f. If the protocol is secure against sampling attacks, then the adversary cannot distinguish between the correct output and the backup output of the honest party. In the worst case, the adversary is handed the output of the corrupted party before the honest party receives his. In such an event, we ask what the honest party’s backup output ought to be, other than the correct output.

Write \(a_i\) (resp. \(b_i\)) for \(P_1\)’s (resp. \(P_2\)’s) backup output at round i. Let \(\widehat{b}_*\) denote the bit obtained from \(b_*\) by applying \(\mathbf {y}\), and let r denote the number of rounds. From an honest \(P_2\)’s perspective, we require that the pairs \((a_i,\widehat{b}_{i-1})\) and \( (a_i,\widehat{b}_{r})\) are statistically close, for every \(x\in X\), \(\mathbf {y}\in \left\langle \mathcal {L}_2\right\rangle \) and \(i\in \{1\ldots r\}\). Consider the following process involving a dealer. The dealer receives inputs x and y from \(P_1\) and \(P_2\), respectively, and computes \(f(x,y)=(f_1(x,y),f_2(x,y))\). Then, the dealer hands \(f_1(x,y)\) to \(P_1\) and a bit b to \(P_2\), where b is a probabilistic function of \(P_2\)’s input and \(f_2(x,y)\). We investigate how to construct b with the following goals in mind.

  1. minimize the information b contains about \(f_2(x,y)\)

  2. \((f_1,\widehat{f}_2)\) is statistically close to \((f_1,\widehat{b})\), for every \(x\in X\) and \(\mathbf {q}\in \left\langle \mathcal {L}_2\right\rangle \).

Let us introduce vectors \(\mathbf {b}^{(0)}\), \(\mathbf {b}^{(1)}\in \mathbb {R}^k\) such that

$$\begin{aligned} \mathbf {b}^{(\beta )}(y_0)=\mathrm {Pr}\left[ b=1 \,\Big |\, f_2(x,y)=\beta \,\wedge \, y=y_0\right] . \end{aligned}$$

Fix \(y\in Y\), and notice that \(b\equiv f_2\) on input y if \(\mathbf {b}^{(0)}(y)=0\) and \(\mathbf {b}^{(1)}(y)=1\). On the other hand, b contains no information about \(f_2(x,y)\) if and only if \(\mathbf {b}^{(0)}(y)=\mathbf {b}^{(1)}(y)\). Consequently, our aim is for \(\mathbf {b}^{(0)}\) and \(\mathbf {b}^{(1)}\) to be equal on as many indices as possible.

Claim 5.5

Using the notation above, it holds that \((f_1,\widehat{f}_2)\) is statistically close to \((f_1,\widehat{b})\) if and only if, for every \(\mathbf {y}\in \left\langle \mathcal {L}_2\right\rangle \),

$$\begin{aligned} {\left\{ \begin{array}{ll}M^{(0,0)}\left( \mathbf {b}^{(0)}*\mathbf {y}\right) + M^{(0,1)}\left( \mathbf {b}^{(1)}*\mathbf {y}\right) = M^{(0,1)}\mathbf {y}\\ M^{(1,0)}\left( \mathbf {b}^{(0)}*\mathbf {y}\right) + M^{(1,1)}\left( \mathbf {b}^{(1)}*\mathbf {y}\right) = M^{(1,1)}\mathbf {y}\end{array}\right. } . \end{aligned}$$
(7)

Proof

Fix \(x\in X\), \(\mathbf {y}\in \left\langle \mathcal {L}_2\right\rangle \), \(\alpha \in \{0,1\}\), and note that

$$\begin{aligned} \mathrm {Pr}\left[ (f_1,\widehat{f}_2)=(\alpha ,1)\right]&= \mathbf {e}_x^T \left( \sum _{\mathbf {y}(y)\ge 0} \left[ M^{(\alpha ,1)}\right] _{*,y} \mathbf {y}(y) + \sum _{\mathbf {y}(y)< 0} \left[ M^{(\alpha ,0)}\right] _{*,y} |\mathbf {y}(y)| \right) \\ {}&= \mathbf {e}_x^T \left( M^{(\alpha ,1)}\mathbf {y}+ \sum _{\mathbf {y}(y)< 0} \left[ M^{(\alpha ,*)}\right] _{*,y} |\mathbf {y}(y)| \right) \end{aligned}$$

On the other hand, \(\mathrm {Pr}\left[ (f_1,\widehat{b})=(\alpha ,1)\right] \)

$$\begin{aligned} = \sum _{\mathbf {y}(y)\ge 0}\mathbf {e}_x^T\left( \left[ M^{(\alpha ,1)}\right] _{*,y} \cdot \mathbf {b}^{(1)}(y) + \left[ M^{(\alpha ,0)}\right] _{*,y}\cdot \mathbf {b}^{(0)}(y)\right) \mathbf {y}(y) \\ \quad +~\sum _{\mathbf {y}(y)< 0} \left( \left[ M^{(\alpha ,1)}\right] _{*,y}\cdot (1-\mathbf {b}^{(1)}(y)) + \left[ M^{(\alpha ,0)}\right] _{*,y}\cdot (1-\mathbf {b}^{(0)}(y))\right) |\mathbf {y}(y)|, \end{aligned}$$

and thus \(\mathrm {Pr}\left[ (f_1,\widehat{b})=(\alpha ,1)\right] \)

$$\begin{aligned} = \mathbf {e}_x^T\left( M^{(\alpha ,0)}\left( \mathbf {b}^{(0)}*\mathbf {y}\right) + M^{(\alpha ,1)}\left( \mathbf {b}^{(1)}*\mathbf {y}\right) + \sum _{\mathbf {y}(y)< 0} \left[ M^{(\alpha ,*)}\right] _{*,y} |\mathbf {y}(y)| \right) . \end{aligned}$$

To conclude, note that since \(\mathbf {b}^{(0)}, \mathbf {b}^{(1)}\) are fixed vectors, it holds that \((f_1,\widehat{f}_2)\) and \((f_1,\widehat{b})\) are statistically close if and only if they are identically distributed.    \(\square \)

Moving on, fix \(Y_i\in \{Y_0, \ldots , Y_{k'}\}\) and suppose there exist \(\mathbf {b}^{(0)}, \mathbf {b}^{(1)}\) satisfying Eq. (7) such that \(\mathbf {b}^{(0)}(y_0)\ne 0\) or \(\mathbf {b}^{(1)}(y_0)\ne 1\), for some \(y_0\in Y_i\). We show that there exist \(\mathbf {b}'^{(0)}, \mathbf {b}'^{(1)}\) satisfying Eq. (7) such that \(\mathbf {b}'^{(0)}(y)=\mathbf {b}'^{(1)}(y)\), for every \(y\in Y_i\). This is where the underlying matroid structure will come in handy.

Proposition 5.6

It holds that \(\mathbf {b}^{(1)}(y)-\mathbf {b}^{(0)}(y)=\mathbf {b}^{(1)}(y_0)-\mathbf {b}^{(0)}(y_0)\), for every \(y\in Y_i\). In addition, vectors \(\mathbf {b}'^{(1)}\), \(\mathbf {b}'^{(0)}\) satisfy Eq. (7), where

$$\begin{aligned} \mathbf {b}'^{(b)}(y)={\left\{ \begin{array}{ll} \mathbf {b}^{(b)}(y) &{} \text { if } y\notin Y_i\\ \dfrac{\mathbf {b}^{(0)}(y)}{\mathbf {b}^{(0)}(y_0)-\mathbf {b}^{(1)}(y_0)+1}&{} \text { if } y\in Y_i\end{array}\right. } . \end{aligned}$$

Proof

For the first part of the claim, we apply Proposition 5.2. The case \(i=0\) is left to the reader. Let \(i\ge 1\) and fix irreducible \(\mathbf {q}\) such that \(y_0\in \mathsf {supp}(\mathbf {q})\). We know that, for any \(\mathbf {y}\in \left\langle \mathcal {L}_2\right\rangle \),

$$\begin{aligned} M^{(0,0)}\left( \mathbf {b}^{(0)}*\mathbf {y}\right) + M^{(0,1)}\left( \mathbf {b}^{(1)}*\mathbf {y}\right) = M^{(0,1)}\mathbf {y},\end{aligned}$$
(8)
$$\begin{aligned} M^{(1,0)}\left( \mathbf {b}^{(0)}*\mathbf {y}\right) + M^{(1,1)}\left( \mathbf {b}^{(1)}*\mathbf {y}\right) = M^{(1,1)}\mathbf {y}. \end{aligned}$$
(9)

Let \(\mathbf {y}=\mathbf {q}\) and add the two expressions.

$$\begin{aligned} \left( \mathbf {1}_{\ell \times k}-M^{(*,1)}\right) \left( \mathbf {b}^{(0)}*\mathbf {q}\right) + M^{(*,1)}\left( \mathbf {b}^{(1)}*\mathbf {q}\right) = M^{(*,1)}\mathbf {q}. \end{aligned}$$

By moving a few terms around, deduce that \(M^{(*,1)}\left( (\mathbf {b}^{(1)}-\mathbf {b}^{(0)})*\mathbf {q}\right) \in \left\langle \mathbf {1}_\ell \right\rangle \). Consequently, by Proposition 5.2, \(\mathbf {b}^{(1)}(y)\,-\,\mathbf {b}^{(0)}(y)=\mathbf {b}^{(1)}(y_0)\,-\,\mathbf {b}^{(0)}(y_0)\), for every \(y\in \mathsf {supp}(\mathbf {q})\). Moving on, fix an arbitrary \(y\in Y_i\). We know there exists a sequence of irreducibles \(\mathbf {q}^{(i)}_1\ldots \mathbf {q}_{t'_y}^{(i)}\) such that

$$\begin{aligned} {\left\{ \begin{array}{ll} \mathbf {q}= \mathbf {q}_1^{(i)}\\ \mathsf {supp}(\mathbf {q}^{(i)}_{j})\cap \mathsf {supp}(\mathbf {q}^{(i)}_{j+1})\ne \emptyset \\ y\in \mathsf {supp}(\mathbf {q}_{t'_y}^{(i)})\end{array}\right. }, \end{aligned}$$

Apply the same argument as above and, by induction, deduce that \(\mathbf {b}^{(1)}(y)-\mathbf {b}^{(0)}(y)=\mathbf {b}^{(1)}(y_0)-\mathbf {b}^{(0)}(y_0)\). For the second part of the claim, we rely on the following observations.

  • Vectors \(\mathbf {b}_0^{(0)}\) and \(\mathbf {b}_0^{(1)}\) satisfy Eqs. (8) and (9), where

    $$\begin{aligned} \mathbf {b}_0^{(0)}= {\left\{ \begin{array}{ll}\mathbf {b}^{(0)}(y) &{} \text { if } y\notin Y_i \\ 0 &{} \text { if } y\in Y_i\end{array}\right. }, \qquad \mathbf {b}_0^{(1)}= {\left\{ \begin{array}{ll}\mathbf {b}^{(1)}(y) &{} \text { if } y\notin Y_i \\ 1 &{} \text { if } y\in Y_i\end{array}\right. }. \end{aligned}$$
  • Solutions to Eqs. (8) and (9) can be combined linearly.

The second item is trivial. For the first item, we show that vectors \(\mathbf {b}_0^{(0)}\) and \(\mathbf {b}_0^{(1)}\) are solutions to the equations for a particular basis of \(\left\langle \mathcal {L}_2\right\rangle \). By Proposition 5.4, consider a basis of \(\left\langle \mathcal {L}_2\right\rangle \) that consists of irreducible strategies. Conclude by observing that \(Y_i\cap \mathsf {supp}(\mathbf {q}')=\emptyset \), for every irreducible \(\mathbf {q}'\) such that \(\mathsf {supp}(\mathbf {q}) \nsubseteq Y_i\). Next, define

$$\begin{aligned} \mathbf {b}'^{(b)}= \frac{1}{\mathbf {b}^{(0)}(y_0)-\mathbf {b}^{(1)}(y_0)+1}\cdot \mathbf {b}^{(b)} +\left( 1-\frac{1}{\mathbf {b}^{(0)}(y_0)-\mathbf {b}^{(1)}(y_0)+1}\right) \cdot \mathbf {b}_0^{(b)} . \end{aligned}$$

We note that \(\mathbf {b}'^{(0)} \), \(\mathbf {b}'^{(1)}\) admit the right expression. It remains to show that \(\mathbf {b}'^{(b)}(y)\in [0,1]\), for every y. Since \(\mathbf {b}'^{(b)}(y)=\mathbf {b}^{(b)}(y)\) if \(y\notin Y_i\), it suffices to show that

$$\begin{aligned} \frac{\mathbf {b}^{(0)}(y)}{\mathbf {b}^{(0)}(y)-\mathbf {b}^{(1)}(y)+1}\in [0,1] , \end{aligned}$$
(10)

for \(y\in Y_i\). We conclude by observing that (10) is equivalent to \(0\le \mathbf {b}^{(0)}(y)\) and \(\mathbf {b}^{(1)}(y)\le 1\).   \(\square \)

5.3 The Algorithm

Next, we show how to construct passively-secure protocols that are also secure against sampling attacks. The idea is to build the backup outputs from the bottom-up, i.e. start with \(a_r\equiv f_1\) and \(b_r\equiv f_2\), and construct \(a_{r-1}\) and \(b_{r-1}\) such that \(a_{r-1}\) (resp. \(b_{r-1}\)) only depends on x and \(f_1(x,y)\) (resp. y and \(f_2(x,y)\)) without compromising security against sampling attacks.

To this end, we employ a minimization algorithm in combination with Proposition 5.6. Without loss of generality, we begin by assuming that \(P_1\) is corrupted, and that he observes \(a_r\equiv f_1(x,y)\). To define \(b_{r-1}\), we run an optimization algorithm that constructs vectors \(\{\mathbf {b}^{(\beta )}\}_{\beta \in \{0,1\}}\), and we delete any input \(y\in Y\) for which \(\mathbf {b}^{(1)}(y)-\mathbf {b}^{(0)}(y)\ne 1\). Then, in order to define \(a_{r-1}\), we run an optimization algorithm that constructs vectors \(\{\mathbf {a}^{(\alpha )}\}_{\alpha \in \{0,1\}}\), assuming \(P_2\) is corrupted, and the party is privy to the output only if the input he used was not deleted in the previous step. We proceed by deleting any input \(x\in X\) for which \(\mathbf {a}^{(1)}(x)-\mathbf {a}^{(0)}(x)\ne 1\). We carry on in this fashion until one party runs out of inputs, or the process does not allow for any further deletions.

Getting ahead of ourselves, we note that deleted inputs cannot be used by the adversary to mount a successful sampling attack. In light of Proposition 5.6, if an input was deleted at iteration i, then every backup output until round \(r-i\) contains no information about the output.

Additional Notation. Before we describe the algorithm, let us introduce some notation. For every \(\mathbf {q}\in \mathcal {L}_2\) and \(X'\subseteq X\), define

$$\begin{aligned} A_\mathbf {q}(X')&=\begin{pmatrix}\left[ M^{(0,0)}* Q\right] _{X'} &{} \left[ M^{(0,1)}_{X'} * Q\right] _{X'}\\ \left[ M^{(1,0)}* Q\right] _{X'} &{} \left[ M^{(1,1)}* Q\right] _{X'} \\ M^{(*,0)}* Q &{} M^{(*,1)}* Q \end{pmatrix},\qquad \vec {b}_\mathbf {q}= \begin{pmatrix} \left[ M^{(0,1)}\right] _{X'}\mathbf {q}\\ \left[ M^{(1,1)}\right] _{X'}\mathbf {q}\\ M^{(*,1)}\mathbf {q}\end{pmatrix} \end{aligned}$$

where \(Q=\mathbf {1}_\ell \cdot \mathbf {q}^T\) and the notation \([\cdot ]_{X'} \) indicates that only the rows indexed by \(X'\subseteq X\) appear. Write \(\mathcal {L}_2=\{\mathbf {q}_1,\ldots , \mathbf {q}_{s_2}\}\) and consider the following linear system for unknown \((\mathbf {b}^{(0)T},\mathbf {b}^{(1)T})\).

$$\begin{aligned} \begin{pmatrix} A_{\mathbf {q}_1}(X')\\ A_{\mathbf {q}_2}(X')\\ \vdots \\ A_{\mathbf {q}_{s_2}}(X') \end{pmatrix} \cdot&\begin{pmatrix}\mathbf {b}^{(0)}\\ \mathbf {b}^{(1)}\end{pmatrix} = \begin{pmatrix} \vec {b}_{\mathbf {q}_1}(X')\\ \vec {b}_{\mathbf {q}_2}(X')\\ \vdots \\ \vec {b}_{\mathbf {q}_{s_2}}(X') \end{pmatrix} \\ \begin{pmatrix}\mathbf {0}_k\\ \mathbf {0}_k \end{pmatrix}\le&\begin{pmatrix}\mathbf {b}^{(0)}\\ \mathbf {b}^{(1)}\end{pmatrix} \le \begin{pmatrix}\mathbf {1}_k\\ \mathbf {1}_k \end{pmatrix}\nonumber \end{aligned}$$
(11)

Similarly, for every \(\mathbf {p}\in \mathcal {L}_1\) and \(Y'\subseteq Y\), define

$$\begin{aligned} B_\mathbf {p}(Y')&=\begin{pmatrix}\left[ M^{(0,0)T} * P\right] _{Y'} &{} \left[ M^{(1,0)T} * P\right] _{Y'}\\ \left[ M^{(0,1)T} * P\right] _{Y'} &{} \left[ M^{(1,1)T} * P\right] _{Y'} \\ M^{(0,*)T} * P &{} M^{(1,*)T} * P \end{pmatrix},\qquad \vec {a}_\mathbf {p}= \begin{pmatrix} \left[ M^{(1,0)T} \right] _{Y'}\mathbf {p}\\ \left[ M^{(1,1)T} \right] _{Y'}\mathbf {p}\\ M^{(1,*)T}\mathbf {p}\end{pmatrix} \end{aligned}$$

where \(P=\mathbf {1}_k\cdot \mathbf {p}^T\) and the notation \([\cdot ]_{Y'} \) indicates that only the rows indexed by \(Y'\subseteq Y\) appear. Write \(\mathcal {L}_1=\{\mathbf {p}_1,\ldots , \mathbf {p}_{s_1}\}\) and consider the following linear system for unknown \((\mathbf {a}^{(0)T},\mathbf {a}^{(1)T})\).

$$\begin{aligned} \begin{pmatrix} B_{\mathbf {p}_1}(Y')\\ B_{\mathbf {p}_2}(Y')\\ \vdots \\ B_{\mathbf {p}_{s_1}}(Y') \end{pmatrix} \cdot&\begin{pmatrix}\mathbf {a}^{(0)}\\ \mathbf {a}^{(1)}\end{pmatrix} = \begin{pmatrix} \vec {a}_{\mathbf {p}_1}(Y')\\ \vec {a}_{\mathbf {p}_2}(Y')\\ \vdots \\ \vec {a}_{\mathbf {p}_{s_1}}(Y') \end{pmatrix} \\ \begin{pmatrix}\mathbf {0}_\ell \\ \mathbf {0}_\ell \end{pmatrix}\le&\begin{pmatrix}\mathbf {a}^{(0)}\\ \mathbf {a}^{(1)}\end{pmatrix} \le \begin{pmatrix}\mathbf {1}_\ell \\ \mathbf {1}_\ell \end{pmatrix}\nonumber \end{aligned}$$
(12)

As noted earlier, the idea is to delete inputs from the parties in a sequence of iterations. Namely, we begin by running a linear program that minimizes \(-\mathbf {1}_k^T\mathbf {b}^{(0)} +\mathbf {1}_k^T\mathbf {b}^{(1)}\) under the constraints of Eq. (11), with \(X'=X\). At this point, we delete any input \(y\in Y\) for which \(\mathbf {b}^{(1)}(y)-\mathbf {b}^{(0)}(y)<1\). Write \(Y^-\subseteq Y\) for the remaining inputs. We proceed by running a linear program that minimizes \(-\mathbf {1}_\ell ^T\mathbf {a}^{(0)} +\mathbf {1}_\ell ^T\mathbf {a}^{(1)}\) under the constraints of Eq. (12), with \(Y'=Y^-\). Again, we delete any input \(x\in X\) for which \(\mathbf {a}^{(1)}(x)-\mathbf {a}^{(0)}(x)<1\). We repeat the procedure until either one of the parties runs out of inputs or no further deletions can be made, for either party. See Fig. 4 for a full description of the algorithm. Before we discuss the general ramifications of the terminating step, we illustrate the usefulness of our algorithm with an example.

Fig. 4. An algorithm for designing fully-secure protocols.

Fig. 5. Protocol SecSamp \((\mathcal {T}_f)\) for computing f.

Example

Consider the deterministic asymmetric Boolean function from [3] described by the following matrices.

$$\begin{aligned} M^{(1,*)}= \left( \begin{matrix} 0 &{} 1 &{} 1 &{} 0 \\ 1 &{} 0 &{} 1 &{} 1 \\ 1 &{} 0 &{} 0 &{} 0 \\ 0 &{} 1 &{} 0 &{} 1 \end{matrix}\right) ,\qquad M^{(*,1)}= \left( \begin{matrix} 1 &{} 1 &{} 1 &{} 0 \\ 1 &{} 0 &{} 1 &{} 1 \\ 0 &{} 1 &{} 0 &{} 1 \\ 1 &{} 1 &{} 0 &{} 0 \end{matrix} \right) . \end{aligned}$$

For this function, each party has a unique locking strategy. Namely, \(\mathbf {p}^T=(1,1,1,1)\) and \(\mathbf {q}^T=(1,1,0,1)\) respectively. Let us walk through each iteration of the algorithm. The first optimization returns \(\mathbf {b}^{(0)T}=(0,0,1,0)\) and \(\mathbf {b}^{(1)T}=(1,1,0,1)\). Notice that \(Y^+=\{y_1,y_2,y_4\}\). The algorithm assigns \(Y^-=Y^+\) and moves on to the next step. The second optimization returns \(\mathbf {a}^{(0)T}=(1/2,0,1,1/2)\) and \(\mathbf {a}^{(1)T}=(1/2,0,1,1/2)\). Notice that \(X^+=\emptyset \), and the algorithm terminates. Now, we will use these vectors to define backup outputs for the parties. Consider the following two-round protocol described by means of the backup outputs \(\{(a_i,b_i)\}_{i=0\ldots 2}\). Assuming the parties use \(x\in X\) and \(y\in Y\) for the computation,

Observe that \(a_1\) and \(b_1\) are constructed in accordance with \(\mathbf {a}^{(0)}\), \(\mathbf {a}^{(1)}\) and \(\mathbf {b}^{(0)}\), \(\mathbf {b}^{(1)}\), respectively. It is not hard to see that the resulting protocol is passively secure and secure against sampling attacks. In light of Theorem 4.1, function f is computable with full security. Next, we discuss the general case.
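As an added illustration of the two iterations of the algorithm on the Example (this is not code from the paper, and it does not solve the linear programs: it takes the vectors reported above as given), the following Python script builds the matrices \(M^{(a,b)}\) from \(M^{(1,*)}\) and \(M^{(*,1)}\), checks that \(\mathbf {p}\) and \(\mathbf {q}\) are locking strategies, verifies that the reported vectors satisfy the rows of Eqs. (11) and (12), and applies the deletion rule to obtain \(Y^+\) and \(X^+\). Indices are 0-based, so \(y_1\) is index 0.

```python
from fractions import Fraction as Fr
# Constructed input: the deterministic function of the Example as M^(1,*) (f_1) and M^(*,1) (f_2); rows x, columns y.
F1 = [[0, 1, 1, 0], [1, 0, 1, 1], [1, 0, 0, 0], [0, 1, 0, 1]]
F2 = [[1, 1, 1, 0], [1, 0, 1, 1], [0, 1, 0, 1], [1, 1, 0, 0]]

def transpose(m):
    return [list(r) for r in zip(*m)]

def joint(f1, f2, a, c):
    """M^(a,c)(x,y) = Pr[f_1 = a, f_2 = c]; a 0/1 matrix for a deterministic function."""
    return [[int(f1[x][y] == a and f2[x][y] == c) for y in range(len(f1[0]))]
            for x in range(len(f1))]

def is_locking_q(f2, q):
    """q is a locking strategy for P_2 iff M^(*,1) q is a multiple of 1_ell."""
    return len({sum(f2[x][y] * q[y] for y in range(len(q))) for x in range(len(f2))}) == 1

def is_locking_p(f1, p):
    """p is a locking strategy for P_1 iff M^(1,*)^T p is a multiple of 1_k."""
    return is_locking_q(transpose(f1), p)

def residual_b(f1, f2, q, b0, b1, Xp):
    """Largest violation of A_q(X') (b^(0), b^(1)) = vec(b)_q from Eq. (11), reading b^(beta)(y)
    as Pr[b_{r-1} = 1 | y, f_2(x,y) = beta]: for x in X' the joint law of (f_1, b_{r-1}) under q
    must equal that of (f_1, f_2); for every x the marginal laws must agree.  0 means feasible."""
    M = {(a, c): joint(f1, f2, a, c) for a in (0, 1) for c in (0, 1)}
    worst = Fr(0)
    for x in range(len(f1)):
        lhs = [sum(q[y] * (M[a, 0][x][y] * b0[y] + M[a, 1][x][y] * b1[y])
                   for y in range(len(q))) for a in (0, 1)]
        rhs = [sum(q[y] * M[a, 1][x][y] for y in range(len(q))) for a in (0, 1)]
        if x in Xp:  # P_1 holding x is privy to f_1(x,y): both joint rows apply
            worst = max(worst, abs(lhs[0] - rhs[0]), abs(lhs[1] - rhs[1]))
        worst = max(worst, abs(sum(lhs) - sum(rhs)))  # marginal row built from M^(*,0), M^(*,1)
    return worst

def residual_a(f1, f2, p, a0, a1, Yp):
    """Eq. (12) is Eq. (11) with the parties' roles swapped: transpose both matrices."""
    return residual_b(transpose(f2), transpose(f1), p, a0, a1, Yp)

def surviving(v0, v1):
    """Inputs kept by the deletion rule, i.e. those with v^(1)(i) - v^(0)(i) = 1 (0-based)."""
    return {i for i in range(len(v0)) if v1[i] - v0[i] == 1}

def run_example():
    """Replay the two iterations of the Example with the vectors the paper reports."""
    p, q = [1, 1, 1, 1], [1, 1, 0, 1]                      # the unique locking strategies
    b0, b1 = [0, 0, 1, 0], [1, 1, 0, 1]                    # first optimization, P_1 corrupted
    a0 = a1 = [Fr(1, 2), 0, 1, Fr(1, 2)]                   # second optimization, P_2 corrupted
    Yplus = surviving(b0, b1)                              # Y^+ = Y^-, inputs P_2 may keep
    return {"locking": is_locking_p(F1, p) and is_locking_q(F2, q),
            "res_b": residual_b(F1, F2, q, b0, b1, set(range(len(F1)))),
            "Y_plus": Yplus, "res_a": residual_a(F1, F2, p, a0, a1, Yplus),
            "X_plus": surviving(a0, a1)}                   # empty: P_1 ran out of inputs
```

On the vectors above both residuals are 0, \(Y^+=\{0,1,3\}\) (i.e. \(\{y_1,y_2,y_4\}\)) and \(X^+=\emptyset \), matching the run described in the text; swapping in a constant choice such as \(\mathbf {b}^{(0)}=\mathbf {b}^{(1)}=\tfrac{1}{2}\cdot \mathbf {1}_k\) yields a positive residual, since \(P_2\)'s backup output cannot hide \(f_2\) on the support of \(\mathbf {q}\).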

General Case. Assume that the algorithm terminates because one of the parties ran out of inputs. Without loss of generality, say that \(Y^+=\emptyset \) and write

$$\begin{aligned} \begin{pmatrix}\mathbf {b}_0^{(0)}\\ \mathbf {b}_0^{(1)}\end{pmatrix} \cdots \begin{pmatrix}\mathbf {b}_{t}^{(0)}\\ \mathbf {b}_t^{(1)}\end{pmatrix} ,\qquad \begin{pmatrix}\mathbf {a}_1^{(0)}\\ \mathbf {a}_1^{(1)}\end{pmatrix} \cdots \begin{pmatrix}\mathbf {a}_{t}^{(0)}\\ \mathbf {a}_{t}^{(1)}\end{pmatrix} \end{aligned}$$

for the vectors computed in the execution of the algorithm – starting from the bottom-up – i.e. \(\mathbf {b}_0^{(0)}, \mathbf {b}_0^{(1)}\) denote the last vectors computed for \(P_2\) and \(\mathbf {b}_t^{(0)}, \mathbf {b}_t^{(1)}\) denote the first vectors computed for \(P_2\). Similarly, \(\mathbf {a}_1^{(0)}, \mathbf {a}_1^{(1)}\) denote the last vectors computed for \(P_1\) and \(\mathbf {a}_t^{(0)}, \mathbf {a}_t^{(1)}\) denote the first vectors computed for \(P_1\). Now, assume (footnote 5) that for every \(i\in \{1,\ldots , t\}\), and every \(j\in \{1,\ldots , \ell \}\), either \(\mathbf {a}_i^{(1)}(j)-\mathbf {a}_i^{(0)}(j)=1\) or \(\mathbf {a}_i^{(1)}(j)=\mathbf {a}_i^{(0)}(j)\). Similarly, for every \(i\in \{0,\ldots , t\}\), and every \(j\in \{1,\ldots , k\}\), either \(\mathbf {b}_i^{(1)}(j)-\mathbf {b}_i^{(0)}(j)=1\) or \(\mathbf {b}_i^{(1)}(j)=\mathbf {b}_i^{(0)}(j)\). Write \(\mathcal {T}_f\) for the transcript of the algorithm and consider the protocol from Fig. 5.

Theorem 5.7

Using the notation above, Protocol SecSamp \((\mathcal {T}_f)\) is passively secure and secure against sampling attacks.

Proof

(Sketch). The fact that the protocol is passively secure is trivial. Regarding security against sampling attacks, notice that, at any given round, the adversary either knows the output or knows nothing about it (other than what the corrupted party’s input suggests). The adversary will not be able to mount a successful sampling attack in either case. If the output has not been revealed to her, then her view is independent of the honest party’s output resulting from some locking strategy (regardless of whether she quits at that round or at the end). If the output has been revealed to the adversary, then sampling attacks are foiled by design thanks to the algorithm.

   \(\square \)

When the algorithm fails. We turn our attention to functions for which the algorithm returns \(Y^+\ne \emptyset \) and \(X^+\ne \emptyset \). Semi-balanced functions fall under this category. By Cleve [7], protocols that satisfy both correctness and security against sampling attacks do not exist in the plain model. However, there are functions other than semi-balanced for which the algorithm fails. Unfortunately, we do not fully understand why that is the case, and there appears to be a trade-off between fairness and privacy. To illustrate, we show that a certain function that lies in the gap can be computed with fairness but not privacy.

We emphasize that the function in question may still be computable with full security. However, our previous analysis together with the theorem below strongly indicate that the trade-off may be inherent.

Theorem 5.8

The function described by the matrices below admits a protocol that is fair-but-not-private.

$$\begin{aligned} M^{(1,*)}=\begin{pmatrix} 1 &{} 1 &{} 1 &{} 1 &{} 0 \\ 0 &{} 1 &{} 0 &{} 1 &{} 1 \\ 1 &{} 1 &{} 1 &{} 1 &{} 1 \\ 0 &{} 0 &{} 1 &{} 0 &{} 1 \\ 1 &{} 0 &{} 0 &{} 0 &{} 1 \end{pmatrix},\qquad M^{(*,1)}=\begin{pmatrix} 1 &{} 1 &{} 0 &{} 0 &{} 0 \\ 1 &{} 0 &{} 0 &{} 0 &{} 1 \\ 1 &{} 0 &{} 0 &{} 1 &{} 0 \\ 0 &{} 0 &{} 1 &{} 1 &{} 1 \\ 0 &{} 1 &{} 0 &{} 1 &{} 0 \end{pmatrix}. \end{aligned}$$

Proof

Consider the following 2-round protocol defined by means of the backup outputs \(\{a_i,b_i\}_{i=1\ldots 2}\).

$$\begin{aligned} \begin{array}{l@{\qquad }l@{\qquad }l@{\qquad }l} a_0=f_1(x,\widetilde{y}) \, \;\text {where } \,\widetilde{y}\in _U Y &{} &{} b_0 =b\in _U \{0,1\}\\ \text { If } y\in \{y_1,y_3,y_5\} \quad &{} a_1= {\left\{ \begin{array}{ll}a\in _U \{0,1\} &{} \text {if }x=x_1 \\ 0 &{}\text {if }x=x_5 \\ 1 &{} \text {otherwise} \end{array}\right. } \qquad &{}b_1 = f(x,y). \\ \\ \text {If } y\in \{y_2,y_4\} \quad &{} a_1= {\left\{ \begin{array}{ll}0 &{}\text {if }x\in \{x_4,x_5\} \\ 1 &{} \text {otherwise} \end{array}\right. } \\ a_2=f(x,y)&{} &{} b_2 =f(x,y) \end{array} \end{aligned}$$

A straightforward computation shows that the protocol is secure against sampling attacks. However, the protocol is obviously not passively secure. Notice that the backup output \(a_1\) leaks information about \(P_2\)’s input. Nevertheless, by plugging the protocol into our compiler, the resulting protocol satisfies fairness. Formally, by having the trusted party leak the honest party’s input to the simulator in the ideal model, one can show that the resulting protocol is secure with respect to the new model.   \(\square \)

6 Conclusions and Open Problems

In this paper, we introduced a notion of security referred to as security against sampling attacks. The notion of security is useful because it is necessary for fairness and it appears easier to achieve compared to fairness. What is more, we showed how certain protocols satisfying security against sampling attacks can be transformed into fully-secure protocols. We emphasize that the route towards full-security we propose is not arbitrary; every known protocol based on GHKL can be viewed as a special case of our approach. Finally, for asymmetric functions, we showed how to design suitable protocols by means of an algorithm. Given an asymmetric (possibly randomized) Boolean function, our algorithm either returns an appropriate protocol or it returns that it failed to do so. Unfortunately, our algorithm fails for functions other than semi-balanced, and the status of these functions is still unknown. We provide a few conjectures as to why that may be the case.

First, we believe that a failure on the part of the algorithm is essentially a proof of impossibility. In other words, we believe that if our algorithm fails to come up with a suitable protocol for some function, then any realization of the function is susceptible to some attack. At the same time, we believe that the attack in question cannot rely solely on sampling attacks, but on some combination of passive and sampling attacks. The motivation behind this belief is that we suspect certain functions to be computable with fairness-but-privacy (footnote 6) but not with full security. A candidate for such a function is given at the end of the last section.

The Multi-party Case. We note that, like [3], our analysis extends to the multi-party case where the total number of parties is constant and exactly half of the parties are corrupted. Specifically, if \(f=(f_1, \ldots , f_t): Z_1\times \ldots \times Z_t \rightarrow [m]^t\) denotes a (possibly randomized) t-party function, there are \(\binom{t}{t/2}\) two-party functions that result from partitioning the set into two equal-sized subsets. These functions can be viewed as non-Boolean asymmetric functions in \(X\times Y\rightarrow [m^{t/2}]^2\). Using the techniques from [3, 5], functionality f is fair if and only if all of the underlying two-party functions are fair as well. Thus, our framework is also useful in this regard.

Finally, our work says little about the multi-party case with absolute dishonest majorities as well as two-party and multi-party functionalities that depend on the security parameter \(\mathcal {F}=\{f_n\}_{n\in \mathbb {N}}\). Of course, locking strategies and sampling attacks are still meaningful in these settings, and it would be interesting to see how they can be put to use.