Information-Theoretic Conditions for Two-Party Secure Function Evaluation

The standard security definition of unconditional secure function evaluation, which is based on the ideal/real model paradigm, has the disadvantage of being overly complicated to work with in practice. On the other hand, simpler ad-hoc definitions tailored to special scenarios have often been flawed. Motivated by this unsatisfactory situation, we give an information-theoretic security definition of two-party secure function evaluation which is very simple yet provably equivalent to the standard, simulation-based definitions. We adopt the standard stand-alone security definition based on the ideal/real model paradigm of Goldreich [2] for computationally-bounded parties, and adapt it to a model where the parties are allowed to be computationally unbounded and to use independent sources of randomness such as channels. In this setting, we can see an admissible pair of players (i.e. at least one of the two is honest) of a protocol as conditional probability distribution PUV |XY Z , i.e. for every input X = x (for player 1), Y = y (for player 2) and auxiliary input Z = z, protocol-runs with these players generate a distribution over the outputs U and V . An adversarial player 1 in the ideal model is restricted in that he can only replace his original input X by another input X ′ which he computes based on X and Z, but independently of Y . X ′ is then input into the ideal functionality and the final output U of the adversary is computed based on X, X ′, Z and U ′ (the output from the ideal functionality), but independent of the honest player’s input Y and output V . Formally, this yields the following criterion: There exist random variables X ′ and U ′ such that • I(X ′;Y | ZX) = 0, • U ′ and V are the outputs of the ideal functionality on inputs X ′, Y , • I(U ;V Y | ZXX ′U ′) = 0. Such a criterion can be analogously derived for an adversarial player 2. We prove that despite its apparent simplicity, such a characterisation of the conditional output distribution PUV |XY Z is in fact equivalent to the original security definition based on the ideal/real model paradigm. We then examine the important special case of Oblivious Transfer, and show that in this case, the resulting security requirements can be significantly simplified. We also revisit some of the information-theoretic definitions of security used in the past and point out subtle flaws that some of them contain.