Computational Two Party Correlation


1 Computational Two Party Correlation
Iftach Haitner, TAU; Eran Omri, Ariel; Kobbi Nissim, Georgetown; Ronen Shaltiel, U. Haifa; Jad Silbak, U. Haifa

2 Poly-time 2-party protocols
Two rand. poly-time parties: A, B.
Common input: security parameter $k$.
Parties interact. Each party outputs one bit.
[Diagram: A and B run on security parameter $k$; A outputs $X_k$, B outputs $Y_k$, transcript $T_k$.]
Example: Key Agreement. Protocols (A,B) satisfy:
Agreement: $\Pr[X_k = Y_k] \ge \frac{1}{2} + a(k)$.
Secrecy: $\forall$ PPTM $E$, $\Pr[E(T_k) = X_k] \le \frac{1}{2} + s(k)$.
Default values: $a(k) = \frac{1}{2} - \mathrm{neg}(k)$, $s(k) = \mathrm{neg}(k)$.
Interesting whenever: $s(k) \ll a(k)$.
[Hol]: Protocol w/ $s(k) \le O(a(k)^2)$ $\Rightarrow$ Default values.

3 Key Agreement protocols and “Computational Correlation”
Consider PPTM $E$, that sees only $T$: “$(X,Y)|T$ looks like $(B,B)$: $B \leftarrow U$”.
Call this “computational correlation”.
Note: $\forall t$: $(X,Y)|T=t$ uncorrelated.
[Diagram: A and B run on security parameter $k$; A outputs $X_k$, B outputs $Y_k$, transcript $T_k$.]
Example: Key Agreement. Protocols (A,B) satisfy:
Agreement: $\Pr[X_k = Y_k] \ge \frac{1}{2} + a(k)$.
Secrecy: $\forall$ PPTM $E$, $\Pr[E(T_k) = X_k] \le \frac{1}{2} + s(k)$.
Default values: $a(k) = \frac{1}{2} - \mathrm{neg}(k)$, $s(k) = \mathrm{neg}(k)$.
Interesting whenever: $s(k) \ll a(k)$.
[Hol]: Protocol w/ $s(k) \le O(a(k)^2)$ $\Rightarrow$ Default values.

4 Uninteresting protocol: Non-interactive randomized response
No interaction.
Parties A, B have fixed $p_A, p_B \in [0,1]$.
A samples output $X \leftarrow U_{p_A}$.
B samples output $Y \leftarrow U_{p_B}$.
$X, Y$ are uncorrelated.
[Diagram: A and B run on security parameter $k$; A outputs $X_k$, B outputs $Y_k$, transcript $T_k$.]
Example: Defective key-agreement by rand-response.
Set: $p_A = p_B = \frac{1}{2} + s$ for parameter $s = s(k) > 0$.
We have:
Agreement: $\Pr[X = Y] \ge \frac{1}{2} + a$, for $a = 2s^2$.
Secrecy: $\forall$ PPTM $E$, $\Pr[E(T) = X] \le \frac{1}{2} + s$.
Defective key-agreement because $a < s$.

5 Slightly more interesting protocol: Interactive randomized response
A, B interact (let $T$ be the transcript).
A, B have poly-time computable functions $p_A(T), p_B(T) \in [0,1]$.
A samples output $X \leftarrow U_{p_A(T)}$.
B samples output $Y \leftarrow U_{p_B(T)}$.
[Diagram: A and B run on security parameter $k$; A outputs $X_k$, B outputs $Y_k$, transcript $T_k$.]
Intuition: such protocols have no “computational correlation”.
A PPTM $E$ that sees $T$: Can compute $p_A(T), p_B(T)$ in poly-time.
$\Rightarrow$ $E$ “completely understands” $(X,Y)|T=t$. No hidden computational correlation.
For example: such protocols are not key-agreement.
Given $T$, $E$ can predict $X$, just as well as B. $\Rightarrow$ Not a key-agreement.

6 Uncorrelated protocols (informal)
Dfn: A protocol $\Pi = (A,B)$ is uncorrelated if $\exists$ deterministic poly-time Decr s.t. $\mathrm{Decr}(T_k) = (p_A(T_k), p_B(T_k)) \in [0,1]^2$.
If we sample independently: $X'_k \leftarrow U_{p_A(T_k)}$, $Y'_k \leftarrow U_{p_B(T_k)}$.
Then: $(X_k, Y_k, T_k) = (X'_k, Y'_k, T_k)$.
An uncorrelated protocol is essentially an interactive rand. res. protocol.
Informal thm: “such protocols cannot be transformed into key-agreement”.
Real dfn: computational indistinguish. rather than equality.
[Diagram: A and B run on security parameter $k$ with outputs $X_k$, $Y_k$ and transcript $T_k$; Decr outputs the numbers $p_A, p_B$; sample independently $X'_k \leftarrow U_{p_A}$, $Y'_k \leftarrow U_{p_B}$; real $(X_k, Y_k, T_k)$ = simulated $(X'_k, Y'_k, T_k)$.]

7 Main theorem (informal): A dichotomy
Modulo some caveats and technicalities (explained soon).
For every polynomial time 2-party protocol $\Pi$.
Either, $\Pi$ is uncorrelated, meaning that given $t$, in poly-time we can sample $(X,Y)|T=t$,
or, $\Pi$ can be transformed into a key-agreement.
No intermediate concept.
[Diagram: A and B run on security parameter $k$ with outputs $X_k$, $Y_k$ and transcript $T_k$; Decr outputs the numbers $p_A, p_B$; sample independently $X'_k \leftarrow U_{p_A}$, $Y'_k \leftarrow U_{p_B}$; real $(X_k, Y_k, T_k)$ = simulated $(X'_k, Y'_k, T_k)$.]

8 Main theorem (informal): A dichotomy
Candidate intermediate concept: Defective key agreement: $a < s$.
In general, DKA doesn’t imply KA.
DKA can be “interesting”. Examples: Randomized response whp, and KA with small prob.
Stronger form of secrecy: $\Pr[X = 1 \mid E(T) = 1] = \frac{1}{2} \pm s$ $\forall$ ppt $E$, which answers one with noticeable probability.
Agreement $a > 2s^2$.
Modulo some caveats and technicalities (explained soon).
For every polynomial time 2-party protocol $\Pi$.
Either, $\Pi$ is uncorrelated, meaning that given $t$, in poly-time we can sample $(X,Y)|T=t$,
or, $\Pi$ can be transformed into a key-agreement.
No intermediate concept.
[Diagram: A and B run on security parameter $k$ with outputs $X_k$, $Y_k$ and transcript $T_k$; Decr outputs the numbers $p_A, p_B$; sample independently $X'_k \leftarrow U_{p_A}$, $Y'_k \leftarrow U_{p_B}$; real $(X_k, Y_k, T_k)$ = simulated $(X'_k, Y'_k, T_k)$.]

9 An analogy to the Impagliazzo-Luby Thm: Distributional OWF $\Rightarrow$ OWF
Our Theorem (Informal): For every polynomial time 2-party protocol $\Pi$. Either, $\Pi$ is uncorrelated, meaning that given $t$, in poly-time we can sample $(X,Y)|T=t$, or, $\Pi$ can be transformed into a key-agreement.
Impagliazzo-Luby (informal): For every polynomial time procedure $P(X) = T$. Either $P$ can be “reversed”, meaning that given $t$, in poly-time we can sample $X \mid P(X) = t$, or, $P$ can be transformed into a one-way function.
To show that a primitive implies OWF/KA, sufficient to show that it cannot be reversed/not uncorrelated.

10 Main theorem: with caveats
For every polynomial time 2-party protocol $\Pi$, for every constant $\rho > 0$:
Either, $\Pi$ is $\rho$-uncorrelated (on infinitely many $k$’s),
or, $\Pi$ can be transformed into a key-agreement (on infinitely many $k$’s).
*Decr is allowed to be randomized.
Computational indistinguishability by PPTMs, with distinguishing probability $\le \rho$:
$(X_k, Y_k, T_k, R_k) \equiv^{c}_{\rho} (X'_k, Y'_k, T_k, R_k)$ (real vs. simulated).
[Diagram: A and B run on security parameter $k$ with outputs $X_k$, $Y_k$ and transcript $T_k$; Decr (with $R_k$) outputs the numbers $p_A, p_B$; sample independently $X'_k \leftarrow U_{p_A}$, $Y'_k \leftarrow U_{p_B}$.]

11 Applications:
Goal: Show that a primitive implies key-agreement.
Method: Show that primitive yields a correlated protocol.
This work: Nontrivial differentially private protocol for XOR, implies (io) key agreement.
[Haitner,Makriyannis,Omri ‘18]: Nontrivial coin-flipping protocol, implies (io) key agreement.

12 Proof of main theorem: Rigorous treatment of computational correlation.

13 Forecasters: rigorous treatment of computational correlation
Forecasters: $F$ is a PPT that on input $t$, generates “forecast” of the probability space $(X_k, Y_k) \mid T_k = t$.
$F(t) = (p_A, p_{B|0}, p_{B|1}) \in [0,1]^3$
$p_A$: $\Pr[X_k = 1 \mid T_k = t]$
$p_{B|0}$: $\Pr[Y_k = 1 \mid X_k = 0, T_k = t]$
$p_{B|1}$: $\Pr[Y_k = 1 \mid X_k = 1, T_k = t]$
Dfn: For $\rho > 0$, and protocol $\Pi = (A,B)$, poly-time $F$ is a $\rho$-forecaster for $\Pi$, if for $(P_A, P_{B|0}, P_{B|1}) = F(T_k)$, $X'_k \leftarrow U_{P_A}$, $Y'_k \leftarrow U_{P_{B|X'_k}}$:
$(X_k, Y_k, T_k) \equiv^{c}_{\rho} (X'_k, Y'_k, T_k)$.
[Diagram: A and B run on security parameter $k$ with outputs $X_k$, $Y_k$ and transcript $T_k$; $F$ outputs the numbers $p_A, p_{B|0}, p_{B|1}$; sample $X'_k \leftarrow U_{p_A}$, $Y'_k \leftarrow U_{p_{B|X'_k}}$; real $(X_k, Y_k, T_k)$ vs. simulated $(X'_k, Y'_k, T_k)$.]

14 Forecasters: rigorous treatment of computational correlation
Dfn: For $\rho > 0$, and protocol $\Pi = (A,B)$, poly-time $F$ is a $\rho$-forecaster for $\Pi$, if for $(P_A, P_{B|0}, P_{B|1}) = F(T_k)$, $X'_k \leftarrow U_{P_A}$, $Y'_k \leftarrow U_{P_{B|X'_k}}$:
$(X_k, Y_k, T_k) \equiv^{c}_{\rho} (X'_k, Y'_k, T_k)$.
Informal Thm: $\forall \rho > 0$, and protocol $\Pi = (A,B)$ there exists a $\rho$-forecaster for $\Pi$.
Two caveats:
computational indistinguish. for $\rho = o(1)$, not negligible.
$(X_k, Y_k, T_k) \equiv^{c}_{\rho} (X'_k, Y'_k, T_k)$ only holds for an infinite subset of $k$’s.
[Diagram: A and B run on security parameter $k$ with outputs $X_k$, $Y_k$ and transcript $T_k$; $F$ outputs the numbers $p_A, p_{B|0}, p_{B|1}$; sample $X'_k \leftarrow U_{p_A}$, $Y'_k \leftarrow U_{p_{B|X'_k}}$; real $(X_k, Y_k, T_k)$ vs. simulated $(X'_k, Y'_k, T_k)$.]

15 Forecasters give dichotomy
[Diagram: A and B run on security parameter $k$ with outputs $X_k$, $Y_k$ and transcript $T_k$; $F$ outputs the numbers $p_A, p_{B|0}, p_{B|1}$; sample $X'_k \leftarrow U_{p_A}$, $Y'_k \leftarrow U_{p_{B|X'_k}}$; real $(X_k, Y_k, T_k) \approx^{c}_{\rho}$ simulated $(X'_k, Y'_k, T_k)$.]
Uncorrelated protocol: If except for very few $t$: $p_{B|0} = p_{B|1}$, use $F$ as Decr.
$\mathrm{Decr}(t) = (F(t)_1, F(t)_2) = (p_A, p_{B|0})$.
If $p_{B|0} = p_{B|1}$, then $X'_k, Y'_k$ are independent.

16 Forecasters give dichotomy
We can use infor. theory techniques on $(X'_k, Y'_k, T_k)$.
In this infor. theor. setup the protocol can use the forecaster!
[Diagram: A and B run on security parameter $k$ with outputs $X_k$, $Y_k$ and transcript $T_k$; $F$ outputs the numbers $p_A, p_{B|0}, p_{B|1}$; sample $X'_k \leftarrow U_{p_A}$, $Y'_k \leftarrow U_{p_{B|X'_k}}$; real $(X_k, Y_k, T_k) \approx^{c}_{\rho}$ simulated $(X'_k, Y'_k, T_k)$.]
Uncorrelated protocol: If except for very few $t$: $p_{B|0} = p_{B|1}$, use $F$ as Decr. $\mathrm{Decr}(t) = (F(t)_1, F(t)_2) = (p_A, p_{B|0})$.
Correlated protocol: For notcbl. set of $t$’s $p_{B|0} \ne p_{B|1}$ $\Longrightarrow$ $\exists$ KA protocol that uses $\Pi$.
$(X'_k, Y'_k, T_k)$ has infor. theoretic uncertainty!
Show: KA protocol using $(X'_k, Y'_k, T_k)$ that has information theoretic security.
$(X_k, Y_k, T_k) \approx^{c}_{\rho} (X'_k, Y'_k, T_k)$.
Applying the same KA this time on (real) $(X_k, Y_k, T_k)$ $\Longrightarrow$ comput. secure KA with a loss of $\rho$ $\Longrightarrow$ amplify to get standard KA.

17 From correlated protocol to KA (in the simulated infor. theor. world)
A, B (and unbounded eavesdrop.) E, receive $(X', Y', T)$ from some dist. where $(X'_k, Y'_k) \mid T_k = t$ is correlated.
The one-sided vN Protocol:
A runs $F(t)$: obtains $p_A$.
A samples $X'' \leftarrow U_{p_A}$.
A informs B whether $X' = X''$.
If equal: abort.
If different: parties output $X', Y'$.
vN extractor: $X'$ is fair coin, conditioned on $\{T = t\}$ $\Rightarrow$ secrecy.
Initial correlation $\Rightarrow$ outputs are correlated $\Rightarrow$ agreement.
[Diagram: A holds $X'$, B holds $Y'$, “transcript” $T$; if $X' = X''$: abort; if $X' \ne X''$: continue, with final outputs $X'$ (A) and $Y'$ (B).]
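
The one-sided vN protocol above, worked through exactly for a single transcript $t$ (an added example, not taken from the slides). The two forecast triples are constructed values and the function names are illustrative; the eavesdropper is assumed to see $t$ and the abort/continue announcement.

```python
from fractions import Fraction as Fr
from itertools import product

def bern(p, bit):
    """Probability that a U_p coin (Pr[1] = p) shows `bit`."""
    return p if bit == 1 else 1 - p

def one_sided_vn(forecast):
    """Exact analysis of the one-sided vN protocol for one transcript t.

    forecast = (p_A, p_B|0, p_B|1) as on the forecaster slides:
      X' <- U_{p_A},  Y' <- U_{p_B|X'},  and A's fresh coin X'' <- U_{p_A}.
    Returns (Pr[continue], Pr[X'=1 | continue], Pr[X'=Y' | continue]).
    """
    p_a, p_b0, p_b1 = forecast
    cont = x_is_one = agree = Fr(0)
    for x1, y1, x2 in product((0, 1), repeat=3):
        pr = bern(p_a, x1) * bern(p_b1 if x1 else p_b0, y1) * bern(p_a, x2)
        if x1 == x2:            # A announces "equal": the parties abort
            continue
        cont += pr
        x_is_one += pr * x1     # secrecy: mass where the kept bit X' is 1
        agree += pr * (x1 == y1)  # agreement: mass where B's bit matches
    return cont, x_is_one / cont, agree / cont

# Constructed forecasts (assumptions for this illustration):
# a biased X' with a correlated Y', and the same bias with p_B|0 = p_B|1.
CORRELATED = (Fr(7, 10), Fr(2, 5), Fr(4, 5))
UNCORRELATED = (Fr(7, 10), Fr(3, 5), Fr(3, 5))

if __name__ == "__main__":
    for name, f in (("correlated", CORRELATED), ("uncorrelated", UNCORRELATED)):
        cont, x_one, agree = one_sided_vn(f)
        print(f"{name}: Pr[continue]={cont}  Pr[X'=1|continue]={x_one}  "
              f"Pr[X'=Y'|continue]={agree}")
```

In both cases the kept bit is exactly unbiased given $t$, while the agreement probability is $\frac{1}{2} + \frac{p_{B|1} - p_{B|0}}{2}$, so it exceeds $\frac{1}{2}$ only when the forecast is correlated.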

18 Existence of forecasters: A competition
The price of forecaster $F$ wrt. protocol $\Pi$ measures the distance between simulated output distribution and real one:
$\mathrm{price}_{\Pi,k}(F) = \mathbb{E}_{(X,Y,T) \leftarrow \Pi(1^k),\ (p_A, p_{B|0}, p_{B|1}) \leftarrow F(T)} \left[ \left\| (X - p_A,\ Y - p_{B|X}) \right\|^2 \right]$
Dfn: $F$ is $\mu$-optimal if $\exists$ inf. $I \subseteq N$, s.t. $\forall$ PPT $F'$, suf. large $k \in I$: $\mathrm{price}_{\Pi,k}(F) \le \mathrm{price}_{\Pi,k}(F') + \mu$.
Thm: $\forall \mu > 0$: $\exists$ $\mu$-optimal forecaster for $\Pi$.
Thm: $\rho$-Distinguisher for forecaster $F$ (wrt. $\Pi$) $\Longrightarrow$ forecaster $F'$ with $\mathrm{price}_{\Pi,k}(F') < \mathrm{price}_{\Pi,k}(F) - \rho^2$.
Hence, $\rho^2$-optimal forecaster for $\Pi$ is also a $\rho$-forecaster.

19 Distinguishing to price improvement
Thm: $\rho$-Distinguisher for forecaster $F$ (wrt. $\Pi$) $\Longrightarrow$ forecaster $F'$ with $\mathrm{price}_{\Pi,k}(F') < \mathrm{price}_{\Pi,k}(F) - \rho^2$.
For simplicity, we will ignore $Y$: Assume $D$ distinguishes $(X,T)$ from $(X',T)$, and is more likely to answer one on the former.
Use $D$ and $F$ to construct $F'(t)$ as follows:
If $D(0,t) = D(1,t)$, then $F'(t) = F(t)$.
If $D(0,t) = 0$, $D(1,t) = 1$, set $F'(t) = F(t) + \epsilon$.
If $D(0,t) = 1$, $D(1,t) = 0$, set $F'(t) = F(t) - \epsilon$.
Using choice of price function $\Rightarrow$ Price improvement.
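
An exact check of this construction on a three-transcript toy world, ignoring $Y$ as the slide does (an added example, not taken from the slides). The world, the distinguisher table and the choice $\epsilon = \rho$ are assumptions made for the illustration; the price is taken to be $\mathbb{E}[(X - F(T))^2]$.

```python
from fractions import Fraction as Fr

# Constructed toy world: t -> (Pr[T=t], true Pr[X=1|T=t], forecast F(t)).
WORLD = {
    "t0": (Fr(1, 2), Fr(4, 5), Fr(1, 2)),   # F under-forecasts
    "t1": (Fr(1, 4), Fr(1, 5), Fr(1, 2)),   # F over-forecasts
    "t2": (Fr(1, 4), Fr(1, 2), Fr(1, 2)),   # F is exact
}
# Deterministic distinguisher D(x, t), given as t -> (D(0,t), D(1,t)).
D = {"t0": (0, 1), "t1": (1, 0), "t2": (1, 1)}

def price(forecast):
    """E[(X - F(T))^2] for a forecast given as a dict t -> probability."""
    total = Fr(0)
    for t, (pt, p, _) in WORLD.items():
        f = forecast[t]
        total += pt * (p * (1 - f) ** 2 + (1 - p) * f ** 2)
    return total

def advantage():
    """Pr[D(X,T)=1] - Pr[D(X',T)=1], where X' <- U_{F(T)}."""
    adv = Fr(0)
    for t, (pt, p, f) in WORLD.items():
        d0, d1 = D[t]
        adv += pt * (p - f) * (d1 - d0)
    return adv

def improve(eps):
    """The slide's F': move F(t) by +eps, -eps or 0 as D(0,t), D(1,t) dictate."""
    new = {}
    for t, (_, _, f) in WORLD.items():
        d0, d1 = D[t]
        new[t] = f + eps * (d1 - d0)
    return new

F = {t: f for t, (_, _, f) in WORLD.items()}
RHO = advantage()         # D's distinguishing advantage against F
F_PRIME = improve(RHO)    # eps = rho; forecasts stay inside [0,1] here

if __name__ == "__main__":
    print("rho =", RHO)
    print("price(F)  =", price(F))
    print("price(F') =", price(F_PRIME))
    print("improvement =", price(F) - price(F_PRIME), " rho^2 =", RHO ** 2)
```

Per transcript the price changes by $-2\epsilon\,(D(1,t) - D(0,t))\,(p(t) - F(t)) + \epsilon^2$ wherever $D(0,t) \ne D(1,t)$, so summing over $t$ gives a drop of at least $2\epsilon\rho - \epsilon^2$, which is $\rho^2$ at $\epsilon = \rho$.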

20 Application: Nontrivial Differential Privacy for XOR implies Key-Agreement
Two rand. poly-time parties: A, B.
Each party has an input (1 bit).
Goal: compute function $f(x,y)$.
The parties interact. Transcript contains an output bit $Z$.
[Diagram: A with input $x$, B with input $y$; transcript $T$ containing $Z$; both parties output $Z$.]
Actually, this is a weaker notion of DP against an external observer.
Studied in: [McGregor,Mironov,Pitassi,Reingold,Talwar,Vadhan10] [Goyal,Mironov,Pandey,Sahai13] [Khurana,Maji,Sahai14] [Goyal,Khurana,Mironov,Pandey,Sahai16].
Dfn: an $\alpha$-correct, $(\epsilon,\delta)$-differentially private protocol:
Correctness: $\forall x,y$, $\Pr[Z = f(x,y)] \ge \frac{1}{2} + \alpha$.
Privacy of A: $\forall$ PPTM $D$, $\frac{\Pr[D(T) = 1 \mid x = 0]}{\Pr[D(T) = 1 \mid x = 1]} = e^{\pm\epsilon} \pm \delta$.
Do such protocols imply KA? For what parameters?
For $f(x,y) = x \oplus y$, $\alpha = 2\epsilon^2$ follows info-theoretically.
Thm: For $f$, constant $\epsilon$, $\alpha = \Omega(\epsilon^2)$, DP $\Rightarrow$ KA.

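21 Proof: DP $\Rightarrow$ not uncorrelated $\Rightarrow$ KA
Convert DP into DKA that is correlated.
A, B choose inputs at random. A outputs $X$, B outputs $Y' = Y \oplus Z$.
$\Pr[X = Y'] = \Pr[Z = X \oplus Y] \ge \frac{1}{2} + \alpha$.
For every PPTM $D$: $\frac{\Pr[X = 0 \mid D(T) = 1]}{\Pr[X = 1 \mid D(T) = 1]} = \frac{\Pr[D(T) = 1 \mid X = 0]}{\Pr[D(T) = 1 \mid X = 1]} = e^{\pm\epsilon} \pm \delta$.
$\Rightarrow \Pr[X = 1 \mid D(T) = 1] = \frac{1}{2} \pm 2\epsilon$ (for small $\delta$).
If protocol is uncorrelated $\Rightarrow \forall T$, $p_A(T), p_B(T) = \frac{1}{2} \pm 3\epsilon$.
But then $\alpha = O(\epsilon^2)$ cannot be large, contradiction.
[Diagram: A holds $X$, B holds $Y$; transcript $Z, T$; A outputs $X$, B outputs $Y \oplus Z$.]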

22 Conclusion and open problems
Thm (Informal): For every polynomial time 2-party protocol $\Pi$, either, $\Pi$ is uncorrelated, or, $\Pi$ can be transformed into a key-agreement.
Open problems:
Remove caveats. Get forecasters with regards to distinguishers with negligible distinguishing prob. Have only one “infinitely often”.
Proof technique is “non-black box”. Is it necessary? Maybe useful in other settings?
Minimal assumptions for DP?

23 That’s it…

24 Transforming DKA to KA: Practice in info-theoretic setu
A, B (and unbounded eavesdrop.) E, receive $(X,Y,T)$ from some dist.
$\Pr[X = Y] \ge \frac{1}{2} + a$.
$\forall t$: $\Pr[X = 1 \mid T = t] \le s$.
Defective: $a < s$, but not r.r: $a > 2s^2$.
Goal: Design a KA protocol for A, B: In the end: agreement > security.
[Diagram: A holds $X$, B holds $Y$, “transcript” $T$.]

25 The one-sided vN-Protocol:
Follows as in vN-extractor: If we toss a bit $X$ with unknown bias $p$, two times:
$\Pr[X_1 = 0, X_2 = 1] = p \cdot (1-p) = \Pr[X_1 = 1, X_2 = 0]$ $\Rightarrow$ $\Pr[X_1 = 1 \mid X_1 \ne X_2] = \frac{1}{2}$.
The one-sided vN-Protocol: “Pull lever twice”.
A, B (and unbounded eavesdrop.) E, receive $(X,Y,T)$ from some dist.
$\Pr[X = Y] \ge \frac{1}{2} + a$.
$\forall t$: $\Pr[X = 1 \mid T = t] \le s$.
Defective: $a < s$, but not r.r: $a > 2s^2$.
Goal: Design a KA protocol for A, B: In the end: agreement > security.
$\Pr[X_1 = Y_1 \mid X_1 \ne X_2] \ge \frac{1}{2} + a - 2s^2$.
$\forall t_1, t_2$: $\Pr[X_1 = 1 \mid (T_1, T_2) = (t_1, t_2),\ X_1 \ne X_2] = \frac{1}{2}$.
[Diagram, annotated “unjustified simplifying assumption”: A holds $X_1, X_2$, B holds $Y_1, Y_2$, “transcript” $T_1, T_2$; if $X_1 = X_2$: abort; if $X_1 \ne X_2$: continue, with final outputs $X_1$ (A) and $Y_1$ (B).]

26 The one-sided vN-Protocol:
“Pull lever twice”.
A, B (and unbounded eavesdrop.) E, receive $(X,Y,T)$ from some dist.
$\Pr[X = Y] \ge \frac{1}{2} + a$.
$\forall t$: $\Pr[X = 1 \mid T = t] \le s$.
Given $t$, parties can approximate: $p_t = \Pr[X = 1 \mid T = t]$ (within $\pm\gamma$).
Prot. vN+: Pull lever until we get $t_1, t_2$ with $|p_{t_1} - p_{t_2}| \le \gamma$.
Cost: $\mathrm{poly}(\frac{1}{\gamma})$ invocations (affordable).
[Diagram, annotated “unjustified simplifying assumption”: A holds $X_1, X_2$, B holds $Y_1, Y_2$, “transcript” $T_1, T_2$; if $X_1 = X_2$: abort; if $X_1 \ne X_2$: continue, with final outputs $X_1$ (A) and $Y_1$ (B).]

27 Roadmap of proof for computational case: A competition of forecasters
Players: poly-time $F(t) = (p_A, p_B^0, p_B^1)$.
Set: $\mathrm{Price}(F)$ to incentivize $F$ to output:
$p_A(t) = \Pr[X = 1 \mid T = t]$.
$p_B^0(t) = \Pr[Y = 1 \mid T = t, X = 0]$.
$p_B^1(t) = \Pr[Y = 1 \mid T = t, X = 1]$.
Show: $\exists$ winner $F(t) = (p_A(t), p_B^0(t), p_B^1(t))$.
If except for very few $t$: $p_B^0(t) = p_B^1(t)$, use $F$ as Decr. $\mathrm{Decr}(t) = (p_A(t), p_B^0(t))$.
O.w. for notcbl. $G$ of $t$’s: $p_B^0(t) \ne p_B^1(t)$. Run vN+ on $G$. Use $p_A(t)$ as estimate for $\Pr[X = 1 \mid T = t]$. Get KA.
[Diagram: A and B run on security parameter $k$ with outputs $X_k$, $Y_k$ and transcript $T_k$; Decr outputs the numbers $p_A, p_B$.]

28 Roadmap of proof for computational case: A competition of forecasters
Players: poly-time $F(t) = (p_A, p_B^0, p_B^1)$.
Set: $\mathrm{Price}(F)$ to incentivize $F$ to output:
$p_A(t) = \Pr[X = 1 \mid T = t]$.
$p_B^0(t) = \Pr[Y = 1 \mid T = t, X = 0]$.
$p_B^1(t) = \Pr[Y = 1 \mid T = t, X = 1]$.
It can be the case that no poly-time machine can compute these quantities.
Show: $\exists$ winner $F(t) = (p_A(t), p_B^0(t), p_B^1(t))$.
Different $F$’s may focus on different $k$’s. Maybe larger poly $\Rightarrow$ better answer.
If except for very few $t$: $p_B^0(t) = p_B^1(t)$, use $F$ as Decr. $\mathrm{Decr}(t) = (p_A(t), p_B^0(t))$.
O.w. for notcbl. $G$ of $t$’s: $p_B^0(t) \ne p_B^1(t)$. Run vN+ on $G$. Use $p_A(t)$ as estimate for $\Pr[X = 1 \mid T = t]$. Get KA.
Show: If $\exists$ adversary $E$, that breaks vN+ on $G$, then using $E$, $F$ can be significantly improved.
Show: If $\exists$ distinguisher $D$, that breaks the simulation, then using $D$, $F$ can be significantly improved.
[Diagram: A and B run on security parameter $k$ with outputs $X_k$, $Y_k$ and transcript $T_k$.]

29 Conclusion and open problems
Thm (Informal): For every polynomial time 2-party protocol $\Pi$, either, $\Pi$ is uncorrelated, or, $\Pi$ can be transformed into a key-agreement.
Open problems:
Remove caveats. Get uncorrelated with regards to distinguishers with negligible distinguishing prob. Have only one “infinitely often”.
Proof technique is “non-black box”. Is it necessary? Maybe useful in other settings?
Minimal assumptions for DP?

30 That’s it…

31 Application: Nontrivial DP for XOR implies KA
PPT protocol $(A,B)$, each party has single bit input.
Goal: compute function $f(x,y)$.
Transcript contains an output bit $Z$.
Dfn: $(A,B)$ is $\alpha$-correct, $(\epsilon,\delta)$-differentially private for $f$:
Correctness. $\forall x,y$: $\Pr[Z = f(x,y)] \ge 1/2 + \alpha$.
Privacy of A. $\forall$ PPT $D$: $\frac{\Pr[D(\mathrm{view}_A) = 1 \mid y = 0]}{\Pr[D(\mathrm{view}_A) = 1 \mid y = 1]} = e^{\pm\epsilon} \pm \delta$.
[Diagram: A with input $x$, B with input $y$, output bit $Z$.]
Do such protocols imply KA? For what parameters?
For $f(x,y) = x \oplus y$:
$\alpha = 2\epsilon^2$ follows information theoretically.
$\alpha = \epsilon$, $\delta = \mathrm{negl}$, using oblivious transfer.
Thm: $\alpha = \Omega(\epsilon^2)$ (and $\delta = \epsilon^3$) implies key agreement.
Holds for privacy against external observer (for which key agreement is a sufficient condition).
Only for constant $\epsilon$.

32 Application: Nontrivial Fair Coin Flip implies KA
PPT protocol $(A,B)$.
Goal: output a common uniform bit.
Dfn: $(A,B)$ is $\epsilon$-fair coin flip, if $\forall$ PPT $A^*$ and $c \in \{0,1\}$: $\Pr[(A^*,B) = (\cdot,c)] \le \frac{1}{2} + \epsilon$.
[Diagram: A and B, common output $c$.]
Do such protocols imply KA? For what parameters?
For $r$-round protocols:
$\frac{1}{r}$-fair using one-way functions [Awerbuch et al ‘86].
$\frac{1}{r}$-fair using oblivious transfer [Moran-Naor-Segev ‘09].
Thm [H-Makriyannis,Omri ‘18]: $o(\frac{1}{r})$-fair implies key agreement.
Holds for constant $r$.

