Coin Flipping with Constant Bias Implies One-Way Functions Iftach Haitner and Eran Omri.
Coin Flipping with Constant Bias Implies
One-Way Functions
Iftach Haitner and Eran Omri
Cryptography Implies One-Way Functions
- Almost all "computational" cryptography is known to imply one-way functions [Impagliazzo-Luby '89]
- One-way functions (OWFs): efficiently computable functions that no efficient algorithm can invert (with more than negligible probability)
- The characterization of coin-flipping protocols is not (fully) known
Coin-Flipping Protocols
[Figure: parties A and B exchange messages and both output a common coin c ∈ {0,1}]
Coin-Flipping Protocols
[Figure: a trivial protocol in which A, who wants c = 0, simply announces c and B outputs it]
- c = 0 w.p. one
- Bias is ½
Blum's Coin-Flipping Protocol
[Figure: A, who wants c = 0, picks a ∈ {0,1} and sends Commit(a); B picks b ∈ {0,1} and sends b; A sends Decommit(a); both output c = a ⊕ b]
- Negligible bias
- Commitment obtained using OWF
Coin-Flipping Protocols
- An efficient two-party protocol (A,B) is δ-bias CF if:
  1. Pr[(A,B)(1^n) = (1,1)] = Pr[(A,B)(1^n) = (0,0)] = ½
  2. For any PPT A* and b ∈ {0,1}, Pr[(A*,B)(1^n) = (·,b)] ≤ ½ + δ (same for B)
- Numerous applications (Zero-knowledge Proofs, Secure Function Evaluation, ...)
- Implied by OWFs [Blum '83, Naor '89, Håstad et al. '90]
Does coin flipping imply OWFs?
Known Results
- Almost-optimal (i.e., negl(n)-bias) CF implies OWFs [IL '89]
- Non-trivial (i.e., (½ − 1/poly(n))-bias) constant-round CF implies OWFs [Maji, Prabhakaran, Sahai '10]
- Constant-bias (¼ − 1/poly(n)) CF implies P ≠ NP [Maji, Prabhakaran, Sahai '10]
- Non-trivial CF implies P ≠ PSPACE
For ω(1)-round, non-negl-bias CF, the results are far from being tight
Our Result
Main theorem: Constant-bias ((√2 − 1)/2 − 1/poly(n)) CF implies OWFs, where (√2 − 1)/2 = 0.207…
Main lemma: Assume that OWFs do not exist; then for any (unbiased) coin-flipping protocol (A,B), there exist efficient strategies A* and B* s.t.
  Pr[(A*,B)(1^n) = '1'] > 1/√2 − 1/poly(n), or
  Pr[(A,B*)(1^n) = '1'] > 1/√2 − 1/poly(n)
Proving the Main Lemma
Main lemma: assume OWFs do not exist; then for any (unbiased) coin-flipping protocol (A,B), there exist efficient strategies A* and B* s.t.
  Pr[out(A*,B)(1^n) = '1'] > 1/√2 − 1/poly(n), or
  Pr[out(A,B*)(1^n) = '1'] > 1/√2 − 1/poly(n)
Proof outline:
- Define unbounded strategies for A* and B*
- Careful analysis
- Approximate the strategies efficiently using an OWF inverter
The "Random Continuation" Attack
Define A* as follows (B* is defined analogously):
On transcript α, A* samples uniform (r_A, r_B) s.t.
1. (A(r_A), B(r_B)) is consistent with α
2. out(A(r_A), B(r_B)) = '1'
and sends A(r_A)'s reply on α
- A* aborts if no valid (r_A, r_B) exists
Claim (success of unbounded attack): Pr_out(A*,B)['1'] ≥ 1/√2 or Pr_out(A,B*)['1'] ≥ 1/√2
The Protocol (A,B) - All Honest
- Execution tree T of (A,B)
- Nodes are all possible (partial) transcripts
- Node α is labeled by v[α] / w[α]
  - v[α] = Pr_out(A,B)['1' | α]
  - w[α] = Pr_(A,B)[α]
- Leaves determine the parties' inputs
[Figure: execution tree with the root labeled ½/1, its children labeled ?/½, and leaves labeled 0/? (0-leaf) or 1/? (1-leaf)]
The Protocol (A*,B*) - All Cheating
- v[α] = Pr_out(A,B)['1' | α] and w[α] = Pr_(A,B)[α]
Claim: Pr_(A*,B*)[α] = 2·v[α]·w[α]
Proof:
- (A,B) uniformly picks a leaf in T
  w[α] = (# of leaves under α) / (# of leaves in T)
  v[α] = (# of 1-leaves under α) / (# of leaves under α)
- (A*,B*) uniformly picks a 1-leaf in T
  Pr_(A*,B*)[α] = (# of 1-leaves under α) / (# of 1-leaves in T) = 2 · (# of 1-leaves under α) / (# of leaves in T)
  (the factor 2 is because (A,B) is unbiased, so exactly half of the leaves are 1-leaves)
Hence, Pr_(A*,B*)[α] = 2·v[α]·w[α]
The Protocols (A*,B) and (A,B*)
Compensation Lemma (slightly simplified):
For any frontier* L in T,
  Pr_(A*,B)[L] · Pr_(A,B*)[L] = Pr_(A,B)[L] · Pr_(A*,B*)[L]
* No node in L has an ancestor in L (wrt. T)
Claim: Pr_out(A*,B)['1'] ≥ 1/√2 or Pr_out(A,B*)['1'] ≥ 1/√2
Proof:
- Pr_(A*,B*)[α] = 2·v[α]·w[α]
- Let L = {α ∈ T: α is a 1-leaf}
- Pr_(A,B)[L] = ½ and Pr_(A*,B*)[L] = 1
  ⇒ Pr_(A*,B)[L] · Pr_(A,B*)[L] = ½, so at least one of the two factors is ≥ 1/√2
Pr_(A*,B)[L] · Pr_(A,B*)[L] = Pr_(A,B)[L] · Pr_(A*,B*)[L]
We prove for L = {'01'}
- β_(X,Y)[b | α] = Pr_(X,Y)[α∘b | α] (prob. of taking edge b from α)
  Pr_(X,Y)[01] = β_(X,Y)[0] · β_(X,Y)[1|0]
[Figure: root (labeled ½/1) controlled by A; its children 0 and 1 (labeled ?/½), node 0 controlled by B; node 01 labeled ?/?]
- Pr_(A*,B)[01] = β_(A*,B)[0] · β_(A*,B)[1|0]
- Pr_(A,B*)[01] = β_(A,B*)[0] · β_(A,B*)[1|0]
- Pr_(A,B)[01] = β_(A,B)[0] · β_(A,B)[1|0]
- Pr_(A*,B*)[01] = β_(A*,B*)[0] · β_(A*,B*)[1|0]
⇒ The edge taken at the root depends only on A's strategy and the edge taken at node 0 only on B's, so the two products on each side of the lemma consist of the same four edge probabilities, and the identity follows.
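As an added worked example (not code from the paper): a constructed three-round majority protocol, its execution tree labeled by v[α] and w[α], the random-continuation strategies A* and B* (each edge is taken in proportion to the 1-leaves below it), and checks of the claim Pr_(A*,B*)[α] = 2·v[α]·w[α] at every node, of the per-node compensation identity shown for '01' above, and of the 1/√2 bound. The protocol, the uniform-leaf assumption and all function names are this example's own.

```python
from fractions import Fraction
from itertools import product

# Constructed toy protocol (not from the paper): three rounds, A sends the bits at
# depths 0 and 2, B sends the bit at depth 1, output = majority of the three bits.
# Leaves are uniform and the protocol is unbiased (4 of the 8 leaves are 1-leaves).
DEPTH = 3

def out(leaf):                 # output bit of a full transcript (a tuple of bits)
    return int(sum(leaf) >= 2)
def owner(depth):              # party that chooses the bit sent at this depth
    return "A" if depth % 2 == 0 else "B"
def ones_under(alpha):         # number of 1-leaves below the partial transcript alpha
    rest = DEPTH - len(alpha)
    return sum(out(alpha + tail) for tail in product((0, 1), repeat=rest))
def v(alpha):                  # v[alpha] = Pr_out(A,B)['1' | alpha]
    return Fraction(ones_under(alpha), 2 ** (DEPTH - len(alpha)))
def w(alpha):                  # w[alpha] = Pr_(A,B)[alpha]
    return Fraction(1, 2 ** len(alpha))

def edge_prob(cheating, alpha, b):
    """beta[b | alpha]: an honest party flips a fair coin; the random-continuation
    attacker takes edge b in proportion to the 1-leaves below it (abort = no mass)."""
    if not cheating:
        return Fraction(1, 2)
    total = ones_under(alpha)
    return Fraction(ones_under(alpha + (b,)), total) if total else Fraction(0)

def prob(alpha, cheat_a=False, cheat_b=False):
    """Pr_(X,Y)[alpha] for X in {A, A*}, Y in {B, B*}: the probability of each edge
    depends only on the strategy of the party controlling that node."""
    p = Fraction(1)
    for i, b in enumerate(alpha):
        p *= edge_prob(cheat_a if owner(i) == "A" else cheat_b, alpha[:i], b)
    return p

def prob_out_one(cheat_a, cheat_b):   # Pr_out(X,Y)['1']
    return sum(prob(l, cheat_a, cheat_b) for l in product((0, 1), repeat=DEPTH) if out(l))
NODES = [a for d in range(DEPTH + 1) for a in product((0, 1), repeat=d)]

def all_cheating_is_2vw():     # claim: Pr_(A*,B*)[alpha] = 2 * v[alpha] * w[alpha]
    return all(prob(a, True, True) == 2 * v(a) * w(a) for a in NODES)
def compensation_per_node():   # Pr_(A*,B)[a] * Pr_(A,B*)[a] = Pr_(A,B)[a] * Pr_(A*,B*)[a]
    return all(prob(a, True, False) * prob(a, False, True)
               == prob(a) * prob(a, True, True) for a in NODES)
def best_attack():             # the better of the two one-sided random-continuation attacks
    return max(prob_out_one(True, False), prob_out_one(False, True))
```

For this toy protocol A* reaches Pr_out(A*,B)['1'] = 7/8 and B* reaches Pr_out(A,B*)['1'] = 2/3, so their product is 7/12 ≥ ½ and the better attack clears 1/√2.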
Efficient Strategies using an OWF inverter
On transcript α, A* samples "uniform" (r_A, r_B) s.t.
1. (A(r_A), B(r_B)) is consistent with α
2. out(A(r_A), B(r_B)) = '1'
and sends A(r_A)'s reply on α
- f(r_A, r_B, i) = (l(r_A, r_B)_{1,…,i}, v[l(r_A, r_B)]), where l(r_A, r_B) is the full transcript (leaf) generated by (A(r_A), B(r_B))
- To sample (r_A, r_B), A* invokes the "f-inverter" to get a "uniform" preimage of (α, 1)
Inverting f(r_A, r_B, i) = (l(r_A, r_B)_{1,…,i}, v[l(r_A, r_B)])
- Assuming OWFs do not exist, ∃ an efficient f-inverter that on a uniform output of f returns an almost uniform preimage [IL '89]
Problem: the query distribution induced by the unbounded (A*,B) might be far from uniform, since A* repeatedly deviates from the prescribed protocol
Does the success of the unbounded A* (or of B*) depend on "non-typical" queries?
Main observation: A* or B* do "well enough", even if the f-inverter fails on non-typical queries
Two Types of Non-Typical Queries
f(r_A, r_B, i) = (l(r_A, r_B)_{1,…,i}, v[l(r_A, r_B)])
A*'s queries are of the form (α, 1)
- Unbalanced queries
  UnBal_A = {α ∈ T: Pr_(A*,B)[α] > c · Pr_(A,B)[α]}, where c is large (e.g., 1000)
  - Pr_f[(UnBal_A, ·)] = Pr_(A,B)[UnBal_A] < 1/c
- Low-value queries
  LowVal = {α ∈ T: v[α] < δ}, where δ is small (e.g., 0.001)
  - Pr_f[(LowVal, 1)] < δ
The distribution of the other queries is dominated by the output distribution of f
Low-Value Queries
LowVal = {α ∈ T: v[α] < δ² and α is the top-most such node}
Pr_(A*,B*)[α] = 2·v[α]·w[α]
- Pr_(A*,B*)[LowVal] = Σ_{α ∈ LowVal} 2·v[α]·Pr_(A,B)[α] < 2δ² · Σ_{α ∈ LowVal} Pr_(A,B)[α] < 2δ²
- Compensation Lemma yields Pr_(A*,B)[LowVal] · Pr_(A,B*)[LowVal] < 2δ²
Yet, Pr_(A*,B)[LowVal] might be large
⇒ A*'s success might depend on inverting f on LowVal
We prove: A* or B* do "well enough", even if both fail on LowVal (but succeed elsewhere)
Low-Value Queries cont.
- Pr_(A*,B)[LowVal] · Pr_(A,B*)[LowVal] < 2δ²
LowVal_A = {α ∈ T: v[α] < δ² ∧ Pr_(A*,B)[α] ≥ Pr_(A,B*)[α]}
- Pr_(A,B*)[LowVal_A] < 2δ
[Figure: for α ∈ LowVal_A, the subtree under α with v[α] = δ² and edges weighted δ² and 1 − δ²]
- Pr_out(A*,B)['1'] · Pr_out(A,B*)['1'] = ½
- Even if both A* and B* fail on LowVal_A:
  Pr_out(A*,B)['1'] ≥ 1/√2 − δ² or Pr_out(A,B*)['1'] ≥ 1/√2 − 2δ
- Holds wrt. the original protocol
  1. A* and B* are greedy
  2. A* and B* do no worse than failing on LowVal_A
Unbalanced Queries
UnBal_A = {α ∈ T: Pr_(A*,B)[α] > c·Pr_(A,B)[α] and α is the top-most such node}
- Pr_(A,B)[UnBal_A] < 1/c
- Pr_(A*,B*)[UnBal_A] = 2·Σ_{α ∈ UnBal_A} v[α]·Pr_(A,B)[α] ≤ 2·Pr_(A,B)[UnBal_A] < 2/c
- Compensation Lemma yields Pr_(A,B*)[UnBal_A] < 2/c²
Unbalanced Queries cont.
- UnBal_A = {α: Pr_(A*,B)[α] > c·Pr_(A,B)[α]}
- Pr_(A,B*)[UnBal_A] < 2/c²
[Figure: subtree under a node α ∈ UnBal_A with v[α] = δ, with edges taken w.p. 1/k and 1 − 1/k; the "red edges" are those A* is instructed to take]
For α ∈ UnBal_A with v[α] = δ: unless δ is small, A* might (still) gain a lot from visiting α
Solution:
1. Use larger outcomes
2. Instruct A* to take the red edges w.p. 1/δk
- Ex[out(A*,B)] · Ex[out(A,B*)] ≥ ½
- Ex[out(A*,B)] ≥ 1/√2 − (error term lost in extraction) or Ex[out(A,B*)] ≥ 1/√2 − (error term lost in extraction)
- Even if both A* and B* fail on UnBal_A (taking k = c):
  Pr_out(A*,B)['1'] ≥ 1/√2 − (error term lost in extraction) or Pr_out(A,B*)['1'] ≥ 1/√2 − (error term lost in extraction)
- Holds wrt. the original protocol
The Constant (√2 − 1)/2 = 0.207…
- The right bound for "two-side" attackers (even unbounded ones)
- ε-bias weak coin-flipping implies ((√2 − 1)/2 + ε)-bias coin-flipping [Chailloux and Kerenidis '09]
- Quantum ((√2 − 1)/2)-bias coin-flipping exists, and is optimal [Kitaev '03, Chailloux and Kerenidis '09]
ε-bias weak coin-flipping:
- Pr[(A*,B)(1^n) = '0'] ≤ ½ + ε and Pr[(A,B*)(1^n) = '1'] ≤ ½ + ε
- Weaker security guarantee, yet has many applications
- Previous work holds wrt. weak coin-flipping
Summary
- Constant-bias coin flipping implies OWFs
- Challenge: prove that any non-trivial coin flipping implies OWFs