-
On the Complexity of Two-Party Differential Privacy
Authors:
Iftach Haitner,
Noam Mazor,
Jad Silbak,
Eliad Tsfadia
Abstract:
In distributed differential privacy, the parties perform analysis over their joint data while preserving the privacy for both datasets. Interestingly, for a few fundamental two-party functions such as inner product and Hamming distance, the accuracy of the distributed solution lags way behind what is achievable in the client-server setting. McGregor, Mironov, Pitassi, Reingold, Talwar, and Vadhan [FOCS '10] proved that this gap is inherent, showing upper bounds on the accuracy of (any) distributed solution for these functions. These limitations can be bypassed when settling for computational differential privacy, where the data is differentially private only in the eyes of a computationally bounded observer, using public-key cryptography primitives.
We prove that the use of public-key cryptography is necessary for bypassing the limitation of McGregor et al., showing that a non-trivial solution for the inner-product, or the Hamming distance, implies the existence of a key-agreement protocol. Our bound implies a combinatorial proof for the fact that non-Boolean inner product of independent (strong) Santha-Vazirani sources is a good condenser. We obtain our main result by showing that the inner-product of a (single, strong) SV source with a uniformly random seed is a good condenser, even when the seed and source are dependent.
Submitted 17 June, 2022; v1 submitted 17 August, 2021;
originally announced August 2021.
-
On the Communication Complexity of Key-Agreement Protocols
Authors:
Iftach Haitner,
Noam Mazor,
Rotem Oshman,
Omer Reingold,
Amir Yehudayoff
Abstract:
Key-agreement protocols whose security is proven in the random oracle model are an important alternative to protocols based on public-key cryptography. In the random oracle model, the parties and the eavesdropper have access to a shared random function (an "oracle"), but the parties are limited in the number of queries they can make to the oracle. The random oracle serves as an abstraction for black-box access to a symmetric cryptographic primitive, such as a collision resistant hash. Unfortunately, as shown by Impagliazzo and Rudich [STOC '89] and Barak and Mahmoody [Crypto '09], such protocols can only guarantee limited secrecy: the key of any $\ell$-query protocol can be revealed by an $O(\ell^2)$-query adversary. This quadratic gap between the query complexity of the honest parties and the eavesdropper matches the gap obtained by the Merkle's Puzzles protocol of Merkle [CACM '78].
In this work we tackle a new aspect of key-agreement protocols in the random oracle model: their communication complexity. In Merkle's Puzzles, to obtain secrecy against an eavesdropper that makes roughly $\ell^2$ queries, the honest parties need to exchange $Ω(\ell)$ bits. We show that for protocols with certain natural properties, ones that Merkle's Puzzle has, such high communication is unavoidable. Specifically, this is the case if the honest parties' queries are uniformly random, or alternatively if the protocol uses non-adaptive queries and has only two rounds. Our proof for the first setting uses a novel reduction from the set-disjointness problem in two-party communication complexity. For the second setting we prove the lower bound directly, using information-theoretic arguments.
Submitted 6 May, 2021; v1 submitted 5 May, 2021;
originally announced May 2021.
-
Inaccessible Entropy II: IE Functions and Universal One-Way Hashing
Authors:
Iftach Haitner,
Thomas Holenstein,
Omer Reingold,
Salil Vadhan,
Hoeteck Wee
Abstract:
This paper uses a variant of the notion of \emph{inaccessible entropy} (Haitner, Reingold, Vadhan and Wee, STOC 2009), to give an alternative construction and proof for the fundamental result, first proved by Rompel (STOC 1990), that \emph{Universal One-Way Hash Functions (UOWHFs)} can be based on any one-way function. We observe that a small tweak of any one-way function $f$ is already a weak form of a UOWHF: consider the function $F(x,i)$ that returns the $i$-bit-long prefix of $f(x)$. If $F$ were a UOWHF then given a random $x$ and $i$ it would be hard to come up with $x'\neq x$ such that $F(x,i)=F(x',i)$. While this may not be the case, we show (rather easily) that it is hard to sample $x'$ with almost full entropy among all the possible such values of $x'$. The rest of our construction simply amplifies and exploits this basic property. Combined with other recent work, the construction of three fundamental cryptographic primitives (Pseudorandom Generators, Statistically Hiding Commitments and UOWHFs) out of one-way functions is now to a large extent unified. In particular, all three constructions rely on and manipulate computational notions of entropy in similar ways. Pseudorandom Generators rely on the well-established notion of pseudoentropy, whereas Statistically Hiding Commitments and UOWHFs rely on the newer notion of inaccessible entropy.
Submitted 4 May, 2021;
originally announced May 2021.
-
Finding Collisions in Interactive Protocols -- Tight Lower Bounds on the Round and Communication Complexities of Statistically Hiding Commitments
Authors:
Iftach Haitner,
Jonathan J. Hoch,
Omer Reingold,
Gil Segev
Abstract:
We study the round and communication complexities of various cryptographic protocols. We give tight lower bounds on the round and communication complexities of any fully black-box reduction of a statistically hiding commitment scheme from one-way permutations, and from trapdoor permutations. As a corollary, we derive similar tight lower bounds for several other cryptographic protocols, such as single-server private information retrieval, interactive hashing, and oblivious transfer that guarantees statistical security for one of the parties. Our techniques extend the collision-finding oracle due to Simon (EUROCRYPT '98) to the setting of interactive protocols and the reconstruction paradigm of Gennaro and Trevisan (FOCS '00).
Submitted 4 May, 2021;
originally announced May 2021.
-
Hardness-Preserving Reductions via Cuckoo Hashing
Authors:
Itay Berman,
Iftach Haitner,
Ilan Komargodski,
Moni Naor
Abstract:
The focus of this work is \emph{hardness-preserving} transformations of somewhat limited pseudorandom function families (PRFs) into ones with more versatile characteristics. Consider the problem of \emph{domain extension} of pseudorandom functions: given a PRF that takes as input elements of some domain $U$, we would like to come up with a PRF over a larger domain. Can we do it with little work and without significantly impacting the security of the system? One approach is to first hash the larger domain into the smaller one and then apply the original PRF. Such a reduction, however, is vulnerable to a "birthday attack": after $\sqrt{|U|}$ queries to the resulting PRF, a collision (i.e., two distinct inputs having the same hash value) is very likely to occur. As a consequence, the resulting PRF is \emph{insecure} against an attacker making this number of queries. In this work we show how to go beyond the aforementioned birthday attack barrier by replacing the above simple hashing approach with a variant of \textit{cuckoo hashing}, a hashing paradigm that resolves collisions in a table by using two hash functions and two tables, cleverly assigning each element to one of the two tables. We use this approach to obtain: (i) a domain extension method that requires {\em just two calls} to the original PRF, can withstand as many queries as the original domain size, and has a distinguishing probability that is exponentially small in the amount of non-cryptographic work; and (ii) a {\em security-preserving} reduction from non-adaptive to adaptive PRFs.
Submitted 4 May, 2021;
originally announced May 2021.
-
Coin Flipping of \emph{Any} Constant Bias Implies One-Way Functions
Authors:
Itay Berman,
Iftach Haitner,
Aris Tentes
Abstract:
We show that the existence of a coin-flipping protocol safe against \emph{any} non-trivial constant bias (e.g., $.499$) implies the existence of one-way functions. This improves upon a recent result of Haitner and Omri [FOCS '11], who proved this implication for protocols with bias $\frac{\sqrt2 -1}2 - o(1) \approx .207$. Unlike the result of Haitner and Omri, our result also holds for \emph{weak} coin-flipping protocols.
Submitted 4 May, 2021;
originally announced May 2021.
-
From Fairness to Full Security in Multiparty Computation
Authors:
Ran Cohen,
Iftach Haitner,
Eran Omri,
Lior Rotem
Abstract:
In the setting of secure multiparty computation (MPC), a set of mutually distrusting parties wish to jointly compute a function, while guaranteeing the privacy of their inputs and the correctness of the output. An MPC protocol is called \emph{fully secure} if no adversary can prevent the honest parties from obtaining their outputs. A protocol is called \emph{fair} if an adversary can prematurely abort the computation, however, only before learning any new information.
We present highly efficient transformations from fair computations to fully secure computations, assuming the fraction of honest parties is constant (e.g., $1\%$ of the parties are honest). Compared to previous transformations that require linear invocations (in the number of parties) of the fair computation, our transformations require super-logarithmic, and sometimes even super-constant, such invocations. The main idea is to delegate the computation to chosen random committees that invoke the fair computation. Apart from the benefit of uplifting security, the reduction in the number of parties is also useful, since only committee members are required to work, whereas the remaining parties simply "listen" to the computation over a broadcast channel.
Submitted 6 May, 2021; v1 submitted 3 May, 2021;
originally announced May 2021.
-
An Almost-Optimally Fair Three-Party Coin-Flipping Protocol
Authors:
Iftach Haitner,
Eliad Tsfadia
Abstract:
In a multiparty fair coin-flipping protocol, the parties output a common (close to) unbiased bit, even when some corrupted parties try to bias the output. Cleve [STOC 1986] has shown that in the case of dishonest majority (i.e., at least half of the parties can be corrupted), in any $m$-round coin-flipping protocol the corrupted parties can bias the honest parties' common output bit by $Ω(\frac1{m})$. For more than two decades the best known coin-flipping protocols against dishonest majority had bias $Θ(\frac{\ell}{\sqrt{m}})$, where $\ell$ is the number of corrupted parties. This was changed by a recent breakthrough result of Moran et al. [TCC 2009], who constructed an $m$-round, two-party coin-flipping protocol with optimal bias $Θ(\frac1{m})$. In a subsequent work, Beimel et al. [Crypto 2010] extended this result to the multiparty case in which less than $\frac23$ of the parties can be corrupted. Still, for the case of $\frac23$ (or more) corrupted parties, the best known protocol had bias $Θ(\frac{\ell}{\sqrt{m}})$. In particular, this was the state of affairs for the natural three-party case.
We make a step towards eliminating the above gap, presenting an $m$-round, three-party coin-flipping protocol with bias $\frac{O(\log^3 m)}m$. Our approach (which we also apply to the two-party case) does not follow the "threshold round" paradigm used in the work of Moran et al. and Beimel et al., but rather is a variation of the majority protocol of Cleve, used to obtain the aforementioned $Θ(\frac{\ell}{\sqrt{m}})$-bias protocol.
Submitted 4 May, 2021; v1 submitted 3 May, 2021;
originally announced May 2021.
-
A Tight Parallel Repetition Theorem for Partially Simulatable Interactive Arguments via Smooth KL-Divergence
Authors:
Itay Berman,
Iftach Haitner,
Eliad Tsfadia
Abstract:
Hardness amplification is a central problem in the study of interactive protocols. While the "natural" parallel repetition transformation is known to reduce the soundness error of some special cases of interactive arguments, namely three-message protocols and public-coin protocols, it fails to do so in the general case.
The only known round-preserving approach that applies to all interactive arguments is Haitner's random-terminating transformation [SICOMP '13], who showed that the parallel repetition of the transformed protocol reduces the soundness error at a weak exponential rate: if the original $m$-round protocol has soundness error $1-p$, then the $n$-parallel repetition of its random-terminating variant has soundness error $(1-p)^{p n / m^4}$ (omitting constant factors). Hastad et al. [TCC '10] have generalized this result to partially simulatable interactive arguments, showing that the $n$-fold repetition of an $m$-round $δ$-simulatable argument of soundness error $1-p$ has soundness error $(1-p)^{p δ^2 n / m^2}$. When applied to random-terminating arguments, the Hastad et al. bound matches that of Haitner.
In this work we prove that parallel repetition of random-terminating arguments reduces the soundness error at a much stronger exponential rate: the soundness error of the $n$ parallel repetition is $(1-p)^{n / m}$, only an $m$ factor from the optimal rate of $(1-p)^n$ achievable in public-coin and three-message arguments. The result generalizes to $δ$-simulatable arguments, for which we prove a bound of $(1-p)^{δn / m}$. This is achieved by presenting a tight bound on a relaxed variant of the KL-divergence between the distribution induced by our reduction and its ideal variant, a result whose scope extends beyond parallel repetition proofs. We prove the tightness of the above bound for random-terminating arguments, by presenting a matching protocol.
Submitted 3 May, 2021;
originally announced May 2021.
-
On the Complexity of Fair Coin Flipping
Authors:
Iftach Haitner,
Nikolaos Makriyannis,
Eran Omri
Abstract:
A two-party coin-flipping protocol is $ε$-fair if no efficient adversary can bias the output of the honest party (who always outputs a bit, even if the other party aborts) by more than $ε$. Cleve [STOC '86] showed that $r$-round $o(1/r)$-fair coin-flipping protocols do not exist. Awerbuch, Blum, Chor, Goldwasser, and Micali [Manuscript '85] constructed a $Θ(1/\sqrt{r})$-fair coin-flipping protocol, assuming the existence of one-way functions. Moran, Naor, and Segev [Journal of Cryptology '16] constructed an $r$-round coin-flipping protocol that is $Θ(1/r)$-fair (thus matching the aforementioned lower bound of Cleve [STOC '86]), assuming the existence of oblivious transfer.
The above gives rise to the intriguing question of whether oblivious transfer, or more generally "public-key primitives," is required for an $o(1/\sqrt r)$-fair coin-flipping protocol. We make a different kind of progress towards answering the question by showing that, for any constant $r\in \mathbb{N}$, the existence of a $1/(c\cdot \sqrt{r})$-fair, $r$-round coin-flipping protocol implies the existence of an infinitely-often key-agreement protocol, where $c$ denotes some universal constant (independent of $r$). Our reduction is \emph{non} black-box and makes a novel use of the recent dichotomy for two-party protocols of Haitner, Nissim, Omri, Shaltiel, and Silbak [FOCS '18] to facilitate a two-party variant of the recent attack of Beimel, Haitner, Makriyannis, and Omri [FOCS '18] on multi-party coin-flipping protocols.
Submitted 3 May, 2021;
originally announced May 2021.
-
Channels of Small Log-Ratio Leakage and Characterization of Two-Party Differentially Private Computation
Authors:
Iftach Haitner,
Noam Mazor,
Ronen Shaltiel,
Jad Silbak
Abstract:
Consider a PPT two-party protocol $π=(A,B)$ in which the parties get no private inputs and obtain outputs $O^A,O^B\in \{0,1\}$, and let $V^A$ and $V^B$ denote the parties' individual views. Protocol $π$ has $α$-agreement if $\Pr[O^A=O^B]=1/2+α$. The leakage of $π$ is the amount of information a party obtains about the event $\{O^A=O^B\}$; that is, the leakage $ε$ is the maximum, over $P\in\{A,B\}$, of the distance between $V^P|_{O^A=O^B}$ and $V^P|_{O^A\neq O^B}$. Typically, this distance is measured in statistical distance, or, in the computational setting, in computational indistinguishability. For this choice, Wullschleger [TCC '09] showed that if $α\gg ε$ then the protocol can be transformed into an OT protocol.
We consider measuring the protocol leakage by the log-ratio distance (which was popularized by its use in the differential privacy framework). The log-ratio distance between $X$ and $Y$ over domain $Ω$ is the minimal $ε>0$ for which, for every $v\in Ω$, $\log(\Pr[X=v]/\Pr[Y=v])\in [-ε,ε]$. In the computational setting, we use computational indistinguishability from having log-ratio distance $ε$. We show that a protocol with (noticeable) accuracy $α\in Ω(ε^2)$ can be transformed into an OT protocol (note that this allows $ε\gg α$). We complete the picture, in this respect, showing that a protocol with $α\in o(ε^2)$ does not necessarily imply OT. Our results hold for both the information-theoretic and the computational settings, and can be viewed as a "fine grained" approach to "weak OT amplification".
We then use the above result to fully characterize the complexity of differentially private two-party computation for the XOR function, answering the open question put by Goyal, Khurana, Mironov, Pandey, and Sahai [ICALP 16] and Haitner, Nissim, Omri, Shaltiel, and Silbak [FOCS 18].
Submitted 9 May, 2021; v1 submitted 3 May, 2021;
originally announced May 2021.
-
Computational Two-Party Correlation: A Dichotomy for Key-Agreement Protocols
Authors:
Iftach Haitner,
Kobbi Nissim,
Eran Omri,
Ronen Shaltiel,
Jad Silbak
Abstract:
Let $π$ be an efficient two-party protocol that given security parameter $κ$, both parties output single bits $X_κ$ and $Y_κ$, respectively. We are interested in how $(X_κ,Y_κ)$ "appears" to an efficient adversary that only views the transcript $T_κ$. We make the following contributions:
$\bullet$ We develop new tools to argue about this loose notion and show (modulo some caveats) that for every such protocol $π$, there exists an efficient simulator such that the following holds: on input $T_κ$, the simulator outputs a pair $(X'_κ,Y'_κ)$ such that $(X'_κ,Y'_κ,T_κ)$ is (somewhat) computationally indistinguishable from $(X_κ,Y_κ,T_κ)$.
$\bullet$ We use these tools to prove the following dichotomy theorem: every such protocol $π$ is:
- either uncorrelated -- it is (somewhat) indistinguishable from an efficient protocol whose parties interact to produce $T_κ$, but then choose their outputs independently from some product distribution (that is determined in poly-time from $T_κ$),
- or, the protocol implies a key-agreement protocol (for infinitely many $κ$'s).
Uncorrelated protocols are uninteresting from a cryptographic viewpoint, as the correlation between outputs is (computationally) trivial. Our dichotomy shows that every protocol is either completely uninteresting or implies key-agreement.
$\bullet$ We use the above dichotomy to make progress on open problems on minimal cryptographic assumptions required for differentially private mechanisms for the XOR function.
$\bullet$ A subsequent work of Haitner et al. uses the above dichotomy to make progress on a longstanding open question regarding the complexity of fair two-party coin-flipping protocols.
Submitted 5 May, 2021; v1 submitted 3 May, 2021;
originally announced May 2021.
-
Lower Bounds on the Time/Memory Tradeoff of Function Inversion
Authors:
Dror Chawin,
Iftach Haitner,
Noam Mazor
Abstract:
We study time/memory tradeoffs of function inversion: an algorithm, i.e., an inverter, equipped with an $s$-bit advice on a randomly chosen function $f : [n] \to [n]$ and using $q$ oracle queries to $f$, tries to invert a randomly chosen output $y$ of $f$, i.e., to find $x\in f^{-1}(y)$. Much progress was made regarding adaptive function inversion, where the inverter is allowed to make adaptive oracle queries. Hellman [IEEE Transactions on Information Theory '80] presented an adaptive inverter that inverts a random $f$ with high probability. Fiat and Naor [SICOMP '00] proved that for any $s$, $q$ with $s^3q = n$ (ignoring low-order terms), an $s$-advice, $q$-query variant of Hellman's algorithm inverts a constant fraction of the image points of any function. Yao [STOC '90] proved a lower bound of $sq \geq n$ for this problem. Closing the gap between the above lower and upper bounds is a long-standing open question. Very little is known for the non-adaptive variant of the question. The only known upper bounds, i.e., inverters, are the trivial ones (with $s+q = n$), and the only lower bound is the above bound of Yao. In a recent work, Corrigan-Gibbs and Kogan [TCC '19] partially justified the difficulty of finding lower bounds on non-adaptive inverters, showing that a lower bound on the time/memory tradeoff of non-adaptive inverters implies a lower bound on low-depth Boolean circuits, bounds that, for a strong enough choice of parameters, are notoriously hard to prove. We make progress on the above intriguing question, both for the adaptive and the non-adaptive case, proving the following lower bounds on restricted families of inverters.
Submitted 9 May, 2021; v1 submitted 3 May, 2021;
originally announced May 2021.
-
Tighter Bounds on Multi-Party Coin Flipping via Augmented Weak Martingales and Differentially Private Sampling
Authors:
Amos Beimel,
Iftach Haitner,
Nikolaos Makriyannis,
Eran Omri
Abstract:
In his seminal work, Cleve [STOC '86] proved that any $r$-round coin-flipping protocol can be efficiently biased by $Θ(1/r)$. This lower bound was met for the two-party case by Moran, Naor, and Segev [Journal of Cryptology '16], and for the three-party case (up to a $polylog$ factor) by Haitner and Tsfadia [SICOMP '17], and was approached for $n$-party protocols when $n< \log\log r$ by Buchbinder, Haitner, Levi, and Tsfadia [SODA '17]. For $n> \log\log r$, however, the best bias for $n$-party coin-flipping protocols remains $O(n/\sqrt{r})$, achieved by the majority protocol of Awerbuch, Blum, Chor, Goldwasser, and Micali [Manuscript '85].
Our main result is a tighter lower bound on the bias of coin-flipping protocols, showing that, for every constant $ε>0$, an $r^ε$-party $r$-round coin-flipping protocol can be efficiently biased by $\widetilde{Ω}(1/\sqrt{r})$. As far as we know, this is the first improvement of Cleve's bound, and is only $n=r^ε$ (multiplicative) far from the aforementioned upper bound of Awerbuch et al.
Submitted 3 May, 2021;
originally announced May 2021.
-
Characterization of Secure Multiparty Computation Without Broadcast
Authors:
Ran Cohen,
Iftach Haitner,
Eran Omri,
Lior Rotem
Abstract:
A major challenge in the study of cryptography is characterizing the necessary and sufficient assumptions required to carry out a given cryptographic task. The focus of this work is the necessity of a broadcast channel for securely computing symmetric functionalities (where all the parties receive the same output) when one third of the parties, or more, might be corrupted. Assuming all parties are connected via a peer-to-peer network, but no broadcast channel (nor a secure setup phase) is available, we prove the following characterization:
1) A symmetric $n$-party functionality can be securely computed facing $n/3\le t<n/2$ corruptions (i.e., honest majority), if and only if it is \emph{$(n-2t)$-dominated}; a functionality is $k$-dominated if \emph{any} $k$-size subset of its input variables can be set to \emph{determine} its output.
2) Assuming the existence of one-way functions, a symmetric $n$-party functionality can be securely computed facing $t\ge n/2$ corruptions (i.e., no honest majority), if and only if it is $1$-dominated and can be securely computed with broadcast.
It follows that, in case a third of the parties might be corrupted, broadcast is necessary for securely computing non-dominated functionalities (in which "small" subsets of the inputs cannot determine the output), including, as interesting special cases, the Boolean XOR and coin-flipping functionalities.
Submitted 4 May, 2021; v1 submitted 3 May, 2021;
originally announced May 2021.
-
Distributional Collision Resistance Beyond One-Way Functions
Authors:
Nir Bitansky,
Iftach Haitner,
Ilan Komargodski,
Eylon Yogev
Abstract:
Distributional collision resistance is a relaxation of collision resistance that only requires that it is hard to sample a collision $(x,y)$ where $x$ is uniformly random and $y$ is uniformly random conditioned on colliding with $x$. The notion lies between one-wayness and collision resistance, but its exact power is still not well-understood. On one hand, distributional collision resistant hash functions cannot be built from one-way functions in a black-box way, which may suggest that they are stronger. On the other hand, so far, they have not yielded any applications beyond one-way functions.
Assuming distributional collision resistant hash functions, we construct \emph{constant-round} statistically hiding commitment scheme. Such commitments are not known based on one-way functions and are impossible to obtain from one-way functions in a black-box way. Our construction relies on the reduction from inaccessible entropy generators to statistically hiding commitments by Haitner et al.\ (STOC '09). In the converse direction, we show that two-message statistically hiding commitments imply distributional collision resistance, thereby establishing a loose equivalence between the two notions.
A corollary of the first result is that constant-round statistically hiding commitments are implied by average-case hardness in the class $SZK$ (which is known to imply distributional collision resistance). This implication seems to be folklore, but to the best of our knowledge has not been proven explicitly. We provide yet another proof of this implication, which is arguably more direct than the one going through distributional collision resistance.
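The collision distribution in the definition above, made concrete on a toy hash. This is an added example, not code from the paper: the hash (SHA-256 truncated to 8 bits over 10-bit inputs) and the candidate samplers are assumptions chosen so that every preimage set can be enumerated and the statistical distance to the target distribution Col(h) computed exactly. The two non-oracle samplers show why the definition is about statistical closeness: outputting (x, x) is always a "collision" yet sits at distance 1 - |Im(h)|/2^n from Col(h), and a finder that breaks plain collision resistance by always returning one fixed pair is at distance essentially 1.

```python
"""Distributional collisions for a toy compressing hash, with the exact
statistical distance between Col(h) and a few candidate samplers.

Added example; not code from the paper. The hash h is an assumption for
illustration: SHA-256 of an N_IN-bit input, truncated to N_OUT bits, so that
h is compressing and its preimage sets can be enumerated by brute force.
"""
import hashlib
from collections import defaultdict
from fractions import Fraction

N_IN, N_OUT = 10, 8   # 10-bit inputs, 8-bit outputs: about 4 preimages per image


def h(x: int) -> int:
    """Toy hash (assumption): SHA-256 of the N_IN-bit input, truncated to N_OUT bits."""
    digest = hashlib.sha256(x.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << N_OUT) - 1)


def preimage_table():
    """Map each image z to the list of all x with h(x) = z."""
    table = defaultdict(list)
    for x in range(1 << N_IN):
        table[h(x)].append(x)
    return table


def target_distribution(table):
    """Col(h): x uniform, y uniform in h^{-1}(h(x)); exact probability of each pair."""
    dist = {}
    for xs in table.values():
        k = len(xs)
        for x in xs:
            for y in xs:
                dist[(x, y)] = Fraction(1, (1 << N_IN) * k)
    return dist


def identity_sampler():
    """Trivial sampler: (x, x) for uniform x. A collision, but a degenerate one."""
    return {(x, x): Fraction(1, 1 << N_IN) for x in range(1 << N_IN)}


def fixed_collision_sampler(table):
    """A collision finder that breaks plain CR: always returns one fixed pair x != y."""
    xs = next(v for v in table.values() if len(v) >= 2)
    return {(xs[0], xs[1]): Fraction(1)}


def statistical_distance(p, q) -> Fraction:
    """SD(p, q) = (1/2) * sum over pairs of |p - q|, computed exactly."""
    keys = set(p) | set(q)
    return sum(abs(p.get(k, 0) - q.get(k, 0)) for k in keys) / 2


def distances():
    """Distance of each sampler from Col(h), plus |Im(h)| for the closed form."""
    table = preimage_table()
    target = target_distribution(table)
    return {
        "oracle": statistical_distance(target, target),
        "identity": statistical_distance(target, identity_sampler()),
        "fixed": statistical_distance(target, fixed_collision_sampler(table)),
        "num_images": len(table),
    }


if __name__ == "__main__":
    for name, value in distances().items():
        print(f"{name:>10}: {value}")
```

The "oracle" sampler is the one with full preimage tables, i.e. an inverter; it reaches distance 0, which is why distributional collision resistance is at least as strong as one-wayness. The identity sampler's distance equals 1 - |Im(h)|/2^n, so for a one-bit-compressing hash the trivial sampler already gets within distance about 1/2, and the hardness in the definition has to be stated as a non-negligible distance rather than as "no collision at all".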
Submitted 3 May, 2021;
originally announced May 2021.
-
Fair Coin Flipping: Tighter Analysis and the Many-Party Case
Authors:
Niv Buchbinder,
Iftach Haitner,
Nissan Levi,
Eliad Tsfadia
Abstract:
In a multi-party fair coin-flipping protocol, the parties output a common (close to) unbiased bit, even when some adversarial parties try to bias the output. In this work we focus on the case of an arbitrary number of corrupted parties. Cleve [STOC 1986] has shown that in any such $m$-round coin-flipping protocol, the corrupted parties can bias the honest parties' common output bit by $Θ(1/m)$. For more than two decades, the best known coin-flipping protocol was the one of Awerbuch et al. [Manuscript 1985], who presented a $t$-party, $m$-round protocol with bias $Θ(t/\sqrt{m})$. This was changed by the breakthrough result of Moran et al. [TCC 2009], who constructed an $m$-round, two-party coin-flipping protocol with optimal bias $Θ(1/m)$. Haitner and Tsfadia [STOC 2014] constructed an $m$-round, three-party coin-flipping protocol with bias $O(\log^3m / m)$. Still for the case of more than three parties, the best known protocol remained the $Θ(t/\sqrt{m})$-bias protocol of Awerbuch et al.
We make a step towards eliminating the above gap, presenting a $t$-party, $m$-round coin-flipping protocol, with bias $O(\frac{t^4 \cdot 2^t \cdot \sqrt{\log m}}{m^{1/2+1/\left(2^{t-1}-2\right)}})$ for any $t\le \tfrac12 \log\log m$. This improves upon the $Θ(t/\sqrt{m})$-bias protocol of Awerbuch et al., and in particular, for $t\in O(1)$ it is a $1/m^{\frac12 + Θ(1)}$-bias protocol. For the three-party case, it is an $O(\sqrt{\log m}/m)$-bias protocol, improving over the $O(\log^3m / m)$-bias protocol of Haitner and Tsfadia.
Our protocol generalizes that of Haitner and Tsfadia, by presenting an appropriate recovery protocol for the remaining parties to interact in, in the case that some parties abort or are caught cheating. We prove the fairness of the new protocol by presenting a new paradigm for analyzing fairness of coin-flipping protocols.
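Where the $Θ(1/\sqrt{m})$ of the Awerbuch et al. style majority protocol comes from, computed rather than stated. This is an added example, not code from the paper, and it uses an idealised two-party model that is an assumption: in each of the $m$ rounds the parties obtain a fresh uniform coin, the corrupted party learns the coin before the honest party does, and it may abort at most once, after which the honest party replaces that coin and every later coin with its own local uniform coins and outputs the majority of the $m$ coins. The dynamic program below computes the optimal fail-stop adversary's bias exactly, so the $1/\sqrt{m}$ decay can be checked numerically against the $Θ(1/m)$ lower bound of Cleve quoted above.

```python
"""Optimal fail-stop bias against an m-round majority coin-flipping protocol,
computed exactly by dynamic programming over (rounds seen, ones seen).

Added example; not code from the paper. Idealised model (an assumption):
coins c_1..c_m are uniform, the corrupted party sees c_i before the honest
party, may abort at most once, and on abort the honest party re-samples c_i
and all later coins locally. Honest output = majority of the m coins (m odd).
"""
from fractions import Fraction
from functools import lru_cache
from math import comb, sqrt


def majority_prob(remaining: int, ones: int, threshold: int) -> Fraction:
    """Pr[ones + Bin(remaining, 1/2) >= threshold]: output 1 with no interference."""
    need = max(threshold - ones, 0)
    if need > remaining:
        return Fraction(0)
    favourable = sum(comb(remaining, k) for k in range(need, remaining + 1))
    return Fraction(favourable, 2 ** remaining)


def optimal_bias(m: int) -> Fraction:
    """Bias towards 1 achieved by the best single-abort adversary, as an exact rational."""
    if m % 2 == 0 or m < 1:
        raise ValueError("m must be odd and positive")
    threshold = (m + 1) // 2

    @lru_cache(maxsize=None)
    def value(i: int, ones: int) -> Fraction:
        # Pr[output 1] after i rounds with `ones` ones seen and the abort still
        # available, under the optimal continuation strategy.
        if i == m:
            return Fraction(1 if ones >= threshold else 0)
        # Aborting on c_{i+1} discards it: all remaining m-i coins become uniform.
        abort_now = majority_prob(m - i, ones, threshold)
        see_one = max(value(i + 1, ones + 1), abort_now)   # never worth aborting
        see_zero = max(value(i + 1, ones), abort_now)      # abort if the 0 hurts enough
        return (see_one + see_zero) / 2

    return value(0, 0) - Fraction(1, 2)


def scaled_bias(m: int) -> float:
    """bias * sqrt(m); roughly constant if the bias decays like 1/sqrt(m)."""
    return float(optimal_bias(m)) * sqrt(m)


if __name__ == "__main__":
    for m in (1, 3, 11, 51, 101, 201):
        b = optimal_bias(m)
        print(f"m={m:4d}  bias={float(b):.4f}  bias*sqrt(m)={scaled_bias(m):.3f}"
              f"  Cleve-style 1/m reference={1 / m:.4f}")
```

For $m = 1$ the adversary re-rolls an unfavourable coin once and reaches bias $1/4$; for $m = 3$ the exact optimum is $3/16$. As $m$ grows, `bias * sqrt(m)` settles near a constant while the $1/m$ reference keeps shrinking, which is the gap between the majority protocol and Cleve's bound that the abstract describes.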
Submitted 17 June, 2022; v1 submitted 18 April, 2021;
originally announced April 2021.
-
Inaccessible Entropy I: Inaccessible Entropy Generators and Statistically Hiding Commitments from One-Way Functions
Authors:
Iftach Haitner,
Omer Reingold,
Salil Vadhan,
Hoeteck Wee
Abstract:
We put forth a new computational notion of entropy, measuring the (in)feasibility of sampling high-entropy strings that are consistent with a given generator. Specifically, the i'th output block of a generator G has accessible entropy at most k if the following holds: when conditioning on its prior coin tosses, no polynomial-time strategy $\widetilde{G}$ can generate valid output for G's i'th output block with entropy greater than k. A generator has inaccessible entropy if the total accessible entropy (summed over the blocks) is noticeably smaller than the real entropy of G's output.
As an application of the above notion, we improve upon the result of Haitner, Nguyen, Ong, Reingold, and Vadhan [SICOMP '09], presenting a much simpler and more efficient construction of statistically hiding commitment schemes from arbitrary one-way functions.
Submitted 23 August, 2021; v1 submitted 12 October, 2020;
originally announced October 2020.
-
On the Round Complexity of the Shuffle Model
Authors:
Amos Beimel,
Iftach Haitner,
Kobbi Nissim,
Uri Stemmer
Abstract:
The shuffle model of differential privacy was proposed as a viable model for performing distributed differentially private computations. Informally, the model consists of an untrusted analyzer that receives messages sent by participating parties via a shuffle functionality, the latter potentially disassociates messages from their senders. Prior work focused on one-round differentially private shuffle model protocols, demonstrating that functionalities such as addition and histograms can be performed in this model with accuracy levels similar to that of the curator model of differential privacy, where the computation is performed by a fully trusted party.
Focusing on the round complexity of the shuffle model, we ask in this work what can be computed in the shuffle model of differential privacy with two rounds. Ishai et al. [FOCS 2006] showed how to use one round of the shuffle to establish secret keys between every two parties. Using this primitive to simulate a general secure multi-party protocol increases its round complexity by one. We show how two parties can use one round of the shuffle to send secret messages without having to first establish a secret key, hence retaining round complexity. Combining this primitive with the two-round semi-honest protocol of Applebaum et al. [TCC 2018], we obtain that every randomized functionality can be computed in the shuffle model with an honest majority, in merely two rounds. This includes any differentially private computation. We then move to examine differentially private computations in the shuffle model that (i) do not require the assumption of an honest majority, or (ii) do not admit one-round protocols, even with an honest majority. For that, we introduce two computational tasks: the common-element problem and the nested-common-element problem, for which we show separations between one-round and two-round protocols.
Submitted 28 September, 2020;
originally announced September 2020.
-
A Tight Lower Bound on Adaptively Secure Full-Information Coin Flip
Authors:
Iftach Haitner,
Yonatan Karidi-Heller
Abstract:
In a distributed coin-flipping protocol, Blum [ACM Transactions on Computer Systems '83], the parties try to output a common (close to) uniform bit, even when some adversarially chosen parties try to bias the common output. In an adaptively secure full-information coin flip, Ben-Or and Linial [FOCS '85], the parties communicate over a broadcast channel and a computationally unbounded adversary can choose which parties to corrupt along the protocol execution. Ben-Or and Linial proved that the $n$-party majority protocol is resilient to $O(\sqrt{n})$ corruptions (ignoring poly-logarithmic factors), and conjectured this is a tight upper bound for any $n$-party protocol (of any round complexity). Their conjecture was proved to be correct for single-turn (each party sends a single message) single-bit (a message is one bit) protocols by Lichtenstein, Linial and Saks [Combinatorica '89], symmetric protocols by Goldwasser, Tauman Kalai and Park [ICALP '15], and recently for (arbitrary message length) single-turn protocols by Tauman Kalai, Komargodski and Raz [DISC '18]. Yet, the question for many-turn protocols was left completely open.
In this work we close the above gap, proving that no $n$-party protocol (of any round complexity) is resilient to $ω(\sqrt{n})$ (adaptive) corruptions.
Submitted 2 September, 2020; v1 submitted 4 May, 2020;
originally announced May 2020.
-
On the Round Complexity of Randomized Byzantine Agreement
Authors:
Ran Cohen,
Iftach Haitner,
Nikolaos Makriyannis,
Matan Orland,
Alex Samorodnitsky
Abstract:
We prove lower bounds on the round complexity of randomized Byzantine agreement (BA) protocols, bounding the halting probability of such protocols after one and two rounds. In particular, we prove that:
(1) BA protocols resilient against $n/3$ [resp., $n/4$] corruptions terminate (under attack) at the end of the first round with probability at most $o(1)$ [resp., $1/2+ o(1)$].
(2) BA protocols resilient against a fraction of corruptions greater than $1/4$ terminate at the end of the second round with probability at most $1-Θ(1)$.
(3) For a large class of protocols (including all BA protocols used in practice) and under a plausible combinatorial conjecture, BA protocols resilient against a fraction of corruptions greater than $1/3$ [resp., $1/4$] terminate at the end of the second round with probability at most $o(1)$ [resp., $1/2 + o(1)$].
The above bounds hold even when the parties use a trusted setup phase, e.g., a public-key infrastructure (PKI).
The third bound essentially matches the recent protocol of Micali (ITCS'17) that tolerates up to $n/3$ corruptions and terminates at the end of the third round with constant probability.
Submitted 12 February, 2022; v1 submitted 25 July, 2019;
originally announced July 2019.