Constant-Round Simulation-Secure Coin Tossing Extension with Guaranteed Output

Damiano Abram, Jack Doerner, Yuval Ishai, Varun Narayanan

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

Common randomness is an essential resource in many applications. However, Cleve (STOC 86) rules out the possibility of tossing a fair coin from scratch in the presence of a dishonest majority. A second-best alternative is a Coin Tossing Extension (CTE) protocol, which uses an “online” oracle that produces a few common random bits to generate many common random-looking bits. We initiate the systematic study of fully-secure CTE, which guarantees output even in the presence of malicious behavior. A fully-secure two-party statistical CTE protocol with black-box simulation was implicit in Hofheinz et al. (Eurocrypt 06), but its round complexity is nearly linear in its output length. The problem of constant-round CTE with superlogarithmic stretch remained open. We prove that statistical CTE with full black-box security and superlogarithmic stretch must have superconstant rounds. In the computational setting we prove that with N≥2 parties and polynomial stretch:One round suffices for CTE under subexponential LWE, even with Universally Composable security against adaptive corruptions.One-round CTE is implied by DDH or the hidden subgroup assumption in class groups, with a short, reusable Uniform Random String, and by DCR and QR, with a reusable Structured Reference String.One-way functions imply CTE with O(N) rounds, and thus constant-round CTE for any constant number of parties. One round suffices for CTE under subexponential LWE, even with Universally Composable security against adaptive corruptions. One-round CTE is implied by DDH or the hidden subgroup assumption in class groups, with a short, reusable Uniform Random String, and by DCR and QR, with a reusable Structured Reference String. One-way functions imply CTE with O(N) rounds, and thus constant-round CTE for any constant number of parties. Such results were not previously known even in the two-party setting with standalone, static security. We also extend one-round CTE to sample from any efficient distribution, via strong assumptions including IO. Our one-round CTE protocols can be interpreted as explainable variants of classical randomness extractors, wherein a (short) seed and a source instance can be efficiently reverse-sampled given a random output. Such explainable extractors may be of independent interest.

Original languageEnglish
Title of host publicationAdvances in Cryptology – EUROCRYPT 2024 - 43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2024, Proceedings
EditorsMarc Joye, Gregor Leander
Pages122-154
Number of pages33
DOIs
StatePublished - 2024
Event43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2024 - Zurich, Switzerland
Duration: 26 May 202430 May 2024

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume14655 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2024
Country/TerritorySwitzerland
CityZurich
Period26/05/2430/05/24

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science

Fingerprint

Dive into the research topics of 'Constant-Round Simulation-Secure Coin Tossing Extension with Guaranteed Output'. Together they form a unique fingerprint.

Cite this