
Constant-Round Simulation-Secure Coin Tossing Extension with Guaranteed Output

  • Conference paper, Advances in Cryptology – EUROCRYPT 2024 (EUROCRYPT 2024)

Abstract

Common randomness is an essential resource in many applications. However, Cleve (STOC 86) rules out the possibility of tossing a fair coin from scratch in the presence of a dishonest majority. A second-best alternative is a Coin Tossing Extension (CTE) protocol, which uses an “online” oracle that produces a few common random bits to generate many common random-looking bits. We initiate the systematic study of fully-secure CTE, which guarantees output even in the presence of malicious behavior. A fully-secure two-party statistical CTE protocol with black-box simulation was implicit in Hofheinz et al. (Eurocrypt 06), but its round complexity is nearly linear in its output length. The problem of constant-round CTE with superlogarithmic stretch remained open.

We prove that statistical CTE with full black-box security and superlogarithmic stretch must have superconstant rounds. In the computational setting we prove that with \(N\ge 2\) parties and polynomial stretch:

  • One round suffices for CTE under subexponential LWE, even with Universally Composable security against adaptive corruptions.

  • One-round CTE is implied by DDH or the hidden subgroup assumption in class groups, with a short, reusable Uniform Random String, and by DCR and QR, with a reusable Structured Reference String.

  • One-way functions imply CTE with O(N) rounds, and thus constant-round CTE for any constant number of parties.

Such results were not previously known even in the two-party setting with standalone, static security. We also extend one-round CTE to sample from any efficient distribution, via strong assumptions including IO.

Our one-round CTE protocols can be interpreted as explainable variants of classical randomness extractors, wherein a (short) seed and a source instance can be efficiently reverse-sampled given a random output. Such explainable extractors may be of independent interest.

The full version of this work is available via https://eprint.iacr.org/.


Notes

  1. Hofheinz et al. [23] proved that Protocol 1.1 can in fact be simulated for some parameterizations, but not all.

  2. Other models exist that achieve a similar goal. UC security is always black-box.

  3. Also known as the Hidden Subgroup Assumption.

  4. \(f^{-1}\) may be non-deterministic.

  5. Note that in this provisional version, the output length is linear in L but the seed length is independent of L; the analysis of the final protocol’s stretch will be more complex.

  6. For convenience, we say that the seed oracle outputs discrete Gaussian samples directly, but in order to meet the definition of a seed oracle it must actually output uniform coins from which such samples can be calculated. We highlight that discrete Gaussians are explainable distributions [6]. In other words, given a Gaussian sample \(\boldsymbol{e}\), we are able to efficiently produce coins that produce the sample \(\boldsymbol{e}\) when provided as randomness for the distribution, and the distribution of these coins is uniform, as required.

  7. Note that in the real world, these “ciphertexts” are uniformly random and there is no public key corresponding to them.

  8. Our setting is simpler since we consider only statistical security, but on the other hand Abram et al. focused on the one-round setting, whereas our argument applies to protocols with multiple rounds.

References

  1. Abram, D., Damgård, I., Orlandi, C., Scholl, P.: An algebraic framework for silent preprocessing with trustless setup and active security. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part IV. LNCS, vol. 13510, pp. 421–452. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15985-5_15

  2. Abram, D., Doerner, J., Ishai, Y., Narayanan, V.: Constant-round simulation-secure coin tossing extension with guaranteed output. Cryptology ePrint Archive (2024)

  3. Abram, D., Obremski, M., Scholl, P.: On the (im)possibility of distributed samplers: lower bounds and party-dynamic constructions. Cryptology ePrint Archive, Paper 2023/863 (2023)

  4. Abram, D., Scholl, P., Yakoubov, S.: Distributed (correlation) samplers: how to remove a trusted dealer in one round. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part I. LNCS, vol. 13275, pp. 790–820. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-06944-4_27

  5. Abram, D., Waters, B., Zhandry, M.: Security-preserving distributed samplers: how to generate any CRS in one round without random oracles. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023. LNCS, vol. 14081, pp. 489–514. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38557-5_16

  6. Agrawal, S., Wichs, D., Yamada, S.: Optimal broadcast encryption from LWE and pairings in the standard model. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12550, pp. 149–178. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64375-1_6

  7. Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48523-6_1

  8. Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. In: STACS (2009)

  9. Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Mathematische Annalen (1993)

  10. Barak, B., et al.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1

  11. Bellare, M., Garay, J.A., Rabin, T.: Distributed pseudo-random bit generators - a new way to speed-up shared coin tossing. In: Burns, J.E., Moses, Y. (eds.) 15th ACM PODC, pp. 191–200. ACM, August 1996. https://doi.org/10.1145/248052.248090

  12. Blum, M.: Coin flipping by telephone. In: Proceedings IEEE Spring COMPCOM, pp. 133–137 (1982)

  13. Buchbinder, N., Haitner, I., Levi, N., Tsfadia, E.: Fair coin flipping: tighter analysis and the many-party case. In: Klein, P.N. (ed.) 28th SODA, pp. 2580–2600. ACM-SIAM, January 2017. https://doi.org/10.1137/1.9781611974782.170

  14. Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000). https://doi.org/10.1007/s001459910006

  15. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press, October 2001. https://doi.org/10.1109/SFCS.2001.959888

  16. Castagnos, G., Laguillaumie, F.: Linearly homomorphic encryption from \(\sf DDH\). In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 487–505. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_26

  17. Cleve, R.: Limits on the security of coin flips when half the processors are faulty (extended abstract). In: 18th ACM STOC, pp. 364–369. ACM Press, May 1986. https://doi.org/10.1145/12130.12168

  18. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)

  19. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 197–206. ACM Press (2008). https://doi.org/10.1145/1374376.1374407

  20. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5

  21. Goldreich, O.: Foundations of Cryptography: Basic Applications, vol. 2. Cambridge University Press, Cambridge, UK (2004)

  22. Goyal, V., Lee, C.K., Ostrovsky, R., Visconti, I.: Constructing non-malleable commitments: a black-box approach. In: 53rd FOCS, pp. 51–60. IEEE Computer Society Press, October 2012. https://doi.org/10.1109/FOCS.2012.47

  23. Hofheinz, D., Müller-Quade, J., Unruh, D.: On the (im-)possibility of extending coin toss. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 504–521. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_30

  24. Impagliazzo, R., Levin, L.A., Luby, M.: Pseudo-random generation from one-way functions (extended abstracts). In: 21st ACM STOC, pp. 12–24. ACM Press, May 1989. https://doi.org/10.1145/73007.73009

  25. Ishai, Y., Ostrovsky, R., Zikas, V.: Secure multi-party computation with identifiable abort. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 369–386. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_21

  26. Ladner, R.E., Dwork, C. (eds.): 40th ACM STOC. ACM Press, May 2008

  27. Lindell, Y.: Parallel coin-tossing and constant-round secure two-party computation. J. Cryptol. 16(3), 143–184 (2003). https://doi.org/10.1007/s00145-002-0143-7

  28. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41

  29. Nisan, N., Zuckerman, D.: Randomness is linear in space. J. Comput. Syst. Sci. 52(1), 43–52 (1996). https://doi.org/10.1006/jcss.1996.0004

  30. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16

  31. Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8

  32. Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_31

  33. Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 187–196. ACM Press, May 2008. https://doi.org/10.1145/1374376.1374406

  34. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, May 2005. https://doi.org/10.1145/1060590.1060603

  35. Yeung, R.: A new outlook on Shannon’s information measures. IEEE Trans. Inf. Theory 37(3), 466–474 (1991). https://doi.org/10.1109/18.79902

  36. Zhandry, M.: The magic of ELFs. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 479–508. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_18


Acknowledgements

Damiano Abram was supported by a GSNS travel grant from Aarhus University, by the Aarhus University Research Foundation (AUFF) and by the Independent Research Fund Denmark (DFF) under project number 0165-00107B (C3PO). Jack Doerner was supported by the ERC projects NTSC (742754) and HSS (852952), ISF grant 2774/20, the Azrieli Foundation, and the Brown University Data Science Institute. Yuval Ishai was supported by ERC grant NTSC (742754), BSF grant 2022370, ISF grant 2774/20, and ISF-NSFC grant 3127/23. Varun Narayanan was supported by NSF grants CNS-2246355, CCF-2220450, and CNS-2001096.

Author information

Corresponding author: Damiano Abram.


Copyright information

© 2024 International Association for Cryptologic Research

About this paper


Cite this paper

Abram, D., Doerner, J., Ishai, Y., Narayanan, V. (2024). Constant-Round Simulation-Secure Coin Tossing Extension with Guaranteed Output. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14655. Springer, Cham. https://doi.org/10.1007/978-3-031-58740-5_5


  • DOI: https://doi.org/10.1007/978-3-031-58740-5_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-58739-9

  • Online ISBN: 978-3-031-58740-5

  • eBook Packages: Computer Science (R0)
