1 Introduction

Key-agreement protocols [DH76] allow two parties, Alice and Bob, to agree on a shared private key by communicating over an insecure public channel. Security requires that no (efficient) eavesdropper can learn the key from the transcript. In an early work, Merkle [Mer78] proposed an ingenious key-agreement protocol, known as Merkle’s Puzzles, as follows.

Protocol 1

(Merkle’s Puzzles). Let \(f:[N]\rightarrow [M]\) be a cryptographic hash function and let \(\ell \) be a parameter measuring the query complexity of this protocol. Alice and Bob first agree on a set \( W \subseteq [N]\) of size \(\ell ^2\). Then, at the beginning of the protocol, Alice makes \(\ell \) random queries in W, i.e., \(f(w_{1}),\dots ,f(w_{\ell })\). Similarly, Bob makes another \(\ell \) random queries \(f(w_{1}'),\dots ,f(w_{\ell }')\). By the birthday paradox, there is a good chance that \(\{w_{1},\dots ,w_{\ell }\}\cap \{w_{1}',\dots ,w_{\ell }'\} \ne \emptyset \). Alice then sends \(z_1 = f(w_{1}),\dots , z_{\ell } = f(w_{\ell })\) to Bob, and Bob checks if there is a \(w_{j}'\) in his query such that \(f(w_{j}')= z_i\) for some \(i\in [\ell ]\). If such a pair \((w_{j}', z_i)\) exists, then Bob sends \(z_i\) back to Alice and sets \(w_{j}'\) as his key; otherwise, Bob aborts. Finally, according to \(z_i\), Alice chooses \(w_{i}\) as her key.

As long as the function f is collision-free on W, Alice and Bob will agree on the same key with high probability. In terms of security, if f is modeled as a random function, we can show that any eavesdropper that breaks this protocol with constant probability has to query a constant fraction of inputs in W; consequently, the query complexity of any eavesdropper must be \(\varOmega (\ell ^2)\).

On the other hand, Impagliazzo and Rudich [IR89], followed by Barak and Mahmoody [BMG09], showed that key agreement is essentially a public-key primitive and is unlikely to be based only on hardness assumptions for symmetric cryptography: any key-agreement protocol guarantees only limited security as long as the symmetric hardness is used in a black-box way. Specifically, they studied key-agreement protocols in the random oracle model (ROM). In the ROM, all parties, including the eavesdropper, have oracle access to a random function \(f: [N] \rightarrow [M]\), which is an idealization of symmetric primitives such as a collision-resistant hash function. The efficiency of a party is measured by the number of queries it makes to the oracle (in the worst case). [IR89] proved that any key-agreement protocol in the ROM in which each party makes \(\ell \) queries can be attacked by an eavesdropper with \(O(\ell ^6)\) queries. [BMG09] further improved the efficiency of the eavesdropper to \(O(\ell ^2)\) queries. This result indicates that Merkle’s Puzzles is optimal in terms of the number of oracle queries, since it achieves quadratic security. Despite its limited security, the complexity of key-agreement protocols in the ROM remains an interesting question in fine-grained cryptography. A long line of research has studied the limitations and possibilities of key-agreement protocols in the ROM, in the classical setting [DH76, Mer78, IR89, BMG09, HMO+19, ACMS23], the distributed setting [DH21] and the quantum setting [ACC+22].

Besides oracle queries, another important cost in key-agreement protocols is the communication cost between Alice and Bob. The communication complexity of (multi-party) protocols, such as key-agreement, optimally-fair coin tossing, statistically hiding commitment schemes, and multi-party computation, has garnered considerable attention recently [DSLMM11, HHRS15, HMO+19, Cou19, AHMS20, CN22].

In this paper, we focus on the communication complexity of key-agreement protocols, a problem initiated by Haitner et al. [HMO+19]. Concretely, they observed that the communication complexity of Merkle’s Puzzles is also \(\widetilde{\varOmega }(\ell )\) (see footnote 1), and they conjectured that high communication cost is unavoidable.

Conjecture 1

([HMO+19], informal). Let \(\varPi = (\textsf{A}, \textsf{B})\) be a key-agreement protocol such that:

  1. \(\textsf{A}\) and \(\textsf{B}\) agree on the same key with high probability;
  2. \(\textsf{A}\) and \(\textsf{B}\) each make at most \(\ell \) queries to the random function (oracle);
  3. \(\varPi \) is secure against any adversary with q queries to the random oracle.

Then \(\textsf{A}\) and \(\textsf{B}\) must communicate \(\varOmega (q / \ell )\) bits.

As we discussed, Merkle’s puzzle matches the lower bound in this conjecture for \(q = \varTheta (\ell ^2)\). For \(q = o(\ell ^2)\), an asymmetric version of Merkle’s puzzle also matches this lower bound.

Protocol 2

(Asymmetric version of Merkle’s Puzzles). Alice and Bob first fix a domain W of size q. Then Alice makes \(c:=q/\ell \) random queries in W and sends the resulting hash values to Bob. Bob also makes \(\ell \) random queries (in W) and checks whether there is a common query, exactly as in the original Merkle’s Puzzles.
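As an added illustration (this code is not from the paper), the following Python simulates Protocol 2 with both parties' messages and a brute-force eavesdropper; Protocol 1 is the special case \(c = \ell \) and \(|W| = \ell ^2\). The oracle is instantiated as salted SHA-256 truncated to 64 bits so that collisions on W are negligible, and it counts every party's queries. The parameter values, the function names and the choice of SHA-256 are this example's own assumptions.

```python
import hashlib
import random

# Toy instantiation (constructed for this example, not from the paper): the oracle
# f:[N]->[M] is SHA-256 keyed by a per-execution salt and truncated to M_BITS bits,
# so every run sees a fresh pseudo-random function. Everyone, Eve included, can
# only learn f by querying it, and the oracle counts each party's queries.
N_BITS = 20            # [N] = {0, ..., 2^20 - 1}
M_BITS = 64            # 64-bit digests: collisions on a domain of size q are negligible


class CountingOracle:
    def __init__(self, salt: bytes):
        self.salt = salt
        self.queries = {"A": 0, "B": 0, "E": 0}

    def f(self, who: str, w: int) -> int:
        self.queries[who] += 1
        d = hashlib.sha256(self.salt + w.to_bytes(4, "big")).digest()
        return int.from_bytes(d[: M_BITS // 8], "big")


def run_protocol(c: int, ell: int, q: int, seed: int) -> dict:
    """Protocol 2: Alice makes c queries, Bob ell queries, both in a public domain W
    of size q. Protocol 1 is the special case c = ell, q = ell**2."""
    rng = random.Random(seed)
    oracle = CountingOracle(seed.to_bytes(8, "big"))
    W = rng.sample(range(1 << N_BITS), q)     # agreed in the clear, so Eve knows W

    # Alice: c random queries in W; the digests z_1..z_c are her message to Bob.
    alice_w = rng.sample(W, c)
    z = [oracle.f("A", w) for w in alice_w]

    # Bob: ell random queries in W; he looks for a digest that occurs in z.
    bob_w = rng.sample(W, ell)
    bob_digests = {oracle.f("B", w): w for w in bob_w}
    key_a = key_b = reply = None
    for i, z_i in enumerate(z):
        if z_i in bob_digests:            # common query found (f is collision-free on W)
            reply, key_b, key_a = z_i, bob_digests[z_i], alice_w[i]
            break                         # Bob echoes z_i; Alice recovers w_i from it

    # Eve sees (z, reply) and W. She inverts the echoed digest by brute force over W,
    # which costs q/2 oracle queries on average and at most q.
    eve_key = None
    if reply is not None:
        for w in rng.sample(W, len(W)):
            if oracle.f("E", w) == reply:
                eve_key = w
                break

    return {
        "aborted": reply is None,
        "agree": key_a is not None and key_a == key_b,
        "eve_wins": eve_key is not None and eve_key == key_a,
        "comm_digests": len(z) + (0 if reply is None else 1),   # bits = this * M_BITS
        "queries": dict(oracle.queries),
    }


if __name__ == "__main__":
    print("Merkle (c = ell = 10, q = 100):", run_protocol(10, 10, 100, seed=1))
    print("asymmetric (c = 4, ell = 25, q = 100):", run_protocol(4, 25, 100, seed=1))
```

The two calls in the `__main__` block make the trade-off visible: with \(q = 100\) the eavesdropper needs up to 100 queries in both runs, but the asymmetric run has Alice send only 4 digests instead of 10, at the price of Bob making 25 queries instead of 10.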

[HMO+19] partly tackled this conjecture for two types of key-agreement protocols. We say a protocol is non-adaptive if both parties choose all their queries at the beginning of the protocol (before querying the oracle and communicating); that is, their queries are determined by their internal randomness. Haitner et al. [HMO+19] proved that for any protocol \(\varPi = (\textsf{A}, \textsf{B})\) that satisfies the conditions in Conjecture 1:

  • If \(\varPi \) is non-adaptive and has only two rounds, \(\textsf{A}\) and \(\textsf{B}\) must exchange \(\varOmega (q / \ell )\) bits.

  • If the queries are uniformly sampled, then \(\textsf{A}\) and \(\textsf{B}\) must communicate \(\varOmega (q^2/\ell ^3)\) bits.

Note that protocols with uniform queries are also special non-adaptive protocols.

In this paper, we affirm Conjecture 1 for non-adaptive protocols with perfect completeness, i.e., Alice and Bob agree on the same key with probability 1. Specifically, we prove the following theorem.

Theorem 3

(Informal). Let \(\varPi = \left( \textsf{A}, \textsf{B}\right) \) be a non-adaptive key-agreement protocol such that:

  1. \(\textsf{A}\) and \(\textsf{B}\) agree on the same key with probability 1;
  2. \(\textsf{A}\) and \(\textsf{B}\) each make at most \(\ell \) queries to the random oracle;
  3. \(\varPi \) is secure against any adversary with q queries to the random oracle.

Then \(\textsf{A}\) and \(\textsf{B}\) must communicate \(\varOmega (q / \ell )\) bits.

Our proof is built on the density increment argument introduced by Yang and Zhang [YZ22, YZ23], which they used to prove communication lower bounds for the unique disjointness problem. Looking at our main theorem carefully, we acknowledge two non-trivial requirements in our statement: non-adaptivity and perfect completeness. However, these limitations are not inherent in this method. Therefore, we are optimistic that our method has a good chance to overcome these two limitations; more details will be discussed in Sect. 1.2.

It is worth noting that Mazor [Maz23] recently devised a non-adaptive protocol with perfect completeness and quadratic security guarantee. We observed that this protocol, with minor adjustments, allows a trade-off between communication and security in a similar fashion to Protocol 2. Our result shows that Mazor’s construction is optimal among non-adaptive protocols with perfect completeness.

1.1 Proof Overview

Now we give a high-level overview of our proof. Since the execution of key-agreement protocols and the attacking process involve many random variables, we first explain our notations.

  • We use bold and uppercase letters for random variables and corresponding regular letters for samples and values, such as \(f, r_A, r_B, Q_A, Q_B, \tau , Q_E\) and \(f_E\) (uppercase for sets and lowercase for elements and functions).

  • Let \(\boldsymbol{F}\) be the RO that the parties have access to, which is a random function from [N] to [M]. Moreover, let \(\boldsymbol{R}_A, \boldsymbol{R}_B\) be Alice’s and Bob’s internal randomness. \((\boldsymbol{R}_A, \boldsymbol{R}_B, \boldsymbol{F})\) determines the entire execution of key-agreement protocols.

  • Let \(\boldsymbol{Q}_A,\boldsymbol{Q}_B\subseteq [N]\) be the queries made by Alice and Bob in the execution, respectively. Notice that \(\boldsymbol{Q}_A,\boldsymbol{Q}_B\) are fully determined by \(\boldsymbol{R}_A, \boldsymbol{R}_B\) for non-adaptive protocols. \(\boldsymbol{Q}_A\) and \(\boldsymbol{Q}_B\) are usually ordered sets since Alice and Bob make oracle queries one at a time. For notational convenience, we sometimes regard \(\boldsymbol{Q}_A\) and \(\boldsymbol{Q}_B\) as unordered sets.

  • Let \(\boldsymbol{T}\) be the communication transcript between Alice and Bob. Notice that \(\boldsymbol{T}\) is observed by the attacker Eve.

  • Let \(\boldsymbol{Q}_E \subseteq [N]\) be Eve’s queries. Let \(\boldsymbol{F}_E=\boldsymbol{F}(\boldsymbol{Q_E})\) be Eve’s observations of the random oracle \(\boldsymbol{F}\). We interpret \(\boldsymbol{F}_{E}\) as a partial function: for every \(x\in \boldsymbol{Q}_{E}\), \(\boldsymbol{F}_E(x) = \boldsymbol{F}(x)\); for all other x, \(\boldsymbol{F}_{E}(x) = \bot \).

To study the security of key-agreement protocols, Impagliazzo and Rudich [IR89] observed that the advantage of Alice and Bob over Eve mainly comes from their intersection queries which have not been queried by Eve, i.e., the knowledge from \((\boldsymbol{Q}_A\cap \boldsymbol{Q}_B) \setminus \boldsymbol{Q}_E\) and \(\boldsymbol{F}((\boldsymbol{Q}_A\cap \boldsymbol{Q}_B) \setminus \boldsymbol{Q}_E)\). Based on this insight, they devised an attacker that aims to guess (and query) the set \((\boldsymbol{Q}_A\cap \boldsymbol{Q}_B)\). In order to learn intersection queries more efficiently, [BMG09] introduced the notion of heavy query. Given Eve’s current observation, which consists of a transcript \(\tau \) and a partial function \(f_E\), an input \(w \in [N] \setminus Q_E\) is said to be \(\varepsilon \)-heavy with respect to \((\tau ,f_E)\) if

$$ \textbf{Pr}[w\in (\boldsymbol{Q}_A\cap \boldsymbol{Q}_B) ~|~ \tau , f_E]\ge \varepsilon . $$

Now we give an informal description of Eve’s strategy (see footnote 2):

  • Stage I. Eve checks whether there exists a heavy query conditioned on the transcript \(\tau \) and her observations \(f_E\) of the random oracle. If so, she queries it, updates \(f_E\), and repeats until no heavy query remains.

  • Stage II. Eve simulates Alice and Bob based on the observed information and outputs Alice’s key in her simulation. In other words, Eve simply outputs a sample from the distribution of Alice’s key conditioned on the observed information.

Suppose that Alice and Bob each make at most \(\ell \) queries and set \(\varepsilon = \varTheta (1 / \ell )\). A standard argument shows that Stage I stops within \(O(\ell /\varepsilon ) = O(\ell ^2)\) queries. One can also show that \(\varOmega (\ell ^2)\) queries are inevitable in order to clean up all heavy queries (Stage I). This querying process does not exploit any connection to communication complexity.

Our Approach. Our main observation is that if Alice and Bob communicate too little, they cannot utilize their common queries and thus have no advantage over Eve! Hence, we focus on queries correlated with the transcript \(\tau \) instead of all intersection queries. With this in mind, we introduce correlated query as a refined notion of heavy query.

Definition 1 (\(\varepsilon \)-correlated set, informal; see Definition 3)

Eve’s view consists of a transcript \(\tau \) and a partial function \(f_E\). We say a set \(S =\{w_1,\dots ,w_r\} \subseteq [N]\) is \(\varepsilon \) -correlated with respect to \((\tau , f_E)\) if

$$ \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(w_1),\dots ,\boldsymbol{F}(w_r)\,\,|\,\,\boldsymbol{R}_A, \boldsymbol{R}_B, f_E \right) -\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(w_1),\dots ,\boldsymbol{F}(w_r)\,\,|\,\,\boldsymbol{R}_A, \boldsymbol{R}_B, f_E, \tau \right) \ge \varepsilon , $$

where \(\mathop {\mathrm {\textbf{H}}}\limits (\cdot )\) denotes the Shannon entropy.

From now on we use \(\boldsymbol{F}(S)\) to denote \(\left( \boldsymbol{F}(w_1),\dots ,\boldsymbol{F}(w_r)\right) \); \(\boldsymbol{F}(S)\) can also be viewed as a partial function with domain S. A main difference between our attacker and that of [BMG09] is that instead of making \(\varepsilon \)-heavy queries, we clean up all \(\varepsilon \)-correlated sets of size at most \(2\ell \). Another difference is that we choose \(\varepsilon = \varTheta (1)\), whereas [BMG09] set \(\varepsilon =\varTheta (1/\ell )\). Intuitively, this is because a correlated set of size \(\ell \) is as effective as \(\ell \) single heavy queries. Along these lines, we then have to prove two things:

  • Success. Eve can guess the key of Alice/Bob if there is no \(\varepsilon \)-correlated set of size at most \(2\ell \).

  • Efficiency. Eve can remove all \(\varepsilon \)-correlated sets (of size at most \(2\ell \)) after querying O(c) correlated sets, where c is the number of communication bits between Alice and Bob. Thus, the query complexity of Eve is \(O(c\cdot \ell )\).

Eve Can Guess the Key if There are No Small \(\varepsilon \)-Correlated Sets. Assume that the protocol \(\varPi \) is non-adaptive, i.e., \(Q_A\) (resp., \(Q_B\)) is determined by \(r_A\) (resp., \(r_B\)). To study the success probability of Eve, we consider a rectangle \(\mathcal {X}\times \mathcal {Y}\) as follows. Every \(x\in \mathcal {X}\) has the form \(x=(r_A,f_A)\) (Alice’s view) and every \(y\in \mathcal {Y}\) has the form \(y=(r_B,f_B)\) (Bob’s view), where \(f_A, f_B\) have domains \(Q_A, Q_B\) respectively. Note that we enumerate x and y independently in the rectangle. Consequently, some pairs (x, y) in this rectangle may be inconsistent. Concretely, we say that a pair (x, y) with \(x=(r_A, f_A)\) and \(y=(r_B, f_B)\) is inconsistent if there exists an input \(w\in Q_A \cap Q_B\) such that \(f_A(w)\ne f_B(w)\). Define an output table as follows:

$$ \mathcal {M}(x , y) {\mathop {=}\limits ^{\textsf{def}}}{\left\{ \begin{array}{ll} \text {Alice's key output by } \varPi (r_A, r_B,f_A \cup f_B), &{}\text {if } f_A \text { and }f_B \text { are consistent};\\ *, &{}\text {otherwise.} \end{array}\right. } $$

This table indeed captures all possible executions of the protocol \(\varPi \). This table is a partial function because many entries are undefined (the \(*\) entries).

During the attack, Eve observes the transcript \(\tau \) and makes queries to f. Whenever Eve has observed \((\tau ,f_E)\), we update the table \(\mathcal {M}\) by removing the entries that are inconsistent with Eve’s observation, i.e., we update the table to

$$ \mathcal {M}_{\tau ,f_E}(x , y) {\mathop {=}\limits ^{\textsf{def}}}{\left\{ \begin{array}{ll} \mathcal {M}(x,y), &{}\text {if } (x,y) \text { are consistent with } (\tau ,f_E);\\ *, &{}\text {otherwise.} \end{array}\right. } $$

Given this observation \((\tau ,f_E)\), the defined entries of \(\mathcal {M}_{\tau ,f_E}\) capture all possible views of Alice and Bob. Now we say \(\mathcal {M}_{\tau ,f_E}\) is almost monochromatic if almost all defined entries of \(\mathcal {M}_{\tau ,f_E}\) are equal to the same output \(b \in \left\{ 0, 1\right\} \) (see footnote 3). A key step in our proof is to show that \(\mathcal {M}_{\tau ,f_E}\) is almost monochromatic provided that the following conditions are met:

  1. \(\varPi \) has perfect completeness;
  2. there is no small \(\varepsilon \)-correlated set with respect to \((\tau ,f_E)\).

Once Eve realizes \(\mathcal {M}_{\tau ,f_E}\) is almost monochromatic, she knows that Alice’s key is b with high probability.

Upper Bound the Number of Eve’s Queries via Density Increment Argument. This part of our proof is based on the density increment argument in [YZ22, YZ23]. We first define a density function to capture the amount of hidden information in the transcript \(\tau \) about the random function \(\boldsymbol{F}\), which is not known by Eve. For every \(\tau \) and \(f_E\), its density function \(\varPhi (\tau , f_E)\) is defined as

$$ \varPhi (\tau , f_E) {\mathop {=}\limits ^{\textsf{def}}}\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}\,\,|\,\,\boldsymbol{R}_A, \boldsymbol{R}_B, f_E\right) - \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}\,\,|\,\,\boldsymbol{R}_A, \boldsymbol{R}_B, f_E, \tau \right) . $$

If we replace \(\tau \) and \(f_E\) with the corresponding random variables \(\boldsymbol{T}\) and \(\boldsymbol{F_E}\), then \(\varPhi (\boldsymbol{T}, \boldsymbol{F_E})\) equals \(\textrm{I}\left( \boldsymbol{F}; \boldsymbol{T} \,\,|\,\, \boldsymbol{R}_A, \boldsymbol{R}_B, \boldsymbol{F_E}\right) \), the mutual information of \(\boldsymbol{F}\) and \(\boldsymbol{T}\) conditioned on \(\boldsymbol{R}_A, \boldsymbol{R}_B, \boldsymbol{F_E}.\) This quantity is closely related to information complexity (IC), a powerful tool for proving lower bounds in communication complexity [CSWY01, BBCR10]. IC usually refers to the mutual information between the parties’ inputs and the transcript, so the IC of a key-agreement protocol should look like \(\textrm{I}\left( \boldsymbol{R}_A, \boldsymbol{R}_B; \boldsymbol{T}\right) \). However, in the ROM, the random function \(\boldsymbol{F}\) is another random resource involved in the computation. Therefore, we cannot use IC as a black box to study such key-agreement protocols. Instead, we use the density increment argument proposed by [YZ23], which reinterprets IC in a white-box manner.

Let us turn back to our proof. The key idea is that whenever Eve queries an \(\varepsilon \)-correlated set, the density function decreases by at least \(\varepsilon \) in expectation. To make things clearer, we first explain our sampling procedure. There are several random variables involved in the analysis, including \((\boldsymbol{R}_A,\boldsymbol{R}_B,\boldsymbol{F},\boldsymbol{T},\boldsymbol{S}_1,\boldsymbol{S}_2,\dots ).\) Here \(\boldsymbol{S}_{i}\) is the query set made by Eve in the i-th round. In our analysis, we do not sample \((\boldsymbol{R}_A,\boldsymbol{R}_B,\boldsymbol{F})\) all at once. Instead, we consider these random variables to be sampled in the following order.

[Figure a: the sampling order of \((\boldsymbol{R}_A,\boldsymbol{R}_B,\boldsymbol{F},\boldsymbol{T},\boldsymbol{S}_1,\boldsymbol{S}_2,\dots )\); not reproduced in this extraction.]

Suppose that at some point, Eve has already observed \(f_E\), i.e., \(f_E=f(S_1\cup \cdots \cup S_{i-1})\), and has decided to query \(S_i\) next. By definition, Eve only queries correlated sets, i.e., \(S_i\) is \(\varepsilon \)-correlated w.r.t. \((\tau ,f_E)\). We prove that for any \(\varepsilon \)-correlated set \(S_i\),

$$\begin{aligned} \mathop {\mathrm {\textbf{E}}}\limits _{f(S_i) \leftarrow \boldsymbol{F}(S_i)|_{\tau , f_E}}\left[ \varPhi (\boldsymbol{T}, f_{E}\cup f(S_i))\right] \le \varPhi (\boldsymbol{T}, f_E) - \varepsilon , \end{aligned}$$
(1)

where \(f_E\cup f(S_i)\) is Eve’s updated observation after making oracle queries on \(S_i\). We then finish our argument by observing the following two properties of \(\varPhi \):

  • In the beginning, \(\varPhi (\boldsymbol{T},f_{\emptyset }) \le c\). Here \(f_\emptyset \) denotes the all-empty function since Eve has no information about the oracle before making any queries.

  • \(\varPhi \) is non-negative: \(\varPhi (\tau ,f_{E})\ge 0\) for all \(\tau , f_{E}\).

Equation (1) says that each time Eve queries an \(\varepsilon \)-correlated set, \(\varPhi \) decreases by \(\varepsilon \) (in expectation), so Eve can query at most \(O(c / \varepsilon ) = O(c)\) sets (in expectation), as we set \(\varepsilon = \varTheta (1)\). Since each set queried by Eve is of size at most \(2\ell \), we conclude that the total number of Eve’s queries is \(O(c\ell )\).
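To make the quantities in this overview concrete, here is an added example (this code is not from the paper) that enumerates every extended view \((r_A, r_B, f)\) of a toy instance of Merkle’s Puzzles and computes, by exhaustive counting, the [BMG09] heaviness \(\textbf{Pr}[w\in \boldsymbol{Q}_A\cap \boldsymbol{Q}_B \mid \tau , f_E]\) from Stage I of Eve’s strategy above, the correlation of a set S from Definition 1, the density function \(\varPhi \), and the expectation on the left-hand side of (1) after Eve queries S. The instance (\(N = 4\) inputs, \(M = 3\) outputs, \(\ell = 2\) queries per party, so at most 27 distinct transcripts and a transcript length of at most \(\log _2 27 < 4.76\) bits) and all function names are this example’s own assumptions; in this non-adaptive setting (1) holds with equality, which the enumeration reproduces.

```python
from collections import Counter, defaultdict
from itertools import permutations, product
from math import log2

# Toy instance constructed for this example (not from the paper): W = [N] = {0,1,2,3},
# outputs in [M] = {0,1,2}, and each party makes ELL = 2 distinct queries, so the whole
# extended-view space (R_A, R_B, F) has 12 * 12 * 81 = 11664 equally likely points.
N, M, ELL = 4, 3, 2
R_SPACE = list(permutations(range(N), ELL))   # r_A (resp. r_B) = ordered pair of queries
F_SPACE = list(product(range(M), repeat=N))   # every f:[N]->[M], stored as a tuple


def transcript(r_a, r_b, f):
    """Protocol 1: Alice sends z = f(Q_A); Bob echoes the index i of the first z_i he can
    match with one of his own digests, or None if he aborts."""
    z = tuple(f[w] for w in r_a)
    for i, z_i in enumerate(z):
        if any(f[w] == z_i for w in r_b):
            return z + (i,)
    return z + (None,)


TABLE = [(r_a, r_b, f, transcript(r_a, r_b, f))
         for r_a in R_SPACE for r_b in R_SPACE for f in F_SPACE]


def rows(tau, f_e):
    """Extended views consistent with Eve's view: F agrees with the partial function f_e
    (a dict w -> f(w)) and, unless tau is None, the transcript equals tau."""
    return [row for row in TABLE
            if all(row[2][w] == v for w, v in f_e.items()) and (tau is None or row[3] == tau)]


def entropy(counts):
    tot = sum(counts.values())
    return -sum(c / tot * log2(c / tot) for c in counts.values())


def cond_entropy(S, tau, f_e):
    """H(F(S) | R_A, R_B, F(Q_E) = f_e [, T = tau]): average over (r_a, r_b), weighted by
    their conditional probability, of the entropy of F(S) given that pair."""
    sub = rows(tau, f_e)
    by_r = defaultdict(Counter)
    for r_a, r_b, f, _ in sub:
        by_r[(r_a, r_b)][tuple(f[w] for w in S)] += 1
    return sum(sum(c.values()) / len(sub) * entropy(c) for c in by_r.values())


def correlation(S, tau, f_e):
    """Definition 1/3: S is eps-correlated w.r.t. (tau, f_e) iff this value is at least eps."""
    return cond_entropy(S, None, f_e) - cond_entropy(S, tau, f_e)


def phi(tau, f_e):
    """Density function Phi(tau, f_e): the correlation of the whole oracle F = F([N])."""
    return correlation(tuple(range(N)), tau, f_e)


def heaviness(w, tau, f_e):
    """Pr[w in Q_A ∩ Q_B | tau, f_e], the statistic behind the heavy queries of [BMG09]."""
    sub = rows(tau, f_e)
    return sum(1 for r_a, r_b, _, _ in sub if w in r_a and w in r_b) / len(sub)


def expected_phi_after(S, tau, f_e):
    """E_{f(S) <- F(S) | tau, f_e} [ Phi(tau, f_e ∪ f(S)) ], the left-hand side of (1)."""
    sub = rows(tau, f_e)
    outcomes = Counter(tuple(f[w] for w in S) for _, _, f, _ in sub)
    return sum(cnt / len(sub) * phi(tau, {**f_e, **dict(zip(S, vals))})
               for vals, cnt in outcomes.items())


def initial_phi_average():
    """E_tau[Phi(tau, f_empty)] = I(F; T | R_A, R_B), at most H(T) <= log2(27) bits here."""
    taus = Counter(row[3] for row in TABLE)
    return sum(cnt / len(TABLE) * phi(tau, {}) for tau, cnt in taus.items())


if __name__ == "__main__":
    tau = (0, 1, 0)                    # Alice sent z = (0, 1); Bob echoed z_1
    print("heaviness of w=0 given tau:", round(heaviness(0, tau, {}), 4))
    print("Phi(tau, empty)            :", round(phi(tau, {}), 4))
    print("corr({0})                  :", round(correlation((0,), tau, {}), 4))
    print("E[Phi after querying {0}]  :", round(expected_phi_after((0,), tau, {}), 4))
    print("E_tau Phi(tau, empty)      :", round(initial_phi_average(), 4), "< 4.76 bits")
```

Running the block shows the accounting behind the efficiency argument: `phi(tau, {})` minus `correlation((0,), tau, {})` equals `expected_phi_after((0,), tau, {})`, `phi` never goes negative, and the average of `phi(tau, {})` over transcripts stays below the transcript length, so a sum of correlations bounded by c is all Eve can ever collect.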

Comparison with [HMO+19]. The paper by Haitner et al. uses mostly direct calculations to derive an upper bound of the mutual information characterizing the advantage of Alice and Bob over Eve. An important ingredient in their proof is that conditioning on Eve’s view does not introduce significant dependency between Alice and Bob; this is true for two-round protocols but fails for multi-round protocols. Even with perfect completeness, their approach encounters similar barriers. In contrast, our proof mainly depends on the investigation of the structure of the table \(\mathcal {M}_{\tau , f_E}\), and hence the number of rounds is no longer a restriction.

1.2 Discussions and Open Problems

In this section, we discuss some open problems and future directions. An immediate question is how to remove the restrictions in our main theorem. We briefly discuss some potential ways to solve them below.

Protocols with Imperfect Completeness. In our proof, the property of perfect completeness is used in Lemma 3. The perfect completeness restriction is an analog of proving deterministic communication complexity, while key-agreement protocols with imperfect completeness can be likened to randomized communication protocols. The density increment argument used in this paper was originally inspired by the proofs of query-to-communication lifting theorems in communication complexity [RM97, GPW15, GPW17, YZ22]. In communication complexity, past experience suggests that the density increment argument is robust in the sense that it usually extends to proving randomized communication lower bounds. For example, the deterministic query-to-communication lifting theorem was formalized by [GPW15], then [GPW17] proved the extension to the randomized query-to-communication lifting theorem, even though it took several years.

Protocols with Adaptive Queries. The density increment argument has a good chance of proving communication lower bounds for adaptive protocols. Particularly, our efficiency proof directly applies to adaptive protocols. Our proof only utilized the non-adaptivity in Lemma 3. The round-by-round analysis introduced by Barak and Mahmoody [BMG09] might be helpful to circumvent this obstacle. Admittedly, the analysis might be slightly more complicated, but we do not see a fundamental barrier here.

Further Potential Applications. The heavy query technique used in the proof of [BMG09] has found applications in the context of black-box separations and black-box security in the random oracle model (see, e.g., [DSLMM11, KSY11, BKSY11, MP12, HOZ16]). Likewise, it will be interesting to check if our approach offers fresh perspectives and potential solutions to some open problems. The following is a list of potential questions.

  1. Devise an \(O(\ell )\)-round and \(O(\ell ^2)\)-query attack for key-agreement protocols in the ROM [BMG09, MMV11].
  2. Consider an M-party protocol where all pairs among the M players agree on secret keys. Give an attack that recovers a constant fraction of the \(\binom{M}{2}\) keys with \(O(M\cdot \ell ^2)\) oracle queries [DH21].
  3. In the quantum setting, Alice and Bob are capable of quantum computation and classical communication, and the random oracle allows quantum queries. [ACC+22] introduced the Polynomial Compatibility Conjecture and gave an attack (only for protocols with perfect completeness) assuming this conjecture holds. Devise an attack that has better efficiency or fewer restrictions.

2 Preliminary

2.1 Notations

For a random variable \(\boldsymbol{X}\), we write \(x\leftarrow \boldsymbol{X}\) to denote that x is sampled from (the distribution of) \(\boldsymbol{X}\); the support of \(\boldsymbol{X}\) is defined as \(\textrm{supp}(\boldsymbol{X}) {\mathop {=}\limits ^{\textsf{def}}}\left\{ x : \mathop {\mathrm {\textbf{Pr}}}_{}\left[ \boldsymbol{X} = x\right] > 0\right\} \).

Partial Functions. There are several ways to view a partial function \(f: [N] \rightarrow [M] \cup \left\{ \bot \right\} \) with domain \(Q {\mathop {=}\limits ^{\textsf{def}}}\left\{ w \in [N] : f(w) \ne \bot \right\} \): it can be viewed as a function \(f_Q : Q \rightarrow [M]\), or as a list \(\left( (w, f(w))\right) _{w \in Q}\). We say two partial functions are consistent if they agree on the intersection of their domains. For consistent partial functions \(f_1\) and \(f_2\) with domains \(Q_1\) and \(Q_2\), we use \(f_1 \cup f_2\) to denote the partial function with domain \(Q_1 \cup Q_2\) that is consistent with both \(f_1\) and \(f_2\).

2.2 Key-Agreement Protocols

Let \(\varPi = (\textsf{A}, \textsf{B})\) be a two-party protocol consisting of a pair of probabilistic interactive Turing machines, where the two parties \(\textsf{A}\) and \(\textsf{B}\) are often referred to as Alice and Bob. A protocol is called \(\ell \)-oracle-aided if Alice and Bob have access to an oracle \(f: [N] \rightarrow [M]\) and each party makes at most \(\ell \) queries to f. An oracle-aided protocol is called non-adaptive when both parties choose their queries before querying the oracle and communicating. \(\varPi \) produces a transcript \(\tau \), the bits communicated between the players. The communication complexity of \(\varPi \), denoted by \(\textrm{CC}(\varPi )\), is the length of the transcript of \(\varPi \) in the worst case.

We focus on oracle-aided key-agreement protocols in the random oracle model, where the oracle f is uniformly sampled from the collection of all functions from [N] to [M]. Note that the execution of the key-agreement protocol is completely determined by \(r_A, r_B\) and f, where \(r_A\) (resp., \(r_B\)) is Alice’s (resp., Bob’s) internal randomness. We call the tuple \((r_A, r_B, f)\) an extended view. Let \(\boldsymbol{EV} = (\boldsymbol{R}_A, \boldsymbol{R}_B, \boldsymbol{F})\) denote the distribution of the extended view in a random execution. For every extended view \(v=(r_A,r_B,f)\), let \(\texttt{tran}(v), \texttt{out}_{\textsf{A}}(v), \texttt{out}_{\textsf{B}}(v)\) be the communication transcript, \(\textsf{A}\)’s output, and \(\textsf{B}\)’s output respectively, given the extended view v.

Definition 2 (Key-agreement protocols)

Let \(\alpha , \gamma \in [0 , 1], q \in \mathbb {N}\). A protocol \(\varPi = (\textsf{A}, \textsf{B})\) is an \((\alpha , q, \gamma )\)-key-agreement if the following conditions hold:

  1. \((1 - \alpha )\)-completeness. \( \mathop {\mathrm {\textbf{Pr}}}_{v \leftarrow \boldsymbol{EV}}\left[ \texttt{out}_{\textsf{A}}(v) = \texttt{out}_{\textsf{B}}(v)\right] \ge 1 - \alpha . \)
  2. \((q, \gamma )\)-security. For any q-oracle-aided adversary \(\textsf{E}\),

    $$ \mathop {\mathrm {\textbf{Pr}}}_{v = (r_A, r_B, f)\leftarrow \boldsymbol{EV}}\left[ \textsf{E}^f(\texttt{tran}(v)) = \texttt{out}_{\textsf{A}}(v)\right] \le \gamma . $$

Since we aim to prove lower bounds, we assume each party outputs one bit, as per [HMO+19]. Moreover, [HMO+19] proved that studying the following normalized key-agreement protocols suffices.

Normalized Key-Agreement Protocols. Following [HMO+19], to simplify the proof of the lower bound, we can transform the key-agreement protocol \(\varPi \) into a normalized protocol called \(\varPi '\), such that the secret key output by Bob in \(\varPi '\) is the first bit of his last query. Formally,

Proposition 1

Let \(\varPi \) be a non-adaptive, \(\ell \)-oracle-aided \((\alpha , q ,\gamma )\)-key-agreement protocol with communication complexity c. Then there is a non-adaptive \((\ell + 1)\)-oracle-aided \((\alpha , q, \gamma )\)-key-agreement protocol \(\varPi '\) with communication complexity \(c + 1\), in which Bob’s output is the first bit of his last query.

2.3 Basic Information Theory

The Shannon entropy of a random variable \(\boldsymbol{X}\) is defined as

$$ \mathop {\mathrm {\textbf{H}}}\limits (\boldsymbol{X}) {\mathop {=}\limits ^{\textsf{def}}}\sum _{x\in \textrm{supp}(\boldsymbol{X})}\mathop {\mathrm {\textbf{Pr}}}_{}\left[ \boldsymbol{X} = x\right] \log \left( \frac{1}{\mathop {\mathrm {\textbf{Pr}}}_{}\left[ \boldsymbol{X} = x\right] }\right) . $$

The conditional entropy of a random variable \(\boldsymbol{X}\) given \(\boldsymbol{Y}\) is defined as

$$ \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{X}\,\,|\,\,\boldsymbol{Y}\right) {\mathop {=}\limits ^{\textsf{def}}}\mathop {\mathrm {\textbf{E}}}\limits _{y \leftarrow \boldsymbol{Y}}\left[ \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{X}\,\,|\,\,\boldsymbol{Y}=y\right) \right] . $$

We often use (conditional) entropy conditioned on some event E, which is defined by the same formula with the probability measure \(\mathop {\mathrm {\textbf{Pr}}}_{}\left[ \cdot \right] \) replaced by \( \textbf{Pr}'[\cdot ] {\mathop {=}\limits ^{\textsf{def}}}\mathop {\mathrm {\textbf{Pr}}}_{}\left[ \cdot | E\right] . \) Entropy conditioned on the event E is denoted by \(\mathop {\mathrm {\textbf{H}}}\limits (\boldsymbol{X} | E)\) and \(\mathop {\mathrm {\textbf{H}}}\limits (\boldsymbol{X} | \boldsymbol{Y}, E)\).

Let \(\boldsymbol{X}\) and \(\boldsymbol{Y}\) be two (possibly correlated) random variables. The mutual information of \(\boldsymbol{X}\) and \(\boldsymbol{Y}\) is defined by

$$ \textrm{I}\left( \boldsymbol{X}; \boldsymbol{Y}\right) {\mathop {=}\limits ^{\textsf{def}}}\mathop {\mathrm {\textbf{H}}}\limits (\boldsymbol{X}) - \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{X}\,\,|\,\,\boldsymbol{Y}\right) = \mathop {\mathrm {\textbf{H}}}\limits (\boldsymbol{Y}) - \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{Y}\,\,|\,\,\boldsymbol{X}\right) . $$

The conditional mutual information is

$$\textrm{I}\left( \boldsymbol{X}_i; \boldsymbol{Y} \,\,|\,\, \boldsymbol{X}_1,\dots ,\boldsymbol{X}_{i - 1}\right) {\mathop {=}\limits ^{\textsf{def}}}\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{X}_i\,\,|\,\,\boldsymbol{X}_1,\dots ,\boldsymbol{X}_{i - 1}\right) - \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{X}_i\,\,|\,\,\boldsymbol{Y},\boldsymbol{X}_1,\dots ,\boldsymbol{X}_{i - 1}\right) . $$

Proposition 2 (Entropy chain rule)

For random variables \(\boldsymbol{X}_1, \boldsymbol{X}_2, \dotsc , \boldsymbol{X}_{n}\), it holds that

$$ \mathop {\mathrm {\textbf{H}}}\limits (\boldsymbol{X}_1, \boldsymbol{X}_2, \dotsc , \boldsymbol{X}_{n})=\sum _{i=1}^n\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{X}_i\,\,|\,\,\boldsymbol{X}_1, \boldsymbol{X}_2, \dotsc , \boldsymbol{X}_{i - 1}\right) . $$

Proposition 3

(Chain rule for mutual information) For random variables \(\boldsymbol{X}_1,\boldsymbol{X}_2,\dots ,\boldsymbol{X}_n\) and another random variable \(\boldsymbol{Y}\),

$$ \textrm{I}\left( \boldsymbol{X}_1,\boldsymbol{X}_2,\dots ,\boldsymbol{X}_n; \boldsymbol{Y}\right) = \sum _{i=1}^{n} \textrm{I}\left( \boldsymbol{X}_i; \boldsymbol{Y} \,\,|\,\, \boldsymbol{X}_1,\boldsymbol{X}_2,\dots ,\boldsymbol{X}_{i - 1}\right) . $$

Proposition 4

(Data processing inequality) For two random variables \(\boldsymbol{X},\boldsymbol{Y}\) and a function f,

$$\mathop {\mathrm {\textbf{H}}}\limits (f(\boldsymbol{X}))\le \mathop {\mathrm {\textbf{H}}}\limits (\boldsymbol{X})\text { and } \textrm{I}\left( f(\boldsymbol{X}); \boldsymbol{Y}\right) \le \textrm{I}\left( \boldsymbol{X}; \boldsymbol{Y}\right) . $$

3 Communication Complexity of Key-Agreement Protocols

This section proves the main theorem:

Theorem 4

(Formal version of Theorem 3). Let \(\varPi = (\textsf{A}, \textsf{B})\) be an \(\ell \)-oracle-aided, non-adaptive \((0, q, \gamma )\)-key-agreement (i.e., \(\varPi \) enjoys perfect completeness). Then

$$ \textrm{CC}(\varPi ) \ge \frac{q}{2(\ell + 1)} \cdot \frac{(1-\gamma )^3}{ 27} - 1= \varOmega \left( \frac{q}{\ell }\right) . $$

By Proposition 1, it suffices to show that

$$\begin{aligned} \textrm{CC}(\varPi ) \ge \frac{q}{2\ell } \cdot \frac{(1-\gamma )^3}{ 27}, \end{aligned}$$
(2)

for every normalized protocol \(\varPi \) that satisfies the conditions in Theorem 4.

Correlated sets play a central role in our proof; here we give the formal definition.

Definition 3 (\(\varepsilon \)-correlated)

Let \(\tau \) be a transcript and \(f_E\) be a partial function with domain \(Q_E\). We say a set \(S \subseteq [N]\) is \(\varepsilon \)-correlated with respect to \((\tau , f_E)\) if

$$ \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}\left( S\right) \,\,|\,\,\boldsymbol{R}_A, \boldsymbol{R}_B, \boldsymbol{F}(Q_E) = f_E \right) -\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}\left( S\right) \,\,|\,\,\boldsymbol{R}_A, \boldsymbol{R}_B, \boldsymbol{F}(Q_E) = f_E \wedge \boldsymbol{T} = \tau \right) \ge \varepsilon , $$

where \((\boldsymbol{R}_A, \boldsymbol{R}_B, \boldsymbol{F})\) is a random extended view and \(\boldsymbol{T} {\mathop {=}\limits ^{\textsf{def}}}\texttt{tran}(\boldsymbol{R}_A, \boldsymbol{R}_B, \boldsymbol{F})\).

3.1 Description of the Attacker

The attacker is described in Algorithm 1. In the algorithm, \(f_E^{(i)}\) stands for the observations of Eve till the end of the i-th iteration. Moreover, we use \(\boldsymbol{EV}(\tau , f_E^{(i)})\) to denote the distribution of the extended view \(\boldsymbol{EV}\) conditioned on the following two events: (1) the random oracle is consistent with \(f_E^{(i)}\); (2) the transcript is \(\tau \).

[Algorithm 1: the attacker \(\textsf{E}\) (figure not reproduced in this extraction)]

3.2 Success Probability of the Attacker

This subsection analyzes the attacker’s success probability for perfect completeness. We will first introduce the language of the combinatorial rectangle and then use it to analyze the attacker’s success probability.

Through the Lens of Rectangles. The combinatorial rectangle is a standard tool in communication complexity. We thus develop this language for key-agreement protocols in the following.

Let \(\varPi \) be a non-adaptive key-agreement protocol, meaning that Alice's query set is a function \(\mathcal {Q}_{\textsf{A}}(r_A)\) of her internal randomness \(r_A\). If \(f_A\) is a partial function with domain \(\mathcal {Q}_{\textsf{A}}(r_A)\), we call the pair \((r_A, f_A)\) a profile of Alice. The profile space of Alice, denoted by \(\mathcal {X}\), consists of all possible profiles of Alice, namely,

$$ \mathcal {X}{\mathop {=}\limits ^{\textsf{def}}}\left\{ (r_A, f_A) : f_A \text { is a partial function with domain }\mathcal {Q}_{\textsf{A}}(r_A)\right\} . $$

For Bob, we analogously define \(\mathcal {Q}_{\textsf{B}}\) and

$$\mathcal {Y}{\mathop {=}\limits ^{\textsf{def}}}\left\{ (r_B, f_B) : f_B \text { is a partial function with domain } \mathcal {Q}_{\textsf{B}}(r_B)\right\} . $$

Given a profile pair \((x = (r_A, f_A), y = (r_B, f_B)) \in \mathcal {X}\times \mathcal {Y}\), Alice and Bob can run the protocol by using \(f_A\) and \(f_B\) respectively as oracle answers: when Alice needs to issue an oracle query w, she takes \(f_A(w)\) as oracle answer; similarly, Bob takes \(f_B(w)\) as oracle answer when querying w. Hence, we can still define the transcript \(\texttt{tran}(x , y)\) and output \(\texttt{out}_{\textsf{A}}(x , y)\), \(\texttt{out}_{\textsf{B}}(x , y)\).

Note that some profile pairs are imaginary in the sense that the oracle answers of Alice and Bob are inconsistent. We say \(x = (r_A, f_A) \in \mathcal {X}\) and \(y = (r_B, f_B)\in \mathcal {Y}\) are consistent if \(f_A\) and \(f_B\) are consistent. Define the output table \(\mathcal {M}_{\varPi } \in \left\{ 0 , 1, *\right\} ^{\mathcal {X}\times \mathcal {Y}}\) via

$$ \mathcal {M}_{\varPi }(x , y) {\mathop {=}\limits ^{\textsf{def}}}{\left\{ \begin{array}{ll} \texttt{out}_{\textsf{A}}(x , y), &{}\text {if } x, y \text { are consistent};\\ *, &{}\text {otherwise.} \end{array}\right. } $$

Let \(D {\mathop {=}\limits ^{\textsf{def}}}\left\{ (x, y) \in \mathcal {X}\times \mathcal {Y}: \mathcal {M}_{\varPi }(x , y) \ne *\right\} \) be the set of all consistent profile pairs; these are exactly the profile pairs that can be witnessed in a real execution.

A set \(R \subseteq \mathcal {X}\times \mathcal {Y}\) is called a rectangle if \(R = \mathcal {X}_R \times \mathcal {Y}_R\) for some \(\mathcal {X}_R \subseteq \mathcal {X}\) and \(\mathcal {Y}_R \subseteq \mathcal {Y}\). Let \(\tau \) be a transcript and \(f_E\) be a partial function with domain \(Q_E\). We care about the profiles that are consistent with \(f_E\) and produce transcript \(\tau \); formally, we consider the rectangle \(\mathcal {X}_{\tau , f_E} \times \mathcal {Y}_{\tau , f_E}\) where

$$ \mathcal {X}_{\tau , f_E} {\mathop {=}\limits ^{\textsf{def}}}\left\{ x = (r_A, f_A) \in \mathcal {X}: \exists y = (r_B, f_B) \in \mathcal {Y}\text { s.t. } \begin{array}{c} f_A, f_B, f_E \text { are consistent and} \\ \texttt{tran}(x , y) = \tau \end{array}\right\} , $$

and

$$ \mathcal {Y}_{\tau , f_E} {\mathop {=}\limits ^{\textsf{def}}}\left\{ y = (r_B, f_B) \in \mathcal {Y}: \exists x = (r_A, f_A) \in \mathcal {X}\text { s.t. } \begin{array}{c} f_A, f_B, f_E \text { are consistent and} \\ \texttt{tran}(x , y) = \tau \end{array}\right\} . $$

If \(\varPi \) has perfect completeness, the rectangle \(\mathcal {X}_{\tau , f_E} \times \mathcal {Y}_{\tau , f_E}\) has the following simple but useful property.

Lemma 1

Assume that \(\varPi \) has perfect completeness. Let \((x, y), (x', y') \in \mathcal {X}_{\tau , f_E} \times \mathcal {Y}_{\tau , f_E}\) for some \(\tau \) and \(f_E\). If \(\mathcal {M}_\varPi (x , y) = 0\) and \(\mathcal {M}_\varPi (x' ,y') = 1\), then \(\mathcal {M}_\varPi (x, y') = \mathcal {M}_\varPi (x', y) = *\).

Proof

Assume \(\mathcal {M}_\varPi (x, y') \ne *\). Since \((x, y')\) appears in some execution of \(\varPi \), by perfect completeness, we have \(\texttt{out}_{\textsf{A}}(x, y') = \texttt{out}_{\textsf{B}}(x, y')\). However, \(\texttt{out}_{\textsf{A}}(x, y') = \texttt{out}_{\textsf{A}}(x, y) = 0\) while \(\texttt{out}_{\textsf{B}}(x, y') = \texttt{out}_{\textsf{B}}(x' , y') = 1\), a contradiction. The argument for \((x', y)\) is similar.

Let \(\boldsymbol{QV}(\tau , f_E)\) denote the query sets of Alice and Bob conditioned on \((\tau , f_E)\), namely, \(\boldsymbol{QV}(\tau , f_E) {\mathop {=}\limits ^{\textsf{def}}}(\mathcal {Q}_{\textsf{A}}(\boldsymbol{R}_A), \mathcal {Q}_{\textsf{B}}(\boldsymbol{R}_B))\), where \((\boldsymbol{R}_A, \boldsymbol{R}_B, \cdot ) = \boldsymbol{EV}(\tau , f_E)\). Given \((Q_A, Q_B) \in \textrm{supp}\boldsymbol{QV}(\tau , f_E)\), we obtain a subrectangle of \(\mathcal {X}_{\tau , f_E} \times \mathcal {Y}_{\tau , f_E}\) by adding the restriction that Alice's (resp., Bob's) query set is \(Q_A\) (resp., \(Q_B\)). That is, we consider \(\mathcal {X}_{\tau ,f_E}(Q_A) \times \mathcal {Y}_{\tau ,f_E}(Q_B)\) where

$$ \mathcal {X}_{\tau ,f_E}(Q_A) {\mathop {=}\limits ^{\textsf{def}}}\left\{ x = (r_A, f_A) \in \mathcal {X}_{\tau , f_E} : \mathcal {Q}_{\textsf{A}}(r_A) = Q_A\right\} , $$
$$ \mathcal {Y}_{\tau ,f_E}(Q_B) {\mathop {=}\limits ^{\textsf{def}}}\left\{ y = (r_B, f_B) \in \mathcal {Y}_{\tau , f_E} : \mathcal {Q}_{\textsf{B}}(r_B) = Q_B\right\} . $$

Definition 4 (Monochromatic Rectangle)

A rectangle \(R \subseteq \mathcal {X}\times \mathcal {Y}\) is called b-monochromatic if \(R \cap D \ne \emptyset \) and for every \((x, y)\in R\cap D\), \(\mathcal {M}_\varPi (x , y) = b\); R is said to be monochromatic if it is b-monochromatic for some \(b \in \left\{ 0,1\right\} \).

The following lemma shows that if the protocol is normalized and has perfect completeness, the rectangle \(\mathcal {X}_{\tau , f_E} \times \mathcal {Y}_{\tau , f_E}\) has a special structure: It can be partitioned into monochromatic rectangles according to the queries.

Lemma 2

Suppose \(\varPi \) is normalized and has perfect completeness. Let \(\tau \) be a transcript and \(f_E\) be a partial function. For all \((Q_A, Q_B) \in \textrm{supp}\boldsymbol{QV}(\tau , f_E)\), the rectangle \(\mathcal {X}_{\tau , f_E}(Q_A) \times \mathcal {Y}_{\tau , f_E}(Q_B)\) is monochromatic.

Proof

Since \(\varPi \) is normalized, for any \((x,y) \in \mathcal {X}_{\tau , f_E}(Q_A) \times \mathcal {Y}_{\tau , f_E}(Q_B)\), \(\texttt{out}_{\textsf{B}}(x, y)\) is determined by \(Q_B\). Moreover, because of perfect completeness, \(\texttt{out}_{\textsf{A}}(x , y) = \texttt{out}_{\textsf{B}}(x ,y)\) for all \((x , y) \in \mathcal {X}_{\tau , f_E}(Q_A) \times \mathcal {Y}_{\tau , f_E}(Q_B)\). Thus, \(\mathcal {X}_{\tau , f_E}(Q_A) \times \mathcal {Y}_{\tau , f_E}(Q_B)\) is monochromatic.

Analyzing the Attacker’s Success Probability. Next, we show that Algorithm 1 breaks the security of normalized protocols. The following lemma characterizes what happens after all small \(\varepsilon \)-correlated sets are cleaned up; it roughly says that if there exists no small \(\varepsilon \)-correlated set, the key is almost determined conditioned on Eve’s information.

Lemma 3

Let \(\tau \) be a transcript and \(f_E\) be a partial function with domain \(Q_E\). If there exists no \(\varepsilon \)-correlated set of size at most \(2\ell \) w.r.t. \((\tau , f_E)\), then \(\exists b \in \left\{ 0 , 1\right\} \) s.t.

$$ \mathop {\mathrm {\textbf{Pr}}}_{v \leftarrow \boldsymbol{EV}(\tau , f_E)}\left[ \texttt{out}_{\textsf{A}}(v) = b\right] \ge 1 - \sqrt{2\varepsilon }. $$

Proof

Write \(\delta {\mathop {=}\limits ^{\textsf{def}}}\sqrt{2\varepsilon }\). Assume towards contradiction that

$$ \mathop {\mathrm {\textbf{Pr}}}_{v \leftarrow \boldsymbol{EV}(\tau , f_E)}\left[ \texttt{out}_{\textsf{A}}(v) = b\right] > \delta , \forall b \in \left\{ 0 , 1\right\} . $$

For \(b \in \left\{ 0,1\right\} \), define

$$ \mathcal {G}_b {\mathop {=}\limits ^{\textsf{def}}}\left\{ (Q_A, Q_B) \in \textrm{supp}\boldsymbol{QV}(\tau , f_E) : \mathcal {X}_{\tau , f_E}(Q_A) \times \mathcal {Y}_{\tau , f_E}(Q_B) \text { is } b\text {-monochromatic} \right\} . $$

By Lemma 2, \(\forall b \in \left\{ 0,1\right\} \),

$$\begin{aligned} \mathop {\mathrm {\textbf{Pr}}}_{v \leftarrow \boldsymbol{EV}(\tau , f_E)}\left[ (\mathcal {Q}_{\textsf{A}}(v), \mathcal {Q}_{\textsf{B}}(v)) \in \mathcal {G}_b\right] = \mathop {\mathrm {\textbf{Pr}}}_{v \leftarrow \boldsymbol{EV}(\tau , f_E)}\left[ \texttt{out}_{\textsf{A}}(v) = b\right] > \delta . \end{aligned}$$
(3)

For \(Q = (Q_A, Q_B), Q' = (Q_A', Q_B')\), define

$$\begin{aligned} h(Q, Q') {\mathop {=}\limits ^{\textsf{def}}}&\quad \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(Q_A \cup Q_B)\,\,|\,\,\boldsymbol{F}(Q_E) = f_E\right) \\ &-\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}\left( Q_A \cup Q_B\right) \,\,|\,\,\mathcal {Q}_{\textsf{A}}(\boldsymbol{R}_A) = Q_A' \wedge \mathcal {Q}_{\textsf{B}}(\boldsymbol{R}_B) = Q_B'\wedge \boldsymbol{F}(Q_E) = f_E \wedge \boldsymbol{T} = \tau \right) , \end{aligned}$$

where \((\boldsymbol{R}_A, \boldsymbol{R}_B, \boldsymbol{F})\) is a random extended view and \(\boldsymbol{T} = \texttt{tran}(\boldsymbol{R}_A, \boldsymbol{R}_B, \boldsymbol{F})\) as usual. Then, we have

Claim

For all \(Q_0 = (Q_A^0, Q_B^0) \in \mathcal {G}_0\) and \(Q_1 = (Q_A^1, Q_B^1) \in \mathcal {G}_1\), we have \(h(Q_b, Q_{1 - b}) \ge 1\) for some \(b \in \left\{ 0,1\right\} \).

The above claim suggests some kind of correlation with the transcript exists; next, we prove such correlation gives rise to an \(\varepsilon \)-correlated set.

Consider the following complete bipartite graph, denoted by G:

1. The left vertex set is \(V_0\) and each vertex \(v \in V_0\) is associated with some \(Q(v) \in \mathcal {G}_0\).

2. The right vertex set is \(V_1\) and each vertex \(v \in V_1\) is associated with some \(Q(v) \in \mathcal {G}_1\).

3. For each \(Q \in \mathcal {G}_0 \cup \mathcal {G}_1\), the number of vertices associated with Q is proportional to \(\mathop {\mathrm {\textbf{Pr}}}_{\boldsymbol{QV}(\tau , f_E)}\left[ Q\right] \).

We assign an orientation to G as follows: for all \(v_0 \in V_0, v_1 \in V_1\), if \(h(Q(v_0),Q(v_1)) \ge 1\), then the edge \(\left\{ v_0, v_1\right\} \) is directed towards \(v_1\); otherwise, \(\left\{ v_0, v_1\right\} \) is directed towards \(v_0\). Let E(G) denote the set of all directed edges. By the above claim, each directed edge \(v \rightarrow v'\) satisfies \(h(Q(v), Q(v')) \ge 1\). Let \(\Gamma (v) {\mathop {=}\limits ^{\textsf{def}}}\left\{ v' : (v \rightarrow v') \in E(G)\right\} \) denote the set of out-neighbors of v. WLOG, assume that \(|V_0| \le |V_1|\). Since every one of the \(|V_0|\cdot |V_1|\) edges contributes one out-neighbor to one of the \(|V_0| + |V_1|\) vertices, an averaging argument gives some \(v^* \in V_0 \cup V_1\) such that \(|\Gamma (v^*)| \ge \frac{|V_0|\cdot |V_1|}{|V_0| + |V_1|} \ge |V_0| / 2\).

Say \(v^* \in V_{b^*}\), then we have

$$\begin{aligned} \mathop {\mathrm {\textbf{Pr}}}_{v \leftarrow V_{1 - b^*}}\left[ (v^* \rightarrow v) \in E(G)\right] = \frac{|\Gamma (v^*)|}{|V_{1 - b^*}|} &\ge \frac{|V_0|}{2|V_{1 - b^*}|} \\ &= \frac{1}{2} \cdot \frac{\mathop {\mathrm {\textbf{Pr}}}_{v \leftarrow \boldsymbol{EV}(\tau , f_E)}\left[ (\mathcal {Q}_{\textsf{A}}(v), \mathcal {Q}_{\textsf{B}}(v)) \in \mathcal {G}_0\right] }{\mathop {\mathrm {\textbf{Pr}}}_{v \leftarrow \boldsymbol{EV}(\tau , f_E)}\left[ (\mathcal {Q}_{\textsf{A}}(v), \mathcal {Q}_{\textsf{B}}(v)) \in \mathcal {G}_{1 - b^*}\right] } \\ &> \frac{\delta }{2}. \end{aligned}$$

Let \(Q^* {\mathop {=}\limits ^{\textsf{def}}}Q(v^*)\). Then we have

$$\begin{aligned} \begin{aligned} &\quad \mathop {\mathrm {\textbf{E}}}\limits _{Q \leftarrow \boldsymbol{QV}(\tau , f_E)}\left[ h(Q^*, Q)\right] \\ &\ge \mathop {\mathrm {\textbf{E}}}\limits _{Q \leftarrow \boldsymbol{QV}(\tau , f_E)}\left[ h(Q^*, Q)\,\,|\,\,Q \in \mathcal {G}_{1 - b^*}\right] \mathop {\mathrm {\textbf{Pr}}}_{Q \leftarrow \boldsymbol{QV}(\tau , f_E)}\left[ Q \in \mathcal {G}_{1 - b^*}\right] \\ &\ge \mathop {\mathrm {\textbf{E}}}\limits _{v \leftarrow V_{1 - b^*}}\left[ h(Q(v^*), Q(v))\right] \cdot \delta \\ &\ge \mathop {\mathrm {\textbf{Pr}}}_{v \leftarrow V_{1 - b^*}}\left[ (v^* \rightarrow v) \in E(G)\right] \cdot \delta \\ &=\frac{\delta ^2}{2} =\varepsilon , \end{aligned} \end{aligned}$$
(4)

where the second inequality follows from Eq. (3) and the construction of G, and the third inequality holds because \(h(Q(v^*), Q(v)) \ge \mathbb {1}[(v^* \rightarrow v) \in E(G)]\).

Note that \(\mathop {\mathrm {\textbf{E}}}\limits _{Q \leftarrow \boldsymbol{QV}(\tau , f_E)}\left[ h(Q^*, Q)\right] \ge \varepsilon \) means that

$$\begin{aligned} &\quad \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(Q^*_A \cup Q^*_B)\,\,|\,\,\boldsymbol{F}(Q_E) = f_E\right) \\ &- \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(Q^*_A \cup Q^*_B) \,\,|\,\, \mathcal {Q}_{\textsf{A}}(\boldsymbol{R}_A), \mathcal {Q}_{\textsf{B}}(\boldsymbol{R}_B), \boldsymbol{F}(Q_E) = f_E \wedge \boldsymbol{T} = \tau \right) \ge \varepsilon , \end{aligned}$$

where \(Q^* = (Q^*_A, Q^*_B)\). Thus, letting \(\widehat{Q} = Q^*_A \cup Q^*_B\), we have

$$\begin{aligned} &\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(\widehat{Q}) \,\,|\,\, \boldsymbol{R}_A, \boldsymbol{R}_B, \boldsymbol{F}(Q_E) = f_E\right) - \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(\widehat{Q}) \,\,|\,\, \boldsymbol{R}_A, \boldsymbol{R}_B, \boldsymbol{F}(Q_E) = f_E \wedge \boldsymbol{T} = \tau \right) \\ \ge &\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(\widehat{Q}) \,\,|\,\, \boldsymbol{R}_A,\boldsymbol{R}_B, \boldsymbol{F}(Q_E) = f_E\right) \\ &- \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(\widehat{Q}) \,\,|\,\, \mathcal {Q}_{\textsf{A}}(\boldsymbol{R}_A), \mathcal {Q}_{\textsf{B}}(\boldsymbol{R}_B), \boldsymbol{F}(Q_E) = f_E \wedge \boldsymbol{T} = \tau \right) \\ = &\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(\widehat{Q}) \,\,|\,\, \boldsymbol{F}(Q_E) = f_E\right) - \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(\widehat{Q}) \,\,|\,\, \mathcal {Q}_{\textsf{A}}(\boldsymbol{R}_A), \mathcal {Q}_{\textsf{B}}(\boldsymbol{R}_B), \boldsymbol{F}(Q_E) = f_E \wedge \boldsymbol{T} = \tau \right) \\ \ge &\ \varepsilon , \end{aligned}$$

where the first inequality is by the data processing inequality and the second step holds as \(\boldsymbol{F}(\widehat{Q}), \boldsymbol{R}_A, \boldsymbol{R}_B\) are independent. That is, \(\widehat{Q}\) is \(\varepsilon \)-correlated w.r.t. \((\tau , f_E)\), and since \(|\widehat{Q}| \le 2\ell \) this contradicts the assumption of the lemma.

It remains to prove the claim involved in the above proof.

Proof (of Claim)

Define

$$ R_{b} {\mathop {=}\limits ^{\textsf{def}}}\mathcal {X}_{\tau , f_E}(Q_A^b) \times \mathcal {Y}_{\tau , f_E}(Q_B^{b}) \text { where } b \in \left\{ 0,1\right\} . $$

For all \((x , y) \in R_0, (x', y') \in R_1\), we have \(\mathcal {M}_{\varPi }(x , y) = 0\) and \(\mathcal {M}_{\varPi }(x', y') = 1\), and hence \(\mathcal {M}_{\varPi }(x, y') = *\) according to Lemma 1. This means that oracle answers in profile x and profile \(y'\) are inconsistent. Note that all inconsistent queries are in \(S {\mathop {=}\limits ^{\textsf{def}}}Q_A^0 \cap Q_B^1\). Therefore,

$$\begin{aligned} &\textrm{supp}\left( \boldsymbol{F}(S)|_{\mathcal {Q}_{\textsf{A}}(\boldsymbol{R}_A) = Q_A^0 \wedge \mathcal {Q}_{\textsf{B}}(\boldsymbol{R}_B) = Q_B^0 \wedge \boldsymbol{T} = \tau \wedge \boldsymbol{F}(Q_E) = f_E} \right) \\ &\cap \textrm{supp}\left( \boldsymbol{F}(S)|_{\mathcal {Q}_{\textsf{A}}(\boldsymbol{R}_A) = Q_A^1 \wedge \mathcal {Q}_{\textsf{B}}(\boldsymbol{R}_B) = Q_B^1 \wedge \boldsymbol{T} = \tau \wedge \boldsymbol{F}(Q_E) = f_E} \right) = \emptyset . \end{aligned}$$

A simple average argument shows that for some \(b^* \in \left\{ 0,1\right\} \),

$$\begin{aligned} \begin{aligned} &\quad \left| \textrm{supp}\left( \boldsymbol{F}(S)|_{\mathcal {Q}_{\textsf{A}}(\boldsymbol{R}_A) = Q_A^{b^*} \wedge \mathcal {Q}_{\textsf{B}}(\boldsymbol{R}_B) = Q_B^{b^* } \wedge \boldsymbol{T} = \tau \wedge \boldsymbol{F}(Q_E) = f_E} \right) \right| \\ &\le \frac{ \left| \textrm{supp}\left( \boldsymbol{F}(S)|_{\boldsymbol{F}(Q_E) = f_E} \right) \right| }{2}. \end{aligned} \end{aligned}$$
(5)

Consequently,

$$\begin{aligned} \Delta {\mathop {=}\limits ^{\textsf{def}}}&\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(S)\,\,|\,\, \boldsymbol{F}(Q_E) = f_E\right) \\ &-\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}\left( S\right) \,\,|\,\, \mathcal {Q}_{\textsf{A}}(\boldsymbol{R}_A) = Q_A^{b^*} \wedge \mathcal {Q}_{\textsf{B}}(\boldsymbol{R}_B) = Q_B^{b^*} \wedge \boldsymbol{F}(Q_E) = f_E \wedge \boldsymbol{T} = \tau \right) \\ \ge &\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(S)\,\,|\,\, \boldsymbol{F}(Q_E) = f_E\right) \\ &- \log \left| \textrm{supp}\left( \boldsymbol{F}(S)|_{\mathcal {Q}_{\textsf{A}}(\boldsymbol{R}_A) = Q_A^{b^*} \wedge \mathcal {Q}_{\textsf{B}}(\boldsymbol{R}_B) = Q_B^{b^* } \wedge \boldsymbol{T} = \tau \wedge \boldsymbol{F}(Q_E) = f_E} \right) \right| \\ \ge &\log \left| \textrm{supp}\left( \boldsymbol{F}(S)|_{\boldsymbol{F}(Q_E) = f_E} \right) \right| - \log \frac{ \left| \textrm{supp}\left( \boldsymbol{F}(S)|_{\boldsymbol{F}(Q_E) = f_E} \right) \right| }{2} \\ = &1, \end{aligned}$$

where the second inequality follows from Eq. (5) and the fact that \(\boldsymbol{F}(S)|_{\boldsymbol{F}(Q_E) = f_E}\) is a uniform distribution (so its entropy is the logarithm of its support size).

Now that \(\Delta \ge 1\), it suffices to show \(h(Q_{1 - b^*}, Q_{b^*}) \ge \Delta \). Since \(S \subseteq Q_{A}^{1 - b^*} \cup Q_{B}^{1 - b^*}\), this follows from the chain rule:

$$\begin{aligned} \quad &h(Q_{1 - b^*}, Q_{b^*}) - \Delta \\ = &\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(\overline{S})\,\,|\,\, \boldsymbol{F}(Q_E) = f_E\right) \\ &-\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(\overline{S}) \,\,|\,\, \boldsymbol{F}(S), \mathcal {Q}_{\textsf{A}}(\boldsymbol{R}_A) = Q_A^{b^*} \wedge \mathcal {Q}_{\textsf{B}}(\boldsymbol{R}_B) = Q_B^{b^*} \wedge \boldsymbol{F}(Q_E) = f_E \wedge \boldsymbol{T} = \tau \right) \\ \ge &\ 0, \end{aligned}$$

where \(\overline{S} {\mathop {=}\limits ^{\textsf{def}}}(Q_A^{1 - b^*} \cup Q_B^{1 - b^*}) \setminus S\) and the inequality holds since \(\boldsymbol{F}(\overline{S})|_{\boldsymbol{F}(Q_E) = f_E}\) is a uniform distribution (and the uniform distribution has maximum entropy).

Corollary 1 (Accuracy of \(\textsf{E}\))

Let \(\varPi \) be an \(\ell \)-oracle-aided, non-adaptive \((1, q, \gamma )\)-key-agreement. Assume that \(\varPi \) is normalized. Then Algorithm 1 guesses the key correctly with probability at least \(1 - \sqrt{2\varepsilon }\), i.e.,

$$ \mathop {\mathrm {\textbf{Pr}}}_{v = (r_\textsf{A}, r_\textsf{B}, f)\leftarrow \boldsymbol{EV}}\left[ \textsf{E}^f(\texttt{tran}(v)) = \texttt{out}_{\textsf{A}}(v)\right] > 1 - \sqrt{2\varepsilon }. $$

Proof

By Lemma 3, \(\textsf{E}\) outputs \(\texttt{out}_{\textsf{A}}(v)\) except with probability less than \(\sqrt{2\varepsilon }\).

3.3 Efficiency of the Attacker

In this subsection, we analyze the efficiency of the attacker Eve (Algorithm 1) via the density increment argument [YZ22, YZ23]. We first introduce the density function. Intuitively, the density function \(\varPhi (\tau , f_E)\) captures the amount of hidden information contained in the transcript \(\tau \) about the random function \(\boldsymbol{F}\) given Eve’s observation of oracle \(f_E\). As Eve makes effective queries, she learns (a constant amount of) information in each iteration, so the density function decreases by a constant.

Definition 5 (Density function)

Let \(\tau \) be a transcript and \(f_E\) be a partial function with domain \(Q_E\). Define the density function \(\varPhi \) via

$$\begin{aligned} \varPhi (\tau , f_E) {\mathop {=}\limits ^{\textsf{def}}}\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F} \,\,|\,\, \boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F}(Q_E) = f_E\right) - \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}\,\,|\,\,\boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F}(Q_E) = f_E \wedge \boldsymbol{T} = \tau \right) , \end{aligned}$$

where \((\boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F})\) is a random extended view and \(\boldsymbol{T} {\mathop {=}\limits ^{\textsf{def}}}\texttt{tran}(\boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F})\).

Lemma 4

The density function \(\varPhi \) satisfies the following properties:

1. \(\varPhi \) is non-negative.

2. \(\mathop {\mathrm {\textbf{E}}}\limits _{\tau \leftarrow \boldsymbol{T}}\left[ \varPhi (\tau , f_\emptyset )\right] \le \textrm{CC}(\varPi )\), where \(f_\emptyset \) denotes the empty function.

3. If S is \(\varepsilon \)-correlated w.r.t. \((\tau , f_E)\), then

$$\mathop {\mathrm {\textbf{E}}}\limits _{f_S \leftarrow \boldsymbol{F}(S)|_{\boldsymbol{T} = \tau , \boldsymbol{F}(Q_E) = f_E}}\left[ \varPhi (\tau , f_E \cup f_S)\right] \le \varPhi (\tau , f_E) - \varepsilon .$$

Proof

We prove these statements as follows.

1. \(\boldsymbol{F}\) is uniformly distributed conditioned on \(\boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}\) and the event \(\boldsymbol{F}(Q_E) = f_E\), so the first entropy term in \(\varPhi \) is the maximum possible and further conditioning on \(\boldsymbol{T} = \tau \) cannot exceed it. Hence \(\varPhi \) is non-negative.

2. By definition, we have that

$$\begin{aligned} \mathop {\mathrm {\textbf{E}}}\limits _{\tau \leftarrow \boldsymbol{T}}\left[ \varPhi (\tau , f_\emptyset )\right] &= \mathop {\mathrm {\textbf{E}}}\limits _{\tau \leftarrow \boldsymbol{T}}\left[ \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F} \,\,|\,\, \boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}\right) - \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}\,\,|\,\,\boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{T} = \tau \right) \right] \\ &= \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F} \,\,|\,\, \boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}\right) - \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}\,\,|\,\,\boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{T}\right) \\ &= \textrm{I}\left( \boldsymbol{F}; \boldsymbol{T} \,\,|\,\, \boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}\right) \\ &\le \mathop {\mathrm {\textbf{H}}}\limits (\boldsymbol{T}) \\ &\le \textrm{CC}(\varPi ). \end{aligned}$$

3. Write \(Q_E' {\mathop {=}\limits ^{\textsf{def}}}Q_E \cup S\). We decompose

$$\varPhi (\tau , f_E) - \mathop {\mathrm {\textbf{E}}}\limits _{f_S \leftarrow \boldsymbol{F}(S)|_{\boldsymbol{T} = \tau , \boldsymbol{F}(Q_E) = f_E}}\left[ \varPhi (\tau , f_E \cup f_{S})\right] = \phi _1 -\phi _2, $$

where

$$\begin{aligned} \phi _1 {\mathop {=}\limits ^{\textsf{def}}}&\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F} \,\,|\,\, \boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F}(Q_E) = f_E\right) \\ &- \mathop {\mathrm {\textbf{E}}}\limits _{f_S \leftarrow \boldsymbol{F}(S)|_{\boldsymbol{T} = \tau , \boldsymbol{F}(Q_E) = f_E}}\left[ \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F} \,\,|\,\, \boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F}(Q_E') = (f_E \cup f_{S})\right) \right] , \end{aligned}$$

and

$$\begin{aligned} \phi _2 {\mathop {=}\limits ^{\textsf{def}}}&\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F} \,\,|\,\, \boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F}(Q_E) = f_E \wedge \boldsymbol{T} = \tau \right) \\ &- \mathop {\mathrm {\textbf{E}}}\limits _{f_S \leftarrow \boldsymbol{F}(S)|_{\tau , f_E}}\left[ \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F} \,\,|\,\, \boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F}(Q_E') = (f_E \cup f_{S}) \wedge \boldsymbol{T} = \tau \right) \right] . \end{aligned}$$

Since \(\boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F}\) are independent, we have (by chain rule)

$$ \phi _1 = \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(S) \,\,|\,\, \boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F}(Q_E) = f_E\right) . $$

Observe that by the definition of conditional entropy,

$$\begin{aligned} &\quad \mathop {\mathrm {\textbf{E}}}\limits _{f_S \leftarrow \boldsymbol{F}(S)|_{ \tau , f_E}}\left[ \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F} \,\,|\,\, \boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F}(Q_E') = (f_E \cup f_S) \wedge \boldsymbol{T} = \tau \right) \right] \\ &= \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F} \,\,|\,\, \boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F}(S), \boldsymbol{F}(Q_E) = f_E \wedge \boldsymbol{T} = \tau \right) . \end{aligned}$$

By the chain rule,

$$\begin{aligned} \begin{aligned} \phi _2 = &\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F} \,\,|\,\, \boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F}(Q_E) = f_E \wedge \boldsymbol{T} = \tau \right) \\ &- \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F} \,\,|\,\, \boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F}(S), \boldsymbol{F}(Q_E) = f_E \wedge \boldsymbol{T} = \tau \right) \\ = &\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(S) \,\,|\,\, \boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F}(Q_E) = f_E \wedge \boldsymbol{T} = \tau \right) . \end{aligned} \end{aligned}$$
(6)

Since S is \(\varepsilon \)-correlated, we have

$$ \mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(S) \,\,|\,\, \boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F}(Q_E) = f_E\right) -\mathop {\mathrm {\textbf{H}}}\limits \left( \boldsymbol{F}(S) \,\,|\,\, \boldsymbol{R}_\textsf{A}, \boldsymbol{R}_\textsf{B}, \boldsymbol{F}(Q_E) = f_E \wedge \boldsymbol{T} = \tau \right) \ge \varepsilon , $$

and hence

$$ \varPhi (\tau , f_E) - \mathop {\mathrm {\textbf{E}}}\limits _{f_S \leftarrow \boldsymbol{F}(S)|_{\boldsymbol{T} = \tau , \boldsymbol{F}(Q_E) = f_E}}\left[ \varPhi (\tau , f_E \cup f_{S})\right] = \phi _1 - \phi _2 \ge \varepsilon . $$
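To make Definitions 3 and 5 and Lemma 4 concrete, here is an added example (not code from the paper) that enumerates every extended view \((r_A, r_B, f)\) of a toy Merkle's Puzzles protocol, computes \(\varPhi (\tau , f_E)\) and the correlation gap of a set S exactly, and checks items 2 and 3 of Lemma 4 numerically. The parameters \(N = 4\), \(M = 3\), \(\ell = 2\), the transcript encoding and the bit count \(\textrm{CC}\) are constructed assumptions of the example.

```python
"""Brute-force computation of the density function Phi (Definition 5) and the
epsilon-correlation gap (Definition 3) for a toy Merkle's Puzzles instance in
the random-oracle model.  Added example, not the paper's code: the parameters,
the transcript encoding and CC are constructed so that every extended view
(r_A, r_B, f) can be enumerated and Lemma 4 can be checked numerically."""
from collections import defaultdict
from itertools import combinations, product
from math import ceil, log2

N, M, ELL = 4, 3, 2                              # oracle f: [N] -> [M]; ELL queries per party
QUERY_SETS = list(combinations(range(N), ELL))  # r_A / r_B index a query set (non-adaptive)
ORACLES = list(product(range(M), repeat=N))     # all M^N oracles, a priori equally likely
CC = ELL * ceil(log2(M)) + ceil(log2(ELL + 1))  # worst-case transcript length in bits


def transcript(qa, qb, f):
    """Toy Merkle's Puzzles: Alice sends z_i = f(w_i) for her queries w_i; Bob
    replies with the index i of the first z_i that one of his own queries
    hashes to, or -1 to abort.  The transcript is (z_1, ..., z_ELL, reply)."""
    zs = tuple(f[w] for w in qa)
    hits = [i for i, z in enumerate(zs) if any(f[w] == z for w in qb)]
    return zs + (hits[0] if hits else -1,)


def views(f_E, tau=None):
    """Extended views (r_A, r_B, f) whose oracle agrees with Eve's partial
    function f_E and, when tau is given, whose transcript equals tau.  The
    prior is uniform, so conditioning on these events is uniform over the
    list (this is EV(tau, f_E) from Sect. 3.1)."""
    out = []
    for f in ORACLES:
        if any(f[w] != v for w, v in f_E.items()):
            continue
        for ra, qa in enumerate(QUERY_SETS):
            for rb, qb in enumerate(QUERY_SETS):
                if tau is None or transcript(qa, qb, f) == tau:
                    out.append((ra, rb, f))
    return out


def cond_entropy(vs, S):
    """H(F(S) | R_A, R_B) in bits under the uniform distribution over vs."""
    groups = defaultdict(lambda: defaultdict(int))
    for ra, rb, f in vs:
        groups[(ra, rb)][tuple(f[w] for w in S)] += 1
    total, h = len(vs), 0.0
    for g in groups.values():
        n = sum(g.values())
        h += (n / total) * sum(-(c / n) * log2(c / n) for c in g.values())
    return h


def correlation(S, tau, f_E):
    """Entropy gap of Definition 3: S is eps-correlated w.r.t. (tau, f_E)
    exactly when this value is at least eps."""
    return cond_entropy(views(f_E), S) - cond_entropy(views(f_E, tau), S)


def phi(tau, f_E):
    """Density function Phi(tau, f_E) of Definition 5: the gap for S = [N]."""
    return correlation(range(N), tau, f_E)


def check_item2():
    """Lemma 4, item 2: returns (E_tau[Phi(tau, f_empty)], H(T), CC).  The
    first value equals I(F; T | R_A, R_B) and must not exceed the other two."""
    all_views = views({})
    counts = defaultdict(int)
    for ra, rb, f in all_views:
        counts[transcript(QUERY_SETS[ra], QUERY_SETS[rb], f)] += 1
    total = len(all_views)
    exp_phi = sum(c / total * phi(tau, {}) for tau, c in counts.items())
    h_t = sum(-(c / total) * log2(c / total) for c in counts.values())
    return exp_phi, h_t, CC


def check_item3(tau, f_E, S):
    """Lemma 4, item 3: returns (Phi(tau, f_E), eps, E_{f_S}[Phi(tau, f_E + f_S)])
    with eps the correlation of S and f_S drawn from F(S) | T = tau, F(Q_E) = f_E.
    Learning an eps-correlated set lowers the density by at least eps."""
    eps = correlation(S, tau, f_E)
    vs = views(f_E, tau)
    counts = defaultdict(int)
    for _, _, f in vs:
        counts[tuple(f[w] for w in S)] += 1
    expected_after = sum(
        c / len(vs) * phi(tau, {**f_E, **dict(zip(S, vals))})
        for vals, c in counts.items()
    )
    return phi(tau, f_E), eps, expected_after


if __name__ == "__main__":
    e_phi, h_t, cc = check_item2()
    print(f"E[Phi(T, f_empty)] = {e_phi:.4f} <= H(T) = {h_t:.4f} <= CC = {cc}")
    # Constructed transcript: Alice sent z = (0, 1) and Bob matched z_1; Eve has
    # queried nothing yet and considers the singleton set S = {0}.
    before, eps, after = check_item3((0, 1, 0), {}, (0,))
    print(f"Phi = {before:.4f}, eps = {eps:.4f}, E[Phi after F(S)] = {after:.4f}")
```

With these parameters the drop in \(\varPhi \) after learning \(\boldsymbol{F}(S)\) equals the correlation gap exactly, which is what the decomposition \(\phi _1 - \phi _2\) above says.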

Following Lemma 4, we can deduce that our attacker \(\textsf{E}\) (Algorithm 1) makes at most \(\textrm{CC}(\varPi )/\varepsilon \) iterations in expectation.

Lemma 5 (Efficiency of \(\textsf{E}\))

\( \mathop {\mathrm {\textbf{E}}}\limits [ \# \text { of iterations in the running of }\textsf{E}] \le \frac{\textrm{CC}(\varPi )}{\varepsilon }. \)

Proof

Recall the sampling procedure in Sect. 1.1. Then, we define some random variables in a random execution for analysis. Let \(\boldsymbol{F}_E^{(i)}=\boldsymbol{F}_E^{(i-1)}\cup \boldsymbol{F} (S_{i})\) be the observations of Eve until the end of the i-th iteration, where \(\boldsymbol{F}_E^{(0)}\) is the empty function. If \(\textsf{E}\) does not enter the i-th iteration, we define \(\boldsymbol{F}_E^{(i)}=\boldsymbol{F}_E^{(i-1)}\). Define a counter variable to record the number of iterations as follows: \(\boldsymbol{C}_0 {\mathop {=}\limits ^{\textsf{def}}}0\) and for \(i \ge 0\)

$$ \boldsymbol{C}_{i + 1} {\mathop {=}\limits ^{\textsf{def}}}{\left\{ \begin{array}{ll} \boldsymbol{C}_{i} + 1, &{}\text {if }\textsf{E} \text { enters the } i\text {-th iteration}; \\ \boldsymbol{C}_{i}, &{}\text {otherwise}. \end{array}\right. } $$

We claim that for every \(\tau \) and \(f_E\),

$$\begin{aligned} \mathop {\mathrm {\textbf{E}}}\limits \left[ \underline{ \varPhi (\boldsymbol{T},\boldsymbol{F}_E^{(i)}) - \varPhi (\boldsymbol{T},\boldsymbol{F}_E^{(i+1)}) - \varepsilon (\boldsymbol{C}_{i+1} - \boldsymbol{C}_{i})}\,\,|\,\, \boldsymbol{T} = \tau \wedge \boldsymbol{F}_E^{(i)} = f_E \right] \ge 0. \end{aligned}$$
(7)

To see this, consider the event \(\textsf{Enter}_i {\mathop {=}\limits ^{\textsf{def}}}\text {``}\textsf{E} \text { enters the } i\text {-th iteration''}\). Conditioned on \(\textsf{Enter}_i\), \(\boldsymbol{C}_{i + 1} - \boldsymbol{C}_i = 1\) and by the third item of Lemma 4, the underlined part is non-negative; conditioned on \(\lnot \textsf{Enter}_i\), the underlined part equals zero by definition.

Since Eq. (7) holds for all \((\tau , f_E)\), we get

$$ \mathop {\mathrm {\textbf{E}}}\limits \left[ \varPhi (\boldsymbol{T},\boldsymbol{F}_E^{(i)}) - \varPhi (\boldsymbol{T},\boldsymbol{F}_E^{(i+1)}) - \varepsilon (\boldsymbol{C}_{i+1} - \boldsymbol{C}_{i})\right] \ge 0. $$

Summing over \(i=0,\cdots ,N-1\), we obtain

$$ \mathop {\mathrm {\textbf{E}}}\limits [ \varPhi (\boldsymbol{T},\boldsymbol{F}_E^{(0)}) ] - \mathop {\mathrm {\textbf{E}}}\limits [ \varPhi (\boldsymbol{T},\boldsymbol{F}_E^{(N)}) ] - \varepsilon \mathop {\mathrm {\textbf{E}}}\limits [\boldsymbol{C}_N - \boldsymbol{C}_0] \ge 0. $$

By the first and second items of Lemma 4, we have \(\mathop {\mathrm {\textbf{E}}}\limits [ \varPhi (\boldsymbol{T},\boldsymbol{F}_E^{(N)}) ] \ge 0\) and \(\mathop {\mathrm {\textbf{E}}}\limits [ \varPhi (\boldsymbol{T},\boldsymbol{F}_E^{(0)}) ] \le \textrm{CC}(\varPi )\). Note that \(\boldsymbol{C}_0 = 0\) and \(\boldsymbol{C}_N\) equals the total number of iterations because there can never be more than N iterations. Therefore, we get

$$ \mathop {\mathrm {\textbf{E}}}\limits [ \# \text { of iterations in the running of }\textsf{E}] = \mathop {\mathrm {\textbf{E}}}\limits [\boldsymbol{C}_N] \le \frac{\textrm{CC}(\varPi )}{\varepsilon }. $$

So far, we have bounded the expected number of iterations of Algorithm 1 from above; however, Algorithm 1 could make too many queries in the worst case. To prove our main theorem, we need an attacker who makes a bounded number of queries in the worst case. We construct such an attacker by running \(\textsf{E}\) for a limited number of iterations.

Theorem 5

Let \(\textsf{E}'\) be an attacker who runs \(\textsf{E}\) but aborts when the number of iterations exceeds \(\frac{\textrm{CC}(\varPi )}{\varepsilon ^{3/2}}\). Then the following statements hold:

1. Efficiency: \(\textsf{E}'\) makes at most \(q_{\textsf{E}'} = 2\ell \cdot \textrm{CC}(\varPi ) / \varepsilon ^{3/2}\) oracle queries.

2. Accuracy: The success probability of \(\textsf{E}'\) is at least \(\gamma \).

Proof

Efficiency holds because \(\textsf{E}'\) queries at most \(\textrm{CC}(\varPi )/\varepsilon ^{3 / 2}\) sets and each set has size at most \(2\ell \). As for accuracy, let \(\beta , \beta '\) be the success probability of \(\textsf{E}, \textsf{E}'\) respectively. By the definition of \(\textsf{E}'\), we have

$$\begin{aligned} \left| \beta ' - \beta \right| &\le \mathop {\mathrm {\textbf{Pr}}}_{}\left[ \textsf{E}' \text { aborts}\right] \\ &= \mathop {\mathrm {\textbf{Pr}}}_{}\left[ \# \text { of iterations in the running of } \textsf{E}\text { is more than } \textrm{CC}(\varPi ) / \varepsilon ^{3/2}\right] . \end{aligned}$$

Lemma 5 together with Markov's inequality shows that this quantity is at most \(\sqrt{\varepsilon }\): the expected number of iterations is at most \(\textrm{CC}(\varPi )/\varepsilon \), so the probability that it exceeds \(\textrm{CC}(\varPi )/\varepsilon ^{3/2}\) is at most \((\textrm{CC}(\varPi )/\varepsilon ) \cdot (\varepsilon ^{3/2}/\textrm{CC}(\varPi )) = \sqrt{\varepsilon }\). Therefore, we have \(\beta ' \ge \beta - \sqrt{\varepsilon }\). By the accuracy of \(\textsf{E}\) (Corollary 1) and our choice of \(\varepsilon \) (i.e., \(\varepsilon = (1 - \gamma )^2/ 9\)), we obtain \(\beta ' \ge 1 - \sqrt{2\varepsilon } - \sqrt{\varepsilon } > 1 - 3\sqrt{\varepsilon } = \gamma \).

Proving the Main Theorem. Theorem 4 immediately follows from Theorem 5.

Proof (of Theorem 4)

Let \(\varPi \) be a protocol that satisfies the conditions of Theorem 4. It suffices to prove \(\textrm{CC}(\varPi ) \ge \frac{q}{2\ell } \cdot \frac{(1-\gamma )^3}{ 27}\) (Eq. (2)), provided that \(\varPi \) is normalized. Since \(\textsf{E}'\) in Theorem 5 succeeds with probability \(\gamma \) and \(\varPi \) is \((q, \gamma )\)-secure by assumption, we must have \(q_{\textsf{E}'} > q\), which implies

$$ \textrm{CC}(\varPi ) > \frac{q}{2\ell } \cdot \varepsilon ^{3/2} = \frac{q}{2\ell } \cdot \frac{(1-\gamma )^3}{ 27}. $$