TY - JOUR

T1 - On the complexity of fair coin flipping

AU - Haitner, Iftach

AU - Makriyannis, Nikolaos

AU - Omri, Eran

N1 - Publisher Copyright:
© 2022 Elsevier B.V.

PY - 2022/5/7

Y1 - 2022/5/7

N2 - A two-party coin-flipping protocol is ε-fair if no efficient adversary can bias the output of the honest party (who always outputs a bit, even if the other party aborts) by more than ε. Cleve [STOC '86] showed that r-round o(1/r)-fair coin-flipping protocols do not exist. Awerbuch, Blum, Chor, Goldwasser, and Micali [Manuscript '85] constructed a Θ(1/r)-fair coin-flipping protocol, assuming the existence of one-way functions. Moran, Naor, and Segev [Journal of Cryptology '16] constructed an r-round coin-flipping protocol that is Θ(1/r)-fair (thus matching the aforementioned lower bound of Cleve [STOC '86]), assuming the existence of oblivious transfer. The above gives rise to the intriguing question of whether oblivious transfer, or more generally “public-key primitives,” is required for an o(1/r)-fair coin-flipping protocol. Towards answering this intriguing question, Maji and Wang [Crypto '18] have recently showed that in the random oracle model (ROM), any coin-flipping protocol can be biased by Ω(1/r). This implies that o(1/r)-fair coin-flipping protocol cannot be constructed from one-way function, or from a family of collision-resistant hash functions, in a black-box way. This result does not rule out, however, non black-box constructions, and black-box constructions based on primitives that cannot be realized in the ROM. We make a different progress towards answering above question by showing that, for any constant r∈N, the existence of an 1/(c⋅r)-fair, r-round coin-flipping protocol implies the existence of an infinitely-often key-agreement protocol, where c denotes some universal constant (independent of r). Our reduction is non black-box and makes a novel use of the recent dichotomy for two-party protocols of Haitner, Nissim, Omri, Shaltiel, and Silbak [SICOMP '20] to facilitate a two-party variant of the recent attack of Beimel, Haitner, Makriyannis, and Omri [FOCS '18] on multi-party coin-flipping protocols.

AB - A two-party coin-flipping protocol is ε-fair if no efficient adversary can bias the output of the honest party (who always outputs a bit, even if the other party aborts) by more than ε. Cleve [STOC '86] showed that r-round o(1/r)-fair coin-flipping protocols do not exist. Awerbuch, Blum, Chor, Goldwasser, and Micali [Manuscript '85] constructed a Θ(1/r)-fair coin-flipping protocol, assuming the existence of one-way functions. Moran, Naor, and Segev [Journal of Cryptology '16] constructed an r-round coin-flipping protocol that is Θ(1/r)-fair (thus matching the aforementioned lower bound of Cleve [STOC '86]), assuming the existence of oblivious transfer. The above gives rise to the intriguing question of whether oblivious transfer, or more generally “public-key primitives,” is required for an o(1/r)-fair coin-flipping protocol. Towards answering this intriguing question, Maji and Wang [Crypto '18] have recently showed that in the random oracle model (ROM), any coin-flipping protocol can be biased by Ω(1/r). This implies that o(1/r)-fair coin-flipping protocol cannot be constructed from one-way function, or from a family of collision-resistant hash functions, in a black-box way. This result does not rule out, however, non black-box constructions, and black-box constructions based on primitives that cannot be realized in the ROM. We make a different progress towards answering above question by showing that, for any constant r∈N, the existence of an 1/(c⋅r)-fair, r-round coin-flipping protocol implies the existence of an infinitely-often key-agreement protocol, where c denotes some universal constant (independent of r). Our reduction is non black-box and makes a novel use of the recent dichotomy for two-party protocols of Haitner, Nissim, Omri, Shaltiel, and Silbak [SICOMP '20] to facilitate a two-party variant of the recent attack of Beimel, Haitner, Makriyannis, and Omri [FOCS '18] on multi-party coin-flipping protocols.

KW - Coin-flipping

KW - Fairness

KW - Key-agreement

UR - http://www.scopus.com/inward/record.url?scp=85125130432&partnerID=8YFLogxK

U2 - 10.1016/j.tcs.2022.02.010

DO - 10.1016/j.tcs.2022.02.010

M3 - מאמר

AN - SCOPUS:85125130432

VL - 914

SP - 23

EP - 38

JO - Theoretical Computer Science

JF - Theoretical Computer Science

SN - 0304-3975

ER -