Hence, S reveals nothing about the

Hence, S reveals nothing about the inputs and outputs of the gate.

Second, if P 2 (Q[Q0), then the inductive invariant is that the collection of all shares held by dishonest parties in Q and Q0 does not give the adversary any information about the inputs and the outputs. As the base case, it is clear that the invariant is valid for input gates. The induction step is as follows. The adversary can obtain at most 2(N=6) = N=3 shares of any shared value during the computation step; N=6 from dishonest parties in Q and N=6 from dishonest parties in Q0. By the secrecy of the VSS scheme, at least N=3+1 shares are required for reconstructing the secret. By the secrecy of RenewShares and Multiply, when at most N=3 of the shares are revealed, the secrecy of the computation step is proved using universal computability of multi-party protocols.

Query Processing. The correctness and secrecy follows from the proof of the Reconst algorithm and the standard assumption that the location-based server correctly executes the queries and sends the results back to the parties.

Lemma 3. The protocol LocationSharing sends ~O (n) bits, computes ~O(n) operations, and has O(log2 n) rounds of communication.

We rst compute the cost of each step of the protocol separately and then compute the total cost. Based on [22], the communication and computation complexity of the VSS subprotocol is O(poly(n)) when it is invoked among n parties. Also, the VSS protocol takes constant rounds of communication.
 Setup. The communication and computation costs are equal to those costs of the quorum building algorithm of Theorem 3, which is ~O (1) for each party. This protocol takes constant rounds of communication.
 Input Broadcast. The input broadcast step invokes the VSS protocol n times among N = O(log n) parties. So, this step sends O(n
poly(N)) bits and performs O(n
poly(N)) operations. Since the VSS scheme is constant-round, this step also takes constant rounds.
 Random Generation. It is easy to see that the subprotocol GenRand sends O(N
poly(N)) messages, performs O(N
poly(N)), and has constant rounds.
 Circuit Computation. The Batcher's sorting network [4] has O(n log2 n) gates. So, the communication cost of this step is equal to the communication and computation cost of running O(n log2 n) instantiations of Compare and RenewShares. Compare requires O(log q) invocation of Multiply which sends O(poly(N)) messages and computes O(poly(N)) operations. Renew- Shares also sends O(poly(N)) messages and computes O(poly(N)) operations. Hence, the circuit computation phase sends O(n log n
log q
poly(N)) messages computes O(n log n
log q
poly(N)) . Since the sorting network has depth O(log2 n), and Compare takes constant rounds, this steps takes O(log2 n) rounds of communication.
 Query Processing. The costs are equal to the communication and computation costs of running n instantiations of Reconst. Thus, this step sends ~O(n) messages and performs ~O (n) operations. Since Reconst is a constant-round protocol and the communications with the server take constant rounds, this step of the protocol also takes constant rounds.
 Total. Since q > 3 2kn2 log n, for a constant k, q = O(n3) and log q = O(log n). Thus, Protocol 1 sends ~O (n) bits and computes ~O(n) operations. Finally, the protocol requires O(log2 n) rounds of communication. This completes the proof of Theorem 1.