Complete Fairness in Secure Two-Party Computation
Journal of the ACM
In the setting of secure two-party computation, two mutually distrusting parties wish to compute some function of their inputs while preserving, to the extent possible, various security properties such as privacy, correctness, and more. One desirable property is fairness which guarantees, informally, that if one party receives its output, then the other party does too. Cleve (STOC 1986) showed that complete fairness cannot be achieved in general without an honest majority. Since then, the
... ed folklore has been that nothing non-trivial can be computed with complete fairness in the two-party setting, and the problem has been treated as closed since the late '80s. In this paper, we demonstrate that this folklore belief is false by showing completely-fair protocols for various non-trivial functions in the two-party setting based on standard cryptographic assumptions. We first show feasibility of obtaining complete fairness when computing any function over polynomial-size domains that does not contain an "embedded XOR"; this class of functions includes boolean AND/OR as well as Yao's "millionaires' problem". We also demonstrate feasibility for certain functions that do contain an embedded XOR, and prove a lower bound showing that any completely-fair protocol for such functions must have round complexity super-logarithmic in the security parameter. Our results demonstrate that the question of completely-fair secure computation without an honest majority is far from closed.

Theorem. Let f be a two-input function defined over polynomial-size domains that does not contain an embedded XOR. Then, under suitable cryptographic assumptions, there exists a protocol for securely computing f with complete fairness.

This result is described in Section 3. The round complexity of our protocol in this case is linear in the domain size, explaining the restriction that the domains be of polynomial size. Examples of functions without an embedded XOR include boolean OR and AND, as well as Yao's "millionaires' problem" (i.e., the greater than function). We remark that even "simple" functions such as OR/AND are non-trivial in the context of secure two-party computation since they cannot be computed with information-theoretic privacy and are in fact complete for two-party secure computation (with abort).

Recall that Cleve's result rules out completely-fair computation of boolean XOR. Given this and the fact that our first protocol applies only to functions without an embedded XOR, a natural conjecture is that the presence of an embedded XOR serves as a barrier to completely-fair computation of a given function. Our next result shows that this conjecture is false:

Theorem. (Under suitable cryptographic assumptions) there exist two-party functions containing an embedded XOR that can be securely computed with complete fairness.

This result is described in Section 4. The round complexity of the protocol proving our second result is super-logarithmic in the security parameter. We show that this is, in fact, inherent:

Theorem. Let f be a two-party function containing an embedded XOR. Then any protocol securely computing f with complete fairness (assuming one exists) requires ω(log n) rounds.

Our proof of the above is reminiscent of Cleve's proof, except that Cleve only needed to consider bias whereas we must jointly consider both bias and privacy (since, for certain functions containing an embedded XOR, it may be possible for an adversary to bias the output even in the ideal world). This makes the proof considerably more complex.

Related Work

Questions of fairness have been studied since the early days of secure computation [33, 17, 4, 21]. Previous work has been dedicated to achieving various relaxations of fairness (i.e., "partial fairness"), both for the case of specific functionalities like coin tossing [12, 13, 29] and contract signing/exchanging secrets [7, 27, 15, 5, 14], as well as for the case of general functionalities [33, 17, 4, 21, 16, 8, 30, 18, 23]. While relevant, such work is tangential to our own: here, rather than try to achieve partial fairness for all functionalities, we are interested in obtaining complete fairness and then set out to determine for which functionalities this is possible.
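
The theorems above classify functions by whether they contain an embedded XOR. As an added example (not code from the paper), the following Python check searches a function's truth table for one, assuming the usual definition, which this page does not spell out: inputs x0, x1, y0, y1 with f(x0,y0) = f(x1,y1) ≠ f(x0,y1) = f(x1,y0). The function names and the 3x2 table are constructed for illustration.

```python
from itertools import combinations


def find_embedded_xor(table):
    """Return row/column indices (x0, x1, y0, y1) witnessing an embedded XOR,
    or None if the function has none.

    table[x][y] holds f(x, y). Assumed definition (not stated on the page):
    f(x0,y0) == f(x1,y1) != f(x0,y1) == f(x1,y0).
    """
    rows = range(len(table))
    cols = range(len(table[0]))
    # The condition is symmetric under swapping x0/x1 or y0/y1, so checking
    # unordered pairs of rows and columns covers every 2x2 minor.
    for x0, x1 in combinations(rows, 2):
        for y0, y1 in combinations(cols, 2):
            a, b = table[x0][y0], table[x0][y1]
            c, d = table[x1][y0], table[x1][y1]
            if a == d and b == c and a != b:
                return (x0, x1, y0, y1)
    return None


def truth_table(f, xs, ys):
    """Tabulate f over the (polynomial-size) domains xs and ys."""
    return [[f(x, y) for y in ys] for x in xs]


BITS = [0, 1]
AND = truth_table(lambda x, y: x & y, BITS, BITS)
OR = truth_table(lambda x, y: x | y, BITS, BITS)
XOR = truth_table(lambda x, y: x ^ y, BITS, BITS)
# Millionaires' problem (greater-than) over an 8-element domain.
GT = truth_table(lambda x, y: int(x > y), range(8), range(8))
# Constructed 3x2 table: not XOR itself, but its first two rows form one.
CONSTRUCTED = [[0, 1],
               [1, 0],
               [1, 1]]

if __name__ == "__main__":
    for name, t in [("AND", AND), ("OR", OR), ("GT", GT),
                    ("XOR", XOR), ("CONSTRUCTED", CONSTRUCTED)]:
        witness = find_embedded_xor(t)
        print(f"{name:12s} embedded XOR: {witness if witness else 'none'}")
```

Functions reported as having no embedded XOR fall under the first theorem; a reported witness means only the second theorem and the ω(log n) round lower bound are relevant.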