Coin Flipping with Constant Bias Implies One-Way Functions Iftach Haitner and Eran Omri.

Download Report

Transcript Coin Flipping with Constant Bias Implies One-Way Functions Iftach Haitner and Eran Omri. 

Coin Flipping with Constant Bias Implies
One-Way Functions
Iftach Haitner and Eran Omri
Cryptography Implies One-Way Functions
Almost all “computational” cryptography is known to
imply one-way functions [Impagliazzo-Luby ‘89]
 One-way functions (OWFs): efficiently computable
functions that no efficient algorithm can invert (with more
than negligible probability)
The characterization of coin-flipping protocols is
not (fully) known
2
Coin-Flipping Protocols
𝒄 ← {0,1}
𝒄
3
Coin-Flipping Protocols
I want 𝒄 = 0
𝒄 =𝟎
 c = 0 w.p one
 Bias is ½
4
Blum’s Coin-Flipping Protocol
I want 𝒄 = 0
𝒛  𝑐𝑜𝑚𝑚𝑖𝑡(𝒂)
𝒃 ← {0,1}
𝒂 ← {0,1}
𝑏
𝒂  𝑑𝑒𝑐𝑜𝑚𝑚𝑖𝑡(𝒛)
𝒄=𝒂⊕𝒃
• Negligible bias
• Commitment obtained using OWF
5
𝒄=𝒂 ⊕ 𝒃
Coin-Flipping Protocols
 An efficient two-party protocol (A,B) is ±-bias CF if:
Pr[(A,B)(1n)= (1,1)] = Pr[(A,B)(1n) = (0,0)] = ½
2. For any PPT A and b2{0,1},
Pr[(A,B)(1n) =(·,b)] · ½ + ± (same for B)
 Numerous applications (Zero-knowledge Proofs, Secure
Function Evaluation…)
1.
 Implied by OWFs [Blum’83, Naor‘89, Håstad et. al ‘90]
Does coin flipping imply OWFs?
6
Known Results
 Almost-optimal (i.e., negl(n)-bias) CF implies OWFs [IL ‘89]
 Non-trivial (i.e., (½ -1/poly(n))-bias) constant-round CF
implies OWFs [Maji, Prabhakaran, Sahai ‘10]
 Constant-bias (¼ -1/poly(n)) CF implies P  NP
[Maji, Prabhakaran, Sahai ‘10]
 Non-trivial CF implies P  PSPACE
For !(1)-round, non-negl-bias CF, the results are far from
being tight
7
Our Result
Main theorem:
Constant-bias (
2−1

2
2−1
-1/poly(n)
2
) CF implies OWFs
= 0.207…
Main lemma: Assume that OWFs do not exist, then for
any (unbiased) coin-flipping protocol (A,B), there exist
efficient strategies A and B s.t.
Pr[(A,B)(1n)= ‘1’]
8
>
Pr[(A,B)(1n)= ‘1’] >
1
-1/poly(n), or
2
1
-1/poly(n)
2
Proving the Main Lemma
Main lemma: assume OWFs do not exist, then for any
(unbiased) coin-flipping protocol (A,B), there exist efficient
strategies A and B s.t.
1
= ‘1’] > -1/poly(n), or
2
1
n
Pr[out(A,B)(1 ) = ‘1’] > -1/poly(n)
2
Pr[out(A,B)(1n)
9
Proof outline:
 Define unbounded strategies for A and B
 Careful analysis
 Approximate the strategies efficiently using OWF
inverter
The “Random Continuation” Attack
Define A as follows (B is defined analogously)
On transcript ®, A samples uniform (rA,rB) s.t.
1. (A(rA),B(rB)) is consistent with ®
2. out(A(rA),B(rB)) = ‘1’
Sends A(rA)’s reply on ®
 A aborts if no valid (rA,rB) exists
Claim (success of unbounded attack)
Prout(A,B)[‘1’] ¸
1
2
or Prout(A,B)[‘1’] ¸
1
2
The Protocol (A,B) – All Honest
 Execution tree T of (A,B)

Nodes are all possible (partial) transcripts
 Node ® is labeled by v[®] / w[®]
 v[®] = Prout(A,B)[‘1’|®]
½/1
 w[®] = Pr(A,B)[®]
0
 Leaves determine the parties’ inputs
0
1
?/ ½
?/ ½
1
…
0/?
0-leaf
11
…
1/?
1-leaf
0/?
The Protocol (A,B) – All Cheating
 v[®] = Prout(A,B)[‘1’|®] and w[®] = Pr(A,B)[®]
Claim: Pr(A,B)[®] = 2¢v[®]¢w[®]
Proof:
 (A,B) uniformly picks a leaf in T
# of leaves under ®
w[®] =

# of leaves in T
# of 1−leaves under ®
v[®] =
# of leaves under ®
(A,B) uniformly picks a 1-leaf in T
Pr(A,B)[®] =
#of 1−leaves under ®
# of 1−leaves under ®
= 2∙
# of 1−leaves in T
# of leaves in T
Hence, Pr(A,B)[®] = 2¢v[®]¢w[®]
The Protocols (A,B) and (A,B)
Compensation Lemma (slightly simplified):
For any frontier* L in T
Pr(A,B)[L] ¢ Pr(A,B) [L] = Pr(A,B)[L] ¢Pr(A,B)[L]
* No node in L has an ancestor in L (wrt. T)
Claim: Prout(A,B)[‘1’] ¸
1
2
or Prout(A,B)[‘1’] ¸
1
2
Proof:
Pr(A,B)[®] = 2¢v[®]¢w[®]
 Let L ={®2 T: ® is a 1-leaf}
 Pr(A,B) [L] = ½ and Pr(A,B)[L] = 1
) Pr(A,B)[L] ¢ Pr(A,B)[L] = ½
13
Pr(A,B)[L]¢Pr(A,B)[L] = Pr(A,B)[L]¢Pr(A,B)[L]
We prove for L ={’01’}
 β(X,Y)[b|®] = Pr(X,Y) [®±b|®]
(prob. of taking edge b from ®)
Pr(X,Y) [01] = β(X,Y)[0] ¢ β(X,Y)[1|0]
Pr(A,B)[01] = β(A,B) [0] ¢ β(A,B) [1|0]
Pr(A,B)[01] = β(A,B) [0] ¢ β(A,B) [1|0]
0
1
?/ ½
?/ ½
0
1
?/ ?
…
Pr(A,B)[01] = β(A,B) [0] ¢ β(A,B) [1|0]
Pr(A,B)[01] = β(A,B) [0]¢ β(A,B) [1|0]
)
A
½/1
B
Efficient Strategies
using OWFs inverter
On trans. ®, A samples “ uniform” (rA,rB) s.t.
1. (A(rA),B(rB)) is consistent with ®
2. out(A(rA),B(rB)) = ‘1’
Sends A(rA)’s reply on ®
f(rA,rB,i) = l(rA,rB)1,,i,v[l(rA,rB)]
l(rA,rB) is the full transcript (leaf)
generated by (A(rA),B(rB))
To sample (rA,rB), A invokes “f-inverter” to
get “uniform” preimage of (®,1)
Inverting f(rA,rB,i)= l(rA,rB)1,,i,v[l(rA,rB)]
 Assuming OWFs do not exist, 9 efficient f-inverter that on a
unifrom output of f, returns almost uniform preimage [IL ‘89]
Problem: the query distribution induced by unbounded (A,B),
might be far from uniform – A repeatedly deviates from the
prescribed protocol
Does the success of unbounded A‘s (or of B), depend on
“non-typical” queries?
Main observation:
A or B do “well enough”, even if f-inverter fails on non-typical
queries
Two Types of Non-Typical Queries
f(rA,rB,i) = l(rA,rB)1,,i,v[l(rA,rB)]
A‘s queries are of the form (®,1)
 UnBalanced queries
UnBalA = {®2 T: Pr(A,B) [®] > c ¢ Pr(A,B) [®]}
where c is large (e.g., 1000)
 Prf[(UnBalA,¢)] = Pr(A,B) [UnBalA] < 1/c
 Low-Value queries
LowVal = {®2 T: v[®] < ±}, where ± is small (e.g., 0.001)
 Prf[(LowVal,1)] < ±
Distribution of other queries is dominated by the output
distribution of f
Low-Value Queries
LowVal ={®2 T: v[®]< ±
Pr(A,B)[®] = 2¢v[®]¢w[®]
2
and ® is top-most such node}
 Pr(A,B) [LowVal] = ®2LowVal 2¢v[®]¢ Pr(A,B) [®]
< 2±2 ¢ ®2LowVal Pr(A,B) [®] < 2±2
 Compensation Lemma yields
Pr(A,B) [LowVal] ¢ Pr(A,B) [LowVal] < 2±
2
Yet, Pr(A,B) [LowVal] might be large
) A’s success might depend on inverting f on LowVal
We prove: A or B do “well enough”, even if both
fail on LowVal (but succeed elsewhere)
Low-Value Queries cont.
 Pr(A,B) [LowVal] ¢ Pr(A,B) [LowVal] < 2±
2
LowValA ={®2 T: v[®]< ±2 Æ Pr(A,B) [®] ≥ Pr(A,B) [®]}
 Pr(A,B) [LowValA] < 2±
B
®
𝛿2
For ® 2 LowValA
𝛿2
1 − 𝛿2
 Prout(A,B)[‘1’] ¢ Prout(A,B)[‘1’] = ½
11
0
 Even if both A and B fail on LowValA
Prout(A,B)[‘1’]¸
1
- ±2
2
or Prout(A,B)[‘1’] ¸
1
2
- 2±
…
 Holds wrt. the original protocol
1. A and B are greedy
2. A and B do no worse than failing on LowValA
UnBalanced Queries
UnBalA = {®2 T: Pr(A,B) [®] > c¢Pr(A,B) [®] and ® is
top-most such node}
 Pr(A,B) [UnBalA] < 1/c
 Pr(A,B)[UnBalA] = 2¢®2UnBal v[®]¢ Pr(A,B)[®]
A
· 2¢Pr(A,B)[UnBalA] < 2/c
 Compensation Lemma yields
Pr(A,B)[UnBalA] < 2/c2
20
UnBalanced Queries cont.
 UnBalA= {®: Pr(A,B) [®] > c¢Pr(A,B) [®]}
 Pr(A,B) [UnBalA] < 2/c2
®
For ®2 UnBalA with v[®]=±
Solution: 1. Use larger outcomes
2. Instruct A to take red edges w.p. 1/±k
½
 Ex[out(A,B)] ¢ Ex[out(A,B)] ¸ ½
1
2
2
𝑘
1/k
1-1/k
1
00
½
0
2𝑘𝛿
Ex[out(A,B)] ¸ –
Ex[out(A,B)] ¸ – 2
𝑐
1
2 might (still) gain 1a lot
2𝛿from
Unless
±
is
small,
A
 Prout (A,B)[‘1’]¸ –
Prout (A,B)[‘1’]¸ –
(taking
2 𝑐
2
𝑐
visiting
Biased
A
 Holds wrt. the original
protocol
or
or
A
1
2
…
 Even if both A and B fail on UnBalA
B
k=c)
The Constant
2−1
2
= 0.207…
 The right bound for ``two-side” attackers (even
unbounded ones)
 ²-bias weak coin-flipping implies (
2−1
+
2
²)-bias
coin-flipping [Chaillou and Kerenidis ‘09]
2−1
²-bias weak(coin-flipping:
 Quantum
)-bias coin-flipping exists, and is
2
n
optimal
Pr[(A,B)(1
) =’03,
‘0’] ·
½ + ² and Kerenidis ’09]
[Kitaev
Chaillou
 Pr[(A,B)(1n) = ‘1’] · ½ + ²
Weaker security guarantee, yet has many applications
Previous work holds wrt weak coin-flipping
Summary
 Constant-bias coin flipping implies OWFs
 Challenge: prove that any non-trivial coin flipping
implies OWFs