Channels of small log-ratio leakage and characterization of two-party differentially private computation. (English) Zbl 1455.94162
Hofheinz, Dennis (ed.) et al., Theory of cryptography. 17th international conference, TCC 2019, Nuremberg, Germany, December 1–5, 2019. Proceedings. Part I. Cham: Springer. Lect. Notes Comput. Sci. 11891, 531-560 (2019).
Summary: Consider a PPT two-party protocol \(\varPi=(\mathsf{A},\mathsf{B})\) in which the parties get no private inputs and obtain outputs \(O^{\mathsf{A}},O^{\mathsf{B}}\in\{0,1\}\), and let \(V^\mathsf{A}\) and \(V^\mathsf{B}\) denote the parties’ individual views. Protocol \(\varPi\) has \(\alpha\)-agreement if \(\mathrm{Pr}[O^{\mathsf{A}}=O^{\mathsf{B}}]=\frac{1}{2}+\alpha\). The leakage of \(\varPi\) is the amount of information a party obtains about the event \(\{O^{\mathsf{A}}=O^{\mathsf{B}}\}\); that is, the leakage \(\epsilon\) is the maximum, over \(\mathsf{P}\in\{\mathsf{A},\mathsf{B}\}\), of the distance between \(V^\mathsf{P}|_{O^{\mathsf{A}}=O^{\mathsf{B}}}\) and \(V^\mathsf{P}|_{O^{\mathsf{A}}\ne O^{\mathsf{B}}}\). Typically, this distance is measured in statistical distance, or, in the computational setting, in computational indistinguishability. For this choice, J. Wullschleger [Lect. Notes Comput. Sci. 5444, 332–349 (2009; Zbl 1213.94141)] showed that if \(\epsilon\ll\alpha\) then the protocol can be transformed into an OT protocol.
We consider measuring the protocol leakage by the log-ratio distance (which was popularized by its use in the differential privacy framework). The log-ratio distance between \(X\), \(Y\) over domain \(\varOmega\) is the minimal \(\epsilon\ge 0\) for which, for every \(v\in\varOmega\), \(\log\frac{\Pr[X=v]}{\Pr[Y=v]}\in[-\epsilon,\epsilon]\). In the computational setting, we use computational indistinguishability from having log-ratio distance \(\epsilon\). We show that a protocol with (noticeable) accuracy \(\alpha\in\varOmega(\epsilon^2)\) can be transformed into an OT protocol (note that this allows \(\epsilon\gg\alpha)\). We complete the picture, in this respect, showing that a protocol with \(\alpha\in o(\epsilon^2)\) does not necessarily imply OT. Our results hold for both the information theoretic and the computational settings, and can be viewed as a “fine grained” approach to “weak OT amplification”.
We then use the above result to fully characterize the complexity of differentially private two-party computation for the XOR function, answering the open question put by V. Goyal et al. [LIPIcs – Leibniz Int. Proc. Inform. 55, Article 29, 15 p. (2016; Zbl 1425.94062)] and I. Haitner et al. [SIAM J. Comput. 49, No. 6, 1041–1082 (2020; Zbl 1498.94064)]. Specifically, we show that for any (noticeable) \(\alpha\in\varOmega(\epsilon^2)\), a two-party protocol that computes the XOR function with \(\alpha\)-accuracy and \(\epsilon\)-differential privacy can be transformed into an OT protocol. This improves upon Goyal et al. [loc. cit.] that only handle \(\alpha\in\varOmega(\epsilon)\), and upon Haitner et al. [loc. cit.] who showed that such a protocol implies (infinitely-often) key agreement (and not OT). Our characterization is tight since OT does not follow from protocols in which \(\alpha\in o(\epsilon^2)\), and extends to functions (over many bits) that “contain” an “embedded copy” of the XOR function.
For the entire collection see [Zbl 1428.94013].
We consider measuring the protocol leakage by the log-ratio distance (which was popularized by its use in the differential privacy framework). The log-ratio distance between \(X\), \(Y\) over domain \(\varOmega\) is the minimal \(\epsilon\ge 0\) for which, for every \(v\in\varOmega\), \(\log\frac{\Pr[X=v]}{\Pr[Y=v]}\in[-\epsilon,\epsilon]\). In the computational setting, we use computational indistinguishability from having log-ratio distance \(\epsilon\). We show that a protocol with (noticeable) accuracy \(\alpha\in\varOmega(\epsilon^2)\) can be transformed into an OT protocol (note that this allows \(\epsilon\gg\alpha)\). We complete the picture, in this respect, showing that a protocol with \(\alpha\in o(\epsilon^2)\) does not necessarily imply OT. Our results hold for both the information theoretic and the computational settings, and can be viewed as a “fine grained” approach to “weak OT amplification”.
We then use the above result to fully characterize the complexity of differentially private two-party computation for the XOR function, answering the open question put by V. Goyal et al. [LIPIcs – Leibniz Int. Proc. Inform. 55, Article 29, 15 p. (2016; Zbl 1425.94062)] and I. Haitner et al. [SIAM J. Comput. 49, No. 6, 1041–1082 (2020; Zbl 1498.94064)]. Specifically, we show that for any (noticeable) \(\alpha\in\varOmega(\epsilon^2)\), a two-party protocol that computes the XOR function with \(\alpha\)-accuracy and \(\epsilon\)-differential privacy can be transformed into an OT protocol. This improves upon Goyal et al. [loc. cit.] that only handle \(\alpha\in\varOmega(\epsilon)\), and upon Haitner et al. [loc. cit.] who showed that such a protocol implies (infinitely-often) key agreement (and not OT). Our characterization is tight since OT does not follow from protocols in which \(\alpha\in o(\epsilon^2)\), and extends to functions (over many bits) that “contain” an “embedded copy” of the XOR function.
For the entire collection see [Zbl 1428.94013].
MSC:
| 94A60 | Cryptography |
| 94A40 | Channel models (including quantum) in information and communication theory |
| 68P25 | Data encryption (aspects in computer science) |
| 68M12 | Network protocols |
References:
| [1] | Aiello, B.; Ishai, Y.; Reingold, O.; Pfitzmann, B., Priced oblivious transfer: how to sell digital goods, Advances in Cryptology — EUROCRYPT 2001, 119-135 (2001), Heidelberg: Springer, Heidelberg · Zbl 0981.94042 · doi:10.1007/3-540-44987-6_8 |
| [2] | Beimel, A.; Malkin, T.; Micali, S.; Wiener, M., The all-or-nothing nature of two-party secure computation, Advances in Cryptology — CRYPTO 99, 80-97 (1999), Heidelberg: Springer, Heidelberg · Zbl 0940.94008 · doi:10.1007/3-540-48405-1_6 |
| [3] | Beimel, A.; Nissim, K.; Omri, E.; Wagner, D., Distributed private data analysis: simultaneously solving how and what, Advances in Cryptology - CRYPTO 2008, 451-468 (2008), Heidelberg: Springer, Heidelberg · Zbl 1183.68080 · doi:10.1007/978-3-540-85174-5_25 |
| [4] | Bellare, M.; Micali, S.; Brassard, G., Non-interactive oblivious transfer and applications, Advances in Cryptology — CRYPTO 89 Proceedings, 547-557 (1990), New York: Springer, New York · Zbl 0722.68041 · doi:10.1007/0-387-34805-0_48 |
| [5] | Bennett, CH; Brassard, G.; Crépeau, C.; Maurer, UM, Generalized privacy amplification, IEEE Trans. Inf. Theory, 41, 6, 1915-1923 (1995) · Zbl 0856.94018 · doi:10.1109/18.476316 |
| [6] | Chan, T-HH; Shi, E.; Song, D.; Epstein, L.; Ferragina, P., Optimal lower bound for differentially private multi-party aggregation, Algorithms - ESA 2012, 277-288 (2012), Heidelberg: Springer, Heidelberg · Zbl 1365.68064 · doi:10.1007/978-3-642-33090-2_25 |
| [7] | Crépeau, C.; Fumy, W., Efficient cryptographic protocols based on noisy channels, Advances in Cryptology — EUROCRYPT 97, 306-317 (1997), Heidelberg: Springer, Heidelberg · doi:10.1007/3-540-69053-0_21 |
| [8] | Crépeau, C., Kilian, J.: Achieving oblivious transfer using weakened security assumptions. In: 29th Annual Symposium on Foundations of Computer Science, pp. 42-52. IEEE (1988) |
| [9] | Dwork, C., Rothblum, G.N.: Concentrated differential privacy. arXiv preprint arXiv:1603.01887 (2016) |
| [10] | Dwork, C.; McSherry, F.; Nissim, K.; Smith, A.; Halevi, S.; Rabin, T., Calibrating noise to sensitivity in private data analysis, Theory of Cryptography, 265-284 (2006), Heidelberg: Springer, Heidelberg · Zbl 1112.94027 · doi:10.1007/11681878_14 |
| [11] | Dwork, C., Rothblum, G.N., Vadhan, S.: Boosting and differential privacy. In: Proceedings of the 51st Annual Symposium on Foundations of Computer Science (FOCS), pp. 51-60 (2010) |
| [12] | Even, S.; Goldreich, O.; Lempel, A., A randomized protocol for signing contracts, Commun. ACM, 28, 6, 637-647 (1985) · doi:10.1145/3812.3818 |
| [13] | Goldreich, O.: Foundations of Cryptography - Volume 2: Basic Applications. Cambridge University Press (2004) · Zbl 1068.94011 |
| [14] | Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC 19, pp. 218-229 (1987) |
| [15] | Goldreich, O.; Krawczyk, H.; Luby, M., On the existence of pseudorandom generators, SIAM J. Comput., 22, 6, 1163-1175 (1993) · Zbl 0795.94011 · doi:10.1137/0222069 |
| [16] | Goyal, V.; Mironov, I.; Pandey, O.; Sahai, A.; Canetti, R.; Garay, JA, Accuracy-privacy tradeoffs for two-party differentially private protocols, Advances in Cryptology - CRYPTO 2013, 298-315 (2013), Heidelberg: Springer, Heidelberg · Zbl 1310.94149 · doi:10.1007/978-3-642-40041-4_17 |
| [17] | Goyal, V., Khurana, D., Mironov, I., Pandey, O., Sahai, A.: Do distributed differentially-private protocols require oblivious transfer? In: LIPIcs-Leibniz International Proceedings in Informatics, vol. 55. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2016) · Zbl 1425.94062 |
| [18] | Haitner, I.; Naor, M., Implementing oblivious transfer using collection of dense trapdoor permutations, Theory of Cryptography, 394-409 (2004), Heidelberg: Springer, Heidelberg · Zbl 1197.94189 · doi:10.1007/978-3-540-24638-1_22 |
| [19] | Haitner, I., A parallel repetition theorem for any interactive argument, SIAM J. Comput., 42, 6, 2487-2501 (2013) · Zbl 1285.68010 · doi:10.1137/100810630 |
| [20] | Haitner, I.; Harnik, D.; Reingold, O., On the power of the randomized iterate, SIAM J. Comput., 40, 6, 1486-1528 (2011) · Zbl 1236.94055 · doi:10.1137/080721820 |
| [21] | Haitner, I.; Omri, E.; Zarosim, H., Limits on the usefulness of random oracles, J. Cryptol., 29, 2, 283-335 (2016) · Zbl 1355.94060 · doi:10.1007/s00145-014-9194-9 |
| [22] | Haitner, I., Nissim, K., Omri, E., Shaltiel, R., Silbak, J.: Computational two-party correlation. In: Proceedings of the 59th Annual Symposium on Foundations of Computer Science (FOCS) (2018) · Zbl 1498.94064 |
| [23] | Haitner, I., Mazor, N., Shaltiel, R., Silbak, J.: Channels of small log-ratio leakage and characterization of two-party differentially private computation (2019/616) (2019) · Zbl 1455.94162 |
| [24] | Harnik, D.; Naor, M.; Reingold, O.; Rosen, A., Completeness in two-party secure computation: a computational view, J. Cryptol., 19, 4, 521-552 (2006) · Zbl 1109.68046 · doi:10.1007/s00145-006-0346-4 |
| [25] | Håstad, J.; Pass, R.; Wikström, D.; Pietrzak, K.; Micciancio, D., An efficient parallel repetition theorem, Theory of Cryptography, 1-18 (2010), Heidelberg: Springer, Heidelberg · Zbl 1274.94075 · doi:10.1007/978-3-642-11799-2_1 |
| [26] | Holenstein, T.; Halevi, S.; Rabin, T., Pseudorandom generators from one-way functions: a simple construction for any hardness, Theory of Cryptography, 443-461 (2006), Heidelberg: Springer, Heidelberg · Zbl 1112.94012 · doi:10.1007/11681878_23 |
| [27] | Kairouz, P., Oh, S., Viswanath, P.: Differentially private multi-party computation: optimality of non-interactive randomized response. arXiv preprint arXiv:1407.1546 (2014) |
| [28] | Kalai, YT; Cramer, R., Smooth projective hashing and two-message oblivious transfer, Advances in Cryptology - EUROCRYPT 2005, 78-95 (2005), Heidelberg: Springer, Heidelberg · Zbl 1137.94348 · doi:10.1007/11426639_5 |
| [29] | Khurana, D.; Maji, HK; Sahai, A.; Sarkar, P.; Iwata, T., Black-box separations for differentially private protocols, Advances in Cryptology - ASIACRYPT 2014, 386-405 (2014), Heidelberg: Springer, Heidelberg · Zbl 1315.94083 · doi:10.1007/978-3-662-45608-8_21 |
| [30] | Maurer, UM, Secret key agreement by public discussion from common information, IEEE Trans. Inf. Theory, 39, 3, 733-742 (1993) · Zbl 0784.94018 · doi:10.1109/18.256484 |
| [31] | McGregor, A., Mironov, I., Pitassi, T., Reingold, O., Talwar, K., Vadhan, S.P.: The limits of two-party differential privacy. In: Electronic Colloquium on Computational Complexity (ECCC), p. 106 (2011). Preliminary version in FOCS 10 |
| [32] | Mironov, I.; Pandey, O.; Reingold, O.; Vadhan, S.; Halevi, S., Computational differential privacy, Advances in Cryptology - CRYPTO 2009, 126-142 (2009), Heidelberg: Springer, Heidelberg · Zbl 1252.94089 · doi:10.1007/978-3-642-03356-8_8 |
| [33] | Naor, M., Pinkas, B.: Efficient oblivious transfer protocols. In: Proceedings of the Twelfth Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 448-457. Society for Industrial and Applied Mathematics (2001) · Zbl 0991.94045 |
| [34] | Nascimento, AC; Winter, A., On the oblivious-transfer capacity of noisy resources, IEEE Trans. Inf. Theory, 54, 6, 2572-2581 (2008) · Zbl 1328.94037 · doi:10.1109/TIT.2008.921856 |
| [35] | Peikert, C.; Vaikuntanathan, V.; Waters, B.; Wagner, D., A framework for efficient and composable oblivious transfer, Advances in Cryptology - CRYPTO 2008, 554-571 (2008), Heidelberg: Springer, Heidelberg · Zbl 1183.94046 · doi:10.1007/978-3-540-85174-5_31 |
| [36] | Prabhakaran, VM; Prabhakaran, MM, Assisted common information with an application to secure two-party sampling, IEEE Trans. Inf. Theory, 60, 6, 3413-3434 (2014) · Zbl 1360.94328 · doi:10.1109/TIT.2014.2316011 |
| [37] | Rabin, M.O.: How to exchange secrets by oblivious transfer. TR-81, Harvard (1981) |
| [38] | Warner, SL, Randomized response: a survey technique for eliminating evasive answer bias, J. Am. Stat. Assoc., 60, 309, 63-69 (1965) · Zbl 1298.62024 · doi:10.1080/01621459.1965.10480775 |
| [39] | Wolf, S., Wultschleger, J.: Zero-error information and applications in cryptography. In: IEEE Information Theory Workshop, pp. 1-6. IEEE (2004) |
| [40] | Wullschleger, J.: Oblivious-Transfer Amplification. Ph.D. thesis, ETH Zurich (2008) · Zbl 1141.94380 |
| [41] | Wullschleger, J.; Reingold, O., Oblivious transfer from weak noisy channels, Theory of Cryptography, 332-349 (2009), Heidelberg: Springer, Heidelberg · Zbl 1213.94141 · doi:10.1007/978-3-642-00457-5_20 |
| [42] | Yao, A.C.: Protocols for secure computations. In: Proceedings of the 23th Annual Symposium on Foundations of Computer Science (FOCS), pp. 160-164 (1982) |
| [43] | Yao, A.C.: How to generate and exchange secrets. In: Proceedings of the 27th Annual Symposium on Foundations of Computer Science (FOCS), pp. 162-167. IEEE Computer Society (1986) |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
