Abstract
In p-noisy coin-tossing, Alice and Bob obtain fair coins which are of opposite values with probability p. Its Oblivious-Transfer (OT) complexity refers to the least number of OTs required by a semi-honest perfectly secure 2-party protocol for this task. We show a tight bound of \(\varTheta (\log 1/p)\) for the OT complexity of p-noisy coin-tossing. This is the first instance of a lower bound for OT complexity that is independent of the input/output length of the function.
We obtain our result by providing a general connection between the OT complexity of randomized functions and the complexity of Secure Zero Communication Reductions (SZCR), as recently defined by Narayanan et al. (TCC 2020), and then showing a lower bound for the complexity of an SZCR from noisy coin-tossing to (a predicate corresponding to) OT.
S. Goyal—Work done while at IIT Bombay
V. Narayanan—Supported by ERC Project NTSC (742754) and ISF Grants 1709/14 & 2774/20.
M. Prabhakaran—Supported by IITB Trust Lab.
Notes
- 1. This functionality is sometimes referred to as sampling from a binary symmetric source. Note that for semi-honest security, as we consider, this is a cryptographically trivial task without any noise (i.e., when \(p=0\)).
- 2. Throughout this paper, we consider semi-honest and perfect security, which arguably gives the cleanest notion of OT complexity.
- 3.
- 4. Our connection between SZCR and OT-based 2-PC does extend to both \(\mu \) and m. But our formulation of balanced embedding complexity \(|f|_{\textsc {emb}}\) omits \(\mu \), and lower bounds on \(|f|_{\textsc {emb}}\) yield lower bounds on m rather than only on \(m+\mu \).
- 5. That is, \({\boldsymbol{\upphi }} _\textsf{OT} (u,v)=1\) iff \(u=(r_1,\cdots ,r_m)\), \(v=(s_1,\cdots ,s_m)\) and each \((r_i,s_i)\) is in the support of the OT correlation. Looking ahead, \({\boldsymbol{\upphi }} _\textsf{OT} \) in fact uses \(m+1\) instances of OT, where the extra instance is used as an “abort switch.” Following the notation in [22], later, we denote \({\boldsymbol{\upphi }} _\textsf{OT} \) as \({\boldsymbol{\upphi }} _{\textsf{supp} (\textsf{OT} ^{+})}\).
- 6. The general definition in [22] allowed a CRS, or even more general correlations in an SZCR. For simplicity, we omit this from our adaptation, as we shall not need it for our specific result.
- 7. For randomized functions, \(G_{f}\) is a weighted bipartite graph with the weight of an edge ((x, a), (y, b)) being \(\Pr [f(x,y)=(a,b)]\).
- 8. Note that the common information that Alice and Bob obtain in an execution of the protocol \({\Uppi } ^\textsf{OT} \) is not solely determined by the transcript, but also by their views of the OT correlation. Indeed, a protocol could use OTs to carry out an information-theoretically secure secret-key agreement protocol, and then use the key as a one-time pad for the rest of the transcript, so that the transcript by itself is distributed identically for all input-output pairs.
References
Agarwal, P., Narayanan, V., Pathak, S., Prabhakaran, M., Prabhakaran, V.M., Rehan, M.A.: Secure non-interactive reduction and spectral analysis of correlations. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13277, pp. 797–827. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_28
Amini Khorasgani, H., Maji, H.K., Nguyen, H.H.: Secure non-interactive simulation: feasibility and rate. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13277, pp. 767–796. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_27
Beaver, D.: Perfect privacy for two-party protocols. In: Feigenbaum, J., Merritt, M. (eds.) Proceedings of DIMACS Workshop on Distributed Computing and Cryptography, vol. 2, pp. 65–77. American Mathematical Society (1989)
Beaver, D.: Correlated pseudorandomness and the complexity of private computations. In: STOC, pp. 479–488 (1996)
Beimel, A., Ishai, Y., Kumaresan, R., Kushilevitz, E.: On the cryptographic complexity of the worst functions. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 317–342. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_14
Beimel, A., Malkin, T.: A quantitative approach to reductions in secure computation. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 238–257. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_14
Bhushan, K., Misra, A.K., Narayanan, V., Prabhakaran, M.: Secure non-interactive reducibility is decidable. In: These Proceedings (2022)
Chor, B., Kushilevitz, E.: A zero-one law for Boolean privacy. SIAM J. Discrete Math. 4(1), 36–47 (1991)
Csiszár, I., Ahlswede, R.: On oblivious transfer capacity. In: International Symposium on Information Theory (ISIT), pp. 2061–2064 (2007)
Dodis, Y., Micali, S.: Lower bounds for oblivious transfer reductions. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 42–55. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_4
Dvir, Z., Gopi, S.: 2-server PIR with subpolynomial communication. J. ACM 63(4), 39:1–39:15 (2016)
Goldreich, O., Micali, S., Wigderson, A.: How to play ANY mental game. In: ACM (ed.) STOC, pp. 218–229 (1987). See [12, Chap. 7] for more details
Goldreich, O., Vainish, R.: How to solve any protocol problem - an efficiency improvement (extended abstract). In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 73–86. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_6
Haber, S., Micali, S.: Unpublished manuscript cited by [12] (1986)
Imai, H., Morozov, K., Nascimento, A.C.A.: On the oblivious transfer capacity of the erasure channel. In: International Symposium on Information Theory (ISIT), pp. 1428–1431 (2006)
Imai, H., Morozov, K., Nascimento, A.C.A.: Efficient oblivious transfer protocols achieving a non-zero rate from any non-trivial noisy correlation. In: International Conference on Information Theoretic Security (ICITS) (2007)
Imai, H., Morozov, K., Nascimento, A.C.A., Winter, A.: Efficient protocols achieving the commitment capacity of noisy correlations. In: International Symposium on Information Theory (ISIT), pp. 1432–1436 (2006)
Imai, H., Müller-Quade, J., Nascimento, A.C.A., Winter, A.: Rates for bit commitment and coin tossing from noisy correlation. In: International Symposium on Information Theory (ISIT), p. 45 (2004)
Kilian, J.: Founding cryptography on oblivious transfer. In: STOC, pp. 20–31 (1988)
Kushilevitz, E.: Privacy and communication complexity. In: FOCS, pp. 416–421 (1989)
Maji, H., Prabhakaran, M., Rosulek, M.: Complexity of multi-party computation functionalities. Cryptology and Information Security Series, vol. 10, pp. 249–283. IOS Press, Amsterdam (2013)
Narayanan, V., Prabhakaran, M., Prabhakaran, V.M.: Zero-communication reductions. In: Pass, R., Pietrzak, K. (eds.) TCC 2020, Part III. LNCS, vol. 12552, pp. 274–304. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64381-2_10
Prabhakaran, V., Prabhakaran, M.: Assisted common information with an application to secure two-party sampling. IEEE Trans. Inf. Theory 60(6), 3413–3434 (2014). https://doi.org/10.1109/TIT.2014.2316011
Winkler, S., Wullschleger, J.: Statistical impossibility results for oblivious transfer reductions. Cryptology ePrint Archive, Report 2009/508 (2009). http://eprint.iacr.org/
Winter, A., Nascimento, A.C.A., Imai, H.: Commitment capacity of discrete memoryless channels. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 35–51. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40974-8_4
Wolf, S., Wullschleger, J.: New monotones and lower bounds in unconditional two-party computation. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 467–477. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_28
A Basic Constructions
In this section, for the sake of explicitness, we detail two basic constructions of Balanced Embedding from any function to the OT predicate – from a truth table and from a boolean circuit of the function. The first construction is implied by the second one, which in turn is implied by the general construction of balanced embedding from SZCR.
A.1 Balanced Embedding from Truth Table
Theorem 4
For any deterministic function \(f:\{0,1\}^n\times \{0,1\}^n \rightarrow \{0,1\}\times \{0,1\}\), there exists a balanced embedding to \({\boldsymbol{\upphi }} _\textsf{OT} ^k\) for \(k=2^{n+1}\).
Proof
To define the balanced embedding \((\pi ,\theta )\) we will define inputs \(u_\alpha \) and \(v_\beta \) to \({\boldsymbol{\upphi }} _\textsf{OT} ^k\) such that \(\pi (u, \alpha ) = \theta (u, \alpha ) = 1\) for \(u = u_\alpha \) and 0 for the rest; and similarly \(\pi (v, \beta ) = \theta (v, \beta ) = 1\) for \(v = v_\beta \) and 0 for the rest. \(u_\alpha \) and \(v_\beta \), where \(\alpha = (x,a)\) and \(\beta = (y,b)\), are defined as follows:
- For \(0\le i\le 2^n-1\), \(u_i=(1,a)\), if \(i=x\) and \(u_i = (0,0)\) otherwise, whereas \(v_i = (0, f_A(i,y))\).
- For \(2^n\le i\le 2^{n+1}-1\), \(v_i=(1,b)\), if \(i=2^n+y\) and \(v_i = (0,0)\) otherwise, whereas \(u_i = (0, f_B(x,i))\).
It is straightforward to see that this definition satisfies the conditions of a balanced embedding, as the only compatible u, v pairs correspond to correct outputs being sampled at both ends. \(\square \)
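The following is an added example, not code from the paper: it builds \(u_\alpha \) and \(v_\beta \) as in the proof above and exhaustively checks that they are compatible exactly when \((a,b)=f(x,y)\). It assumes that a coordinate is in the OT support iff the receiver pair (c, m) and sender pair (s0, s1) satisfy m = s_c, that Alice is the receiver in the first \(2^n\) coordinates and Bob in the rest, and that \(f_B(x,i)\) in the second half is read with the offset \(2^n\) removed from i; the function names are hypothetical.

```python
from itertools import product

def ot_ok(receiver, sender):
    # Assumed OT support: receiver (c, m) and sender (s0, s1) agree iff m == s_c.
    c, m = receiver
    return m == sender[c]

def embed(n, f_A, f_B, x, a, y, b):
    """Build (u_alpha, v_beta) for alpha = (x, a), beta = (y, b); k = 2^(n+1)."""
    N = 1 << n
    # First half: Alice selects row x and claims output a; Bob offers f_A(i, y).
    u = [(1, a) if i == x else (0, 0) for i in range(N)]
    v = [(0, f_A(i, y)) for i in range(N)]
    # Second half: roles swap. Index i = 2^n + j; f_B is evaluated at j
    # (assumption: the offset 2^n is dropped from the second argument).
    u += [(0, f_B(x, j)) for j in range(N)]
    v += [(1, b) if j == y else (0, 0) for j in range(N)]
    return u, v

def phi_ot(n, u, v):
    """OT predicate: every coordinate must lie in the (assumed) OT support."""
    N = 1 << n
    first = all(ot_ok(u[i], v[i]) for i in range(N))          # Alice receives
    second = all(ot_ok(v[i], u[i]) for i in range(N, 2 * N))  # Bob receives
    return first and second

def check_embedding(n, f_A, f_B):
    """True iff phi_OT(u_alpha, v_beta) = 1 exactly when (a, b) = f(x, y)."""
    N = 1 << n
    for x, y, a, b in product(range(N), range(N), (0, 1), (0, 1)):
        u, v = embed(n, f_A, f_B, x, a, y, b)
        expected = (a, b) == (f_A(x, y), f_B(x, y))
        if phi_ot(n, u, v) != expected:
            return False
    return True

if __name__ == "__main__":
    # Constructed sample function on 2-bit inputs: inner product and comparison.
    f_A = lambda x, y: bin(x & y).count("1") % 2
    f_B = lambda x, y: int(x < y)
    print(check_embedding(2, f_A, f_B))
```

The unselected coordinates pass automatically because the receiver pair (0, 0) always matches a sender pair whose first bit is 0, so only the coordinates at x and at \(2^n+y\) constrain the claimed outputs.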
A.2 Constructing Balanced Embedding from Circuit
Theorem 5
Given a circuit C with NAND gates that computes a function f, we can construct a balanced embedding to \({\boldsymbol{\upphi }} _\textsf{OT} ^{2|C|}\).
Proof
Let x and y be the inputs of Alice and Bob, respectively. For each wire w in C, Alice and Bob sample \(w_A\) and \(w_B\), respectively, as follows:
- (i). If w is an input wire that reads \(x_i\), then \(w_A=x_i\) and \(w_B=0\), and if w is an input wire that reads \(y_i\), then \(w_A=0\) and \(w_B=y_i\).
- (ii). If w is the output wire computing \(f_A(x,y)\), then \(w_A\leftarrow \{0,1\}\) and \(w_B=0\), and if w is the output wire computing \(f_B(x,y)\), then \(w_A=0\), and \(w_B\leftarrow \{0,1\}\).
- (iii). Otherwise, \(w_A\leftarrow \{0,1\}\) and \(w_B\leftarrow \{0,1\}\).
For each gate g in C, we denote the two input wires by \(\textrm{In1}^g,\textrm{In2}^g\) and the output wire by \(\textrm{Out}^g\).
We define sets \(U_x\) and \(V_y\) corresponding to inputs x, y. Elements of these sets \((u_i\in \{0,1\}^2:1\le i\le 2|C|)\) and \((v_i\in \{0,1\}^2:1\le i\le 2|C|)\) are sampled as follows:
Enumerate the gates in C as \(g_1,g_2,\ldots ,g_{|C|}\); for \(1\le i\le 2|C|\):
- Set \(u_{2i-1}=(\alpha _A^{g_i},\textrm{In1}_A^{g_i}\oplus \alpha _A^{g_i})\) and \(u_{2i}=(\beta _A^{g_i},\textrm{In2}_A^{g_i}\oplus \beta _A^{g_i})\), where \(\alpha _A^{g_i},\beta _A^{g_i}\) are sampled uniformly at random subject to:
$$\begin{aligned} \alpha _A^{g_i}\oplus \beta _A^{g_i}=\textrm{Out}^{g_i}_A\oplus (\textrm{In1}^{g_i}_A\cdot \textrm{In1}^{g_i}_A)\oplus 1. \end{aligned} \tag{26}$$
- Set \(v_{2i-1}=(\textrm{In2}_B^{g_i},\alpha _B^{g_i})\) and \(u_{2i}=(\textrm{In1}_B^{g_i},\beta ^{g_i})\), where \(\alpha _B^{g_i},\beta _B^{g_i}\) are sampled uniformly at random subject to:
$$\begin{aligned} \alpha _B^{g_i}\oplus \beta _B^{g_i}=\textrm{Out}^{g_i}_B\oplus (\textrm{In1}^{g_i}_B\cdot \textrm{In1}^{g_i}_B). \end{aligned} \tag{27}$$
Finally, set candidate outputs \(a=\hat{w}_B\), where \(\hat{w}\) is the wire that outputs \(f_A(x,y)\) in C, and \(b=\tilde{w}_A\), where \(\tilde{w}\) is the wire that outputs \(f_B(x,y)\) in C. We use functions \(O_A: \mathcal {U} \times X \rightarrow \{0,1\}\) and \(O_B: \mathcal {V} \times Y \rightarrow \{0,1\}\) to denote the a and b values generated for specific u, x and y, b pairs respectively.
We then define the embedding \((\pi ,\theta )\) for \(\alpha = (x,a)\) and \(\beta = (y,b)\) as \(\pi (u, \alpha ) = \theta (u, \alpha ) = 2^{-|C|}\) if \(u\in U_x\) and \(a = O_A(u,x)\) and 0 otherwise. Similarly, \(\pi (v, \beta ) = \theta (v, \beta ) = 2^{-|C|}\) if \(v\in V_y\) and \(b = O_B(v,y)\) and 0 otherwise. It is easy to check that this construction is indeed correct, owing to the correctness of the circuit C. \(\square \)
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Goyal, S., Narayanan, V., Prabhakaran, M. (2022). Oblivious-Transfer Complexity of Noisy Coin-Toss via Secure Zero Communication Reductions. In: Kiltz, E., Vaikuntanathan, V. (eds) Theory of Cryptography. TCC 2022. Lecture Notes in Computer Science, vol 13749. Springer, Cham. https://doi.org/10.1007/978-3-031-22368-6_4
DOI: https://doi.org/10.1007/978-3-031-22368-6_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22367-9
Online ISBN: 978-3-031-22368-6
eBook Packages: Computer Science (R0)