1 / 52

An (Almost) Optimally Fair 3-Party Coin-Flipping

An (Almost) Optimally Fair 3-Party Coin-Flipping. Iftach Haitner and Eliad Tsfadia. Coin-Flipping Protocols. Parties want to jointly flip a uniform bit. I want. Output. Output. Blum’s Coin-Flipping Protocol. I want. Negligible bias – If the honest party is allowed to abort

yestin
Download Presentation

An (Almost) Optimally Fair 3-Party Coin-Flipping

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. An (Almost) Optimally Fair 3-Party Coin-Flipping Iftach Haitner and Eliad Tsfadia

  2. Coin-Flipping Protocols Parties want to jointlyflip a uniformbit I want Output Output

  3. Blum’s Coin-Flipping Protocol • I want • Negligiblebias – If the honest party is allowed to abort • Bias¼ – If the honest party must output a bit

  4. Two-Party Coin-Flipping Protocols Efficient 2-party protocol is -bias CF: • For any PPT and bit :(Same for ) • Honest party mustoutput a bit. An-round-bias CF is called optimally fair.

  5. Many-Party Coin-Flipping Protocols • Efficient -party protocol is analogously defined – The honest parties must output the samebitagainst any number of colluding parties • Negative results for two-party CF protocols are valid also for the many-party case. • Many-party (fair) CF seems much harder to construct than two-party case. • We focus on the three-party case.

  6. Known Results (positive) • [Blum ’82]: bias CF (assuming OWF) • [Cleve ’86]: -round -partybias CF, against corrupted parties (assuming OWF). • [Moran, Naor, Segev ’09] :-round -party -bias CF (assuming OT) • [Beimel, Omri, Orlov ’11] : -round -party-bias CF, against corrupted parties (assuming OT). • For or more corrupted parties, [Cleve ’86] was the best CF protocol.

  7. Known Results (negative) • [Cleve ’86]: Any -round -party CF protocol can be biased by . Holds in anycomputational model. • [Cleve, Impagliazzo ’93] - In the fail-stop model,any -round -party CF protocol canbe biased by . fail-stop model: parties are unbounded, and their onlymalicious action is abortprematurely. In the random oracle model: • [Soled et. al ’11] :No -round -party optimally fair CF, where n is oracle input length. • [Soled et. al ’14]: No oblivious-party optimally fair CF protocol • [Berman, Haitner, Tentes’14] CF (even “unfair”) of any constant bias implies OWF.

  8. Our Result Theorem: Assuming OT, there exists -round, -party -bias CF. New 2-party -bias CF protocol. • Not using the threshold paradigm, used in [MNS ’09] and[BOO ’11] .

  9. Rest of the Talk • [MNS]’s2-party protocol. • [Cleve]’s2-party protocol. • Our 2-party protocol. • Our 3-party protocol.

  10. FairCF via non-Fair SFE • Parties interact in a non-fair Secure Functionality Evaluation (SFE) protocol. • Parties use SFE output as auxiliary input for the fair interaction. • SFE computation is non fair– Rushing adversaries get output first (and might abort). • SFE via constant-round protocol (assuming OT). In the following: • SFE as honest, non-fair dealer. • Parties are unbounded, fail-stop.

  11. Fair CF via non-Fair SFE, cont. • Sample (values) and . • Outputs two sets of shares(one per party), via 2-out-of-2Secret Sharing Scheme (SSS). Honest Dealer A’s shares of B’s shares of For to : B sends his share of A sends her share of B reconstructs and A reconstructs B A • Output: A outputs a bit according to , and B outputs the samebit according to . • A aborts at round : B outputs a bit according to. • Interaction is merely a shares exchanging. • Aborting at SFE part is harmless. • Advantage of aborting at round : Aborting party knows’th round value, while other party does not.

  12. [MNS]‘s 2-Party Protocol

  13. [MNS]2-Party Protocol Dealer: • and . • For to : • For to : • Split into two sets of shares using -out-of- SSS

  14. [MNS]2-Party Protocol

  15. [MNS] ‘s 2-Party Protocol ’s shares of ’s shares of For to : B sends his share of A sends her share of (a) A Party reconstructs A sends her share of B sends his share of (b) Both parties reconstruct • Output: Both parties output for first with . • A aborts: B outputs for maximalthis value was reconstructed. • A aborts before first round: B outputs uniformbit.

  16. Analysis Each party shares are uniform strings Aborting before firstround is harmless. Consider aborting at round • – ’s view at the end of ’th round. • –w/othe abort message. • –’s expected output given (in an honest continuation) ’s bias (towards 0 or 1):

  17. Analysis cont. • : . Nobias • : . Nobias : • : . No bias • : and . = =

  18. Fairness via Defense

  19. No-Defense [MNS] Dealer: • Let and . • For to : • For to : • Split into two sets of shares using-out-of- secret sharing scheme

  20. No-Defense [MNS] Dealer: • Let and . • For to : • For to : • Split into two sets of shares using-out-of- secret sharing scheme

  21. No-Defense [MNS] Dealer: Let and . For to :let For to : let Split into two sets of shares using-out-of- secret sharing scheme

  22. No-Defense [MNS] ’s shares of ’s shares of For to : B sends his share of A sends her share of Both parties reconstruct A • Output: Both parties output for first with . • A aborts: B outputs if revealed; O/w a uniform bit. B • Bias. • Addingdefense valuesprevents such attack. • Defense values themselves cause a bias. • Resulting bias is .

  23. [MNS] – Distribution of Defense Values , reconstructed at round (i,a), is sampled according to protocol value at end of round (i,b)

  24. 3-Party [MNS]?

  25. 3-Party Coin-Flipping Efficient 3-party protocol is -bias CF: • For any PPTs and , and bit :(Same for other two-party collations) • Non-aborting parties mustoutput the samebit.

  26. 3-Party Coin-Flipping cont. Assume Aaborts at round and let be its view at that time • Expected outcome of (B,C) should be close to • To decide on common output, (B,C) shouldinteract in 2-party fairCF • This inner2-party interaction should not reveal (o/w, coalition of B andC can bias the protocol).

  27. Extending [MNS] for 3-Party Case Dealer: • and . • For to : • be shares for defense inner 2-party protocols. • If , . Otherwise, . • Split into three sets of shares using 3-out-of-3 SSS.

  28. Extending [MNS] for 3-Party Case For to : sends his shares of sends her shares of Sends his share of Sends her share of Broadcast Channel B sends his shares of Parties reconstruct defensevalues Sends his share of A All parties reconstruct • Output: All parties output for first with . • A aborts : B and C execute innerprotocol using for maximalthose values were reconstructed. C

  29. Inner Protocol Leaks Outer Protocol Value Consider the inner 2-party protocol described in • Joint output should be (close to) uniform if , and close to if . • Inner protocol should be fair. • Defense values of inner protocol: • monochromatic if • mixedif . Adversary controlling bothB and C finds at beginningof the round (i.e., (,a)). Thus, achieving constant bias. Issue is the constantjump in protocol value of underlying no-defense [MNS] • This is regardless of the inner protocol

  30. [Cleve]’s 2-Party Protocol

  31. [Cleve]’s 2-Party Protocol For to : A • Output: if ; Otherwise, . • A aborts at round : Bchooses by itself.

  32. Smoothness of [Cleve]’s protocol • A’s view at the end of round j For simplicity, assumeisuniform over . • B’s expected outcome given . • : • : • happens w.p.

  33. Our 2-Party Protocol

  34. Our 2-Party Protocol Dealer: – taking w.p. and 0o/w. • For to : • , • Split into two sets of shares using 2-out-of-2SSS • is the expected outcome (i.e., protocol value) given .

  35. Our 2-Party Protocol (reconstructed at round (i,a)) is sampled according to protocol value at end of round (i,b) ’s shares of ’s shares of For to : B sends his share of A sends her share of (a) A P reconstructs A sends her share of B sends his share of (b) B Both parties reconstruct • Output: if ; Otherwise, . • A aborts: B outputs for maximal for which this value was reconstructed.

  36. Analysis aborts at round • – ’s view at the endof ’th round. • –w/othe abort message. • –’s expected output given (in honest continuation) Aborting at round (i,b) is harmless. Aborting at round (i,a): • contains and = where

  37. Analysis cont. = Assume . for • On expectation = . • for “small” i(e.g., ) • for “large” i(e.g., ) …..

  38. Weighted Majority Protocol • Parties output the majority of coins instead of . • First rounds getting more weight than last rounds.

  39. Weighted Majority Protocol cont. • For to : • Split into two sets of shares using 2-out-of-2 secret sharing scheme

  40. WeightedMajorityProtocol cont.. • For to : • Split into two sets of shares using 2-out-of-2 secret sharing scheme • sum of uniform coins over

  41. Analysis At round with • is uniform in • is sum of ) coins • coins are left to reconstruct Protocol outcome is determined w.p. (compared to in non-weighted majority protocol) • On expectation = . • Since might be adaptive, additional factoris paid.

  42. -Coin-Flipping Protocols Efficient 2-party protocol is -bias -CF: • For any PPT and,(Same for ) Used as the inner2-party protocol of our 3-party protocol.

  43. Our-Coin-Flipping Protocol • dist. over ,taking w.p. and o/w. • s.t.: • Input: • Let • For to : • Split into two sets of shares using 2-out-of-2 secret sharing scheme • When calling the dealer with input protocol’s expected outcome is . • To get fairness, weighted majority is required.

  44. Hiding Algorithm An algorithm D is hidingif: D() does not leak more information about , than a-biased coin. For our 3-party CF, we need 2-party CF with hiding dealer The dealer from last slide is notsuch dealer. A “derandomized variant” of it is.

  45. Non-Hiding Dealer • dist over , taking w.p. and o/w. • Input: : • Set • For to , let • Split into two sets of shares using 2-out-of-2 secret sharing scheme • Effectively, form 2mindependent samples from (), and thus determine.

  46. Hiding Dealer • dist over , taking w.p. and o/w. • Input: . • Set • For to , let • Split into two sets of shares using 2-out-of-2 secret sharing scheme Let : Return 1 if where is an (m-i)-element randomsubsetof S : Return 1 if where are independentsamples from . • Only 2m samples from • Leaks no more than a single sample from ()

  47. Our 3-Party Coin-Flipping Protocol

  48. 3-Party Coin-Flipping (reminder) Efficient 3-party protocol is -bias CF: • For any PPTs and , and bit :(Same for other two-party collations) • Non-aborting parties mustoutput the samebit.

  49. Our 3-Party Protocol • Dealer: • Dhidingdealer for 2-party optimally-fair CF • For to : • Let • Split into 3 sets of shares using 3-out-of-3 SSS. • Expected outcome ofinneri-round 2-party protocol equalsexpected outcome of outer3-party protocol given.

  50. Our 3-Party Protocol For to : sends his shares of sends her shares of Sends his share of Sends her share of Broadcast Channel sends his shares of All parties reconstruct their defensevalues. Sends his share of All parties reconstruct • Output: if ; Otherwise, . • Aaborts: B and C interact in 2-party CF using for maximal those values were reconstructed.

More Related