Presentation is loading. Please wait.

Presentation is loading. Please wait.

Iftach Haitner and Eran Omri Coin Flipping with Constant Bias Implies One-Way Functions TexPoint fonts used in EMF. Read the TexPoint manual before you.

Published byRosemary Melton Modified over 8 years ago

Similar presentations

Presentation on theme: "Iftach Haitner and Eran Omri Coin Flipping with Constant Bias Implies One-Way Functions TexPoint fonts used in EMF. Read the TexPoint manual before you."— Presentation transcript:

1 Iftach Haitner and Eran Omri Coin Flipping with Constant Bias Implies One-Way Functions TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A AA

2 Cryptography Implies One-Way Functions (Almost all) Complexity-based cryptography is known to imply one-way functions [Impagliazzo-Luby ‘89] One-way functions (OWFs): efficiently computable functions that no efficient algorithm can invert with more than negligible probability The characterization of coin-flipping protocols is not (fully) known 2

3 Coin Flipping Protocols An efficient two-party protocol (A,B) 1. Pr[(A,B)(1 n )= ‘1’] = Pr[(A,B)(1 n ) = ‘0’] = ½ 2. For any PPT A and b 2 {0,1}, Pr [(A,B ) (1 n ) =‘b’ ] · ½ + negl(n) (same for B ) Numerous applications (Zero-knowledge Proofs, Secure Function Evaluation…) ± -bias coin flipping: 2. Pr [(A,B ) (1 n ) = ‘b’ ] · ½ + ± (n) Implied by OWFs [Naor ‘89, Håstad et. al ‘90] Does coin flipping imply OWFs?

4 Known Results Almost-optimal (i.e., negl(n)-bias) CF implies OWFs [IL ‘89] Non-trivial (i.e., (½ -1/poly(n))-bias) constant-round CF implies OWFs [Maji et. al ‘10] Constant-bias (¼ -1/poly(n)) CF implies P  NP [Maji et. Al ‘10] Non-trivial CF implies P  PSPACE All the above results hold wrt weak coin flipping: Pr [(A,B ) (1 n ) = ‘0’ ] · ½ + ± (n) Pr [( A, B) (1 n ) = ‘1’ ] · ½ + ± (n) Weaker security guarantee, yet has many applications 4

5 Our Result Main thm: Constant-bias (1/√2-½-1/poly(n)) coin flipping implies OWFs  1/√2 - ½ = 0.207… Main lemma: Assume that OWFs do not exist, then for any (unbiased) coin-flipping protocol (A,B) and any b 2 {0,1}, exist efficient strategies A and B s.t. Pr[ (A,B ) (1 n )= ‘b’] > 1/√2 -1/poly(n), or Pr[ ( A, B) (1 n )= ‘b’] > 1/√2 -1/poly(n) 5

6 The Constant 1/√2 - ½ The right bound for two-side attackers (even unbounded ones) (1/√2 - ½ + ² )-bias coin-flipping implies ² -bias weak coin-flipping [Chaillou and Kerenidis ‘09] Quantum (1/√2-½)-bias coin-flipping exists, and is optimal [Kitaev ’03, Chaillou and Kerenidis ’09] 6

7 Proving the Main Lemma Main lemma: Assume that OWFs do not exist, then for any (unbiased) coin-flipping protocol (A,B) and any b 2 {0,1}, exist efficient strategies A and B s.t. Pr[out( A,B)(1 n ) = ‘b’] > 1/√2 -1/poly(n), or Pr[out(A, B )(1 n ) = ‘b’] > 1/√2 -1/poly(n) Rest of the talk: Define unbounded strategies for A and B Approximate these strategies efficiently using OWF inverter 7

8 The Random Continuation Attack Fix n and b=1. Define A as Claim: Pr out (A,B ) [‘1’] ¸ 1/√2 or Pr out ( A, B) [‘1’] ¸ 1/√2 8 Given a transcript ®, A picks a uniform value for (r A,r B ) s.t. 1.(A(r A ),B(r B )) is consistent with ® 2.out(A(r A ),B(r B )) = ‘1’ Sends A(r A )’s reply on ® Given a transcript ®, A picks a uniform value for (r A,r B ) s.t. 1.(A(r A ),B(r B )) is consistent with ® 2.out(A(r A ),B(r B )) = ‘1’ Sends A(r A )’s reply on ®

9 The Protocol (A, B) The prob. of any 1-transcript wrt (A,B), is twice its prob. wrt (A,B) More generally, for any (possibly partial) transcript ® let v[ ® ] = Pr out(A,B) [‘1’| ® ], then 1. Pr (A, B) [ ® ] = 2 ¢ v[ ® ] ¢ Pr (A,B) [ ® ] 9

10 Pr (A, B) [ ® ] = 2 ¢ V[ ® ] ¢ Pr (A,B) [ ® ] V[ ® ] =Pr (A,B) [‘1’| ® ] Execution tree T of (A,B), labeled by v[ ® ]/ Pr (A,B) [ ® ] (messages are bits, and full transcripts determine the parties’ random coins) (A,B) uniformly picks a (full) path in T Pr (A,B) [ ® ]: # of paths visiting ® # of paths in T v[ ® ]: # of 1-paths visiting ® # of paths visiting ® (A,B) uniformly picks a 1-path in T Pr (A, B) [ ® ]: # of 1-paths visiting ® # of 1-paths in T 10 ½ / 1 ?/ ½ 10 0 1 … 0/ ? 1/ ? 0/ ? …

11 The Protocol (A, B) The prob. of any 1-transcript wrt (A,B), is twice its prob. wrt (A,B) More generally, for any (possibly partial) transcript ®, let v[ ® ] =Pr out(A,B) [‘1’| ® ], then 1. Pr (A, B) [ ® ] = 2 ¢ v[ ® ] ¢ Pr (A,B) [ ® ] 2. Compensation Lemma (slightly simplified): For any frontier* L of transcripts Pr (A,B) [L] ¢ Pr (A,B) [L] = Pr (A,B ) [L] ¢ Pr ( A, B) [L] * No transcript in L has prefix in L 11

12 Pr (A,B) [L] ¢ Pr (A,B) [L] = Pr (A,B ) [L] ¢ Pr ( A, B) [L] We prove for L ={’01’} k (X,Y) [b| ® ] = Pr (X,Y) [ ® ± b| ® ] (prob. of taking edge b from ® ) Pr (X,Y) [01] = k (X,Y) [0] ¢ k (X,Y) [1|0] Pr (A,B) [01] = k (A,B) [0] ¢ k (A,B) [1|0] ) ½ / 1 ?/ ½ 10 0 1 … ?/ ? A B

13 The Protocol (A, B) The prob. of any 1-transcript wrt (A,B), is twice its prob. wrt (A,B) More generally, for any (possibly partial) transcript ®, let v[ ® ] =Pr out(A,B) [‘1’| ® ], then 1. Pr (A, B) [ ® ] = 2 ¢ v[ ® ] ¢ Pr (A,B) [ ® ] 2. Compensation Lemma (slightly simplified): For an frontier L of transcripts Pr (A,B) [L] ¢ Pr (A,B) [L] = Pr (A,B ) [L] ¢ Pr ( A, B) [L] 1-leaves = { ® 2 T: ® is a full transcript and v[ ® ] =1} Pr (A, B) [1-Leaves] = 2 ¢ Pr (A,B) [1-leaves] =1 ) Pr (A,B ) [1-leaves] ¢ Pr ( A, B) [1-leaves] = ½ 13

14 Efficient Strategies A needs to sample (r A,r B ) efficiently (given OWFs inverter) Define f(r A,r B,i) = ( ® (r A,r B ) 1,,i,v[ ® ]) ® (r A,r B ) is the (full) transcript generated by (A(r A ),B(r B )) To sample (r A,r B ), A returns a random preimage of ( ®,1) Assuming OWFs do not exist, this can be done efficiently for unifromly chosen outputs of f [IL ‘89] Problem: the distribution induced by (A,B ) might be far from uniform Given a transcript ®, A picks a uniform value for (r A,r B ) s.t. 1.(A(r A ),B(r B )) is consistent with ® 2.out(A(r A ),B(r B )) = ‘1’ Sends A(r A )’s reply on ® Given a transcript ®, A picks a uniform value for (r A,r B ) s.t. 1.(A(r A ),B(r B )) is consistent with ® 2.out(A(r A ),B(r B )) = ‘1’ Sends A(r A )’s reply on ®

15 Two Types of Non-Typical Queries f(r A,r B,i) = ( ® (r A,r B ) 1,,i,v[ ® ]) Low-Value Transcripts LowVal = { ® 2 T: v[ ® ] < ± }, where ± is small (e.g., 0.001) Pr[f(U) = ( ®,1) Æ ® 2 LowVal] < ± Biased Transcripts Biased A = { ® 2 T: Pr (A, B ) [ ® ] > c ¢ Pr ( A,B ) [ ® ]} where c is large (e.g., 1000) Pr[f(U) = ( ®, ¢ ) Æ ® 2 Biased A ] = Pr ( A,B ) [Biased A ] < 1/c 15

16 Low-Value Transcripts LowVal ={ ® 2 T: v[ ® ]< ± } Pr (A,B) [LowVal] = 2 ¢  ® 2 LowVal v[ ® ] ¢ Pr ( A,B ) [ ® ] < 2 ± ¢  ® 2 LowVal Pr ( A,B ) [ ® ] · 2 ± Yet, it might be that Pr (A, B ) [LowVal] is large ) the success of (A,B ) depends on succeeding on inverting f on LowVal We prove that A does “well enough”, even if it always fails on LowVal 16

17 Low-Value Transcripts cont. LowVal A ={ ® 2 LowVal Æ Pr (A, B ) [ ® ] > Pr (A,B) [ ® ]} (hence, Pr (A, B ) [LowVal A ] > Pr (A,B) [LowVal A ]) Since Pr (A,B) [ LowVal A ]<2 ±, Compensation Lemma yields Pr ( A,B) [LowVal A ] < 2 ± Let ® be in (the frontier of) LowVal A Even when both A and B fail on LowVal A Pr out (A,B ) [‘1’] ¸ 1/√2 - ± or Pr out ( A, B) [‘1’] ¸ 1/√2 - 2 ± This also holds wrt the original protocol … 101010 B

18 Biased Transcripts Biased A = { ® 2 T : Pr (A, B ) [ ® ] > c ¢ Pr ( A,B ) [ ® ]} Pr ( A,B ) [Biased A ] < 1/c Since Pr (A,B) [Biased A ] = 2 ¢  ® 2 Biassed A v[ ® ] ¢ Pr ( A,B ) [ ® ] · 2 ¢ Pr ( A,B ) [Biased A ] < 2/c the Compensation Lemma yields that Pr ( A,B) [Biased A ] < 2/c 18

19 Biased Transcripts cont. Biased A = { ® : Pr (A, B ) [ ® ] > c ¢ Pr ( A,B ) [ ® ]} Pr ( A,B) [Biased A ] < 2/c Let ® 2 Biased A with v[ ® ]= ± Solution: 1. Use larger outcomes 2. Instruct A to take red edges w.p. 1/k Ex [ out ( A,B ) ] ¢ Ex [ out ( A, B ) ] ¸ ½ Even when both A and B fail on Biased A Ex[out ( A,B ) ] ¸ 1/√2 – 1/k or Ex[out ( A, B ) ] ¸ 1/√2 – 2k/c ) Pr out (A,B ) [‘1’] ¸ 1/√2 – 1/k or Pr out ( A, B) [‘1’] ¸ 1/√2 – 2k/c This also holds wrt the original protocol 1010 … 10 ½ 10 0 1/k 1-1/k 0 ½ B A

20 Summary Constant-bias coin flipping implies OWFs Slightly increasing the constant (by 1/poly(n)), would yield a similar result for weak coin flipping Interesting connection between Quantum coin flipping and our current knowledge of plain model coin flipping Challenge: prove that any non-trivial coin flipping implies OWFs

Download ppt "Iftach Haitner and Eran Omri Coin Flipping with Constant Bias Implies One-Way Functions TexPoint fonts used in EMF. Read the TexPoint manual before you."

Similar presentations

Merkle Puzzles Are Optimal

Merkle Puzzles Are Optimal
Limitations of Quantum Advice and One-Way Communication Scott Aaronson UC Berkeley IAS Useful?

Limitations of Quantum Advice and One-Way Communication Scott Aaronson UC Berkeley IAS Useful?
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,

Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,
The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement Allison Lewko The University of Texas at Austin TexPoint fonts used in.

The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement Allison Lewko The University of Texas at Austin TexPoint fonts used in.
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
A Parallel Repetition Theorem for Any Interactive Argument Or On the Benefits of Cutting Your Argument Short Iftach Haitner Microsoft Research New England.

A Parallel Repetition Theorem for Any Interactive Argument Or On the Benefits of Cutting Your Argument Short Iftach Haitner Microsoft Research New England.
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.

1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Study Group Randomized Algorithms 21 st June 03. Topics Covered Game Tree Evaluation –its expected run time is better than the worst- case complexity.

Study Group Randomized Algorithms 21 st June 03. Topics Covered Game Tree Evaluation –its expected run time is better than the worst- case complexity.
Small Subgraphs in Random Graphs and the Power of Multiple Choices The Online Case Torsten Mütze, ETH Zürich Joint work with Reto Spöhel and Henning Thomas.

Small Subgraphs in Random Graphs and the Power of Multiple Choices The Online Case Torsten Mütze, ETH Zürich Joint work with Reto Spöhel and Henning Thomas.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.

The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

Similar presentations

Ads by Google