1 Introduction

Ideally, in any cryptographic task, one would like to ensure that the honest parties receive their output when adversarial parties refuse to participate any further. Ensuring guaranteed output delivery, a.k.a., fair computation, is challenging even for fundamental cryptographic primitives like two-party coin-tossing. A two-party fair coin-tossing protocol assures that the honest party receives her output bit even when the adversary aborts during the protocol execution. Cleve [24] demonstrated that, even for computationally bounded parties, a fail-stop adversary could alter the output distribution by 1/r (in the statistical distance) in any r-message interactive protocol. Intuitively, any r-message interactive protocol is 1/r-insecure. An optimal r-message two-party fair coin-tossing protocol ensures that it is only 1/r-insecure.

In a seminal result, nearly three decades after the introduction of optimal fair coin-tossing protocols, Moran, Naor, and Segev [88] presented the first optimal coin-tossing protocol construction based on the existence of (unfair) secure protocols for the oblivious transfer functionality. Shortly after that, in a sequence of exciting results, several optimal/near-optimal fair protocols were constructed for diverse two-party and multi-party functionalities [3, 4, 5, 6, 13, 14, 23, 58, 59, 64, 86]. However, each of these protocols assumes the existence of secure protocols for oblivious transfer as well.

In theoretical cryptography, a primary guiding principle of research is to realize a cryptographic primitive securely using the minimal computational hardness assumption. Consequently, the following fundamental question arises naturally.

$$\begin{aligned} \begin{array}{c} \mathbf{Question{:}}\ \text {Is the existence of oblivious transfer}\\ \textit{necessary} \\ \text {for constructing optimal fair coin-tossing protocols?} \end{array} \end{aligned}$$

For example, the results of Impagliazzo and Luby [74] and Cleve and Impagliazzo [25] prove that the existence of one-way functions is necessary for optimal fair coin-tossing, a significantly weaker hardness of computation assumption than the existence of secure oblivious transfer protocols. However, it is unclear whether one-way functions can help realize optimal fair coin-tossing or not. For instance, historically, for a long time, one-way functions were not known to imply several fundamental primitives like pseudorandom generators [66, 67, 73], pseudorandom functions [54, 55], pseudorandom permutations [81], statistically binding commitment [90], statistically hiding commitment [63, 92], zero-knowledge proofs [57], and digital signatures [93, 97]; eventually, however, secure constructions were discovered. On the other hand, cryptographic primitives like collision-resistant hash functions, key-agreement schemes, public-key encryption, trapdoor primitives, and oblivious transfer protocols do not have constructions based on the existence of one-way functions. Therefore, is it just that we have not yet been able to construct optimal fair coin-tossing protocols securely from one-way functions, or are there inherent barriers to such constructions?

$$\begin{aligned} \begin{array}{c} \text {Does optimal fair coin-tossing belong to}\\ \textit{Minicrypt} \text { or } \textit{Cryptomania}~[72]? \end{array} \end{aligned}$$

Impagliazzo  [72] introduced five possible worlds and their implications for computer science. In Minicrypt, one-way functions exist; however, public-key cryptography is impossible. In Cryptomania, complex public-key cryptographic primitives like key-agreement and oblivious transfer are feasible.

Among several possible approaches, a prominent technique to address the question above is to study it via the lens of black-box separations, as introduced by Impagliazzo and Rudich [75]. Suppose one “black-box separates the cryptographic primitive Q from another cryptographic primitive P”. Then, one interprets this result as indicating that the primitive P is unlikely to facilitate the secure construction of Q using black-box constructions. Consequently, to reinforce the necessity of the existence of oblivious transfer protocols for optimal fair coin-tossing, one needs to provide black-box separation of optimal fair coin-tossing protocols from computational hardness assumptions that are weaker than the existence of oblivious transfer protocols; for example, the existence of one-way functions [74, 75].

Our Results. In this work, we prove the (fully) black-box separation [96] of optimal two-party fair coin-tossing protocol from the existence of one-way functions. In particular, we show that any r-message two-party coin-tossing protocol in the random oracle model, where parties have unbounded computational power, is \(1/\sqrt{r}\)-insecure. In turn, this result settles in the positive the longstanding open problem of determining whether the coin-tossing protocol of Blum [16] and Cleve [24] achieves the highest security while using one-way functions in a black-box manner.

Our proof relies on a potential-based argument that proceeds by identifying a global invariant (see Claim 4.3) across coin-tossing protocols in the random oracle model to guide the design of good fail-stop adversarial attacks. As a significant departure from previous approaches [29, 30], our analysis handles the entire sequence of curious random oracle query-answer pairs as a single instance of information exposure.

1.1 Our Contributions

Before we proceed to present a high-level informal summary of our results, we need a minimalist definition of two-party coin-tossing protocols in the random oracle model that are secure against fail-stop adversaries. An \((r,n,X_0)\)-coin-tossing protocol is a two-party interactive protocol with final output \(\in {\{0,1\}} \), and parties have oracle access to a random oracle such that the following conditions are satisfied.

  1. Alice and Bob exchange a total of r messages (of arbitrary length) during the protocol.

  2. The oracle query complexity of both Alice and Bob is (at most) n in every execution of the protocol.

  3. At the end of the protocol, parties always agree on the output \(\in {\{0,1\}} \). Furthermore, the expectation of the output over all possible protocol executions is \(X_0\in [0,1]\).

  4. We consider only fail-stop adversarial strategies. If one party aborts during the protocol execution, then the honest party outputs a defense coin \(\in {\{0,1\}} \) based on her view without making additional queries to the random oracle. Such protocols are called instant protocols, and one may assume any coin-tossing protocol to be instant without loss of generality [29].

We emphasize that there are additional subtleties in defining coin-tossing protocols in the random oracle model, and Sect. 2.3 addresses them. In this section, we rely on a minimalist definition that suffices to introduce our results. Our main technical result is the following consequence for any \((r,n,X_0)\)-coin-tossing protocol.

Informal Theorem 1

(Main Technical Result). There exists a universal constant \(c>0\) and a polynomial \(p(\cdot )\) such that the following holds. Let \(\pi \) be any \((r,n,X_0)\)-coin-tossing protocol in the information-theoretic random oracle model, where \(r,n\in \mathbb {N}\), and \(X_0\in (0,1)\). Then, there exists a fail-stop adversarial strategy for one of the parties that alters the expected output of the honest party by \(\ge c\cdot X_0(1-X_0) / \sqrt{r}\) and performs at most \(p(nr/X_0(1-X_0))\) additional queries to the random oracle.

We remark that \(X_0\) may be a function of r and n itself. For example, the expected output \(X_0\) may be an inverse polynomial of r.

This technical result directly yields the following (fully) black-box separation result using techniques in [75, 96].

Corollary 1

(Black-box Separation from One-way Functions). There exists a universal constant \(c>0\) such that the following holds. Let \(\pi \) be any r-message two-party protocol that uses any one-way function in a fully black-box manner. Suppose, at the end of the execution of \(\pi \), both parties agree on their output \(\in {\{0,1\}} \). Before the beginning of the protocol, let the expectation of their common output be \(X_0\in (0,1)\). Then, there is a fail-stop adversarial strategy for one of the parties to alter the honest party’s expected output by \(\ge c\cdot X_0(1-X_0) / \sqrt{r}\).

That is, optimal fair coin-tossing lies in Cryptomania. All our hardness of computation results extend to the multi-party fair computation of arbitrary functionalities where parties have private inputs, provided that the output of the functionality has entropy and honest parties are not in the majority.

We emphasize that the black-box separation extends to any primitive (and their exponentially-hard versions) that one can construct in a black-box manner from random oracles or ideal ciphers, which turn out to be closely related to random oracles [28, 70]. Furthermore, the impossibility result in the random oracle model implies black-box separations from other (more structured) cryptographic primitives (and their exponentially-hard versions) like regular one-way functions, one-way permutations, and collision-resistant hash functions as well. Although these primitives cannot be constructed from random oracles/ideal ciphers in a black-box manner, using by-now well-established techniques in this field (see, for example, [75]), the main technical result suffices to prove the separations from these structured primitives.

This black-box separation from one-way functions indicates that the two-party coin-tossing protocol of Blum [16] and Cleve [24], which uses one-way functions in a black-box manner and builds on the protocols of [7, 21], achieves the best possible security for any r-message protocol. Their protocol is \(1/\sqrt{r}\)-insecure, and any r-message protocol cannot have asymptotically better security by only using one-way functions in a black-box manner, thus resolving this fundamental question after over three decades.

1.2 Prior Related Works and Comparison

There is a vast literature on defining and constructing fair protocols for two-party and multi-party functionalities [2, 3, 4, 5, 6, 13, 14, 23, 58, 59, 64, 86]. In this paper, our emphasis is on the intersection of this literature with black-box separation results. The field of meta-reductions [1, 8, 10, 15, 19, 20, 22, 27, 31, 34, 38, 39, 41, 42, 43, 50, 65, 68, 89, 94, 95, 101, 105], which demonstrates similar hardness of computation results from computational hardness assumptions like falsifiable assumptions [91], is outside the scope of this work.

In a seminal result, Impagliazzo and Rudich [75] introduced the notion of black-box separation for cryptographic primitives. After that, there have been other works [9, 96] undertaking the nuanced task of precisely defining black-box separation and its subtle variations. Intuitively, separating a primitive Q from a primitive P indicates that attempts to securely realize Q solely through the black-box use of P are unlikely to succeed. Reingold, Trevisan, and Vadhan [96] highlighted the subtleties involved in defining black-box separations by delineating several variants of separations. In their terminology, this work pertains to a fully black-box separation, where the construction uses P in a black-box manner, and the security reduction uses the adversary in a black-box manner as well. Since the inception of black-box separations in 1989, this research direction has been a fertile ground for highly influential research [12, 17, 18, 29, 30, 32, 36, 37, 40, 44, 45, 46, 47, 48, 49, 51, 52, 53, 62, 69, 71, 75, 77, 80, 82, 83, 85, 87, 98, 99, 102, 103]. Among these results, in this paper, we elaborate on the hardness of computation results about fair computation protocols.

A recent work of Haitner, Nissim, Omri, Shaltiel, and Silbak [61] introduces the notion of the “computational essence of key-agreement”. Haitner, Makriyannis, and Omri [60], for any constant r, prove that r-message coin-tossing protocols imply key-agreement protocols if they are less than \(1/\sqrt{r}\)-insecure. Observe that proving the implication that a key-agreement protocol exists is a significantly stronger result as compared to demonstrating a black-box separation from key-agreement. However, their contribution is incomparable to our result because it shows a stronger consequence only for constant r.

Among the related works in black-box separation, the most relevant to our problem are the following. Haitner, Omri, and Zarosim [62], for input-less functionalities, lift the hardness of computation results in the information-theoretic plain model against semi-honest adversaries to the random oracle model, i.e., random oracles are useless. However, coin-tossing is trivial to realize securely against semi-honest adversaries, and fail-stop adversarial strategies are not semi-honest. Dachman-Soled, Lindell, Mahmoody, and Malkin [29] proved that the random oracle could be “compiled away” if the coin-tossing protocol has messages. Therefore, the fail-stop adversarial strategy of Cleve and Impagliazzo [25] in the information-theoretic plain model also succeeds against such two-party coin-tossing protocols in the random oracle model. Finally, Dachman-Soled, Mahmoody, and Malkin [30] show a fail-stop adversarial strategy against a particular class of fair coin-tossing protocols, namely, function oblivious protocols. An exciting feature of this work is that the attack performed by the adversarial party does not proceed by compiling away the random oracle. Similar proof techniques were independently introduced by [82, 83] to study the computational complexity of two-party secure deterministic function evaluations.

Recently, there have been two works providing improvements to the fail-stop adversarial attacks of Cleve and Impagliazzo [25] in the information-theoretic plain model. These results proceed by induction on r and employ a potential argument to lower-bound the performance of the most devastating fail-stop adversarial strategy against a coin-tossing protocol. Khorasgani, Maji, and Mukherjee [78] generalize (and improve) the fail-stop attack of Cleve and Impagliazzo [25] to arbitrary \(X_0\in (0,1)\), even when \(X_0\) depends on r and tends to 0 or 1. Khorasgani, Maji, and Wang [79] decouple the number of messages r in a coin-tossing protocol and the number of defense updates d that the two parties perform. They show that a two-party coin-tossing protocol in the information-theoretic plain model is \(1/\sqrt{d}\)-insecure, independent of the number of messages r in the protocol.

This result [79] is a good starting point for our work because our curious fail-stop attacker shall perform additional queries to the random oracle; however, the parties do not update their defense coins during this information exposure. Unfortunately, their approach only applies to interactive protocols in the information-theoretic plain model. Our work identifies a global invariant for communication protocols that enables the extension of the approach of [79] to the random oracle model. Furthermore, we simplify the proof of their result as well.

2 Preliminaries

We use uppercase letters for random variables, (corresponding) lowercase letters for their values, and calligraphic letters for sets. For a joint distribution (A, B), A and B represent the marginal distributions, and \(A\times B\) represents the product distribution where one samples from the marginal distributions A and B independently. For a random variable A distributed over \(\varOmega \), the support of A, denoted by , is the set For two random variables A and B distributed over a (discrete) sample space \(\varOmega \), their statistical distance is defined as

For a sequence \((X_1,X_2,\ldots )\), we use \(X_{\le i}\) to denote the joint distribution \((X_1,X_2,\ldots ,X_i)\). Similarly, for any \((x_1,x_2,\dotsc )\in \varOmega _1\times \varOmega _2\times \cdots \), we define \(x_{{\le i}}\,{:}{=} (x_1,x_2,\dotsc ,x_i)\in \varOmega _1\times \varOmega _2\times \cdots \times \varOmega _i\). Let \((M_1,M_2,\ldots ,M_r)\) be a joint distribution over sample space \(\varOmega _1\times \varOmega _2\times \cdots \times \varOmega _r\), such that for any \(i\in \{1,2,\ldots ,n\}\), \(M_i\) is a random variable over \(\varOmega _i\). A (real-valued) random variable \(X_i\) is said to be \(M_{\le i}\) measurable if there exists a deterministic function \(f:\varOmega _1\times \cdots \times \varOmega _i\rightarrow {\mathbb {R}} \) such that \(X_i=f(M_1,\ldots ,M_i)\). A random variable \(\tau :\varOmega _1\times \cdots \times \varOmega _r\rightarrow \{1,2,\ldots ,r\}\) is called a stopping time, if the random variable \(\mathbbm {1}_{\tau \le i}\) is \(M_{\le i}\) measurable, where \(\mathbbm {1}\) is the indicator function. For a more formal treatment of probability spaces, \(\sigma \)-algebras, filtrations, and martingales, refer to, for example, [100].

The following inequality shall be helpful for our proof.

Theorem 2

(Jensen’s inequality). If f is a multivariate convex function, then , for all probability distributions X over the domain of f.

2.1 Two-Party Interactive Protocols in the Random Oracle Model

Alice and Bob speak in alternate rounds. We denote the \(i^{th}\) message by \(M_i\). For every message \(M_i\), we denote Alice’s private view immediately after sending/receiving message \(M_i\) as \(V^\mathsf {A}_i\), which consists of Alice’s random tape \(R^\mathsf {A}\), her private queries, and the first i messages exchanged. We use \(V^\mathsf {A}_0\) to represent Alice’s private view before the protocol begins. Similarly, we define Bob’s private view \(V^\mathsf {B}_i\) and use \(R^\mathsf {B}\) to denote his private random tape.

Query Operator \({\mathcal {Q}} \). For any view V, we use \({\mathcal {Q}} (V)\) to denote the set of all queries contained in the view V.

2.2 Heavy Querier and the Augmented Protocol

For two-party protocols in the random oracle model, [12, 75] introduced a standard algorithm, namely, the heavy querier. In this paper, we shall use the following imported theorem.

Imported Theorem 3

(Guarantees of Heavy Querier [12, 83]). Let \(\pi \) be any two-party protocol between Alice and Bob in the random oracle model, in which both parties ask at most n queries. For every threshold \(\epsilon \in (0,1)\), there exists a public algorithm, called the heavy querier, which has access to the transcript between Alice and Bob. After receiving each message \(M_i\), the heavy querier performs a sequence of queries and obtains the corresponding answers from the random oracle. Let \(H_i\) denote the sequence of query-answer pairs asked by the heavy querier after receiving message \(M_i\). Let \(T_i\) be the union of the \(i^{th}\) message \(M_i\) and the \(i^{th}\) heavy querier message \(H_i\). The heavy querier guarantees that the following conditions are simultaneously satisfied.

  • \(\epsilon \) -Lightness. For any i, any , and query \(q\notin {\mathcal {Q}} \left( h_{\le i}\right) \),

  • \(n\epsilon \) -Dependence. Fix any i,

    Intuitively, it states that on average, the statistical distance between (1) the joint distribution of Alice’s and Bob’s private view, and (2) the product of the marginal distributions of Alice’s private views and Bob’s private views is small.

  • -Efficiency. The expected number of queries asked by the heavy querier is bounded by . Consequently, it has query complexity with probability (at least) \((1-\epsilon )\) by an averaging argument.

We refer to the protocol with the heavy querier’s messages attached as the augmented protocol. We call \(T_i\) the augmented message.

2.3 Coin-Tossing Protocol

We will prove our main result by induction on the message complexity of the protocol. Therefore, after any partial transcript \(t_{\le i}\), we will treat the remainder of the original protocol, starting from the \((i+1)^{th}\) message, as a protocol of its own. Hence, it is helpful to define the coin-tossing protocol where, before the beginning of the protocol, Alice’s and Bob’s private views are already correlated with the random oracle. However, note that, in the augmented protocol, after each augmented message \(t_i\), the heavy querier has just ended. Thus, these correlations will satisfy Imported Theorem 3. Therefore, we need to define a general class of coin-tossing protocols in the random oracle model over which we shall perform our induction.

Definition 1

(\((\epsilon ,\varvec{\alpha },r,n,X_0)\)-Coin-Tossing). An interactive protocol \(\pi \) between Alice and Bob with random oracle \(O:{\{0,1\}} ^\lambda \rightarrow {\{0,1\}} ^\lambda \) is called an \((\epsilon ,\varvec{\alpha },r,n,X_0)\)-coin-tossing protocol if it satisfies the following.

  • Setup. There is an arbitrary set \({\mathcal {S}} \subseteq {\{0,1\}} ^\lambda \), which is publicly known, such that for all queries \(s\in {\mathcal {S}} \), the query answers O(s) are also publicly known. Let \(\varOmega ^\mathsf {A}\), \(\varOmega ^\mathsf {B}\), and \(\varOmega ^\mathsf {O}\) be the universes of Alice’s random tape, Bob’s random tape, and the random oracle, respectively. There are also publicly known sets \({\mathcal {A}} \subseteq \varOmega ^\mathsf {A}\times \varOmega ^\mathsf {O}\) and \({\mathcal {B}} \subseteq \varOmega ^\mathsf {B}\times \varOmega ^\mathsf {O}\). The random variables \(R^\mathsf {A}\), \(R^\mathsf {B}\), and O are sampled uniformly conditioned on (1) \((R^\mathsf {A},O)\in {\mathcal {A}} \), (2) \((R^\mathsf {B},O)\in {\mathcal {B}} \), and (3) O being consistent with the publicly known answers at \({\mathcal {S}} \). Alice’s private view before the beginning of the protocol is a deterministic function of \(R^\mathsf {A}\) and O, which might contain private queries. Likewise, Bob’s private view is a deterministic function of \(R^\mathsf {B}\) and O.

  • Agreement. At the end of the protocol, both parties always agree on the output \(\in {\{0,1\}} \). Without loss of generality, we assume the output is concatenated to the last message in the protocol.

  • Defense preparation. At message \(M_i\), if Alice is supposed to speak, in addition to preparing the next message \(M_i\), she also prepares a defense coin for herself. If Bob decides to abort the next message, she shall not make any additional queries to the random oracle, and simply outputs the defense she has just prepared. [29, 30] introduced this constraint as the “instant construction.” They showed that, without loss of generality, one can assume this property for all the defense preparations except for the first defense (see Remark 2). We shall refer to this defense both as Alice’s \(i^{th}\) defense and also as her \((i+1)^{th}\) defense. Consequently, Alice’s defense for every i is well-defined. Bob’s defense is defined similarly. We assume the party who receives the first message has already prepared her defense for the first message before the protocol begins.

  • \(\epsilon \) -Lightness at Start. For any query \(q\notin {\mathcal {S}} \), the probability that Alice has asked query q before the protocol begins is upper bounded by \(\epsilon \in [0,1]\). Similarly, the probability that Bob has asked query q is at most \(\epsilon \).

  • \(\varvec{\alpha }\) -Dependence. For all \(i\in \{0,1,\ldots ,r\}\), Alice’s and Bob’s private views are \(\alpha _i\)-dependent on average immediately after the message \(T_i\). That is, the following condition is satisfied for every i.

  • r -Message complexity. The number of messages of this protocol is . We emphasize that the length of the message could be arbitrarily long.

  • n -Query complexity. For all possible complete executions of the protocol, the number of queries that Alice asks (including the queries asked before the protocol begins) is at most . This also includes the queries that are asked for the preparation of the defense coins. Likewise, Bob asks at most n queries as well.

  • \(X_0\) -Expected Output. The expectation of the output is \(X_0\in (0,1)\).

Remark 1

Let us justify the necessity of \(\varvec{\alpha }\)-dependence in the definition. We note that when the heavy querier stops, Alice’s and Bob’s views are not necessarily close to the product of their respective marginal distributions. However, to prove any meaningful bound on the susceptibility of this protocol, we have to treat \(\varvec{\alpha }\) as an additional error term. Therefore, we introduce this parameter in our definition. However, the introduction of this error shall not be a concern globally, because the heavy querier guarantees that over all possible executions this dependence is at most \(n\epsilon \) (on average), which we shall ensure to be sufficiently small.

Remark 2

We note that, after every heavy querier message, the remaining sub-protocol always satisfies the definition above. However, the original coin-tossing protocol might not meet these constraints. For example, consider a one-message protocol where Alice queries \(O(0^\lambda )\), and sends the parity of this string to Bob as the output. On the other hand, Bob also queries \(O(0^\lambda )\) and uses the parity of this string as his defense. This protocol is perfectly secure in the sense that no party can deviate the output of the protocol at all. However, the query \(0^\lambda \) is 1-heavy in Bob’s private view even before the protocol begins. Prior works [29, 30] rule out such protocols by banning Bob from making any queries when he prepares his first defense. In this paper, we consider protocols such that no query is more than \(\epsilon \)-heavy when Bob prepares his first defense. We call this the \(\epsilon \)-lightness at start assumption. The set of protocols that prior works consider is identical to the set of protocols that satisfy the 0-lightness at start assumption.

To justify our \(\epsilon \)-lightness at start assumption, we observe that one can always run a heavy querier with a threshold \(\epsilon \) before the beginning of the protocol as a pre-processing step. Note that this step fixes only a small part (of size ) of the random oracle, and, hence, the random oracle continues to be an “idealized” one-way function. If this protocol is a black-box construction of a coin-tossing protocol from any one-way function, the choice of the one-way function should not change its expected output. Therefore, running a heavy querier before the beginning of the protocol should not alter the expected output of the protocol. After this compilation step, all queries are \(\epsilon \)-light in Bob’s view before the protocol begins. Consequently, our inductive proof technique is applicable.

Remark 3

Let us use an example to further illustrate how we number Alice’s and Bob’s defense coins. Suppose Alice sends the first message in the protocol. Bob shall prepare his first defense coin even before the protocol begins. Alice, during her preparation of the first message, shall also prepare a defense coin as her first defense.

The second message in the protocol is sent by Bob. Since Alice is not speaking during this message preparation, her second defense coin remains identical to her first defense coin. Bob, on the other hand, shall prepare a new defense coin as his second defense during his preparation of the second message.

For the third message, Alice shall prepare a new third defense coin and Bob’s third defense coin is identical to his second defense coin. This process continues for r messages during the protocol execution.

Notation. Let \(X_i\) represent the expected output conditioned on the first i augmented messages, i.e., the random variable \(T_{\le i}\). Let \(D^\mathsf {A}_i\) be the expectation of Alice’s \(i^{th}\) defense coin conditioned on the first i augmented messages. Similarly, let \(D^\mathsf {B}_i\) be the expectation of Bob’s \(i^{th}\) defense coin conditioned on the first i augmented messages. (Refer to Definition 1 for the definition of \(i^{th}\) defense. Recall that, for both Alice and Bob, the \(i^{th}\) defense is defined for all \(i\in \{1,2,\ldots ,r\}\).) Note that random variables \(X_i,D^\mathsf {A}_i,\) and \(D^\mathsf {B}_i\) are all \(T_{\le i}\)-measurable.

3 Our Results

Given an \((\epsilon ,\varvec{\alpha },r,n,X_0)\)-coin-tossing protocol \(\pi \) and a stopping time \(\tau \), we define the following score function that captures the susceptibility of this protocol with respect to this particular stopping time.

Definition 2

Let \(\pi \) be an \((\epsilon ,\varvec{\alpha },r,n,X_0)\)-coin tossing protocol. Let \(\mathsf {P}\in \{\mathsf {A},\mathsf {B}\}\) be the party who sends the last message of the protocol. For any stopping time \(\tau \), define

We clarify that the binary operator \(\vee \) in the expression above represents the boolean OR operation, and not the “join” operator.

To provide additional perspectives to this definition, we make the following remarks similar to [79].

  1. Suppose Alice is about to send \((m_i^*,h_i^*)\) as the \(i^{th}\) message. In the information-theoretic plain model, prior works [25, 78] consider the gap between the expected output before and after this message. Intuitively, since Alice is sending this message, she could utilize this gap to attack Bob, because Bob’s defense cannot keep abreast of this new information. However, in the random oracle model, both parties are potentially vulnerable to this gap. This is due to the fact that the heavy querier message might also reveal information about Bob. For instance, it might reveal Bob’s commitments sent in previous messages using the random oracle as an idealized one-way function. Then, Alice’s defense cannot keep abreast of this new information either, and thus Alice is potentially vulnerable.

  2. Due to the reasons above, for every message, we consider the potential deviations that both parties can cause by aborting appropriately. Suppose we are at transcript \(T_{\le i}=t_{\le i}^*\), which belongs to the stopping time, i.e., \(\tau =i\), and Alice sends the last message \((m_i^*,h_i^*)\). Naturally, Alice can abort without sending this message to Bob when she finds out her \(i^{th}\) message is \((m_i^*,h_i^*)\). This attack causes a deviation of . On the other hand, Bob can also attack by aborting when he receives Alice’s message \((m_i^*,h_i^*)\). This attack ensures a deviation of . Note that, since Alice is not supposed to speak in the \((i+1)^{th}\) message, her \((i+1)^{th}\) defense is exactly her \(i^{th}\) defense. Hence this deviation can also be written as .

  3. The above argument has a boundary case, which is the last message of the protocol. Suppose Alice sends the last message. Then, Bob, who receives this message, cannot abort anymore because the protocol has ended. Therefore, if our stopping time \(\tau =n\), the score function must exclude . This explains why we have the indicator function \(\mathbbm {1}\) in our score function.

  4. Lastly, we illustrate how one can translate this score function into a fail-stop attack strategy. Suppose we find a stopping time \(\tau ^*\) that witnesses a large score \(\mathsf {Score}(\pi ,\tau ^*)\). For Alice, we partition the stopping time into two parts depending on whether \(X_\tau \ge D^\mathsf {B}_\tau \) or not. Similarly, for Bob, we partition the stopping time into two parts depending on whether \(X_\tau \ge D^\mathsf {A}_\tau \). These four attack strategies correspond to Alice or Bob deviating towards 0 or 1. The summation of the deviations caused by these four attacks is exactly \(\mathsf {Score}(\pi ,\tau ^*)\). Hence, there must exist a fail-stop attack strategy for one of the parties that changes the honest party’s output distribution by \(\ge \frac{1}{4}\cdot \mathsf {Score}(\pi ,\tau ^*)\).

Given the definition of our score function, we are interested in finding the stopping time that witnesses the largest score. This motivates the following definition.

Definition 3

For any \((\epsilon ,\varvec{\alpha },r,n,X_0)\)-coin-tossing protocol \(\pi \), define

$$\mathsf {Opt}(\pi )\,{:}{=} \max _\tau \;\mathsf {Score}(\pi ,\tau ).$$

Intuitively, \(\mathsf {Opt}(\pi )\) represents the susceptibility of the protocol \(\pi \). Our main theorem states the following lower bound on this quantity.

Theorem 4

(Main Technical Result in the Random Oracle Model). For any \((\epsilon ,\varvec{\alpha },r,n,X_0)\)-coin-tossing protocol \(\pi \), the following holds.

$$\mathsf {Opt}(\pi )\ge \varGamma _r\cdot X_0\left( 1-X_0\right) - \left( nr\cdot \epsilon + \alpha _0 + 2\sum _{i=1}^{r}\alpha _i \right) ,$$

where \(\varGamma _r\,{:}{=} \sqrt{\frac{\sqrt{2}-1}{r}}\), for all positive integers r. Furthermore, one needs to make an additional queries to the random oracle (in expectation) to identify a stopping time \(\tau \) witnessing this lower bound.

We defer the proof to Sect. 4. In light of the remarks above, this theorem implies the following corollary.

Corollary 2

Let \(\pi \) be a coin-tossing protocol in the random oracle model that satisfies the \(\epsilon \)-lightness at start assumption (see Remark 2). Suppose \(\pi \) is an r-message protocol, and Alice and Bob ask at most n queries. The expected output of \(\pi \) is \(X_0\). Then, either Alice or Bob has a fail-stop attack strategy that deviates the honest party’s output distribution by

$$\varOmega \left( \frac{X_0\left( 1-X_0\right) }{\sqrt{r}}\right) .$$

This attack strategy performs additional queries to the random oracle in expectation.

This corollary is obtained by substituting \(\epsilon =\frac{X_0\left( 1-X_0\right) }{nr^2}\) in Theorem 4. Imported Theorem 3 guarantees that, for all i, the average dependencies after the \(i^{th}\) message are bounded by \(n\epsilon \). Hence, the error term is .

The efficiency of the heavy querier is guaranteed by Imported Theorem 3. One can transform the average-case efficiency into worst-case efficiency by forcing the heavy querier to stop when it asks more than \(\frac{n^2 r^3}{\left( X_0\left( 1-X_0\right) \right) ^2}\) queries. By Markov’s inequality, this happens with probability at most , and thus the quality of this attack is essentially identical to that of the average-case attack.

4 Proof of Theorem 4

In this section, we prove Theorem 4 using induction on the message complexity r. We first provide some useful lemmas in Sect. 4.1. Next, we prove the base case in Sect. 4.2. Finally, Sect. 4.3 proves the inductive step.

Throughout this section, without loss of generality, we shall assume that Alice sends the first message in the protocol.

4.1 Useful Imported Technical Lemmas

Firstly, it is implicit in [12] that if (1) Alice’s and Bob’s private view before the protocol begins are \(\alpha _0\)-dependent, (2) all the queries are \(\epsilon \)-light for Bob, and (3) Alice asks at most n queries to prepare her first message, then after the first message, Alice’s and Bob’s private view are \((\alpha _0+n\epsilon )\)-dependent.

Lemma 1

(Technical Lemma  [12]). We have

$$\mathsf {SD} \left( {\left( V^\mathsf {A}_1,V^\mathsf {B}_0\right) },{\left( V^\mathsf {A}_1\times V^\mathsf {B}_0\right) }\right) \le \alpha _0+n\epsilon .$$

Additionally, the following inequality from  [79] shall be useful for our proof.

Lemma 2

(Imported Technical Lemma, Lemma 1 in  [79]). For all \(P\in [0,1]\) and \(Q\in [0,1/2]\), if P and Q satisfy

$$P-Q-P^2Q\ge 0,$$

then for all \(x,\alpha ,\beta \in [0,1]\), we have

In particular, for all \(r\ge 1\), the constraints are satisfied if we set \(P=\varGamma _r\) and \(Q=\varGamma _{r+1}\), where \(\varGamma _r\,{:}{=} \sqrt{\frac{\sqrt{2}-1}{r}}.\)
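The choice \(P=\varGamma _r\), \(Q=\varGamma _{r+1}\) can be checked directly; this verification is added here and is not part of the original paper. Since \(P^2=\frac{\sqrt{2}-1}{r}\) and \(Q=P\sqrt{\frac{r}{r+1}}\),

$$\begin{aligned} P-Q-P^2Q &= \varGamma _r\left( 1-\sqrt{\tfrac{r}{r+1}}\left( 1+\tfrac{\sqrt{2}-1}{r}\right) \right) = \varGamma _r\left( 1-\frac{r+\sqrt{2}-1}{\sqrt{r(r+1)}}\right) , \end{aligned}$$

which is non-negative exactly when \((r+\sqrt{2}-1)^2\le r(r+1)\). Expanding,

$$\begin{aligned} (r+\sqrt{2}-1)^2-r(r+1) &= (2\sqrt{2}-3)\,r+(3-2\sqrt{2}) = (3-2\sqrt{2})(1-r)\le 0 \quad \text {for all } r\ge 1, \end{aligned}$$

with equality at \(r=1\). The range constraints also hold: \(P\le \varGamma _1=\sqrt{\sqrt{2}-1}<1\) and \(Q\le \varGamma _2=\sqrt{\frac{\sqrt{2}-1}{2}}<\frac{1}{2}\), because \(\varGamma _r\) is decreasing in r.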

4.2 Base Case of the Induction: Message Complexity \(r=1\)

Let \(\pi \) be an \((\epsilon ,\varvec{\alpha },r,n,X_0)\)-coin-tossing protocol with \(r=1\). In this protocol, Alice sends the only message \(M_1\). We pick the stopping time \(\tau \) to be 1. Note that this is the last message of the protocol, and hence Bob, who receives it, cannot abort any more. Therefore, our score function is the following

Let , which is the expectation of Bob’s first defense before the protocol begins. Recall that in the augmented protocol \(T_1=(M_1,H_1)\), and that \(X_1\) and \(D_1^\mathsf {B}\) are \(T_1\)-measurable. We have

In the above inequality, (i) and (ii) follow from the triangle inequality. Since we assume the output is concatenated to the last message of the protocol, . By the definition of \(X_0\), the probability of the output being 1 is \(X_0\). Hence we have (iv).

To see (iii), note that

Hence,

Therefore,

This completes the proof for the base case.

4.3 Inductive Step

Suppose the theorem holds for \(r=r_0-1\); we prove it for \(r=r_0\). Let \(\pi \) be an arbitrary \((\epsilon ,\varvec{\alpha },r_0,n, X_0)\)-coin-tossing protocol. Assume the first augmented message is \((M_1,H_1)=(m_1^*,h_1^*)\), and, conditioned on that, \(X_1=x_1^*\), \(D_1^\mathsf {A}=d_1^{\mathsf {A},*}\), and \(D_1^\mathsf {B}=d_1^{\mathsf {B},*}\). Moreover, the remaining sub-protocol \(\pi ^*\) is an \((\epsilon ,\varvec{\alpha }^*,r_0-1,n,x_1^*)\)-coin-tossing protocol. By our induction hypothesis,

$$\mathsf {Opt}\left( \pi ^*\right) \ge \varGamma _{r_0-1}\cdot x_1^*\left( 1-x_1^*\right) -\left( n(r_0-1)\epsilon +\alpha _0^*+\sum _{i=1}^{r_0-1}\alpha _i^*\right) .$$

(For simplicity, we shall use \(\mathsf {Err}\left( {\varvec{\alpha },n,r}\right) \) to represent \(\alpha _0+\sum _{i=1}^r\alpha _i+nr\epsilon \) in the rest of the proof.) That is, there exists a stopping time \(\tau ^*\) for sub-protocol \(\pi ^*\), whose score is lower bounded by the quantity above. On the other hand, we may choose not to continue by picking this message \((M_1,H_1)=(m_1^*,h_1^*)\) as our stopping time. This would yield a score of

Hence, the optimal stopping time would decide on whether to abort now or defer the attack to sub-protocol \(\pi ^*\) by comparing which one of those two quantities is larger. This would yield a score of

where inequality (i) is because of Lemma 2. Now that we have a lower bound on how much score we can yield at every first augmented message, we are interested in how much they sum up to.

Without loss of generality, assume there are in total \(\ell \) possible first augmented messages, namely \(t_1^{(1)},t_1^{(2)},\ldots ,t_1^{(\ell )}\). The probability of the first message being \(t_1^{(i)}\) is \(p^{(i)}\), and, conditioned on that, \(X_1=x_1^{(i)}\), \(D_1^\mathsf {A}=d_1^{\mathsf {A},{(i)}}\), and \(D_1^\mathsf {B}=d_1^{\mathsf {B},{(i)}}\). Moreover, the remaining \((r_0-1)\)-message sub-protocol has dependence vector \(\varvec{\alpha }^{(i)}\). Therefore, we are interested in

$$\sum _{i=1}^\ell p^{(i)}\left( \varGamma _{r_0}\left( x_1^{(i)}\left( 1-x_1^{(i)}\right) +\left( x_1^{(i)}-d_1^{\mathsf {A},{(i)}}\right) ^2+\left( x_1^{(i)}-d_1^{\mathsf {B},{(i)}}\right) ^2\right) -\mathsf {Err}\left( {\varvec{\alpha }^{(i)},n,r_0-1}\right) \right) $$

Define the tri-variate function \(\varPhi \) as

$$\varPhi (x,y,z)\,{:}{=}\, x(1-x)+(x-y)^2+(x-z)^2.$$

We make the crucial observation that this function can also be rewritten as

$$\varPhi (x,y,z) = x+(x-y-z)^2-2yz.$$
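Expanding both sides confirms this identity; the expansion is added here for the reader and is not part of the original paper.

$$\begin{aligned} x(1-x)+(x-y)^2+(x-z)^2 &= x-x^2+\left( x^2-2xy+y^2\right) +\left( x^2-2xz+z^2\right) \\ &= x+x^2+y^2+z^2-2xy-2xz,\\ x+(x-y-z)^2-2yz &= x+\left( x^2+y^2+z^2-2xy-2xz+2yz\right) -2yz\\ &= x+x^2+y^2+z^2-2xy-2xz. \end{aligned}$$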

Therefore, we can rewrite the above quantity as

$$\sum _{i=1}^\ell p^{(i)}\left( \varGamma _{r_0}\left( x_1^{(i)}+\left( x_1^{(i)}-d_1^{\mathsf {A},{(i)}}-d_1^{\mathsf {B},{(i)}}\right) ^2-2\cdot d_1^{\mathsf {A},{(i)}}\cdot d_1^{\mathsf {B},{(i)}}\right) -\mathsf {Err}\left( {\varvec{\alpha }^{(i)},n,r_0-1}\right) \right) $$

We observe the following case analysis for the three expressions in the potential function above.

  1.

    For the x term, we observe that the expectation of \(x_1^{(i)}\) is \(X_0\), i.e., we have \(\sum _{i=1}^\ell p^{(i)}\cdot x_1^{(i)}=X_0\).

  2.

    For the \((x-y-z)^2\) term, we note that it is a convex tri-variate function. Hence, Jensen’s inequality is applicable.

  3.

    For the \(y\cdot z\) term, we have the following claim.

Claim 4.3 (Global Invariant)

Proof

To see this, consider the expectation of the product of Alice’s and Bob’s defenses when we sample from . This expectation is \((\alpha _0+n\epsilon )\)-close to because the joint distribution \(\left. \left( V^\mathsf {A}_1,V^\mathsf {B}_0\right) \right. \) is \((\alpha _0+n\epsilon )\)-close to the product of its marginal distributions by Lemma 1.

On the other hand, this expectation is identical to the average (over all possible messages) of the expectation of the product of Alice’s and Bob’s defenses when we sample from . Conditioned on the first message being \(t_1^{(i)}\), this expectation is \(\alpha _0^{(i)}\)-close to because has \(\alpha _0^{(i)}\)-dependence by definition.

Finally, we note that, by definition, \(\sum _{i=1}^\ell p^{(i)}\alpha _0^{(i)}=\alpha _1.\) Note that the indices of \(\alpha \) and \(\alpha ^{(i)}\) are shifted by 1. This is because the dependence after the first message of the original protocol is the average of the dependence before each sub-protocol begins.

This proves that \(\sum _{i=1}^\ell p^{(i)}\cdot d_1^{\mathsf {A},{(i)}}d_1^{\mathsf {B},{(i)}}\) and are \((\alpha _0+n\epsilon )+\alpha _1\) close.   \(\square \)

Given these observations, we can push the expectation inside each term, which implies that our score is lower bounded by

We note that by definition (again note that the indices of \(\alpha \) and \(\alpha ^{(i)}\) are shifted by 1),

$$(\alpha _0+\alpha _1+n\epsilon )+\sum _{i=1}^\ell p^{(i)}\cdot \mathsf {Err}\left( {\varvec{\alpha }^{(i)},n,r_0-1}\right) =\mathsf {Err}\left( {\varvec{\alpha },n,r_0}\right) .$$

Therefore, our score is at least

Switching back to the form of \(x(1-x)+(x-y)^2+(x-z)^2\), we get

This completes the proof of the inductive step and, hence, the proof of Theorem 4.