Computational Two-Party Correlation: : A Dichotomy for Key-Agreement Protocols
Authors: 
Iftach Haitner, Kobbi Nissim, Eran Omri, Ronen Shaltiel, and Jad SilbakAuthors Info & Claims
Iftach Haitner, Kobbi Nissim, Eran Omri, Ronen Shaltiel, and Jad SilbakAuthors Info & ClaimsAbstract
Let $\pi$ be an efficient two-party protocol that, given security parameter $\kappa$, both parties output single bits $X_\kappa$ and $Y_\kappa$, respectively. We are interested in how $(X_\kappa,Y_\kappa)$ “appears” to an efficient adversary that only views the transcript $T_\kappa$. We make the following contributions: (a) We develop new tools to argue about this loose notion and show (modulo some caveats) that for every such protocol $\pi$, there exists an efficient simulator such that the following holds: on input $T_\kappa$, the simulator outputs a pair $(X'_\kappa,Y'_\kappa)$ such that $(X'_\kappa,Y'_\kappa,T_\kappa)$ is (somewhat) computationally indistinguishable from $(X_\kappa,Y_\kappa,T_\kappa)$. (b) We use these tools to prove the following dichotomy theorem: every such protocol $\pi$ is either uncorrelated---it is (somewhat) indistinguishable from an efficient protocol whose parties interact to produce $T_\kappa$, but then choose their outputs independently from some product distribution (that is determined in poly-time from $T_\kappa$), or the protocol implies a key-agreement protocol (for infinitely many $\kappa$'s). Uncorrelated protocols are uninteresting from a cryptographic viewpoint, as the correlation between outputs is (computationally) trivial. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement. (c) We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function. (d) A subsequent work [I. Haitner, N. Makriyannis, and E. Omri, in Theory of Cryptography Conference, Springer, Cham, Switzerland, 2018, pp. 539--562] uses the above dichotomy to makes progress on a long-standing open question regarding the complexity of fair two-party coin-flipping protocols. We also highlight the following two ideas regarding our technique: (a) The simulator algorithm is obtained by a carefully designed “competition” between efficient algorithms attempting to forecast $(X_\kappa,Y_\kappa)|_{T_\kappa=t}$. The winner is used to simulate the outputs of the protocol. (b) Our key-agreement protocol uses the simulation to reduce to an information theoretic setup and is, in some sense, a non-black-box.
References
[1]
R. Ahlswede and I. Csiszár, Common randomness in information theory and cryptography. I. Secret sharing, IEEE Trans. Inform. Theory, 39 (1993), pp. 1121--1132.
[2]
B. Barak and M. Mahmoody, Merkle puzzles are optimal - an O(n$^{2}$)-query attack on any key exchange from a random oracle, in Advances in Cryptology -- CRYPTO 2009, Springer, Berlin, 2009, pp. 374--390.
[3]
A. Beimel, K. Nissim, and E. Omri, Distributed private data analysis: Simultaneously solving how and what, in Advances in Cryptology - CRYPTO 2008, 28th Annual International Cryptology Conference, Santa Barbara, CA, Springer, Berlin, 2008, pp. 451--468.
[4]
T. H. Chan, E. Shi, and D. Song, Optimal lower bound for differentially private multi-party aggregation, in Algorithms - ESA 2012 - 20th Annual European Symposium, Ljubljana, Slovenia, 2012, Springer, Berlin, 2012, pp. 277--288.
[5]
Y.-H. Chen, K.-M. Chung, and J.-J. Liao, On the complexity of simulating auxiliary input, in Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, Cham, Switzerland, 2018, pp. 371--390.
[6]
R. Cleve and R. Impagliazzo, Martingales, Collective Coin Flipping and Discrete Control Processes (Extended Abstract). http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.51.1797 (1993).
[7]
C. Crepeau and J. Kilian, Weakening security assumptions and oblivious transfer, in Advances in Cryptology -- CRYPTO '88, Springer, Berlin, 1989, pp. 2--7.
[8]
D. Dachman-Soled, Y. Lindell, M. Mahmoody, and T. Malkin, On the black-box complexity of optimally-fair coin tossing, in Proceedings of the 8th Theory of Cryptography Conference, TCC 2011, Lecture Notes in Comput. Sci., 6597, 2011, pp. 450--467.
[9]
D. Dachman-Soled, M. Mahmoody, and T. Malkin, Can optimally-fair coin tossing be based on one-way functions?, in Theory of Cryptography - 11th Theory of Cryptography Conference, TCC 2014, Y. Lindell, ed., Lecture Notes in Computer Science 8349, Springer, Heidelberg, 2014, pp. 217--239.
[10]
W. Diffie and M. Hellman, New directions in cryptography, IEEE Trans. Inform. Theory, 22 (1976), pp. 644--654.
[11]
C. Dwork, M. Naor, and O. Reingold, Immunizing encryption schemes from decryption errors, in International Conference on the Theory and Applications of Cryptographic Techniques, Springer, Heidelberg, 2004, pp. 342--360.
[12]
V. Goyal, D. Khurana, I. Mironov, O. Pandey, and A. Sahai, Do distributed differentially-private protocols require oblivious transfer?, in LIPIcs-Leibniz International Proceedings in Informatics, Vol. 55, Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, Wadern, Germany, 2016.
[13]
V. Goyal, I. Mironov, O. Pandey, and A. Sahai, Accuracy-privacy tradeoffs for two-party differentially private protocols, in Advances in Cryptology -- CRYPTO 2013, Springer, Berlin, 2013, pp. 298--315.
[14]
I. Haitner, Implementing oblivious transfer using collection of dense trapdoor permutations, in Proceedings of the First Theory of Cryptography Conference, TCC 2004, Springer, Berlin, 2004, pp. 394--409.
[15]
I. Haitner, N. Makriyannis, and E. Omri, On the complexity of fair coin flipping, in Theory of Cryptography Conference, Springer, Cham, Switzerland, 2018, pp. 539--562.
[16]
I. Haitner, N. Mazor, R. Shaltiel, and J. Silbak, Channels of small log-ratio leakage and characterization of two-party differentially private computation, in Theory of Cryptography Conference, Springer, Cham, Switzerland, 2019, pp. 531--560.
[17]
I. Haitner, E. Omri, and H. Zarosim, Limits on the usefulness of random oracles, J. Cryptology, 29 (2016), pp. 283--335.
[18]
I. Haitner, O. Reingold, and S. Vadhan, Efficiency improvements in constructing pseudorandom generators from one-way functions, SIAM J. Comput., 42 (2013), pp. 1405--1430.
[19]
J. H\aastad, R. Impagliazzo, L. A. Levin, and M. Luby, A pseudorandom generator from any one-way function, SIAM J. Comput., 28 (1999), pp. 1364--1396.
[20]
T. Holenstein, Pseudorandom generators from one-way functions: A simple construction for any hardness, in Proceedings of the Third Theory of Cryptography Conference, TCC 2006, Springer, Berlin, 2006, pp. 443--461.
[21]
T. Holenstein, Strengthening Key Agreement Using Hard-Core Sets, PhD thesis, ETH Zurich, Zurich, 2006.
[22]
R. Impagliazzo and M. Luby, One-way functions are essential for complexity based cryptography, in Proceedings of the 30th Annual Symposium on Foundations of Computer Science (FOCS), IEEE Computer Society, Los Alamitos, CA, 1989, pp. 230--235.
[23]
R. Impagliazzo and S. Rudich, Limits on the provable consequences of one-way permutations, in Proceedings of the 21st Annual ACM Symposium on Theory of Computing (STOC), ACM, New York, 1989, pp. 44--61.
[24]
D. Jetchev and K. Pietrzak, How to fake auxiliary input, in Theory of Cryptography Conference, Springer, Heidelberg, 2014, pp. 566--590.
[25]
D. Khurana, H. K. Maji, and A. Sahai, Black-box separations for differentially private protocols, in Advances in Cryptology -- ASIACRYPT 2014, Springer, Heidelberg, 2014, pp. 386--405.
[26]
U. M. Maurer, Secret key agreement by public discussion from common information, IEEE Trans. Inform. Theory, 39 (1993), pp. 733--742.
[27]
U. M. Maurer and S. Wolf, Unconditionally secure key agreement and the intrinsic conditional information, IEEE Trans. Inform. Theory, 45 (1999), pp. 499--514.
[28]
A. McGregor, I. Mironov, T. Pitassi, O. Reingold, K. Talwar, and S. P. Vadhan, The limits of two-party differential privacy, Electronic Colloquium on Computational Complexity (ECCC), TR11-106, 2011.
[29]
M. Skorski, Simulating auxiliary inputs, revisited, in Theory of Cryptography Conference, Springer, Berlin, 2016, pp. 159--179.
[30]
M. Skórski, A Subgradient Algorithm for Computational Distances and Applications to Cryptography, preprint, IACR Cryptology ePrint Archive, 2016 (2016), 158.
[31]
L. Trevisan, M. Tulsiani, and S. Vadhan, Regularity, boosting, and efficiently simulating every high-entropy distribution, in 24th Annual IEEE Conference on Computational Complexity, IEEE Computer Society, Los Alamitos, CA, 2009, pp. 126--136.
[32]
S. Vadhan and C. J. Zheng, Characterizing pseudoentropy and simplifying pseudorandom generator constructions, in Proceedings of the 44th Annual ACM Symposium on Theory of Computing (STOC), ACM, New York, 2012, pp. 817--836.
[33]
S. Vadhan and C. J. Zheng, A uniform min-max theorem with applications in cryptography, in Advances in Cryptology--CRYPTO 2013, Springer, Berlin, 2013, pp. 93--110.
[34]
J. von Neumann, Various techniques used in connection with random digits, Appl. Math. Ser., 12 (1951), pp. 36--38.
[35]
S. L. Warner, Randomized response: A survey technique for eliminating evasive answer bias, J. Amer. Statist. Assoc., 60 (1965), pp. 63--69.
[36]
J. Wullschleger, Oblivious-transfer amplification, in Advances in Cryptology -- EUROCRYPT 2007, Springer, Berlin, 2007, pp. 555--572.
Recommendations
An Almost-Optimally Fair Three-Party Coin-Flipping Protocol
In a multiparty fair coin-flipping protocol, the parties output a common (close to) unbiased bit, even when some corrupted parties try to bias the output. Cleve [in Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC), ACM, New York, ...
Complete fairness in secure two-party computation
STOC '08: Proceedings of the fortieth annual ACM symposium on Theory of computingIn the setting of secure two-party computation, two mutually distrusting parties wish to compute some function of their inputs while preserving, to the extent possible, various security properties such as privacy, correctness, and more. One desirable ...
Comments
Information & Contributors
Information
Published In
© 2020, Society for Industrial and Applied Mathematics.
Publisher
Society for Industrial and Applied Mathematics
United States
Publication History
Published: 01 January 2020
Author Tags
Author Tag
Qualifiers
- Research-article
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 0Total Downloads
- Downloads (Last 12 months)0
- Downloads (Last 6 weeks)0
Other Metrics
Citations
View Options
View options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in