Paper 2013/593

One-Sided Adaptively Secure Two-Party Computation

Carmit Hazay and Arpita Patra

Abstract

Adaptive security is a strong security notion that captures additional security threats that are not addressed by static corruptions. For instance, it captures scenarios in which the attacker chooses which party to corrupt based on the protocol communication. It further captures real-world scenarios where ``hackers'' actively break into computers, possibly while they are executing secure protocols. Studying this setting is interesting from both theoretical and practical points of view. The former is because the theoretical understanding of this setting is not yet profound and important questions are still unresolved; a notable example is the question regarding the feasibility of constant round adaptively secure protocols. From practical viewpoint, generic adaptively secure protocols are far more complicated and less efficient than static protocols. A primary building block in designing adaptively secure protocols is a non-committing encryption or NCE that implements secure communication channels in the presence of adaptive corruptions. Current NCE constructions require a number of public key operations that grows linearly with the length of the message. Furthermore, general two-party protocols require a number of NCE calls that is linear in the circuit size (or otherwise the protocol is not round efficient). As a result the number of public key operations is inflated and depends on the circuit size as well. In this paper we study the two-party setting in which at most one of the parties is adaptively corrupted, which we believe is the right security notion in the two-party setting. We study the feasibility of (1) NCE with constant number of public key operations for any message space. (2) Oblivious transfer with constant number of public key operations for any sender's input space, and (3) constant round secure computation protocols with a number of NCE calls, and an overall number of public key operations, that are independent of the circuit size. Our study demonstrates that such primitives indeed exist in the presence of single corruptions, while this is not the case for fully adaptive security (where both parties may get corrupted).