
    Adaptively Secure Coin-Flipping, Revisited

    The full-information model was introduced by Ben-Or and Linial in 1985 to study collective coin-flipping: the problem of generating a common bounded-bias bit in a network of $n$ players with $t=t(n)$ faults. They showed that the majority protocol can tolerate $t=O(\sqrt n)$ adaptive corruptions, and conjectured that this is optimal in the adaptive setting. Lichtenstein, Linial, and Saks proved that the conjecture holds for protocols in which each player sends a single bit. Their result has been the main progress on the conjecture in the last 30 years. In this work we revisit this question and ask: what about protocols involving longer messages? Can increased communication allow for a larger fraction of faulty players? We introduce a model of strong adaptive corruptions, where in each round, the adversary sees all messages sent by honest parties and, based on the message content, decides whether to corrupt a party (and intercept his message) or not. We prove that any one-round coin-flipping protocol, regardless of message length, is secure against at most $\tilde{O}(\sqrt n)$ strong adaptive corruptions. Thus, increased message length does not help in this setting. We then shed light on the connection between adaptive and strongly adaptive adversaries, by proving that for any symmetric one-round coin-flipping protocol secure against $t$ adaptive corruptions, there is a symmetric one-round coin-flipping protocol secure against $t$ strongly adaptive corruptions. Returning to the standard adaptive model, we can now prove that any symmetric one-round protocol with arbitrarily long messages can tolerate at most $\tilde{O}(\sqrt n)$ adaptive corruptions. At the heart of our results lies a novel use of the Minimax Theorem and a new technique for converting any one-round secure protocol into a protocol with messages of $\mathrm{polylog}(n)$ bits. This technique may be of independent interest.

    Multiparty Quantum Coin Flipping

    We investigate coin-flipping protocols for multiple parties in a quantum broadcast setting: (1) We propose and motivate a definition for quantum broadcast. Our model of quantum broadcast channel is new. (2) We discovered that quantum broadcast is essentially a combination of pairwise quantum channels and a classical broadcast channel. This is a somewhat surprising conclusion, but helps us in both our lower and upper bounds. (3) We provide tight upper and lower bounds on the optimal bias $\epsilon$ of a coin which can be flipped by $k$ parties of which exactly $g$ parties are honest: for any $1 \le g \le k$, $\epsilon = 1/2 - \Theta(g/k)$. Thus, as long as a constant fraction of the players are honest, they can prevent the coin from being fixed with at least a constant probability. This result stands in sharp contrast with the classical setting, where no non-trivial coin-flipping is possible when $g \le k/2$. Comment: v2: bounds now tight via new protocol; to appear at IEEE Conference on Computational Complexity 200

    Quantum cryptography: key distribution and beyond

    Uniquely among the sciences, quantum cryptography has driven both foundational research as well as practical real-life applications. We review the progress of quantum cryptography in the last decade, covering quantum key distribution and other applications. Comment: It's a review on quantum cryptography and it is not restricted to QK

    Unconditionally secure quantum coin flipping

    Quantum coin flipping (QCF) is an essential primitive for quantum cryptography. Unconditionally secure strong QCF with an arbitrarily small bias was widely believed to be impossible. But based on a problem which cannot be solved without a quantum algorithm, here we propose such a QCF protocol, and show how it manages to evade all existing no-go proofs on QCF. Comment: The protocol is modified so that the security proof can be simplified. Also corrected a flaw in the analysis on the no-go proof in Ref.[13]. We thank the anonymous referee for pinpointing out the fla

    Coin flipping from a cosmic source: On error correction of truly random bits

    We study a problem related to coin flipping, coding theory, and noise sensitivity. Consider a source of truly random bits $x \in \{0,1\}^n$, and $k$ parties, who have noisy versions of the source bits $y^i \in \{0,1\}^n$, where for all $i$ and $j$, it holds that $\Pr[y^i_j = x_j] = 1 - \epsilon$, independently for all $i$ and $j$. That is, each party sees each bit correctly with probability $1-\epsilon$, and incorrectly (flipped) with probability $\epsilon$, independently for all bits and all parties. The parties, who cannot communicate, wish to agree beforehand on {\em balanced} functions $f_i : \{0,1\}^n \to \{0,1\}$ such that $\Pr[f_1(y^1) = \dots = f_k(y^k)]$ is maximized. In other words, each party wants to toss a fair coin so that the probability that all parties have the same coin is maximized. The functions $f_i$ may be thought of as an error correcting procedure for the source $x$. When $k=2,3$ no error correction is possible, as the optimal protocol is given by $f_i(x^i) = y^i_1$. On the other hand, for large values of $k$, better protocols exist. We study general properties of the optimal protocols and the asymptotic behavior of the problem with respect to $k$, $n$ and $\epsilon$. Our analysis uses tools from probability, discrete Fourier analysis, convexity and discrete symmetrization.

    Multi-party Poisoning through Generalized $p$-Tampering

    In a poisoning attack against a learning algorithm, an adversary tampers with a fraction of the training data $T$ with the goal of increasing the classification error of the constructed hypothesis/model over the final test distribution. In the distributed setting, $T$ might be gathered gradually from $m$ data providers $P_1,\dots,P_m$ who generate and submit their shares of $T$ in an online way. In this work, we initiate a formal study of $(k,p)$-poisoning attacks in which an adversary controls $k\in[n]$ of the parties, and even for each corrupted party $P_i$, the adversary submits some poisoned data $T'_i$ on behalf of $P_i$ that is still "$(1-p)$-close" to the correct data $T_i$ (e.g., a $1-p$ fraction of $T'_i$ is still honestly generated). For $k=m$, this model becomes the traditional notion of poisoning, and for $p=1$ it coincides with the standard notion of corruption in multi-party computation. We prove that if there is an initial constant error for the generated hypothesis $h$, there is always a $(k,p)$-poisoning attacker who can decrease the confidence of $h$ (to have a small error), or alternatively increase the error of $h$, by $\Omega(p \cdot k/m)$. Our attacks can be implemented in polynomial time given samples from the correct data, and they use no wrong labels if the original distributions are not noisy. At a technical level, we prove a general lemma about biasing bounded functions $f(x_1,\dots,x_n)\in[0,1]$ through an attack model in which each block $x_i$ might be controlled by an adversary with marginal probability $p$ in an online way. When the probabilities are independent, this coincides with the model of $p$-tampering attacks, thus we call our model generalized $p$-tampering. We prove the power of such attacks by incorporating ideas from the context of coin-flipping attacks into the $p$-tampering model and generalize the results in both of these areas.