
Coin Flipping with Constant Bias Implies One-Way Functions


Iftach Haitner and Eran Omri. PowerPoint presentation.

Slide 1

Iftach Haitner and Eran Omri
Coin Flipping with Constant Bias Implies One-Way Functions

Cryptography Implies One-Way Functions
(Almost all) complexity-based cryptography is known to imply one-way functions [Impagliazzo-Luby 89]
One-way functions (OWFs): efficiently computable functions that no efficient algorithm can invert with more than negligible probability

The characterization of coin-flipping protocols is not (fully) known

Coin Flipping Protocols
An efficient two-party protocol (A,B)
Pr[(A,B)(1^n) = 1] = Pr[(A,B)(1^n) = 0] =
For any PPT A and b ∈ {0,1}, Pr[(A,B)(1^n) = b] + negl(n) (same for B)
Numerous applications (Zero-knowledge Proofs, Secure Function Evaluation)
-bias coin flipping: Pr[(A,B)(1^n) = b] + (n)
Implied by OWFs [Naor 89, Håstad et al. 90]
Does coin flipping imply OWFs?

Known Results
Almost-optimal (i.e., negl(n)-bias) CF implies OWFs [IL 89]
Non-trivial (i.e., ( -1/poly(n))-bias) constant-round CF implies OWFs [Maji et al. 10]
Constant-bias ( -1/poly(n)) CF implies P NP [Maji et al. 10]
Non-trivial CF implies P PSPACE
All the above results hold wrt weak coin flipping: Pr[(A,B)(1^n) = 0] + (n) Pr[(A,B)(1^n) = 1] + (n)
Weaker security guarantee, yet has many applications

Our Result
Main thm: Constant-bias (1/2--1/poly(n)) coin flipping implies OWFs
1/2 - = 0.207
Main lemma: Assume that OWFs do not exist, then for any (unbiased) coin-flipping protocol (A,B) and any b ∈ {0,1}, exist efficient strategies A and B s.t.

Pr[(A,B)(1^n) = b] > 1/2 -1/poly(n), or Pr[(A,B)(1^n) = b] > 1/2 -1/poly(n)

The Constant 1/2 -
The right bound for two-side attackers (even unbounded ones)
(1/2 - + )-bias coin-flipping implies -bias weak coin-flipping [Chailloux and Kerenidis 09]
Quantum (1/2-)-bias coin-flipping exists, and is optimal [Kitaev 03, Chailloux and Kerenidis 09]

Proving the Main Lemma
Main lemma: Assume that OWFs do not exist, then for any (unbiased) coin-flipping protocol (A,B) and any b ∈ {0,1}, exist efficient strategies A and B s.t. Pr[out(A,B)(1^n) = b] > 1/2 -1/poly(n), or Pr[out(A,B)(1^n) = b] > 1/2 -1/poly(n)

Rest of the talk:
Define unbounded strategies for A and B
Approximate these strategies efficiently using OWF inverter

The Random Continuation Attack
Fix n and b=1. Define A as

Claim: Prout(A,B)[1] 1/2 or Prout(A,B)[1] 1/2

Given a transcript , A picks a uniform value for (rA,rB) s.t. (A(rA),B(rB)) is consistent with out(A(rA),B(rB)) = 1
Sends A(rA)'s reply on

The Protocol (A,B)
The prob. of any 1-transcript wrt (A,B) is twice its prob. wrt (A,B)
More generally, for any (possibly partial) transcript let v[] = Prout(A,B)[1|], then
1. Pr(A,B)[] = 2v[] Pr(A,B)[]

Pr(A,B)[] = 2v[] Pr(A,B)[]
v[] = Pr(A,B)[1|]
Execution tree T of (A,B), labeled by v[]/Pr(A,B)[] (messages are bits, and full transcripts determine the parties' random coins)

(A,B) uniformly picks a (full) path in T
Pr(A,B)[]: # of paths visiting / # of paths in T
v[]: # of 1-paths visiting / # of paths visiting
(A,B) uniformly picks a 1-path in T
Pr(A,B)[]: # of 1-paths visiting / # of 1-paths in T

The Protocol (A,B)
The prob. of any 1-transcript wrt (A,B) is twice its prob. wrt (A,B)
More generally, for any (possibly partial) transcript , let v[] = Prout(A,B)[1|], then
1. Pr(A,B)[] = 2v[] Pr(A,B)[]
2. Compensation Lemma (slightly simplified): For any frontier* L of transcripts Pr(A,B)[L] Pr(A,B)[L] = Pr(A,B)[L] Pr(A,B)[L]

* No transcript in L has prefix in L

Pr(A,B)[L] Pr(A,B)[L] = Pr(A,B)[L] Pr(A,B)[L]
We prove for L = {01}
k(X,Y)[b|] = Pr(X,Y)[b|] (prob. of taking edge b from )
Pr(X,Y)[01] = k(X,Y)[0] k(X,Y)[1|0]

Pr(A,B)[01] = k(A,B) [0] k(A,B) [1|0]Pr(A,B)[01] = k(A,B) [0] k(A,B) [1|0])Pr(A,B)[01] = k(A,B) [0 ] k(A,B) [1|0]Pr(A,B) [01] = k(A,B) [0] k(A,B) [1|0]


The Protocol (A,B)
The prob. of any 1-transcript wrt (A,B) is twice its prob. wrt (A,B)
More generally, for any (possibly partial) transcript , let v[] = Prout(A,B)[1|], then
1. Pr(A,B)[] = 2v[] Pr(A,B)[]
2. Compensation Lemma (slightly simplified): For any frontier L of transcripts Pr(A,B)[L] Pr(A,B)[L] = Pr(A,B)[L] Pr(A,B)[L]
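An added worked example (not from the talk): the random continuation attack and the two claims above, checked with exact arithmetic on a constructed three-message protocol whose output is the majority of the message bits. It assumes the strategy symbols dropped in extraction denote the random-continuation attackers for A and for B; all function names are illustrative. For the set of 1-leaves (full transcripts with output 1) it compares the product of the two one-sided success probabilities with 1/2, and checks the product equality only per transcript.

```python
from fractions import Fraction
from itertools import product

# Constructed toy protocol (an assumption, not from the talk): A sends a coin,
# B sends a coin, A sends a second coin; output = majority of the three bits.
PAIRS = [(ra, rb) for ra in product((0, 1), repeat=2) for rb in (0, 1)]

def transcript(ra, rb):
    return (ra[0], rb, ra[1])

def out(t):
    return int(sum(t) >= 2)

def count(prefix, ones_only=False):
    """Number of coin pairs (rA, rB) consistent with prefix, optionally with output 1."""
    ts = (transcript(ra, rb) for ra, rb in PAIRS)
    return sum(1 for t in ts
               if t[:len(prefix)] == prefix and (not ones_only or out(t) == 1))

def v(prefix):
    """v[prefix]: probability of output 1 when play continues honestly from prefix."""
    return Fraction(count(prefix, True), count(prefix))

def edge(prefix, bit, attack):
    """Probability that the party moving at prefix sends bit.
    An attacker samples uniformly among consistent coin pairs with output 1
    and falls back to honest play when none exists (v[prefix] = 0)."""
    ones = attack and count(prefix, True) > 0
    return Fraction(count(prefix + (bit,), ones), count(prefix, ones))

def prob(t, a_attacks, b_attacks):
    """Probability of reaching the (possibly partial) transcript t; A moves in rounds 0 and 2."""
    p = Fraction(1)
    for i, bit in enumerate(t):
        if p == 0:
            break
        p *= edge(t[:i], bit, a_attacks if i % 2 == 0 else b_attacks)
    return p

ONE_LEAVES = [t for t in product((0, 1), repeat=3) if out(t) == 1]

def success(a_attacks, b_attacks):
    """Probability that the execution ends in a 1-leaf."""
    return sum(prob(t, a_attacks, b_attacks) for t in ONE_LEAVES)

if __name__ == "__main__":
    for label, a, b in [("honest", False, False), ("A attacks", True, False),
                        ("B attacks", False, True), ("both attack", True, True)]:
        print(label, success(a, b))
```

On this protocol the two one-sided attacks succeed with probabilities 7/8 and 2/3, whose product 7/12 is at least 1/2, so at least one of them reaches 1/2 + 0.207.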

1-leaves = { ∈ T: is a full transcript and v[] = 1}
Pr(A,B)[1-leaves] = 2 Pr(A,B)[1-leaves] = 1 ⇒ Pr(A,B)[1-leaves] Pr(A,B)[1-leaves] =

Efficient Strategies
A needs to sample (rA,rB) efficiently (given OWFs inverter)
Define f(rA,rB,i) = ((rA,rB)1,,i, v[])
(rA,rB) is the (full) transcript generated by (A(rA),B(rB))
To sample (rA,rB), A returns a random preimage of (,1)
Assuming OWFs do not exist, this can be done efficiently for uniformly chosen outputs of f [IL 89]
Problem: the distribution induced by (A,B) might be far from uniform
Given a transcript , A picks a uniform value for (rA,rB) s.t. (A(rA),B(rB)) is consistent with out(A(rA),B(rB)) = 1
Sends A(rA)'s reply on

Two Types of Non-Typical Queries
f(rA,rB,i) = ((rA,rB)1,,i, v[])

Low-Value Transcripts
LowVal = { ∈ T: v[] < }, where is small (e.g., 0.001)
Pr[f(U) = (,1) ∈ LowVal] <

Biased Transcripts
BiasedA = { ∈ T: Pr(A,B)[] > c Pr(A,B)[]}, where c is large (e.g., 1000)
Pr[f(U) = (,) ∈ BiasedA] = Pr(A,B)[BiasedA] < 1/c

Low-Value Transcripts
LowVal = { ∈ T: v[] < }
Pr(A,B)[LowVal] = 2 ∈LowVal v[] Pr(A,B)[] < 2 ∈LowVal Pr(A,B)[] 2

Yet, it might be that Pr(A,B)[LowVal] is large ⇒ the success of (A,B) depends on succeeding on inverting f on LowVal

We prove that A does well enough, even if it always fails on LowVal

Low-Value Transcripts cont.
LowValA = { ∈ LowVal Pr(A,B)[] > Pr(A,B)[]} (hence, Pr(A,B)[LowValA] > Pr(A,B)[LowValA])
Since Pr(A,B)[LowValA] c Pr(A,B)[]}
Pr(A,B)[BiasedA] < 1/c

Since Pr(A,B)[BiasedA] = 2 ∈BiasedA v[] Pr(A,B)[] 2 Pr(A,B)[BiasedA] < 2/c

the Compensation Lemma yields that Pr(A,B)[BiasedA] < 2/c

Biased Transcripts cont.
BiasedA = {: Pr(A,B)[] > c Pr(A,B)[]}
Pr(A,B)[BiasedA] < 2/c
Let ∈ BiasedA with v[] =

Solution:
1. Use larger outcomes
2. Instruct A to take red edges w.p. 1/k
Ex[out(A,B)] Ex[out(A,B)]
Even when both A and B fail on BiasedA
Ex[out(A,B)] 1/2 1/k or Ex[out(A,B)] 1/2 2k/c ⇒ Prout(A,B)[1] 1/2 1/k or Prout(A,B)[1] 1/2 2k/c
This also holds wrt the original protocol

Unless is tiny, A might still gain substantially from visiting BiasedA


Summary
Constant-bias coin flipping implies OWFs
Slightly increasing the constant (by 1/poly(n)) would yield a similar result for weak coin flipping
Interesting connection between quantum coin flipping and our current knowledge of plain-model coin flipping

Challenge: prove that any non-trivial coin flipping implies OWFs
