Let be an e cient two-party protocol that given security parameter , both parties outputsingle bits X and Y , respectively. We are interested in how (X ; Y ) ppears" to an e cientadversary that only views the transcript T . We make the following contributions: We develop new tools to argue about this loose notion, and show (modulo some caveats)that for every such protocol , there exists an e cient simulator such that the follow-ing holds: on input T , the simulator outputs a pair (X0 ; Y 0 ) such that (X0 ; Y 0 ; T ) is(somewhat) computationally indistinguishable from (X ; Y ; T ). We use these tools to prove the following dichotomy theorem: every such protocol is:{ either uncorrelated | it is (somewhat) indistinguishable from an e cient protocolwhose parties interact to produce T , but then choose their outputs independentlyfrom some product distribution (that is determined in poly-time from T ),{ or, the protocol implies a key-agreement protocol (for in nitely many ).Uncorrelated protocols are completely uninteresting from a cryptographic viewpoint, asthe correlation between outputs is uninteresting. Our dichotomy shows that every protocolis either completely uninteresting or implies key-agreement. We use the above dichotomy to make progress on open problems on minimal cryptographicassumptions required for di erentially private mechanisms for the XOR function. A subsequent work of Haitner et al. uses the above dichotomy to makes progress on a long-standing open question regarding the complexity of fair two-party coin-ipping protocols.We highlight the following two ideas regarding our technique: The simulator algorithm is obtained by a carefully designed competition" between e cientalgorithms attempting to forecast ((X ; Y )jT = t). The winner is used to simulate theoutputs of the protocol. To the best of our knowledge, this idea has not been used before(at least in this context). Our key-agreement protocol uses the simulation to reduce to an information theoreticsetup, and is in some sense non-black box.
展开▼
机译:设给定安全参数的有效的两方协议,双方分别输出X位和Y位。我们对(X; Y)仅出现在仅查看成绩单T的一位科学对手看来很感兴趣。我们做出了以下贡献:我们开发了新的工具来争论这个松散的概念,并表明(对某些警告进行模化)在每个这样的协议中,都有一个有效的模拟器,其结果如下:在输入T上,模拟器输出一对(X0; Y 0),使得(X0; Y 0; T)在某种程度上与(X; Y; T)。我们使用这些工具来证明以下二分定理:每个这样的协议是:{要么不相关|它与某种有效的协议(在某种程度上是不可区分的),有效的协议是各方相互作用来产生T的,但是然后选择它们的输出不依赖于某些产品的分配(取决于T的多时决定),{或该协议暗含了密钥协商协议(对于很多协议而言)。从加密的角度来看,不相关的协议完全不感兴趣,因为输出之间的相关性不重要O二分法表明,每个协议要么完全不有趣,要么暗示密钥协议。我们使用上述二分法在XOR函数的不同私有机制所需的最小密码假设的开放问题上取得进展。 Haitner等人的后续工作。使用上述二分法,在一个长期存在的关于公平的两方投币协议的复杂性的悬而未决的问题上取得了进展。我们着重介绍了有关我们技术的以下两个思想:模拟器算法是通过精心设计的“竞争”获得的。尝试进行预测的算法((X; Y)jT = t)。优胜者用于模拟协议的输出,据我们所知,以前(至少在这种情况下)未曾使用过这种思想。密钥协商协议使用模拟来简化为信息理论设置,并且在某种意义上是非黑匣子。
展开▼
