
Protocols for Multiparty Coin Toss With Dishonest Majority

Eran Omri, Bar-Ilan University. Joint work with Amos Beimel and Ilan Orlov, BGU.


Presentation Transcript


  1. Protocols for Multiparty Coin Toss With Dishonest Majority • Eran Omri, Bar-Ilan University • Joint work with Amos Beimel and Ilan Orlov, BGU • Ilan Orlov…!??!!

  2. Coin Tossing

  3. A Fundamental Question • What is the minimal bias for multiparty coin-toss? • Coin tossing is a basic primitive in secure computation • Simple to define • Used in many schemes • Optimal bias means optimal fairness • Essential in many tasks in MPC (e.g., fair exchange) • To understand fairness in general secure computation, we must understand the basic task of coin tossing

  4. Our Results at a Glance • We construct multiparty coin-tossing protocols • Tolerating a majority of malicious parties • Minimizing the bias of the adversary • Optimal bias of O(1/r), where r is the number of rounds

  5. Talk Outline • Multiparty Coin-Toss: • Examples and definitions • Previous results • Our results • Reviewing the [Moran, Naor, Segev 09] result • Our Result: Simplified Constructions • Summary and Open Problems

  6. Naive Coin-Toss Protocol • The two parties exchange bits a and b • Each outputs c ← a ⊕ b

  7. Naive Coin-Toss Protocol • Adversary (“I want c = 0”): sets b ← a • c ← a ⊕ b = 0, so c = 0 w.p. 1 • Can’t we send messages simultaneously?? No. Not a reasonable assumption!

  8. [Blum 83]’s Coin-Toss Protocol • First message: z ← commit(a) • Second message: b • Third message: a ← decommit(z) • Each party outputs c ← a ⊕ b

  9. [Blum 83]’s Coin-Toss Protocol • Adversary (“I want c = 0”): z ← commit(a), then receives b • If a = b: a ← decommit(z), c ← a ⊕ b = 0 • Otherwise abort • c = 0 w.p. ½ • How to react if a party aborts?? The other party outputs a random bit • c = 0 w.p. 3/4

  10. Secure Coin Toss—The Model • Goal: honest parties agree on a uniform bit • r-round protocol Π • m parties, up to t malicious parties • Rushing adversary • Realistic communication model (do not assume simultaneous exchange) • We assume a broadcast channel • Bias – the maximum advantage of any adversary in the protocol over flipping a fair coin • In Blum’s protocol, the bias is ¼

  11. [Cleve 86]’s Lower Bound • Any r-round 2-party coin-tossing protocol has bias Ω(1/r) • Generalizes to any multiparty protocol with no honest majority • Conclusion: impossible to achieve coin-tossing with a polynomial number of rounds and negligible bias without honest majority

  12. Previous Results • Bias O(t/√r) with m parties, t malicious, and r rounds [ABCGM85,Cl86] • Works by repeating Blum’s protocol r times and taking majority • This is optimal in a natural restricted model [CI93] • Breakthrough: it is possible to achieve 2-party coin-tossing with optimal bias O(1/r) [MNS09] • Matches Cleve’s lower bound and shows that restricted model is restricted

  13. A Fundamental Question • What is the optimal bias for multiparty? • Honest majority: negligible bias [GMW87] • No honest majority: • Lower bound of bias Ω(1/r) for r rounds • Previously known protocol gives O(t/√r) for r rounds

  14. Our results • Goal: bias O(1/r) • O(1/r) bias for any constant number of parties (less than 2/3 of which are malicious) • O(1/r) bias when a “little” more than half the parties are corrupt • These are corollaries of a general construction (see next slide) • Also, when constant fraction of parties are honest, O(1/√r) – improving a factor of t compared to the previous upper bound (t = #malicious)

  15. A Formal Statement of Main Result • Theorem: Multiparty r-round coin-tossing with bias O(2^(2^(k+1))/r), for m/2 ≤ t < 2m/3 (m = #parties, t = #malicious, k = #diff between malicious and honest) • Corollaries: • Optimal bias of O(1/r) when: • m is constant: e.g., with m=5, t=3 has bias 8/(r-O(1)), • k is constant: e.g., with m=2t (k=0) has bias 1/(2r-O(1)) • Bias of O(t/r) when k is loglog m

  16. A Formal Statement of Results • Theorem: Multiparty r-round coin-tossing with bias O(1/ ), when t is a const. fraction of m (t = #malicious) • Removes t factor from [ABCGM85,Cl86]

  17. Talk Outline • Multiparty Coin-Toss: • Examples and definitions • Previous results • Our results • Reviewing the [Moran, Naor, Segev 09] result • Our Result: Simplified Constructions • Summary and Open Problems

  18. The [MNS 09] Construction • r-round 2-party coin-tossing protocol • Special round i* • Parties unknowingly learn the output in round i* • Adversary must guess i* to bias output • i* is uniformly chosen and concealed from the view of the parties • Overall bias O(1/r)

  19. [MNS 09] — Online Dealer • a_i, b_i ∈ {0,1} • What to do if a party aborts?? • If Bob aborts in round i: Alice outputs a_{i-1} • If Alice aborts in round i: Bob outputs b_{i-1}

  20. [MNS 09] — Online Dealer • Output bit: c ∈R {0,1} • Special round: i* ∈R {1,…,r} • a_i, b_i ∈R {0,1} (for all i < i*) • Adversary: “I want c = 0” • Before i*: view is independent of output, no bias • At i*: bias!! Adversary must guess i* • View at i ≤ i* is independent of i*: bias O(1/r) • After i*: output is fixed, no bias

  21. [MNS 09] — Omitting the Dealer • Output bit: c ∈R {0,1} • Special round: i* ∈R {1,…,r} • a_i, b_i ∈R {0,1} (for all i < i*) • Use secret sharing: preprocessing protocol • To restrict adv. to aborting — all shares are authenticated

  22. [MNS 09] — Omitting the Dealer • Output bit: c ∈R {0,1} • Special round: i* ∈R {1,…,r} • a_i, b_i ∈R {0,1} (for all i < i*) • Compute secret sharing: preprocessing protocol • Preprocessing?? Both parties get output?? But, how?? • Answer: NO, only guarantee “Security With Abort” • Adversary learns output, then may deny output from honest party. • No harm: preprocessing reveals nothing to adversary • Constant number of rounds [Lindell 2003]

  23. Talk Outline • Multiparty Coin-Toss: • Examples and definitions • Previous results • Our results • Reviewing the [Moran, Naor, Segev 09] result • Our Result: Simplified Constructions • Summary and Open Problems

  24. Just a Second…. An Imam, a Rabbi and a Priest go on the same flight…

  25. Extending to the Multiparty Setting • Two ways we extend MNS: • Simulation — One subset simulating Alice, the other simulating Bob • Generalization — giving a bit to subsets of parties in each round. • Before i* bits are independent. • From i* bits are all the same bit.

  26. When Simulation Works — m=4, t=2 • Output bit: c ∈R {0,1} • Special round: i* ∈R {1,…,r} • a_i, b_i ∈R {0,1} (for all i < i*) • Adversary: “I want c = 0” • Observation: At least two parties are honest. Either Bob is honest or there is an honest majority of Alices • If Bob aborts in round i, Alices output a_{i-1} • Attack: If a_1 = 0, Bob aborts in round 2 • Constant bias!

  27. 4 Parties 2 Malicious — With Shares • Output bit: c ∈R {0,1} • Special round: i* ∈R {1,…,r} • a_i, b_i ∈R {0,1} (for all i < i*) • Use 2-out-of-3 secret sharing of a_i • Reconstructing a_i — only when needed • Dealer: go on unless two parties abort

  28. Reconstruction • Reconstruction upon abort in round i: • Case 1: Two Alices aborted. Bob is honest. Sends b_{i-1} to third Alice • Case 2: Bob aborted. Remaining Alices (at least two) reconstruct a_{i-1} • Requires signatures (limiting adversary to aborts)

  29. Omitting the Dealer • We described a protocol with a trusted dealer • Does not exist in real-life • How to eliminate the dealer? • To be answered in a few slides…

  30. Extending to the Multiparty Setting • Two ways we extend MNS: • Simulation — One subset simulating Alice, the other simulating Bob • Generalization — giving a bit to subsets of parties in each round. • Before i* bits are independent. • From i* bits are all the same bit.

  31. 5-Party Protocol with 3 Malicious m=5, t=3 • Overview: r-round protocol with an online dealer • In round i: • each subset S of size 2 or 3 gets a bit • Each bit is shared with threshold 2. • Dealing with aborts in round i: • Reconstruct the bit of round i-1 • E.g., if A, B abort — C, D, E reconstruct • E.g., if A, B, C abort — D, E reconstruct

  32. Preprocessing • Dealer randomly selects: • Output c, special round i* • Random bits for i < i* (for all pairs, triples) • (bits for i ≥ i* are set to c) • Shares for every bit (all shares are signed) • For pairs: in 2-out-of-2 SSS • For triples: in 2-out-of-3 SSS

  33. Interaction Rounds • In round i: • Dealer continues if 4 parties are still active • Give party p its share for each bit • p ∈ S (a pair or triplet) • If less than 4 parties are active: • Dealer halts • Active parties (set S ) reconstruct

  34. Reconstruction m=5, t=3 • Dealer halts ⇒ at most 3 active parties. • At least 2 are honest! • A and D can reconstruct bit (threshold 2) • Adversary could not see • Before i* abort is independent of reconstructed bit

  35. Security: m=5, t=3 • Adversary must guess i* to bias output!! • Adversary can see 10 bits in each round i • (If not all equal, then i < i*) • Once in every 2^9 rounds they are all the same • Probability to guess i* ≤ 2^9/r (Improved later)

  36. Omitting the Dealer • To turn into an off-line dealer: Clever use of another layer of secret sharing • To omit the off-line dealer: Preprocessing protocol (requires only security with abort)

  37. Omitting the Dealer — Preprocessing • Simulate dealer’s preprocessing • Compute c, i*, bits for all subsets, rounds • Compute shares for all bits • (inner secret sharing) • Share info (for each round) – in 4-out-of-5 SSS • Adversary cannot reconstruct (4 = t+1) • As long as 4 parties are active, the protocol can go on • (outer secret sharing)

  38. Omitting the Dealer — Round i • If there are 4 active parties: • Send shares of outer secret sharing • (4-out-of-5) • Each party learns its shares of appropriate bits • (of inner secret sharing) • If at least 2 parties aborted (cannot continue) • Reconstruct bit • (same as with online dealer)

  39. Omitting the Dealer—Correctness • In each round i parties hold the same information as with online dealer • (due to outer-secret-sharing) • To halt computation (prevent reconstruction) • 2 must abort. • Adversary can see the same bits after round i as with online dealer

  40. Implementing the Preprocessing • Security with abort (constant round [Pass04]) with cheat detection • Cheat detection: • All honest parties identify a cheater • Continue without it • Can be repeated at most twice • Abort in preprocessing is independent of output

  41. Final construction • Combining ideas (simulation, generalization): • Number of subsets depends on k = 2t-m (gap between honest and malicious) • Bound on bias (rather than )

  42. Talk Outline • Multiparty Coin-Toss: • Examples and definitions • Previous results • Our results • Reviewing the [Moran, Naor, Segev 09] result • Our Result: Simplified Constructions • Summary and Open Problems

  43. Summary • Optimal O(1/r) bias for any constant number of parties (less than 2/3 of which are malicious) • Optimal O(1/r) bias when a “little” more than half the parties are corrupt r= #rounds in the protocol

  44. Open Problems • Improve dependency on k, prove lower bounds (k = #malicious - #honest) • Open joke: An Imam, a Rabbi and a Priest go on the same flight… The engine breaks. Someone needs to go… They toss a fair coin. But how fair can it be…??!! • Is O(1/r) bias possible when t ≥ 2m/3? Specifically, 2 malicious out of 3 parties

  45. Thank You!!! Omrier@gmail.com
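Slides 8 to 10 state that Blum's protocol has bias ¼ once an aborting committer is allowed. The following added example (not code from the talk) enumerates every run exactly; the SHA-256 hash commitment and the function names are assumptions chosen for illustration.

```python
import hashlib
import secrets
from fractions import Fraction
from itertools import product

def commit(bit):
    """Return (z, opening); z = SHA-256(nonce || bit) is an assumed instantiation."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + bytes([bit])).digest(), (nonce, bit)

def verify(z, opening):
    nonce, bit = opening
    return hashlib.sha256(nonce + bytes([bit])).digest() == z

def run_blum(a, b, fallback, alice_aborts):
    """Bob's output in one run: Alice sends commit(a), Bob sends b, Alice opens."""
    z, opening = commit(a)
    if alice_aborts(a, b) or not verify(z, opening):
        return fallback              # abort rule from slide 9: output a random bit
    return a ^ b

def prob_zero(alice_aborts):
    """Exact Pr[Bob outputs 0] over uniform a, b and Bob's fallback coin."""
    outs = [run_blum(a, b, f, alice_aborts) for a, b, f in product((0, 1), repeat=3)]
    return Fraction(outs.count(0), len(outs))

def equivocation_accepted():
    """Alice tries to open her commitment to the other bit; Bob must reject."""
    z, (nonce, bit) = commit(0)
    return verify(z, (nonce, bit ^ 1))

if __name__ == "__main__":
    honest = prob_zero(lambda a, b: False)
    cheat = prob_zero(lambda a, b: a != b)   # open only when c would be 0
    print("honest Alice:   Pr[c=0] =", honest)
    print("aborting Alice: Pr[c=0] =", cheat, " bias =", cheat - Fraction(1, 2))
    print("equivocation accepted:", equivocation_accepted())
```

The commitment removes the rushing attack of slide 7, so the only remaining deviation is the selective abort, which is what yields ¾.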
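The online-dealer protocol of slides 19 and 20 can be checked the same way. This added example (not from the talk) computes the exact bias a corrupt, rushing Alice obtains from any abort rule; it assumes Alice receives a_i before Bob receives b_i and that b_0 is a uniform default bit, and all names are illustrative.

```python
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)

def prob_output_one(r, abort_rule):
    """Exact Pr[honest Bob outputs 1] in the r-round online-dealer protocol.

    abort_rule(prefix) sees (a_1, ..., a_i) and returns True if corrupt Alice
    aborts in round i, before Bob is given b_i (so Bob outputs b_{i-1}).
    """
    total = Fraction(0)
    for i_star, c in product(range(1, r + 1), (0, 1)):
        # Only a_1..a_{i*-1} are random; from round i* on the dealer hands out c.
        for rand in product((0, 1), repeat=i_star - 1):
            a = list(rand) + [c] * (r - i_star + 1)
            weight = Fraction(1, 2 * r) / 2 ** (i_star - 1)
            abort_round = next(
                (i for i in range(1, r + 1) if abort_rule(tuple(a[:i]))), None)
            if abort_round is None or abort_round - 1 >= i_star:
                p_one = Fraction(c)   # run completes, or b_{i-1} already equals c
            else:
                p_one = HALF          # b_{i-1} is an independent coin (b_0 too)
            total += weight * p_one
    return total

def bias(r, abort_rule):
    return abs(prob_output_one(r, abort_rule) - HALF)

def first_zero(prefix):
    """Alice wants output 1: abort the first time the dealer hands her a 0."""
    return prefix[-1] == 0

if __name__ == "__main__":
    for r in (2, 4, 8, 12):
        b = bias(r, first_zero)
        print(f"r={r:2d}  bias={b}  r*bias={float(r * b):.4f}")
    print("abort always in round 3:", bias(8, lambda p: len(p) == 3))
```

The abort only helps when it lands exactly on i*, so r·bias approaches ½ for this strategy, while an abort in a fixed round gains nothing.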
