An Optimally Fair Coin Toss


Tal Moran, Moni Naor, and Gil Segev

Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100, Israel

O. Reingold (Ed.): TCC 2009, LNCS 5444, pp. 1-18, © International Association for Cryptologic Research 2009

Research supported in part by a grant from the Israel Science Foundation. Incumbent of the Judith Kleeman Professorial Chair.

Abstract. We address one of the foundational problems in cryptography: the bias of coin-flipping protocols. Coin-flipping protocols allow mutually distrustful parties to generate a common unbiased random bit, guaranteeing that even if one of the parties is malicious, it cannot significantly bias the output of the honest party. A classical result by Cleve [STOC '86] showed that for any two-party $r$-round coin-flipping protocol there exists an efficient adversary that can bias the output of the honest party by $\Omega(1/r)$. However, the best previously known protocol only guarantees $O(1/\sqrt{r})$ bias, and the question of whether Cleve's bound is tight has remained open for more than twenty years.

In this paper we establish the optimal trade-off between the round complexity and the bias of two-party coin-flipping protocols. Under standard assumptions (the existence of oblivious transfer), we show that Cleve's lower bound is tight: we construct an $r$-round protocol with bias $O(1/r)$.

1 Introduction

A coin-flipping protocol allows mutually distrustful parties to generate a common unbiased random bit. Such a protocol should satisfy two properties. First, when all parties are honest and follow the instructions of the protocol, their common output is a uniformly distributed bit. Second, even if some of the parties collude and deviate from the protocol's instructions, they should not be able to significantly bias the common output of the honest parties.

When a majority of the parties are honest, efficient and completely fair coin-flipping protocols are known as a special case of general multiparty computation with an honest majority [1] (assuming a broadcast channel). When an honest majority is not available, and in particular when there are only two parties, the situation is more complex. Blum's two-party coin-flipping protocol [2] guarantees that the output of the honest party is unbiased only if the malicious party does not abort prematurely (note that the malicious party can decide to abort after learning the result of the coin flip). This satisfies a rather weak notion of fairness in which once the malicious party is labeled as a cheater the honest party is allowed to halt without outputting any value. Blum's protocol can rely on the existence of any one-way function [3, 4], and Impagliazzo and Luby [5] showed that one-way functions are in fact essential even for such a seemingly weak notion. While this notion suffices for some applications, in many cases fairness is required to hold even if one of the parties aborts prematurely (consider, for example, an adversary that controls the communication channel and can prevent communication between the parties). In this paper we consider a stronger notion: even when the malicious party is labeled as a cheater, we require that the honest party outputs a bit.

Cleve's impossibility result. The latter notion of fairness turns out to be impossible to achieve in general. Specifically, Cleve [6] showed that for any two-party $r$-round coin-flipping protocol there exists an efficient adversary that can bias the output of the honest party by $\Omega(1/r)$. Cleve's lower bound holds even under arbitrary computational assumptions: the adversary only needs to simulate an honest party, and decide whether or not to abort early depending on the output of the simulation. However, the best previously known protocol (with respect to bias) only guaranteed $O(1/\sqrt{r})$ bias [7, 6], and the question of whether Cleve's bound was tight has remained open for over twenty years.

Fairness in secure computation. The bias of coin-flipping protocols can be viewed as a particular case of the more general framework of fairness in secure computation. Typically, the security of protocols is formalized by comparing their execution in the real model to an execution in an ideal model where a trusted party receives the inputs of the parties, performs the computation on their behalf, and then sends all parties their respective outputs. Executions in the ideal model guarantee complete fairness: either all parties learn the output, or neither party does. Cleve's result, however, shows that without an honest majority complete fairness is generally impossible to achieve, and therefore the formulation of secure computation (see [8]) weakens the ideal model to one in which fairness is not guaranteed. Informally, a protocol is secure-with-abort if its execution in the real model is indistinguishable from an execution in the ideal model allowing the ideal-model adversary to choose whether the honest parties receive their outputs (this is the notion of security satisfied by Blum's coin-flipping protocol).

Recently, Katz [9] suggested an alternate relaxation: keep the ideal model unchanged (i.e., all parties always receive their outputs), but relax the notion of indistinguishability by asking that the real model and ideal model are distinguishable with probability at most $1/p(n) + \nu(n)$, for a polynomial $p(n)$ and a negligible function $\nu(n)$ (we refer the reader to Section 2 for a formal definition). Protocols satisfying this requirement are said to be $1/p$-secure, and intuitively, such protocols guarantee complete fairness in the real model except with probability $1/p$. In the context of coin-flipping protocols, any $1/p$-secure protocol has bias at most $1/p$. However, the definition of $1/p$-security is more general and applies to a larger class of functionalities.

1.1 Our Contributions

In this paper we establish the optimal trade-off between the round complexity and the bias of two-party coin-flipping protocols. We prove the following theorem:

Theorem 1.1. Assuming the existence of oblivious transfer, for any polynomial $r = r(n)$ there exists an $r$-round two-party coin-flipping protocol that is $1/(4r - c)$-secure, for some constant $c > 0$.

We prove the security of our protocol under the simulation-based definition of $1/p$-security¹, which for coin-flipping protocols implies, in particular, that the bias is at most $1/p$. We note that our result not only identifies the optimal trade-off asymptotically, but almost pins down the exact leading constant: Cleve showed that any $r$-round two-party coin-flipping protocol has bias at least $1/(8r + 2)$, and we manage to achieve bias of at most $1/(4r - c)$ for some constant $c > 0$.

¹ In a very preliminary version of this work we proved our results with respect to the definition of bias (see Section 2), and motivated by [10, 9] we switch to the more general framework of $1/p$-secure computation.

Our approach holds in fact for a larger class of functionalities. We consider the more general task of sampling from a distribution $D = (D_1, D_2)$: party $P_1$ receives a sample from $D_1$ and party $P_2$ receives a correlated sample from $D_2$ (in coin-flipping, for example, the joint distribution $D$ produces the values $(0, 0)$ and $(1, 1)$ each with probability $1/2$). Before stating our result in this setting we introduce a standard notation: we denote by $\mathrm{SD}(D, D_1 \otimes D_2)$ the statistical distance between the joint distribution $D = (D_1, D_2)$ and the direct-product of the two marginal distributions $D_1$ and $D_2$. We prove the following theorem which generalizes Theorem 1.1:

Theorem 1.2. Assuming the existence of oblivious transfer, for any efficiently-sampleable distribution $D = (D_1, D_2)$ and polynomial $r = r(n)$ there exists an $r$-round two-party protocol for sampling from $D$ that is $\frac{\mathrm{SD}(D, D_1 \otimes D_2)}{2r - c}$-secure, for some constant $c > 0$.

Our approach raises several open questions that are fundamental to the understanding of coin-flipping protocols. These questions include identifying the minimal computational assumptions that are essential for reaching the optimal trade-off (i.e., one-way functions vs. oblivious transfer), extending our approach to the multiparty setting, and constructing a more efficient variant of our protocol that can result in a practical implementation. We elaborate on these questions in Section 5, and hope that our approach and the questions it raises can make progress towards resolving the complexity of coin-flipping protocols.

1.2 Related Work

Coin-flipping protocols. When security with abort is sufficient, simple variations of Blum's protocol are the most commonly used coin-flipping protocols.

For example, an $r$-round protocol with bias $O(1/\sqrt{r})$ can be constructed by sequentially executing Blum's protocol $O(r)$ times, and outputting the majority of the intermediate output values [7, 6]. We note that in this protocol an adversary can indeed bias the output by $\Omega(1/\sqrt{r})$ by aborting prematurely.

One of the most significant results on the bias of coin-flipping protocols gave reason to believe that the optimal trade-off between the round complexity and the bias is in fact $\Theta(1/\sqrt{r})$ (as provided by the latter variant of Blum's protocol): Cleve and Impagliazzo [11] showed that in the fail-stop model, any two-party $r$-round coin-flipping protocol has bias $\Omega(1/\sqrt{r})$. In the fail-stop model adversaries are computationally unbounded, but they must follow the instructions of the protocol except for being allowed to abort prematurely. In this model commitment schemes exist in a trivial fashion², and therefore the Cleve-Impagliazzo bound also applies to any protocol whose security relies on commitment schemes in a black-box manner, such as Blum's protocol and its variants.

² The protocol for commitment in the fail-stop model is simply to privately decide on the committed value and send the message "I am committed" to the other party.

Coin-flipping protocols were also studied in a variety of other models. Among those are collective coin-flipping in the perfect information model in which parties are computationally unbounded and all communication is public [12, 13, 14, 15, 16], and protocols based on physical assumptions, such as quantum computation [17, 18, 19] and tamper-evident seals [20].

Fair computation. Some of the techniques underlying our protocols found their origins in a recent line of research devoted to achieving various forms of fairness in secure computation. The technique of choosing a secret threshold round, before which no information is learned, and after which aborting the protocol is essentially useless was suggested by Moran and Naor [20] as part of a coin-flipping protocol based on tamper-evident seals. It was later also used by Katz [9] for partially-fair protocols using a simultaneous broadcast channel, and by Gordon et al. [21] for completely-fair protocols for a restricted (but yet rather surprising) class of functionalities. Various techniques for hiding a meaningful round in game-theoretic settings were suggested by Halpern and Teague [22], Gordon and Katz [23], and Kol and Naor [24]. Katz [9] also introduced the technique of distributing shares to the parties in an initial setup phase (which is only secure-with-abort), and these shares are then exchanged by the parties in each round of the protocol.

Subsequent work. Our results were very recently generalized by Gordon and Katz [10] to deal with the more general case of randomized functions, and not only distributions. Gordon and Katz showed that any efficiently-computable randomized function $f : X \times Y \to Z$ where at least one of $X$ and $Y$ is of polynomial size has an $r$-round protocol that is $O(\min\{|X|, |Y|\}/r)$-secure. In addition, they showed that even if both domains are of super-polynomial size but the range $Z$ is of polynomial size, then $f$ has an $r$-round protocol that is $O(|Z|/\sqrt{r})$-secure. Gordon and Katz also showed a specific function $f : X \times Y \to Z$ where $X$, $Y$, and $Z$ are of size super-polynomial which cannot be $1/p$-securely computed for any $p > 2$ assuming the existence of exponentially-hard one-way functions.

1.3 Paper Organization

The remainder of this paper is organized as follows. In Section 2 we review several notions and definitions that are used in the paper (most notably, the definition of $1/p$-secure computation). In Section 3 we describe a simplified variant of our protocol and prove its security. In Section 4 we sketch a more refined and general variant of our protocol (due to space limitations we refer the reader to the full version for its complete specification and proof of security). Finally, in Section 5 we discuss several open problems.

2 Preliminaries

In this section we review the definitions of coin-flipping protocols, $1/p$-secure computation (taken almost verbatim from [10, 9]), security with abort, and one-time message authentication.

2.1 Coin-Flipping Protocols

A two-party coin-flipping protocol is defined via two probabilistic polynomial-time Turing machines $(P_1, P_2)$, referred to as parties, that receive as input a security parameter $1^n$. The parties exchange messages in a sequence of rounds, where in every round each party both sends and receives a message (i.e., a round consists of two moves). At the end of the protocol, $P_1$ and $P_2$ produce output bits $c_1$ and $c_2$, respectively. We denote by $(c_1 | c_2) \leftarrow \langle P_1(1^n), P_2(1^n) \rangle$ the experiment in which $P_1$ and $P_2$ interact (using uniformly chosen random coins), and then $P_1$ outputs $c_1$ and $P_2$ outputs $c_2$. It is required that for all sufficiently large $n$, and every possible pair $(c_1, c_2)$ that may be output by $\langle P_1(1^n), P_2(1^n) \rangle$, it holds that $c_1 = c_2$ (i.e., $P_1$ and $P_2$ agree on a common value). This requirement can be relaxed by asking that the parties agree on a common value with sufficiently high probability³.

³ Cleve's lower bound [6] holds under this relaxation as well. Specifically, if the parties agree on a common value with probability $1/2 + \epsilon$, then Cleve's proof shows that the protocol has bias at least $\epsilon/(4r + 1)$.

The security requirement of a coin-flipping protocol is that even if one of $P_1$ and $P_2$ is corrupted and arbitrarily deviates from the protocol's instructions, the bias of the honest party's output remains bounded. Specifically, we emphasize that a malicious party is allowed to abort prematurely, and in this case it is assumed that the honest party is notified on the early termination of the protocol. In addition, we emphasize that even when the malicious party is labeled as a cheater, the honest party must output a bit. For simplicity, the following definition considers only the case in which $P_1$ is corrupted, and an analogous definition holds for the case that $P_2$ is corrupted:

Definition 2.1. A coin-flipping protocol $(P_1, P_2)$ has bias at most $\epsilon(n)$ if for every probabilistic polynomial-time Turing machine $P_1^*$ it holds that

$$\left| \Pr\left[ (c_1 | c_2) \leftarrow \langle P_1^*(1^n), P_2(1^n) \rangle : c_2 = 1 \right] - \frac{1}{2} \right| \le \epsilon(n) + \nu(n),$$

for some negligible function $\nu(n)$ and for all sufficiently large $n$.

2.2 1/p-Indistinguishability and 1/p-Secure Computation

1/p-Indistinguishability. A distribution ensemble $X = \{X(a, n)\}_{a \in D_n, n \in \mathbb{N}}$ is an infinite sequence of random variables indexed by $a \in D_n$ and $n \in \mathbb{N}$, where $D_n$ is a set that may depend on $n$. For a fixed polynomial $p(n)$, two distribution ensembles $X = \{X(a, n)\}_{a \in D_n, n \in \mathbb{N}}$ and $Y = \{Y(a, n)\}_{a \in D_n, n \in \mathbb{N}}$ are computationally $1/p$-indistinguishable, denoted $X \stackrel{1/p}{\approx} Y$, if for every non-uniform polynomial-time algorithm $D$ there exists a negligible function $\nu(n)$ such that for all sufficiently large $n \in \mathbb{N}$ and for all $a \in D_n$ it holds that

$$\left| \Pr[D(X(a, n)) = 1] - \Pr[D(Y(a, n)) = 1] \right| \le \frac{1}{p(n)} + \nu(n).$$

1/p-Secure computation. A two-party protocol for computing a functionality $F = \{(f_1, f_2)\}$ is a protocol running in polynomial time and satisfying the following functional requirement: if party $P_1$ holds input $(1^n, x)$, and party $P_2$ holds input $(1^n, y)$, then the joint distribution of the outputs of the parties is statistically close to $(f_1(x, y), f_2(x, y))$. In what follows we define the notion of $1/p$-secure computation [10, 9]. The definition uses the standard real/ideal paradigm [25, 8], except that we consider a completely fair ideal model (as typically considered in the setting of honest majority), and require only $1/p$-indistinguishability rather than indistinguishability (we note that, in general, the notions of $1/p$-security and security-with-abort are incomparable). We consider active adversaries, who may deviate from the protocol in an arbitrary manner, and static corruptions.

Security of protocols (informal). The security of a protocol is analyzed by comparing what an adversary can do in a real protocol execution to what it can do in an ideal scenario that is secure by definition.
This is formalized by considering an ideal computation involving an incorruptible trusted party to whom the parties send their inputs. The trusted party computes the functionality on the inputs and returns to each party its respective output. Loosely speaking, a protocol is secure if any adversary interacting in the real protocol (where no trusted party exists) can do no more harm than if it was involved in the above-described ideal computation.

Execution in the ideal model. The parties are $P_1$ and $P_2$, and there is an adversary $A$ who has corrupted one of them. An ideal execution for the computation of $F = \{f_n\}$ proceeds as follows:

Inputs: $P_1$ and $P_2$ hold the security parameter $1^n$ and inputs $x \in X_n$ and $y \in Y_n$, respectively. The adversary $A$ receives an auxiliary input aux.

Send inputs to trusted party: The honest party sends its actual input to the trusted party. The corrupted party may send an arbitrary value (chosen by $A$) to the trusted party. Denote the pair of inputs sent to the trusted party by $(x', y')$.

Trusted party sends outputs: If $x' \notin X_n$ the trusted party sets $x'$ to some default element $x_0 \in X_n$ (and likewise if $y' \notin Y_n$). Then, the trusted party chooses $r$ uniformly at random and sends $f_n^1(x', y'; r)$ to $P_1$ and $f_n^2(x', y'; r)$ to $P_2$.

Outputs: The honest party outputs whatever it was sent by the trusted party, the corrupted party outputs nothing, and $A$ outputs any arbitrary (probabilistic polynomial-time computable) function of its view.

We denote by $\mathrm{IDEAL}_{F,A(\mathrm{aux})}(x, y, n)$ the random variable consisting of the view of the adversary and the output of the honest party following an execution in the ideal model as described above.

Execution in the real model. We now consider the real model in which a two-party protocol $\pi$ is executed by $P_1$ and $P_2$ (and there is no trusted party). The protocol execution is divided into rounds; in each round one of the parties sends a message. The honest party computes its messages as specified by $\pi$. The messages sent by the corrupted party are chosen by the adversary, $A$, and can be an arbitrary (polynomial-time) function of the corrupted party's inputs, random coins, and the messages received from the honest party in previous rounds. If the corrupted party aborts in one of the protocol rounds, the honest party behaves as if it had received a special $\bot$ symbol in that round.

Let $\pi$ be a two-party protocol computing the functionality $F$. Let $A$ be a non-uniform probabilistic polynomial-time machine with auxiliary input aux.
We denote by $\mathrm{REAL}_{\pi,A(\mathrm{aux})}(x, y, n)$ the random variable consisting of the view of the adversary and the output of the honest party, following an execution of $\pi$ where $P_1$ begins by holding input $(1^n, x)$, and $P_2$ begins by holding input $(1^n, y)$.

Security as emulation of an ideal execution in the real model. Having defined the ideal and real models, we can now define security of a protocol. Loosely speaking, the definition asserts that a secure protocol (in the real model) emulates the ideal model (in which a trusted party exists). This is formulated as follows:

Definition 2.2 ($1/p$-secure computation). Let $F$ and $\pi$ be as above, and fix a function $p = p(n)$. Protocol $\pi$ is said to $1/p$-securely compute $F$ if for every non-uniform probabilistic polynomial-time adversary $A$ in the real model, there exists a non-uniform probabilistic polynomial-time adversary $S$ in the ideal model such that

$$\{\mathrm{IDEAL}_{F,S(\mathrm{aux})}(x, y, n)\}_{(x,y) \in X \times Y,\, \mathrm{aux}} \stackrel{1/p}{\approx} \{\mathrm{REAL}_{\pi,A(\mathrm{aux})}(x, y, n)\}_{(x,y) \in X \times Y,\, \mathrm{aux}}$$

and the same party is corrupted in both the real and ideal models.

2.3 Security with Abort

In what follows we use the standard notion of computational indistinguishability. That is, two distribution ensembles $X = \{X(a, n)\}_{a \in D_n, n \in \mathbb{N}}$ and $Y = \{Y(a, n)\}_{a \in D_n, n \in \mathbb{N}}$ are computationally indistinguishable, denoted $X \stackrel{c}{=} Y$, if for every non-uniform polynomial-time algorithm $D$ there exists a negligible function $\nu(n)$ such that for all sufficiently large $n \in \mathbb{N}$ and for all $a \in D_n$ it holds that

$$\left| \Pr[D(X(a, n)) = 1] - \Pr[D(Y(a, n)) = 1] \right| \le \nu(n).$$

Security with abort is the standard notion for secure computation where an honest majority is not available. The definition is similar to the definition of $1/p$-security presented in Section 2.2, with the following two exceptions: (1) the ideal-model adversary is allowed to choose whether the honest parties receive their outputs (i.e., fairness is not guaranteed), and (2) the ideal model and real model are required to be computationally indistinguishable. Specifically, the execution in the real model is as described in Section 2.2, and the execution in the ideal model is modified as follows:

Inputs: $P_1$ and $P_2$ hold the security parameter $1^n$ and inputs $x \in X_n$ and $y \in Y_n$, respectively. The adversary $A$ receives an auxiliary input aux.

Send inputs to trusted party: The honest party sends its actual input to the trusted party. The corrupted party controlled by $A$ may send any value of its choice. Denote the pair of inputs sent to the trusted party by $(x', y')$.

Trusted party sends output to corrupted party: If $x' \notin X_n$ the trusted party sets $x'$ to some default element $x_0 \in X_n$ (and likewise if $y' \notin Y_n$). Then, the trusted party chooses $r$ uniformly at random, computes $z_1 = f_n^1(x', y'; r)$ and $z_2 = f_n^2(x', y'; r)$, and sends $z_i$ to the corrupted party $P_i$ (i.e., to the adversary $A$).

Adversary decides whether to abort: After receiving its output the adversary sends either abort or continue to the trusted party. In the former case the trusted party sends $\bot$ to the honest party $P_j$, and in the latter case the trusted party sends $z_j$ to $P_j$.
Outputs: The honest party outputs whatever it was sent by the trusted party, the corrupted party outputs nothing, and $A$ outputs any arbitrary (probabilistic polynomial-time computable) function of its view.

We denote by $\mathrm{IDEAL}^{\mathrm{abort}}_{F,A(\mathrm{aux})}(x, y, n)$ the random variable consisting of the view of the adversary and the output of the honest party following an execution in the ideal model as described above.

Definition 2.3 (security with abort). Let $F$ and $\pi$ be as above. Protocol $\pi$ is said to securely compute $F$ with abort if for every non-uniform probabilistic polynomial-time adversary $A$ in the real model, there exists a non-uniform probabilistic polynomial-time adversary $S$ in the ideal model such that

$$\{\mathrm{IDEAL}^{\mathrm{abort}}_{F,S(\mathrm{aux})}(x, y, n)\}_{(x,y) \in X \times Y,\, \mathrm{aux}} \stackrel{c}{=} \{\mathrm{REAL}_{\pi,A(\mathrm{aux})}(x, y, n)\}_{(x,y) \in X \times Y,\, \mathrm{aux}}.$$

2.4 One-Time Message Authentication

Message authentication codes provide assurance to the receiver of a message that it was sent by a specified legitimate sender, even in the presence of an active adversary who controls the communication channel. A message authentication code is defined via a triplet (Gen, Mac, Vrfy) of probabilistic polynomial-time Turing machines such that:

1. The key generation algorithm Gen receives as input a security parameter $1^n$, and outputs an authentication key $k$.
2. The authentication algorithm Mac receives as input an authentication key $k$ and a message $m$, and outputs a tag $t$.
3. The verification algorithm Vrfy receives as input an authentication key $k$, a message $m$, and a tag $t$, and outputs a bit $b \in \{0, 1\}$.

The functionality guarantee of a message authentication code is that for any message $m$ it holds that $\mathrm{Vrfy}(k, m, \mathrm{Mac}(k, m)) = 1$ with overwhelming probability over the internal coin tosses of Gen, Mac and Vrfy. In this paper we rely on message authentication codes that are one-time secure. That is, an authentication key is used to authenticate a single message. We consider an adversary that queries the authentication algorithm on a single message $m$ of her choice, and then outputs a pair $(m', t')$. We say that the adversary forges an authentication tag if $m' \ne m$ and $\mathrm{Vrfy}(k, m', t') = 1$. Message authentication codes that are one-time secure exist in the information-theoretic setting, that is, even an unbounded adversary has only a negligible probability of forging an authentication tag. Constructions of such codes can be based, for example, on pair-wise independent hash functions [26].

3 A Simplified Protocol

In order to demonstrate the main ideas underlying our approach, in this section we present a simplified protocol. The simplification is two-fold: First, we consider the specific coin-flipping functionality (as in Theorem 1.1), and not the more general functionality of sampling from an arbitrary distribution $D = (D_1, D_2)$ (as in Theorem 1.2). Second, the coin-flipping protocol will only be $1/(2r)$-secure and not $1/(4r)$-secure.
We describe the protocol in a sequence of refinements. We first informally describe the protocol assuming the existence of a trusted third party. The trusted third party acts as a dealer in a pre-processing phase, sending each party an input that it uses in the protocol. In the protocol we make no assumptions about the computational power of the parties. We then eliminate the need for the trusted third party by having the parties execute a secure-with-abort protocol that implements its functionality (this can be done in a constant number of rounds).

The protocol. The joint input of the parties, $P_1$ and $P_2$, is the security parameter $1^n$ and a polynomial $r = r(n)$ indicating the number of rounds in the protocol. In the pre-processing phase the trusted third party chooses uniformly at random a value $i^* \in \{1, \ldots, r\}$, that corresponds to the round in which the parties learn their outputs. In every round $i \in \{1, \ldots, r\}$ each party learns one bit of information: $P_1$ learns a bit $a_i$, and $P_2$ learns a bit $b_i$. In every round $i \in \{1, \ldots, i^* - 1\}$ (these are the dummy rounds) the values $a_i$ and $b_i$ are independently and uniformly chosen. In every round $i \in \{i^*, \ldots, r\}$ the parties learn the same uniformly distributed bit $c = a_i = b_i$ which is their output in the protocol. If the parties complete all $r$ rounds of the protocol, then $P_1$ and $P_2$ output $a_r$ and $b_r$, respectively⁴. Otherwise, if a party aborts prematurely, the other party outputs the value of the previous round and halts. That is, if $P_1$ aborts in round $i \in \{1, \ldots, r\}$ then $P_2$ outputs the value $b_{i-1}$ and halts. Similarly, if $P_2$ aborts in round $i$ then $P_1$ outputs the value $a_{i-1}$ and halts.

⁴ An alternative approach that reduces the expected number of rounds from $r$ to $r/2 + 1$ is as follows. In round $i^*$ the parties learn their output $c = a_{i^*} = b_{i^*}$, and in round $i^* + 1$ they learn a special value $a_{i^*+1} = b_{i^*+1} = \mathrm{NULL}$ indicating that they should output the value from the previous round and halt. For simplicity (both in the presentation of the protocol and in the proof of security) we chose to present the protocol as always having $r$ rounds, but this is not essential for our results.

More specifically, in the pre-processing phase the trusted third party chooses $i^* \in \{1, \ldots, r\}$ uniformly at random and defines $a_1, \ldots, a_r$ and $b_1, \ldots, b_r$ as follows: First, it chooses $a_1, \ldots, a_{i^*-1} \in \{0, 1\}$ and $b_1, \ldots, b_{i^*-1} \in \{0, 1\}$ independently and uniformly at random. Then, it chooses $c \in \{0, 1\}$ uniformly at random and lets $a_{i^*} = \cdots = a_r = b_{i^*} = \cdots = b_r = c$. The trusted third party creates secret shares of the values $a_1, \ldots, a_r$ and $b_1, \ldots, b_r$ using an information-theoretically-secure 2-out-of-2 secret sharing scheme, and these shares are given to the parties. For concreteness, we use the specific secret-sharing scheme that splits a bit $x$ into $(x^{(1)}, x^{(2)})$ by choosing $x^{(1)} \in \{0, 1\}$ uniformly at random and letting $x^{(2)} = x \oplus x^{(1)}$. In every round $i \in \{1, \ldots, r\}$ the parties exchange their shares for the current round, which enables $P_1$ to reconstruct $a_i$, and $P_2$ to reconstruct $b_i$. Clearly, when both parties are honest, the parties produce the same output bit which is uniformly distributed.

Eliminating the trusted third party. We eliminate the need for the trusted third party by relying on a possibly unfair sub-protocol that securely computes with abort the functionality ShareGen$_r$, formally described in Figure 1. Such a protocol with a constant number of rounds can be constructed assuming the existence of oblivious transfer (see, for example, [27]). In addition, our protocol also relies on a one-time message authentication code (Gen, Mac, Vrfy) that is information-theoretically secure. The functionality ShareGen$_r$ provides the parties with authentication keys and authentication tags so each party can verify that the shares received from the other party were the ones generated by ShareGen$_r$ in the pre-processing phase. A formal description of the protocol is provided in Figure 2.

Proof of security. The following theorem states that the protocol is $1/(2r)$-secure. We then conclude the section by showing that our analysis is in fact tight: there exists an efficient adversary that can bias the output of the honest party by essentially $1/(2r)$.

Functionality ShareGen$_r$

Input: Security parameter $1^n$.

Computation:
1. Choose $i^* \in \{1, \ldots, r\}$ uniformly at random.
2. Define values $a_1, \ldots, a_r$ and $b_1, \ldots, b_r$ as follows:
   - For $1 \le i \le i^* - 1$ choose $a_i, b_i \leftarrow \{0, 1\}$ independently and uniformly at random.
   - Choose $c \leftarrow \{0, 1\}$ uniformly at random, and for $i^* \le i \le r$ let $a_i = b_i = c$.
3. For $1 \le i \le r$, choose $(a_i^{(1)}, a_i^{(2)})$ and $(b_i^{(1)}, b_i^{(2)})$ as random secret shares of $a_i$ and $b_i$, respectively.
4. Compute $k_1^a, \ldots, k_r^a, k_1^b, \ldots, k_r^b \leftarrow \mathrm{Gen}(1^n)$. For $1 \le i \le r$, let $t_i^a = \mathrm{Mac}_{k_i^a}(a_i^{(2)})$ and $t_i^b = \mathrm{Mac}_{k_i^b}(b_i^{(1)})$.

Output:
1. Party $P_1$ receives the values $a_1^{(1)}, \ldots, a_r^{(1)}$, $(b_1^{(1)}, t_1^b), \ldots, (b_r^{(1)}, t_r^b)$, and $k^a = (k_1^a, \ldots, k_r^a)$.
2. Party $P_2$ receives the values $(a_1^{(2)}, t_1^a), \ldots, (a_r^{(2)}, t_r^a)$, $b_1^{(2)}, \ldots, b_r^{(2)}$, and $k^b = (k_1^b, \ldots, k_r^b)$.

Fig. 1. The ideal functionality ShareGen$_r$

Theorem 3.1. For any polynomial $r = r(n)$, if protocol $\pi$ securely computes ShareGen$_r$ with abort, then protocol CoinFlip$_r$ is $1/(2r)$-secure.

Proof. We prove the $1/(2r)$-security of protocol CoinFlip$_r$ in a hybrid model where a trusted party for computing the ShareGen$_r$ functionality with abort is available. Using standard techniques (see [25]), it then follows that when replacing the trusted party computing ShareGen$_r$ with a sub-protocol that securely computes ShareGen$_r$ with abort, the resulting protocol is $1/(2r)$-secure.

Specifically, for every polynomial-time hybrid-model adversary $A$ corrupting $P_1$ and running CoinFlip$_r$ in the hybrid model, we show that there exists a polynomial-time ideal-model adversary $S$ corrupting $P_1$ in the ideal model with access to a trusted party computing the coin-flipping functionality such that the statistical distance between these two executions is at most $1/(2r) + \nu(n)$, for some negligible function $\nu(n)$. For simplicity, in the remainder of the proof we ignore the aspect of message authentication in the protocol, and assume that the only malicious behavior of the adversary $A$ is early abort.
This does not result in any loss of generality, since there is only a negligible probability of forging an authentication tag.

Protocol CoinFlip$_r$

Joint input: Security parameter $1^n$.

Preliminary phase:
1. Parties $P_1$ and $P_2$ run protocol $\pi$ for computing ShareGen$_r(1^n)$ (see Figure 1).
2. If $P_1$ receives $\bot$ from the above computation, it outputs a uniformly chosen bit and halts. Likewise, if $P_2$ receives $\bot$ it outputs a uniformly chosen bit and halts. Otherwise, the parties proceed.
3. Denote the output of $P_1$ from $\pi$ by $a_1^{(1)}, \ldots, a_r^{(1)}$, $(b_1^{(1)}, t_1^b), \ldots, (b_r^{(1)}, t_r^b)$, and $k^a = (k_1^a, \ldots, k_r^a)$.
4. Denote the output of $P_2$ from $\pi$ by $(a_1^{(2)}, t_1^a), \ldots, (a_r^{(2)}, t_r^a)$, $b_1^{(2)}, \ldots, b_r^{(2)}$, and $k^b = (k_1^b, \ldots, k_r^b)$.

In each round $i = 1, \ldots, r$ do:
1. $P_2$ sends the next share to $P_1$:
   (a) $P_2$ sends $(a_i^{(2)}, t_i^a)$ to $P_1$.
   (b) $P_1$ receives $(\hat{a}_i^{(2)}, \hat{t}_i^a)$ from $P_2$. If $\mathrm{Vrfy}_{k_i^a}(\hat{a}_i^{(2)}, \hat{t}_i^a) = 0$ (or if $P_1$ received an invalid message or no message), then $P_1$ outputs $a_{i-1}$ and halts (if $i = 1$ it outputs a uniformly chosen bit).
   (c) If $\mathrm{Vrfy}_{k_i^a}(\hat{a}_i^{(2)}, \hat{t}_i^a) = 1$ then $P_1$ reconstructs $a_i$ using the shares $a_i^{(1)}$ and $\hat{a}_i^{(2)}$.
2. $P_1$ sends the next share to $P_2$:
   (a) $P_1$ sends $(b_i^{(1)}, t_i^b)$ to $P_2$.
   (b) $P_2$ receives $(\hat{b}_i^{(1)}, \hat{t}_i^b)$ from $P_1$. If $\mathrm{Vrfy}_{k_i^b}(\hat{b}_i^{(1)}, \hat{t}_i^b) = 0$ (or if $P_2$ received an invalid message or no message), then $P_2$ outputs $b_{i-1}$ and halts (if $i = 1$ it outputs a uniformly chosen bit).
   (c) If $\mathrm{Vrfy}_{k_i^b}(\hat{b}_i^{(1)}, \hat{t}_i^b) = 1$ then $P_2$ reconstructs $b_i$ using the shares $\hat{b}_i^{(1)}$ and $b_i^{(2)}$.

Output: $P_1$ and $P_2$ output $a_r$ and $b_r$, respectively.

Fig. 2. The coin-flipping protocol CoinFlip$_r$

On input $(1^n, \mathrm{aux})$ the ideal-model adversary $S$ invokes the hybrid-model adversary $A$ on $(1^n, \mathrm{aux})$ and queries the trusted party computing the coin-flipping functionality to obtain a bit $c$. The ideal-model adversary $S$ proceeds as follows:

1. $S$ simulates the trusted party computing the ShareGen$_r$ functionality by sending $A$ shares $a_1^{(1)}, \ldots, a_r^{(1)}, b_1^{(1)}, \ldots, b_r^{(1)}$ that are chosen independently and uniformly at random. If $A$ aborts (i.e., if $A$ sends abort to the simulated ShareGen$_r$ after receiving the shares), then $S$ outputs $A$'s output and halts.
2. $S$ chooses $i^* \in \{1, \ldots, r\}$ uniformly at random.

3. In every round $i \in \{1, \ldots, i^* - 1\}$, $S$ chooses a random bit $a_i$, and sends $A$ the share $a_i^{(2)} = a_i^{(1)} \oplus a_i$. If $A$ aborts then $S$ outputs $A$'s output and halts.
4. In every round $i \in \{i^*, \ldots, r\}$, $S$ sends $A$ the share $a_i^{(2)} = a_i^{(1)} \oplus c$ (recall that $c$ is the value received from the trusted party computing the coin-flipping functionality). If $A$ aborts then $S$ outputs $A$'s output and halts.
5. At the end of the protocol $S$ outputs $A$'s output and halts.

We now consider the joint distribution of $A$'s view and the output of the honest party $P_2$ in the ideal model and in the hybrid model. There are three cases to consider:

1. $A$ aborts before round $i^*$. In this case the distributions are identical: in both models the view of the adversary is the sequence of shares, and the sequence of messages up to the round in which $A$ aborted, and the output of $P_2$ is a uniformly distributed bit which is independent of $A$'s view.
2. $A$ aborts in round $i^*$. In this case $A$'s view is identical in both models, but the distributions of $P_2$'s output given $A$'s view are not identical. In the ideal model, $P_2$ outputs the random bit $c$ that was revealed to $A$ by $S$ in round $i^*$ (recall that $c$ is the bit received from the trusted party computing the coin-flipping functionality). In the hybrid model, however, the output of $P_2$ is the value $b_{i^*-1}$ which is a random bit that is independent of $A$'s view. Thus, in this case the statistical distance between the two distributions is $1/2$. However, this case occurs with probability at most $1/r$ since in both models $i^*$ is independent of $A$'s view until this round (that is, the probability that $A$ aborts in round $i^*$ is at most $1/r$).
3. $A$ aborts after round $i^*$ or does not abort. In this case the distributions are identical: the output of $P_2$ is the same random bit that was revealed to $A$ in round $i^*$.

Note that $A$'s view in the hybrid and ideal models is always identically distributed (no matter what strategy $A$ uses to decide when to abort). The only difference is in the joint distribution of $A$'s view and the honest party's output.
Thus, condtonng on the round at whch A aborts wll have the same effect n the hybrd and deal models; n partcular, condtoned on case 1 or case 3 occurrng, the jont dstrbuton of A s vew and the honest party s output wll be dentcal n both models. We state ths explctly because n smlar (yet nherently dfferent) settngs, usng condtonal probabltes n such a way mght be problematc (see, for example, [28], Sect. 2). The above three cases mply that the statstcal dstance between the two dstrbutons s at most 1/(2r), and ths concludes the proof. Clam 3.2. In protocol ConFlp r there exsts an effcent adversaral party P 1 that can bas the output of P 2 by 1 2 r 2r. Proof. Consder the adversaral party P1 that completes the pre-processng phase, and then halts n the frst round {1,...,r} for whch a =0.We denote by Abort the random varable correspondng to the round n whch P1

aborts, where $\mathsf{Abort} = \bot$ if $P_1^*$ does not abort. In addition, we denote by $c_2$ the random variable corresponding to the output bit of $P_2$. Notice that if $P_1^*$ aborts in round $j$ then $P_2$ outputs a random bit, and if $P_1^*$ does not abort then $P_2$ always outputs 1. Therefore, for every $i \in \{1, \ldots, r\}$ it holds that

$$
\begin{aligned}
\Pr[c_2 = 1 \mid i^* = i]
&= \sum_{j=1}^{i} \Pr[\mathsf{Abort} = j \mid i^* = i] \, \Pr[c_2 = 1 \mid \mathsf{Abort} = j \wedge i^* = i] \\
&\quad + \Pr[\mathsf{Abort} = \bot \mid i^* = i] \, \Pr[c_2 = 1 \mid \mathsf{Abort} = \bot \wedge i^* = i] \\
&= \sum_{j=1}^{i} \Pr[a_1 = \cdots = a_{j-1} = 1, a_j = 0] \, \Pr[c_2 = 1 \mid \mathsf{Abort} = j \wedge i^* = i] \\
&\quad + \Pr[a_1 = \cdots = a_i = 1] \, \Pr[c_2 = 1 \mid \mathsf{Abort} = \bot \wedge i^* = i] \\
&= \sum_{j=1}^{i} \frac{1}{2^j} \cdot \frac{1}{2} + \frac{1}{2^i} \cdot 1 \\
&= \frac{1}{2} + \frac{1}{2^{i+1}} .
\end{aligned}
$$

This implies that

$$
\Pr[c_2 = 1] = \sum_{i=1}^{r} \Pr[i^* = i] \, \Pr[c_2 = 1 \mid i^* = i]
= \sum_{i=1}^{r} \frac{1}{r} \left( \frac{1}{2} + \frac{1}{2^{i+1}} \right)
= \frac{1}{2} + \frac{1 - 2^{-r}}{2r} .
$$

4 The Generalized Protocol

In this section we sketch a more refined and generalized protocol that settles Theorems 1.1 and 1.2 (due to space limitations, we defer the formal description of the protocol and its proof of security to the full version of the paper). The improvements over the protocol presented in Section 3 are as follows:

Improved security guarantee: In the simplified protocol party $P_1$ can bias the output of party $P_2$ (by aborting in round $i^*$), but party $P_2$ cannot bias the output of party $P_1$. This is due to the fact that party $P_1$ always learns the output before party $P_2$ does. In the generalized protocol the party that learns the output before the other party is chosen uniformly at random (i.e., party $P_1$ learns the output before party $P_2$ with probability 1/2). This is achieved by having the parties exchange a sequence of $2r$ values $(a_1, b_1), \ldots, (a_{2r}, b_{2r})$ (using the same secret-sharing exchange technique as in the simplified protocol) with the following property: for odd values of $i$,

party $P_1$ learns $a_i$ before party $P_2$ learns $b_i$, and for even values of $i$ party $P_2$ learns $b_i$ before party $P_1$ learns $a_i$. Thus, party $P_1$ can bias the result only when $i^*$ is odd, and party $P_2$ can bias the result only when $i^*$ is even. The key point is that the parties can exchange the sequence of $2r$ shares in only $r + 1$ rounds by combining some of their messages$^5$. Note that modifying the original protocol by having $\mathsf{ShareGen}$ randomly choose which player starts would also halve the bias (since with probability 1/2 the adversary chooses a player that cannot bias the outcome at all). However, this is vulnerable to a trivial dynamic attack: the adversary decides which party to corrupt after seeing which party was chosen to start.

A larger class of functionalities: We consider the more general task of sampling from a distribution $\mathcal{D} = (\mathcal{D}_1, \mathcal{D}_2)$: party $P_1$ receives a sample from $\mathcal{D}_1$ and party $P_2$ receives a correlated sample from $\mathcal{D}_2$ (in coin-flipping, for example, the joint distribution $\mathcal{D}$ produces the values $(0, 0)$ and $(1, 1)$ each with probability 1/2). Our generalized protocol can handle any polynomially-sampleable distribution $\mathcal{D}$. The basic idea here is that $\mathsf{ShareGen}$ can be modified to output shares of samples for arbitrary (efficiently sampleable) distributions.

Fig. 3. Overview of the generalized protocol

$^5$ Recall that each round consists of two moves: a message from $P_2$ to $P_1$ followed by a message from $P_1$ to $P_2$.

Up to round $i^*$ the values each party receives are independent samples from the marginal distributions (i.e., $P_1$ receives independent samples from $\mathcal{D}_1$, and $P_2$ from $\mathcal{D}_2$). From round $i^*$, the values are the real output from the joint distribution. Figure 3 gives a graphic overview of the protocol (ignoring the authentication tags). As in the simplified protocol, if $P_2$ aborts prematurely, $P_1$ outputs the value $a_i$, where $i$ is the highest index such that $a_i$ was successfully reconstructed. If $P_1$ aborts prematurely, $P_2$ outputs the last $b_i$ value it successfully reconstructed.

5 Open Problems

Identifying the minimal computational assumptions. Blum's coin-flipping protocol, as well as its generalization that guarantees bias of $O(1/\sqrt{r})$, can rely on the existence of any one-way function. We showed that the optimal trade-off between the round complexity and the bias can be achieved assuming the existence of oblivious transfer, a complete primitive for secure computation. A challenging problem is to either achieve the optimal bias based on seemingly weaker assumptions (e.g., one-way functions), or to demonstrate that oblivious transfer is in fact essential.

Identifying the exact trade-off. The bias of our protocol almost exactly matches Cleve's lower bound: Cleve showed that any $r$-round protocol has bias at least $1/(8r + 2)$, and we manage to achieve bias of at most $1/(4r - c)$ for some constant $c > 0$. It will be interesting to eliminate the multiplicative gap of 1/2 by either improving Cleve's lower bound or by improving our upper bound. We note, however, that this cannot be resolved by improving the security analysis of our protocol since there exists an efficient adversary that can bias our protocol by essentially $1/(4r)$ (see Section 4), and therefore our analysis is tight.

Efficient implementation. Our protocol uses a general secure computation step in the preprocessing phase. Although asymptotically optimal, the techniques used in general secure computation often have a large overhead. Hence, it would be helpful to find an efficient sub-protocol to compute the $\mathsf{ShareGen}_r$ functionality that can lead to a practical implementation.

The multiparty setting. Blum's coin-flipping protocol can be extended to an $m$-party $r$-round protocol that has bias $O(m/\sqrt{r})$. An interesting problem is to identify the optimal trade-off between the number of parties, the round complexity, and the bias. Unfortunately, it seems that several natural variations of our approach fail to extend to the case of more than two parties. Informally, the main reason is that a coalition of malicious parties can guess the threshold round with a pretty good probability by simulating the protocol among themselves for any possible subset.
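The abort strategy from the proof of Claim 3.2 can be checked exhaustively for small r. The following is an added example, not code from the paper: it models ShareGen_r as a trusted dealer (independent random bits before the threshold round, the coin c from the threshold round on), uses HMAC-SHA256 as a stand-in for the authentication tags, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from fractions import Fraction
from itertools import product


def tag(key: bytes, share: int) -> bytes:
    # Stand-in MAC (assumption): HMAC-SHA256 under a fresh per-round key.
    return hmac.new(key, bytes([share]), hashlib.sha256).digest()


def vrfy(key: bytes, share: int, t: bytes) -> bool:
    return hmac.compare_digest(tag(key, share), t)


def share_gen(a, b):
    """Trusted-dealer model of ShareGen_r: XOR-share every a_i and b_i and
    tag the share that the other party will have to send."""
    p1 = {"a1": [], "b1": [], "ka": []}  # a_i^(1), (b_i^(1), t_i^b), k_i^a
    p2 = {"a2": [], "b2": [], "kb": []}  # (a_i^(2), t_i^a), b_i^(2), k_i^b
    for a_i, b_i in zip(a, b):
        a1, b1 = secrets.randbelow(2), secrets.randbelow(2)
        ka, kb = secrets.token_bytes(16), secrets.token_bytes(16)
        p1["a1"].append(a1)
        p1["b1"].append((b1, tag(kb, b1)))
        p1["ka"].append(ka)
        p2["a2"].append((a_i ^ a1, tag(ka, a_i ^ a1)))
        p2["b2"].append(b_i ^ b1)
        p2["kb"].append(kb)
    return p1, p2


def p2_output(a, b, coin, p1_aborts_on_zero):
    """Run the r rounds and return the bit an honest P2 outputs.
    `coin` is the uniformly chosen bit P2 falls back to if P1 stops in round 1."""
    p1, p2 = share_gen(a, b)
    last_b = coin
    for i in range(len(a)):
        # Move 1: P2 -> P1. P1 verifies the tag, then reconstructs a_i.
        a2, t_a = p2["a2"][i]
        if not vrfy(p1["ka"][i], a2, t_a):
            raise RuntimeError("honest P2 sent a share that failed Vrfy")
        a_i = p1["a1"][i] ^ a2
        if p1_aborts_on_zero and a_i == 0:
            return last_b  # P1 halts before its move; P2 outputs b_{i-1}
        # Move 2: P1 -> P2. P2 verifies the tag, then reconstructs b_i.
        b1, t_b = p1["b1"][i]
        if not vrfy(p2["kb"][i], b1, t_b):
            return last_b
        last_b = b1 ^ p2["b2"][i]
    return last_b  # b_r


def prob_p2_outputs_one(r, p1_aborts_on_zero):
    """Exact Pr[P2 outputs 1], enumerating the threshold round, the random
    bits before it, the coin c and P2's fallback bit."""
    total = Fraction(0)
    for i_star in range(1, r + 1):
        pre = i_star - 1
        n_bits = 2 * pre + 2
        weight = Fraction(1, r * 2 ** n_bits)
        for bits in product((0, 1), repeat=n_bits):
            c, coin = bits[-2], bits[-1]
            a = list(bits[:pre]) + [c] * (r - pre)
            b = list(bits[pre:2 * pre]) + [c] * (r - pre)
            if p2_output(a, b, coin, p1_aborts_on_zero) == 1:
                total += weight
    return total


def claimed_bias(r):
    # (1 - 2^-r) / (2r), the bias stated in Claim 3.2
    return Fraction(2 ** r - 1, 2 ** r * 2 * r)


if __name__ == "__main__":
    for r in range(1, 6):
        bias = prob_p2_outputs_one(r, True) - Fraction(1, 2)
        print(r, bias, claimed_bias(r), Fraction(1, 2 * r))
```

For every r the enumerated bias equals the value in Claim 3.2 and stays below the 1/(2r) bound from the preceding security proof; with an honest P1 the output is exactly unbiased.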

References

1. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for noncryptographic fault-tolerant distributed computation. In: Proceedings of the 20th Annual ACM Symposium on Theory of Computing, pp (1988)
2. Blum, M.: Coin flipping by telephone - A protocol for solving impossible problems. In: Proceedings of the 25th IEEE Computer Society International Conference, pp (1982)
3. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM Journal on Computing 28(4), (1999)
4. Naor, M.: Bit commitment using pseudorandomness. Journal of Cryptology 4(2), (1991)
5. Impagliazzo, R., Luby, M.: One-way functions are essential for complexity based cryptography. In: Proceedings of the 30th Annual IEEE Symposium on Foundations of Computer Science, pp (1989)
6. Cleve, R.: Limits on the security of coin flips when half the processors are faulty. In: Proceedings of the 18th Annual ACM Symposium on Theory of Computing, pp (1986)
7. Averbuch, B., Blum, M., Chor, B., Silvio Micali, S.G.: How to implement Bracha's O(log n) byzantine agreement algorithm (manuscript, 1985)
8. Goldreich, O.: Foundations of Cryptography: Basic Applications, vol. 2. Cambridge University Press, Cambridge (2004)
9. Katz, J.: On achieving the best of both worlds in secure multiparty computation. In: Proceedings of the 39th Annual ACM Symposium on Theory of computing, pp (2007)
10. Gordon, D., Katz, J.: Partial fairness in secure two-party computation. Cryptology ePrint Archive, Report 2008/206 (2008)
11. Cleve, R., Impagliazzo, R.: Martingales, collective coin flipping and discrete control processes (1993)
12. Alon, N., Naor, M.: Coin-flipping games immune against linear-sized coalitions. SIAM Journal on Computing 22(2), (1993)
13. Ben-Or, M., Linial, N.: Collective coin flipping. Advances in Computing Research: Randomness and Computation 5, (1989)
14. Feige, U.: Noncryptographic selection protocols. In: Proceedings of the 40th Annual IEEE Symposium on Foundations of Computer Science, pp (1999)
15. Russell, A., Zuckerman, D.: Perfect information leader election in log n + O(1) rounds. Journal of Computer and System Sciences 63(4), (2001)
16. Saks, M.: A robust noncryptographic protocol for collective coin flipping. SIAM Journal on Discrete Mathematics 2(2), (1989)
17. Aharonov, D., Ta-Shma, A., Vazirani, U.V., Yao, A.C.: Quantum bit escrow. In: Proceedings of the 32nd Annual ACM Symposium on Theory of Computing, pp (2000)
18. Ambainis, A.: A new protocol and lower bounds for quantum coin flipping. Journal of Computer and System Sciences 68(2), (2004)
19. Ambainis, A., Buhrman, H., Dodis, Y., Rohrig, H.: Multiparty quantum coin flipping. In: Proceedings of the 19th Annual IEEE Conference on Computational Complexity, pp (2004)
20. Moran, T., Naor, M.: Basing cryptographic protocols on tamper-evident seals. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP LNCS, vol. 3580, pp Springer, Heidelberg (2005)
21. Gordon, S.D., Hazay, C., Katz, J., Lindell, Y.: Complete fairness in secure two-party computation. In: Proceedings of the 40th Annual ACM Symposium on Theory of Computing, pp (2008)
22. Halpern, J.Y., Teague, V.: Rational secret sharing and multiparty computation. In: Proceedings of the 36th Annual ACM Symposium on Theory of Computing, pp (2004)
23. Gordon, S.D., Katz, J.: Rational secret sharing, revisited. In: Proceedings on the 5th International Conference on Security and Cryptography for Networks, pp (2006)
24. Kol, G., Naor, M.: Cryptography and game theory: Designing protocols for exchanging information. In: Proceedings of the 5th Theory of Cryptography Conference, pp (2008)
25. Canetti, R.: Security and composition of multiparty cryptographic protocols. Journal of Cryptology 13(1), (2000)
26. Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences 22(3), (1981)
27. Lindell, Y.: Parallel coin-tossing and constant-round secure two-party computation. Journal of Cryptology 16(3), (2003)
28. Bellare, M., Rogaway, P.: Code-based game-playing proofs and the security of triple encryption. Cryptology ePrint Archive, Report 2004/331 (2004)


More information

A note on almost sure behavior of randomly weighted sums of φ-mixing random variables with φ-mixing weights

A note on almost sure behavior of randomly weighted sums of φ-mixing random variables with φ-mixing weights ACTA ET COMMENTATIONES UNIVERSITATIS TARTUENSIS DE MATHEMATICA Volume 7, Number 2, December 203 Avalable onlne at http://acutm.math.ut.ee A note on almost sure behavor of randomly weghted sums of φ-mxng

More information

Economics 101. Lecture 4 - Equilibrium and Efficiency

Economics 101. Lecture 4 - Equilibrium and Efficiency Economcs 0 Lecture 4 - Equlbrum and Effcency Intro As dscussed n the prevous lecture, we wll now move from an envronment where we looed at consumers mang decsons n solaton to analyzng economes full of

More information

Lecture Randomized Load Balancing strategies and their analysis. Probability concepts include, counting, the union bound, and Chernoff bounds.

Lecture Randomized Load Balancing strategies and their analysis. Probability concepts include, counting, the union bound, and Chernoff bounds. U.C. Berkeley CS273: Parallel and Dstrbuted Theory Lecture 1 Professor Satsh Rao August 26, 2010 Lecturer: Satsh Rao Last revsed September 2, 2010 Lecture 1 1 Course Outlne We wll cover a samplng of the

More information

Lecture 3: Probability Distributions

Lecture 3: Probability Distributions Lecture 3: Probablty Dstrbutons Random Varables Let us begn by defnng a sample space as a set of outcomes from an experment. We denote ths by S. A random varable s a functon whch maps outcomes nto the

More information

The Minimum Universal Cost Flow in an Infeasible Flow Network

The Minimum Universal Cost Flow in an Infeasible Flow Network Journal of Scences, Islamc Republc of Iran 17(2): 175-180 (2006) Unversty of Tehran, ISSN 1016-1104 http://jscencesutacr The Mnmum Unversal Cost Flow n an Infeasble Flow Network H Saleh Fathabad * M Bagheran

More information

A Threshold Digital Signature Issuing Scheme without Secret Communication

A Threshold Digital Signature Issuing Scheme without Secret Communication A Threshold Dgtal Sgnature Issung Scheme wthout Secret Communcaton Kazuo Takarag, Kunhko Myazak, Masash Takahash Systems Development Laboratory, Htach, Ltd e-mal: {takara, kunhko, takahas}@sdlhtachcop

More information

Grover s Algorithm + Quantum Zeno Effect + Vaidman

Grover s Algorithm + Quantum Zeno Effect + Vaidman Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the

More information

Turing Machines (intro)

Turing Machines (intro) CHAPTER 3 The Church-Turng Thess Contents Turng Machnes defntons, examples, Turng-recognzable and Turng-decdable languages Varants of Turng Machne Multtape Turng machnes, non-determnstc Turng Machnes,

More information

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm NYU, Fall 2016 Lattces Mn Course Lecture 2: Gram-Schmdt Vectors and the LLL Algorthm Lecturer: Noah Stephens-Davdowtz 2.1 The Shortest Vector Problem In our last lecture, we consdered short solutons to

More information

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of

More information

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011 Stanford Unversty CS359G: Graph Parttonng and Expanders Handout 4 Luca Trevsan January 3, 0 Lecture 4 In whch we prove the dffcult drecton of Cheeger s nequalty. As n the past lectures, consder an undrected

More information

Using T.O.M to Estimate Parameter of distributions that have not Single Exponential Family

Using T.O.M to Estimate Parameter of distributions that have not Single Exponential Family IOSR Journal of Mathematcs IOSR-JM) ISSN: 2278-5728. Volume 3, Issue 3 Sep-Oct. 202), PP 44-48 www.osrjournals.org Usng T.O.M to Estmate Parameter of dstrbutons that have not Sngle Exponental Famly Jubran

More information

Kernel Methods and SVMs Extension

Kernel Methods and SVMs Extension Kernel Methods and SVMs Extenson The purpose of ths document s to revew materal covered n Machne Learnng 1 Supervsed Learnng regardng support vector machnes (SVMs). Ths document also provdes a general

More information

Efficient Two Party and Multi Party Computation against Covert Adversaries

Efficient Two Party and Multi Party Computation against Covert Adversaries Effcent Two Party and Mult Party Computaton aganst Covert Adversares Vpul Goyal Department of Computer Scence Unversty of Calforna, Los Angeles vpul@cs.ucla.edu Adam Smth Department of Computer Scence

More information

x = , so that calculated

x = , so that calculated Stat 4, secton Sngle Factor ANOVA notes by Tm Plachowsk n chapter 8 we conducted hypothess tests n whch we compared a sngle sample s mean or proporton to some hypotheszed value Chapter 9 expanded ths to

More information

Assortment Optimization under MNL

Assortment Optimization under MNL Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.

More information

Canonical transformations

Canonical transformations Canoncal transformatons November 23, 2014 Recall that we have defned a symplectc transformaton to be any lnear transformaton M A B leavng the symplectc form nvarant, Ω AB M A CM B DΩ CD Coordnate transformatons,

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

NP-Completeness : Proofs

NP-Completeness : Proofs NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem

More information

} Often, when learning, we deal with uncertainty:

} Often, when learning, we deal with uncertainty: Uncertanty and Learnng } Often, when learnng, we deal wth uncertanty: } Incomplete data sets, wth mssng nformaton } Nosy data sets, wth unrelable nformaton } Stochastcty: causes and effects related non-determnstcally

More information

FREQUENCY DISTRIBUTIONS Page 1 of The idea of a frequency distribution for sets of observations will be introduced,

FREQUENCY DISTRIBUTIONS Page 1 of The idea of a frequency distribution for sets of observations will be introduced, FREQUENCY DISTRIBUTIONS Page 1 of 6 I. Introducton 1. The dea of a frequency dstrbuton for sets of observatons wll be ntroduced, together wth some of the mechancs for constructng dstrbutons of data. Then

More information

Message modification, neutral bits and boomerangs

Message modification, neutral bits and boomerangs Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental

More information

Lecture 4: Constant Time SVD Approximation

Lecture 4: Constant Time SVD Approximation Spectral Algorthms and Representatons eb. 17, Mar. 3 and 8, 005 Lecture 4: Constant Tme SVD Approxmaton Lecturer: Santosh Vempala Scrbe: Jangzhuo Chen Ths topc conssts of three lectures 0/17, 03/03, 03/08),

More information

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE

CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE CHAPTER 5 NUMERICAL EVALUATION OF DYNAMIC RESPONSE Analytcal soluton s usually not possble when exctaton vares arbtrarly wth tme or f the system s nonlnear. Such problems can be solved by numercal tmesteppng

More information

Round and Communication Efficient Unconditionally-secure MPC with t < n/3 in Partially Synchronous Network

Round and Communication Efficient Unconditionally-secure MPC with t < n/3 in Partially Synchronous Network Round and Communcaton Effcent Uncondtonally-secure MPC wth t < n/3 n Partally Synchronous Network Ashsh Choudhury Arpta Patra Dvya Rav Abstract In ths work, we study uncondtonally-secure mult-party computaton

More information

Randomness and Computation

Randomness and Computation Randomness and Computaton or, Randomzed Algorthms Mary Cryan School of Informatcs Unversty of Ednburgh RC 208/9) Lecture 0 slde Balls n Bns m balls, n bns, and balls thrown unformly at random nto bns usually

More information

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud Resource Allocaton wth a Budget Constrant for Computng Independent Tasks n the Cloud Wemng Sh and Bo Hong School of Electrcal and Computer Engneerng Georga Insttute of Technology, USA 2nd IEEE Internatonal

More information

Bayesian predictive Configural Frequency Analysis

Bayesian predictive Configural Frequency Analysis Psychologcal Test and Assessment Modelng, Volume 54, 2012 (3), 285-292 Bayesan predctve Confgural Frequency Analyss Eduardo Gutérrez-Peña 1 Abstract Confgural Frequency Analyss s a method for cell-wse

More information

TAIL BOUNDS FOR SUMS OF GEOMETRIC AND EXPONENTIAL VARIABLES

TAIL BOUNDS FOR SUMS OF GEOMETRIC AND EXPONENTIAL VARIABLES TAIL BOUNDS FOR SUMS OF GEOMETRIC AND EXPONENTIAL VARIABLES SVANTE JANSON Abstract. We gve explct bounds for the tal probabltes for sums of ndependent geometrc or exponental varables, possbly wth dfferent

More information

Byzantine Agreement Given Partial Broadcast

Byzantine Agreement Given Partial Broadcast J. Cryptology (2005) 18: 191 217 DOI: 10.1007/s00145-005-0308-x 2005 Internatonal Assocaton for Cryptologc Research Byzantne Agreement Gven Partal Broadcast Jeffrey Consdne Computer Scence Department,

More information

Basically, if you have a dummy dependent variable you will be estimating a probability.

Basically, if you have a dummy dependent variable you will be estimating a probability. ECON 497: Lecture Notes 13 Page 1 of 1 Metropoltan State Unversty ECON 497: Research and Forecastng Lecture Notes 13 Dummy Dependent Varable Technques Studenmund Chapter 13 Bascally, f you have a dummy

More information

20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness.

20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness. 20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The frst dea s connectedness. Essentally, we want to say that a space cannot be decomposed

More information