Coin Flipping of any Constant Bias Implies One-Way Functions. Iftach Haitner. Based on joint works with Itay Berman, Eran Omri and Aris Tentes.
Cryptography Implies One-Way Functions
Almost all “computational” cryptography is known to imply one-way functions [cf. Impagliazzo-Luby ‘89]
• One-way functions (OWFs): efficiently computable functions that no efficient algorithm can invert (with more than negligible probability)
• These reductions are typically rather straightforward for non-interactive primitives, or for interactive primitives with a single “failure point”, e.g., commitment schemes
• Rather complex for some interactive primitives
Full characterization of coin-flipping protocols is not known
Coin-Flipping Protocols
Parties want to jointly flip a uniform string
[Figure: labels “I want”, “Output”, “Output”]
Blum’s Coin-Flipping Protocol
• Negligible bias
• Commitment obtained using OWF
[Figure: labels “I want”, “Output”]
Coin-Flipping Protocols
Efficient 2-party protocol is -bias CF:
• For any PPT and, (Same for B)
• Fairness is not required
Weak Coin-Flipping Protocols
Efficient 2-party protocol is -bias CF:
• For any PPT’s and ,
Strong CF ⇒ Weak CF
• Numerous applications (ZK proofs, SFE,…)
• Implied (with negligible bias) by OWFs [Blum ‘83, Naor ‘89, Håstad et al. ‘90]
Does (weak) coin flipping imply OWFs?
Known Results
• –bias CF implies OWFs [IL ‘89], where is the protocol round complexity
• Constant-round, non-trivial (i.e., –bias) CF implies OWFs [Maji, Prabhakaran, Sahai ‘10]
• -bias strong CF implies OWFs [Haitner, Omri ‘11]
• Constant-round, non-trivial CF implies NP BPP [Zachos ‘86]
• –bias CF implies NP BPP [Maji, Prabhakaran, Sahai ‘10]
• Non-trivial CF implies PSPACE BPP
For -round, –bias CF, results are far from being tight
[Haitner-Omri ‘11]
Theorem 1 [Haitner-Omri ‘11]: Coin flipping with bias implies OWFs
• Only holds for strong coin tossing
Main lemma: Assume ∄OWFs and let (A,B) be a CF protocol. Then there exist efficient strategies A and B s.t.: Pr[(A,B)(1^n) = ‘1’] > , or Pr[(A,B)(1^n) = ‘1’] > (Same holds for ‘0’)
• Optimal two-sided attacker
• Matches the quantum bound
[Berman-Haitner-Tentes ‘13]
Theorem 2 [Berman-Haitner-Tentes ‘13]: Coin flipping of any (non-trivial) constant bias (e.g., 0.4999) implies OWFs
• Also holds for weak coin tossing
Main lemma: Assume ∄OWFs and let (A,B) be a CF protocol. Then there exist efficient strategies A and B s.t.: Pr[(A,B)(1^n) = ‘1’] > , or Pr[(A,B)(1^n) = ‘0’] > (Same holds for opposite directions)
• Almost fully characterizes complexity of coin-flipping protocols. Yet to be characterized: CF of bias
Rest of the Talk
• About proving the necessity of OWFs
• The optimal attack on CF protocols
• The biased-continuation attack
• Approximating the biased-continuation attack (assuming OWFs)
Proving The Necessity of OWFs
Given a cryptographic primitive (e.g., commitment scheme)
’s core function: efficiently computable function whose inversion implies breaking the security of
has a core function ⇒ OWFs are necessary for
Example 1: Symmetric key encryption
Example 2: For commitment schemes, the core function maps the parties’ coins to the commitment string
Hard to find for interactive primitives (with no single failing point)
• Does there exist such a core function?
• Distribution induced by attack might be different from uniform
Protocols as Binary Trees
• Nodes transcripts
• Messages are bits
• Inner nodes labeling: who controls the node
• Leaves labeling: protocol’s outcome
• Edges labeling: probability of taking the edge
• 1-leaves/0-leaves
• Node value: probability of hitting a 1-leaf, once in the node
Optimal Attacks on CF Protocols
Optimal adversaries for :
– optimal valid strategy for A attacking towards 1
– optimal valid strategy for B attacking towards 0
Assume wlg. that ‘1’= )
Question: what makes wins?
Fact: is -immune:
Lemma: ∃ -immune measure over 1-leaves of (i.e., 1-leaves):
[Figure: protocol tree with nodes controlled by A and B, edge probabilities α, 1-α and β, and leaves 0/1]
The Biased Continuation Attack
Or, hitting the –immune measure
The Biased-Continuation Attack
The (first) biased-continuation attack for A towards 1
• is analogous for towards 0.
• OWFs is necessary, but not sufficient
Amazingly useful! Also used for Parallel Repetition thms [Håstad et al. ‘10], [Haitner ‘09]
On transcript , samples uniform: is consistent with
Sends ’s reply on
[Figure: protocol tree; root A with edge probabilities ½, ½; B nodes with edge probabilities ¼, ¾; leaves 0 0 1 0 1]
Recursions
is also a protocol. = on .
Problem: is not efficient.
On transcript , samples uniform: is consistent with
Sends ’s reply on
Fact: For -round protocol, converges to A’s optimal attacker.
Question: How well does?
[Figure: protocol tree; root A with edge labels ¼, ½, ¾, ½; B nodes with edge probabilities ¼, ¾; leaves 0 0 1 0 1]
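The tree model and the recursion above, worked through on a small constructed protocol (an added example, not code from the talk). It assumes the usual reading of the attack in the tree model: at a node A controls, A sends bit b with probability proportional to the current probability of b times the value of the child it leads to. The tuple encoding, the function names and the sample tree are assumptions made for illustration.

```python
from fractions import Fraction as F

# Tree encoding (assumed for this example): a leaf is the outcome 0 or 1; an
# inner node is (owner, p1, child0, child1), p1 = probability of sending bit 1.
def value(t):
    """Node value: probability of reaching a 1-leaf from node t."""
    if isinstance(t, int):
        return F(t)
    _, p1, c0, c1 = t
    return (1 - p1) * value(c0) + p1 * value(c1)

def optimal_for_A(t):
    """Best value A can force towards 1 over edges of positive probability."""
    if isinstance(t, int):
        return F(t)
    owner, p1, c0, c1 = t
    if owner == "A":
        return max(optimal_for_A(c) for c, p in ((c0, 1 - p1), (c1, p1)) if p > 0)
    return (1 - p1) * optimal_for_A(c0) + p1 * optimal_for_A(c1)

def biased_continuation(t):
    """Protocol tree after A, at each of its nodes, samples a continuation of
    t conditioned on outcome 1 and sends that continuation's next bit."""
    if isinstance(t, int):
        return t
    owner, p1, c0, c1 = t
    if owner == "A":
        w0, w1 = (1 - p1) * value(c0), p1 * value(c1)
        if w0 + w1 > 0:  # a value-0 node has no 1-leaf to condition on
            p1 = w1 / (w0 + w1)
    return (owner, p1, biased_continuation(c0), biased_continuation(c1))

def recursion_values(t, rounds):
    """Values of (A^(0),B), (A^(1),B), ...: A^(i) attacks the protocol (A^(i-1),B)."""
    out = [value(t)]
    for _ in range(rounds):
        t = biased_continuation(t)
        out.append(value(t))
    return out

# Constructed sample protocol (not from the slides); honest value is 1/2.
TREE = ("A", F(1, 2),
        ("B", F(1, 2), 0, ("A", F(1, 2), 0, 1)),
        ("B", F(3, 4), 0, 1))

if __name__ == "__main__":
    print(*recursion_values(TREE, 3), "optimum:", optimal_for_A(TREE))
```

On this tree the values after 0 to 3 recursions are 1/2, 11/16, 31/44 and 89/124, increasing towards A's optimum of 3/4 without reaching it.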
and the –Immune Measure
where letting . Since ) for
Problem: )(even for constant)) is inefficient
Key observation: if then
[Figure: protocol tree with nodes controlled by A and B, edge probabilities α, 1-α and β, and leaves 0/1]
Conditional Protocols
over 1-leaves of with and
The conditional protocol
⇒ no –immune measure ⇒ wins.
⇒ ∃ measure over 0-leaves of with and
Still, might be small…
[Figure: protocol tree with nodes controlled by A and B, edge probabilities α, 1-α and β, and leaves 0/1]
Conditional Protocols cont.
The conditional protocol
⇒ ∃ measure over 1-leaves of with and
Can we gain also from ?
For the measure
[Figure: protocol tree with nodes controlled by A and B, edge probabilities α, 1-α and β, and leaves 0/1]
Sequence of Conditional Protocols
There exist measure sequences , over 1-leaves over 0-leaves, s.t.:
= = ½ for large enough t
• and
For assume wlg. that ∃ s.t. and ⇒ for
Transcript Function
Leaf induced by
For let
needs to invert
Seems that needs to invert , for
Might be impossible even if OWFs
Since is stateless, suffices to invert
Hard to Invert Transcripts
∄OWF does not suffice for attacking these nodes
[Figure: protocol tree with A nodes, node value ½, and leaves 0/1]
Large is Balanced
Lemma: c > 0 where descendants of
• We can focus on low-value nodes
Corollary: Assume all low-value nodes are in B’s control and OWFs ⇒ exists an efficient approximation of
[Figure: protocol tree with A nodes, node value ½, and leaves 0/1]
Pruned Protocols
The pruned variant of
• controls all low-value nodes
• controls all high-value nodes
By previous lemmas, : either or
[Figure: protocol tree with nodes controlled by A and B, node values .5, .2, .999, .001, .3, and leaves 0/1]
The Pruning Attacker
The pruning attacker, acts as if it is in the pruned protocol
Let . The pruning attacker for , acts as until reaching a pruned node, and then starts acting honestly (like )
Assume wlg. that then
[Figure: protocol tree with nodes controlled by A and B, node values .5, .2, .999, .3, .001, and leaves 0/1]
Summary
• Coin flipping of any constant bias implies OWFs
• Challenge: show the same for bias
• Further implications for the connection between zero-sum games and existence of OWFs