Computational Two-Party Correlation: A Dichotomy for Key-Agreement Protocols
Abstract
Let be an efficient two-party protocol that given security parameter , both parties output single bits and , respectively. We are interested in how "appears" to an efficient adversary that only views the transcript . We make the following contributions: We develop new tools to argue about this loose notion and show (modulo some caveats) that for every such protocol , there exists an efficient simulator such that the following holds: on input , the simulator outputs a pair such that is (somewhat) computationally indistinguishable from . We use these tools to prove the following dichotomy theorem: every such protocol is: - either uncorrelated -- it is (somewhat) indistinguishable from an efficient protocol whose parties interact to produce , but then choose their outputs independently from some product distribution (that is determined in poly-time from ), - or, the protocol implies a key-agreement protocol (for infinitely many 's). Uncorrelated protocols are uninteresting from a cryptographic viewpoint, as the correlation between outputs is (computationally) trivial. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement. We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function. A subsequent work of Haitner et al. uses the above dichotomy to makes progress on a longstanding open question regarding the complexity of fair two-party coin-flipping protocols.
Cite
@article{arxiv.2105.00765,
title = {Computational Two-Party Correlation: A Dichotomy for Key-Agreement Protocols},
author = {Iftach Haitner and Kobbi Nissim and Eran Omri and Ronen Shaltiel and Jad Silbak},
journal= {arXiv preprint arXiv:2105.00765},
year = {2021}
}
Comments
A preliminary version appeared in FOCS 2018. Published in SIAM Journal on Computing 2020