1 / 20

On Fair Exchange, Fair Coins and Fair Sampling

On Fair Exchange, Fair Coins and Fair Sampling. Shashank Agrawal, Manoj Prabhakaran University of Illinois at Urbana-Champaign. Fairness. A secure multi-party protocol has properties like correctness, privacy of inputs. Fairness: An intuitive property desirable of secure protocols.

isra
Download Presentation

On Fair Exchange, Fair Coins and Fair Sampling

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. On Fair Exchange, Fair Coins and Fair Sampling Shashank Agrawal, Manoj Prabhakaran University of Illinois at Urbana-Champaign

  2. Fairness • A secure multi-party protocol has properties like correctness, privacy of inputs. • Fairness: An intuitive property desirable of secure protocols. • Adversary cannot prevent honest parties from obtaining the output of computation, if he also obtains it. • Ideal world: Functionality gives output to all the parties (or none of them). • Finite two party functionalities. • Input, output size does not depend on the security parameter.

  3. Motivation • Wide interest in the problem of fairness. • Understanding of fundamental primitives lacking. • In this work, we study the relationship between • Fair Exchange, • Fair Coin-flipping, • Fair Random-OT. • Given access to a fair primitive, can we realize another fair primitive.

  4. Functionalities With input EXCH x y y x A B

  5. Sampling functionalities Input-less A sampling functionality over the dist. . b COIN R-OT b b A B A B A B

  6. Our Results EXCH X Cleve 1986 COIN X Any non-trivialjoint distribution Zero common information R-OT X Functionalities with Fair protocols

  7. Related Work • Cleve 1986: No efficient protocol for fair coin-flipping. • A simple fail-stop attack. Even under computational assumptions. • Any functionality of interest likely not realizable. • Gordon et al. showed AND, OR, Yao’s millionaire problem have fair protocol [GHKL08] • Led to a flurry of results [MNS09, BOO10, GIMOS10, GK10, BLOO11, ALR13] • Landscape more complicated than unfair computation • E.g. no finite complete function [GIMOS10]

  8. Our Results XOR EXCH X Cleve 1986 COIN X R-OT X Functionalities with Fair protocols

  9. COIN functionality b COIN b b A B • Agreement: Alice and Bob output the same bit (if nobody corrupt). • Entropy: Honest party outputs a random bit.

  10. : abort now; Bob outputs . : abort after 1 round; Bob outputs . . . . If I send , but Bob doesn’t send , ? --- Bob Alice . . . Alice can compute without sending message for round . /2

  11. XOR from COIN Theorem: Even with access to COIN, XOR can’t be realized. • Assume: • Alice and Bob choose inputs randomly • Invalid input is substituted by a default one. • Agreement: Alice and Bob output the same bit. • Entropy: Honest party outputs a random bit. XOR A B

  12. may depend on bit . • To find , Alice must send , and get the coin. • Too late to force Bob to output . • No dependence: Old attack! • Dependence?? • Force Bob to output . • Works!! If I send , but Bob doesn’t send , ? COIN b b Bob Alice conditioned on depends on

  13. Our Results EXCH X COIN X Zero common information R-OT X Functionalities with Fair protocols

  14. Common Information • Alice and Bob output the same value Q. • Common Information X Y A B Q Q

  15. Characteristic bipartite graph A joint dist. as a bipartite graph such that and , iff 00 00 0 0 01 01 10 10 1 1 11 11 COIN R-OT 1-bit CI Zero CI

  16. COIN from R-OT • Theorem: If a protocol has two phases: • Phase I: Access R-OT an unbounded number of times. • Phase II: Parties communicate for rounds. It can’t realize the COIN functionality. • Consider a protocol with only phase I. • No communication, only samples from R-OT. • Remark: Witsenhausen[1975] proved the theorem for protocols with phase I. • Recall for COIN: • Agreement: Alice and Bob output the same bit. • Entropy: Honest party outputs a random bit.

  17. Graph Products 0 0 0…0 0…0 00 00 01 01 10 10 . . . 11 11 1…1 1…1 R-OT 1- sample 1 1 R-OT n-samples Pr [disagreement] Cheeger constant

  18. COIN from R-OT • Lower-bounding the second eigenvalue of the Laplacian associated with the graph product. • No matter how many samples from R-OT, the weight on edges going across is a constant.

  19. Conclusion EXCH X COIN X R-OT X Functionalities with Fair protocols

  20. Thank you. Questions?

More Related