Hello everyone. My name is Mingyuan. Today I will be talking about "Black-box use of one-way functions is useless for optimal fair coin tossing." This is joint work with my advisor Hemanta Maji.

In this work, we will be focusing on two-party fair coin tossing protocols. This is an inputless protocol where Alice and Bob exchange r messages. At the end of the protocol, both parties agree on an output which is either 0 or 1. Fairness requires that even if one party aborts during the execution of the protocol, the other party should still output a bit. Consequently, every party maintains a defense coin, which will be their output if the other party aborts. The insecurity of the protocol is defined as how much an adversary can alter the expected output of the other party.

So let me first tell you about our contribution by positioning it among prior works. Firstly, in the information-theoretic setting, we know that for any protocol, its insecurity is at least a constant. However, if you are willing to assume the existence of one-way functions, then by a sequence of works in the 1980s we have an explicit protocol that achieves 1/√r insecurity. Recall that r is the number of messages exchanged in the protocol. If you are willing to make the stronger assumption that oblivious transfer exists, we also have an explicit protocol that achieves 1/r insecurity. Note that 1/r is smaller than 1/√r. And Cleve showed that 1/r insecurity is unavoidable, by showing that any r-message protocol is at least 1/r insecure. Given this result, it is very natural to ask whether we can construct optimal fair coin tossing protocols based on one-way functions alone. In this work, we partially answer this question by showing that any black-box construction of an optimal fair coin tossing protocol from one-way functions is at least 1/√r insecure.
That is, not only can one-way functions not help to achieve 1/r insecurity, they also cannot help achieve any insecurity lower than 1/√r. For example, they cannot achieve 1/r^(3/4) insecurity. So after three decades, we have now shown that the protocols from the 1980s actually achieve the optimal insecurity. We prove this result by extending the potential-based argument introduced by recent works. I want to stress that this hardness of computation result for fair coin tossing protocols extends naturally to all multi-party randomized functionalities, as long as the honest players are not in the majority.

So now let me formulate this problem in more detail. We consider a fair coin tossing protocol where the parties exchange a total of r messages, and in this talk we will not be restricted to protocols whose output is uniform. So we will use X to denote the expected output of the protocol, and we refer to such protocols as bias-X protocols. As I said, Alice maintains a defense coin, which will be her output if Bob aborts. Note that she might constantly update her defense whenever she prepares a new message. Similarly, Bob sets up his defense. Also, we make one simplification: we shall only consider fail-stop adversaries. That is, the adversary follows the protocol honestly, but may abort prematurely. This simplification can be justified by the following two reasons. Firstly, this weak adversary is actually already powerful enough to carry out the most devastating attack. Secondly, by using private-key cryptographic primitives, we can ensure honest behavior. So Cleve showed that for any r-message fair coin tossing protocol, there exists a computationally efficient fail-stop adversary that alters the expected output by 1/r. Hence, every r-message protocol is at least 1/r insecure, no matter what computational assumption you make.
Therefore, we call an r-message coin tossing protocol an optimal fair coin tossing protocol if it is 1/r insecure. Now let's look at the known constructions that we have. First, if you assume the existence of one-way functions, we have the protocol called the majority protocol. In this protocol, Alice samples private randomness a_i and Bob samples private randomness b_i. In the first round, Alice commits all her private bits a_1, a_2, up to a_r to Bob. Then, alternately, Bob and Alice reveal one bit at a time. At the end of the protocol, the output is the majority of a_1 ⊕ b_1, a_2 ⊕ b_2, and so on. It is known that this majority protocol is 1/√r insecure. On the other hand, if you are willing to assume the existence of oblivious transfer, then in a beautiful work Moran, Naor, and Segev constructed an optimal fair coin tossing protocol. That is, the MNS protocol is 1/r insecure.

So to summarize: on one hand, you have the MNS protocol, which assumes that oblivious transfer exists and achieves the optimal insecurity. On the other hand, you have the majority protocol, which has a higher insecurity but assumes the weaker assumption that one-way functions exist. In theoretical cryptography, a guiding principle is to build primitives using the minimum, or the weakest, hardness of computation assumptions. And if such constructions do not exist, we want to understand what the inherent hurdles are. So the question we are asking here is: can we construct an optimal fair coin tossing protocol from one-way functions, or can we prove that it is inherently impossible? Unfortunately, one cannot prove the negative result unconditionally. One of the prominent ways of studying such questions is through the lens of black-box constructions, introduced by Impagliazzo and Rudich. On a high level, a construction is fully black-box if the construction and the security reduction treat the primitive and the adversary in a black-box manner.
That is, they only care about the input-output behavior of the primitive and the adversary. In light of this, Impagliazzo proposed his well-known five worlds. In the Minicrypt world, we have all the primitives that can be black-box constructed from one-way functions. In the Cryptomania world, we have primitives like key agreement protocols, public-key encryption, and oblivious transfer. None of them can be black-box constructed from one-way functions. Actually, many of the primitives inside Minicrypt were not known to be black-box constructible from one-way functions for a very long time. So for the case of optimal fair coin tossing protocols, is this still the case, that there is a mysterious construction that we have not found yet? Or is there a reason why a black-box construction does not exist? Whether optimal fair coin tossing belongs to Minicrypt or Cryptomania remains one of the major open problems in this field.

In this work, we resolve this problem in the negative, as we prove that every black-box construction of an r-message bias-X fair coin tossing protocol from one-way functions is at least X(1 - X)/√r insecure. The implications of this theorem are, first, that black-box use of one-way functions cannot yield optimal fair coin tossing protocols, and secondly, that the majority protocol is actually, qualitatively, the most secure protocol that one can build using one-way functions in a black-box manner.

Following the paradigm proposed by Impagliazzo and Rudich, we consider the coin tossing protocol in the random oracle model. In this model, Alice and Bob, besides talking to each other, also have black-box access to a random oracle, which is just a function that takes a λ-bit string as input and outputs a λ-bit string, where λ is the security parameter. In this work, Alice and Bob are computationally unbounded.
In an honest execution, Alice and Bob ask polynomially many queries. An adversary, however, may ask additional queries to the random oracle. Intuitively, this models the usefulness of black-box access to an idealized one-way function, because a random oracle is hard to invert even given unbounded computational ability. So our objective is to prove that there exists a fail-stop strategy that asks polynomially many additional queries and alters the expected output by 1/√r.

Let me tell you about the prior works in this setting. In the work by Dachman-Soled, Lindell, Mahmoody, and Malkin, they show that if the message complexity is small, then a fail-stop adversary can alter the expected output by 1/√r. In another work, Dachman-Soled, Mahmoody, and Malkin proved that if the protocol satisfies a special property that they call function oblivious, then a fail-stop adversary can alter the expected output by strictly more than 1/r. Intuitively, function obliviousness requires that the output of the protocol depends solely on the private randomness of each party, but is independent of the instantiation of the random oracle. All the known protocols, for example the majority protocol, are function oblivious. In comparison to these two works, our result resolves this problem in full generality. We impose no restriction on the message complexity or the type of protocol, and our attacker asks only polynomially many additional queries. The insecurity it achieves actually matches the positive result. And our result works for bias-X protocols, where X can be an arbitrary number. In particular, X may depend on the security parameter.
In another relevant work, Haitner, Makriyannis, and Omri proved that there exists a universal constant c such that, for any constant r, the existence of an r-message fair coin tossing protocol with insecurity less than c/√r implies the existence of key agreement protocols. This work is incomparable to our work, as it proves a stronger consequence but for a restricted class of protocols.

So now let me tell you a bit about our technical proof. Recall that we have an r-message bias-X fair coin tossing protocol in the random oracle model. Our objective is to find a fail-stop adversary that asks polynomially many additional queries and alters the expected output by 1/√r. The first issue in the random oracle model is that, conditioned on a public transcript, Alice's and Bob's private views are correlated due to the common private queries they ask the random oracle. So our first step is to make Alice's and Bob's private views independent. This can be done by a tool called the heavy querier. The heavy querier was introduced by Barak and Mahmoody, and it is a standard technique for removing correlations between Alice's and Bob's private views in the random oracle model. The heavy querier has the following properties. First, it is a public algorithm, meaning that it can be performed by either Alice or Bob. It takes the partial transcript as input and outputs a number of query-answer pairs. The heavy querier guarantees that, conditioned on a partial transcript and the heavy querier's message, Alice's and Bob's private views are close to being independent, and the heavy querier asks polynomially many additional queries. We shall use the heavy querier in the following way. Immediately after every protocol message, we invoke the heavy querier and attach its message to the protocol message. So for example, after Alice prepares her first message, she invokes the heavy querier and attaches that message to her first message.
Now this becomes the first message in the augmented protocol. Note that this does not change the message complexity of the protocol. In the augmented protocol, for any partial transcript v, we define the following quantities. First, let p_v denote the probability that the partial transcript v happens. Secondly, we use x_v to stand for the expected output conditioned on this partial transcript v. Lastly, we use a_v and b_v to denote the expectations of Alice's and Bob's defense coins conditioned on this partial transcript. Given these definitions, we are interested in finding a stopping time τ and the following score. A stopping time is just a prefix-free collection of partial transcripts.

Let's take a closer look at our score function. The term a_v - x_v is the change in Alice's expected output if Bob aborts at v. This is because if Bob does not abort at v, then in an honest execution the output of the protocol has expectation x_v by definition. However, if Bob does abort at node v, the output of the protocol will be Alice's defense, which has expectation a_v. So Bob aborting at node v results in a change in Alice's expected output equal to the difference between a_v and x_v. Analogously, if Alice aborts at node v, it results in a change in Bob's expected output equal to the difference between Bob's defense and the expected output. Overall, when the node v is drawn according to this stopping time, the score reflects the change in the expected output when the parties abort at this stopping time. Now we shall prove that the maximum score yielded by a stopping time is large. Following the recent work, we use an inductive approach to prove that this maximum score is higher than c·X(1 - X)/√r, where c is a universal constant. Let's use this figure as an example. Suppose ∅ is the beginning of the protocol, where the first message has k possibilities. So the first message can be 1, 2, ..., or k.
Now, to pick our stopping time, we need to make an independent decision for every node. For example, at node 1 we need to decide whether we pick node 1 as our stopping time or we defer the attack to the remaining (r - 1)-message sub-protocol, and we need to make the same decision for node 2, node 3, and so on. By the definition of our score function, if we pick node 1 as our stopping time, this yields a score of (a_1 - x_1) + (b_1 - x_1). On the other hand, if we defer the attack to the remaining sub-protocol, then by our inductive hypothesis this is guaranteed to be higher than c·x_1(1 - x_1)/√(r - 1). Recall that x_1 is the expected output of this sub-protocol. So the best stopping time will decide whether to pick node 1 or τ_1 as the stopping time based on which quantity is larger. So the maximum score will be at least the maximum of these two quantities, and the same argument holds for node 2, node 3, and so on. Overall, the maximum score is guaranteed to be higher than the average of the maximum of these two quantities, which can be written in this way. So now we just need to prove that the expectation of the maximum of these two quantities is higher than our goal.

In a work by Khorasgani, Maji, and Wang, they identified the following potential function Φ(x, a, b), defined as this. The intuition behind this potential function is the following. The term x(1 - x) is the quality of the attack attributed to the bias of the protocol; the (x - a)^2 term punishes Alice if her defense a is too far away from the expected output; and similarly (x - b)^2 punishes Bob if his defense is too far away from the expected output.
They prove that the maximum of these two quantities is guaranteed to be higher than c/√r times the potential function with inputs x_i, a_i, and b_i. We stress that there could exist other potential functions; it just happens to be the case that this potential function serves our purposes. So now we know that the maximum of this quantity is lower bounded by this. We just need to prove that the expectation of c/√r times the potential function is greater than our goal. Note that c/√r appears on both sides. So it suffices to prove that the expectation of the potential function is greater than x(1 - x).

We complete the proof in the following way. We first note that this potential function can also be written in another form, which is x + (x - a - b)^2 - 2ab. So what we do is first write the potential function in this second form. Now we can use the linearity of expectation to push the expectation onto each term individually. Next, we note that (x - a - b)^2 is a tri-variate convex function, so we can apply Jensen's inequality and push the expectation inside this term. Finally, we note that because Alice's and Bob's views are independent, the expectation of a_i·b_i is exactly the expectation of a_i times the expectation of b_i. Therefore we have this identity. Note that this equation is exactly in the shape of the second form. So now we can rewrite it as the potential function with inputs E[x_i], E[a_i], and E[b_i]. We want to stress that although this Φ function is not a tri-variate convex function, we actually prove that Jensen's inequality holds in this scenario. This is because we identify a global invariant in the augmented protocol that ensures that Jensen's inequality holds. So now the proof follows from the following simple facts.
First, the expectation of the expected output at each child node is exactly the expected output at their root, which is x. Now recall that this potential function can be written in the first form, x(1 - x) plus two square terms, which are non-negative. So this is greater than or equal to x(1 - x), and this completes the proof.

So now, to summarize: we have considered an r-message coin tossing protocol in the random oracle model. We use the heavy querier algorithm to kill the correlation between Alice's and Bob's private views. These steps ask polynomially many additional queries. We use an inductive approach with a carefully crafted potential function to identify a stopping time τ such that the score we have defined with respect to this stopping time is guaranteed to be high. This stopping time can be translated into an attack that alters the expected output by the same bound. In particular, when the protocol outputs a uniform bit, this deviation of the expected output is guaranteed to be 1/√r. I want to mention that in an ongoing work, we prove that optimal fair coin tossing is also black-box separated from public-key encryption schemes. That is all for my talk. Thank you.
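The expectation step of the potential argument, written out with the talk's own symbols (an added derivation, not one of the talk's slides; E_i denotes expectation over the first message i, and the independence of Alice's and Bob's views provided by the heavy querier is taken as exact, as the talk does):

$$
\begin{aligned}
\Phi(x,a,b) &= x(1-x) + (x-a)^2 + (x-b)^2 \;=\; x + (x-a-b)^2 - 2ab, \\
\mathbb{E}_i\!\left[\Phi(x_i,a_i,b_i)\right] &= \mathbb{E}_i[x_i] + \mathbb{E}_i\!\left[(x_i-a_i-b_i)^2\right] - 2\,\mathbb{E}_i[a_i b_i] && \text{(linearity)} \\
&\ge \mathbb{E}_i[x_i] + \big(\mathbb{E}_i[x_i]-\mathbb{E}_i[a_i]-\mathbb{E}_i[b_i]\big)^2 - 2\,\mathbb{E}_i[a_i]\,\mathbb{E}_i[b_i] && \text{(Jensen on the square; independence for } \mathbb{E}_i[a_i b_i]) \\
&= \Phi\big(\mathbb{E}_i[x_i],\,\mathbb{E}_i[a_i],\,\mathbb{E}_i[b_i]\big) \;=\; \Phi\big(x,\,\mathbb{E}_i[a_i],\,\mathbb{E}_i[b_i]\big) && (\mathbb{E}_i[x_i] = x) \\
&= x(1-x) + \big(x-\mathbb{E}_i[a_i]\big)^2 + \big(x-\mathbb{E}_i[b_i]\big)^2 \;\ge\; x(1-x).
\end{aligned}
$$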
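To make the 1/√r figure for the majority protocol concrete, here is an added example (not code from the talk or the paper) that computes, by backward induction over the protocol tree, exactly how far a fail-stop Alice can push Bob's expected output. It assumes a specific order within each round (Bob reveals b_i, then Alice decommits a_i, so Alice learns a_i ⊕ b_i one step before Bob's defense can account for it), that the party who is aborted on fills the unrevealed rounds with fresh uniform bits, and odd r so the majority has no ties.

```python
from fractions import Fraction
from functools import lru_cache
from math import comb, sqrt


def tail_prob(k, n, need):
    """Exact probability that k + Binomial(n, 1/2) >= need."""
    return Fraction(sum(comb(n, j) for j in range(max(0, need - k), n + 1)), 2 ** n)


def majority_insecurity(r):
    """Exact bias a fail-stop Alice can introduce into Bob's output in the
    r-round majority protocol (assumed round order: Bob reveals b_i, then
    Alice decommits a_i; the aborted-on party fills missing rounds with
    fresh uniform bits). Returns E[Bob's output] - 1/2 under the best abort."""
    if r % 2 == 0:
        raise ValueError("use odd r so that the majority has no ties")
    need = (r + 1) // 2  # number of ones needed for the majority to be 1

    def bob_defense(i, k):
        # Bob has seen c_1..c_i with k ones; he treats c_{i+1}..c_r as uniform.
        return tail_prob(k, r - i, need)

    @lru_cache(maxsize=None)
    def value(i, k):
        # Max expected Bob output at the start of round i+1, with k ones among
        # c_1..c_i, assuming Alice has followed the protocol so far.
        if i == r:
            return Fraction(int(k >= need))
        # Alice sees c_{i+1} before decommitting a_{i+1}; Bob's defense does not.
        # For each value of c_{i+1} she chooses the better of abort / continue.
        abort = bob_defense(i, k)
        continue_one = value(i + 1, k + 1)
        continue_zero = value(i + 1, k)
        return Fraction(1, 2) * (max(abort, continue_one) + max(abort, continue_zero))

    return value(0, 0) - Fraction(1, 2)


if __name__ == "__main__":
    # insecurity * sqrt(r) settles near a constant, the 1/sqrt(r) behaviour.
    for r in (1, 3, 5, 11, 21, 41):
        ins = majority_insecurity(r)
        print(f"r={r:3d}  insecurity={float(ins):.4f}  x sqrt(r)={float(ins) * sqrt(r):.3f}")
```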