TY - JOUR
T1 - Computational two-party correlation
T2 - A dichotomy for key-agreement protocols
AU - Haitner, Iftach
AU - Nissim, Kobbi
AU - Omri, Eran
AU - Shaltiel, Ronen
AU - Silbak, Jad
N1 - Publisher Copyright:
© 2020 Society for Industrial and Applied Mathematics
PY - 2020
Y1 - 2020
N2 - Let π be an efficient two-party protocol that, given security parameter κ, both parties output single bits Xκ and Yκ, respectively. We are interested in how (Xκ, Yκ) “appears” to an efficient adversary that only views the transcript Tκ. We make the following contributions: (a) We develop new tools to argue about this loose notion and show (modulo some caveats) that for every such protocol π, there exists an efficient simulator such that the following holds: on input Tκ, the simulator outputs a pair (Xκ0, Yκ0) such that (Xκ0, Yκ0, Tκ) is (somewhat) computationally indistinguishable from (Xκ, Yκ, Tκ). (b) We use these tools to prove the following dichotomy theorem: every such protocol π is either uncorrelated-it is (somewhat) indistinguishable from an efficient protocol whose parties interact to produce Tκ, but then choose their outputs independently from some product distribution (that is determined in poly-time from Tκ), or the protocol implies a key-agreement protocol (for infinitely many κ's). Uncorrelated protocols are uninteresting from a cryptographic viewpoint, as the correlation between outputs is (computationally) trivial. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement. (c) We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function. (d) A subsequent work [I. Haitner, N. Makriyannis, and E. Omri, in Theory of Cryptography Conference, Springer, Cham, Switzerland, 2018, pp. 539-562] uses the above dichotomy to makes progress on a long-standing open question regarding the complexity of fair two-party coin-flipping protocols. We also highlight the following two ideas regarding our technique: (a) The simulator algorithm is obtained by a carefully designed “competition” between efficient algorithms attempting to forecast (Xκ, Yκ)|Tκ=t. The winner is used to simulate the outputs of the protocol. (b) Our key-agreement protocol uses the simulation to reduce to an information theoretic setup and is, in some sense, a non-black-box.
AB - Let π be an efficient two-party protocol that, given security parameter κ, both parties output single bits Xκ and Yκ, respectively. We are interested in how (Xκ, Yκ) “appears” to an efficient adversary that only views the transcript Tκ. We make the following contributions: (a) We develop new tools to argue about this loose notion and show (modulo some caveats) that for every such protocol π, there exists an efficient simulator such that the following holds: on input Tκ, the simulator outputs a pair (Xκ0, Yκ0) such that (Xκ0, Yκ0, Tκ) is (somewhat) computationally indistinguishable from (Xκ, Yκ, Tκ). (b) We use these tools to prove the following dichotomy theorem: every such protocol π is either uncorrelated-it is (somewhat) indistinguishable from an efficient protocol whose parties interact to produce Tκ, but then choose their outputs independently from some product distribution (that is determined in poly-time from Tκ), or the protocol implies a key-agreement protocol (for infinitely many κ's). Uncorrelated protocols are uninteresting from a cryptographic viewpoint, as the correlation between outputs is (computationally) trivial. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement. (c) We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function. (d) A subsequent work [I. Haitner, N. Makriyannis, and E. Omri, in Theory of Cryptography Conference, Springer, Cham, Switzerland, 2018, pp. 539-562] uses the above dichotomy to makes progress on a long-standing open question regarding the complexity of fair two-party coin-flipping protocols. We also highlight the following two ideas regarding our technique: (a) The simulator algorithm is obtained by a carefully designed “competition” between efficient algorithms attempting to forecast (Xκ, Yκ)|Tκ=t. The winner is used to simulate the outputs of the protocol. (b) Our key-agreement protocol uses the simulation to reduce to an information theoretic setup and is, in some sense, a non-black-box.
KW - Cryptography
KW - Differential privacy
KW - Key-agreement
KW - Simulation
UR - http://www.scopus.com/inward/record.url?scp=85096856778&partnerID=8YFLogxK
U2 - 10.1137/19M1236837
DO - 10.1137/19M1236837
M3 - ???researchoutput.researchoutputtypes.contributiontojournal.article???
AN - SCOPUS:85096856778
SN - 0097-5397
VL - 49
SP - 1041
EP - 1082
JO - SIAM Journal on Computing
JF - SIAM Journal on Computing
IS - 6
ER -