1 Introduction

In the random-oracle model, the parties are given oracle access to a random function (i.e. a uniformly chosen function from the set of all functions of a given input and output length—the all-function family) and are assumed to have unbounded computational power (though they can only make a bounded number of oracle queries). Many cryptographic primitives are known to exist in this model, such as (exponentially hard) collision-resistant hash functions. More importantly, in this model, it is possible to implement secure protocols for tasks that are hard to implement in the standard model, and sometimes even completely unachievable; a well-known example is the work of [10], showing how to convert three-message identification schemes to a highly efficient (non interactive) signature scheme. In the random-oracle model, their methodology preserves the security of the original scheme [25], but (for some schemes) does not do so in the standard model [4, 14].

Random oracles, however, are not all powerful. In their seminal work, [18] showed that key-agreement protocols cannot be realized in the random-oracle model. Still, characterizing the functionalities that can be (securely) realized in this model remained an open question.

It is well known that for malicious adversaries, there exist functionalities that cannot be achieved in the information-theoretic model, i.e. where all entities are assumed to be unbounded (with no-oracle access), yet can be securely computed in the random-oracle model (e.g. commitment schemes, coin-tossing protocols and zero-knowledge proofs). All of these functionalities, however, are blatantly trivial when considering semi-honest adversaries, which are the focus of this work.

1.1 Our Result

We make progress towards answering the above question, showing that, to a large extent, any no-private input,Footnote 1 two-party computation that can be securely implemented in the random-oracle model in the presence of semi-honest adversaries can be securely implemented in the information-theoretic model in the presence of semi-honest adversaries.

Theorem 1.1

(Main theorem, informal). Let \(\pi \) be a no-private-input, \(m\)-round, \(\ell \)-query, oracle-aided two-party protocol and let \(\left\langle X,Y \right\rangle \) stand for a random execution of the protocol \((X,Y)\), resulting in the parties’ private outputs and the common transcript. Then, for any \(\varepsilon >0\), there exists an \(O(\ell ^2/\varepsilon ^2)\)-query oracle-aided function \(\mathsf{Map}\), and a stateless, no-oracle, \(m\)-round protocol \({\widetilde{\pi }}= ({\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}})\) such that:

$$\begin{aligned} \mathrm{SD}\left( \left( {\mathrm{out }}_{\mathsf {A}},{\mathrm{out }}_{\mathsf {B}},\mathsf{Map}^{f}(\overline{t})\right) _{f\leftarrow {{\mathcal{F}}_\mathrm{{AF}}}, ({\mathrm{out }}_{\mathsf {A}},{\mathrm{out }}_{\mathsf {B}},\overline{t}) \leftarrow \left\langle \mathsf {A}^f,\mathsf {B}^f \right\rangle },\left\langle {\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}} \right\rangle \right) \in O( \varepsilon ), \end{aligned}$$

where \({{\mathcal{F}}_\mathrm{{AF}}}\) is the all-functions family.Footnote 2

Furthermore, the projections of the above distributions to their first and third coordinates, or to their second and third coordinates (i.e. the transcripts concatenated with the outputs of one of the parties) are identically distributed.

Intuitively, Theorem 1.1 states that for any oracle-aided protocol \(\pi \) that is executed with access to a random function, there exists a no-oracle protocol \({\widetilde{\pi }}\) in the information-theoretic setting that is almost as correct and almost as secure as \(\pi \). This is formalized by the requirement that the distributions induced by the private outputs of the parties and the common transcript in a random execution of \(\pi ^f\) (for \(f\leftarrow {{\mathcal{F}}_\mathrm{{AF}}}\)), being almost the same as that induced by a random execution of the (no-oracle) protocol \({\widetilde{\pi }}\), where the only difference is that one needs to apply a query-efficient procedure \(\mathsf{Map}\) to the transcript in the execution of \(\pi \). Correctness follows directly from the statistical closeness of the outputs, where security is implied by the fact that anything that can be learnt from the transcript of \({\widetilde{\pi }}\) can also be learnt from the transcript of \(\pi \) by applying the query-efficient function \(\mathsf{Map}\) on it. Theorem 1.1 generalizes to all-function families that are finite and have the property that answers for distinct queries, induced by drawing a random member from the family, are independent.

The main power of Theorem 1.1 is that it facilitates proving the inexistence of certain random-oracle model primitives, by proving the inexistence of their no-oracle analogues; given a random-oracle model protocol \(\pi \) implementing a certain functionality, say key agreement (where the parties wish to secretly agree on a common key), consider its no-oracle variant \({\widetilde{\pi }}\) guaranteed by Theorem 1.1. Since no information-theoretically secure key-agreement protocol exists, there exists a passive (i.e. semi-honest) adversary \(\widetilde{\mathsf{Eve}}\) that “extracts” the common key agreed by the parties of \({\widetilde{\pi }}\) from the protocol’s transcript. Theorem 1.1 yields that by invoking \(\widetilde{\mathsf{Eve}}\) on the output of \(\mathsf{Map}\) applied to the transcript of the random-oracle protocol \(\pi \), one finds the key agreed by the parties of \(\pi \) with high probability. Since we considered an arbitrary protocol \(\pi \), the above yields the inexistence of key-agreement protocols in the random-oracle model, reproving [1, 18].Footnote 3

A major ingredient of the proof of Theorem 1.1 is the dependency finder algorithm presented by [1], refining a similar algorithm by [18] (see Sect. 1.2). While we could have based the proof of Theorem 1.1 on a combination of several results from [1] (or alternatively, to get a theorem with worse parameters, by basing the proof on a followup result of [7, Lemma 5] or of [21, Lemma A.1]), we chose to give a new proof also for this part (modulo clearly marked parts taken from [1]). The new proof (given as part of the proof of Lemma 3.10) holds with respect to a larger set of function families. More significantly, it is more modular and introduces several simplifications compared with the previous proofs.

1.1.1 Applications

We demonstrate the usefulness of Theorem 1.1 via the following two examples. The first example shows that in the random-oracle model, it is impossible for two parties to accurately approximate the inner-product function in a differentially private manner, namely in a way that very little information is leaked about any single bit of the input of one party to the other party. A recent result of [22] shows that in the information-theoretic model, it is impossible to approximately compute the inner-product function in a differentially private manner. Combining their result with Theorem 1.1, we obtain the following fact.Footnote 4

Theorem 1.2

(informal). In the random-oracle model, any \(\ell \)-query \((\ell ^2,\alpha ,\gamma )\)-differentially private oracle-aided protocol for computing the inner product of two \(n\)-bits strings, errs by \(\frac{\sqrt{n}}{\log (n) \cdot e^\alpha }\) with a constant probability.

Very informally, an oracle-aided protocol is \((k,\alpha ,\gamma )\)-differentially private, if no party making at most \(k\) queries to the oracle learns more than \(\alpha \) information about any one of the input bits of the other party, except with some small probability \(\gamma \).

The above result yields the impossibility of fully black-box reducing differentially private protocols for (well) approximating the inner product, to the existence of one-way functions. Roughly speaking, such a fully black-box reduction is a pair of efficient oracle-aided algorithms \((\mathsf{Q},\mathsf{R})\) such that the following hold: (1) \(\mathsf{Q}^f\) is a good approximation protocol of the inner product for any function \(f\), and (2) \(\mathsf{R}^{f,\mathcal{A}}\) inverts \(f\), for any adversary \(\mathcal{A}\) that learns too much about the input of one of the parties in \(\mathsf{Q}^f\). Since a random sample from the all-function family is hard to invert (cf., [12, 18]), the existence of such a reduction yields that \(\mathsf{Q}^f\) is differentially private with respect to \(\mathrm{poly }\)-query adversaries, when \(f\) is chosen at random from the set of all functions.Footnote 5 Hence, Theorem 1.2 yields the following result.

Corollary 1.3

(informal). There exists no fully black-box reduction from \(\left( \alpha ,\gamma \right) \)-differentially private protocol computing with error \(o(\frac{\sqrt{n}}{\log ( n) \cdot e^\alpha })\) the inner product of two \(n\)-bit strings, to one-way functions.

We mention that, following an observation made by [22], Theorem 1.2 and Corollary 1.3 imply similar results for two-party differentially private protocols for the Hamming distance functionality.Footnote 6

The second example we give is for secure sampling. Let \(G = (G_\mathsf {A},G_\mathsf {B})\) be a distribution over \(\mathcal {A}\times \mathcal {B}\), where \(G_\mathsf {A}\) and \(G_\mathsf {B}\) denote its marginal distributions over \(\mathcal {A}\) and \(\mathcal {B}\), respectively. A protocol \(\pi = (\mathsf {A},\mathsf {B})\) is an information-theoretically \(\delta \)-secure implementation of \(G\), if it is a \(\delta \)-correct (no-oracle) implementation of \(G\) (i.e. the local outputs of the parties induced by a random execution of \(\pi \) are \(\delta \)-close to \(G\)) and is \(\delta \)-private according to the simulation paradigm (against all-powerful distinguishers). Specifically, there exists an algorithm \(\mathrm{Sim }_{\mathsf {A}}\) (a simulator for \(\mathsf {A}\)) such that \((x,y,\mathrm{Sim }_{\mathsf {A}}(x))_{(x,y) \leftarrow G}\) is \(\delta \)-close to the distribution of the parties outputs and \(\mathsf {A}\)’s view in a random execution of \(\pi \). (Similarly, there exists such a simulator \(\mathrm{Sim }_{\mathsf {B}}\) for \(\mathsf {B}\)). A protocol \(\pi \) is a \((T,\delta )\)-secure random-oracle implementation of \(G\), if it is a \(\delta \)-correct random-model implementation of \(G\), and it is \(\delta \)-private according to the simulation paradigm, against \(T\)-query, all-powerful distinguishers. Theorem 1.1 yields the following result.

Theorem 1.4

(informal). Let \(\pi \) be an \(\ell \)-query oracle-aided protocol that is an \((O(\ell ^2/\delta ^2),\delta )\)-secure implementation of a distribution \(G\) in the random-oracle model, then \(G\) has an information-theoretically \(O(\delta )\)-secure implementation.

We note that Theorem 1.4 does not seem to imply the aforementioned differential privacy result, since the notion of differential privacy cannot be realized via the real/ideal paradigm.

Limitations of Theorem 1.1. By definition, applications of Theorem 1.1 are restricted to no-private input, semi-honest protocols (for obvious reasons though, inexistence of semi-honest security yields inexistence of the full security). In addition, since the distributions described in Theorem 1.1 are only \(O(\varepsilon )\) close to each other, the theorem seems to only be useful for showing the impossibility of robust primitives: ones that remain information-theoretically unachievable, even if one slightly changes the primitive correctness or security requirement (e.g. the parties agree on the same key with slightly smaller probability). We are unaware, however, of any natural primitive for which the above robustness condition does not hold.

1.2 Our Technique

When using a no-oracle protocol to emulate an oracle-aided protocol \(\pi \), having oracle access to a random member of the all-function family, the crucial issue is to find all common information the parties share at a given point. The clear obstacle is the oracle calls: the parties might share information without explicitly communicating it, say by making the same oracle call.

Here comes into play the Dependency Finder of [18], and [1] (algorithm Eve, in their terminology, and Independence Learner in the terminology of [7, 21]). This oracle-aided algorithm (\(\mathsf{Finder} \), hereafter) gets as input a communication transcript \(\overline{t}\) of a random execution of \(\pi \), and an oracle access to \(f\), the oracle used by the parties in this execution. Algorithm \(\mathsf{Finder} \) outputs a list of query/answer pairs to \(f\) that with high probability contains all oracle queries that are common to both parties (and possibly also additional ones). Moreover, with high probability, \(\mathsf{Finder} \) is guaranteed not to make “too many” oracle queries.

Equipped with \(\mathsf{Finder} \), we give the following definition for the mapping procedure \(\mathsf{Map}\) and the stateless (no-oracle) protocol \({\widetilde{\pi }}= ({\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}})\): on a communication transcript \(\overline{t}\), the oracle-aided algorithm \(\mathsf{Map}^f\) outputs \(\left( \bigl (\overline{t}_1,\mathcal{{I}}_1 = \mathsf{Finder} ^f(\overline{t}_1)\bigl ),\bigl (\overline{t}_{1,2},\mathcal{{I}}_2 = \mathsf{Finder} ^f\right. \) \(\left. (\overline{t}_{1,2})\bigl )\dots , \bigl (\overline{t},\mathcal{{I}}_m = \mathsf{Finder} ^f(\overline{t})\bigl )\right) \). Namely, \(\mathsf{Map}\) invokes \(\mathsf{Finder} \) on each prefix of the transcript and outputs the result. The no-oracle protocol \({\widetilde{\pi }}= ({\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}})\) is defined as follows: assume that \({\widetilde{\mathsf {A}}}\) speaks in round \((i+1)\) and that the \(i\)’th message is \(((\overline{t}_1,\mathcal{{I}}_1),\dots ,(\overline{t}_{1,\dots ,i},\mathcal{{I}}_i))\). The stateless, no-oracle \({\widetilde{\mathsf {A}}}\) samples random values for \(f\in {{\mathcal{F}}_\mathrm{{AF}}}\) and the random coins of \(\mathsf {A}\) conditioned on \(\overline{t}_{1,\dots ,i}\) being the protocol’s transcript, and \(f\) being consistent with \(\mathcal{{I}}_i\). It then lets \(t_{i+1}\) be the next message of \(\mathsf {A}\) induced by the above choice of \(f\) and random coins, and sends \(\left( \overline{t}' = (\overline{t}_{1,\dots ,i},t_{i+1}),\mathsf{Finder} ^f(\overline{t}')\right) \) back to \({\widetilde{\mathsf {B}}}\). In case this is the last round of interaction, \({\widetilde{\mathsf {A}}}\) locally outputs the (local) output of \(\mathsf {A}\) induced by this choice of \(f\) and random coins. In other words, \({\widetilde{\mathsf {A}}}\) selects a random view (including the oracle itself) for \(\mathsf {A}\) that is consistent with the information contained in the no-oracle protocol augmented transcript (i.e. the transcript of the oracle protocol and the oracle calls) and then acts as \(\mathsf {A}\) would.

The fact that \({\widetilde{\mathsf {A}}}\) perfectly emulates \(\mathsf {A}\) (and that \({\widetilde{\mathsf {B}}}\) perfectly emulates \(\mathsf {B}\)) trivially holds for information-theoretic reasons. For the same reason, it also holds that the transcript generated by applying \(\mathsf{Map}^f\) to a random transcript of \(\pi ^f\), where \(f\leftarrow {{\mathcal{F}}_\mathrm{{AF}}}\), generates exactly the same transcript as a random execution of \({\widetilde{\pi }}\) does (actually, the above facts hold for any reasonable definition of \(\mathsf{Finder} \),Footnote 7 and for any function family). The interesting part is arguing that the joint output of the no-oracle protocol has similar distribution to that of the oracle-aided protocol. To see that this is not trivial, assume that in the last round, both oracle parties make the same oracle query \(q\) and output the query/answer pair \((q,f(q))\). If it happens that \((q,\cdot )\notin \mathcal{{I}}\), where \(\mathcal{{I}}= \mathsf{Finder} (\overline{t})\) is the query/answer pairs made by the final call to \(\mathsf{Finder} \) on transcript \(\overline{t}\), then the answer that each of the no-oracle parties compute for the query \(q\) might be different. In this case, the joint output of the no-oracle protocol does not look like the joint output of the oracle protocol. Luckily, the above scenario is unlikely to happen due to the guarantee of \(\mathsf{Finder} \); with high probability, \(\mathcal{{I}}\) contains all common queries that the two parties made, yielding that the joint output of the no-oracle protocol has similar distribution to that of the oracle protocol. It turns out that the above example generalizes to any possible protocol, yielding that the above mapping and no-oracle protocol are indeed the desired ones.

1.3 Related Work

In their seminal work, [18] showed that there are no key-agreement protocols in the random-oracle model and deduced that key-agreement protocols cannot be black-box reduced to one-way functions. This result was later improved by [1], showing there are no \(\ell \)-query key-agreement protocols in the random-oracle model, secure against adversaries making \(O(\ell ^2)\) queries, thus matching the upper bound of [23]. [21] show that the all-function family (and thus one-way functions) are useless for secure function evaluation of deterministic, polynomial input-domain, two-party functionalities. In other words, deterministic, bounded input-domain functionalities that can be securely computed in the random-oracle model are the trivial ones—functionalities that can be securely computed unconditionally. The comparison to the result stated here is that [21] handle with polynomial input-domain functionalities, but only deterministic ones, where here we handle input-less functionalities, but including randomized ones. Putting the above results together gives a partial characterization of the power of the random-oracle model for two-party computation secure in the presence of semi-honest adversaries. It is still open, however, whether the random-oracle model is useful for securely computing randomized functionalities with inputs or functionalities of super-polynomial input domain. [7] give a random-oracle to no-oracle equivalence in a similar flavour to that of Theorem 1.1. The result of [7] holds for general with-input protocols, but is restricted to \(o(n/\log n)\)-round protocols, where \(n\) being the random function input length. In addition, the (implicit) mapping procedure given in [7] might make sub-exponential number of oracle calls (even for a constant \(\varepsilon \)). Finally, a long line of research, starting with the work of [6], gives a partial characterization of those functionalities that can be securely computed information theoretically.

1.3.1 Additional Black-Box Separations

Following [18], the method of black-box separation was subsequently used in many other works: [27] shows that there exists no black-box reduction from a \(k\)-round secret key agreements to \((k-1)\)-round secret key agreements; [29] shows that there exists no black-box reductions from collision-free hash functions to one-way permutations; [19] shows that there exists no construction of one-way permutations based on one-way functions. Other works using this paradigm contain  [5, 1113, 16, 20, 30], to name a few.

1.3.2 Differential Privacy

Distributed differential privacy was considered by [3], who studied the setting of multiparty differentially private computation (where an \(n\)-bit database is shared between \(n\) parties). They gave a separation between information-theoretic and computational differential privacy in the distributed setting. The notion of computational differential privacy was considered in [24]. They presented several definitions of computational differential privacy, studied the relationships between these definitions, and constructed efficient two-party computational differentially private protocols for approximating the Hamming distance between two vectors. Two-party differential privacy (where a \(2n\)-bit database is shared between two parties, each holding half of the bits) was considered by [22]. They prove a lower bound on the accuracy of two-party differentially private protocols, in the information-theoretic model, for computing the inner product between two \(n\)-bit strings (and, consequently, for protocols for computing the Hamming distance), hence proving a separation between information-theoretic and computational two-party differentially private computation. In this paper, we extend the lower bound of [22] to the random-oracle model. For the client–server setting (where the server holds the entire database and the client may issue queries to it), [15] considered the limitations of computational differentially private computation in the centralized setting (where a single entity holds the entire database). For this setting, they gave a black-box separation of computational differentially private computation from a large range of cryptographic primitives such as trapdoor permutations, collision-resistant hash functions and random oracles.

1.4 Open Problems

As mentioned above, the main open problem is a full characterization of the power of the random-oracle model with respect to semi-honest adversaries. Specifically, is it possible to come up with a random-oracle to no-oracle mapping that works for any (also with inputs) oracle-aided protocol?Footnote 8 Note that it is still open whether the mapping described in Theorem 1.1 can be used to rule out any non-trivial, input-less semi-honest random-oracle protocol, or only those that are “far” enough from being trivial (see discussion at the end of Sect. 1.1.1).

Finally, an interesting question is to come up with a random-oracle to no-oracle mapping that is applicable to protocols secure against fail-stop adversaries. We failed to use the mapping described in Theorem 1.1 for these settings. Loosely speaking, the reason that our approach fails is that the party that is active at the \(i\)’th round might first compute the \(i\)’th message and only then decide whether to abort or not based on this message. Now, if this is the case, then the probability that a party aborts in the oracle-aided protocol might be correlated with the view of the other party because of the queries that \(\mathsf{Finder} \) makes while computing the \(i\)’th message; hence, the joint distribution of the oracle-aided protocol is no longer close to product distribution, unlike the plain model protocol. A potential implication of such a result for fail-stop adversaries is that optimally fair coin tossing is impossible to achieve in the random function model.Footnote 9

1.5 Paper Organization

Formal definitions and notation used throughout the paper are given in Sect. 2. Our main result is stated and proved in Sect. 3, and several applications of this result are given in Sect. 4. Our new proof for the main technical lemma of [1] is given in “Appendix”.

2 Preliminaries

2.1 Notations

We use calligraphic letters to denote sets, uppercase for random variables and lowercase for values. Let \(\mathrm{poly }\) be the set of all polynomials, let ppt stand for probabilistic polynomial time, and pptm stands for ppt algorithm (machine). A function \(\mu :{\mathbb {N}}\rightarrow [0,1]\) is negligible, denoted \(\mu (n) = \mathrm{neg }(n)\), if \(\mu (n)=n^{-\omega (1)}\). For \(m\in {\mathbb {N}}\), let \([m]=\left\{ 1,\ldots ,m\right\} \). For a finite set \(\mathcal{{S}}\), let \(\chi _\mathcal{{S}}\) stand for its characteristic function, and let \(x\leftarrow \mathcal{{S}}\) to denote that \(x\) is selected according to the uniform distribution over \(\mathcal{{S}}\). Similarly, for a random variable \(X\), let \(x\leftarrow X\) to denote that \(x\) is chosen according to \(X\). The support of the distribution \(D\), denoted \(\mathrm{Supp }(D)\), is defined as \(\left\{ u\in {\mathcal {U}}: \Pr _{D}[u]>0\right\} \). The statistical distance between two distributions \(P\) and \(Q\) over a finite set \({\mathcal {U}}\), denoted \(\mathrm{SD}(P,Q)\), is defined as \(\frac{1}{2} \sum _{u\in {\mathcal {U}}}\left| \Pr _P[u]- \Pr _Q[u]\right| \), and is known to be equal to \(\max _{\mathcal{{S}}\subseteq {\mathcal {U}}} \left( \Pr _P[\mathcal{{S}}]- \Pr _Q[\mathcal{{S}}]\right) \). Two distributions \(P\) and \(Q\) are \(\delta \)-close, if \(\mathrm{SD}(P,Q)\le \delta \).

2.2 Interactive Protocols

A two-party protocol \(\pi =\left( \mathsf {A},\mathsf {B} \right) \) (with no-oracle access) is a pair of probabilistic interactive Turing machines. The communication between the Turing machines \(\mathsf {A}\) and \(\mathsf {B}\) is carried out in rounds, where in each round one of the parties is active and the other party is idle. In the \(j\)’th round of the protocol, the currently active party \({\mathsf {P}}\) acts according to its partial view, writing some value on its output tape, and then sending a message to the other party (i.e. writing the message on the common tape).

The communication transcript (henceforth, the transcript) of a given execution of the protocol \(\pi =\left( \mathsf {A},\mathsf {B} \right) \) is the list of messages \(\overline{t}\) exchanged between the parties in an execution of the protocol, where \(\overline{t}_{1,\ldots ,j}\) denotes the first \(j\) messages in \(\overline{t}\). A view of a party contains its input, its random tape and the messages exchanged by the parties during the execution. Specifically, \(\mathsf {A}\)’s view is a tuple \(v_\mathsf {A}= (i_\mathsf {A},r_\mathsf {A},\overline{t})\), where \(i_\mathsf {A}\) is \(\mathsf {A}\)’s input, \(r_\mathsf {A}\) are \(\mathsf {A}\)’s random coins, and \(\overline{t}\) is the transcript of the execution. Let \((v_\mathsf {A})_j\) denote the partial view of \(\mathsf {A}\) in the first \(j\) rounds of the execution described by \(v_\mathsf {A}\), namely \((v_\mathsf {A})_j = (i_\mathsf {A},r_\mathsf {A},\overline{t}_{1,\ldots ,j})\); the view \(v_\mathsf {B}\) of \(\mathsf {B}\) is defined analogously. Let \(v=(v_\mathsf {A},v_\mathsf {B})\) the joint view of \(\mathsf {A}\) and \(\mathsf {B}\), and let \(v_j = ((v_\mathsf {A})_j, (v_\mathsf {B})_j)\). Given a distribution (or a set) \(\mathcal{D}\) on the joint views of \(\mathsf {A}\) and \(\mathsf {B}\), let \(\mathcal{D}_\mathsf {A}\) be the projection of \(\mathcal{D}\) on \(\mathsf {A}\)’s view (i.e. \(\Pr _{\mathcal{D}_\mathsf {A}}[v_\mathsf {A}] = \Pr _{(v_\mathsf {A},\cdot ) \leftarrow \mathcal{D}}[v_\mathsf {A}]\)), and define \(\mathcal{D}_\mathsf {B}\) analogously. Finally, we sometimes refer to a well-structured tuple \(v\) as a “view” of \(\pi \), even though \(v\) happens with zero probability. When we wish to stress that we consider a view that has non-zero probability, we call it a valid view.

A protocol \(\pi \) has \(m\) rounds, if for every possible random tapes for the parties, the number of rounds is exactly \(m\). Given a joint view \(v\) (containing the views of both parties) of an execution of \(\left( \mathsf {A},\mathsf {B} \right) \) and \({\mathsf {P}}\in \left\{ \mathsf {A},\mathsf {B}\right\} \), let \(v_{\mathsf {P}}\) denote \({\mathsf {P}}\)’s part in \(v\) and let \(\mathsf{trans}(v)\) denote the communication transcript in \(v\). For \(j\in [m]\), let \({\mathrm{out }}^{\mathsf {P}}_j(v) = {\mathrm{out }}^{\mathsf {P}}_j(v_{\mathsf {P}})\) denote the output of party \({\mathsf {P}}\) at the end of the \(j\)’th round of \(v\) (i.e. the string written on \({\mathsf {P}}\)’s output tape), where \({\mathrm{out }}^{\mathsf {P}}_j(v) = {\mathrm{out }}^{\mathsf {P}}_{j-1}(v)\), in case \({\mathsf {P}}\) is inactive in the \(j\)’th round of \(v\).

In a stateless protocol, the parties hold no state and, in each round, act on the message received in the previous round with freshly sampled random coins. Throughout this paper, we almost solely consider no-private input protocols—the only input of the parties is their common input (the only exception to that is in Sect. 4.2, additional required notations introduced therein). Given a no-input two-party protocol \(\pi \), let \(\left\langle \pi \right\rangle \) be the distribution over the joint views of the parties in a random execution of \(\pi \).

2.2.1 Oracle-Aided Protocols

An oracle-aided two-party protocol \(\pi =\left( \mathsf {A},\mathsf {B} \right) \) is a pair of interactive Turing machines, where each party has an additional tape called the oracle tape; the Turing machine can make a query to the oracle by writing a string \(q\) on its tape. It then receives a string \({\mathrm{ans }}\) (denoting the answer for this query) on the oracle tape. Without loss of generality, all oracle function families considered map binary strings to binary strings.

For an oracle-aided, no-input two-party protocol \(\pi = \left( \mathsf {A},\mathsf {B} \right) \) and a function family \({\mathcal{F}}\), let \(\Omega ^{{\mathcal{F}},\pi }\) be the set of all triplets \((r_\mathsf {A},r_\mathsf {B},f)\), where \(r_\mathsf {A}\) and \(r_\mathsf {B}\) are possible random coins for \(\mathsf {A}\) and \(\mathsf {B}\), and \(f\in {\mathcal{F}}\) (henceforth, if its value is clear from the context, we sometimes omit the superscript pair \(({\mathcal{F}},\pi )\)). For \(f\in {\mathcal{F}}\), the distribution \(\left\langle \pi ^f= (\mathsf {A}^f,\mathsf {B}^f) \right\rangle \) is defined analogously to \(\left\langle \pi \right\rangle =\left\langle \mathsf {A},\mathsf {B} \right\rangle \), i.e. it is the distribution over the joint views of parties in a random execution of \(\pi \) with access to \(f\). Given some information \(\inf \) about some element of \(\Omega \) (e.g. a set of query/answer pairs, or a view), let \(\Pr _\Omega [\inf ] = \Pr _{\omega \leftarrow \Omega }[\omega \text { is consistent with } \inf ]\), and let \(\Pr _{\Omega \mid \inf '}[\inf ]\) be this probability conditioned that \(\omega \) is consistent with \(\inf '\) (set to zero in case \(\Pr _\Omega [\inf ']=0\)).

Given a (possibly partial) execution of \(\pi ^f\), the views of the parties contain additional lists of query/answer pairs made to the oracle throughout the execution of the protocol. Specifically, \(\mathsf {A}\)’s view is a tuple \(v_\mathsf {A}= (r_\mathsf {A},\overline{t},f_\mathsf {A})\), where \(r_\mathsf {A}\) are \(\mathsf {A}\)’s coins, \(\overline{t}\) is the transcript of the execution, and \(f_\mathsf {A}\) are the oracle answers to \(\mathsf {A}\)’s queries. By convention, the active party in round \(j\) first makes all its queries to the oracle for this round and then writes a value to its output tape and send a message to the other party. We denote by \((f_{{\mathsf {P}}})_j\) the oracle answers to the queries that party \({\mathsf {P}}\) makes during the first \(j\) rounds. As above, let \((v_\mathsf {A})_j\) denote the partial view of \(\mathsf {A}\) in the first \(j\) rounds of the execution described by \(v_\mathsf {A}\), namely \((v_\mathsf {A})_j = (r_\mathsf {A},\overline{t}_{1,\ldots ,j},(f_{\mathsf {A}})_j)\). The view \(v_\mathsf {B}\) is analogously defined.

For \(\omega \in \Omega \), let \(\mathsf {view}(\omega )\) be the full view of the parties determined by \(\omega \). We say that a “view” \(v\) is consistent with \(({\mathcal{F}},\pi )\), if \(\Pr _{\Omega ^{{\mathcal{F}},\pi }}[v] >0\).

We assume without loss of generality that the party acting in the last round outputs a final message. Therefore, a partial transcript \(\overline{t}\) of the protocol uniquely determines the length of the partial execution that generated it (i.e. the number of rounds of \(\pi \) played), which is denoted by \(|\overline{t}|\). Consider the following distributions.

Definition 2.1

(\(\Omega (\overline{t}, \mathcal{{I}})\) and \(\mathcal{VIEW}(\overline{t}, \mathcal{{I}})\)). Let \({\mathcal{F}}\) be a function family and let \(\pi \) be an oracle-aided protocol. Given a partial transcript \(\overline{t}\) and a set of query/answer pairs \(\mathcal{{I}}\), let \(\Omega (\overline{t}, \mathcal{{I}}) = \Omega ^{{\mathcal{F}},\pi }(\overline{t}, \mathcal{{I}})\) be the set of all tuples \((r_\mathsf {A},r_\mathsf {B},f) \in \Omega =\Omega ^{{\mathcal{F}},\pi }\), in which \(f\) is consistent with \(\mathcal{{I}}\), and \(\overline{t}\) is a prefix of the transcript induced by \(\left\langle \mathsf {A}^f(r_\mathsf {A}),\mathsf {B}^f(r_\mathsf {B}) \right\rangle \). Given a set \(\mathcal{{P}}\subseteq \Omega \), let \(\Omega _\mathcal{{P}}(\overline{t}, \mathcal{{I}}) = \Omega (\overline{t}, \mathcal{{I}}) \cap \mathcal{{P}}\).

Define the random variable \(\mathcal{VIEW}^{{\mathcal{F}},\pi }(\overline{t}, \mathcal{{I}})\) as the value of \(\mathsf {view}(\omega )_{|\overline{t}|}\) for \(\omega \leftarrow \Omega (\overline{t}, \mathcal{{I}})\), and define \(\mathcal{VIEW}^{{\mathcal{F}},\pi }_\mathcal{{P}}(\overline{t}, \mathcal{{I}})\) analogously.

Since the above definition considers the uniform distribution over \(\Omega \), for any partial transcript \(\overline{t}\), set of query/answer pairs \(\mathcal{{I}}\), set \(\mathcal{{P}}\subseteq \Omega \), and information \(\inf \) about some element of \(\Omega \), it holds that \(\Pr _{\Omega _\mathcal{{P}}(\overline{t}, \mathcal{{I}})}[\inf ] = \Pr _{\Omega \mid \overline{t}, \mathcal{{I}},\mathcal{{P}}}[\inf ]\).

3 Mapping Oracle-Aided Protocols to No-Oracle Protocols

In this section, we state and prove our main result, a mapping from protocols in the random-oracle model to (inefficient) no-oracle protocols.

3.1 Dependent Views

Fix an \(m\)-round oracle-aided protocol \(\pi \) and a function family \({\mathcal{F}}\). We would like to restrict \(\mathcal{VIEW}(\overline{t}, \mathcal{{I}})\) to those views for which \(\mathcal{{I}}\) contains all joint information of the parties about \(f\). We start by formally defining what it means for \(\mathcal{{I}}\) to contain all joint information.

Definition 3.1

Let \(v_\mathsf {A}\) be a \(j_\mathsf {A}\)-round view for \(\mathsf {A}\) and \(v_\mathsf {B}\) be a \(j_\mathsf {B}\)-round view for \(\mathsf {B}\). For \(i\in [j_\mathsf {A}]\), let \({\mathcal{{I}}_\mathsf {A}}^i\) be the set of query/answer pairs that \(\mathsf {A}\) makes in the \(i\)’th round of \(v_\mathsf {A}\) (where \({\mathcal{{I}}_\mathsf {A}}^i =\emptyset \), if \(\mathsf {A}\) is idle in round \(i\)) and define \({\mathcal{{I}}_\mathsf {B}}^i\) analogously. Given a set \(\mathcal{{I}}\) of query/answer pairs, let

  1. 1.

    \(\alpha ^{\mathcal{{I}}}_{v_\mathsf {A}}= \prod _{i\in [j_\mathsf {A}]}\Pr _{\Omega \;|\;\mathcal{{I}},{\mathcal{{I}}_\mathsf {A}}^{1} \dots ,{\mathcal{{I}}_\mathsf {A}}^{i-1}}\left[ {\mathcal{{I}}_\mathsf {A}}^i\right] \) and

  2. 2.

    \(\alpha ^{\mathcal{{I}}}_{v_\mathsf {A} \mid v_\mathsf {B}}= \prod _{i\in [j_\mathsf {A}]}\Pr _{\Omega \;|\;\mathcal{{I}},{\mathcal{{I}}_\mathsf {A}}^{1},{\mathcal{{I}}_\mathsf {B}}^{1},\dots ,{\mathcal{{I}}_\mathsf {A}}^{i-1},{\mathcal{{I}}_\mathsf {B}}^{i-1}}\left[ {\mathcal{{I}}_\mathsf {A}}^i\right] \),

and define \(\alpha ^{\mathcal{{I}}}_{v_\mathsf {B} \mid v_\mathsf {A}}\) and \(\alpha ^{\mathcal{{I}}}_{v_\mathsf {B}}\) analogously.

Intuitively, \(\alpha ^{\mathcal{{I}}}_{v_\mathsf {A}}\) is the probability of \(\mathsf {A}\)’s view of \(f\) given \(\mathcal{{I}}\), and \(\alpha ^{\mathcal{{I}}}_{v_\mathsf {A} \mid v_\mathsf {B}}\) is this probability when conditioning also on \(\mathsf {B}\)’s view. We will focus on those views with \(\alpha ^{\mathcal{{I}}}_{v_\mathsf {A}}=\alpha ^{\mathcal{{I}}}_{v_\mathsf {A} \mid v_\mathsf {B}}\) and \(\alpha ^{\mathcal{{I}}}_{v_\mathsf {B}}=\alpha ^{\mathcal{{I}}}_{v_\mathsf {B} \mid v_\mathsf {A}}\).

Definition 3.2

(Dependent views) Let \(v = (v_\mathsf {A},v_\mathsf {B})\) be a pair of (possibly partial) valid views. The views \(v_\mathsf {A}\) and \(v_\mathsf {B}\) are dependent with respect to a set of query/answer pairs \(\mathcal{{I}}\) and a function family \({\mathcal{F}}\), if \(\alpha ^{\mathcal{{I}}}_{v_\mathsf {A}}\ne \alpha ^{\mathcal{{I}}}_{v_\mathsf {A} \mid v_\mathsf {B}}\) or \(\alpha ^{\mathcal{{I}}}_{v_\mathsf {B}}\ne \alpha ^{\mathcal{{I}}}_{v_\mathsf {B} \mid v_\mathsf {A}}\). Otherwise, \(v_\mathsf {A}\) and \(v_\mathsf {B}\) are independent with respect to \(\mathcal{{I}}\) and \({\mathcal{F}}\).

The following observation (generalizing a similar observation made in [1]) plays a crucial role in the proof of our main result (stated in Sect. 3.3). It shows how to express the probability of a given view \(v\), using \(\alpha ^{\mathcal{{I}}}_{v_\mathsf {A} \mid v_\mathsf {B}}\) and \(\alpha ^{\mathcal{{I}}}_{v_\mathsf {B} \mid v_\mathsf {A}}\). In particular, it implies that for an independent pair of views \(v=\left( v_\mathsf {B},v_\mathsf {A} \right) \) and any set \(\mathcal{{P}}\subseteq \Omega \), the probability that \(\mathcal{VIEW}_\mathcal{{P}}(\overline{t},\mathcal{{I}})= v\) can be written as a product of a term determined solely by \(v_\mathsf {A}\) and \((\overline{t}, \mathcal{{I}},\mathcal{{P}})\), and a term determined solely by \(v_\mathsf {B}\) and \((\overline{t}, \mathcal{{I}},\mathcal{{P}})\).

Proposition 3.3

Let \(\overline{t}\) be a transcript, let \(\mathcal{{I}}\) be a list of query/answer pairs, and let \(\mathcal{{P}}\subseteq \Omega \). Then, for every view \(v = (r_\mathsf {A},r_\mathsf {B},\cdot )\in \mathrm{Supp }\left( \mathcal{VIEW}\left( \overline{t},\mathcal{{I}} \right) \right) \) with \(\Pr _\Omega [v,\mathcal{{I}},\mathcal{{P}}]=\Pr _\Omega [v,\mathcal{{I}}]\), it holds that

$$\begin{aligned} \Pr [\mathcal{VIEW}_\mathcal{{P}}(\overline{t},\mathcal{{I}})= v]:{=}\mathop {\hbox {Pr}}\limits _{\Omega _\mathcal{{P}}(\overline{t},\mathcal{{I}})}[v] = \frac{\Pr _\Omega [r_\mathsf {A},r_\mathsf {B}]\cdot \alpha ^{\mathcal{{I}}}_{v_\mathsf {A} \mid v_\mathsf {B}}\cdot \alpha ^{\mathcal{{I}}}_{v_\mathsf {B} \mid v_\mathsf {A}}}{\Pr _{\Omega \mid \mathcal{{I}}}[\overline{t},\mathcal{{P}}]}. \end{aligned}$$

Proof

Note that

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{\Omega _\mathcal{{P}}(\overline{t},\mathcal{{I}})}[v] = \frac{\Pr _\Omega [v,\mathcal{{I}},\mathcal{{P}}]}{\Pr _\Omega [\overline{t},\mathcal{{I}},\mathcal{{P}}]} = \frac{\Pr _\Omega [v,\mathcal{{I}}]}{\Pr _\Omega [\overline{t},\mathcal{{I}},\mathcal{{P}}]}= \frac{\Pr _\Omega [r_\mathsf {A},r_\mathsf {B}, \mathcal{{I}}]\cdot \Pr _{\Omega \mid r_\mathsf {A},r_\mathsf {B},\mathcal{{I}}}[v]}{\Pr _\Omega [\overline{t},\mathcal{{I}},\mathcal{{P}}]}, \end{aligned}$$

where the second equality holds by the assumption that \(\Pr _\Omega [v,\mathcal{{P}},\mathcal{{I}}]=\Pr _\Omega [v,\mathcal{{I}}]\). Since the choice of random coins is independent of the choice of \(f\), we can write

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{\Omega _\mathcal{{P}}(\overline{t},\mathcal{{I}})}[v]&= \frac{\Pr _\Omega [r_\mathsf {A},r_\mathsf {B}]\cdot \Pr _\Omega [\mathcal{{I}}]\cdot \Pr _{\Omega \;|\;r_\mathsf {A},r_\mathsf {B},\mathcal{{I}}}[v]}{\Pr _\Omega [\mathcal{{I}}] \cdot \Pr _{\Omega \;|\;\mathcal{{I}}}[\overline{t},\mathcal{{P}}]}=\frac{\Pr _\Omega [r_\mathsf {A},r_\mathsf {B}]\cdot \Pr _{\Omega \;|\;r_\mathsf {A},r_\mathsf {B},\mathcal{{I}}}[v]}{\Pr _{\Omega \;|\;\mathcal{{I}}}[\overline{t},\mathcal{{P}}]} \end{aligned}$$
(1)

Note that \(\Pr _{\Omega \mid r_\mathsf {A},r_\mathsf {B},\mathcal{{I}}}[v]=\Pr _{\Omega \mid r_\mathsf {A},r_\mathsf {B},\mathcal{{I}}}[{\mathcal{{I}}_\mathsf {A}},{\mathcal{{I}}_\mathsf {B}},\overline{t}]\), where \({\mathcal{{I}}_\mathsf {A}}\) is the set of query/answer pairs that \(\mathsf {A}\) sees according to \(v_\mathsf {A}\) (\({\mathcal{{I}}_\mathsf {B}}\) is defined analogously). The reason for this is that given \((r_\mathsf {A},r_\mathsf {B},\mathcal{{I}})\), the values of \(({\mathcal{{I}}_\mathsf {A}},{\mathcal{{I}}_\mathsf {B}},\overline{t})\) and \(v\) are implied by each other. It follows that

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{\Omega _\mathrm {P}(\overline{t},\mathcal{{I}})}[v]=\frac{\Pr _\Omega [r_\mathsf {A},r_\mathsf {B}]\cdot \Pr _{\Omega \mid r_\mathsf {A},r_\mathsf {B},\mathcal{{I}}}[{\mathcal{{I}}_\mathsf {A}},{\mathcal{{I}}_\mathsf {B}},\overline{t}]}{\Pr _{\Omega \;|\;\mathcal{{I}}}[\overline{t},\mathrm {P}]} \end{aligned}$$
(2)

We next analyse the term \(\Pr _{\Omega \mid r_\mathsf {A},r_\mathsf {B},\mathcal{{I}}}[{\mathcal{{I}}_\mathsf {A}},{\mathcal{{I}}_\mathsf {B}},\overline{t}]\). Let \(j\) be the number of rounds in \(v\), and for \(i\in [j]\) recall that \({\mathcal{{I}}_\mathsf {A}}^i\) is the set of query/answer pairs that \(\mathsf {A}\) sees in the \(i\)’th round of the execution according to \(v_\mathsf {A}\) (\({\mathcal{{I}}_\mathsf {B}}^i\) is defined analogously). Since at any point through the execution of \(\pi ^f\) the next query of the acting party is determined by its partial view, it follows that

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{\Omega \mid r_\mathsf {A},r_\mathsf {B},\mathcal{{I}}}[{\mathcal{{I}}_\mathsf {A}},{\mathcal{{I}}_\mathsf {B}},\overline{t}]&=\prod _{i\in [j]}\mathop {\hbox {Pr}}\limits _{\Omega \mid r_\mathsf {A},r_\mathsf {B},\mathcal{{I}},{\mathcal{{I}}_\mathsf {A}}^{1},{\mathcal{{I}}_\mathsf {B}}^{1},\dots ,{\mathcal{{I}}_\mathsf {A}}^{i-1},{\mathcal{{I}}_\mathsf {B}}^{i-1},t_1,\dots ,t_{i-1}}\left[ {\mathcal{{I}}_\mathsf {A}}^i,{\mathcal{{I}}_\mathsf {B}}^i,t_i \right] \\&=\prod _{i\in [j]}\mathop {\hbox {Pr}}\limits _{\Omega \mid r_\mathsf {A},r_\mathsf {B},\mathcal{{I}},{\mathcal{{I}}_\mathsf {A}}^{1},{\mathcal{{I}}_\mathsf {B}}^{1},\dots ,{\mathcal{{I}}_\mathsf {A}}^{i-1},{\mathcal{{I}}_\mathsf {B}}^{i-1},t_1,\dots ,t_{i-1}}\left[ {\mathcal{{I}}_\mathsf {A}}^i,{\mathcal{{I}}_\mathsf {B}}^i \right] \\&=\prod _{i\in [j]}\mathop {\hbox {Pr}}\limits _{\Omega \mid \mathcal{{I}},{\mathcal{{I}}_\mathsf {A}}^{1},{\mathcal{{I}}_\mathsf {B}}^{1},\dots ,{\mathcal{{I}}_\mathsf {A}}^{i-1},{\mathcal{{I}}_\mathsf {B}}^{i-1}}\left[ {\mathcal{{I}}_\mathsf {A}}^i,{\mathcal{{I}}_\mathsf {B}}^i \right] \\&= \left( \prod _{i\in [j]}\mathop {\hbox {Pr}}\limits _{\Omega \mid \mathcal{{I}},{\mathcal{{I}}_\mathsf {A}}^{1},{\mathcal{{I}}_\mathsf {B}}^{1},\dots ,{\mathcal{{I}}_\mathsf {A}}^{i-1},{\mathcal{{I}}_\mathsf {B}}^{i-1}}[{\mathcal{{I}}_\mathsf {A}}^i]\right) \\&\quad \cdot \left( \prod _{i\in [j]}\mathop {\hbox {Pr}}\limits _{\Omega \mid \mathcal{{I}},{\mathcal{{I}}_\mathsf {A}}^{1},{\mathcal{{I}}_\mathsf {B}}^{1},\dots ,{\mathcal{{I}}_\mathsf {A}}^{i-1},{\mathcal{{I}}_\mathsf {B}}^{i-1}}[{\mathcal{{I}}_\mathsf {B}}^i]\right) \\&= \alpha ^{\mathcal{{I}}}_{v_\mathsf {A} \mid v_\mathsf {B}}\cdot \alpha ^{\mathcal{{I}}}_{v_\mathsf {B} \mid v_\mathsf {A}}. \end{aligned}$$

The second equation holds since the \(i\)’th message is (deterministically) determined by the randomness of the parties, the oracle answers and the transcript till now. The third one holds since the distribution on the oracle answers at each point during the execution is a function of \(\mathcal{{I}}\) and the previous queries made by the parties (recall that \(\Pr _{\Omega \mid \inf '}\left[ {\mathcal{{I}}_\mathsf {A}}^i,{\mathcal{{I}}_\mathsf {B}}^i \right] =\Pr _{\omega \leftarrow \Omega \mid \inf '}[\omega \text { is consistent with } {\mathcal{{I}}_\mathsf {A}}^i,{\mathcal{{I}}_\mathsf {B}}^i]\) and that the first \(i-1\) messages are determined by the randomness of the parties and the oracle answers to the queries made till round \(i-1\)). Finally, the fourth one holds since only one party is active in each round (hence, for every \(i\), either \({\mathcal{{I}}_\mathsf {A}}^i\) or \({\mathcal{{I}}_\mathsf {B}}^i\) is empty).\(\square \)

3.2 Intersecting Views

A special case of dependent views is when the two paries share a common oracle query not in \(\mathcal{{I}}\).

Definition 3.4

(Intersecting views) A (possibly partial) pair of views \(v = (v_\mathsf {A},v_\mathsf {B})\) is intersecting with respect to a set of query/answer pairs \(\mathcal{{I}}\), denoted \(\mathrm{Intersect }_\mathcal{{I}}(v) =1\), if \(v_\mathsf {A}\) and \(v_\mathsf {B}\) share a common query \(q\) not in \(\mathcal{{I}}\) (i.e. \((q,\cdot )\notin \mathcal{{I}}\)).

For a typical function family, a view with an intersection is dependent (with respect to the same list of query/answer pairs). In this paper, we limit our attention to “simple” function families for which also the other direction holds, namely dependency implies intersection.

Definition 3.5

(Simple function families) A function family \({\mathcal{F}}\) is simple, if it is finite, and \(\mathrm{Dependent }^{{\mathcal{F}}}_\mathcal{{I}}(v)\) \(\implies \) \(\mathrm{Intersect }_\mathcal{{I}}(v)\) for any oracle-aided protocol \(\pi \), list \(\mathcal{{I}}\) of query/answer pairs that is consistent with some \(f\in {\mathcal{F}}\) and a (possibly partial) pair of views \(v\) consistent with \(\mathcal{{I}}\).

It is immediate that the all-function family i.e. the set of “random functions” (see formal definition in Sect. 4.4) is simple.

3.3 Oracle-Aided to No-Oracle Protocol Mapping

The following theorem shows that an execution of an oracle-aided protocol with oracle access to a random \(f\in {\mathcal{F}}\), where \({\mathcal{F}}\) is a simple function family, can be mapped to an execution of a related protocol with no-oracle access. In Sect. 4, we use this result to prove limitations on the power of oracle-aided protocols in achieving specific cryptographic tasks.

Definition 3.6

(Oracle-aided to no-oracle mapping) A pair of a function family \({\mathcal{F}}\) and a no-input, \(m\)-round oracle-aided protocol \(\pi = (\mathsf {A},\mathsf {B})\), has a \((T,\varepsilon )\)-\({\mathrm{mapping }}\), if there exists a deterministic, oracle-aided \(T\)-query algorithm \(\mathsf{Map}\) and a stateless, \(m\)-round, no-input (and no-oracle) protocol \(({\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}})\), such that the following holds.Footnote 10

  1. 1.

    \(\mathrm{SD}\left( \mathcal{D}_{\mathcal{F}},\mathcal{D}_P\right) \le \varepsilon \) for every \(j\in [m]\), where

    $$\begin{aligned}&\mathcal{D}_{\mathcal{F}}= \left( {\mathrm{out }}^\mathsf {A}_j(v),{\mathrm{out }}^\mathsf {B}_j(v),\mathsf{Map}^{f}(\mathsf{trans}(v)_{1,\dots ,j})\right) _{f\leftarrow {\mathcal{F}}, v \leftarrow \left\langle \mathsf {A}^f,\mathsf {B}^f \right\rangle } ~~~~\text { and, }\\&\mathcal{D}_P= \left( {\mathrm{out }}^{\widetilde{\mathsf {A}}}_j(\tilde{v}),{\mathrm{out }}^{\widetilde{\mathsf {B}}}_j(\tilde{v}),\mathsf{trans}(\tilde{v})_{1,\dots ,j}\right) _{\tilde{v}\leftarrow \left\langle {\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}} \right\rangle }. \end{aligned}$$

    Furthermore, \(\mathcal{D}_P[1,3]\equiv \mathcal{D}_{\mathcal{F}}[1,3]\) and \(\mathcal{D}_P[2,3]\equiv \mathcal{D}_{\mathcal{F}}[2,3]\).Footnote 11

  2. 2.

    For every \(f\in {\mathcal{F}}\), an \(m\)-round transcript \(\overline{t}\) and \(j\in [m]\), it holds that \(\mathsf{Map}^{f}(\overline{t}_{1,\dots ,j}) = \mathsf{Map}^{f}(\overline{t})_{1,\dots ,j}\). Furthermore, the set of oracle calls made in \(\mathsf{Map}^{f}(\overline{t}_{1,\dots ,j})\) is a subset of those made in \(\mathsf{Map}^{f}(\overline{t})\).

Theorem 3.7

Let \({\mathcal{F}}\) be a simple function family and let \(\pi = (\mathsf {A},\mathsf {B})\) be an \(\ell \)-query, oracle-aided no-input protocol, then \(({\mathcal{F}},\pi )\) has a \((2^{10}\cdot \ell ^2/\varepsilon ^2,\varepsilon )\)-\({\mathrm{mapping }}\) for any \(0<\varepsilon \le 1\).

Remark 3.8

(Round complexity of the no-oracle protocol) The proof of Theorem 3.7 can be easily modified to yield a one-message no-oracle protocol (in this case, \(\mathcal{D}_{\mathcal{F}}\) and \(\mathcal{D}_P\) should be modified to reflect the transcript and outputs at the end of the executions). The roles of \({\widetilde{\mathsf {A}}}\) and \({\widetilde{\mathsf {B}}}\) in the resulting protocol, however, cannot reflect as closely the roles of \(\mathsf {A}\) and \(\mathsf {B}\), as done in the many-round, no-oracle protocol stated above.

The proof of Theorem 3.7 immediately follows by the next two lemmata.

Definition 3.9

(\(\mathsf{DependencyFinder}\)) Let \({\mathcal{F}}\) be a function family and let \(\pi = (\mathsf {A},\mathsf {B})\) be an \(m\)-round oracle-aided protocol. A deterministic oracle-aided algorithm \(\mathsf{Finder}\) is a \((T,\varepsilon )\)-\(\mathsf{DependencyFinder}\) for \(({\mathcal{F}},\pi )\), if the following holds for any \(j\in [m]\).

Let \(\mathsf{CF}= \mathsf{CF}({\mathcal{F}},\pi ,\mathsf{Finder})\) be the following random process:

  1. 1.

    Choose \((r_\mathsf {A},r_\mathsf {B},f)\leftarrow \Omega ^{{\mathcal{F}},\pi }\) and let \(\overline{t}\) be the \(j\)-round transcript of \(\pi \) induced by \((r_\mathsf {A},r_\mathsf {B},f)\).

  2. 2.

    For \(i=1\) to \(j\): set \(\mathcal{{I}}_i = \mathcal{{I}}_{i-1} \cup \mathsf{Finder} ^f(\overline{t}_{1,\ldots ,i},\mathcal{{I}}_{i-1})\) (letting \(\mathcal{{I}}_0 = \emptyset \)), where \(\mathsf{Finder} ^f(x)\) is the set of queries/answers made by \(\mathsf{Finder} ^f(x)\) to \(f\).

  3. 3.

    Output \(\left( \overline{t},\mathcal{{I}}_j \right) \).

Then,

  1. 1.

    \({\hbox {E}}_{d\leftarrow \mathsf{CF}}\left[ \mathrm{SD}\left( \mathcal{VIEW}^{{\mathcal{F}},\pi }(d), (\mathcal{VIEW}^{{\mathcal{F}},\pi }(d)_\mathsf {A},\mathcal{VIEW}^{{\mathcal{F}},\pi }(d)_\mathsf {B})\right) \right] \le \varepsilon \), and

  2. 2.

    \(\Pr [\#\, \text {of}\, f-\text {calls made in}\, \mathsf{CF}> T] \le \varepsilon \).

That is, conditioned on a random transcript of \(\pi ^{\mathcal{F}}\) and the oracle queries made by a \((T,\delta )\)-\(\mathsf{DependencyFinder}\), the views of the parties are close to being in a product distribution.

Lemma 3.10

Let \({\mathcal{F}}\) be a simple function family and let \(\pi = (\mathsf {A},\mathsf {B})\) be an \(\ell \)-query oracle-aided protocol, then \(({\mathcal{F}},\pi )\) has a \((64/\delta ^2,\ell \delta )\)-\(\mathsf{DependencyFinder}\) for any \(0<\delta \le \frac{1}{4\ell }\).

Lemma 3.11

Any pair of function family and protocol that has a \((T,\varepsilon )\)-\(\mathsf{DependencyFinder}\) has a \((T,2\varepsilon )\)-\({\mathrm{mapping }}\).

The proof of Lemma 3.11 is given in Sect. 3.3.2, where the proof of Lemma 3.10 is given in “Appendix”.Footnote 12

3.3.1 Proving Theorem 3.7

Proof of Theorem 3.7

Immediately follows from Lemmas 3.10 and 3.11, taking \(\delta = \varepsilon /4\ell \).\(\square \)

3.3.2 Proving Lemma 3.11

Proof

Let \(({\mathcal{F}},\pi )\) be a pair of a function family and an \(m\)-round oracle-aided protocol that have a \((T,\varepsilon )\)-\(\mathsf{DependencyFinder}\) algorithm \(\mathsf{Finder}\). We start by defining the mapping algorithm and then define the no-oracle protocol.\(\square \)

Algorithm 3.12

(\(\mathsf{Map}\)).

  1. Oracle:

    \(f\in {\mathcal{F}}\).

  2. Input:

    A \(j\)-round transcript \(\overline{t}\) of \(\pi \).

Operation:

  1. 1.

    For \(i=1\) to \(j\): set \(\mathcal{{I}}_i = \mathcal{{I}}_{i-1} \cup \mathsf{Finder} ^f(\overline{t}_{1,\ldots ,i},\mathcal{{I}}_{i-1})\) (letting \(\mathcal{{I}}_0 = \emptyset \)).

    If in some round \(i\) the overall number of \(f\) calls (made by \(\mathsf{Finder}\)) is \(T\), halt the above loop, and for all \(i \le i' \le j\) set \(\mathcal{{I}}_{i'}\) to be the set of \(T\) query/answer pairs obtained so far.

  2. 2.

    Output \(\left( \overline{t}_1,\mathcal{{I}}_1 \right) ,\left( \overline{t}_{1,2},\mathcal{{I}}_2 \right) ,\dots ,\left( \overline{t},\mathcal{{I}}_j \right) \).

The no-oracle protocol. Our stateless, no-oracle protocol \({\widetilde{\pi }}= ({\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}})\) emulates the oracle-aided protocol \(\pi \) by keeping the “important” oracle queries as part of the transcript and selecting the rest of the oracle at random (independently in each round). In particular, \({\widetilde{\mathsf {A}}}\) is active in \({\widetilde{\pi }}\) in the same rounds that \(\mathsf {A}\) is in \(\pi \) (same for \({\widetilde{\mathsf {B}}}\) and \(\mathsf {B}\)). The definition of \({\widetilde{\mathsf {A}}}\) is given below (\({\widetilde{\mathsf {B}}}\) is analogously defined).

Algorithm 3.13

(\({\widetilde{\mathsf {A}}}\)).

Input::

A pair \((\overline{t},\mathcal{{I}})\), where \(\overline{t}\) is a transcript of length \(j\) and \(\mathcal{{I}}\) is a set of query/answer pairs.

Operation:

  1. 1.

    Sample \((r_\mathsf {A},r_\mathsf {B},f) \leftarrow \Omega (\overline{t},\mathcal{{I}})\), and let \({\mathrm{out }}_{j+1}\) and \(t_{j+1}\) denote \(\mathsf {A}\)’s output and message, respectively, in the \((j+1)\) round of \(\left\langle \mathsf {A}^f(r_\mathsf {A}),\mathsf {B}^f(r_\mathsf {B}) \right\rangle \).

  2. 2.

    Output \({\mathrm{out }}_{j+1}\).

  3. 3.

    Compute the value of \(\mathcal{{I}}_{j+1}\) output by \(\mathsf{Map}^f(\overline{t_{j+1}})\) for \(\overline{t_{j+1}} = (\overline{t},t_{j+1})\).

  4. 4.

    Send \((\overline{t_{j+1}},\mathcal{{I}}_{j+1})\) to \({\widetilde{\mathsf {B}}}\).

We prove that algorithm \(\mathsf{Map}\) (Algorithm 3.12) and protocol \({\widetilde{\pi }}= ({\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}})\) (Algorithm 3.13) form a \((T,2\varepsilon )\)-\({\mathrm{mapping }}\) for \(({\mathcal{F}},\pi )\). By construction, algorithm \(\mathsf{Map}\) is deterministic (since \(\mathsf{Finder}\) is deterministic), makes at most \(T\) queries and fulfils the second item of Definition 3.6. Towards showing that \((\mathsf{Map},{\widetilde{\pi }})\) fulfils also the first property of Definition 3.6 with respect to the stated parameter, we prove the following claim:

Claim 3.14

for every \(j\in [m]\): \(\left( \mathsf{Map}^{f}(\mathsf{trans}(v)_{1,\dots ,j})\right) _{f\leftarrow {\mathcal{F}}, v \leftarrow \left\langle \mathsf {A}^f,\mathsf {B}^f \right\rangle } \equiv \left( \mathsf{trans}\right. \) \(\left. (\tilde{v})_{1,\dots ,j}\right) _{\tilde{v}\leftarrow \left\langle {\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}} \right\rangle }\).

Proof

The claim trivially holds for \(j=0\), where the proof for a larger value of \(j\) is done by induction. By the induction hypothesis and the fact that \(\mathsf{Map}^{f}(\mathsf{trans}(v)_{1,\dots ,j})_{1,\dots ,j-1} = \mathsf{Map}^{f}(\mathsf{trans}(v)_{1,\dots ,j-1})\) (since \(\mathsf{Map}\) fulfils the second item of Definition 3.6), it suffices to prove that the distributions in the claim are the same, conditioned that their \((j-1)\)-“round” prefix is fixed to some value \(\left( \dots ,\left( \overline{t}_{1,\dots ,j-1},\mathcal{{I}}_{j-1} \right) \right) \). Since \(\mathcal{{I}}_{j-1}\) is the set of queries/answers made by \(\mathsf{Map}^{f}(\mathsf{trans}(v)_{1,\dots ,j-1})\) to \(f\), the value of the right-hand-side distribution under this conditioning is \(\mathsf{Map}^f(\overline{t}')\), where \(f\) and \(\overline{t}'\) are the function and the \(j\)-round transcript of \(\pi \), respectively, induced by \(\omega \leftarrow \Omega \left( \overline{t}_{1,\dots ,j-1},\mathcal{{I}}_{j-1} \right) \). It is easy to verify that, under this conditioning, the latter process also describes the left-hand-side distribution.\(\square \)

We next note that Claim 3.14 yields that \(\mathcal{D}_P[1,3]\equiv \mathcal{D}_{\mathcal{F}}[1,3]\) (and similarly that \(\mathcal{D}_P[2,3]\equiv \mathcal{D}_{\mathcal{F}}[2,3]\)); indeed, conditioned on \(\mathcal{D}_P[3] = \mathcal{D}_{\mathcal{F}}[3]= \left( \dots ,\left( \overline{t}_{1,\dots ,j},\mathcal{{I}}_{j} \right) \right) \), the values of both \(\mathcal{D}_P[1]\) and \(\mathcal{D}_{\mathcal{F}}[1]\) (i.e. \(\mathsf {A}\)’s output) are obtained by the following random process: sample \(\omega \leftarrow \Omega \left( \overline{t}_{1,\dots ,j},\mathcal{{I}}_{j} \right) \) and output \(\mathsf {A}\)’s output in the \(j\)’th round induced by \(\omega \).

Finally, the definition of \({\widetilde{\pi }}= ({\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}})\) yields that

$$\begin{aligned} \mathcal{D}_P&:{=}\left( {\mathrm{out }}^{\widetilde{\mathsf {A}}}_j(\tilde{v}),{\mathrm{out }}^{\widetilde{\mathsf {B}}}_j(\tilde{v}),\mathsf{trans}(\tilde{v})_{1,\dots ,j}\right) _{\tilde{v}\leftarrow \left\langle {\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}} \right\rangle }\nonumber \\&\equiv \left( {\mathrm{out }}^\mathsf {A}_j(v_\mathsf {A}),{\mathrm{out }}^\mathsf {B}_j(v_\mathsf {B}),\tilde{t}_{1,\dots ,j}\right) _{\tilde{t}\leftarrow \mathsf{trans}(\left\langle {\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}} \right\rangle ),v_\mathsf {A}\leftarrow \mathcal{VIEW}(\tilde{t}_j)_\mathsf {A},v_\mathsf {B}\leftarrow \mathcal{VIEW}(\tilde{t}_j)_\mathsf {A}} \end{aligned}$$
(3)

where we recall that \(\tilde{t}_j\) consists of a pair \((\overline{t_{j}},\mathcal{{I}}_{j})\). It is easy to verify that

$$\begin{aligned} \mathcal{D}_{\mathcal{F}}&:{=}\left( {\mathrm{out }}^\mathsf {A}_j(v),{\mathrm{out }}^\mathsf {B}_j(v),\mathsf{Map}^{f}(\mathsf{trans}(v)_{1,\dots ,j})\right) _{f\leftarrow {\mathcal{F}}, v \leftarrow \left\langle \mathsf {A}^f,\mathsf {B}^f \right\rangle }\\&\equiv \left( {\mathrm{out }}^\mathsf {A}_j(v_\mathsf {A}),{\mathrm{out }}^\mathsf {B}_j(v_\mathsf {B}),\tilde{t}_{1,\dots ,j}\right) _{f\leftarrow {\mathcal{F}}, \overline{t}\leftarrow \mathsf{trans}(\left\langle \mathsf {A}^f,\mathsf {B}^f \right\rangle ),\tilde{t}\leftarrow \mathsf{Map}^{f}(\overline{t}),v \leftarrow \mathcal{VIEW}(\tilde{t}_j)} \end{aligned}$$

and therefore, Claim 3.14 yields that

$$\begin{aligned} \mathcal{D}_{\mathcal{F}}\equiv \left( {\mathrm{out }}^\mathsf {A}_j(v_\mathsf {A}),{\mathrm{out }}^\mathsf {B}_j(v_\mathsf {B}),\tilde{t}_{1,\dots ,j}\right) _{\tilde{t}\leftarrow \mathsf{trans}(\left\langle {\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}} \right\rangle ),v \leftarrow \mathcal{VIEW}(\tilde{t}_j)} \end{aligned}$$
(4)

We conclude the proof using the fact that \(\mathsf{Finder}\) is a \((T,\varepsilon )\)-\(\mathsf{DependencyFinder}\) for \(({\mathcal{F}},\pi )\). The issue to note here is that Process \(\mathsf{CF}\) (described in Definition 3.9) may make arbitrary number of oracle queries, while \(\mathsf{Map}\) is restricted to at most \(T\) queries. Let \(\mathcal{{S}}\) be the set of pairs \(d=\left( \overline{t}_{1,\dots ,j},\mathcal{{I}}_{j} \right) \) in the support of the Process \(\mathsf{CF}\) with \(\left| \mathcal{{I}}_{j}\right| \le T\). Note that the probability that \(\mathsf{CF}\) outputs \(d\in \mathcal{{S}}\) is exactly the probability of the transcript part being of the form \(\left( \dots ,d \right) \) according to distribution \(\mathcal{D}_{\mathcal{F}}\), where by Claim 3.14 this is also the probability of the this event according to \(\mathcal{D}_P\). We bound the statistical distance between \(\mathcal{D}_{\mathcal{F}}\) and \(\mathcal{D}_P\), by separately bounding the part contributed by transcripts \(\left( \dots ,d \right) \) with \(d\in \mathcal{{S}}\) and by transcripts \(\left( \dots ,d \right) \) with \(d\notin \mathcal{{S}}\).

The fact that \(\mathsf{Finder}\) is a \((T, \varepsilon )\)-\(\mathsf{DependencyFinder}\) for \(({\mathcal{F}},\pi )\) yields a bound of \(\varepsilon \) on the contribution of elements whose transcripts are inside \(\mathcal{{S}}\) to the statistical distance between \(\mathcal{D}_{\mathcal{F}}\) and \(\mathcal{D}_P\). It also bounds by \(\varepsilon \) the probability that \(\mathsf{CF}\) outputs elements whose transcripts are outside \(\mathcal{{S}}\), yielding the same bound on the contribution of such elements to the statistical distance between \(\mathcal{D}_{\mathcal{F}}\) and \(\mathcal{D}_P\). We conclude that \(\mathrm{SD}\left( \mathcal{D}_{\mathcal{F}},\mathcal{D}_P\right) \le \varepsilon + \varepsilon = 2\varepsilon .\)

4 Applications

In this section, we use the oracle-aided to no-oracle protocol mapping from Sect. 3, to derive the impossibility of realizing three cryptographic tasks relative to simple function families. In Sect. 4.1, we re-establish the result of [18], showing that key-agreement protocols cannot be realized relative to simple function families. In Sect. 4.2, we extend the lower bound of [22] on the accuracy of two-party differentially private no-oracle protocols, to show it also holds for relative to simple function families. In Sect. 4.3, we show that a distribution that cannot be securely sampled in the information-theoretic model, cannot be securely sampled relative to simple function families. Finally, in Sect. 4.4, we use that the all-function family is simple, to prove the impossibility of reducing the above first two primitives to the hardness of one-way functions in a black-box manner.

We emphasize that all adversaries considered in Sects. 4.1 to 4.3 (and most of those considered in Sect. 4.4) are computationally unbounded, but typically can only make bounded number of oracle queries.

Throughout this section, we sometimes only define the security and correctness of the primitives in consideration for oracle-aided implementations. Their no-oracle counterparts are derived by considering these definitions with respect to the trivial function family (i.e. the singleton family, whose only member returns \(\perp \) on every query).

4.1 Key-Agreement Protocols

In a key-agreement protocol, two parties wish to agree on a common secret in a secure manner—an adversary (observer) seeing the communication transcript cannot find the secret. Below, we prove that non-trivial key-agreement cannot be achieved relative to simple function families. We start by formally defining the notion of key agreement and then recall the known fact that in the information-theoretic model, an adversary can reveal any secret agreement between two parties in the strongest possible sense (i.e. with the same probability that the parties themselves agree). Combining this fact with the mapping from oracle-aided to no-oracle protocols, described in Sect. 3, yields a similar result for oracle-aided protocols relative to simple function families.

We remark that the results presented in this section yield very little conceptual added value to what was already shown by [1, 18]. We do, however, present them here to demonstrate how they are easily derived from our main result (Theorem 3.7) and as a warm-up before moving on to the other applications of our main result, described in Sects. 4.2 and 4.3.

4.1.1 Standard Definitions and Known Facts

Let \(\pi \) be a two-party protocol and let \(v\) be the parties’ joint view in an interaction of \(\pi \) (i.e. \(v\in \mathrm{Supp }\left( \left\langle \pi ^f \right\rangle \right) \)). Recall (see Sect. 2.2) that \(\mathsf{trans}(v)\) denotes the communication transcript in \(v\), and \({\mathrm{out }}^{\mathsf {P}}_i(v)\) denotes the output of the party \({\mathsf {P}}\) at the \(i\)’th round. In the following, let \({\mathrm{out }}^{\mathsf {P}}(v) = {\mathrm{out }}^{\mathsf {P}}_m(v)\), where \(m\) is the last round in \(v\).

Definition 4.1

(Key-agreement protocol) Let \(0\le \gamma \), \(\alpha \le 1\) and \(k\in {\mathbb {N}}\). A two-party, oracle-aided protocol \(\pi =\left( \mathsf {A},\mathsf {B} \right) \) is a \((k,\alpha ,\gamma )\)-key-agreement protocol relative to a function family \({\mathcal{F}}\), if the following hold:

Consistency::

\(\pi \) is \((1-\alpha )\)-consistent relative to \({\mathcal{F}}\). Namely, for every \(f\in {\mathcal{F}}\),

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{v\leftarrow \left\langle \pi ^f \right\rangle }\left[ {\mathrm{out }}^{\mathsf {A}}\left( v \right) ={\mathrm{out }}^{\mathsf {B}}\left( v \right) \right] \ge 1-\alpha \end{aligned}$$
(5)
Security::

For every \(P\in \left\{ \mathsf {A},\mathsf {B}\right\} \) and any \(k\)-query adversary \(\mathsf{Eve}\),

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{f\leftarrow {\mathcal{F}}, v\leftarrow \left\langle \pi ^f \right\rangle }\left[ \mathsf{Eve}^f\left( \mathsf{trans}\left( v \right) \right) ={\mathrm{out }}^{P}\left( v \right) \right] \le \gamma \end{aligned}$$
(6)

A protocol \(\pi \) is an \(\left( \alpha ,\gamma \right) \)-key-agreement protocol, if it is a \(\left( \cdot ,\alpha ,\gamma \right) \)-key-agreement protocol relative to the trivial function family.Footnote 13

In the information-theoretic model, all correlation between the parties is implied by the transcript. Hence, an adversary that on a given transcript \(\overline{t}\) samples a random view for \(\mathsf {A}\) that is consistent with \(\overline{t}\) and outputs whatever \(\mathsf {A}\) would upon this view agrees with \(\mathsf {B}\) with the same probability as does \(\mathsf {A}\). This simple argument yields the following fact.

Fact 4.2

Let \(0\le \alpha \le 1\) and let \(\pi =\left( \mathsf {A},\mathsf {B} \right) \) be a no-oracle, two-party, no-input protocol. Assume that the probability that in a random execution of \(\pi \) both parties output the same value is \(1-\alpha \). Then, there exists a adversary that given the transcript of a random execution of \(\pi \), outputs the same value as \(\mathsf {B}\) does with probability \(1-\alpha \).

An immediate implication of Fact 4.2 is that there does not exist a no-oracle, two-party, \((\alpha ,\gamma )\)-key-agreement protocol for any \(0\le \gamma < 1-\alpha \). We next use our main result from Sect. 3 to prove a similar result for oracle-aided protocols.

4.1.2 Limits on Oracle-Aided Key-Agreement Protocols

In the language of the above definition, our main result is stated as follows.

Theorem 4.3

Let \({\mathcal{F}}\) be a function family and let \(\pi \) be an oracle-aided protocol. Assume that the pair \(({\mathcal{F}},\pi )\) has a \((T,\varepsilon )\)-\({\mathrm{mapping }}\), and then, \(\pi \) is not a \(\left( T,\alpha ,\gamma \right) \)-key-agreement relative to \({\mathcal{F}}\) for any \(0\le \gamma < 1-\left( \alpha +\varepsilon \right) \).

Proof

Assume to the contrary that \(\pi \) is a \(\left( T,\alpha ,\gamma \right) \)-key-agreement relative to \({\mathcal{F}}\) for some \(0\le \gamma < 1-\left( \alpha +\varepsilon \right) \). Let \({\widetilde{\pi }}=({\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}})\) and \(\mathsf{Map}\) be \({\widetilde{\pi }}=({\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}})\) and \(\mathsf{Map}\) be a \((T,\delta )\)-\({\mathrm{mapping }}\) for \(({\mathcal{F}},\pi )\). It follows (see Definition 3.6:1) that

$$\begin{aligned} \mathrm{SD}\left( ({\mathrm{out }}^{\widetilde{\mathsf {A}}}\left( v \right) ,{\mathrm{out }}^{\widetilde{\mathsf {B}}}\left( v \right) )_{v\leftarrow \left\langle {\widetilde{\pi }} \right\rangle },({\mathrm{out }}^\mathsf {A}\left( v \right) ,{\mathrm{out }}^\mathsf {B}\left( v \right) )_{f\leftarrow {\mathcal{F}}, v\leftarrow \left\langle \pi ^f \right\rangle }\right) \le \varepsilon \end{aligned}$$
(7)

Hence, the \((1-\alpha )\)-consistency of \(\pi \) yields that

$$\begin{aligned} \tau :{=}\mathop {\hbox {Pr}}\limits _{v\leftarrow \left\langle {\widetilde{\pi }} \right\rangle }\left[ {\mathrm{out }}^{\widetilde{\mathsf {A}}}\left( v \right) ={\mathrm{out }}^{\widetilde{\mathsf {B}}}\left( v \right) \right] \ge 1-\left( \alpha +\varepsilon \right) \end{aligned}$$
(8)

Fact 4.2 yields an adversary \(\widetilde{\mathsf{Eve}}\) that given the transcript of a random execution of \({\widetilde{\pi }}\), outputs the same value as does \(\mathsf {B}\) with probability \(\tau \). Let \(\mathsf{Eve}\) be an adversary for \(\pi \) that upon a transcript \(\overline{t}\) (of an execution of \(\pi \) with access to \(f\)) applies \(\widetilde{\mathsf{Eve}}\) to \(\mathsf{Map}^f\left( \overline{t} \right) \) and outputs whatever \(\widetilde{\mathsf{Eve}}\) does. Note that \(\mathsf{Eve}\) makes at most \(T\) oracle calls. It follows that

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{f\leftarrow {\mathcal{F}},v\leftarrow \left\langle \pi ^f \right\rangle }\left[ \mathsf{Eve}^{f}\left( \mathsf{trans}\left( v \right) \right) \!=\!{\mathrm{out }}^\mathsf {B}\left( v \right) \right]&=\mathop {\hbox {Pr}}\limits _{f\leftarrow {\mathcal{F}},v\leftarrow \left\langle \pi ^f \right\rangle }\left[ \widetilde{\mathsf{Eve}}\left( \mathsf{Map}^{f}\left( \mathsf{trans}\left( v \right) \right) \right) \right. \nonumber \\&\qquad \left. ={\mathrm{out }}^\mathsf {B}\left( v \right) \right] \nonumber \\&=\mathop {\hbox {Pr}}\limits _{\tilde{v}\leftarrow \left\langle {\widetilde{\pi }} \right\rangle }\left[ \widetilde{\mathsf{Eve}}\left( \mathsf{trans}\left( \tilde{v} \right) \right) ={\mathrm{out }}^{\widetilde{\mathsf {B}}}\left( \tilde{v} \right) \right] \nonumber \\&=\tau \ge 1-\left( \alpha +\varepsilon \right) , \end{aligned}$$
(9)

where the second equality follows since \((\mathsf{Map}^{f}\left( \mathsf{trans}\left( v \right) \right) ,{\mathrm{out }}^\mathsf {B}\left( v \right) )\) is identically distributed as \((\mathsf{trans}\left( \tilde{v} \right) ,{\mathrm{out }}^{\widetilde{\mathsf {B}}}\left( \tilde{v} \right) )\), where \(f\), \(v\) and \(\tilde{v}\) are sampled as in Eq. (9) (follows from the second property of the protocol/mapping pair, see Definition 3.6).\(\square \)

Combining Theorems 3.7 and 4.3 yields the following result.

Theorem 4.4

Let \({\mathcal{F}}\) be a simple function family. For parameters \(k,\ell \in {\mathbb {N}}\) and \(\alpha , \gamma \in {\mathbb {R}}\) with \(k \ge 2^{10}\cdot \left( \frac{\ell }{1-\alpha - \gamma }\right) ^2\) and \(1-\alpha > \gamma \ge 0 \), there exists no \(\ell \)-query oracle-aided protocol that is \(\left( k,\alpha ,\gamma \right) \)-key-agreement relative to \({\mathcal{F}}\).

Proof

Let \({\mathcal{F}}\) be a simple function family and let \(\pi \) be an \(\ell \)-query oracle-aided protocol. For \(\varepsilon =\frac{1-\alpha - \gamma }{2}\), Theorem 3.7 yields that \(({\mathcal{F}},\pi )\) has a \(\left( T,\varepsilon \right) \)-\({\mathrm{mapping }}\) for \(T=2^{10}\cdot \left( \frac{\ell }{\varepsilon } \right) ^2=2^{10}\cdot \left( \frac{\ell }{1-\alpha - \gamma }\right) ^2\). Since \(0\le \gamma < 1-\left( \alpha + \varepsilon \right) \) and \(k \ge T\), Theorem 4.3 yields that \(\pi \) is not a \(\left( k,\alpha ,\gamma \right) \)-key-agreement protocol relative to \({\mathcal{F}}\).\(\square \)

4.2 Differentially Private Two-Party Computation

In this section, we apply our main result to extend the lower bound of [22] to oracle-aided protocols equipped with simple function families. Specifically, we show that when given access to a random member of a simple function family (e.g. the all-function family), any two-party, differentially private, oracle-aided protocol computing the inner product of two \(s\)-bit strings, exhibits error magnitude of roughly \(\Omega \left( \sqrt{s}/\log {s} \right) \) (see Sect. 4.2.2 for the formal statement). This fact is later used in Sect. 4.4.3 to show that differentially private accurate computation of the inner product cannot be reduced to one-way functions in a black-box way.

Unlike the case of key-agreement protocols discussed in Sect. 4.1, here we consider a setting where the parties do hold private inputs. Since our main result (Theorem 3.7) only handles no-input protocols, in order to apply it to differentially private protocols, we need first to reduce the question in hand to such no-input protocols. Indeed, much of the following text deals with this transformation.

In proving the results of this section, we begin (Sect. 4.2.3) by using Theorem 3.7 together with an (“information theoretic”) result by [22], to show that a “sampled-input” protocol cannot be both differentially private and a good approximation for the inner product of two strings. In a sampled-input protocol, the no-input parties choose the inputs to the functionality (in our case, the inner-product function) by themselves. We then (Sect. 4.2.4) derive the same limitation on protocols with inputs, but where the correctness and privacy are measured with respect to uniformly chosen inputs. Finally, Sect. 4.2.5, we use the latter result to show the same limitation for fixed inputs, hence proving our main result. Before starting with the aforementioned plan, we first recall the formal definition of differential privacy, cite the result of [22] (Sect. 4.2.1) and formally state our main results (Sect. 4.2.2).

4.2.1 Standard Definitions and Known Facts

We start by recalling the standard definition of differential privacy for mechanisms (in a centralized model, where the mechanism has access to all the data). Let \(\Sigma \) be some alphabet. For strings \(x, x' \in \Sigma ^s\), let \(H_d\left( x,x' \right) = \left| \left\{ i \in [s] :x_i \ne x'_i\right\} \right| \) denote the Hamming distance between \(x\) and \(x'\). A randomized mechanism operating on \(s\)-long strings (databases) is a randomized algorithm that given input in \(\Sigma ^s\), outputs a value in the range \(\mathcal{{R}}\).

Definition 4.5

(\(\left( \alpha ,\gamma \right) \)-differential privacy [9] (in the centralized model)). A randomized mechanism \(\mathsf{M}\) over \(\Sigma ^s\) is \(\left( \alpha ,\gamma \right) \)-differentially private, if for every distinguisher \(\mathsf{D}\) and every \(x, x'\in \Sigma ^s\) with \(H_d\left( x,x' \right) =1\), it holds that

$$\begin{aligned} \Pr [\mathsf{D}\left( \mathsf{M}\left( x \right) \right) =1] \le e^\alpha \cdot \Pr [\mathsf{D}\left( \mathsf{M}\left( x' \right) \right) =1] + \gamma . \end{aligned}$$

If \(\mathsf{M}\) satisfies \(\left( \alpha ,\gamma \right) \)-differential privacy with \(\gamma =0\), then \(\mathsf{M}\) is just \(\alpha \)-differentially private.Footnote 14

Differential privacy extends naturally to the setting of two-party (semi-honest) protocols by requiring that the view of each party satisfies differential privacy with respect to the other party’s private input. In this work, we use a relaxed definition (and hence potentially easier to achieve) that only requires that the communication transcript (rather than the whole view of a party) is differentially private with respect to each party’s input. Such a requirement is easily implied by the above requirement on views, since any distinguisher that breaks the privacy seeing only the transcript can break the privacy seeing the whole view of a party (by simply disregarding everything in the view but the transcript part). We next define differential privacy for protocols using similar definitions to those given in [3, 22, 24]. Indeed, our definitions are close in spirit to the definition of IND-CDP from [24] (which they showed to be implied by all other definitions that they considered for computational differential privacy).

In the following, when we say protocol, we mean a two-party protocol. We focus on protocols where each party holds an \(s\)-bit string as its private input and call such protocols \(s\)-bit input protocols. We adapt the notations from Sect. 2.2 (defined for no-input protocols) to protocols with inputs, with the understanding that the view of a party also includes its \(s\)-bit private input. Specifically, given an oracle-aided protocol \(\pi = \left( \mathsf {A},\mathsf {B} \right) \), a function \(f\), and \(x,y\in {\{0,1\}}^*\), we define \(\left\langle \pi ^f\left( x,y \right) \right\rangle \) to be \(\left\langle (\mathsf {A}^f\left( x \right) ,\mathsf {B}^f\left( y \right) ) \right\rangle \) (i.e. the distribution over the joint views of parties in a random execution of \(\pi \) with access to \(f\), where the private input of \(\mathsf {A}\) is \(x\) and the private input of \(\mathsf {B}\) is \(y\)). Recall that for \(v\in \mathrm{Supp }\left( \left\langle \pi ^f\left( x,y \right) \right\rangle \right) \), we let \(\mathsf{trans}(v)\) denote the communication transcript in \(v\), and we let \({\mathrm{out }}^{\mathsf {P}}_i(v)\) denote the output of the party \({\mathsf {P}}\) at the \(i\)’th round. In the following, we let \({\mathrm{out }}^{\mathsf {P}}(v)\) denote the output of the party \({\mathsf {P}}\) at the last round of \(v\).

Definition 4.6

(Differential privacy for oracle-aided protocols) Let \({\mathcal{F}}\) be a function family and let \(\pi =\left( \mathsf {A},\mathsf {B} \right) \) be an \(s\)-bit input, oracle-aided protocol. The protocol \(\pi \) is \(\left( k,\alpha ,\gamma \right) \)-differentially private with respect to \({\mathcal{F}}\) and \(\mathsf {A}\), if for every \(k\)-query, oracle-aided distinguisher \(\mathsf{D}\) and every \(x,x',y\in {\{0,1\}}^s\) with \(H_d\left( x,x' \right) =1\), it holds that

$$\begin{aligned}&\mathop {\hbox {Pr}}\limits _{f\leftarrow {\mathcal{F}},v\leftarrow \left\langle \pi ^f\left( x,y \right) \right\rangle }\left[ \mathsf{D}^{f}\left( \mathsf{trans}\left( v \right) \right) =1\right] \\&\quad \le e^\alpha \cdot \mathop {\hbox {Pr}}\limits _{f\leftarrow {\mathcal{F}},v\leftarrow \left\langle \pi ^f\left( x',y \right) \right\rangle }\left[ \mathsf{D}^{f}\left( \mathsf{trans}\left( v \right) \right) =1\right] + \gamma . \end{aligned}$$

Being \(\left( k,\alpha ,\gamma \right) \)-differentially private relative to \({\mathcal{F}}\) and \(\mathsf {B}\) is analogously defined. If \(\pi \) is \(\left( k,\alpha ,\gamma \right) \)-differentially private relative to \({\mathcal{F}}\) and both parties, then it is \(\left( k,\alpha ,\gamma \right) \)-differentially private relative to \({\mathcal{F}}\).

Finally, \(\pi \) is \(\left( \alpha ,\gamma \right) \)-differentially private, if it is \(\left( \cdot ,\alpha ,\gamma \right) \)-differentially private relative to the trivial function family.

Note that for no-oracle protocols, the above definition of \(\left( \alpha ,\gamma \right) \)-differentially private matches the standard (no-oracle) definition (slightly relaxed, as we only require the transcript to preserve the privacy of the parties). Our impossibility results, given below, apply to the privacy parameter \(\alpha \) being smaller than some constant.

Since differentially private mechanisms cannot be deterministic, for any deterministic (non-constant) function \(g\) of the input, one can only hope for the output of the mechanism being a good approximation for \(g\). We next define a notion of accuracy for differentially private protocols.

Definition 4.7

(Good approximations) Let \(g:{\{0,1\}}^{s}\times {\{0,1\}}^{s}\mapsto \mathbb {R}\) be a deterministic function and let \(\pi =\left( \mathsf {A},\mathsf {B} \right) \) be an \(s\)-bit input, oracle-aided protocol. The protocol \(\pi \) is a \(\left( \beta ,d \right) \)-approximation for \(g\) relative to a function family \({\mathcal{F}}\), if for every \(f\in {\mathcal{F}}\), for every \(x,y\in {\{0,1\}}^s\) and \({\mathsf {P}}\in \left\{ \mathsf {A},\mathsf {B}\right\} \), it holds that

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{v\leftarrow \left\langle \pi ^f\left( x,y \right) \right\rangle }\left[ \left|{\mathrm{out }}^{\mathsf {P}}\left( v \right) -g\left( x,y \right) \right|> d\right] < \beta . \end{aligned}$$
(10)

Namely, we require that the output of both parties is within distance \(d\) from \(g\left( x,y \right) \) with probability at least \(\beta \).

For two \(s\)-bit strings \(x\) and \(y\), let \(\mathsf{IP}(x,y)\) denote the inner product of \(x\) and \(y\): that is \(\mathsf{IP}(x,y)=\sum _{i\in [s]}x_i\cdot y_i\). [22] Showed that for a small enough \(\gamma \), no two-party, no-oracle, \(\left( \alpha ,\gamma \right) \)-differentially private protocol for computing the inner product of two \(s\)-bit databases can be a \(\left( 0.01,d \right) \)-approximation for \(d\in o(\sqrt{s}/\log s)\). This follows from the following general theorem.

Theorem 4.8

([22, Theorem A.5]). Let \(\pi = (\mathsf {A},\mathsf {B})\) be an \(s\)-bit (no-oracle) protocol, let \({X_{\mathrm{In }}}\) and \({Y_{\mathrm{In }}}\) be the inputs of \(\mathsf {A}\) and \(\mathsf {B}\), respectively, and let \({X_{\mathrm{out }}}\) and \({Y_{\mathrm{out }}}\) be the outputs of \(\mathsf {A}\) and \(\mathsf {B}\), respectively, induced by a random execution of \(\pi \). Assume that both \({X_{\mathrm{In }}}\) and \({Y_{\mathrm{In }}}\) are independently and uniformly chosen from \({\{0,1\}}^s\) and that \(\pi \) is \(\left( \alpha ,\gamma \right) \)-differentially private, then

$$\begin{aligned} \Pr \left[ \left| {Y_{\mathrm{out }}}- \mathsf{IP}({X_{\mathrm{In }}},{Y_{\mathrm{In }}})\right| < \Delta :{=}\Omega \left( \frac{\sqrt{s}}{\log s}\cdot \frac{\tau }{e^\alpha } \right) \right] \le \tau \end{aligned}$$

for every \(1\ge \tau \ge 48s\gamma \). The same holds for \({X_{\mathrm{out }}}\).

In the next section, we use similar arguments to the ones used by [22], to prove a variant of Theorem 4.8 for (no-oracle) no-input protocols (which we call here sampled-input protocols). For that we recall a few definitions and results from [22].

Lemma 4.9

([22, Lemma A.3]). Let \(\mathsf{M}\) be an \(\left( \alpha ,\gamma \right) \)-differentially private mechanism over \({\{0,1\}}^s\). Then, for every \(\nu >0\) and every \(x, x'\in {\{0,1\}}^s\) with \(H_d\left( x,x' \right) =1\), it holds that

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{m\leftarrow \mathsf{M}(x)}\left[ \frac{\Pr [{\mathsf{M}\left( x \right) }=m]}{\Pr [{\mathsf{M}\left( x' \right) }=m]}\notin \left[ e^{-\left( \nu +\alpha \right) },e^{\left( \nu +\alpha \right) }\right] \right] < \gamma \cdot \frac{1+e^{-\left( \nu +\alpha \right) }}{1-e^{-{\nu }}}. \end{aligned}$$
(11)

Unpredictability of Bit Sources. The model of random sources introduced by [28] is one where each bit is somewhat unpredictable given the previous ones. An unpredictable \(s\)-bit source is a random variable over \({\{0,1\}}^s\) with the property that given any prefix of it, it is hard to guess the value of the next bit.

Definition 4.10

(\(\left( \eta ,\gamma \right) \)-unpredictable bit source). For \(\eta \in [0,1]\), a random variable \(X = \left( X_1,\ldots ,X_s \right) \) taking values in \({\{0,1\}}^s\) is an \(\left( \eta ,\gamma \right) \)-unpredictable bit source, if with probability at least \(1-\gamma \) over \(i \leftarrow [s]\) and over \(\left( x_1,\ldots ,x_{i-1} \right) \leftarrow \left( X_1,\ldots ,X_{i-1} \right) \), it holds that

$$\begin{aligned} \eta \le \frac{\Pr \left[ {X_{i}}=0\;|\;{X_{1}}=x_1,\ldots {X_{i-1}}=x_{i-1}\right] }{\Pr \left[ {X_{i}}=1\;|\;{X_{1}}=x_1,\ldots {X_{i-1}}=x_{i-1}\right] } \le 1/\eta . \end{aligned}$$

A variable \(X\) is \(\eta \)-unpredictable, if it is \(\left( \eta ,0 \right) \)-unpredictable.

A random variable \(X = \left( X_1,\ldots ,X_s \right) \) taking values in \({\{0,1\}}^s\) is an \(\left( \eta ,\gamma \right) \)-strongly unpredictable bit source, if with probability at least \(1-\gamma \) over \(i \leftarrow [s]\) and over \(\left( x_1,\ldots ,x_{i-1},x_{i+1},\ldots ,x_s \right) \leftarrow \left( X_1,\ldots ,X_{i-1},X_{i+1},\ldots ,X_s \right) \), it holds that

$$\begin{aligned} \eta \le \frac{\Pr \left[ {X_{i}}=0\;|\;{X_{1}}=x_1,\ldots {X_{i-1}}=x_{i-1},{X_{i+1}}=x_{i+1},\ldots ,{X_{s}}=x_s\right] }{\Pr \left[ {X_{i}}=1\;|\;{X_{1}}=x_1,\ldots {X_{i-1}}=x_{i-1},{X_{i+1}}=x_{i+1},\ldots ,{X_{s}}=x_s\right] } \le 1/\eta . \end{aligned}$$

Note that if \(X\) is \(\eta \)-unpredictable for \(\eta = 1\), then it is uniform. More generally, the larger the \(\eta \) is, the more the “randomness” is the source guaranteed to have. Specifically, an unpredictable source has high min-entropy.

Fact 4.11

Let \(X = \left( X_1,\ldots ,X_s \right) \) be an \(\eta \)-unpredictable source, then the min-entropy of \(X\), defined as \(\hbox {H}_{\infty }(X) = \min _{x\in \mathrm{Supp }(X)}\log \frac{1}{\Pr [X=x]}\) is at least \(\beta s\) for \(\beta =\log \left( 1+\eta \right) \).

Proof

Fix \((x_1,\dots , x_s) \in \mathrm{Supp }(X)\), \(i \in [s]\) and \(b\in {\{0,1\}}\). Definition 4.10 yields thatFootnote 15

$$\begin{aligned} \Pr \left[ {X_{i}}\!=\!b\;|\;{X_{1}}\!=\!x_1,\ldots {X_{i-1}}\!=\!x_{i-1}\right] \ge \eta \cdot \Pr \left[ {X_{i}}\!=\!1\!-\!b\;|\;{X_{1}}\!=\!x_1,\ldots {X_{i-1}}\!=\!x_{i-1}\right] . \end{aligned}$$

Since \(\Pr \left[ {X_{i}}=b\;|\;{X_{1}}=x_1,\ldots {X_{i-1}}=x_{i-1}\right] + \Pr \left[ {X_{i}}=1-b\;|\;{X_{1}}=x_1,\ldots {X_{i-1}}=\right. \) \(\left. x_{i-1}\right] =1\), it follows that \((1+\eta ) \cdot \Pr \left[ {X_{i}}=b\;|\;{X_{1}}=x_1,\ldots {X_{i-1}}=x_{i-1}\right] \le 1\), and therefore \(\Pr [X =(x_1,\dots , x_s)] \le \left( \frac{1}{1+\eta }\right) ^s\).\(\square \)

We will make use of the following results from [22].

Lemma 4.12

([22, Lemma A.2]). Let \(X = \left( X_1,\ldots ,X_s \right) \) be an \(\left( \eta ,\gamma \right) \)-strongly unpredictable bit source, then, for every \(\nu >0\), it is \(\frac{s\gamma }{\nu }\)-close to some \(\hat{\eta }\)-unpredictable bit source, where \(\hat{\eta }=\eta \cdot \frac{1-\nu }{1+\nu }\).

Corollary 4.13

Let \(X = \left( X_1,\ldots ,X_s \right) \) be an \(\left( \eta ,\gamma \right) \)-strongly unpredictable bit source, then it is \(2s\gamma \)-close to some \(\eta /3\)-unpredictable bit source.

Proof

Apply Lemma 4.12 with \(\nu =1/2\).\(\square \)

Theorem 4.14

([22, Theorem3.4]). Let \(X\) and \(Y\) be \(s\)-bit independent bit sources, where \(X\) is \(\eta \)-unpredictable and \(Y\) has min-entropy at least \(\beta s\), and let \(Z = \mathsf{IP}(X,Y) \,\mathrm{mod}\, r\) for some \(r\in {\mathbb {N}}\). Assume that \(s\ge c\cdot \frac{r^2}{\eta \beta } \cdot \log \left( \frac{r}{\beta } \right) \cdot \log \left( \frac{r}{\gamma } \right) \) for some \(\gamma \in [0, 1]\), where \(c\) is a universal constant, then \(\mathrm{SD}\left( (Y,Z),(Y,U_r) \right) \le \gamma \), where \(U_r\) is uniform on \({\mathbb {Z}}_r\) and independent of \(Y\).

4.2.2 Limits on Differentially Private Oracle-Aided Protocols for Computing Inner Product

In this section, we state our main impossibility results for differentially private, oracle-aided protocols for accurately approximating the inner product of two \(s\)-bit strings. We first give (Theorem 4.16) a lower bound on the accuracy of differentially private protocols for approximating the inner product of two \(s\)-bit strings relative to general function families (for protocols that have a certain type of mapping to no-oracle protocols). We then give lower bound on the accuracy of any differentially private, oracle-aided protocol for approximating the inner product of two \(s\)-bit strings relative to simple function families (Theorem 4.17).

Since these results deal with with-input protocols and since our discussion in Sect. 3 only handles no-input protocols, our proof proceeds by reducing the problem of with-input protocols that accurately approximate the inner-product function to a similar problem on no-input protocols. Specifically, for a given with-input protocol, we consider its no-input variant (called the sampled-input variant), in which the parties use the first \(s\) bits in their random input string as inputs (see the formal definition below).

Definition 4.15

(The sampled-input variant \(\mu \left( \pi \right) \)). Given an \(s\)-bit input, (possibly, oracle-aided) protocol \(\pi = (\mathsf {A},\mathsf {B})\), let \(\mu \left( \pi \right) = (\mu \left( \mathsf {A} \right) ,\mu \left( \mathsf {B} \right) )\) denote the following \(s\)-bit sampled-input protocol:

The parties \(\mu \left( \mathsf {A} \right) \) and \(\mu \left( \mathsf {B} \right) \) interact in an execution of \((\mathsf {A}(x_\mathsf {A};r_\mathsf {A}),\mathsf {B}(x_\mathsf {B};r_\mathsf {B}))\), taking the roles of \(\mathsf {A}\) and \(\mathsf {B}\), respectively, where \(x_\mathsf {A}\) [resp., \(x_\mathsf {B}\)] is the first \(s\) bits of \(\mu \left( \mathsf {A} \right) \)’s [resp., \(\mu \left( \mathsf {B} \right) \)’s] coins, and \(r_\mathsf {A}\) [resp., \(r_\mathsf {B}\)] is the rest of \(\mu \left( \mathsf {A} \right) \)’s [resp., \(\mu \left( \mathsf {B} \right) \)’s] coins. Let \(a\) and \(b\) be the outputs of \(\mathsf {A}\) and \(\mathsf {B}\), respectively, in this execution, then the outputs of \(\mu \left( \mathsf {A} \right) \) and \(\mu \left( \mathsf {B} \right) \) will be \((x_\mathsf {A},a)\) and \((x_\mathsf {B},b)\), respectively.

Roughly speaking, in Theorem 4.16, stated below, we show that if an oracle-aided protocol \(\pi \) is \(\left( T,\alpha ,\gamma \right) \)-differentially private relative to a function family \({\mathcal{F}}\) and if \((\mu (\pi ),{\mathcal{F}})\) has a \(\left( T,\varepsilon \right) \)-\({\mathrm{mapping }}\), then \(\pi \) is not a good approximation for the inner-product functionality relative to \({\mathcal{F}}\).

Theorem 4.16

For \(\nu >0\) and \(\alpha \ge 0\), there exist \(\lambda >0\) and \(z\in {\mathbb {N}}\) such that the following holds. Let \({\mathcal{F}}\) be a function family, let \(s \ge z\), let \(\pi = (\mathsf {A},\mathsf {B})\) be an oracle-aided, \(s\)-bit input protocol, and let \(\mu \left( \pi \right) \) be its sampled-input variant. Assume that \(\pi \) is \(\left( T,\alpha ,\gamma \right) \)-differentially private relative to \({\mathcal{F}}\) and that \(({\mathcal{F}},\mu \left( \pi \right) )\) has a \(\left( T,\varepsilon \right) \)-\({\mathrm{mapping }}\), then for some \(f\in {\mathcal{F}}\) and every \({\mathsf {P}}\in \left\{ \mathsf {A},\mathsf {B}\right\} \), there exist \(x,y\in {\{0,1\}}^s\) such that

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{v\leftarrow \left\langle \pi ^f\left( x,y \right) \right\rangle }\left[ \left| {\mathrm{out }}^{\mathsf {P}}(v)- \mathsf{IP}(x,y)\right| \le \Delta :{=}\lambda \cdot \frac{\sqrt{s}}{\log s}\cdot \left( \tau -\varepsilon \right) \right] \le \tau , \end{aligned}$$
(12)

for every \(\tau \le 1\) with \(\tau -\varepsilon \ge \max \left\{ 48s\gamma ,\nu \right\} \). The same holds for \({X_{\mathrm{out }}}\).

The proof of Theorem 4.16 is given in Sect. 4.2.5. At the end of this subsection, we provide a high-level overview of the steps towards proving Theorem 4.16.

Combining Theorems 3.7 and 4.16 yields an impossibility result for differentially private oracle-aided protocols for approximating the inner-product functionality relative to simple function families.

Theorem 4.17

For a simple function family \({\mathcal{F}}\) and constants \(0<\nu <1\) and \(\alpha \ge 0\), there exist \(\lambda >0\) and \(z\in {\mathbb {N}}\) such that the following holds. Let \(s\ge z\) and let \(\pi \) be an \(s\)-bit input, \(\ell \)-query oracle-aided protocol that is \(\left( k,\alpha ,\gamma \right) \)-differentially private relative to \({\mathcal{F}}\), for some \(k > 2^{10}\cdot \left( \frac{2\ell }{1-\nu } \right) ^2\) and \(\gamma \le \frac{\nu }{48\cdot s}\). Then, for \(\beta <\frac{1-\nu }{2}\) and \(d\le \lambda \cdot \nu \cdot \frac{\sqrt{s}}{\log s}\), protocol \(\pi \) is not a \(\left( \beta ,d \right) \)-approximation for the inner-product functionality relative to \({\mathcal{F}}\).

Proof

For numbers \(0<\nu <1\) and \(\alpha \ge 0\), let \(\lambda \) and \(z\) be as in Theorem 4.16. Let \({\mathcal{F}}\) be a simple function family and let \(\pi \) be an \(s\)-bit input, \(\ell \)-query oracle-aided protocol. Let \(\mu \left( \pi \right) \) be the (oracle-aided) sampled-input variant of \(\pi \) (see Definition 4.15). By construction, \(\mu \left( \pi \right) \) is an \(\ell \)-query, oracle-aided, no-input protocol. Finally, let \(\varepsilon =\frac{1-\nu }{2}\).

Theorem 3.7 yields that \(({\mathcal{F}},\mu \left( \pi \right) )\) has a \(\left( T,\varepsilon \right) \)-\({\mathrm{mapping }}\) for \(T=2^{10}\cdot \left( \frac{\ell }{\varepsilon } \right) ^2=2^{10}\cdot \left( \frac{2\ell }{1-\nu }\right) ^2\). Let \(\gamma \) be such that \(\gamma \le \frac{\nu }{48\cdot s}\). Taking \(\tau =\nu + \varepsilon \), it follows that \(\tau -\varepsilon \ge \max \left\{ 48s\gamma ,\nu \right\} \), as required by Theorem 4.16. Hence, for \(k \ge T\), Theorem 4.16 yields that if \(\pi \) is \(\left( k,\alpha ,\gamma \right) \)-differentially private relative to \({\mathcal{F}}\), then it is not a \(\left( \beta ,d \right) \)-approximation for the inner-product functionality relative to \({\mathcal{F}}\), whenever \(d\le \lambda \cdot \frac{\sqrt{s}}{\log s}\cdot \left( \tau -\varepsilon \right) =\lambda \cdot \nu \cdot \frac{\sqrt{s}}{\log s}\) and \(\beta \le 1-\tau = 1- \nu - \varepsilon \). Plugging in the value of \(\varepsilon \), the latter holds whenever \(\beta \le \frac{1-\nu }{2}\).\(\square \)

A High-Level Overview of the Proof of Theorem 4.16. First, in Sect. 4.2.3, we define sampled-input protocols. In such a protocol, the parties have no initial inputs and the output of each party in any execution of the protocol consists of a sampled input and an actual output. Namely, the parties may sample an input during the execution of the protocol. See Definition 4.18 for a formal definition. Note that this notion is different from the notion of the sampled-input variant of a protocol (Definition 4.15): In Definition 4.15, the inputs of the parties are chosen independently at random at the beginning of the protocol, whereas in a sampled-input protocol, the inputs may be chosen during the execution of the protocol and are not necessarily independent or uniform. However, note that for any protocol \(\pi \), it holds that \(\mu (\pi )\) is a sampled-input protocol.

In Theorem 4.21, we provide limitations on the accuracy of a no-oracle sampled-input differentially private protocol. The proof of Theorem 4.21 is similar to the proof of Theorem 4.8 with some adaptations that are needed since the sampled inputs of the parties are not necessarily independent.

Then, in Proposition 4.25, we give limitations on the accuracy of an oracle-aided sampled-input differentially private protocol \(\pi \) relative to a function family \({\mathcal{F}}\), such that the pair \((\pi ,{\mathcal{F}})\) has an appropriate mapping to a no-oracle protocol. Proposition 4.25 is proved by combining Definition 3.6 and Proposition 4.21.

In Sect. 4.2.4, we define uniform-input executions of protocols, where the correctness and privacy are measured with respect to uniformly chosen inputs. In Proposition 4.28, we provide limitations on the accuracy of an oracle-aided uniform-input differentially private protocol \(\pi \) relative to a function family \({\mathcal{F}}\) where \((\mu (\pi ),{\mathcal{F}})\) has an appropriate mapping to a no-oracle protocol. This is proved by the observation that if \(\pi \) is differentially private and a good approximation relative to \({\mathcal{F}}\), then so is \(\mu (\pi )\), since \(\mu (\pi )\) works identically to \(\pi \) by Definition 4.15. We then use Proposition 4.25 to obtain that \(\mu (\pi )\) cannot be a good approximation for the inner-product functionality relative to \({\mathcal{F}}\), and hence, we conclude that \(\pi \) cannot be a good approximation as well. One subtle point that we should mention here is that while the inputs of \(\mu (\pi )\) are chosen uniformly at random and are independent, the inputs of the no-oracle protocol obtained from \(\mu (\pi )\) in the transformation applied in the proof of Proposition 4.25 are not necessarily independent (we show in Lemma 4.24 that each of the sampled inputs of the no-oracle protocol is identically distributed as the corresponding sampled input of the oracle-aided protocol, but the joint distribution of the sampled inputs of both parties in the no-oracle protocol is not necessarily distributed as the joint distribution in the oracle-aided protocol), and hence, we needed to prove Theorem 4.21 for the stronger case of sampled-input protocols.

Finally, in Sect. 4.2.5, we finish the proof of Theorem 4.16 by showing that a lower bound on the accuracy of a differentially private protocol with respect to uniform inputs implies a similar lower bound for a certain choice of inputs, and hence, we obtain a lower bound on arbitrary protocols.

4.2.3 Limits on Sampled-Input Protocols

In this section, we give a lower bound on the accuracy of no-input, two-party, differentially private protocols, where the inputs for the functionally are derived from the parties’ private coins (while preserving differential privacy with respect to these inputs). We do so by combining a result from [22] (stated here as Theorem 4.8) and our main result from Sect. 3 (Theorem 3.7).

Definition 4.18

(Sampled-input protocols) A no-input protocol \(\pi = (\mathsf {A},\mathsf {B})\) is an \(s\)-bit sampled-input protocol, if the output of party \(\mathsf {A}\) in any execution of \(\pi \) is of the form \((x,a)\) and the output of party \(\mathsf {B}\) is of the form \((y,b)\), where \(x,y\in {\{0,1\}}^s\). We call \(x\) [resp., \(y\)] the sampled input of \(\mathsf {A}\) [resp., \(\mathsf {B}\)], and \(a\) [resp., \(b\)] the actual output of \(\mathsf {A}\) [resp., \(\mathsf {B}\)].

For \(v \in \mathrm{Supp }\left( \left\langle \pi ^f \right\rangle \right) \), let \(\mathrm{SInp }^{\mathsf {P}}(v)\) denote the sampled input of party \({\mathsf {P}}\) in \(v\), and \(\mathrm{AOut }^{\mathsf {P}}(v)\) denote the actual output of the party \({\mathsf {P}}\).Footnote 16

We next extend the notion of good approximations to sampled-input protocols. Intuitively, we require the actual outputs of both parties to be within distance \(d\) from the value of \(g\) applied to the sampled inputs of the parties, except with probability \(\beta \).

Definition 4.19

(Sampled-input good approximations) Let \(g:{\{0,1\}}^{s}\times {\{0,1\}}^{s}\mapsto \mathbb {R}\) be a deterministic function, and let \(\pi = (\mathsf {A},\mathsf {B})\) be an oracle-aided, \(s\)-bit sampled-input protocol. The protocol \(\pi \) is a \(\left( \beta ,d \right) \)-SI-approximation for \(g\) relative to a function family \({\mathcal{F}}\) and \({\mathsf {P}}\in \left\{ \mathsf {A},\mathsf {B}\right\} \), if for every \(f\in {\mathcal{F}}\), it holds that

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{v\leftarrow \left\langle \pi ^f \right\rangle }\left[ \left|\mathrm{AOut }^{\mathsf {P}}\left( v \right) -g\left( \mathrm{SInp }^{\mathsf {A}}\left( v \right) ,\mathrm{SInp }^{\mathsf {B}}\left( v \right) \right) \right|> d\right] < \beta . \end{aligned}$$
(13)

Protocol \(\pi \) is a \(\left( \beta ,d \right) \)-SI-approximation for \(g\) relative to \({\mathcal{F}}\), if it is a \(\left( \beta ,d \right) \)-SI-approximation for \(g\) relative to \({\mathcal{F}}\) and both parties.

We also extend the notion of differential privacy to sampled-input protocols.

Definition 4.20

(Differential privacy sampled-input protocols) Let \({\mathcal{F}}\) be a function family and let \(\pi =\left( \mathsf {A},\mathsf {B} \right) \) be an oracle-aided, \(s\)-bit sampled-input protocol. The protocol \(\pi \) is \(\left( k,\alpha ,\gamma \right) \)-differentially private relative to \({\mathcal{F}}\) and \(\mathsf {A}\), if for every \(k\)-query, oracle-aided distinguisher \(\mathsf{D}\) and every \(x, x'\in {\{0,1\}}^s\) with \(H_d\left( x,x' \right) =1\), it holds that

$$\begin{aligned}&\mathop {\hbox {Pr}}\limits _{f\leftarrow {\mathcal{F}},v\leftarrow \left\langle \pi ^f \right\rangle }\left[ \mathsf{D}^{f}\left( \mathsf{trans}\left( v \right) \right) =1\;|\;\mathrm{SInp }^\mathsf {A}\left( v \right) =x\right] \\&\le e^\alpha \cdot \mathop {\hbox {Pr}}\limits _{f\leftarrow {\mathcal{F}},v\leftarrow \left\langle \pi ^f \right\rangle }\left[ \mathsf{D}^{f}\left( \mathsf{trans}\left( v \right) \right) =1\;|\;\mathrm{SInp }^\mathsf {A}\left( v \right) =x'\right] + \gamma . \end{aligned}$$

The differential privacy of \(\pi \) relative to \({\mathcal{F}}\) and \(\mathsf {B}\) is defined analogously.

The protocol \(\pi \) is \(\left( k,\alpha ,\gamma \right) \)-differentially private relative to \({\mathcal{F}}\), if it is \(\left( k,\alpha ,\gamma \right) \)-differentially private relative to \({\mathcal{F}}\) and both parties.

Lower Bound for No-Oracle Sampled-Input Protocols. The following theorem is a variant of Theorem 4.8, suited for no-oracle, sampled-input protocols.

Theorem 4.21

For numbers \(\nu >0\) and \(\alpha \ge 0\), there exist numbers \(\lambda >0\) and \(z\in {\mathbb {N}}\) such that the following holds. Let \(\pi = (\mathsf {A},\mathsf {B})\) be a no-oracle, \(s\)-bit sampled-input protocol, let \({X_{\mathrm{In }}}\) and \({Y_{\mathrm{In }}}\) be the sampled inputs of \(\mathsf {A}\) and \(\mathsf {B}\), respectively, and let \({X_{\mathrm{out }}}\) and \({Y_{\mathrm{out }}}\) be the actual outputs of \(\mathsf {A}\) and \(\mathsf {B}\), respectively, induced by a random execution of \(\pi \).

Assume that both \({X_{\mathrm{In }}}\) and \({Y_{\mathrm{In }}}\) are uniformly distributed over \({\{0,1\}}^s\), that \(\pi \) is \(\left( \alpha ,\gamma \right) \)-differentially private and that \(s \ge z\), then

$$\begin{aligned} \Pr \left[ \left| {Y_{\mathrm{out }}}- \mathsf{IP}({X_{\mathrm{In }}},{Y_{\mathrm{In }}})\right| \le \Delta :{=}\lambda \cdot \frac{\sqrt{s}}{\log s}\cdot \tau \right] \le \tau \end{aligned}$$

for every \(1\ge \tau \ge \max \left\{ 48s\gamma ,\nu \right\} \). The same holds for \({X_{\mathrm{out }}}\).

The main difference between Theorem 4.21 and Theorem 4.8 is that Theorem 4.21 allows \({X_{\mathrm{In }}}\) and \({Y_{\mathrm{In }}}\) to be chosen during the protocol (and hence not necessarily be independent), where Theorem 4.8 assumes that the inputs are selected by an external entity (hence, needing to require independence of inputs). Note that Theorem 4.21 requires that each of \({X_{\mathrm{In }}}\) and \({Y_{\mathrm{In }}}\) is uniformly distributed over \({\{0,1\}}^s\), but they are not assumed to be independent. We observe that the proof of Theorem 4.8 given in [22] does not require a priori independence between \({X_{\mathrm{In }}}\) and \({Y_{\mathrm{In }}}\), but only that they are independent given any transcript of the protocol. The latter holds, however, for any joint distribution for \(({X_{\mathrm{In }}},{Y_{\mathrm{In }}})\), since the views of the parties (in the information-theoretic model with no inputs) are always independent of each other, given the transcript. Indeed, Theorem 4.21 easily follows by slight adaptation to the proof of Theorem 4.8, given in [22]. For completeness, however, we include a proof (much of which, taken verbatim from [22]). Let us first describe the outline of the proof given in [22] for Theorem 4.8 (Theorem A.5 in [22]), which is in turn the scheme of our proof. Their proof is twofold:

  1. 1.

    The first part of it is a result about unpredictable bit sources, showing that it is possible to extract a uniform element in \({\mathbb {Z}}_r\) from the inner product between two independent unpredictable \(s\)-bit variables (even given one of these variables), provided that \(r\) is somewhat less than \(\sqrt{s}\) (for the formal statement see Theorem 4.14).

  2. 2.

    The second part of the proof deals with executions of \(\left( \alpha ,\gamma \right) \)-differentially private protocols, where the inputs of the parties are selected uniformly at random. It is shown that the input of each party in such executions, given the transcript of the execution, is close to an unpredictable bit source.

Finally, combining the above two results yields that every two-party differentially private protocol for approximating the inner-product functionality must incur an error of roughly \(r \approx \sqrt{s}\). Indeed, if a significantly better approximation could be computed given the transcript (and one party’s input), then the inner product would be concentrated in an interval of size significantly smaller than \(r\), contradicting the fact that it reduces to an almost-uniform element of \({\mathbb {Z}}_r\).

When proving Theorem 4.21 for the case of sampled-input protocols, we can use the first part of the proof given in [22] for Theorem 4.8, without reproving it, whereas we reprove the second part, with respect to sampled-input protocols, in Claim 4.22.

Proof of Theorem 4.21

Let \(\pi = (\mathsf {A},\mathsf {B})\) be a no-oracle, \(s\)-bit sampled-input protocol, let \({X_{\mathrm{In }}}\) and \({Y_{\mathrm{In }}}\) be the sampled inputs of \(\mathsf {A}\) and \(\mathsf {B}\), respectively, and let \({X_{\mathrm{out }}}\) and \({Y_{\mathrm{out }}}\) be the actual outputs of \(\mathsf {A}\) and \(\mathsf {B}\), respectively, induced by a random execution of \(\pi \). Let \({\overline{T}}\) be the communication transcript in a random execution of \(\pi \), and for \(\overline{t}\in \mathrm{Supp }\left( {\overline{T}} \right) \) let \({X_{{\mathrm{In }}\;|\;\overline{t}}}\) [resp., \({Y_{{\mathrm{In }}\;|\;\overline{t}}}\)] be the value of \({X_{\mathrm{In }}}\) [resp., \({Y_{\mathrm{In }}}\)] in such a random execution, conditioned on \({\overline{T}}= \overline{t}\). Assume that both \({X_{\mathrm{In }}}\) and \({Y_{\mathrm{In }}}\) are uniformly distributed over \({\{0,1\}}^s\) and that \(\pi \) is \(\left( \alpha ,\gamma \right) \)-differentially private. Let \(\eta =e^{-\left( 1.1+\alpha \right) }/3\) and \(\beta = \log \left( 1+\eta ) \right) \). Finally, fix \(\nu >0\) and \(\tau \ge \max \left\{ 48s\gamma ,\nu \right\} \).

The proof is carried via the following claims (proofs given below). In Claim 4.22, we show that by the differential privacy of \(\pi \), it holds that \({X_{{\mathrm{In }}\;|\;\overline{t}}}\) and \({Y_{{\mathrm{In }}\;|\;\overline{t}}}\) are, on average, close to being unpredictable. In Claim 4.23, we define the constants \(\lambda \) and \(z\) so that we can apply Theorem 4.14 with respect to such sources.\(\square \)

Claim 4.22

There exist numbers \(\left\{ \gamma _{\overline{t}}\right\} _{\overline{t}\in \mathrm{Supp }\left( {\overline{T}} \right) }\) with \({\hbox {E}}\left[ \gamma _{{\overline{T}}}\right] \le 4\gamma \), such that the following holds for every \(\overline{t}\in \mathrm{Supp }\left( {\overline{T}} \right) \): the random variable \({X_{{\mathrm{In }}\;|\;\overline{t}}}\) [resp., \({Y_{{\mathrm{In }}\;|\;\overline{t}}}\)] is \(2s\gamma _{\overline{t}}\)-close to some \(\eta \)-unpredictable bit source \({\widehat{X}_{\overline{t}}}\) [resp., \({\widehat{Y}_{\overline{t}}}\)].

Claim 4.23

There exist numbers \(\lambda >0\) and \(z\in {\mathbb {N}}\), functions of \(\alpha \) and \(\nu \), such that the following holds. Let \(\Delta =\lambda \cdot \frac{\sqrt{s}}{\log s}\cdot \tau \), let \(r=6 \cdot \Delta /\tau \) and let \(c\) be the universal constant from Theorem 4.14. Assuming \(s\ge z\), then \(s\ge c\cdot \frac{r^2}{\eta \beta } \cdot \log \left( \frac{r}{\beta } \right) \cdot \log \left( \frac{r}{\tau /3} \right) \).

We use the above claims for proving Theorem 4.21 \({Y_{\mathrm{out }}}\), where the proof for \({X_{\mathrm{out }}}\) is analogous. Fix for a moment \(\overline{t}\in \mathrm{Supp }\left( {\overline{T}} \right) \), and note that \({X_{{\mathrm{In }}\;|\;\overline{t}}}\) and \({Y_{{\mathrm{In }}\;|\;\overline{t}}}\) are independent (since \(\pi \) is a no-input, no-oracle protocol). Let \(\left\{ \gamma _{\overline{t}}\right\} _{\overline{t}\in \mathrm{Supp }\left( {\overline{T}} \right) }\), \(\lambda \), \(z\), \(\Delta \) and \(r\), be the numbers from Claims 4.22 and 4.23. Claim 4.22 yields that

$$\begin{aligned} \mathrm{SD}\left( \left( {Y_{{\mathrm{In }}\;|\;\overline{t}}},\mathsf{IP}({X_{{\mathrm{In }}\;|\;\overline{t}}},{Y_{{\mathrm{In }}\;|\;\overline{t}}})\,\mathrm{mod}\,r \right) , \left( {\widehat{Y}_{\overline{t}}},\mathsf{IP}({\widehat{X}_{\overline{t}}},{\widehat{Y}_{\overline{t}}})\,\mathrm{mod}\,r \right) \right) \le 4s\gamma _{\overline{t}} \end{aligned}$$
(14)

for some two (independent) \(\eta \)-unpredictable bit sources \({\widehat{X}_{\overline{t}}}\) and \({\widehat{Y}_{\overline{t}}}\). Note that by Fact 4.11, both \({\widehat{X}_{\overline{t}}}\) and \({\widehat{Y}_{\overline{t}}}\) have min-entropy \(\beta s\).

Assume \(s \ge z\). Since by Claim 4.23 \(s\ge c\cdot \frac{r^2}{\eta \beta } \cdot \log \left( \frac{r}{\beta } \right) \cdot \log \left( \frac{r}{\tau /3} \right) \), Theorem 4.14 yields that

$$\begin{aligned} \mathrm{SD}\left( \left( {\widehat{Y}_{\overline{t}}},\mathsf{IP}({\widehat{X}_{\overline{t}}},{\widehat{Y}_{\overline{t}}})\,\mathrm{mod}\,r \right) , \left( {\widehat{Y}_{\overline{t}}},U_r \right) \right) \le \tau /3, \end{aligned}$$
(15)

where \(U_r\) is independently and uniformly distributed over \({\mathbb {Z}}_r\). Finally, combining Eqs.(14) and (15) yields that

$$\begin{aligned} \mathrm{SD}\left( \left( {Y_{{\mathrm{In }}\;|\;\overline{t}}},\mathsf{IP}({X_{{\mathrm{In }}\;|\;\overline{t}}},{Y_{{\mathrm{In }}\;|\;\overline{t}}})\,\mathrm{mod}\,r \right) , \left( {\widehat{Y}_{\overline{t}}},U_r \right) \right) \le 4s\gamma _{\overline{t}}+\tau /3 \end{aligned}$$
(16)

for every \(\overline{t}\in \mathrm{Supp }\left( {\overline{T}} \right) \).

In the following, we assume without loss of generality that \(\mathsf {B}\)’s output is a deterministic function \(f_{\mathsf {B}}\) of \(\left( {Y_{\mathrm{In }}},{\overline{T}} \right) \).Footnote 17

Let \(\mathcal{{S}}= \left\{ \left( y,\overline{t},z \right) \in \mathrm{Supp }\left( {Y_{\mathrm{In }}},{\overline{T}} \right) \times {\mathbb {R}}:\left( f_{\mathsf {B}}\left( y,\overline{t} \right) -z \,\mathrm{mod}\,r \right) \in \left\{ r-\Delta ,\ldots ,0,\right. \right. \) \(\left. \left. \ldots ,\Delta \right\} \right\} .\) It follows that

$$\begin{aligned}&\Pr \left[ \left| {Y_{\mathrm{out }}}- \mathsf{IP}({X_{\mathrm{In }}},{Y_{\mathrm{In }}})\right| \le \Delta \right] \\&\quad \le \Pr \left[ ({Y_{\mathrm{In }}},{\overline{T}},\mathsf{IP}({X_{\mathrm{In }}},{Y_{\mathrm{In }}}))\in \mathcal{{S}}\right] \\&\quad =\Pr \left[ ({Y_{\mathrm{In }}},{\overline{T}},\mathsf{IP}({X_{\mathrm{In }}},{Y_{\mathrm{In }}})\,\mathrm{mod}\,r)\in \mathcal{{S}}\right] \\&\quad \le \Pr \left[ ({\widehat{Y}_{{\overline{T}}}},{\overline{T}},U_r) \in \mathcal{{S}}\right] + \mathrm{SD}\left( ({Y_{\mathrm{In }}},{\overline{T}},\mathsf{IP}({X_{\mathrm{In }}},{Y_{\mathrm{In }}})\,\mathrm{mod}\,r),({\widehat{Y}_{{\overline{T}}}},{\overline{T}},U_r)\right) \\&\quad \le \Pr \left[ ({\widehat{Y}_{{\overline{T}}}},{\overline{T}},U_r) \in \mathcal{{S}}\right] + {\hbox {E}}[4s\gamma _{{\overline{T}}}+\tau /3]\\&\quad \le 2\Delta /r + 16s\gamma +\tau /3\\&\quad \le \tau . \end{aligned}$$

The second inequality holds by Eq. (16), the third one since \({\hbox {E}}[\gamma _{{\overline{T}}}] \le 4\gamma \), and the last one since \(\frac{\Delta }{r} = \gamma /6\) and since, by assumption, \(\tau \ge 48s\gamma \).

Proof of Claim 4.22

Let \({X_{j}}\) denote the \(j\)’th bit in \({X_{\mathrm{In }}}\). For \(i\in [s]\) and \(\left( x,\overline{t} \right) \in \mathrm{Supp }\left( {X_{\mathrm{In }}},{\overline{T}} \right) \), define

$$\begin{aligned} \rho _X \left( i,x,\overline{t} \right)&:{=}\frac{\Pr \left[ {X_{i}}=0\;|\;{X_{1}}=x_1,\ldots {X_{i-1}}=x_{i-1},{X_{i+1}}=x_{i+1},\dots ,{X_{s}}=x_s,{\overline{T}}=\overline{t}\right] }{\Pr \left[ {X_{i}}=1\;|\;{X_{1}}=x_1,\ldots {X_{i-1}}=x_{i-1},{X_{i+1}}=x_{i+1},\dots ,{X_{s}}=x_s,{\overline{T}}=\overline{t}\right] }\\&=\frac{\Pr \left[ {\overline{T}}=\overline{t}\;|\;{X_{1}}=x_1,\ldots {X_{i-1}}=x_{i-1},{X_{i}}=0,{X_{i+1}}=x_{i+1},\dots ,{X_{s}}=x_s\right] }{\Pr \left[ {\overline{T}}=\overline{t}\;|\;{X_{1}}=x_1,\ldots {X_{i-1}}=x_{i-1},{X_{i}}=1,{X_{i+1}}=x_{i+1},\dots ,{X_{s}}=x_s\right] },\nonumber \end{aligned}$$
(17)

where the equality holds by the uniformity of \({X_{\mathrm{In }}}\) (using Bayes’ Rule), and let

$$\begin{aligned} \mathcal{{S}}_X=\left\{ \left( i,x,\overline{t} \right) :\rho _X \left( i,x,\overline{t} \right) \notin \left[ e^{-\left( 1.1+\alpha \right) },e^{\left( 1.1+\alpha \right) }\right] \right\} . \end{aligned}$$

Define \(\mathcal{{S}}_Y\) analogously for \({Y_{\mathrm{In }}}\). For \(\overline{t}\in \mathrm{Supp }\left( {\overline{T}} \right) \), set

$$\begin{aligned} \gamma _{\overline{t}}:{=}\max \left\{ \mathop {\hbox {Pr}}\limits _{i\leftarrow [s],x\leftarrow {X_{{\mathrm{In }}\;|\;\overline{t}}}}\left[ \left( i,x,\overline{t} \right) \in \mathcal{{S}}_X\right] , \mathop {\hbox {Pr}}\limits _{i\leftarrow [s],y\leftarrow {Y_{{\mathrm{In }}\;|\;\overline{t}}}}\left[ \left( i,y,\overline{t} \right) \in \mathcal{{S}}_Y\right] \right\} . \end{aligned}$$

It follows that \({X_{{\mathrm{In }}\;|\;\overline{t}}}\) and \({Y_{{\mathrm{In }}\;|\;\overline{t}}}\) are \((e^{-\left( 1.1+\alpha \right) },\gamma _{\overline{t}})\)-strongly unpredictable bit sources, and hence, Corollary 4.13 yields that both \({X_{{\mathrm{In }}\;|\;\overline{t}}}\) and \({Y_{{\mathrm{In }}\;|\;\overline{t}}}\) are \(2s\gamma _{\overline{t}}\)-close to some \((e^{-\left( 1.1+\alpha \right) }/3)\)-unpredictable bit sources, yielding the first requirement of the claim.

For the second requirement of the claim (\({\hbox {E}}\left[ \gamma _{{\overline{T}}}\right] \le 4\gamma \)), applying Lemma 4.9 with \(\nu =1.1\) yields that

$$\begin{aligned} \max \left\{ \mathop {\hbox {Pr}}\limits _{\left( x,\overline{t} \right) \leftarrow \left( {X_{\mathrm{In }}},{\overline{T}} \right) }\left[ \left( i,x,\overline{t} \right) \in \mathcal{{S}}_X\right] , \mathop {\hbox {Pr}}\limits _{\left( y,\overline{t} \right) \leftarrow \left( {Y_{\mathrm{In }}},{\overline{T}} \right) }\left[ \left( i,y,\overline{t} \right) \in \mathcal{{S}}_Y\right] \right\}&\le \gamma \cdot \frac{1\!+\!e^{-\left( 1.1+\alpha \right) }}{1-e^{-{1.1}}} \nonumber \\&< 2\gamma \end{aligned}$$
(18)

for every \(i\in [s]\),Footnote 18 and we conclude that

$$\begin{aligned} {\hbox {E}}\left[ \gamma _{{\overline{T}}}\right]&\le \mathop {\hbox {E}}\limits _{\overline{t}\leftarrow {\overline{T}}}\left[ \mathop {\hbox {Pr}}\limits _{i\leftarrow [s],x\leftarrow {X_{{\mathrm{In }}\;|\;\overline{t}}}}\left[ \left( i,x,\overline{t} \right) \in \mathcal{{S}}_X\right] + \mathop {\hbox {Pr}}\limits _{i\leftarrow [s],y\leftarrow {Y_{{\mathrm{In }}\;|\;\overline{t}}}}\left[ \left( i,y,\overline{t} \right) \in \mathcal{{S}}_Y\right] \right] \nonumber \\&\le {\hbox {E}}\left[ 2\cdot \max \left\{ \mathop {\hbox {Pr}}\limits _{\left( x,\overline{t} \right) \leftarrow \left( {X_{\mathrm{In }}},{\overline{T}} \right) }\left[ \left( i,x,\overline{t} \right) \in \mathcal{{S}}_X\right] ,\right. \right. \nonumber \\&\qquad \qquad \left. \left. \mathop {\hbox {Pr}}\limits _{\left( y,\overline{t} \right) \leftarrow \left( {Y_{\mathrm{In }}},{\overline{T}} \right) }\left[ \left( i,y,\overline{t} \right) \in \mathcal{{S}}_Y\right] :i\in [s]\right\} \right] \nonumber \\&< 4\gamma . \end{aligned}$$
(19)

\(\square \)

Proof of Claim 4.23

Let \(\lambda _1 = \lambda /\eta >0\), where \(\lambda \in (0,1)\) will be determined later. Since \(\Delta =\lambda \cdot \frac{\sqrt{s}}{\log s}\cdot \tau \), we have that \(s=\left( \frac{\Delta \cdot \log s}{\lambda \cdot \tau } \right) ^2=\left( \frac{\Delta \cdot \log s}{\lambda _1\cdot \tau \cdot \eta } \right) ^2\). Let \(z_1 = z_1(\lambda ,\alpha )\) be such that \(s\ge z_1\) implies \(\log s \ge \lambda _1\). By the above, we have that for every \(s \ge z_1\), it holds that \(s=\left( \frac{\Delta }{\tau \eta }\cdot \frac{\log s}{\lambda _1} \right) ^2\ge \left( \frac{\Delta }{\tau \eta } \right) ^2\). Hence, \(\log s\ge \log \left( \frac{\Delta }{\tau \eta } \right) ^2\ge \log \left( \frac{\Delta }{\tau \eta } \right) \). Recalling that \(r=6 \cdot \Delta /\tau \), it holds that \(\frac{\Delta }{\tau \eta }=\frac{r}{6\eta }\) and we obtain that

$$\begin{aligned} s&\ge \frac{1}{\lambda _1^2}\cdot \left( \frac{\Delta }{\tau \eta } \right) ^2\cdot \left( \log \left( \frac{\Delta }{\tau \eta } \right) \right) ^2\\&= \frac{1}{\lambda _1^2} \cdot \frac{r^2}{36\cdot \eta ^2}\cdot \left( \log \left( \frac{r}{6 \eta } \right) \right) ^2\nonumber \\&\ge \frac{1}{36 \cdot \lambda _1^2 } \cdot \frac{r^2}{\eta \beta }\cdot \left( \log \left( \frac{r}{6 \eta } \right) \right) ^2\nonumber \end{aligned}$$
(20)

for every \(s \ge z_1\), where the last inequality holds since, by inspection, \(\beta \ge \eta \) (recall that \(\beta = \log \left( 1+\eta ) \right) \)).

Let \(\lambda = \lambda (\alpha ,\nu ) \in (0,1)\) be such that \(\frac{1}{36 \cdot \lambda _1^2 } \ge 4c\). Let \(z_2 = z_2(\lambda ,\alpha )\) be such that \(s \ge z_2\) implies \(r \ge 36\cdot \eta ^2 \cdot \max \left\{ \frac{1}{\beta },\frac{3}{\tau }\right\} \), and let \(z = \max \left\{ z_1,z_2\right\} \). Fix \(s \ge z\). By the above, \(\left( \frac{r}{6\cdot \eta } \right) ^2 \ge \max \left\{ \frac{r}{\beta },\frac{r}{\tau /3}\right\} \), and therefore, \(2\cdot \log \left( \frac{r}{6 \eta } \right) \ge \max \left\{ \log \left( \frac{r}{\beta } \right) ,\log \left( \frac{r}{\tau /3} \right) \right\} \). Thus, Eq. (20) yields that

$$\begin{aligned} s&\ge 4\cdot c \cdot \frac{r^2}{\eta \beta }\cdot \left( \log \left( \frac{r}{6 \eta } \right) \right) ^2\\&\ge 4\cdot c\cdot \frac{r^2}{\eta \beta } \cdot \frac{1}{2}\cdot \log \left( \frac{r}{\beta } \right) \cdot \frac{1}{2}\cdot \log \left( \frac{r}{\tau /3} \right) \\&\ge c\cdot \frac{r^2}{\eta \beta } \cdot \log \left( \frac{r}{\beta } \right) \cdot \log \left( \frac{r}{\tau /3} \right) , \end{aligned}$$

concluding the claim’s proof.\(\square \)

Lower Bound for Oracle-Aided, Sampled-Input Protocols. We now use Definition 3.6 to give a variant of Theorem 4.21 for (sampled-input) oracle-aided protocols with an appropriate mapping to a no-oracle protocol. We start by showing that the existence of differentially private, oracle-aided, sampled-input protocols implies the existence of no-oracle, sampled-input protocols, incurring no loss in privacy and a minor loss in accuracy.

Lemma 4.24

Let \({\mathcal{F}}\) be a function family, let \(\pi \) be an oracle-aided, \(s\)-bit sampled-input protocol, and let \(g:{\{0,1\}}^{s}\times {\{0,1\}}^{s}\mapsto \mathbb {R}\) be a deterministic function. Assume that the pair \(({\mathcal{F}},\pi )\) has a \((T,\varepsilon )\)-\({\mathrm{mapping }}\), and assume that \(\pi \) is a \(\left( \beta ,d \right) \)-SI-approximation for \(g\) relative to \({\mathcal{F}}\) and party \({\mathsf {P}}\), and satisfies \(\left( T,\alpha ,\gamma \right) \)-differential privacy relative to \({\mathcal{F}}\). Then, the no-oracle, \(s\)-bit sampled-input protocol \({\widetilde{\pi }}=({\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}})\), guaranteed by the \((T,\varepsilon )\)-\({\mathrm{mapping }}\), is a \(\left( \beta +\varepsilon ,d \right) \)-SI-approximation for \(g\) with respect to party \({\mathsf {P}}\), and is \(\left( \alpha ,\gamma \right) \)-differentially private.

Furthermore, the sampled input of party \(\mathsf {A}\) (resp. \(\mathsf {B}\)) and the sampled input of party \({\widetilde{\mathsf {A}}}\) (resp. \({\widetilde{\mathsf {B}}}\)) are identically distributed.

Proof

Let \({\widetilde{\pi }}=({\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}})\) and \(\mathsf{Map}\) be the no-input, no-oracle protocol and oracle-aided algorithm guaranteed by Definition 3.6 with respect to \(\pi \) and \({\mathcal{F}}\). We first argue that \({\widetilde{\pi }}\) satisfies \(\left( \alpha ,\gamma \right) \)-differential privacy. Assume to the contrary that this is not the case. Specifically, assume without loss of generality that there exists a (no-oracle) adversary \(\tilde{\mathsf{D}}\), such that

$$\begin{aligned}&\Pr _{\tilde{v}\leftarrow \left\langle {\widetilde{\pi }} \right\rangle }\left[ \tilde{\mathsf{D}}\left( \mathsf{trans}\left( \tilde{v} \right) \right) =1\;|\;\mathrm{SInp }^{\widetilde{\mathsf {A}}}\left( \tilde{v} \right) =x\right] \nonumber \\&\quad > e^\alpha \cdot \Pr _{\tilde{v}\leftarrow \left\langle {\widetilde{\pi }} \right\rangle }\left[ \tilde{\mathsf{D}}\left( \mathsf{trans}\left( \tilde{v} \right) \right) =1\;|\;\mathrm{SInp }^{\widetilde{\mathsf {A}}}\left( \tilde{v} \right) =x'\right] + \gamma \end{aligned}$$
(21)

for some \(x, x'\in {\{0,1\}}^s\) with \(H_d\left( x,x' \right) =1\). Consider the adversary \(\mathsf{D}\) for \(\pi \) that on a given transcript \(\overline{t}\) (of an execution of \(\pi \) with access to \(f\)) applies \(\tilde{\mathsf{D}}\) to \(\mathsf{Map}^{f}\left( \overline{t} \right) \). We claim that

$$\begin{aligned}&\mathop {\hbox {Pr}}\limits _{f\leftarrow {\mathcal{F}},v\leftarrow \left\langle \pi ^f \right\rangle }\left[ \mathsf{D}^{f}\left( \mathsf{trans}\left( v \right) \right) =1\;|\;\mathrm{SInp }^\mathsf {A}\left( v \right) =x\right] \nonumber \\&\quad > e^\alpha \cdot \mathop {\hbox {Pr}}\limits _{f\leftarrow {\mathcal{F}},v\leftarrow \left\langle \pi ^f \right\rangle }\left[ \mathsf{D}^{f}\left( \mathsf{trans}\left( v \right) \right) =1\;|\;\mathrm{SInp }^\mathsf {A}\left( v \right) =x'\right] + \gamma \end{aligned}$$
(22)

To see that Eq. (22) holds, note that by the furthermore statement of the first item in Definition 3.6, the transcript together with the sampled input of \({\widetilde{\mathsf {A}}}\) in a random execution of \({\widetilde{\pi }}\) (i.e. \(\left( \mathsf{trans}\left( \tilde{v} \right) , \mathrm{SInp }^{\widetilde{\mathsf {A}}}\left( \tilde{v} \right) \right) \), where \(\tilde{v}\leftarrow \left\langle {\widetilde{\pi }} \right\rangle \)) is (jointly) identically distributed as the value of \(\mathsf{Map}\) applied to the transcript and the sampled input of \(\mathsf {A}\) in a random execution of \(\pi \) (i.e. \(\left( \mathsf{Map}^{f}\left( \mathsf{trans}\left( v \right) \right) ,\mathrm{SInp }^\mathsf {A}\left( v \right) \right) \), where \(v \leftarrow \left\langle \pi ^f \right\rangle \) for \(f\leftarrow {\mathcal{F}}\)). In addition, by Definition 3.6, \(\mathsf{D}\) makes at most \(T\) oracle calls. Hence, we obtain a contradiction to the \(\left( T,\alpha ,\gamma \right) \)-differential privacy of \(\pi \), yielding that the protocol \({\widetilde{\pi }}\) must be \(\left( \alpha ,\gamma \right) \)-differentially private.

We conclude the proof by showing that \({\widetilde{\pi }}\) is a good approximation for \(g\) with respect to any party \({\mathsf {P}}\in \left\{ {\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}}\right\} \). Specifically, we show that

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{ \tilde{v}\leftarrow \left\langle {\widetilde{\pi }} \right\rangle }\left[ \left|\mathrm{AOut }^{\mathsf {P}}\left( \tilde{v} \right) -g\left( \mathrm{SInp }^{{\widetilde{\mathsf {A}}}}\left( \tilde{v} \right) ,\mathrm{SInp }^{{\widetilde{\mathsf {B}}}}\left( \tilde{v} \right) \right) \right|\ge d\right] < \beta +\varepsilon . \end{aligned}$$
(23)

By the first item in Definition 3.6, we have that the (actual) joint outputs of the parties in a random execution of \(\pi \) are in statistical distance at most \(\varepsilon \) from the (actual) joint outputs of the parties in a random execution of \({\widetilde{\pi }}\). Formally, if we let \(\mathcal{D}_{{\widetilde{\pi }}} =\left( \mathrm{SInp }^{{\widetilde{\mathsf {A}}}}\left( \tilde{v} \right) ,\mathrm{SInp }^{{\widetilde{\mathsf {B}}}}\left( \tilde{v} \right) ,\mathrm{AOut }^{{\mathsf {P}}}\left( \tilde{v} \right) \right) _{\tilde{v}\leftarrow \left\langle {\widetilde{\pi }} \right\rangle }\) and \(\mathcal{D}_{\pi }= \big (\mathrm{SInp }^{\mathsf {A}}\left( {v} \right) ,\mathrm{SInp }^{\mathsf {B}}\left( {v} \right) ,\mathrm{AOut }^{{\mathsf {P}}}\left( {v} \right) \big )_{f\leftarrow {\mathcal{F}},v\leftarrow \left\langle \pi ^f \right\rangle }\), then we have that \(\mathrm{SD}\left( \mathcal{D}_{{\widetilde{\pi }}},\mathcal{D}_{\pi } \right) \le \varepsilon \). Hence, Eq. (23) follows from the accuracy of \(\pi \), i.e. since we have that

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{f\leftarrow {\mathcal{F}}, v\leftarrow \left\langle \pi ^f \right\rangle }\left[ \left|\mathrm{AOut }^{\mathsf {P}}\left( v \right) -g\left( \mathrm{SInp }^{\mathsf {A}}\left( v \right) ,\mathrm{SInp }^{\mathsf {B}}\left( v \right) \right) \right|\ge d\right] < \beta \end{aligned}$$
(24)

To verify this, let \(\mathcal{{S}}=\left\{ (x,y,w)\in \mathrm{Supp }{\mathcal{D}_{{\widetilde{\pi }}}}:\left|g(x,y)-w \right|\ge d\right\} \) and observe that the probability of falling into \(S\) according to \(\mathcal{D}_{{\widetilde{\pi }}}\) can be larger than the probability of falling into \(S\) according to \(\mathcal{D}_{\pi }\) (which is bounded by \(\beta \)), by at most the statistical distance between \(\mathcal{D}_{{\widetilde{\pi }}}\) and \(\mathcal{D}_{\pi }\).

The furthermore statement follows from the furthermore statement of the first item in Definition 3.6.\(\square \)

We now combine Lemma 4.24 and Theorem 4.21 to prove a lower bound on the accuracy of oracle-aided, sampled-input protocols that are differentially private.

Proposition 4.25

For numbers \(\nu >0\) and \(\alpha \ge 0\), there exist numbers \(\lambda >0\) and \(z\in {\mathbb {N}}\) such that the following holds. Let \({\mathcal{F}}\) be a function family, let \(s \ge z\) and let \(\pi = (\mathsf {A},\mathsf {B})\) be an oracle-aided, \(s\)-bit sample-input protocol. For \(f\in {\mathcal{F}}\), let \({X^f_{\mathrm{In }}}\) and \({Y^f_{\mathrm{In }}}\) be the sampled inputs of \(\mathsf {A}\) and \(\mathsf {B}\), respectively, and let \({X^f_{\mathrm{out }}}\) and \({Y^f_{\mathrm{out }}}\) be the actual outputs of \(\mathsf {A}\) and \(\mathsf {B}\), respectively, induced by a random execution of \(\pi ^f\).

Assume that both \({X^f_{\mathrm{In }}}\) and \({Y^f_{\mathrm{In }}}\) are uniformly distributed over \({\{0,1\}}^s\) for every \(f\in {\mathcal{F}}\), that \(\pi \) is \(\left( T,\alpha ,\gamma \right) \)-differentially private relative to \({\mathcal{F}}\) and that the pair \(({\mathcal{F}},\pi )\) has a \(\left( T,\varepsilon \right) \)-\({\mathrm{mapping }}\), then for some \(f\in {\mathcal{F}}\), it holds that

$$\begin{aligned} \Pr \left[ \left| {Y^f_{\mathrm{out }}}- \mathsf{IP}({X^f_{\mathrm{In }}},{Y^f_{\mathrm{In }}})\right| \le \Delta :{=}\lambda \cdot \frac{\sqrt{s}}{\log s}\cdot \left( \tau -\varepsilon \right) \right] \le \tau \end{aligned}$$

for every \(1\ge \tau \) with \(\tau -\varepsilon \ge \max \left\{ 48s\gamma ,\nu \right\} \). The same holds for \({X^f_{\mathrm{out }}}\).

Proof

Given values for \(\nu \) and \(\alpha \) set \(\lambda \) and \(z\) to be as in Theorem 4.21. Let \({\mathcal{F}}\) and \(\pi \) be as in the statement of the proposition. Since \(\pi \) is assumed to be \(\left( T,\alpha ,\gamma \right) \)-differentially private relative to \({\mathcal{F}}\), and since the pair \(({\mathcal{F}},\pi )\) is assumed to have a \(\left( T,\varepsilon \right) \)-\({\mathrm{mapping }}\), it follows from Lemma 4.24 that the no-oracle, sampled-input protocol \({\widetilde{\pi }}\) (guaranteed by this \({\mathrm{mapping }}\)) is \(\left( \alpha ,\gamma \right) \)-differentially private.

Since \({X_{\mathrm{In }}}\) and \({Y_{\mathrm{In }}}\) are uniformly distributed over \({\{0,1\}}^s\), it follows from the furthermore statement of Lemma 4.24 that the same holds for the sampled inputs of both parties in \({\widetilde{\pi }}\). Hence, Theorem 4.21 yields that for \(s \ge z\) and \(\tau \) such that \(\tau ':{=}\tau -\varepsilon \ge \max \left\{ 48s\gamma ,\nu \right\} \), it holds that \({\widetilde{\pi }}\) is not a \(\left( 1-\tau ',\Delta \right) \)-SI-approximation for \(\Delta =\lambda \cdot \frac{\sqrt{s}}{\log s}\cdot \tau '\). By Lemma 4.24, \(\pi \) is not a \(\left( 1-\tau '-\varepsilon ,\Delta \right) \)-SI-approximation, namely \(\Pr \left[ \left| {Y_{\mathrm{out }}}- \mathsf{IP}({X_{\mathrm{In }}},{Y_{\mathrm{In }}})\right| \le \Delta \right] \le \tau '+\varepsilon =\tau \).\(\square \)

4.2.4 Limits on Uniform-Input Executions

The focus of this section is on executions of differentially private protocols, where the inputs of the parties are chosen uniformly at random. Towards proving a lower bound on the accuracy of approximating the inner-product function in such executions, we map a uniform-input execution of a with-input protocol to the sampled-input variant of this protocol (as defined in Definition 4.15). Roughly speaking, in the sampled-input variant of a protocol, the parties sample their inputs at random at the beginning of an execution.

We next define what it means for a protocol to approximate a function with good probability when the inputs of the parties are uniformly selected.

Definition 4.26

(Good random approximations) Let \(g:{\{0,1\}}^{s}\times {\{0,1\}}^{s}\mapsto \mathbb {R}\) be a deterministic function, and let \(\pi = (\mathsf {A},\mathsf {B})\) be an oracle-aided, \(s\)-bit input protocol. Protocol \(\pi \) is a \(\left( \beta ,d \right) \)-random approximation for \(g\) relative to function family \({\mathcal{F}}\) and \({\mathsf {P}}\in \left\{ \mathsf {A},\mathsf {B}\right\} \), if for every \(f\in {\mathcal{F}}\), it holds that

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{x,y\leftarrow {\{0,1\}}^s, v\leftarrow \left\langle \pi ^f\left( x,y \right) \right\rangle }\left[ \left|{\mathrm{out }}^{\mathsf {P}}\left( v \right) -g\left( x,y \right) \right|> d\right] < \beta . \end{aligned}$$
(25)

Protocol \(\pi \) is a \(\left( \beta ,d \right) \)-random approximation for \(g\) relative to \({\mathcal{F}}\), if it is a \(\left( \beta ,d \right) \)-random approximation for \(g\) relative to \({\mathcal{F}}\) and both parties.

The following observation allows us to use the lower bound stated in Lemma 4.24, to derive a similar bound for with-input protocols, when the inputs of the parties are chosen uniformly at random.

Lemma 4.27

Let \(g:{\{0,1\}}^{s}\times {\{0,1\}}^{s}\mapsto \mathbb {R}\) be a deterministic function and let \({\mathcal{F}}\) be some oracle family. Assume that there exists an oracle-aided, \(s\)-bit input protocol \(\pi = (\mathsf {A},\mathsf {B})\) that is a \(\left( \beta ,d \right) \)-random approximation for \(g\) relative to \({\mathcal{F}}\) and party \({\mathsf {P}}\), and is \(\left( k,\alpha ,\gamma \right) \)-differential privacy relative to \({\mathcal{F}}\). Then, \(\mu \left( \pi \right) \) is a \(\left( \beta ,d \right) \)-SI-approximation for \(g\) relative to \({\mathcal{F}}\) and \({\mathsf {P}}\), and \(\left( k,\alpha ,\gamma \right) \)-differentially private relative to \({\mathcal{F}}\).

Proof

Immediate by definition.\(\square \)

Combining Proposition 4.25 and Lemma 4.27 yields the following result.

Proposition 4.28

For numbers \(\nu >0\) and \(\alpha \ge 0\), there exist numbers \(\lambda >0\) and \(z\in {\mathbb {N}}\) such that the following holds. Let \({\mathcal{F}}\) be a function family, let \(s \ge z\) and let \(\pi = (\mathsf {A},\mathsf {B})\) be an oracle-aided, \(s\)-bit input protocol. For \(f\in {\mathcal{F}}\), let \({X^f_{\mathrm{In }}}\) and \({Y^f_{\mathrm{In }}}\) be the inputs of \(\mathsf {A}\) and \(\mathsf {B}\), respectively, and let \({X^f_{\mathrm{out }}}\) and \({Y_{\mathrm{out }}}^f\) be the outputs of \(\mathsf {A}\) and \(\mathsf {B}\), respectively, induced by a random execution of \(\pi ^f\).

Assume that both \({X^f_{\mathrm{In }}}\) and \({Y^f_{\mathrm{In }}}\) are independently and uniformly chosen from \({\{0,1\}}^s\) for every \(f\in {\mathcal{F}}\), that \(\pi \) is \(\left( T,\alpha ,\gamma \right) \)-differentially private relative to \({\mathcal{F}}\) and that the pair \(({\mathcal{F}},\mu \left( \pi \right) )\) has a \(\left( T,\varepsilon \right) \)-\({\mathrm{mapping }}\) (where \(\mu \left( \pi \right) \) is sampled-input variant of \(\pi \)). Then, for some \(f\in {\mathcal{F}}\), it holds that

$$\begin{aligned} \Pr \left[ \left| {Y_{\mathrm{out }}}^f- \mathsf{IP}({X^f_{\mathrm{In }}},{Y^f_{\mathrm{In }}})\right| \le \Delta :{=}\lambda \cdot \frac{\sqrt{s}}{\log s}\cdot \left( \tau -\varepsilon \right) \right] \le \tau \end{aligned}$$

for every \(1\ge \tau \) with \(\tau -\varepsilon \ge \max \left\{ 48s\gamma ,\nu \right\} \). The same holds for \({X^f_{\mathrm{out }}}\).

Proof

Given values for \(\nu \) and \(\alpha \), set \(\lambda \) and \(z\) to be as in Proposition 4.25. Let \({\mathcal{F}}\) and \(\pi \) be as in the statement of the proposition. Let \(\mu \left( \pi \right) \) be the (oracle-aided) sampled-input variant of \(\pi \) (see Definition 4.15). By construction, the sampled inputs of both parties in \(\mu \left( \pi \right) \) are uniformly distributed. Since \(\pi \) is assumed to be \(\left( T,\alpha ,\gamma \right) \)-differentially private relative to \({\mathcal{F}}\), it follows by Lemma 4.27 that \(\mu \left( \pi \right) \) is also \(\left( T,\alpha ,\gamma \right) \)-differentially private relative to \({\mathcal{F}}\). Since the pair \(({\mathcal{F}},\mu \left( \pi \right) )\) is assumed to have a \(\left( T,\varepsilon \right) \)-\({\mathrm{mapping }}\), it follows from Proposition 4.25 that for \(s \ge z\) and \(\tau \) such that \(\tau ':{=}\tau -\varepsilon \ge \max \left\{ 48s\gamma ,\nu \right\} \), the protocol \(\mu \left( \pi \right) \) is not a \(\left( 1-\tau ,\Delta \right) \)-SI-approximation for \(\Delta =\lambda \cdot \frac{\sqrt{s}}{\log s}\cdot \tau '\). Hence, by Lemma 4.27, \(\pi \) is not a \(\left( 1-\tau ,\Delta \right) \)-random approximation, namely \( \Pr \left[ \left| {Y_{\mathrm{out }}}- \mathsf{IP}({X_{\mathrm{In }}},{Y_{\mathrm{In }}})\right| \le \Delta \right] \le \tau \).\(\square \)

4.2.5 Limits on Arbitrary Protocols: Proving Theorem 4.16

The results presented in the previous section yield the lower bounds of Sect. 4.2.2 in a straightforward manner. That is, the lower bound on the accuracy of differentially private protocols, with respect to executions where inputs are selected uniformly at random, easily implies a similar lower bound for arbitrary executions of such protocols. Intuitively, this is because if a protocol errs with probability \(\beta \) on uniform inputs, then there must be a specific choice of inputs for the parties on which the protocol errs with probability at least \(\beta \).

Proof of Theorem 4.16

Immediate, by taking \(x\) and \(y\) that maximize the probability in Eq. (12), and using Proposition 4.28 to bound this probability from below.\(\square \)

4.3 Secure Sampling

In this section, we apply our main result to show that when given access to a random member of a simple function family (e.g. the all-function family), no-oracle-aided protocol can securely sample a distribution \(G\) that cannot be (almost) securely sampled by a no-oracle protocol.

In semi-honest no-input secure sampling, two parties with no-private inputs wish to compute some (possibly randomized) functionality privately and correctly. Let \(G = (G_\mathsf {A},G_\mathsf {B})\) be a distribution over \(\mathcal {A}\times \mathcal {B}\), where \(G_\mathsf {A}\) and \(G_\mathsf {B}\) denote its marginal distributions over \(\mathcal {A}\) and \(\mathcal {B}\), respectively. The parties \(\mathsf {A}\) and \(\mathsf {B}\) wish to perform a computation, where party \(\mathsf {A}\) learns \(g_\mathcal {A}\) and party \(\mathsf {B}\) learns \(g_\mathcal {B}\) for \(g = (g_\mathcal {A},g_\mathcal {B}) \leftarrow G\), but nothing else. Since the parties are semi-honest, they will always follow the prescribed protocol. A corrupted party, however, may try to use its view in the computation to infer additional information after the computation terminates.

4.3.1 Standard Definitions

Definition 4.29

(No-input secure sampling) Let \(\mathcal {A}\) and \(\mathcal {B}\) be sets, and let \(G = (G_\mathsf {A},G_\mathsf {B})\) be a distribution over \(\mathcal {A}\times \mathcal {B}\), where \(G_\mathsf {A}\) and \(G_\mathsf {B}\) denote its marginal distributions over \(\mathcal {A}\) and \(\mathcal {B}\), respectively. A two-party oracle-aided protocol \(\pi =\left( \mathsf {A},\mathsf {B} \right) \) is a \((k,\delta )\)-secure protocol for \(G\) relative to a function family \({\mathcal{F}}\), if the following conditions hold.

Correctness::

\(\pi \) is a \(\delta \)-correct implementation of \(G\) relative to \({\mathcal{F}}\). That is

$$\begin{aligned} \mathrm{SD}\left( \left( {\mathrm{out }}^{\mathsf {A}}\left( v \right) ,{\mathrm{out }}^{\mathsf {B}}\left( v \right) \right) _{v\leftarrow \left\langle \pi ^f \right\rangle },G\right) \le \delta \end{aligned}$$

for every \(f\in {\mathcal{F}}\).

Privacy::

\(\pi \) is a \(\left( k,\delta \right) \)-private implementation of \(G\) relative to \({\mathcal{F}}\): for every \(P\in \left\{ \mathsf {A},\mathsf {B}\right\} \), there exists an oracle-aided algorithm (simulator) \(\mathrm{Sim }_{\mathsf {P}}\) such that:

$$\begin{aligned}&\mathop {\hbox {E}}\limits _{f\leftarrow {\mathcal{F}}}\left[ \left| \Pr \left[ \mathsf{D}^{f}\left( \left( \mathrm{Sim }_{{\mathsf {P}}}^{f}\left( g_{\mathsf {P}} \right) ,g_\mathsf {A},g_\mathsf {B} \right) _{\left( g_\mathsf {A},g_\mathsf {B} \right) \leftarrow G_\mathsf {A}} \right) =1\right] \right. \right. \\&\left. \left. \quad -\Pr \left[ \mathsf{D}^{f}\left( \left( v_{\mathsf {P}}, {\mathrm{out }}^\mathsf {A}\left( v \right) ,{\mathrm{out }}^\mathsf {B}\left( v \right) \right) _{v\leftarrow \left\langle \pi ^f \right\rangle } \right) =1\right] \right| \right] \le \delta , \end{aligned}$$

for any \(k\)-query distinguisher \(\mathsf{D}\).Footnote 19

A protocol \(\pi \) is a \(\delta \)-secure (no-oracle) implementation of \(G\), if it is a \(\left( 0,\delta \right) \)-secure implementation of \(G\) relative to the trivial function family—the function family whose only member returns \(\perp \) on every query. A distribution \(G\) is \(\delta \)-trivial, if \(G\) has a \(\delta \)-secure no-oracle implementation.

Remark 4.30

(privacy for no-oracle protocols, alternative definition). The success probability of the “best” distinguisher in the information-theoretic model is defined by the statistical distance between the output of a real execution: \({\mathsf {P}}\)’s view and the parties local outputs, and the output of the simulation: the simulator’s output and the sample from the distribution.

Furthermore, in the information-theoretic model, it suffices to assume that a party’s view contains only the communication transcript (i.e. without its random coins). This is because conditioned on the transcript, the parties’ views are in a product distribution, and thus, the party’s view is a function of the transcript and its local output.

The following is an alternative (and by the above, equivalent) definition for \(\delta \)-privacy of (no-oracle) protocols in the information-theoretic model: a protocol \({\widetilde{\pi }}= \left( {\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}} \right) \) is a \(\delta \)-private implementation of a distribution \(G\) if for every \(P\in \left\{ {\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}}\right\} \) there exists an algorithm (simulator) \(\widetilde{\mathrm{Sim }}_{\widetilde{{\mathsf {P}}}}\) such that,

$$\begin{aligned} \mathrm{SD}\left( \left( \widetilde{\mathrm{Sim }}_{{\widetilde{{\mathsf {P}}}}}\left( g_{\mathsf {P}} \right) ,g_\mathsf {A},g_\mathsf {B} \right) _{\left( g_\mathsf {A},g_\mathsf {B} \right) \leftarrow G},\left( \mathsf{trans}\left( v \right) ,{\mathrm{out }}^\mathsf {A}\left( v \right) ,{\mathrm{out }}^\mathsf {B}\left( v \right) \right) _{v\leftarrow \left\langle {\widetilde{\pi }} \right\rangle } \right) \le \delta . \end{aligned}$$

4.3.2 Limits on Oracle-Aided Secure Sampling

In the language of the above definitions, the main result of this section is stated as follows.

Theorem 4.31

Let \({\mathcal{F}}\) be a function family, and let \(\pi \) be an oracle-aided protocol that is a \((T,\delta )\)-secure oracle-aided implementation of a distribution \(G\) with respect to \({\mathcal{F}}\). Assume that \(({\mathcal{F}},\pi )\) has a \((T,\delta ')\)-\({\mathrm{mapping }}\), then \(G\) is \((\delta + \delta ')\)-trivial.

Proof

Let \({\mathcal{F}}\) and \(\pi \) be as above and let \({\widetilde{\pi }}=({\widetilde{\mathsf {A}}},{\widetilde{\mathsf {B}}})\) and \(\mathsf{Map}\) be the \((T,\delta ')\)-\({\mathrm{mapping }}\) for \(({\mathcal{F}},\pi )\), we will prove that \({\widetilde{\pi }}\) is a (no oracle) \((\delta + \delta ')\)-secure implementation of \(G\). Since \(({\widetilde{\pi }},\mathsf{Map})\) is a \((T,\delta ')\)-\({\mathrm{mapping }}\), it follows (see Definition 3.6:1) that

$$\begin{aligned}&\mathrm{SD}\left( ({\mathrm{out }}^{\widetilde{\mathsf {A}}}\left( v \right) ,{\mathrm{out }}^{\widetilde{\mathsf {B}}}\left( v \right) ,\mathsf{trans}(v))_{v\leftarrow \left\langle {\widetilde{\pi }} \right\rangle },({\mathrm{out }}^\mathsf {A}\left( v \right) ,{\mathrm{out }}^\mathsf {B}\left( v \right) ,\right. \nonumber \\&\left. \quad \mathsf{Map}^{f}(\mathsf{trans}(v)))_{f\leftarrow {\mathcal{F}}, v\leftarrow \left\langle \pi ^f \right\rangle }\right) \le \delta ' \end{aligned}$$
(26)

Hence, the \(\delta \)-correctness of \(\pi \) yields that

$$\begin{aligned} \mathrm{SD}\left( ({\mathrm{out }}^{\widetilde{\mathsf {A}}}\left( v \right) ,{\mathrm{out }}^{\widetilde{\mathsf {B}}}\left( v \right) )_{v\leftarrow \left\langle {\widetilde{\pi }} \right\rangle },G\right) \le \delta +\delta ', \end{aligned}$$

and thus, \({\widetilde{\pi }}\) is \((\delta + \delta ')\)-correct implementation of \(G\).

For the privacy property, we construct a no-oracle simulator \(\widetilde{\mathrm{Sim }}_{\widetilde{\mathsf {A}}}\) for party \({\widetilde{\mathsf {A}}}\) (a simulator \({\widetilde{\mathsf {B}}}\) can be constructed analogously). Let \(\mathrm{Sim }_\mathsf {A}\) be the oracle-aided simulator guaranteed to exist for \(\pi \) and \(\mathsf {A}\). Fix a \(T\)-query distinguisher \(\mathsf{D}\). The assumption that \(\mathrm{Sim }_\mathsf {A}\) is a good simulator yields that

$$\begin{aligned}&\mathop {\hbox {E}}\limits _{f\leftarrow {\mathcal{F}}}\left[ \left| \Pr \left[ \mathsf{D}^{f}\left( \left( \mathrm{Sim }_{\mathsf {A}}^{f}\left( g_\mathsf {A} \right) ,g_\mathsf {A},g_\mathsf {B} \right) _{\left( g_\mathsf {A},g_\mathsf {B} \right) \leftarrow G_\mathsf {A}} \right) =1\right] \right. \right. \\&\left. \left. \quad -\Pr \left[ \mathsf{D}^{f}\left( \left( v_\mathsf {A}, {\mathrm{out }}^\mathsf {A}\left( v \right) ,{\mathrm{out }}^\mathsf {B}\left( v \right) \right) _{v\leftarrow \left\langle \pi ^f \right\rangle } \right) =1\right] \right| \right] \le \delta , \end{aligned}$$

and therefore,

$$\begin{aligned}&\sum _{f\in {\mathcal{F}}}\Pr \left[ f\right] \cdot \left| \Pr \left[ \mathsf{D}^{f}\left( \left( \mathrm{Sim }_{\mathsf {A}}^{f}\left( g_\mathsf {A} \right) ,g_\mathsf {A},g_\mathsf {B} \right) _{\left( g_\mathsf {A},g_\mathsf {B} \right) \leftarrow G_\mathsf {A}} \right) =1\right] \right. \\&\left. \quad -\Pr \left[ \mathsf{D}^{f}\left( \left( v_\mathsf {A},{\mathrm{out }}^\mathsf {A}\left( v \right) ,{\mathrm{out }}^\mathsf {B}\left( v \right) \right) _{v\leftarrow \left\langle \pi ^f \right\rangle } \right) =1\right] \right| \le \delta . \end{aligned}$$

By the triangle inequality

$$\begin{aligned}&\sum _{f\in {\mathcal{F}}}\Pr \left[ f\right] \cdot \left| \Pr \left[ \mathsf{D}^{f}\left( \left( \mathrm{Sim }_{\mathsf {A}}^{f}\left( g_\mathsf {A} \right) ,g_\mathsf {A},g_\mathsf {B} \right) _{\left( g_\mathsf {A},g_\mathsf {B} \right) \leftarrow G_\mathsf {A}} \right) =1\right] \right. \\&\left. \quad -\Pr \left[ \mathsf{D}^{f}\left( \left( v_\mathsf {A}, {\mathrm{out }}^\mathsf {A}\left( v \right) ,{\mathrm{out }}^\mathsf {B}\left( v \right) \right) _{v\leftarrow \left\langle \pi ^f \right\rangle } \right) =1\right] \right| \\&\quad \ge \left| \sum _{f\in {\mathcal{F}}}\Pr [f]\cdot \left( \Pr \left[ \mathsf{D}^{f}\left( \left( \mathrm{Sim }_{\mathsf {A}}^{f}\left( g_\mathsf {A} \right) ,g_\mathsf {A},g_\mathsf {B} \right) _{\left( g_\mathsf {A},g_\mathsf {B} \right) \leftarrow G_\mathsf {A}} \right) =1\right] \right. \right. \\&\qquad \quad \left. \left. -\Pr \left[ \mathsf{D}^{f}\left( \left( v_\mathsf {A}, {\mathrm{out }}^\mathsf {A}\left( v \right) ,{\mathrm{out }}^\mathsf {B}\left( v \right) \right) _{v\leftarrow \left\langle \pi ^f \right\rangle } \right) =1\right] \right) \right| \end{aligned}$$

and we conclude that

$$\begin{aligned}&\left| \mathop {\hbox {Pr}}\limits _{f\leftarrow {\mathcal{F}},\left( g_\mathsf {A},g_\mathsf {B} \right) \leftarrow G_\mathsf {A}}\left[ \mathsf{D}^{f}\left( \left( \mathrm{Sim }_{\mathsf {A}}^{f}\left( g_\mathsf {A} \right) ,g_\mathsf {A},g_\mathsf {B} \right) \right) =1\right] \right. \nonumber \\&\left. \quad -\mathop {\hbox {Pr}}\limits _{f\leftarrow {\mathcal{F}},v\leftarrow \left\langle \pi ^f \right\rangle }\left[ \mathsf{D}^{f}\left( \left( v_\mathsf {A}, {\mathrm{out }}^\mathsf {A}\left( v \right) ,{\mathrm{out }}^\mathsf {B}\left( v \right) \right) \right) =1\right] \right| \le \delta \end{aligned}$$
(27)

Recalling that \(\mathsf{Map}\) makes at most \(T\)-queries, Eq. (27) yields that

$$\begin{aligned}&\mathrm{SD}\left( \left( \mathsf{Map}^{f}\left( \mathsf{trans}\left( \mathrm{Sim }^{f}_{\mathsf {A}}\left( g_\mathsf {A} \right) \right) \right) ,g_\mathsf {A},g_\mathsf {B} \right) _{f\leftarrow {\mathcal{F}},\left( g_\mathsf {A},g_\mathsf {B} \right) \leftarrow G},\right. \nonumber \\&\quad \left. \left( \mathsf{Map}^{f}\left( \mathsf{trans}\left( v \right) \right) ,{\mathrm{out }}^\mathsf {A}\left( v \right) ,{\mathrm{out }}^\mathsf {B}\left( v \right) \right) _{f\leftarrow {\mathcal{F}},v\leftarrow \left\langle \pi ^{f} \right\rangle }\right) \le \delta \end{aligned}$$
(28)

\(\square \)

The no-oracle simulator \(\widetilde{\mathrm{Sim }}_{\widetilde{\mathsf {A}}}\) is defined as follows.

Algorithm 4.32

(\(\widetilde{\mathrm{Sim }}_{\widetilde{\mathsf {A}}}\)).

  1. Input:

    \(g_\mathsf {A}\in \mathrm{Supp }\left( G_\mathsf {A} \right) \)

Operation:

  1. 1.

    Let \(f\leftarrow {\mathcal{F}}\) and let \(v_\mathsf {A}\leftarrow \mathrm{Sim }_\mathsf {A}^f(g_\mathsf {A})\).

  2. 2.

    Output \(\mathsf{Map}^f\left( \mathsf{trans}\left( v_\mathsf {A} \right) \right) \).

Note that

$$\begin{aligned}&\left( \mathsf{Map}^{f}\left( \mathsf{trans}\left( \mathrm{Sim }^{f}_{\mathsf {A}}\left( g_\mathsf {A} \right) \right) \right) ,g_\mathsf {A},g_\mathsf {B} \right) _{f\leftarrow {\mathcal{F}},\left( g_\mathsf {A},g_\mathsf {B} \right) \leftarrow G} \\&\quad \equiv \left( \widetilde{\mathrm{Sim }}_{\widetilde{\mathsf {A}}}\left( g_\mathsf {A} \right) ,g_\mathsf {A},g_\mathsf {B} \right) _{\left( g_\mathsf {A},g_\mathsf {B} \right) \leftarrow G}, \end{aligned}$$

and that by Eq. (26)

$$\begin{aligned}&\mathrm{SD}\left( \left( \mathsf{Map}^{f}\left( \mathsf{trans}\left( v \right) \right) ,{\mathrm{out }}^\mathsf {A}\left( v \right) ,{\mathrm{out }}^\mathsf {B}\left( v \right) \right) _{f\leftarrow {\mathcal{F}},v\leftarrow \left\langle \pi ^{f} \right\rangle },\right. \\&\left. \quad \left( \mathsf{trans}(v),{\mathrm{out }}^{\widetilde{\mathsf {A}}}\left( v \right) ,{\mathrm{out }}^{\widetilde{\mathsf {B}}}\left( v \right) \right) _{v\leftarrow \left\langle {\widetilde{\pi }} \right\rangle }\right) \le \delta '. \end{aligned}$$

We conclude that

$$\begin{aligned}&\mathrm{SD}\left( \left( \widetilde{\mathrm{Sim }}_{{\widetilde{\mathsf {A}}}}\left( g_\mathsf {A} \right) ,g_\mathsf {A},g_\mathsf {B} \right) _{\left( g_\mathsf {A},g_\mathsf {B} \right) \leftarrow G},\left( \mathsf{trans}(v),{\mathrm{out }}^{\widetilde{\mathsf {A}}}\left( v \right) ,{\mathrm{out }}^{\widetilde{\mathsf {B}}}\left( v \right) \right) _{v\leftarrow \left\langle {\widetilde{\pi }} \right\rangle } \right) \\&\quad \le \mathrm{SD}\left( \left( \mathsf{Map}^{f}\left( \mathsf{trans}\left( \mathrm{Sim }^{f}_{\mathsf {A}}\left( g_\mathsf {A} \right) \right) \right) ,g_\mathsf {A},g_\mathsf {B} \right) _{f\leftarrow {\mathcal{F}},\left( g_\mathsf {A},g_\mathsf {B} \right) \leftarrow G},\right. \\&\qquad \left. \left( \mathsf{Map}^{f}\left( \mathsf{trans}\left( v \right) \right) ,{\mathrm{out }}^\mathsf {A}\left( v \right) ,{\mathrm{out }}^\mathsf {B}\left( v \right) \right) _{f\leftarrow {\mathcal{F}},v\leftarrow \left\langle \pi ^{f} \right\rangle }\right) +\delta '\\&\quad \le \delta +\delta '. \end{aligned}$$

The first inequality is by the above two equations and the triangle inequality, and last one by Eq. (28). It follows, see Remark 4.30, that \({\widetilde{\pi }}\) is \((\delta + \delta ')\)-private.

Combining Theorems 4.31 and 3.7 yields the following result.

Theorem 4.33

Let \({\mathcal{F}}\) be a simple function family. Let \(k,\ell \in {\mathbb {N}}\), let \(\delta \in [0,1]\) be such that \(k \ge 2^{10}\cdot \left( \frac{\ell }{\delta }\right) ^2\), and let \(G\) be a non \(2\delta \)-trivial distribution. Then, \(G\) has no \(\ell \)-query, \((k,\delta )\)-secure oracle-aided implementation relative to \({\mathcal{F}}\).

Proof

Let \(\pi \) be an \(\ell \)-query oracle-aided protocol. Theorem 3.7 yields that \(({\mathcal{F}},\pi )\) has a \(\left( T,\delta \right) \)-\({\mathrm{mapping }}\) for \(T=2^{10}\cdot \left( \frac{\ell }{\delta } \right) ^2\). Assume that \(\pi \) is a \((T,\delta )\)-secure oracle-aided implementation of \(G\) relative to \({\mathcal{F}}\), then Theorem 4.31 would yield that \(G\) is \(2\delta \)-trivial. Hence, \(G\) has no \(\ell \)-query \((k,\delta )\)-secure implementation relative to \({\mathcal{F}}\).\(\square \)

4.4 Applications to the All-Function Family and Black-Box Reductions to One-way Functions

In this section, we use Theorem 3.7 to derive limits on possible implementations relative to the all-function family (i.e. the set of “random functions”). We then use the above and the fact that a random element of the all-function family is hard to invert, to give limits on fully black-box reductions to one-way functions.

4.4.1 Standard Definitions and Known Facts

One-way functions and the all-function family. An efficiently computable function is one-way, if it is hard to invert on a random output.

Definition 4.34

(One-way functions) A polynomially time computable function \(f:{\{0,1\}}^*\mapsto {\{0,1\}}^*\) is one-way, if

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{x\leftarrow {{\{0,1\}}^n}}[\mathsf {A}(1^n,f(x)) \in f^{-1}(f(x))] = \mathrm{neg }(n) \end{aligned}$$

for any ppt \(\mathsf {A}\).

We define the all-function family over a given input length, as the set of all length-preserving functions over this input length.

Definition 4.35

(The all-function family) For \(n\in {\mathbb {N}}\), let \({{\mathcal{F}}_\mathrm{{AF}}}_n\) be the family of all functions from \(n\)-bit strings to \(n\)-bit strings.

The following fact is immediate.

Fact 4.36

For every \(n\in {\mathbb {N}}\), the family \({{\mathcal{F}}_\mathrm{{AF}}}_n\) is simple.

It is well known (cf., [12, 18]) that random members of the all-function family are “one way”. Specifically, we use the following fact.

Fact 4.37

For any \((2^{n/3}-1)\)-query oracle-aided algorithm \(\mathsf {A}\), it holds that

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{f\leftarrow {{\mathcal{F}}_\mathrm{{AF}}}_n}\left[ \Pr _{x\leftarrow {{\{0,1\}}^n}}[\mathsf {A}^f(f(x)) \in f^{-1}(f(x))] > 2^{-n/3}\right] \le 2^{-n/3}. \end{aligned}$$

Proof

It is easy to verify that

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{f\leftarrow {{\mathcal{F}}_\mathrm{{AF}}}_n,;x\leftarrow {{\{0,1\}}^n}}\left[ \mathsf {A}^f(f(x)) \in f^{-1}(f(x))\right] \le 2^{n/3}/2^{-n} =2^{-2n/3}, \end{aligned}$$

and the proof follows by a straightforward averaging argument.\(\square \)

Black-box reductions. Loosely speaking, a fully black-box reduction from a primitive \(Q\) (e.g. key-agreement protocol) to a primitive \(P\) (e.g. one-way function ) is: (1) a construction of \(Q\) out of \(P\) that “ignores” the structure of the implementation of \(P\) (i.e. uses it as a “black box”), and (2) a generic reduction from the security of \(P\) to that of \(Q\). In more details, such a reduction consists of a pair of pptm \((\mathsf{Q},\mathsf{R})\) such that the following holds. (1) for every correct implementation \({\mathsf {P}}\) of \(P\), it holds that \(\mathsf{Q}^{\mathsf {P}}\) is a correct implementation of \(Q\), and (2) for every adversary \(\mathsf {A}\) that breaks (the security of) \(\mathsf{Q}^{\mathsf {P}}\), it holds that \(\mathsf{R}^{{\mathsf {P}},\mathsf {A}}\) breaks \({\mathsf {P}}\). See [26] for a more formal discussion.

Cryptographic primitives are typically parameterized by the so-called security parameter, which determines their security and functionality (e.g. the key length of the key-agreement protocol). For such primitives, we consider a restricted form of black-box reductions that requires the reduction, and in particular, the security proof \(\mathsf{R}\), to work for every choice of the security parameter \(n\), e.g. an algorithm that guesses the agreed key of the key-agrement protocol “too well” on security parameter \(n\), can be used by the reduction to invert the one-way function on inputs of length \(n\). See Definitions 4.38 and 4.40 for concrete examples.Footnote 20

4.4.2 Key-Agreement Protocols

Following Definition 4.1 and the discussion in Sect. 4.4.1, we define fully black-box reduction from key-agreement protocols to one-way functions as follows.

Definition 4.38

(Gully black-box reduction from key agreement to one-way functions) A pptm triplet \((\mathsf {A},\mathsf {B},\mathsf{R})\) is a fully black-box reduction from an \(\left( \alpha ,\gamma \right) \)-key-agreement protocol to one-way functions, if the following holds for every \(n\in {\mathbb {N}}\).

  1. 1.

    \((\mathsf {A},\mathsf {B})\) is \((1-\alpha (n))\)-consistent with respect to \({{\mathcal{F}}_\mathrm{{AF}}}_n\) according to Definition 4.1.

  2. 2.

    For every function \(f\) over \({{\{0,1\}}^n}\), algorithm \(\mathsf{D}\) and \(\delta >0\) such that \(\Pr _{v\leftarrow \left\langle (\mathsf {A}^f,\mathsf {B}^f)(1^n) \right\rangle }\left[ \mathsf{D}(\mathsf{trans}(v))={\mathrm{out }}^{P}\left( v \right) \right] \ge \gamma + \delta \) for some \(P\in \left\{ \mathsf {A},\mathsf {B}\right\} \), algorithm \(\mathsf{R}^{\mathsf{D},f}\) inverts \(f\) with probability at least \(p(\delta )\), for some universal \(p\in \mathrm{poly }\).

Combining Theorem 4.4 and Facts 4.36 and 4.37 yields the following result.

Corollary 4.39

There exists no fully black-box reduction from an \(\left( \alpha ,\gamma \right) \)-key-agreement protocol to one-way functions, with \(1-\alpha (n) - \gamma (n) > 1/\mathrm{poly }(n)\).Footnote 21

Proof’s sketch

Assume that there exists a fully black-box reduction \((\mathsf {A},\mathsf {B},\mathsf{R})\) from an \(\left( \alpha ,\gamma \right) \)-key-agreement protocol to one-way functions, with \(1-\alpha (n) - \gamma (n) > 1/\mathrm{poly }(n)\). Since \({{\mathcal{F}}_\mathrm{{AF}}}_n\) is simple (Fact 4.36), by Theorem 4.4 and a simple averaging argument,Footnote 22 there exists a \(\mathrm{poly }(n)\)-query algorithm \(\mathsf{D}\) such that

$$\begin{aligned} \mathop {\hbox {Pr}}\limits _{f\leftarrow {{\mathcal{F}}_\mathrm{{AF}}}_n}\left[ \mathop {\hbox {Pr}}\limits _{v\leftarrow \left\langle (\mathsf {A}^f,\mathsf {B}^f)(1^n) \right\rangle }\left[ \mathsf{D}^f(\mathsf{trans}(v))\!=\!{\mathrm{out }}^{P}\left( v \right) \right] \ge \gamma (n) \!+\! 1/\mathrm{poly }(n)\!\right] \!\ge \! 1/\mathrm{poly }(n) \end{aligned}$$
(29)

It follows that \(\Pr _{f\leftarrow {{\mathcal{F}}_\mathrm{{AF}}}_n}\left[ \Pr _{x\leftarrow {{\{0,1\}}^n}}[\mathsf{R}^{\mathsf{D}^f,f}(f(x)) \in f^{-1}(f(x))] >\right. \) \(\left. 1/\mathrm{poly }(n)\right] > 1/\mathrm{poly }(n)\), in contradiction to Fact 4.37.\(\square \)

4.4.3 Differentially Private Two-Party Computation

Following Definitions 4.6 and 4.7 and the discussion in Sect. 4.4.1, we define fully black-box reduction from differentially private protocols to one-way functions as follows.

Definition 4.40

(Fully black-box reduction from differentially private protocols to one-way functions) A pptm triplet \((\mathsf {A},\mathsf {B},\mathsf{R})\) is a fully black-box reduction from an \(\left( s,\beta ,d,\alpha ,\gamma \right) \)-differentially private protocol for a functionality \(g\) to one-way functions, if the following holds for every \(n\in {\mathbb {N}}\).

  1. 1.

    \((\mathsf {A},\mathsf {B})\) is a \(\left( \beta (n),d(n) \right) \)-approximation for \(g\) with respect to \({{\mathcal{F}}_\mathrm{{AF}}}_n\) according to Definition 4.7.

  2. 2.

    For every function \(f\) over \({{\{0,1\}}^n}\), algorithm \(\mathsf{D}\) and \(\delta >0\) such that

    $$\begin{aligned}&\mathop {\hbox {Pr}}\limits _{v\leftarrow \left\langle (\mathsf {A}^f(x),\mathsf {B}^f(y)) \right\rangle }\left[ \mathsf{D}\left( \mathsf{trans}\left( v \right) \right) =1\right] \ge e^{\alpha (n)}\cdot \mathop {\hbox {Pr}}\limits _{v\leftarrow \left\langle (\mathsf {A}^f(x'),\mathsf {B}^f(y)) \right\rangle }\\&\qquad \qquad \left[ \mathsf{D}\left( \mathsf{trans}\left( v \right) \right) =1\right] + \gamma (n) + \delta \end{aligned}$$

    for some \(x,x',y\in {\{0,1\}}^{s(n)}\) with \(H_d\left( x,x' \right) =1\), or the analogue condition holds for some \(y,y',x\in {\{0,1\}}^{s(n)}\) with \(H_d\left( y,y' \right) =1\), algorithm \(\mathsf{R}^{\mathsf{D},f}\) inverts \(f\) with probability at least \(p(\delta )\), for some universal \(p\in \mathrm{poly }\).

Combining Theorem 4.17 and Facts 4.37 and 4.36 yields the following result.

Corollary 4.41

For constants \(\nu \in (0,1)\) and \(\eta \ge 0\), there exist \(\lambda >0\) such that the following holds: let \(q\in \mathrm{poly }\) and let \(s,\beta ,d,\alpha \) and \(\gamma \) be such that \(\alpha (n)\le \eta \), \(\gamma (n)\le \frac{\nu }{48\cdot s(n)} - \frac{1}{q(n)}\), \(\beta (n)\le \frac{1-\nu }{2}\) and \(d(n)\le \lambda \cdot \nu \cdot \frac{\sqrt{s(n)}}{\log s(n)}\) for infinitely many \(n\)’s. Then, there exists no fully black-box reduction from an \(\left( s,\beta ,d,\alpha ,\gamma \right) \)-differentially private protocol for computing the inner-product functionality, to one-way functions.