2020
36 pages
There is a significant interest in securely computing functionalities with guaranteed output delivery, a.k.a. fair computation. For example, consider a 2-party n-round coin-tossing protocol in the information-theoretic setting. Even if one party aborts during the protocol execution, the other party has to receive her outcome. Towards this objective, in every round the sender of that round's message preemptively prepares a defense coin, which is her output if the other party aborts prematurely. Cleve and Impagliazzo (1993), Beimel, Haitner, Makriyannis, and Omri (2018), and Khorasgani, Maji, and Mukherjee (2019) show that a fail-stop adversary can alter the distribution of the outcome by Ω(1/√n). This hardness of computation result for the representative coin-tossing functionality (using a partition argument) extends to the fair evaluation of any functionality whose output is not a priori fixed and honest parties are not in the majority. However, there are natural scenarios in the d...
Lecture Notes in Computer Science, 2011
A fair two-party coin tossing protocol is one in which both parties output the same bit that is almost uniformly distributed (i.e., it equals 0 and 1 with probability that is at most negligibly far from one half). It is well known that it is impossible to achieve fair coin tossing even in the presence of fail-stop adversaries (Cleve, FOCS 1986). In fact, Cleve showed that for every coin tossing protocol running for r rounds, an efficient fail-stop adversary can bias the output by Ω(1/r). Since this is the best possible, a protocol that limits the bias of any adversary to O(1/r) is called optimally-fair. The only optimally-fair protocol that is known to exist relies on the existence of oblivious transfer, because it uses general secure computation (Moran, Naor and Segev, TCC 2009). However, it is possible to achieve a bias of O(1/√r) in r rounds relying only on the assumption that there exist one-way functions. In this paper we show that it is impossible to achieve optimally-fair coin tossing via a black-box construction from one-way functions for r that is less than O(n/log n), where n is the input/output length of the one-way function used. An important corollary of this is that it is impossible to construct an optimally-fair coin tossing protocol via a black-box construction from one-way functions whose round complexity is independent of the security parameter n determining the security of the one-way function being used. Informally speaking, the main ingredient of our proof is to eliminate the random oracle from "secure" protocols with "low round-complexity" and simulate the protocol securely against semi-honest adversaries in the plain model. We believe our simulation lemma to be of broader interest.
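The two abstracts above both rest on the same quantitative fact: a fail-stop adversary against the r-round majority-style coin toss (the O(1/√r) protocol from one-way functions) gains Θ(1/√r), well above Cleve's Ω(1/r) floor. The program below is an added worked example, not code from any of these papers; it computes the exact value of the best fail-stop strategy by dynamic programming over a simplified model of the majority protocol. The model is an assumption of this example: the adversary learns each round's coin first and may abort once, and the honest party's defense coin is the majority of the coins it has seen plus fresh private coins for the aborted round and every later round.

```python
"""Exact value of the best fail-stop (abort) attack on an r-round majority
coin toss, computed by dynamic programming over the protocol's states.

Simplified model (an assumption of this example, not a protocol taken from
the papers above):
  * r is odd; round i yields a uniform coin c_i; output = majority(c_1..c_r).
  * The adversary learns c_i before the honest party does and may abort at
    that moment (at most once). The honest party's defense is to replace the
    unseen coin and every later coin with fresh private coins and output the
    majority of the result.
  * The adversary wants the output to be 1.
"""
from fractions import Fraction
from functools import lru_cache
from math import comb, sqrt


@lru_cache(maxsize=None)
def binomial_tail(m: int, k: int) -> Fraction:
    """P[Binomial(m, 1/2) >= k], exact."""
    if k <= 0:
        return Fraction(1)
    if k > m:
        return Fraction(0)
    return Fraction(sum(comb(m, j) for j in range(k, m + 1)), 2 ** m)


def honest_probability(r: int) -> Fraction:
    """P[output = 1] when nobody aborts: the protocol itself is unbiased."""
    return binomial_tail(r, (r + 1) // 2)


def optimal_bias(r: int) -> Fraction:
    """max over fail-stop strategies of P[output = 1], minus 1/2."""
    if r < 1 or r % 2 == 0:
        raise ValueError("r must be a positive odd integer")
    threshold = (r + 1) // 2  # ones needed for the majority to be 1

    @lru_cache(maxsize=None)
    def value(i: int, ones: int) -> Fraction:
        # Best achievable P[output = 1] just before coin i is revealed,
        # given `ones` ones among c_1..c_{i-1} and the abort still unused.
        if i > r:
            return Fraction(1 if ones >= threshold else 0)
        # c_i = 1: aborting would trade a known 1 for a fresh coin, so the
        # adversary continues (and keeps the abort option for later).
        seen_one = value(i + 1, ones + 1)
        # c_i = 0: either continue (abort option retained) or abort now, in
        # which case the honest party draws r - i + 1 fresh coins (this one
        # and all remaining rounds) and outputs the majority.
        continue_zero = value(i + 1, ones)
        abort_now = binomial_tail(r - i + 1, threshold - ones)
        seen_zero = max(continue_zero, abort_now)
        return (seen_one + seen_zero) / 2

    return value(1, 0) - Fraction(1, 2)


def bias_table(rounds):
    """(r, bias, bias * sqrt(r)) for each r; the last column stays roughly
    flat, i.e. the attack gains Theta(1/sqrt(r)) rather than O(1/r)."""
    return [(r, float(optimal_bias(r)), float(optimal_bias(r)) * sqrt(r))
            for r in rounds]


if __name__ == "__main__":
    for r, bias, scaled in bias_table([1, 3, 5, 11, 21, 51, 101]):
        print(f"r={r:4d}  honest P[1]={float(honest_probability(r)):.3f}  "
              f"bias={bias:.4f}  bias*sqrt(r)={scaled:.3f}")
```

The recursion is exact (rational arithmetic), so small cases can be checked by hand: with r = 1 the adversary simply re-rolls a bad coin once and reaches 3/4, and with r = 3 and r = 5 the best strategy reaches 11/16 and 21/32. The column bias·√r settles to a constant as r grows, which is the Θ(1/√r) behaviour the abstracts refer to; the adversary's only leverage is the round in which the tally is at the decision boundary, and a random walk sits there with probability about 1/√r.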
We consider the central cryptographic task of secure two-party computation: two parties wish to compute some function of their private inputs (each receiving possibly different outputs) where security should hold with respect to arbitrarily-malicious behavior of either of the participants. Despite extensive research in this area, the exact round-complexity of this fundamental problem (i.e., the number of rounds required to compute an arbitrary poly-time functionality) was not previously known. Here, we establish the exact round complexity of secure two-party computation with respect to black-box proofs of security. We first show a lower bound establishing (unconditionally) that four rounds are not sufficient to securely compute the coin-tossing functionality for any super-logarithmic number of coins; this rules out 4-round protocols for other natural functionalities as well. Next, we construct protocols for securely computing any (randomized) functionality using only five...
IACR Cryptol. ePrint Arch., 2020
Collective coin-tossing allows n processors with private randomness sources to agree on a common public coin. Without loss of generality, one can assume that the output is in the set {0, 1}, and the expected output of a coin-tossing protocol is X. The objective of a coin-tossing protocol is to be robust to adversarial interventions. In this paper, we study Byzantine adversaries who can arbitrarily set the messages of the corrupted processors. Historically, the study of coin-tossing protocols, with the introduction of even the mildest of variations in its setting, tends to yield surprising and exciting outcomes. We know several optimal or asymptotically optimal protocols like tribes, baton passing, and threshold protocols. Incidentally, there are several variants of coin-tossing where the majority protocol (or, more generally, the threshold protocols) turn out to be asymptotically optimal. In this work, we consider coin-tossing protocols in two security models and study the susceptib...
Topics in Cryptology – CT-RSA 2008, 2008
Journal of the ACM, 2011
... Previous work has been dedicated to achieving various relaxations of fairness (i.e., "partial fairness"), both for the case of specific functionalities like coin tossing [Beimel et al. 2010; Cleve 1986, 1990; Moran et al. 2009] and contract signing/exchanging secrets [Ben-Or et al. ...
Lecture Notes in Computer Science, 2003
We consider the round complexity of multi-party computation in the presence of a static adversary who controls a majority of the parties. Here, n players wish to securely compute some functionality and up to n − 1 of these players may be arbitrarily malicious. Previous protocols for this setting (when a broadcast channel is available) require O(n) rounds. We present two protocols with improved round complexity: The first assumes only the existence of trapdoor permutations and dense cryptosystems, and achieves round complexity O(log n) based on a proof scheduling technique of Chor and Rabin [13]; the second requires a stronger hardness assumption (along with the non-black-box techniques of Barak [2]) and achieves O(1) round complexity.
Secure two-party computation may be achieved in a constant number of rounds by applying the compiler of Lindell [30] (based on earlier work of Goldreich, Micali, and Wigderson [24]) to the constant-round protocol of Yao [34] (which is secure against semi-honest adversaries).
Lecture Notes in Computer Science, 2015
Motivated by the goal of improving the concrete efficiency of secure multiparty computation (MPC), we revisit the question of MPC with only two rounds of interaction. We consider a minimal setting in which parties can communicate over secure point-to-point channels and where no broadcast channel or other form of setup is available. Katz and Ostrovsky (Crypto 2004) obtained negative results for such protocols with n = 2 parties. Ishai et al. (Crypto 2010) showed that if only one party may be corrupted, then n ≥ 5 parties can securely compute any function in this setting, with guaranteed output delivery, assuming one-way functions exist. In this work, we complement the above results by presenting positive and negative results for the cases where n = 3 or n = 4 and where there is a single malicious party. When n = 3, we show a 2-round protocol which is secure with "selective abort" against a single malicious party. The protocol makes a black-box use of a pseudorandom generator or alternatively can offer unconditional security for functionalities in NC^1. The concrete efficiency of this protocol is comparable to the efficiency of secure two-party computation protocols for semi-honest parties based on garbled circuits. When n = 4 in the setting described above, we show the following:
- A statistical VSS protocol that has a 1-round sharing phase and 1-round reconstruction phase. This improves over the state-of-the-art result of Patra et al. (Crypto 2009) whose VSS protocol required 2 rounds in the reconstruction phase.
- A 2-round statistically secure protocol for linear functionalities with guaranteed output delivery. This implies a 2-round 4-party fair coin tossing protocol.
We complement this by a negative result, showing that there is a (nonlinear) function for which there is no 2-round statistically secure protocol.
2012
A seminal result of Cleve (STOC '86) is that, in general, complete fairness is impossible to achieve in two-party computation. In light of this, various techniques for obtaining partial fairness have been suggested in the literature. We propose a definition of partial fairness within the standard real-/ideal-world paradigm that addresses deficiencies of prior definitions. We also show broad feasibility results with respect to our definition: partial fairness is possible for any (randomized) functionality f : X × Y → Z_1 × Z_2 at least one of whose domains or ranges is polynomial in size. Our protocols are always private, and when one of the domains has polynomial size our protocols also simultaneously achieve the usual notion of security with abort. In contrast to some prior work, we rely on standard assumptions only.
The main aim of cryptography is to provide the frameworks and solutions for information security.
To appear, 2004
We study the problem of constructing secure multi-party computation (MPC) protocols that are completely fair, meaning that either all the parties learn the output of the function, or nobody does, even when a majority of the parties are corrupted. We first propose a framework for fair multi-party computation, within which we formulate a definition of secure and fair protocols. The definition follows the standard simulation paradigm, but is modified to allow the protocol to depend on the running time of the adversary. In this way, we avoid a well-known impossibility result for fair MPC with corrupted majority; in particular, our definition admits constructions that tolerate up to (n − 1) corruptions, where n is the total number of parties. Next, we define a "commit-prove-fair-open" functionality and construct an efficient protocol that realizes it, using a new variant of a cryptographic primitive known as "time-lines." With this functionality, we show that some of the existing secure MPC protocols can be easily transformed into fair protocols while preserving their security. Putting these results together, we construct efficient, secure MPC protocols that are completely fair even in the presence of corrupted majorities. Furthermore, these protocols remain secure when arbitrarily composed with any protocols, which means, in particular, that they are concurrently-composable and non-malleable. Finally, as an example of our results, we show a very efficient protocol that fairly and securely solves the socialist millionaires' problem.