Gilad Asharov - Cornell University (asharov/slides/Ash14.pdf)
𝑛 parties, each holding a private input, wish to compute a function of their joint inputs
– average of salaries, auctions, private database query, private data mining
Security should be preserved even when some of the parties are corrupted
– correctness, privacy, independence of inputs and... fairness
If the adversary learns the output, then all parties should learn it as well
– In some sense, parties receive outputs simultaneously
• Complete fairness can be achieved in the multiparty setting with an honest majority [GMW87, BGW88, CCD88, RB89, Be91]
• What about no honest majority?
– Special case: Two party setting?
• Beginning of execution – no knowledge about the outputs
• End of execution – full knowledge about them
• Protocols proceed in rounds
• The parties cannot exchange information simultaneously
• There must be a point when a party knows more than the other
[Figure label: abort]
• Take a fair protocol
• Remove the last round -> still a fair protocol
• Continue the process...
• We are left with an empty protocol
• In 1986, Cleve showed that fairness is impossible in general (two-party)
• The coin-tossing functionality is impossible:
– both parties agree on the same uniform bit
– no party can bias the result
• Implies that the boolean XOR function is also impossible
• Since 1986, the accepted belief was that nothing non-trivial can be computed fairly
• Many notions of partial fairness – gradual release, probabilistic fairness, optimistic exchange, fairness in expectation [BeaverGoldwasser89] [GoldwasserLevin90] [BonehNaor2000] [Micali98]…
• Even two definitions of security – one with fairness, one without
• For two decades – no results on complete fairness
Gordon, Hazay, Katz and Lindell [STOC08] showed that there exist some non-trivial functions that can be computed with complete fairness!

|    | y1 | y2 |
|----|----|----|
| x1 | 0  | 1  |
| x2 | 1  | 0  |
| x3 | 1  | 1  |

• A fundamental question:
What functions can and cannot be securely computed with complete fairness?
• Impossibility: Cleve
• Only a few examples of functions that are possible
• A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness. A, Lindell and Rabin [TCC 2013]
• Towards Characterizing Complete Fairness in Secure Two-Party Computing. A [TCC 2014]
Set Membership
– X input: 𝑆 ⊆ Ω (possible inputs: 2^Ω)
– Y input: 𝜔 ∈ Ω (possible inputs: |Ω|)
– The function 𝑓(𝑆, 𝜔) = 𝜔 ∈ 𝑆?
Private Evaluation of a Boolean Function
– X input: 𝑔 ∈ 𝐹 (𝐹 = {𝑔: Ω → {0,1}})
– Y input: 𝑦 ∈ Ω
– The function 𝑓(𝑔, 𝑦) = 𝑔(𝑦)
Private Matchmaking:
– X holds set of preferences (“what I am looking for”)
– Y holds a profile (“who I am”)
– Output: Does Y match X
𝑨 ⊆ 𝑩:
– X holds 𝐴 ⊆ Ω
– Y holds 𝐵 ⊆ Ω
– Output: 𝐴 ⊆ 𝐵?
Set Disjointness:
– X holds 𝐴 ⊆ Ω
– Y holds 𝐵 ⊆ Ω
– Output: 𝐴 ∩ 𝐵 = ∅?
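Impossible: 𝐴 = 𝐵, implies coin-tossing [ALR13]

$$\begin{pmatrix} 1 & \mathbf{0} & \mathbf{0} & \mathbf{0} \\ 0 & 1 & \mathbf{0} & \mathbf{0} \\ 0 & 0 & 1 & \mathbf{0} \\ 0 & 0 & 0 & 1 \end{pmatrix}$$

Possible: 𝐴 ⊆ 𝐵

$$\begin{pmatrix} 1 & \mathbf{1} & \mathbf{1} & \mathbf{1} \\ 0 & 1 & \mathbf{0} & \mathbf{1} \\ 0 & 0 & 1 & \mathbf{1} \\ 0 & 0 & 0 & 1 \end{pmatrix}$$

Unknown: not coin-tossing, not [GHKL08]*

$$\begin{pmatrix} 1 & \mathbf{0} & \mathbf{1} & \mathbf{1} \\ 0 & 1 & \mathbf{1} & \mathbf{1} \\ 0 & 0 & 1 & \mathbf{0} \\ 0 & 0 & 0 & 1 \end{pmatrix}$$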
Asharov, Lindell, Rabin
A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness
The coin-tossing functionality is impossible: 𝑓(𝜆, 𝜆) = (𝑈, 𝑈)
(𝑈 is the uniform distribution over {0,1})
– both parties agree on the same uniform bit
– no party can bias the result
Question: Which Boolean functions are ruled out by this impossibility? Which functions imply fair coin-tossing?
Question: Assume a fair protocol for the XOR function. How can we use it to toss a coin?
Answer: Each party chooses a uniform bit, then XOR them
$(p_1, p_2)$: distribution over the inputs of X. $(q_1, q_2)$: distribution over the inputs of Y.

$$\Pr[\mathit{output} = 1] = \begin{pmatrix} p_1 & p_2 \end{pmatrix} \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} q_1 \\ q_2 \end{pmatrix}$$

$$\begin{pmatrix} \tfrac12 & \tfrac12 \end{pmatrix} \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} q_1 \\ q_2 \end{pmatrix} = \begin{pmatrix} \tfrac12 & \tfrac12 \end{pmatrix} \begin{pmatrix} q_1 \\ q_2 \end{pmatrix} = \tfrac12$$

$$\begin{pmatrix} p_1 & p_2 \end{pmatrix} \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} \tfrac12 \\ \tfrac12 \end{pmatrix} = \begin{pmatrix} p_1 & p_2 \end{pmatrix} \begin{pmatrix} \tfrac12 \\ \tfrac12 \end{pmatrix} = \tfrac12$$
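𝒇 is 𝜹-balanced if there exist probability vectors $\mathbf{p} = (p_1, \dots, p_m)$, $\mathbf{q} = (q_1, \dots, q_\ell)$ and $0 < \delta < 1$ s.t.:

$$\mathbf{p} \cdot M_f = \delta \cdot \mathbf{1}_\ell \quad \text{AND} \quad M_f \cdot \mathbf{q}^T = \delta \cdot \mathbf{1}_m^T$$

Theorem: If 𝑓 is 𝛿-balanced then it implies fair coin-tossing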
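$$\begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix} \quad \begin{pmatrix} 1 & 0 & 1 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix} \quad \begin{pmatrix} 1 & 0 \\ 0 & 1 \\ 1 & 1 \end{pmatrix} \quad \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$$

(left-balanced, right-unbalanced)

$$\begin{pmatrix} 1 & 0 \\ 0 & 1 \\ 1 & 1 \end{pmatrix} \begin{pmatrix} p \\ 1 - p \end{pmatrix} = \begin{pmatrix} p \\ 1 - p \\ 1 \end{pmatrix}$$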
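As an added illustration (not code from the slides or from [ALR13]), the following checks the 𝛿-balanced condition for any small 0/1 matrix by exact vertex enumeration, and evaluates Pr[output = 1] = 𝒑 · 𝑀𝑓 · 𝒒ᵀ as in the XOR computation above. The function names are hypothetical, and reading "left/right-balanced" as the one-sided equation holding for some constant is an assumption.

```python
from fractions import Fraction
from itertools import combinations
from typing import NamedTuple, Optional


def _unique_solution(cols, rhs):
    """Solve sum_j x_j * cols[j] == rhs exactly; None unless the solution is unique."""
    n_eq, n_var = len(rhs), len(cols)
    aug = [[Fraction(cols[j][i]) for j in range(n_var)] + [Fraction(rhs[i])]
           for i in range(n_eq)]
    row = 0
    for c in range(n_var):
        hit = next((r for r in range(row, n_eq) if aug[r][c] != 0), None)
        if hit is None:               # dependent columns: not a vertex
            return None
        aug[row], aug[hit] = aug[hit], aug[row]
        pivot = aug[row][c]
        aug[row] = [v / pivot for v in aug[row]]
        for r in range(n_eq):
            if r != row and aug[r][c] != 0:
                f = aug[r][c]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[row])]
        row += 1
    if any(aug[r][-1] != 0 for r in range(row, n_eq)):
        return None                   # inconsistent system
    return [aug[r][-1] for r in range(n_var)]


def one_sided(M):
    """Vertices p of {p >= 0, sum(p) = 1, p.M = const * 1}, as (const, p) pairs."""
    m, l = len(M), len(M[0])
    # Row i contributes M[i][j] - M[i][0] to "column j equals column 0"
    # and 1 to the normalisation constraint sum(p) = 1.
    cols = [[M[i][j] - M[i][0] for j in range(1, l)] + [1] for i in range(m)]
    rhs = [0] * (l - 1) + [1]
    found = []
    for k in range(1, min(m, l) + 1):
        for support in combinations(range(m), k):
            x = _unique_solution([cols[i] for i in support], rhs)
            if x is None or min(x) < 0:
                continue
            p = [Fraction(0)] * m
            for i, v in zip(support, x):
                p[i] = v
            found.append((sum(p[i] * M[i][0] for i in range(m)), p))
    return found


class Balance(NamedTuple):
    left: bool                     # some p makes p.M constant (assumed reading)
    right: bool                    # some q makes M.q^T constant (assumed reading)
    delta: Optional[Fraction]      # set only when both hold and 0 < delta < 1
    p: Optional[list]
    q: Optional[list]


def check_balance(M):
    left = one_sided(M)
    right = one_sided([list(col) for col in zip(*M)])
    if left and right:
        # p.M.q^T equals both the left and the right constant, so delta is forced.
        (d, p), (_, q) = left[0], right[0]
        if 0 < d < 1:
            return Balance(True, True, d, p, q)
    return Balance(bool(left), bool(right), None, None, None)


def prob_one(p, M, q):
    """Pr[output = 1] = p . M . q^T when X samples from p and Y from q."""
    return sum(p[i] * M[i][j] * q[j]
               for i in range(len(M)) for j in range(len(M[0])))


# Matrices as they appear on the slides.
XOR = [[0, 1], [1, 0]]
IDENTITY3 = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
GHKL = [[1, 0], [0, 1], [1, 1]]

if __name__ == "__main__":
    for name, M in [("XOR", XOR), ("3x3 identity", IDENTITY3), ("3x2", GHKL)]:
        print(name, check_balance(M))
    # Constructed skewed input distribution for Y: the output stays uniform.
    skewed = [Fraction(9, 10), Fraction(1, 10)]
    print(prob_one(check_balance(XOR).p, XOR, skewed))
```
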
Theorem: if 𝑓 is not 𝛿-balanced for any 0 < 𝛿 < 1, then it does not imply coin tossing*
• We show that for any coin-tossing protocol in the 𝑓-hybrid model, there exists an adversary that can bias the result
• Unlike Cleve – here we do have something simultaneous. A completely different argument is given
• Caveat: the adversary is inefficient
• However, impossibility holds also when the parties have an OT oracle (and so commitments, ZK, etc.)
Asharov
Gordon, Hazay, Katz and Lindell [STOC08] presented a general protocol and proved that a particular function can be computed using this protocol
Question: What functions can be computed using this protocol?
• Almost all functions with |X| ≠ |Y|: can be computed using the protocol
• Almost all functions with |X| = |Y|: cannot be computed using the protocol
– If the function has a monochromatic input, it may be possible even if |X| = |Y|
• Characterization of [GHKL08] is not tight!
– There are functions that are left unknown
• Special round 𝑖∗
• Until round 𝑖∗ - the outputs are random and uncorrelated (𝑓 𝑥, 𝑦 , 𝑓 𝑥 , 𝑦 )
• Starting at 𝑖∗ - the outputs are correct
• At 𝑖∗, Px learns before Py
• Security:
– Py is always the second to receive output
  • Simulation is possible for all functions
– Px is always the first to receive output
  • Simulation is possible only for some functions
[Figure: Trusted Party, with labels 𝑦, 𝑥, 𝑓(𝑥, 𝑦), 𝑓(𝑥, 𝑦)]
![Page 69: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/69.jpg)
Before 𝑖∗ : 𝑓(𝑥 , 𝑦)
(1/3, 1/3, 1/3)
(2/3, 2/3)
![Page 72: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/72.jpg)
Before 𝑖∗ : 𝑓(𝑥 , 𝑦)
(1/3−𝜖, 1/3, 1/3+𝜖)
(2/3+𝜖, 2/3)
![Page 75: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/75.jpg)
Before 𝑖∗ : 𝑓(𝑥 , 𝑦)
      y1   y2
x1    0    1     1/2    1/2
x2    1    0     1/2    1/2+𝜖
(1/2, 1/2)
(1/2+𝜖, 1/2)
![Page 76: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/76.jpg)
(1 − 𝑝, 𝑝)
(1 − 𝑝1, 1 − 𝑝2)
![Page 79: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/79.jpg)
1) General for multiparty computation: “The power of the ideal adversary”
– Geometric representation
2) Specific for the [GHKL08] protocol: Adding more rounds – less to correct!
![Page 80: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/80.jpg)
REAL
Before 𝒊∗: 𝑓(𝑥 , 𝑦) for uniform 𝑥 (1/3, 1/3, 1/3) ⇒ (2/3, 2/3)
𝐸[𝑅] = 5    𝐸[𝑅] = 100
![Page 81: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/81.jpg)
All points that the simulator needs are inside some “ball”
• The center – the output distribution of REAL
• The radius – a function of number of rounds
![Page 84: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/84.jpg)
• Let 𝑓: {𝑥_1, … , 𝑥_ℓ} × {𝑦_1, … , 𝑦_𝑚} → {0,1}
• Consider the ℓ points 𝑋_1, … , 𝑋_ℓ in ℝ^𝑚 (the “rows” of the matrix)
Definition
If the geometric object defined by 𝑋_1, … , 𝑋_ℓ ∈ ℝ^𝑚 is of dimension 𝑚, then the function is full-dimensional
![Page 88: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/88.jpg)
Theorem
If 𝑓 is of full-dimension, then it can be computed with complete fairness
Proof:
• We use the protocol of [GHKL08]
• We show that all the points that the simulator needs are inside a small “ball”
• The ball is embedded inside the geometric object defined by the function
![Page 89: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/89.jpg)
      y1   y2   y3
x1    1    0    0
x2    0    1    0
x3    0    0    1
x4    1    1    1
![Page 90: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/90.jpg)
• In ℝ^2 - all points do not lie on a single LINE
• In ℝ^3 - all points do not lie on a single PLANE
• …
• In ℝ^𝑚 - all points do not lie on a single HYPERPLANE
Not Full-Dimensional
• In ℝ^2 - (𝑧_1, 𝑧_2): ∃ 𝑞_1, 𝑞_2, 𝛿 ∈ ℝ s.t. 𝑞_1𝑧_1 + 𝑞_2𝑧_2 = 𝛿?
• In ℝ^3 - (𝑧_1, 𝑧_2, 𝑧_3): ∃ 𝑞_1, 𝑞_2, 𝑞_3, 𝛿 ∈ ℝ s.t. 𝑞_1𝑧_1 + 𝑞_2𝑧_2 + 𝑞_3𝑧_3 = 𝛿?
![Page 92: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/92.jpg)
• Full-dimensional function
• The function is right-unbalanced:
– For every non-zero 𝒒 ∈ ℝ^𝑚, 𝛿 ∈ ℝ it holds that: 𝑀_𝑓 ⋅ 𝒒 ≠ 𝛿 ⋅ 𝟏
Easy to Check Criterion:
No solution 𝒒 for: 𝑀_𝑓 ⋅ 𝒒 = 𝟏
Only trivial solution for: 𝑀_𝑓 ⋅ 𝒒 = 𝟎
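The easy-to-check criterion above, written out as an added example (not code from the slides): it tests a 0/1 matrix for full dimension with exact rational arithmetic and, when the test fails, returns the hyperplane (𝒒, 𝛿) that the rows lie on. The function names are this example's own; the two matrices are the 2 × 2 and 4 × 3 tables shown in the slides, with columns taken in the order y1, y2, ….

```python
from fractions import Fraction

def hyperplane_witness(M):
    """Return (q, delta) with q != 0 and M·q = delta·1, or None if none exists.

    None means the rows of M lie on no common hyperplane: M is full-dimensional.
    """
    rows, m = len(M), len(M[0])
    # M·q = delta·1 is the homogeneous system [M | -1]·(q, delta) = 0.
    # Any non-trivial solution has q != 0, since q = 0 would force delta = 0.
    A = [[Fraction(v) for v in row] + [Fraction(-1)] for row in M]
    pivots = []                          # pivot column of each reduced row
    for c in range(m + 1):               # exact Gauss-Jordan elimination
        r = len(pivots)
        p = next((i for i in range(r, rows) if A[i][c] != 0), None)
        if p is None:
            continue                     # column c is a free variable
        A[r], A[p] = A[p], A[r]
        pivot = A[r][c]
        A[r] = [v / pivot for v in A[r]]
        for i in range(rows):
            if i != r and A[i][c] != 0:
                factor = A[i][c]
                A[i] = [a - factor * b for a, b in zip(A[i], A[r])]
        pivots.append(c)
    free = [c for c in range(m + 1) if c not in pivots]
    if not free:
        return None                      # rank m+1: only the trivial solution
    # Set one free variable to 1 and read the pivot variables off the reduced rows.
    sol = [Fraction(0)] * (m + 1)
    sol[free[0]] = Fraction(1)
    for i, c in enumerate(pivots):
        sol[c] = -A[i][free[0]]
    return sol[:m], sol[m]

def is_full_dimensional(M):
    return hyperplane_witness(M) is None

# Tables from the slides: rows are x_i, columns are y_1..y_m.
M_2x2 = [[0, 1], [1, 0]]
M_4x3 = [[1, 0, 0], [0, 1, 0], [0, 0, 1], [1, 1, 1]]

if __name__ == "__main__":
    for name, M in (("2x2", M_2x2), ("4x3", M_4x3)):
        w = hyperplane_witness(M)
        print(name, "full-dimensional" if w is None else f"on hyperplane q={w[0]}, delta={w[1]}")
```

For the 2 × 2 table the witness is 𝒒 = (1, 1), 𝛿 = 1: both rows lie on the line 𝑧_1 + 𝑧_2 = 1, so the function is not full-dimensional, while the fourth row of the 4 × 3 table lifts its points off the plane 𝑧_1 + 𝑧_2 + 𝑧_3 = 1.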
![Page 95: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/95.jpg)
Balanced with respect to probability vector: IMPOSSIBLE!
Unbalanced with respect to probability vector, balanced with respect to arbitrary vectors:
• If the hyperplanes do not contain the origin: cannot be computed using [GHKL08] (with particular simulation strategy)
• If the hyperplanes contain the origin: not characterized (sometimes the GHKL protocol is possible)
Unbalanced with respect to arbitrary vectors: FAIR!
![Page 96: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/96.jpg)
CONCLUSIONS
![Page 100: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/100.jpg)
• 𝑃_𝑑: The probability that a 0/1 matrix is singular?
– Conjecture: (1/2+o(1))^𝑑 (roughly the probability to have two rows that are the same)
– Komlos (67): 0.999^𝑑
– Tao and Vu [STOC 05]: (3/4+o(1))^𝑑
– Best known today [Vu and Hood 09]: (1/√2+o(1))^𝑑

𝑑     𝑃_𝑑
1     0.5
5     0.627
10    0.297
15    0.047
20    0.0025
25    0.0000689
30    0.0000015
![Page 102: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/102.jpg)
• 𝑑 + 1 random 0/1-points in ℝ^𝑑 define a full-dimensional geometric object? 1 − 𝑃_𝑑 (tends to 1)
• 𝑑 points in ℝ^𝑑 define a hyperplane that passes through 0,1? 4𝑃_𝑑 (tends to 0)
• Almost all functions with |𝑋| ≠ |𝑌|: can be computed with complete fairness
• Almost all functions with |𝑋| = |𝑌|: cannot be computed with the [GHKL08] framework
![Page 103: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/103.jpg)
• 𝒅 × 𝒅 functions with monochromatic input
– Define hyperplanes that pass through 0 or 1
– Almost always – possible
• Asymmetric functions
– 𝑓(𝑥, 𝑦) = (𝑓_1, 𝑓_2)
– If 𝑓_1 or 𝑓_2 are full-dimensional ⇒ possible!
• Non-binary outputs 𝒇: 𝑿 × 𝒀 → 𝚺
– General criteria, holds when |𝑋|/|𝑌| > |Σ| − 1

      y1   y2
x1    0    1
x2    1    0
x3    1    1
x4    2    0
x5    1    2
![Page 105: Gilad Asharov - Cornell Universityasharov/slides/Ash14.pdf · If the adversary learns the output, then all parties should learn also –In some sense, parties receive outputs simultaneously](https://reader033.vdocument.in/reader033/viewer/2022051802/5ae8428a7f8b9a8b2b8fc0cd/html5/thumbnails/105.jpg)
• The characterization is not complete
• We have a better understanding of the “power” of the ideal world adversary
• We have no real understanding of the “power” of the real-world adversary
• Open problem:
– Finalize the characterization!
– Almost all functions with |𝑋| = |𝑌| are unknown
Thank you!