Randomness complexity of private computation

Abstract

We consider the problem of n honest but curious players with private inputs $ x_1,\ldots,x_n, $ who wish to compute the value of a fixed function $ {\cal F}(x_1,\ldots,x_n) $ in such way that at the end of the protocol every player knows the value $ {\cal F}(x_1,\ldots,x_n) $ . Each pair of players is connected by a secure point-to-point communication channel. The players have unbounded computational resources and they intend to compute $ {\cal F} $ in a t-private way. That is, after the execution of the protocol, no coalition of size at most $ t \le n - 1 $ can get any information about the inputs of the remaining players other than what can be deduced from their own inputs and the value of $ \cal F $ .¶ We study the amount of randomness needed in t-private protocols. We prove a lower bound on the randomness complexity of any t-private protocol to compute a function with sensitivity n. As a corollary, we obtain that when the private inputs are uniformly distributed, at least k(n—1)(n—2)/2 random bits are needed to compute the sum modulo 2 k of n k-bit integers in an (n—2)-private way. This result is tight as there are protocols for this problem that use exactly this number of random bits.