ECCC-Report TR18-071https://eccc.weizmann.ac.il/report/2018/071Comments and Revisions published for TR18-071en-usThu, 16 Apr 2020 13:46:24 +0300
Revision 1
| Computational Two-Party Correlation: A Dichotomy for Key-Agreement Protocol |
Ronen Shaltiel,
Iftach Haitner,
Eran Omri,
Kobbi Nissim,
Jad Silbak
https://eccc.weizmann.ac.il/report/2018/071#revision1Let $\pi$ be an efficient two-party protocol that given security parameter $\kappa$, both parties output single bits $X_\kappa$ and $Y_\kappa$, respectively. We are interested in how $(X_\kappa,Y_\kappa)$ ``appears'' to an efficient adversary that only views the transcript $T_\kappa$. We make the following contributions:
\begin{itemize}
\item We develop new tools to argue about this loose notion, and show (modulo some caveats) that for every such protocol $\pi$, there exists an efficient \textit{simulator} such that the following holds: on input $T_\kappa$, the simulator outputs a pair $(X'_\kappa,Y'_\kappa)$ such that $(X'_\kappa,Y'_\kappa,T_\kappa)$ is (somewhat) \emph{computationally indistinguishable} from $(X_\kappa,Y_\kappa,T_\kappa)$.
\item We use these tools to prove the following \emph{dichotomy theorem}: every such protocol $\pi$ is:
\begin{itemize}
\item either \textit{uncorrelated} --- it is (somewhat) indistinguishable from an efficient protocol whose parties interact to produce $T_\kappa$, but then choose their outputs \emph{independently} from some product distribution (that is determined in poly-time from $T_\kappa$),
\item or, the protocol implies a key-agreement protocol (for infinitely many $\kappa$).
\end{itemize}
Uncorrelated protocols are completely uninteresting from a cryptographic viewpoint, as the correlation between outputs is uninteresting. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement.
\item We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function.
\item A subsequent work of \citeauthor{HaitnerMO18} uses the above dichotomy to makes progress on a long-standing open question regarding the complexity of fair two-party coin-flipping protocols.
\end{itemize}
\noindent
We highlight the following two ideas regarding our technique:
\begin{itemize}
\item The simulator algorithm is obtained by a carefully designed ``competition'' between efficient algorithms attempting to forecast $((X_\kappa,Y_\kappa)|T_\kappa=t)$. The winner is used to simulate the outputs of the protocol. To the best of our knowledge, this idea has not been used before (at least in this context).
\item Our key-agreement protocol uses the simulation to reduce to an information theoretic setup, and is in some sense non-black box.
\end{itemize}Thu, 16 Apr 2020 13:46:24 +0300https://eccc.weizmann.ac.il/report/2018/071#revision1
Paper TR18-071
| Computational Two-Party Correlation |
Ronen Shaltiel,
Iftach Haitner,
Eran Omri,
Kobbi Nissim,
Jad Silbak
https://eccc.weizmann.ac.il/report/2018/071Let $\pi$ be an efficient two-party protocol that given security parameter $\kappa$, both parties output single bits $X_\kappa$ and $Y_\kappa$, respectively. We are interested in how $(X_\kappa,Y_\kappa)$ ``appears'' to an efficient adversary that only views the transcript $T_\kappa$. We make the following contributions:
\begin{itemize}
\item We develop new tools to argue about this loose notion, and show (modulo some caveats) that for every such protocol $\pi$, there exists an efficient \textit{simulator} such that the following holds: on input $T_\kappa$, the simulator outputs a pair $(X'_\kappa,Y'_\kappa)$ such that $(X'_\kappa,Y'_\kappa,T_\kappa)$ is (somewhat) \emph{computationally indistinguishable} from $(X_\kappa,Y_\kappa,T_\kappa)$.
\item We use these tools to prove the following \emph{dichotomy theorem}: every such protocol $\pi$ is:
\begin{itemize}
\item either \textit{uncorrelated} --- it is (somewhat) indistinguishable from an efficient protocol whose parties interact to produce $T_\kappa$, but then choose their outputs \emph{independently} from some product distribution (that is determined in poly-time from $T_\kappa$),
\item or, the protocol implies a key-agreement protocol (for infinitely many $\kappa$).
\end{itemize}
Uncorrelated protocols are completely uninteresting from a cryptographic viewpoint, as the correlation between outputs is uninteresting. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement.
\item We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function.
\item A subsequent work of \citeauthor{HaitnerMO18} uses the above dichotomy to makes progress on a long-standing open question regarding the complexity of fair two-party coin-flipping protocols.
\end{itemize}
\noindent
We highlight the following two ideas regarding our technique:
\begin{itemize}
\item The simulator algorithm is obtained by a carefully designed ``competition'' between efficient algorithms attempting to forecast $((X_\kappa,Y_\kappa)|T_\kappa=t)$. The winner is used to simulate the outputs of the protocol. To the best of our knowledge, this idea has not been used before (at least in this context).
\item Our key-agreement protocol uses the simulation to reduce to an information theoretic setup, and is in some sense non-black box.
\end{itemize}Sun, 15 Apr 2018 12:26:33 +0300https://eccc.weizmann.ac.il/report/2018/071