distributed protocol ensures that dishonest parties have no advantage over honest parties in learning their protocol’s output. What makes fairness a particularly intriguing research topic is Cleve’s seminal result [STOC’86], which proved that fairness is impossible to achieve in the presence of dishonest majorities and ignited a quest for more relaxed, yet meaningful definitions of fairness. A common pattern in existing works, however, is that they only treat the case of
computation—i.e., distributed computation of “one-shot” (stateless) functions, in which parties give all inputs strictly before any output is computed. Yet, many natural cryptographic tasks are of a
In this work, we introduce the first notion of fairness tailored to reactive distributed computation, which can be realized in the presence of dishonest majorities. Our definition builds on the recently suggested utility-based fairness notion (for non-reactive functions) by Garay
. [PODC’15], which, informally, measures the protocol’s fairness by means of the utility of an adversary who aims to break it As in the [PODC’15] work, our approach enjoys the advantage of offering a comparative notion, inducing a partial order on protocols with respect to fairness.
We investigate protocols that restrict the adversary’s utility and provide, for each choice of parameters specifying this utility, a protocol for fair and reactive two-party computation, which is optimal for a (natural) range of parameters. Our study shows that achieving fairness in the reactive setting is more complex than in the much-studied case of one-shot functions, as increasing the number of rounds used for reconstructing the output can lead to improved fairness, and the minimal required number of rounds depends on the
of the adversary’s utility.