Oblivious-Transfer Complexity of Noisy Coin-Toss via Secure Zero Communication Reductions

Abstract

In p-noisy coin-tossing, Alice and Bob obtain fair coins which are of opposite values with probability p. Its Oblivious-Transfer (OT) complexity refers to the least number of OTs required by a semi-honest perfectly secure 2-party protocol for this task. We show a tight bound of \(\varTheta (\log 1/p)\) for the OT complexity of p-noisy coin-tossing. This is the first instance of a lower bound for OT complexity that is independent of the input/output length of the function.

We obtain our result by providing a general connection between the OT complexity of randomized functions and the complexity of Secure Zero Communication Reductions (SZCR), as recently defined by Narayanan et al. (TCC 2020), and then showing a lower bound for the complexity of an SZCR from noisy coin-tossing to (a predicate corresponding to) OT.

S. Goyal—Work done while at IIT Bombay

V. Narayanan—Supported by ERC Project NTSC (742754) and ISF Grants 1709/14 & 2774/20.

M. Prabhakaran—Supported by IITB Trust Lab.

A Basic Constructions

In this section, for the sake of explicitness, we detail two basic constructions of Balanced Embedding from any function to the OT predicate – from a truth table and from a boolean circuit of the function. The first construction is implied by the second one, which in turn is implied by the general construction of balanced embedding from SZCR.

1.1 A.1 Balanced Embedding from Truth Table

Theorem 4

For any deterministic function \(f:\{0,1\}^n\times \{0,1\}^n \rightarrow \{0,1\}\times \{0,1\}\), there exists a balanced embedding to \({\boldsymbol{\upphi }} _\textsf{OT} ^k\) for \(k=2^{n+1}\).

Proof

To define the balanced embedding \((\pi ,\theta )\) we will define inputs \(u_\alpha \) and \(v_\beta \) to \({\boldsymbol{\upphi }} _\textsf{OT} ^k\) such that \(\pi (u, \alpha ) = \theta (u, \alpha ) = 1\) for \(u = u_\alpha \) and 0 for rest; and similarly \(\pi (v, \beta ) = \theta (v, \beta ) = 1\) for \(v = v_\beta \) and 0 for rest. \(u_\alpha \) and \(v_\beta \) where \(\alpha = (x,a)\) and \(\beta = (y,b)\) are defined as follows:

• For \(0\le i\le 2^n-1\), \(u_i=(1,a)\), if \(i=x\) and \(u_i = (0,0)\) otherwise, whereas \(v_i = (0, f_A(i,y))\).

• For \(2^n\le i\le 2^{n+1}-1\), \(v_i=(1,b)\), if \(i=2^n+y\) and \(v_i = (0,0)\) otherwise, whereas \(u_i = (0, f_B(x,i))\).

It is straight forward to see that this definition satisfies the conditions of a balanced embedding as the only compatible u, v pairs correspond to correct outputs being sampled at both the ends.    \(\square \)

1.2 A.2 Constructing Balanced Embedding from Circuit

Theorem 5

Given a circuit C with NAND gates that computes a function f, we can construct a balanced embedding to \({\boldsymbol{\upphi }} _\textsf{OT} ^{2|C|}\).

Proof

Let x and y be the inputs of Alice and Bob, respectively. For each wire w in C, Alice and Bob sample \(w_A\) and \(w_B\), respectively, as follows:

1. (i).

   If w is an input wire that reads \(x_i\), then \(w_A=x_i\) and \(w_B=0\), and if w is an input wire that reads \(y_i\), then \(w_A=0\) and \(w_B=y_i\)

2. (ii).

   If w is the output wire computing \(f_A(x,y)\), then \(w_A\leftarrow \{0,1\}\) and \(w_B=0\), and if w is the output wire computing \(f_B(x,y)\), then \(w_A=0\), and \(w_B\leftarrow \{0,1\}\).

3. (iii).

   Otherwise, \(w_A\leftarrow \{0,1\}\) and \(w_B\leftarrow \{0,1\}\).

For each gate g in C, we denote the two input wires by \(\textrm{In1}^g,\textrm{In2}^g\) and the output wire by \(\textrm{Out}^g\).

We define sets \(U_x\) and \(V_y\) corresponding to inputs x, y. Elements of these sets \((u_i\in \{0,1\}^2:1\le i\le 2|C|)\) and \((v_i\in \{0,1\}^2:1\le i\le 2|C|)\) are be sampled as follows:

Enumerate the gates in C as \(g_1,g_2,\ldots ,g_{|C|}\); for \(1\le i\le 2|C|\):

• Set \(u_{2i-1}=(\alpha _A^{g_i},\textrm{In1}_A^{g_i}\oplus \alpha _A^{g_i})\) and \(u_{2i}=(\beta _A^{g_i},\textrm{In2}_A^{g_i}\oplus \beta _A^{g_i})\), where \(\alpha _A^{g_i},\beta _A^{g_i}\) are sampled uniformly at random subject to:

  $$\begin{aligned} \alpha _A^{g_i}\oplus \beta _A^{g_i}=\textrm{Out}^{g_i}_A\oplus (\textrm{In1}^{g_i}_A\cdot \textrm{In1}^{g_i}_A)\oplus 1. \end{aligned}$$

  (26)

• Sets \(v_{2i-1}=(\textrm{In2}_B^{g_i},\alpha _B^{g_i})\) and \(u_{2i}=(\textrm{In1}_B^{g_i},\beta ^{g_i})\), where \(\alpha _B^{g_i},\beta _B^{g_i}\) are sampled uniformly at random subject to:

  $$\begin{aligned} \alpha _B^{g_i}\oplus \beta _B^{g_i}=\textrm{Out}^{g_i}_B\oplus (\textrm{In1}^{g_i}_B\cdot \textrm{In1}^{g_i}_B). \end{aligned}$$

  (27)

Finally, set candidate outputs \(a=\hat{w}_B\), where \(\hat{w}\) is the wire that outputs \(f_A(x,y)\) in C, and \(b=\tilde{w}_A\), where \(\tilde{w}\) is the wire that outputs \(f_B(x,y)\) in C. We use functions \(O_A: \mathcal {U} \times X \rightarrow \{0,1\}\) and \(O_B: \mathcal {V} \times Y \rightarrow \{0,1\}\) to denote the a and b values generated for specific u, x and y, b pairs respectively.

We then define the embedding \((\pi ,\theta )\) for \(\alpha = (x,a)\) and \(\beta = (y,b)\) as \(\pi (u, \alpha ) = \theta (u, \alpha ) = 2^{-|C|}\) if \(u\in U_x\) and \(a = O_A(u,x)\) and 0 otherwise. Similarly, \(\pi (v, \beta ) = \theta (v, \beta ) = 2^{-|C|}\) if \(v\in V_y\) and \(b = O_B(v,y)\) and 0 otherwise. It is easy to check that this construction is indeed correct, owing to the correctness of the circuit C.    \(\square \)