Computational Two-Party Correlation: A Dichotomy for Key-Agreement Protocols
SIAM Journal on Computing (IF 1.2), Pub Date: 2020-11-03, DOI: 10.1137/19m1236837
Iftach Haitner, Kobbi Nissim, Eran Omri, Ronen Shaltiel, Jad Silbak

SIAM Journal on Computing, Volume 49, Issue 6, Page 1041-1082, January 2020.
Let $\pi$ be an efficient two-party protocol that, given security parameter $\kappa$, both parties output single bits $X_\kappa$ and $Y_\kappa$, respectively. We are interested in how $(X_\kappa,Y_\kappa)$ “appears” to an efficient adversary that only views the transcript $T_\kappa$. We make the following contributions: (a) We develop new tools to argue about this loose notion and show (modulo some caveats) that for every such protocol $\pi$, there exists an efficient simulator such that the following holds: on input $T_\kappa$, the simulator outputs a pair $(X'_\kappa,Y'_\kappa)$ such that $(X'_\kappa,Y'_\kappa,T_\kappa)$ is (somewhat) computationally indistinguishable from $(X_\kappa,Y_\kappa,T_\kappa)$. (b) We use these tools to prove the following dichotomy theorem: every such protocol $\pi$ is either uncorrelated---it is (somewhat) indistinguishable from an efficient protocol whose parties interact to produce $T_\kappa$, but then choose their outputs independently from some product distribution (that is determined in poly-time from $T_\kappa$), or the protocol implies a key-agreement protocol (for infinitely many $\kappa$'s). Uncorrelated protocols are uninteresting from a cryptographic viewpoint, as the correlation between outputs is (computationally) trivial. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement. (c) We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function. (d) A subsequent work [I. Haitner, N. Makriyannis, and E. Omri, in Theory of Cryptography Conference, Springer, Cham, Switzerland, 2018, pp. 539--562] uses the above dichotomy to make progress on a long-standing open question regarding the complexity of fair two-party coin-flipping protocols.
We also highlight the following two ideas regarding our technique: (a) The simulator algorithm is obtained by a carefully designed “competition” between efficient algorithms attempting to forecast $(X_\kappa,Y_\kappa)|_{T_\kappa=t}$. The winner is used to simulate the outputs of the protocol. (b) Our key-agreement protocol uses the simulation to reduce to an information-theoretic setup and is, in some sense, non-black-box.


Updated: 2020-11-12