1 Introduction

Secure multi-party computation (MPC) aims to enable multiple players to cooperatively compute various functions in the presence of adversaries. MPC was first introduced by Yao [10], and because of its importance in cryptography, many variants have been presented so far [35, 79]. In CRYPTO 2014 [2], Beimel et al. introduced a novel type of MPC, called non-interactive MPC (NIMPC), against honest-but-curious adversaries in the information-theoretic setting, which completely avoids interaction while realizing as strong security as possible. They succeeded in obtaining unconditional positive results for some special cases of interest. In particular, they presented fully robust protocols for various classes of functions, including the class of arbitrary functions. Full robustness here means that any set of corrupted players cannot obtain any information other than what is obtained by oracle access to the function restricted to the input values of the uncorrupted players. However, except for special functions like the summation in an abelian group, the communication complexity is not less than polynomial in the size of the input domain (i.e., exponential in the input length) (Table 1).

Table 1. The communication complexity of n-player NIMPC protocols for a family of functions \(h:\mathcal{X} \rightarrow \{0,1\}^m\) where \(\mathcal{X}=\mathcal{X}_1\times \cdots \times \mathcal{X}_n\) and \(d'\le |\mathcal{X}_i|\le d\) for all \(1\le i\le n\).

The question we ask is whether there is room to reduce the communication complexity of NIMPC. Unfortunately, relatively little is known about limitations on the communication complexity of MPC. Recently, research on the difficult problem of lower bounds for communication in MPC has become active, as in the work of Data et al. in CRYPTO 2014 [6]. They developed novel information-theoretic tools to prove lower bounds on the communication complexity in the traditional (i.e., interactive) model involving 3 parties.

In this paper, we study the communication complexity of NIMPC defined in [2]. As a result, we show that the communication inefficiency of NIMPC is essentially unavoidable except for special classes of functions. The contributions of this paper are as follows.

  • Communication complexity of NIMPC for any set of functions: We derive the first lower bound on the communication complexity of NIMPC for any set of functions. The derived lower bound is the logarithm of the size of the function set. In particular, for the set of arbitrary functions \(f:\mathcal{X}\rightarrow \{0,1\}^m\) where \(\mathcal{X}\) is the input domain and m is the output length, the lower bound is \(|\mathcal{X}|\cdot m\), i.e., exponential in the input length.

  • Communication complexity for the set of indicator functions: On the other hand, for the set of indicator functions, where the number of functions is linear in the input and output length, we have a significantly smaller lower bound. However, the communication complexity of the previous NIMPC protocol for indicator functions in [2] is exponential in the input length. This gap implies an exponential gap between the lower and upper bounds of NIMPC protocols for arbitrary functions because the NIMPC protocol for indicator functions is used as a building block.

  • Efficient NIMPC protocol for indicator functions: We then reduce the exponential gap between the lower and upper bounds on the communication complexity to quadratic by constructing a much more efficient NIMPC protocol for indicator functions. Specifically, we present a construction of NIMPC protocols for indicator functions whose communication complexity is quadratic in the input length.

Our technique for deriving lower bounds is quite simple and useful for approximating the amount of communication. For the target class of functions, we first assume the existence of a correct NIMPC protocol with some communication complexity and show a method for a server to send data to a client by encoding the data into a function and evaluating the function with the NIMPC protocol. Thus, the communication complexity is bounded by the size of the target class. If the assumed communication complexity is smaller than the logarithm of the size of the target class, a contradiction follows. Thus, the communication complexity is lower bounded by the logarithm of the size of the target class. A similar technique is used in [1] for proving the impossibility of multiplicative secret sharing rather than for deriving lower bounds.

2 Preliminaries

We recall the notations and definitions of NIMPC introduced in [2]. For an integer n, let [n] be the set \(\{1,2,\ldots , n\}\). For a set \(\mathcal{X}=\mathcal{X}_1\times \cdots \times \mathcal{X}_n\) and \(T\subseteq [n]\), we denote \(\mathcal{X}_T {\triangleq }\prod _{i\in T}\mathcal{X}_i\). For \(x\in \mathcal{X}\), we denote by \(x_T\) the restriction of x to \(\mathcal{X}_T\), and for a function \(h:\mathcal{X}\rightarrow \varOmega \), a subset \(T\subseteq [n]\), and \(x_{\overline{T}}\in \mathcal{X}_{\overline{T}}\), we denote by \(h|_{\overline{T},x_{\overline{T}}}: \mathcal{X}\rightarrow \varOmega \) the function h where the inputs in \(\mathcal{X}_{\overline{T}}\) are fixed to \(x_{\overline{T}}\). For a set S, let |S| denote its size (i.e., cardinality of S).

An NIMPC protocol for a family of functions \(\mathcal{H}\) is defined by three algorithms: (1) a randomness generation function \(\mathsf{GEN}\), which given a description of a function \(h\in \mathcal{H}\) generates n correlated random inputs \(R_1,\ldots ,R_n\), (2) a local encoding function \(\mathsf{ENC}_i\) \((1\le i\le n)\), which takes an input \(x_i\) and a random input \(R_i\) and outputs a message, and (3) a decoding algorithm \(\mathsf{DEC}\) that reconstructs \(h(x_1,\ldots ,x_n)\) from the n messages. The formal definition is given as follows:

Definition 1

(NIMPC: Syntax and Correctness). Let \(\mathcal{X}_1, \ldots , \mathcal{X}_n\), \(\mathcal{R}_1,\ldots \), \(\mathcal{R}_n\), \(\mathcal{M}_1, \ldots , \mathcal{M}_n\) and \(\varOmega \) be finite domains. Let \(\mathcal{X}{\triangleq }\mathcal{X}_1\times \cdots \times \mathcal{X}_n\) and let \(\mathcal{H}\) be a family of functions \(h:\mathcal{X}\rightarrow \varOmega \). A non-interactive secure multi-party computation (NIMPC) protocol for \(\mathcal{H}\) is a triplet \(\varPi =(\mathsf{GEN},\mathsf{ENC},\mathsf{DEC})\) where

  • \(\mathsf{GEN}:\mathcal{H}\rightarrow \mathcal{R}_1\times \cdots \times \mathcal{R}_n\) is a random function,

  • \(\mathsf{ENC}\) is an n-tuple of deterministic functions \((\mathsf{ENC}_1,\ldots ,\mathsf{ENC}_n)\), where \(\mathsf{ENC}_i:\mathcal{X}_i\times \mathcal{R}_i\rightarrow \mathcal{M}_i\),

  • \(\mathsf{DEC}:\mathcal{M}_1\times \cdots \times \mathcal{M}_n\rightarrow \varOmega \) is a deterministic function satisfying the following correctness requirement: for any \(x=(x_1,\ldots ,x_n)\in \mathcal{X}\) and \(h\in \mathcal{H}\),

    $$\begin{aligned} \Pr [R=(R_1,\ldots ,R_n)\leftarrow \mathsf{GEN}(h): \mathsf{DEC}(\mathsf{ENC}(x,R))=h(x)]=1, \end{aligned}$$
    (1)

    where \(\mathsf{ENC}(x,R){\triangleq }(\mathsf{ENC}_1(x_1,R_1),\ldots ,\mathsf{ENC}_n(x_n,R_n))\).

The individual communication complexity of \(\varPi \) is the maximum of \(\log |\mathcal{R}_1|,\ldots \), \(\log |\mathcal{R}_n|\), \(\log |\mathcal{M}_1|,\ldots \), \(\log |\mathcal{M}_n|\). The total communication complexity of \(\varPi \) is the summation of \(\log |\mathcal{R}_1|,\ldots \), \(\log |\mathcal{R}_n|\), \(\log |\mathcal{M}_1|,\ldots \), \(\log |\mathcal{M}_n|\).

We next show the definition of robustness for NIMPC, which states that a coalition can only learn the information they should. In the above setting, a coalition T can repeatedly encode any inputs for T and decode h with the new encoded inputs and the original encoded inputs of \(\overline{T}\). Thus, the following robustness requires that they learn no other information than the information obtained from oracle access to \(h|_{\overline{T},x_{\overline{T}}}\).

Definition 2

(NIMPC: Robustness). For a subset \(T\subseteq [n]\), we say that an NIMPC protocol \(\varPi \) for \(\mathcal{H}\) is T-robust if there exists a randomized function \(Sim_T\) (a “simulator”) such that, for every \(h\in \mathcal{H}\) and \(x_{\overline{T}}\in \mathcal{X}_{\overline{T}}\), we have \(Sim_T(h|_{\overline{T},x_{\overline{T}}})\equiv (M_{\overline{T}},R_{T})\), where R and M are the joint randomness and messages defined by \(R\leftarrow \mathsf{GEN}(h)\) and \(M_i\leftarrow \mathsf{ENC}_i(x_i,R_i)\).

For an integer \(0\le t\le n\), we say that \(\varPi \) is t-robust if it is T-robust for every \(T\subseteq [n]\) of size \(|T|\le t\). We say that \(\varPi \) is fully robust (or simply refer to \(\varPi \) as an NIMPC for \(\mathcal{H}\)) if \(\varPi \) is n-robust. Finally, given a concrete function \(h:\mathcal{X}\rightarrow \varOmega \), we say that \(\varPi \) is a (t-robust) NIMPC protocol for h if it is a (t-robust) NIMPC for \(\mathcal{H}=\{h\}\).

As the same simulator \(Sim_T\) is used for every \(h\in \mathcal{H}\) and the simulator has only access to \(h|_{\overline{T},x_{\overline{T}}}\), NIMPC hides both h and the inputs of \(\overline{T}\). An NIMPC protocol is 0-robust if it is \(\emptyset \)-robust. In this case, the only requirement is that the messages \((M_1,\ldots ,M_n)\) reveal h(x) and nothing else.

An NIMPC protocol is also described in the language of protocols in [2]. Such a protocol involves n players \(P_1,\ldots ,P_n\), each holding an input \(x_i\in \mathcal{X}_i\), and an external “output server,” a player \(P_0\) with no input. The protocol may have an additional input, a function \(h\in \mathcal{H}\).

Definition 3

(NIMPC: Protocol Description). For an NIMPC protocol \(\varPi \) for \(\mathcal{H}\), let P \((\varPi )\) denote the protocol that may have an additional input, a function \(h\in \mathcal{H}\), and proceeds as follows.

\(\underline{\mathbf{Protocol}\ \mathrm{P}(\varPi )(h)}\)

  • Offline preprocessing: Each player \(P_i\), \(1\le i\le n\), receives the random input \(R_i{\triangleq }\mathsf{GEN}(h)_i\in \mathcal{R}_i\).

  • Online messages: On input \(R_i\), each player \(P_i\), \(1\le i\le n\), sends the message \(M_i{\triangleq }\mathsf{ENC}_i(x_i,R_i)\in \mathcal{M}_i\) to \(P_0\).

  • Output: \(P_0\) computes and outputs \(\mathsf{DEC}(M_1,\ldots ,M_n)\).

Informally, the relevant properties of protocol P\((\varPi )\) are given as follows:

  • For any \(h\in \mathcal{H}\) and \(x\in \mathcal{X}\), the output server \(P_0\) outputs, with probability 1, the value \(h(x_1,\ldots ,x_n)\).

  • Fix \(T\subseteq [n]\). Then, \(\varPi \) is T-robust if in P\((\varPi )\) the set of players \(\{P_i\}_{i\in T}\cup \{P_0\}\) can simulate their view of the protocol (i.e., the random inputs \(\{R_i\}_{i\in T}\) and the messages \(\{M_i\}_{i\in \overline{T}}\)) given oracle access to the function h restricted by the other inputs (i.e., \(h|_{\overline{T},x_{\overline{T}}}\)).

  • \(\varPi \) is 0-robust if and only if in P\((\varPi )\) the output server \(P_0\) learns nothing but \(h(x_1,\ldots ,x_n)\).

We show a claim in [2] stating that for functions outputting more than one bit, we can compute each output bit separately. Based on this fact, in [2], a fully robust NIMPC protocol for the set of indicator functions was first constructed, and then NIMPC protocols for the set of arbitrary functions are constructed based on it.

Proposition 1

(Claim 7 in [2]). Let \(\mathcal{X}{\triangleq }\mathcal{X}_1\times \cdots \times \mathcal{X}_n\), where \(\mathcal{X}_1,\ldots ,\mathcal{X}_n\) are some finite domains. Fix an integer \(m>1\). Suppose \(\mathcal{H}\) is a family of boolean functions \(h:\mathcal{X}\rightarrow \{0,1\}\) admitting an NIMPC protocol with communication complexity \(\delta \). Then, the family of functions \(\mathcal{H}^m=\{h:\mathcal{X}\rightarrow \{0,1\}^m|h=h_1\circ \cdots \circ h_m, h_i\in \mathcal{H}\}\) admits an NIMPC protocol with communication complexity \(\delta \cdot m\).

Definition 4

(Indicator Functions). Let \(\mathcal{X}\) be a finite domain. For n-tuple \(a=(a_1,\ldots ,a_n)\in \mathcal{X}\), let \(h_a:\mathcal{X}\rightarrow \{0,1\}\) be the function defined by \(h_a(a)=1\), and \(h_a(x)=0\) for all \(a\not =x\in \mathcal{X}\). Let \(h_0:\mathcal{X}\rightarrow \{0,1\}\) be the function that is identically zero on \(\mathcal{X}\). Let \(\mathcal{H}_\mathrm{ind}{\triangleq }\{h_a\}_{a\in \mathcal{X}}\cup \{h_0\}\) be the set of all indicator functions together with \(h_0\).

Note that every function \(h:\mathcal{X}\rightarrow \{0,1\}\) can be expressed as the sum of indicator functions, namely, \(h=\sum _{a\in \mathcal{X}, h(a)=1}h_a\).

We review the previous results on upper bounds on the individual communication complexity of NIMPC. As described above, the NIMPC protocols in [2] are constructed from NIMPC for \(\mathcal{H}_\mathrm{ind}\). Thus, the previous upper bounds depend on the upper bound for \(\mathcal{H}_\mathrm{ind}\). This means we have a better upper bound if we obtain a more efficient NIMPC protocol for \(\mathcal{H}_\mathrm{ind}\).

Proposition 2

(Arbitrary Functions \(\mathcal{H}_\mathrm{all},\) Proof of Theorem 10 in [2]). Fix finite domains \(\mathcal{X}_1, \ldots , \mathcal{X}_n\) such that \(|\mathcal{X}_i|\le d\) for all \(1\le i\le n\) and let \(\mathcal{X}{\triangleq }\mathcal{X}_1\times \cdots \times \mathcal{X}_n\). Let \(\mathcal{H}_\mathrm{all}\) be the set of all functions \(h:\mathcal{X}\rightarrow \{0,1\}^m\). If there exists an NIMPC protocol for \(\mathcal{H}_\mathrm{ind}\) with individual communication complexity \(\delta \), then there exists an NIMPC protocol for \(\mathcal{H}_\mathrm{all}\) with individual (resp. total) communication complexity \(|\mathcal{X}|\cdot m\cdot \delta \) (resp. \(|\mathcal{X}|\cdot m\cdot \delta \cdot n\)).

3 Lower Bounds on the Communication Complexity

We derive a lower bound on the total communication complexity for any finite set of functions, \(\mathcal{H}_\mathrm{all}\), and \(\mathcal{H}_\mathrm{ind}\), respectively.

As described in the introduction, the total communication complexity is bounded by the size of the target class. In other words, the total communication complexity cannot be smaller than the logarithm of the size of the target class.

Theorem 1

(Lower bound for any Finite Set of Functions). Fix finite domains \(\mathcal{X}_1, \ldots , \mathcal{X}_n\) and \(\varOmega \). Let \(\mathcal{X}{\triangleq }\mathcal{X}_1\times \cdots \times \mathcal{X}_n\) and let \(\mathcal{H}\) be a set of functions \(h:\mathcal{X}\rightarrow \varOmega \). Then, any fully robust NIMPC protocol \(\varPi \) for \(\mathcal{H}\) satisfies

$$\begin{aligned} \sum _{i=1}^n\log |\mathcal{R}_i|\ge & {} \log |\mathcal{H}|, \end{aligned}$$
(2)
$$\begin{aligned} \sum _{i=1}^n\log |\mathcal{M}_i|\ge & {} \log |\varOmega |. \end{aligned}$$
(3)

Proof

We first prove Eq. (2). Let \(H=|\mathcal{H}|\). Let \(\varphi \) be a one-to-one mapping from \(\mathcal{H}\) to \(\{0,1,\ldots ,H-1\}\). (That is, all functions in \(\mathcal{H}\) are numbered by some rule.) Suppose a server holding a random number \(a\in \{0,\ldots ,H-1\}\) aims to send a to a client. Suppose also that there is an NIMPC protocol \((\mathsf{GEN}\), \(\mathsf{ENC}\), \(\mathsf{DEC})\) for \(\mathcal{H}\) that satisfies \(\sum _{i=1}^n\log |\mathcal{R}_i| < \log H\). For the function \(h=\varphi ^{-1}(a)\), the server executes \(R\leftarrow \mathsf{GEN}(h)\) and sends R to the client. The client obtains a by executing \(\mathsf{ENC}\) and \(\mathsf{DEC}\) for all possible inputs \(x\in \mathcal{X}\) and identifying the function h. We conclude that the server can communicate any \(a\in \{0,\ldots ,H-1\}\) to the client using \(R=(R_1,\ldots ,R_n)\), whose domain size \(\prod _{i=1}^n |\mathcal{R}_i|\) is smaller than H, which is impossible. Thus, we have \(\sum _{i=1}^n\log |\mathcal{R}_i|\ge \log H\).

In a similar way, we next prove Eq. (3). Suppose a server holding a random element \(b\in \varOmega \) aims to send b to a client, and that there is an NIMPC protocol \((\mathsf{GEN},\) \(\mathsf{ENC}\), \(\mathsf{DEC})\) for \(\mathcal{H}\) that satisfies \(\sum _{i=1}^n\log |\mathcal{M}_i| < \log |\varOmega |\). For a function \(h\in \mathcal{H}\) and an element \(a\in \mathcal{X}\) such that \(h(a)=b\), the server executes \(R\leftarrow \mathsf{GEN}(h)\) and \(M\leftarrow \mathsf{ENC}(a,R)\), and sends M to the client. The client obtains b by executing \(\mathsf{DEC}\). We conclude that the server can communicate any \(b\in \varOmega \) to the client using \(M=(M_1,\ldots ,M_n)\), whose domain size \(\prod _{i=1}^n |\mathcal{M}_i|\) is smaller than \(|\varOmega |\), which is impossible. Thus, we have \(\sum _{i=1}^n\log |\mathcal{M}_i|\ge \log |\varOmega |\).    \(\square \)

The following corollary shows a lower bound on the total communication complexity of NIMPC for the set of arbitrary functions. The lower bounds indicate the impossibility of reducing the communication complexity to polynomial in the input length.

Corollary 1

(Lower bound for Arbitrary Functions). Fix finite domains \(\mathcal{X}_1, \ldots \), \(\mathcal{X}_n\) such that \(|\mathcal{X}_i|\ge d\) for all \(1\le i\le n\). Let \(\mathcal{X}{\triangleq }\mathcal{X}_1\times \cdots \times \mathcal{X}_n\) and let \(\mathcal{H}_\mathrm{all}\) be the set of all functions \(h:\mathcal{X}\rightarrow \{0,1\}^m\). Any NIMPC protocol \(\varPi \) for \(\mathcal{H}_\mathrm{all}\) satisfies

$$\begin{aligned} \sum _{i=1}^n\log |\mathcal{R}_i|\ge & {} m\cdot |\mathcal{X}|\ge d^n\cdot m, \end{aligned}$$
(4)
$$\begin{aligned} \sum _{i=1}^n\log |\mathcal{M}_i|\ge & {} m. \end{aligned}$$
(5)

Proof

The proof is obvious from Theorem 1 by setting \(\mathcal{H}=\mathcal{H}_\mathrm{all}\). A function maps each input value to some output value. Thus, \(|\mathcal{H}|\) is the number of all possible output values raised to the power of the number of all possible input values, i.e., \((2^m)^{|\mathcal{X}|}=2^{m\cdot |\mathcal{X}|}\). Then, \(\sum _{i=1}^n\log |\mathcal{R}_i|\ge \log |\mathcal{H}|=m\cdot |\mathcal{X}|\).    \(\square \)

The following corollary shows a lower bound on the total communication complexity of NIMPC for \(\mathcal{H}_\mathrm{ind}\). The gap between this lower bound (linear in the input length) and the previous upper bound (exponential in the input length) is large. In the next section, we will present an efficient NIMPC protocol for \(\mathcal{H}_\mathrm{ind}\) with individual (resp. total) communication complexity \(O(n\cdot \log ^2 d)\) (resp. \(O(n^2\cdot \log ^2 d)\)).

Corollary 2

(Lower bound for Indicator Functions). Fix finite domains \(\mathcal{X}_1, \ldots \), \(\mathcal{X}_n\) such that \(|\mathcal{X}_i|\ge d\) for all \(1\le i\le n\) and let \(\mathcal{X}{\triangleq }\mathcal{X}_1\times \cdots \times \mathcal{X}_n\). Then, any NIMPC protocol \(\varPi _\mathrm{ind}\) for \(\mathcal{H}_\mathrm{ind}\) satisfies

$$\begin{aligned} \sum _{i=1}^n\log |\mathcal{R}_i|\ge & {} \log |\mathcal{X}| \ge n\cdot \log d. \end{aligned}$$
(6)

Though the proof is obvious from Theorem 1, we give a more constructive proof, which does not need to assume the existence of a one-to-one mapping \(\varphi \).

Proof

Suppose a server holding a random vector \(a=(a_1,\ldots ,a_n)\in \mathcal{X}\) aims to send a to a client. Suppose that there is an NIMPC protocol \((\mathsf{GEN},\) \(\mathsf{ENC}\), \(\mathsf{DEC})\) for \(\mathcal{H}_\mathrm{ind}\) that satisfies \(\sum _{i=1}^n\log |\mathcal{R}_i| < \log |\mathcal{X}|\). The server executes \(R\leftarrow \mathsf{GEN}(h_a)\) and sends R to the client. The client obtains a by executing \(\mathsf{ENC}\) and \(\mathsf{DEC}\) for all possible inputs \(a'\in \mathcal{X}\) and checking whether the output is 1 or not. The input \(a'\) for which the output is 1 is taken to be a. We conclude that the server can communicate any \(a\in \mathcal{X}\) to the client using \(R=(R_1,\ldots ,R_n)\), whose domain size \(\prod _{i=1}^n |\mathcal{R}_i|\) is smaller than \(|\mathcal{X}|\), which is impossible. Thus, we have \(\sum _{i=1}^n\log |\mathcal{R}_i|\ge \log |\mathcal{X}|\).    \(\square \)

4 Efficient Constructions

We now present an efficient construction of NIMPC for \(\mathcal{H}_\mathrm{ind}\). In the previous construction in [2], all the possible input values are encoded in a unary way, and thus the communication complexity depends on the size of the input domain. Specifically, each possible input value is represented by a single vector over \(\mathbb F_2\) so that the summation of the vectors corresponding to \(a=(a_1,\ldots , a_n)\) is equal to the zero vector, while all other combinations are linearly independent to satisfy the robustness. Our idea to reduce the communication complexity is to encode all the possible input values in a binary way. Specifically, for each bit in the binary representation, two vectors representing “0” and “1” are generated so that the summation of all vectors over the binary representation of a is equal to zero. Since the proposed encoding reduces the required dimension of the vectors, the communication complexity of the resulting NIMPC is greatly reduced, too.

The detailed description of the protocol is as follows. For \(i\in [n]\), let \(d_i=|\mathcal{X}_i|\) and let \(\phi _i\) be a one-to-one mapping from \(\mathcal{X}_i\) to \([d_i]\). Let \(l_i=\lceil \log _2 (d_i+1) \rceil \) and \(s=\sum _{i=1}^n l_i\). Fix a function \(h\in \mathcal{H}_\mathrm{ind}\) that we want to compute.

\(\underline{\mathbf{The\ proposed\ NIMPC}\ P(\varPi _\mathrm{ind})(h)}\)

  • Offline preprocessing: If \(h=h_0\), then choose s linearly independent random vectors \(\{m_{i,j}\}_{i\in [n],j\in [l_i]}\) in \(\mathbb F_2^s\). If \(h=h_a\) for some \(a=(a_1,\ldots ,a_n)\in \mathcal{X}\), denote the binary representation of \(\phi _i(a_i)\) by \(b_i=(b_{i,1},\ldots ,b_{i,l_i})\) and define a set of indices \(I_i\) by \(I_i=\{j\in [l_i]\;|\; b_{i,j}=1\}\). Choose s random vectors \(\{m_{i,j}\}_{i\in [n],j\in [l_i]}\) in \(\mathbb F_2^s\) under the constraint that \(\sum _{i=1}^{n} \sum _{j\in I_i} m_{i,j}=0\) and there are no other linear relations between them (that is, choose all the vectors \(m_{i,j}\) except \(m_{n,\max I_n}\) as random linearly independent vectors and set \(m_{n,\max I_n}=-\sum _{i=1}^{n-1}\sum _{j\in I_i} m_{i,j} - \sum _{j\in I_n\setminus \{\max I_n\}} m_{n,j}\)). Define \(\mathsf{GEN}(h)=R=(R_1,\ldots ,R_n)\), where \(R_i=\{m_{i,j}\}_{j\in [l_i]}\).

  • Online messages: For an input \(x_i\), let \(\hat{b}_i=(\hat{b}_{i,1},\ldots ,\hat{b}_{i,l_i})\) be the binary representation of \(\phi _i(x_i)\). Let \(\hat{I}_i\) be the set of indices defined by \(\hat{I}_i=\{j\in [l_i]\;|\; \hat{b}_{i,j}=1\}\). \(\mathsf{ENC}(x,R)=(M_1,\ldots ,M_n)\) where \(M_i=\sum _{j\in \hat{I}_i} m_{i,j}\).

  • Output \(h(x_1,\ldots ,x_n)\) : \(\mathsf{DEC}(M_1,\ldots ,M_n)=1\) if \(\sum _{i=1}^n M_i=\mathbf{0 }\).

Theorem 2

Fix finite domains \(\mathcal{X}_1, \ldots , \mathcal{X}_n\) such that \(|\mathcal{X}_i|\le d\) for all \(1\le i\le n\) and let \(\mathcal{X}{\triangleq }\mathcal{X}_1\times \cdots \times \mathcal{X}_n\). Then, there is an NIMPC protocol \(\varPi _\mathrm{ind}\) for \(\mathcal{H}_\mathrm{ind}\) with individual (resp. total) communication complexity at most \(\lceil \log _2 (d+1)\rceil ^2\cdot n\) (resp. \(\lceil \log _2 (d+1)\rceil ^2\cdot n^2\)).

Proof

For the correctness, note that \(\sum _{i=1}^n M_i=\sum _{i=1}^n\sum _{j\in \hat{I}_i} m_{i,j}\). If \(h=h_a\) for \(a\in \mathcal{X}\), this sum equals 0 if and only if \(I_{i}=\hat{I}_i\) for all \(i\in [n]\), i.e., \(a=x\). If \(h=h_0\), this sum is never zero, as all vectors were chosen to be linearly independent in this case.

To prove robustness, fix a subset \(T\subset [n]\) and \(x_{\overline{T}}\in \mathcal{X}_{\overline{T}}\). The encodings \(M_{\overline{T}}\) of \(\overline{T}\) consist of the vectors \(\{M_i\}_{i\in \overline{T}}\). The randomness \(R_T\) consists of the vectors \(\{m_{i,j}\}_{i\in T,j\in [l_i]}\). If \(h|_{\overline{T},x_{\overline{T}}}\equiv 0\), then these vectors are uniformly distributed in \(\mathbb F_2^s\) under the constraint that they are linearly independent. If \(h|_{\overline{T},x_{\overline{T}}}(x_T)= 1\) for some \(x_T\in \mathcal{X}_T\), then \(\sum _{i\in \overline{T}}M_i + \sum _{i\in T}\sum _{j\in \hat{I}_i} m_{i,j}=0\) and there are no other linear relations between them. Formally, to prove the robustness, we describe a simulator \(\text {Sim}_T\): the simulator queries \(h|_{\overline{T},x_{\overline{T}}}\) on all possible inputs in \(\mathcal{X}_T\). If all answers are zero, this simulator generates random independent vectors. Otherwise, there is an \(x_T\in \mathcal{X}_T\) such that \(h|_{\overline{T},x_{\overline{T}}}(x_T)= 1\), and the simulator outputs random vectors under the constraints described above, that is, all vectors are independent with the exception that \(\sum _{i\in \overline{T}}M_i+ \sum _{i\in T} \sum _{j\in \hat{I}_i} m_{i,j}=0\).

The correlated randomness \(R_i\) is composed of \(l_i\le \lceil \log _2 (d +1)\rceil \) binary vectors of length \(s\le \lceil \log _2 (d+1)\rceil \cdot n\) and the encoding is the summation of some of them. Hence, the communication complexity is at most \(\lceil \log _2 (d +1)\rceil ^2 \cdot n\).    \(\square \)
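The protocol \(\varPi _\mathrm{ind}\) above, together with the client-side recovery of a from R used in the proof of Corollary 2, as an added Python example (not code from the paper). It assumes each \(\phi _i\) is the identity on \(\{1,\ldots ,d_i\}\), stores vectors of \(\mathbb F_2^s\) as s-bit integers with XOR as addition, and uses illustrative function names and a constructed sample domain.

```python
import secrets
from itertools import product

def index_set(v, l):
    """Positions of the 1-bits in the l-bit representation of v (0-based, LSB first)."""
    return [j for j in range(l) if (v >> j) & 1]

def independent_vectors(count, s):
    """`count` uniformly random, linearly independent vectors of F_2^s, as s-bit ints."""
    basis, out = {}, []                  # basis: leading-bit position -> reduced vector
    while len(out) < count:
        v = r = secrets.randbits(s)
        while r and (r.bit_length() - 1) in basis:   # eliminate against the span so far
            r ^= basis[r.bit_length() - 1]
        if r:                            # v is outside the span: keep it
            basis[r.bit_length() - 1] = r
            out.append(v)
    return out

def lengths(dims):
    """l_i = ceil(log2(d_i + 1)), which equals d_i.bit_length() for d_i >= 1."""
    return [d.bit_length() for d in dims]

def gen(a, dims):
    """GEN(h): a is None for h_0, otherwise the point a of h_a with a_i in 1..d_i."""
    ls = lengths(dims)
    s = sum(ls)
    slots = [(i, j) for i, l in enumerate(ls) for j in range(l)]
    if a is None:
        vecs = dict(zip(slots, independent_vectors(s, s)))
    else:
        # All vectors but m_{n, max I_n} are independent; that one closes the relation.
        last = (len(dims) - 1, max(index_set(a[-1], ls[-1])))
        free = [p for p in slots if p != last]
        vecs = dict(zip(free, independent_vectors(s - 1, s)))
        acc = 0
        for i, a_i in enumerate(a):
            for j in index_set(a_i, ls[i]):
                if (i, j) != last:
                    acc ^= vecs[(i, j)]  # over F_2, -m = m and addition is XOR
        vecs[last] = acc
    return [[vecs[(i, j)] for j in range(l)] for i, l in enumerate(ls)]

def enc(x_i, R_i):
    """ENC_i: sum of the m_{i,j} selected by the 1-bits of x_i."""
    m = 0
    for j in index_set(x_i, len(R_i)):
        m ^= R_i[j]
    return m

def dec(msgs):
    """DEC: 1 iff the messages sum to the zero vector."""
    acc = 0
    for m in msgs:
        acc ^= m
    return 1 if acc == 0 else 0

def evaluate(x, R):
    """Run ENC for every player on input x and decode the resulting messages."""
    return dec([enc(x_i, R_i) for x_i, R_i in zip(x, R)])

def recover(R, dims):
    """Client in the proof of Corollary 2: try every input, return the one decoding to 1."""
    for x in product(*(range(1, d + 1) for d in dims)):
        if evaluate(x, R):
            return x
    return None                          # no input decodes to 1: h was h_0

def individual_bits(dims):
    """Largest |R_i| in bits: l_i vectors of length s (each message M_i is only s bits)."""
    ls = lengths(dims)
    return max(ls) * sum(ls)

if __name__ == "__main__":
    dims, a = (5, 3, 6), (4, 2, 6)       # constructed sample domain sizes and point
    R = gen(a, dims)
    print("recovered a:", recover(R, dims))
    print("bits per player:", individual_bits(dims),
          "bound:", max(dims).bit_length() ** 2 * len(dims))
```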

Corollary 3

Fix finite domains \(\mathcal{X}_1, \ldots , \mathcal{X}_n\) such that \(|\mathcal{X}_i|\le d\) for all \(1\le i\le n\) and let \(\mathcal{X}{\triangleq }\mathcal{X}_1\times \cdots \times \mathcal{X}_n\). Then, there is an NIMPC protocol for \(\mathcal{H}_\mathrm{all}\) with individual (resp. total) communication complexity at most \(|\mathcal{X}|\cdot m\cdot \lceil \log _2 (d+1)\rceil ^2\cdot n\) (resp. \(|\mathcal{X}|\cdot m\cdot \lceil \log _2 (d+1)\rceil ^2\cdot n^2\)).

This follows immediately from Proposition 2 and Theorem 1.

5 Conclusion

We have presented the first lower bound on the communication complexity of n-player NIMPC protocols for any set of functions including the set of arbitrary functions and the set of indicator functions. We have constructed novel NIMPC protocols for the set of arbitrary functions and the set of indicator functions. The proposed protocols are much more efficient than the previous protocols. For example, for the set of arbitrary functions, while the previous best known protocol in [2] requires \(|\mathcal{X}|\cdot m\cdot d^2 \cdot n\) communication complexity, the communication complexity of the proposed construction is only \(|\mathcal{X}|\cdot m\cdot \lceil \log _2(d+1)\rceil ^2 \cdot n\), where \(\mathcal{X}\) denotes the (total) input domain, d is the maximum domain size of a player, and m is the output length. By this result, the gap between the lower and upper bounds on the communication complexity is significantly reduced from \(d^2 \cdot n\) to \(\lceil \log _2(d+1)\rceil ^2 \cdot n\), that is, from exponential in the input length to quadratic.

The lower bounds in this paper are derived from the correctness property of NIMPC. While this approach is useful for approximating the communication complexity, there may be room to improve the lower bounds by taking the robustness property into account. Thus, a possible future work is to derive a tighter lower bound and present an optimum construction of NIMPC.