Computational two-party correlation: A dichotomy for key-agreement protocols

Iftach Haitner; Kobbi Nissim; Eran Omri; Ronen Shaltiel; Jad Silbak

doi:10.1137/19M1236837

Computational two-party correlation: A dichotomy for key-agreement protocols

Iftach Haitner, Kobbi Nissim, Eran Omri, Ronen Shaltiel, Jad Silbak

Department of Computer Science

Research output: Contribution to journal › Article › peer-review

Abstract

Let π be an efficient two-party protocol that, given security parameter κ, both parties output single bits Xκ and Yκ, respectively. We are interested in how (Xκ, Yκ) “appears” to an efficient adversary that only views the transcript Tκ. We make the following contributions: (a) We develop new tools to argue about this loose notion and show (modulo some caveats) that for every such protocol π, there exists an efficient simulator such that the following holds: on input Tκ, the simulator outputs a pair (X_κ⁰, Y_κ⁰) such that (X_κ⁰, Y_κ⁰, Tκ) is (somewhat) computationally indistinguishable from (Xκ, Yκ, Tκ). (b) We use these tools to prove the following dichotomy theorem: every such protocol π is either uncorrelated-it is (somewhat) indistinguishable from an efficient protocol whose parties interact to produce Tκ, but then choose their outputs independently from some product distribution (that is determined in poly-time from Tκ), or the protocol implies a key-agreement protocol (for infinitely many κ's). Uncorrelated protocols are uninteresting from a cryptographic viewpoint, as the correlation between outputs is (computationally) trivial. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement. (c) We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function. (d) A subsequent work [I. Haitner, N. Makriyannis, and E. Omri, in Theory of Cryptography Conference, Springer, Cham, Switzerland, 2018, pp. 539-562] uses the above dichotomy to makes progress on a long-standing open question regarding the complexity of fair two-party coin-flipping protocols. We also highlight the following two ideas regarding our technique: (a) The simulator algorithm is obtained by a carefully designed “competition” between efficient algorithms attempting to forecast (Xκ, Yκ)|_Tκ=t. The winner is used to simulate the outputs of the protocol. (b) Our key-agreement protocol uses the simulation to reduce to an information theoretic setup and is, in some sense, a non-black-box.

Original language	English
Pages (from-to)	1041-1082
Number of pages	42
Journal	SIAM Journal on Computing
Volume	49
Issue number	6
DOIs	https://doi.org/10.1137/19M1236837
State	Published - 2020

Bibliographical note

Funding Information:
∗Received by the editors January 4, 2019; accepted for publication (in revised form) July 30, 2020; published electronically November 3, 2020. https://doi.org/10.1137/19M1236837 Funding: The first and fifth authors were supported by ERC starting grant 638121. The second author was supported by NSF grant CNS-1565387. The third author was supported by ISF grants 544/13 and 152/17. The fourth and fifth authors were supported by ISF grant 1628/17. †Department of Computer Science, Tel Aviv University, Tel Aviv, 69978 ([email protected], [email protected]). ‡Department of Computer Science, Georgetown University, Washington D.C. 20057 USA (kobbi. [email protected]). §Department of Computer Science and Mathematics, Ariel University, Ariel, 40700 (omrier@ariel. ac.il). ¶Department of Computer Science, University of Haifa, Haifa, 31905 ([email protected]).

Publisher Copyright:
© 2020 Society for Industrial and Applied Mathematics

Keywords

Cryptography
Differential privacy
Key-agreement
Simulation

ASJC Scopus subject areas

General Computer Science
General Mathematics

Access to Document

10.1137/19M1236837

Cite this

@article{423624ae0bef475b95abd9516e0d4819,

title = "Computational two-party correlation: A dichotomy for key-agreement protocols",

abstract = "Let π be an efficient two-party protocol that, given security parameter κ, both parties output single bits Xκ and Yκ, respectively. We are interested in how (Xκ, Yκ) “appears” to an efficient adversary that only views the transcript Tκ. We make the following contributions: (a) We develop new tools to argue about this loose notion and show (modulo some caveats) that for every such protocol π, there exists an efficient simulator such that the following holds: on input Tκ, the simulator outputs a pair (Xκ0, Yκ0) such that (Xκ0, Yκ0, Tκ) is (somewhat) computationally indistinguishable from (Xκ, Yκ, Tκ). (b) We use these tools to prove the following dichotomy theorem: every such protocol π is either uncorrelated-it is (somewhat) indistinguishable from an efficient protocol whose parties interact to produce Tκ, but then choose their outputs independently from some product distribution (that is determined in poly-time from Tκ), or the protocol implies a key-agreement protocol (for infinitely many κ's). Uncorrelated protocols are uninteresting from a cryptographic viewpoint, as the correlation between outputs is (computationally) trivial. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement. (c) We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function. (d) A subsequent work [I. Haitner, N. Makriyannis, and E. Omri, in Theory of Cryptography Conference, Springer, Cham, Switzerland, 2018, pp. 539-562] uses the above dichotomy to makes progress on a long-standing open question regarding the complexity of fair two-party coin-flipping protocols. We also highlight the following two ideas regarding our technique: (a) The simulator algorithm is obtained by a carefully designed “competition” between efficient algorithms attempting to forecast (Xκ, Yκ)|Tκ=t. The winner is used to simulate the outputs of the protocol. (b) Our key-agreement protocol uses the simulation to reduce to an information theoretic setup and is, in some sense, a non-black-box.",

keywords = "Cryptography, Differential privacy, Key-agreement, Simulation",

author = "Iftach Haitner and Kobbi Nissim and Eran Omri and Ronen Shaltiel and Jad Silbak",

note = "Funding Information: ∗Received by the editors January 4, 2019; accepted for publication (in revised form) July 30, 2020; published electronically November 3, 2020. https://doi.org/10.1137/19M1236837 Funding: The first and fifth authors were supported by ERC starting grant 638121. The second author was supported by NSF grant CNS-1565387. The third author was supported by ISF grants 544/13 and 152/17. The fourth and fifth authors were supported by ISF grant 1628/17. †Department of Computer Science, Tel Aviv University, Tel Aviv, 69978 ([email protected], [email protected]). ‡Department of Computer Science, Georgetown University, Washington D.C. 20057 USA (kobbi. [email protected]). §Department of Computer Science and Mathematics, Ariel University, Ariel, 40700 (omrier@ariel. ac.il). ¶Department of Computer Science, University of Haifa, Haifa, 31905 ([email protected]). Publisher Copyright: {\textcopyright} 2020 Society for Industrial and Applied Mathematics",

year = "2020",

doi = "10.1137/19M1236837",

language = "English",

volume = "49",

pages = "1041--1082",

journal = "SIAM Journal on Computing",

issn = "0097-5397",

publisher = "Society for Industrial and Applied Mathematics Publications",

number = "6",

}

TY - JOUR

T1 - Computational two-party correlation

T2 - A dichotomy for key-agreement protocols

AU - Haitner, Iftach

AU - Nissim, Kobbi

AU - Omri, Eran

AU - Shaltiel, Ronen

AU - Silbak, Jad

N1 - Funding Information: ∗Received by the editors January 4, 2019; accepted for publication (in revised form) July 30, 2020; published electronically November 3, 2020. https://doi.org/10.1137/19M1236837 Funding: The first and fifth authors were supported by ERC starting grant 638121. The second author was supported by NSF grant CNS-1565387. The third author was supported by ISF grants 544/13 and 152/17. The fourth and fifth authors were supported by ISF grant 1628/17. †Department of Computer Science, Tel Aviv University, Tel Aviv, 69978 ([email protected], [email protected]). ‡Department of Computer Science, Georgetown University, Washington D.C. 20057 USA (kobbi. [email protected]). §Department of Computer Science and Mathematics, Ariel University, Ariel, 40700 (omrier@ariel. ac.il). ¶Department of Computer Science, University of Haifa, Haifa, 31905 ([email protected]). Publisher Copyright: © 2020 Society for Industrial and Applied Mathematics

PY - 2020

Y1 - 2020

N2 - Let π be an efficient two-party protocol that, given security parameter κ, both parties output single bits Xκ and Yκ, respectively. We are interested in how (Xκ, Yκ) “appears” to an efficient adversary that only views the transcript Tκ. We make the following contributions: (a) We develop new tools to argue about this loose notion and show (modulo some caveats) that for every such protocol π, there exists an efficient simulator such that the following holds: on input Tκ, the simulator outputs a pair (Xκ0, Yκ0) such that (Xκ0, Yκ0, Tκ) is (somewhat) computationally indistinguishable from (Xκ, Yκ, Tκ). (b) We use these tools to prove the following dichotomy theorem: every such protocol π is either uncorrelated-it is (somewhat) indistinguishable from an efficient protocol whose parties interact to produce Tκ, but then choose their outputs independently from some product distribution (that is determined in poly-time from Tκ), or the protocol implies a key-agreement protocol (for infinitely many κ's). Uncorrelated protocols are uninteresting from a cryptographic viewpoint, as the correlation between outputs is (computationally) trivial. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement. (c) We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function. (d) A subsequent work [I. Haitner, N. Makriyannis, and E. Omri, in Theory of Cryptography Conference, Springer, Cham, Switzerland, 2018, pp. 539-562] uses the above dichotomy to makes progress on a long-standing open question regarding the complexity of fair two-party coin-flipping protocols. We also highlight the following two ideas regarding our technique: (a) The simulator algorithm is obtained by a carefully designed “competition” between efficient algorithms attempting to forecast (Xκ, Yκ)|Tκ=t. The winner is used to simulate the outputs of the protocol. (b) Our key-agreement protocol uses the simulation to reduce to an information theoretic setup and is, in some sense, a non-black-box.

AB - Let π be an efficient two-party protocol that, given security parameter κ, both parties output single bits Xκ and Yκ, respectively. We are interested in how (Xκ, Yκ) “appears” to an efficient adversary that only views the transcript Tκ. We make the following contributions: (a) We develop new tools to argue about this loose notion and show (modulo some caveats) that for every such protocol π, there exists an efficient simulator such that the following holds: on input Tκ, the simulator outputs a pair (Xκ0, Yκ0) such that (Xκ0, Yκ0, Tκ) is (somewhat) computationally indistinguishable from (Xκ, Yκ, Tκ). (b) We use these tools to prove the following dichotomy theorem: every such protocol π is either uncorrelated-it is (somewhat) indistinguishable from an efficient protocol whose parties interact to produce Tκ, but then choose their outputs independently from some product distribution (that is determined in poly-time from Tκ), or the protocol implies a key-agreement protocol (for infinitely many κ's). Uncorrelated protocols are uninteresting from a cryptographic viewpoint, as the correlation between outputs is (computationally) trivial. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement. (c) We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function. (d) A subsequent work [I. Haitner, N. Makriyannis, and E. Omri, in Theory of Cryptography Conference, Springer, Cham, Switzerland, 2018, pp. 539-562] uses the above dichotomy to makes progress on a long-standing open question regarding the complexity of fair two-party coin-flipping protocols. We also highlight the following two ideas regarding our technique: (a) The simulator algorithm is obtained by a carefully designed “competition” between efficient algorithms attempting to forecast (Xκ, Yκ)|Tκ=t. The winner is used to simulate the outputs of the protocol. (b) Our key-agreement protocol uses the simulation to reduce to an information theoretic setup and is, in some sense, a non-black-box.

KW - Cryptography

KW - Differential privacy

KW - Key-agreement

KW - Simulation

UR - http://www.scopus.com/inward/record.url?scp=85096856778&partnerID=8YFLogxK

U2 - 10.1137/19M1236837

DO - 10.1137/19M1236837

M3 - Article

AN - SCOPUS:85096856778

SN - 0097-5397

VL - 49

SP - 1041

EP - 1082

JO - SIAM Journal on Computing

JF - SIAM Journal on Computing

IS - 6

ER -

Computational two-party correlation: A dichotomy for key-agreement protocols

Abstract

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint