Fair Coin Flipping: Tighter Analysis and the Many-Party Case

In a multi-party fair coin-flipping protocol, the parties output a common (close to) unbiased bit, even when some corrupted parties try to bias the output. In this work we focus on the case of dishonest majority, i.e., at least half of the parties can be corrupted. [19] [STOC 1986] has shown that in any m-round coin-flipping protocol the corrupted parties can bias the honest parties' common output bit by Θ(1/m). For more than two decades, the best known coin-flipping protocol against a dishonest majority was the protocol of [9] [Manuscript 1985], who presented a t-party, m-round protocol with bias [EQUATION]. This was changed by the breakthrough result of [42] [TCC 2009], who constructed an m-round, two-party coin-flipping protocol with optimal bias Θ(1/m). Recently, [32] [STOC 14] constructed an m-round, three-party coin-flipping protocol with bias O(log^3 m/m). Still, for the case of more than three parties, against an arbitrary number of corruptions, the best known protocol remained the [EQUATION]-bias protocol of [9]. We make a step towards eliminating the above gap, presenting a t-party, m-round coin-flipping protocol with bias [EQUATION]. This improves upon the [EQUATION]-bias protocol of [9] for any t ≤ 1/2 · log log m, and in particular for t ∈ O(1), this yields a 1/m^(1/2+Θ(1))-bias protocol. For the three-party case, this yields an [EQUATION]-bias protocol, improving over the O(log^3 m/m)-bias protocol of [32]. Our protocol generalizes that of [32] by presenting appropriate "defense protocols" for the remaining parties to interact in, in the case that some parties abort or are caught cheating ([32] only presented a two-party defense protocol, which limits their final protocol to handling three parties). We analyze our new protocols by presenting a new paradigm for analyzing fairness of coin-flipping protocols. We map the set of adversarial strategies that try to bias the honest parties' outcome in the protocol to the set of feasible solutions of a linear program. The gain each strategy achieves is the value of the corresponding solution. We then bound the optimal value of the linear program by constructing a feasible solution to its dual.

[1] Omer Reingold, et al. Inaccessible entropy, 2009, STOC '09.

[2] Bar Alon, et al. Almost-Optimally Fair Multiparty Coin-Tossing with Nearly Three-Quarters Malicious, 2016, TCC.

[3] Yehuda Lindell, et al. Complete Fairness in Secure Two-Party Computation, 2011, JACM.

[4] Russell Impagliazzo, et al. One-way functions are essential for complexity based cryptography, 1989, 30th Annual Symposium on Foundations of Computer Science.

[5] Yehuda Lindell, et al. On the Black-Box Complexity of Optimally-Fair Coin Tossing, 2011, TCC.

[6] Craig Gentry, et al. Trapdoors for hard lattices and new cryptographic constructions, 2008, IACR Cryptol. ePrint Arch.

[7] Andris Ambainis, et al. A new protocol and lower bounds for quantum coin flipping, 2001, STOC '01.

[8] Eran Omri, et al. Complete Characterization of Fairness in Secure Two-Party Computation of Boolean Functions, 2015, TCC.

[9] Oded Goldreich, et al. Foundations of Cryptography: Volume 2, Basic Applications, 2004.

[10] Alexander Russell, et al. Perfect Information Leader Election in log* n+O (1) Rounds, 2001, J. Comput. Syst. Sci.

[11] Moni Naor, et al. Basing cryptographic protocols on tamper-evident seals, 2005, Theor. Comput. Sci.

[12] M. Skala. Hypergeometric tail inequalities: ending the insanity, 2013, 1311.5939.

[13] Eran Omri, et al. 1/p-Secure Multiparty Computation without Honest Majority and the Best of Both Worlds, 2011, CRYPTO.

[14] Moni Naor, et al. An Optimally Fair Coin Toss, 2015, Journal of Cryptology.

[15] Ran Canetti, et al. Security and Composition of Multiparty Cryptographic Protocols, 2000, Journal of Cryptology.

[16] Iftach Haitner, et al. Implementing Oblivious Transfer Using Collection of Dense Trapdoor Permutations, 2004, TCC.

[17] Moni Naor, et al. Efficient oblivious transfer protocols, 2001, SODA '01.

[18] Michael E. Saks. A Robust Noncryptographic Protocol for Collective Coin Flipping, 1989, SIAM J. Discret. Math.

[19] Andrew Chi-Chih Yao, et al. Quantum bit escrow, 2000, STOC '00.

[20] Uriel Feige, et al. Noncryptographic selection protocols, 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[21] Eran Omri, et al. Characterization of Secure Multiparty Computation Without Broadcast, 2016, Journal of Cryptology.

[22] Eran Omri, et al. Coin Flipping with Constant Bias Implies One-Way Functions, 2011, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science.

[23] Amit Sahai, et al. On the Computational Complexity of Coin Flipping, 2010, 2010 IEEE 51st Annual Symposium on Foundations of Computer Science.

[24] Richard Cleve, et al. Limits on the security of coin flips when half the processors are faulty, 1986, STOC '86.

[25] Leonid A. Levin, et al. A Pseudorandom Generator from any One-way Function, 1999, SIAM J. Comput.

[26] Eran Omri, et al. Protocols for Multiparty Coin Toss with a Dishonest Majority, 2015, Journal of Cryptology.

[27] Iftach Haitner, et al. An almost-optimally fair three-party coin-flipping protocol, 2014, STOC.

[28] Omer Reingold, et al. Statistically Hiding Commitments and Statistical Zero-Knowledge Arguments from Any One-Way Function, 2009, SIAM J. Comput.

[29] Yael Tauman Kalai. Smooth Projective Hashing and Two-Message Oblivious Transfer, 2005, EUROCRYPT.

[30] Itay Berman, et al. Coin flipping of any constant bias implies one-way functions, 2014, STOC.

[31] Moni Naor, et al. Bit commitment using pseudorandomness, 1989, Journal of Cryptology.

[32] Oded Goldreich, et al. The Foundations of Cryptography - Volume 2: Basic Applications, 2001.

[33] Manuel Blum, et al. How to exchange (secret) keys, 1983, TOCS.

[34] Yuval Ishai, et al. Priced Oblivious Transfer: How to Sell Digital Goods, 2001, EUROCRYPT.

[35] Silvio Micali, et al. A Completeness Theorem for Protocols with Honest Majority, 1987, STOC 1987.

[36] W. Hoeffding. Probability Inequalities for sums of Bounded Random Variables, 1963.

[37] Andris Ambainis, et al. Multiparty quantum coin flipping, 2003, Proceedings. 19th IEEE Annual Conference on Computational Complexity, 2004.

[38] Jonathan Katz, et al. Partial Fairness in Secure Two-Party Computation, 2010, Journal of Cryptology.

[39] Noga Alon, et al. Coin-flipping games immune against linear-sized coalitions, 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[40] Jonathan Katz. On achieving the "best of both worlds" in secure multiparty computation, 2007, STOC '07.

[41] Silvio Micali, et al. The round complexity of secure protocols, 1990, STOC '90.

[42] Gilad Asharov, et al. Towards Characterizing Complete Fairness in Secure Two-Party Computation, 2014, IACR Cryptol. ePrint Arch.

[43] Avi Wigderson, et al. Completeness theorems for non-cryptographic fault-tolerant distributed computation, 1988, STOC '88.

[44] Oded Goldreich, et al. A randomized protocol for signing contracts, 1985, CACM.

[45] Nathan Linial, et al. Collective Coin Flipping, 1989, Adv. Comput. Res.