## Abstract

Common randomness is an essential resource in many applications. However, Cleve (STOC 86) rules out the possibility of tossing a fair coin from scratch in the presence of a dishonest majority. A second-best alternative is a Coin Tossing Extension (CTE) protocol, which uses an “online” oracle that produces a few common random bits to generate many common random-looking bits. We initiate the systematic study of fully-secure CTE, which guarantees output even in the presence of malicious behavior. A fully-secure two-party statistical CTE protocol with black-box simulation was implicit in Hofheinz et al. (Eurocrypt 06), but its round complexity is nearly linear in its output length. The problem of constant-round CTE with superlogarithmic stretch remained open. We prove that statistical CTE with full black-box security and superlogarithmic stretch must have superconstant rounds. In the computational setting we prove that with N ≥ 2 parties and polynomial stretch:

- One round suffices for CTE under subexponential LWE, even with Universally Composable security against adaptive corruptions.
- One-round CTE is implied by DDH or the hidden subgroup assumption in class groups, with a short, reusable Uniform Random String, and by DCR and QR, with a reusable Structured Reference String.
- One-way functions imply CTE with O(N) rounds, and thus constant-round CTE for any constant number of parties.

Such results were not previously known even in the two-party setting with standalone, static security.
We also extend one-round CTE to sample from any efficient distribution, via strong assumptions including IO. Our one-round CTE protocols can be interpreted as explainable variants of classical randomness extractors, wherein a (short) seed and a source instance can be efficiently reverse-sampled given a random output. Such explainable extractors may be of independent interest.

Original language | English |
---|---|
Title of host publication | Advances in Cryptology – EUROCRYPT 2024 - 43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2024, Proceedings |
Editors | Marc Joye, Gregor Leander |
Pages | 122-154 |
Number of pages | 33 |
State | Published - 2024 |
Event | 43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2024 - Zurich, Switzerland. Duration: 26 May 2024 → 30 May 2024 |

### Publication series

Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|
Volume | 14655 LNCS |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |

### Conference

Conference | 43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2024 |
---|---|
Country/Territory | Switzerland |
City | Zurich |
Period | 26/05/24 → 30/05/24 |

## ASJC Scopus subject areas

- Theoretical Computer Science
- General Computer Science