Abstract
Consider a coin tossing protocol in which n processors \(P_1,\dots ,P_n\) agree on a random bit b in n rounds, where in round i \(P_i\) sends a single message \(w_i\). Imagine a full-information adversary who prefers the output 1, and in every round i it knows all the finalized messages \(w_1,\dots ,w_{i-1}\) so far as well as the prepared message \(w_i\). A k-replacing attack will have a chance to replace the prepared \(w_i\) with its own choice \(w'_i \ne w_i\) in up to k rounds. Taking majority protocol over uniformly random bits \(w_i=b_i\) is robust in the following strong sense. Any k-replacing adversary can only increase the probability of outputting 1 by at most \(O(k/\sqrt{n})\). In this work, we ask if the above simple protocol is tight.
For the same setting, but restricted to uniformly random bit messages, Lichtenstein, Linial, and Saks [Combinatorica’89] showed how to achieve bias \(\varOmega (k/\sqrt{n})\) for any \(k \in [n]\). Kalai, Komargodski, and Raz [DISC’18, Combinatorica’21] gave an alternative polynomial-time attack when \(k \ge \varTheta (\sqrt{n})\). Etesami, Mahloujifar, and Mahmoody [ALT’19, SODA’20] extended the result of KKR18 to arbitrary long messages. It hence remained open to find any attacks of bias \(\varOmega (k/\sqrt{n})\) in the few-corruption regime \(k=o(\sqrt{n})\) when the messages are of arbitrary length, and to find such polynomial-time (and perhaps tight) attacks when messages are uniformly random bits. In this work, we resolve both of these problems.
-
For arbitrary length messages, we show that k-replacing polynomial-time attacks can indeed increase the probability of outputting 1 by \(\varOmega (k/\sqrt{n})\) for any k, which is optimal up to a constant factor. By plugging in our attack into the framework of Mahloujifar Mahmoody [TCC’17] we obtain similar data poisoning attacks against deterministic learners when adversary is limited to changing \(k=o(\sqrt{n})\) of the n training examples.
-
For uniformly random bits \(b_1,\dots ,b_n\), we show that whenever \(\Pr [b=1]= \Pr [\sum b_i \ge t] = \mathsf {\beta }^{(t)}_n\) for \(t \in [n]\) is the probability of a Hamming ball, then online polynomial-time k-replacing attacks can increase \(\Pr [b=1]\) from \(\mathsf {\beta }^{(t)}_n\) to \(\mathsf {\beta }^{(t-k)}_n \), which is optimal due to the majority protocol. In comparison, the (information-theoretic) attack of LLS89 increased \(\Pr [b=1]\) to \(\mathsf {\beta }^{(t-k)}_{n-k}\), which is optimal for adaptive adversaries who cannot see the message before changing it. Thus, we obtain a computational variant of Harper’s celebrated vertex isoperimetric inequality.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
This is also called a single-turn protocol.
- 2.
In contrast, untargeted adversaries can bias the output towards either of 0 or 1.
- 3.
This is also called the strongly adaptive corruption model [13].
- 4.
Interestingly, the main result of [21] focuses on non-targeted attacks and shows that the output of any single-turn protocol can be attacked (only information theoretically) by a (standard) adaptive non-targeted adversary replacing \(k=\varOmega (\sqrt{n})\) parties. The recent breakthrough of Haitner and Karidi-Heller [15] generalized the main result of [21] to any general, perhaps multi-turn, protocol. Our focus in this work, however, is on single-turn protocols.
- 5.
A weaker version for uniform bits is known as the blowing-up lemma [30].
- 6.
In case [21], here we refer to their proof for the case of bitwise messages. Their attack for the long-message setting is (inherently) an non-targeted attack, and not a PPT one.
- 7.
Attack would need \( {v}_{\le i}\) and the “used part of the budget” \(\mathrm {HD}( {u}_{\le i}, {v}_{\le i})\). Both of these can be obtained from \(\sigma _i=( {u}_{\le i}, {v}_{\le i})\).
- 8.
In Sects. 2 and 3, we called the original random process \( {\mathbf {w}}_{\le n}\) and \(\mathbf {U}_n\) was one of the generated random processes (modeling the original samples). However, since we are starting from a product distribution, it would hold that \(\mathbf {U}_n \equiv {\mathbf {w}}_{\le n}\), and thus we simply call the original distribution \(\mathbf {u}\).
References
Amir, D., Milman, V.: Unconditional and symmetric sets in n-dimensional normed spaces. Israel J. Math. 37(1–2), 3–20 (1980)
Beimel, A., Haitner, I., Makriyannis, N., Omri, E.: Tighter bounds on multi-party coin flipping via augmented weak martingales and differentially private sampling. In: 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), pp. 838–849. IEEE (2018)
Ben-Or, M., Linial, N.: Collective coin flipping. Adv. Comput. Res. 5, 91–115 (1989)
Ben-Or, M., Linial, N.: Collective coin flipping. Adv. Comput. Res. 5, 91–115 (1990)
Bentov, I., Gabizon, A., Zuckerman, D.: Bitcoin beacon. arXiv preprint arXiv:1605.04559 (2016)
Blum, M.: How to exchange (secret) keys. ACM Trans. Comput. Syst. 1, 175–193 (1984)
Cleve, R.: Limits on the security of coin flips when half the processors are faulty. In: Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, pp. 364–369. ACM (1986)
Cleve, R., Impagliazzo, R.: Martingales, collective coin flipping and discrete control processes. Manuscript (1993)
Dachman-Soled, D., Lindell, Y., Mahmoody, M., Malkin, T.: On the black-box complexity of optimally-fair coin tossing. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 450–467. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_27
Dachman-Soled, D., Mahmoody, M., Malkin, T.: Can optimally-fair coin tossing be based on one-way functions? In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 217–239. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_10
Dodis, Y.: New imperfect random source with applications to coin-flipping. In: Orejas, F., Spirakis, P.G., van Leeuwen, J. (eds.) ICALP 2001. LNCS, vol. 2076, pp. 297–309. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-48224-5_25
Etesami, O., Mahloujifar, S., Mahmoody, M.: Computational concentration of measure: optimal bounds, reductions, and more. In: Proceedings of the Fourteenth Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 345–363. SIAM (2020)
Goldwasser, S., Kalai, Y.T., Park, S.: Adaptively secure coin-flipping, revisited. In: Halldórsson, M.M., Iwama, K., Kobayashi, N., Speckmann, B. (eds.) ICALP 2015. LNCS, vol. 9135, pp. 663–674. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47666-6_53
Habib, M., McDiarmid, C., Ramirez-Alfonsin, J., Reed, B.: Probabilistic Methods for Algorithmic Discrete Mathematics, vol. 16. Springer, Heidelberg (2013)
Haitner, I., Karidi-Heller, Y.: A tight lower bound on adaptively secure full-information coin flip. In: IEEE 61st Annual Symposium on Foundations of Computer Science (FOCS) (2020)
Haitner, I., Makriyannis, N., Omri, E.: On the complexity of fair coin flipping. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11239, pp. 539–562. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03807-6_20
Haitner, I., Nissim, K., Omri, E., Shaltiel, R., Silbak, J.: Computational two-party correlation: a dichotomy for key-agreement protocols. In: 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), pp. 136–147. IEEE (2018)
Haitner, I., Tsfadia, E.: An almost-optimally fair three-party coin-flipping protocol. SIAM J. Comput. 46(2), 479–542 (2017)
Harper, L.H.: Optimal numberings and isoperimetric problems on graphs. J. Comb. Theory 1(3), 385–393 (1966)
Kahn, J.: The influence of variables on Boolean functions. In: Proceedings of the 29th Annual IEEE Symposium on Foundations of Computer Science (1988)
Kalai, Y.T., Komargodski, I., Raz, R.: A lower bound for adaptively-secure collective coin-flipping protocols. In: 32nd International Symposium on Distributed Computing (2018)
Khorasgani, H.A., Maji, H.K., Mukherjee, T.: Estimating gaps in martingales and applications to coin-tossing: constructions and hardness. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 333–355. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_13
Khorasgani, H.A., Maji, H.K., Wang, M.: Optimally-secure coin-tossing against a byzantine adversary. Cryptology ePrint Archive, Report 2020/519 (2020). https://eprint.iacr.org/2020/519
Lichtenstein, D., Linial, N., Saks, M.: Some extremal problems arising from discrete control processes. Combinatorica 9(3), 269–287 (1989)
Mahloujifar, S., Diochnos, D.I., Mahmoody, M.: Learning under \(p\)-tampering attacks. In: ALT, pp. 572–596 (2018)
Mahloujifar, S., Mahmoody, M.: Blockwise \(p\)-tampering attacks on cryptographic primitives, extractors, and learners. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 245–279. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_8
Mahloujifar, S., Mahmoody, M.: Can adversarially robust learning leverage computational hardness? In: Garivier, A., Kale, S. (eds.) Proceedings of the 30th International Conference on Algorithmic Learning Theory. Proceedings of Machine Learning Research, vol. 98, pp. 581–609. PMLR, Chicago, Illinois (2019). http://proceedings.mlr.press/v98/mahloujifar19a.html
Mahloujifar, S., Mahmoody, M., Mohammed, A.: Universal multi-party poisoning attacks. In: Proceedings of the 36th International Conference on Machine Learning, vol. 97, pp. 4274–4283 (2019)
Maji, H.K., Wang, M.: Black-box use of one-way functions is useless for optimal fair coin-tossing. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 593–617. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_21
Margulis, G.A.: Probabilistic characteristics of graphs with large connectivity. Problemy peredachi informatsii 10(2), 101–108 (1974)
McDiarmid, C.: On the method of bounded differences. Surv. Comb. 141(1), 148–188 (1989)
Milman, V.D., Schechtman, G.: Asymptotic Theory of Finite Dimensional Normed Spaces, vol. 1200. Springer, Heidelberg (1986). https://doi.org/10.1007/978-3-540-38822-7
Moran, T., Naor, M., Segev, G.: An optimally fair coin toss. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 1–18. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_1
Russell, A., Saks, M., Zuckerman, D.: Lower bounds for leader election and collective coin-flipping in the perfect information model. SIAM J. Comput. 31(6), 1645–1662 (2002)
Talagrand, M.: Concentration of measure and isoperimetric inequalities in product spaces. Publications Mathématiques de l’Institut des Hautes Etudes Scientifiques 81(1), 73–205 (1995)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 International Association for Cryptologic Research
About this paper
Cite this paper
Etesami, O., Gao, J., Mahloujifar, S., Mahmoody, M. (2021). Polynomial-Time Targeted Attacks on Coin Tossing for Any Number of Corruptions. In: Nissim, K., Waters, B. (eds) Theory of Cryptography. TCC 2021. Lecture Notes in Computer Science(), vol 13043. Springer, Cham. https://doi.org/10.1007/978-3-030-90453-1_25
Download citation
DOI: https://doi.org/10.1007/978-3-030-90453-1_25
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-90452-4
Online ISBN: 978-3-030-90453-1
eBook Packages: Computer ScienceComputer Science (R0)
