Privacy Reductions
5 views
Skip to first unread message
Yuval Madar
Jun 18, 2011, 12:27:03 PM6/18/11
to Weizmann Foundations of Cryptography 2011
Unless I missed something, it appears to me that privacy reductions,
as defined in definition 7.3.2, allow non-polynomial invocations of
the oracle. (Although each invocation is required to get polynomially-
sized inputs)
as defined in definition 7.3.2, allow non-polynomial invocations of
the oracle. (Although each invocation is required to get polynomially-
sized inputs)
Ron Rothblum
Jun 18, 2011, 1:46:39 PM6/18/11
to weizmann...@googlegroups.com
Hi Yuval,
We think of each oracle invocation as a single execution step. Therefore the limiting factor is the use of the reduction - i.e. if we want the parties to run in polynomial-time then they can only invoke the oracle a polynomial number of times.
Does that help clarify?
Ron
We think of each oracle invocation as a single execution step. Therefore the limiting factor is the use of the reduction - i.e. if we want the parties to run in polynomial-time then they can only invoke the oracle a polynomial number of times.
Does that help clarify?
Ron
Yuval Madar
Jun 19, 2011, 4:48:51 PM6/19/11
to Weizmann Foundations of Cryptography 2011
Partially.
How are exponential time privacy reductions interesting?
Specifically, the last reduction we performed in the last exercise
(Following the suggestion in the book) is worst-case exponential time
(Though polynomial time on average) - if we keep failing at the OT
experiment. What makes this reduction interesting?
How are exponential time privacy reductions interesting?
Specifically, the last reduction we performed in the last exercise
(Following the suggestion in the book) is worst-case exponential time
(Though polynomial time on average) - if we keep failing at the OT
experiment. What makes this reduction interesting?
Ron Rothblum
Jun 19, 2011, 6:36:15 PM6/19/11
to weizmann...@googlegroups.com
Notice that the protocol in the hint takes more than n trials only with exponentially vanishing probability. In this case we can even get rid of this annoyance by changing the protocol so that after n trials the messages are sent in the clear. Functionality and running time are ok and privacy is maintained since our change only takes effect with exponentially vanishing probability (I suggest to think how to prove this formally).
Also let me mention that algorithms that runs in expected polynomial-time are of interest in cryptography and complexity even when we can't bound the worst case running time.
Ron
Also let me mention that algorithms that runs in expected polynomial-time are of interest in cryptography and complexity even when we can't bound the worst case running time.
Ron
Reply all
Reply to author
Forward
0 new messages