Cryptology ePrint Archive: Report 2021/1682

Making Private Function Evaluation Safer, Faster, and Simpler

Yi Liu and Qi Wang and Siu-Ming Yiu

Abstract: In the problem of two-party \emph{private function evaluation} (PFE), one party $P_A$ holds a \emph{private function} $f$ and (optionally) a private input $x_A$, while the other party $P_B$ possesses a private input $x_B$. Their goal is to evaluate $f$ on $x_A$ and $x_B$, and one or both parties may obtain the evaluation result $f(x_A, x_B)$ while no other information beyond $f(x_A, x_B)$ is revealed.

In this paper, we revisit the two-party PFE problem and provide several enhancements. We propose the \emph{first} constant-round actively secure PFE protocol with linear complexity. Based on this result, we further provide the \emph{first} constant-round publicly verifiable covertly (PVC) secure PFE protocol with linear complexity to gain better efficiency. For instance, when the deterrence factor is $\epsilon = 1/2$, compared to the passively secure protocol, its communication cost is very close and its computation cost is around $2.6\times$. In our constructions, as a by-product, we design a specific protocol for proving that a list of ElGamal ciphertexts is derived from an \emph{extended permutation} performed on a given list of elements. It should be noted that this protocol greatly improves the previous result and may be of independent interest. In addition, a reusability property is added to our two PFE protocols. Namely, if the same function $f$ is involved in multiple executions of the protocol between $P_A$ and $P_B$, then the protocol could be executed more efficiently from the second execution. Moreover, we further extend this property to be \emph{global}, such that it supports multiple executions for the same $f$ in a reusable fashion between $P_A$ and \emph{arbitrary} parties playing the role of $P_B$.

Category / Keywords: cryptographic protocols / Extended permutation, Private function evaluation, Publicly verifiable covert security, Secure two-party computation

Original Publication (with major differences): IACR-PKC-2022

Date: received 22 Dec 2021, last revised 24 Dec 2021

Contact author: liuy7 at mail sustech edu cn

Available format(s): PDF | BibTeX Citation

Version: 20211224:064659 (All versions of this report)

Short URL: ia.cr/2021/1682


[ Cryptology ePrint archive ]