From non-abelian anyons to quantum computation to coin-flipping by telephone
Coin Flipping with Constant Bias Implies One-Way Functions
of 23
description
Coin Flipping with Constant Bias Implies One-Way Functions. Iftach Haitner and Eran Omri. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A. Cryptography Implies One-Way Functions. - PowerPoint PPT Presentation
Transcript of Coin Flipping with Constant Bias Implies One-Way Functions
Slide 1
Iftach Haitner and Eran OmriCoin Flipping with Constant Bias Implies One-Way FunctionsTexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAA1Cryptography Implies One-Way FunctionsAlmost all computational cryptography is known to imply one-way functions [Impagliazzo-Luby 89]One-way functions (OWFs): efficiently computable functions that no efficient algorithm can invert (with more than negligible probability)
The characterization of coin-flipping protocols is not (fully) known
2
3Coin-Flipping Protocols3
4Coin-Flipping Protocolsc = 0 w.p oneBias is The big problem how to react to abort??Even the simple strategy of abort is a problem
4Blums Coin-Flipping Protocol
5Negligible biasCommitment obtained using OWF
5
Coin-Flipping ProtocolsAn efficient two-party protocol (A,B) is -bias CF if: Pr[(A,B)(1n)= (1,1)] = Pr[(A,B)(1n) = (0,0)] = For any PPT A and b2{0,1}, Pr[(A,B)(1n) =(,b)] + (same for B)Numerous applications (Zero-knowledge Proofs, Secure Function Evaluation)Implied by OWFs [Blum83, Naor89, Hstad et. al 90]
Does coin flipping imply OWFs?
6Known ResultsAlmost-optimal (i.e., negl(n)-bias) CF implies OWFs [IL 89]Non-trivial (i.e., ( -1/poly(n))-bias) constant-round CF implies OWFs [Maji, Prabhakaran, Sahai 10]Constant-bias ( -1/poly(n)) CF implies P NP [Maji, Prabhakaran, Sahai 10] Non-trivial CF implies P PSPACE
For !(1)-round, non-negl-bias CF, the results are far from being tight7Our Result8Proving the Main LemmaProof outline:Define unbounded strategies for A and BCareful analysis Approximate the strategies efficiently using OWF inverter9The Random Continuation AttackDefine A as follows (B is defined analogously)
A aborts if no valid (rA,rB) exists
On transcript , A samples uniform (rA,rB) s.t.(A(rA),B(rB)) is consistent with out(A(rA),B(rB)) = 1Sends A(rA)s reply on Execution tree T of (A,B) Nodes are all possible (partial) transcriptsNode is labeled by v[] / w[]v[] = Prout(A,B)[1|]w[] = Pr(A,B)[] Leaves determine the parties inputs
11 / 1 ?/ ?/ 10010/? 1/? 0/? The Protocol (A,B) All Honest1-leaf0-leafThe Protocol (A,B) All Cheating
The Protocols (A,B) and (A,B) Compensation Lemma (slightly simplified):For any frontier* L in T Pr(A,B)[L] Pr(A,B) [L] = Pr(A,B)[L] Pr(A,B)[L]No node in L has an ancestor in L (wrt. T)
Proof:Let L ={2 T: is a 1-leaf}Pr(A,B) [L] = and Pr(A,B)[L] = 1 ) Pr(A,B)[L] Pr(A,B)[L] =
13
Pr(A,B)[] = 2v[]w[]Pr(A,B)[L]Pr(A,B)[L] = Pr(A,B)[L]Pr(A,B)[L] / 1 ?/ ?/ 1001 ?/ ? ABEfficient Strategiesf(rA,rB,i) = l(rA,rB)1,,i,v[l(rA,rB)] l(rA,rB) is the full transcript (leaf) generated by (A(rA),B(rB))
To sample (rA,rB), A invokes f-inverter to get uniform preimage of (,1)On trans. , A samples uniform (rA,rB) s.t.(A(rA),B(rB)) is consistent with out(A(rA),B(rB)) = 1Sends A(rA)s reply on
using OWFs inverter Inverting f(rA,rB,i)= l(rA,rB)1,,i,v[l(rA,rB)]Assuming OWFs do not exist, 9 efficient f-inverter that on a unifrom output of f, returns almost uniform preimage [IL 89]Problem: the query distribution induced by unbounded (A,B), might be far from uniform A repeatedly deviates from the prescribed protocol
Does the success of unbounded As (or of B), depend on non-typical queries?Main observation: A or B do well enough, even if f-inverter fails on non-typical queriesTwo Types of Non-Typical Queriesf(rA,rB,i) = l(rA,rB)1,,i,v[l(rA,rB)]As queries are of the form (,1)UnBalanced queries UnBalA = {2 T: Pr(A,B) [] > c Pr(A,B) []} where c is large (e.g., 1000)Prf[(UnBalA,)] = Pr(A,B) [UnBalA] < 1/cLow-Value queries LowVal = {2 T: v[] < }, where is small (e.g., 0.001)Prf[(LowVal,1)] < Distribution of other queries is dominated by the output distribution of fLow-Value QueriesPr(A,B)[] = 2v[]w[]LowVal ={2 T: v[]< 2and is top-most such node}
Pr(A,B) [LowVal] = 2LowVal 2v[] Pr(A,B) [] < 22 2LowVal Pr(A,B) [] < 22
Compensation Lemma yields Pr(A,B) [LowVal] Pr(A,B) [LowVal] < 22
Yet, Pr(A,B) [LowVal] might be large ) As success might depend on inverting f on LowValWe prove: A or B do well enough, even if both fail on LowVal (but succeed elsewhere)Low-Value Queries cont. 10B0119UnBalanced QueriesUnBalA = {2 T: Pr(A,B) [] > cPr(A,B) [] and is top-most such node}Pr(A,B) [UnBalA] < 1/cPr(A,B)[UnBalA] = 22UnBalA v[] Pr(A,B)[] 2Pr(A,B)[UnBalA] < 2/c
Compensation Lemma yieldsPr(A,B)[UnBalA] < 2/c220UnBalanced Queries cont.Unless is small, A might (still) gain a lot from visiting BiasedA 1010
10
1001/k1-1/k
0
BA21
-bias weak coin-flipping: Pr[(A,B)(1n) = 0] + Pr[(A,B)(1n) = 1] + Weaker security guarantee, yet has many applicationsPrevious work holds wrt weak coin-flippingSummaryConstant-bias coin flipping implies OWFs
Challenge: prove that any non-trivial coin flipping implies OWFs
23
![Optimal Coin Flipping - Cornell Universitykozen/Papers/Coinflip.pdf · Optimal Coin Flipping 411 Example 2. The following example is a slight modification of one from [8]. The state](https://static.fdocuments.us/doc/165x107/5b3c48aa7f8b9a895a8d324c/optimal-coin-flipping-cornell-university-kozenpaperscoinflippdf-optimal.jpg)
