Merkles Key Agreement Protocol is Optimal: An $O(n^2)$ Attack on any Key Agreement from Random Oracles

We prove that every key agreement protocol in the random oracle model in which the honest users make at most $n$ queries to the oracle can be broken by an adversary who makes $O(n^2)$ queries to the oracle. This improves on the previous $\widetilde{\…

Authors: Boaz Barak, Mohammad Mahmoody

Abstract. We prove that every key agreement protocol in the random oracle model in which the honest users make at most $n$ queries to the oracle can be broken by an adversary who makes $O(n^2)$ queries to the oracle. This improves on the previous $\widetilde{\Omega}(n^6)$-query attack given by Impagliazzo and Rudich (STOC '89) and resolves an open question posed by them. Our bound is optimal up to a constant factor since Merkle proposed a key agreement protocol in 1974 that can be easily implemented with $n$ queries to a random oracle and cannot be broken by any adversary who asks $o(n^2)$ queries.

Keywords: Key Agreement, Random Oracle, Merkle Puzzles.

Boaz Barak: Microsoft Research New England and Harvard University, b@boazbarak.org. Mohammad Mahmoody: University of Virginia, mohammad@cs.virginia.edu. Supported by NSF CAREER award CCF-1350939.

Contents
1 Introduction
  1.1 Our Results
  1.2 Related Work
  1.3 Our Techniques
    1.3.1 The Approach of [IR89]
    1.3.2 Our Approach
2 Preliminaries
  2.1 Statistical Distance
3 Proving the Main Theorem
  3.1 Notation and Definitions
  3.2 Attacker's Algorithm
  3.3 Analysis of Attack
    3.3.1 Eve Finds Intersection Queries: Proving Lemma 3.6
    3.3.2 The Graph Characterization: Proving Lemma 3.8
    3.3.3 Eve Finds the Key: Proving Lemma 3.4
    3.3.4 Efficiency of Eve: Proving Lemma 3.5
4 Extensions
  4.1 Making the Views Almost Independent
  4.2 Removing the Rationality Condition

1 Introduction

In the 1970's Diffie, Hellman, and Merkle [Mer74, DH76, Mer78] began to challenge the accepted wisdom that two parties cannot communicate confidentially over an open channel without first exchanging a secret key using some secure means. The first such protocol (at least in the open scientific community) was proposed by Merkle in 1974 [Mer74] for a course project at Berkeley. Even though the course's instructor rejected the proposal, Merkle continued working on his ideas and discussing them with Diffie and Hellman, leading to the papers [DH76, Mer78]. Merkle's original key exchange protocol was extremely simple and can be directly formalized and implemented using a random oracle (footnote 1) as follows.

Protocol 1.1 (Merkle's 1974 Protocol using Random Oracles). Let $n$ be the security parameter and $H : [n^2] \to \{0,1\}^n$ be a function chosen at random, accessible to all parties as an oracle. Alice and Bob execute the protocol as follows.

1. Alice chooses $10n$ distinct random numbers $x_1, \ldots, x_{10n}$ from $[n^2]$ and sends $a_1, \ldots, a_{10n}$ to Bob, where $a_i = H(x_i)$.
2. Similarly, Bob chooses $10n$ random numbers $y_1, \ldots, y_{10n}$ in $[n^2]$ and sends $b_1, \ldots, b_{10n}$ to Alice, where $b_j = H(y_j)$. (This step can be executed in parallel with Alice's first step.)
3. If there exists any $a_i = b_j$ among the exchanged strings, Alice and Bob let $(i, j)$ be the lexicographically first index of such a pair; Alice takes $x_i$ as her key and Bob takes $y_j$ as his key. If no such pair $(i, j)$ exists, they both take $0$ as the agreed key.

It is easy to see that with probability at least $1 - n^4/2^n$ the random function $H : [n^2] \to \{0,1\}^n$ is injective, and so any $a_i = b_j$ will lead to the same key $x_i = y_j$ used by Alice and Bob. In addition, the probability of not finding a "collision" $a_i = b_j$ is at most $(1 - 10/n)^{10n} \le (1/e)^{100} < 2^{-100}$ for all $n \ge 10$. Moreover, when there is a collision $a_i = b_j$, Eve has to essentially search the whole input space $[n^2]$ to find the preimage $x_i = y_j$ of $a_i = b_j$ (or, more precisely, make $n^2/2$ calls to $H(\cdot)$ on average).

We note that in his 1978 paper [Mer78] Merkle described a different variant of a key agreement protocol, in which Alice sends to Bob $n$ "puzzles" $a_1, \ldots, a_n$ such that each puzzle $a_i$ takes $\approx n$ "time" to solve (where time is modeled as the number of oracle queries), and the solver learns some secret $x_i$. The idea is that Bob chooses at random which puzzle $i \in [n]$ to solve, and so spends $\approx n$ time to learn $x_i$, which he can then use as a shared secret with Alice after sending a hash of $x_i$ to Alice so that she knows which secret Bob chose. On the other hand, Eve would need to solve almost all the puzzles to find the secret, thus spending $\approx n^2$ time. These puzzles can indeed be implemented via a random oracle $H : [n] \times [n] \to \{0,1\}^n \times \{0,1\}^m$ as follows. The $i$'th puzzle with hidden secret $x \in \{0,1\}^m$ is obtained by choosing $k \leftarrow [n]$ at random and setting $a_i = (H_1(i,k),\, H_2(i,k) \oplus x)$, where $\oplus$ denotes bitwise exclusive OR, $H_1(\cdot,\cdot)$ denotes the first $n$ bits of $H$'s output, and $H_2(\cdot,\cdot)$ denotes the last $m$ bits of $H$'s output. Now, given puzzles $P_1 = (h^1_1, h^1_2), \ldots, P_n = (h^n_1, h^n_2)$, Bob takes a random puzzle $P_j$ and solves it by asking $H(j,k)$ for all $k \in [n]$ until he gets $H(j,k) = (h^j_1, h_2)$ for some $h_2$; he then retrieves the puzzle solution $x = h_2 \oplus h^j_2$.

Footnote 1. In this work, random oracles denote any randomized oracle $O : \{0,1\}^* \to \{0,1\}^*$ such that $O(x)$ is independent of $O(\{0,1\}^* \setminus \{x\})$ for every $x$ (see Definition 2.2). The two protocols of Merkle we describe here can be implemented using a length-preserving random oracle (by cutting the inputs and the output to the right length). Our negative results, on the other hand, apply to any random oracle.

One problem with Merkle's protocol is that its security was only analyzed in the random oracle model, which does not necessarily capture security when the oracle is instantiated with a cryptographic one-way or hash function [CGH04]. Biham, Goren, and Ishai [BGI08] took a step towards resolving this issue by providing a security analysis for Merkle's protocol under concrete complexity assumptions. In particular, they proved that assuming the existence of one-way functions that cannot be inverted with probability more than $2^{-\alpha n}$ by adversaries running in time $2^{\alpha n}$ for $\alpha \ge 1/2 - \delta$, there is a key agreement protocol in which Alice and Bob run in time $n$ but any adversary whose running time is at most $n^{2 - 10\delta}$ has $o(1)$ chance of finding the secret.
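Both protocols above, Protocol 1.1 and the 1978 puzzle variant, carried out end to end against a simulated random oracle, as an added Python example that is not part of the paper. The oracle is a lazily sampled memoised table that counts each party's distinct queries, so the honest cost ($10n$ queries for Protocol 1.1, about $n$ for the puzzles) can be compared directly with the eavesdropper's exhaustive search (about $n^2/2$ and $n^2/4$ queries respectively). The party names, the seeds, and the use of the same oracle on inputs $(\text{'tag'}, x)$ for the hash Bob sends in the 1978 variant are assumptions of this example:

```python
"""Merkle's 1974 key agreement (Protocol 1.1) and his 1978 puzzle variant,
simulated against a lazily sampled random oracle that counts the distinct
queries each party makes. Added example; not code from the paper."""
import random


class RandomOracle:
    """H : inputs -> {0,1}^out_bits (as ints). Each new input gets an
    independent uniform answer that is memoised, so repeated queries agree.
    Distinct queries are recorded per caller to compare honest vs. Eve cost."""

    def __init__(self, out_bits, seed=None):
        self.out_bits = out_bits
        self.rng = random.Random(seed)  # seeded only for reproducibility
        self.table, self.queries = {}, {}

    def query(self, caller, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.out_bits)
        self.queries.setdefault(caller, set()).add(x)
        return self.table[x]

    def count(self, caller):
        return len(self.queries.get(caller, ()))


def first_collision(a, b):
    """Lexicographically first (i, j) with a[i] == b[j], or None."""
    first_j = {}
    for j, bj in enumerate(b):
        first_j.setdefault(bj, j)
    for i, ai in enumerate(a):
        if ai in first_j:
            return i, first_j[ai]
    return None


def merkle_1974(n, seed=None):
    """Protocol 1.1 with H : [n^2] -> {0,1}^n; needs n >= 10 so that 10n
    distinct inputs exist. Returns (key_a, key_b, transcript, H); Alice and
    Bob each make exactly 10n queries (Bob's draws are also taken distinct)."""
    H = RandomOracle(n, seed)
    rng = random.Random(None if seed is None else seed + 1)
    xs = rng.sample(range(n * n), 10 * n)
    ys = rng.sample(range(n * n), 10 * n)
    a = [H.query("Alice", x) for x in xs]
    b = [H.query("Bob", y) for y in ys]
    hit = first_collision(a, b)
    if hit is None:
        return 0, 0, (a, b), H          # no a_i = b_j: both output 0
    i, j = hit
    return xs[i], ys[j], (a, b), H


def eve_1974(n, transcript, H, seed=None):
    """Eve sees only (a, b). She finds the same first collision and inverts
    it by exhaustive search over [n^2] in random order: ~n^2/2 queries."""
    a, b = transcript
    hit = first_collision(a, b)
    if hit is None:
        return 0
    target = a[hit[0]]
    for x in random.Random(seed).sample(range(n * n), n * n):
        if H.query("Eve", x) == target:
            return x
    raise AssertionError("a preimage of a_i exists by construction")


def solve_puzzle(H, caller, i, puzzle, n, m):
    """Try k = 0..n-1 until H1(i,k) matches; then unmask the m-bit secret."""
    h1, masked = puzzle
    for k in range(n):
        h = H.query(caller, (i, k))
        if h >> m == h1:
            return masked ^ (h & ((1 << m) - 1))
    raise AssertionError("every puzzle was built from some (i, k)")


def merkle_1978(n, m, seed=None):
    """Merkle's 1978 puzzles with H : [n] x [n] -> {0,1}^n x {0,1}^m, the
    first n output bits being H1 and the last m bits H2. Bob announces a hash
    of his recovered secret, modelled (an assumption of this example) as the
    same oracle on inputs ('tag', x), disjoint from [n] x [n]."""
    H = RandomOracle(n + m, seed)
    rng = random.Random(None if seed is None else seed + 1)
    hidden = [rng.getrandbits(m) for _ in range(n)]
    puzzles = []
    for i in range(n):
        h = H.query("Alice", (i, rng.randrange(n)))        # a_i, one query
        puzzles.append((h >> m, (h & ((1 << m) - 1)) ^ hidden[i]))
    j = rng.randrange(n)
    x_bob = solve_puzzle(H, "Bob", j, puzzles[j], n, m)   # <= n queries
    tag = H.query("Bob", ("tag", x_bob))
    x_alice = next(x for x in hidden if H.query("Alice", ("tag", x)) == tag)
    return x_alice, x_bob, (puzzles, tag), H


def eve_1978(n, m, public, H, seed=None):
    """Eve sees the puzzles and the tag but not j, so she solves puzzles in
    random order until a recovered secret reproduces the tag: about n^2/4
    queries on average, against Bob's n/2."""
    puzzles, tag = public
    for i in random.Random(seed).sample(range(n), n):
        x = solve_puzzle(H, "Eve", i, puzzles[i], n, m)
        if H.query("Eve", ("tag", x)) == tag:
            return x
    raise AssertionError("one of the puzzles hides the tagged secret")
```

Running `merkle_1974(32, seed=7)` followed by `eve_1974` on its transcript shows Alice and Bob at 320 queries each and Eve at several hundred, and the counts from `merkle_1978(32, 32, seed=11)` show the same quadratic gap; the failure cases the text mentions (no collision, so both parties output 0, or a non-injective oracle) are rare at these sizes but the 1974 code returns the agreed key 0 when no $a_i = b_j$ exists.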
Perhaps a more serious issue with Merkle's protocol is that it only provides a quadratic gap between the running time of the honest parties and the adversary. Fortunately, not too long after Merkle's work, Diffie and Hellman [DH76] and later Rivest, Shamir, and Adleman [RSA78] gave constructions for key agreement protocols that are conjectured to have super-polynomial (even subexponential) security and are of course widely used to this day. But because these and later protocols are based on certain algebraic computational problems, they could perhaps be vulnerable to unforeseen attacks using this algebraic structure. It remained, however, an important open question to show whether there exist key agreement protocols with super-polynomial security that use only a random oracle (footnote 2). The seminal paper of Impagliazzo and Rudich [IR89] answered this question negatively by showing that every key agreement protocol, even in its full general form that is allowed to run in polynomially many rounds, can be broken by an adversary asking $O(n^6 \log n)$ queries if the two parties ask $n$ queries in the random oracle model (footnote 3). A random oracle is in particular a one-way function (with high probability) (footnote 4), and thus an important corollary of [IR89]'s result is that there is no construction of key agreement protocols based on one-way functions with a proof of super-polynomial security that is of the standard black-box type (i.e., the implementation of the protocol uses the one-way function as an oracle, and its proof of security uses the one-way function and any adversary breaking the protocol also as oracles) (footnote 5).

Question and Motivation. Impagliazzo and Rudich [IR89, Section 8] mention as an open question (which they attribute to Merkle) to find out whether their attack can be improved to $O(n^2)$ queries (hence showing the optimality of Merkle's protocol in the random oracle model) or there exist key agreement protocols in the random oracle model with $\omega(n^2)$ security. Beyond just being a natural question, it also has some practical and theoretical motivations. The practical motivation is that protocols with a sufficiently large polynomial gap could be secure enough in practice; e.g., a key agreement protocol taking $10^9$ operations to run and $(10^9)^6 = 10^{54}$ operations to break could be good enough for many applications (footnote 6). In fact, as was argued by Merkle himself [Mer74], as technology improves and honest users can afford to run more operations, such polynomial gaps only become more useful since the ratio between the work required by the attacker and the honest user will grow as well. Thus, if the known algebraic key agreement protocols were broken, one might look to a polynomial-security protocol such as Merkle's for an alternative. Another motivation is theoretical: Merkle's protocol has very limited interaction (consisting of one round in which both parties simultaneously broadcast a message) and in particular it implies a public key encryption scheme. It is natural to ask whether more interaction can help achieve some polynomial advantage over this simple protocol. Brakerski et al. [BKSY11] show a simple $O(n^2)$-query attack for protocols with perfect completeness based on random oracles (footnote 7), where the probability is over both the oracle and the parties' random seeds. In this work we focus on the main question of [IR89] in full-fledged form.

Footnote 2. This is not to be confused with some more recent works such as [BR93] that combine the random oracle model with assumptions on the intractability of other problems, such as factoring or the RSA problem, to obtain more efficient cryptographic constructions.

Footnote 3. More accurately, [IR89] gave an $O(m^6 \log m)$-query attack where $m$ is the maximum of the number of queries $n$ and the number of communication rounds, though we believe their analysis could be improved to an $O(n^6 \log n)$-query attack. For the sake of simplicity, when discussing [IR89]'s results we will assume that $m = n$, though for our result we do not need this assumption.

Footnote 4. The proof of this statement for the case of non-uniform adversaries is quite nontrivial; see [GGKT05] for a proof.

Footnote 5. This argument applies to our result as well, and of course extends to any other primitive that is implied by random oracles (e.g., collision-resistant hash functions) in a black-box way.

Footnote 6. These numbers are just an example, and in practical applications the constant terms will make an important difference; however, we note that these particular constants are not ruled out by [IR89]'s attack but are ruled out by ours, taking the number of operations to mean the number of calls to the oracle.

1.1 Our Results

In this work we answer the above question of [IR89] by showing that every protocol in the random oracle model where Alice and Bob make $n$ oracle queries can be broken with high probability by an adversary making $O(n^2)$ queries. That is, we prove the following:

Theorem 1.2 (Main Theorem). Let $\Pi$ be a two-party protocol in the random oracle model such that when executing $\Pi$ the two parties Alice and Bob make at most $n$ queries each, and their outputs are identical with probability at least $\rho$. Then, for every $0 < \delta < \rho$, there is an eavesdropping adversary Eve making $O(n^2/\delta^2)$ queries to the oracle whose output agrees with Bob's output with probability at least $\rho - \delta$.

To the best of our knowledge, no better bound than the $\widetilde{O}(n^6)$-query attack of [IR89] was previously known even in the case where one does not assume the one-way function is a random oracle (which would have made the task of proving a negative result easier).

In the original publication of this work [BMG09], the following technical result (Theorem 1.3) was implicit in the proof of Theorem 1.2. Since this particular result has found uses in works subsequent to the original publication [BMG09], here we state and prove it explicitly. This theorem, roughly speaking, asserts that by running the attacker of Theorem 1.2 the "correlation" between the "views" of Alice and Bob (conditioned on Eve's knowledge) remains close to zero at all times. The view of a party consists of the information they possess at any moment during the execution of the protocol: their private randomness, the public messages, and their private interaction with the oracle.

Theorem 1.3 (Making Views Almost Independent; Informal). Let $\Pi$ be a two-party protocol in the random oracle model such that when executing $\Pi$ the two parties Alice and Bob make at most $n$ oracle queries each. Then for any $\alpha, \beta < 1/10$ there is an eavesdropper Eve making $\mathrm{poly}(n/(\alpha\beta))$ queries to the oracle such that with probability at least $1 - \alpha$ the following holds at the end of every round: the joint distribution of Alice's and Bob's views so far, conditioned on Eve's view, is $\beta$-close to being a product of independent distributions.

See Section 4 for the formal statement and proof of Theorem 1.3.

Footnote 7. We are not aware of any perfectly complete $n$-query key agreement protocol in the random oracle model with $\omega(n)$ security.
In other words, it seems conceivable that all such protocols could be broken with a linear number of queries.

1.2 Related Work

Quantum-Resilient Key Agreement. In one central scenario in which some algebraic key agreement protocols will be broken, namely the construction of practical quantum computers, Merkle's protocol will also be broken with a linear number of oracle queries using Grover's search algorithm [Gro96]. In the original publication of this work we asked whether our $O(n^2)$-query classical attack could lead to an $O(n)$-query quantum attack against any classical protocol (where Eve accesses the random oracle in superposition). We note that using quantum communication there is an information-theoretically secure key agreement protocol [BBE92]. Brassard and Salvail [BS08] (independently observed by [BGI08]) gave a quantum version of Merkle's protocol, showing that Alice and Bob can use quantum computation (but classical communication) to obtain a key agreement protocol with super-linear $n^{3/2}$ security in the random oracle model against quantum adversaries. Finally, Brassard et al. [BHK+11] resolved our question negatively by presenting a classical protocol in the random oracle model with super-linear security $\Omega(n^{3/2 - \varepsilon})$ for arbitrarily small constant $\varepsilon$.

Attacks in Small Parallel Time. Mahmoody, Moran, and Vadhan [MMV11] showed how to improve the round complexity of the attacker of Theorem 1.2 to $n$ (which is optimal) for the case of one-message protocols, where a round here refers to a set of queries that are asked to the oracle in parallel (footnote 8). Their result rules out constructions of "time-lock puzzles" in the parallel random oracle model in which the polynomial-query solver needs more parallel time (i.e., rounds of parallel queries to the random oracle) than the puzzle generator to solve the puzzle. As an application back to our setting, [MMV11] used the above result and showed that every $n$-query (even multi-round) key agreement protocol can be broken by $O(n^3)$ queries in only $n$ rounds of oracle queries, improving the $\Omega(n^2)$-round attack of our work by a factor of $n$. Whether an $O(n)$-round $O(n^2)$-query attack is possible remains an intriguing open question.

Footnote 8. For example, a non-adaptive attacker who prepares all of its oracle queries and then asks them in one shot has round complexity one.

Black-Box Separations and the Power of Random Oracles. The work of Impagliazzo and Rudich [IR89] laid down the framework for the field of black-box separations. A black-box separation of a primitive $Q$ from another primitive $P$ rules out any construction of $Q$ from $P$ as long as it treats the primitive $P$ and the adversary (in the security proof) as oracles. We refer the reader to the excellent survey by Reingold et al. [RTV04] for the formal definition and its variants. Due to the abundance of black-box techniques in cryptography, a black-box separation indicates a major disparity between how hard it is to achieve $P$ vs. $Q$, at least with respect to black-box techniques. The work of [IR89] employed the so-called "oracle separation" method to derive their black-box separation. In particular, they showed that relative to the oracle $O = (R, \mathrm{PSPACE})$, in which $R$ is a random oracle, one-way functions exist (with high probability) but secure key agreement does not. The existence of such an oracle implies a black-box separation. The main technical step in the proof of [IR89] is to show that relative to a random oracle $R$, any key agreement protocol can be broken by an adversary who is computationally unbounded and asks at most $S = \mathrm{poly}(n)$ queries (where $n$ is the security parameter). The smallest such polynomial $S$ for any construction $C$ can be considered as a quantitative black-box security for $C$ in the random oracle model. This is indeed the setting of our paper, and we study the optimal black-box security of key agreement in the random oracle model. Our Theorem 1.2 proves that $\Theta(n^2)$ is the optimal security one can achieve for an $n$-query key agreement protocol in the random oracle model. The techniques used in the proof of Theorem 1.2 have found applications in the contexts of black-box separations and black-box security in the random oracle model (see, e.g., [KSY11, BKSY11, MP12]).

In the following we describe some of the works that focus on the power of random oracles in secure two-party computation. Dachman-Soled et al. [DSLMM11] were the first to point out that results implicit in our proof of Theorem 1.2 in the original publication of this work [BMG09] could be used to show the existence of eavesdropping attacks that gather enough information from the oracle such that, conditioned on this information, the views of Alice and Bob become "close" to being independent (see Lemma 5 of [DSLMM11]). Such results were used in [DSLMM11], [MMP14], and [HHRS07] to explore the power of random oracles in secure two-party computation. Dachman-Soled et al. showed that "optimally-fair" coin tossing protocols [Cle86] cannot be based on one-way functions with $n$ input and $n$ output bits in a black-box way if the protocol has $o(n/\log n)$ rounds. Mahmoody, Maji, and Prabhakaran [MMP14] proved that random oracles are useful for secure two-party computation of finite (or at most polynomial-size domain) deterministic functions only as the commitment functionality. Their results showed that "non-trivial" functions cannot be computed securely by a black-box use of one-way functions.
Haitner, Omri, and Zarosim [HOZ13] studied input-less randomized functionalities and showed that a random oracle (footnote 9) is, to a large extent, useless for such functionalities as well. In particular, it was shown that for every protocol $\Pi$ in the random oracle model, and every polynomial $p(\cdot)$, there is a protocol in the no-oracle model that is "$1/p(\cdot)$-close" to $\Pi$. [HOZ13] proved this result by using the machinery developed in the original publication of this work (e.g., the graph characterization of Section 3.3.2) and simplified some of the steps of the original proof. [HOZ13] showed how to use such lower bounds for the input-less setting to prove black-box separations from one-way functions for "differentially private" two-party functionalities in the with-input setting.

Footnote 9. [HOZ13] proved this result for a larger class of oracles; see [HOZ13] for more details.

1.3 Our Techniques

The main technical challenge in proving our main result is the issue of dependence between the executions of the two parties Alice and Bob in a key agreement protocol. At first sight, it may seem that a computationally unbounded attacker that monitors all communication between Alice and Bob will trivially be able to find out their shared key. But the presence of the random oracle allows Alice and Bob to correlate their executions even without communicating (which is indeed the reason that Merkle's protocol achieves nontrivial security). Dealing with such correlations is the cause of the technical complexity in both our work and the previous work of Impagliazzo and Rudich [IR89]. We handle this issue in a different way than [IR89]. On a very high level, our approach can be viewed as using more information about the structure of these correlations than [IR89] did. This allows us to analyze a more efficient attacking algorithm that is more frugal with the number of queries it uses than the attacker of [IR89]. Below we provide a more detailed (though still high level) exposition of our technique and its relation to [IR89]'s technique. We now review [IR89]'s attack (and its analysis) and particularly discuss the subtle issue of dependence between Alice and Bob that arises in both their work and ours. However, no result of this section is used in the later sections, and so the reader should feel free at any time to skip ahead to the next sections, which contain our actual attack and its analysis.

1.3.1 The Approach of [IR89]

Consider a protocol that consists of $n$ rounds of interaction, where each party makes exactly one oracle query before sending its message. [IR89] called protocols of this type "normal-form protocols" and gave an $\widetilde{O}(n^3)$ attack against them (their final result was obtained by transforming every protocol into a normal-form protocol with a quadratic loss of efficiency). Even though without loss of generality the attacker Eve of a key agreement protocol can defer all of her computation until after the interaction between Alice and Bob is finished, it is conceptually simpler in both [IR89]'s case and ours to think of the attacker Eve as running concurrently with Alice and Bob. In particular, the attacker Eve of [IR89] performed the following operations after each round $i$ of the protocol:

- If round $i$ is one in which Bob sent a message, then at this point Eve samples $1000 n \log n$ random executions of Bob from the distribution $D$ of Bob's executions that are consistent with the information that Eve has at that moment (which consists of the communication transcript and previous oracle answers). That is, Eve samples a uniformly random tape for Bob and uniformly random query answers subject to being consistent with Eve's information. After each time she samples an execution, Eve asks the oracle all the queries that are asked during this execution and records the answers. (Generally, the true answers will be different from Eve's guessed answers when sampling the execution.)
- If round $i$ is one in which Alice sent a message, then Eve does the same with the roles of Alice and Bob exchanged.

Overall Eve will sample $\widetilde{O}(n^2)$ executions, making a total of $\widetilde{O}(n^3)$ queries. It is not hard to see that as long as Eve learns all of the intersection queries (queries asked by both Alice and Bob during the execution) then she can recover the shared secret with high probability. Thus the bulk of [IR89]'s analysis was devoted to showing the following claim.

Claim 1.4. With probability at least $0.9$ Eve never fails, where we say that Eve fails at round $i$ if the query made in this round by, say, Alice was asked previously by Bob but not by Eve.

At first look, it may seem that one could easily prove Claim 1.4. Indeed, Claim 1.4 would follow by showing that at any round $i$, the probability that Eve fails in round $i$ for the first time is at most $1/(10n)$. Now all the communication between Alice and Bob is observed by Eve, and if no failure has yet happened then Eve has also observed all the intersection queries so far. Because the answers for non-intersection queries are completely random and independent from one another, it seems that Alice has no more information about Bob than Eve does, and hence if the probability that Alice's query $q$ was asked before by Bob is more than $1/(10n)$ then this query $q$ has probability at least $1/(10n)$ of appearing in each one of Eve's sampled executions of Bob. Since Eve makes $1000 n \log n$ such samples, the probability that Eve misses $q$ would be bounded by $(1 - \frac{1}{10n})^{1000 n \log n} \ll 1/(10n)$.

The Dependency Issue. When trying to turn the above intuition into a proof, the assumption that Eve has as much information about Bob as Alice does translates to the following statement: conditioned on Eve's information, the distributions of Alice's view and Bob's view are independent from one another (footnote 10). Indeed, if this statement were true then the above paragraph could have been easily translated into a proof that [IR89]'s attacker is successful, and it wouldn't have been hard to optimize this attacker to achieve $O(n^2)$ queries. Alas, this statement is false. Intuitively the reason is the following: even the fact that Eve has not missed any intersection queries is some nontrivial information that Alice and Bob share, and it creates dependence between them (footnote 11). Impagliazzo and Rudich [IR89] dealt with this issue by a "charging argument", where they showed that such dependence can be charged in a certain way to one of the executions sampled by Eve, in such a way that at most $n$ samples are charged at each round (and the rest of Eve's samples are distributed correctly, as if the independence assumption were true). This argument inherently required sampling at least $n$ executions (each of $n$ queries) per round, resulting in an $\Omega(n^3)$ attack.

Footnote 10. Readers familiar with the setting of communication complexity may note that this is analogous to the well known fact that conditioning on any transcript of a 2-party communication protocol results in a product distribution (i.e., a combinatorial rectangle) over the inputs. However, things are different in the presence of a random oracle.

1.3.2 Our Approach

We now describe our approach and how it differs from the previous proof of [IR89]. The discussion below is somewhat high level and vague, and glosses over some important details.
Again, the reader is we lcome to skip ahead at an y time to Section 3 that conta ins the full description of our attac k and do es not dep en d on this section in an y wa y . Our atta c king algorithm follo ws the same general outline as that of [ IR89 ] b u t has tw o imp ortan t differences: 1. One quantitative d ifference is that while our atta c k er Ev e also computes a distribution D of p ossible executions of Alice and Bob conditioned on her knowledge , she do es not sample f ull executions from D ; r ather, she compu tes wh ether there is an y qu ery q ∈ { 0 , 1 } ∗ that has probabilit y more than, sa y , 1 / (1 00 n ) of b eing in D and makes only suc h he avy q u eries. In tuitiv ely , since Alice and Bob mak e at m ost 2 n queries, the to tal exp ected num b er of hea vy queries (and h ence the qu er y complexit y of Eve) is b oun ded by O ( n 2 ). Th e actual analysis is more in v olv ed since the d istr ibution D k eeps c hanging as Ev e learns more information through the m essages she observ es and oracle answers she r eceiv es. 2. The qualitative d ifference is that h ere we do not consider the same distribution D that was considered b y [ IR89 ]. Their attac k er to some exten t “pretended” that the conditional distri- butions of Alice and Bob are indep enden t from one another and only considered one p art y in eac h round. In co nt rast, w e defin e our distr ibution D to b e the j oint distribution of Alice and Bob, where there could b e dep endencies b et w een them. Th us, to sample from our d istr ibution D one w ould need to sample a p air of exec utions of Alice and Bob (random tapes and oracle answ ers) that are c onsistent w ith one an other and Ev e’s curr en t knowledge . 
The main c hallenge in the analysis is to pr ov e that the attac k is su c c e ssful (i.e., that Claim 1.4 ab o v e holds) and in particular that the probability of failur e at eac h round (or more generally , at eac h query of Alice or Bob) is b ounded b y , sa y , 1 / (10 n ). Once again, things w ou ld ha v e b een ea sy if we knew that th e d istr ibution D of the possible executions of Alice and Bob conditioned on Eve’s kno wledge is a pr o duct distribution , and hence Alice has no more inform ation on Bob th an Ev e has. While th is is not generally true, we show that in our att ac k this distribution is close to b eing a pr o duct distribution , in a pr ecise sense. 11 As a simple example f or suc h dep enden ce consider a protocol where in t h e first roun d Alice c h ooses x (which is going to b e the shared key) to b e either the string 0 n or 1 n at random, qu eries the oracle H at x and sends y = H ( x ) to Bob. Bob then makes the query 1 n and gets y ′ = H (1 n ). No w even if Alice c hose x = 0 n and hence Alice and Bob hav e no in tersection queries, Bob can find out the va lue of x just by observing that y ′ 6 = y . S till, an attack er must ask a non-in tersection query such as 1 n to know if x = 0 n or x = 1 n . 7 A t an y p oin t in the execution, fix Eve ’s curr ent information ab out the system and d efine a bipar- tite graph G w hose left-side v ertices corresp ond to p ossible executions of Alice that are consistent with Ev e’s information and righ t-side v ertices corresp ond to p ossible executions of Bob consisten t with Ev e’s in formation. W e p ut an edge b etw een t wo executions A and B if they are consisten t with one another and moreov er if they do not represent an execution in which Eve has already faile d (i.e., there is no intersecti on query th at is aske d in b oth executions A and B but not by Eve). 
Roughly speaking, the distribution $D$ that our attacker Eve considers can be thought of as choosing a uniformly random edge in the graph $G$. (Note that the graph $G$ and the distribution $D$ change at each point that Eve learns some new information about the system.) If $G$ were the complete bipartite graph then $D$ would be a product distribution. Although $G$ can rarely be the complete graph, what we show is that $G$ is still dense in the sense that each vertex is connected to most of the vertices on the other side. Relying on the density of this graph, we show that Alice's probability of hitting a query that Bob asked before is at most twice the probability that Eve does so if she chooses the most likely query based on her knowledge. The bound on the degree is obtained by showing that $G$ can be represented as a disjointness graph, where each vertex $u$ is associated with a set $S(u)$ (from an arbitrarily large universe) and there is an edge between a left-side vertex $u$ and a right-side vertex $v$ if and only if $S(u) \cap S(v) = \emptyset$. The set $S(u)$ corresponds to the queries made in the execution corresponding to $u$ that are not asked by Eve. The definition of the graph $G$ implies that $|S(u)| \le n$ for all vertices $u$. The definition of our attacking algorithm implies that the distribution obtained by picking a random edge $e = (u, v)$ and outputting $S(u) \cup S(v)$ is light in the sense that there is no element $q$ in the universe that has probability more than $1/(10n)$ of being in a set chosen from this distribution. We show that these conditions imply that each vertex is connected to most of the vertices on the other side.

2 Preliminaries

We use bold fonts to denote random variables. By $Q \leftarrow \mathbf{Q}$ we indicate that $Q$ is sampled from the distribution of the random variable $\mathbf{Q}$. By $(\mathbf{x}, \mathbf{y})$ we denote a joint distribution over the random variables $\mathbf{x}, \mathbf{y}$.
By $\mathbf{x} \equiv \mathbf{y}$ we denote that $\mathbf{x}$ and $\mathbf{y}$ are identically distributed. For jointly distributed $(\mathbf{x}, \mathbf{y})$, by $(\mathbf{x} \mid \mathbf{y} = y)$ we denote the distribution of $\mathbf{x}$ conditioned on $\mathbf{y} = y$. When it is clear from the context we might simply write $(\mathbf{x} \mid y)$ instead of $(\mathbf{x} \mid \mathbf{y} = y)$. By $(\mathbf{x} \times \mathbf{y})$ we denote a product distribution in which $\mathbf{x}$ and $\mathbf{y}$ are sampled independently. For a finite set $S$, by $x \leftarrow S$ we denote that $x$ is sampled from $S$ uniformly at random. By $\mathrm{Supp}(\mathbf{x})$ we denote the support set of the random variable $\mathbf{x}$, defined as $\mathrm{Supp}(\mathbf{x}) = \{x \mid \Pr[\mathbf{x} = x] > 0\}$. For any event $E$, by $\neg E$ we denote the complement of the event $E$.

Definition 2.1. A partial function $F$ is a function $F : D \mapsto \{0,1\}^*$ defined over some domain $D \subseteq \{0,1\}^*$. We call two partial functions $F_1, F_2$ with domains $D_1, D_2$ consistent if $F_1(x) = F_2(x)$ for every $x \in D_1 \cap D_2$. (In particular, $F_1$ and $F_2$ are consistent if $D_1 \cap D_2 = \emptyset$.)

In previous work random oracles are defined either as Boolean functions [IR89] or as length-preserving functions [BR93]. In this work we use a general definition that captures both cases by only requiring the oracle answers to be independent. Since our goal is to give attacks in this model, using this definition makes our results more general and applicable to both scenarios.

Definition 2.2 (Random Oracles). A random oracle $\mathbf{H}(\cdot)$ is a random variable whose values are functions $H : \{0,1\}^* \mapsto \{0,1\}^*$ such that $\mathbf{H}(x)$ is distributed independently of $\mathbf{H}(\{0,1\}^* \setminus \{x\})$ for all $x \in \{0,1\}^*$, and such that $\Pr[\mathbf{H}(x) = y]$ is a rational number for every pair $(x, y)$ (see footnote 12). For any finite partial function $F$, by $\Pr_{\mathbf{H}}[F]$ we denote the probability that the random oracle $\mathbf{H}$ is consistent with $F$. Namely, $\Pr_{\mathbf{H}}[F] = \Pr_{H \leftarrow \mathbf{H}}[F \subseteq H]$ and $\Pr_{\mathbf{H}}[\emptyset] = 1$, where $F \subseteq H$ means that the partial function $F$ is consistent with $H$.

Footnote 12. Our results extend to the case where the probabilities are not necessarily rational numbers; however, since every reasonable candidate random oracle we are aware of satisfies this rationality condition, and it avoids some technical subtleties, we restrict attention to oracles that satisfy it. In Section 4.2 we show how to remove this restriction.

Remark 2.3 (Infinite vs. Finite Random Oracles). In this work we will always work with finite random oracles, which are only queried on inputs of length $n \le \mathrm{poly}(\kappa)$ where $\kappa$ is a (security) parameter given to the parties. Thus, we only need a finite variant of Definition 2.2. However, in the case of infinite random oracles (as in Definition 2.2) we need a measure space over the space of full infinite oracles that is consistent with the finite probability distributions of $\mathbf{H}(\cdot)$ restricted to inputs $\{0,1\}^n$ for all $n = 1, 2, \dots$. By Carathéodory's extension theorem, such a measure space exists and is unique (see Theorem 4.6 of [Hol15]).

Since for every random oracle $\mathbf{H}(\cdot)$ and fixed $x$ the random variable $\mathbf{H}(x)$ is independent of $\mathbf{H}(x')$ for all $x' \neq x$, we can use the following characterization of $\Pr_{\mathbf{H}}[F]$ for every partial function $F \subseteq \{0,1\}^* \times \{0,1\}^*$. Here we only state and use this lemma for finite sets.

Proposition 2.4. For every random oracle $\mathbf{H}(\cdot)$ and every finite partial function $F \subset \{0,1\}^* \times \{0,1\}^*$ we have
$$\Pr_{\mathbf{H}}[F] = \prod_{(x,y) \in F} \Pr[\mathbf{H}(x) = y].$$

Now we derive the following lemma from the above proposition.

Lemma 2.5. For consistent finite partial functions $F_1, F_2$ and a random oracle $\mathbf{H}$ it holds that
$$\Pr_{\mathbf{H}}[F_1 \cup F_2] = \frac{\Pr_{\mathbf{H}}[F_1] \cdot \Pr_{\mathbf{H}}[F_2]}{\Pr_{\mathbf{H}}[F_1 \cap F_2]}.$$

Proof. Since $F_1$ and $F_2$ are consistent, we can think of $F = F_1 \cup F_2$ as a partial function. Therefore, by Proposition 2.4 and the inclusion-exclusion principle we have:
$$\Pr_{\mathbf{H}}[F_1 \cup F_2] = \prod_{(x,y) \in F_1 \cup F_2} \Pr[\mathbf{H}(x) = y] = \frac{\prod_{(x,y) \in F_1} \Pr[\mathbf{H}(x) = y] \cdot \prod_{(x,y) \in F_2} \Pr[\mathbf{H}(x) = y]}{\prod_{(x,y) \in F_1 \cap F_2} \Pr[\mathbf{H}(x) = y]} = \frac{\Pr_{\mathbf{H}}[F_1] \cdot \Pr_{\mathbf{H}}[F_2]}{\Pr_{\mathbf{H}}[F_1 \cap F_2]}.$$

Lemma 2.6 (Lemma 6.4 in [IR89]). Let $E$ be any event defined over a random variable $\mathbf{x}$, and let $\mathbf{x}_1, \mathbf{x}_2, \dots$ be a sequence of random variables all determined by $\mathbf{x}$. Let $D$ be the event defined over $(\mathbf{x}_1, \dots)$ that holds if and only if there exists some $i \ge 1$ such that $\Pr[E \mid \mathbf{x}_1, \dots, \mathbf{x}_i] \ge \lambda$. Then $\Pr[E \mid D] \ge \lambda$.

Lemma 2.7. Let $E$ be any event defined over a random variable $\mathbf{x}$, and let $\mathbf{x}_1, \mathbf{x}_2, \dots$ be a sequence of random variables all determined by $\mathbf{x}$. Suppose $\Pr[E] \le \lambda$ and $\lambda = \lambda_1 \cdot \lambda_2$. Let $D$ be the event defined over $(\mathbf{x}_1, \dots)$ that holds if and only if there exists some $i \ge 1$ such that $\Pr[E \mid \mathbf{x}_1, \dots, \mathbf{x}_i] \ge \lambda_1$. Then it holds that $\Pr[D] \le \lambda_2$.

Proof. Lemma 2.6 shows that $\Pr[E \mid D] \ge \lambda_1$. Now we prove the contrapositive of Lemma 2.7. If $\Pr[D] > \lambda_2$, then we would get $\Pr[E] \ge \Pr[E \wedge D] = \Pr[D] \cdot \Pr[E \mid D] > \lambda_1 \cdot \lambda_2 = \lambda$, a contradiction.

2.1 Statistical Distance

Definition 2.8 (Statistical Distance). By $\Delta(\mathbf{x}, \mathbf{y})$ we denote the statistical distance between the random variables $\mathbf{x}, \mathbf{y}$, defined as $\Delta(\mathbf{x}, \mathbf{y}) = \frac{1}{2} \cdot \sum_z |\Pr[\mathbf{x} = z] - \Pr[\mathbf{y} = z]|$. We call random variables $\mathbf{x}$ and $\mathbf{y}$ $\varepsilon$-close, denoted by $\mathbf{x} \approx_\varepsilon \mathbf{y}$, if $\Delta(\mathbf{x}, \mathbf{y}) \le \varepsilon$.

We use the following well-known lemmas about statistical distance.

Lemma 2.9. $\Delta(\mathbf{x}, \mathbf{y}) \le \varepsilon$ if and only if either of the following holds:
1. For every (even randomized) function $D$ it holds that $\Pr[D(\mathbf{x}) = 1] - \Pr[D(\mathbf{y}) = 1] \le \varepsilon$.
2. For every event $E$ it holds that $\Pr_{\mathbf{x}}[E] - \Pr_{\mathbf{y}}[E] \le \varepsilon$.
Moreover, if $\Delta(\mathbf{x}, \mathbf{y}) = \varepsilon$, then there is a deterministic (detecting) Boolean function $D$ that achieves $\Pr[D(\mathbf{x}) = 1] - \Pr[D(\mathbf{y}) = 1] = \varepsilon$.

Lemma 2.10. It holds that $\Delta((\mathbf{x}, \mathbf{z}), (\mathbf{y}, \mathbf{z})) = \mathbb{E}_{z \leftarrow \mathbf{z}}\, \Delta((\mathbf{x} \mid z), (\mathbf{y} \mid z))$.

Lemma 2.11. If $\Delta(\mathbf{x}, \mathbf{y}) \le \varepsilon_1$ and $\Delta(\mathbf{y}, \mathbf{z}) \le \varepsilon_2$, then $\Delta(\mathbf{x}, \mathbf{z}) \le \varepsilon_1 + \varepsilon_2$.

Lemma 2.12. $\Delta((\mathbf{x}_1, \mathbf{x}_2), (\mathbf{y}_1, \mathbf{y}_2)) \ge \Delta(\mathbf{x}_1, \mathbf{y}_1)$.

We use the convention for the notation $\Delta(\cdot, \cdot)$ that whenever $\Pr[\mathbf{x} \in E] = 0$ for some event $E$, we let $\Delta((\mathbf{x} \mid E), \mathbf{y}) = 1$ for every random variable $\mathbf{y}$.

Lemma 2.13. Suppose $\mathbf{x}, \mathbf{y}$ are finite random variables, and suppose $G$ is some event defined over $\mathrm{Supp}(\mathbf{x})$. Then $\Delta(\mathbf{x}, \mathbf{y}) \le \Pr_{\mathbf{x}}[G] + \Delta((\mathbf{x} \mid \neg G), \mathbf{y})$.

Proof. Let $\mathbf{g}$ be a Boolean random variable jointly distributed with $\mathbf{x}$ as follows: $\mathbf{g} = 1$ if and only if $\mathbf{x} \in G$. Suppose $\mathbf{y}$ is sampled independently of $(\mathbf{x}, \mathbf{g})$ (and so $(\mathbf{y}, \mathbf{g}) \equiv (\mathbf{y} \times \mathbf{g})$). By Lemmas 2.12 and 2.10 we have:
$$\Delta(\mathbf{x}, \mathbf{y}) \le \Delta((\mathbf{x}, \mathbf{g}), (\mathbf{y}, \mathbf{g})) = \mathbb{E}_{g \leftarrow \mathbf{g}}\, \Delta((\mathbf{x} \mid g), (\mathbf{y} \mid g)) = \mathbb{E}_{g \leftarrow \mathbf{g}}\, \Delta((\mathbf{x} \mid g), \mathbf{y})$$
$$= \Pr[\mathbf{g} = 1] \cdot \Delta((\mathbf{x} \mid \mathbf{g} = 1), \mathbf{y}) + \Pr[\mathbf{g} = 0] \cdot \Delta((\mathbf{x} \mid \mathbf{g} = 0), \mathbf{y}) \le \Pr[\mathbf{g} = 1] + \Delta((\mathbf{x} \mid \mathbf{g} = 0), \mathbf{y}) = \Pr_{\mathbf{x}}[G] + \Delta((\mathbf{x} \mid \neg G), \mathbf{y}).$$

Definition 2.14 (Key Agreement). A key agreement protocol consists of two interactive polynomial-time probabilistic Turing machines $(A, B)$ that both get $1^n$ as the security parameter, each get secret randomness $r_A, r_B$, and after interacting for $\mathrm{poly}(n)$ rounds $A$ outputs $s_A$ and $B$ outputs $s_B$. We say a key agreement scheme $(A, B)$ has completeness $\rho$ if $\Pr[s_A = s_B] \ge \rho(n)$. For an arbitrary oracle $O$, we define key agreement protocols (and their completeness) relative to $O$ by simply allowing $A$ and $B$ to be efficient algorithms relative to $O$.

Security of Key Agreement Protocols. It can be easily seen that no key agreement protocol with completeness $\rho > 0.9$ could be statistically secure, and that there is always a computationally unbounded eavesdropper Eve who can guess the shared secret key $s_A = s_B$ with probability at least $1/2 + \mathrm{neg}(n)$.
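The statistical-distance lemmas of Section 2.1 are used throughout the analysis, so the following added example (not code from the paper) computes $\Delta$ exactly with rational arithmetic, exhibits the deterministic distinguishing event of Lemma 2.9, and checks Lemma 2.13 (together with the triangle inequality of Lemma 2.11) on two constructed distributions over 4-bit strings. The distributions and the event $G$ are assumptions chosen for illustration; the convention $\Delta((\mathbf{x} \mid E), \mathbf{y}) = 1$ when $\Pr[\mathbf{x} \in E] = 0$ is implemented as stated in the text.

```python
"""Added example (not from the paper): exact statistical distance
(Definition 2.8) and checks of Lemmas 2.9, 2.11 and 2.13 on constructed
distributions. A distribution is a dict {outcome: Fraction}."""
from fractions import Fraction as Fr


def stat_dist(x, y):
    """Delta(x, y) = 1/2 * sum_z |Pr[x=z] - Pr[y=z]|  (Definition 2.8)."""
    return sum(abs(x.get(z, Fr(0)) - y.get(z, Fr(0)))
               for z in set(x) | set(y)) / 2


def best_distinguisher(x, y):
    """The deterministic event E = {z : Pr[x=z] > Pr[y=z]} of Lemma 2.9;
    its advantage Pr_x[E] - Pr_y[E] equals Delta(x, y) exactly."""
    return {z for z in set(x) | set(y) if x.get(z, Fr(0)) > y.get(z, Fr(0))}


def advantage(x, y, event):
    """Pr_x[event] - Pr_y[event] (item 2 of Lemma 2.9)."""
    return (sum(x.get(z, Fr(0)) for z in event)
            - sum(y.get(z, Fr(0)) for z in event))


def condition(x, event):
    """(x | event); None when Pr_x[event] = 0, the case the paper's
    convention assigns distance 1."""
    mass = sum(p for z, p in x.items() if z in event)
    if mass == 0:
        return None
    return {z: p / mass for z, p in x.items() if z in event}


def lemma_2_13_bound(x, y, g):
    """Right-hand side of Lemma 2.13: Pr_x[G] + Delta((x | not G), y)."""
    pr_g = sum(p for z, p in x.items() if z in g)
    rest = condition(x, set(x) - set(g))
    return pr_g + (Fr(1) if rest is None else stat_dist(rest, y))


# Constructed distributions over 4-bit strings (assumption): Y is uniform,
# X is uniform except that the outcome "0000" is over-weighted.
OUTCOMES = [format(i, "04b") for i in range(16)]
Y = {z: Fr(1, 16) for z in OUTCOMES}
X = {z: (Fr(1, 4) if z == "0000" else Fr(1, 20)) for z in OUTCOMES}
G = {"0000"}  # the event of Lemma 2.13, chosen to be the over-weighted point

if __name__ == "__main__":
    print("Delta(X, Y)      =", stat_dist(X, Y))
    print("best event       =", best_distinguisher(X, Y),
          "advantage", advantage(X, Y, best_distinguisher(X, Y)))
    print("Lemma 2.13 bound =", lemma_2_13_bound(X, Y, G))
```

On this instance the distance is $3/16$, the maximizing event is exactly $\{0000\}$, and the Lemma 2.13 bound is $1/4 + 1/16 = 5/16$; the two terms of that bound are precisely $\Delta(\mathbf{x}, (\mathbf{x} \mid \neg G))$ and $\Delta((\mathbf{x} \mid \neg G), \mathbf{y})$, so the lemma is the triangle inequality of Lemma 2.11 through the conditioned distribution.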
In this work we are interested in the statistical security of key agreement protocols in the random oracle model. Namely, we would like to know how many oracle queries are required to break a key agreement protocol relative to a random oracle.

3 Proving the Main Theorem

In this section we prove the next theorem, which implies our Theorem 1.2 as a special case.

Theorem 3.1. Let $\Pi$ be a two-party interactive protocol between Alice and Bob using a random oracle $\mathbf{H}$ (accessible by everyone) such that:
• Alice uses local randomness $r_A$, makes at most $n_A$ queries to $H$ and at the end outputs $s_A$.
• Bob uses local randomness $r_B$, makes at most $n_B$ queries to $H$ and at the end outputs $s_B$.
• $\Pr[s_A = s_B] \ge \rho$, where the probability is over the choice of $(r_A, r_B, H) \leftarrow (\mathbf{r}_A, \mathbf{r}_B, \mathbf{H})$.
Then, for every $0 < \delta < \rho$, there is a deterministic eavesdropping adversary Eve who only gets access to the public sequence of messages $M$ sent between Alice and Bob, makes at most $400 \cdot n_A \cdot n_B / \delta^2$ queries to the oracle $H$, and outputs $s_E$ such that $\Pr[s_E = s_B] \ge \rho - \delta$.

3.1 Notation and Definitions

In this subsection we give some definitions and notation to be used in the proof of Theorem 3.1. W.l.o.g. we assume that Alice, Bob, and Eve never ask an oracle query twice. Recall that Alice (resp. Bob) asks at most $n_A$ (resp. $n_B$) oracle queries.

Rounds. Alice sends her messages in odd rounds and Bob sends his messages in even rounds. Suppose $i = 2j - 1$ and it is Alice's turn to send the message $m_i$. This round starts by Alice asking her oracle queries and computing $m_i$; then Alice sends $m_i$ to Bob, and the round ends by Eve asking her (new) oracle queries based on the messages sent so far, $M_i = [m_1, \dots, m_i]$. The same holds for $i = 2j$ with the roles of Alice and Bob exchanged.

Queries and Views. By $Q_A^i$ we denote the set of oracle queries asked by Alice by the end of round $i$.
By $P_A^i$ we denote the set of oracle query-answer pairs known to Alice by the end of round $i$ (i.e., $P_A^i = \{(q, H(q)) \mid q \in Q_A^i\}$). By $V_A^i$ we denote the view of Alice by the end of round $i$. This view consists of Alice's randomness $r_A$, the exchanged messages $M_i$, and the oracle query-answer pairs $P_A^i$ known to Alice so far. By $Q_B^i, P_B^i, V_B^i$ (resp. $Q_E^i, P_E^i, V_E^i$) we denote the same variables defined for Bob (resp. Eve). Note that $V_E^i$ only consists of $(M_i, P_E^i)$ since Eve does not use any randomness. We also use $Q(\cdot)$ as an operator that extracts the set of queries from a set of query-answer pairs or from a view; namely, $Q(P) = \{q \mid \exists a,\ (q, a) \in P\}$ and $Q(V) = \{q \mid \text{the query } q \text{ is asked in the view } V\}$.

Definition 3.2 (Heavy Queries). For a random variable $\mathbf{V}$ whose samples $V \leftarrow \mathbf{V}$ are sets of queries, sets of query-answer pairs, or views, we say a query $q$ is $\varepsilon$-heavy for $\mathbf{V}$ if and only if $\Pr[q \in Q(\mathbf{V})] \ge \varepsilon$.

Executions and Distributions. A (full) execution of Alice, Bob, and Eve can be described by a tuple $(r_A, r_B, H)$ where $r_A$ denotes Alice's random tape, $r_B$ denotes Bob's random tape, and $H$ is the random oracle (note that Eve is deterministic). We denote by $\mathcal{E}$ the distribution over (full) executions that is obtained by running the algorithms of Alice, Bob and Eve with uniformly chosen random tapes $r_A, r_B$ and a uniformly sampled random oracle $H$. By $\Pr_{\mathcal{E}}[P_A^i]$ we denote the probability that a full execution of the system leads to $\mathbf{P}_A^i = P_A^i$ for a given $P_A^i$. We use the same notation for the other components of the system as well (by treating their occurrence as events).

For a sequence of $i$ messages $M_i = [m_1, \dots, m_i]$ exchanged between the two parties and a set of query-answer pairs (i.e., a partial function) $P$, by $\mathcal{V}(M_i, P)$ we denote the joint distribution over the views $(V_A^i, V_B^i)$ of Alice and Bob in their own (partial) executions up to the point in the system at which the $i$'th message is sent (by Alice or Bob), conditioned on the transcript of messages in the first $i$ rounds being equal to $M_i$ and on $H(q) = a$ for all $(q, a) \in P$. Looking ahead in the proof, the distribution $\mathcal{V}(M_i, P)$ will be the conditional distribution of Alice's and Bob's views in the eyes of the attacker Eve, who knows the public messages and has learned the oracle query-answer pairs described in $P$. For $(M_i, P)$ such that $\Pr_{\mathcal{E}}[M_i, P] > 0$, the distribution $\mathcal{V}(M_i, P)$ can be sampled by first sampling $(r_A, r_B, H)$ uniformly at random conditioned on being consistent with $(M_i, P)$ and then deriving Alice's and Bob's views $V_A^i, V_B^i$ from the sampled $(r_A, r_B, H)$.

For $(M_i, P)$ such that $\Pr_{\mathcal{E}}[M_i, P] > 0$, the event $\mathrm{Good}(M_i, P)$ is defined over the distribution $\mathcal{V}(M_i, P)$ and holds if and only if $Q_A^i \cap Q_B^i \subseteq Q(P)$, for $Q_A^i, Q_B^i$ determined by the sampled views $(V_A^i, V_B^i) \leftarrow \mathcal{V}(M_i, P)$ and $Q(P)$ determined by $P$. For $\Pr_{\mathcal{E}}[M_i, P] > 0$ we define the distribution $\mathcal{GV}(M_i, P)$ to be the distribution $\mathcal{V}(M_i, P)$ conditioned on $\mathrm{Good}(M_i, P)$. Looking ahead to the proof, the event $\mathrm{Good}(M_i, P)$ indicates that the attacker Eve has not "missed" any query that is asked by both Alice and Bob (i.e., an intersection query) so far, and thus $\mathcal{GV}(M_i, P)$ refers to the same distribution as $\mathcal{V}(M_i, P)$ with the extra condition that so far no intersection query has been missed by Eve.
3.2 Attacker's Algorithm

In this subsection we describe an attacker Eve who might ask $\omega(n_A n_B / \delta^2)$ queries, but who finds the key of the two-party key agreement protocol between Alice and Bob with probability $1 - O(\delta)$. Then we show how to make Eve "efficient" without decreasing the success probability too much.

Protocols in Seminormal Form. We say a protocol is in seminormal form (see footnote 13) if (1) the number of oracle queries asked by Alice or Bob in each round is at most one, and (2) when the last message is sent (by Alice or Bob), the other party does not ask any oracle queries and computes its output without using the last message. The second property can be obtained by simply adding an extra message LAST at the end of the protocol. (Note that our results do not depend on the number of rounds.) One can also always achieve the first property without compromising security, as follows. If the protocol has $2\ell$ rounds, we increase the number of rounds to $2\ell \cdot (n_A + n_B - 1)$. Suppose it is Alice's turn to send $m_i$ and before doing so she needs to ask the queries $q_1, \dots, q_k$ (perhaps adaptively) from the oracle. Instead of asking these queries from $H(\cdot)$ and sending $m_i$ in one round, Alice and Bob run $2n_A - 1$ sub-rounds of interaction so that Alice has enough (fake) rounds to ask her queries from $H(\cdot)$ one by one. More formally:
1. For an odd round $i$, the messages of the first $2n_A - 2$ sub-rounds are all equal to $\bot$. Alice sends the first $\bot$ message, and the last message (that of the $(2n_A - 1)$'th sub-round, which is again Alice's) is $m_i$.
2. For $j \le k$, before sending the message of the $(2j - 1)$'th sub-round Alice asks $q_j$ from the oracle. The number of these queries, namely $k$, might not be known to Alice at the beginning of round $i$, but since $k \le n_A$, the number of sub-rounds is enough to let Alice ask all of her queries $q_1, \dots, q_k$ without asking more than one query in any sub-round.
(Bob's rounds are handled symmetrically with $2n_B - 1$ sub-rounds, which gives the total of $\ell(2n_A - 1) + \ell(2n_B - 1) = 2\ell \cdot (n_A + n_B - 1)$ rounds.)

If a protocol is in seminormal form, then in each round there is at most one query asked by the party who sends the message of that round, and we will use this condition in our analysis. Moreover, Eve can simply pretend that any protocol is in seminormal form by imagining in her head that the extra $\bot$ messages are being sent between every two real messages. Therefore, w.l.o.g. in the following we assume that the two-party protocol $\Pi$ has $\ell$ rounds and is in seminormal form (see footnote 14). Finally, note that we cannot simply "expand" a round $i$ in which Alice asks $k_i$ queries into $2k_i$ messages between Alice and Bob, because then Bob would learn how many queries were asked by Alice; with the transformation described above, the actual number of queries asked in that round can remain secret.

Construction 3.3. Let $\varepsilon < 1/10$ be an input parameter. The adversary Eve attacks the $\ell$-round two-party protocol $\Pi$ between Alice and Bob (which is in seminormal form) as follows. During the attack Eve maintains a set $P_E$ of oracle query-answer pairs. Suppose in round $i$ Alice or Bob sends the message $m_i$. After $m_i$ is sent, if $\Pr_{\mathcal{E}}[\mathrm{Good}(M_i, P_E)] = 0$ holds at any moment, then Eve aborts. Otherwise, as long as there is any query $q \notin Q(P_E)$ such that
$$\Pr_{(V_A^i, V_B^i) \leftarrow \mathcal{GV}(M_i, P_E)}[q \in Q(V_A^i)] \ge \frac{\varepsilon}{n_B} \quad \text{or} \quad \Pr_{(V_A^i, V_B^i) \leftarrow \mathcal{GV}(M_i, P_E)}[q \in Q(V_B^i)] \ge \frac{\varepsilon}{n_A}$$
(i.e., $q$ is $(\varepsilon/n_B)$-heavy for Alice or $(\varepsilon/n_A)$-heavy for Bob with respect to the distribution $\mathcal{GV}(M_i, P_E)$), Eve asks the lexicographically first such $q$ from $H(\cdot)$ and adds $(q, H(q))$ to $P_E$.
At the end of round $\ell$ (when Eve is also done with asking her oracle queries), Eve samples $(V'_A, V'_B) \leftarrow \mathcal{GV}(M_\ell, P_E^\ell)$ and outputs Alice's output $s'_A$ determined by $V'_A$ as her own output $s_E$.

Theorem 3.1 directly follows from the next two lemmas.

Footnote 13. We use the term seminormal to distinguish it from the normal form protocols defined in [IR89].

Footnote 14. Impagliazzo and Rudich [IR89] use the term normal form for protocols in which each party asks exactly one query before sending its message in every round.

Lemma 3.4 (Eve Finds the Key). The output $s_E$ of Eve of Construction 3.3 agrees with $s_B$ with probability at least $\rho - 10\varepsilon$ over the choice of $(r_A, r_B, H)$.

Lemma 3.5 (Efficiency of Eve). The probability that Eve of Construction 3.3 asks more than $n_A \cdot n_B / \varepsilon^2$ oracle queries is at most $10\varepsilon$.

Before proving Lemmas 3.4 and 3.5 we first derive Theorem 3.1 from them.

Proof of Theorem 3.1. Suppose we modify the adversary Eve to abort as soon as it asks more than $n_A \cdot n_B / \varepsilon^2$ queries, and call the new adversary EffEve. By Lemmas 3.4 and 3.5 the output $s_E$ of EffEve still agrees with Bob's output $s_B$ with probability at least $\rho - 10\varepsilon - 10\varepsilon = \rho - 20\varepsilon$. Theorem 3.1 follows by using $\varepsilon = \delta/20 < 1/10$ and noting that $n_A \cdot n_B / (\delta/20)^2 = 400 \cdot n_A \cdot n_B / \delta^2$.

3.3 Analysis of Attack

In this subsection we prove Lemmas 3.4 and 3.5, but before doing so we need some definitions.

Events over $\mathcal{E}$. Event $\mathrm{Good}$ holds if and only if $Q_A^\ell \cap Q_B^\ell \subse
 Q_E^\ell$, in which case we say that Eve has found all the intersection queries. Event $\mathrm{Fail}$ holds if and only if at some point during the execution of the system, Alice or Bob asks a query $q$ which was asked by the other party but not already asked by Eve.
If the first query $q$ that makes $\mathrm{Fail}$ happen is Bob's $j$'th query, we say the event $\mathrm{BFail}_j$ has happened, and if it is Alice's $j$'th query, we say that the event $\mathrm{AFail}_j$ has happened. Therefore, $\mathrm{BFail}_1, \dots, \mathrm{BFail}_{n_B}$ and $\mathrm{AFail}_1, \dots, \mathrm{AFail}_{n_A}$ are disjoint events whose union is equal to $\mathrm{Fail}$. Also note that $\neg\mathrm{Good} \Rightarrow \mathrm{Fail}$, because if Alice and Bob share a query that Eve never made, this must have happened for the first time at some point during the execution of the protocol (making $\mathrm{Fail}$ happen); but note also that $\mathrm{Good}$ and $\mathrm{Fail}$ are not necessarily complementary events in general. Finally, let the event $\mathrm{BGood}_j$ (resp. $\mathrm{AGood}_j$) be the event that when Bob (resp. Alice) asks his (resp. her) $j$'th oracle query, and this happens in round $i + 1$, it holds that $Q_A^i \cap Q_B^i \subseteq Q_E^i$. Note that the event $\mathrm{BFail}_i$ implies $\mathrm{BGood}_i$, because if $\mathrm{BGood}_i$ does not hold, it means that Alice and Bob have already had an intersection query outside Eve's queries, and so $\mathrm{BFail}_i$ could not be the first time that Eve misses an intersection query. The following lemma plays a central role in proving both Lemma 3.5 and Lemma 3.4.

Lemma 3.6 (Eve Finds the Intersection Queries). For all $i \in [n_B]$, $\Pr_{\mathcal{E}}[\mathrm{BFail}_i] \le \frac{3\varepsilon}{2n_B}$. Similarly, for all $i \in [n_A]$, $\Pr_{\mathcal{E}}[\mathrm{AFail}_i] \le \frac{3\varepsilon}{2n_A}$. Therefore, by a union bound, $\Pr_{\mathcal{E}}[\neg\mathrm{Good}] \le \Pr_{\mathcal{E}}[\mathrm{Fail}] \le 3\varepsilon$.

We first prove Lemma 3.6 and then use it to prove Lemmas 3.5 and 3.4. In order to prove Lemma 3.6 itself, we reduce it to stronger statements in two steps, i.e., Lemmas 3.7 and 3.8. Lemma 3.8 (called the graph characterization lemma) is indeed at the heart of our proof and characterizes the conditional distribution of the views of Alice and Bob conditioned on Eve's view.
3.3.1 Eve Finds Intersection Queries: Proving Lemma 3.6

As we will show shortly, Lemma 3.6 follows from the following stronger lemma.

Lemma 3.7. Let $B_i$, $M_i$, and $P_i$ denote, in order, Bob's view, the sequence of messages sent between Alice and Bob, and the oracle query-answer pairs known to Eve, all before the moment that Bob is going to ask his $i$'th oracle query, which happens in some round $j$ that is in general different from $i$ (see footnote 15). Then, for every $(B_i, M_i, P_i) \leftarrow (\mathbf{B}_i, \mathbf{M}_i, \mathbf{P}_i)$ sampled by executing the system it holds that
$$\Pr_{\mathcal{GV}(M_i, P_i)}[\mathrm{BFail}_i \mid B_i] \le \frac{3\varepsilon}{2n_B}.$$
A symmetric statement holds for Alice.

Footnote 15. Also note that the $M_i$ of Lemma 3.7 is not necessarily the same as the $M_i$ of Section 3.1. The latter refers to the transcript until the $i$'th message of the protocol is sent, while the former refers to the messages sent until Bob is going to ask his $i$'th query (Bob may ask no query at all in some rounds).

We first see why Lemma 3.7 implies Lemma 3.6.

Proof of Lemma 3.6 using Lemma 3.7. It holds that
$$\Pr[\mathrm{BFail}_i] = \sum_{(B_i, M_i, P_i) \in \mathrm{Supp}(\mathbf{B}_i, \mathbf{M}_i, \mathbf{P}_i)} \Pr_{\mathcal{E}}[B_i, M_i, P_i] \cdot \Pr_{\mathcal{E}}[\mathrm{BFail}_i \mid B_i, M_i, P_i].$$
Recall that, as we said, the event $\mathrm{BFail}_i$ implies $\mathrm{BGood}_i$. Therefore, it holds that $\Pr_{\mathcal{E}}[\mathrm{BFail}_i \mid B_i, M_i, P_i] \le \Pr_{\mathcal{E}}[\mathrm{BFail}_i \mid B_i, M_i, P_i, \mathrm{BGood}_i]$, and by definition we have $\Pr_{\mathcal{E}}[\mathrm{BFail}_i \mid B_i, M_i, P_i, \mathrm{BGood}_i] = \Pr_{\mathcal{GV}(M_i, P_i)}[\mathrm{BFail}_i \mid B_i]$. By Lemma 3.7 it holds that $\Pr_{\mathcal{GV}(M_i, P_i)}[\mathrm{BFail}_i \mid B_i] \le \frac{3\varepsilon}{2n_B}$, and so:
$$\Pr_{\mathcal{E}}[\mathrm{BFail}_i] \le \sum_{(B_i, M_i, P_i) \in \mathrm{Supp}(\mathbf{B}_i, \mathbf{M}_i, \mathbf{P}_i)} \Pr_{\mathcal{E}}[B_i, M_i, P_i] \cdot \frac{3\varepsilon}{2n_B} = \Pr[\text{Bob asks} \ge i \text{ queries}] \cdot \frac{3\varepsilon}{2n_B} \le \frac{3\varepsilon}{2n_B}.$$

In the following we prove Lemma 3.7. In fact, we will not use the fact that Bob is about to ask his $i$'th query and will prove a more general statement. For simplicity we use the simplified notation $M = M_i$, $P = P_i$. Suppose $M = M_j$ (namely, the number of messages in $M$ is $j$). The following graph characterization of the distribution $\mathcal{V}(M, P)$ is at the heart of our analysis of the attacker Eve of Construction 3.3. We first describe the intuition and purpose behind the lemma.

Intuition. Lemma 3.8 below intuitively asserts that at any time during the execution of the protocol, while Eve is running her attack, the following holds. Let $(M, P)$ be the view of Eve at any moment. Then the distribution $\mathcal{V}(M, P)$ of Alice's and Bob's views conditioned on $(M, P)$ can be sampled using a "labeled" bipartite graph $G$, by sampling a uniform edge $e = (u, v)$ and taking the two labels of these two nodes (denoted by $A_u$, $B_v$). This graph $G$ has the extra property of being "dense" and close to being a complete bipartite graph.

Lemma 3.8 (Graph Characterization of $\mathcal{V}(M, P)$). Let $M$ be the sequence of messages sent between Alice and Bob, and let $P$ be the set of oracle query-answer pairs known to Eve by the end of the round in which the last message in $M$ is sent and Eve is also done with her learning queries. Suppose $\Pr_{\mathcal{V}(M, P)}[\mathrm{Good}(M, P)] > 0$. For every such $(M, P)$, there is a bipartite graph $G$ (depending on $M, P$) with vertices $(\mathcal{U}_A, \mathcal{U}_B)$ and edges $E$ such that:
1. Every vertex $u \in \mathcal{U}_A$ has a corresponding view $A_u$ for Alice (which is consistent with $(M, P)$) and a set $Q_u = Q(A_u) \setminus Q(P)$, and the same holds for vertices in $\mathcal{U}_B$ with the roles of Alice and Bob exchanged. (Note that every view can have multiple vertices assigned to it.)
2. There is an edge between $u \in \mathcal{U}_A$ and $v \in \mathcal{U}_B$ if and only if $Q_u \cap Q_v = \emptyset$.
3. Every vertex is connected to at least a $(1 - 2\varepsilon)$ fraction of the vertices on the other side.
4. The distribution $(V_A, V_B) \leftarrow \mathcal{GV}(M, P)$ is identical to: sampling a random edge $(u, v) \leftarrow E$ and taking $(A_u, B_v)$ (i.e., the views corresponding to $u$ and $v$).
5. The distributions $\mathcal{GV}(M, P)$ and $\mathcal{V}(M, P)$ have the same support set.

Lemma 3.8 is at the heart of the proof of our main theorem, and so we first see how to use this lemma before proving it. In particular, we first use Lemma 3.8 to prove Lemma 3.7, and then we prove Lemma 3.8.

Proof of Lemma 3.7 using Lemma 3.8. Let $B = B_i$, $M = M_i$, $P = P_i$ be as in Lemma 3.7 and let $q$ be Bob's $i$'th query, which is going to be asked after the last message $m_j$ in $M = M_i = M_j$ is sent to Bob. By Lemma 3.8, the distribution $\mathcal{GV}(M, P)$ conditioned on getting $B$ as Bob's view is the same as uniformly sampling a random edge $(u, v) \leftarrow E$ in the graph $G$ of Lemma 3.8 conditioned on $B_v = B$. We prove Lemma 3.7 even conditioned on choosing any vertex $v$ such that $B_v = B$. For such a fixed $v$, the distribution of Alice's view $A_u$, when we choose a random edge $(u, v')$ conditioned on $v' = v$, is the same as choosing a random neighbor $u \leftarrow N(v)$ of the node $v$ and then selecting Alice's view $A_u$ corresponding to the node $u$. Let $S = \{u \in \mathcal{U}_A \mid q \in Q(A_u)\}$. Letting $d(w)$ denote the degree of any node $w$, we have
$$\Pr_{u \leftarrow N(v)}[q \in Q(A_u)] \le \frac{|S|}{d(v)} \le \frac{|S|}{(1 - 2\varepsilon) \cdot |\mathcal{U}_A|} \le \frac{|S| \cdot |\mathcal{U}_B|}{(1 - 2\varepsilon) \cdot |E|} \le \frac{\sum_{u \in S} d(u)}{(1 - 2\varepsilon)^2 \cdot |E|} \le \frac{\varepsilon}{(1 - 2\varepsilon)^2 \cdot n_B} < \frac{3\varepsilon}{2n_B}.$$
First note that proving the above inequality is sufficient for the proof of Lemma 3.7, because $\mathrm{BFail}_i$ is equivalent to $q \in Q(A_u)$. Now we prove the above inequalities. The second and fourth inequalities are due to the degree lower bounds of Item 3 in Lemma 3.8. The third inequality is because $|E| \le |\mathcal{U}_A| \cdot |\mathcal{U}_B|$.
The fifth inequality is because of the definition of the attacker Eve, who asks the $(\varepsilon/n_B)$-heavy queries for Alice's view when sampled from $\mathcal{GV}(M, P)$, as long as such queries exist. Namely, when we choose a random edge $(u, v) \leftarrow E$ (which by Item 4 of Lemma 3.8 is the same as sampling $(V_A, V_B) \leftarrow \mathcal{GV}(M, P)$), it holds that $u \in S$ with probability $\sum_{u \in S} d(u) / |E|$. But for all $u \in S$ it holds that $q \in Q_u$, and so if $\sum_{u \in S} d(u) / |E| > \varepsilon / n_B$ the query $q$ would already have been learned by Eve, and so $q$ could not be in any set $Q_u$. The sixth inequality is because we are assuming $\varepsilon < 1/10$; more precisely, it needs $(1 - 2\varepsilon)^2 > 2/3$, i.e. $\varepsilon < 0.09$, which is satisfied by the choice $\varepsilon = \delta/20 < 1/20$ made in the proof of Theorem 3.1.

3.3.2 The Graph Characterization: Proving Lemma 3.8

We prove Lemma 3.8 by first presenting a "product characterization" of the distribution $\mathcal{GV}(M, P)$ (see footnote 16).

Lemma 3.9 (Product Characterization). For any $(M, P)$ as described in Lemma 3.8 there exists a distribution $\mathbf{A}$ (resp. $\mathbf{B}$) over Alice's (resp. Bob's) views such that the distribution $\mathcal{GV}(M, P)$ is identical to the product distribution $(\mathbf{A} \times \mathbf{B})$ conditioned on the event $\mathrm{Good}(M, P)$. Namely,
$$\mathcal{GV}(M, P) \equiv \big((\mathbf{A} \times \mathbf{B}) \mid Q(\mathbf{A}) \cap Q(\mathbf{B}) \subseteq Q(P)\big).$$

Footnote 16. A similar observation was made by [IR89]; see Lemma 6.5 there.

Proof. Suppose $(V_A, V_B) \leftarrow \mathcal{V}(M, P)$ is such that $Q_A \cap Q_B \subseteq Q$, where $Q_A = Q(V_A)$, $Q_B = Q(V_B)$, and $Q = Q(P)$. For such $(V_A, V_B)$ we will show that $\Pr_{\mathcal{GV}(M, P)}[(V_A, V_B)] = \alpha(M, P) \cdot \alpha_A \cdot \alpha_B$ where $\alpha(M, P)$ only depends on $(M, P)$, $\alpha_A$ only depends on $V_A$, and $\alpha_B$ only depends on $V_B$. This means that if we let $\mathbf{A}$ be the distribution over $\mathrm{Supp}(\mathbf{V}_A)$ such that $\Pr_{\mathbf{A}}[V_A]$ is proportional to $\alpha_A$, and let $\mathbf{B}$ be the distribution over $\mathrm{Supp}(\mathbf{V}_B)$ such that $\Pr_{\mathbf{B}}[V_B]$ is proportional to $\alpha_B$, then $\mathcal{GV}(M, P)$ is proportional (and hence equal) to the distribution $((\mathbf{A} \times \mathbf{B}) \mid Q_A \cap Q_B \subseteq Q)$.
In the following we show that $\Pr_{\mathcal{GV}(M, P)}[(V_A, V_B)] = \alpha(M, P) \cdot \alpha_A \cdot \alpha_B$. Since we are assuming $Q_A \cap Q_B \subseteq Q$ (i.e., that the event $\mathrm{Good}(M, P)$ holds over $(V_A, V_B)$) we have:
$$\Pr_{\mathcal{V}(M, P)}[(V_A, V_B)] = \Pr_{\mathcal{V}(M, P)}[(V_A, V_B) \wedge \mathrm{Good}(M, P)] = \Pr_{\mathcal{V}(M, P)}[\mathrm{Good}(M, P)] \cdot \Pr_{\mathcal{GV}(M, P)}[(V_A, V_B)]. \qquad (1)$$
On the other hand, by the definition of conditional probability we have (see footnote 17)
$$\Pr_{\mathcal{V}(M, P)}[(V_A, V_B)] = \frac{\Pr_{\mathcal{E}}[(V_A, V_B, M, P)]}{\Pr_{\mathcal{E}}[(M, P)]}. \qquad (2)$$
Therefore, by Equations (1) and (2) we have
$$\Pr_{\mathcal{GV}(M, P)}[(V_A, V_B)] = \frac{\Pr_{\mathcal{E}}[(V_A, V_B, M, P)]}{\Pr_{\mathcal{E}}[(M, P)] \cdot \Pr_{\mathcal{V}(M, P)}[\mathrm{Good}(M, P)]}. \qquad (3)$$
The denominator of the right-hand side of Equation (3) only depends on $(M, P)$, and so we can take $\beta(M, P) = \Pr_{\mathcal{E}}[(M, P)] \cdot \Pr_{\mathcal{V}(M, P)}[\mathrm{Good}(M, P)]$. In the following we analyze the numerator.

Recall that for a partial function $F$, by $\Pr_{\mathcal{E}}[F]$ we denote the probability that $H$ from the sampled execution $(r_A, r_B, H) \leftarrow \mathcal{E}$ is consistent with $F$; namely, $\Pr_{\mathcal{E}}[F] = \Pr_{\mathbf{H}}[F]$ (see Definition 2.2). Let $P_A$ (resp. $P_B$) be the set of oracle query-answer pairs in $V_A$ (resp. $V_B$). We claim that:
$$\Pr_{\mathcal{E}}[(V_A, V_B, M, P)] = \Pr[\mathbf{r}_A = r_A] \cdot \Pr[\mathbf{r}_B = r_B] \cdot \Pr_{\mathcal{E}}[P_A \cup P_B \cup P].$$
The reason is that the necessary and sufficient condition for $(V_A, V_B, M, P)$ to happen in the execution of the system is that when we sample a uniform $(r_A, r_B, H)$, $r_A$ equals Alice's randomness, $r_B$ equals Bob's randomness, and $H$ is consistent with $P_A \cup P_B \cup P$. These conditions implicitly imply that Alice and Bob will indeed produce the transcript $M$ as well. Now by Lemma 2.5 and $(P_A \cap P_B) \setminus P = \emptyset$ (which holds because $Q_A \cap Q_B \subseteq Q(P)$) we have that $\Pr_{\mathcal{E}}[P_A \cup P_B \cup P]$ equals:
$$\Pr_{\mathcal{E}}[P] \cdot \Pr_{\mathcal{E}}[(P_A \cup P_B) \setminus P] = \Pr_{\mathcal{E}}[P] \cdot \frac{\Pr_{\mathcal{E}}[P_A \setminus P] \cdot \Pr_{\mathcal{E}}[P_B \setminus P]}{\Pr_{\mathcal{E}}[(P_A \cap P_B) \setminus P]} = \Pr_{\mathcal{E}}[P] \cdot \Pr_{\mathcal{E}}[P_A \setminus P] \cdot \Pr_{\mathcal{E}}[P_B \setminus P].$$
Therefore, we get:
$$\Pr_{\mathcal{GV}(M,P)}[(V_A,V_B)] = \frac{\Pr[\mathbf{r}_A = r_A] \cdot \Pr[\mathbf{r}_B = r_B] \cdot \Pr_{\mathcal{E}}[P] \cdot \Pr_{\mathcal{E}}[P_A \setminus P] \cdot \Pr_{\mathcal{E}}[P_B \setminus P]}{\beta(M,P)},$$
and so we can take $\alpha_A = \Pr[\mathbf{r}_A = r_A] \cdot \Pr_{\mathcal{E}}[P_A \setminus P]$, $\alpha_B = \Pr[\mathbf{r}_B = r_B] \cdot \Pr_{\mathcal{E}}[P_B \setminus P]$, and $\alpha(M,P) = \Pr_{\mathcal{E}}[P]/\beta(M,P)$. □

¹⁷ Note that $V_A, V_B$ uniquely determine $M, P$, so $\Pr[V_A,V_B,M,P] = \Pr[V_A,V_B]$ holds for consistent $V_A,V_B,M,P$, but we choose to write the full event's description for clarity.

Graph Characterization. The product characterization of Lemma 3.9 implies that we can think of $\mathcal{GV}(M,P)$ as a distribution over random edges of some bipartite graph $G = (\mathcal{U}_A, \mathcal{U}_B, E)$ defined based on $(M,P)$ as follows.

Construction 3.10 (Labeled graph $G = (\mathcal{U}_A, \mathcal{U}_B, E)$). Every node $u \in \mathcal{U}_A$ will have a corresponding view $A_u$ of Alice that is in the support of the distribution $\mathbf{A}$ from Lemma 3.9. We also let the number of nodes corresponding to a view $V_A$ be proportional to $\Pr_{\mathbf{A}}[\mathbf{A} = V_A]$, meaning that $\mathbf{A}$ corresponds to the uniform distribution over the left-side vertices $\mathcal{U}_A$. Similarly, every node $v \in \mathcal{U}_B$ will have a corresponding view $B_v$ of Bob such that $\mathbf{B}$ corresponds to the uniform distribution over $\mathcal{U}_B$. Doing this is possible because the probabilities $\Pr_{\mathbf{A}}[\mathbf{A} = V_A]$ and $\Pr_{\mathbf{B}}[\mathbf{B} = V_B]$ are all rational numbers. More formally, since in Definition 2.2 of random oracles we assumed the probability of $H(x) = y$ to be rational for all $(x,y)$, the probability space $\mathcal{GV}(M,P)$ only includes rational probabilities. Thus, if $W_1, \ldots, W_N$ is the list of all possible views for Alice when sampling $(V_A,V_B) \leftarrow \mathcal{GV}(M,P)$, and if $\Pr_{(V_A,V_B) \leftarrow \mathcal{GV}(M,P)}[W_j = V_A] = c_j/d_j$ where $c_1, d_1, \ldots, c_N, d_N$ are all integers, we can put $(c_j/d_j) \cdot \prod_{i \in [N]} d_i$ many nodes in $\mathcal{U}_A$ representing the view $W_j$.
Now if we sample a node $u \leftarrow \mathcal{U}_A$ uniformly and take $A_u$ as Alice's view, it would be the same as sampling $(V_A,V_B) \leftarrow \mathcal{GV}(M,P)$ and taking $V_A$. Finally, we define $Q_u = Q(A_u) \setminus Q(P)$ for $u \in \mathcal{U}_A$ to be the set of queries outside of $Q(P)$ that were asked by Alice in the view $A_u$. We define $Q_v = Q(B_v) \setminus Q(P)$ similarly. We put an edge between the nodes $u$ and $v$ (denoted by $u \sim v$) in $G$ if and only if $Q_u \cap Q_v = \emptyset$.

It turns out that the graph $G$ is dense, as formalized in the next lemma.

Lemma 3.11. Let $G = (\mathcal{U}_A, \mathcal{U}_B, E)$ be the graph of Construction 3.10. Then for every $u \in \mathcal{U}_A$, $d(u) \geq |\mathcal{U}_B| \cdot (1 - 2\varepsilon)$ and for every $v \in \mathcal{U}_B$, $d(v) \geq |\mathcal{U}_A| \cdot (1 - 2\varepsilon)$, where $d(w)$ is the degree of the vertex $w$.

Proof. First note that Lemma 3.9 and the description of Construction 3.10 imply that the distribution $\mathcal{GV}(M,P)$ is equal to the distribution obtained by letting $(u,v)$ be a random edge of the graph $G$ and choosing $(A_u, B_v)$. We will make use of this property.

We first show that for every $w \in \mathcal{U}_A$, $\sum_{v \in \mathcal{U}_B,\, w \not\sim v} d(v) \leq \varepsilon \cdot |E|$. The reason is that the probability of vertex $v$ being chosen when we choose a random edge is $d(v)/|E|$, and if $\sum_{v \in \mathcal{U}_B,\, w \not\sim v} d(v)/|E| > \varepsilon$, it means that $\Pr_{(u,v) \leftarrow E}[Q_w \cap Q_v \neq \emptyset] \geq \varepsilon$. Hence, because $|Q_w| \leq n_A$, by the pigeonhole principle there would exist $q \in Q_w$ such that $\Pr_{(u,v) \leftarrow E}[q \in Q_v] \geq \varepsilon/n_A$. But this is a contradiction, because if that holds, then $q$ should have been in $P$ by the definition of the attacker Eve of Construction 3.3, and hence it could not be in $Q_w$. The same argument shows that for every $w \in \mathcal{U}_B$, $\sum_{u \in \mathcal{U}_A,\, u \not\sim w} d(u) \leq \varepsilon |E|$. Thus, for every vertex $w \in \mathcal{U}_A \cup \mathcal{U}_B$, $|E_{\not\sim}(w)| \leq \varepsilon |E|$, where $E_{\not\sim}(w)$ denotes the set of edges that do not contain any neighbor of $w$ (i.e., $E_{\not\sim}(w) = \{(u,v) \in E \mid u \not\sim w \wedge w \not\sim v\}$).
The following claim proves Lemma 3.11.

Claim 3.12. For $\varepsilon \leq 1/2$, let $G = (\mathcal{U}_A, \mathcal{U}_B, E)$ be a nonempty bipartite graph where $|E_{\not\sim}(w)| \leq \varepsilon |E|$ for all vertices $w \in \mathcal{U}_A \cup \mathcal{U}_B$. Then $d(u) \geq |\mathcal{U}_B| \cdot (1 - 2\varepsilon)$ for all $u \in \mathcal{U}_A$ and $d(v) \geq |\mathcal{U}_A| \cdot (1 - 2\varepsilon)$ for all $v \in \mathcal{U}_B$.

Proof. Let $d_A = \min\{d(u) \mid u \in \mathcal{U}_A\}$ and $d_B = \min\{d(v) \mid v \in \mathcal{U}_B\}$. By switching the left and right sides if necessary, we may assume without loss of generality that
$$\frac{d_A}{|\mathcal{U}_B|} \leq \frac{d_B}{|\mathcal{U}_A|}. \quad (4)$$
So it suffices to prove that $1 - 2\varepsilon \leq d_A/|\mathcal{U}_B|$. Suppose $1 - 2\varepsilon > d_A/|\mathcal{U}_B|$, and let $u \in \mathcal{U}_A$ be the vertex with $d(u) = d_A < (1 - 2\varepsilon)|\mathcal{U}_B|$. Because for all $v \in \mathcal{U}_B$ we have $d(v) \leq |\mathcal{U}_A|$, using Inequality (4) we get that $|E_{\sim}(u)| \leq d_A |\mathcal{U}_A| \leq d_B |\mathcal{U}_B|$, where $E_{\sim}(u) = E \setminus E_{\not\sim}(u)$. On the other hand, since we assumed that $d(u) < (1 - 2\varepsilon)|\mathcal{U}_B|$, there are more than $2\varepsilon |\mathcal{U}_B| d_B$ edges in $E_{\not\sim}(u)$, meaning that $|E_{\sim}(u)| < |E_{\not\sim}(u)|/(2\varepsilon)$. But this implies
$$|E_{\not\sim}(u)| \leq \varepsilon |E| = \varepsilon\big(|E_{\not\sim}(u)| + |E_{\sim}(u)|\big) < \varepsilon |E_{\not\sim}(u)| + |E_{\not\sim}(u)|/2,$$
which is a contradiction for $\varepsilon < 1/2$. □

Finally we prove Item 5. Namely, for every $(A,B) \leftarrow \mathcal{V}(V_A, V_B)$, there is some $B'$ such that $(A,B')$ is in the support set of $\mathcal{GV}(V_A, V_B)$. The latter is equivalent to finding $B'$ that is consistent with $M, P$ and such that $Q(A) \cap Q(B') \subseteq Q(P)$. For the sake of contradiction suppose this is not the case. Therefore, if we sample $B'$ from the distribution of $\mathbf{V}_B$ conditioned on $P, M$, then there is always an element in $Q(A) \cap Q(B')$ that is outside of $Q(P)$. By the pigeonhole principle, one of the queries in $Q(A) \setminus Q(P)$ would be at least $1/n_A$-heavy for the distribution $\mathcal{GV}(V_A, V_B)$ (in particular the $V_B$ part). But this contradicts how the algorithm of Eve operates. □
Remark 3.13 (Sufficient Condition for Graph Characterization). It can be verified that the proof of the graph characterization of Lemma 3.8 only requires the following: at the end of the rounds, Eve has learned all the $(\varepsilon/n_B)$-heavy queries for Alice and all the $(\varepsilon/n_A)$-heavy queries for Bob with respect to the distribution $\mathcal{GV}(M,P)$. More formally, all we need is that when Eve stops asking more queries, if there is any query $q$ such that
$$\Pr_{(V_A,V_B) \leftarrow \mathcal{GV}(M,P)}[q \in Q(V_A)] \geq \frac{\varepsilon}{n_B} \quad \text{or} \quad \Pr_{(V_A,V_B) \leftarrow \mathcal{GV}(M,P)}[q \in Q(V_B)] \geq \frac{\varepsilon}{n_A},$$
then $q \in Q(P)$. In particular, Lemma 3.8 holds even if Eve arbitrarily asks queries that are not necessarily heavy at the time of being asked, or chooses to ask the heavy queries in an arbitrary (different from lexicographic) order.

3.3.3 Eve Finds the Key: Proving Lemma 3.4

Now we turn to the question of finding the secret. Theorem 6.2 in [IR89] shows that once one finds all the intersection queries, with $O(n^2)$ more queries one can also find the actual secret. Here we use the properties of our attack to show that we can do so even without asking more queries. First we need to specify and prove the following corollary of Lemma 3.8.

Corollary 3.14 (Corollary of Lemma 3.8). Let Eve be the eavesdropping adversary of Construction 3.3 using parameter $\varepsilon$, and suppose $\Pr_{\mathcal{V}(M_i,P_E^i)}[\mathsf{Good}(M_i,P_E^i)] > 0$, where $(M_i, P_E^i)$ is the view of Eve by the end of round $i$ (when she is also done with learning queries). For the fixed $i, M_i, P_E^i$, let $(\mathbf{V}_A, \mathbf{V}_B)$ be the joint view of Alice and Bob as sampled from $\mathcal{GV}(M_i, P_E^i)$. Then for some product distribution $(\mathbf{U}_A \times \mathbf{U}_B)$ (where $\mathbf{U}_A \times \mathbf{U}_B$ could also depend on $i, M_i, P_E^i$) we have:
1. $\Delta((\mathbf{V}_A, \mathbf{V}_B), (\mathbf{U}_A \times \mathbf{U}_B)) \leq 2\varepsilon$.
2. For every possible $(A,B) \leftarrow \mathcal{V}(\mathbf{V}_A, \mathbf{V}_B)$ (which by Item 5 is the same as the set of all $(A,B) \leftarrow \mathcal{GV}(\mathbf{V}_A, \mathbf{V}_B)$) we have:
$$\Delta((\mathbf{V}_A \mid \mathbf{V}_B = B), \mathbf{U}_A) \leq 2\varepsilon, \qquad \Delta((\mathbf{V}_B \mid \mathbf{V}_A = A), \mathbf{U}_B) \leq 2\varepsilon.$$

Proof. In the graph characterization $G = (\mathcal{U}_A, \mathcal{U}_B, E)$ of $\mathcal{GV}(M,P)$ as described in Lemma 3.8, every vertex is connected to at least a $1 - 2\varepsilon$ fraction of the vertices of the other side, and consequently the graph $G$ has at least a $1 - 2\varepsilon$ fraction of the edges of the complete bipartite graph with the same nodes $(\mathcal{U}_A, \mathcal{U}_B)$. Thus, if we take $\mathbf{U}_A$ to be the uniform distribution over $\mathcal{U}_A$ and $\mathbf{U}_B$ the uniform distribution over $\mathcal{U}_B$, they satisfy all three inequalities. □

The process of sampling the components of the system can also be done in a "reversed" order, where we first decide whether some events are going to hold or not and then sample the other components conditioned on that.

Notation. In the following let $s(V)$ be the output determined by any view $V$ (of Alice or Bob).

Construction 3.15. Sample Alice, Bob, and Eve's views as follows.
1. Toss a coin $b$ such that $b = 1$ with probability $\Pr_{\mathcal{E}}[\mathsf{Good}]$.
2. If $b = 1$:
   (a) Sample Eve's final view $(M,P)$ conditioned on $\mathsf{Good}$.
   (b) i. Sample views of Alice and Bob $(V_A,V_B)$ from $\mathcal{GV}(M,P)$.
       ii. Eve samples $(V'_A, V'_B) \leftarrow \mathcal{GV}(M,P)$, and outputs $s_E = s(V'_A)$.
3. If $b = 0$:
   (a) Sample Eve's final view $(M,P)$ conditioned on $\neg\mathsf{Good}$.
   (b) i. Sample views $(V_A,V_B) \leftarrow (\mathcal{V}(M,P) \mid \neg\mathsf{Good})$.
       ii. Eve does the same as in case $b = 1$ above.
In other words, $b = 1$ if and only if $\mathsf{Good}$ holds over the real views of Alice and Bob. We might use $b = 1$ and $\mathsf{Good}$ interchangeably (depending on which one is conceptually more convenient).
The attacker Eve of Construction 3.3 samples views $(V'_A, V'_B)$ from $\mathcal{GV}(M,P)$ in both cases $b = 0$ and $b = 1$, and that is exactly what the Eve of Construction 3.15 does as well, so the pair $(s_E, s(V_B))$ in Constructions 3.3 and 3.15 are identically distributed. Therefore, our goal is to lower bound the probability of getting $s_E = s(V_B)$, where $s_E = s(V'_A)$ is the output of $V'_A$ and $s(V_B)$ is the output of $V_B$ (in Construction 3.15). We will show that this event happens in Step 2b with sufficiently large probability. (Note that it is also possible that $s_E = s(V_B)$ happens in Step 3b as well, but we ignore this case.)

In the following, let $\rho(M,P)$ and $\mathsf{win}(M,P)$ be defined as follows:
$$\rho(M,P) = \Pr_{(V_A,V_B) \leftarrow \mathcal{GV}(M,P)}[s(V_A) = s(V_B)],$$
$$\mathsf{win}(M,P) = \Pr_{(V_A,V_B) \leftarrow \mathcal{GV}(M,P),\, (V'_A,V'_B) \leftarrow \mathcal{GV}(M,P)}[s(V'_A) = s(V_B)],$$
where $(V_A,V_B)$ and $(V'_A,V'_B)$ are independent samples. We will prove Lemma 3.4 using the following two claims.

Claim 3.16. Suppose $P$ denotes Eve's set of oracle query-answer pairs after all of the messages in $M$ are sent. Assuming the probability of $\mathsf{Good}(M,P)$ is nonzero conditioned on $(M,P)$, for every $\varepsilon < 1/10$ used by Eve's algorithm of Construction 3.3 it holds that $\mathsf{win}(M,P) \geq \rho(M,P) - 4\varepsilon$.

Now we prove Claim 3.16.

Proof of Claim 3.16. Let $(\mathbf{U}_A \times \mathbf{U}_B)$ be the product distribution of Corollary 3.14 for the view $(M,P)$. We would like to lower bound the probability of $s(V'_A) = s(V_B)$, where $(V_A,V_B)$ and $(V'_A,V'_B)$ are independent samples from the same distribution $(\mathbf{V}_A, \mathbf{V}_B) \equiv \mathcal{GV}(M,P)$. Since $M,P$ are fixed, for simplicity of notation, in the following we let $(\mathbf{V}_A, \mathbf{V}_B) \equiv \mathcal{GV}(M,P)$ without explicitly mentioning $M,P$. Also, in what follows, $\mathbf{V}_A$ (resp. $\mathbf{V}_B$) will denote the marginal distribution of the first (resp. second) component of $(\mathbf{V}_A, \mathbf{V}_B)$. We will also preserve $V_A, V_B$ to denote the real Alice and Bob views sampled from $(\mathbf{V}_A, \mathbf{V}_B)$, and we will use $V'_A, V'_B$ to denote Eve's samples from the same distribution $(\mathbf{V}_A, \mathbf{V}_B)$.

For every possible view $A_0 \leftarrow \mathbf{V}_A$, let $\rho(A_0) = \Pr_{(A,B) \leftarrow (\mathbf{V}_A, \mathbf{V}_B)}[s(A) = s(B) \mid A = A_0]$. Similarly, for every possible view $A_0 \leftarrow \mathbf{V}_A$, let $\mathsf{win}(A_0) = \Pr_{(A,B) \leftarrow (\mathbf{V}_A, \mathbf{V}_B)}[s(A_0) = s(B)]$. By averaging over Alice's view, it holds that
$$\rho(M,P) = \mathbb{E}_{(A,B) \leftarrow (\mathbf{V}_A, \mathbf{V}_B)}[\rho(A)] \quad \text{and} \quad \mathsf{win}(M,P) = \mathbb{E}_{(A,B) \leftarrow (\mathbf{V}_A, \mathbf{V}_B)}[\mathsf{win}(A)].$$
In the following, we will prove something stronger than Claim 3.16 and will show that $\mathsf{win}(V'_A) \geq \rho(V'_A) - 4\varepsilon$ for every $V'_A \leftarrow \mathbf{V}_A$; the claim then follows by averaging over $V'_A \leftarrow \mathbf{V}_A$. Thus, in the following $V'_A$ will be the fixed sample $V'_A \leftarrow \mathbf{V}_A$. By Corollary 3.14, for every possible Alice view $A \leftarrow \mathbf{V}_A$, the distribution of Bob's view sampled from $(\mathbf{V}_B \mid \mathbf{V}_A = A)$ is $2\varepsilon$-close to $\mathbf{U}_B$. Therefore, the distribution of $\mathbf{V}_B$ (without conditioning on $\mathbf{V}_A = A$) is also $2\varepsilon$-close to $\mathbf{U}_B$. By two applications of Lemma 2.9 we get
$$\mathsf{win}(V'_A) = \Pr_{V_B \leftarrow \mathbf{V}_B}[s(V'_A) = s(V_B)] \geq \Pr_{B \leftarrow \mathbf{U}_B}[s(V'_A) = s(B)] - 2\varepsilon \geq \Pr_{V'_B \leftarrow (\mathbf{V}_B \mid \mathbf{V}_A = V'_A)}[s(V'_A) = s(V'_B)] - 4\varepsilon = \rho(V'_A) - 4\varepsilon.$$
□

The following claim lower bounds the completeness of the key agreement protocol in conjunction with reaching Step 2b in Construction 3.15.

Claim 3.17. It holds that $\Pr_{\mathcal{E}}[s(V_A) = s(V_B) \wedge \mathsf{Good}] \geq \rho - 3\varepsilon$.

Proof. By Lemma 3.6 it holds that $1 - 3\varepsilon \leq \Pr_{\mathcal{E}}[\mathsf{Good}]$. Therefore
$$\rho - 3\varepsilon \leq \Pr_{\mathcal{E}}[s(V_A) = s(V_B)] - \Pr_{\mathcal{E}}[\neg\mathsf{Good}] \leq \Pr_{\mathcal{E}}[s(V_A) = s(V_B) \wedge \mathsf{Good}].$$
□

Proof of Lemma 3.4.
We will show the stronger claim that $\Pr[s(V'_A) = s(V_B) \wedge \mathsf{Good}] \geq \rho - 7\varepsilon$, which implies $\Pr[s(V'_A) = s(V_B)] \geq \rho - 7\varepsilon$ as well. By definition of Construction 3.15 and using Claims 3.16 and 3.17 we have:
$$\begin{aligned}
\Pr[s(V'_A) = s(V_B) \wedge \mathsf{Good}] &= \Pr_{\mathcal{E}}[\mathsf{Good}] \cdot \mathbb{E}_{(M,P) \leftarrow ((\mathbf{M},\mathbf{P}) \mid \mathsf{Good})}[\mathsf{win}(M,P)] \\
&\geq \Pr_{\mathcal{E}}[\mathsf{Good}] \cdot \mathbb{E}_{(M,P) \leftarrow ((\mathbf{M},\mathbf{P}) \mid \mathsf{Good})}[\rho(M,P) - 4\varepsilon] \\
&= \big(\Pr_{\mathcal{E}}[\mathsf{Good}] \cdot \mathbb{E}_{(M,P) \leftarrow ((\mathbf{M},\mathbf{P}) \mid \mathsf{Good})}[\rho(M,P)]\big) - (4 \Pr_{\mathcal{E}}[\mathsf{Good}] \cdot \varepsilon) \\
&= \big(\Pr_{\mathcal{E}}[\mathsf{Good}] \cdot \Pr[s(V_A) = s(V_B) \mid \mathsf{Good}]\big) - (4 \Pr_{\mathcal{E}}[\mathsf{Good}] \cdot \varepsilon) \\
&\geq (\rho - 3\varepsilon) - (4\varepsilon) = \rho - 7\varepsilon.
\end{aligned}$$
□

3.3.4 Efficiency of Eve: Proving Lemma 3.5

Recall that Eve's criterion for "heaviness" is based on the distribution $\mathcal{GV}(M,P_E)$, where $M$ is the current sequence of messages sent so far and $P_E$ is the current set of oracle query-answer pairs known to Eve. This distribution is conditioned on Eve not missing any queries up to this point. However, because we have proven that the event $\mathsf{Fail}$ has small probability, queries that are heavy under $\mathcal{GV}(M,P_E)$ are also (typically) almost as heavy under the real distribution $\mathcal{V}(M,P_E)$. Intuitively this means that, on average, Eve will not make too many queries.

Definition 3.18 (Coloring of Eve's Queries). Suppose $(M_i, P_E)$ is the view of Eve at the moment Eve asks query $q$. We call $q$ a red query, denoted $q \in R$, if $\Pr[\mathsf{Good}(M_i,P_E)] \leq 1/2$. We call $q$ a green query of Alice's type, denoted $q \in GA$, if $q$ is not red and $\Pr_{(V^i_A,V^i_B) \leftarrow \mathcal{V}(M_i,P_E)}[q \in Q(V^i_A)] \geq \frac{\varepsilon}{2n_B}$. (Note that here we are sampling the views from $\mathcal{V}(M_i,P_E)$ and not from $\mathcal{GV}(M_i,P_E)$, and the threshold of "heaviness" is $\frac{\varepsilon}{2n_B}$ rather than $\frac{\varepsilon}{n_B}$.) Similarly, we call $q$ a green query of Bob's type, denoted $q \in GB$, if $q$ is not red and $\Pr_{(V^i_A,V^i_B) \leftarrow \mathcal{V}(M_i,P_E)}[q \in Q(V^i_B)] \geq \frac{\varepsilon}{2n_A}$.
We also let the set of all green queries be $G = GA \cup GB$. The following claim shows that each of Eve's queries is either red or green.

Claim 3.19. Every query $q$ asked by Eve is either in $R$ or in $G$.

Proof. If $q$ is a query of Eve which is not red, then $\Pr_{\mathcal{V}(M_i,P_E)}[\mathsf{Good}(M_i,P_E)] \geq 1/2$, where $(M_i,P_E)$ is the view of Eve when asking $q$. Since Eve is asking $q$, one of the following holds:
1. $\Pr_{(V^i_A,V^i_B) \leftarrow \mathcal{GV}(M_i,P_E)}[q \in Q(V^i_A)] \geq \frac{\varepsilon}{n_B}$, or
2. $\Pr_{(V^i_A,V^i_B) \leftarrow \mathcal{GV}(M_i,P_E)}[q \in Q(V^i_B)] \geq \frac{\varepsilon}{n_A}$.
If case 1 holds, then
$$\begin{aligned}
\Pr_{(V^i_A,V^i_B) \leftarrow \mathcal{V}(M_i,P_E)}[q \in Q(V^i_A)] &\geq \Pr_{(V^i_A,V^i_B) \leftarrow \mathcal{V}(M_i,P_E)}[\mathsf{Good}(M_i,P_E) \wedge q \in Q(V^i_A)] \\
&= \Pr_{\mathcal{V}(M_i,P_E)}[\mathsf{Good}(M_i,P_E)] \cdot \Pr_{(V^i_A,V^i_B) \leftarrow \mathcal{GV}(M_i,P_E)}[q \in Q(V^i_A)] \\
&\geq \frac{1}{2} \cdot \frac{\varepsilon}{n_B} = \frac{\varepsilon}{2n_B},
\end{aligned}$$
which implies that $q \in GA$. Case 2 similarly shows that $q \in GB$. □

We will bound the number of queries of each color separately.

Claim 3.20 (Bounding Red Queries). $\Pr_{\mathcal{E}}[R \neq \emptyset] \leq 6\varepsilon$.

Claim 3.21 (Bounding Green Queries). $\mathbb{E}_{\mathcal{E}}[|G|] \leq 4 n_A \cdot n_B/\varepsilon$. Therefore, by Markov's inequality, $\Pr_{\mathcal{E}}[|G| \geq n_A \cdot n_B/\varepsilon^2] \leq 4\varepsilon$.

Proving Lemma 3.5. Lemma 3.5 follows by a union bound and Claims 3.19, 3.20, and 3.21.

Proof of Claim 3.20. Claim 3.20 follows directly from Lemma 2.7 and Lemma 3.6 as follows. Let $\mathbf{x}$ (in Lemma 2.7) be $\mathcal{E}$, the event $E$ be $\mathsf{Fail}$, the sequence $\mathbf{x}_1, \ldots$ be the sequence of pieces of information that Eve receives (i.e., the messages and oracle answers), $\lambda = 3\varepsilon$, $\lambda_1 = 1/2$ and $\lambda_2 = 6\varepsilon$. Lemma 3.6 shows that $\Pr[\mathsf{Fail}] \leq \lambda$. Therefore, if we let $D$ be the event that at some point, conditioned on Eve's view, the probability of $\mathsf{Fail}$ is more than $\lambda_1$, Lemma 2.7 shows that the probability of $D$ is at most $\lambda_2$. Also note that for every sampled $(M,P_E)$, $\Pr[\neg\mathsf{Good} \mid (M,P_E)] \leq \Pr[\mathsf{Fail} \mid (M,P_E)]$.
Therefore, with probability at least $1 - \lambda_2 = 1 - 6\varepsilon$, during the execution of the system the probability of $\mathsf{Good}(M,P_E)$ conditioned on Eve's view will never go below $1/2$. □

Proof of Claim 3.21. We will prove that $\mathbb{E}_{\mathcal{E}}[|GA|] \leq 2 n_A \cdot n_B/\varepsilon$; $\mathbb{E}_{\mathcal{E}}[|GB|] \leq 2 n_A \cdot n_B/\varepsilon$ follows symmetrically. Using these two upper bounds we can derive Claim 3.21 easily. For a fixed query $q \in \{0,1\}^\ell$, let $I_q$ be the event, defined over $\mathcal{E}$, that Eve asks $q$ as a green query of Alice's type (i.e., $q \in GA$). Let $F_q$ be the event that Alice actually asks $q$ (i.e., $q \in Q_A$). By linearity of expectation we have $\mathbb{E}_{\mathcal{E}}[|GA|] = \sum_q \Pr[I_q]$ and $\sum_q \Pr[F_q] \leq |Q_A| \leq n_A$. Let $\gamma = \frac{\varepsilon}{2n_B}$. We claim that for all $q$ it holds that:
$$\Pr[I_q] \cdot \gamma \leq \Pr[F_q]. \quad (5)$$
First note that Inequality (5) implies Claim 3.21 as follows:
$$\mathbb{E}_{\mathcal{E}}[|GA|] = \sum_q \Pr[I_q] \leq \frac{1}{\gamma} \sum_q \Pr[F_q] \leq \frac{n_A}{\gamma} = \frac{2 n_A n_B}{\varepsilon}.$$
To prove Inequality (5), we use Lemma 2.7 as follows. The underlying random variable $\mathbf{x}$ (of Lemma 2.7) will be $\mathcal{E}$, the event $E$ will be $F_q$, the sequence of random variables $\mathbf{x}_1, \mathbf{x}_2, \ldots$ will be the sequence of pieces of information that Eve observes, $\lambda$ will be $\Pr[F_q]$, and $\lambda_1$ will be $\gamma$. If $I_q$ holds, it means that based on Eve's view the query $q$ has at least $\gamma$ probability of being asked by Alice (at some point before), which implies that the event $D$ (of Lemma 2.7) holds, and so $I_q \subseteq D$. Therefore, by Lemma 2.7, $\Pr[I_q] \leq \Pr[D] \leq \lambda/\lambda_1 = \Pr[F_q]/\gamma$, proving Inequality (5). □

Remark 3.22 (Sufficient Condition for Efficiency of Eve). The proofs of Claims 3.19 and 3.21 only depend on the fact that all the queries asked by Eve are either $(\varepsilon/n_B)$-heavy for Alice or $(\varepsilon/n_A)$-heavy for Bob with respect to the distribution $\mathcal{GV}(M,P)$.
More formally, all we need is that whenever Eve asks a query $q$ it holds that
$$\Pr_{(V_A,V_B) \leftarrow \mathcal{GV}(M,P)}[q \in Q(V_A)] \geq \frac{\varepsilon}{n_B} \quad \text{or} \quad \Pr_{(V_A,V_B) \leftarrow \mathcal{GV}(M,P)}[q \in Q(V_B)] \geq \frac{\varepsilon}{n_A}.$$
In particular, the conclusions of Claims 3.19 and 3.21 hold regardless of which heavy queries Eve chooses to ask at any moment; the only important thing is that all the queries asked by Eve were heavy at the time of being asked.

4 Extensions

In this section we prove several extensions to our main result that can all be directly obtained from the results proved in Section 3. The main goal of this section is to generalize our main result to a broader setting so that it can be applied in subsequent work more easily. We assume the reader is familiar with the definitions given in Sections 2 and 3.

4.1 Making the Views Almost Independent

In this section we will prove Theorem 1.3 along with several other extensions. These extensions were used in [DSLMM11] to prove black-box separations for certain optimally-fair coin-tossing protocols. We first mention these extensions informally and then prove them formally.

Average Number of Queries: We will show how to decrease the number of queries asked by Eve by a factor of $\Omega(\varepsilon)$ if we settle for bounding the average number of queries asked by Eve. This can always be turned into an attack of worst-case complexity by putting the $\Theta(\varepsilon)$ multiplicative factor back and applying Markov's inequality.

Changing the Heaviness Threshold: We will show that the attacker Eve of Construction 3.3 is "robust" with respect to choosing its "heaviness" parameter $\varepsilon$. Namely, if she changes the parameter $\varepsilon$ arbitrarily during her attack, as long as $\varepsilon \in [\varepsilon_1, \varepsilon_2]$ for some $\varepsilon_1 < \varepsilon_2$, we can still show that Eve is both "successful" and "efficient" with high probability.
Learning the Dependencies: We will show that our adversary Eve can, with high probability, learn the "dependency" between the views of Alice and Bob in any two-party computation. Dachman-Soled et al. [DSLMM11] were the first to point out that such results can be obtained from results proved in the original publication of this work [BMG09]. Haitner et al. [HOZ13], relying on some of the results proved in [BMG09], proved a variant of the first part of our Theorem 1.3 in which $n$ bounds both $n_A$ and $n_B$.

Lightness of Queries: We observe that with high probability the following holds at the end of every round conditioned on Eve's view: for every query $q$ not learned by Eve, the probability of $q$ being asked by Alice or Bob remains "small". Note that here we are not conditioning on the event $\mathsf{Good}(M,P)$.

Now we formally prove the above extensions. The following definition defines a class of attacks that share a specific set of properties.

Definition 4.1. For $\varepsilon_1 \leq \varepsilon_2$, we call Eve an $(\varepsilon_1, \varepsilon_2)$-attacker if Eve performs her attack in the framework of Construction 3.3, but instead of using a single parameter $\varepsilon$ she uses $\varepsilon_1 \leq \varepsilon_2$ as follows.
1. All queries asked are heavy according to parameter $\varepsilon_1$. Every query $q$ asked by Eve, at the time of being asked, should be either $(\varepsilon_1/n_B)$-heavy for Alice or $(\varepsilon_1/n_A)$-heavy for Bob with respect to the distribution $\mathcal{GV}(M,P)$, where $(M,P)$ is the view of Eve when asking $q$.
2. No heavy query, as parameterized by $\varepsilon_2$, remains unlearned. At the end of every round $i$, if $(M,P)$ is the view of Eve at that moment, and if $q$ is any query that is either $(\varepsilon_2/n_B)$-heavy for Alice or $(\varepsilon_2/n_A)$-heavy for Bob with respect to the distribution $\mathcal{GV}(M,P)$, then Eve has to have learned that query already, to make sure $q \in Q(P)$.

Comparison with Eve of Construction 3.3.
The Eve of Construction 3.3 is an $(\varepsilon, \varepsilon)$-attacker, but for $\varepsilon_1 < \varepsilon_2$ the class of $(\varepsilon_1, \varepsilon_2)$-attackers includes algorithms that could not necessarily be described by Construction 3.3. For example, an $(\varepsilon_1, \varepsilon_2)$-attacker can choose any $\varepsilon \in [\varepsilon_1, \varepsilon_2]$ and run the attacker of Construction 3.3 using parameter $\varepsilon$, or it can even keep changing its parameter $\varepsilon \in [\varepsilon_1, \varepsilon_2]$ along the execution of the attack. In addition, the attacker of Construction 3.3 needs to choose the lexicographically first heavy query, while an $(\varepsilon_1, \varepsilon_2)$-attacker has the freedom of choosing any query so long as it is $(\varepsilon_1/n_B)$-heavy for Alice or $(\varepsilon_1/n_A)$-heavy for Bob. Finally, an $(\varepsilon_1, \varepsilon_2)$-attacker could use its own randomness $r_E$ that affects its choice of queries, as long as it respects the two conditions of Definition 4.1.

Definition 4.2 (Self Dependency). For every joint distribution $(\mathbf{x}, \mathbf{y})$, we call $\mathsf{SelfDep}(\mathbf{x}, \mathbf{y}) = \Delta((\mathbf{x}, \mathbf{y}), (\mathbf{x} \times \mathbf{y}))$ the self (statistical) dependency of $(\mathbf{x}, \mathbf{y})$, where in $(\mathbf{x} \times \mathbf{y})$ we sample $\mathbf{x}$ and $\mathbf{y}$ independently from their marginal distributions.

The following theorem formalizes Theorem 1.3. The last part of the theorem is used by [DSLMM11] to prove lower bounds on coin tossing protocols from one-way functions. We advise the reader to review the notation of Section 3.1, as we will use some of it here for our modified variant of $(\varepsilon_1, \varepsilon_2)$-attackers.

Theorem 4.3 (Extensions to Main Theorem). Let $\Pi, r_A, n_A, r_B, n_B, H, s_A, s_B, \rho$ be as in Theorem 3.1 and suppose $\varepsilon_1 \leq \varepsilon_2 < 1/10$. Let Eve be any $(\varepsilon_1, \varepsilon_2)$-attacker who is modified to stop asking any queries as soon as she is about to ask a red query (as defined in Definition 3.18). Then the following claims hold.
1. Finding outputs: Eve's output agrees with Bob's output with probability at least $\rho - 16\varepsilon_2$.
2. Average number of queries: The expected number of queries asked by Eve is at most $4 n_A n_B/\varepsilon_1$. More generally, if we let $Q_\varepsilon$ be the number of (green) queries that are asked because of being $\varepsilon$-heavy for a fixed $\varepsilon \in [\varepsilon_1, \varepsilon_2]$, it holds that $\mathbb{E}[|Q_\varepsilon|] \leq 4 n_A n_B/\varepsilon$.
3. Self-dependency at every fixed round: For any fixed round $i$, it holds that $\mathbb{E}_{(M,P) \leftarrow (\mathbf{M}_i, \mathbf{P}^i_E)}[\mathsf{SelfDep}(\mathcal{V}(M,P))] \leq 21 \cdot \varepsilon_2$.
4. Simultaneous self-dependencies at all rounds: For every $\alpha, \beta$ such that $0 < \alpha < 1$, $0 < \beta < 1$, and $\alpha \cdot \beta \geq \varepsilon_2$, with probability at least $1 - 9\alpha$ the following holds: at the end of every round $i$, we have $\mathsf{SelfDep}(\mathcal{V}(M_i, P^i_E)) \leq 9\beta$.
5. Simultaneous lightness at all rounds: For every $\alpha, \beta$ such that $0 < \alpha < 1$, $0 < \beta < 1$, and $\alpha \cdot \beta \geq \varepsilon_2$, with probability at least $1 - 9\alpha$ the following holds: at the end of every round, if $q \notin Q(P)$ is any query not learned by Eve so far, we have $\Pr_{(V_A,V_B) \leftarrow \mathcal{V}(M,P)}[q \in Q(V_A)] < \frac{\varepsilon_2}{n_B} + \beta$ and $\Pr_{(V_A,V_B) \leftarrow \mathcal{V}(M,P)}[q \in Q(V_B)] < \frac{\varepsilon_2}{n_A} + \beta$.
6. Dependency and lightness at every fixed round: For every round $i$ and every $(M,P) \leftarrow (\mathbf{M}_i, \mathbf{P}^i_E)$ there is a product distribution $(\mathbf{W}_A \times \mathbf{W}_B)$ such that the following two hold:
   (a) $\mathbb{E}_{(M,P)}[\Delta(\mathcal{V}(M,P), (\mathbf{W}_A \times \mathbf{W}_B))] \leq 15\varepsilon_2$.
   (b) With probability $1 - 6\varepsilon_2$ over the choice of $(M,P)$ (which determines the distributions $\mathbf{W}_A, \mathbf{W}_B$ as well), we have $\Pr[q \in Q(\mathbf{W}_A)] < \frac{\varepsilon_2}{n_B}$ and $\Pr[q \in Q(\mathbf{W}_B)] < \frac{\varepsilon_2}{n_A}$.

In the rest of this section we prove Theorem 4.3. To prove all the properties, we first assume that the adversary is an $(\varepsilon_1, \varepsilon_2)$-attacker, denoted by UnbEve (Unbounded Eve), and then analyze how stopping UnbEve upon reaching a red query (i.e., converting it into Eve) will affect her execution.
Remarks 3.13 and 3.22 show that many of the results proved in the previous section extend to the more general setting of $(\varepsilon_1, \varepsilon_2)$-attackers.

Claim 4.4. All the following lemmas, claims, and corollaries still hold when we use an arbitrary $(\varepsilon_1, \varepsilon_2)$-attacker and $\varepsilon_1 < \varepsilon_2 < 1/10$:
1. Lemma 3.8 using $\varepsilon = \varepsilon_2$.
2. Corollary 3.14 using $\varepsilon = \varepsilon_2$.
3. Lemma 3.6 using $\varepsilon = \varepsilon_2$.
4. Lemma 3.4 using $\varepsilon = \varepsilon_2$.
5. Claim 3.20 using $\varepsilon = \varepsilon_2$.
6. Claim 3.19 by using $\varepsilon = \varepsilon_1$ in the definition of green queries.
7. Claim 3.21 by using $\varepsilon = \varepsilon_1$ in the definition of green queries. More generally, the proof of Claim 3.21 works directly (without any change) if we run an $(\varepsilon_1, \varepsilon_2)$-attack but define the green queries using a parameter $\varepsilon \in [\varepsilon_1, \varepsilon_2]$ (and only count such queries as green ones).

Proof. Item 1 follows from Remark 3.13 and the second property of $(\varepsilon_1, \varepsilon_2)$-attackers. Items 2–5 all follow from Item 1, because the proofs of the corresponding statements in the previous section only rely (directly or indirectly) on Lemma 3.8. Items 6 and 7 follow from Remark 3.22 and the first property of $(\varepsilon_1, \varepsilon_2)$-attackers. □

Finding Outputs. By Item 4 of Claim 4.4, UnbEve hits Bob's output with probability at least $\rho - 10\varepsilon_2$. By Item 5 of Claim 4.4, the probability that UnbEve asks any red queries is at most $6\varepsilon_2$. Therefore, Eve's output will agree with Bob's output with probability at least $\rho - 10\varepsilon_2 - 6\varepsilon_2 = \rho - 16\varepsilon_2$.

Number of Queries. By Item 7, the expected number of green queries asked by UnbEve is at most $4 n_A n_B/\varepsilon_1$. As also specified in Item 7, the more general upper bound, for an arbitrary parameter $\varepsilon \in [\varepsilon_1, \varepsilon_2]$, holds as well.

Dependencies.
We will use the following definition, which relaxes the notion of self dependency by computing the statistical distance of $(\mathbf{x}, \mathbf{y})$ to the closest product distribution (which might be different from $(\mathbf{x} \times \mathbf{y})$).

Definition 4.5 (Statistical Dependency). For two jointly distributed random variables $(\mathbf{x}, \mathbf{y})$, let the statistical dependency of $(\mathbf{x}, \mathbf{y})$, denoted by $\mathsf{StatDep}(\mathbf{x}, \mathbf{y})$, be the minimum statistical distance of $(\mathbf{x}, \mathbf{y})$ from all product distributions defined over $\mathrm{Supp}(\mathbf{x}) \times \mathrm{Supp}(\mathbf{y})$. More formally:
$$\mathsf{StatDep}(\mathbf{x}, \mathbf{y}) = \inf_{(\mathbf{a} \times \mathbf{b})} \Delta((\mathbf{x}, \mathbf{y}), (\mathbf{a} \times \mathbf{b})),$$
in which $\mathbf{a} \times \mathbf{b}$ ranges over product distributions over $\mathrm{Supp}(\mathbf{x}) \times \mathrm{Supp}(\mathbf{y})$.

By definition, we have $\mathsf{StatDep}(\mathbf{x}, \mathbf{y}) \leq \mathsf{SelfDep}(\mathbf{x}, \mathbf{y})$. The following lemma by [MMP14] shows that the two quantities cannot be too far apart.

Lemma 4.6 (Lemma A.6 in [MMP14]). $\mathsf{SelfDep}(\mathbf{x}, \mathbf{y}) \leq 3 \cdot \mathsf{StatDep}(\mathbf{x}, \mathbf{y})$.

Remark 4.7. We note that $\mathsf{SelfDep}(\mathbf{x}, \mathbf{y})$ can, in general, be larger than $\mathsf{StatDep}(\mathbf{x}, \mathbf{y})$. For instance, consider the following joint distribution over $(\mathbf{x}, \mathbf{y})$ where $\mathbf{x}$ and $\mathbf{y}$ are both Boolean variables: $\Pr[\mathbf{x} = 0, \mathbf{y} = 0] = 1/3$, $\Pr[\mathbf{x} = 1, \mathbf{y} = 0] = 1/3$, $\Pr[\mathbf{x} = 1, \mathbf{y} = 1] = 1/3$, $\Pr[\mathbf{x} = 0, \mathbf{y} = 1] = 0$. It is easy to see that $\mathsf{SelfDep}(\mathbf{x}, \mathbf{y}) = 2/9$, but $\Delta((\mathbf{x}, \mathbf{y}), (\mathbf{a} \times \mathbf{b})) = 1/6 < 2/9$ for the product distribution $(\mathbf{a} \times \mathbf{b})$ defined as follows: $\mathbf{a} \equiv \mathbf{x}$ and $\Pr[\mathbf{b} = 0] = \Pr[\mathbf{b} = 1] = 1/2$.

The following lemma follows from Lemma 2.13 and the definition of statistical dependency.

Lemma 4.8. For jointly distributed $(\mathbf{x}, \mathbf{y})$ and an event $E$ defined over the support of $(\mathbf{x}, \mathbf{y})$, it holds that
$$\mathsf{StatDep}(\mathbf{x}, \mathbf{y}) \leq \Pr_{(\mathbf{x}, \mathbf{y})}[E] + \mathsf{StatDep}((\mathbf{x}, \mathbf{y}) \mid \neg E).$$
We take the notational convention that whenever $\Pr_{(\mathbf{x}, \mathbf{y})}[E] = 0$ we let $\mathsf{StatDep}((\mathbf{x}, \mathbf{y}) \mid \neg E) = 1$.

Proof. Let $(\mathbf{a} \times \mathbf{b})$ be such that $\Delta(((\mathbf{x}, \mathbf{y}) \mid \neg E), (\mathbf{a} \times \mathbf{b})) \leq \delta$.
For the same $(\mathbf{a} \times \mathbf{b})$, by Lemma 2.13 it holds that $\Delta((\mathbf{x}, \mathbf{y}), (\mathbf{a} \times \mathbf{b})) \leq \Pr_{(\mathbf{x}, \mathbf{y})}[E] + \delta$. Therefore
$$\mathsf{StatDep}(\mathbf{x}, \mathbf{y}) = \inf_{(\mathbf{a} \times \mathbf{b})} \Delta((\mathbf{x}, \mathbf{y}), (\mathbf{a} \times \mathbf{b})) \leq \Pr_{(\mathbf{x}, \mathbf{y})}[E] + \inf_{(\mathbf{a} \times \mathbf{b})} \Delta(((\mathbf{x}, \mathbf{y}) \mid \neg E), (\mathbf{a} \times \mathbf{b})) \leq \Pr_{(\mathbf{x}, \mathbf{y})}[E] + \mathsf{StatDep}((\mathbf{x}, \mathbf{y}) \mid \neg E).$$
□

Self-dependency at every fixed round. By Item 2 of Claim 4.4, we get that by running UnbEve we obtain $\mathsf{StatDep}(\mathcal{GV}(M,P)) \leq 2\varepsilon_2$, where $(M,P)$ is the view of UnbEve at the end of the protocol. By Lemma 4.8 we also get:
$$\mathsf{StatDep}(\mathcal{V}(M,P)) \leq \Pr_{\mathcal{E}}[\neg\mathsf{Good} \mid (M,P)] + \mathsf{StatDep}(\mathcal{GV}(M,P)) \leq \Pr_{\mathcal{E}}[\neg\mathsf{Good} \mid (M,P)] + 2\varepsilon_2.$$
Therefore, by Item 3 of Claim 4.4 and Lemma 4.6 we get
$$\begin{aligned}
\mathbb{E}_{(M,P) \leftarrow (\mathbf{M}, \mathbf{P})}[\mathsf{SelfDep}(\mathcal{V}(M,P))] &\leq 3 \cdot \Big(\mathbb{E}_{(M,P) \leftarrow (\mathbf{M}, \mathbf{P})}[\mathsf{StatDep}(\mathcal{V}(M,P))]\Big) \\
&\leq 3 \cdot \Big(\mathbb{E}_{(M,P) \leftarrow (\mathbf{M}, \mathbf{P})}\big[\Pr_{\mathcal{E}}[\neg\mathsf{Good} \mid (M,P)]\big] + 2\varepsilon_2\Big) \\
&\leq 3 \cdot \big(\Pr_{\mathcal{E}}[\neg\mathsf{Good}] + 2\varepsilon_2\big) \leq 3 \cdot 5\varepsilon_2 = 15\varepsilon_2.
\end{aligned}$$
Since the probability of UnbEve asking any red queries is at most $6\varepsilon_2$ (Item 5 of Claim 4.4), when we run Eve it holds that $\mathbb{E}_{(M,P) \leftarrow (\mathbf{M}, \mathbf{P})}[\mathsf{SelfDep}(\mathcal{V}(M,P))]$ increases by at most $6\varepsilon_2$ compared to when running UnbEve. This is because whenever we halt the execution of Eve (which happens with probability at most $6\varepsilon_2$) this can lead to a statistical dependency of $\mathcal{V}(M,P)$ of at most 1. Therefore, if we use Eve instead of UnbEve, it holds that $\mathbb{E}_{(M,P) \leftarrow (\mathbf{M}, \mathbf{P})}[\mathsf{SelfDep}(\mathcal{V}(M,P))] \leq 15\varepsilon_2 + 6\varepsilon_2 = 21\varepsilon_2$.

Simultaneous self-dependencies at all rounds. First note that $0 < \alpha < 1$, $0 < \beta < 1$, and $\alpha \cdot \beta \geq \varepsilon_2$ imply that $\alpha \geq \varepsilon_2$ and $\beta \geq \varepsilon_2$.
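The quantities of Definitions 4.2 and 4.5, worked on the numbers of Remark 4.7, as an added Python computation that is not code from the paper: it computes $\mathsf{SelfDep}$ exactly with rational arithmetic, evaluates the product $\mathbf{a} \times \mathbf{b}$ of the remark, and, as my own device for approximating the infimum in $\mathsf{StatDep}$ over Boolean product distributions, grid-searches Bernoulli pairs for an upper bound that is then checked against Lemma 4.6.

```python
"""Statistical distance, SelfDep (Definition 4.2) and StatDep (Definition 4.5)
on the joint distribution of Remark 4.7.

Added example, not code from the paper. Distributions are dicts mapping
outcomes to exact Fractions, so 2/9 and 1/6 come out exactly.
"""
from fractions import Fraction
from itertools import product as cartesian

Dist = dict  # outcome -> Fraction, summing to 1


def stat_distance(p: Dist, q: Dist) -> Fraction:
    """Delta(p, q) = (1/2) * sum_z |p(z) - q(z)| over the union of supports."""
    keys = set(p) | set(q)
    return sum(abs(p.get(k, Fraction(0)) - q.get(k, Fraction(0))) for k in keys) / 2


def marginals(joint: Dist):
    """Marginal distributions of x and y from a joint distribution on pairs."""
    mx, my = {}, {}
    for (x, y), pr in joint.items():
        mx[x] = mx.get(x, Fraction(0)) + pr
        my[y] = my.get(y, Fraction(0)) + pr
    return mx, my


def product_dist(a: Dist, b: Dist) -> Dist:
    """The product distribution (a x b): independent samples of a and b."""
    return {(x, y): pa * pb for x, pa in a.items() for y, pb in b.items()}


def self_dep(joint: Dist) -> Fraction:
    """SelfDep(x, y) = Delta((x, y), (x x y)), with x, y the marginals of joint."""
    mx, my = marginals(joint)
    return stat_distance(joint, product_dist(mx, my))


def stat_dep_boolean(joint: Dist, steps: int = 60) -> Fraction:
    """Upper bound on StatDep(x, y) for Boolean x, y (my grid-search device,
    not the paper's method): the minimum of Delta((x, y), (a x b)) over
    Bernoulli a, b with Pr[a=0], Pr[b=0] in {0, 1/steps, ..., 1}.
    The true infimum is at most this grid minimum."""
    best = Fraction(1)
    for i, j in cartesian(range(steps + 1), repeat=2):
        a = {0: Fraction(i, steps), 1: Fraction(steps - i, steps)}
        b = {0: Fraction(j, steps), 1: Fraction(steps - j, steps)}
        best = min(best, stat_distance(joint, product_dist(a, b)))
    return best


# The joint distribution of Remark 4.7 (Pr[x=0, y=1] = 0 is simply absent).
REMARK_4_7 = {
    (0, 0): Fraction(1, 3),
    (1, 0): Fraction(1, 3),
    (1, 1): Fraction(1, 3),
}


def remark_4_7_values():
    """Returns (SelfDep, Delta to the remark's a x b, grid bound on StatDep)."""
    mx, _ = marginals(REMARK_4_7)                 # a = x, i.e. Pr[a=0] = 1/3
    b = {0: Fraction(1, 2), 1: Fraction(1, 2)}    # b uniform, as in the remark
    return (self_dep(REMARK_4_7),
            stat_distance(REMARK_4_7, product_dist(mx, b)),
            stat_dep_boolean(REMARK_4_7))


if __name__ == "__main__":
    sd, d_ab, sd_bound = remark_4_7_values()
    print(f"SelfDep = {sd}, Delta to (a x b) = {d_ab}, grid StatDep bound = {sd_bound}")
    # Lemma 4.6 sanity check: SelfDep <= 3 * StatDep <= 3 * (grid bound).
    assert sd <= 3 * sd_bound
```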
By Item 3 of Claim 4.4, when we run UnbEve it holds that $\Pr_E[\mathrm{Fail}] \le 3\varepsilon_2 \le 3\alpha\beta$, so by Lemma 2.7 we conclude that with probability at least $1 - 3\alpha$, during the execution of the protocol the probability of Fail (and thus the probability of $\neg\mathrm{Good}(M, P)$) conditioned on Eve's view always remains at most $\beta$. Therefore, by Item 2 of Claim 4.4 and Lemma 4.8, with probability at least $1 - 3\alpha$ the following holds at the end of every round (where $(M, P)$ is Eve's view at the end of that round):
$$\mathrm{StatDep}(\mathcal{V}(M, P)) \le \Pr_E[\neg\mathrm{Good} \mid (M, P)] + \mathrm{StatDep}(\mathcal{GV}(M, P)) \le \beta + 2\varepsilon_2 \le 3\beta.$$
Using Lemma 4.6 we obtain the bound $\mathrm{SelfDep}(\mathcal{V}(M, P)) \le 9\beta$. Since the probability of UnbEve asking any red query is at most $6\varepsilon_2$, by a union bound we conclude that with probability at least $1 - 3\alpha - 6\varepsilon_2 \ge 1 - 9\alpha$ we still get $\mathrm{SelfDep}(\mathcal{V}(M, P)) \le 9\beta$ at the end of every round, even when we run Eve instead of UnbEve.

Simultaneous lightness at all rounds. As shown in the previous item, for such $\alpha, \beta$, with probability at least $1 - 9\alpha$ it holds that during the execution of the protocol the probability of Fail (and thus the probability of $\neg\mathrm{Good}(M, P)$) conditioned on Eve's view always remains at most $\beta$. Now suppose $(M, P)$ is the view of Eve at the end of some round where $\Pr_{\mathcal{V}(M, P)}[\neg\mathrm{Good}(M, P)] \le \beta$. By the second property of $(\varepsilon_1, \varepsilon_2)$-attackers, it holds that
$$\Pr_{(V_A, V_B) \leftarrow \mathcal{V}(M, P)}[q \in Q(V_A)] \le \Pr_{\mathcal{V}(M, P)}[\neg\mathrm{Good}(M, P)] + \Pr_{(V_A, V_B) \leftarrow \mathcal{GV}(M, P)}[q \in Q(V_A)] \le \beta + \varepsilon_2 / n_B.$$
The same proof shows that a similar statement holds for Bob.

Dependency and lightness at every fixed round. Let $(W_A, W_B) \equiv \mathcal{GV}(M, P)$. The product distribution we are looking for will be $W_A \times W_B$. When we run UnbEve, by Lemma 3.6 it holds that $E_{(M, P)}[\Delta((W_A, W_B), \mathcal{V}(M, P))] \le 3\varepsilon_2$, because otherwise the probability of Fail would be more than $3\varepsilon_2$. Also, by Corollary 3.14 it holds that $\mathrm{StatDep}((W_A, W_B)) \le 2\varepsilon_2$, and so by Lemma 4.6 it holds that $\mathrm{SelfDep}((W_A, W_B)) = \Delta((W_A, W_B), (W_A \times W_B)) \le 6\varepsilon_2$. Thus, by the triangle inequality, when we run UnbEve we get
$$\mathop{E}_{(M, P)}\big[\Delta((W_A \times W_B), \mathcal{V}(M, P))\big] \le 3\varepsilon_2 + 6\varepsilon_2 = 9\varepsilon_2.$$
By Claim 3.20, the upper bound of $9\varepsilon_2$ can increase by at most $6\varepsilon_2$ when we modify UnbEve into Eve (by not asking red queries). This proves the first part. To prove the second part, again we use Claim 3.20, which bounds the probability of asking a red query by $6\varepsilon_2$. Also, as long as we do not halt Eve (i.e., no red query is asked), Eve and UnbEve behave identically, and the lightness claims hold for UnbEve by the definition of the attacker UnbEve.

4.2 Removing the Rationality Condition

In this subsection we show that all the results of this paper, except the graph characterization of Lemma 3.8, hold even with respect to random oracles that are not necessarily rational according to Definition 2.2. We will show that a variant of Lemma 3.8, which is sufficient for all of our applications, still holds. In the following, by an irrational random oracle we refer to a random oracle that satisfies Definition 2.2 except that its probabilities might not be rational.

Lemma 4.9 (Characterization of $\mathcal{V}(M, P)$). Let $H$ be an irrational oracle, let $M$ be the sequence of messages sent between Alice and Bob so far, and let $P$ be the set of oracle query-answer pairs known to Eve (who uses parameter $\varepsilon$) by the end of the round in which the last message in $M$ is sent. Also suppose $\Pr_{\mathcal{V}(M, P)}[\mathrm{Good}(M, P)] > 0$. Let $(V_A, V_B)$ be the joint view of Alice and Bob as sampled from $\mathcal{GV}(M, P)$, and let $U_A = \mathrm{Supp}(V_A)$, $U_B = \mathrm{Supp}(V_B)$. Let $G = (U_A, U_B, E)$ be the bipartite graph with vertex sets $U_A, U_B$ that connects $u_A \in U_A$ to $u_B \in U_B$ if and only if $Q(u_A) \cap Q(u_B) \subseteq Q(P)$. Then there exist a distribution $\mathbf{U}_A$ over $U_A$ and a distribution $\mathbf{U}_B$ over $U_B$ such that:

1. For every vertex $u \in U_A$, it holds that $\Pr_{v \leftarrow \mathbf{U}_B}[u \not\sim v] \le 2\varepsilon$, and similarly for every vertex $u \in U_B$, it holds that $\Pr_{v \leftarrow \mathbf{U}_A}[u \not\sim v] \le 2\varepsilon$.

2. The distribution $(V_A, V_B) \leftarrow \mathcal{GV}(M, P)$ is identical to: sampling $u \leftarrow \mathbf{U}_A$ and $v \leftarrow \mathbf{U}_B$ conditioned on $u \sim v$, and outputting the views corresponding to $u$ and $v$.

Proof Sketch. The distributions $\mathbf{U}_A$ and $\mathbf{U}_B$ are in fact the same as the distributions $\mathbf{A}$ and $\mathbf{B}$ of Lemma 3.9. The rest of the proof is identical to that of Lemma 3.8, but without any vertex repetition. In fact, repetition of vertices (to make the distributions uniform) can no longer necessarily be done, because of the irrationality of the probabilities. Here we explain the alternative parameter that takes the role of $|E_{\not\sim}(u)| / |E|$. For $u \in U_A$, let $q_{\not\sim}(u)$ be the probability that, when we sample an edge $e \leftarrow (V_A, V_B)$, the vertex $u$ is not connected to the Bob endpoint of $e$ (i.e., $u$ cannot play the role of Alice's view in $e$), and define $q_{\not\sim}(u)$ for $u \in U_B$ similarly. It can be verified, by the very same argument as in Lemma 3.8, that $q_{\not\sim}(u) \le \varepsilon$ for every vertex $u$ in $G$. The other steps of the proof remain the same.

The characterization of $\mathcal{V}(M, P)$ by Lemma 4.9 can be used to derive Corollary 3.14 directly (using the same distributions $\mathbf{U}_A$ and $\mathbf{U}_B$). Remark 3.13 also holds with respect to Lemma 4.9. Here we show how to derive Lemma 3.7; the rest of the results then follow immediately.

Proving Lemma 3.7. Again, we prove Lemma 3.7 even conditioned on choosing any vertex $v$ that describes Bob's view. For such a vertex $v$, the distribution of Alice's view when we choose a random edge $(u, v') \leftarrow (V_A, V_B)$ conditioned on $v' = v$ is the same as choosing $u \leftarrow \mathbf{U}_A$ conditioned on $u \sim v$. Let us call this distribution $\mathbf{U}_A^{v}$. Let $S = \{u \in U_A \mid q \in A_u\}$, where $q$ is the next query of Bob as specified by $v$. Let $p(S) = \sum_{u \in S} \Pr[\mathbf{U}_A = u]$, $q(S) = \Pr_{(u, v) \leftarrow (V_A, V_B)}[u \in S]$, and let $p(E) = \Pr_{u \leftarrow \mathbf{U}_A, v \leftarrow \mathbf{U}_B}[u \sim v]$. Also let $p_{\sim}(v) = \sum_{u \sim v} \Pr[\mathbf{U}_A = u]$. Then we have:
$$\Pr_{u \leftarrow \mathbf{U}_A^{v}}[q \in A_u] \le \frac{p(S)}{p_{\sim}(v)} \le \frac{p(S)}{1 - 2\varepsilon} \le \frac{p(S)}{(1 - 2\varepsilon) \cdot p(E)} \le \frac{q(S)}{(1 - 2\varepsilon)^2} \le \frac{\varepsilon}{(1 - 2\varepsilon)^2 \cdot n_B} < \frac{3\varepsilon}{2 n_B}.$$
The second inequality is due to the degree lower bound of Item 1 in Lemma 4.9, which gives $p_{\sim}(v) \ge 1 - 2\varepsilon$. The third inequality holds because $p(E) \le 1$. The fourth inequality is again due to the degree lower bound of Item 1: since $q(S) = \sum_{u \in S} \Pr[\mathbf{U}_A = u] \cdot \Pr_{v \leftarrow \mathbf{U}_B}[u \sim v] / p(E) \ge (1 - 2\varepsilon) \cdot p(S) / p(E)$, we get $p(S) / ((1 - 2\varepsilon) \cdot p(E)) \le q(S) / (1 - 2\varepsilon)^2$. The fifth inequality is because of the definition of the attacker Eve, who asks all $\varepsilon / n_B$-heavy queries for Alice's view when sampled from $\mathcal{GV}(M, P)$, as long as such queries exist. The sixth inequality is because we are assuming $\varepsilon < 1/10$.

Acknowledgement. We thank Russell Impagliazzo for very useful discussions and the anonymous reviewers for their valuable comments.

References

[BBE92] Charles H. Bennett, Gilles Brassard, and Artur K. Ekert, Quantum cryptography, Scientific American 267 (1992), no. 4, 50–57.

[BGI08] Eli Biham, Yaron J. Goren, and Yuval Ishai, Basing weak public-key cryptography on strong one-way functions, TCC (Ran Canetti, ed.), Lecture Notes in Computer Science, vol. 4948, Springer, 2008, pp. 55–72.

[BHK+11] Gilles Brassard, Peter Høyer, Kassem Kalach, Marc Kaplan, Sophie Laplante, and Louis Salvail, Merkle puzzles in a quantum world, CRYPTO (Phillip Rogaway, ed.), Lecture Notes in Computer Science, vol. 6841, Springer, 2011, pp. 391–410.

[BKSY11] Zvika Brakerski, Jonathan Katz, Gil Segev, and Arkady Yerukhimovich, Limits on the power of zero-knowledge proofs in cryptographic constructions, TCC (Yuval Ishai, ed.), Lecture Notes in Computer Science, vol. 6597, Springer, 2011, pp. 559–578.
[BMG09] Boaz Barak and Mohammad Mahmoody-Ghidary, Merkle puzzles are optimal - an $O(n^2)$-query attack on any key exchange from a random oracle, CRYPTO (Shai Halevi, ed.), Lecture Notes in Computer Science, vol. 5677, Springer, 2009, pp. 374–390.

[BR93] Mihir Bellare and Phillip Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, ACM Conference on Computer and Communications Security, 1993, pp. 62–73.

[BS08] Gilles Brassard and Louis Salvail, Quantum Merkle puzzles, International Conference on Quantum, Nano and Micro Technologies (ICQNM), IEEE Computer Society, 2008, pp. 76–79.

[CGH04] Ran Canetti, Oded Goldreich, and Shai Halevi, The random oracle methodology, revisited, Journal of the ACM 51 (2004), no. 4, 557–594.

[Cle86] Richard Cleve, Limits on the security of coin flips when half the processors are faulty (extended abstract), Annual ACM Symposium on Theory of Computing (Berkeley, California), 28–30 May 1986, pp. 364–369.

[DH76] Whitfield Diffie and Martin Hellman, New directions in cryptography, IEEE Transactions on Information Theory IT-22 (1976), no. 6, 644–654.

[DSLMM11] Dana Dachman-Soled, Yehuda Lindell, Mohammad Mahmoody, and Tal Malkin, On the black-box complexity of optimally-fair coin tossing, TCC (Yuval Ishai, ed.), Lecture Notes in Computer Science, vol. 6597, Springer, 2011, pp. 450–467.

[GGKT05] Rosario Gennaro, Yael Gertner, Jonathan Katz, and Luca Trevisan, Bounds on the efficiency of generic cryptographic constructions, SIAM Journal on Computing 35 (2005), no. 1, 217–246.

[Gro96] Lov K. Grover, A fast quantum mechanical algorithm for database search, Annual ACM Symposium on Theory of Computing (STOC), 22–24 May 1996, pp. 212–219.

[HHRS07] Iftach Haitner, Jonathan J. Hoch, Omer Reingold, and Gil Segev, Finding collisions in interactive protocols – A tight lower bound on the round complexity of statistically-hiding commitments, Annual IEEE Symposium on Foundations of Computer Science (FOCS), IEEE, 2007, pp. 669–679.

[Hol15] Thomas Holenstein, Complexity theory, 2015, http://www.complexity.ethz.ch/education/Lectures/ComplexityFS15/skript_printable.pdf.

[HOZ13] Iftach Haitner, Eran Omri, and Hila Zarosim, Limits on the usefulness of random oracles, Theory of Cryptography, TCC (Amit Sahai, ed.), Lecture Notes in Computer Science, vol. 7785, Springer, 2013, pp. 437–456.

[IR89] Russell Impagliazzo and Steven Rudich, Limits on the provable consequences of one-way permutations, Annual ACM Symposium on Theory of Computing (STOC), 1989, pp. 44–61. Full version available from Russell Impagliazzo's home page, https://cseweb.ucsd.edu/~russell/secret.ps.

[KSY11] Jonathan Katz, Dominique Schröder, and Arkady Yerukhimovich, Impossibility of blind signatures from one-way permutations, TCC (Yuval Ishai, ed.), Lecture Notes in Computer Science, vol. 6597, Springer, 2011, pp. 615–629.

[Mer74] Ralph C. Merkle, C.S. 244 project proposal, http://merkle.com/1974/, 1974.

[Mer78] Ralph C. Merkle, Secure communications over insecure channels, Communications of the ACM 21 (1978), no. 4, 294–299.

[MMP14] Mohammad Mahmoody, Hemanta K. Maji, and Manoj Prabhakaran, Limits of random oracles in secure computation, Proceedings of the 5th Conference on Innovations in Theoretical Computer Science (ITCS), ACM, 2014, pp. 23–34.

[MMV11] Mohammad Mahmoody, Tal Moran, and Salil P. Vadhan, Time-lock puzzles in the random oracle model, CRYPTO (Phillip Rogaway, ed.), Lecture Notes in Computer Science, vol. 6841, Springer, 2011, pp. 39–50.

[MP12] Mohammad Mahmoody and Rafael Pass, The curious case of non-interactive commitments - on the power of black-box vs. non-black-box use of primitives, CRYPTO (Reihaneh Safavi-Naini and Ran Canetti, eds.), Lecture Notes in Computer Science, vol. 7417, Springer, 2012, pp. 701–718.

[RSA78] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM 21 (1978), no. 2, 120–126.

[RTV04] Omer Reingold, Luca Trevisan, and Salil P. Vadhan, Notions of reducibility between cryptographic primitives, TCC (Moni Naor, ed.), Lecture Notes in Computer Science, vol. 2951, Springer, 2004, pp. 1–20.