Unconditional Privacy in Social Choice
Felix Brandt
Computer Science Department
Stanford University
Stanford CA 94305
brandtf@cs.stanford.edu
Tuomas Sandholm
Computer Science Department
Carnegie Mellon University
Pittsburgh PA 15213
sandholm@cs.cmu.edu
Abstract
The aggregation of conflicting preferences is an important issue in human society and multiagent systems. Due to its universality, voting among a set of alternatives has a central role
among preference aggregation mechanisms. We consider the most general case of voting in
which the voters’ rankings of alternatives are mapped to a collective ranking of alternatives
by a so-called social welfare functional (SWF). Maintaining privacy of individuals’ preferences
is crucial in order to guarantee freedom of choice (e.g., lack of vote coercing and reputation
effects), and to not facilitate strategic voting. We investigate whether unconditional full privacy
can be achieved in preference aggregation, that is, privacy that relies neither on trusted third
parties (or on a certain fraction of the voters being trusted), nor on computational intractability
assumptions. More precisely, we study the existence of distributed protocols that allow voters
to jointly determine the collective preference ranking without revealing further information.
We prove that there exists no SWF that is non-dictatorial, Paretian, monotonic, and privately
computable (any three of these properties can be achieved). Moreover, we show that replacing
privacy with anonymity enables the joint computation of arbitrary symmetric SWFs.
1 Introduction
Whenever a group of autonomous entities, such as humans or computational agents, strive for a
global decision, they need to aggregate their possibly conflicting preferences. Typically, this is
achieved by voting among a set of alternatives such as candidates, plans, or resource assignments.
One of the most prominent results in social choice theory is Arrow’s impossibility theorem (see
Section 5) which states that even a rather modest set of desiderata cannot be obtained when
aggregating preferences. This explains why a wide variety of social welfare functionals (SWFs),
i.e., functions that aggregate a vector of diverse individual preference rankings into one collective
preference ranking, with differing advantages and disadvantages have evolved.
Computer scientists from various fields such as multiagent systems, artificial intelligence, and
complexity theory are showing increasing interest in social choice theory. Some recent advances
include complexity analyses of strategic voting [Bartholdi, III et al., 1989a; Conitzer and Sandholm,
2003] and of computing the SWF itself [Bartholdi, III et al., 1989b; Hemaspaandra et al., 1997;
Rothe et al., 2003]. This paper deals with the possibility of jointly computing the SWF while
preserving privacy in an information-theoretic sense.
Maintaining privacy of individuals’ preferences is crucial in preference aggregation. For one,
this is required to achieve freedom of choice: avoiding vote coercing, allowing an agent to vote for a
casino over a school without fear of adverse reputation effects, etc. Second, learning about others’
preferences opens the possibility for an agent to benefit from voting insincerely—and according
to another seminal impossibility theorem [Gibbard, 1973; Satterthwaite, 1975], all SWFs (except
dictatorial ones) are manipulable in this sense, as long as there are more than two alternatives.
Traditionally, privacy is obtained by introducing one or more third parties who privately receive the individual preferences and then publicly declare the outcome. In such a model, privacy
completely depends on the trustworthiness of these parties as it is virtually impossible to prevent
a third party from revealing sensitive information. This paper investigates whether privacy that
does not rely on trusted third parties can be achieved in social choice. More precisely, we study the
existence of distributed protocols that allow voters to jointly determine the outcome of a SWF by
exchanging messages without revealing unnecessary information. This makes the problem a special
case of secure multiparty computation as first proposed by Yao [Yao, 1982].
One dimension along which privacy guarantees in distributed protocols differ is how many of
the agents need to collude before privacy is breached. In this paper, we will require the strongest
variant, full privacy or so-called (n − 1)-privacy, which means that no information (beyond what
can be inferred from the outcome) can be uncovered by a coalition that does not include all of the
n agents.
Another criterion along which privacy guarantees differ is whether or not the computational
power of the adversary is limited. In fact, using computational intractability as a barrier against
undesirable behavior has a long tradition in modern cryptography since Diffie and Hellman's seminal paper [Diffie and Hellman, 1976]. When relying on intractability assumptions (such as the conjectured hardness of factoring), it has been shown that arbitrary functions can be jointly computed so that no private input can be revealed by a polynomially-bounded adversary [Goldreich et al., 1987]. Unfortunately, computational intractability not only relies on the unproven assumption P ≠ NP but also on the widely unknown field of average-case complexity and further, more specific assumptions. Moreover, even when these conjectures are true, it may be possible to breach
privacy in the future when sufficient computational power becomes available. In this paper, we will
study unconditional privacy (aka. non-cryptographic or information-theoretic privacy), where the
adversary’s computational power is unlimited and a complete network of private channels between
agents is given. When we speak of privacy in the rest of this paper, we mean unconditional full
privacy.
It is known that only a restricted class of functions can be computed privately in this model.¹
There is yet no complete characterization of this class of functions (except for special cases like
Boolean [Chor and Kushilevitz, 1989] and 2-ary functions [Kushilevitz, 1989]). However, there
are sufficient conditions for showing that a function is not privately computable. Using these
conditions, we derive the main theorem of this paper which states that any SWF satisfying a
very reasonable set of desiderata cannot be privately computed.
Theorem 1
(a) There is no social welfare functional that is non-dictatorial, Paretian, monotonic, and privately computable.²
(b) There are social welfare functionals that satisfy any combination of three of these four properties.
¹ When assuming that a majority of the agents is trustworthy (this is not full privacy), all functions can be jointly computed in the unconditional model [Ben-Or et al., 1988; Chaum et al., 1988] (assuming passive adversaries).
² When there are just two alternatives, Pareto-optimality can be replaced with the weaker property of non-constancy.
The remainder of this paper is structured as follows. In Section 2, the underlying social choice
and security model are explained. Theorem 1 (a) (and a similar result for social choice functions)
is proven in Section 3. Section 4 shows that arbitrary symmetric SWFs can be computed when
replacing privacy with anonymity. In Section 5, we review two related impossibility results and
existing work on unconditional privacy in voting. The paper concludes with a summary of the
results in Section 6. Part (b) of Theorem 1 is proven in Appendix A.
2 Preliminaries
We consider a set of n agents A who vote among a set of m alternatives O. Each agent i possesses a private preference ranking $x_i \in \Theta$ among these alternatives ($|\Theta| = m!$). The unique rational (i.e., transitive and complete) preference relation induced by $x_i$ is denoted by $\succ_i$. A social welfare functional (SWF) $f : \Theta^n \to \Theta$ aggregates preferences into one collective preference ranking x (the collective preference relation $\succ$). For ease of notation, we will use $f(x_1, x_2, \ldots, x_n) = f(\vec{x}) = x$ as well as $f(\succ_1, \succ_2, \ldots, \succ_n) = {\succ}$. Often, only the socially most-preferred alternative is of interest (rather than a complete ranking of alternatives). A social choice function (SCF) $g : \Theta^n \to O$ maps preferences to a single alternative or candidate: the election winner. If m = 2, the notions of SWF and SCF are equivalent. Although our results apply to both SWFs and SCFs, we will refer to the more general concept of SWFs in the remainder of this section.³
The SWF is jointly computed by agents using a distributed, randomized protocol consisting of
several rounds. In order to enable secure message exchange, we assume a complete synchronous
network of private channels between agents. In each round, each agent may send a message to
any other agent. Each message an agent sends is a function of his preferences, his independent
random input $r_i$, the messages he received so far, and the recipient. When the protocol is finished,
all agents know the value of f(·).
We assume that the adversary is passive (or “honest-but-curious”). In other words, agents do
not deviate from the prescribed protocol but nevertheless try to deduce private information from
any data available to them. Clearly, negative results in the passive adversary model considered in
this paper also hold in more adversarial models, e.g., models with active or adaptive adversaries.
In the following, we formally define the four properties to be used in the main theorem. The first
three properties are traditionally used in social choice theory whereas the last one is commonly used
in secure multiparty computation. Generally, it can be said that we impose very weak restrictions
on the “social” attributes of the SWF and very strong restrictions on privacy.
Definition 1 (Dictatorship) A SWF $f(\vec{x})$ is dictatorial if
$$\exists i \in \{1,2,\ldots,n\} \text{ so that } \forall \vec{x} \in \Theta^n : f(\vec{x}) = x_i.$$
When using a dictatorial SWF, there is always one agent who alone enforces the “collective”
ranking. Clearly, this is undesirable and consequently non-dictatorship is arguably one of the
weakest properties that any SWF should satisfy.
Another weak property is Pareto-optimality which states that the collective ranking should be
optimal in the sense that no agent can be made better off without reducing the contentment of
another agent. In the context of SWFs, this merely means that if all agents prefer one alternative
over another, then this is also the case in the collective preference ranking. For this reason, it is
sometimes said that a Paretian SWF “respects unanimity”.
³ In contrast to common social choice theory, a version of Theorem 1 for SCFs is not "stronger" in the sense that it trivially implies the same statement for SWFs.
Definition 2 (Pareto-optimality) A SWF $f(\succ_1, \succ_2, \ldots, \succ_n) = {\succ}$ is Paretian if
$$\forall a,b \in O : (\forall i : a \succ_i b) \Rightarrow a \succ b.$$
A related, but slightly stronger, property is monotonicity. Loosely speaking, a SWF is monotonic if
no agent can make an alternative rise in the collective ranking by reducing its rank in his individual
preferences while all remaining preferences are unchanged. This is also called positive responsiveness
or positive association of social and individual values.⁴
Definition 3 (Monotonicity) Let $f(\succ_1, \succ_2, \ldots, \succ_n) = {\succ}$, $f(\succ_1, \succ_2, \ldots, \succ'_i, \ldots, \succ_n) = {\succ'}$, and $\succ_i$ and $\succ'_i$ only differ in the relative ranking of alternatives a and b so that $b \succ_i a$ and $a \succ'_i b$. SWF $f(\cdot)$ is monotonic if
$$\forall i \in \{1,2,\ldots,n\},\ a,b \in O : a \succ b \Rightarrow a \succ' b.$$
Monotonicity is a very reasonable property that all common SWFs satisfy. A non-monotonic SWF
is counter-intuitive (at least) because supporting an alternative may reduce its collective rank.
Consequently, a rational agent may have to vote for b ≻ a even though his preference is a ≻ b.⁵
As usual, full privacy in the context of information-theoretic function evaluation is defined as
follows: A distributed protocol for computing SWF $f(x_1, x_2, \ldots, x_n) = x$ is unconditionally fully
private if any coalition of agents is incapable of uncovering any information besides what can be
inferred from x and the coalition’s preferences. More formally:
Definition 4 (Privacy) For any $T \subseteq \{1,2,\ldots,n\}$ and every two input vectors $\vec{x}, \vec{y} \in \Theta^n$ satisfying $\forall i \in T : x_i = y_i$ and $f(\vec{x}) = f(\vec{y})$, and for every choice of random inputs $\{r_i\}_{i \in T}$, the messages seen by agents belonging to T in both cases are identically distributed. Let $\mathit{view}_T$ be a function that, given the vector of individual inputs and random values, yields the concatenation of all (prefix-free) messages exchanged between members of T and $\bar{T} = \{1,2,\ldots,n\} \setminus T$. A protocol for computing $f(\cdot)$ is private if
$$\langle \mathit{view}_T(\vec{x}, \{r_i\}_{i \in T}) \rangle = \langle \mathit{view}_T(\vec{y}, \{r_i\}_{i \in T}) \rangle$$
where $\langle \ldots \rangle$ denotes the probability distribution of the inner term with the probability taken over $\{r_i\}_{i \in \bar{T}}$.
All four properties defined above can be translated from SWFs to SCFs in a straightforward way.
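Section 3 below mentions that the sum of individual inputs is privately computable (Proposition 1). The following Python, an added illustration that is not part of the paper, runs the standard additive-secret-sharing sum protocol over the complete network of private channels assumed in Section 2 and records each agent's view. The protocol itself is not described on this page; the modulus Q, the function names and the sample inputs are my own constructions. It also shows the one thing Definition 4 explicitly permits a coalition to learn: an (n − 1)-coalition can derive the remaining agent's input from the output and its own inputs.

```python
import secrets

# Constructed modulus: the sum is computed mod Q, so inputs must be small enough not to wrap.
Q = 2**61 - 1


def share(value, n):
    """Split value into n additive shares mod Q.

    The first n-1 shares are uniformly random and the last one is chosen so that all
    shares sum to value; any n-1 of them are therefore independent of value.
    """
    shares = [secrets.randbelow(Q) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % Q)
    return shares


def private_sum(inputs):
    """Run the sum protocol and return (total, views).

    views[j] lists the messages agent j sees: the n-1 shares it received over private
    channels plus the n-1 partial sums announced by the other agents (its own view of
    the protocol, in the sense of Definition 4).
    """
    n = len(inputs)
    # Round 1: agent i sends share j of x_i to agent j over the private channel i -> j
    # (share i of x_i stays with agent i).
    sent = [share(x, n) for x in inputs]                 # sent[i][j]: from i to j
    # Round 2: agent j adds every share it holds and announces the partial sum.
    partial = [sum(sent[i][j] for i in range(n)) % Q for j in range(n)]
    # Everyone adds the announced partial sums; the random masks cancel and only
    # the sum of the x_i remains.
    total = sum(partial) % Q
    views = [
        [sent[i][j] for i in range(n) if i != j] + [partial[k] for k in range(n) if k != j]
        for j in range(n)
    ]
    return total, views


def infer_missing_input(total, coalition_inputs):
    """What an (n-1)-coalition legitimately learns (Definition 4 allows it): the single
    outsider's input follows from the output and the coalition's own inputs."""
    return (total - sum(coalition_inputs)) % Q


if __name__ == "__main__":
    total, views = private_sum([3, 5, 7])            # constructed sample inputs
    print("sum:", total)
    print("agent 0 sees:", views[0])
    print("agents 0,1 can infer agent 2's input:", infer_missing_input(total, [3, 5]))
```

The shares an agent receives are uniformly random on their own, so the view of any coalition that excludes at least two agents has the same distribution for every input vector with the same sum; that is exactly the condition of Definition 4, and it is the reason the sum (unlike the SWFs in Theorem 1) does not contain an embedded or.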
3 Main Theorem
It might seem unlikely that any “relevant” function can be computed at all, given this restrictive
definition of privacy. Indeed, it is well-known and often mentioned that “only very few” functions
are privately computable. However, there are some simple privately computable functions whose
relevance cannot be denied. For example, the sum of individual inputs (and thus the arithmetic
mean) can be computed privately (see Proposition 1). Moreover, it has recently been shown that (in
the absence of ties) the outcome of first-price sealed-bid auctions can be computed privately whereas
⁴ Sometimes, a different, much stronger property that is equivalent to "independence of irrelevant alternatives" (see Section 5) in the context of SCFs is also called monotonicity.
⁵ It is important to note that monotonicity is weaker than strategy-proofness if m > 2 since "irrelevant" alternatives are not considered. As a matter of fact, strategy-proofness implies monotonicity but not vice versa.
the outcome of second-price sealed-bid (Vickrey) auctions cannot [Brandt and Sandholm, 2004]. As
a matter of course, the lack of a complete characterization of privately computable functions adds
to the obscurity of this class of functions. The main goal of this paper is to investigate whether any
“reasonable” SWF can be computed privately. It turns out that existing results on unconditional
privacy are sufficient to prove the impossibility of privately computing a wide (and relevant) class of
SWFs. We will apply the following necessary conditions for the private computability of a function.
Lemma 1 (Corners Lemma) [Chor and Kushilevitz, 1989] Let $f : Y \times Z \to W$ be a privately computable 2-ary function. For every $y_1, y_2 \in Y$ and $z_1, z_2 \in Z$, if $f(y_1, z_1) = f(y_1, z_2) = f(y_2, z_1) = a$, then $f(y_2, z_2) = a$.
Lemma 2 (Partition Lemma) [Chor and Kushilevitz, 1989] Let $f : Y_1 \times Y_2 \times \cdots \times Y_n \to W$ be a privately computable n-ary function. Then, for each $i \in \{1,2,\ldots,n\}$ the 2-ary function
$$f_2(y_i, (y_1, y_2, \ldots, y_{i-1}, y_{i+1}, y_{i+2}, \ldots, y_n)) \stackrel{\text{def}}{=} f(y_1, y_2, \ldots, y_n)$$
is privately computable.⁶
By combining Lemma 1 and Lemma 2, one can obtain a necessary condition for the existence of
protocols that privately compute an n-ary function.⁷ This can be used to prove that a SWF is not
privately computable.
Lemma 3 Let $\vec{y}$ and $\vec{z}$ be vectors of n − 1 preference rankings and y and z be single preference rankings. It is impossible to privately compute SWF $f(\cdot)$ if
$$\exists \vec{y}, \vec{z} \in \Theta^{n-1},\ y, z \in \Theta : f(\vec{y}, y) = f(\vec{y}, z) = f(\vec{z}, y) = a \wedge f(\vec{z}, z) \neq a.$$
This is called an "embedded or".
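To make Definitions 1 to 3 and the embedded-or condition of Lemma 3 concrete, here is an added Python example (my own code, not the paper's) that checks the three social properties exhaustively on a constructed instance with m = 2 and n = 3 and searches every partition "agent i versus the rest" (Lemma 2) for the corner pattern of Lemma 3. The SWFs it tests (Borda count, which is majority rule for m = 2; a dictator; a constant) and all function names are my own; changing ALTS generalizes the check to any small m. Note that the search only decides a necessary condition: finding no embedded or does not by itself prove private computability except in the Boolean case mentioned in footnote 7.

```python
from itertools import permutations, product

# Constructed instance: two alternatives, three agents, small enough to check every profile.
ALTS = ("a", "b")
N_AGENTS = 3
RANKINGS = tuple(permutations(ALTS))                      # Theta, |Theta| = m!
PROFILES = tuple(product(RANKINGS, repeat=N_AGENTS))       # Theta^n


def prefers(ranking, x, y):
    """x >_i y: x appears before y in the ranking tuple."""
    return ranking.index(x) < ranking.index(y)


def borda(profile):
    """Borda count with alphabetical tie-break; for m = 2 this is plain majority rule."""
    m = len(ALTS)
    score = {x: 0 for x in ALTS}
    for r in profile:
        for pos, x in enumerate(r):
            score[x] += m - 1 - pos
    return tuple(sorted(ALTS, key=lambda x: (-score[x], x)))


def dictator(profile):
    """Agent 0 alone fixes the collective ranking."""
    return profile[0]


def constant(profile):
    """The same collective ranking regardless of the votes."""
    return RANKINGS[0]


def is_dictatorial(f):                                   # Definition 1
    return any(all(f(p) == p[i] for p in PROFILES) for i in range(N_AGENTS))


def is_paretian(f):                                      # Definition 2
    for p in PROFILES:
        col = f(p)
        for x, y in permutations(ALTS, 2):
            if all(prefers(r, x, y) for r in p) and not prefers(col, x, y):
                return False
    return True


def differ_only_in(r1, r2, a, b):
    """r1 and r2 agree on every pair of alternatives except the pair {a, b}."""
    return all(prefers(r1, x, y) == prefers(r2, x, y)
               for x, y in permutations(ALTS, 2) if {x, y} != {a, b})


def is_monotonic(f):                                     # Definition 3
    for p in PROFILES:
        col = f(p)
        for i in range(N_AGENTS):
            for a, b in permutations(ALTS, 2):
                if not (prefers(p[i], b, a) and prefers(col, a, b)):
                    continue                             # need b >_i a and a > b
                for r2 in RANKINGS:
                    if prefers(r2, a, b) and differ_only_in(p[i], r2, a, b):
                        p2 = p[:i] + (r2,) + p[i + 1:]
                        if not prefers(f(p2), a, b):     # a fell after gaining support
                            return False
    return True


def embedded_or(f):                                      # Lemma 3
    """Return (i, Y, Z, y, z) with f(Y,y) = f(Y,z) = f(Z,y) != f(Z,z) for some split
    'agent i versus the rest', or None if no such corner exists."""
    rest = tuple(product(RANKINGS, repeat=N_AGENTS - 1))
    for i in range(N_AGENTS):
        def g(others, own):                              # 2-ary view of f (Lemma 2)
            return f(others[:i] + (own,) + others[i:])
        for Y, Z in product(rest, repeat=2):
            for y, z in product(RANKINGS, repeat=2):
                out = g(Y, y)
                if g(Y, z) == out and g(Z, y) == out and g(Z, z) != out:
                    return (i, Y, Z, y, z)
    return None


def property_profile(f):
    """Which of the four properties of Theorem 1 the SWF f has on this instance."""
    return {
        "non-dictatorial": not is_dictatorial(f),
        "Paretian": is_paretian(f),
        "monotonic": is_monotonic(f),
        "no embedded or": embedded_or(f) is None,
    }


if __name__ == "__main__":
    for name, f in (("majority", borda), ("dictator", dictator), ("constant", constant)):
        print(name, property_profile(f))
    print("embedded or in majority rule:", embedded_or(borda))
```

On this instance majority rule is non-dictatorial, Paretian and monotonic but has an embedded or (two agents voting a against one voting b versus one a, one b and the third deciding), so it is not privately computable; the dictator and the constant SWF each drop exactly one of the four properties, matching part (b) of Theorem 1.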
The proof of Theorem 1 is composed as follows. We first show that any non-dictatorial, monotonic, and privately computable SWF for m = 2 is constant. We then reduce the impossibility of
SCFs and SWFs with the same properties and an arbitrary number of candidates m to the former
case by adopting Pareto-optimality.
Theorem 2 Every non-dictatorial, monotonic and privately computable SWF for two alternatives
(m = 2) is constant.
Proof: Let O = {a,b} be a set of two alternatives.
Definition 5 A subset $D \subseteq A$ is called decisive for alternative a if $\forall i \in D : x_i = a$ implies that $\forall x_i \in O$ with $i \in A \setminus D : f(x_1, x_2, \ldots, x_n) = a$.
In other words, D is decisive for a if all agents in D voting for a always leads to social choice a, no
matter what the remaining agents do.
Lemma 4 Let SWF f(·) be non-dictatorial, monotonic, and privately computable. If any set of
agents D is decisive for a, then f(·) is constant and always yields a.
⁶ This is a special case of the Partition Lemma as defined in [Chor et al., 1994] for t = n − 1.
⁷ In fact, in the Boolean case where Y = Z = W = {a, b} (which we will consider in Theorem 2) this condition is necessary and sufficient (see Theorem 6).