International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Computational Hardness of Optimal Fair Computation: Beyond Minicrypt

Authors:
Hemanta K. Maji , Purdue University
Mingyuan Wang , Purdue University
Download:
DOI: 10.1007/978-3-030-84245-1_2 (login may be required)
Search ePrint
Search Google
Presentation: Slides
Conference: CRYPTO 2021
Abstract: Secure multi-party computation allows mutually distrusting parties to compute securely over their private data. However, guaranteeing output delivery to honest parties when the adversarial parties may abort the protocol has been a challenging objective. As a representative task, this work considers two-party coin-tossing protocols with guaranteed output delivery, a.k.a., fair coin-tossing. In the information-theoretic plain model, as in two-party zero-sum games, one of the parties can force an output with certainty. In the commitment-hybrid, any r-message coin-tossing protocol is 1/r-unfair, i.e., the adversary can change the honest party's output distribution by 1/r in the statistical distance. Moran, Naor, and Segev (TCC--2009) constructed the first 1/r-unfair protocol in the oblivious transfer-hybrid. No further security improvement is possible because Cleve (STOC--1986) proved that 1/r-unfairness is unavoidable. Therefore, Moran, Naor, and Segev's coin-tossing protocol is optimal. However, is oblivious transfer necessary for optimal fair coin-tossing? Maji and Wang (CRYPTO--2020) proved that any coin-tossing protocol using one-way functions in a black-box manner is at least 1/r-unfair. That is, optimal fair coin-tossing is impossible in Minicrypt. Our work focuses on tightly characterizing the hardness of computation assumption necessary and sufficient for optimal fair coin-tossing within Cryptomania, outside Minicrypt. Haitner, Makriyannia, Nissim, Omri, Shaltiel, and Silbak (FOCS--2018 and TCC--2018) proved that better than 1/r-unfairness, for any constant r, implies the existence of a key-agreement protocol. We prove that any coin-tossing protocol using public-key encryption (or, multi-round key agreement protocols) in a black-box manner must be 1/r-unfair. Next, our work entirely characterizes the additional power of secure function evaluation functionalities for optimal fair coin-tossing. We augment the model with an idealized secure function evaluation of f, \aka, the f-hybrid. If f is complete, that is, oblivious transfer is possible in the f-hybrid, then optimal fair coin-tossing is also possible in the f-hybrid. On the other hand, if f is not complete, then a coin-tossing protocol using public-key encryption in a black-box manner in the f-hybrid is at least 1/r-unfair.
Video from CRYPTO 2021
BibTeX
@inproceedings{crypto-2021-31237,
  title={Computational Hardness of Optimal Fair Computation: Beyond Minicrypt},
  publisher={Springer-Verlag},
  doi={10.1007/978-3-030-84245-1_2},
  author={Hemanta K. Maji and Mingyuan Wang},
  year=2021
}