Communication Complexity and Secure Function Evaluation

A secure function evaluation protocol allows two parties to jointly compute a function f(x; y) of their inputs in a manner not leaking more information than necessary. A major result in this eld is: \any function f that can be computed using polynomial resources can be computed securely using polynomial resources" (where `resources' refers to communication and computation). This result follows by a general transformation from any circuit for f to a secure protocol that evaluates f . Although the resources used by protocols resulting from this transformation are polynomial in the circuit size, they are much higher (in general) than those required for an insecure computation of f . For the design of e cient secure protocols we suggest two new methodologies, that di er with respect to their underlying computational models. In one methodology we utilize the communication complexity tree (or branching program) representation of f . We start with an e cient (insecure) protocol for f and transform it into a secure protocol. In other words, \any function f that can be computed using communication complexity c can be can be computed securely using communication complexity that is polynomial in c and a security parameter". The second methodology uses the circuit computing f , enhanced with look-up tables as its underlying computational model. It is possible to simulate any RAM machine in this model with polylogarithmic blowup. Hence it is possible to start with a computation of f on a RAM machine and transform it into a secure protocol. We show many applications of these new methodologies resulting in protocols e cient either in communication or in computation. In particular, we exemplify a protocol for the \millionaires problem", where two participants want to compare their values but reveal no other information. Our protocol is more e cient than previously known ones in either communication or computation. A preliminary version of this paper appeared under the title Communication Preserving Protocols for Secure Function Evaluation in Proceedings of the 33rd ACM Symposium on Theory of Computing, 2001. y Work done while the author was visiting Stanford University and the IBM Almaden research center.