Adaptively Secure Coin-Flipping, Revisited
The full-information model was introduced by Ben-Or and Linial in 1985 to
study collective coin-flipping: the problem of generating a common bounded-bias
bit in a network of players with faults. They showed that the
majority protocol can tolerate adaptive corruptions, and
conjectured that this is optimal in the adaptive setting. Lichtenstein, Linial,
and Saks proved that the conjecture holds for protocols in which each player
sends a single bit. Their result has been the main progress on the conjecture
in the last 30 years.
In this work we revisit this question and ask: what about protocols involving
longer messages? Can increased communication allow for a larger fraction of
faulty players?
We introduce a model of strong adaptive corruptions, where in each round, the
adversary sees all messages sent by honest parties and, based on the message
content, decides whether to corrupt a party (and intercept his message) or not.
We prove that any one-round coin-flipping protocol, regardless of message
length, is secure against at most strong adaptive
corruptions. Thus, increased message length does not help in this setting.
We then shed light on the connection between adaptive and strongly adaptive
adversaries, by proving that for any symmetric one-round coin-flipping protocol
secure against adaptive corruptions, there is a symmetric one-round
coin-flipping protocol secure against strongly adaptive corruptions.
Returning to the standard adaptive model, we can now prove that any symmetric
one-round protocol with arbitrarily long messages can tolerate at most
adaptive corruptions.
At the heart of our results lies a novel use of the Minimax Theorem and a new
technique for converting any one-round secure protocol into a protocol with
messages of bits. This technique may be of independent interest.
Tight bounds for classical and quantum coin flipping
Coin flipping is a cryptographic primitive for which strictly better
protocols exist if the players are not only allowed to exchange classical, but
also quantum messages. During the past few years, several results have appeared
which give a tight bound on the range of implementable unconditionally secure
coin flips, both in the classical as well as in the quantum setting and for
both weak as well as strong coin flipping. But the picture is still incomplete:
in the quantum setting, all results consider only protocols with perfect
correctness, and in the classical setting tight bounds for strong coin flipping
are still missing. We give a general definition of coin flipping which unifies
the notion of strong and weak coin flipping (it contains both of them as
special cases) and allows the honest players to abort with a certain
probability. We give tight bounds on the achievable range of parameters both in
the classical and in the quantum setting. Comment: 18 pages, 2 figures; v2: published versio
Multi-party Poisoning through Generalized -Tampering
In a poisoning attack against a learning algorithm, an adversary tampers with
a fraction of the training data with the goal of increasing the
classification error of the constructed hypothesis/model over the final test
distribution. In the distributed setting, might be gathered gradually from
data providers who generate and submit their shares of
in an online way.
In this work, we initiate a formal study of -poisoning attacks in
which an adversary controls of the parties, and even for each
corrupted party , the adversary submits some poisoned data on
behalf of that is still "-close" to the correct data (e.g.,
fraction of is still honestly generated). For , this model
becomes the traditional notion of poisoning, and for it coincides with
the standard notion of corruption in multi-party computation.
We prove that if there is an initial constant error for the generated
hypothesis , there is always a -poisoning attacker who can decrease
the confidence of (to have a small error), or alternatively increase the
error of , by . Our attacks can be implemented in
polynomial time given samples from the correct data, and they use no wrong
labels if the original distributions are not noisy.
At a technical level, we prove a general lemma about biasing bounded
functions through an attack model in which each
block might be controlled by an adversary with marginal probability
in an online way. When the probabilities are independent, this coincides with
the model of -tampering attacks, thus we call our model generalized
-tampering. We prove the power of such attacks by incorporating ideas from
the context of coin-flipping attacks into the -tampering model and
generalize the results in both of these areas.
Serial composition of quantum coin-flipping, and bounds on cheat detection for bit-commitment
Quantum protocols for coin-flipping can be composed in series in such a way
that a cheating party gains no extra advantage from using entanglement between
different rounds. This composition principle applies to coin-flipping protocols
with cheat sensitivity as well, and is used to derive two results: There are no
quantum strong coin-flipping protocols with cheat sensitivity that is linear in
the bias (or bit-commitment protocols with linear cheat detection) because
these can be composed to produce strong coin-flipping with arbitrarily small
bias. On the other hand, it appears that quadratic cheat detection cannot be
composed in series to obtain even weak coin-flipping with arbitrarily small
bias. Comment: 7 pages, REVTeX 4 (minor corrections in v2
Toward a general theory of quantum games
We study properties of quantum strategies, which are complete specifications
of a given party's actions in any multiple-round interaction involving the
exchange of quantum information with one or more other parties. In particular,
we focus on a representation of quantum strategies that generalizes the
Choi-Jamio{\l}kowski representation of quantum operations. This new
representation associates with each strategy a positive semidefinite operator
acting only on the tensor product of its input and output spaces. Various facts
about such representations are established, and two applications are discussed:
the first is a new and conceptually simple proof of Kitaev's lower bound for
strong coin-flipping, and the second is a proof of the exact characterization
QRG = EXP of the class of problems having quantum refereed games. Comment: 23 pages, 12pt font, single-column compilation of STOC 2007 final
versio
A large family of quantum weak coin-flipping protocols
Each classical public-coin protocol for coin flipping is naturally associated
with a quantum protocol for weak coin flipping. The quantum protocol is
obtained by replacing classical randomness with quantum entanglement and by
adding a cheat detection test in the last round that verifies the integrity of
this entanglement. The set of such protocols defines a family which contains
the protocol with bias 0.192 previously found by the author, as well as
protocols with bias as low as 1/6 described herein. The family is analyzed by
identifying a set of optimal protocols for every number of messages. In the
end, tight lower bounds for the bias are obtained which prove that 1/6 is
optimal for all protocols within the family. Comment: 17 pages, REVTeX 4 (minor corrections in v2
On Oblivious Amplification of Coin-Tossing Protocols
We consider the problem of amplifying two-party coin-tossing protocols: given a protocol where it is possible to bias the common output by at most ρ, we aim to obtain a new protocol where the output can be biased by at most ρ* < ρ. We rule out the existence of a natural type of amplifiers called oblivious amplifiers for every ρ* < ρ. Such amplifiers ignore the way that the underlying ρ-bias protocol works and can only invoke an oracle that provides ρ-bias bits.
We provide two proofs of this impossibility. The first is by a reduction to the impossibility of deterministic randomness extraction from Santha-Vazirani sources. The second is a direct proof that is more general and also rules out certain types of asymmetric amplification. In addition, it gives yet another proof for the Santha-Vazirani impossibility.