
Security Analysis of the Protocol

A two-party computation is secure with complete fairness if the view of the adversary in the real protocol is computationally indistinguishable from the view in the ideal model of computation. The view consists of the outputs of both parties.

This is formalized by first considering an ideal model of computing the same function f. In the ideal model, there is a trusted third party TP, which is trusted by both parties and is incorruptible. The two parties send their inputs x and y to the trusted third party in a secure way. The trusted third party computes the function f on their inputs x and y. Finally, the trusted party sends to each party the value of the function f on inputs x and y.

A protocol π is said to securely compute f with complete fairness if for every non-uniform probabilistic polynomial-time adversary A in the real model, there exists a non-uniform probabilistic polynomial-time adversary S in the ideal model such that the view of the adversary in the real execution of the protocol is computationally indistinguishable from the view in the ideal implementation:

$$\{\mathrm{IDEAL}_{f,S(z)}(x, y)\}_{(x,y)\in X\times Y,\ z\in\{0,1\}} \stackrel{c}{\equiv} \{\mathrm{REAL}_{\pi,A(z)}(x, y)\}_{(x,y)\in X\times Y,\ z\in\{0,1\}}$$

In the set disjointness problem, Phase 1 is the same as Phase 1 of our protocol.

Phase 2 of the ideal model can be described in Figure 4.2.

It is reasonable to assume that the ideal model computes the set disjointness problem securely with complete fairness.

for i = 1, 2, . . . , n do

0 otherwise. , and sends c to Alice and Bob;

if c = 1 then

Figure 4.2: Phase 2 of the Ideal Model for Complete Fairness Secure Computation of Set Disjointness

As in the real world model, we require that one party output 1 whenever the other party aborts the protocol in any iteration.

Theorem 2 Our first protocol securely computes the set disjointness problem with complete fairness.

Proof. Let A be an adversary in our protocol who can learn the value of f(A, B) and, at the same time, can prevent the other party from learning it, with non-negligible probability. We show that our protocol computes the set disjointness problem with complete fairness by showing that if there is such an adversary A in our protocol, then there is an adversary S corrupting the same party in the ideal model. In the ideal model, the adversary S can also learn the value of f(A, B) and, at the same time, can prevent the other party from learning it, with non-negligible probability.

First, let Alice be the adversary A in our protocol. The adversary A is also called the real world adversary. We construct an ideal world adversary S given black-box access to A. A sketch diagram of the construction is given in Figure 4.3.

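[Diagram: S runs A (in the role of $\widetilde{\text{Alice}}$) against a simulated $\widetilde{\text{Bob}}$, and communicates with TP, which in turn communicates with Bob.]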

Figure 4.3: Construct an adversary S from adversary A corrupting Alice

Note that, in Figure 4.3, we use "$\widetilde{\text{Bob}}$" and "Bob" to distinguish the two different parties in different models. "$\widetilde{\text{Bob}}$" is in the real world model, and "Bob" is in the ideal model.

The detailed construction of S from A is given as follows.

1. S invokes A on input the set A.

2. If A aborts in Phase 1, then S outputs whatever A outputs, and halts.

Otherwise, S proceeds to Phase 2 as below.

3. To simulate each iteration i = 1, 2, ..., n and j = 1, 2, ..., m:

(a) If A aborts, then S sends $b^{(2)}_j$ to TP, outputs whatever A outputs, and halts.

(b) If A does not abort and uses $x_i$ to compare with $\widetilde{\text{Bob}}$'s element in the protocol, S sends $x_i$ to TP and obtains $c_i$ from TP.

(c) If $c_i = 1$, then S uses $x_i$ to compare with $\widetilde{\text{Bob}}$'s element. Otherwise ($c_i = 0$), S chooses a random integer $x'_j \neq x_i$ and uses $x'_j$ to compare with $\widetilde{\text{Bob}}$'s element.

We analyze the adversary S described above. Let A denote the input of Alice.

The view of A in an execution with S is identical to its view in a real world execution with $\widetilde{\text{Bob}}$. The only difference is that the element sent by S is a random integer $x'_j$ instead of $b^{(2)}_j$. This does not affect the view of A, since the equality test used in the protocol is secure and the comparison result is the same whether $x'_j$ or $a^{(2)}_j$ is used. Hence, what is left to prove is that the joint distribution of A's view and Alice's output is identical in the real world and the ideal world. We show this by separately considering different cases:

1. S sends nothing to the trusted third party because A aborted the protocol in Phase 1. Neither party produces an output in the real world model or in the ideal world model.

2. A aborts the protocol for some i, 1 ≤ i ≤ n. In the real world, Bob would assume that Alice knows the intersection is not empty and then output 1. In the ideal world, Bob would also output 1, because S sends $b^{(2)}_j$ to TP at this round, or he already knows the value of f(A, B) from the previous iteration.

3. If A does not abort the protocol, and the protocol ends normally, then both parties output f(A, B), in the real world model and in the ideal world model.

Based on the above argument, we conclude that the joint distribution of A’s view and Alice’s output is identical in the real world and the ideal world.
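A toy model of the simulation argument for a corrupted Alice, added here as an illustration and not taken from the original text: S reproduces A's view using only the bit $c_i$ returned by TP, and Bob's output matches in both worlds. Assumptions: TP answers each $x_i$ with a membership bit (Figure 4.2 is incomplete on this page), the secure equality test is modelled as a plain comparison, the inner loop over j is collapsed to one result per $x_i$, and all names are hypothetical.

```python
import secrets
ABORT = object()  # sentinel the black-box adversary returns to abort

class TrustedParty:
    """Ideal-model TP holding Bob's set (per-element answer is an assumption)."""
    def __init__(self, bob_set):
        self.bob_set, self.bob_output = set(bob_set), 0
    def query(self, x):
        c = 1 if x in self.bob_set else 0
        self.bob_output |= c          # Bob also receives c
        return c
    def abort(self):
        self.bob_output = 1           # the other party outputs 1 on abort

def equality_test(a, b):  # stand-in for the secure test: reveals only equal / not equal
    return a == b

def real_execution(adversary, bob_set):
    """A (as Alice) against the real Bob; the j-loop is collapsed per x_i."""
    view, bob_output = [], 0
    while True:
        x = adversary(tuple(view))
        if x is None:                 # A has no more elements: normal end
            return view, bob_output
        if x is ABORT:
            return view, 1
        hit = any(equality_test(x, b) for b in bob_set)
        bob_output |= int(hit)
        view.append(hit)

def ideal_execution(adversary, tp):
    """S with black-box access to A; S never reads Bob's set, only c_i from TP."""
    view = []
    while True:
        x = adversary(tuple(view))
        if x is None:
            return view, tp.bob_output
        if x is ABORT:
            tp.abort()
            return view, tp.bob_output
        c, elem = tp.query(x), x      # step (b); step (c) keeps x_i when c_i = 1
        while c == 0 and elem == x:   # step (c): random x' != x_i when c_i = 0
            elem = secrets.randbelow(2**32)
        view.append(equality_test(x, elem))

def abort_after_hit(elements):
    """Constructed adversary: sends elements in order, aborts once it sees a match."""
    return lambda view: ABORT if view and view[-1] else (
        elements[len(view)] if len(view) < len(elements) else None)
```

The adversary is a function of its view so far, which is what lets the same black box be run once in each world and the two (view, Bob's output) pairs compared.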

Now, let Bob be a real world adversary A. We construct an adversary S given black-box access to A. A sketch diagram of the construction is given in Figure 4.4.


Figure 4.4: Construct an adversary S from adversary A corrupting Bob

Note that, in Figure 4.4, we use "$\widetilde{\text{Alice}}$" and "Alice" to distinguish the two different parties in different models. "$\widetilde{\text{Alice}}$" is in the real world model, and "Alice" is in the ideal model.

The details of the construction are given as follows.

1. S invokes A on input the set B.

2. If A sends abort in Phase 1, then S outputs whatever A outputs, and halts.

Otherwise, S proceeds to Phase 2 as below.

3. To simulate each iteration i = 1, 2, . . . , n and j = 1, 2, . . . , m.

A proof for the case when Alice is the real world adversary is similar to the previous case, and it is omitted.
