TY - GEN
T1 - Constant-Round Simulation-Secure Coin Tossing Extension with Guaranteed Output
AU - Abram, Damiano
AU - Doerner, Jack
AU - Ishai, Yuval
AU - Narayanan, Varun
N1 - Publisher Copyright:
© International Association for Cryptologic Research 2024.
PY - 2024
Y1 - 2024
N2 - Common randomness is an essential resource in many applications. However, Cleve (STOC 86) rules out the possibility of tossing a fair coin from scratch in the presence of a dishonest majority. A second-best alternative is a Coin Tossing Extension (CTE) protocol, which uses an “online” oracle that produces a few common random bits to generate many common random-looking bits. We initiate the systematic study of fully-secure CTE, which guarantees output even in the presence of malicious behavior. A fully-secure two-party statistical CTE protocol with black-box simulation was implicit in Hofheinz et al. (Eurocrypt 06), but its round complexity is nearly linear in its output length. The problem of constant-round CTE with superlogarithmic stretch remained open. We prove that statistical CTE with full black-box security and superlogarithmic stretch must have superconstant rounds. In the computational setting we prove that with N≥2 parties and polynomial stretch: One round suffices for CTE under subexponential LWE, even with Universally Composable security against adaptive corruptions. One-round CTE is implied by DDH or the hidden subgroup assumption in class groups, with a short, reusable Uniform Random String, and by DCR and QR, with a reusable Structured Reference String. One-way functions imply CTE with O(N) rounds, and thus constant-round CTE for any constant number of parties. Such results were not previously known even in the two-party setting with standalone, static security.
We also extend one-round CTE to sample from any efficient distribution, via strong assumptions including IO. Our one-round CTE protocols can be interpreted as explainable variants of classical randomness extractors, wherein a (short) seed and a source instance can be efficiently reverse-sampled given a random output. Such explainable extractors may be of independent interest.
AB - Common randomness is an essential resource in many applications. However, Cleve (STOC 86) rules out the possibility of tossing a fair coin from scratch in the presence of a dishonest majority. A second-best alternative is a Coin Tossing Extension (CTE) protocol, which uses an “online” oracle that produces a few common random bits to generate many common random-looking bits. We initiate the systematic study of fully-secure CTE, which guarantees output even in the presence of malicious behavior. A fully-secure two-party statistical CTE protocol with black-box simulation was implicit in Hofheinz et al. (Eurocrypt 06), but its round complexity is nearly linear in its output length. The problem of constant-round CTE with superlogarithmic stretch remained open. We prove that statistical CTE with full black-box security and superlogarithmic stretch must have superconstant rounds. In the computational setting we prove that with N≥2 parties and polynomial stretch: One round suffices for CTE under subexponential LWE, even with Universally Composable security against adaptive corruptions. One-round CTE is implied by DDH or the hidden subgroup assumption in class groups, with a short, reusable Uniform Random String, and by DCR and QR, with a reusable Structured Reference String. One-way functions imply CTE with O(N) rounds, and thus constant-round CTE for any constant number of parties. Such results were not previously known even in the two-party setting with standalone, static security.
We also extend one-round CTE to sample from any efficient distribution, via strong assumptions including IO. Our one-round CTE protocols can be interpreted as explainable variants of classical randomness extractors, wherein a (short) seed and a source instance can be efficiently reverse-sampled given a random output. Such explainable extractors may be of independent interest.
UR - http://www.scopus.com/inward/record.url?scp=85193610545&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-58740-5_5
DO - 10.1007/978-3-031-58740-5_5
M3 - Conference contribution
AN - SCOPUS:85193610545
SN - 9783031587399
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 122
EP - 154
BT - Advances in Cryptology – EUROCRYPT 2024 - 43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2024, Proceedings
A2 - Joye, Marc
A2 - Leander, Gregor
T2 - 43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2024
Y2 - 26 May 2024 through 30 May 2024
ER -