
Coin Flipping of any Constant Bias Implies One-Way Functions

Iftach Haitner. Based on joint works with Itay Berman, Eran Omri and Aris Tentes.


Presentation Transcript


  1. Coin Flipping of any Constant Bias Implies One-Way Functions. Iftach Haitner. Based on joint works with Itay Berman, Eran Omri and Aris Tentes.

  2. Cryptography Implies One-Way Functions. Almost all “computational” cryptography is known to imply one-way functions [cf. Impagliazzo-Luby ‘89] • One-way functions (OWFs): efficiently computable functions that no efficient algorithm can invert (with more than negligible probability) • These reductions are typically rather straightforward for non-interactive primitives, or for interactive primitives with a single “failure point”, e.g., commitment schemes • Rather complex for some interactive primitives. Full characterization of coin-flipping protocols is not known.

  3. Coin-Flipping Protocols Parties want to jointly flip a uniform string I want Output Output

  4. Blum’s Coin-Flipping Protocol • I want • Negligible bias • Commitment obtained using OWF Output

  5. Coin-Flipping Protocols Efficient 2-party protocol is -bias CF: • For any PPT and,(Same for B) • Fairness is not required

  6. Weak Coin-Flipping Protocols Efficient 2-party protocol is -bias CF: • For any PPT’s and , Strong CF ⇒ Weak CF • Numerous applications (ZK proofs, SFE, …) • Implied (with negligible bias) by OWFs [Blum ’83, Naor ‘89, Håstad et al. ‘90] Does (weak) coin flipping imply OWFs?

  7. Known Results • –bias CF implies OWFs [IL ‘89], where is the protocol round complexity • Constant-round, non-trivial (i.e., –bias) CF implies OWFs [Maji, Prabhakaran, Sahai ‘10] • -bias strong CF implies OWFs [Haitner, Omri ‘11] • Constant-round, non-trivial CF implies NP BPP [Zachos ‘86] • –bias CF implies NP BPP [Maji, Prabhakaran, Sahai ‘10] • Non-trivial CF implies PSPACE BPP For -round, –bias CF, results are far from being tight

  8. [Haitner-Omri ‘11] Theorem 1 [Haitner-Omri ‘11]: Coin flipping with bias implies OWFs • Only holds for strong coin tossing. Main lemma: Assume ∄OWFs and let (A,B) be CF protocol. Then there exist efficient strategies A and B s.t.: Pr[(A,B)(1^n)= ‘1’] > , or Pr[(A,B)(1^n)= ‘1’] > (Same holds for ‘0’) • Optimal two-sided attacker • Matches the Quantum bound

  9. [Berman-Haitner-Tentes ‘13] Theorem 2 [Berman-Haitner-Tentes ‘13]: Coin flipping of any (non-trivial) constant bias (e.g., 0.4999) implies OWFs • Also holds for weak coin tossing. Main lemma: Assume ∄OWFs and let (A,B) be CF protocol. Then there exist efficient strategies A and B s.t.: Pr[(A,B)(1^n)= ‘1’] > , or Pr[(A,B)(1^n)= ‘0’] > (Same holds for opposite directions) • Almost fully characterizes complexity of coin-flipping protocols. Yet to be characterized: CF of bias

  10. Rest of the Talk • About proving the necessity of OWFs • The optimal attack on CF protocols • The biased-continuation attack • Approximating the biased-continuation attack (assuming OWFs)

  11. Proving The Necessity of OWFs. Given a cryptographic primitive (e.g., commitment scheme) ’s core function: efficiently computable function whose inversion implies breaking the security of has a core function ⇒ OWF are necessary for Example 1: Symmetric key encryption Example 2: For commitment schemes, the core function maps the parties’ coins to the commitment string. Hard to find for interactive primitives (with no single failing point) • Does there exist such core function? • Distribution induced by attack might be different from uniform

  12. The Optimal Adversaries

  13. Protocols as Binary Trees • Nodes: transcripts • Messages are bits • Inner nodes labeling: who controls the node • Leaves labeling: protocol’s outcome • Edges labeling: probability of taking the edge • 1-leaves/0-leaves • Node value: probability of hitting a 1-leaf, once in the node

  14. Optimal Attacks on CF Protocols. Optimal adversaries for : – optimal valid strategy for A attacking towards 1 – optimal valid strategy for B attacking towards 0. Assume wlg. that ‘1’= ⇒ Question: what makes wins? Fact: is -immune: Lemma: ∃ -immune measure over 1-leaves of (i.e., 1-leaves): [Figure: protocol tree with nodes A, B, A, edge labels α, 1-α, β and leaves 1, 0, 1]

  15. The Biased Continuation Attack Or, hitting the –immune measure

  16. The Biased-Continuation Attack. The (first) biased-continuation attack for A towards 1 • is analogous for towards 0. • OWFs is necessary, but not sufficient. Amazingly useful! Also used for Parallel Repetition thms [Håstad et al. ‘10], [Haitner ‘09]. On transcript , samples uniform: is consistent with Sends ’s reply on [Figure: protocol tree with A- and B-controlled nodes, edge probabilities ½, ½, ¼, ¾ and 0/1 leaves]

  17. Recursions. is also a protocol. = on . Problem: is not efficient. On transcript , samples uniform: is consistent with Sends ’s reply on Fact: For -round protocol, converges to A’s optimal attacker. Question: How well does? [Figure: protocol tree with A- and B-controlled nodes, edge probabilities ¼, ½, ¾, ½, ¼, ¾ and 0/1 leaves]

  18. and the –Immune Measure where letting . Since ⇒ for Problem: )(even for constant)) is inefficient. Key observation: if then [Figure: protocol tree with nodes A, B, A, edge labels α, 1-α, β and leaves 1, 0, 1]

  19. Conditional Protocols over 1-leaves of with and The conditional protocol ⇒ no –immune measure ⇒ wins. ⇒ ∃ measure over 0-leaves of with and Still, might be small… [Figure: protocol tree with nodes A, B, A, edge labels α, 1-α, β and leaves 1, 0, 1]

  20. Conditional Protocols cont. The conditional protocol ⇒ ∃ measure over 1-leaves of with and Can we gain also from ? For the measure [Figure: protocol tree with nodes A, B, A, edge labels α, 1-α, β and leaves 1, 0, 1]

  21. Sequence of Conditional Protocols. There exist measure sequences , over 1-leaves over 0-leaves, s.t.: = = ½ for large enough t • and For assume wlg. that ∃ s.t. and ⇒ for

  22. An Efficient Attack On CF Protocols (assuming OWFs)

  23. Transcript Function. Leaf induced by For let needs to invert Seems that needs to invert , for Might be impossible even if OWFs Since is stateless, suffices to invert

  24. Hard to Invert Transcripts. ∄OWF does not suffice for attacking these nodes [Figure: protocol tree with A-controlled nodes, edge probability ½ and leaves 0, 0, 1]

  25. Large is Balanced. Lemma: c >0 where descendants of • We can focus on low-value nodes. Corollary: Assume all low-value nodes are in B’s control and OWFs ⇒ exists an efficient approximation of [Figure: protocol tree with A-controlled nodes, edge probability ½ and leaves 0, 0, 1]

  26. Pruned Protocols. The pruned variant of • controls all low-value nodes • controls all high-value nodes. By previous lemmas, : either or [Figure: protocol tree with A- and B-controlled nodes, node values .5, .2, .999, .001, .3 and 0/1 leaves]

  27. The Pruning Attacker. The pruning attacker, acts as if it is in the pruned protocol. Let . The pruning attacker for , acts as until reaching a pruned node, and then starts acting honestly (like ). Assume wlg. that then [Figure: protocol tree with A- and B-controlled nodes, node values .5, .2, .999, .3, .001 and 0/1 leaves]

  28. Summary • Coin flipping of any constant bias implies OWFs • Challenge: show the same for bias • Further implications for the connection between zero-sum games and existence of OWFs
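
Added example, not part of the talk: the tree view of slide 13 and the recursive biased-continuation attack of slides 16 and 17, computed exactly on a small constructed protocol tree. It assumes the usual reading of the attack (at a node A controls, sample an honest continuation conditioned on reaching a 1-leaf and send its next bit); the tree and all function names are hypothetical.

```python
from fractions import Fraction as F

# Constructed toy protocol tree (an assumption, not taken from the slides).
# A leaf is the outcome 0 or 1; an inner node is
# (controller, p1, child0, child1), p1 = honest probability of sending bit 1.
A_LAST = ("A", F(1, 2), 0, 1)
TREE = ("A", F(1, 2),
        ("B", F(1, 2), A_LAST, 0),
        ("B", F(1, 4), 1, A_LAST))

def value(node):
    """Node value: probability of hitting a 1-leaf once in the node."""
    if isinstance(node, int):
        return F(node)
    _, p1, c0, c1 = node
    return (1 - p1) * value(c0) + p1 * value(c1)

def biased_continuation(node):
    """Tree of (attacker A, honest B), with A attacking towards 1.

    At a node A controls, A's next bit is the one sent in an honest
    continuation sampled conditioned on ending in a 1-leaf, so
    Pr[bit = 1] becomes p1 * value(child1) / value(node).
    """
    if isinstance(node, int):
        return node
    who, p1, c0, c1 = node
    if who == "A" and value(node) > 0:
        p1 = p1 * value(c1) / value(node)
    return (who, p1, biased_continuation(c0), biased_continuation(c1))

def optimal_for_a(node):
    """Value under A's optimal (unbounded) attack towards 1, B honest."""
    if isinstance(node, int):
        return F(node)
    who, p1, c0, c1 = node
    if who == "A":
        return max(optimal_for_a(c0), optimal_for_a(c1))
    return (1 - p1) * optimal_for_a(c0) + p1 * optimal_for_a(c1)

def recursion_values(tree, rounds):
    """Outcome-1 probability after 0, 1, ..., rounds recursive attacks."""
    vals = [value(tree)]
    for _ in range(rounds):
        tree = biased_continuation(tree)
        vals.append(value(tree))
    return vals

if __name__ == "__main__":
    print([str(v) for v in recursion_values(TREE, 3)], optimal_for_a(TREE))
```

Each recursion level moves the probability of outcome 1 closer to the optimal attacker's value on this tree; the exact computation here enumerates the whole tree, which is the inefficiency the talk addresses by approximating the sampling step.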
