TCC 2019: Theory of Cryptography pp 531-560

Channels of Small Log-Ratio Leakage and Characterization of Two-Party Differentially Private Computation

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11891)

Abstract

Consider a ppt two-party protocol $$\varPi = (\mathsf {A} ,\mathsf {B} )$$ in which the parties get no private inputs and obtain outputs $$O^{\mathsf {A} },O^{\mathsf {B} }\in \left\{ 0,1\right\}$$, and let $$V^\mathsf {A}$$ and $$V^\mathsf {B}$$ denote the parties’ individual views. Protocol $$\varPi$$ has $$\alpha$$-agreement if $$\Pr [O^{\mathsf {A} }=O^{\mathsf {B} }] = \tfrac{1}{2}+\alpha$$. The leakage of $$\varPi$$ is the amount of information a party obtains about the event $$\left\{ O^{\mathsf {A} }=O^{\mathsf {B} }\right\}$$; that is, the leakage $$\epsilon$$ is the maximum, over $$\mathsf {P} \in \left\{ \mathsf {A} ,\mathsf {B} \right\}$$, of the distance between $$V^\mathsf {P} |_{O^{\mathsf {A} }= O^{\mathsf {B} }}$$ and $$V^\mathsf {P} |_{O^{\mathsf {A} }\ne O^{\mathsf {B} }}$$. Typically, this distance is measured in statistical distance, or, in the computational setting, in computational indistinguishability. For this choice, Wullschleger [TCC ’09] showed that if $$\epsilon \ll \alpha$$ then the protocol can be transformed into an OT protocol.

We consider measuring the protocol leakage by the log-ratio distance (which was popularized by its use in the differential privacy framework). The log-ratio distance between $$X$$ and $$Y$$ over domain $$\varOmega$$ is the minimal $$\epsilon \ge 0$$ for which, for every $$v \in \varOmega$$, $$\log \frac{\Pr [X=v]}{\Pr [Y=v]} \in [-\epsilon ,\epsilon ]$$. In the computational setting, we use computational indistinguishability from having log-ratio distance $$\epsilon$$. We show that a protocol with (noticeable) accuracy $$\alpha \in \varOmega (\epsilon ^2)$$ can be transformed into an OT protocol (note that this allows $$\epsilon \gg \alpha$$). We complete the picture, in this respect, showing that a protocol with $$\alpha \in o(\epsilon ^2)$$ does not necessarily imply OT. Our results hold for both the information theoretic and the computational settings, and can be viewed as a “fine grained” approach to “weak OT amplification”.
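To make the definitions of agreement and leakage concrete, the following Python sketch (an added illustration, not code from the paper) computes $$\alpha$$ and the leakage $$\epsilon$$, under both log-ratio and statistical distance, for a small constructed channel. The toy channel, all function names and the use of the natural logarithm are assumptions of this example.

```python
import math
from collections import defaultdict
from itertools import product

def toy_channel(alpha, eps_a, eps_b):
    """Constructed joint distribution {(view_A, view_B, out_A, out_B): prob}.
    Outputs agree w.p. 1/2 + alpha; party P's view also holds a hint equal to
    the agreement bit w.p. e^eps_P / (1 + e^eps_P)."""
    joint = {}
    for a, agree, ha, hb in product((0, 1), repeat=4):
        b = a if agree else 1 - a
        p = 0.5 * (0.5 + alpha if agree else 0.5 - alpha)
        for hint, eps in ((ha, eps_a), (hb, eps_b)):
            good = math.exp(eps) / (1 + math.exp(eps))
            p *= good if hint == agree else 1 - good
        joint[((a, ha), (b, hb), a, b)] = p
    return joint

def agreement(joint):
    """alpha = Pr[O^A = O^B] - 1/2."""
    return sum(p for (_, _, oa, ob), p in joint.items() if oa == ob) - 0.5

def view_given(joint, party, agree):
    """Distribution of V^party (0 = A, 1 = B) given O^A = O^B, or given O^A != O^B."""
    dist = defaultdict(float)
    for key, p in joint.items():
        if (key[2] == key[3]) == agree:
            dist[key[party]] += p
    total = sum(dist.values())
    return {v: p / total for v, p in dist.items()}

def log_ratio_distance(x, y):
    """Minimal eps >= 0 with ln(Pr[X=v]/Pr[Y=v]) in [-eps, eps] for every v."""
    eps = 0.0
    for v in set(x) | set(y):
        px, py = x.get(v, 0.0), y.get(v, 0.0)
        if (px == 0.0) != (py == 0.0):
            return math.inf  # supports differ: no finite eps bounds the ratio
        if px > 0.0:
            eps = max(eps, abs(math.log(px / py)))
    return eps

def statistical_distance(x, y):
    return 0.5 * sum(abs(x.get(v, 0.0) - y.get(v, 0.0)) for v in set(x) | set(y))

def leakage(joint, distance):
    """Maximum over both parties of distance(V^P | agree, V^P | disagree)."""
    return max(distance(view_given(joint, p, True), view_given(joint, p, False))
               for p in (0, 1))
```

For `toy_channel(0.02, 0.1, 0.05)` the log-ratio leakage is 0.1 and the statistical leakage is tanh(0.05) ≈ 0.05, so both exceed the agreement 0.02 while the squared log-ratio leakage is 0.01; single numbers like these only illustrate the quantities and do not decide the asymptotic conditions in the abstract.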

We then use the above result to fully characterize the complexity of differentially private two-party computation for the XOR function, answering the open question put by Goyal, Khurana, Mironov, Pandey, and Sahai, [ICALP ’16] and Haitner, Nissim, Omri, Shaltiel, and Silbak [22] [FOCS ’18]. Specifically, we show that for any (noticeable) $$\alpha \in \varOmega (\epsilon ^2)$$, a two-party protocol that computes the XOR function with $$\alpha$$-accuracy and $$\epsilon$$-differential privacy can be transformed into an OT protocol. This improves upon Goyal et al. that only handle $$\alpha \in \varOmega (\epsilon )$$, and upon Haitner et al. who showed that such a protocol implies (infinitely-often) key agreement (and not OT). Our characterization is tight since OT does not follow from protocols in which $$\alpha \in o( \epsilon ^2)$$, and extends to functions (over many bits) that “contain” an “embedded copy” of the XOR function.

Keywords

Oblivious transfer, Differential privacy, Hardness amplification

Notes

Acknowledgement

We are very grateful to Kobbi Nissim, Eran Omri and Ido Abulafya for helpful conversations and advice. We thank the anonymous referees for detailed and very helpful comments.

References

1. Aiello, B., Ishai, Y., Reingold, O.: Priced oblivious transfer: how to sell digital goods. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 119–135. Springer, Heidelberg (2001).
2. Beimel, A., Malkin, T., Micali, S.: The all-or-nothing nature of two-party secure computation. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 80–97. Springer, Heidelberg (1999).
3. Beimel, A., Nissim, K., Omri, E.: Distributed private data analysis: simultaneously solving how and what. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 451–468. Springer, Heidelberg (2008).
4. Bellare, M., Micali, S.: Non-interactive oblivious transfer and applications. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 547–557. Springer, New York (1990).
5. Bennett, C.H., Brassard, G., Crépeau, C., Maurer, U.M.: Generalized privacy amplification. IEEE Trans. Inf. Theory 41(6), 1915–1923 (1995)
6. Chan, T.-H.H., Shi, E., Song, D.: Optimal lower bound for differentially private multi-party aggregation. In: Epstein, L., Ferragina, P. (eds.) ESA 2012. LNCS, vol. 7501, pp. 277–288. Springer, Heidelberg (2012).
7. Crépeau, C.: Efficient cryptographic protocols based on noisy channels. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 306–317. Springer, Heidelberg (1997).
8. Crépeau, C., Kilian, J.: Achieving oblivious transfer using weakened security assumptions. In: 29th Annual Symposium on Foundations of Computer Science, pp. 42–52. IEEE (1988)
9. Dwork, C., Rothblum, G.N.: Concentrated differential privacy. arXiv preprint arXiv:1603.01887 (2016)
10. Dwork, C., McSherry, F., Nissim, K., Smith, A.: Calibrating noise to sensitivity in private data analysis. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 265–284. Springer, Heidelberg (2006).
11. Dwork, C., Rothblum, G.N., Vadhan, S.: Boosting and differential privacy. In: Proceedings of the 51st Annual Symposium on Foundations of Computer Science (FOCS), pp. 51–60 (2010)
12. Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. Commun. ACM 28(6), 637–647 (1985)
13. Goldreich, O.: Foundations of Cryptography - Volume 2: Basic Applications. Cambridge University Press (2004)
14. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC 19, pp. 218–229 (1987)
15. Goldreich, O., Krawczyk, H., Luby, M.: On the existence of pseudorandom generators. SIAM J. Comput. 22(6), 1163–1175 (1993)
16. Goyal, V., Mironov, I., Pandey, O., Sahai, A.: Accuracy-privacy tradeoffs for two-party differentially private protocols. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 298–315. Springer, Heidelberg (2013).
17. Goyal, V., Khurana, D., Mironov, I., Pandey, O., Sahai, A.: Do distributed differentially-private protocols require oblivious transfer? In: LIPIcs-Leibniz International Proceedings in Informatics, vol. 55. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2016)
18. Haitner, I.: Implementing oblivious transfer using collection of dense trapdoor permutations. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 394–409. Springer, Heidelberg (2004).
19. Haitner, I.: A parallel repetition theorem for any interactive argument. SIAM J. Comput. 42(6), 2487–2501 (2013)
20. Haitner, I., Harnik, D., Reingold, O.: On the power of the randomized iterate. SIAM J. Comput. 40(6), 1486–1528 (2011)
21. Haitner, I., Omri, E., Zarosim, H.: Limits on the usefulness of random oracles. J. Cryptol. 29(2), 283–335 (2016)
22. Haitner, I., Nissim, K., Omri, E., Shaltiel, R., Silbak, J.: Computational two-party correlation. In: Proceedings of the 59th Annual Symposium on Foundations of Computer Science (FOCS) (2018)
23. Haitner, I., Mazor, N., Shaltiel, R., Silbak, J.: Channels of small log-ratio leakage and characterization of two-party differentially private computation (2019/616) (2019)
24. Harnik, D., Naor, M., Reingold, O., Rosen, A.: Completeness in two-party secure computation: a computational view. J. Cryptol. 19(4), 521–552 (2006)
25. Håstad, J., Pass, R., Wikström, D., Pietrzak, K.: An efficient parallel repetition theorem. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 1–18. Springer, Heidelberg (2010).
26. Holenstein, T.: Pseudorandom generators from one-way functions: a simple construction for any hardness. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 443–461. Springer, Heidelberg (2006).
27. Kairouz, P., Oh, S., Viswanath, P.: Differentially private multi-party computation: optimality of non-interactive randomized response. arXiv preprint arXiv:1407.1546 (2014)
28. Kalai, Y.T.: Smooth projective hashing and two-message oblivious transfer. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 78–95. Springer, Heidelberg (2005).
29. Khurana, D., Maji, H.K., Sahai, A.: Black-box separations for differentially private protocols. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 386–405. Springer, Heidelberg (2014).
30. Maurer, U.M.: Secret key agreement by public discussion from common information. IEEE Trans. Inf. Theory 39(3), 733–742 (1993)
31. McGregor, A., Mironov, I., Pitassi, T., Reingold, O., Talwar, K., Vadhan, S.P.: The limits of two-party differential privacy. In: Electronic Colloquium on Computational Complexity (ECCC), p. 106 (2011). Preliminary version in FOCS 10
32. Mironov, I., Pandey, O., Reingold, O., Vadhan, S.: Computational differential privacy. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 126–142. Springer, Heidelberg (2009).
33. Naor, M., Pinkas, B.: Efficient oblivious transfer protocols. In: Proceedings of the Twelfth Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 448–457. Society for Industrial and Applied Mathematics (2001)
34. Nascimento, A.C., Winter, A.: On the oblivious-transfer capacity of noisy resources. IEEE Trans. Inf. Theory 54(6), 2572–2581 (2008)
35. Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008).
36. Prabhakaran, V.M., Prabhakaran, M.M.: Assisted common information with an application to secure two-party sampling. IEEE Trans. Inf. Theory 60(6), 3413–3434 (2014)
37. Rabin, M.O.: How to exchange secrets by oblivious transfer. TR-81, Harvard (1981)
38. Warner, S.L.: Randomized response: a survey technique for eliminating evasive answer bias. J. Am. Stat. Assoc. 60(309), 63–69 (1965)
39. Wolf, S., Wullschleger, J.: Zero-error information and applications in cryptography. In: IEEE Information Theory Workshop, pp. 1–6. IEEE (2004)
40. Wullschleger, J.: Oblivious-Transfer Amplification. Ph.D. thesis, ETH Zurich (2008)
41. Wullschleger, J.: Oblivious transfer from weak noisy channels. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 332–349. Springer, Heidelberg (2009).
42. Yao, A.C.: Protocols for secure computations. In: Proceedings of the 23rd Annual Symposium on Foundations of Computer Science (FOCS), pp. 160–164 (1982)
43. Yao, A.C.: How to generate and exchange secrets. In: Proceedings of the 27th Annual Symposium on Foundations of Computer Science (FOCS), pp. 162–167. IEEE Computer Society (1986)