200 likes | 479 Views
On Fair Exchange, Fair Coins and Fair Sampling. Shashank Agrawal, Manoj Prabhakaran University of Illinois at Urbana-Champaign. Fairness. A secure multi-party protocol has properties like correctness, privacy of inputs. Fairness: An intuitive property desirable of secure protocols.
E N D
On Fair Exchange, Fair Coins and Fair Sampling Shashank Agrawal, Manoj Prabhakaran University of Illinois at Urbana-Champaign
Fairness • A secure multi-party protocol has properties like correctness, privacy of inputs. • Fairness: An intuitive property desirable of secure protocols. • Adversary cannot prevent honest parties from obtaining the output of computation, if he also obtains it. • Ideal world: Functionality gives output to all the parties (or none of them). • Finite two party functionalities. • Input, output size does not depend on the security parameter.
Motivation • Wide interest in the problem of fairness. • Understanding of fundamental primitives lacking. • In this work, we study the relationship between • Fair Exchange, • Fair Coin-flipping, • Fair Random-OT. • Given access to a fair primitive, can we realize another fair primitive.
Functionalities With input EXCH x y y x A B
Sampling functionalities Input-less A sampling functionality over the dist. . b COIN R-OT b b A B A B A B
Our Results EXCH X Cleve 1986 COIN X Any non-trivialjoint distribution Zero common information R-OT X Functionalities with Fair protocols
Related Work • Cleve 1986: No efficient protocol for fair coin-flipping. • A simple fail-stop attack. Even under computational assumptions. • Any functionality of interest likely not realizable. • Gordon et al. showed AND, OR, Yao’s millionaire problem have fair protocol [GHKL08] • Led to a flurry of results [MNS09, BOO10, GIMOS10, GK10, BLOO11, ALR13] • Landscape more complicated than unfair computation • E.g. no finite complete function [GIMOS10]
Our Results XOR EXCH X Cleve 1986 COIN X R-OT X Functionalities with Fair protocols
COIN functionality b COIN b b A B • Agreement: Alice and Bob output the same bit (if nobody corrupt). • Entropy: Honest party outputs a random bit.
: abort now; Bob outputs . : abort after 1 round; Bob outputs . . . . If I send , but Bob doesn’t send , ? --- Bob Alice . . . Alice can compute without sending message for round . /2
XOR from COIN Theorem: Even with access to COIN, XOR can’t be realized. • Assume: • Alice and Bob choose inputs randomly • Invalid input is substituted by a default one. • Agreement: Alice and Bob output the same bit. • Entropy: Honest party outputs a random bit. XOR A B
may depend on bit . • To find , Alice must send , and get the coin. • Too late to force Bob to output . • No dependence: Old attack! • Dependence?? • Force Bob to output . • Works!! If I send , but Bob doesn’t send , ? COIN b b Bob Alice conditioned on depends on
Our Results EXCH X COIN X Zero common information R-OT X Functionalities with Fair protocols
Common Information • Alice and Bob output the same value Q. • Common Information X Y A B Q Q
Characteristic bipartite graph A joint dist. as a bipartite graph such that and , iff 00 00 0 0 01 01 10 10 1 1 11 11 COIN R-OT 1-bit CI Zero CI
COIN from R-OT • Theorem: If a protocol has two phases: • Phase I: Access R-OT an unbounded number of times. • Phase II: Parties communicate for rounds. It can’t realize the COIN functionality. • Consider a protocol with only phase I. • No communication, only samples from R-OT. • Remark: Witsenhausen[1975] proved the theorem for protocols with phase I. • Recall for COIN: • Agreement: Alice and Bob output the same bit. • Entropy: Honest party outputs a random bit.
Graph Products 0 0 0…0 0…0 00 00 01 01 10 10 . . . 11 11 1…1 1…1 R-OT 1- sample 1 1 R-OT n-samples Pr [disagreement] Cheeger constant
COIN from R-OT • Lower-bounding the second eigenvalue of the Laplacian associated with the graph product. • No matter how many samples from R-OT, the weight on edges going across is a constant.
Conclusion EXCH X COIN X R-OT X Functionalities with Fair protocols