Computationally Differentially Private Inner Product Protocols Imply Oblivious Transfer

TL;DR

This paper demonstrates that any computationally differentially private protocol estimating the inner product with sub-polynomial error inherently requires oblivious transfer, establishing a fundamental link between privacy, accuracy, and cryptographic primitives.

Contribution

It proves that for inner product estimation with certain accuracy, oblivious transfer is necessary, bridging a gap in understanding the cryptographic requirements of differential privacy.

Findings

Protocols with sub-polynomial accuracy imply oblivious transfer.

Any protocol estimating inner product with error O(n^{1/6}) can be used to construct oblivious transfer.

Improves previous results by showing necessity of oblivious transfer for certain accuracy regimes.

Abstract

In distributed differential privacy, multiple parties collaborate to analyze their combined data while each party protects the confidentiality of its data from the others. Interestingly, for certain fundamental two-party functions, such as the inner product and Hamming distance, the accuracy of distributed solutions significantly lags behind what can be achieved in the centralized model. For computational differential privacy, however, these limitations can be circumvented using oblivious transfer (used to implement secure multi-party computation). Yet, no results show that oblivious transfer is indeed necessary for accurately estimating a non-Boolean functionality. In particular, for the inner-product functionality, it was previously unknown whether oblivious transfer is necessary even for the best possible constant additive error. In this work, we prove that any computationally differentially private protocol that estimates the inner product over $\{-1,1\}^n \times \{-1,1\}^n$ up to an additive error of $O(n^{1/6})$, can be used to construct oblivious transfer. In particular, our result implies that protocols with sub-polynomial accuracy are equivalent to oblivious transfer. In this accuracy regime, our result improves upon Haitner, Mazor, Silbak, and Tsfadia [STOC '22], who showed that a key-agreement protocol is necessary.