An Optimally Fair Coin Toss

Tal Moran, Moni Naor, Gil Segev

Abstract

We address one of the foundational problems in cryptography: the bias of coin-flipping protocols. Coin-flipping protocols allow mutually distrustful parties to generate a common unbiased random bit, guaranteeing that even if one of the parties is malicious, it cannot significantly bias the output of the honest party. A classical result by Cleve [STOC '86] showed that for any two-party r-round coin-flipping protocol there exists an efficient adversary that can bias the output of the honest party by $\Omega(1/r)$. However, the best previously known protocol only guarantees $O(1/\sqrt{r})$ bias, and the question of whether Cleve's bound is tight has remained open for more than twenty years.

In this paper we establish the optimal trade-off between the round complexity and the bias of two-party coin-flipping protocols. Under standard assumptions (the existence of oblivious transfer), we show that Cleve's lower bound is tight: we construct an r-round protocol with bias $O(1/r)$.

A preliminary version of this work appeared in Proceedings of the 6th Theory of Cryptography Conference (TCC), pages 1-18.

Efi Arazi School of Computer Science, IDC Herzliya. Email: talm@idc.ac.il. Supported by the European Union's Seventh Framework Programme (FP7) via a Marie Curie Career Integration Grant and by the Israel Science Foundation (Grant No. 1790/13). Most of this work was done while the author was a Ph.D. student at the Weizmann Institute of Science.

Incumbent of the Judith Kleeman Professorial Chair, Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100, Israel. Email: moni.naor@weizmann.ac.il. Research supported in part by a grant from the I-CORE Program of the Planning and Budgeting Committee, the Israel Science Foundation, BSF and the Israel Ministry of Science and Technology.

School of Computer Science and Engineering, Hebrew University of Jerusalem, Jerusalem 91904, Israel. Email: segev@cs.huji.ac.il. Supported by the European Union's Seventh Framework Programme (FP7) via a Marie Curie Career Integration Grant, by the Israel Science Foundation (Grant No. 483/13), and by the Israel Centers of Research Excellence (I-CORE) Program (Center No. 4/11). Most of this work was done while the author was a Ph.D. student at the Weizmann Institute of Science.

1 Introduction

A coin-flipping protocol allows mutually distrustful parties to generate a common unbiased random bit. Such a protocol should satisfy two properties. First, when all parties are honest and follow the instructions of the protocol, their common output is a uniformly distributed bit. Second, even if some of the parties collude and deviate from the protocol's instructions, they should not be able to significantly bias the common output of the honest parties.

When a majority of the parties are honest, efficient and completely fair coin-flipping protocols are known as a special case of secure multiparty computation with an honest majority [9] (assuming a broadcast channel). When an honest majority is not available, and in particular when there are only two parties, the situation is more complex. Blum's two-party coin-flipping protocol [12] guarantees that the output of the honest party is unbiased only if the malicious party does not abort prematurely (note that the malicious party can decide to abort after learning the result of the coin flip). This satisfies a rather weak notion of fairness in which once the malicious party is labeled as a cheater the honest party is allowed to halt without outputting any value. Blum's protocol relies on any one-way function [26, 34], and Impagliazzo and Luby [28] showed that one-way functions are in fact essential even for such a seemingly weak notion. While this notion suffices for some applications, in many cases fairness is required to hold even if one of the parties aborts prematurely (consider, for example, an adversary that controls the communication channel and can prevent communication between the parties). In this paper we consider a stronger notion: even when the malicious party is labeled as a cheater, we require that the honest party outputs a bit.

Cleve's impossibility result. The latter notion of fairness turns out to be impossible to achieve in general. Specifically, Cleve [14] showed that for any two-party r-round coin-flipping protocol there exists an efficient adversary that can bias the output of the honest party by $\Omega(1/r)$. Cleve's lower bound holds even under arbitrary computational assumptions: the adversary only needs to simulate an honest party, and decide whether or not to abort early depending on the output of the simulation. However, the best previously known protocol (with respect to bias) only guaranteed $O(1/\sqrt{r})$ bias [5, 14], and the question of whether Cleve's bound was tight has remained open for over twenty years.

Fairness in secure computation. The bias of coin-flipping protocols can be viewed as a particular case of the more general framework of fairness in secure computation. Typically, the security of protocols is formalized by comparing their execution in the real model to an execution in an ideal model where a trusted party receives the inputs of the parties, performs the computation on their behalf, and then sends all parties their respective outputs. Executions in the ideal model guarantee complete fairness: either all parties learn the output, or neither party does. Cleve's result, however, shows that without an honest majority complete fairness is generally impossible to achieve, and therefore the formulation of secure computation (see [19]) weakens the ideal model to one in which fairness is not guaranteed. Informally, a protocol is secure-with-abort if its execution in the real model is indistinguishable from an execution in the ideal model allowing the ideal-model adversary to choose whether the honest parties receive their outputs (this is the notion of security satisfied by Blum's coin-flipping protocol).

Recently, Katz [29] suggested an alternate relaxation: keep the ideal model unchanged (i.e., all parties always receive their outputs), but relax the notion of indistinguishability by asking that the real model and ideal model are distinguishable with probability at most $1/p(n) + \nu(n)$, for a polynomial $p(n)$ and a negligible function $\nu(n)$ (we refer the reader to Section 2 for a formal definition). Protocols satisfying this requirement are said to be 1/p-secure, and intuitively, such protocols guarantee complete fairness in the real model except with probability 1/p. In the context of coin-flipping protocols, any 1/p-secure protocol has bias at most 1/p. However, the definition of 1/p-security is more general and applies to a larger class of functionalities.

1.1 Our Contributions

In this paper we establish the optimal trade-off between the round complexity and the bias of two-party coin-flipping protocols. We prove the following theorem:

Theorem 1.1. Assuming the existence of oblivious transfer, for any polynomial $r = r(n)$ there exists an r-round two-party coin-flipping protocol that is $1/(4r - c)$-secure, for some constant $c > 0$.

We prove the security of our protocol under the simulation-based definition of 1/p-security¹, which for coin-flipping protocols implies, in particular, that the bias is at most 1/p. We note that our result not only identifies the optimal trade-off asymptotically, but almost pins down the exact leading constant: Cleve showed that any r-round two-party coin-flipping protocol has bias at least $1/(8r + 2)$, and we manage to achieve bias of at most $1/(4r - c)$ for some constant $c > 0$.

Our approach holds in fact for a larger class of functionalities. We consider the more general task of sampling from a distribution $D = (D_1, D_2)$: party $P_1$ receives a sample from $D_1$ and party $P_2$ receives a correlated sample from $D_2$ (in coin-flipping, for example, the joint distribution $D$ produces the values $(0, 0)$ and $(1, 1)$ each with probability 1/2). Before stating our result in this setting we introduce a standard notation: we denote by $\mathrm{SD}(D, D_1 \otimes D_2)$ the statistical distance between the joint distribution $D = (D_1, D_2)$ and the direct-product of the two marginal distributions $D_1$ and $D_2$. We prove the following theorem which generalizes Theorem 1.1:

Theorem 1.2. Assuming the existence of oblivious transfer, for any polynomially-sampleable distribution $D = (D_1, D_2)$ and polynomial $r = r(n)$ there exists an r-round two-party protocol for sampling from $D$ that is $\frac{\mathrm{SD}(D, D_1 \otimes D_2)}{2r - c}$-secure, for some constant $c > 0$.
Our approach raises several open questions that are fundamental to the understanding of coin-flipping protocols. These questions include identifying the minimal computational assumptions that are essential for reaching the optimal trade-off (i.e., one-way functions vs. oblivious transfer), extending our approach to the multiparty setting, and constructing a more efficient variant of our protocol that can result in a practical implementation. We elaborate on these questions in Section 5, and hope that our approach and the questions it raises can make progress towards resolving the complexity of coin-flipping protocols.

¹ In a preliminary version of this work we proved our results with respect to the definition of bias (see Section 2), and motivated by [29, 22] we switch to the more general framework of 1/p-secure computation.

1.2 Related Work

Coin-flipping protocols. When security with abort is sufficient, simple variations of Blum's protocol are the most commonly used coin-flipping protocols. For example, an r-round protocol with bias $O(1/\sqrt{r})$ can be constructed by sequentially executing Blum's protocol $O(r)$ times, and outputting the majority of the intermediate output values [5, 14]. We note that in this protocol an adversary can indeed bias the output by $\Omega(1/\sqrt{r})$ by aborting prematurely. One of the most significant results on the bias of coin-flipping protocols gave reason to believe that the optimal trade-off between the round complexity and the bias is in fact $\Theta(1/\sqrt{r})$ (as provided by the latter variant of Blum's protocol): Cleve and Impagliazzo [15] showed that in the fail-stop model, any two-party r-round coin-flipping protocol has bias $\Omega(1/\sqrt{r})$. In the fail-stop model adversaries are computationally unbounded, but they must follow the instructions of the protocol except for being allowed to abort prematurely.

Coin-flipping protocols were also studied in a variety of other models. Among those are collective coin-flipping in the perfect information model in which parties are computationally unbounded and all communication is public [2, 10, 18, 35, 36], and protocols based on physical assumptions, such as quantum computation [1, 3, 4] and tamper-evident seals [33].

Fair computation. The techniques underlying our protocols were directly inspired by a recent line of research devoted to achieving various forms of fairness in secure computation. Specifically, the technique of choosing a secret threshold round, before which no information is learned, and after which aborting the protocol is essentially useless was suggested by Moran and Naor [33] as part of a coin-flipping protocol based on tamper-evident seals, by Katz [29] for partially-fair protocols using a simultaneous broadcast channel, and by Gordon et al. [20] for completely-fair protocols for a restricted (but yet rather surprising) class of functionalities. Various techniques for hiding a meaningful round in game-theoretic settings were suggested by Halpern and Teague [25], Gordon and Katz [21], and Kol and Naor [30]. Katz [29] also introduced the technique of distributing shares to the parties in an initial setup phase (which is only secure-with-abort), and these shares are then exchanged by the parties in each round of the protocol.

1.3 Subsequent Work

Multiparty coin flipping. Beimel, Omri and Orlov generalized our two-party protocol to the multi-party case where fewer than 2/3 of the parties are corrupt [7]. They showed an m-party r-round protocol that can tolerate t corrupt parties where $m/2 \le t < 2m/3$ with bias $O(2^{2^{k+1}}/r')$, where $r' = r - O(k)$ and $k = 2t - m$. In particular, when t and m are constant but r grows with n, this gives a protocol with $O(1/r)$ bias. Recently, Haitner and Tsfadia [24] managed to break the 2/3 barrier with the construction of a protocol for three parties with bias $O(\log^2 r / r)$.
Their protocol requires a new technique: rather than relying on a special round at which the value of the game changes abruptly for the parties (i.e., the expected output of the game is 1/2 before this round, and either 0 or 1 afterwards), the new protocol smoothly changes the value of the game. Haitner and Tsfadia show that this is necessary when there are more than two parties and arbitrary coalitions may be corrupted. Their results seem somewhat limited, however, to three parties; dealing with more than three parties and arbitrary corruptions remains an open problem (Haitner and Tsfadia conjecture that their technique can be extended to a logarithmic number of parties).

1/p-secure computation. Our results were recently extended by Gordon and Katz [22] to deal with the more general case of randomized functions, and not only distributions. Gordon and Katz showed that any efficiently-computable randomized function $f : X \times Y \to Z$ where at least one of $X$ and $Y$ is of polynomial size has an r-round protocol that is $O(\min\{|X|, |Y|\}/r)$-secure. In addition, they showed that even if both domains are of super-polynomial size but the range $Z$ is of polynomial size, then $f$ has an r-round protocol that is $O(|Z|/\sqrt{r})$-secure. Gordon and Katz also showed a specific function $f : X \times Y \to Z$ where $X$, $Y$, and $Z$ are of size super-polynomial which cannot be 1/p-securely computed for any $p > 2$ assuming the existence of exponentially-hard one-way functions.

These results were further extended by Beimel et al. [6] to the multiparty setting. For a constant number of parties and any function $f$ with range of size polynomial in the security parameter, Beimel et al. show that there exists a protocol for 1/p-secure computation of $f$ tolerating any number of corrupt parties. Moreover, if the number of corrupted parties is less than 2/3, they construct a protocol that can handle a super-constant number of parties (up to $\log \log n$), as long as the domain of $f$ is of constant size. In the other direction, Beimel et al. show that no protocols exist for 1/p-secure computation of functions with polynomial-size domain if the number of parties is super-constant.

Coin flipping vs. one-way functions. Our work shows how to construct an optimally-fair coin-flipping protocol based on oblivious transfer, but it has left open the question of finding the minimal assumptions necessary for optimally-fair coin flipping. The work of Dachman-Soled et al. [16] took a step toward answering this question by showing that any black-box construction of an optimally-fair coin-flipping protocol based on a one-way function with n-bit input and output needs $\Omega(n/\log n)$ rounds. Subsequently, Dachman-Soled et al. [17] took another step towards understanding the complexity of optimally-fair coin-flipping by showing that this task (with an arbitrary number of rounds) cannot be based on one-way functions in a black-box way, as long as the protocol is oblivious to the implementation of the one-way function (we refer the reader to [17] for more details on their notion of obliviousness).

Surprisingly, an even more fundamental question is still open: are one-way functions necessary at all for constructing fair coin-flipping protocols? While Impagliazzo and Luby [28] gave a positive answer for protocols with negligible bias, only recently have we begun to close the gap with regards to protocols that guarantee only non-negligible bias. Maji et al. showed that one-way functions are required for constant-round protocols with bias $1/2 - o(1)$ [32]. Haitner and Omri [23] showed that strong coin-flipping protocols with bias and any number of rounds imply one way functions. Berman et al. [11] subsequently improved this result, proving that coin-flipping protocols with any constant bias and any number of rounds imply one-way functions (the stronger result also applies to weak coin-flipping protocols).
The question of whether protocols with non-constant bias and non-constant rounds can be constructed without one-way functions is still open, to the best of our knowledge.

1.4 Paper Organization

The remainder of this paper is organized as follows. In Section 2 we review several notions and definitions that are used in the paper (most notably, the definition of 1/p-secure computation). In Section 3 we describe a simplified variant of our protocol and prove its security. In Section 4 we describe a more refined and general variant of our protocol which settles Theorems 1.1 and 1.2. Finally, in Section 5 we discuss several open problems.

2 Preliminaries

In this section we review the definitions of coin-flipping protocols, 1/p-indistinguishability and 1/p-secure computation (taken almost verbatim from [22, 29]), security with abort, and one-time message authentication.

2.1 Coin-Flipping Protocols

A two-party coin-flipping protocol is defined via two probabilistic polynomial-time Turing machines $(P_1, P_2)$, referred to as parties, that receive as input a security parameter $1^n$. The parties exchange messages in a sequence of rounds, where in every round each party both sends and receives a message (i.e., a round consists of two moves). At the end of the protocol, $P_1$ and $P_2$ produce output bits $c_1$ and $c_2$, respectively. We denote by $(c_1 | c_2) \leftarrow \langle P_1(1^n), P_2(1^n) \rangle$ the experiment in which $P_1$ and $P_2$ interact (using uniformly chosen random coins), and then $P_1$ outputs $c_1$ and $P_2$ outputs $c_2$. It is required that for all sufficiently large n, and every possible pair $(c_1, c_2)$ that may be output by $\langle P_1(1^n), P_2(1^n) \rangle$, it holds that $c_1 = c_2$ (i.e., $P_1$ and $P_2$ agree on a common value). This requirement can be relaxed by asking that the parties agree on a common value with sufficiently high probability².

The security requirement of a coin-flipping protocol is that even if one of $P_1$ and $P_2$ is corrupted and arbitrarily deviates from the protocol's instructions, the bias of the honest party's output remains bounded. Specifically, we emphasize that a malicious party is allowed to abort prematurely, and in this case it is assumed that the honest party is notified on the early termination of the protocol. In addition, we emphasize that even when the malicious party is labeled as a cheater, the honest party must output a bit. For simplicity, the following definition considers only the case in which $P_1$ is corrupted, and an analogous definition holds for the case that $P_2$ is corrupted:

Definition 2.1. A coin-flipping protocol $(P_1, P_2)$ has bias at most $\epsilon(n)$ if for every probabilistic polynomial-time Turing machine $P_1^*$ it holds that

$$\left| \Pr\left[ (c_1 | c_2) \leftarrow \langle P_1^*(1^n), P_2(1^n) \rangle : c_2 = 1 \right] - \frac{1}{2} \right| \le \epsilon(n) + \nu(n),$$

for some negligible function $\nu(n)$ and for all sufficiently large n.

2.2 1/p-Indistinguishability and 1/p-Secure Computation

1/p-Indistinguishability. A distribution ensemble $X = \{X(a, n)\}_{a \in D_n, n \in \mathbb{N}}$ is an infinite sequence of random variables indexed by $a \in D_n$ and $n \in \mathbb{N}$, where $D_n$ is a set that may depend on n. For a fixed polynomial $p(n)$, two distribution ensembles $X = \{X(a, n)\}_{a \in D_n, n \in \mathbb{N}}$ and $Y = \{Y(a, n)\}_{a \in D_n, n \in \mathbb{N}}$ are computationally 1/p-indistinguishable, denoted $X \overset{1/p}{\approx} Y$, if for every non-uniform polynomial-time algorithm $D$ there exists a negligible function $\nu(n)$ such that for all sufficiently large $n \in \mathbb{N}$ and for all $a \in D_n$ it holds that

$$\left| \Pr[D(X(a, n)) = 1] - \Pr[D(Y(a, n)) = 1] \right| \le \frac{1}{p(n)} + \nu(n).$$

1/p-Secure computation.
A two-party protocol for computing a functionality $F = \{(f^1, f^2)\}$ is a protocol running in polynomial time and satisfying the following functional requirement: if party $P_1$ holds input $(1^n, x)$, and party $P_2$ holds input $(1^n, y)$, then the joint distribution of the outputs of the parties is statistically close to $(f^1(x, y), f^2(x, y))$. In what follows we define the notion of 1/p-secure computation [22, 29]. The definition uses the real/ideal paradigm (following [13, 19, 27]) where we consider a completely fair ideal model (as typically considered in the setting of honest majority), and require only 1/p-indistinguishability rather than indistinguishability (we note that, in general, the notions of 1/p-security and security-with-abort are incomparable). We consider active adversaries, who may deviate from the protocol in an arbitrary manner, and static corruptions.

Security of protocols (informal). The security of a protocol is analyzed by comparing what an adversary can do in a real protocol execution to what it can do in an ideal scenario that is secure by definition. This is formalized by considering an ideal computation involving an incorruptible trusted party to whom the parties send their inputs. The trusted party computes the functionality on the inputs and returns to each party its respective output. Loosely speaking, a protocol is secure if any adversary interacting in the real protocol (where no trusted party exists) can do no more harm than if it was involved in the above-described ideal computation.

² Cleve's lower bound [14] holds under this relaxation as well. Specifically, if the parties agree on a common value with probability $1/2 + \epsilon$, then Cleve's proof shows that the protocol has bias at least ϵ/4r

Execution in the ideal model. The parties are $P_1$ and $P_2$, and there is an adversary $A$ who has corrupted one of them. An ideal execution for the computation of $F = \{f_n\}$ proceeds as follows:

Inputs: $P_1$ and $P_2$ hold the security parameter $1^n$ and inputs $x \in X_n$ and $y \in Y_n$, respectively. The adversary $A$ receives an auxiliary input aux.

Send inputs to trusted party: The honest party sends its input to the trusted party. The corrupted party may send an arbitrary value (chosen by $A$) to the trusted party. Denote the pair of inputs sent to the trusted party by $(x', y')$.

Trusted party sends outputs: If $x' \notin X_n$ the trusted party sets $x'$ to some default element $x_0 \in X_n$ (and likewise if $y' \notin Y_n$). Then, the trusted party chooses r uniformly at random and sends $f_n^1(x', y'; r)$ to $P_1$ and $f_n^2(x', y'; r)$ to $P_2$.

Outputs: The honest party outputs whatever it was sent by the trusted party, the corrupted party outputs nothing, and $A$ outputs any arbitrary (probabilistic polynomial-time computable) function of its view.

We let $\mathrm{IDEAL}_{F,A(\mathrm{aux})}(x, y, n)$ be the random variable consisting of the view of the adversary and the output of the honest party following an execution in the ideal model as described above.

Execution in the real model. We now consider the real model in which a two-party protocol $\pi$ is executed by $P_1$ and $P_2$ (and there is no trusted party). The protocol execution is divided into rounds; in each round one of the parties sends a message. The honest party computes its messages as specified by $\pi$. The messages sent by the corrupted party are chosen by the adversary, $A$, and can be an arbitrary (polynomial-time) function of the corrupted party's inputs, random coins, and the messages received from the honest party in previous rounds. If the corrupted party aborts in one of the protocol rounds, the honest party behaves as if it had received a special $\bot$ symbol in that round.

Let $\pi$ be a two-party protocol computing $F$.
Let $A$ be a non-uniform probabilistic polynomial-time machine with auxiliary input aux. We let $\mathrm{REAL}_{\pi,A(\mathrm{aux})}(x, y, n)$ be the random variable consisting of the view of the adversary and the output of the honest party, following an execution of $\pi$ where $P_1$ begins by holding input $(1^n, x)$, and $P_2$ begins by holding input $(1^n, y)$.

Security as emulation of an ideal execution in the real model. Having defined the ideal and real models, we can now define security of a protocol. Loosely speaking, the definition asserts that a secure protocol (in the real model) emulates the ideal model (in which a trusted party exists). This is formulated as follows:

Definition 2.2 (1/p-secure computation). Let $F$ and $\pi$ be as above, and fix a function $p = p(n)$. Protocol $\pi$ is said to 1/p-securely compute $F$ if for every non-uniform probabilistic polynomial-time adversary $A$ in the real model, there exists a non-uniform probabilistic polynomial-time adversary $S$ in the ideal model such that

$$\left\{ \mathrm{IDEAL}_{F,S(\mathrm{aux})}(x, y, n) \right\}_{(x,y) \in X \times Y,\ \mathrm{aux} \in \{0,1\}^*} \overset{1/p}{\approx} \left\{ \mathrm{REAL}_{\pi,A(\mathrm{aux})}(x, y, n) \right\}_{(x,y) \in X \times Y,\ \mathrm{aux} \in \{0,1\}^*}$$

and the same party is corrupted in both the real and ideal models.

2.3 Security With Abort

In what follows we use the standard notion of computational indistinguishability. That is, two distribution ensembles $X = \{X(a, n)\}_{a \in D_n, n \in \mathbb{N}}$ and $Y = \{Y(a, n)\}_{a \in D_n, n \in \mathbb{N}}$ are computationally indistinguishable, denoted $X \overset{c}{=} Y$, if for every non-uniform polynomial-time algorithm $D$ there exists a negligible function $\nu(n)$ such that for all sufficiently large $n \in \mathbb{N}$ and for all $a \in D_n$ it holds that

$$\left| \Pr[D(X(a, n)) = 1] - \Pr[D(Y(a, n)) = 1] \right| \le \nu(n).$$

Security with abort is the standard notion for secure computation where an honest majority is not available. The definition is similar to the definition of 1/p-security presented in Section 2.2, with the following two exceptions: (1) the ideal-model adversary is allowed to choose whether the honest parties receive their outputs (i.e., fairness is not guaranteed), and (2) the ideal model and real model are required to be computationally indistinguishable. Specifically, the execution in the real model is as described in Section 2.2, and the execution in the ideal model is modified as follows:

Inputs: $P_1$ and $P_2$ hold the security parameter $1^n$ and inputs $x \in X_n$ and $y \in Y_n$, respectively. The adversary $A$ receives an auxiliary input aux.

Send inputs to trusted party: The honest party sends its input to the trusted party. The corrupted party controlled by $A$ may send any value of its choice. Denote the pair of inputs sent to the trusted party by $(x', y')$.

Trusted party sends output to corrupted party: If $x' \notin X_n$ the trusted party sets $x'$ to some default element $x_0 \in X_n$ (and likewise if $y' \notin Y_n$). Then, the trusted party chooses r uniformly at random, computes $z^1 = f_n^1(x', y'; r)$ and $z^2 = f_n^2(x', y'; r)$, and sends $z^i$ to the corrupted party $P_i$ (i.e., to the adversary $A$).

Adversary decides whether to abort: After receiving its output the adversary sends either abort or continue to the trusted party. In the former case the trusted party sends $\bot$ to the honest party $P_j$, and in the latter case the trusted party sends $z^j$ to $P_j$.

Outputs: The honest party outputs whatever it was sent by the trusted party, the corrupted party outputs nothing, and $A$ outputs any arbitrary (probabilistic polynomial-time computable) function of its view.

We let $\mathrm{IDEAL}^{\mathrm{abort}}_{F,A(\mathrm{aux})}(x, y, n)$ be the random variable consisting of the view of the adversary and the output of the honest party following an execution in the ideal model as described above.

Definition 2.3 (security with abort). Let $F$ and $\pi$ be as above. Protocol $\pi$ is said to securely compute $F$ with abort if for every non-uniform probabilistic polynomial-time adversary $A$ in the real model, there exists a non-uniform probabilistic polynomial-time adversary $S$ in the ideal model such that

$$\left\{ \mathrm{IDEAL}^{\mathrm{abort}}_{F,S(\mathrm{aux})}(x, y, n) \right\}_{(x,y) \in X \times Y,\ \mathrm{aux} \in \{0,1\}^*} \overset{c}{=} \left\{ \mathrm{REAL}_{\pi,A(\mathrm{aux})}(x, y, n) \right\}_{(x,y) \in X \times Y,\ \mathrm{aux} \in \{0,1\}^*}.$$

2.4 One-Time Message Authentication

Message authentication codes provide assurance to the receiver of a message that it was sent by a specified legitimate sender, even in the presence of an active adversary who controls the communication channel. A message authentication code is defined via a triplet (Gen, Mac, Vrfy) of probabilistic polynomial-time Turing machines such that:

1. The key generation algorithm Gen receives as input a security parameter $1^n$, and outputs an authentication key $k$.
2. The authentication algorithm Mac receives as input an authentication key $k$ and a message $m$, and outputs a tag $t$.
3. The verification algorithm Vrfy receives as input an authentication key $k$, a message $m$, and a tag $t$, and outputs a bit $b \in \{0, 1\}$.

The functionality guarantee of a message authentication code is that for any message $m$ it holds that $\mathrm{Vrfy}_k(m, \mathrm{Mac}_k(m)) = 1$ with overwhelming probability over the internal coin tosses of Gen, Mac and Vrfy. In this paper we rely on message authentication codes that are one-time secure. That is, an authentication key is used to authenticate a single message. We consider an adversary that queries the authentication algorithm on a single message $m$ of her choice, and then outputs a pair $(m', t')$. We say that the adversary forges an authentication tag if $m' \ne m$ and $\mathrm{Vrfy}_k(m', t') = 1$. Message authentication codes that are one-time secure exist in the information-theoretic setting, that is, even an unbounded adversary has only a negligible forgery probability. Constructions of such codes can be based, for example, on pair-wise independent hash functions [37].

3 A Simplified Protocol

In order to demonstrate the main ideas underlying our approach, in this section we present a simplified protocol. The simplification is two-fold: First, we consider the specific coin-flipping functionality (as in Theorem 1.1), and not the more general functionality of sampling from an arbitrary distribution $D = (D_1, D_2)$ (as in Theorem 1.2). Second, the coin-flipping protocol will only be $1/(2r)$-secure and not $1/(4r)$-secure.

We describe the protocol in a sequence of refinements. We first informally describe the protocol assuming the existence of a trusted third party. The trusted third party acts as a dealer in a pre-processing phase, sending each party an input that it uses in the protocol. In the protocol we make no assumptions about the computational power of the parties.
We then eliminate the need for the trusted third party by having the parties execute a secure-with-abort protocol that implements its functionality (this can be done in a constant number of rounds).

The protocol. The joint input of the parties, $P_1$ and $P_2$, is the security parameter $1^n$ and a polynomial $r = r(n)$ indicating the number of rounds in the protocol. In the pre-processing phase the trusted third party chooses uniformly at random a value $i^* \in \{1, \ldots, r\}$, that corresponds to the round in which the parties learn their outputs. In every round $i \in \{1, \ldots, r\}$ each party learns one bit of information: $P_1$ learns a bit $a_i$, and $P_2$ learns a bit $b_i$. In every round $i \in \{1, \ldots, i^* - 1\}$ (these are the dummy rounds) the values $a_i$ and $b_i$ are independently and uniformly chosen. In every round $i \in \{i^*, \ldots, r\}$ the parties learn the same uniformly distributed bit $c = a_i = b_i$ which is their output in the protocol. If the parties complete all r rounds of the protocol, then $P_1$ and $P_2$ output $a_r$ and $b_r$, respectively³. Otherwise, if a party aborts prematurely, the other party outputs the value of the previous round and halts. That is, if $P_1$ aborts in round $i \in \{1, \ldots, r\}$ then $P_2$ outputs the value $b_{i-1}$ and halts. Similarly, if $P_2$ aborts in round $i$ then $P_1$ outputs the value $a_{i-1}$ and halts.

³ An alternative approach that reduces the expected number of rounds from $r$ to $r/2 + 1$ is as follows. In round $i^*$ the parties learn their output $c = a_{i^*} = b_{i^*}$, and in round $i^* + 1$ they learn a special value $a_{i^*+1} = b_{i^*+1} = \mathrm{NULL}$ indicating that they should output the value from the previous round and halt. For simplicity (both in the presentation of the protocol and in the proof of security) we chose to present the protocol as always having r rounds, but this is not essential for our results.

More specifically, in the pre-processing phase the trusted third party chooses $i^* \in \{1, \ldots, r\}$ uniformly at random and defines $a_1, \ldots, a_r$ and $b_1, \ldots, b_r$ as follows: First, it chooses $a_1, \ldots, a_{i^*-1} \leftarrow \{0, 1\}$ and $b_1, \ldots, b_{i^*-1} \leftarrow \{0, 1\}$ independently and uniformly at random. Then, it chooses $c \leftarrow \{0, 1\}$ uniformly at random and lets $a_{i^*} = \cdots = a_r = b_{i^*} = \cdots = b_r = c$. The trusted third party creates secret shares of the values $a_1, \ldots, a_r$ and $b_1, \ldots, b_r$ using an information-theoretically-secure 2-out-of-2 secret sharing scheme, and these shares are given to the parties. For concreteness, we use the specific secret-sharing scheme that splits a bit $x$ into $(x^{(1)}, x^{(2)})$ by choosing $x^{(1)} \leftarrow \{0, 1\}$ uniformly at random and letting $x^{(2)} = x \oplus x^{(1)}$. In every round $i \in \{1, \ldots, r\}$ the parties exchange their shares for the current round, which enables $P_1$ to reconstruct $a_i$, and $P_2$ to reconstruct $b_i$. Clearly, when both parties are honest, the parties produce the same output bit which is uniformly distributed.

Eliminating the trusted third party. We eliminate the need for the trusted third party by relying on a possibly unfair sub-protocol that securely computes with abort the functionality $\mathrm{ShareGen}_r$, formally described in Figure 1. Such a protocol with a constant number of rounds can be constructed assuming the existence of oblivious transfer (see, for example, [31]). In addition, our protocol also relies on a one-time message authentication code (Gen, Mac, Vrfy) that is information-theoretically secure. The functionality $\mathrm{ShareGen}_r$ provides the parties with authentication keys and authentication tags so each party can verify that the shares received from the other party were the ones generated by $\mathrm{ShareGen}_r$ in the pre-processing phase. A formal description of the protocol is provided in Figure 2.

Functionality $\mathrm{ShareGen}_r$

Input: Security parameter $1^n$.

Computation:
1. Choose $i^* \in \{1, \ldots, r\}$ uniformly at random.
2. Define values $a_1, \ldots, a_r$ and $b_1, \ldots, b_r$ as follows:
   For $1 \le i \le i^* - 1$ choose $a_i, b_i \leftarrow \{0, 1\}$ independently and uniformly at random.
   Choose $c \leftarrow \{0, 1\}$ uniformly at random, and for $i^* \le i \le r$ let $a_i = b_i = c$.
3. For $1 \le i \le r$, choose $(a_i^{(1)}, a_i^{(2)})$ and $(b_i^{(1)}, b_i^{(2)})$ as random secret shares of $a_i$ and $b_i$, respectively.
4. Compute $k_1^a, \ldots, k_r^a, k_1^b, \ldots, k_r^b \leftarrow \mathrm{Gen}(1^n)$. For $1 \le i \le r$, let $t_i^a = \mathrm{Mac}_{k_i^a}(a_i^{(2)})$ and $t_i^b = \mathrm{Mac}_{k_i^b}(b_i^{(1)})$.

Output:
1. Party $P_1$ receives the values $a_1^{(1)}, \ldots, a_r^{(1)}$, $(b_1^{(1)}, t_1^b), \ldots, (b_r^{(1)}, t_r^b)$, and $k^a = (k_1^a, \ldots, k_r^a)$.
2. Party $P_2$ receives the values $(a_1^{(2)}, t_1^a), \ldots, (a_r^{(2)}, t_r^a)$, $b_1^{(2)}, \ldots, b_r^{(2)}$, and $k^b = (k_1^b, \ldots, k_r^b)$.

Figure 1: The ideal functionality $\mathrm{ShareGen}_r$.

Proof of security. The following theorem states that the protocol is $1/(2r)$-secure. We then conclude the section by showing that our analysis is in fact tight: there exists an efficient adversary that can bias the output of the honest party by essentially $1/(2r)$.

Protocol $\mathrm{CoinFlip}_r$

Joint input: Security parameter $1^n$.

Preliminary phase:

1. Parties $P_1$ and $P_2$ run protocol π for computing $\mathrm{ShareGen}_r(1^n)$ (see Figure 1).
2. If $P_1$ receives from the above computation, it outputs a uniformly chosen bit and halts. Likewise, if $P_2$ receives it outputs a uniformly chosen bit and halts. Otherwise, the parties proceed.
3. Denote the output of $P_1$ from π by $a^{(1)}_1, \ldots, a^{(1)}_r$, $(b^{(1)}_1, t^b_1), \ldots, (b^{(1)}_r, t^b_r)$, and $k^a = (k^a_1, \ldots, k^a_r)$.
4. Denote the output of $P_2$ from π by $(a^{(2)}_1, t^a_1), \ldots, (a^{(2)}_r, t^a_r)$, $b^{(2)}_1, \ldots, b^{(2)}_r$, and $k^b = (k^b_1, \ldots, k^b_r)$.

In each round = 1,..., r do:

1. $P_2$ sends the next share to $P_1$:
   (a) $P_2$ sends a 2, t a to $P_1$.
   (b) $P_1$ receives â 2, ˆt a from $P_2$. If Vrfy k a â 2, ˆt a = 0 (or if $P_1$ received an invalid message or no message), then $P_1$ outputs a 1 and halts (if = 1 it outputs a uniformly chosen bit).
   (c) If Vrfy k a â 2, ˆt a = 1 then $P_1$ reconstructs a using the shares a 1 and â.
2. $P_1$ sends the next share to $P_2$:
   (a) $P_1$ sends b 1, t b to $P_2$.
   (b) $P_2$ receives ˆb1, ˆt b from $P_1$. If Vrfy k b ˆb 1, ˆt b = 0 (or if $P_2$ received an invalid message or no message), then $P_2$ outputs b 1 and halts (if = 1 it outputs a uniformly chosen bit).
   (c) If Vrfy k b ˆb 1, ˆt b = 1 then $P_2$ reconstructs b using the shares b 1 and b 2.

Output: $P_1$ and $P_2$ output $a_r$ and $b_r$, respectively.

Figure 2: The coin-flipping protocol $\mathrm{CoinFlip}_r$.

Theorem 3.1. For any polynomial $r = r(n)$, if protocol π securely computes $\mathrm{ShareGen}_r$ with abort, then protocol $\mathrm{CoinFlip}_r$ is 1/2r-secure.

Proof. We prove the 1/2r-security of protocol $\mathrm{CoinFlip}_r$ in a hybrid model where a trusted party for computing $\mathrm{ShareGen}_r$ with abort is available. Using standard techniques (see [13]), it then follows that when replacing the trusted party computing $\mathrm{ShareGen}_r$ with a sub-protocol that securely computes $\mathrm{ShareGen}_r$ with abort, the resulting protocol is 1/2r-secure.

Specifically, for every polynomial-time hybrid-model adversary A corrupting $P_1$ and running $\mathrm{CoinFlip}_r$ in the hybrid model, we show that there exists a polynomial-time ideal-model adversary S corrupting $P_1$ in the ideal model with access to a trusted party computing the coin-flipping functionality such that the statistical distance between these two executions is at most $1/2r + \nu(n)$, for some negligible function $\nu(n)$. For simplicity, in the remainder of the proof we ignore the aspect of message authentication in the protocol, and assume that the only malicious behavior of the adversary A is early abort. This does not result in any loss of generality, since there is only a negligible probability of forging an authentication tag.

On input $(1^n, \mathrm{aux})$ the ideal-model adversary S invokes the hybrid-model adversary A on $(1^n, \mathrm{aux})$ and queries the trusted party computing the coin-flipping functionality to obtain a bit c. The ideal-model adversary S proceeds as follows:

1. S simulates the trusted party computing the $\mathrm{ShareGen}_r$ functionality by sending A independently and uniformly chosen shares $a^{(1)}_1, \ldots, a^{(1)}_r, b^{(1)}_1, \ldots, b^{(1)}_r$. If A aborts (i.e., if A sends abort to the simulated $\mathrm{ShareGen}_r$ after receiving the shares), then S outputs A's output and halts.
2. S chooses {1,..., r} uniformly at random.
3. In every round {1,..., 1}, S chooses a random bit a, and sends A the share a 2 = a 1 a. If A aborts then S outputs A's output and halts.
4. In every round {,..., r}, S sends A the share a 2 +1 = a1 +1 c (recall that c is the value received from the trusted party computing the coin-flipping functionality). If A aborts then S outputs A's output and halts.
5. At the end of the protocol S outputs A's output and halts.

We now consider the joint distribution of A's view and the output of the honest party $P_2$ in the ideal model and in the hybrid model. There are three cases to consider:

1. A aborts before round. In this case the distributions are identical: in both models the view of the adversary is the sequence of shares, and the sequence of messages up to the round in which A aborted, and the output of $P_2$ is a uniformly distributed bit which is independent of A's view.
2. A aborts in round. In this case A's view is identical in both models, but the distributions of $P_2$'s output given A's view are not identical. In the ideal model, $P_2$ outputs the random bit c that was revealed to A by S in round (recall that c is the bit received from the trusted party computing the coin-flipping functionality). In the hybrid model, however, the output of $P_2$ is the value b 1 which is a random bit that is independent of A's view. Thus, in this case the statistical distance between the two distributions is 1/2. However, this case occurs with probability at most 1/r since in both models is independent of A's view until this round (that is, the probability that A aborts in round is at most 1/r).

3. A aborts after round or does not abort. In this case the distributions are identical: the output of $P_2$ is the same random bit that was revealed to A in round.

Note that A's view in the hybrid and ideal models is always identically distributed no matter what strategy A uses to decide when to abort, and that the only difference is in the distribution of the honest party's output conditioned on A's view. Specifically, for any particular round the event in which the adversary aborts in round occurs with exactly the same probability in both models⁴. Thus, the above three cases imply that the statistical distance between the two distributions is at most 1/2r.

⁴ We state this explicitly because in some settings that are inherently different from our setting, analyzing the statistical distance between executions in two models by conditioning on a specific event might be problematic when that event does not occur with equal probabilities in both models (see, for example, [8, Sect. 2]).

Claim 3.2. In protocol $\mathrm{CoinFlip}_r$ there exists an efficient adversarial party P1 that can bias the output of $P_2$ by $(1 - 2^{-r})/(2r)$.

Proof. Consider the adversarial party P1 that completes the pre-processing phase, and then halts in the first round {1,..., r} for which a = 0. We denote by Abort the random variable corresponding to the round in which P1 aborts, where Abort = if $P_1$ does not abort. In addition, we denote by $c_2$ the random variable corresponding to the output bit of $P_2$. Notice that if P1 aborts in round j then $P_2$ outputs a random bit, and if P1 does not abort then $P_2$ always outputs 1. Therefore, for every {1,..., r} it holds that

Pr [c 2 = 1 = ] = This implies that Pr [Abort = j = ] Pr [c 2 = 1 Abort = j = ] j=1 +Pr [Abort = = ] Pr [c 2 = 1 Abort = = ] = Pr [a 1 = = a j 1 = 1, a j = 0] Pr [c 2 = 1 Abort = j = ] j=1 +Pr [a 1 = = a = 1] Pr [c 2 = 1 Abort = = ] 1 = 2 j j=1 = Pr [c 2 = 1] = = r Pr [ = ] Pr [c 2 = 1 = ] =1 r =1 1 1 r = r 2r.
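The simplified protocol of Figures 1 and 2 and the early-abort party of Claim 3.2, as an added Python example that is not code from the paper. It replaces the sub-protocol π by a trusted dealer, and it assumes XOR for the 2-out-of-2 sharing, a one-time MAC of the form k0·m + k1 mod a prime, and the names `i_star`, `p1_stops` and `tamper_round`, all of which are choices made for this example.

```python
"""Added example (not from the paper): simplified coin flipping with a trusted
dealer in place of ShareGen_r, and the exact effect of an early-abort P1."""
import secrets
from fractions import Fraction
from itertools import product

Q = (1 << 61) - 1  # prime modulus for the one-time MAC (this example's choice)

def mac(key, bit):
    """One-time MAC t = k0*m + k1 mod Q with k0 != 0; each key tags one share."""
    return (key[0] * bit + key[1]) % Q

def new_keys(r):
    return [(1 + secrets.randbelow(Q - 1), secrets.randbelow(Q)) for _ in range(r)]

def share_gen(r):
    """Dealer: values before the secret round i_star (example's name) are
    independent coins; from i_star on, every a_i and b_i equals the bit c."""
    i_star, c = 1 + secrets.randbelow(r), secrets.randbits(1)
    a = [secrets.randbits(1) if i < i_star else c for i in range(1, r + 1)]
    b = [secrets.randbits(1) if i < i_star else c for i in range(1, r + 1)]
    a1 = [secrets.randbits(1) for _ in range(r)]      # P1's share of each a_i
    b1 = [secrets.randbits(1) for _ in range(r)]      # P1's share of each b_i
    a2 = [x ^ s for x, s in zip(a, a1)]               # P2's shares (XOR, assumed)
    b2 = [x ^ s for x, s in zip(b, b1)]
    k_a, k_b = new_keys(r), new_keys(r)
    p1 = {"a1": a1, "b1": [(s, mac(k, s)) for s, k in zip(b1, k_b)], "k_a": k_a}
    p2 = {"b2": b2, "a2": [(s, mac(k, s)) for s, k in zip(a2, k_a)], "k_b": k_b}
    return p1, p2

def fallback(prev):
    """Output after an abort: last reconstructed value, or a fresh coin in round 1."""
    return secrets.randbits(1) if prev is None else prev

def run_protocol(p1, p2, p1_stops=lambda seen: False, tamper_round=None):
    """One execution; returns (P1 output, P2 output), None for a cheating party.
    p1_stops(seen) lets P1 halt right after reconstructing a_i; tamper_round
    makes P2 send a flipped share with the original tag in that round."""
    r, seen, b_prev = len(p1["a1"]), [], None
    for i in range(r):
        share, tag = p2["a2"][i]                      # message P2 -> P1
        if tamper_round == i + 1:
            share ^= 1
        if mac(p1["k_a"][i], share) != tag:           # Vrfy = 0: P1 halts
            return fallback(seen[-1] if seen else None), None
        seen.append(p1["a1"][i] ^ share)              # P1 reconstructs a_i
        if p1_stops(seen):                            # P1 halts without sending
            return seen[-1], fallback(b_prev)
        share, tag = p1["b1"][i]                      # message P1 -> P2
        if mac(p2["k_b"][i], share) != tag:           # Vrfy = 0: P2 halts
            return None, fallback(b_prev)
        b_prev = p2["b2"][i] ^ share                  # P2 reconstructs b_i
    return seen[-1], b_prev

def abort_on_first_zero(seen):
    """Strategy of Claim 3.2: halt in the first round whose a-value is 0."""
    return seen[-1] == 0

def outcome(a, b, p1_stops):
    """Pr[P2 outputs 1] for fixed dealer values a_1..a_r, b_1..b_r."""
    for i in range(len(a)):
        if p1_stops(a[: i + 1]):
            return Fraction(1, 2) if i == 0 else Fraction(b[i - 1])
    return Fraction(b[-1])

def pr_p2_outputs_one(r, p1_stops):
    """Exact Pr[P2 outputs 1], enumerating every dealer choice (tag forgery
    is ignored, as in the proof of Theorem 3.1)."""
    total = Fraction(0)
    for i_star in range(1, r + 1):
        n = i_star - 1                                # rounds with independent coins
        weight = Fraction(1, r * 2 ** (2 * n + 1))
        for c in (0, 1):
            for pre_a in product((0, 1), repeat=n):
                for pre_b in product((0, 1), repeat=n):
                    a = list(pre_a) + [c] * (r - n)
                    b = list(pre_b) + [c] * (r - n)
                    total += weight * outcome(a, b, p1_stops)
    return total

if __name__ == "__main__":
    r = 6
    p = pr_p2_outputs_one(r, abort_on_first_zero)
    print("Pr[P2 outputs 1] =", p, " shift from 1/2 =", p - Fraction(1, 2))
    print("bound 1/2r =", Fraction(1, 2 * r))
    print("honest run:", run_protocol(*share_gen(r)))
```

A strategy that ignores the reconstructed values, such as always halting in a fixed round, leaves the honest output exactly uniform in this model; only a strategy that reacts to the values it has seen moves it, and then by less than 1/2r.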

4 The Generalized Protocol

In this section we present a more refined and generalized protocol that settles Theorems 1.1 and 1.2. The improvements over the protocol presented in Section 3 are as follows:

Improved security guarantee: In the simplified protocol party $P_1$ can bias the output of party $P_2$ (by aborting in round), but party $P_2$ cannot bias the output of party $P_1$. This is due to the fact that party $P_1$ always learns the output before party $P_2$ does. In the generalized protocol the party that learns the output before the other party is chosen uniformly at random (i.e., party $P_1$ learns the output before party $P_2$ with probability 1/2). This is achieved by having the parties exchange a sequence of 2r values $(a_1, b_1), \ldots, (a_{2r}, b_{2r})$ (using the same secret-sharing exchange technique as in the simplified protocol) with the following property: for odd values of, party $P_1$ learns a before party $P_2$ learns b, and for even values of party $P_2$ learns b before party $P_1$ learns a. Thus, party $P_1$ can bias the result only when is odd, and party $P_2$ can bias the result only when is even. The key point is that the parties can exchange the sequence of 2r shares in only r + 1 rounds by combining some of their messages⁵. Figure 3 gives a graphic overview of the protocol. We note that modifying the original protocol by just having ShareGen randomly choose which party starts would also halve the bias (since with probability 1/2 the adversary chooses a party that cannot bias the outcome at all). However, this is vulnerable to a trivial dynamic attack: the adversary decides which party to corrupt after seeing which party was chosen to start.

⁵ Recall that each round consists of two moves: a message from $P_2$ to $P_1$ followed by a message from $P_1$ to $P_2$.

A larger class of functionalities: We consider the more general task of sampling from a distribution $D = (D_1, D_2)$: party $P_1$ receives a sample from $D_1$ and party $P_2$ receives a correlated sample from $D_2$ (in coin-flipping, for example, the joint distribution D produces the values (0, 0) and (1, 1) each with probability 1/2). Our generalized protocol can handle any polynomially-sampleable distribution D.

In the following we describe the generalized protocol $\mathrm{Sampling}_r$ (Section 4.1), and then prove its security (Section 4.2).

4.1 Description of the Protocol

Joint input: Security parameter $1^n$, and a polynomially-sampleable distribution $D = (D_1, D_2)$.

Preliminary phase:

1. Parties $P_1$ and $P_2$ run protocol π for computing $\mathrm{ShareGen}_r(1^n, D)$ (see Figure 4).
2. If $P_1$ receives from the above computation, it outputs a random sample from $D_1$ and halts. Likewise, if $P_2$ receives it outputs a random sample from $D_2$ and halts. Otherwise, the parties proceed.
3. Denote the output of $P_1$ from π by $a^{(1)}_1, \ldots, a^{(1)}_{2r}$, $(b^{(1)}_1, t^b_1), \ldots, (b^{(1)}_{2r}, t^b_{2r})$, and $k^a_1, \ldots, k^a_{2r}$.
4. Denote the output of $P_2$ from π by $(a^{(2)}_1, t^a_1), \ldots, (a^{(2)}_{2r}, t^a_{2r})$, $b^{(2)}_1, \ldots, b^{(2)}_{2r}$, and $k^b_1, \ldots, k^b_{2r}$.

Figure 3: Overview of the generalized protocol

In round 1 do:

1. $P_2$ sends a share to $P_1$:
   (a) $P_2$ sends a 2 1, ta 1 to $P_1$.
   (b) $P_1$ receives â 2 1, ˆt a 1 from $P_2$. If Vrfy k a 1 1 â 2 1, ˆt a 1 = 0, then $P_1$ outputs a random sample from $D_1$ and halts. Otherwise, $P_1$ reconstructs a 1 using the shares a 1 1 and â.
2. $P_1$ sends a pair of shares to $P_2$:
   (a) $P_1$ sends b 1 1, tb 1 and b 1 2, tb 2 to $P_2$.
   (b) $P_2$ receives ˆb1 1, ˆt b 1 and ˆb1 2, ˆt b 2 from $P_1$. If Vrfy k b 1 ˆb 1 1 1, ˆt b 1 = 0, then $P_2$ outputs a random sample from $D_2$ and halts. Otherwise, $P_2$ reconstructs b 1 using the shares b 1 1 and b 2 1.
   (c) If Vrfy k b 2 ˆb 1 2 2, ˆt b 2 = 0, then $P_2$ outputs b 1 and halts. Otherwise, $P_2$ reconstructs b 2 using the shares b 1 2 and b 2 2.

In each round j = 2,..., r do:

1. $P_2$ sends a pair of shares to $P_1$:
   (a) $P_2$ sends a 2 2j 2, ta 2j 2 and a 2 2j 1, ta 2j 1 to $P_1$.
   (b) $P_1$ receives â 2 2j 2, ˆt a 2j 2 and â 2 2j 1, ˆt a 2j 1 from $P_2$. If Vrfy k a 2j 2 2j 2 â 2 2j 2, ˆt a 2j 2 = 0, then $P_1$ outputs a 2j 3 and halts. Otherwise, $P_1$ reconstructs a 2j 2 using the shares a 1 2j 2 and â2 2j 2.
   (c) If Vrfy k a 2j 1 2j 1 â 2 2j 1, ˆt a 2j 1 = 0, then $P_1$ outputs a 2j 2 and halts. Otherwise, $P_1$ reconstructs a 2j 1 using the shares a 1 2j 1 and â2 2j.
2. $P_1$ sends a pair of shares to $P_2$:
   (a) $P_1$ sends b 1 2j 1, tb 2j 1 and b 1 2j, tb 2j to $P_2$.
   (b) $P_2$ receives ˆb1 2j 1, ˆt b 2j 1 and ˆb1 2j, ˆt b 2j from $P_1$. If Vrfy k b 2j 1 2j 1 ˆb 1 2j 1, ˆt b 2j 1 = 0, then $P_2$ outputs b 2j 2 and halts. Otherwise, $P_2$ reconstructs b 2j 1 using the shares b 1 2j 1 and b 2 2j 1.
   (c) If Vrfy k b 2j ˆb 1 2j 2j, ˆt b 2j = 0, then $P_2$ outputs b 2j 1 and halts. Otherwise, $P_2$ reconstructs b 2j using the shares b 1 2j and b 2 2j.

In round r + 1 do:

1. $P_2$ sends a share to $P_1$:
   (a) $P_2$ sends a 2 2r, ta 2r to $P_1$.
   (b) $P_1$ receives â 2 2r, ˆt a 2r from $P_2$. If Vrfy k a 2r 2r â 2 2r, ˆt a 2r = 0, then $P_1$ outputs a 2r 1 and halts. Otherwise, $P_1$ reconstructs a 2r using the shares a 1 2r and â2 2r.
2. $P_1$ and $P_2$ output the values $a_{2r}$ and $b_{2r}$, respectively, and halt.

Functionality $\mathrm{ShareGen}_r$

Input: Security parameter $1^n$, and a polynomially-sampleable distribution $D = (D_1, D_2)$.

Computation:

1. Choose {1,..., 2r} uniformly at random.
2. Define values $a_1, \ldots, a_{2r}$ and $b_1, \ldots, b_{2r}$ as follows: For 1 1 sample a D 1 and b D 2 independently. Sample c 1, c 2 D, and for r let a, b = c 1, c 2.
3. For 1 2r, choose a 1, a 2 and b 1, b 2 as random secret shares of a and b, respectively.
4. Compute k1 a,..., k2r a, k1 b,..., k2r b Gen($1^n$). For 1 2r, let t a = Mac k a a 2 and t b = Mac k b b.

Output:

1. Party $P_1$ receives the values $a^{(1)}_1, \ldots, a^{(1)}_{2r}$, $(b^{(1)}_1, t^b_1), \ldots, (b^{(1)}_{2r}, t^b_{2r})$, and $k^a = (k^a_1, \ldots, k^a_{2r})$.
2. Party $P_2$ receives the values $(a^{(2)}_1, t^a_1), \ldots, (a^{(2)}_{2r}, t^a_{2r})$, $b^{(2)}_1, \ldots, b^{(2)}_{2r}$, and $k^b = (k^b_1, \ldots, k^b_{2r})$.

Figure 4: The ideal functionality $\mathrm{ShareGen}_r$ of the generalized two-party protocol.

4.2 Proof of Security

We remind the reader that SDD, D 1 D 2 denotes the statistical distance between the joint distribution $D = (D_1, D_2)$ and the direct-product of the two marginal distributions $D_1$ and $D_2$. We prove the following theorem which implies Theorems 1.1 and 1.2:

Theorem 4.1. For any polynomially-sampleable distribution $D = (D_1, D_2)$ and polynomial $r = r(n)$, if protocol π securely computes $\mathrm{ShareGen}_r$ with abort, then $\mathrm{Sampling}_r$ is SDD,D 1 D 2 2r -secure.

Proof. As in the proof of Theorem 3.1 we prove the security of the protocol in a hybrid model where a trusted party for computing $\mathrm{ShareGen}_r$ with abort is available. For every polynomial-time hybrid-model adversary A corrupting $P_1$ and running $\mathrm{Sampling}_r$ in the hybrid model, we show that there exists a polynomial-time ideal-model adversary S corrupting $P_1$ in the ideal model with access to a trusted party that samples from D such that the statistical distance between these two executions is at most SDD,D 1 D 2 2r + $\nu(n)$, for some negligible function $\nu(n)$. The proof for the case that $P_2$ is corrupted is essentially identical, and therefore is omitted. For simplicity we ignore the aspect of message authentication, and assume that the only malicious behavior of A is early abort. This does not result in any loss of generality, since there is only a negligible probability of forging an authentication tag.

On input $(1^n, \mathrm{aux})$ the ideal-model adversary S invokes the hybrid-model adversary A on $(1^n, \mathrm{aux})$ and queries the trusted party who sends to the parties a sample $(c_1, c_2)$ drawn from the joint distribution $D = (D_1, D_2)$. At this point S receives the value $c_1$ which was sent to the corrupted $P_1$. S simulates the trusted party computing the $\mathrm{ShareGen}_r$ functionality by sending A independently and uniformly chosen shares $a^{(1)}_1, \ldots, a^{(1)}_{2r}, b^{(1)}_1, \ldots, b^{(1)}_{2r}$. If A aborts at this point then S outputs A's output and halts. Otherwise, S chooses {1,..., 2r} uniformly at random, and proceeds by sending A shares a 2 1,..., a2 +1 (in the order defined by the rounds of the protocol), where the shares are defined as follows:

1. For every {1,..., 1}, S samples a random a D 1 and sets a 2 = a 1 a.
2. For every {,..., r}, S sets a 2 = a1 c 1 (where $c_1$ is the value received from the trusted party).

If at some point during the simulation A aborts, then S outputs A's output and halts.

We now consider the joint distribution of the adversary's view and the output of the honest party $P_2$ in the ideal model and in the hybrid model, and show that the statistical distance between the two distributions is at most SDD,D 1 D 2 2r. As in the proof of Theorem 3.1, note that the adversary's view is always identically distributed in both cases, and therefore we only need to consider the distribution of $P_2$'s output given the adversary's view. There are two cases to consider, depending on whether is even or odd.

Case 1: = 2j for some j {1,..., r}. In this case $P_2$ learns its output in round j and $P_1$ learns its output in round j + 1, and we show that the two distributions are identical. There are two cases to consider:

1. A aborts before round j + 1. In both models if A aborts before round j + 1 then he does not receive the share a 2 = a2 2j since this share is sent by $P_2$ only in round j + 1. Therefore, A's view is independent of $P_2$'s output.
2. A aborts in round j + 1 or does not abort. In this case in both models A learns $c_1$ and $P_2$ outputs $c_2$, where $(c_1, c_2)$ are sampled from the joint distribution $D = (D_1, D_2)$.

Case 2: = 2j 1 for some j {1,..., r}. In this case both parties learn their outputs in round j but $P_1$ learns its output first. Informally, $P_1$ can bias $P_2$'s output only by aborting in round j after receiving $P_2$'s message for this round. More formally, there are three cases to consider:

1. A aborts before round j. In this case the distributions are identical: in both models the view of the adversary is the sequence of shares, and the sequence of messages up to the round in which A aborted, and the output of $P_2$ is a random sample from $D_2$ that is independent of A's view.
2. A aborts in round j. In this case A's view is identical in both models, but the distributions of $P_2$'s output given A's view are not identical. In the ideal model, $P_2$ outputs the value $c_2$ that is correlated to the value $c_1$ that was revealed to A by S in round (i.e., $(c_1, c_2)$ is sampled from the joint distribution $D = (D_1, D_2)$). In the hybrid model, however, the output of $P_2$ is the value b 1 which is a random sample from $D_2$ that is independent of A's view. Thus, in this case the statistical distance between the two distributions is SDD, D 1 D 2. However, this case occurs with probability at most 1/2r since in both cases is odd with probability exactly 1/2 and is independent of A's view until this round (that is, the probability that A aborts in round j is at most 1/r).
3. A aborts in round j + 1 or does not abort. In this case the distributions are identical: in both models A learns $c_1$ and $P_2$ outputs $c_2$, where $(c_1, c_2)$ are sampled from the joint distribution $D = (D_1, D_2)$.

This implies that the statistical distance between the two distributions is at most SDD,D 1 D 2 2r and concludes the proof of the theorem.

We conclude this section by showing that Theorem 4.1 is tight for the coin-flipping functionality: there exists an efficient adversary that can bias the output of the honest party by essentially 1/4r. This adversary is a natural generalization of the adversary presented at the end of Section 3.

Claim 4.2. In protocol $\mathrm{Sampling}_r$ instantiated with the distribution D that outputs the values (0, 0) and (1, 1) each with probability 1/2, there exists an efficient adversarial party P1 that can bias the output of $P_2$ by $(1 - 2^{-r})/(4r)$.

Proof. Consider the adversarial party P1 that completes the pre-processing phase, and then halts in the first round j {1,..., r} for which a 2j 1 = 0. We denote by Abort the random variable corresponding to the round in which P1 aborts, where Abort = if $P_1$ does not abort. In addition, we denote by $c_2$ the random variable corresponding to the output bit of $P_2$. Notice that if is even, then $P_2$ outputs 1 with probability 1/2. Now, suppose that = 2j 1 for some j {1,..., r}, then there are two cases to consider: If $P_1$ aborts in round j j then $P_2$ outputs a random bit. If $P_1$ does not abort then $P_2$ always outputs 1.


More information

Lecture 3: Probability Distributions

Lecture 3: Probability Distributions Lecture 3: Probablty Dstrbutons Random Varables Let us begn by defnng a sample space as a set of outcomes from an experment. We denote ths by S. A random varable s a functon whch maps outcomes nto the

More information

The optimal delay of the second test is therefore approximately 210 hours earlier than =2.

The optimal delay of the second test is therefore approximately 210 hours earlier than =2. THE IEC 61508 FORMULAS 223 The optmal delay of the second test s therefore approxmately 210 hours earler than =2. 8.4 The IEC 61508 Formulas IEC 61508-6 provdes approxmaton formulas for the PF for smple

More information

Min Cut, Fast Cut, Polynomial Identities

Min Cut, Fast Cut, Polynomial Identities Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.

More information

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper Games of Threats Elon Kohlberg Abraham Neyman Workng Paper 18-023 Games of Threats Elon Kohlberg Harvard Busness School Abraham Neyman The Hebrew Unversty of Jerusalem Workng Paper 18-023 Copyrght 2017

More information

Grover s Algorithm + Quantum Zeno Effect + Vaidman

Grover s Algorithm + Quantum Zeno Effect + Vaidman Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the

More information

Randomness and Computation

Randomness and Computation Randomness and Computaton or, Randomzed Algorthms Mary Cryan School of Informatcs Unversty of Ednburgh RC 208/9) Lecture 0 slde Balls n Bns m balls, n bns, and balls thrown unformly at random nto bns usually

More information

COS 521: Advanced Algorithms Game Theory and Linear Programming

COS 521: Advanced Algorithms Game Theory and Linear Programming COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton

More information

The Second Anti-Mathima on Game Theory

The Second Anti-Mathima on Game Theory The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player

More information

Round Efficient Unconditionally Secure Multiparty Computation Protocol

Round Efficient Unconditionally Secure Multiparty Computation Protocol Round Effcent Uncondtonally Secure Multparty Computaton Protocol Arpta Patra Ashsh Choudhary C. Pandu Rangan Department of Computer Scence and Engneerng Indan Insttute of Technology Madras Chenna Inda

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

1 The Mistake Bound Model

1 The Mistake Bound Model 5-850: Advanced Algorthms CMU, Sprng 07 Lecture #: Onlne Learnng and Multplcatve Weghts February 7, 07 Lecturer: Anupam Gupta Scrbe: Bryan Lee,Albert Gu, Eugene Cho he Mstake Bound Model Suppose there

More information

Can PPAD Hardness be Based on Standard Cryptographic Assumptions?

Can PPAD Hardness be Based on Standard Cryptographic Assumptions? Can PPAD Hardness be Based on Standard Cryptographc Assumptons? Alon Rosen Gl Segev Ido Shahaf Abstract We consder the queston of whether PPAD hardness can be based on standard cryptographc assumptons,

More information

x = , so that calculated

x = , so that calculated Stat 4, secton Sngle Factor ANOVA notes by Tm Plachowsk n chapter 8 we conducted hypothess tests n whch we compared a sngle sample s mean or proporton to some hypotheszed value Chapter 9 expanded ths to

More information

Real-Time Systems. Multiprocessor scheduling. Multiprocessor scheduling. Multiprocessor scheduling

Real-Time Systems. Multiprocessor scheduling. Multiprocessor scheduling. Multiprocessor scheduling Real-Tme Systems Multprocessor schedulng Specfcaton Implementaton Verfcaton Multprocessor schedulng -- -- Global schedulng How are tasks assgned to processors? Statc assgnment The processor(s) used for

More information

ECE559VV Project Report

ECE559VV Project Report ECE559VV Project Report (Supplementary Notes Loc Xuan Bu I. MAX SUM-RATE SCHEDULING: THE UPLINK CASE We have seen (n the presentaton that, for downlnk (broadcast channels, the strategy maxmzng the sum-rate

More information

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of

More information

a b a In case b 0, a being divisible by b is the same as to say that

a b a In case b 0, a being divisible by b is the same as to say that Secton 6.2 Dvsblty among the ntegers An nteger a ε s dvsble by b ε f there s an nteger c ε such that a = bc. Note that s dvsble by any nteger b, snce = b. On the other hand, a s dvsble by only f a = :

More information

Power law and dimension of the maximum value for belief distribution with the max Deng entropy

Power law and dimension of the maximum value for belief distribution with the max Deng entropy Power law and dmenson of the maxmum value for belef dstrbuton wth the max Deng entropy Bngy Kang a, a College of Informaton Engneerng, Northwest A&F Unversty, Yanglng, Shaanx, 712100, Chna. Abstract Deng

More information

Learning Theory: Lecture Notes

Learning Theory: Lecture Notes Learnng Theory: Lecture Notes Lecturer: Kamalka Chaudhur Scrbe: Qush Wang October 27, 2012 1 The Agnostc PAC Model Recall that one of the constrants of the PAC model s that the data dstrbuton has to be

More information

Appendix B: Resampling Algorithms

Appendix B: Resampling Algorithms 407 Appendx B: Resamplng Algorthms A common problem of all partcle flters s the degeneracy of weghts, whch conssts of the unbounded ncrease of the varance of the mportance weghts ω [ ] of the partcles

More information

Bayesian predictive Configural Frequency Analysis

Bayesian predictive Configural Frequency Analysis Psychologcal Test and Assessment Modelng, Volume 54, 2012 (3), 285-292 Bayesan predctve Confgural Frequency Analyss Eduardo Gutérrez-Peña 1 Abstract Confgural Frequency Analyss s a method for cell-wse

More information

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud Resource Allocaton wth a Budget Constrant for Computng Independent Tasks n the Cloud Wemng Sh and Bo Hong School of Electrcal and Computer Engneerng Georga Insttute of Technology, USA 2nd IEEE Internatonal

More information

Online Appendix. t=1 (p t w)q t. Then the first order condition shows that

Online Appendix. t=1 (p t w)q t. Then the first order condition shows that Artcle forthcomng to ; manuscrpt no (Please, provde the manuscrpt number!) 1 Onlne Appendx Appendx E: Proofs Proof of Proposton 1 Frst we derve the equlbrum when the manufacturer does not vertcally ntegrate

More information

princeton univ. F 13 cos 521: Advanced Algorithm Design Lecture 3: Large deviations bounds and applications Lecturer: Sanjeev Arora

princeton univ. F 13 cos 521: Advanced Algorithm Design Lecture 3: Large deviations bounds and applications Lecturer: Sanjeev Arora prnceton unv. F 13 cos 521: Advanced Algorthm Desgn Lecture 3: Large devatons bounds and applcatons Lecturer: Sanjeev Arora Scrbe: Today s topc s devaton bounds: what s the probablty that a random varable

More information

The Expectation-Maximization Algorithm

The Expectation-Maximization Algorithm The Expectaton-Maxmaton Algorthm Charles Elan elan@cs.ucsd.edu November 16, 2007 Ths chapter explans the EM algorthm at multple levels of generalty. Secton 1 gves the standard hgh-level verson of the algorthm.

More information

Lecture Notes on Linear Regression

Lecture Notes on Linear Regression Lecture Notes on Lnear Regresson Feng L fl@sdueducn Shandong Unversty, Chna Lnear Regresson Problem In regresson problem, we am at predct a contnuous target value gven an nput feature vector We assume

More information

Communication Complexity 16:198: February Lecture 4. x ij y ij

Communication Complexity 16:198: February Lecture 4. x ij y ij Communcaton Complexty 16:198:671 09 February 2010 Lecture 4 Lecturer: Troy Lee Scrbe: Rajat Mttal 1 Homework problem : Trbes We wll solve the thrd queston n the homework. The goal s to show that the nondetermnstc

More information

Canonical transformations

Canonical transformations Canoncal transformatons November 23, 2014 Recall that we have defned a symplectc transformaton to be any lnear transformaton M A B leavng the symplectc form nvarant, Ω AB M A CM B DΩ CD Coordnate transformatons,

More information

Lecture 4: Universal Hash Functions/Streaming Cont d

Lecture 4: Universal Hash Functions/Streaming Cont d CSE 5: Desgn and Analyss of Algorthms I Sprng 06 Lecture 4: Unversal Hash Functons/Streamng Cont d Lecturer: Shayan Oves Gharan Aprl 6th Scrbe: Jacob Schreber Dsclamer: These notes have not been subjected

More information

arxiv: v1 [quant-ph] 6 Sep 2007

arxiv: v1 [quant-ph] 6 Sep 2007 An Explct Constructon of Quantum Expanders Avraham Ben-Aroya Oded Schwartz Amnon Ta-Shma arxv:0709.0911v1 [quant-ph] 6 Sep 2007 Abstract Quantum expanders are a natural generalzaton of classcal expanders.

More information

A Robust Method for Calculating the Correlation Coefficient

A Robust Method for Calculating the Correlation Coefficient A Robust Method for Calculatng the Correlaton Coeffcent E.B. Nven and C. V. Deutsch Relatonshps between prmary and secondary data are frequently quantfed usng the correlaton coeffcent; however, the tradtonal

More information

THE SUMMATION NOTATION Ʃ

THE SUMMATION NOTATION Ʃ Sngle Subscrpt otaton THE SUMMATIO OTATIO Ʃ Most of the calculatons we perform n statstcs are repettve operatons on lsts of numbers. For example, we compute the sum of a set of numbers, or the sum of the

More information

Introductory Cardinality Theory Alan Kaylor Cline

Introductory Cardinality Theory Alan Kaylor Cline Introductory Cardnalty Theory lan Kaylor Clne lthough by name the theory of set cardnalty may seem to be an offshoot of combnatorcs, the central nterest s actually nfnte sets. Combnatorcs deals wth fnte

More information

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4)

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4) I. Classcal Assumptons Econ7 Appled Econometrcs Topc 3: Classcal Model (Studenmund, Chapter 4) We have defned OLS and studed some algebrac propertes of OLS. In ths topc we wll study statstcal propertes

More information

Winter 2008 CS567 Stochastic Linear/Integer Programming Guest Lecturer: Xu, Huan

Winter 2008 CS567 Stochastic Linear/Integer Programming Guest Lecturer: Xu, Huan Wnter 2008 CS567 Stochastc Lnear/Integer Programmng Guest Lecturer: Xu, Huan Class 2: More Modelng Examples 1 Capacty Expanson Capacty expanson models optmal choces of the tmng and levels of nvestments

More information

TAIL BOUNDS FOR SUMS OF GEOMETRIC AND EXPONENTIAL VARIABLES

TAIL BOUNDS FOR SUMS OF GEOMETRIC AND EXPONENTIAL VARIABLES TAIL BOUNDS FOR SUMS OF GEOMETRIC AND EXPONENTIAL VARIABLES SVANTE JANSON Abstract. We gve explct bounds for the tal probabltes for sums of ndependent geometrc or exponental varables, possbly wth dfferent

More information

Markov Chain Monte Carlo Lecture 6

Markov Chain Monte Carlo Lecture 6 where (x 1,..., x N ) X N, N s called the populaton sze, f(x) f (x) for at least one {1, 2,..., N}, and those dfferent from f(x) are called the tral dstrbutons n terms of mportance samplng. Dfferent ways

More information

LOW BIAS INTEGRATED PATH ESTIMATORS. James M. Calvin

LOW BIAS INTEGRATED PATH ESTIMATORS. James M. Calvin Proceedngs of the 007 Wnter Smulaton Conference S G Henderson, B Bller, M-H Hseh, J Shortle, J D Tew, and R R Barton, eds LOW BIAS INTEGRATED PATH ESTIMATORS James M Calvn Department of Computer Scence

More information

Tornado and Luby Transform Codes. Ashish Khisti Presentation October 22, 2003

Tornado and Luby Transform Codes. Ashish Khisti Presentation October 22, 2003 Tornado and Luby Transform Codes Ashsh Khst 6.454 Presentaton October 22, 2003 Background: Erasure Channel Elas[956] studed the Erasure Channel β x x β β x 2 m x 2 k? Capacty of Noseless Erasure Channel

More information

Outline. Communication. Bellman Ford Algorithm. Bellman Ford Example. Bellman Ford Shortest Path [1]

Outline. Communication. Bellman Ford Algorithm. Bellman Ford Example. Bellman Ford Shortest Path [1] DYNAMIC SHORTEST PATH SEARCH AND SYNCHRONIZED TASK SWITCHING Jay Wagenpfel, Adran Trachte 2 Outlne Shortest Communcaton Path Searchng Bellmann Ford algorthm Algorthm for dynamc case Modfcatons to our algorthm

More information

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011 Stanford Unversty CS359G: Graph Parttonng and Expanders Handout 4 Luca Trevsan January 3, 0 Lecture 4 In whch we prove the dffcult drecton of Cheeger s nequalty. As n the past lectures, consder an undrected

More information

The Minimum Universal Cost Flow in an Infeasible Flow Network

The Minimum Universal Cost Flow in an Infeasible Flow Network Journal of Scences, Islamc Republc of Iran 17(2): 175-180 (2006) Unversty of Tehran, ISSN 1016-1104 http://jscencesutacr The Mnmum Unversal Cost Flow n an Infeasble Flow Network H Saleh Fathabad * M Bagheran

More information

Lecture 10: May 6, 2013

Lecture 10: May 6, 2013 TTIC/CMSC 31150 Mathematcal Toolkt Sprng 013 Madhur Tulsan Lecture 10: May 6, 013 Scrbe: Wenje Luo In today s lecture, we manly talked about random walk on graphs and ntroduce the concept of graph expander,

More information

HMMT February 2016 February 20, 2016

HMMT February 2016 February 20, 2016 HMMT February 016 February 0, 016 Combnatorcs 1. For postve ntegers n, let S n be the set of ntegers x such that n dstnct lnes, no three concurrent, can dvde a plane nto x regons (for example, S = {3,

More information

CSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography

CSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography CSc 6974 and ECSE 6966 Math. Tech. for Vson, Graphcs and Robotcs Lecture 21, Aprl 17, 2006 Estmatng A Plane Homography Overvew We contnue wth a dscusson of the major ssues, usng estmaton of plane projectve

More information

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence

More information

CALCULUS CLASSROOM CAPSULES

CALCULUS CLASSROOM CAPSULES CALCULUS CLASSROOM CAPSULES SESSION S86 Dr. Sham Alfred Rartan Valley Communty College salfred@rartanval.edu 38th AMATYC Annual Conference Jacksonvlle, Florda November 8-, 202 2 Calculus Classroom Capsules

More information

} Often, when learning, we deal with uncertainty:

} Often, when learning, we deal with uncertainty: Uncertanty and Learnng } Often, when learnng, we deal wth uncertanty: } Incomplete data sets, wth mssng nformaton } Nosy data sets, wth unrelable nformaton } Stochastcty: causes and effects related non-determnstcally

More information

VQ widely used in coding speech, image, and video

VQ widely used in coding speech, image, and video at Scalar quantzers are specal cases of vector quantzers (VQ): they are constraned to look at one sample at a tme (memoryless) VQ does not have such constrant better RD perfomance expected Source codng

More information

NP-Completeness : Proofs

NP-Completeness : Proofs NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem

More information

Kernel Methods and SVMs Extension

Kernel Methods and SVMs Extension Kernel Methods and SVMs Extenson The purpose of ths document s to revew materal covered n Machne Learnng 1 Supervsed Learnng regardng support vector machnes (SVMs). Ths document also provdes a general

More information

Lecture Randomized Load Balancing strategies and their analysis. Probability concepts include, counting, the union bound, and Chernoff bounds.

Lecture Randomized Load Balancing strategies and their analysis. Probability concepts include, counting, the union bound, and Chernoff bounds. U.C. Berkeley CS273: Parallel and Dstrbuted Theory Lecture 1 Professor Satsh Rao August 26, 2010 Lecturer: Satsh Rao Last revsed September 2, 2010 Lecture 1 1 Course Outlne We wll cover a samplng of the

More information

Graph Reconstruction by Permutations

Graph Reconstruction by Permutations Graph Reconstructon by Permutatons Perre Ille and Wllam Kocay* Insttut de Mathémathques de Lumny CNRS UMR 6206 163 avenue de Lumny, Case 907 13288 Marselle Cedex 9, France e-mal: lle@ml.unv-mrs.fr Computer

More information