Channels of Small Log-Ratio Leakage and Characterization of Two-Party Differentially Private Computation

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11891)


Consider a ppt two-party protocol \(\varPi = (\mathsf {A} ,\mathsf {B} )\) in which the parties get no private inputs and obtain outputs \(O^{\mathsf {A} },O^{\mathsf {B} }\in \left\{ 0,1\right\} \), and let \(V^\mathsf {A} \) and \(V^\mathsf {B} \) denote the parties’ individual views. Protocol \(\varPi \) has \(\alpha \)-agreement if \(\Pr [O^{\mathsf {A} }=O^{\mathsf {B} }] = \tfrac{1}{2}+\alpha \). The leakage of \(\varPi \) is the amount of information a party obtains about the event \(\left\{ O^{\mathsf {A} }=O^{\mathsf {B} }\right\} \); that is, the leakage \(\epsilon \) is the maximum, over \(\mathsf {P} \in \left\{ \mathsf {A} ,\mathsf {B} \right\} \), of the distance between \(V^\mathsf {P} |_{O^{\mathsf {A} }= O^{\mathsf {B} }}\) and \(V^\mathsf {P} |_{O^{\mathsf {A} }\ne O^{\mathsf {B} }}\). Typically, this distance is measured in statistical distance, or, in the computational setting, in computational indistinguishability. For this choice, Wullschleger [TCC ’09] showed that if \(\epsilon \ll \alpha \) then the protocol can be transformed into an OT protocol.

We consider measuring the protocol leakage by the log-ratio distance (which was popularized by its use in the differential privacy framework). The log-ratio distance between XY over domain \(\varOmega \) is the minimal \(\epsilon \ge 0\) for which, for every \(v \in \varOmega \), \(\log \frac{\Pr [X=v]}{\Pr [Y=v]} \in [-\epsilon ,\epsilon ]\). In the computational setting, we use computational indistinguishability from having log-ratio distance \(\epsilon \). We show that a protocol with (noticeable) accuracy \(\alpha \in \varOmega (\epsilon ^2)\) can be transformed into an OT protocol (note that this allows \(\epsilon \gg \alpha \)). We complete the picture, in this respect, showing that a protocol with \(\alpha \in o(\epsilon ^2)\) does not necessarily imply OT. Our results hold for both the information theoretic and the computational settings, and can be viewed as a “fine grained” approach to “weak OT amplification”.

We then use the above result to fully characterize the complexity of differentially private two-party computation for the XOR function, answering the open question put by Goyal, Khurana, Mironov, Pandey, and Sahai, [ICALP ’16] and Haitner, Nissim, Omri, Shaltiel, and Silbak [22] [FOCS ’18]. Specifically, we show that for any (noticeable) \(\alpha \in \varOmega (\epsilon ^2)\), a two-party protocol that computes the XOR function with \(\alpha \)-accuracy and \(\epsilon \)-differential privacy can be transformed into an OT protocol. This improves upon Goyal et al. that only handle \(\alpha \in \varOmega (\epsilon )\), and upon Haitner et al. who showed that such a protocol implies (infinitely-often) key agreement (and not OT). Our characterization is tight since OT does not follow from protocols in which \(\alpha \in o( \epsilon ^2)\), and extends to functions (over many bits) that “contain” an “embedded copy” of the XOR function.


Oblivious transfer Differential privacy Hardness amplification 



We are very grateful to Kobbi Nissim, Eran Omri and Ido Abulafya for helpful conversations and advice. We thank the anonymous referees for detailed and very helpful comments.


  1. 1.
    Aiello, B., Ishai, Y., Reingold, O.: Priced oblivious transfer: how to sell digital goods. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 119–135. Springer, Heidelberg (2001). Scholar
  2. 2.
    Beimel, A., Malkin, T., Micali, S.: The all-or-nothing nature of two-party secure computation. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 80–97. Springer, Heidelberg (1999). Scholar
  3. 3.
    Beimel, A., Nissim, K., Omri, E.: Distributed private data analysis: simultaneously solving how and what. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 451–468. Springer, Heidelberg (2008). Scholar
  4. 4.
    Bellare, M., Micali, S.: Non-interactive oblivious transfer and applications. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 547–557. Springer, New York (1990). Scholar
  5. 5.
    Bennett, C.H., Brassard, G., Crépeau, C., Maurer, U.M.: Generalized privacy amplification. IEEE Trans. Inf. Theory 41(6), 1915–1923 (1995)MathSciNetCrossRefGoogle Scholar
  6. 6.
    Chan, T.-H.H., Shi, E., Song, D.: Optimal lower bound for differentially private multi-party aggregation. In: Epstein, L., Ferragina, P. (eds.) ESA 2012. LNCS, vol. 7501, pp. 277–288. Springer, Heidelberg (2012). Scholar
  7. 7.
    Crépeau, C.: Efficient cryptographic protocols based on noisy channels. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 306–317. Springer, Heidelberg (1997). Scholar
  8. 8.
    Crépeau, C., Kilian, J.: Achieving oblivious transfer using weakened security assumptions. In: 29th Annual Symposium on Foundations of Computer Science, pp. 42–52. IEEE (1988)Google Scholar
  9. 9.
    Dwork, C., Rothblum, G.N.: Concentrated differential privacy. arXiv preprint arXiv:1603.01887 (2016)
  10. 10.
    Dwork, C., McSherry, F., Nissim, K., Smith, A.: Calibrating noise to sensitivity in private data analysis. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 265–284. Springer, Heidelberg (2006). Scholar
  11. 11.
    Dwork, C., Rothblum, G.N., Vadhan, S.: Boosting and differential privacy. In: Proceedings of the 51st Annual Symposium on Foundations of Computer Science (FOCS), pp. 51–60 (2010)Google Scholar
  12. 12.
    Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. Commun. ACM 28(6), 637–647 (1985)MathSciNetCrossRefGoogle Scholar
  13. 13.
    Goldreich, O.: Foundations of Cryptography - Volume 2: Basic Applications. Cambridge University Press (2004)Google Scholar
  14. 14.
    Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC 19, pp. 218–229 (1987)Google Scholar
  15. 15.
    Goldreich, O., Krawczyk, H., Luby, M.: On the existence of pseudorandom generators. SIAM J. Comput. 22(6), 1163–1175 (1993)MathSciNetCrossRefGoogle Scholar
  16. 16.
    Goyal, V., Mironov, I., Pandey, O., Sahai, A.: Accuracy-privacy tradeoffs for two-party differentially private protocols. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 298–315. Springer, Heidelberg (2013). Scholar
  17. 17.
    Goyal, V., Khurana, D., Mironov, I., Pandey, O., Sahai, A.: Do distributed differentially-private protocols require oblivious transfer? In: LIPIcs-Leibniz International Proceedings in Informatics, vol. 55. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2016)Google Scholar
  18. 18.
    Haitner, I.: Implementing oblivious transfer using collection of dense trapdoor permutations. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 394–409. Springer, Heidelberg (2004). Scholar
  19. 19.
    Haitner, I.: A parallel repetition theorem for any interactive argument. SIAM J. Comput. 42(6), 2487–2501 (2013)MathSciNetCrossRefGoogle Scholar
  20. 20.
    Haitner, I., Harnik, D., Reingold, O.: On the power of the randomized iterate. SIAM J. Comput. 40(6), 1486–1528 (2011)MathSciNetCrossRefGoogle Scholar
  21. 21.
    Haitner, I., Omri, E., Zarosim, H.: Limits on the usefulness of random oracles. J. Cryptol. 29(2), 283–335 (2016)MathSciNetCrossRefGoogle Scholar
  22. 22.
    Haitner, I., Nissim, K., Omri, E., Shaltiel, R., Silbak, J.: Computational two-party correlation. In: Proceedings of the 59th Annual Symposium on Foundations of Computer Science (FOCS) (2018)Google Scholar
  23. 23.
    Haitner, I., Mazor, N., Shaltiel, R., Silbak, J.: Channels of small log-ratio leakage and characterization of two-party differentially private computation (2019/616) (2019)Google Scholar
  24. 24.
    Harnik, D., Naor, M., Reingold, O., Rosen, A.: Completeness in two-party secure computation: a computational view. J. Cryptol. 19(4), 521–552 (2006)MathSciNetCrossRefGoogle Scholar
  25. 25.
    Håstad, J., Pass, R., Wikström, D., Pietrzak, K.: An efficient parallel repetition theorem. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 1–18. Springer, Heidelberg (2010). Scholar
  26. 26.
    Holenstein, T.: Pseudorandom generators from one-way functions: a simple construction for any hardness. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 443–461. Springer, Heidelberg (2006). Scholar
  27. 27.
    Kairouz, P., Oh, S., Viswanath, P.: Differentially private multi-party computation: optimality of non-interactive randomized response. arXiv preprint arXiv:1407.1546 (2014)
  28. 28.
    Kalai, Y.T.: Smooth projective hashing and two-message oblivious transfer. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 78–95. Springer, Heidelberg (2005). Scholar
  29. 29.
    Khurana, D., Maji, H.K., Sahai, A.: Black-box separations for differentially private protocols. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 386–405. Springer, Heidelberg (2014). Scholar
  30. 30.
    Maurer, U.M.: Secret key agreement by public discussion from common information. IEEE Trans. Inf. Theory 39(3), 733–742 (1993)MathSciNetCrossRefGoogle Scholar
  31. 31.
    McGregor, A., Mironov, I., Pitassi, T., Reingold, O., Talwar, K., Vadhan, S.P.: The limits of two-party differential privacy. In: Electronic Colloquium on Computational Complexity (ECCC), p. 106 (2011). Preliminary version in FOCS 10Google Scholar
  32. 32.
    Mironov, I., Pandey, O., Reingold, O., Vadhan, S.: Computational differential privacy. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 126–142. Springer, Heidelberg (2009). Scholar
  33. 33.
    Naor, M., Pinkas, B.: Efficient oblivious transfer protocols. In: Proceedings of the Twelfth Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 448–457. Society for Industrial and Applied Mathematics (2001)Google Scholar
  34. 34.
    Nascimento, A.C., Winter, A.: On the oblivious-transfer capacity of noisy resources. IEEE Trans. Inf. Theory 54(6), 2572–2581 (2008)MathSciNetCrossRefGoogle Scholar
  35. 35.
    Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). Scholar
  36. 36.
    Prabhakaran, V.M., Prabhakaran, M.M.: Assisted common information with an application to secure two-party sampling. IEEE Trans. Inf. Theory 60(6), 3413–3434 (2014)MathSciNetCrossRefGoogle Scholar
  37. 37.
    Rabin, M.O.: How to exchange secrets by oblivious transfer. TR-81, Harvard (1981)Google Scholar
  38. 38.
    Warner, S.L.: Randomized response: a survey technique for eliminating evasive answer bias. J. Am. Stat. Assoc. 60(309), 63–69 (1965)CrossRefGoogle Scholar
  39. 39.
    Wolf, S., Wultschleger, J.: Zero-error information and applications in cryptography. In: IEEE Information Theory Workshop, pp. 1–6. IEEE (2004)Google Scholar
  40. 40.
    Wullschleger, J.: Oblivious-Transfer Amplification. Ph.D. thesis, ETH Zurich (2008)Google Scholar
  41. 41.
    Wullschleger, J.: Oblivious transfer from weak noisy channels. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 332–349. Springer, Heidelberg (2009). Scholar
  42. 42.
    Yao, A.C.: Protocols for secure computations. In: Proceedings of the 23th Annual Symposium on Foundations of Computer Science (FOCS), pp. 160–164 (1982)Google Scholar
  43. 43.
    Yao, A.C.: How to generate and exchange secrets. In: Proceedings of the 27th Annual Symposium on Foundations of Computer Science (FOCS), pp. 162–167. IEEE Computer Society (1986)Google Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. 1.School of Computer ScienceTel Aviv UniversityTel Aviv-YafoIsrael
  2. 2.Department of Computer ScienceUniversity of HaifaHaifaIsrael

Personalised recommendations