We briefly present the standard definition for secure multiparty computation and refer to [Gol04, Chapter 7] for more details and motivating discussions. A two-party protocol problem is cast by specifying a random process that maps pairs of inputs to pairs of outputs (one for each party). We refer to such a process as a
functionality and denote it $f : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^* \times \{0,1\}^*$, where $f = (f_1, f_2)$. That is, for every pair of inputs $(x, y)$, the output vector is a random variable $(f_1(x, y), f_2(x, y))$ ranging over pairs of strings, where $P_1$ receives $f_1(x, y)$ and $P_2$ receives $f_2(x, y)$. We use the notation $(x, y) \mapsto (f_1(x, y), f_2(x, y))$ to describe a functionality. We prove the security of our protocols in the setting of malicious, computationally bounded adversaries. Security is analyzed by comparing what an adversary can do in a real protocol execution to what it can do in an ideal scenario. In the ideal scenario, the computation involves an incorruptible
trusted third party to whom the parties send their inputs. The trusted party computes the functionality on the inputs and returns to each party its respective output. Informally, the protocol is secure if any adversary interacting in the real protocol (i.e., where no trusted third party exists) can do no more harm than what it could do in the ideal scenario. In this paper we follow the $1/p$-secure computation definition from [GK10], which presents a simulation-based definition in which the real and the simulated distributions may differ by at most $1/p$.
Execution in the ideal model. In an ideal execution, the parties submit inputs to a trusted party, which computes the output. An honest party receives its input for the computation and just directs it to the trusted party, whereas a corrupted party can replace its input with any other value of the same length. Since we do not consider fairness, the trusted party first sends the outputs of the corrupted parties to the adversary, and the adversary then decides whether the honest parties receive their outputs from the trusted party or an abort symbol $\bot$. Let $f$ be a two-party functionality where $f = (f_1, f_2)$, let $\mathcal{A}$ be a PPT algorithm, and let $I \subset [2]$ be the set of corrupted parties (either $P_1$ is corrupted, or $P_2$ is corrupted, or neither). Then, the ideal execution of $f$ on inputs $(x, y)$, auxiliary input $z$ to $\mathcal{A}$ and security parameter $n$, denoted $\mathrm{IDEAL}_{f,\mathcal{A}(z),I}(n, x, y)$, is defined as the output pair of the honest party and the adversary $\mathcal{A}$ from the above ideal execution.
Execution in the real model. In the real model there is no trusted third party and the parties interact directly. The adversary $\mathcal{A}$ sends all messages in place of the corrupted party, and may follow an arbitrary polynomial-time strategy. The honest parties follow the instructions of the specified protocol $\pi$.
Let $f$ be as above and let $\pi$ be a two-party protocol for computing $f$. Furthermore, let $\mathcal{A}$ be a PPT algorithm and let $I$ be the set of corrupted parties. Then, the real execution of $\pi$ on inputs $(x, y)$, auxiliary input $z$ to $\mathcal{A}$ and security parameter $n$, denoted $\mathrm{REAL}_{\pi,\mathcal{A}(z),I}(n, x, y)$, is defined as the output vector of the honest parties and the adversary $\mathcal{A}$ from the real execution of $\pi$.
Security as emulation of a real execution in the ideal model. Having defined the ideal and real models, we can now define security of protocols. Loosely speaking, the definition asserts that a secure two-party protocol (in the real model) emulates the ideal model (in which a trusted party exists). This is formulated by saying that adversaries in the ideal model are able to simulate executions of the real-model protocol.
Definition A.6 Let $f$ and $\pi$ be as above. Protocol $\pi$ is said to securely compute $f$ with abort in the presence of malicious adversaries if for every PPT adversary $\mathcal{A}$ for the real model, there exists a PPT adversary $\mathcal{S}$ for the ideal model, such that for every $I \subset [2]$,
$$\{\mathrm{IDEAL}_{f,\mathcal{S}(z),I}(n, x, y)\}_{n \in \mathbb{N},\, x, y, z \in \{0,1\}^*} \;\overset{1/p}{\approx}\; \{\mathrm{REAL}_{\pi,\mathcal{A}(z),I}(n, x, y)\}_{n \in \mathbb{N},\, x, y, z \in \{0,1\}^*}$$
where $n$ is the security parameter.
The $\mathcal{F}$-hybrid model. In order to construct some of our protocols, we will use secure two-party protocols as subprotocols. The standard way of doing this is to work in a “hybrid model” where parties both interact with each other (as in the real model) and use trusted help (as in the ideal model). Specifically, when constructing a protocol $\pi$ that uses a subprotocol for securely computing some functionality $\mathcal{F}$, we consider the case that the parties run $\pi$ and use “ideal calls” to a trusted party for computing $\mathcal{F}$. Upon receiving the inputs from the parties, the trusted party computes $\mathcal{F}$ and sends all parties their output. Then, after receiving these outputs back from the trusted party, the protocol $\pi$ continues. Let $\mathcal{F}$ be a functionality and let $\pi$ be a two-party protocol that uses ideal calls to a trusted party computing $\mathcal{F}$. Furthermore, let $\mathcal{A}$ be a non-uniform probabilistic polynomial-time algorithm. Then, the $\mathcal{F}$-hybrid execution of $\pi$ on inputs $(x, y)$, auxiliary input $z$ to $\mathcal{A}$ and security parameter $n$, denoted $\mathrm{hyb}^{\mathcal{F}}_{\pi,\mathcal{A}(z)}(n, x, y)$, is defined as the output vector
of the honest parties and the adversary $\mathcal{A}$ from the hybrid execution of $\pi$ with a trusted party computing $\mathcal{F}$. By the composition theorem of [Can00], any protocol that securely implements $\mathcal{F}$ can replace the ideal calls to $\mathcal{F}$.
B Proving Corollary 6.4
In this section, we argue that our OT protocol from Section 6, and the ensuing 2PC due to [IKO+11], satisfy the notion of input-indistinguishable computation (IIC) due to [MPR06].
We first recall our protocol below:
1. Sen → Rec: Sen samples $(i, tk_0, tk_1) \leftarrow \mathrm{Gen}(1^n)$ and sends $i$ to the receiver Rec.
2. Rec → Sen: Rec samples $x \leftarrow D_i$ and sends $y = f_i^b(x)$.
3. Sen → Rec: Upon receiving $y$, Sen computes $x_\beta = (f_i^\beta)^{-1}(y)$ for all $\beta \in \{0,1\}$, and sends $(\langle x_0, r_0 \rangle \oplus s_0,\, r_0)$ and $(\langle x_1, r_1 \rangle \oplus s_1,\, r_1)$ for random $r_0, r_1$.
To prove that our protocol satisfies IIC we need to show there exist implicit input functions $\mathrm{IN}_1$ and $\mathrm{IN}_2$ that respectively satisfy implicit computation and input-indistinguishability for the sender and receiver. First, since the sender does not receive any output in the OT protocol, it follows immediately that implicit computation w.r.t. the sender holds against a malicious receiver. On the other hand, input indistinguishability against a malicious sender follows since the receiver's message information-theoretically hides its input bit. Next, we argue implicit computation w.r.t. the receiver against a malicious sender. This follows from the fact that the functions $f_i^b$ are permutations and the third message perfectly binds the sender's inputs. Hence, it is possible to define $\mathrm{IN}_1$ for which the receiver learns the value corresponding to this input.
In order to argue input-indistinguishability against a malicious receiver we need to show that there exists an implicit input function $\mathrm{IN}_2$ for which this property holds. This follows by contradiction: if there does not exist any implicit input function for which the property holds, then there must exist a malicious receiver $R^*$, a polynomial $p(\cdot)$, infinitely many lengths $n$, and values $s_0^n, s_1^n, \hat{s}_0^n, \hat{s}_1^n, \tilde{s}_0^n, \tilde{s}_1^n$ such that $s_1^n \neq \tilde{s}_1^n$, $\hat{s}_0^n \neq \tilde{s}_0^n$ and $R^*$ can distinguish with probability at least $1/p(n)$ in both of the following cases:
1. Sender's inputs are $(s_0^n, s_1^n)$ and $(s_0^n, \tilde{s}_1^n)$, and
2. Sender's inputs are $(\hat{s}_0^n, \hat{s}_1^n)$ and $(\tilde{s}_0^n, \hat{s}_1^n)$.
In other words, the receiver can distinguish both of the sender's values (from random) for infinitely many lengths. This contradicts the fact that our protocol is private against a malicious receiver as proved in Theorem 6.2 (which in turn was proved by showing that $R^*$ can break the claw-freeness of the family of functions).