Niv Buchbinder,Iftach Haitner,Nissan Levi,Eliad Tsfadia

DOI: https://doi.org/10.1137/1.9781611974782.170

2022-06-17

Abstract:In a multi-party fair coin-flipping protocol, the parties output a common (close to) unbiased bit, even when some adversarial parties try to bias the output. In this work we focus on the case of an arbitrary number of corrupted parties. Cleve [STOC 1986] has shown that in any such $m$-round coin-flipping protocol, the corrupted parties can bias the honest parties' common output bit by $\Theta(1/m)$. For more than two decades, the best known coin-flipping protocol was the one of Awerbuch et al. [Manuscript 1985], who presented a $t$-party, $m$-round protocol with bias $\Theta(t/\sqrt{m})$. This was changed by the breakthrough result of Moran et al. [TCC 2009], who constructed an $m$-round, two-party coin-flipping protocol with optimal bias $\Theta(1/m)$. Haitner and Tsfadia [STOC 2014] constructed an $m$-round, three-party coin-flipping protocol with bias $O(\log^3m / m)$. Still for the case of more than three parties, the best known protocol remained the $\Theta(t/\sqrt{m})$-bias protocol of Awerbuch et al. We make a step towards eliminating the above gap, presenting a $t$-party, $m$-round coin-flipping protocol, with bias $O(\frac{t^4 \cdot 2^t \cdot \sqrt{\log m}}{m^{1/2+1/\left(2^{t-1}-2\right)}})$ for any $t\le \tfrac12 \log\log m$. This improves upon the $\Theta(t/\sqrt{m})$-bias protocol of Awerbuch et al., and in particular, for $t\in O(1)$ it is an $1/m^{\frac12 + \Theta(1)}$-bias protocol. For the three-party case, it is an $O(\sqrt{\log m}/m)$-bias protocol, improving over the $O(\log^3m / m)$-bias protocol of Haitner and Tsfadia. Our protocol generalizes that of Haitner and Tsfadia, by presenting an appropriate recovery protocol for the remaining parties to interact in, in the case that some parties abort or are caught cheating. We prove the fairness of the new protocol by presenting a new paradigm for analyzing fairness of coin-flipping protocols.

Cryptography and Security

Iftach Haitner,Yonatan Karidi-Heller

2024-10-27

Abstract:In a distributed coin-flipping protocol, Blum [ACM Transactions on Computer Systems '83], the parties try to output a common (close to) uniform bit, even when some adversarially chosen parties try to bias the common output. In an adaptively secure full-information coin flip, Ben-Or and Linial [FOCS '85], the parties communicate over a broadcast channel, and a computationally unbounded adversary can choose which parties to corrupt along the protocol execution. Ben-Or and Linial proved that the $n$-party majority protocol is resilient to $O(\sqrt{n})$ corruptions (ignoring poly-logarithmic factors), and conjectured this is a tight upper bound for any $n$-party protocol (of any round complexity). Their conjecture was proved to be correct for single-turn (each party sends a single message) single-bit (a message is one bit) protocols Lichtenstein, Linial and Saks [Combinatorica '89], symmetric protocols Goldwasser, Tauman Kalai and Park [ICALP '15], and recently for (arbitrary message length) single-turn protocols Tauman Kalai, Komargodski and Raz [DISC '18]. Yet, the question of many-turn protocols was left entirely open. In this work, we close the above gap, proving that no $n$-party protocol (of any round complexity) is resilient to $\omega(\sqrt{n})$ (adaptive) corruptions.

Cryptography and Security

Atul Singh Arora,Jamie Sikora,Thomas Van Himbeeck

2024-04-26

Abstract:Weak coin flipping is the cryptographic task where Alice and Bob remotely flip a coin but want opposite outcomes. This work studies this task in the device-independent regime where Alice and Bob neither trust each other, nor their quantum devices. The best protocol was devised over a decade ago by Silman, Chailloux, Aharon, Kerenidis, Pironio, and Massar with bias $\varepsilon \approx 0.33664$, where the bias is a commonly adopted security measure for coin flipping protocols. This work presents two techniques to lower the bias of such protocols, namely self-testing and abort-phobic compositions. We apply these techniques to the SCAKPM '11 protocol above and, assuming a continuity conjecture, lower the bias to $\varepsilon \approx 0.29104$. We believe that these techniques could be useful in the design of device-independent protocols for a variety of other tasks.

Quantum Physics,Cryptography and Security

Ivan Geffner,Joseph Y. Halpern

DOI: https://doi.org/10.48550/arXiv.2312.14775

2023-12-25

Abstract:Protocols for tossing a common coin play a key role in the vast majority of implementations of consensus. Even though the common coins in the literature are usually \emph{fair} (they have equal chance of landing heads or tails), we focus on the problem of implementing a \emph{biased} common coin such that the probability of landing heads is $p \in [0,1]$. Even though biased common coins can be implemented using fair common coins, we show that this can require significant inter-party communication. In fact, we show that there is no bound on the number of messages needed to generate a common coin of bias $p$ in a way that tolerates even one malicious agent, even if we restrict $p$ to an arbitrary infinite subset of $[0,1]$ (e.g., rational numbers of the form $1/2^n$) and assume that the system is synchronous. By way of contrast, if we do not require the protocol to tolerate a faulty agent, we can do this. Thus, the cause of the message complexity is the requirement of fault tolerance.

Distributed, Parallel, and Cluster Computing,Multiagent Systems

Jia-Jun Ma,Fen-Zhuo Guo,Qian Yang,Yan-Bing Li,Qiao-Yan Wen

DOI: https://doi.org/10.48550/arXiv.1107.1455

2012-03-19

Abstract:In this paper, we present a quantum strong coin flipping protocol. In this protocol, an EPR pair and a quantum memory storage are made use of, and losses in the quantum communication channel and quantum memory storage are all analyzed. We obtain the bias in the fair scenario as a function of $p$, where $p$ is the probability that the particle in Bob's quantum memory storage is lost, which means our bias varies as the degree of losses in the quantum memory storage changes. Therefore we call our protocol semi-loss-tolerant. We also show that the bias decreases with decreasing $p$. When $p$ approaches 0, the bias approaches 0.3536, which is less than that of all the previous loss-tolerant protocols. Details of both parties' optimal cheating strategies are also given and analyzed. What's more, experimental feasibility is discussed and demonstrated. Compared with previous qubit-based loss-tolerant SCF protocols, we introduce the EPR pair to keep our protocol loss-tolerant while trying to push down the bias. In addition, a quantum memory storage is used and the losses in it has been taken into account. We obtain the bias in the fair scenario as a function of $p$, where $p$ is the probability that the particle in Bob's quantum memory storage is lost, which means our bias varies as the degree of losses in the quantum memory storage changes. We also show that the bias decreases with decreasing $p$. When $p$ approaches 0, the bias approaches 0.3536, which is less than that of all the previous loss-tolerant protocols. Details of both parties' optimal cheating strategies are also given and analyzed. Besides, experimental feasibility is discussed and demonstrated.

Quantum Physics

Shang-En Huang,Seth Pettie,Leqi Zhu

DOI: https://doi.org/10.1145/3639454

IF: 2.269

2024-01-02

Journal of the ACM

Abstract:Since the mid-1980s it has been known that Byzantine Agreement can be solved with probability 1 asynchronously, even against an omniscient, computationally unbounded adversary that can adaptively corrupt up to f < n /3 parties. Moreover, the problem is insoluble with f ≥ n /3 corruptions. However, Bracha’s [13] 1984 protocol (see also Ben-Or [8]) achieved f < n /3 resilience at the cost of exponential expected latency 2 Θ ( n ) , a bound that has never been improved in this model with f = ⌊( n − 1)/3⌋ corruptions. In this paper, we prove that Byzantine Agreement in the asynchronous, full information model can be solved with probability 1 against an adaptive adversary that can corrupt f < n /3 parties, while incurring only polynomial latency with high probability . Our protocol follows an earlier polynomial latency protocol of King and Saia [33,34], which had suboptimal resilience, namely f ≈ n /10 9 [33,34]. Resilience f = ( n − 1)/3 is uniquely difficult, as this is the point at which the influence of the Byzantine and honest players are of roughly equal strength. The core technical problem we solve is to design a collective coin-flipping protocol that eventually lets us flip a coin with an unambiguous outcome. In the beginning, the influence of the Byzantine players is too powerful to overcome, and they can essentially fix the coin’s behavior at will. We guarantee that after just a polynomial number of executions of the coin-flipping protocol, either (a) the Byzantine players fail to fix the behavior of the coin (thereby ending the game) or (b) we can “blacklist” players such that the blacklisting rate for Byzantine players is at least as large as the blacklisting rate for good players. The blacklisting criterion is based on a simple statistical test of fraud detection .

computer science, information systems, theory & methods, software engineering, hardware & architecture

Hamidreza Amini Khorasgani,Hemanta K. Maji,Tamalika Mukherjee

DOI: https://doi.org/10.48550/arXiv.1907.01694

2019-11-27

Abstract:Consider designing a distributed coin-tossing protocol for n processors such that the probability of heads is X0 in [0,1], and an adversary can reset one processor to change the distribution of the final outcome. For X0=1/2, in the non-cryptographic setting, Blum's majority protocol is $\frac1{\sqrt{2\pi n}}$ insecure. For computationally bounded adversaries and any X0 in [0,1], the protocol of Moran,Naor,Segev (2009) is only O(1/n) insecure. In this paper, we study discrete-time martingales (X0,X1,..,Xn) such that Xi in [0,1], for all i in {0,..,n}, and Xn in {0,1}. In particular, for any X0 in [0,1], we construct martingales that yield $\frac12\sqrt{\frac{X_0(1-X_0)}{n}}$ insecure coin-tossing protocols with n-bit communication; irrespective of the number of bits required to represent the output distribution. Note that for sufficiently small X0, we achieve higher security than Moran et al's protocol even against computationally unbounded adversaries. For X0=1/2, our protocol requires only 40% of the processors to obtain the same security as the majority protocol. We introduce a new inductive technique that uses geometric transformations to estimate the large gaps in these martingales. For any X0 in [0,1], we show that there exists a stopping time $T$ such that $\mathbb{E}[|{X_T-X_{T-1}}|]\geq\frac2{\sqrt{2n-1}}\cdot X_0(1-X_0)$. The inductive technique also constructs martingales that demonstrate the optimality of our bound - we construct optimal martingales such that any $T$ has$\mathbb{E}[|{X_T-X_{T-1}}|]\leq\frac1{\sqrt{n}}\cdot\sqrt{X_0(1-X_0)}$. Our lower-bound holds for all X0 in [0,1]; while the previous bound of Cleve,Impagliazzo (1993) exists only for positive constant X0. Our approach only employs elementary techniques and avoids the complex probabilistic tools inherent to the approaches of Cleve,Impagliazzo (1993) and Beimel,Haitner,Makriyannis,Omri (2018).

Discrete Mathematics

Atul Singh Arora,Jérémie Roland,Chrysoula Vlachou,Stephan Weis

2024-02-25

Abstract:Weak coin flipping is an important cryptographic primitive -- it is the strongest known secure two-party computation primitive that classically becomes secure only under certain assumptions (e.g. computational hardness), while quantumly there exist protocols that achieve arbitrarily close to perfect security. This breakthrough result was established by Mochon in 2007 [

Quantum Physics,Cryptography and Security

Roger Colbeck,Adrian Kent

DOI: https://doi.org/10.1103/PhysRevA.73.032320

2005-11-23

Abstract:Alice is a charismatic quantum cryptographer who believes her parties are unmissable; Bob is a (relatively) glamorous string theorist who believes he is an indispensable guest. To prevent possibly traumatic collisions of self-perception and reality, their social code requires that decisions about invitation or acceptance be made via a cryptographically secure variable bias coin toss (VBCT). This generates a shared random bit by the toss of a coin whose bias is secretly chosen, within a stipulated range, by one of the parties; the other party learns only the random bit. Thus one party can secretly influence the outcome, while both can save face by blaming any negative decisions on bad luck. We describe here some cryptographic VBCT protocols whose security is guaranteed by quantum theory and the impossibility of superluminal signalling, setting our results in the context of a general discussion of secure two-party computation. We also briefly discuss other cryptographic applications of VBCT.

Quantum Physics,Cryptography and Security

André Chailloux,Iordanis Kerenidis

DOI: https://doi.org/10.48550/arXiv.1102.1678

2011-02-09

Abstract:Bit commitment is a fundamental cryptographic primitive with numerous applications. Quantum information allows for bit commitment schemes in the information theoretic setting where no dishonest party can perfectly cheat. The previously best-known quantum protocol by Ambainis achieved a cheating probability of at most 3/4[Amb01]. On the other hand, Kitaev showed that no quantum protocol can have cheating probability less than 1/sqrt{2} [Kit03] (his lower bound on coin flipping can be easily extended to bit commitment). Closing this gap has since been an important and open question. In this paper, we provide the optimal bound for quantum bit commitment. We first show a lower bound of approximately 0.739, improving Kitaev's lower bound. We then present an optimal quantum bit commitment protocol which has cheating probability arbitrarily close to 0.739. More precisely, we show how to use any weak coin flipping protocol with cheating probability 1/2 + eps in order to achieve a quantum bit commitment protocol with cheating probability 0.739 + O(eps). We then use the optimal quantum weak coin flipping protocol described by Mochon[Moc07]. To stress the fact that our protocol uses quantum effects beyond the weak coin flip, we show that any classical bit commitment protocol with access to perfect weak (or strong) coin flipping has cheating probability at least 3/4.

Quantum Physics

Amos Beimel,Eran Omri,Ilan Orlov

DOI: https://doi.org/10.48550/arXiv.1011.5567

2010-11-25

Abstract:A protocol for computing a functionality is secure if an adversary in this protocol cannot cause more harm than in an ideal computation where parties give their inputs to a trusted party which returns the output of the functionality to all parties. In particular, in the ideal model such computation is fair -- all parties get the output. Cleve (STOC 1986) proved that, in general, fairness is not possible without an honest majority. To overcome this impossibility, Gordon and Katz (Eurocrypt 2010) suggested a relaxed definition -- 1/p-secure computation -- which guarantees partial fairness. For two parties, they construct 1/p-secure protocols for functionalities for which the size of either their domain or their range is polynomial (in the security parameter). Gordon and Katz ask whether their results can be extended to multiparty protocols. We study 1/p-secure protocols in the multiparty setting for general functionalities. Our main result is constructions of 1/p-secure protocols when the number of parties is constant provided that less than 2/3 of the parties are corrupt. Our protocols require that either (1) the functionality is deterministic and the size of the domain is polynomial (in the security parameter), or (2) the functionality can be randomized and the size of the range is polynomial. If the size of the domain is constant and the functionality is deterministic, then our protocol is efficient even when the number of parties is O(log log n) (where n is the security parameter). On the negative side, we show that when the number of parties is super-constant, 1/p-secure protocols are not possible when the size of the domain is polynomial.

Cryptography and Security

Andris Ambainis

DOI: https://doi.org/10.48550/arXiv.quant-ph/0204063

2002-04-11

Quantum Physics

Abstract:We study the class of protocols for weak quantum coin flipping introduced by Spekkens and Rudolph (quant-ph/0202118). We show that, for any protocol in this class, one party can win the coin flip with probability at least $1/\sqrt{2}$.

Yilei Wang,Qiuliang Xu,Zhe Liu

DOI: https://doi.org/10.1109/INCoS.2013.55

2013-01-01

Abstract:Complete fairness means that either all parties learn the output of the function or none of them does. It was deemed as an impossible task in general in secure two party computation by Cleve (STOC 1986). However, a seminal result of complete fairness between two parties was achieved by Gordorn et al. (STOC 2008). Recently Groce and Katz (Euro crypt 2012) corrected the insufficient assumptions and gave some positive results of fairness. Here we revisit this problem and introduce the Tit-for-Tat (TFT) strategy into rational two-party computation. To the best of our knowledge, it is the first secure two-party computation protocol with constant rounds that allows both parties to know the terminal round.

Jamie Sikora

DOI: https://doi.org/10.48550/arXiv.1605.08156

2018-08-28

Abstract:Die-rolling is the cryptographic task where two mistrustful, remote parties wish to generate a random $D$-sided die-roll over a communication channel. Optimal quantum protocols for this task have been given by Aharon and Silman (New Journal of Physics, 2010) but are based on optimal weak coin-flipping protocols which are currently very complicated and not very well understood. In this paper, we first present very simple classical protocols for die-rolling which have decent (and sometimes optimal) security which is in stark contrast to coin-flipping, bit-commitment, oblivious transfer, and many other two-party cryptographic primitives. We also present quantum protocols based on integer-commitment, a generalization of bit-commitment, where one wishes to commit to an integer. We analyze these protocols using semidefinite programming and finally give protocols which are very close to Kitaev's lower bound for any $D \geq 3$. Lastly, we briefly discuss an application of this work to the quantum state discrimination problem.

Quantum Physics,Optimization and Control

Simon Neves,Verena Yacoub,Ulysse Chabaud,Mathieu Bozzio,Iordanis Kerenidis,Eleni Diamanti

DOI: https://doi.org/10.1038/s41467-023-37566-x

2022-11-07

Abstract:As in modern communication networks, the security of quantum networks will rely on complex cryptographic tasks that are based on a handful of fundamental primitives. Weak coin flipping (WCF) is a significant such primitive which allows two mistrustful parties to agree on a random bit while they favor opposite outcomes. Remarkably, perfect information-theoretic security can be achieved in principle for quantum WCF. Here, we overcome conceptual and practical issues that have prevented the experimental demonstration of this primitive to date, and demonstrate how quantum resources can provide cheat sensitivity, whereby each party can detect a cheating opponent, and an honest party is never sanctioned. Such a property is not known to be classically achievable with information-theoretic security. Our experiment implements a refined, loss-tolerant version of a recently proposed theoretical protocol and exploits heralded single photons generated by spontaneous parametric down conversion, a carefully optimized linear optical interferometer including beam splitters with variable reflectivities and a fast optical switch for the verification step. High values of our protocol benchmarks are maintained for attenuation corresponding to several kilometers of telecom optical fiber.

Quantum Physics

André Chailloux,Iordanis Kerenidis,Jamie Sikora

DOI: https://doi.org/10.48550/arXiv.1007.1875

2013-03-23

Abstract:Oblivious transfer is a fundamental primitive in cryptography. While perfect information theoretic security is impossible, quantum oblivious transfer protocols can limit the dishonest players' cheating. Finding the optimal security parameters in such protocols is an important open question. In this paper we show that every 1-out-of-2 oblivious transfer protocol allows a dishonest party to cheat with probability bounded below by a constant strictly larger than 1/2. Alice's cheating is defined as her probability of guessing Bob's index, and Bob's cheating is defined as his probability of guessing both input bits of Alice. In our proof, we relate these cheating probabilities to the cheating probabilities of a coin flipping protocol and conclude by using Kitaev's coin flipping lower bound. Then, we present an oblivious transfer protocol with two messages and cheating probabilities at most 3/4. Last, we extend Kitaev's semidefinite programming formulation to more general primitives, where the security is against a dishonest player trying to force the outcome of the other player, and prove optimal lower and upper bounds for them.

Quantum Physics

Sven Laur,Jan Willemson,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-24861-0_18

2011-01-01

Abstract:Most of the multi-party computation frameworks can be viewed as oblivious databases where data is stored and processed in a secret-shared form. However, data manipulation in such databases can be slow and cumbersome without dedicated protocols for certain database operations. In this paper, we provide efficient protocols for oblivious selection, filtering and shuffle essential tools in privacy-preserving data analysis. As the first contribution, we present a 1-out-of-n oblivious transfer protocol with 0(log log n) rounds, which achieves optimal communication and time complexity and works over any ring Z(N). Secondly, we show how to construct round-efficient shuffle protocols with optimal asymptotic computation complexity and provide several optimizations.

Esther Hänggi,Jürg Wullschleger

DOI: https://doi.org/10.1007/978-3-642-19571-6_28

2011-04-26

Abstract:Coin flipping is a cryptographic primitive for which strictly better protocols exist if the players are not only allowed to exchange classical, but also quantum messages. During the past few years, several results have appeared which give a tight bound on the range of implementable unconditionally secure coin flips, both in the classical as well as in the quantum setting and for both weak as well as strong coin flipping. But the picture is still incomplete: in the quantum setting, all results consider only protocols with perfect correctness, and in the classical setting tight bounds for strong coin flipping are still missing. We give a general definition of coin flipping which unifies the notion of strong and weak coin flipping (it contains both of them as special cases) and allows the honest players to abort with a certain probability. We give tight bounds on the achievable range of parameters both in the classical and in the quantum setting.

Quantum Physics,Cryptography and Security

Yilei Wang,Duncan S. Wong,Willy Susilo,Xiaofeng Chen,Qiuliang Xu

DOI: https://doi.org/10.1002/sec.1292

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Fairness in secure two-party computation ensures that either both of the communicating parties learn the output of some pre-defined function or none of them does. Rational two-party computation is an extension of two-party computation that incorporates game theory into conventional two-party (cryptographic) computation protocols for achieving fairness. From the standpoint of game theory, the strategies are designed for achieving equilibrium resulting in attaining fairness in rational two-party computation protocols. Groce and Katz (Eurocrypt 2012) achieved fairness by computational Nash equilibrium under complete information. In this paper, protocols are considered in more practical scenarios of incomplete information, where fairness is achieved by sequential equilibrium. Our protocol has constant number of rounds as Groce and Katz do while achieving a stronger sequential equilibrium which also implies the computational Nash equilibrium. Copyright (C) 2015 John Wiley & Sons, Ltd.

Rachid Guerraoui,Jingjing Wang

DOI: https://doi.org/10.1007/978-3-662-53426-7_11

2016-01-01

Abstract:A computation scheme among n parties is fair if no party obtains the computation result unless all other \(n-1\) parties obtain the same result. A fair computation scheme is optimistic if n honest parties can obtain the computation result without resorting to a trusted third party. We prove, for the first time, a tight lower-bound on the message complexity of optimistic fair computation for n parties among which \(n-1\) can be malicious in an asynchronous network. We do so by relating the optimal message complexity of optimistic fair computation to the length of the shortest permutation sequence in combinatorics.