
Multi-party PSM, Revisited: Improved Communication and Unbalanced Communication

Conference paper in Theory of Cryptography (TCC 2021), part of the book series Lecture Notes in Computer Science (LNSC, volume 13043).

Abstract

We improve the communication complexity in the Private Simultaneous Messages (PSM) model, which is a minimal model of non-interactive information-theoretic multi-party computation. The state-of-the-art PSM protocols were recently constructed by Beimel, Kushilevitz and Nissim (EUROCRYPT 2018).

We present new constructions of k-party PSM protocols. The new protocols match the previous upper bounds when \(k=2\) or 3 and improve the upper bounds for larger k. We also construct 2-party PSM protocols with unbalanced communication complexity. More concretely,

  • For infinitely many k (including all \(k \le 20\)), we construct k-party PSM protocols for arbitrary functionality \(f:[N]^k\rightarrow \{0,1\}\), whose communication complexity is \(O_k(N^{\frac{k-1}{2}})\). This improves the former best known upper bounds of \(O_k(N^{\frac{k}{2}})\) for \(k\ge 6\), \(O(N^{7/3})\) for \(k=5\), and \(O(N^{5/3})\) for \(k=4\).

  • For all rational \(0<\eta <1\) whose denominator is \(\le 20\), we construct 2-party PSM protocols for arbitrary functionality \(f:[N]\times [N]\rightarrow \{0,1\}\), whose communication complexity is \(O(N^\eta )\) for one party, \(O(N^{1-\eta })\) for the other. Previously the only known unbalanced 2-party PSM has communication complexity \(O(\log (N)), O(N)\).


Notes

  1. A note on the randomness complexity: The final protocol uses \(\mathbf {R}_\varOmega \) only if \(|\varOmega | \le k-1\).

  2. We implicitly exchange the order of indices in tensor product. E.g. when \(k=2\), the masked tensor \(\bar{\mathbf {X}}_{\{1,4\}}\otimes \bar{\mathbf {X}}_{\{2,3\}}\) is defined by \((\bar{\mathbf {X}}_{\{1,4\}}\otimes \bar{\mathbf {X}}_{\{2,3\}})[j_1,j_2,j_3,j_4] = \bar{\mathbf {X}}_{\{1,4\}}[j_1,j_4] \cdot \bar{\mathbf {X}}_{\{2,3\}}[j_2,j_3]\).

  3. The source code can be downloaded from https://github.com/tianren/psm.

References

  1. Applebaum, B., Arkis, B.: On the power of amortization in secret sharing: d-uniform secret sharing and CDS with constant information rate. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018, Part I. LNCS, vol. 11239, pp. 317–344. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03807-6_12


  2. Applebaum, B., Arkis, B., Raykov, P., Vasudevan, P.N.: Conditional disclosure of secrets: amplification, closure, amortization, lower-bounds, and separations. Electronic Colloquium on Computational Complexity (ECCC) 24, 38 (2017). https://eccc.weizmann.ac.il/report/2017/038

  3. Applebaum, B., Beimel, A., Farràs, O., Nir, O., Peter, N.: Secret-sharing schemes for general and uniform access structures. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part III. LNCS, vol. 11478, pp. 441–471. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_15


  4. Applebaum, B., Holenstein, T., Mishra, M., Shayevitz, O.: The communication complexity of private simultaneous messages, revisited. J. Cryptol. 33(3), 917–953 (2020)


  5. Ball, M., Holmgren, J., Ishai, Y., Liu, T., Malkin, T.: On the complexity of decomposable randomized encodings, or: how friendly can a garbling-friendly PRF be? In: Vidick, T. (ed.) 11th Innovations in Theoretical Computer Science Conference, ITCS 2020, Seattle, Washington, USA, 12–14 January 2020. LIPIcs, vol. 151, pp. 86:1–86:22. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2020). https://doi.org/10.4230/LIPIcs.ITCS.2020.86

  6. Beimel, A., Ishai, Y., Kumaresan, R., Kushilevitz, E.: On the cryptographic complexity of the worst functions. In: TCC, pp. 317–342 (2014)


  7. Beimel, A., Ishai, Y., Kushilevitz, E.: Ad hoc PSM protocols: secure computation without coordination. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 580–608. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_20


  8. Beimel, A., Kushilevitz, E., Nissim, P.: The complexity of multiparty PSM protocols and related models. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 287–318. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_10


  9. Ciampi, M., Goyal, V., Ostrovsky, R.: Threshold garbled circuits and ad hoc secure computation. Cryptology ePrint Archive, Report 2021/308 (2021). https://eprint.iacr.org/2021/308

  10. Feige, U., Kilian, J., Naor, M.: A minimal model for secure computation (extended abstract). In: Leighton, F.T., Goodrich, M.T. (eds.) Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, 23–25 May 1994, Montréal, Québec, Canada, pp. 554–563. ACM (1994). https://doi.org/10.1145/195058.195408

  11. Gay, R., Kerenidis, I., Wee, H.: Communication complexity of conditional disclosure of secrets and attribute-based encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 485–502. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_24


  12. Ishai, Y., Kushilevitz, E.: Private simultaneous messages protocols with applications. In: Fifth Israel Symposium on Theory of Computing and Systems, ISTCS 1997, Ramat-Gan, Israel, 17–19 June 1997, Proceedings, pp. 174–184. IEEE Computer Society (1997). https://doi.org/10.1109/ISTCS.1997.595170

  13. Ishai, Y., Kushilevitz, E.: Randomizing polynomials: a new representation with applications to round-efficient secure computation. In: 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, 12–14 November 2000, Redondo Beach, California, USA, pp. 294–304. IEEE Computer Society (2000). https://doi.org/10.1109/SFCS.2000.892118

  14. Liu, T., Vaikuntanathan, V., Wee, H.: Conditional disclosure of secrets via non-linear reconstruction. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 758–790. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_25



Acknowledgements

We would like to thank Hoeteck Wee, Vinod Vaikuntanathan and Michel Abdalla for helpful discussions. TL was supported by NSF grants CNS-1528178, CNS-1929901, CNS-1936825 (CAREER), CNS-2026774, a JP Morgan AI research Award, and a Simons Foundation Collaboration Grant on Algorithmic Fairness. Part of this work was performed while TL was at MIT, during which he was supported in part by NSF Grants CNS-1350619, CNS-1414119 and CNS-1718161, an MIT-IBM grant and a DARPA Young Faculty Award. LA was supported by a doctoral grant from the French Ministère de l’Enseignement Supérieur et de la Recherche.

Author information

Corresponding author: Tianren Liu.

Appendices

A Proof of Eq. (9) and (10)

Proof

(Proof of Eq. (9)). By definition:

figure p

where \((*)\) denotes “for all unordered \(E = \{S_1, \ldots , S_t\}\) being a partition of [2k] such that \(\{|S_1|, \ldots ,|S_t|\} = P\)”. Thus,

figure q

where \(\beta (P,G)\) accounts for the redundancy: define \(\beta (P,G)\) as the number of unordered partitions E of [2k] such that \(G\subseteq E\) and P is the shape of E. It is equivalent to count the number of \(F \mathrel {:=}E \setminus G\). That is, \(\beta (P,G)\) also equals the number of unordered partitions F of such that Q is the shape of F. Thus by definition, \(\beta (P,G) = \alpha (Q)\). The proof is concluded by

figure r

   \(\square \)

Proof

(Proof of Eq. (10)). Let \(n = {\text {sum}}(Q)\). By definition, \(\alpha (Q)\) is the number of unsorted partitions \(E = \{S_1,\dots ,S_t\}\) of [n] such that the multiset \(\{|S_1|,\dots ,|S_t|\}\) (i.e. the shape of E) equals Q.

To compute \(\alpha (Q)\), we count the number of ways of arranging \(1,\dots ,n\) into a sequence.

  • First, pick an unsorted partition E of [n] s.t. the shape of E equals Q. The number of choices is \(\alpha (Q)\).

  • Then, sort the sets in the partition \(E = \{S_1,\dots ,S_t\}\). Sort them by their sizes, i.e. \(|S_1| \le |S_2| \le \dots \le |S_t|\). For any m, if several sets are of size m, their order has to be specified; the number of such choices is .

  • Finally, arrange the elements in each \(S_i\) into a sub-sequence, the number of possible sequences is \(|S_i|!\). Concatenate these sub-sequences in order.

   \(\square \)
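A brute-force check of the counting argument for Eq. (10), as an added example that is not part of the paper or its source code: it enumerates the unordered partitions of [n] with shape Q directly and compares the count with the closed form obtained by dividing n! by the counts of the second and third steps above. The third step contributes \(|S_i|!\) per set; the number the page gives for the second step is missing here, and this example reads it as \(c_m!\) for the \(c_m\) sets of size m (the orderings of equal-size sets), which is an assumption of the example. Function names are the example's own.

```python
"""Brute-force check of alpha(Q) against the closed form (added example)."""
from collections import Counter
from math import factorial


def set_partitions(elems):
    """Yield every unordered partition of the list elems as a list of blocks."""
    if not elems:
        yield []
        return
    first, rest = elems[0], elems[1:]
    for part in set_partitions(rest):
        for i in range(len(part)):           # put `first` into an existing block
            yield part[:i] + [[first] + part[i]] + part[i + 1:]
        yield [[first]] + part               # or open a new block for it


def alpha_brute(Q):
    """alpha(Q) by enumeration: partitions of [n], n = sum(Q), whose shape is Q."""
    n, target = sum(Q), sorted(Q)
    return sum(1 for part in set_partitions(list(range(1, n + 1)))
               if sorted(len(S) for S in part) == target)


def alpha_formula(Q):
    """n! divided by the counts of the proof's second and third steps:
    c_m! orderings of the c_m sets of size m (assumed reading of step two)
    and |S_i|! orderings of the elements inside each set S_i."""
    denom = 1
    for size, mult in Counter(Q).items():
        denom *= factorial(mult) * factorial(size) ** mult
    return factorial(sum(Q)) // denom


def check(Q):
    """True iff enumeration and closed form agree on the multiset Q."""
    return alpha_brute(Q) == alpha_formula(Q)
```

Q is passed as a list of set sizes; for instance Q = [2, 2] asks for the perfect matchings of four elements, of which there are three.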

B Auxiliary PSM Protocols for \(\langle \mathbf {x}_1 \otimes \ldots \otimes \mathbf {x}_k, \mathbf {Y} \rangle + s\)

B.1 The Multi-party Variant

In this section, we present an auxiliary PSM protocol that is used as a subroutine by our multi-party PSM in Sect. 3.

The functionality is \(\langle \mathbf {x}_1 \otimes \ldots \otimes \mathbf {x}_k, \mathbf {Y} \rangle + s\). It is a \((k+1)\)-party functionality where the i-th party has as input \(\mathbf {x}_i\in \mathbb F^N\) for \(i\in [k]\), and the \((k+1)\)-th party has as inputs \(\mathbf {Y}\in \mathbb F^{\smash {\underset{k \text { times}}{N \times \dots \times N}}}\) and \(s\in \mathbb F\). We will present a PSM protocol for this functionality with a communication complexity of \(O(\mathop {{\text {poly}}}(k) \cdot N^k)\) field elements. This protocol is implicitly used in [8].

First, we consider the special case when \(k=1\). That is, there are only two parties. Say we call them Alice and Bob. Alice has \(\mathbf {x}\in \mathbb F^N\), Bob has \(\mathbf {y}\in \mathbb F^N, s\in \mathbb F\). The functionality output is \(\langle \mathbf {x},\mathbf {y} \rangle + s\). The PSM protocol works as follows:

  • Random \(\mathbf {a}, \mathbf {b}\in \mathbb F^{N}, c\in \mathbb F\) are sampled from the common random string, which is known by both Alice and Bob.

  • Alice sends to the referee.

  • Bob sends to the referee.

  • The referee outputs .

For the case \(k \ge 2\), the first k parties need to jointly emulate Alice. The protocol works as follows:

  • Random \(\mathbf {A}, \mathbf {B},\mathbf {C}\in \mathbb F^{N \times \dots \times N}\) are sampled from the common random string. Define \(c\in \mathbb F\) as the sum of entries in \(\mathbf {C}\).

  • The \((k+1)\)-th party sends to the referee.

  • The first k parties jointly reveal , \(w \mathrel {:=}c - \langle \mathbf {B},\mathbf {x}_1 \otimes \ldots \otimes \mathbf {x}_k \rangle \) to the referee. Since every coordinate of \(\bar{\mathbf {X}}\) can be computed by an arithmetic formula of size O(k), each of these coordinates can be computed by the referee by using a PSM protocol with communication complexity of \(O(\mathop {{\text {poly}}}(k))\) field elements [13]. The referee learns \(\bar{\mathbf {X}}\) after receiving \(O(\mathop {{\text {poly}}}(k) \cdot N^k)\) field elements. The term \(w \mathrel {:=}c - \langle \mathbf {B},\mathbf {x}_1 \otimes \ldots \otimes \mathbf {x}_k \rangle \) equals the sum of all entries in \(\mathbf {W}\mathrel {:=}\mathbf {C}- \mathbf {B}\circ _\text {p.w.} (\mathbf {x}_1 \otimes \ldots \otimes \mathbf {x}_k)\), where \(\circ _\text {p.w.}\) denotes the point-wise product. In other words, we define \(\mathbf {W}\in \mathbb F^{N\times \dots \times N}\) as

    $$\begin{aligned} \mathbf {W}[i_1,\dots ,i_k] = \mathbf {C}[i_1,\dots ,i_k] - \mathbf {B}[i_1,\dots ,i_k] \mathbf {x}_1[i_1] \dots \mathbf {x}_k[i_k]. \end{aligned}$$

    Due to the randomness of \(\mathbf {C}\), we know \(\mathbf {W}\) is a randomized encoding of w. Thus, it is equivalent for the first k parties to jointly reveal \(\mathbf {W}\) to the referee. Since every coordinate of \(\mathbf {W}\) can be computed by an arithmetic formula of size O(k), each of them can be revealed by using the Ishai-Kushilevitz PSM protocol [13], which has a communication complexity of \(O(\mathop {{\text {poly}}}(k))\) field elements. The referee learns w after receiving \(O(\mathop {{\text {poly}}}(k) \cdot N^k)\) field elements.

  • The referee outputs \(\langle \bar{\mathbf {X}}, \bar{\mathbf {Y}} \rangle + z + w\).

The correctness of the protocol can be verified in the following equation:

figure s

The privacy is guaranteed by the following simulator:

  • Simulate \(\bar{\mathbf {X}}, \bar{\mathbf {Y}}, \mathbf {W}\) as uniform random, since they are one-time-padded by \(\mathbf {A},\mathbf {B},\mathbf {C}\).

  • Given \(\bar{\mathbf {X}}, \bar{\mathbf {Y}}, \mathbf {W}\) and the function output, w and z are uniquely determined since \(w=\sum (\mathbf {W})\) and \(\langle \bar{\mathbf {X}}, \bar{\mathbf {Y}} \rangle + z + w = \text {output}\).

  • Simulate the transcripts of the inner Ishai-Kushilevitz PSM protocols using its own simulator, which takes \(\bar{\mathbf {X}},\mathbf {W}\) as input.
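The protocol above, instantiated over a prime field for k = 1 and for k = 2, as an added example that is not part of the paper or its source code. The page gives the referee's output \(\langle \bar{\mathbf {X}}, \bar{\mathbf {Y}} \rangle + z + w\), the definition of w, and the fact that \(\bar{\mathbf {X}}, \bar{\mathbf {Y}}, \mathbf {W}\) are one-time padded by \(\mathbf {A}, \mathbf {B}, \mathbf {C}\); the exact messages are not on the page, so the assignment used here (\(\bar{\mathbf {X}} = \mathbf {X} + \mathbf {A}\), \(\bar{\mathbf {Y}} = \mathbf {Y} + \mathbf {B}\), \(z = s - \langle \mathbf {A},\mathbf {Y} \rangle - \langle \mathbf {A},\mathbf {B} \rangle - c\)) is one reconstruction consistent with those facts and is an assumption of the example, as is the choice \(\mathbb F = \mathbb F_p\). For k = 2 the Ishai-Kushilevitz sub-protocol is replaced by the k = 1 protocol run on length-1 vectors, which suffices because each coordinate of \(\bar{\mathbf {X}}\) and \(\mathbf {W}\) is then \(\mathbf {x}_1[i]\,\mathbf {x}_2[j]\) times a CRS constant plus a CRS constant. Function names are the example's own.

```python
"""Appendix B.1 protocol over F_p for k = 1 and k = 2 (added example, see lead-in)."""
import secrets
from itertools import product

P = 2**61 - 1  # the field F = F_p is an assumption of this example


def rand_vec(n):
    return [secrets.randbelow(P) for _ in range(n)]


def inner(u, v):
    return sum(a * b for a, b in zip(u, v)) % P


def tensor(vecs):
    """x_1 (x) ... (x) x_k as a flat row-major list with N^k entries."""
    out = []
    for idx in product(*(range(len(v)) for v in vecs)):
        t = 1
        for v, i in zip(vecs, idx):
            t = t * v[i] % P
        out.append(t)
    return out


# k = 1: Alice holds x, Bob holds (y, s), CRS = (a, b, c).  Message assignment
# (reconstructed, assumed): xbar = x + a, w = c - <b, x>, ybar = y + b,
# z = s - <a, y> - <a, b> - c; the referee outputs <xbar, ybar> + z + w.
def crs_2party(n):
    return rand_vec(n), rand_vec(n), secrets.randbelow(P)


def alice_msg(x, crs):
    a, b, c = crs
    xbar = [(xi + ai) % P for xi, ai in zip(x, a)]  # x one-time padded by a
    return xbar, (c - inner(b, x)) % P


def bob_msg(y, s, crs):
    a, b, c = crs
    ybar = [(yi + bi) % P for yi, bi in zip(y, b)]  # y one-time padded by b
    return ybar, (s - inner(a, y) - inner(a, b) - c) % P  # cancels cross terms


def referee(xbar, w, ybar, z):
    return (inner(xbar, ybar) + z + w) % P


def run_2party(x, y, s):
    crs = crs_2party(len(x))
    return referee(*alice_msg(x, crs), *bob_msg(y, s, crs))


def simulate_2party(output, n):
    """The page's simulator: padded values are uniform, z is then forced."""
    xbar, ybar, w = rand_vec(n), rand_vec(n), secrets.randbelow(P)
    return xbar, w, ybar, (output - inner(xbar, ybar) - w) % P


# k = 2: P1 holds x1, P2 holds x2, P3 holds (Y, s).  Each coordinate of
# Xbar = X + A and W = C - B (p.w.) X is revealed by running the k = 1
# protocol on length-1 vectors with a fresh CRS per coordinate (simplification).
def crs_3party(n):
    m = n * n
    return {"A": rand_vec(m), "B": rand_vec(m), "C": rand_vec(m),
            "inner": [(crs_2party(1), crs_2party(1)) for _ in range(m)]}


def party3_msg(Y, s, crs):
    A, B, C = crs["A"], crs["B"], crs["C"]
    ybar = [(yi + bi) % P for yi, bi in zip(Y, B)]
    return ybar, (s - inner(A, Y) - inner(A, B) - sum(C)) % P  # c = sum(C)


def party1_msgs(x1, n, crs):
    out = []
    for j, (crs_x, crs_w) in enumerate(crs["inner"]):
        x = x1[j // n]
        out.append((alice_msg([x], crs_x),                        # for Xbar[j]
                    alice_msg([(-crs["B"][j] * x) % P], crs_w)))  # for W[j]
    return out


def party2_msgs(x2, n, crs):
    out = []
    for j, (crs_x, crs_w) in enumerate(crs["inner"]):
        x = x2[j % n]
        out.append((bob_msg([x], crs["A"][j], crs_x),   # Xbar[j] = X[j] + A[j]
                    bob_msg([x], crs["C"][j], crs_w)))  # W[j] = C[j] - B[j]X[j]
    return out


def referee_3party(m1, m2, ybar, z):
    xbar = [referee(*ax, *bx) for (ax, _), (bx, _) in zip(m1, m2)]
    W = [referee(*aw, *bw) for (_, aw), (_, bw) in zip(m1, m2)]
    return (inner(xbar, ybar) + z + sum(W)) % P   # w = sum of the entries of W


def run_3party(x1, x2, Y, s):
    n, crs = len(x1), crs_3party(len(x1))
    ybar, z = party3_msg(Y, s, crs)
    return referee_3party(party1_msgs(x1, n, crs), party2_msgs(x2, n, crs), ybar, z)
```

run_2party and run_3party execute one protocol run end to end and return the referee's output; simulate_2party builds a transcript from the output alone that the referee decodes to the same value, which is the shape of the privacy argument above (it exercises the simulator, it does not test indistinguishability, which is a statement about distributions). The per-coordinate CRS in crs_3party is what makes the inner runs independent, so the referee learns each coordinate of \(\bar{\mathbf {X}}\) and \(\mathbf {W}\) and nothing else about \(\mathbf {x}_1, \mathbf {x}_2\).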

B.2 The 2-party Variant

In this section, we present an auxiliary PSM protocol that is used as a subroutine by our unbalanced 2-party PSM in Sect. 4.

The functionality is \(\langle \mathbf {x}_1 \otimes \ldots \otimes \mathbf {x}_k, \mathbf {Y} \rangle + s\). It is a 2-party functionality where the first party, namely Alice, has as inputs \(\mathbf {x}_1,\ldots ,\mathbf {x}_k\in \mathbb F^N\) and the second party, namely Bob, has as inputs \(\mathbf {Y}\in \mathbb F^{\smash {\underset{k \text { times}}{N \times \dots \times N}}}\) and \(s\in \mathbb F\). We will present a PSM protocol for this functionality with unbalanced communication complexity, where Alice sends O(kN) field elements and Bob sends \((N+1)^k\) field elements.

As the first step, we consider a harder problem instead. Bob’s input is replaced by a multi-affine function \(f:\mathbb F^N \times \dots \times \mathbb F^N \rightarrow \mathbb F\). Correspondingly, the functionality is replaced by \(f(\mathbf {x}_1,\ldots ,\mathbf {x}_k)\). Every multi-affine function f can be uniquely represented by its coefficient tensor \(\mathbf {F}\in \mathbb F^{(N+1)\times \dots \times (N+1)}\) such that for any \(\mathbf {z}_1,\ldots ,\mathbf {z}_k\in \mathbb F^N\),

$$ f(\mathbf {z}_1,\dots ,\mathbf {z}_k) = \langle (\mathbf {z}_1 \Vert 1) \otimes \dots \otimes (\mathbf {z}_k\Vert 1), \mathbf {F} \rangle . $$

Here \(\mathbf {z}_i \Vert 1\) denotes the concatenation of \(\mathbf {z}_i\) and 1, which is a dimension-\((N+1)\) vector. Notice that, if we let the “first” \(N \times \dots \times N\) subtensor of \(\mathbf {F}\) equal \(\mathbf {Y}\), let its “last” entry \(\mathbf {F}[N+1,\dots ,N+1] = s\), and let all other entries in \(\mathbf {F}\) be 0, we have

$$ f(\mathbf {x}_1,\dots ,\mathbf {x}_k) = \langle (\mathbf {x}_1 \Vert 1) \otimes \dots \otimes (\mathbf {x}_k\Vert 1), \mathbf {F} \rangle = \langle \mathbf {x}_1 \otimes \ldots \otimes \mathbf {x}_k, \mathbf {Y} \rangle + s. $$

The protocol works as follows:

  • Random \(\mathbf {r}_1, \dots , \mathbf {r}_k\in \mathbb F^N\) and a random multi-affine function h are sampled from the common random string.

  • Alice sends to the referee, for all \(i\in [k]\).

  • Bob computes the multi-affine function g, such that

    $$ g(\mathbf {z}_1, \dots , \mathbf {z}_k) \mathrel {:=}f(\mathbf {z}_1 - \mathbf {r}_1, \dots , \mathbf {z}_k - \mathbf {r}_k). $$

    Bob sends \(\bar{g} = g + h\) to the referee.

  • Alice additionally sends to the referee.

  • The referee outputs .

The correctness follows directly from the following equation:

figure t

The privacy is guaranteed by the following simulator:

  • Simulate as uniform random, since they are one-time padded by \(\mathbf {r}_1, \dots , \mathbf {r}_k, h\).

  • Given and the function output, simulate s by computing s from the equation .
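The unbalanced protocol above over a prime field, as an added example that is not part of the paper or its source code. The page states that Bob sends \(\bar{g} = g + h\) with \(g(\mathbf {z}) := f(\mathbf {z} - \mathbf {r})\) and that Alice's messages are one-time padded by \(\mathbf {r}_1,\dots ,\mathbf {r}_k\) and h; Alice's messages themselves are not on the page, so the choice here (\(\bar{\mathbf {x}}_i = \mathbf {x}_i + \mathbf {r}_i\), then the single element \(h(\bar{\mathbf {x}}_1,\dots ,\bar{\mathbf {x}}_k)\), with the referee outputting \(\bar{g}(\bar{\mathbf {x}}) - h(\bar{\mathbf {x}})\)) is a reconstruction consistent with the stated simulator and an assumption of the example, as is \(\mathbb F = \mathbb F_p\). The part a practitioner would want to see is Bob's side: computing the coefficient tensor of g from that of f, which is done mode by mode using the \(\mathbf {z}_i \Vert 1\) representation. Multi-affine functions are stored as dictionaries from index tuples to coefficients, where index N in position i selects the constant slot; function names are the example's own.

```python
"""Appendix B.2 unbalanced 2-party PSM over F_p (added example, see lead-in)."""
import secrets
from itertools import product

P = 2**61 - 1  # the field F = F_p is an assumption of this example
# A multi-affine f is a dict {(j_1, ..., j_k): coeff}: j_i < N selects z_i[j_i],
# j_i == N selects the constant slot "1" of z_i || 1.


def rand_vec(n):
    return [secrets.randbelow(P) for _ in range(n)]


def rand_poly(n, k):
    """A uniformly random multi-affine function: all (N+1)^k coefficients random."""
    return {key: secrets.randbelow(P) for key in product(range(n + 1), repeat=k)}


def evaluate(poly, zs):
    total = 0
    for key, coeff in poly.items():
        term = coeff
        for z, j in zip(zs, key):
            if j < len(z):            # j == len(z) is the constant slot
                term = term * z[j] % P
        total = (total + term) % P
    return total


def shift(poly, rs):
    """Coefficients of g(z) = f(z - r).  Substituting z_i[a] -> z_i[a] - r_i[a]
    sends each term with index a in mode i to itself plus -r_i[a] times the
    same term with the constant slot in mode i; modes commute, so apply in turn."""
    n = len(rs[0])
    g = dict(poly)
    for i, r in enumerate(rs):
        for key, coeff in list(g.items()):
            if key[i] == n:
                continue
            tgt = key[:i] + (n,) + key[i + 1:]
            g[tgt] = (g.get(tgt, 0) - r[key[i]] * coeff) % P
    return g


def add(p, q):
    return {key: (p.get(key, 0) + q.get(key, 0)) % P for key in set(p) | set(q)}


def crs(n, k):
    return [rand_vec(n) for _ in range(k)], rand_poly(n, k)   # r_1..r_k and h


def alice_msg(xs, crs_):
    rs, h = crs_
    xbars = [[(xi + ri) % P for xi, ri in zip(x, r)] for x, r in zip(xs, rs)]
    return xbars, evaluate(h, xbars)        # k*N + 1 field elements in total


def bob_msg(f, crs_):
    rs, h = crs_
    return add(shift(f, rs), h)             # gbar = g + h: (N+1)^k field elements


def referee(xbars, hval, gbar):
    return (evaluate(gbar, xbars) - hval) % P   # g(xbar) = f(xbar - r) = f(x)


def embed(Y, s, n):
    """f(x) = <x_1 (x) x_2, Y> + s as a coefficient tensor for k = 2, as on the page."""
    f = {(a, b): Y[a * n + b] % P for a in range(n) for b in range(n)}
    f[(n, n)] = s % P
    return f


def run(xs, f):
    c = crs(len(xs[0]), len(xs))
    xbars, hval = alice_msg(xs, c)
    return referee(xbars, hval, bob_msg(f, c))
```

The message sizes follow from the representation: Alice sends k vectors of length N plus one field element, Bob sends the \((N+1)^k\) coefficients of \(\bar{g}\). The shift routine is where the work is concentrated, and it is worth checking separately that \(g(\mathbf {z}) = f(\mathbf {z} - \mathbf {r})\) holds at random points before trusting an end-to-end run.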


Copyright information

© 2021 International Association for Cryptologic Research

About this paper


Cite this paper

Assouline, L., Liu, T. (2021). Multi-party PSM, Revisited: Improved Communication and Unbalanced Communication. In: Nissim, K., Waters, B. (eds) Theory of Cryptography. TCC 2021. Lecture Notes in Computer Science, vol 13043. Springer, Cham. https://doi.org/10.1007/978-3-030-90453-1_7


  • DOI: https://doi.org/10.1007/978-3-030-90453-1_7


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-90452-4

  • Online ISBN: 978-3-030-90453-1

  • eBook Packages: Computer Science (R0)
