TY - GEN
T1 - Computational two-party correlation
T2 - 59th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2018
AU - Haitner, Iftach
AU - Nissim, Kobbi
AU - Omri, Eran
AU - Shaltiel, Ronen
AU - Silbak, Jad
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/11/30
Y1 - 2018/11/30
N2 - Let π be an efficient two-party protocol that given security parameter κ, both parties output single bits X κ and Y κ , respectively. We are interested in how (X κ , Y κ ) "appears" to an efficient adversary that only views the transcript T κ . We make the following contributions: • We develop new tools to argue about this loose notion, and show (modulo some caveats) that for every such protocol π, there exists an efficient simulator such that the following holds: on input T κ , the simulator outputs a pair (X κ ' , Y κ ) such that (X κ ' , Y κ ' , T κ ) is (somewhat) computationally indistinguishable from (X κ , Y κ , T κ ). • We use these tools to prove the following dichotomy theorem: every such protocol π is: - either uncorrelated - it is (somewhat) indistin-guishable from an efficient protocol whose parties interact to produce T κ , but then choose their out-puts independently from some product distribution (that is determined in poly-time from T κ ), - or, the protocol implies a key-agreement protocol (for infinitely many κ 's). Uncorrelated protocols are uninteresting from a cryptographic viewpoint, as the correlation between outputs is (computationally) trivial. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement. • We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function. • A subsequent work of Haitner et al. uses the above dichotomy to makes progress on a long-standing open question regarding the complexity of fair two-party coin-flipping protocols. We highlight the following ideas regarding our technique: • The simulator algorithm is obtained by a carefully designed "competition" between efficient algorithms attempting to forecast (X κ , Y κ )|T κ=t . The winner is used to simulate the outputs of the protocol. • Our key-agreement protocol uses the simulation to reduce to an information theoretic setup, and is in some sense non-black box.
AB - Let π be an efficient two-party protocol that given security parameter κ, both parties output single bits X κ and Y κ , respectively. We are interested in how (X κ , Y κ ) "appears" to an efficient adversary that only views the transcript T κ . We make the following contributions: • We develop new tools to argue about this loose notion, and show (modulo some caveats) that for every such protocol π, there exists an efficient simulator such that the following holds: on input T κ , the simulator outputs a pair (X κ ' , Y κ ) such that (X κ ' , Y κ ' , T κ ) is (somewhat) computationally indistinguishable from (X κ , Y κ , T κ ). • We use these tools to prove the following dichotomy theorem: every such protocol π is: - either uncorrelated - it is (somewhat) indistin-guishable from an efficient protocol whose parties interact to produce T κ , but then choose their out-puts independently from some product distribution (that is determined in poly-time from T κ ), - or, the protocol implies a key-agreement protocol (for infinitely many κ 's). Uncorrelated protocols are uninteresting from a cryptographic viewpoint, as the correlation between outputs is (computationally) trivial. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement. • We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function. • A subsequent work of Haitner et al. uses the above dichotomy to makes progress on a long-standing open question regarding the complexity of fair two-party coin-flipping protocols. We highlight the following ideas regarding our technique: • The simulator algorithm is obtained by a carefully designed "competition" between efficient algorithms attempting to forecast (X κ , Y κ )|T κ=t . The winner is used to simulate the outputs of the protocol. • Our key-agreement protocol uses the simulation to reduce to an information theoretic setup, and is in some sense non-black box.
KW - Computational correlation
KW - Differential privacy
KW - Key agreement
UR - http://www.scopus.com/inward/record.url?scp=85057128065&partnerID=8YFLogxK
U2 - 10.1109/FOCS.2018.00022
DO - 10.1109/FOCS.2018.00022
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:85057128065
T3 - Proceedings - Annual IEEE Symposium on Foundations of Computer Science, FOCS
SP - 136
EP - 147
BT - Proceedings - 59th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2018
A2 - Thorup, Mikkel
PB - IEEE Computer Society
Y2 - 7 October 2018 through 9 October 2018
ER -