
    Converses for Secret Key Agreement and Secure Computing

    We consider information theoretic secret key agreement and secure function computation by multiple parties observing correlated data, with access to an interactive public communication channel. Our main result is an upper bound on the secret key length, which is derived using a reduction of binary hypothesis testing to multiparty secret key agreement. Building on this basic result, we derive new converses for multiparty secret key agreement. Furthermore, we derive converse results for the oblivious transfer problem and the bit commitment problem by relating them to secret key agreement. Finally, we derive a necessary condition for the feasibility of secure computation by trusted parties that seek to compute a function of their collective data, using an interactive public communication that by itself does not give away the value of the function. In many cases, we strengthen and improve upon previously known converse bounds. Our results are single-shot and use only the given joint distribution of the correlated observations. For the case when the correlated observations consist of independent and identically distributed (in time) sequences, we derive strong versions of previously known converses.

    On the Communication Complexity of Secure Computation

    Information theoretically secure multi-party computation (MPC) is a central primitive of modern cryptography. However, relatively little is known about the communication complexity of this primitive. In this work, we develop powerful information theoretic tools to prove lower bounds on the communication complexity of MPC. We restrict ourselves to a 3-party setting in order to bring out the power of these tools without introducing too many complications. Our techniques include the use of a data processing inequality for residual information, i.e., the gap between mutual information and Gács-Körner common information, a new information inequality for 3-party protocols, and the idea of distribution switching by which lower bounds computed under certain worst-case scenarios can be shown to apply for the general case. Using these techniques we obtain tight bounds on communication complexity by MPC protocols for various interesting functions. In particular, we show concrete functions that have "communication-ideal" protocols, which achieve the minimum communication simultaneously on all links in the network. Also, we obtain the first explicit example of a function that incurs a higher communication cost than the input length in the secure computation model of Feige, Kilian and Naor (1994), who had shown that such functions exist. We also show that our communication bounds imply tight lower bounds on the amount of randomness required by MPC protocols for many interesting functions. Comment: 37 page

    On the Cryptographic Complexity of the Worst Functions

    We study the complexity of realizing the “worst” functions in several standard models of information-theoretic cryptography. For each of these models, we obtain the first solution whose complexity is sublinear in the relevant domain size. In particular, for the case of security against passive adversaries, we obtain the following main results.
    • OT complexity of secure two-party computation. Every function f: [N] × [N] → {0, 1} can be securely evaluated using Õ(N^{2/3}) invocations of an oblivious transfer oracle. A similar result holds for securely sampling a uniform pair of outputs from a set S ⊆ [N] × [N].
    • Correlated randomness complexity of secure two-party computation. Every function f: [N] × [N] → {0, 1} can be securely evaluated using 2^{Õ(√log N)} bits of correlated randomness.
    • Communication complexity of private simultaneous messages. Every function f: [N] × [N] → {0, 1} can be securely evaluated in the non-interactive model of Feige, Kilian, and Naor (STOC 1994) with messages of length O(√N).
    • Share complexity of forbidden graph access structures. For every graph G on N nodes, there is a secret-sharing scheme for N parties in which each pair of parties can reconstruct the secret if and only if the corresponding nodes in G are connected, and where each party gets a share of size Õ(√N).
    For all of these problems, the worst-case complexity of the best previous solutions was Ω(N / log N). The above results are obtained by applying general transformations to variants of private information retrieval (PIR) protocols from the literature, where different flavors of PIR are required for different applications.