Coin Flipping with Constant Bias Implies One-Way Functions

Iftach Haitner and Eran Omri.


Presentation Transcript


  1. Coin Flipping with Constant Bias Implies One-Way Functions. Iftach Haitner and Eran Omri.

  2. Cryptography Implies One-Way Functions
     (Almost all) complexity-based cryptography is known to imply one-way functions [Impagliazzo-Luby '89]
     One-way functions (OWFs): efficiently computable functions that no efficient algorithm can invert with more than negligible probability
     The characterization of coin-flipping protocols is not (fully) known

  3. Coin Flipping Protocols
     An efficient two-party protocol $(A,B)$
     • $\Pr[(A,B)(1^n) = \text{'1'}] = \Pr[(A,B)(1^n) = \text{'0'}] = ½$
     • For any PPT $\overline{A}$ and $b \in \{0,1\}$, $\Pr[(\overline{A},B)(1^n) = \text{'b'}] \le ½ + \mathrm{negl}(n)$ (same for $B$)
     Numerous applications (Zero-knowledge Proofs, Secure Function Evaluation…)
     $\delta$-bias coin flipping:
     • $\Pr[(\overline{A},B)(1^n) = \text{'b'}] \le ½ + \delta(n)$
     Implied by OWFs [Naor '89, Håstad et al. '90]
     Does coin flipping imply OWFs?

  4. Known Results
     • Almost-optimal (i.e., $\mathrm{negl}(n)$-bias) CF implies OWFs [IL '89]
     • Non-trivial (i.e., $(½ - 1/\mathrm{poly}(n))$-bias) constant-round CF implies OWFs [Maji et al. '10]
     • Constant-bias ($¼ - 1/\mathrm{poly}(n)$) CF implies $P \ne NP$ [Maji et al. '10]
     • Non-trivial CF implies $P \ne PSPACE$
     All the above results hold wrt weak coin flipping:
     • $\Pr[(\overline{A},B)(1^n) = \text{'0'}] \le ½ + \delta(n)$
     • $\Pr[(A,\overline{B})(1^n) = \text{'1'}] \le ½ + \delta(n)$
     Weaker security guarantee, yet has many applications

  5. Our Result
     Main thm: Constant-bias ($1/\sqrt{2} - ½ - 1/\mathrm{poly}(n)$) coin flipping implies OWFs
     • $1/\sqrt{2} - ½ = 0.207…$
     Main lemma: Assume that OWFs do not exist, then for any (unbiased) coin-flipping protocol $(A,B)$ and any $b \in \{0,1\}$, there exist efficient strategies $\overline{A}$ and $\overline{B}$ s.t.
     $\Pr[(\overline{A},B)(1^n) = \text{'b'}] > 1/\sqrt{2} - 1/\mathrm{poly}(n)$, or
     $\Pr[(A,\overline{B})(1^n) = \text{'b'}] > 1/\sqrt{2} - 1/\mathrm{poly}(n)$

  6. The Constant $1/\sqrt{2} - ½$
     • The right bound for two-side attackers (even unbounded ones)
     • $(1/\sqrt{2} - ½ + \varepsilon)$-bias coin-flipping implies $\varepsilon$-bias weak coin-flipping [Chailloux and Kerenidis '09]
     • Quantum $(1/\sqrt{2} - ½)$-bias coin-flipping exists, and is optimal [Kitaev '03, Chailloux and Kerenidis '09]

  7. Proving the Main Lemma
     Main lemma: Assume that OWFs do not exist, then for any (unbiased) coin-flipping protocol $(A,B)$ and any $b \in \{0,1\}$, there exist efficient strategies $\overline{A}$ and $\overline{B}$ s.t.
     $\Pr[\mathrm{out}(\overline{A},B)(1^n) = \text{'b'}] > 1/\sqrt{2} - 1/\mathrm{poly}(n)$, or
     $\Pr[\mathrm{out}(A,\overline{B})(1^n) = \text{'b'}] > 1/\sqrt{2} - 1/\mathrm{poly}(n)$
     Rest of the talk:
     • Define unbounded strategies for $\overline{A}$ and $\overline{B}$
     • Approximate these strategies efficiently using OWF inverter

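  8. The Random Continuation Attack
     Fix $n$ and $b = 1$. Define $\overline{A}$ as:
     Given a transcript $\alpha$, $\overline{A}$ picks a uniform value for $(r_A, r_B)$ s.t.
     • $(A(r_A), B(r_B))$ is consistent with $\alpha$
     • $\mathrm{out}(A(r_A), B(r_B)) = \text{'1'}$
     Sends $A(r_A)$'s reply on $\alpha$
     Claim: $\Pr_{\mathrm{out}(\overline{A},B)}[\text{'1'}] \ge 1/\sqrt{2}$ or $\Pr_{\mathrm{out}(A,\overline{B})}[\text{'1'}] \ge 1/\sqrt{2}$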

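  9. The Protocol $(\overline{A},\overline{B})$
     The prob. of any 1-transcript wrt $(\overline{A},\overline{B})$ is twice its prob. wrt $(A,B)$
     More generally, for any (possibly partial) transcript $\alpha$ let $v[\alpha] = \Pr_{\mathrm{out}(A,B)}[\text{'1'} \mid \alpha]$, then
     1. $\Pr_{(\overline{A},\overline{B})}[\alpha] = 2 \cdot v[\alpha] \cdot \Pr_{(A,B)}[\alpha]$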

  10. $\Pr_{(\overline{A},\overline{B})}[\alpha] = 2 \cdot v[\alpha] \cdot \Pr_{(A,B)}[\alpha]$, $v[\alpha] = \Pr_{(A,B)}[\text{'1'} \mid \alpha]$
     Execution tree $T$ of $(A,B)$, labeled by $v[\alpha]$ / $\Pr_{(A,B)}[\alpha]$ (messages are bits, and full transcripts determine the parties' random coins)
     $(A,B)$ uniformly picks a (full) path in $T$
     • $\Pr_{(A,B)}[\alpha]$: (# of paths visiting $\alpha$) / (# of paths in $T$)
     • $v[\alpha]$: (# of 1-paths visiting $\alpha$) / (# of paths visiting $\alpha$)
     $(\overline{A},\overline{B})$ uniformly picks a 1-path in $T$
     • $\Pr_{(\overline{A},\overline{B})}[\alpha]$: (# of 1-paths visiting $\alpha$) / (# of 1-paths in $T$)

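  11. The Protocol $(\overline{A},\overline{B})$
     The prob. of any 1-transcript wrt $(\overline{A},\overline{B})$ is twice its prob. wrt $(A,B)$
     More generally, for any (possibly partial) transcript $\alpha$, let $v[\alpha] = \Pr_{\mathrm{out}(A,B)}[\text{'1'} \mid \alpha]$, then
     1. $\Pr_{(\overline{A},\overline{B})}[\alpha] = 2 \cdot v[\alpha] \cdot \Pr_{(A,B)}[\alpha]$
     2. Compensation Lemma (slightly simplified): For any frontier* $L$ of transcripts
        $\Pr_{(\overline{A},B)}[L] \cdot \Pr_{(A,\overline{B})}[L] = \Pr_{(A,B)}[L] \cdot \Pr_{(\overline{A},\overline{B})}[L]$
     * No transcript in $L$ has a prefix in $L$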

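  12. $\Pr_{(\overline{A},B)}[L] \cdot \Pr_{(A,\overline{B})}[L] = \Pr_{(A,B)}[L] \cdot \Pr_{(\overline{A},\overline{B})}[L]$
     We prove for $L = \{\text{'01'}\}$
     • $k_{(X,Y)}[b \mid \alpha] = \Pr_{(X,Y)}[\alpha \circ b \mid \alpha]$ (prob. of taking edge $b$ from $\alpha$)
     • $\Pr_{(X,Y)}[01] = k_{(X,Y)}[0] \cdot k_{(X,Y)}[1 \mid 0]$
     $\Pr_{(A,B)}[01] = k_{(A,B)}[0] \cdot k_{(A,B)}[1 \mid 0]$
     $\Pr_{(\overline{A},\overline{B})}[01] = k_{(\overline{A},\overline{B})}[0] \cdot k_{(\overline{A},\overline{B})}[1 \mid 0]$
     $\Rightarrow$ $\Pr_{(\overline{A},B)}[01] = k_{(\overline{A},\overline{B})}[0] \cdot k_{(A,B)}[1 \mid 0]$
     $\Pr_{(A,\overline{B})}[01] = k_{(A,B)}[0] \cdot k_{(\overline{A},\overline{B})}[1 \mid 0]$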

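  13. The Protocol $(\overline{A},\overline{B})$
     The prob. of any 1-transcript wrt $(\overline{A},\overline{B})$ is twice its prob. wrt $(A,B)$
     More generally, for any (possibly partial) transcript $\alpha$, let $v[\alpha] = \Pr_{\mathrm{out}(A,B)}[\text{'1'} \mid \alpha]$, then
     1. $\Pr_{(\overline{A},\overline{B})}[\alpha] = 2 \cdot v[\alpha] \cdot \Pr_{(A,B)}[\alpha]$
     2. Compensation Lemma (slightly simplified): For any frontier $L$ of transcripts
        $\Pr_{(\overline{A},B)}[L] \cdot \Pr_{(A,\overline{B})}[L] = \Pr_{(A,B)}[L] \cdot \Pr_{(\overline{A},\overline{B})}[L]$
     1-leaves $= \{\alpha \in T : \alpha$ is a full transcript and $v[\alpha] = 1\}$
     • $\Pr_{(\overline{A},\overline{B})}[\text{1-leaves}] = 2 \cdot \Pr_{(A,B)}[\text{1-leaves}] = 1$
       $\Rightarrow \Pr_{(\overline{A},B)}[\text{1-leaves}] \cdot \Pr_{(A,\overline{B})}[\text{1-leaves}] = ½$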

  14. Efficient Strategies
     Given a transcript $\alpha$, $\overline{A}$ picks a uniform value for $(r_A, r_B)$ s.t.
     • $(A(r_A), B(r_B))$ is consistent with $\alpha$
     • $\mathrm{out}(A(r_A), B(r_B)) = \text{'1'}$
     Sends $A(r_A)$'s reply on $\alpha$
     $\overline{A}$ needs to sample $(r_A, r_B)$ efficiently (given OWFs inverter)
     • Define $f(r_A, r_B, i) = (\alpha(r_A,r_B)_{1,\ldots,i}, v[\alpha])$
       $\alpha(r_A, r_B)$ is the (full) transcript generated by $(A(r_A), B(r_B))$
     To sample $(r_A, r_B)$, $\overline{A}$ returns a random preimage of $(\alpha, 1)$
     Assuming OWFs do not exist, this can be done efficiently for uniformly chosen outputs of $f$ [IL '89]
     Problem: the distribution induced by $(\overline{A},B)$ might be far from uniform

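  15. Two Types of Non-Typical Queries
     $f(r_A, r_B, i) = (\alpha(r_A,r_B)_{1,\ldots,i}, v[\alpha])$
     Low-Value Transcripts
     $\mathrm{LowVal} = \{\alpha \in T : v[\alpha] < \delta\}$, where $\delta$ is small (e.g., 0.001)
     • $\Pr[f(U) = (\alpha, 1) \wedge \alpha \in \mathrm{LowVal}] < \delta$
     Biased Transcripts
     $\mathrm{BiasedA} = \{\alpha \in T : \Pr_{(\overline{A},B)}[\alpha] > c \cdot \Pr_{(A,B)}[\alpha]\}$, where $c$ is large (e.g., 1000)
     • $\Pr[f(U) = (\alpha, \cdot) \wedge \alpha \in \mathrm{BiasedA}] = \Pr_{(A,B)}[\mathrm{BiasedA}] < 1/c$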

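  16. Low-Value Transcripts
     $\mathrm{LowVal} = \{\alpha \in T : v[\alpha] < \delta\}$
     • $\Pr_{(\overline{A},\overline{B})}[\mathrm{LowVal}] = 2 \cdot \sum_{\alpha \in \mathrm{LowVal}} v[\alpha] \cdot \Pr_{(A,B)}[\alpha] < 2\delta \cdot \sum_{\alpha \in \mathrm{LowVal}} \Pr_{(A,B)}[\alpha] \le 2\delta$
     Yet, it might be that $\Pr_{(\overline{A},B)}[\mathrm{LowVal}]$ is large
     $\Rightarrow$ the success of $(\overline{A},B)$ depends on succeeding on inverting $f$ on $\mathrm{LowVal}$
     We prove that $\overline{A}$ does "well enough", even if it always fails on $\mathrm{LowVal}$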

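  17. Low-Value Transcripts cont.
     $\mathrm{LowValA} = \{\alpha \in \mathrm{LowVal} \wedge \Pr_{(\overline{A},B)}[\alpha] > \Pr_{(A,B)}[\alpha]\}$
     (hence, $\Pr_{(\overline{A},B)}[\mathrm{LowValA}] > \Pr_{(A,B)}[\mathrm{LowValA}]$)
     Since $\Pr_{(\overline{A},\overline{B})}[\mathrm{LowValA}] < 2\delta$, Compensation Lemma yields
     • $\Pr_{(A,\overline{B})}[\mathrm{LowValA}] < 2\delta$
     Let $\alpha$ be in (the frontier of) $\mathrm{LowValA}$
     Even when both $\overline{A}$ and $\overline{B}$ fail on $\mathrm{LowValA}$
     $\Pr_{\mathrm{out}(\overline{A},B)}[\text{'1'}] \ge 1/\sqrt{2} - \delta$ or $\Pr_{\mathrm{out}(A,\overline{B})}[\text{'1'}] \ge 1/\sqrt{2} - 2\delta$
     This also holds wrt the original protocol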

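  18. Biased Transcripts
     $\mathrm{BiasedA} = \{\alpha \in T : \Pr_{(\overline{A},B)}[\alpha] > c \cdot \Pr_{(A,B)}[\alpha]\}$
     • $\Pr_{(A,B)}[\mathrm{BiasedA}] < 1/c$
     Since
     • $\Pr_{(\overline{A},\overline{B})}[\mathrm{BiasedA}] = 2 \cdot \sum_{\alpha \in \mathrm{BiasedA}} v[\alpha] \cdot \Pr_{(A,B)}[\alpha] \le 2 \cdot \Pr_{(A,B)}[\mathrm{BiasedA}] < 2/c$
     the Compensation Lemma yields that
     • $\Pr_{(A,\overline{B})}[\mathrm{BiasedA}] < 2/c$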

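  19. Biased Transcripts cont.
     • $\mathrm{BiasedA} = \{\alpha : \Pr_{(\overline{A},B)}[\alpha] > c \cdot \Pr_{(A,B)}[\alpha]\}$
     • $\Pr_{(A,\overline{B})}[\mathrm{BiasedA}] < 2/c$
     Let $\alpha \in \mathrm{BiasedA}$ with $v[\alpha] = \delta$
     Solution:
     1. Use larger outcomes
     2. Instruct $\overline{A}$ to take red edges w.p. $1/k$
     • $\mathrm{Ex}[\mathrm{out}(\overline{A},B)] \cdot \mathrm{Ex}[\mathrm{out}(A,\overline{B})] \ge ½$
     Even when both $\overline{A}$ and $\overline{B}$ fail on $\mathrm{BiasedA}$
     • $\mathrm{Ex}[\mathrm{out}(\overline{A},B)] \ge 1/\sqrt{2} - 1/k$ or $\mathrm{Ex}[\mathrm{out}(A,\overline{B})] \ge 1/\sqrt{2} - 2k/c$
       $\Rightarrow \Pr_{\mathrm{out}(\overline{A},B)}[\text{'1'}] \ge 1/\sqrt{2} - 1/k$ or $\Pr_{\mathrm{out}(A,\overline{B})}[\text{'1'}] \ge 1/\sqrt{2} - 2k/c$
     This also holds wrt the original protocol
     Unless is tiny, $\overline{A}$ might still gain substantially from visiting $\mathrm{BiasedA}$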

  20. Summary
     Constant-bias coin flipping implies OWFs
     Slightly increasing the constant (by $1/\mathrm{poly}(n)$) would yield a similar result for weak coin flipping
     Interesting connection between quantum coin flipping and our current knowledge of plain-model coin flipping
     Challenge: prove that any non-trivial coin flipping implies OWFs
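
The unbounded random continuation attack of slides 8 to 13, run on a small execution tree with exact arithmetic. This is an added example, not code from the talk or its authors: the four-message toy protocol, its output table, and the names `pr`, `win`, `edge` and the `attackers` string (which of A, B runs the attack) are assumptions made for illustration. It checks identity 1 and the Compensation Lemma transcript by transcript, and that the product of the two one-sided success probabilities is at least ½, so at least one of them is at least 1/√2.

```python
from fractions import Fraction as F
from itertools import product

# Constructed toy protocol (not from the talk): 4 one-bit messages sent in the order
# A, B, A, B, each an honest fair coin; OUT_BITS[i] is the output of transcript number i.
ROUNDS, OUT_BITS = 4, "0001011101101001"   # 8 of the 16 transcripts output '1'

def out(t):
    return int(OUT_BITS[int("".join(map(str, t)), 2)])

def v(alpha):
    """v[alpha]: honest probability of output '1' given partial transcript alpha."""
    ext = list(product((0, 1), repeat=ROUNDS - len(alpha)))
    return F(sum(out(alpha + e) for e in ext), len(ext))

def edge(alpha, b, attackers):
    """Probability that the party moving at alpha sends bit b."""
    mover = "AB"[len(alpha) % 2]
    if mover in attackers and v(alpha) > 0:
        # random continuation: reply as on a uniform 1-path through alpha
        return v(alpha + (b,)) / (2 * v(alpha))
    return F(1, 2)   # honest fair coin (also used when no 1-path remains)

def pr(alpha, attackers=""):
    """Probability of reaching alpha; attackers is "", "A", "B" or "AB"."""
    p = F(1)
    for i, b in enumerate(alpha):
        p *= edge(alpha[:i], b, attackers)
    return p

def win(attackers):
    """Probability that the output is '1' when the named parties attack."""
    return sum(pr(t, attackers) for t in product((0, 1), repeat=ROUNDS) if out(t))

def identities_hold():
    nodes = [t for d in range(ROUNDS + 1) for t in product((0, 1), repeat=d)]
    prop1 = all(pr(a, "AB") == 2 * v(a) * pr(a) for a in nodes)
    comp = all(pr(a, "A") * pr(a, "B") == pr(a) * pr(a, "AB") for a in nodes)
    return prop1 and comp

if __name__ == "__main__":
    print("identities hold:", identities_hold())
    print("A attacks:", win("A"), " B attacks:", win("B"),
          " product >= 1/2:", win("A") * win("B") >= F(1, 2))
```

On this tree the attack gives 7/12 when run by A and 15/16 when run by B, so only B's attack clears 1/√2, which is why the claim is stated as an "or".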
