IACR News item: 10 December 2012
Yehuda Lindell, Kobbi Nissim, Claudio Orlandi
ePrint ReportIn this work, we initiate a theoretical study of input-size hiding secure computation, and focus on the two-party case. We present definitions for this task, and deal with the subtleties that arise in the setting where there is no a priori polynomial bound on the parties\' input sizes. Our definitional study yields a multitude of classes of input-size hiding computation, depending on whether a single party\'s input size remains hidden or both parties\' input sizes remain hidden, and depending on who receives output and if the output size is hidden from a party in the case that it does not receive output. We prove feasibility and impossibility results for input-size hiding secure two-party computation. Some of the highlights are as follows:
Under the assumption that fully homomorphic encryption (FHE) exists, there exist non-trivial functions (e.g., the millionaire\'s problem) that can be securely computed while hiding the input size of both parties.
Under the assumption that FHE exists, every function can be securely computed while hiding the input size of one party, when both parties receive output (or when the party not receiving output does learn the size of the output). In the case of functions with fixed output length, this implies that every function can be securely computed while hiding one party\'s input size.
There exist functions that cannot be securely computed while hiding both parties\' input sizes. This is the first formal proof that, in general, some information about the size of the parties\' inputs must be revealed.
Our results are in the semi-honest model. The problem of input-size hiding is already challenging in this scenario. We discuss the additional difficulties that arise in the malicious setting and leave this extension for future work.
Additional news items may be found on the IACR news page.