ECCC-Report TR12-065https://eccc.weizmann.ac.il/report/2012/065Comments and Revisions published for TR12-065en-usTue, 04 Dec 2012 21:07:53 +0200
Revision 2
| Limits of Random Oracles in Secure Computation |
Mohammad Mahmoody,
Hemanta Maji,
Manoj Prabhakaran
https://eccc.weizmann.ac.il/report/2012/065#revision2The seminal result of Impagliazzo and Rudich (STOC 1989) gave a black-box separation between one-way functions and public-key encryption: informally, a public-key encryption scheme cannot be constructed using one-way functions as the sole source of computational hardness. In addition, this implied a black-box separation between one-way functions and protocols for certain Secure Function Evaluation (SFE) functionalities (in particular, Oblivious Transfer). Surprisingly, however, {\em since then there has been no further progress in separating one-way functions and SFE functionalities} (though several other black-box separation results were shown). In this work, we present the complete picture for deterministic 2-party SFE functionalities. We show that one-way functions are black-box separated from {\em all such SFE functionalities}, except the ones which have unconditionally secure protocols (and hence do not rely on any computational hardness), when secure computation against semi-honest adversaries is considered. In the case of security against active adversaries, a black-box one-way function is indeed useful for SFE, but we show that it is useful only as much as access to an ideal commitment functionality is useful.
Technically, our main result establishes the limitations of random oracles for secure computation. We show that a two-party deterministic functionality $f$ has a secure function evaluation protocol in the random oracle model that is (statistically) secure against semi-honest adversaries if and only if $f$ has a protocol {\em in the plain model} that is (perfectly) secure against semi-honest adversaries. Further, in the setting of active adversaries, a deterministic SFE functionality $f$ has a (UC or standalone) statistically secure protocol in the random oracle model if and only if $f$ has a (UC or standalone) statistically secure protocol in the commitment-hybrid model.
Our proof is based on a ``frontier analysis'' of two-party protocols, combining it with (extensions of) the ``independence learners'' of Impagliazzo-Rudich/Barak-Mahmoody. We make essential use of a combinatorial property, originally discovered by Kushilevitz (FOCS'89), of functions that have semi-honest secure protocols in the plain model (and hence our analysis applies only to functions of polynomial-sized domains, for which such a combinatorial characterization is known).Tue, 04 Dec 2012 21:07:53 +0200https://eccc.weizmann.ac.il/report/2012/065#revision2
Revision 1
| Limits of Random Oracles in Secure Computation |
Mohammad Mahmoody,
Hemanta Maji,
Manoj Prabhakaran
https://eccc.weizmann.ac.il/report/2012/065#revision1The seminal result of Impagliazzo and Rudich (STOC 1989) gave a black-box separation between one-way functions and public-key encryption: informally, a public-key encryption scheme cannot be constructed using one-way functions as the sole source of computational hardness. In addition, this implied a black-box separation between one-way functions and protocols for certain Secure Function Evaluation (SFE) functionalities (in particular, Oblivious Transfer). Surprisingly, however, {\em since then there has been no further progress in separating one-way functions and SFE functionalities} (though several other black-box separation results were shown). In this work, we present the complete picture for deterministic 2-party SFE functionalities. We show that one-way functions are black-box separated from {\em all such SFE functionalities}, except the ones which have unconditionally secure protocols (and hence do not rely on any computational hardness), when secure computation against semi-honest adversaries is considered. In the case of security against active adversaries, a black-box one-way function is indeed useful for SFE, but we show that it is useful only as much as access to an ideal commitment functionality is useful.
Technically, our main result establishes the limitations of random oracles for secure computation. We show that a two-party deterministic functionality $f$ has a secure function evaluation protocol in the random oracle model that is (statistically) secure against semi-honest adversaries if and only if $f$ has a protocol {\em in the plain model} that is (perfectly) secure against semi-honest adversaries. Further, in the setting of active adversaries, a deterministic SFE functionality $f$ has a (UC or standalone) statistically secure protocol in the random oracle model if and only if $f$ has a (UC or standalone) statistically secure protocol in the commitment-hybrid model.
Our proof is based on a ``frontier analysis'' of two-party protocols, combining it with (extensions of) the ``independence learners'' of Impagliazzo-Rudich/Barak-Mahmoody. We make essential use of a combinatorial property, originally discovered by Kushilevitz (FOCS'89), of functions that have semi-honest secure protocols in the plain model (and hence our analysis applies only to functions of polynomial-sized domains, for which such a combinatorial characterization is known).Tue, 04 Dec 2012 20:30:11 +0200https://eccc.weizmann.ac.il/report/2012/065#revision1
Paper TR12-065
| Limits of Random Oracles in Secure Computation |
Mohammad Mahmoody,
Hemanta Maji,
Manoj Prabhakaran
https://eccc.weizmann.ac.il/report/2012/065The seminal result of Impagliazzo and Rudich (STOC 1989) gave a black-box separation between one-way functions and public-key encryption: informally, a public-key encryption scheme cannot be constructed using one-way functions as the sole source of computational hardness. In addition, this implied a black-box separation between one-way functions and protocols for certain Secure Function Evaluation (SFE) functionalities (in particular, Oblivious Transfer). Surprisingly, however, {\em since then there has been no further progress in separating one-way functions and SFE functionalities} (though several other black-box separation results were shown). In this work, we present the complete picture for deterministic 2-party SFE functionalities. We show that one-way functions are black-box separated from {\em all such SFE functionalities}, except the ones which have unconditionally secure protocols (and hence do not rely on any computational hardness), when secure computation against semi-honest adversaries is considered. In the case of security against active adversaries, a black-box one-way function is indeed useful for SFE, but we show that it is useful only as much as access to an ideal commitment functionality is useful.
Technically, our main result establishes the limitations of random oracles for secure computation. We show that a two-party deterministic functionality $f$ has a secure function evaluation protocol in the random oracle model that is (statistically) secure against semi-honest adversaries if and only if $f$ has a protocol {\em in the plain model} that is (perfectly) secure against semi-honest adversaries. Further, in the setting of active adversaries, a deterministic SFE functionality $f$ has a (UC or standalone) statistically secure protocol in the random oracle model if and only if $f$ has a (UC or standalone) statistically secure protocol in the commitment-hybrid model.
Our proof is based on a ``frontier analysis'' of two-party protocols, combining it with (extensions of) the ``independence learners'' of Impagliazzo-Rudich/Barak-Mahmoody. We make essential use of a combinatorial property, originally discovered by Kushilevitz (FOCS'89), of functions that have semi-honest secure protocols in the plain model (and hence our analysis applies only to functions of polynomial-sized domains, for which such a combinatorial characterization is known).Fri, 25 May 2012 11:24:21 +0300https://eccc.weizmann.ac.il/report/2012/065