
    Almost-Optimally Fair Multiparty Coin-Tossing with Nearly Three-Quarters Malicious

    An $\alpha$-fair coin-tossing protocol allows a set of mutually distrustful parties to generate a uniform bit, such that no efficient adversary can bias the output bit by more than $\alpha$. Cleve [STOC 1986] has shown that if half of the parties can be corrupted, then no $r$-round coin-tossing protocol is $o(1/r)$-fair. For over two decades the best known $m$-party protocols, tolerating up to $t \geq m/2$ corrupted parties, were only $O(t/\sqrt{r})$-fair. In a surprising result, Moran, Naor, and Segev [TCC 2009] constructed an $r$-round two-party $O(1/r)$-fair coin-tossing protocol, i.e., an optimally fair protocol. Beimel, Omri, and Orlov [Crypto 2010] extended the results of Moran et al. to the multiparty setting where strictly fewer than 2/3 of the parties are corrupted. They constructed a $2^{2^k}/r$-fair $r$-round $m$-party protocol, tolerating up to $t = \frac{m+k}{2}$ corrupted parties. Recently, in a breakthrough result, Haitner and Tsfadia [STOC 2014] constructed an $O(\log^3(r)/r)$-fair (almost optimal) three-party coin-tossing protocol. Their work brings forth a combination of novel techniques for coping with the difficulties of constructing fair coin-tossing protocols. Still, the best coin-tossing protocols for the case where more than 2/3 of the parties may be corrupted (and even when $t = 2m/3$, where $m > 3$) were $\Theta(1/\sqrt{r})$-fair. We construct an $O(\log^3(r)/r)$-fair $m$-party coin-tossing protocol, tolerating up to $t$ corrupted parties, whenever $m$ is constant and $t < 3m/4$.

    Audita: A Blockchain-based Auditing Framework for Off-chain Storage

    The cloud changed the way we manage and store data. Today, cloud storage services offer clients an infrastructure that gives them a convenient way to store, replicate, and secure data online. However, with these new capabilities also come limitations, such as lack of transparency, limited decentralization, and challenges with privacy and security. And, as the need for more agile, private and secure data solutions continues to grow exponentially, rethinking the current structure of cloud storage is mission-critical for enterprises. By leveraging and building upon blockchain's unique attributes, including immutability, security down to the data-element level, and distribution (no single point of failure), we have developed a solution prototype that allows data to be reliably stored while simultaneously being secured, with tamper-evident auditability, via blockchain. The result, Audita, is a flexible solution that assures data protection and solves challenges such as scalability and privacy. Audita works via an augmented blockchain network of participants that include storage nodes and block creators. In addition, it provides an automatic and fair challenge system to assure that data is distributed and reliably and provably stored. While the prototype is built on Quorum, the solution framework can be used with any blockchain platform. The benefit is a system that is built to grow along with the data needs of enterprises, while continuing to build the network via incentives and solving for issues such as auditing and outsourcing.

    Estimating Gaps in Martingales and Applications to Coin-Tossing: Constructions and Hardness

    Consider the representative task of designing a distributed coin-tossing protocol for $n$ processors such that the probability of heads is $X_0 \in [0,1]$. This protocol should be robust to an adversary who can reset one processor to change the distribution of the final outcome. For $X_0 = 1/2$, in the information-theoretic setting, no adversary can shift the probability of the outcome of the well-known Blum's "majority protocol" by more than $\frac{1}{\sqrt{2\pi n}}$, i.e., it is $\frac{1}{\sqrt{2\pi n}}$ insecure. In this paper, we study discrete-time martingales $(X_0, X_1, \dotsc, X_n)$ such that $X_i \in [0,1]$ for all $i \in \{0, \dotsc, n\}$, and $X_n \in \{0,1\}$. These martingales are commonplace in modeling stochastic processes like coin-tossing protocols in the information-theoretic setting mentioned above. In particular, for any $X_0 \in [0,1]$, we construct martingales that yield $\frac{1}{2}\sqrt{\frac{X_0(1-X_0)}{n}}$ insecure coin-tossing protocols. For $X_0 = 1/2$, our protocol requires only 40% of the processors to achieve the same security as the majority protocol. The technical heart of our paper is a new inductive technique that uses geometric transformations to precisely account for the large gaps in these martingales. For any $X_0 \in [0,1]$, we show that there exists a stopping time $\tau$ such that $\mathbb{E}[|X_\tau - X_{\tau-1}|] \geq \frac{2}{\sqrt{2n-1}} \cdot X_0(1-X_0)$. The inductive technique simultaneously constructs martingales that demonstrate the optimality of our bound, i.e., a martingale where the gap corresponding to any stopping time is small. In particular, we construct optimal martingales such that any stopping time $\tau$ has $\mathbb{E}[|X_\tau - X_{\tau-1}|] \leq \frac{1}{\sqrt{n}} \cdot \sqrt{X_0(1-X_0)}$. Our lower bound holds for all $X_0 \in [0,1]$, while the previous bound of Cleve and Impagliazzo (1993) exists only for positive constant $X_0$. Conceptually, our approach only employs elementary techniques to analyze these martingales and entirely circumvents the complex probabilistic tools inherent to the approaches of Cleve and Impagliazzo (1993) and Beimel, Haitner, Makriyannis, and Omri (2018). By appropriately restricting the set of possible stopping times, we present representative applications to constructing distributed coin-tossing/dice-rolling protocols, discrete control processes, fail-stop attacking coin-tossing/dice-rolling protocols, and black-box separations.
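    The abstract above reduces the security of a coin-tossing protocol against a one-processor reset adversary to the size of the gaps $|X_\tau - X_{\tau-1}|$ of the protocol's martingale. The following Python program is an added worked example, not code from the paper: it builds the martingale of Blum's majority protocol for an odd number $n$ of processors ($X_i$ = probability that the majority is heads given the first $i$ broadcast bits) and computes, by backward induction over stopping times, the best expected gap an adversary can select, together with the one-sided shift in P[heads] a heads-preferring adversary obtains by resetting the processor whose bit just lowered $X_i$. The modelling choice that a reset replaces the bit by a fresh coin (so that in expectation $X$ returns to $X_{i-1}$) is an assumption made here to keep the example concrete; the program does not claim the paper's exact constant, it only checks that the abstract's lower bound $\frac{2}{\sqrt{2n-1}} X_0(1-X_0)$ is met by this martingale and prints $\frac{1}{\sqrt{2\pi n}}$ alongside for comparison.

```python
"""Optimal-stopping analysis of Blum's majority coin-toss under a one-processor reset adversary.

Added example (not from the paper). Model assumed here: n (odd) processors each broadcast a
uniform bit in turn; the outcome is the majority bit. X_i is the probability of heads given
the first i bits, so (X_0, ..., X_n) is a martingale with X_0 = 1/2 and X_n in {0, 1}.
The adversary may, once, reset the processor that just spoke, replacing its bit by a fresh
coin; in expectation that moves X back from X_i to X_{i-1}. The moment it does so is a
stopping time tau, so the quantity of interest is the gap E|X_tau - X_{tau-1}|.
"""
from fractions import Fraction
from functools import lru_cache
from math import comb, pi, sqrt


def heads_prob(n: int, i: int, h: int) -> Fraction:
    """X_i for the majority protocol: P[majority is heads | i bits seen, h of them heads]."""
    need = n // 2 + 1 - h          # heads still required for a heads majority (n odd)
    remaining = n - i
    if need <= 0:
        return Fraction(1)
    if need > remaining:
        return Fraction(0)
    favourable = sum(comb(remaining, k) for k in range(need, remaining + 1))
    return Fraction(favourable, 2 ** remaining)


def _check_odd(n: int) -> None:
    if n < 1 or n % 2 == 0:
        raise ValueError("majority protocol needs an odd number of processors")


def optimal_gap(n: int) -> Fraction:
    """sup over stopping times tau of E|X_tau - X_{tau-1}|, by backward induction.

    value(i, h) is the best expected gap still achievable when i bits have been revealed
    (h of them heads) and the adversary has not stopped yet. At step i+1 it sees the new
    bit, hence the new gap, and either takes that gap or continues.
    """
    _check_odd(n)

    @lru_cache(maxsize=None)
    def value(i: int, h: int) -> Fraction:
        if i == n:
            return Fraction(0)
        x = heads_prob(n, i, h)
        total = Fraction(0)
        for bit in (0, 1):
            gap = abs(heads_prob(n, i + 1, h + bit) - x)
            total += max(gap, value(i + 1, h + bit))
        return total / 2

    return value(0, 0)


def reset_bias_towards_heads(n: int) -> Fraction:
    """Largest increase in P[heads] a heads-preferring reset adversary can force.

    Resetting right after a bit that lowered X restores X_{i-1} in expectation, so the gain
    from stopping at step i is (X_{i-1} - X_i)^+; the stopping time is optimised as above.
    """
    _check_odd(n)

    @lru_cache(maxsize=None)
    def value(i: int, h: int) -> Fraction:
        if i == n:
            return Fraction(0)
        x = heads_prob(n, i, h)
        total = Fraction(0)
        for bit in (0, 1):
            gain = max(x - heads_prob(n, i + 1, h + bit), Fraction(0))
            total += max(gain, value(i + 1, h + bit))
        return total / 2

    return value(0, 0)


def last_step_tie_gap(n: int) -> Fraction:
    """Gap of the naive rule 'stop at the last step iff the first n-1 bits are tied'.

    Then X_{n-1} = 1/2 and X_n in {0, 1}: a gap of 1/2 with probability C(n-1,(n-1)/2)/2^(n-1).
    """
    _check_odd(n)
    return Fraction(comb(n - 1, (n - 1) // 2), 2 ** (n - 1)) / 2


def abstract_lower_bound(n: int, x0: float = 0.5) -> float:
    """The abstract's bound: some stopping time has gap >= 2/sqrt(2n-1) * X_0 (1 - X_0)."""
    return 2 / sqrt(2 * n - 1) * x0 * (1 - x0)


if __name__ == "__main__":
    print(" n   optimal gap   reset bias   last-step tie   lower bound   1/sqrt(2 pi n)")
    for n in range(3, 26, 2):
        g, b, t = optimal_gap(n), reset_bias_towards_heads(n), last_step_tie_gap(n)
        print(f"{n:2d}   {float(g):.5f}       {float(b):.5f}      {float(t):.5f}"
              f"         {abstract_lower_bound(n):.5f}       {1 / sqrt(2 * pi * n):.5f}")
```

    Exact arithmetic is used so that small cases can be checked by hand: for $n = 3$ the optimal gap is $3/8$ (stopping at the last step only when the first two bits tie would give just $1/4$), and the heads-preferring reset adversary gains $3/16$. Every row satisfies the abstract's lower bound, and the optimal gap always dominates the naive last-step rule.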

    Game-Theoretically Fair Distributed Sampling

    Cleve's celebrated result (STOC '86) showed that a strongly fair multi-party coin-toss is impossible in the presence of majority-sized coalitions. Recently, however, a fascinating line of work studied a relaxed fairness notion called game-theoretic fairness, which guarantees that no coalition should be incentivized to deviate from the prescribed protocol. A sequence of works has explored the feasibility of game-theoretic fairness for two-sided coin-toss, and indeed demonstrated feasibility in the dishonest majority setting under standard cryptographic assumptions. In fact, the recent work of Wu, Asharov, and Shi (EUROCRYPT '22) completely characterized the regime where game-theoretic fairness is feasible. However, this line of work is largely restricted to two-sided coin-toss, and more precisely to a uniform coin-toss (i.e., Bernoulli with parameter $1/2$). The only exceptions are the works on game-theoretically fair leader election, which can be viewed as a special case of uniform $n$-sided coin-toss where $n$ is the number of parties. In this work, we initiate the comprehensive study of game-theoretic fairness for multi-party sampling from general distributions. In particular, for the case of $m$-sided uniform coin-toss we give a nearly complete characterization of the regime in which game-theoretic fairness is feasible. Interestingly, contrary to standard fairness notions in cryptography, the composition of game-theoretically fair two-sided coin-toss protocols does not necessarily yield game-theoretically fair multi-sided coins. To circumvent this, we introduce new techniques compatible with game-theoretic fairness. In particular, we give the following results:
    - We give a protocol from standard cryptographic assumptions that achieves game-theoretic fairness for uniform $m$-sided coin-toss against half- or more-sized adversarial coalitions.
    - To complement our protocol, we give a general impossibility result that establishes the optimality of our protocol for a broad range of parameters modulo an additive constant. Even in the worst case, the gap between our protocol and our impossibility result is only a small constant multiplicative factor.
    - We also present a game-theoretically fair protocol for any efficiently sampleable $m$-outcome distribution in the dishonest majority setting. For instance, even for the case of $m = 2$ (i.e., two-sided coin-toss), our result implies a game-theoretically fair protocol for an arbitrary Bernoulli coin. In contrast, the work of Wu, Asharov, and Shi only focused on a Bernoulli coin with parameter $1/2$.

    Secure Multiparty Computation with Identifiable Abort from Vindicating Release

    In the dishonest-majority setting, generic secure multiparty computation (MPC) protocols are fundamentally vulnerable to attacks in which malicious participants learn their outputs and then force the protocol to abort before outputs are delivered to the honest participants. In other words, generic MPC protocols typically guarantee security with abort. This flavor of security permits denial-of-service attacks in many applications, unless the cheating participants who cause aborts are identified. At present, there is a substantial performance gap between the best known protocols that are secure with non-identifiable abort, and the best known protocols that achieve security with identifiable abort (IA). Known constructions with IA rely on generic zero-knowledge proofs, adaptively secure oblivious transfer (OT) protocols, or homomorphic primitives. We present a novel approach for realizing functionalities with a weak form of input-revealing IA, which is based on delicate and selective revealing of committed input values. We refer to this new approach as vindicating release. When our approach is applied to several well-known protocols---including a variant of PVW OT, Softspoken OT extension, DKLs multiplication, and MASCOT generic MPC---the resulting protocols can be combined to realize any sampling functionality with (standard) IA. Such a realization is statistically secure given a variant of statically-corruptable ideal OT, and it differs minimally in terms of cost, techniques, and analysis from the equivalent realization (using the same well-known protocols, unmodified) that lacks identifiability. Using our protocol to sample the correlated randomness of the IOZ compiler reduces the compiler's requirements from an adaptively secure OT protocol to a variant of statically-corruptable ideal OT.

    New Applications Of Public Ledgers

    The last decade and a half has seen the rise of a new class of systems loosely categorized as public ledgers. Public ledgers guarantee that all posted information is permanently available to the entire public. Common realizations of public ledgers include public blockchains and centralized logs. In this work we investigate novel applications of public ledgers. We begin by describing enclave ledger interaction, a computational method that allows the execution of trusted execution environments or cryptographically obfuscated programs to be conditioned on the contents of the ledger. We then show how this conditional execution paradigm can be used to achieve fairness in dishonest majority secure multiparty computation, which is impossible in the plain model. Finally, we show how conditional execution can be used to build systems that facilitate law enforcement access to ciphertext while ensuring robust transparency and accountability mechanisms.

    Theory of Cryptography: 14th International Conference, TCC 2016-B, Beijing, China, October 31-November 3, 2016, Proceedings, Part I

    The two-volume set LNCS 9985 and LNCS 9986 constitutes the refereed proceedings of the 14th International Conference on Theory of Cryptography, TCC 2016-B, held in Beijing, China, in November 2016. The total of 45 revised full papers presented in the proceedings were carefully reviewed and selected from 113 submissions. The papers were organized in topical sections named: TCC test-of-time award; foundations; unconditional security; foundations of multi-party protocols; round complexity and efficiency of multi-party computation; differential privacy; delegation and IP; public-key encryption; obfuscation and multilinear maps; attribute-based encryption; functional encryption; secret sharing; new models.

    Contents:
    TCC Test-of-Time Award
    - From Indifferentiability to Constructive Cryptography (and Back)
    Foundations
    - Fast Pseudorandom Functions Based on Expander Graphs
    - 3-Message Zero Knowledge Against Human Ignorance
    - The GGM Function Family is a Weakly One-Way Family of Functions
    - On the (In)security of SNARKs in the Presence of Oracles
    - Leakage Resilient One-Way Functions: The Auxiliary-Input Setting
    - Simulating Auxiliary Inputs, Revisited
    Unconditional Security
    - Pseudoentropy: Lower-bounds for Chain rules and Transformations
    - Oblivious Transfer from Any Non-Trivial Elastic Noisy Channel via Secret Key Agreement
    - Simultaneous Secrecy and Reliability Amplification for a General Channel Model
    - Proof of Space from Stacked Expanders
    - Perfectly Secure Message Transmission in Two Rounds
    Foundations of Multi-Party Protocols
    - Almost-Optimally Fair Multiparty Coin-Tossing with Nearly Three-Quarters Malicious
    - Binary AMD Circuits from Secure Multiparty Computation
    - Composable Security in the Tamper-Proof Hardware Model under Minimal Complexity
    - Composable Adaptive Secure Protocols without Setup under Polytime Assumptions
    - Adaptive Security of Yao's Garbled Circuits
    Round Complexity and Efficiency of Multi-Party Computation
    - Efficient Secure Multiparty Computation with Identifiable Abort
    - Secure Multiparty RAM Computation in Constant Rounds
    - Constant-Round Maliciously Secure Two-Party Computation in the RAM Model
    - More Efficient Constant-Round Multi-Party Computation from BMR and SHE
    - Cross&Clean: Amortized Garbled Circuits With Constant Overhead
    Differential Privacy
    - Separating Computational and Statistical Differential Privacy in the Client-Server Model
    - Concentrated Differential Privacy: Simplifications, Extensions, and Lower Bounds
    - Strong Hardness of Privacy from Weak Traitor Tracing