nach oben

Erschienen in:

2018 | OriginalPaper | Buchkapitel

On the Complexity of Fair Coin Flipping

verfasst von : Iftach Haitner, Nikolaos Makriyannis, Eran Omri

Erschienen in: Theory of Cryptography

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

A two-party coin-flipping protocol is \(\varepsilon \)-fair if no efficient adversary can bias the output of the honest party (who always outputs a bit, even if the other party aborts) by more than \(\varepsilon \). Cleve [STOC ’86] showed that r-round o(1 / r)-fair coin-flipping protocols do not exist. Awerbuch et al. [Manuscript ’85] constructed a \(\varTheta (1/\sqrt{r})\)-fair coin-flipping protocol, assuming the existence of one-way functions. Moran et al. [Journal of Cryptology ’16] constructed an r-round coin-flipping protocol that is \(\varTheta (1/r)\)-fair (thus matching the aforementioned lower bound of Cleve [STOC ’86]), assuming the existence of oblivious transfer.

The above gives rise to the intriguing question of whether oblivious transfer, or more generally “public-key primitives”, is required for an \(o(1/\sqrt{r})\)-fair coin flipping. This question was partially answered by Dachman-Soled et al. [TCC ’11] and Dachman-Soled et al. [TCC ’14], who showed that restricted types of fully black-box reductions cannot establish \(o(1/\sqrt{r})\)-fair coin-flipping protocols from one-way functions. In particular, for constant-round coin-flipping protocols, [10] yields that black-box techniques from one-way functions can only guarantee fairness of order \(1/\sqrt{r}\).

We make progress towards answering the above question by showing that, for any constant

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-03807-6_20/476300_1_En_20_IEq8_HTML.gif

, the existence of an \(1/(c\cdot \sqrt{r})\)-fair, r-round coin-flipping protocol implies the existence of an infinitely-often key-agreement protocol, where c denotes some universal constant (independent of r). Our reduction is non black-box and makes a novel use of the recent dichotomy for two-party protocols of Haitner et al. [FOCS ’18] to facilitate a two-party variant of the attack of Beimel et al. [FOCS ’18] on multi-party coin-flipping protocols.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel On the Security Loss of Unique Signatures

Nächstes Kapitel Game Theoretic Notions of Fairness in Multi-party Coin Toss

Such protocols are typically addressed as having guaranteed output delivery, or, abusing terminology, as fair.

While infinitely-often key-agreement protocols are useless from a cryptographic point of view, constructing such protocols appears to be as hard as obtaining full-blown key agreement.

For instance, the first two messages might contain commitments to the parties’ randomness.

In the spirit of Beimel et al. [3], we could have modified the definition of the \(X_i\)’s to make them efficiently computable even for non constant-round protocols. The idea is to define \(X_i= {{\mathbf {E}}}\left[ C \mid F_i,X_{i-1}\right] \). While the resulting sequence might not be a martingale, [3] proves that a \(1/\sqrt{r}\)-gap also occurs with constant probability for such a sequence. Unfortunately, we cannot benefit from this improvement, since the results of Haitner et al. [12] only guarantees indistinguishability for constant \(\rho \), which makes it useful only for attacking constant-round protocols.

Assuming the nonexistence of key-agreement protocols, Theorem 1.3 implies Theorem 1.2. Yet, we chose to use both results to make the text more modular.

Definition 2.1 requires perfect uniformity: the common output in an honest execution is an unbiased bit. The proof given below, however, easily extends to any non-trivial uniformity condition, e.g., the common output equals 1 with probability 3 / 4.

We remark that we did not optimize the value of the constant.

Haitner et al. [12] do not limit the output-length of \(\mathsf {F} \). Nevertheless, by applying [12] with parameter \(\rho /2\) and chopping each of the forecaster’s outputs to the first \(\left\lceil \log 1/\rho \right\rceil +1\) (most significant) bits, yields the desired constant output-length forecaster.

Alon, B., Omri, E.: Almost-optimally fair multiparty coin-tossing with nearly three-quarters malicious. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9985, pp. 307–335. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53641-4_13CrossRef

Awerbuch, B., Blum, M., Chor, B., Goldwasser, S., Micali, S.: How to implement Bracha’s \({O}(\log n)\) byzantine agreement algorithm (1985). Unpublished manuscript

Beimel, A., Haitner, I., Makriyannis, N., Omri, E.: Tighter bounds on multi-party coin flipping via augmented weak martingales and differentially private sampling. In: Proceedings of the 59th Annual Symposium on Foundations of Computer Science (FOCS) (2018)

Beimel, A., Omri, E., Orlov, I.: Protocols for multiparty coin toss with a dishonest majority. J. Cryptol. 28(3), 551–600 (2015)MathSciNetCrossRef

Berman, I., Haitner, I., Tentes, A.: Coin flipping of any constant bias implies one-way functions. J. ACM 65(3), 14 (2018)MathSciNetCrossRef

Blum, M.: How to exchange (secret) keys. ACM Trans. Comput. Syst. 1, 175–193 (1983)CrossRef

Buchbinder, N., Haitner, I., Levi, N., Tsfadia, E.: Fair coin flipping: tighter analysis and the many-party case. In: Proceedings of the 28th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA), pp. 2580–2600 (2017)

Cleve, R.: Limits on the security of coin flips when half the processors are faulty. In: Proceedings of the 18th Annual ACM Symposium on Theory of Computing (STOC), pp. 364–369 (1986)

Cleve, R., Impagliazzo, R.: Martingales, collective coin flipping and discrete control processes (extended abstract) (1993). http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.51.1797

10.

Dachman-Soled, D., Lindell, Y., Mahmoody, M., Malkin, T.: On the black-box complexity of optimally-fair coin tossing. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 450–467. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_27CrossRefMATH

11.

Dachman-Soled, D., Mahmoody, M., Malkin, T.: Can optimally-fair coin tossing be based on one-way functions? In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 217–239. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_10CrossRef

12.

Haitner, I., Nissim, K., Omri, E., Shaltiel, R., Silbak, J.: Computational two-party correlation. In: Proceedings of the 59th Annual Symposium on Foundations of Computer Science (FOCS) (2018)

13.

Haitner, I., Omri, E.: Coin flipping with constant bias implies one-way functions. SIAM J. Comput. 43(2), 389–409 (2014)MathSciNetCrossRef

14.

Haitner, I., Tsfadia, E.: An almost-optimally fair three-party coin-flipping protocol. In: Proceedings of the 46th Annual ACM Symposium on Theory of Computing (STOC), pp. 817–836 (2014)

15.

Haitner, I., Tsfadia, E.: An almost-optimally fair three-party coin-flipping protocol. SIAM J. Comput. 46(2), 479–542 (2017)MathSciNetCrossRef

16.

Hoeffding, W.: Probability inequalities for sums of bounded random variables. J. Am. Stat. Assoc. 58, 13–30 (1963)MathSciNetCrossRef

17.

Impagliazzo, R., Luby, M.: One-way functions are essential for complexity based cryptography. In: Proceedings of the 30th Annual Symposium on Foundations of Computer Science (FOCS), pp. 230–235 (1989)

18.

Maji, H.K., Prabhakaran, M., Sahai, A.: On the computational complexity of coin flipping. In: Proceedings of the 51st Annual Symposium on Foundations of Computer Science (FOCS), pp. 613–622 (2010)

19.

Moran, T., Naor, M., Segev, G.: An optimally fair coin toss. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 1–18. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_1CrossRef

20.

Moran, T., Naor, M., Segev, G.: An optimally fair coin toss. J. Cryptol. 29(3), 491–513 (2016)MathSciNetCrossRef

Titel: On the Complexity of Fair Coin Flipping
verfasst von: Iftach Haitner
Nikolaos Makriyannis
Eran Omri
Verlag: Springer International Publishing
Buch: Theory of Cryptography
Print ISBN: 978-3-030-03806-9

Electronic ISBN: 978-3-030-03807-6

Copyright-Jahr: 2018
DOI: https://doi.org/10.1007/978-3-030-03807-6_20

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner