Coin Tossing with Lazy Defense: Hardness of Computation Results

There is significant interest in securely computing functionalities with guaranteed output delivery, a.k.a. fair computation. For example, consider a 2-party n-round coin-tossing protocol in the information-theoretic setting. Even if one party aborts during the protocol execution, the other party has to receive her outcome. Towards this objective, in every round, the sender of that round's message preemptively prepares a defense coin, which is her output if the other party aborts prematurely. Cleve and Impagliazzo (1993), Beimel, Haitner, Makriyannis, and Omri (2018), and Khorasgani, Maji, and Mukherjee (2019) show that a fail-stop adversary can alter the distribution of the outcome by Ω(1/√n). This hardness-of-computation result for the representative coin-tossing functionality extends (using a partition argument) to the fair evaluation of any functionality whose output is not a priori fixed and where honest parties are not in the majority. However, there are natural scenarios in the delegation of computation where it is infeasible for the parties to update their defenses during every round of the protocol's evolution. For example, when parties delegate, say, their coin-tossing task to an external server, high network latency prevents them from staying abreast of the progress of the fast protocol running on the server and keeping their defense coins in sync with it. Therefore, this paper considers lazy coin-tossing protocols, where parties update their defense coins only a total of d times during the protocol execution. Is it possible that, using only d ≪ n defense coin updates, a fair coin-tossing protocol is robust to O(1/√n) change in its output distribution? This paper proves that being robust to O(1/√n) change in the output distribution necessarily requires defense complexity d = Ω(n), thus ruling out the possibility mentioned above.
More generally, our work proves that a fail-stop adversary can bias the outcome distribution of a coin-tossing protocol by Ω(1/√d), a qualitatively better attack than the previous state of the art when d = o(n). This hardness-of-computation result extends to the fair evaluation of arbitrary functionalities as well. That is, the defense complexity of the protocol, not its round complexity, determines its security. We emphasize that the rounds in which parties calculate their defense coins need not be fixed a priori; they may depend on the protocol's evolution itself. Finally, we translate this fail-stop adversarial attack into new black-box separation results. The proof relies on an inductive argument using a carefully crafted potential function to precisely account for the quality of the best attack on coin-tossing protocols. Previous approaches fail when the protocol evolution reveals information about the defense coins of both parties, which is inevitable in lazy coin-tossing protocols. Our analysis decouples the defense complexity of coin-tossing protocols from their round complexity to guarantee fail-stop attacks whose performance depends only on the defense complexity of the coin-tossing protocol, irrespective of its round complexity. To complement this hardness-of-computation result, our paper introduces a coin-tossing protocol with a private defense update strategy, i.e., the defense update round is not publicly measurable, using d = n^{1−λ} defense updates (in expectation) to achieve O(1/√n) robustness, where λ is an appropriate positive constant.
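To make the interaction between defense updates and fail-stop aborts concrete, the following is an added, self-contained illustration (not the paper's protocol, attack or analysis). It assumes a toy information-theoretic protocol: in round i the sender broadcasts a uniform bit, the output is the majority of the n bits (n odd), the adversary A sends in odd rounds and the honest party B in even rounds, and B refreshes her defense coin only in the even rounds listed in a fixed (non-adaptive) schedule, each refresh being a fresh sample of the output conditioned on the transcript so far. A dynamic program over the transcript tree then computes exactly how far an optimal fail-stop A can push the expectation of B's output, so the same protocol can be evaluated under an eager schedule (every one of B's rounds) and under lazy schedules with fewer updates. The function names, the majority protocol and the defense-sampling rule are assumptions of this example.

```python
from fractions import Fraction
from functools import lru_cache
from math import comb


def majority_prob(n, seen, ones):
    """P[majority of n uniform bits is 1 | `ones` ones among the first `seen` bits].

    This is the honest continuation value E[f | t_seen] for the majority protocol,
    and also the expectation of a defense coin sampled at transcript length `seen`.
    """
    remaining = n - seen
    need = (n + 1) // 2 - ones  # ones still required to reach a majority
    if need <= 0:
        return Fraction(1)
    if need > remaining:
        return Fraction(0)
    return Fraction(sum(comb(remaining, k) for k in range(need, remaining + 1)), 2**remaining)


def best_fail_stop_bias(n, update_rounds):
    """Exact bias of the best fail-stop attack by A (odd rounds) on honest B (even rounds).

    Assumed model: B refreshes her defense coin only in the rounds in `update_rounds`
    (all must be B's rounds); before the first refresh her defense is an a priori
    uniform coin (expectation 1/2). A follows the protocol except that she may abort
    at any point, in which case B outputs her current, possibly stale, defense coin.
    Returns E[B's output] - 1/2 under A's optimal abort strategy (A tries to push
    the output towards 1; the towards-0 case is symmetric).
    """
    if n % 2 == 0:
        raise ValueError("n must be odd so the majority is well defined")
    update_rounds = frozenset(update_rounds)
    bad = sorted(r for r in update_rounds if r % 2 == 1 or not 1 <= r <= n)
    if bad:
        raise ValueError(f"defense updates must happen in B's (even) rounds: {bad}")

    @lru_cache(maxsize=None)
    def value(i, ones, defense):
        # State: i bits exchanged, `ones` of them are 1, B's current defense coin
        # has expectation `defense`. Returns E[B's output] from here under optimal play.
        if i == n:
            return Fraction(1 if ones > n // 2 else 0)  # protocol over, output fixed
        nxt = i + 1
        cont = Fraction(0)
        for bit in (0, 1):  # the next message is a uniform bit whoever sends it
            new_ones = ones + bit
            # B refreshes her defense in her scheduled rounds, otherwise it stays stale
            new_def = majority_prob(n, nxt, new_ones) if nxt in update_rounds else defense
            cont += value(nxt, new_ones, new_def) / 2
        # Abort now (B outputs her current defense) or keep playing, whichever is better for A
        return max(defense, cont)

    return value(0, 0, Fraction(1, 2)) - Fraction(1, 2)


if __name__ == "__main__":
    n = 15
    b_rounds = list(range(2, n + 1, 2))  # B's rounds
    schedules = [
        ("eager, d = %d" % len(b_rounds), b_rounds),
        ("lazy,  d = 2", [b_rounds[0], b_rounds[-1]]),
        ("never, d = 0", []),
    ]
    for label, sched in schedules:
        bias = best_fail_stop_bias(n, sched)
        print(f"{label}: bias = {bias} ~ {float(bias):.4f}")
```

For n = 5 the program gives a bias of 9/64 when B refreshes in both of her rounds and 5/32 when she never refreshes: with a stale defense, A waits until the honest continuation turns against her and then falls back on B's out-of-date coin, which is exactly the gap a lazy protocol leaves open. The memoised state is (transcript length, number of ones, defense expectation), so the tree of 2^n transcripts collapses to a few hundred states even for n in the twenties.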

[1] Michael E. Saks et al. The Dual BKR Inequality and Rudich's Conjecture, 2011, Comb. Probab. Comput.

[2] Sanjam Garg et al. On the Round Complexity of OT Extension, 2018, IACR Cryptol. ePrint Arch.

[3] Sampath Kannan et al. The relationship between public key encryption and oblivious transfer, 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[4] Eran Omri et al. Complete Characterization of Fairness in Secure Two-Party Computation of Boolean Functions, 2015, TCC.

[5] Mihir Bellare et al. Uniform Generation of NP-Witnesses Using an NP-Oracle, 2000, Inf. Comput.

[6] Stephen M. Rudich et al. Limits on the provable consequences of one-way functions, 1983, STOC 1983.

[7] Abhi Shelat et al. Lower Bounds on Assumptions Behind Indistinguishability Obfuscation, 2016, TCC.

[8] Tal Malkin et al. Can Optimally-Fair Coin Tossing Be Based on One-Way Functions?, 2014, TCC.

[9] Steven Myers et al. Towards a Separation of Semantic and CCA Security for Public Key Encryption, 2007, TCC.

[10] Eran Omri et al. Tighter Bounds on Multi-Party Coin Flipping via Augmented Weak Martingales and Differentially Private Sampling, 2018, 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS).

[11] Michael E. Saks et al. A dual version of Reimer's inequality and a proof of Rudich's conjecture, 2000, Proceedings 15th Annual IEEE Conference on Computational Complexity.

[12] Gilad Asharov et al. Towards Characterizing Complete Fairness in Secure Two-Party Computation, 2014, IACR Cryptol. ePrint Arch.

[13] Yehuda Lindell et al. Complete Fairness in Secure Two-Party Computation, 2011, JACM.

[14] Justin M. Reyneri et al. Coin flipping by telephone, 1984, IEEE Trans. Inf. Theory.

[15] Periklis A. Papakonstantinou et al. On the Impossibility of Basing Identity Based Encryption on Trapdoor Permutations, 2008, 2008 49th Annual IEEE Symposium on Foundations of Computer Science.

[16] Luca Trevisan et al. Notions of Reducibility between Cryptographic Primitives, 2004, TCC.

[17] Sanjam Garg et al. Lower Bounds on Obfuscation from All-or-Nothing Encryption Primitives, 2017, CRYPTO.

[18] Eran Omri et al. 1/p-Secure Multiparty Computation without Honest Majority and the Best of Both Worlds, 2011, CRYPTO.

[19] Yevgeniy Vahlis et al. Two Is a Crowd? A Black-Box Separation of One-Wayness and Security under Correlated Inputs, 2010, TCC.

[20] Steven Rudich et al. The Use of Interaction in Public Cryptosystems (Extended Abstract), 1991, CRYPTO.

[21] Yehuda Lindell et al. On the Black-Box Complexity of Optimally-Fair Coin Tossing, 2011, TCC.

[22] Takahiro Matsuda et al. On Black-Box Separations among Injective One-Way Functions, 2011, TCC.

[23] Boaz Barak et al. Merkle Puzzles are Optimal, 2008, IACR Cryptol. ePrint Arch.

[24] Jonathan Katz et al. Lower bounds on the efficiency of encryption and digital signature schemes, 2003, STOC '03.

[25] Yael Tauman Kalai et al. A Lower Bound for Adaptively-Secure Collective Coin-Flipping Protocols, 2018, Electron. Colloquium Comput. Complex.

[26] Hemanta K. Maji et al. Estimating Gaps in Martingales and Applications to Coin-Tossing: Constructions and Hardness, 2019, IACR Cryptol. ePrint Arch.

[27] Leslie G. Valiant et al. Random Generation of Combinatorial Structures from a Uniform Distribution, 1986, Theor. Comput. Sci.

[28] Russell Impagliazzo et al. Limits on the provable consequences of one-way permutations, 1988, STOC '89.

[29] H. K. Maji et al. Black-box use of One-way Functions is Useless for Optimal Fair Coin-Tossing, 2020, IACR Cryptol. ePrint Arch.

[30] Eran Omri et al. Limits on the Usefulness of Random Oracles, 2013, Journal of Cryptology.

[31] Jonathan Katz et al. Impossibility of Blind Signatures from One-Way Permutations, 2011, TCC.

[32] Manoj Prabhakaran et al. Limits of random oracles in secure computation, 2012, Electron. Colloquium Comput. Complex.

[33] Richard Cleve et al. Limits on the security of coin flips when half the processors are faulty, 1986, STOC '86.

[34] Tal Malkin et al. On the impossibility of basing trapdoor functions on trapdoor predicates, 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[35] Daniel R. Simon et al. Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions?, 1998, EUROCRYPT.

[36] Manoj Prabhakaran et al. On the Power of Public-key Encryption in Secure Computation, 2013, Electron. Colloquium Comput. Complex.

[37] Marc Fischlin et al. Notions of Black-Box Reductions, Revisited, 2013, IACR Cryptol. ePrint Arch.

[38] Nikolaos Makriyannis. On the Classification of Finite Boolean Functions up to Fairness, 2014, SCN.

[39] Yehuda Lindell et al. A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness, 2013, TCC.

[40] Luca Trevisan et al. Lower bounds on the efficiency of generic cryptographic constructions, 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[41] Jonathan Katz et al. Partial Fairness in Secure Two-Party Computation, 2010, Journal of Cryptology.