How to Solve any Protocol

Remark: A version identical in contents, but very diierent in form has appeared in the proceedings of the 19th STOC, pp. 218{229, 1987. This version was produced, from an old draft (dating to 1986), by automatic convertion of a old troff le into a latex le. The output was not carefully checked; hopefully, it does not contain too many typos. ABSTRACT: This extended abstract present a general theorem in the eld of fault tolerant distributed computing. Following is a simpliied description of a special case of this theorem. Loosely speaking, a protocol problem is a multi-argument function f and its solution is a multi-party fault-tolerant protocol having the following two properties: (1) Correctness: The protocol allows each party to obtain the value of the function on arguments scattered among all the parties. Namely, the local input of party P i is x i , and his local output (obtained by execution of the protocol) is f(x 1 ; x 2 ; :::; x n). (2) Privacy: Whatever a party (P i) can eeciently compute after participating in the protocol, he can also eeciently compute from his local input (x i) and his local output (i.e. i=1 x i then a solution is a protocol at the end of which each party gets the sum of the x i 's without gaining any additional knowledge as to how the residual sum is partitioned among his counterparts. Assuming the existence of secure encryption functions, it will be shown that every protocol problem has a solution with complexity polynomial in the complexity of the problem. Furthermore , we present an eecient algorithm that, on input a Turing machine description of a function, outputs an eecient solution for this problem.