Eran Omri, Bar-Ilan University. Joint work with Amos Beimel and Ilan Orlov, BGU.

• What is the minimal bias for multiparty coin-toss?
• Coin tossing is a basic primitive in secure computation
  ◦ Simple to define
  ◦ Used in many schemes
• Optimal bias means optimal fairness
  ◦ Essential in many tasks in MPC (e.g., fair exchange)
• To understand fairness in general secure computation, we must understand the basic task of coin tossing

• We construct multiparty coin-tossing protocols
  ◦ Tolerating a majority of malicious parties
  ◦ Minimizing the bias of the adversary
• Optimal bias of O(1/r), where r is the number of rounds

• Multiparty Coin-Toss:
  ◦ Examples and definitions
  ◦ Previous results
  ◦ Our results
• Reviewing the [Moran, Naor, Segev 09] result
• Our Result: Simplified Constructions
• Summary and Open Problems

Diagram: the two parties exchange bits a and b; the output is c ← a ⊕ b.

Diagram: the adversary wants c = 0. After seeing b, it sends a = b, so c ← a ⊕ b = 0 with probability 1.
Can't we send messages simultaneously?? No. Not a reasonable assumption!

z  commit(a) b a  decommit(z) 8 c  a ⊕ b

z  commit(a) b a  decommit(z) I want c = 0 If a = b Otherwise abort c = 0 w.p. 3/4 How to react if a party aborts?? The other party outputs a random bit 9 c  a ⊕ b = 0 c  0 w.p. ½

• Goal: honest parties agree on a uniform bit
• r-round protocol Π
• m parties, up to t malicious parties
• Rushing adversary
  ◦ Realistic communication model (do not assume simultaneous exchange)
• We assume a broadcast channel
• Bias – the maximum advantage of any adversary in the protocol over flipping a fair coin
  ◦ In Blum's protocol, the bias is ¼

• Any r-round 2-party coin-tossing protocol has bias Ω(1/r)
  ◦ Generalizes to any multiparty protocol with no honest majority
• Conclusion: impossible to achieve coin-tossing with a polynomial number of rounds and negligible bias without an honest majority

• Bias O(t/√r) with m parties, t malicious, and r rounds [ABCGM85, Cl86]
  ◦ Works by repeating Blum's protocol r times and taking the majority
  ◦ This is optimal in a natural restricted model [CI93]
• Breakthrough: it is possible to achieve 2-party coin-tossing with optimal bias O(1/r) [MNS09]
  ◦ Matches Cleve's lower bound and shows that the restricted model is indeed restricted

What is the optimal bias for multiparty?
• Honest majority: negligible bias [GMW87]
• No honest majority:
  ◦ Lower bound of bias Ω(1/r) for r rounds
  ◦ Previously known protocol gives O(t/√r) for r rounds

• Goal: bias O(1/r)
• O(1/r) bias for any constant number of parties (less than 2/3 of which are malicious)
• O(1/r) bias when a "little" more than half the parties are corrupt
  ◦ These are corollaries of a general construction (see next slide)
• Also, when a constant fraction of the parties are honest, O(1/√r) – improving by a factor of t compared to the previous upper bound (t = #malicious)

• Theorem: Multiparty r-round coin-tossing with bias O(2^{2^{k+1}}/r), for m/2 ≤ t < 2m/3
  (m = #parties, t = #malicious, k = #malicious − #honest)
• Corollaries:
• Optimal bias of O(1/r) when:
  1. m is constant: e.g., with m = 5, t = 3 the bias is 8/(r − O(1))
  2. k is constant: e.g., with m = 2t (k = 0) the bias is 1/(2r − O(1))
• Bias of O(t/r) when k is log log m

• Theorem: Multiparty r-round coin-tossing with bias O(1/√r), when t is a constant fraction of m (t = #malicious)
• Removes the t factor from [ABCGM85, Cl86]

• Multiparty Coin-Toss:
  ◦ Examples and definitions
  ◦ Previous results
  ◦ Our results
• Reviewing the [Moran, Naor, Segev 09] result
• Our Result: Simplified Constructions
• Summary and Open Problems

• r-round 2-party coin-tossing protocol
• Special round i*
  ◦ The parties unknowingly learn the output in round i*
  ◦ The adversary must guess i* to bias the output
• i* is uniformly chosen and concealed from the view of the parties
• Overall bias O(1/r)

What to do if a party aborts??
If Bob aborts in round i: Alice outputs a_{i−1}
If Alice aborts in round i: Bob outputs b_{i−1}
a_i, b_i ∈ {0,1}

Diagram (the dealer's choices): output bit c ∈_R {0,1}; special round i* ∈_R {1,…,r}; a_i, b_i ∈_R {0,1} for all i < i* (and a_i = b_i = c for i ≥ i*).
The adversary wants c = 0:
  ◦ Aborting before i*: the view is independent of the output – no bias
  ◦ Aborting after i*: the output is already fixed – no bias
  ◦ Aborting exactly in round i*: bias!! But the adversary must guess i*, and the view at i ≤ i* is independent of i* – bias O(1/r)
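The dealer-based MNS protocol and abort rule described above, as an added Python example (not the slides' or the paper's code): it enumerates every dealer choice to compute exactly, not by sampling, the bias a rushing Bob gets by aborting on the first b_i = 1. It assumes that Alice's fallback a_0 (used when Bob aborts in round 1) is a fresh uniform bit; the bias comes out as (1 − 2^−r)/(2r), i.e. O(1/r), against Blum's 1/4.

```python
from fractions import Fraction
from itertools import product

# Added example, not code from the slides or the MNS paper: an exact (not
# sampled) computation of the bias a malicious, rushing Bob obtains against the
# MNS protocol with a trusted dealer as described above. Assumption: Alice's
# fallback value a_0 (used if Bob aborts in round 1) is a fresh uniform bit.

def mns_prob_alice_outputs_zero(r, bob_aborts):
    """Exact Pr[Alice outputs 0] when Bob aborts iff bob_aborts(b_1..b_i) is True
    after learning b_i in round i (before Alice gets a_i). Enumerates every
    dealer choice: c, i*, a_0 and the independent a_i, b_i for i < i*."""
    total = Fraction(0)
    for c in (0, 1):
        for istar in range(1, r + 1):
            n_rand = istar - 1                       # rounds before i*
            weight = Fraction(1, 2 * r * 2 * 4 ** n_rand)
            for a0 in (0, 1):
                for a_rand in product((0, 1), repeat=n_rand):
                    for b_rand in product((0, 1), repeat=n_rand):
                        # index 0 is the fallback, index i the round-i bit;
                        # from round i* on both bits equal the output c
                        a = [a0, *a_rand] + [c] * (r - n_rand)
                        b = [None, *b_rand] + [c] * (r - n_rand)
                        out = a[r]                   # no abort: output a_r = c
                        for i in range(1, r + 1):
                            if bob_aborts(b[1:i + 1]):
                                out = a[i - 1]       # the slides' abort rule
                                break
                        if out == 0:
                            total += weight
    return total

def mns_bias(r, bob_aborts):
    """Bob's advantage towards 0 over a fair coin."""
    return mns_prob_alice_outputs_zero(r, bob_aborts) - Fraction(1, 2)

def abort_on_first_one(b_seen):
    """Bob wants 0: abort as soon as the bit he just learned is 1."""
    return b_seen[-1] == 1

def never_abort(b_seen):
    return False

if __name__ == "__main__":
    for r in (1, 2, 4, 8):   # bias is (1 - 2^-r) / (2r): 1/4, 3/16, 15/128, ...
        print(f"r={r}: bias {mns_bias(r, abort_on_first_one)} (Blum: 1/4)")
```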

Preprocessing protocol (computes the dealer's choices): output bit c ∈_R {0,1}; special round i* ∈_R {1,…,r}; a_i, b_i ∈_R {0,1} for all i < i*.
Use secret sharing; to restrict the adversary to aborting, all shares are authenticated.

Preprocessing protocol: output bit c ∈_R {0,1}; special round i* ∈_R {1,…,r}; a_i, b_i ∈_R {0,1} for all i < i*; compute the secret sharing.
• Preprocessing?? Both parties get the output?? But how??
• Answer: NO, we only guarantee "security with abort"
  ◦ The adversary learns the output, then may deny the output from the honest party
• No harm: the preprocessing reveals nothing to the adversary
• Constant number of rounds [Lindell 2003]

• Multiparty Coin-Toss:
  ◦ Examples and definitions
  ◦ Previous results
  ◦ Our results
• Reviewing the [Moran, Naor, Segev 09] result
• Our Result: Simplified Constructions
• Summary and Open Problems

An Imam, a Rabbi and a Priest go on the same flight…

• Two ways we extend MNS:
  1. Simulation – one subset simulating Alice, the other simulating Bob
  2. Generalization – giving a bit to subsets of parties in each round
• Before i* the bits are independent
• From i* on, the bits are all the same bit

Diagram (the simulation approach, with several Alices and one Bob): output bit c ∈_R {0,1}; special round i* ∈_R {1,…,r}; a_i, b_i ∈_R {0,1} for all i < i*.
The adversary wants c = 0. Rule: if Bob aborts in round i, the Alices output a_{i−1}.
Attack: if a_1 = 0, Bob aborts in round 2 – constant bias!
Observation: at least two parties are honest. Either Bob is honest, or there is an honest majority of Alices.

Diagram: use 2-out-of-3 secret sharing of a_i among the Alices, reconstructing a_i only when needed. Dealer: go on unless two parties abort.
Output bit c ∈_R {0,1}; special round i* ∈_R {1,…,r}; a_i, b_i ∈_R {0,1} for all i < i*.

Reconstruction upon an abort in round i:
Case 1: Two Alices aborted. Bob is honest and sends b_{i−1} to the third Alice.
Case 2: Bob aborted. The remaining Alices (at least two) reconstruct a_{i−1}.
Requires signatures (limiting the adversary to aborts).

• We described a protocol with a trusted dealer
• Such a dealer does not exist in real life
• How to eliminate the dealer?
  ◦ To be answered in a few slides…

• Two ways we extend MNS:
  1. Simulation – one subset simulating Alice, the other simulating Bob
  2. Generalization – giving a bit to subsets of parties in each round
• Before i* the bits are independent
• From i* on, the bits are all the same bit

Overview: r-round protocol with an online dealer (m = 5, t = 3)
In round i: each subset S of size 2 or 3 gets a bit. Each bit is shared with threshold 2.
Dealing with aborts in round i: reconstruct the bit of round i−1
  ◦ E.g., if A, B abort – C, D, E reconstruct
  ◦ E.g., if A, B, C abort – D, E reconstruct

The dealer randomly selects:
Output c, special round i*
Random bits for i < i* (for all pairs and triples); the bits for i ≥ i* are set to c
Shares for every bit (all shares are signed)
  ◦ For pairs: 2-out-of-2 SSS
  ◦ For triples: 2-out-of-3 SSS

In round i:
The dealer continues if 4 parties are still active: give party p its share of each bit of a subset S (a pair or triple) with p ∈ S.
If fewer than 4 parties are active: the dealer halts, and the active parties (set S) reconstruct.

Dealer halts ⇒ at most 3 active parties. At least 2 of them are honest! (m = 5, t = 3)
E.g., A and D can reconstruct their bit (threshold 2); the adversary could not see it.
Before i*, the abort is independent of the reconstructed bit.

The adversary must guess i* to bias the output!! (m = 5, t = 3)
The adversary can see 10 bits in each round i (if they are not all equal, then i < i*).
Once in every 2^9 rounds they are all the same.
Probability to guess i* ≤ 2^9/r (improved later).
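The online-dealer protocol just described for m = 5, t = 3, as an added Python example that is not the authors' code: it assumes a replicated 2-out-of-n XOR sharing in place of the signed threshold shares (so signatures are not modelled and the adversary only aborts), and checks that an adversary controlling A, B, C can reconstruct exactly 10 of the 20 bits of a round, that any two members of a subset recover its bit while a single member learns nothing, and that once the dealer halts the two remaining honest parties recover the bit of the previous round.

```python
import random
from itertools import combinations

# Added example (not code from the slides) for the online-dealer protocol in the
# slides' running case m = 5, t = 3. Assumptions: each bit is shared with a
# replicated 2-out-of-n XOR scheme standing in for the slides' signed threshold
# shares, and signatures are not modelled (the adversary only aborts).
PARTIES = "ABCDE"
SUBSETS = [S for k in (2, 3) for S in combinations(PARTIES, k)]  # 10 pairs, 10 triples

def share_bit(bit, n, rng):
    """2-out-of-n sharing: bit = XOR of n pieces, party j gets every piece but
    piece j. Two parties hold all pieces; one party is missing a uniform piece."""
    pieces = [rng.randrange(2) for _ in range(n - 1)]
    pieces.append((bit + sum(pieces)) % 2)
    return [{k: v for k, v in enumerate(pieces) if k != j} for j in range(n)]

def dealer_setup(r, seed=0):
    """The dealer's choices: output c, special round i*, one bit per subset and
    round (uniform before i*, equal to c from i* on) and each party's shares."""
    rng = random.Random(seed)
    c, istar = rng.randrange(2), rng.randrange(1, r + 1)
    bits, shares = {}, {}
    for i in range(1, r + 1):
        for S in SUBSETS:
            bits[(i, S)] = rng.randrange(2) if i < istar else c
            for p, sh in zip(S, share_bit(bits[(i, S)], len(S), rng)):
                shares[(i, S, p)] = sh
    return {"c": c, "istar": istar, "bits": bits, "shares": shares}

def reconstruct(state, i, S, holders):
    """Combine the round-i shares of subset S held by the parties in `holders`."""
    pieces = {}
    for p in holders:
        if p in S:
            pieces.update(state["shares"][(i, S, p)])
    if len(pieces) < len(S):                 # fewer than two shares of S
        raise ValueError("threshold not met: bit stays hidden")
    return sum(pieces.values()) % 2

def adversary_view(state, i, corrupt):
    """Round-i bits the adversary can reconstruct: subsets with >= 2 corrupt members."""
    return {S: reconstruct(state, i, S, corrupt)
            for S in SUBSETS if len(set(S) & set(corrupt)) >= 2}

def output_after_halt(state, i, active):
    """The dealer halted in round i >= 2 (fewer than 4 active parties); the active
    parties, at least two of them honest, reconstruct their bit of round i-1."""
    return reconstruct(state, i - 1, tuple(sorted(active)), active)

if __name__ == "__main__":
    st = dealer_setup(r=6, seed=1)
    print("adversary {A,B,C} sees", len(adversary_view(st, 1, "ABC")), "bits per round")
    print("after B, C, E abort in round", st["istar"] + 1, "A and D output",
          output_after_halt(st, st["istar"] + 1, "AD"), "= c =", st["c"])
```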

• To turn the dealer into an off-line dealer: clever use of another layer of secret sharing
• To omit the off-line dealer: a preprocessing protocol (requires only security with abort)

1. Simulate the dealer's preprocessing:
  ◦ Compute c, i*, and the bits for all subsets and rounds
  ◦ Compute shares for all bits (inner secret sharing)
2. Share the information for each round in a 4-out-of-5 SSS (outer secret sharing):
  ◦ The adversary cannot reconstruct (4 = t + 1)
  ◦ As long as 4 parties are active the protocol can go on

If there are 4 active parties: send the shares of the outer secret sharing (4-out-of-5); each party learns its shares of the appropriate bits (of the inner secret sharing).
If at least 2 parties aborted (cannot continue): reconstruct the bit (same as with the online dealer).

In each round i the parties hold the same information as with the online dealer (due to the outer secret sharing).
To halt the computation (prevent reconstruction), 2 parties must abort.
The adversary can see the same bits after round i as with the online dealer.

1. Security with abort (constant round [Pass04]) with cheat detection
2. Cheat detection: all honest parties identify a cheater and continue without it
  ◦ Can be repeated at most twice
  ◦ An abort in the preprocessing is independent of the output

• Combining the ideas (simulation, generalization):
  ◦ The number of subsets depends on k = 2t − m (the gap between honest and malicious)
  ◦ Bound on bias (rather than )

• Multiparty Coin-Toss:
  ◦ Examples and definitions
  ◦ Previous results
  ◦ Our results
• Reviewing the [Moran, Naor, Segev 09] result
• Our Result: Simplified Constructions
• Summary and Open Problems

• Optimal O(1/r) bias for any constant number of parties (less than 2/3 of which are malicious)
• Optimal O(1/r) bias when a "little" more than half the parties are corrupt
  (r = #rounds in the protocol)

1. Improve the dependency on k, prove lower bounds (k = #malicious − #honest)
2. Open joke: An Imam, a Rabbi and a Priest go on the same flight… The engine breaks. Someone needs to go… They toss a fair coin. But how fair can it be…??!!
   Is O(1/r) bias possible when t ≥ 2m/3? Specifically, 2 malicious out of 3 parties

Thank You!!!