Revision #1 Authors: Iftach Haitner, Kobbi Nissim, Eran Omri, Ronen Shaltiel, Jad Silbak

Accepted on: 16th April 2020 13:46

Downloads: 169

Keywords:

Let $\pi$ be an efficient two-party protocol that given security parameter $\kappa$, both parties output single bits $X_\kappa$ and $Y_\kappa$, respectively. We are interested in how $(X_\kappa,Y_\kappa)$ ``appears'' to an efficient adversary that only views the transcript $T_\kappa$. We make the following contributions:

\begin{itemize}

\item We develop new tools to argue about this loose notion, and show (modulo some caveats) that for every such protocol $\pi$, there exists an efficient \textit{simulator} such that the following holds: on input $T_\kappa$, the simulator outputs a pair $(X'_\kappa,Y'_\kappa)$ such that $(X'_\kappa,Y'_\kappa,T_\kappa)$ is (somewhat) \emph{computationally indistinguishable} from $(X_\kappa,Y_\kappa,T_\kappa)$.

\item We use these tools to prove the following \emph{dichotomy theorem}: every such protocol $\pi$ is:

\begin{itemize}

\item either \textit{uncorrelated} --- it is (somewhat) indistinguishable from an efficient protocol whose parties interact to produce $T_\kappa$, but then choose their outputs \emph{independently} from some product distribution (that is determined in poly-time from $T_\kappa$),

\item or, the protocol implies a key-agreement protocol (for infinitely many $\kappa$).

\end{itemize}

Uncorrelated protocols are completely uninteresting from a cryptographic viewpoint, as the correlation between outputs is uninteresting. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement.

\item We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function.

\item A subsequent work of \citeauthor{HaitnerMO18} uses the above dichotomy to makes progress on a long-standing open question regarding the complexity of fair two-party coin-flipping protocols.

\end{itemize}

\noindent

We highlight the following two ideas regarding our technique:

\begin{itemize}

\item The simulator algorithm is obtained by a carefully designed ``competition'' between efficient algorithms attempting to forecast $((X_\kappa,Y_\kappa)|T_\kappa=t)$. The winner is used to simulate the outputs of the protocol. To the best of our knowledge, this idea has not been used before (at least in this context).

\item Our key-agreement protocol uses the simulation to reduce to an information theoretic setup, and is in some sense non-black box.

\end{itemize}

TR18-071 Authors: Iftach Haitner, Kobbi Nissim, Eran Omri, Ronen Shaltiel, Jad Silbak

Publication: 15th April 2018 12:26

Downloads: 502

Keywords:

Let $\pi$ be an efficient two-party protocol that given security parameter $\kappa$, both parties output single bits $X_\kappa$ and $Y_\kappa$, respectively. We are interested in how $(X_\kappa,Y_\kappa)$ ``appears'' to an efficient adversary that only views the transcript $T_\kappa$. We make the following contributions:

\begin{itemize}

\item We develop new tools to argue about this loose notion, and show (modulo some caveats) that for every such protocol $\pi$, there exists an efficient \textit{simulator} such that the following holds: on input $T_\kappa$, the simulator outputs a pair $(X'_\kappa,Y'_\kappa)$ such that $(X'_\kappa,Y'_\kappa,T_\kappa)$ is (somewhat) \emph{computationally indistinguishable} from $(X_\kappa,Y_\kappa,T_\kappa)$.

\item We use these tools to prove the following \emph{dichotomy theorem}: every such protocol $\pi$ is:

\begin{itemize}

\item either \textit{uncorrelated} --- it is (somewhat) indistinguishable from an efficient protocol whose parties interact to produce $T_\kappa$, but then choose their outputs \emph{independently} from some product distribution (that is determined in poly-time from $T_\kappa$),

\item or, the protocol implies a key-agreement protocol (for infinitely many $\kappa$).

\end{itemize}

Uncorrelated protocols are completely uninteresting from a cryptographic viewpoint, as the correlation between outputs is uninteresting. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement.

\item We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function.

\item A subsequent work of \citeauthor{HaitnerMO18} uses the above dichotomy to makes progress on a long-standing open question regarding the complexity of fair two-party coin-flipping protocols.

\end{itemize}

\noindent

We highlight the following two ideas regarding our technique:

\begin{itemize}

\item The simulator algorithm is obtained by a carefully designed ``competition'' between efficient algorithms attempting to forecast $((X_\kappa,Y_\kappa)|T_\kappa=t)$. The winner is used to simulate the outputs of the protocol. To the best of our knowledge, this idea has not been used before (at least in this context).

\item Our key-agreement protocol uses the simulation to reduce to an information theoretic setup, and is in some sense non-black box.

\end{itemize}