

We consider the task of extending a given coin toss. A bit more formally, our goal is to generate n common random coins from a single use of an ideal functionality that gives \(m

In the framework of universal composability, we show the impossibility of securely extending a coin toss for statistical and perfect security. On the other hand, for computational security, the existence of a protocol for coin toss extension depends on the number m of random coins that can be obtained “for free.” For the case of stand-alone security, i.e., a simulation-based security definition without an environment, we present a protocol for statistically secure coin toss extension. Our protocol works for superlogarithmic m, which is optimal as we show the impossibility of statistically secure coin toss extension for smaller m. Combining our results with already known results, we obtain a (nearly) complete characterization under which circumstances coin toss extension is possible.

Blum showed in how to flip a coin over the telephone line. His protocol guarantees that even if one party does not follow the protocol, the other party still gets a uniformly distributed coin toss outcome. This general concept of generating common randomness in a way such that no dishonest party can dictate the outcome proved very useful in cryptography, for example, in the construction of protocols for general secure multiparty computation. Here, we are interested in the task of extending a given coin toss. That is, suppose that two parties already have the possibility of making a single m-bit coin toss. Is it possible for them to get \(n>m\) bits of common randomness? The answer we come up with is basically: “It depends on the security model and on the length of the coin toss used as seed.”

The first thing the extensibility of a given coin toss depends on is the required kind of security. In this work, we will consider simulation-based security notions, in which a protocol is secure if and only if it “imitates” an ideal functionality. For the case of coin toss, this ideal functionality will act as a trusted host that simply equips both parties with common random coins. However, we would like to stress that we would like to model an interactive coin toss protocol. Hence, the coin toss ideal functionality first expects an “activation signal” from both parties before handing out the random coins. This is quite different from a “common random string” (CRS) functionality that does not require such activation signals. (In fact, in this work, we will investigate also CRSs and CRS extension protocols, with somewhat different results compared to the coin toss case.)

A little more technically, one specific kind of security requirement (which we call “standalone simulatability” here) is that the protocol imitates the ideal coin toss functionality in the sense of, where a simulator has to invent a realistic protocol run after learning the outcome of the ideal coin toss. A stronger type of requirement is to demand universal composability, which basically means that the protocol imitates an ideal coin toss functionality even in arbitrary protocol environments.
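The difference between the coin toss ideal functionality and the CRS functionality described in the text can be made concrete with a small model. This is an added sketch, not code from the paper: the class names, the party labels "A" and "B", and the use of `None` for "no output yet" are assumptions made for illustration.

```python
import secrets

PARTIES = ("A", "B")  # hypothetical party labels for this sketch


class CoinTossFunctionality:
    """Ideal m-bit coin toss: hands out coins only after BOTH parties
    have sent their activation signal."""

    def __init__(self, m):
        self.m = m
        self.activated = set()
        self.coins = None  # nothing is released before both signals arrive

    def activate(self, party):
        if party not in PARTIES:
            raise ValueError("unknown party")
        self.activated.add(party)
        # Sampling at release time is a modelling choice; the output
        # distribution is uniform over m-bit strings either way.
        if self.coins is None and self.activated == set(PARTIES):
            self.coins = secrets.randbits(self.m)

    def output(self, party):
        if party not in PARTIES:
            raise ValueError("unknown party")
        return self.coins  # None models "no output yet"


class CRSFunctionality:
    """Common random string: available to either party with no activation."""

    def __init__(self, m):
        self.crs = secrets.randbits(m)

    def output(self, party):
        if party not in PARTIES:
            raise ValueError("unknown party")
        return self.crs


def demo(m=16):
    """Run both functionalities and record what each party can observe."""
    crs, ct = CRSFunctionality(m), CoinTossFunctionality(m)
    trace = {"crs_available_without_signals": crs.output("A") is not None}
    ct.activate("A")
    trace["coins_after_one_signal"] = ct.output("A")  # still withheld
    ct.activate("B")
    trace["coins_A"] = ct.output("A")
    trace["coins_B"] = ct.output("B")
    return trace
```
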