Almost-Optimally Fair Multiparty Coin-Tossing with Nearly Three-Quarters Malicious

Alon, Bar; Omri, Eran

doi:10.1007/978-3-662-53641-4_13

Cited by 27 publications

(51 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…} such that X 0 = x * and X n ∈ {0, 1}. We define optimal score as opt n (x * , ℓ) := inf (X,E)∈An(x * ) max-score ℓ (X, E) xi x (1) x (2) . .…”

Section: Preliminariesmentioning

confidence: 99%

“…, n, any node at depth i has |Ω i+1 | children. In fact, for each i, the edge between a node at depth i and a child at depth (i + 1) corresponds to a possible outcome that E i+1 can take from the set Ω i+1 = {x (1) , . .…”

Section: Preliminariesmentioning

confidence: 99%

“…For simplicity, let us consider finite martingales, i.e., the sample space Ω i of the random variable E i is finite. Suppose that the root X 0 = x in the corresponding martingale tree has t children with values x (1) , x (2) , . .…”

Section: Proof Of Theoremmentioning

confidence: 99%

“…If X 0 does not have a t-bit binary representation (for example, say, X 0 = 1/3, X 0 = 1/e, or X 0 = 1/n) then we construct a bias-X ′ 0 coin, where X ′ 0 is the t-bit truncation of X 0 . This protocol has t · n-communication complexity and is 1 2…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Estimating Gaps in Martingales and Applications to Coin-Tossing: Constructions and Hardness

Khorasgani

Maji

Mukherjee

2019

Theory of Cryptography

View full text Add to dashboard Cite

Consider the representative task of designing a distributed coin-tossing protocol for n processors such that the probability of heads is X0 ∈ [0, 1], and an adversary can reset one processor to change the distribution of the final outcome. For X0 = 1/2, in the non-cryptographic setting, no adversary can deviate the probability of the outcome of the well-known Blum's "majority protocol" by more than 1 √ 2πn , i.e., it is 1 √ 2πn insecure. For computationally bounded adversaries and any X0 ∈ [0, 1], the protocol of Moran, Naor, and Segev (2009) is only O 1 n insecure. In this paper, we study discrete-time martingales (X0, X1, . . . , Xn) such that Xi ∈ [0, 1], for all i ∈ {0, . . . , n}, and Xn ∈ {0, 1}. These martingales are commonplace in modeling stochastic processes like coin-tossing protocols in the non-cryptographic setting mentioned above. In particular, for any X0 ∈ [0, 1], we construct martingales that yield 1 2 X 0 (1−X 0 ) n insecure coin-tossing protocols with n-bit communication; irrespective of the number of bits required to represent the output distribution. Note that for sufficiently small X0, we achieve higher security than Moran et al.'s protocol even against computationally unbounded adversaries. For X0 = 1/2, our protocol requires only 40% of the processors to achieve the same security as the majority protocol.The technical heart of our paper is a new inductive technique that uses geometric transformations to precisely account for the large gaps in these martingales. For any X0 ∈ [0, 1], we show that there exists a stopping time τ such thatThe inductive technique simultaneously constructs martingales that demonstrate the optimality of our bound, i.e., a martingale where the gap corresponding to any stopping time is small. In particular, we construct optimal martingales such that any stopping time τ hasOur lower-bound holds for all X0 ∈ [0, 1]; while the previous bound of Cleve and Impagliazzo (1993) exists only for positive constant X0. Conceptually, our approach only employs elementary techniques to analyze these martingales and entirely circumvents the complex probabilistic tools inherent to the approaches of Cleve and Impagliazzo (1993) and Beimel, Haitner, Makriyannis, and Omri (2018). By appropriately restricting the set of possible stopping-times, we present representative applications to constructing distributed coin-tossing/dice-rolling protocols, discrete control processes, fail-stop attacking coin-tossing/dice-rolling protocols, and black-box separations. ACM Subject ClassificationMathematics of computing → Markov processes; Security and privacy → Information-theoretic techniques; Security and privacy → Mathematical foundations of cryptography 2 Estimating Gaps in Martingales and Applications to Coin-Tossing: Constructions & Hardness

show abstract

“…} such that X 0 = x * and X n ∈ {0, 1}. We define optimal score as opt n (x * , ℓ) := inf (X,E)∈An(x * ) max-score ℓ (X, E) xi x (1) x (2) . .…”

Section: Preliminariesmentioning

confidence: 99%

Section: Preliminariesmentioning

confidence: 99%

Section: Proof Of Theoremmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Estimating Gaps in Martingales and Applications to Coin-Tossing: Constructions and Hardness

Khorasgani

Maji

Mukherjee

2019

Theory of Cryptography

View full text Add to dashboard Cite

show abstract

“…Recently, Haitner and Tsfadia [32] constructed an m-round, three-party coin-flipping protocol with bias O(log 3 m/m) against two corruptions. In a subsequent work, Alon and Omri [3] presented for any t ∈ O(1), an m-round, t-party coin-flipping protocol, with bias O(log 3 m/m) against < 3t/4 corrupted parties. (All the above results hold under the assumption that oblivious transfer protocols exist.)…”

mentioning

confidence: 99%

Fair Coin Flipping: Tighter Analysis and the Many-Party Case

Buchbinder¹,

Haitner²,

Levi³

et al. 2017

Proceedings of the Twenty-Eighth Annual ACM-SIAM Symposium on Discrete Algorithms

View full text Add to dashboard Cite

In a multi-party fair coin-flipping protocol, the parties output a common (close to) unbiased bit, even when some corrupted parties try to bias the output. In this work we focus on the case of dishonest majority, ie at least half of the parties can be corrupted. [19] [STOC 1986] has shown that in any m-round coin-flipping protocol the corrupted parties can bias the honest parties' common output bit by Θ(1/m). For more than two decades the best known coin-flipping protocols against majority was the protocol of We make a step towards eliminating the above gap, presenting a t-party, m-round coin-flipping protocol, with bias O(). This improves upon the Θ(t/ √ m)-bias protocol of [9] for any t ≤ 1/2 · log log m, and in particular for t ∈ O(1), this yields an 1/m We analyze our new protocols by presenting a new paradigm for analyzing fairness of coin-flipping protocols. We map the set of adversarial strategies that try to bias the honest parties outcome in the protocol to the set of the feasible solutions of a linear program. The gain each strategy achieves is the value of the corresponding solution. We then bound the the optimal value of the linear program by constructing a feasible solution to its dual.

show abstract

On the Complexity of Fair Coin Flipping

Haitner

Makriyannis

Omri

2018

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

A two-party coin-flipping protocol is ε-fair if no efficient adversary can bias the output of the honest party (who always outputs a bit, even if the other party aborts) by more than ε. Cleve [STOC '86] showed that r-round o(1/r)-fair coin-flipping protocols do not exist. Awerbuch, Blum, Chor, Goldwasser, and Micali [Manuscript '85] constructed a Θ(1/ √ r)-fair coin-flipping protocol, assuming the existence of one-way functions. Moran, Naor, and Segev [Journal of Cryptology '16] constructed an r-round coin-flipping protocol that is Θ(1/r)-fair (thus matching the aforementioned lower bound of Cleve [STOC '86]), assuming the existence of oblivious transfer.The above gives rise to the intriguing question of whether oblivious transfer, or more generally "public-key primitives," is required for an o(1/ √ r)-fair coin flipping protocol. Towards answering this intriguing question, Maji and Wang [19] [Crypto '18] have recently showed that in the random oracle model (ROM), any coin-flipping protocol can be biased by Ω(1/ √ r). This implies that o(1/ √ r)-fair coin-flipping protocol cannot be constructed from one-way function, or from a family of collision-resistant hash functions, in a black-box way. This result does not rule out, however, non black-box constructions, and black-box constructions based on primitives that cannot be realized in the ROM.We make a different progress towards answering above question by showing that, for any constant r ∈ N, the existence of an 1/(c • √ r)-fair, r-round coin-flipping protocol implies the existence of an infinitely-often key-agreement protocol, where c denotes some universal constant (independent of r). Our reduction is non black-box and makes a novel use of the recent dichotomy for two-party protocols of Haitner, Nissim, Omri, Shaltiel, and Silbak to facilitate a two-party variant of the recent attack of Beimel, Haitner, Makriyannis, and Omri on multi-party coin-flipping protocols.

show abstract

Almost-Optimally Fair Multiparty Coin-Tossing with Nearly Three-Quarters Malicious

Cited by 27 publications

References 26 publications

Estimating Gaps in Martingales and Applications to Coin-Tossing: Constructions and Hardness

Estimating Gaps in Martingales and Applications to Coin-Tossing: Constructions and Hardness

Fair Coin Flipping: Tighter Analysis and the Many-Party Case

On the Complexity of Fair Coin Flipping

Contact Info

Product

Resources

About