A fair two-party coin tossing protocol is one in which both parties output the same bit that is almost uniformly distributed (i.e., it equals 0 and 1 with probability that is at most negligibly far from one half). It is well known that it is impossible to achieve fair coin tossing even in the presence of fail-stop adversaries (Cleve, FOCS 1986). In fact, Cleve showed that for every coin tossing protocol running for r rounds, an efficient fail-stop adversary can bias the output by Ω(1/r). Since this is the best possible, a protocol that limits the bias of any adversary to O(1/r) is called optimally-fair. The only optimally-fair protocol that is known to exist relies on the existence of oblivious transfer, because it uses general secure computation (Moran, Naor and Segev, TCC 2009). However, it is possible to achieve a bias of O(1/√r) in r rounds relying only on the assumption that there exist one-way functions. In this paper we show that it is impossible to achieve optimally-fair coin tossing via a black-box construction from one-way functions for r that is less than O(n/log n), where n is the input/output length of the one-way function used. An important corollary of this is that it is impossible to construct an optimally-fair coin tossing protocol via a black-box construction from one-way functions whose round complexity is independent of the security parameter n determining the security of the one-way function being used. Informally speaking, the main ingredient of our proof is to eliminate the random oracle from "secure" protocols with "low round-complexity" and simulate the protocol securely against semi-honest adversaries in the plain model. We believe our simulation lemma to be of broader interest.
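To make the gap between the 1/r and 1/√r bias levels concrete, the following added example (not taken from the paper) computes exactly the best bias a fail-stop party can obtain against an idealized majority-of-r-coins protocol. The model is an assumption of this example: each round yields one uniform coin that the adversary sees first, and if it aborts, the honest party replaces that coin and all later ones with its own uniform coins; the function names are hypothetical.

```python
from fractions import Fraction
from math import comb, sqrt


def honest_value(r, i, s):
    """Pr[majority = 1] when s of the first i coins are 1 and the
    remaining r - i coins are uniform (r odd)."""
    need = r // 2 + 1 - s              # ones still required for a majority
    rest = r - i
    if need <= 0:
        return Fraction(1)
    # Empty range (need > rest) gives probability 0.
    return Fraction(sum(comb(rest, k) for k in range(need, rest + 1)), 2 ** rest)


def failstop_bias(r):
    """Exact optimal bias toward 1 for a fail-stop adversary in the assumed
    model. In each round the adversary sees the coin and either lets it stand
    or aborts, after which the honest party finishes with fresh coins."""
    if r < 1 or r % 2 == 0:
        raise ValueError("r must be a positive odd number of rounds")
    # v[s] = best Pr[output = 1] with the adversary still present after i rounds.
    v = [honest_value(r, r, s) for s in range(r + 1)]
    for i in range(r - 1, -1, -1):
        nxt = []
        for s in range(i + 1):
            abort = honest_value(r, i, s)          # value if it aborts this round
            # Round coin is 1 or 0 with probability 1/2 each; the adversary
            # picks the better of "continue" and "abort" after seeing it.
            nxt.append((max(v[s + 1], abort) + max(v[s], abort)) / 2)
        v = nxt
    return v[0] - Fraction(1, 2)


if __name__ == "__main__":
    print(f"{'r':>5} {'bias':>10} {'bias*sqrt(r)':>14} {'1/r':>10}")
    for r in (1, 3, 11, 51, 101, 201):
        b = float(failstop_bias(r))
        print(f"{r:>5} {b:>10.5f} {b * sqrt(r):>14.5f} {1 / r:>10.5f}")
```

In this model the bias stays well above 1/r as r grows, which is the gap an optimally-fair protocol has to close.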