Computational two-party correlation: a dichotomy for key-agreement protocols. (English) Zbl 1498.94064
Summary: Let \(\pi\) be an efficient two-party protocol that, given security parameter \(\kappa\), both parties output single bits \(X_\kappa\) and \(Y_\kappa\), respectively. We are interested in how \((X_\kappa,Y_\kappa)\) “appears” to an efficient adversary that only views the transcript \(T_\kappa\). We make the following contributions: (a) We develop new tools to argue about this loose notion and show (modulo some caveats) that for every such protocol \(\pi \), there exists an efficient simulator such that the following holds: on input \(T_\kappa \), the simulator outputs a pair \((X^\prime_\kappa,Y^\prime_\kappa)\) such that \((X^\prime_\kappa,Y^\prime_\kappa,T_\kappa)\) is (somewhat) computationally indistinguishable from \((X_\kappa,Y_\kappa,T_\kappa)\). (b) We use these tools to prove the following dichotomy theorem: every such protocol \(\pi\) is either uncorrelated – it is (somewhat) indistinguishable from an efficient protocol whose parties interact to produce \(T_\kappa\), but then choose their outputs independently from some product distribution (that is determined in poly-time from \(T_\kappa)\), or the protocol implies a key-agreement protocol (for infinitely many \(\kappa\)’s). Uncorrelated protocols are uninteresting from a cryptographic viewpoint, as the correlation between outputs is (computationally) trivial. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement. (c) We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function. (d) A subsequent work [I. Haitner et al., Lect. Notes Comput. Sci. 11239, 539–562 (2018; Zbl 1443.94059)] uses the above dichotomy to makes progress on a long-standing open question regarding the complexity of fair two-party coin-flipping protocols. We also highlight the following two ideas regarding our technique: (a) The simulator algorithm is obtained by a carefully designed “competition” between efficient algorithms attempting to forecast \((X_\kappa,Y_\kappa)|_{T_\kappa=t}\). The winner is used to simulate the outputs of the protocol. (b) Our key-agreement protocol uses the simulation to reduce to an information theoretic setup and is, in some sense, a non-black-box.
MSC:
| 94A60 | Cryptography |
| 68P27 | Privacy of data |
| 68Q11 | Communication complexity, information complexity |
Citations:
Zbl 1443.94059References:
| [1] | R. Ahlswede and I. Csiszár, Common randomness in information theory and cryptography. I. Secret sharing, IEEE Trans. Inform. Theory, 39 (1993), pp. 1121-1132. · Zbl 0802.94013 |
| [2] | B. Barak and M. Mahmoody, Merkle puzzles are optimal - an \(O(n^2)\)-query attack on any key exchange from a random oracle, in Advances in Cryptology – CRYPTO 2009, Springer, Berlin, 2009, pp. 374-390. · Zbl 1252.94046 |
| [3] | A. Beimel, K. Nissim, and E. Omri, Distributed private data analysis: Simultaneously solving how and what, in Advances in Cryptology - CRYPTO 2008, 28th Annual International Cryptology Conference, Santa Barbara, CA, Springer, Berlin, 2008, pp. 451-468. · Zbl 1183.68080 |
| [4] | T. H. Chan, E. Shi, and D. Song, Optimal lower bound for differentially private multi-party aggregation, in Algorithms - ESA 2012 - 20th Annual European Symposium, Ljubljana, Slovenia, 2012, Springer, Berlin, 2012, pp. 277-288. · Zbl 1365.68064 |
| [5] | Y.-H. Chen, K.-M. Chung, and J.-J. Liao, On the complexity of simulating auxiliary input, in Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, Cham, Switzerland, 2018, pp. 371-390. · Zbl 1415.94417 |
| [6] | R. Cleve and R. Impagliazzo, Martingales, Collective Coin Flipping and Discrete Control Processes (Extended Abstract). http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.51.1797 (1993). |
| [7] | C. Crepeau and J. Kilian, Weakening security assumptions and oblivious transfer, in Advances in Cryptology – CRYPTO ’88, Springer, Berlin, 1989, pp. 2-7. |
| [8] | D. Dachman-Soled, Y. Lindell, M. Mahmoody, and T. Malkin, On the black-box complexity of optimally-fair coin tossing, in Proceedings of the 8th Theory of Cryptography Conference, TCC 2011, Lecture Notes in Comput. Sci., 6597, 2011, pp. 450-467. · Zbl 1295.94044 |
| [9] | D. Dachman-Soled, M. Mahmoody, and T. Malkin, Can optimally-fair coin tossing be based on one-way functions?, in Theory of Cryptography - 11th Theory of Cryptography Conference, TCC 2014, Y. Lindell, ed., Lecture Notes in Computer Science 8349, Springer, Heidelberg, 2014, pp. 217-239. · Zbl 1323.94108 |
| [10] | W. Diffie and M. Hellman, New directions in cryptography, IEEE Trans. Inform. Theory, 22 (1976), pp. 644-654. · Zbl 0435.94018 |
| [11] | C. Dwork, M. Naor, and O. Reingold, Immunizing encryption schemes from decryption errors, in International Conference on the Theory and Applications of Cryptographic Techniques, Springer, Heidelberg, 2004, pp. 342-360. · Zbl 1122.94369 |
| [12] | V. Goyal, D. Khurana, I. Mironov, O. Pandey, and A. Sahai, Do distributed differentially-private protocols require oblivious transfer?, in LIPIcs-Leibniz International Proceedings in Informatics, Vol. 55, Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, Wadern, Germany, 2016. · Zbl 1425.94062 |
| [13] | V. Goyal, I. Mironov, O. Pandey, and A. Sahai, Accuracy-privacy tradeoffs for two-party differentially private protocols, in Advances in Cryptology – CRYPTO 2013, Springer, Berlin, 2013, pp. 298-315. · Zbl 1310.94149 |
| [14] | I. Haitner, Implementing oblivious transfer using collection of dense trapdoor permutations, in Proceedings of the First Theory of Cryptography Conference, TCC 2004, Springer, Berlin, 2004, pp. 394-409. · Zbl 1197.94189 |
| [15] | I. Haitner, N. Makriyannis, and E. Omri, On the complexity of fair coin flipping, in Theory of Cryptography Conference, Springer, Cham, Switzerland, 2018, pp. 539-562. · Zbl 1443.94059 |
| [16] | I. Haitner, N. Mazor, R. Shaltiel, and J. Silbak, Channels of small log-ratio leakage and characterization of two-party differentially private computation, in Theory of Cryptography Conference, Springer, Cham, Switzerland, 2019, pp. 531-560. · Zbl 1455.94162 |
| [17] | I. Haitner, E. Omri, and H. Zarosim, Limits on the usefulness of random oracles, J. Cryptology, 29 (2016), pp. 283-335. · Zbl 1355.94060 |
| [18] | I. Haitner, O. Reingold, and S. Vadhan, Efficiency improvements in constructing pseudorandom generators from one-way functions, SIAM J. Comput., 42 (2013), pp. 1405-1430. · Zbl 1343.94060 |
| [19] | J. H\aastad, R. Impagliazzo, L. A. Levin, and M. Luby, A pseudorandom generator from any one-way function, SIAM J. Comput., 28 (1999), pp. 1364-1396. · Zbl 0940.68048 |
| [20] | T. Holenstein, Pseudorandom generators from one-way functions: A simple construction for any hardness, in Proceedings of the Third Theory of Cryptography Conference, TCC 2006, Springer, Berlin, 2006, pp. 443-461. · Zbl 1112.94012 |
| [21] | T. Holenstein, Strengthening Key Agreement Using Hard-Core Sets, PhD thesis, ETH Zurich, Zurich, 2006. |
| [22] | R. Impagliazzo and M. Luby, One-way functions are essential for complexity based cryptography, in Proceedings of the 30th Annual Symposium on Foundations of Computer Science (FOCS), IEEE Computer Society, Los Alamitos, CA, 1989, pp. 230-235. |
| [23] | R. Impagliazzo and S. Rudich, Limits on the provable consequences of one-way permutations, in Proceedings of the 21st Annual ACM Symposium on Theory of Computing (STOC), ACM, New York, 1989, pp. 44-61. · Zbl 0718.68042 |
| [24] | D. Jetchev and K. Pietrzak, How to fake auxiliary input, in Theory of Cryptography Conference, Springer, Heidelberg, 2014, pp. 566-590. · Zbl 1326.94102 |
| [25] | D. Khurana, H. K. Maji, and A. Sahai, Black-box separations for differentially private protocols, in Advances in Cryptology – ASIACRYPT 2014, Springer, Heidelberg, 2014, pp. 386-405. · Zbl 1315.94083 |
| [26] | U. M. Maurer, Secret key agreement by public discussion from common information, IEEE Trans. Inform. Theory, 39 (1993), pp. 733-742. · Zbl 0784.94018 |
| [27] | U. M. Maurer and S. Wolf, Unconditionally secure key agreement and the intrinsic conditional information, IEEE Trans. Inform. Theory, 45 (1999), pp. 499-514. · Zbl 0946.94023 |
| [28] | A. McGregor, I. Mironov, T. Pitassi, O. Reingold, K. Talwar, and S. P. Vadhan, The limits of two-party differential privacy, Electronic Colloquium on Computational Complexity (ECCC), TR11-106, 2011. |
| [29] | M. Skorski, Simulating auxiliary inputs, revisited, in Theory of Cryptography Conference, Springer, Berlin, 2016, pp. 159-179. · Zbl 1369.94567 |
| [30] | M. Skórski, A Subgradient Algorithm for Computational Distances and Applications to Cryptography, preprint, IACR Cryptology ePrint Archive, 2016 (2016), 158. |
| [31] | L. Trevisan, M. Tulsiani, and S. Vadhan, Regularity, boosting, and efficiently simulating every high-entropy distribution, in 24th Annual IEEE Conference on Computational Complexity, IEEE Computer Society, Los Alamitos, CA, 2009, pp. 126-136. |
| [32] | S. Vadhan and C. J. Zheng, Characterizing pseudoentropy and simplifying pseudorandom generator constructions, in Proceedings of the 44th Annual ACM Symposium on Theory of Computing (STOC), ACM, New York, 2012, pp. 817-836. · Zbl 1286.65008 |
| [33] | S. Vadhan and C. J. Zheng, A uniform min-max theorem with applications in cryptography, in Advances in Cryptology-CRYPTO 2013, Springer, Berlin, 2013, pp. 93-110. · Zbl 1310.91019 |
| [34] | J. von Neumann, Various techniques used in connection with random digits, Appl. Math. Ser., 12 (1951), pp. 36-38. |
| [35] | S. L. Warner, Randomized response: A survey technique for eliminating evasive answer bias, J. Amer. Statist. Assoc., 60 (1965), pp. 63-69. · Zbl 1298.62024 |
| [36] | J. Wullschleger, Oblivious-transfer amplification, in Advances in Cryptology – EUROCRYPT 2007, Springer, Berlin, 2007, pp. 555-572. · Zbl 1141.94380 |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
