
Coin Flipping of any Constant Bias
Implies One-Way Functions
Iftach Haitner
Based on joint works with
Itay Berman, Eran Omri and Aris Tentes
Cryptography Implies One-Way Functions
Almost all “computational” cryptography is known to imply one-way functions [c.f. Impagliazzo-Luby ‘89]
• One-way functions (OWFs): efficiently computable functions that no efficient algorithm can invert (with more than negligible probability)
• These reductions are typically rather straightforward for non-interactive primitives, or for interactive primitives with a single “failure point”, e.g., commitment schemes
• Rather complex for some interactive primitives
• Full characterization of coin-flipping protocols is not known
Coin-Flipping Protocols
Parties want to jointly flip a uniform string
(Figure: the trivial protocol. One party samples c ← {0,1} and sends c; both parties output c. The sampling party, thinking “I want c = 0”, can simply send 0.)
Blum’s Coin-Flipping Protocol
A: a ← {0,1}, sends z ← commit(a)
B: b ← {0,1}, sends b
A: sends a ← decommit(z)
Both output c = a ⊕ b
(Figure: a party thinking “I want c = 0” can no longer choose its bit after seeing the other’s)
• Negligible bias
• Commitment obtained using OWF
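The two protocols on these slides as an added, runnable example (Python written for this page, not code from the talk). It runs the trivial protocol, where the party that samples c can simply send 0, and Blum’s protocol with a commitment. The commitment is assumed to be SHA-256 over (randomness ‖ bit), standing in for the OWF-based commitment the slide mentions; everything else (class and function names, the cheating strategy) is an assumption of the example. A cheating A who tries to open her commitment to a different bit after seeing b is rejected, so she obtains outcome 0 only when her committed a already equals b.

```python
import hashlib
import secrets

# Added example, not from the talk. Assumption: a hash of (randomness || bit)
# serves as the commitment; the slides only say it is built from a OWF.


def commit(bit: int, rnd: bytes) -> bytes:
    return hashlib.sha256(rnd + bytes([bit])).digest()


def verify(z: bytes, bit: int, rnd: bytes) -> bool:
    return commit(bit, rnd) == z


class HonestAlice:
    """A: samples a, commits to it, and later opens the commitment honestly."""

    def commit(self) -> bytes:
        self.a = secrets.randbits(1)
        self.r = secrets.token_bytes(16)
        return commit(self.a, self.r)

    def decommit(self, b: int):
        return self.a, self.r


class CheatingAlice(HonestAlice):
    """Wants c = 0: after seeing b she tries to open the commitment as a = b."""

    def decommit(self, b: int):
        return b, self.r  # same randomness, possibly a different bit


class HonestBob:
    def respond(self, z: bytes) -> int:
        return secrets.randbits(1)


def run_blum(alice, bob):
    """Blum's protocol; returns the coin, or None if B rejects A's decommitment."""
    z = alice.commit()          # A -> B : z = commit(a)
    b = bob.respond(z)          # B -> A : b
    a, r = alice.decommit(b)    # A -> B : (a, r) = decommit(z)
    if not verify(z, a, r):     # binding: the opening must match z
        return None
    return a ^ b


def naive_flip(sampler):
    """The trivial protocol from the previous slide: one party picks c and sends it."""
    return sampler()


def frequency_of_zero(run, trials: int) -> float:
    """Fraction of runs that output 0 (None, a rejected run, is not counted as 0)."""
    return sum(1 for _ in range(trials) if run() == 0) / trials


if __name__ == "__main__":
    print("naive, cheating sampler:", naive_flip(lambda: 0))
    print("Blum, honest parties, Pr[0] ~", frequency_of_zero(lambda: run_blum(HonestAlice(), HonestBob()), 2000))
    print("Blum, cheating A, Pr[0] ~", frequency_of_zero(lambda: run_blum(CheatingAlice(), HonestBob()), 2000))
```

With honest parties the output is close to uniform; with CheatingAlice about half the runs end in a rejected opening and the rest output 0, but the outcome 1 is never turned into 0 after the fact, which is what the binding property of the commitment buys.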
Coin-Flipping Protocols
Efficient 2-party protocol (A,B) is δ-bias CF:
1. Pr[(A,B)(1^n) = ‘1’] = Pr[(A,B)(1^n) = ‘0’] = 1/2
2. For any PPT A* and c ∈ {0,1}, Pr[(A*,B)(1^n) = c] ≤ 1/2 + δ(n) (same for B)
• Fairness is not required
Weak Coin-Flipping Protocols
Efficient 2-party protocol (A,B) is δ-bias weak CF:
1. Pr[(A,B)(1^n) = ‘1’] = Pr[(A,B)(1^n) = ‘0’] = 1/2
2. For any PPTs A* and B*, Pr[(A*,B)(1^n) = ‘1’], Pr[(A,B*)(1^n) = ‘0’] ≤ 1/2 + δ(n)
Strong CF ⇒ Weak CF
• Numerous applications (ZK proofs, SFE, …)
• Implied (with negligible bias) by OWFs [Blum ‘83, Naor ‘89, Håstad et al. ‘90]
Does (weak) coin flipping imply OWFs?
Known Results
• (1/m)-bias CF implies OWFs [IL ‘89], where m is the protocol round complexity
• Constant-round, non-trivial (i.e., (1/2 − 1/poly(n))-bias) CF implies OWFs [Maji, Prabhakaran, Sahai ‘10]
• ((√2−1)/2 − o(1))-bias strong CF implies OWFs [Haitner, Omri ‘11]
• Constant-round, non-trivial CF implies NP ⊈ BPP [Zachos ‘86]
• (1/4 − o(1))-bias CF implies NP ⊈ BPP [Maji, Prabhakaran, Sahai ‘10]
• Non-trivial CF implies PSPACE ⊈ BPP
For ω(1)-round, ω(1/m)-bias CF, results are far from being tight
[Haitner-Omri ‘11]
Theorem 1 [Haitner-Omri ‘11]
Coin flipping with bias (√2−1)/2 − o(1) (≈ 0.207) implies OWFs
• Only holds for strong coin tossing
Main lemma: Assume ∄OWFs and let (A,B) be a CF protocol. Then there exist efficient strategies A* and B* s.t.:
Pr[(A*,B)(1^n) = ‘1’] > √2/2 − o(1), or
Pr[(A,B*)(1^n) = ‘1’] > √2/2 − o(1).
(Same holds for ‘0’)
• Optimal two-sided attacker
• Matches the quantum bound
[Berman-Haitner-Tentes ‘13]
Theorem 2 [Berman-Haitner-Tentes ‘13]
Coin flipping of any (non-trivial) constant bias (e.g., 0.4999) implies OWFs
• Also holds for weak coin tossing
Main lemma: Assume ∄OWFs and let (A,B) be a CF protocol. Then ∀ε > 0 there exist efficient strategies A* and B* s.t.:
Pr[(A*,B)(1^n) = ‘1’] > 1 − ε, or
Pr[(A,B*)(1^n) = ‘0’] > 1 − ε.
(Same holds for the opposite directions)
• Almost fully characterizes the complexity of coin-flipping protocols
• Yet to be characterized: CF of bias 1/2 − o(1)
Rest of the Talk
• About proving the necessity of OWFs
• The optimal attack on CF protocols
• The biased-continuation attack
• Approximating the biased-continuation attack (assuming ∄OWFs)
Proving The Necessity of OWFs
Given a cryptographic primitive P (e.g., commitment scheme)
P’s core function: efficiently computable function whose inversion implies breaking the security of P
P has a core function ⇒ OWFs are necessary for P
Example 1: Symmetric key encryption (G,E,D)
f(k, r_1, …, r_t, m_1, …, m_t) = (E(k, r_1, m_1), …, E(k, r_t, m_t))
Example 2: For commitment schemes, the core function maps the parties’ coins to the commitment string
Hard to find for interactive primitives (with no single failing point)
• Does there exist such a core function?
• Distribution induced by attack might be different from uniform
The Optimal Adversaries
Protocols as Binary Trees
• Nodes − transcripts
• Messages are bits
• Inner nodes labeling: who controls the node
• Leaves labeling: protocol’s outcome (1-leaves / 0-leaves)
• Edges labeling: probability of taking the edge
• Node value: probability of hitting a 1-leaf, once in the node
Optimal Attacks on CF Protocols
Optimal adversaries for π = (A,B):
A_1 – optimal valid strategy for A attacking towards 1
B_0 – optimal valid strategy for B attacking towards 0
(Figure: a protocol tree with root controlled by A, edges labeled α and 1−α, and the leaf ℓ_0 reached by (A_1, B_0))
Assume wlg. that Pr_{(A_1,B_0)}[‘1’] = 1 (the play of (A_1,B_0) is deterministic and ends at a single leaf ℓ_0; wlg. ℓ_0 is a 1-leaf)
⇒ OPT_{B_0} ≝ Pr_{(A,B_0)}[‘0’] = 1 − α < 1
Question: what makes A_1 win?
Fact: ℓ_0 is B-immune
B-immune: B cannot lower its weight, whatever strategy B plays
Lemma: ∃ a B-immune measure M_1 over the 1-leaves of π (i.e., M_1: 1-leaves ↦ [0,1]) s.t.
Ex_{(A,B)}[M_1] = Ex_{(A,B_0)}[M_1] = 1 − OPT_{B_0} = α
The Biased Continuation Attack
Or, hitting the B-immune measure

The Biased-Continuation Attack
The (first) biased-continuation attack A^(1) for A towards 1:
On transcript u, A^(1) samples uniform (r_A, r_B) s.t.
1. (A(r_A), B(r_B)) is consistent with u
2. out(A(r_A), B(r_B)) = ‘1’
and sends A(r_A)’s reply on u.
B^(1) is analogous for B towards 0.
(Figure: the honest tree with edge probabilities ½, ¼, ¾ and the reweighted tree induced by A^(1))
• ∄OWFs is necessary, but not sufficient (for implementing A^(1) efficiently)
• Amazingly useful! Also used for Parallel Repetition thms [Håstad et al. ‘10], [Haitner ‘09]
Recursions
(A^(1), B) is also a protocol.
A^(2) = A^(1) on (A^(1), B):
On transcript u, A^(2) samples uniform (r_{A^(1)}, r_B) s.t.
1. (A^(1)(r_{A^(1)}), B(r_B)) is consistent with u
2. out(A^(1)(r_{A^(1)}), B(r_B)) = ‘1’
and sends A^(1)(r_{A^(1)})’s reply on u.
(Figure: the tree induced by (A^(1), B), with edge probabilities ½, ¼, ¾, reweighted again by A^(2))
Fact: For an m-round protocol, A^(k) converges to A’s optimal attacker as k grows.
Problem: A^(m) is not efficient.
Question: How well does A^(O(1)) do?
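The binary-tree model and the recursion above, as an added worked example (Python written for this page, not code from the talk). It builds a constructed protocol tree with A- and B-controlled nodes, computes node values, the optimal attackers A_1 and B_0, and applies the biased-continuation step repeatedly: at each A-controlled node the honest edge probabilities are reweighted by the child’s value, which is exactly the distribution of A^(1)’s next message conditioned on the outcome being 1; B-controlled nodes are untouched. The tree, its probabilities and the names val, opt and biased_continuation are assumptions of the example. In this tree B_0 forces ‘0’ outright (so, as the slides assume wlg., one of the two optimal attackers wins completely), while val(A^(k), B) climbs from 1/2 towards OPT_{A_1} = 0.8 as k grows.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not from the talk. The protocol tree below is constructed.


@dataclass(frozen=True)
class Node:
    owner: Optional[str]                        # 'A', 'B', or None for a leaf
    outcome: Optional[int] = None               # leaf label: 1 or 0
    edges: Tuple[Tuple[float, "Node"], ...] = ()  # (probability, child)


def leaf(bit: int) -> Node:
    return Node(None, bit)


def A(p0: float, c0: Node, c1: Node) -> Node:   # A-controlled node, p0 = Pr[first child]
    return Node('A', edges=((p0, c0), (1 - p0, c1)))


def B(p0: float, c0: Node, c1: Node) -> Node:   # B-controlled node
    return Node('B', edges=((p0, c0), (1 - p0, c1)))


def val(node: Node) -> float:
    """Node value: Pr[reaching a 1-leaf] when both parties follow the tree honestly."""
    if node.owner is None:
        return float(node.outcome)
    return sum(p * val(c) for p, c in node.edges)


def opt(node: Node, attacker: str) -> float:
    """Pr['1'] when `attacker` deviates optimally and the other party is honest.
    A maximises Pr['1'] (this is A_1); B minimises it (this is B_0), so
    OPT_{B_0} = Pr_{(A,B_0)}['0'] = 1 - opt(root, 'B')."""
    if node.owner is None:
        return float(node.outcome)
    vals = [opt(c, attacker) for _, c in node.edges]
    if node.owner == attacker:
        return max(vals) if attacker == 'A' else min(vals)
    return sum(p * v for (p, _), v in zip(node.edges, vals))


def biased_continuation(node: Node) -> Node:
    """One biased-continuation step for A towards 1, applied to the whole tree.
    At an A-controlled node the next message is the honest message conditioned on
    the final outcome being 1, i.e. p_i is reweighted by val(child_i) / val(node).
    If val(node) == 0 no 1-leaf is reachable, A^(1) has nothing to sample, and the
    node keeps its honest distribution (the edge case the attack must handle)."""
    if node.owner is None:
        return node
    children = tuple(biased_continuation(c) for _, c in node.edges)
    probs = [p for p, _ in node.edges]
    if node.owner == 'A':
        v = val(node)
        if v > 0:
            probs = [p * val(c) / v for p, c in node.edges]
    return Node(node.owner, edges=tuple(zip(probs, children)))


def attack_values(root: Node, k: int):
    """val(A^(i), B) for i = 0..k, with A^(i+1) = A^(1) applied to the protocol (A^(i), B)."""
    tree, values = root, [val(root)]
    for _ in range(k):
        tree = biased_continuation(tree)
        values.append(val(tree))
    return values


def example_tree() -> Node:
    """Constructed 4-round protocol with honest value 1/2, OPT_{A_1} = 0.8, OPT_{B_0} = 1."""
    X = B(0.7, leaf(1), leaf(0))
    Y = B(0.9, leaf(1), leaf(0))
    R0 = A(0.5, leaf(0), X)
    R1 = A(0.5, leaf(0), Y)
    R = B(0.5, R0, R1)
    L = B(0.6, leaf(1), leaf(0))
    return A(0.5, L, R)


if __name__ == "__main__":
    root = example_tree()
    print("val(A,B) =", val(root), " OPT_{A_1} =", opt(root, 'A'), " OPT_{B_0} =", 1 - opt(root, 'B'))
    for i, v in enumerate(attack_values(root, 10)):
        print(f"val(A^({i}),B) = {v:.4f}")
```

The first step already lifts A’s value from 0.5 to 0.68; afterwards the weight on the weaker branch decays geometrically, so the value approaches 0.8 but no constant number of recursions reaches it exactly, which is the gap the rest of the talk closes with the B-immune measure.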
A^(i) and the B-Immune Measure
val(A^(1), B) ≥ Pr_{(A^(1),B)}[ℓ_0] = 2α, where val(π) ≝ Pr_π[‘1’] (since val(A,B) = 1/2)
In general, val(A^(k), B) ≥ Pr_{(A^(k),B)}[ℓ_0] = α / ∏_{i=0}^{k−1} val(A^(i), B), letting A^(0) = A
(Figure: the tree of (A^(k), B); the edge towards ℓ_0 has weight α under (A,B) and grows with each recursion)
Key observation: if OPT_{B_0} = 1 − α then ∀k > 0:
val(A^(k), B) ≥ Ex_{(A^(k),B)}[M_1] ≥ α / ∏_{i=0}^{k−1} val(A^(i), B)
⇒ val(A^(k), B) ≥ 1 − ε for some k ≤ log(1/α) / log(1/(1−ε))
Problem: α ∈ o(1) ⇒ (even for constant ε > 0) k ∈ ω(1) ⇒ A^(k) is inefficient
Conditional Protocols
OPT_{B_0}(π) = 1 − α ⇒ ∃ M_1^π over the 1-leaves of π with Ex_π[M_1^π] = α and
Ex_{(A^(k),B)}[M_1^π] = α / ∏_{i=0}^{k−1} val(A^(i), B)
The conditional protocol π′ = (A′, B′) = π|¬M_1^π
⇒ (in π′) no B-immune measure ⇒ B_0 wins:
OPT_{A_1}(π′) ≝ Pr_{(A′_1,B′)}[‘1’] = 1 − β < 1
⇒ ∃ measure M_0^{π′} over the 0-leaves of π′ with Ex_{π′}[M_0^{π′}] = β and
Ex_{(A′,B′^(k))}[M_0^{π′}] = β / ∏_{i=0}^{k−1} (1 − val(A′, B′^(i)))
Back in π: Ex_π[M_0^{π′}] = (1 − α)·β and
Ex_{(A,B^(k))}[M_0^{π′}] ≥ (1 − α)^k · Ex_π[M_0^{π′}] / ∏_{i=0}^{k−1} (1 − val(A, B^(i)))
(Figure: the tree of π with the α / 1−α edges at the root and the β edge of π′)
Still, β might be small…
Conditional Protocols cont.
The conditional protocol π″ = (A″, B″) = π′|¬M_0^{π′}
OPT_{B_0}(π″) ≝ Pr_{(A″,B″_0)}[‘0’] = 1 − α′ < 1
⇒ ∃ measure M_1^{π″} over the 1-leaves of π″ with Ex_{π″}[M_1^{π″}] = α′ and
Ex_{(A″^(k),B″)}[M_1^{π″}] = α′ / ∏_{i=0}^{k−1} val(A″^(i), B″)
Back in π:
Ex_{(A^(k),B)}[M_1^{π″}] ≥ (1 − β)^k · (1 − α)(1 − β)·α′ / ∏_{i=0}^{k−1} val(A^(i), B)
(Figure: the tree of π with the α / 1−α and β edges and the new α′ edge of π″)
Can we gain also from M_1^π?
For the measure M_1^2(ℓ) = M_1^π(ℓ) + (1 − M_1^π(ℓ)) · M_1^{π″}(ℓ):
Ex_π[M_1^2] = α + (1 − α)(1 − β)·α′ and
Ex_{(A^(k),B)}[M_1^2] ≥ (1 − β)^k · Ex_π[M_1^2] / ∏_{i=0}^{k−1} val(A^(i), B)
Sequence of Conditional Protocols
There exist measure sequences M_1^1, M_1^2, M_1^3, … over 1-leaves and M_0^1, M_0^2, M_0^3, … over 0-leaves s.t., letting μ_0^t ≝ Ex_π[M_0^t] and μ_1^t ≝ Ex_π[M_1^t]:
• μ_0^t = μ_1^t = ½ for large enough t
• Ex_{(A^(k),B)}[M_1^z] ≥ (1 − μ_0^z)^k · μ_1^z / ∏_{i=0}^{k−1} val(A^(i), B) and
  Ex_{(A,B^(k))}[M_0^z] ≥ (1 − μ_1^z)^k · μ_0^z / ∏_{i=0}^{k−1} (1 − val(A, B^(i)))
For ε > 0 assume wlg. that ∃z > 0 s.t. μ_1^z ≥ ε/2 and μ_0^z < ε/2
⇒ Ex_{(A^(k),B)}[M_1^z] ≥ (1 − ε/2)^k · (ε/2) / ∏_{i=0}^{k−1} val(A^(i), B) > 1 − ε
for k = log(2/ε) / log((1 − ε/2)/(1 − ε)) (unless some earlier val(A^(i), B) already exceeds 1 − ε)
An Efficient Attack On CF Protocols
(assuming ∄OWFs)

Transcript Function
For π = (A,B) let f_π(r_A, r_B, i) ≝ ℓ(r_A, r_B)_{1,…,i}, where ℓ(r_A, r_B) is the leaf (full transcript) induced by the coins (r_A, r_B)
• A^(1) needs to invert f_π
• Seems that A^(k) needs to invert f_π, f_{π^1}, …, f_{π^{k−1}}, for π^j = (A^(j), B)
  Might be impossible even if ∄OWFs
• Since A^(k) is stateless, suffices to invert f_π
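The transcript function and the inversion step that A^(1) needs, as an added example (Python written for this page, not code from the talk). It defines a constructed 3-message protocol over 3-bit coins, the function f_π, and a brute-force inverter that plays the role of the efficient inverter ∄OWFs would provide. A^(1) is then implemented literally as the slides describe: sample a uniform coin pair consistent with u whose outcome is ‘1’ and send A’s reply; the honest next-message distribution is computed from the same inverter. The protocol, the coin size and all function names are assumptions of the example. A transcript starting 0,0 is the edge case in which no consistent coins yield ‘1’, so A^(1) has nothing to sample and falls back to honest play.

```python
# Added example, not from the talk. The protocol and coin space are constructed.

COIN_BITS = 3
COINS = range(1 << COIN_BITS)
ROUNDS = 3
OWNER = ('A', 'B', 'A')          # who sends message i


def bit(r: int, i: int) -> int:
    return (r >> i) & 1


def next_message(r_A: int, r_B: int, u: tuple) -> int:
    """Honest next message as a function of the sender's coins and the transcript u."""
    i = len(u)
    if i == 0:                                  # A: x
        return bit(r_A, 0) ^ bit(r_A, 1)
    if i == 1:                                  # B: y, depends on x
        return bit(r_B, 0) ^ (bit(r_B, 1) & u[0])
    if i == 2:                                  # A: w, depends on y
        return bit(r_A, 2) ^ (bit(r_A, 1) & u[1])
    raise ValueError("the protocol has exactly 3 messages")


def transcript(r_A: int, r_B: int) -> tuple:
    """The leaf l(r_A, r_B): the full transcript induced by the coins."""
    u = ()
    for _ in range(ROUNDS):
        u += (next_message(r_A, r_B, u),)
    return u


def f_pi(r_A: int, r_B: int, i: int) -> tuple:
    """Transcript function f_pi(r_A, r_B, i) = l(r_A, r_B)_{1..i}."""
    return transcript(r_A, r_B)[:i]


def outcome(u: tuple) -> int:
    return 1 if sum(u) >= 2 else 0              # majority of the three bits


def invert(u: tuple):
    """All coin pairs whose transcript starts with u. Exhaustive search over the
    tiny coin space stands in for the efficient inverter that ∄OWFs would give."""
    return [(a, b) for a in COINS for b in COINS if f_pi(a, b, len(u)) == u]


def next_bit_distribution(u: tuple, attack: bool) -> float:
    """Pr[next bit = 1 | u]. Honest: fraction of preimages of u whose next bit is 1.
    attack=True is A^(1): the same, restricted to preimages with outcome '1';
    if there are none, A^(1) cannot sample and falls back to honest play."""
    pre = invert(u)
    if attack:
        good = [(a, b) for a, b in pre if outcome(transcript(a, b)) == 1]
        if good:
            pre = good
    return sum(next_message(a, b, u) for a, b in pre) / len(pre)


def value(u: tuple = (), attacker_A: bool = False) -> float:
    """Pr['1'] from transcript u with B honest; A plays A^(1) if attacker_A, else honestly."""
    if len(u) == ROUNDS:
        return float(outcome(u))
    p1 = next_bit_distribution(u, attack=attacker_A and OWNER[len(u)] == 'A')
    return p1 * value(u + (1,), attacker_A) + (1 - p1) * value(u + (0,), attacker_A)


if __name__ == "__main__":
    print("val(A,B)      =", value())
    print("val(A^(1),B)  =", value(attacker_A=True))
    print("A^(1) first message is 1 w.p.", next_bit_distribution((), attack=True))
```

Every message is uniform given the past, so the honest value is 1/2. A^(1) sends x = 1 with probability 3/4 (three of the four majority-1 transcripts start with 1) and, once one more 1 has appeared, always completes the majority, giving val(A^(1), B) = 7/8; only the prefix 0,0 is lost, and there A^(1) behaves exactly like A.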
Hard to Invert Transcripts
• LowVal_δ^A = {v : v in A’s control & val(v) < δ}
• UnBal_γ^A = {v : v in A’s control & Pr_{(A^(k),B)}[v] > γ · Pr_{(A,B)}[v]}
∄OWF does not suffice for attacking these nodes
(Figure: a tree with an A-controlled node reached with probability 2^−n under the honest protocol, next to a ½-probability sibling)
Large is Balanced
• LowVal_δ^A = {v : v in A’s control & val(v) < δ}
• UnBal_γ^A = {v : v in A’s control & Pr_{(A^(k),B)}[v] > γ · Pr_{(A,B)}[v]}
Lemma: ∀δ > 0 ∃c > 0:
Pr_{ℓ←(A^(k),B)}[ℓ ∈ desc(UnBal_γ^A) & ℓ ∉ desc(LowVal_δ^A)] ≤ c/γ
where desc(S) ≝ descendants of S
(Figure: the same tree, with the 2^−n-probability node marked as low-value; val(A,B) = 0.5)
• We can focus on low-value nodes
Corollary: Assume all low-value nodes are in B’s control and ∄OWFs
⇒ exists an efficient approximation Ã^(k) of A^(k):
val(A^(k), B) > 1 − ε ⇒ val(Ã^(k), B) > 1 − 2ε
Pruned Protocols
The pruned variant π_δ = (A_δ, B_δ) of π = (A,B):
• B_δ controls all low-value nodes, Low_δ = {v : val(v) < δ}
• A_δ controls all high-value nodes, High_δ = {v : val(v) > 1 − δ}
(Figure: a protocol tree with nodes annotated by their values, e.g., .5, .999, .2, .3, .001; control of the low- and high-value nodes is reassigned to B_δ and A_δ respectively)
By previous lemmas, ∀ε > 0 ∃k > 0: either val(A_δ^(k), B_δ) > 1 − ε or val(A_δ, B_δ^(k)) < ε
The Pruning Attacker
The pruning attacker acts as if it is in the pruned protocol.
Let π = (A,B). The pruning attacker A^(k,δ) for A acts as A_δ^(k) until reaching a pruned node, and then starts acting honestly (like A).
Assume wlg. that val(A_δ^(k), B_δ) > 1 − ε; then val(A^(k,δ), B) > 1 − ε − δ
(Figure: the same annotated tree (.5, .999, .2, .3, .001); at pruned nodes the attacker hands control back to the honest A)
Summary
• Coin flipping of any constant bias implies OWFs
• Challenge − show the same for bias 1/2 − o(1)
• Further implications for the connection between zero-sum games and existence of OWFs