Constant-Round Simulation-Secure Coin Tossing Extension with Guaranteed Output

Abram, Damiano; Doerner, Jack; Ishai, Yuval; Narayanan, Varun

doi:10.1007/978-3-031-58740-5_5

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14655))

Included in the following conference series:

Annual International Conference on the Theory and Applications of Cryptographic Techniques

267 Accesses
1 Citations

Abstract

Common randomness is an essential resource in many applications. However, Cleve (STOC 86) rules out the possibility of tossing a fair coin from scratch in the presence of a dishonest majority. A second-best alternative is a Coin Tossing Extension (CTE) protocol, which uses an “online” oracle that produces a few common random bits to generate many common random-looking bits. We initiate the systematic study of fully-secure CTE, which guarantees output even in the presence of malicious behavior. A fully-secure two-party statistical CTE protocol with black-box simulation was implicit in Hofheinz et al. (Eurocrypt 06), but its round complexity is nearly linear in its output length. The problem of constant-round CTE with superlogarithmic stretch remained open.

We prove that statistical CTE with full black-box security and superlogarithmic stretch must have superconstant rounds. In the computational setting we prove that with $N\ge 2$ parties and polynomial stretch:

One round suffices for CTE under subexponential LWE, even with Universally Composable security against adaptive corruptions.
One-round CTE is implied by DDH or the hidden subgroup assumption in class groups, with a short, reusable Uniform Random String, and by DCR and QR, with a reusable Structured Reference String.
One-way functions imply CTE with O(N) rounds, and thus constant-round CTE for any constant number of parties.

Such results were not previously known even in the two-party setting with standalone, static security. We also extend one-round CTE to sample from any efficient distribution, via strong assumptions including IO.

Our one-round CTE protocols can be interpreted as explainable variants of classical randomness extractors, wherein a (short) seed and a source instance can be efficiently reverse-sampled given a random output. Such explainable extractors may be of independent interest.

The full version of this work is available via https://eprint.iacr.org/.

You have full access to this open access chapter, Download conference paper PDF

1 Introduction

Common randomness is a crucial resource in many applications, yet after 40 years of research, it remains difficult and sometimes even impossible to generate in many settings. The problem of flipping common coins was first posed and solved by Blum [12] in the two-party context, but his protocol did not ensure that both parties received an output in the case that one of them deviated from the protocol instructions. Shortly thereafter, Cleve [17] proved that this “fairness” problem is inherent and unconditional: any r-round coin-tossing protocol that is guaranteed to output a common bit must suffer an inverse-polynomial bias of $\varOmega (1/r)$ if a majority of the participants may be corrupted. In any round of interaction, corrupted parties may rush to see the messages of the honest parties before they transmit their own, and condition their responses (or choose not to respond) on the honest parties’ contributions.

Cleve’s bound has left a dichotomy in the plain model: in the face of a dishonest majority, either one must accept biased coins, or one must accept that the adversary can block the sampling of common coins entirely. Follow-up works have followed both pathways; for example, Buchbinder et al. [13] finally achieved guaranteed output with optimal bias for any constant number of parties, while Lindell [27] showed that polynomially-many coins can be tossed in constant rounds without guaranteed output, under the minimal assumption of one-way functions in the plain model. The impossibility of reliable unbiased coin tossing remains barrier to constructing a wide swath of essential primitives with guarantees against adversarial denial-of-service in the plain model, such as broadcast and consensus protocols, election protocols, lotteries, Common Random String (CRS) setup for cryptographic protocols, and many others.

The only means to evade Cleve’s bound is to assume the impossibility away. Suppose there exists an oracle that outputs a small number n of common random coins when invoked (n can be thought of as a security parameter). This oracle might be implemented, for example, by a natural process or by an expensive honest-majority protocol. From such an ideal object, a protocol to flip at least one unbiased coin is trivial. We call this oracle $\mathcal {F}_{\textsf{Coin}}^n $.

Even in settings where unbiased common coins can be found, it is prudent to assume that they are few or expensive to access. If an ideal n-coin oracle allows one to evade Cleve for the flipping of one coin, can it do so for $n+1$ coins, or more? In other words, can the oracle’s output serve as a seed? A multiparty protocol that uses an n-coin seed oracle to sample m apparently-uniform common coins for $m>n$ is known as a Coin Tossing Extension (CTE) protocol; if it invokes the seed oracle t times, we say that it has a stretch of $m-t\cdot n$. Bellare et al. [11] originally introduced the notion of CTE, motivated primarily by concrete efficiency and without any guarantee that output will be produced in the presence of malicious behavior. CTE protocols can be thought of as the distributed analogue of classical randomness extractors, and like classical extractors they require that the uniform seed be independent of the entropy source. This can be ensured by revealing the seed at the end of the protocol, after the corrupt parties (who exert partial control over the source) are committed to their contributions, which necessitates an “online” seed oracle, rather than a seed established ahead of time.

Game-Based Security is not Enough. If we insist only that a coin tossing extension protocol produce a common output that is indistinguishable from a uniform bit string, then optimal CTE protocols with guaranteed output and unconditional security are easy to construct. If one way functions exist, then so does a trivial protocol: the parties simply use the n-bit output of $\mathcal {F}_{\textsf{Coin}}^n $ to seed a Pseudorandom Generator (PRG), which can produce a string of m(n) bits for any polynomial m that is indistinguishable from uniform to all adversaries whose runtimes are also bounded polynomially in n. Notice that this protocol does not involve any communication at all, apart from invoking the oracle! If one way functions do not exist or the adversary is unbounded, then the solution need not be much more complicated. Consider the following simple protocol for N parties:

This protocol produces an output $\varepsilon $-close to uniform if there exists an $(\ell ,\varepsilon )$-extractor $\textsf{Extract}:\{0,1\}^{\ell \cdot N}\times \{0,1\}^n\rightarrow \{0,1\}^m$ [29]. For $\varepsilon \in \textsf{negl}(n)$ and $\ell \in O(m+n)$, there is a construction of such extractors from universal hashing [24].

The simplicity of these protocols comes with a shortcoming: though they may produce outputs indistinguishable from uniform, their outputs cannot be used to replace a truly uniform string in any given context. This can be seen by means of a simple example: suppose that the adversary is challenged to produce an n-bit representation of m uniformly sampled bits, for $n<m$. If these m bits are sampled by $\mathcal {F}_{\textsf{Coin}}^m $ directly, then the adversary will fail with probability overwhelming in $m-n$. On the other hand, if the bits are produced by the simple computational CTE protocol we have just described, then the n-bit intermediate output of the seed oracle $\mathcal {F}_{\textsf{Coin}}^n $ is exactly such a representation, and thus the protocol cannot be used in place of the oracle, even though their outputs are indistinguishable from one another. This is a simple and specific example of the general separation between game-based security and simulation-based security.^{Footnote 1}

Simulation-Secure CTE. Simulation-based security—otherwise known as security in the real/ideal-paradigm [14, 21]—insists that there exist an efficient simulator algorithm to produce a protocol transcript given any protocol output, and that the simulated transcript must be indistinguishable from a transcript of the real protocol. If the oracle $\mathcal {F}_{\textsf{Coin}}^m $ in the ideal world is replaced by some simulation-secure protocol in the real world, then the simulator ensures that for any attack on the protocol, an equivalent attack can be mounted against $\mathcal {F}_{\textsf{Coin}}^m $; thus, the protocol can be used in any context $\mathcal {F}_{\textsf{Coin}}^m $ can be. A protocol is said to black-box simulation-secure if the simulator does not need to inspect the code of the protocol’s adversary, but only to run the adversary as a subroutine. It is said to be Universally Composable (UC) [15] if the simulation property is guaranteed to hold in an arbitrary protocol context defined by an adversarial environment,^{Footnote 2} and it is said to have standalone security if simulatability is only guaranteed to hold for one instance at a time. We refer to any protocol that has both guaranteed output and black-box standalone-simulatable (or universally composable) security against a malicious adversary corrupting a dishonest majority of participants as fully secure.

Hofheinz et al. [23] gave a thorough treatment of simulation-secure CTE without guaranteed output (i.e. permitting the adversary to force the protocol to abort), with a specific focus on the feasibility of CTE for two parties in a set of six contexts comprising each combination of perfect, statistical, or computational security, and either black-box standalone security or universally composable security. They proved that perfectly secure CTE and statistically universally composable CTE are both impossible even for one bit of stretch. On the other hand, they proved that it is possible to achieve polynomial stretch in the computational universally composable case via a constant-round construction based on commitments; their protocol explicitly allows aborts to occur. They also proved that it is possible to achieve polynomial stretch in the statistical standalone case via a protocol with a round count linear in the number of output bits. Although they make no explicit claim about guaranteed output, this protocol does not in fact contain an abort: to our knowledge this makes it the first fully-secure CTE protocol, and the first to evade Cleve’s bound.

Evading Cleve with Fully-Secure CTE. In this work, we initiate the systematic study of fully-secure coin tossing extension, and pose the question:

How many rounds does fully-secure coin tossing extension require?

It is clear that there must be at least one invocation of an “online” oracle, or else Cleve’s bound would apply and we would be forced to sacrifice either guaranteed output or unbiased output. It is also clear that there must be at least one round of communication among the parties, or else there could be no additional entropy with which to extend the coins that the oracle produces. We begin our study by proving that any interaction after the coin-tossing oracle $\mathcal {F}_{\textsf{Coin}}^n $ is invoked is useless. This implies that if the adversary is given the (standard) power to rush, then the communication of the parties must occur before the invocation of $\mathcal {F}_{\textsf{Coin}}^n $ and thus the minimal interaction for any fully-secure CTE protocol is one round, followed by one oracle invocation. This result is proven in the full version of our work [2, Section 4.1].

In the black-box standalone statistical setting, we prove much more interaction than this is required: specifically, we prove that a protocol with r rounds of interaction before the oracle’s invocation cannot output more than $O(r\cdot \log \lambda )$ bits, where $\lambda $ is a security parameter. This implies that the protocol of Hofheinz et al. is nearly optimal with linear stretch, and with a simple adjustment optimality can easily be achieved. Since Hofheinz et al. have already proved that statistically universally composable CTE is impossible, even without guaranteed output or polynomial stretch, this effectively closes the question of the round complexity of statistical CTE with black-box simulation. This result is proven in the full version of our work [2, Section 8].

To evade the bound we have just proved, we turn to computational security and cryptographic assumptions. Under the subexponential Learning with Errors (LWE) Assumption [34], we construct an N-party protocol that achieves polynomial stretch with the optimal interaction pattern: one round, followed by an invocation of $\mathcal {F}_{\textsf{Coin}}^n $. Furthermore, this protocol is universally composable and secure against malicious adversaries adaptively corrupting up to $N-1$ parties. Due to its basis in a lattice assumption it is also plausibly post-quantum secure. Indeed, we do not know of a stronger bounded adversary than the one implied by this combination of attributes. This result is proven in Sect. 3.

By allowing a trusted setup and settling for weaker notions of security, we expand the set of assumptions we can rely on: using a general hidden subgroup framework, we devise a one-round fully-secure and universally composable N-party CTE protocol in the Common Reference String (CRS) model. Unlike our previous construction, this one is proven only to have security against the static corruption of $N-1$ participants. We show how to instantiate our framework from the Decisional Diffie-Hellman (DDH) assumption [18] and the Hard Subgroup Membership (HSM) assumption^{Footnote 3} on class groups [16]: both of these assumptions yield short, reusable, uniform CRSes that can be sampled via one extra call the very same coin oracle $\mathcal {F}_{\textsf{Coin}}^n $ that the protocol extends. We also give an instantiation of the framework using Paillier encryption [30] (and thus under both the Decisional Composite Residuosity (DCR) and Quadratic Residuosity (QR) assumptions); this instantiation requires a reusable structured CRS that cannot be so trivially sampled. These results are proven in the full version of our work [2, Section 6].

We find a result in even the weakest of computational assumptions: One-Way Functions (OWFs). A close inspection of the OWF-based constant-round N-party coin tossing protocol of Goyal et al. [22] reveals that it can achieve Identifiable Abort (IA) [25], though the authors did not claim this. This type of security does not guarantee an output, but does ensure that if no output is produced, then the honest parties can agree upon the identity of at least one malicious party. Simple iteration of this protocol to eliminate cheating parties one-by-one can ensure that an output is produced in O(N) rounds, even if $N-1$ parties are corrupt, but cannot prevent the adversary from biasing that output. We describe a simple way to eliminate this bias using a sample from $\mathcal {F}_{\textsf{Coin}}^n$, yielding a constant-round fully-secure coin tossing protocol for any constant number of parties. This result is proven in the full version [2, Section 7].

Fully-Secure Distributed Sampling. Abram et al. [4, 5] recently introduced the notion of Distributed Sampling, which can be thought of as a generalization of coin tossing to any (efficiently-samplable) distribution, and they proved the existence of one-round distributed samplers in the malicious, dishonest-majority setting under a set of strong assumptions, including Indistinguishability Obfuscation (iO) [10]. They could not, however, construct one-round unbiased distributed samplers with guaranteed output without running afoul of Cleve [17], and settled instead for a notion they referred to as indistinguishability-preservingness. In this work, we augment their techniques with a single call to the coin tossing oracle $\mathcal {F}_{\textsf{Coin}}^n $ to achieve what they could not. This result is proven in the full version of our work [2, Section 9].

Explainable Randomness Extractors. At the beginning of this section, we explained coin tossing extension as the multiparty analogue of a randomness extractor. This analogy is not an accident: when the parties in a coin tossing extension protocol perform a final local computation to recover the protocol’s output from the coin oracle’s output and the transcript of the protocol before the oracle was invoked, they are precisely invoking a randomness extractor with the pre-oracle transcript as the source and the oracle’s output as the seed. For one-round protocols as several of ours are, the source is simply the concatenation of the parties’ single messages. The black-box simulatability of our protocols suggests a heretofore-unidentified property of certain extractors: it is efficient to find a seed and source that yield a chosen output under the extractor, such that the distribution of seeds is independent of the output, and the sources belong to some well-defined distribution that is tolerated by the extractor. We refer to this property as explainability, and formally prove the correspondence; as corollaries our other results imply explainable computational extractors for various source distributions under various assumptions. Correspondingly, the statistical CTE protocol of Hofheinz et al. [23] implies an explainable statistical extractor for a particular source distribution. This result is proven in the full version of our work [2, Section 4.2].

Open Questions. This work leaves an interesting question open:

Do there exist constant-round and statistically simulation-secure

coin tossing extension protocols with $\omega (\log \lambda )$ stretch?

This paper shows that if we relax this question by considering computational security, the answer is yes (under standard cryptographic assumptions). On the other hand, for the more stringent variant of the question that requires black-box simulation, the answer is unconditionally no. Thus, an affirmative answer to our question would separate black-box and non-black-box simulation in the statistical security setting. We are not aware of such a separation in the literature.

2 Technical Overview

Notation. Let $\lambda $ be the security parameter. For any $n\in \mathbb {N}$, we use [n] to denote the set $\{1, \dots , n\}$. We use $\lfloor x \rfloor $ to denote the integral part of the number x. We use bold font to denote vectors and capital letters for matrices. We use $\Vert \cdot \Vert _\infty $ to denote the $\ell _\infty $-norm (i.e. the maximum magnitude of the entries of the vector). We use $=$ to denote equality, $:=$ to denote equality by definition of the left hand side by the right hand side, $\equiv $ to denote congruence, and $\leftarrow $ to denote deterministic assignment. We use in an overloaded fashion to denote sampling from a distribution, assignment using a randomized algorithm, or, if the right hand side is a domain, uniform sampling from that domain. We use $\sim $ to denote that two scalars approximate each other, or in some contexts that they are negligibly close in the security parameter, and we use $\approx _\textrm{s}$ and $\approx _\textrm{c}$ to denote that distributions are statistically or computationally indistinguishable, respectively.

A Coin Tossing Extension (CTE) protocol consists of an N-party protocol that produces m unbiased random bits given a source of $n<m$ unbiased random coins. Formally, our security definition is based on black-box simulation: we insist that a CTE protocol realizes the functionality $\mathcal {F}_{\textsf{Coin}}^m $ that provides all parties with a random string in the presence of a malicious PPT adversary corrupting up to $N-1$ parties, in the hybrid model of the functionality $\mathcal {F}_{\textsf{Coin}}^n $ (otherwise known as the seed oracle) that supplies a random string . $\mathcal {F}_{\textsf{Coin}}^n $ and $\mathcal {F}_{\textsf{Coin}}^m $ are identical, apart from their parametrization.

We highlight that $\mathcal {F}_{\textsf{Coin}}^m $ has guaranteed output, and thus our CTE protocols achieve full security: even if the corrupted parties deviate from the protocol, the honest parties will always agree on an unbiased random output. In general, both n and m may be polynomials in the security parameter $\lambda $, but we often leave this implicit. We define the round complexity of the protocol to be the number of rounds of interaction between the parties before the final invocation of $\mathcal {F}_{\textsf{Coin}}^n $, the sampling complexity t to be the number of times $\mathcal {F}_{\textsf{Coin}}^n $ is invoked, the additive stretch to be $m-t\cdot n$, and the multiplicative stretch to be $m/(t\cdot n)$.

Throughout this paper, we consider different flavours of security: most of our constructions achieve computational security in the UC model, and one is only standalone-secure. One construction achieves security against adaptive corruptions. Our lower bound applies to the information-theoretic case with black-box simulation. We always assume that the parties are connected by authenticated, private, point-to-point channels, and by an authenticated broadcast medium.

2.1 The Round Structure of CTE Protocols

In a coin tossing extension protocol, the seed oracle behaves very differently from a typical trusted setup: in order to evade Cleve’s impossibility [17], the random coins must be delivered throughout the execution of the protocol and not at the beginning. We begin by proving that any round of interaction after the last call to the seed oracle is essentially useless. Immediately after the last call, the parties must already agree on an unbiased random string of the right length. This fact holds even for CTE protocols that rely on non-black-box simulators.

Theorem 2.2

(Informal Version of [2, Theorem 4.3]). Let $\varPi $ be a CTE protocol producing m random bits. Let $\varPi '$ be the protocol in which the parties behave exactly as in $\varPi $ until the last call to the seed oracle, after which they stop interacting. $\varPi '$ is a secure coin tossing extension protocol producing m random bits.

Proving the above theorem begins with the simple observation that the output of any honest party $P_i$ in $\varPi '$ is the value it would return if it were executing $\varPi $ and all other parties ceased interacting (as they might, if they are corrupt) after last call to the entropy source. This implies that $P_i$’s output in $\varPi '$ cannot be noticeably biased by the adversary. It is more challenging to prove that the outputs of the honest parties in $\varPi '$ all coincide. We show this by following the blueprint of Cleve’s impossibility result [17] and applying a similar argument in the N-party setting. Let $\alpha $ be the index of one (arbitrary) bit of the output, and let $P_i$ and $P_j$ be two honest parties. Let the random variables $b_{i, r}$ and $b_{j, r}$ be the $\alpha ^\text {th}$ bit that $P_i$ and $P_j$ would output in $\varPi $ if all other parties ceased interacting in the $r^\text {th}$ round after the last call to the seed oracle. By the security of $\varPi $, the bits $b_{i, r}$ and $b_{j, r}$ must be equal for sufficiently large r, because, at the end of the protocol, $P_i$ and $P_j$ are guaranteed to agree. Our goal is to prove that, whatever the value of $\alpha $ and the behaviour of the adversary $\mathcal {A}$, the bits $b_{i, 0}$ and $b_{j, 0}$ are equal. For every adversary $\mathcal {A}$, every round r, and $b\in \{0, 1\}$, we define two modified adversaries, $\mathcal {A}_{r, 0}^b$ and $\mathcal {A}_{r, 1}^b$. The adversary $\mathcal {A}_{r, 0}^b$ corrupts all parties except $P_i$. Any parties that $\mathcal {A}$ would corrupt behave when corrupted by $\mathcal {A}_{r, 0}^b$ as they would when corrupted by $\mathcal {A}$; for all other parties, $\mathcal {A}_{r, 0}^b$ follows the protocol. At the $r^\text {th}$ round after the last call to the seed oracle, $\mathcal {A}_{r, 0}^b$ simulates the execution of the round in its head using $P_i$’s message ($\mathcal {A}_{r, 0}^b$ is a rushing adversary, and thus has this message before the round completes). If it predicts that $b_{j, r+1}=b$, then $\mathcal {A}_{r, 0}^b$ sends no further messages; otherwise, it sends the messages of the execution it simulated in its head and ceases communication thereafter. The adversary $\mathcal {A}_{r, 1}^b$ is slightly simpler: it corrupts all parties except $P_j$ and determines their behavior just like $\mathcal {A}_{r, 0}^b$ did. At the $r^\text {th}$ round after the last call to the seed oracle, $\mathcal {A}_{r, 1}^b$ checks whether $b_{i, r}=b$, and sends no further messages if so; otherwise, it ceases communication at the end of the following round. Using Cleve’s argument [17], we can prove that unless $b_{i, 0}=b_{j, 0}$, at least one of the adversaries $(\mathcal {A}_{r, 0}^b, \mathcal {A}_{r, 1}^b)_{r, b}$ must bias the $\alpha ^\text {th}$ bit of the output of $\varPi $ by a non-negligible amount, with overwhelming probability.

This result is formalized in the full version of our work [2, Section 4.1].

2.2 Coin Tossing Extension and Explainable Extractors

A randomness extractor is a primitive that converts samples from a high-entropy source into true randomness, with the aid of an auxiliary source of truly random bits, referred to as a seed. The samples provided by the high-entropy source should be independent of the seed, and the seed is typically required to be much shorter than the output. Formally, we require that for every source of sufficiently high entropy S, the following distribution is indistinguishable from the uniform distribution:

In the full version of our work [2, Section 4.2], we introduce the notion of an explainable extractor: a randomness extractor that satisfies a stronger, simulation-based security definition relative to some class of entropy sources $\mathcal {S}$. Specifically, for every source $S\in \mathcal {S}$, there must exist a PPT simulator $\textsf{Explain}_S$ such that the following distributions are indistinguishable:

We prove that fully-secure CTE protocols imply explainable extractors. In particular, any CTE protocol can be viewed as an explainable extractor for the class of entropy sources that is generated by running the CTE protocol with an adversary corrupting at most $N-1$ parties, and then outputting the transcript $\boldsymbol{x}$ and the view of the adversary $\textsf{aux}$ just before the last call to the seed oracle. The extractor $\textsf{Extract}(\boldsymbol{x}, \boldsymbol{u})$ simply emits an honest party’s (truly random) output using the transcript, simulating the seed oracle via $\boldsymbol{u}$, and performing any final computations via the honest party’s code. The algorithm $\textsf{Explain}_S$ can easily be derived from the simulator of the CTE protocol.

In Sect. 3, we use this fact to prove the existence of an explainable extractor for the class of entropy sources that produce N blocks of $\textsf{poly}(\lambda )$ bits $\boldsymbol{x_1}, \dots , \boldsymbol{x_N}$, such that one block (say $\boldsymbol{x_i}$) is truly random, and the other blocks and $\textsf{aux}$ are produced by any PPT algorithm receiving $\boldsymbol{x_i}$ as input. See Corollary 3.7.

2.3 Computational Coin Tossing Extension with Long Stretch

We now describe our CTE constructions starting from the simplest to the most sophisticated. All of our schemes achieve security against adversaries corrupting up to $N-1$ parties and require a single call to the seed oracle.

On UC-Security and Arbitrary Polynomial Stretch at No Round Cost. If a UC-secure coin tossing extension protocol generates $m>n$ random bits using a single call to the seed oracle, then we immediately obtain a UC-secure coin tossing extension protocol with the same round complexity, a single call to the seed oracle, and arbitrary polynomial stretch: all we must do is run the original CTE protocol many times in parallel. We use the coins produced by the seed oracle in the first execution, and then use n bits of the resulting output as the seed for the second execution, reserving at least one bit for the final output, and so on. We obtain at least one additional bit per instance.

From One-Way Functions via Coin Tossing with Identifiable Abort. We start from the simplest construction: we consider a secondary coin tossing functionality with identifiable abort and not guaranteed output. We refer to this functionality as $\mathcal {F}_{\mathsf {Coin+IA}}^m $; it can be realized by the protocol of Goyal et al. [22] in the standalone setting assuming one-way functions exist. We might naïvely hope to build a fully-secure CTE protocol via player elimination. The parties invoke $\mathcal {F}_{\mathsf {Coin+IA}}^m $, and if the invocation succeeds, then they output the random string produced by it; otherwise, they repeat the invocation of $\mathcal {F}_{\mathsf {Coin+IA}}^m $ without the party that cause the abort. After at most $N-1$ attempts, the honest parties are guaranteed to agree on a random string. Unfortunately, this construction allows the adversary to bias the output. Remember, we have not relied on the seed oracle, so Cleve’s impossibility [17] must apply. During each invocation of $\mathcal {F}_{\mathsf {Coin+IA}}^m $, the adversary learns the candidate output before the honest parties, and can choose to abort or accept the result; conditioning this choice on the candidate output allows bias to be injected. For example, if the adversary desires the initial bit of the output to be 0, then it can abort the invocation of $\mathcal {F}_{\mathsf {Coin+IA}}^m $ only when the candidate output starts with a 1.

We prevent this bias attack by “encrypting” the output of the CTE protocol using a PRG. Specifically, after $\mathcal {F}_{\mathsf {Coin+IA}}^m $ produces an output, the parties invoke the seed oracle $\mathcal {F}_{\textsf{Coin}}^\lambda $ to obtain a $\lambda $-bit seed, where $\lambda $ denotes the security parameter. They expand this seed with a PRG, and output the XOR of the expansion and the output of $\mathcal {F}_{\mathsf {Coin+IA}}^m $.

We highlight that even with this modification, the adversary still has the ability to cause an abort and force the honest parties to invoke $\mathcal {F}_{\mathsf {Coin+IA}}^m $ repeatedly. Compared to the naïve protocol, the adversary must now face the choice of whether to abort blindly: even given the candidate output of $\mathcal {F}_{\mathsf {Coin+IA}}^m $, the adversary cannot predict the output of the CTE protocol. At the time the adversary must make the decision, the privacy of the final output is guaranteed by the security of the PRG, because the $\lambda $-bit seed chosen by the seed oracle is not yet revealed. This result is expounded in the full version of our work [2, Section 7]. Ultimately, we prove:

Corollary 2.3

If one-way functions exist, then for any constant number of parties there is a constant-round fully-secure CTE protocol in the plain model, with standalone black-box simulatability against a malicious PPT adversary statically corrupting all parties but one. This construction is black-box in the OWF.

An Algebraic Framework for Coin-Tossing Extension. After discovering a fully-secure CTE protocol from coin tossing with identifiable abort, we wondered whether it is possible to guarantee output without restarting in response to malicious behavior. We answer this question affirmatively, and moreover demonstrate that only a single round of interaction followed by a single call to the seed oracle is required in the CRS model. Our construction is an algebraic framework for coin tossing extension that can be instantiated using DDH groups, class groups, or Paillier Encryption.

One-Round CTE Against Rushing Adversaries. One of the main challenges in designing a one-round CTE protocol is dealing with rushing behaviour. For the moment, imagine that our goal is to construct a protocol with black-box simulation and no CRS. In the ideal world, the corresponding functionality provides the simulator with the output of the protocol, and then the simulator must generate fake but consistent messages for the honest parties. The simulator must do this without knowing the messages of the corrupted players, since the honest party is assumed to speak first. In principle, the adversary might be able to inject so much randomness in the protocol that the Shannon entropy of the output $\boldsymbol{s}$ conditioned on the messages generated by the simulator $U_H$ is greater than $n+\omega (\log \lambda )$; specifically

$$\begin{aligned} \textsf{H}(\boldsymbol{s} | U_H)\ge n+\omega (\log \lambda ).\end{aligned}$$

(1)

Indeed, what happens if the adversary is the simulator itself, using a random string in place of the functionality’s output? Without a CRS, this is a possibility! If (1) holds, the simulator is doomed to fail: the only power it has is to rewind, or generate a random-looking n-bit response $\boldsymbol{u}$ on behalf of the seed oracle. The latter will not help because the entropy of $\boldsymbol{u}$ is bounded by n; it is too low to fully correct the bias induced by the adversary. Rewinding will not help, since it is equivalent to restarting: each execution is overwhelmingly likely to fail.

Relying on a CRS: the Hidden Subgroup Framework. Now that we have understood what the main challenges are, we relax our requirements to permit a CRS. We hope that by relying on the common reference string, we can restrict the influence of the adversary while allowing full freedom to the simulator. We demonstrate that this is possible using an algebraic framework inspired by the work of Abram et al. [1], which we refer to as the the hidden subgroup framework.

Theorem 2.4

(Informal Version of [2, Theorem 6.4]). Given any instantiation of the hidden subgroup framework, there exists a one-round N-party fully-secure protocol in the $\mathcal {F}_{\textsf{Coin}}^n $-hybrid CRS model that UC-realizes $\mathcal {F}_{\textsf{Coin}}^m $ in the presence of a malicious PPT adversary statically corrupting up to $N-1$ parties.

Consider a multiplicative group G with a smaller subgroup H. Suppose that we can efficiently sample uniformly random elements from both groups, but the two distributions are computationally indistinguishable. Our CRS consists of a description of G and H along with the CRS for a simulation-extractable NIZK. Each party $P_i$ broadcasts a random sample $h_i\in H$, along with a NIZK proving that the sample belongs to H. If any NIZK does not verify, the party that generated it is excluded from the execution of the protocol (without restarting). Next, the seed oracle provides the parties with the description of another random element $h\in H$. The parties output the product $h\cdot \prod _i h_i$, ignoring every $h_j$ for which the corresponding NIZK does not verify.

We argue that from the adversary’s perspective, the output is indistinguishable from a random element in G. Indeed, a simulator that receives from the functionality can generate a trapdoored CRS for the NIZK and send $g\cdot h_\iota $ instead of $h_\iota $ on behalf of an arbitrary honest party $P_\iota $. The corresponding NIZK is simulated using the trapdoor, and the simulator sends a correcting term $h\leftarrow \prod _i h_i^{-1}$ on behalf of the seed oracle (where, again, the product ignores all indices corresponding to non-verifying NIZKs). Notice that h is a random element in H due to $h_\iota $. The output of this protocol execution is g, and the transcript is indistinguishable from a real protocol transcript due to the security of the NIZK and the indistinguishability of uniform elements in G and H.

The Representation of the Group Elements. There is a problem yet to be solved in the blueprint we have just given: a CTE protocol must produce more random bits than those provided by the seed oracle. The entropy of a random element in G is higher than the entropy of random elements in H, but since the two distributions are indistinguishable, it would seem that the representations of elements in G and H require strings of the same length. In other words, it seems that in the foregoing construction, the seed oracle provides as many bits as are produced by the protocol. This is not the case, however: the stretch depends on how we represent the response of the seed oracle. This representation can be compressed because it is known to always be in H. If H is a cyclic group of order q and $h_0$ is a generator, then the seed oracle can represent any $h=h_0^r$ as $r\bmod q$. This representation is optimal as it requires roughly $\log q=\log |H|< \log |G|$ bits, and it yields a protocol with positive stretch.

Using such a representation introduces another issue, though: how can the simulator obtain a succinct representation of $\prod _i h_i^{-1}$? Doing so implies computing a discrete logarithm. This is the purpose of the simulation-extractable NIZKs: the simulator samples the discrete logarithms of the elements chosen by the honest parties (including $h_\iota $), and extracts the discrete logarithms of the elements of the corrupted parties using their NIZKs.

We require three additional properties from our framework:

There should exist a succinct representation for the elements of H. For any $h_i\in H$, we denote the representation by $\rho _i$. This representation may not be unique.
Given elements $h_1, \dots , h_\ell \in H$ and corresponding succinct representations $\rho _1, \dots , \rho _\ell $, we must be able to obtain a succinct representation of $\prod _{i\in [\ell ]} h_i^{-1}$
There must be a way to sample $h_1$ and a corresponding succinct representation $\rho _1$ such that, for every $h_2, \dots , h_\ell \in H$ and corresponding $\rho _2, \dots , \rho _\ell $, the succinct representation of $\prod _{i\in [\ell ]} h_i^{-1}$ derived from $\rho _1, \rho _2 \dots , \rho _\ell $ is indistinguishable from the succinct representation of a uniform element in H.

One Last Property: Converting the Output into Bits. A CTE protocol is supposed to produce random bits. The protocol we described above outputs a random group element $g\in G$ instead. How do we convert this into a random string? This can be surprisingly challenging! We cannot simply apply an arbitrary hash function f; the procedure must be explainable. There must be a way for the simulator to convert the random string $\boldsymbol{s}$ obtained from the functionality into a random group element g such that $f(g)=\boldsymbol{s}$. In other words, our framework also requires the existence of an efficiently invertible deterministic function f such that the following distributions are indistinguishable.^{Footnote 4}

Instantiations of the Framework. We present three instantiations of the hidden subgroup framework: one based on DDH over cyclic groups, one based on Paillier Encryption [30], and one based on class groups of imaginary quadratic fields [16].

Let $\widehat{G}$ be a cyclic group of prime order p wherein DDH is hard. Inspired by Peikert et al. [32], we choose G to be the product $\widehat{G}\times \widehat{G}$. The subgroup H consists of all pairs $(g_1, g_2)\in G$ such that $g_2=g_1^\alpha $ for a randomly sampled, secret . It is easy to see that H is a proper subgroup of G. Furthermore, it is hard to distinguish between the uniform distributions over G and H under the DDH assumption. Since H is cyclic with order p, we can also succinctly represent any element in H as the usual discrete logarithm of $(g_1, g_2)$ with respect to some generator $(g_0, g_0^\alpha )$. This succinct representation satisfies the properties required by the framework. Finally, the matter of conversion from G into random bits depends greatly on the choice of $\widehat{G}$. If the latter is a cyclic subgroup of $\mathbb {F}_q^*$ for some power of a prime q or of an elliptic curve, conversion is usually easy as long as the cofactor is small.
Consider the Paillier group $G:=\mathbb {Z}_{N^2}^*$ where N is the product of two large, random, safe primes $p=2p'+1$ and $q=2q'+1$. The subgroup H will consist of all $2N^\text {th}$ powers of G. H is a subgroup of order $p'\cdot q'$, and since $p'\ne q'$ are primes, all abelian groups of this order are cyclic. Under the QR assumption and the DCR assumption, no PPT adversary can distinguish between a random element in G and a random $2N^\text {th}$ power. As before, we can succinctly represent any element in H via the discrete logarithm with respect to a fixed generator $h_0$ ($h_0$ can be a random $2N^\text {th}$ power). This instantiation differs from the previous one only in that the order of H is unknown: to sample a random element in H with a known succinct representation, we must sample and set $h\leftarrow h_0^\rho $. We use flooding to ensure the third property of succinct representations.
Consider a class group $\widehat{G}$ and let F denote the cyclic subgroup of prime order q where the discrete logarithm problem is easy. Let $h_0$ be a random element in $\widehat{G}$ of order coprime with q. Let $\ell $ be $2^\lambda $ times greater than an upper-bound on the order of $h_0$. The subgroup H is generated by $h_0$ and G is $F\times H$. Under the hidden subgroup membership assumption, the uniform distributions over H and G are indistinguishable. Once again, we can succinctly represent the elements of H through their discrete logarithm with respect to $h_0$, and as in the Paillier case, the order of H is unknown, so we generate random elements with a known succinct representation by sampling and computing $h\leftarrow h_0^\rho $. Also as in the Paillier case, we use flooding to ensure the third property of succinct representations. While our class group instantiation has an advantage over our Paillier instantiation in that we can generate the parameters of the group transparently, there is also an important disadvantage: as far as we know, there exists no explainable procedure that converts random elements in G into random strings of bits. In other words, we do not know how to ensure the last property of our framework.

These results are formalized in the full version of our work [2, Section 6], with the three instantiations of our framework being presented in Subsects. 6.1, 6.2 and 6.3 respectively.

One-Round Setup-Free Adaptively-Secure Coin Tossing Extension. We return to the question of whether it is possible to built one-round CTE protocols without a CRS. As we explained in the context of our construction from the hidden subgroup framework, the goal of using a CRS is to limit adversarial influence on the output, while giving the simulator freedom. With no CRS, the simulator can only restrict the influence of the adversary through the responses of the seed oracle. This creates a new challenge: because the responses of the seed oracle are revealed only at the end, we cannot use well-studied primitives, such as NIZKs. We have eliminated the most common non-interactive MPC tool for preventing malicious behavior. We must therefore develop new techniques.

Lattice-Based Lossy Trapdoor Functions. Our solution comes from lattice-based cryptography. In our protocol, each party $P_i$ will broadcast L vectors $\boldsymbol{x_{i, 1}}, \dots , \boldsymbol{x_{i, L}}\in \mathbb {Z}_q^M$ sampled from a discrete Gaussian distribution. The seed oracle will provide matrices $A_1, \dots , A_N\in \mathbb {Z}_q^{K\times M}$ and $B_1, \dots , B_N\in \mathbb {Z}_q^{V\times M}$. For every index $i\in [N]$, we define the function

$$ f_i:\mathbb {Z}_q^M \longrightarrow \mathbb {Z}_q^{K+V}\qquad \text { such that}\qquad f_i:\boldsymbol{x} \longmapsto (A_i\cdot \boldsymbol{x}, B_i\cdot \boldsymbol{x}) $$

For the moment, assume that the parties output $\sum _{i\in [N]} f_i(\boldsymbol{x_{i, \ell }})$ for every $\ell \in [L]$, where L is a free parameter that controls the protocol’s stretch.^{Footnote 5} We will adjust this provisional protocol several times as we explore its properties in order to achieve the properties we desire.

Each $f_i$ can be viewed as a lossy trapdoor function [33] under the hardness of LWE. In particular, if M is sufficiently large compared to K, V and $\log q$, then there is a way to sample the matrices $(A_i, B_i)$ along with a trapdoor T so that, for every $\boldsymbol{v_1}\in \mathbb {Z}_q^{K}$, $\boldsymbol{v_2}\in \mathbb {Z}_q^V$, the trapdoor T can be used to sample a low-norm vector $\boldsymbol{x}\in \mathbb {Z}_q^M$ such that $A_i\cdot \boldsymbol{x}=\boldsymbol{v_1}$ and $B_i\cdot \boldsymbol{x}=\boldsymbol{v_2}$. Furthermore, this sampling method yields $A_i$ and $B_i$ that are statistically close to uniform and $\boldsymbol{x}$ is indistinguishable from a discrete Gaussian sample [7, 8, 19, 28]. When the matrices are sampled in this way, $f_i$ is in injective mode.

To use $f_i$ in lossy mode, suppose that we generate $B_i$ as $S\cdot A_i+E_i$, where $A_i\in \mathbb {Z}_q^{K\times M}$ and $S\in \mathbb {Z}_q^{V\times K}$ are sampled uniformly and $E_i\in \mathbb {Z}_q^{V\times M}$ comes from a discrete Gaussian distribution. Under LWE, the matrix $B_i$ is indistinguishable from uniform, but every time we apply $f_i$ on a small norm vector, we obtain a pair $(\boldsymbol{v_1}, \boldsymbol{v_2})\in \mathbb {Z}_q^K\times \mathbb {Z}_q^V$ such that $\boldsymbol{v_2}$ is close in norm to $S\cdot \boldsymbol{v_1}$.

Limiting the Influence of the Adversary Using Lossy Trapdoor Functions. Let us consider the ideal world execution of the protocol we described above. The simulator starts by picking an arbitrary honest party $P_\iota $. It generates the matrices $(A_i, B_i)_{i\in [N]}$ so that $f_\iota $ is in injective mode (let $T_\iota $ be the trapdoor), while all the other functions are in lossy mode. In particular, for every $i\ne \iota $, the simulator ensures that $B_i=S\cdot A_i+E_i$, where , and $E_i$ comes from a discrete Gaussian distribution over $\mathbb {Z}^{V\times M}$.

If all of the parties are honest, then the simulator has full control of the output of the protocol: if we desire the output to be the vectors $\boldsymbol{u_1}, \dots , \boldsymbol{u_L}\in \mathbb {Z}_q^{K+V}$, the simulator must simply generate messages $\boldsymbol{x_{i, 1}}, \dots , \boldsymbol{x_{i, L}}$ following the protocol for every $i\ne \iota $. Then, using the trapdoor $T_\iota $, it generates $\boldsymbol{x_{\iota , 1}}, \dots , \boldsymbol{x_{\iota , L}}$ such that $f_\iota (\boldsymbol{x_{\iota , \ell }})=\boldsymbol{u_\ell }-\sum _{i\ne \iota } f_i(\boldsymbol{x_{i, \ell }})$ for every $\ell \in [L]$. That ensures that the output is exactly as desired.

If some parties are corrupted, however, the adversary has the ability to bias the output in an unpredictable but limited way by using its ability to rush. If the adversary waits until after the honest parties (including $P_\iota $) are committed to their inputs before transmitting those of the corrupted parties, then it can contribute an additive term of $(\boldsymbol{v_{1, \ell }}, \boldsymbol{v_{2, \ell }}):=\sum _{j\in \mathcal {C}} f_j(\boldsymbol{x_{j, \ell }})$ to $\ell $-th vector produced the protocol, and the simulator cannot compensate using the mechanism we have just described. Since all $f_j$ for $j\in \mathcal {C}$ are in lossy mode with respect to the same matrix S, and they are all linear, it follows that $\boldsymbol{v_{2, \ell }}=S\cdot \boldsymbol{v_{1, \ell }}+\boldsymbol{e'_\ell }$ where $\boldsymbol{e'_\ell }$ is a vector of small norm. In other words, the entropy that the adversary can introduce is limited in this construction because the lossy trapdoor functions corresponding to the parties it corrupts are in lossy mode. We must add an additional mechanism to the protocol to correct for this adversarially-induced shift.

Adding a Correction Term. In order to allow the simulator to correct the offset induced by a rushing adversary, we augment the response of the seed oracle with two new matrices $C\in \mathbb {Z}_q^{K\times W}$ and $D\in \mathbb {Z}_q^{V\times W}$ that are indistinguishable from uniform, and a list of discrete Gaussian samples $(\boldsymbol{e_\ell })_{\ell \in [L]}$ over $\mathbb {Z}_q^W$.^{Footnote 6} The output of our new protocol is the list of all vectors

$$\begin{aligned} (\boldsymbol{s_{1,\ell }},\boldsymbol{s_{2,\ell }}):=\sum _{i\in [N]} f_i(\boldsymbol{x_{i, \ell }})+(C\cdot \boldsymbol{e_\ell }, D\cdot \boldsymbol{e_\ell })\quad \text {for every }\ell \in [L]. \end{aligned}$$

The simulator samples (C, D) such that they constitute a lossy-mode lossy trapdoor function. In other words, the matrix D is computed as $D\leftarrow S\cdot C+F$ where F is sampled according to a discrete Gaussian distribution over $\mathbb {Z}_q^{V\times W}$. Under the LWE assumption, D is indistinguishable from uniform, from the adversary’s perspective. However, C is not sampled uniformly, as $A_i$ for $i\ne \iota $ were. Instead, C is sampled together with a trapdoor T, much like $A_\iota $ and $T_\iota $. The trapdoor T allows the simulator to sample preimages with respect to C that are indistinguishable from discrete Gaussian samples.

Suppose that we would like the output to be the random vectors $(\boldsymbol{u_{1, 1}}, \boldsymbol{u_{2, 1}}), \dots , (\boldsymbol{u_{1, L}}, \boldsymbol{u_{2, L}})\in \mathbb {Z}_q^{K}\times \mathbb {Z}_q^V$. The simulator generates the messages of all honest parties except for $P_\iota $ by following the protocol, then it samples and, using the trapdoor $T_\iota $, it generates the messages $\boldsymbol{x_{\iota , 1}}, \dots , \boldsymbol{x_{\iota , L}}$ of $P_\iota $ such that

$$\begin{aligned} f_\iota (\boldsymbol{x_{\iota , \ell }})=(\boldsymbol{u_{1, \ell }}+\boldsymbol{w_\ell }, \boldsymbol{u_{2, \ell }}+S\cdot \boldsymbol{w_\ell }). \end{aligned}$$

Now, for every $\ell \in [L]$, let

$$\begin{aligned} (\boldsymbol{v_{1, \ell }}, \boldsymbol{v_{2, \ell }}):=\sum _{i\in [N]} f_i(\boldsymbol{x_{i, \ell }}) \end{aligned}$$

where $\boldsymbol{v_{1, \ell }}\in \mathbb {Z}_q^K$ and $\boldsymbol{v_{2, \ell }}\in \mathbb {Z}_q^V$. Since all of the functions $(f_i)_{i\ne \iota }$ are in lossy mode with respect to the same matrix S, we have that for every $\ell \in [L]$,

$$\begin{aligned} \boldsymbol{v_{2, \ell }}=\boldsymbol{u_{2, \ell }}+S\cdot (\boldsymbol{v_{1, \ell }}-\boldsymbol{u_{1, \ell }})+\boldsymbol{e''_\ell } \end{aligned}$$

where $\boldsymbol{e''_\ell }$ is a small-norm error vector. Therefore, if the simulator uses the trapdoor T to generate the discrete Gaussian samples $(\boldsymbol{e_\ell })_{\ell \in [L]}$ such that $C\cdot \boldsymbol{e_\ell }=\boldsymbol{u_{1, \ell }}-\boldsymbol{v_{1, \ell }}$, then we have

$$\begin{aligned} (\boldsymbol{s_{1,\ell }},\boldsymbol{s_{2,\ell }}) = (\boldsymbol{u_{1, \ell }}, \boldsymbol{u'_{2, \ell }}) \qquad \text { such that }\qquad \boldsymbol{u'_{2, \ell }} = \boldsymbol{u_{2, \ell }} +\boldsymbol{e''_\ell } + F\cdot \boldsymbol{e_\ell } \end{aligned}$$

for every $\ell \in [L]$. The term $\boldsymbol{e''_\ell } + F\cdot \boldsymbol{e_\ell }$ has low norm, and thus $\boldsymbol{u'_{2, \ell }}$ is close in norm to $\boldsymbol{u_{2, \ell }}$. We will require one further adjustment to our protocol to make them equal. Notice first that if our output vector $\boldsymbol{u_{1, \ell }}$ is uniform, then $\boldsymbol{u_{1, \ell }}-\boldsymbol{v_{1, \ell }}$ is uniform and consequently the simulated vector $\boldsymbol{e_\ell }$ is indistinguishable from a discrete Gaussian sample. Furthermore, notice that $\boldsymbol{x_{\iota , \ell }}$ leaks nothing about $\boldsymbol{u_{1, \ell }}$, because $\boldsymbol{w_\ell }$ acts as a mask.

Final Adjustments. If two (distributions of) vectors have a low-norm difference, then their high-order bits are likely the same. Our protocol as currently written admits a simulator that can force the output to be close in norm to any desired value, so taking only the high-order bits to be the protocol’s output will allow the very same simulation strategy to produce an exact match. Specifically, we will modify the protocol to pick a second modulus $p\ll q$ and round down each entry of $\boldsymbol{s_{2,\ell }}$ to the closest multiple of q/p.

In this next iteration of the protocol, the parties first compute

$$\begin{aligned} (\boldsymbol{s_{1, \ell }}, \boldsymbol{s_{2, \ell }})\leftarrow \sum _{i\in [N]} f_i(\boldsymbol{x_{i, \ell }})+(C\cdot \boldsymbol{e_\ell }, D\cdot \boldsymbol{e_\ell }) \end{aligned}$$

such that $\boldsymbol{s_{2, \ell }}\in \mathbb {Z}_q^V$ for every $\ell \in [L]$, and then compute the vector $\boldsymbol{s'_{2, \ell }}\in \mathbb {Z}_p^V$ that minimizes $\Vert \boldsymbol{s_{2, \ell }}-q/p\cdot \boldsymbol{s'_{2, \ell }}\Vert _\infty $ (we write $\boldsymbol{s'_{2, \ell }}\leftarrow \lceil \boldsymbol{s_{2, \ell }}\rfloor _p$). The output of the protocol is $(\boldsymbol{s_{1, 1}}, \boldsymbol{s'_{2, 1}}), \dots , (\boldsymbol{s_{1, L}}, \boldsymbol{s'_{2, L}})$. If we would like the output to be the vectors $(\boldsymbol{u_{1, 1}}, \boldsymbol{u_{2, 1}}), \dots , (\boldsymbol{u_{1, L}}, \boldsymbol{u_{2, L}})\in \mathbb {Z}_q^{K}\times \mathbb {Z}_p^V$, then the simulator samples $\boldsymbol{u''_{2, \ell }}\in \mathbb {Z}_q^V$ for $\ell \in [L]$ uniformly subject to $\lceil \boldsymbol{u''_{2, \ell }}+\boldsymbol{z} \rfloor _p=\boldsymbol{u_{2, \ell }}$ for every bounded-norm noise vector $\boldsymbol{z}$, uses the trapdoor $T_\iota $ to generate the messages $\boldsymbol{x_{\iota , 1}}, \dots , \boldsymbol{x_{\iota , L}}$ of $P_\iota $ such that

$$\begin{aligned} f_\iota (\boldsymbol{x_{\iota , \ell }})=(\boldsymbol{u_{1, \ell }}+\boldsymbol{w_\ell }, \boldsymbol{u''_{2, \ell }}+S\cdot \boldsymbol{w_\ell }) \end{aligned}$$

and continues the simulation as before.

To guarantee negligible simulation error while using this technique, we must take q to be larger than p by a superpolynomial factor. Moreover, we must set the magnitude of the LWE noise to $\alpha \cdot q$ for a negligible function $\alpha (\lambda )$. In other words, we must assume the hardness of LWE with superpolynomial modulus-to-noise ratio. This completes the first version of our construction.

Adaptive Security. Our protocol is secure against adaptive corruption as a consequence of the non-interactive nature of the construction and the explainability of discrete Gaussian distributions [6]. Given a discrete Gaussian sample $\boldsymbol{x}$, it is possible to efficiently produce random coins that, when provided as randomness for the distribution, produce the sample $\boldsymbol{x}$. We rely on this procedure every time that the adversary decides to corrupt a party after the end of the only round of interaction; recall that the messages of the parties are simply discrete Gaussian samples.

The Stretch of our First Construction. The number of random bits produced by the first version of our construction is $L\cdot (K\cdot \log q+V\cdot \log p)$, whereas the seed oracle provides

$$\begin{aligned} (K+V) \cdot (M\cdot N + W)\cdot \log q\end{aligned}$$

(2)

bits for the matrices $(A_1, \dots , A_N, B_1, \dots B_N, C, D)$, and $L\cdot W\cdot \textsf{poly}(\lambda )=L\cdot K\cdot \log q\cdot \textsf{poly}(\lambda )$ bits for the discrete Gaussian samples $(\boldsymbol{e_\ell })_{\ell \in [L]}$. We observe that (2) is independent of L, so, if we pick L to be sufficiently large, then $L\cdot (K\cdot \log q+V\cdot \log p)$ becomes arbitrarily greater than (2). Similarly, the number of bits necessary for the discrete Gaussian samples is independent of V, so we can pick V sufficiently large to make $L\cdot (K\cdot \log q+V\cdot \log p)$ arbitrarily greater than $L\cdot W\cdot \textsf{poly}(\lambda )$. This proves that our construction achieves an arbitrary polynomial stretch. However, notice that Eq. 2 depends linearly on N: this means that the number of bits supplied by the seed orace grows with the number of parties, which is undesirable. In order to fix this, we will need to make the slightly stronger assumption that LWE is hard with a subexponential (rather than superpolynomial) modulus-to-noise ratio. We present only this second construction in full in Sect. 3, but remark that the first construction that we have just sketched remains interesting, due to the slightly weaker assumption that it requires.

Improving the Complexity in the Number of Parties. Our first construction requires a number of random bits from the seed oracle that scales linearly in the number of parties. Is this necessary? We prove that it is not by devising a mechanism to deal matrices $(A_i, B_i)_{i\in [N]}$ that satisfy the properties necessary for the security of the protocol using just $O(\log N)\cdot \textsf{poly}(\lambda )$ uniformly random bits from the seed oracle. We leverage the fully homomorphic encryption (FHE) scheme Gentry et al. [20], hereafter called GSW.

In the GSW FHE scheme, the public key is a uniform-looking matrix $U\in \mathbb {Z}_q^{\varDelta \times M}$ for some $\varDelta \in \mathbb {N}$. An encryption of a bit b under U consists of

$$\begin{aligned} U\cdot R+b\cdot G \end{aligned}$$

where is a random binary matrix and $G\in \mathbb {Z}_q^{\varDelta \times \varDelta \log q}$ is the gadget matrix, i.e. a matrix for which there exists an efficient deterministic algorithm $G^{-1}$ that produces a binary matrix $X'\in \mathbb {Z}_2^{\varDelta \cdot \log q \times M'}$ such that $G\cdot X'=Y'$ for any input $Y'\in \mathbb {Z}_q^{\varDelta \times M'}$ and some $M'\in \mathbb {N}$. Under the hardness of LWE, all ciphertexts look like random matrices over $\mathbb {Z}_q^{\varDelta \times \varDelta \cdot \log q}$. Furthermore, due to the homomorphic properties of this scheme, there exists an efficient algorithm $\textsf{Eval} $ that takes as input the encryptions of bits $b_1, \dots , b_t$ under a public key U and the description of a function $f:\{0,1\}^t\rightarrow \{0,1\}$, and produces a ciphertext $Z_f=U\cdot R_f+f(b_1, \dots , b_t)\cdot G$ where $R_f$ is a small norm matrix.

We modify the seed oracle so that it provides $\log N+1$ random matrices

$$\begin{aligned} X_1, \dots , X_{\log N}\in \mathbb {Z}_q^{(K+V)\times (K+V)\log q} \qquad \text {and}\qquad Y\in \mathbb {Z}_q^{(K+V)\times M}. \end{aligned}$$

The parties regard $X_1, \dots , X_{\log N}$ as GSW ciphertexts with $\varDelta =K+V$,^{Footnote 7} and each party $P_j$ obtains its matrices $(A_j, B_j)$ by computing

$$\begin{aligned} (A_j^\intercal \mathbin {\Vert } B_j^\intercal )^\intercal = Z_j\leftarrow \textsf{Eval} (\delta _j, X_1, \dots , X_{\log N})\cdot G^{-1}(Y). \end{aligned}$$

where $\delta _j$ denotes the Kronecker delta function centered on j. We assume that $\delta _j$ takes as input $\log N$ bits and regards them as the description of an integer in [N]. Note that $A_j$ comprises the first K rows of $Z_j$ and $B_j$ the last V rows.

In the ideal world, the simulator determines the GSW public key U by sampling the first K rows uniformly over $\mathbb {Z}_q^{K\times M}$ (we denote these rows by $U_1$) and setting the last V rows to be $U_2\leftarrow S\cdot U_1+E$, where E is a discrete Gaussian sample over $\mathbb {Z}^{V\times M}$. Under LWE, U is indistinguishable from a uniformly sampled public key. Next, the simulator generates $X_1, \dots , X_{\log N}$ by encrypting the bits of $\iota $ under U; recall that $\iota $ is the index of the honest party chosen by the simulator. It also samples the matrix Y together with a trapdoor $T'$ that allows the simulator to compute preimages with respect to Y that are indistinguishable from discrete Gaussian samples.

The correctness of FHE evaluation implies that for any $j\ne \iota $,

$$\begin{aligned} B_j=U_2\cdot R_{\delta _j}\cdot G^{-1}(Y)=S\cdot (U_1\cdot R_{\delta _j} \cdot G^{-1}(Y))+E\cdot R_{\delta _j} \cdot G^{-1}(Y)\sim S\cdot A_j. \end{aligned}$$

In other words, the trapdoor function $f_j$ is in lossy mode with respect to S. On the other hand, if we denote the first K rows of G and Y by $G_1$ and $Y_1$ respectively, and the last V rows by $G_2$ and $Y_2$, we have

$$\begin{aligned}A_\iota -Y_1&= U_1\cdot R_{\delta _\iota }\cdot G^{-1}(Y)+G_1\cdot G^{-1}(Y)-Y_1=U_1\cdot R_{\delta _\iota }\cdot G^{-1}(Y),\\ B_\iota -Y_2&=U_2\cdot R_{\delta _\iota }\cdot G^{-1}(Y)+G_2\cdot G^{-1}(Y)-Y_2\\ &=S\cdot (U_1\cdot R_{\delta _\iota } \cdot G^{-1}(Y))+E\cdot R_{\delta _\iota } \cdot G^{-1}(Y)\sim S\cdot (A_\iota -Y_1). \end{aligned}$$

In other words, $f_\iota $ is the sum of two trapdoor functions, one in injective mode (described by the matrix Y) and one in lossy mode with respect to S, and the simulator’s trapdoor for $f_\iota $ is now $T'$ rather than $T_\iota $. The lossy-mode component of $f_\iota $ clearly introduces some error terms into the output, but we can correct them together with the bias introduced by the adversary via $(\boldsymbol{e_\ell })_{\ell \in [L]}$.

The Stretch of our Second Construction. Like our first construction, this construction produces $L\cdot (K\cdot \log q+V\cdot \log p)$ random bits, but the number of bits provided by the seed oracle has been reduced to

$$\begin{aligned} \log N\cdot (K+V)^2\cdot \log q+ (K+V)\cdot M\cdot \log q+ (K+V)\cdot W\cdot \log q\end{aligned}$$

(3)

for the matrices $(X_1, \dots , X_{\log N}, Y, C, D)$, and $L\cdot W\cdot \textsf{poly}(\lambda )=L\cdot K\cdot \log q\cdot \textsf{poly}(\lambda )$ for the discrete Gaussian samples $(\boldsymbol{e_\ell })_{\ell \in [L]}$. As before, (3) is independent of L and the number of bits necessary for the discrete Gaussian samples is independent of V; we can again pick L and V to be sufficiently large so that $L\cdot (K\cdot \log q+V\cdot \log p)$ becomes arbitrarily greater than (3) and $L\cdot (K\cdot \log q+V\cdot \log p)$ becomes arbitrarily greater than $L\cdot W\cdot \textsf{poly}(\lambda )$. This proves that our construction achieves an arbitrary polynomial stretch.

Final Remarks. Due to the noise growth induced by homomorphically evaluating the Kronecker delta function, it no longer suffices to assume the hardness of LWE with a superpolynomial modulus-to-noise ratio. The Kronecker delta function over the domain [N] has a multiplicative depth of $O(\log N)$. If we assume that $N\in \textsf{poly}(\lambda )$ then the depth is $O(\log \lambda )$ and in the simulation, the size of the noise in the GSW ciphertexts $Z_1, \dots , Z_N$ increases by a factor $O(\log \lambda )$ relative to our first construction. Since the magnitude of the noise is now quasipolynomial, we must select a modulus-to-noise ratio that is greater than quasipolynomial in order to guarantee the correctness of the simulation with overwhelming probability. We will formalize our second construction in Sect. 3 and show in that section that the hardness of LWE with a subexponential modulus-to-noise ratio is sufficient.

Theorem 2.5

(Informal Version of Theorem 3.3). If the subexponential LWE assumption holds, then there exists a fully-secure N-party protocol in the $\mathcal {F}_{\textsf{Coin}}^n $-hybrid model that UC-realizes $\mathcal {F}_{\textsf{Coin}}^m$ in the presence of a malicious PPT adversary adaptively corrupting $N-1$ parties.

2.4 A Lower Bound for Statistical Coin Tossing Extension

We now focus our attention on information-theoretic CTE. Hofheinz et al. [23] proved that perfectly secure CTE is impossible in any model and that statistically secure CTE is impossible in the UC model, and constructed one-round statistically secure CTE with $O(\log \lambda )$ additive stretch and black-box standalone simulation. We ask whether one-round statistically secure CTE with $\omega (\log \lambda )$ additive stretch is possible, and prove that if we insist upon black-box simulation, then it is not.

Theorem 2.6

Every r-round CTE protocol with one call to the seed oracle and black-box standalone statistical simulation security against semi-malicious adversaries who corrupt a majority of parties must have additive stretch in $O(r\cdot \log \lambda )$.

Tools and Notation. Consider any r-round statistically secure CTE protocol with black-box simulation and a single call to the seed oracle. Due to Theorem 2.2, we can assume without loss of generality that the parties stop interacting after the call to the seed oracle. Let $\boldsymbol{s}$ denote the output of the protocol, let $\boldsymbol{u}$ be the random coins provided by the seed oracle. For every $i\in [r]$, let $U_H^i$ and $U_C^i$ denote all the messages sent by the honest parties and the corrupted parties respectively, up to and including the $i^\text {th}$ round. We consider a very specific and rather unusual adversary (at least, in the context of lower bounds): the adversary that simply follows the protocol as if it was honest, but at the same time uses rushing; i.e., it reveals the messages of the corrupted players only after seeing the messages of the honest parties. Considering this extremely weak type of adversary makes our lower bound stronger. Our argument focuses on the information diagram [35] of the protocol, and it is reminiscent of a technique used by Abram et al. [3].^{Footnote 8} We will make use of a handful of basic tools and lemmas from information theory, including Shannon entropy (denoted $\textsf{H}$), and mutual information (denoted $\textsf{I}$); these are reviewed in the full version of our work [2, Section 3.2].

Output Entropy and Round Count. We start by observing that $\boldsymbol{s}$ is uniquely determined by $U_H^r$, $U_C^r$, and $\boldsymbol{u}$. Translating this into entropy, we have $\textsf{H}(\boldsymbol{s}| U_H^r, U_C^r, \boldsymbol{u})=0$ in the real world. In the ideal-world execution, this quantity could be negligibly-far from 0 due to simulation error; we write $\textsf{H}(\boldsymbol{s}| U_H^r, U_C^r, \boldsymbol{u})\sim 0$ to indicate this. We can bound m as follows:

$$\begin{aligned} m\sim \textsf{H}(\boldsymbol{s})&=\texttt {I}(\boldsymbol{s}; (\boldsymbol{u},U_C^r,U_H^r))+\textsf{H}(\boldsymbol{s}| U_H^r, U_C^r, \boldsymbol{u})\nonumber \\ &\sim \texttt {I}(\boldsymbol{s};\boldsymbol{u}|U_C^r,U_H^r)+ \texttt {I}(\boldsymbol{s}; (U_C^r,U_H^r))\nonumber \\ &\le n + \sum _{i=1}^r (\texttt {I}(U_H^i;\boldsymbol{s}|U_H^{i-1},U_C^{i-1})+\texttt {I}(U_C^i;\boldsymbol{s}|U_H^{i},U_C^{i-1})). \end{aligned}$$

(4)

In the second and last inequality, we used the chain rule of mutual information; in the last inequality we also used the fact that $\texttt {I}(\boldsymbol{s};\boldsymbol{u}|U_C^r,U_H^r)\le \textsf{H}(\boldsymbol{u})=n$.

Rewinding-Induced Correlation in the Ideal World. Consider a straight-line ideal-world experiment involving a statistically secure CTE protocol. In round i, the adversary (who essentially behaves honestly), receives the honest parties’ messages $U_H^i$, and then produces the message of corrupt parties $U_C^i$ for round i according to its view, which contains $U_H^{i-1}$ and $U_C^{i-1}$. This necessarily implies that $U_C^{i}$ is independent of $U_H^i$ and $\boldsymbol{s}$, conditioned on $U_H^{i-1}$ and $U_C^{i-1}$. However, the simulator might not be straight-line. We allow it the power to rewind the adversary, which means that it can accept or reject $U_C^i$ based on its knowledge of $\boldsymbol{s}$ and $U_H^i$. This introduces some correlation between the variables.

Each time the experiment is rewound, the adversary samples a fresh $U_C^i$ that is independent of $U_H^i$, $\boldsymbol{s}$, and all of the messages it produced in the previous rewindings, conditioned on $U_H^{i-1}$ and $U_C^{i-1}$. Because of this independence and the fact that the number of rewindings is upper bounded by the running time Q of the simulator, the simulator can induce at most $\log Q$ bits of correlation between $U_C^i$ and $(U_H^i,\boldsymbol{s})$, conditioned on $U_H^{i-1}$ and $U_C^{i-1}$. That is, when $Q=\textrm{poly}(\lambda )$, $\texttt {I}(U_C^i; (U_H^i, \boldsymbol{s})| U_H^{i-1}, U_C^{i-1})\le O(\log \lambda )$. By the chain rule of mutual information, this implies

$$\begin{aligned}\texttt {I}(U_C^i; \boldsymbol{s}| U_H^{i}, U_C^{i-1})\le \texttt {I}(U_C^i; (U_H^i, \boldsymbol{s})| U_H^{i-1}, U_C^{i-1})\le O(\log \lambda ).\end{aligned}$$

Since we are considering an honestly-behaving adversary in the dishonest-majority setting, our entropy diagram must be symmetric: we can switch the roles of honest and corrupted parties. This leads us to conclude that $\texttt {I}(U_H^i; \boldsymbol{s}| U_H^{i-1}, U_C^{i-1})\le \texttt {I}(U_H^i; (U_C^i, \boldsymbol{s})| U_H^{i-1}, U_C^{i-1})\le O(\log \lambda )$.

Putting It All Together. In the ideal world, we can now use the bounds $\texttt {I}(U_C^i; \boldsymbol{s}| U_H^{i}, U_C^{i-1})\le O(\log \lambda )$ and $\texttt {I}(U_H^i; \boldsymbol{s}| U_H^{i-1}, U_C^{i-1})\le O(\log \lambda )$ for all $i\in [r]$ in Eq. 4, to get the required bound $m\le n+r\cdot O(\log (\lambda ))$. This result is formalized in the full version of our work [2, Section 8].

2.5 One-Round Unbiased Sampling from Any Distribution

Our results so far have shown that in the dishonest majority setting, it is possible to simulatably sample m-bit random strings with guaranteed output delivery and no adversarial bias, assuming the existence of a seed oracle that produces $n\ll m$ unbiased random coins. Moreover, this can be done with a single round of interaction followed by one call to the seed oracle. We ask a final question: is there anything special about the uniform distribution, or can we actually sample values from any distribution with the same security guarantees, in the same setting? Specifically, given any efficient distribution $\mathcal {D}$, is it possible for N parties to agree on a random sample from $\mathcal {D}$ with the help of a uniform seed oracle, while leaking no additional information and allowing no bias, and denying the adversary the power to abort, even if it corrupts all of the parties but one? Can we achieve this using a single round of interaction? We prove that under strong cryptographic assumptions, this is indeed possible!

Theorem 2.7

(Informal Version of [2, Theorem 9.5]). Let $\mathcal {D}$ be an efficient distribution. Assuming the existence of indistinguishability obfuscation, injective length-doubling PRGs, and indistinguishability-preserving distributed samplers [5], there exists a one-round N-party protocol in the $\mathcal {F}_{\textsf{Coin}}^n $-hybrid CRS model that UC-realizes the functionality $\mathcal {F}_{\mathsf {\mathcal {D}}}$ that provides all parties with a sample from $\mathcal {D}$ in the presence of a malicious PPT adversary statically corrupting up to $N-1$ parties.

Indistinguishability-Preserving Distributed Samplers. Distributed samplers [3,4,5] are one-round protocols that securely sample a common output from some distribution $\mathcal {D}$. Though several security definitions have been proposed for this primitive, our final protocol relies specifically upon indistinguishability-preserving distributed samplers [5], which are known to exist in the CRS model under a combination of subexponentially secure indistinguishability obfuscation, multi-key FHE, extremely lossy functions [36], and other, weaker tools. Unlike other flavors of distributed sampler, indistinguishability-preserving ones do not require idealized models such as the random oracle. Suppose that $\varPi $ is an r-round protocol relying on a CRS sampled from $\mathcal {D}$, and that $\varPi $ realizes some functionality $\mathcal {F}_{\mathsf {}}$. If $\varPi $ satisfies some particular properties, indistinguishability-preserving distributed samplers permit us to compile $\varPi $ into an $r+1$-round protocol realizing the same functionality $\mathcal {F}_{\mathsf {}}$. This new protocol will rely on a simpler CRS that is reusable, unstructured (i.e. uniformly distributed), and of length independent of $\mathcal {D}$ and $\varPi $. In our setting, we can generate this simpler CRS for the compiled protocol by a making once-and-for-all call to the seed oracle.

The Protocol We Will Compile. The protocol $\varPi $ that we will compile has zero rounds of communication. The CRS consists of an obfuscated program that hides a puncturable PRF key. When provided with a $\lambda $-bit string $\boldsymbol{s}$ as input, this program evaluates the puncturable PRF on $\boldsymbol{s}$ and uses the result to compute a sample from $\mathcal {D}$, which is the program’s output. In our zero-round protocol, the parties generate $\boldsymbol{s}$ by calling the seed oracle, feed $\boldsymbol{s}$ into the obfuscated program that is encoded in the CRS, and output the result.

It is easy to see that forgoing protocol realizes the functionality $\mathcal {F}_{\mathsf {\mathcal {D}}}$. The simulator must simply sample a random $\boldsymbol{\hat{s}}$ and modify the obfuscated program so that it outputs the sample chosen by the functionality on input $\boldsymbol{\hat{s}}$. Then, when the parties call the seed oracle, the simulator provides $\boldsymbol{\hat{s}}$. Since our protocol is zero rounds before compilation, it will have one round after compilation, with calls to the seed oracle at the beginning and end.

In the full version of our work [2, Section 9], we formalize the above intuition and prove that the zero-round protocol satisfies the conditions required by indistinguishability-preserving distributed samplers. This is why we construct such an unusual zero-round protocol, rather than the trivial protocol that simply provides a sample from $\mathcal {D}$ as a CRS for the parties to output: the latter trivial protocol clearly implements $\mathcal {F}_{\mathsf {\mathcal {D}}}$, but it cannot be compiled by an indistinguishability-preserving distributed sampler, because if $\mathcal {D}$ outputs random strings of bits, then the result would be a fully-secure coin tossing protocol that contradicts Cleve’s impossibility [17].

3 One-Round, One-Sample Adaptive Coin Tossing Extension from LWE

In this section, we present our construction for one-round one-query CRS-free CTE with universally composable security against adaptive adversaries, from subexponential LWE. We previously overviewed this construction in Sect. 2.3, and invite the reader to review the basic definitions and common tools we use in the full version of our work [2, Section 3.1, 3.3]. We begin with our protocol, then prove it secure and show by corollary the class of explainable extractors that it implies.

The following theorem essentially formalizes Theorem 2.5.

Theorem 3.3

Assuming the hardness of the Learning with Errors (LWE) problem with a subexponential modulus-to-noise ratio (see [2, Definition 3.3]), Protocol 3.1 UC-realizes $\mathcal {F}_{\textsf{Coin}}^m$ among N parties in the $\mathcal {F}_{\textsf{Coin}}^n $-hybrid model, with security against a malicious PPT adversary adaptively corrupting up to $N-1$ parties. For any function $\eta =\textsf{poly}(\lambda )$, if we set $s_1=\sqrt{K\cdot \log q}\cdot \log K$, $M=\beta \cdot (K+V)\cdot \log q$, $W=\beta \cdot K\cdot \log q$, $V=(\eta \cdot \lambda ^2-1)\cdot K\cdot t$, and $L=\eta ^2\cdot t^3\cdot \lambda ^2\cdot \log N\cdot K$, then the multiplicative stretch of the construction is $m/(t\cdot n)=\varOmega (\eta )$.

Proof

We start by proving security. Let $\iota $ be the index of a party that is honest in the first round of the protocol. Define $\alpha :=2^{-\omega (\log ^2 \lambda )}$ and set $s_2\leftarrow \alpha \cdot q$. Let $\chi _2$ be $\mathcal {D}_{\mathbb {Z}, s_2}$. We proceed to prove security using a sequence of indistinguishable hybrids starting from the real world and arriving at the ideal world.

Hybrid $\mathcal {H}_{0}$. This hybrid corresponds to the real execution of the protocol.

Hybrid $\mathcal {H}_{1}$. In this hybrid, whenever a party $P_i$ is corrupted after sending $(\boldsymbol{x_{i, \ell }})_{\ell \in [L]}$, instead of providing the randomness used to produce these values, we provide the adversary with for every $\ell \in [L]$ ( is an algorithm that produces random-looking coins that, when input in $\chi _0^M$, produce $\boldsymbol{x_{i, \ell }}$). This hybrid is indistinguishable from $\mathcal {H}_{0}$ due to the explainability of discrete Gaussians [6, 19].

Hybrid $\mathcal {H}_{2}$. In this hybrid, instead of providing the adversary with the randomness that produces $(\boldsymbol{e_{\ell }})_{\ell \in [L]}$, we provide it with for every $\ell \in [L]$. This hybrid is indistinguishable from $\mathcal {H}_{1}$ due to the explainability of discrete Gaussians [6, 19] (see [2, Theorem 3.7]).

Hybrid $\mathcal {H}_{3}$. In this hybrid, we change the distribution of $X_1, \dots , X_{\lceil \log N\rceil }$. In particular, we sample and . We then set $X_j\leftarrow U\cdot R_j+\iota _j\cdot G$ for every $j\in [\lceil \log N\rceil ]$ where $\iota _j$ denote the j-th bit of $\iota $. $\mathcal {H}_{3}$ is statistically indistinguishable from $\mathcal {H}_{2}$ thanks to the leftover hash lemma (see [2, Lemma 3.4], we are using the fact that $M\ge \beta \cdot (K+V)\cdot \log q$, $\beta >1$ and $K=\varOmega (\lambda )$).

Hybrid $\mathcal {H}_{4}$. In this hybrid, we change the distribution of U and D. In particular, we sample , , and . We then set $U_2\leftarrow S\cdot U_1+E_1$, $U^\intercal \leftarrow (U_1^\intercal \mathbin {\Vert } U_2^\intercal )$ and $D\leftarrow S\cdot C+E_2$. $\mathcal {H}_{4}$ is indistinguishable from $\mathcal {H}_{3}$ thanks to the security of LWE with subexponential modulus-to-noise ratio (see [2, Definition 3.3]).

Hybrid $\mathcal {H}_{5}$. In this hybrid, we change the distribution of C. In particular, we sample it along with a lattice trapdoor, i.e., . This hybrid is statistically indistinguishable from $\mathcal {H}_{4}$ (see [7, 8, 19, 28] and [2, Theorem 3.5], we are using the fact that $W\ge \beta \cdot K\cdot \log q$ and $K=\varOmega (\lambda )$).

Hybrid $\mathcal {H}_{6}$. In this hybrid, we change the distribution of Y. In particular, we sample it along with a lattice trapdoor, i.e., . This hybrid is statistically indistinguishable from $\mathcal {H}_{5}$ (see [7, 8, 19, 28] and [2, Theorem 3.5], we are using the fact that $M\ge \beta \cdot (K+V)\cdot \log q$ and $K=\varOmega (\lambda )$).

Hybrid $\mathcal {H}_{7}$. In this hybrid, we change the distribution of $(\boldsymbol{x_{\iota , \ell }})_{\ell \in [L]}$. In particular, for every $\ell \in [L]$, we sample and . For every $\ell \in [L]$, we set $\boldsymbol{v_\ell ''}\leftarrow S\cdot \boldsymbol{u''_\ell }$ and sample a preimage where $\boldsymbol{w_\ell }$ is the vector obtained by concatenating $\boldsymbol{u_\ell }+\boldsymbol{u_\ell ''}$ and $\boldsymbol{v'_\ell }+\boldsymbol{v_\ell ''}$ (in other words, $\boldsymbol{x_{\iota , \ell }}$ looks like a discrete Gaussian sample such that $Y\cdot \boldsymbol{x_{\iota , \ell }}=\boldsymbol{w_\ell }$). This hybrid is statistically indistinguishable from $\mathcal {H}_{6}$ (see [7, 8, 19, 28] and [2, Theorem 3.5, Lemma 3.4, Lemma 3.6], we are using the fact that $s_0= \sqrt{(K+V)\log q}\cdot \omega (\sqrt{\log (K+V)})$, $M\ge \beta \cdot (K+V)\cdot \log q$, $\beta >1$ and $K=\varOmega (\lambda )$). We observe that the probability that $\Vert \boldsymbol{x_{\iota , \ell }}\Vert _\infty >\sqrt{K}\cdot s_0$ is negligible in $\lambda $ (see [2, Lemma 3.6], we are using the fact that $K=\varOmega (\lambda )$).

Hybrid $\mathcal {H}_{8}$. In this hybrid, we change the distribution of $(\boldsymbol{e_{\ell }})_{\ell \in [L]}$. In particular, for every $\ell \in [L]$, we compute $\boldsymbol{\widetilde{u}_\ell }\leftarrow \boldsymbol{u''_\ell }+\sum _{i\ne \iota }A_i\cdot \boldsymbol{x_{i, \ell }}+U_1\cdot F_\iota \cdot G^{-1}(Y)\cdot \boldsymbol{x_{\iota , \ell }}$ where $R_\iota \leftarrow (\delta _\iota , X_1, \dots , X_{\lceil \log N\rceil },R_1, \dots , R_{\lceil \log N\rceil }, \iota )$ (see Algorithm 3.4). Then, we sample a preimage (in other words, $\boldsymbol{e_{\ell }}$ looks like a discrete Gaussian sample such that $C\cdot \boldsymbol{e_{\ell }}=\boldsymbol{\widetilde{u}_\ell }$). This hybrid is statistically indistinguishable from $\mathcal {H}_{7}$ (see [7, 8, 19, 28] and [2, Theorem 3.5, Lemma 3.4, Lemma 3.6], we are using the fact that $s_1= \sqrt{K\log q}\cdot \omega (\sqrt{\log K})$, $W\ge \beta \cdot K\cdot \log q$, $\beta >1$ and $K=\varOmega (\lambda )$). Observe that $\boldsymbol{x_{\iota , \ell }}$ leaks nothing about $\boldsymbol{u''_\ell }$ as $\boldsymbol{u_\ell }$ and $\boldsymbol{v'_\ell }$ mask all the information.

Claim 3.5

( [20]). Let $X_i=U\cdot R_i+x_i\cdot G$ where $R_i\in \mathbb {Z}_2^{M\times (K+V)\cdot t}$ for every $i\in [m]$. Let $f:Z_q^m\rightarrow \mathbb {Z}_q$ be a function. Then, $\textsf{Eval} (f, X_1, \dots , X_m)=U\cdot R_f+f(\boldsymbol{x})\cdot G$, where $R_f\leftarrow (f, X_1, \dots , X_m, R_1, \dots , R_m, \boldsymbol{x})$.

Proof

For every wire w, let $X_w$ be the matrix associated with w during the execution of $\textsf{Eval} (f, X)$. Let $R_w$ be the second element in the pair associated with w during the execution of $ (f, \boldsymbol{X}, \boldsymbol{R})$. Let $x_w$ be the value associated with w during the evaluation of f(x). We show that for any wire w, we have $X_w=U\cdot R_w+x_w\cdot G$. This true for the input wires, and we show that it holds for every other wire w by induction. Consider the gate that outputs wire w:

If the gate is an addition gate with input wires u, v, then
$$\begin{aligned} X_w&=X_u+X_v=U\cdot R_u+x_u\cdot G+U\cdot R_v+x_v\cdot G\\ &=U\cdot (R_u+R_v)+(x_u+x_v)\cdot G=U\cdot R_w+x_w\cdot G. \end{aligned}$$
If the gate adds a constant $k\in \mathbb {Z}_q$ to a wire u, then
$$\begin{aligned} X_w&=X_u+k\cdot G=U\cdot R_u+x_u\cdot G+k\cdot G\\ &=U\cdot R_u+(x_u+k)\cdot G=U\cdot R_w+x_w\cdot G. \end{aligned}$$
If the gate switches the sign of a wire u, then
$$\begin{aligned} X_w&=-X_u=-U\cdot R_u-x_u\cdot G\\ {} &=U\cdot (-R_u)+(-x_u)\cdot G=U\cdot R_w+x_w\cdot G. \end{aligned}$$
If the gate is a multiplication with input wires u, v, then
$$\begin{aligned} X_w&=X_u\cdot G^{-1}(X_v) =U\cdot R_u\cdot G^{-1}(X_v)+x_u\cdot G\cdot G^{-1}(X_v)\\ &=U\cdot R_u\cdot G^{-1}(X_v)+x_u\cdot X_v\\ &=U\cdot R_u\cdot G^{-1}(X_v)+x_u\cdot (U\cdot R_v+x_v\cdot G)\\ &=U\cdot (R_u\cdot G^{-1}(X_v)+x_u\cdot R_v)+(x_u\cdot x_v)\cdot G = U\cdot R_w+x_w\cdot G. \end{aligned}$$
If the gate multiplies a wire u by a constant $k\in \mathbb {Z}_q$, then
$$\begin{aligned} X_w&=X_u\cdot G^{-1}(k\cdot G)=U\cdot R_u\cdot G^{-1}(k\cdot G) +x_u\cdot G\cdot G^{-1}(k\cdot G)\\ &=U\cdot (R_u\cdot G^{-1}(k\cdot G))+(k\cdot x_u)\cdot G=U\cdot R_w+x_w\cdot G. \end{aligned}$$

This ends the proof of the claim. $\Box $

Let $G_1$ denote the matrix consisting of the first K rows of G. Let $G_2$ be the matrix consisting of the last V rows of G. Let $Y_1$ be the matrix consisting of the first K rows of Y. Let $Y_2$ be the matrix consisting of the last V rows of Y. Observe that, for every $\ell \in [L]$, we have

$$\begin{aligned} &\sum _{i\in [N]} A_i\cdot \boldsymbol{x_{i, \ell }}-C\cdot \boldsymbol{e_{\ell }} = A_\iota \cdot \boldsymbol{x_{\iota , \ell }}- C\cdot \boldsymbol{e_{\ell }}+\sum _{i\ne \iota }A_i\cdot \boldsymbol{x_{i, \ell }}\\ &\quad =U_1\cdot F_\iota \cdot G^{-1}(Y)\cdot \boldsymbol{x_{\iota , \ell }}+\delta _{\iota }(\iota )\cdot G_1\cdot G^{-1}(Y)\cdot \boldsymbol{x_{\iota , \ell }} -\boldsymbol{\widetilde{u}_\ell }+\sum _{i\ne \iota } A_i\cdot \boldsymbol{x_{i, \ell }}\\ &\quad =Y\cdot \boldsymbol{x_{\iota , \ell }}-\boldsymbol{u''_\ell }=\boldsymbol{u_\ell }.\\ \\ &\sum _{i\in [N]} B_i\cdot \boldsymbol{x_{i, \ell }}-D\cdot \boldsymbol{e_{\ell }} = B_\iota \cdot \boldsymbol{x_{\iota , \ell }}- D\cdot \boldsymbol{e_{\ell }}+\sum _{i\ne \iota } B_i\cdot \boldsymbol{x_{i, \ell }}\\ &\quad =\sum _{i\in [N]}\bigl (U_2\cdot F_i\cdot G^{-1}(Y)\cdot \boldsymbol{x_{i, \ell }}+\delta _{i}(\iota )\cdot G_2\cdot G^{-1}(Y)\cdot \boldsymbol{x_{i, \ell }}\bigr )-(S\cdot C+E_2)\cdot \boldsymbol{e_{\ell }}\\ &\quad =\sum _{i\in [N]}(S\cdot U_1+E_1)\cdot F_i\cdot G^{-1}(Y)\cdot \boldsymbol{x_{i, \ell }}+ Y_2\cdot \boldsymbol{x_{\iota , \ell }}-(S\cdot C+E_2)\cdot \boldsymbol{e_{\ell }}\\ &\quad =\boldsymbol{v'_\ell }+ \boldsymbol{v''_\ell }+S\cdot \Big (\sum _{i\in [N]} U_1\cdot F_i\cdot G^{-1}(Y)\cdot \boldsymbol{x_{i, \ell }}-C\cdot \boldsymbol{e_\ell }\Big )\\ &\quad +\sum _{i\in [N]} E_1\cdot F_i\cdot G^{-1}(Y)\cdot \boldsymbol{x_{i, \ell }}-E_2\cdot \boldsymbol{e_{\ell }}\\ &\quad ~=\boldsymbol{v'_\ell }+S\cdot \boldsymbol{u''_\ell }+S\cdot \Big (U_1\cdot F_\iota \cdot G^{-1}(Y)\cdot \boldsymbol{x_{\iota , \ell }}+\sum _{i\ne \iota } A_i\cdot \boldsymbol{x_{i, \ell }}-\boldsymbol{\widetilde{u}_\ell }\Big )\\ &\quad +\sum _{i\in [N]} E_1\cdot F_i\cdot G^{-1}(Y)\cdot \boldsymbol{x_{i, \ell }}-E_2\cdot \boldsymbol{e_{\ell }}\\ &\quad =\boldsymbol{v'_\ell }+\sum _{i\in [N]} E_1\cdot F_i\cdot G^{-1}(Y)\cdot \boldsymbol{x_{i, \ell }}-E_2\cdot \boldsymbol{e_{\ell }}. \end{aligned}$$

If $\varGamma $ is an upper-bound on $\Vert F_i\Vert _\infty $ for every $j\in [N]$, the bound on discrete Gaussians [9, 31] summarised in [2, Lemma 3.6] implies a polynomial $c(\lambda )$ such that for every $\ell \in [L]$, with overwhelming probability,

$$\begin{aligned}&\left\Vert \sum _{i\in [N]} E_1\cdot F_i\cdot G^{-1}(Y)\cdot \boldsymbol{x_{i, \ell }}-E_2\cdot \boldsymbol{e_{\ell }}\right\Vert _\infty \\ &\le M^{\frac{5}{2}} \sqrt{M+W} (K+V) t\cdot s_0\cdot \varGamma \cdot \alpha q+W^{\frac{3}{2}}\sqrt{M+W}s_1\cdot \alpha q\\ &\le c\cdot \varGamma \cdot \alpha q.\end{aligned}$$

If we compute $\delta _i$ as in Protocol 3.1, then for every $i\in [N]$,

$$\begin{aligned} \Vert F_i\Vert _\infty \le ((K+V)\cdot t)^{\lceil \log N\rceil } \end{aligned}$$

Since N, K, V and t are polynomial quantities in $\lambda $, we have $\Vert F_i\Vert _\infty \le 2^{O(\log ^2\lambda )}$.

Hybrid $\mathcal {H}_{9}$. In this hybrid, we changed the distribution of $(\boldsymbol{v'_\ell })_{\ell \in [L]}$. Specifically, for every $\ell \in [L]$, first, we sample and then, we set $\boldsymbol{v_\ell '}$ to be a random element in $\mathbb {Z}_q^V$ such that $\lceil \boldsymbol{v_\ell '}+\boldsymbol{z}\rfloor _p=\boldsymbol{v_\ell }$ for every $\boldsymbol{z}\in \mathbb {Z}^V$ having $\Vert \boldsymbol{z}\Vert _\infty \le c\cdot \varGamma \cdot \alpha \cdot q$. This hybrid is statistically indistinguishable from $\mathcal {H}_{8}$. Indeed, since $\alpha (\lambda ), 1/q(\lambda )\le \textsf{negl}(\lambda )$, the statistical distance between the distribution of $\boldsymbol{v'_\ell }$ in this hybrid and in the previous one is upper-bounded by

$$\begin{aligned} V\cdot p\cdot \frac{2c\cdot \alpha \cdot q+1}{q}\le \textsf{negl}(\lambda ). \end{aligned}$$

This is because each entry of $\boldsymbol{v'_\ell }$ is now uniformly distributed over a set with $q-p\cdot (2c\cdot \alpha \cdot q+1)$ (i.e. all the elements in $\mathbb {Z}_q$ except those that have distance smaller than $c\cdot \alpha \cdot q$ from q/4 and (3/4)q). $\mathcal {H}_{9}$ corresponds to the ideal execution of the protocol. The simulation strategy is sketched in simulator 3.6.

We now analyse our protocol’s stretch. The number of seed bits is

$$\begin{aligned} n=O\Bigl (\log N\cdot (K+V)\cdot M\cdot t+(K+V)\cdot W\cdot t+L\cdot W\cdot \lambda ^2+L\cdot W\cdot \lambda \cdot \log s_1\Bigr ). \end{aligned}$$

If $s_1=\sqrt{K\cdot \log q}\cdot \log K$, $M=\beta \cdot (K+V)\cdot \log q$ and $W=\beta \cdot K\cdot \log q$, then

$$\begin{aligned} n=O\Bigl ( \log N\cdot (K+V)^2\cdot t^2+ L\cdot K\cdot t\cdot (\lambda ^2+\lambda \cdot \log K+\lambda \cdot \log t)\bigr )\Bigr ). \end{aligned}$$

Now, t, K are polynomial quantities in $\lambda $, so $\log t, \log K\in O(\log \lambda )$, and thus

$$\begin{aligned} n=O\Bigl ( \log N\cdot (K+V)^2\cdot t^2+ L\cdot K\cdot t\cdot \lambda ^2\Bigr ). \end{aligned}$$

The number of coins produced by the protocol is $L\cdot (K\cdot t+ V)$, which implies that if we pick $V=(\eta \cdot \lambda ^2-1)\cdot K\cdot t$ and $L=\eta ^2\cdot t^3\cdot \lambda ^2\cdot \log N\cdot K$, then the multiplicative stretch of our construction becomes $\varOmega (\eta )$. $\Box $

Corollary 3.7

Under the hardness of LWE with a subexponential modulus-to-noise ratio, for any polynomial function $N(\lambda )$, there exists a polynomial $L(\lambda )$ and a computational explainable extractor for the class of entropy sources $\mathcal {S}$, such that for every $S\in \mathcal {S}$, there exist $i\in [N]$ and a PPT algorithm $\mathcal {M}$ such that the source S can be sampled as follows:

1.
2.
3.
Output $(\boldsymbol{x_1}, \dots , \boldsymbol{x_N}), \textsf{aux}$.

Notes

1.
Hofheinz et al. [23] proved that Protocol 1.1 can in fact be simulated for some parameterizations, but not all.
2.
Other models exist that achieve a similar goal. UC security is always black-box.
3.
Also known as the Hidden Subgroup Assumption.
4.
$f^{-1}$ may be non-deterministic.
5.
Note that in this provisional version, the output length is linear in L but the seed length is independent of L; the analysis of the final protocol’s stretch will be more complex.
6.
For convenience, we say that the seed oracle outputs discrete Gaussian samples directly, but in order to meet the definition of a seed oracle it must actually output uniform coins from which such samples can be calculated. We highlight that discrete Gaussians are explainable distributions [6]. In other words, given a Gaussian sample $\boldsymbol{e}$, we are able to efficiently produce coins that produce the sample $\boldsymbol{e}$ when provided as randomness for the distribution, and the distribution of these coins is uniform, as required.
7.
Note that in the real world, these “ciphertexts” are uniformly random and there is no public key corresponding to them.
8.
Our setting is simpler since we consider only statistical security, but on the other hand Abram et al. focused on the one-round setting, whereas our argument applies to protocols with multiple rounds.

References

Abram, D., Damgård, I., Orlandi, C., Scholl, P.: An algebraic framework for silent preprocessing with trustless setup and active security. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part IV. LNCS, vol. 13510, pp. 421–452. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15985-5_15
Chapter Google Scholar
Abram, D., Doerner, J., Ishai, Y., Narayanan, V.: Constant-Round Simulation-Secure Coin Tossing Extension with Guaranteed Output. Cryptology ePrint Archive, 2024 (2024)
Google Scholar
Abram, D., Obremski, M., Scholl, P.: On the (Im)possibility of Distributed Samplers: Lower Bounds and Party-Dynamic Constructions. Cryptology ePrint Archive, Paper 2023/863 (2023)
Google Scholar
Abram, D., Scholl, P., Yakoubov, S.: Distributed (correlation) samplers: how to remove a trusted dealer in one round. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part I. LNCS, vol. 13275, pp. 790–820. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-06944-4_27
Chapter Google Scholar
Abram, D., Waters, B., Zhandry, M.: Security-preserving distributed samplers: how to generate any CRS in one round without random oracles. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023. LNCS, vol. 14081, pp. 489–514. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38557-5_16
Chapter Google Scholar
Agrawal, S., Wichs, D., Yamada, S.: Optimal broadcast encryption from LWE and pairings in the standard model. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12550, pp. 149–178. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64375-1_6
Chapter Google Scholar
Ajtai, M.: Generating hard instances of the short basis problem. In: Wiedermann, J., van Emde Boas, P., Nielsen, M. (eds.) ICALP 1999. LNCS, vol. 1644, pp. 1–9. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48523-6_1
Chapter Google Scholar
Alwen, J., Peikert, C.: Generating shorter bases for hard random lattices. In: STACS (2009)
Google Scholar
Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Mathematische Annalen (1993)
Google Scholar
Barak, B., et al.: On the (Im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1
Chapter Google Scholar
Bellare, M., Garay, J.A., Rabin, T.: Distributed pseudo-random bit generators - a new way to speed-up shared coin tossing. In: Burns, J.E., Moses, Y. (eds.) 15th ACM PODC, pp. 191–200. ACM, August 1996. https://doi.org/10.1145/248052.248090
Blum, M.: Coin flipping by telephone. In: Proceedings IEEE Spring COMPCOM, pp. 133–137 (1982)
Google Scholar
Buchbinder, N., Haitner, I., Levi, N., Tsfadia, E.: Fair coin flipping: tighter analysis and the many-party case. In: Klein, P.N. (ed.) 28th SODA, pp. 2580–2600. ACM-SIAM, January 2017. https://doi.org/10.1137/1.9781611974782.170
Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000). https://doi.org/10.1007/s001459910006
Article MathSciNet Google Scholar
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press, October 2001. https://doi.org/10.1109/SFCS.2001.959888
Castagnos, G., Laguillaumie, F.: Linearly homomorphic encryption from $\sf DDH$. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 487–505. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_26
Chapter Google Scholar
Cleve, R.: Limits on the security of coin flips when half the processors are faulty (extended abstract). In: 18th ACM STOC, pp. 364–369. ACM Press, May 1986. https://doi.org/10.1145/12130.12168
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
Article MathSciNet Google Scholar
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 197–206. ACM Press (2008). https://doi.org/10.1145/1374376.1374407
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5
Chapter Google Scholar
Goldreich, O.: Foundations of Cryptography: Basic Applications, vol. 2. Cambridge University Press, Cambridge, UK (2004)
Book Google Scholar
Goyal, V., Lee, C.K., Ostrovsky, R., Visconti, I.: Constructing non-malleable commitments: a black-box approach. In: 53rd FOCS, pp. 51–60. IEEE Computer Society Press, October 2012. https://doi.org/10.1109/FOCS.2012.47
Hofheinz, D., Müller-Quade, J., Unruh, D.: On the (Im-)possibility of extending coin toss. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 504–521. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_30
Chapter Google Scholar
Impagliazzo, R., Levin, L.A., Luby, M.: Pseudo-random generation from one-way functions (extended abstracts). In: 21st ACM STOC, pp. 12–24. ACM Press, May 1989. https://doi.org/10.1145/73007.73009
Ishai, Y., Ostrovsky, R., Zikas, V.: Secure multi-party computation with identifiable abort. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 369–386. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_21
Chapter Google Scholar
Ladner, R.E., Dwork, C. (eds.): 40th ACM STOC. ACM Press, May 2008
Google Scholar
Lindell, Y.: Parallel coin-tossing and constant-round secure two-party computation. J. Cryptol. 16(3), 143–184 (2003). https://doi.org/10.1007/s00145-002-0143-7
Article MathSciNet Google Scholar
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Chapter Google Scholar
Nisan, N., Zuckerman, D.: Randomness is linear in space. J. Comput. Syst. Sci. 52(1), 43–52 (1996). https://doi.org/10.1006/jcss.1996.0004
Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16
Chapter Google Scholar
Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8
Chapter Google Scholar
Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_31
Chapter Google Scholar
Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 187–196. ACM Press, May 2008. https://doi.org/10.1145/1374376.1374406
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, May 2005. https://doi.org/10.1145/1060590.1060603
Yeung, R.: A new outlook on Shannon’s information measures. IEEE Trans. Inf. Theory 37(3), 466–474 (1991). https://doi.org/10.1109/18.79902
Article MathSciNet Google Scholar
Zhandry, M.: The magic of ELFs. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 479–508. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_18
Chapter Google Scholar

Download references

Acknowledgements

Damiano Abram was supported by a GSNS travel grant from Aarhus University, by the Aarhus University Research Foundation (AUFF) and by the Independent Research Fund Denmark (DFF) under project number 0165-00107B (C3PO). Jack Doerner was supported by the ERC projects NTSC (742754) and HSS (852952), ISF grant 2774/20, the Azrieli Foundation, and the Brown University Data Science Institute. Yuval Ishai was supported by ERC grant NTSC (742754), BSF grant 2022370, ISF grant 2774/20, and ISF-NSFC grant 3127/23. Varun Narayanan was supported by NSF grants CNS-2246355, CCF-2220450, and CNS-2001096.

Author information

Authors and Affiliations

Aarhus University, Aarhus, Denmark
Damiano Abram
Technion, Haifa, Israel
Jack Doerner & Yuval Ishai
Reichman University, Herzliya, Israel
Jack Doerner
Brown University, Providence, USA
Jack Doerner
University of California, Los Angeles, USA
Varun Narayanan

Authors

Damiano Abram
View author publications
You can also search for this author in PubMed Google Scholar
Jack Doerner
View author publications
You can also search for this author in PubMed Google Scholar
Yuval Ishai
View author publications
You can also search for this author in PubMed Google Scholar
Varun Narayanan
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Damiano Abram .

Editor information

Editors and Affiliations

Zama, Paris, France
Marc Joye
Ruhr University Bochum, Bochum, Germany
Gregor Leander

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Abram, D., Doerner, J., Ishai, Y., Narayanan, V. (2024). Constant-Round Simulation-Secure Coin Tossing Extension with Guaranteed Output. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14655. Springer, Cham. https://doi.org/10.1007/978-3-031-58740-5_5

Download citation

DOI: https://doi.org/10.1007/978-3-031-58740-5_5
Published: 29 April 2024
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-58739-9
Online ISBN: 978-3-031-58740-5
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

Constant-Round Simulation-Secure Coin Tossing Extension with Guaranteed Output

Abstract

1 Introduction

2 Technical Overview

2.1 The Round Structure of CTE Protocols

Theorem 2.2

2.2 Coin Tossing Extension and Explainable Extractors

2.3 Computational Coin Tossing Extension with Long Stretch

Corollary 2.3

Theorem 2.4

Theorem 2.5

2.4 A Lower Bound for Statistical Coin Tossing Extension

Theorem 2.6

2.5 One-Round Unbiased Sampling from Any Distribution

Theorem 2.7

3 One-Round, One-Sample Adaptive Coin Tossing Extension from LWE

Theorem 3.3

Proof

Claim 3.5

Proof

Corollary 3.7

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation