On the Complexity of Fair Coin Flipping


Iftach Haitner, Nikolaos Makriyannis, Eran Omri

April 16, 2018

Abstract

In their breakthrough result, Moran et al. [Journal of Cryptology '16] show how to construct an r-round two-party coin-flipping with bias Θ(1/r), for any r ∈ ℕ. This improves over the Θ(1/√r) protocol of Awerbuch et al. [Manuscript '85], and matches the lower bound of Cleve [STOC '86]. The protocol of [21], however, uses oblivious transfer, to be compared with the protocol of [3] that can be based on any one-way function. An intriguing open question is whether oblivious transfer, or more generally public-key primitives, is required for an o(1/√r)-bias coin flipping. The question was partially answered in the black-box settings by Dachman-Soled et al. [11] [TCC '11] and Dachman-Soled et al. [12] [TCC '14], who showed that restricted types of fully black-box reductions cannot establish such o(1/√r)-bias coin-flipping protocols from one-way functions.

We make progress towards answering the above question, showing that for any (constant) r ∈ ℕ, the existence of an o(1/√r)-bias coin-flipping protocol implies the existence of an infinitely-often key-agreement protocol. Our reduction is non black-box, and makes a novel use of the recent dichotomy for two-party protocols of Haitner et al. [16] to facilitate, for the two-party case, the recent attack of Beimel et al. [5] on multi-party coin-flipping protocols.

School of Computer Science, Tel Aviv University. E-mail: iftachh@cs.tau.ac.il. Member of the Check Point Institute for Information Security. Research supported by ERC starting grant.
School of Computer Science, Tel Aviv University. E-mail: n.makriyannis@gmail.com.
Department of Computer Science, Ariel University. E-mail: omrier@ariel.ac.il. Research supported by ISF grant 152/17.

Contents

1 Introduction
1.1 Our Results
1.2 Our Technique
1.3 Related Work
2 Preliminaries
2.1 Notation
2.2 Protocols
2.3 Martingales
3 Fair Coin-Flipping to Key Agreement
3.1 Approximating the Expected-outcome Sequence
3.2 Forecasted Backup Values are Close to Expected-outcome Sequence
3.3 Independence of Attack Decision

1 Introduction

In a two-party coin-flipping protocol, introduced by Blum [7], the parties wish to output a common (close to) uniform bit, even though one of the parties may be corrupted and try to bias the output. Slightly more formally, a (fair) coin-flipping protocol should satisfy the following two properties: first, when both parties behave honestly (i.e., follow the prescribed protocol), they both output the same bit. Second, the output of an honest party should always be an (almost) unbiased bit, even if the other party is corrupted (i.e., arbitrarily deviates from the protocol). We emphasize that the above notion requires an honest party to always output a bit, regardless of what the corrupted party does, and, in particular, it is not allowed to abort if a cheat was detected.¹ Coin-flipping is a fundamental primitive with numerous applications, and thus lower bounds on coin-flipping protocols imply analogous bounds for many basic cryptographic primitives including other inputless primitives and secure computation of functions that take input (e.g., XOR).

¹ Such protocols are typically addressed as having guaranteed output delivery, or, abusing terminology, as fair.

In his seminal work, Cleve [9] showed that for any efficient two-party r-round coin-flipping protocol, there exists an efficient adversarial strategy that biases the output of the honest party by Θ(1/r). The above lower bound on coin-flipping protocols was met for the two-party case by Moran, Naor, and Segev [21] improving over the Θ(n/√r)-bias achieved by the majority protocol of Awerbuch, Blum, Chor, Goldwasser, and Micali [3]. The protocol of [21], however, uses oblivious transfer, to be compared with the protocol of [3] that can be based on any one-way function. An intriguing open question is whether oblivious transfer, or more generally public-key primitives, is required for an o(1/√r)-bias coin flipping. The question was partially answered in the black-box settings by Dachman-Soled et al. [11] and Dachman-Soled et al. [12], who showed that restricted types of fully black-box reductions cannot establish such o(1/√r)-bias coin-flipping protocols from one-way functions.

1.1 Our Results

Our main result is that constant-round coin-flipping protocols with better bias compared to the majority protocol of [2] imply the existence of infinitely-often key-agreement.

Theorem 1.1 (Main result, informal). For any (constant) r ∈ ℕ, the existence of an 1/(c√r)-bias, r-round coin-flipping protocol implies the existence of an infinitely-often key-agreement protocol, for c > 0 being a universal constant (independent of r).

As in [9, 11, 12], our result extends via a simple reduction to general multi-party coin-flipping protocols (with more than two parties) without an honest majority. Our reduction is non black-box, and makes a novel use of the recent dichotomy for two-party protocols of Haitner et al. [16]. Specifically, assuming that i.o. key agreement does not exist and applying Haitner et al.'s dichotomy, we show that a two-party variant of the recent multi-party attack of Beimel et al. [5] yields a Ω(1/√r)-bias attack.

1.2 Our Technique

Let π = (A, B) be an r-round two-party coin-flipping protocol. We show that the inexistence of key-agreement protocols yields an efficient Θ(1/√r)-bias attack on π. We start by describing the 1/√r-bias inefficient attack of Cleve and Impagliazzo [10], and the approach of Beimel et al. [5] towards making this attack efficient. We then explain how to use the recent results by Haitner et al. [16] to mount an efficient attack (assuming the inexistence of io-key-agreement protocols).

1.2.1 Cleve and Impagliazzo's Inefficient Attack

We describe the inefficient 1/√r-bias attack due to Cleve and Impagliazzo [10]. Let $M_1, \ldots, M_r$ denote the messages in a random execution of π, and let out denote the (without loss of generality) always common output of the parties in a random honest execution of π. Let $X_i = \mathrm{E}[\mathrm{out} \mid M_{\le i}]$. Namely, $X_i$ is the expected outcome of the parties in π given $M_{\le i} = M_1, \ldots, M_i$. It is easy to see that $X_0, \ldots, X_r$ is a martingale sequence: $\mathrm{E}[X_i \mid X_0, \ldots, X_{i-1}] = X_{i-1}$ for every i. Since the parties in an honest execution of π output a uniform bit, it holds that $X_0 = \Pr[\mathrm{out} = 1] = 1/2$ and $X_r \in \{0, 1\}$. Cleve and Impagliazzo [10] (see Beimel et al. [5] for an alternative simpler proof) prove that for such a sequence (omitting absolute values and constant factors) it holds that

Jump: $\Pr[\exists i \in [r] \colon X_i - X_{i-1} \ge 1/\sqrt{r}] \ge 1/2$   (1)

Let the i-th backup value of party P, denoted $Z_i^P$, be the output of party P if the other aborts prematurely after the i-th message was sent (recall that, by definition, the honest party must always output a bit). In particular, $Z_r^P$ denotes the final output of P (no abort occurred). We claim that the following holds

Backup values approximate outcome: $\Pr[\exists i \in [r] \colon X_i - \mathrm{E}[Z_i^P \mid M_{\le i}] \ge 1/(2\sqrt{r})] \le 1/4$   (2)

for both P ∈ {A, B}. Assume otherwise, then without loss of generality the (possibly inefficient) adversary that controls A and aborts after $M_i$ was sent if $X_i - \mathrm{E}[Z_i^B \mid M_{\le i}] \ge 1/\sqrt{r}$, biases the output of B towards zero by Θ(1/√r), and we are done.

Finally, we note that since the coins of the parties are independent conditioned on the transcript, if for example party A sends the (i + 1) message then

Independence: $\mathrm{E}[Z_i^B \mid M_{\le i}] = \mathrm{E}[Z_i^B \mid M_{\le i+1}]$   (3)

Combining the above observations yields that without loss of generality:

$\Pr[\exists i \in [r] \colon \text{A sends the } i\text{-th message} \,\wedge\, X_i - \mathrm{E}[Z_{i-1}^B \mid M_{\le i}] \ge 1/(2\sqrt{r})] \ge 1/8$   (4)

Equation (4) implies the following (possibly inefficient) attack for a corrupted party A biasing B's output towards zero: before sending the i-th message $M_i$, party A aborts if $X_i - \mathrm{E}[Z_{i-1}^B \mid M_{\le i}] \ge 1/(2\sqrt{r})$. By Equation (4), this attack biases B's output towards zero by Ω(1/(2√r)).

The clear limitation of the above attack is that, assuming one-way functions, the value of $X_i = \mathrm{E}[\mathrm{out} \mid M_{\le i} = t]$ and of $\mathrm{E}[Z_i^P \mid M_{\le i} = t]$ might not be efficiently computable, as a function of t.² Facing this difficulty, Beimel et al. [5] considered the martingale sequence $X_i = \mathrm{E}[\mathrm{out} \mid Z^P_{\le i}]$ (recall that $Z_i^P$ is the i-th backup value of P). It follows that for constant-round protocols, the value of $X_i$ is only a function of a constant size string, and thus it is efficiently computable ([5] have facilitated this approach for protocols of super-constant round complexity, see Footnote 3). The price of using the alternative sequence $Y_1, \ldots, Y_r$ is that the independence property (Equation (3)) might no longer hold. Yet, [5] manage to facilitate the above approach into an efficient Ω(1/√r)-attack on many-party protocols. In the following we show how to use the dichotomy of Haitner et al. [16] to facilitate an attack in the spirit of [5] for two-party protocols.

² For instance, the first two messages might contain commitments to the parties' randomness.
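Added example (not from the paper): the abort rule of Equation (4), evaluated exactly in Python on a toy r-coin majority protocol. The model is an assumption made here for illustration: r is odd, round i reveals one public uniform coin that A learns before B, the output is the majority of the coins, and after an abort B flips the missing coins itself, so B's expected backup value equals the previous expected outcome and Equation (3) holds trivially. The function names are hypothetical.

```python
"""Added illustration, not code from the paper.

Toy model (assumed for this example): r odd, one public uniform coin per
round, A learns each coin before B, output = majority of the r coins.
If A aborts, B replaces the unseen coins with its own fresh coins.
"""
from fractions import Fraction
from functools import lru_cache
from math import comb


@lru_cache(maxsize=None)
def expected_outcome(r: int, i: int, k: int) -> Fraction:
    """X_i = Pr[majority is 1 | the first i coins contain k ones]."""
    need = (r + 1) // 2 - k          # ones still required from the rest
    rest = r - i                     # coins not yet revealed
    if need <= 0:
        return Fraction(1)
    if need > rest:
        return Fraction(0)
    wins = sum(comb(rest, j) for j in range(need, rest + 1))
    return Fraction(wins, 2 ** rest)


def is_jump(r: int, gap: Fraction) -> bool:
    """gap >= 1/(2*sqrt(r)), tested exactly as gap > 0 and 4*r*gap^2 >= 1."""
    return gap > 0 and 4 * r * gap * gap >= 1


def attack(r: int):
    """Run the abort rule over all coin sequences by dynamic programming.

    Returns (E[B's output], Pr[A aborts], E[jump size; A aborts]).
    """
    if r % 2 == 0:
        raise ValueError("the toy model needs an odd number of rounds")
    # reach[k] = Pr[i coins revealed, k of them ones, no abort so far]
    reach = {0: Fraction(1)}
    out = Fraction(0)
    p_abort = Fraction(0)
    jump_mass = Fraction(0)
    for i in range(r):
        nxt = {}
        for k, p in reach.items():
            # In this model B's expected backup value is the current X.
            x_prev = expected_outcome(r, i, k)
            for coin in (0, 1):
                x_new = expected_outcome(r, i + 1, k + coin)
                q = p / 2
                if is_jump(r, x_new - x_prev):
                    # A has seen the coin, B has not: A aborts and B
                    # outputs 1 with probability x_prev instead of x_new.
                    out += q * x_prev
                    p_abort += q
                    jump_mass += q * (x_new - x_prev)
                else:
                    nxt[k + coin] = nxt.get(k + coin, Fraction(0)) + q
        reach = nxt
    # Executions without an abort end with X_r in {0, 1}.
    out += sum(p * expected_outcome(r, r, k) for k, p in reach.items())
    return out, p_abort, jump_mass


def bias_towards_zero(r: int) -> Fraction:
    """1/2 minus the probability that B outputs one under the abort rule."""
    return Fraction(1, 2) - attack(r)[0]


if __name__ == "__main__":
    for r in (3, 11, 51, 101):
        out, p_abort, _ = attack(r)
        b = Fraction(1, 2) - out
        print(f"r={r:4d}  Pr[abort]={float(p_abort):.3f}  "
              f"bias={float(b):.4f}  bias*sqrt(r)={float(b) * r ** 0.5:.3f}")
```

Because the expected outcome is a martingale, the bias returned here equals the expected size of the jump at the abort round, so it is at least Pr[abort]/(2√r).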

1.2.2 Inexistence of Key-Agreement Implies an Efficient Attack

Let $U_p$ denote the Bernoulli random variable taking the value 1 with probability p, and let $P \overset{C}{\approx}_{\rho} Q$ stand for Q and P are ρ-computationally indistinguishable (i.e., an efficient distinguisher cannot tell P from Q with advantage better than ρ). We are using two results by Haitner et al. [16]. The first one given below holds for any two-party protocol.

Theorem 1.2 (Haitner et al. [16]'s forecaster, informal). Let = (A, B) be a single-bit output (each party outputs a bit) two-party protocol. Then for any constant ρ > 0 there exists a constant-output length poly-time algorithm (forecaster) F mapping transcripts of into (the binary description of) pairs in [0, 1] × [0, 1], such that the following holds: let (X, Y, T) be the parties' outputs and transcript in a random execution of , then

$(X, T) \overset{C}{\approx}_{\rho} (U_{p_A}, T)_{(p_A, \cdot) \leftarrow F(T)}$, and
$(Y, T) \overset{C}{\approx}_{\rho} (U_{p_B}, T)_{(\cdot, p_B) \leftarrow F(T)}$.

Namely, given the transcript, F forecasts the output distribution of each of the parties in a way that is computationally indistinguishable from the real value.

Consider the (r + 1)-round protocol $\tilde{\pi} = (\tilde{A}, \tilde{B})$, defined by $\tilde{A}$ sending a random $i \in [r]$ to $\tilde{B}$ as the first message, and then the parties interact in a random execution of π for the first i rounds. At the end of the execution, the parties output their i-th backup values $z_i^A$ and $z_i^B$ and halt. Let F be the forecaster for $\tilde{\pi}$ guaranteed by Theorem 1.2 for $\rho = 1/r^2$ (note that ρ is indeed constant). A simple averaging argument yields that

$(Z_i^P, M_{\le i}) \overset{C}{\approx}_{1/r} (U_{p_P}, M_{\le i})_{(p_A, p_B) \leftarrow F(M_{\le i})}$   (5)

for both P ∈ {A, B} and every i ∈ [r], letting $F(m_{\le i}) = F(i, m_{\le i})$. Namely, F is a good forecaster for the partial transcripts of π.

Let $M_1, \ldots, M_r$ denote the messages in a random execution of π and let out denote the output of the parties in π. Let $Y_i = (Y_i^A, Y_i^B) = F(M_{\le i})$ and let $X_i = \mathrm{E}[\mathrm{out} \mid Y_{\le i}]$. It is easy to see that $X_1, \ldots, X_r$ is a martingale sequence and that $X_0 = 1/2$. We assume without loss of generality that the last message of π contains the common output. It thus follows from Equation (5) that $Y_r \approx (\mathrm{out}, \mathrm{out}) \in \{(0, 0), (1, 1)\}$ (otherwise, it will be very easy to distinguish the emulated outputs from the real ones, given $M_r$). Hence, similarly to Section 1.2.1, it holds that

Jump: $\Pr[\exists i \in [r] \colon X_i - X_{i-1} \ge 1/\sqrt{r}] \ge 1/2$   (6)

Since $Y_i$ has constant size support and since π is constant round, it follows that $X_i$ is efficiently computable from $M_{\le i}$.³

³ In the spirit of Beimel et al. [5], we could have modified the definition of the $X_i$'s to make them efficiently computable even for non constant-round protocols. The idea is to define $X_i = \mathrm{E}[\mathrm{out} \mid Y_i, X_{i-1}]$. While the resulting sequence might not be a martingale, [5] proves that a 1/√r gap also occurs with constant probability with respect to such a sequence. Unfortunately, we cannot benefit from this improvement, since the results of Haitner et al. [16] only guarantee indistinguishability for constant ρ, which makes it useful only for attacking constant-round protocols.

Let $Z_i^P$ denote the backup value computed by party P in round i of a random execution of π. The indistinguishability of F yields that $\mathrm{E}[Z_i^P \mid Y_{\le i}] \approx Y_i^P$. Similarly to Section 1.2.1, unless there is a simple 1/√r-attack it holds that

Backup values approximate outcome: $\Pr[\exists i \in [r] \colon X_i - \mathrm{E}[Z_i^P \mid Y_{\le i}] \ge 1/(2\sqrt{r})] \le 1/4$   (7)

So, to emulate the attack of Cleve and Impagliazzo [10], it suffices to prove that

Independence: $\mathrm{E}[Z_i^P \mid Y_{\le i}] \overset{C}{\approx}_{1/r} \mathrm{E}[Z_i^P \mid Y_{\le i+1}]$   (8)

for every P ∈ {A, B} and round i in which the other party $\overline{P}$ sends the (i + 1) message. However, unlike Equation (3) in Section 1.2.1, Equation (8) might not be true. (In fact, assuming oblivious transfer exists, the above attack must fail for some protocols, yielding that Equation (8) is false for these protocols). Rather, we relate Equation (8) to the existence of a key-agreement protocol. Specifically, we show that if Equation (8) is not true, then there exists a key-agreement protocol.

Proving that $Y_{i+1}$ and $Z_i^B$ are approximately independent given $Y_{\le i}$, assuming inexistence of key agreement. We are now using a second result by Haitner et al. [16].⁴

⁴ Assuming the inexistence of key-agreement protocols, Theorem 1.3 implies Theorem 1.2. Yet, we chose to use both results to make the text more modular.

Theorem 1.3 (Haitner et al. [16]'s dichotomy, informal). Let = (A, B) be an efficient single-bit output two-party protocol and assume infinitely-often key-agreement protocol does not exist. Then, for any constant ρ > 0, there exists a poly-time algorithm (decorrelator) Dcr mapping transcripts of into [0, 1] × [0, 1] such that the following holds. Let (X, Y, T) be the parties' outputs and transcript in a random execution of , then

$(X, Y, T) \overset{C}{\approx}_{\rho} (U_{p_A}, U_{p_B}, T)_{(p_A, p_B) \leftarrow \mathrm{Dcr}(T)}$.

Namely, assuming i.o-key-agreement do not exist, the distribution of the parties' output given the transcript seems ρ-close to the product distribution given by Dcr. We assume for simplicity that the theorem holds for many-bit output protocols, and not merely single bit (we get rid of this assumption in the actual proof).

We define another variant $\hat{\pi}$ of π that internally uses the forecaster F. We prove that assuming the existence of a decorrelator for $\hat{\pi}$, it holds that $X_{i+1}$ and $Z_i^P$ are approximately independent given $Y_{\le i}$, and Equation (8) follows.

For concreteness, we focus on party P = B. Fix i such that A sends the (i + 1) message in π. Let $\hat{\pi} = (\hat{A}, \hat{B})$ be a protocol in which the parties interact just as in π for the first i rounds. Then, $\hat{B}$ outputs the i-th backup value of B, and $\hat{A}$ internally computes $t_{i+1}$, and outputs $y_{i+1} = F(t_{i+1})$. Assume key-agreement protocols do not exist, Theorem 1.3 implies the existence of an efficient decorrelator Dcr for $\hat{\pi}$ with respect to ρ = 1/r. By definition, it holds that

$(Y_{i+1}, Z_i^B, M_{\le i}) \overset{C}{\approx}_{1/r} (U_{p_{\hat{A}}}, U_{p_{\hat{B}}}, M_{\le i})_{(p_{\hat{A}}, p_{\hat{B}}) \leftarrow \mathrm{Dcr}(M_{\le i})}$,   (9)

where now $p_{\hat{A}}$ describes a non-boolean distribution, and $U_{p_{\hat{A}}}$ denotes an independent sample from this distribution. Hence, to prove that $Y_{i+1}$ and $Z_i^B$ are approximately independent given $Y_{\le i}$, it suffices to prove that $U_{p_{\hat{A}}}$ and $U_{p_{\hat{B}}}$ are approximately independent given $Y_{\le i}$. Since F and Dcr both output an estimate of (the expectation of) $Z_i^B \mid M_{\le i}$ in a way that is indistinguishable from the real distribution of $Z_i^B$ (given $M_{\le i}$), both algorithms output essentially the same value. Otherwise, at least one of the algorithms is far from the real value, and the other algorithm can be used to distinguish the real distribution from the simulated one. It follows that

$(U_{p_{\hat{A}}}, U_{p_{\hat{B}}}, M_{\le i})_{(p_{\hat{A}}, p_{\hat{B}}) \leftarrow \mathrm{Dcr}(M_{\le i})} \overset{C}{\approx}_{1/r} (U_{p_{\hat{A}}}, U_{Y_i^B}, M_{\le i})_{p_{\hat{A}} \leftarrow \mathrm{Dcr}(M_{\le i})}$   (10)

Using a data-processing argument in combination with Equations (9) and (10), we deduce that

$(Y_{i+1}, Z_i^B, Y_{\le i}) \overset{C}{\approx}_{1/r} (U_{p_{\hat{A}}}, U_{p_{\hat{B}}}, Y_{\le i})_{(p_{\hat{A}}, p_{\hat{B}}) \leftarrow \mathrm{Dcr}(M_{\le i})} \overset{C}{\approx}_{1/r} (U_{p_{\hat{A}}}, U_{Y_i^B}, Y_{\le i})_{p_{\hat{A}} \leftarrow \mathrm{Dcr}(M_{\le i})}$   (11)

Finally, conditioned on $Y_{\le i}$, the distribution of $(U_{p_{\hat{A}}}, U_{Y_i^B})$ is a convex combination of product distributions of the form (, $U_{Y_i^B}$) = $(U_{p_{\hat{A}}}, U_{Y_i^B})|_{M_{\le i} = t}$ (for t M Y ), and thus it is a product distribution.

1.3 Related Work

We review some of the relevant work on fair coin-flipping protocols.

Necessary hardness assumptions. This line of work examines the minimal assumptions required to achieve an o(1/√r)-bias two-party coin-flipping protocol, as done in this paper. The necessity of one-way functions for weaker variants of coin-flipping protocols, where the honest party is allowed to abort if the other party aborts or deviates from the prescribed protocol, was considered in [18, 19, 13, 6]. More related to our bound is the work of Dachman-Soled et al. [11], who showed that any fully black-box construction of O(1/r)-bias two-party protocols based on one-way functions (with r-bit input and output) needs Ω(r/ log r) rounds, and the work of Dachman-Soled et al. [12], who showed that there is no fully black-box and function oblivious construction of O(1/r)-bias two-party protocols from one-way functions (a protocol is function oblivious if the outcome of the protocol is independent of the choice of the one-way function used in the protocol).

Lower bounds. Cleve [9] proved that for every r-round two-party coin-flipping protocol, there exists an efficient adversary that can bias the output by Ω(1/r). Cleve and Impagliazzo [10] proved that for every r-round two-party coin-flipping protocol, there exists an inefficient fail-stop adversary that biases the output by Ω(1/√r). They also showed that a similar attack exists if the parties have access to an ideal commitment scheme. All above bounds extend to the multi-party case (with no honest majority) via a simple reduction. Very recently, Beimel et al. [5] showed that any r-round n-parties coin-flipping with $n^k > r$, for some k ∈ ℕ, can be biased by $1/(\sqrt{r} \cdot (\log r)^k)$. Ignoring logarithmic factors, this means that if the number of parties is $r^{\Omega(1)}$, the majority protocol of [3] is optimal.

Upper bounds. Blum [7] presented a two-party two-round coin-flipping protocol with bias 1/4. Awerbuch et al. [3] presented an n-party r-round protocol with bias O(n/√r) (the two-party case appears also in Cleve [9]). Moran et al. [20] solved the two-party case by giving a two-party r-round coin-flipping protocol with bias O(1/r). Haitner and Tsfadia [14] solved the three-party case up to poly-logarithmic factor by giving a three-party coin-flipping protocol with bias O(polylog(r)/r). Buchbinder et al. [8] showed an n-party r-round coin-flipping protocol with bias $\tilde{O}(n^3 2^n / r^{\frac{1}{2} + \frac{1}{2^{n-1} - 2}})$. In particular, their protocol for four parties has bias $\tilde{O}(1/r^{2/3})$, and for n = log log r their protocol has bias smaller than Awerbuch et al. [3]. For the case where less than 2/3 of the parties are corrupt, Beimel et al. [4] showed an n-party r-round coin-flipping protocol with bias $2^{2^k}/r$, tolerating up to t = (n + k)/2 corrupt parties. Alon and Omri [1] showed an n-party r-round coin-flipping protocol with bias $\tilde{O}(2^{2^n}/r)$, tolerating up to t corrupted parties, for constant n and t < 3n/4.

Paper Organization

Basic definitions and notation used through the paper are given in Section 2. The formal statement and proof of the main theorem are given in Section 3.

2 Preliminaries

2.1 Notation

We use calligraphic letters to denote sets, uppercase for random variables and functions, lowercase for values. For a, b ∈ ℝ, let a ± b stand for the interval [a − b, a + b]. For n ∈ ℕ, let [n] = {1, ..., n} and (n) = {0, ..., n}. Let poly denote the set of all polynomials, let ppt stand for probabilistic polynomial time and pptm denote a ppt algorithm (Turing machine). A function ν: ℕ → [0, 1] is negligible, denoted ν(n) = neg(n), if ν(n) < 1/p(n) for every p ∈ poly and large enough n. For a sequence $x_1, \ldots, x_r$ and i ∈ [r], let $x_{\le i} = x_1, \ldots, x_i$ and $x_{<i} = x_1, \ldots, x_{i-1}$.

Given a distribution, or random variable, D, we write x ← D to indicate that x is selected according to D. Given a finite set S, let s ← S denote that s is selected according to the uniform distribution over S. The support of D, denoted Supp(D), is defined as {u ∈ U : D(u) > 0}. The statistical distance between two distributions P and Q over a finite set U, denoted as SD(P, Q), is defined as $\max_{S \subseteq U} |P(S) - Q(S)| = \frac{1}{2} \sum_{u \in U} |P(u) - Q(u)|$. Distribution ensembles $X = \{X_\kappa\}_{\kappa \in \mathbb{N}}$ and $Y = \{Y_\kappa\}_{\kappa \in \mathbb{N}}$ are δ-computationally indistinguishable in the set , denoted by $X \overset{C}{\approx}_{,\delta} Y$, if for every pptm D and sufficiently large κ : $|\Pr[D(1^\kappa, X_\kappa) = 1] - \Pr[D(1^\kappa, Y_\kappa) = 1]| \le \delta$.

2.2 Protocols

Let π = (A, B) be a two-party protocol. The protocol π is ppt if the running time of both A and B is polynomial in their input length (regardless of the party they interact with). We denote by (A(x), B(y))(z) a random execution of π with private inputs x and y, and common input z, and sometimes abuse notation and write (A(x), B(y))(z) for the parties' output in this execution.

We will focus on no-input two-party single-bit output ppt protocols: the only input of the two ppt parties is the common security parameter, given in unary representation. At the end of the execution, each party outputs a single bit. Throughout, we assume without loss of generality that the transcript contains $1^\kappa$ as the first message. Let π = (A, B) be such a two-party single-bit output protocol. For κ ∈ ℕ, let $O_\pi^{A,\kappa}$, $O_\pi^{B,\kappa}$ and $T_\pi^\kappa$ denote the outputs of A, B and the transcript of π, respectively, in a random execution of $\pi(1^\kappa)$.

Fair Coin Flipping

Since we care about a lower bound, we only give the game based definition of coin-flipping protocols (see [15] for the stronger simulation based definition).

Definition 2.1 (Fair coin-flipping protocols). A ppt single-bit output two-party protocol π = (A, B) is an ε-fair coin-flipping protocol, if the following holds.
Output delivery: The honest party always outputs a bit (even if the other party acts dishonestly, or aborts).
Agreement: The parties always output the same bit in an honest execution.
Uniformity: $\Pr[O^A_\kappa = b] = 1/2$ (and thus $\Pr[O^B_\kappa = b] = 1/2$), for both b ∈ {0, 1} and all κ ∈ ℕ.⁵
Fairness: For any ppt A and b ∈ {0, 1}, for sufficiently large κ ∈ ℕ it holds that $\Pr[O_\kappa^{B,(A,B)} = b] \le 1/2 + \varepsilon$, and the same holds for the output bit of A.

⁵ The proof of our main result easily extends to non optimal uniformity condition. Say, if we only require that $\Pr[O^A_\kappa = b] \ge 1/4$ for both b ∈ {0, 1}.

Key Agreement

We focus on single bit output key-agreement protocols.

Definition 2.2 (Key-agreement protocols). A ppt single-bit output two-party protocol π = (A, B) is io-key-agreement, if there exists an infinite ℕ, such that the following hold for κ's in :
Agreement. $\Pr[X_\pi^\kappa = Y_\pi^\kappa] \ge 1 - \mathrm{neg}(\kappa)$.
Secrecy. $\Pr[\mathrm{Eve}(T_\pi^\kappa) = X_\pi^\kappa] \le 1/2 + \mathrm{neg}(\kappa)$, for every ppt Eve.

2.3 Martingales

Definition 2.3 (Martingales). Let $X_0, \ldots, X_r$ be a sequence of random variables. We say that the sequence is a martingale sequence if $\mathrm{E}[X_{i+1} \mid X_{\le i} = x_{\le i}] = x_i$ for every i ∈ [r − 1].

In plain terms, a sequence is a martingale if the expectation of the next point conditioned on the entire history is exactly the last observed point. One way to obtain a martingale sequence is by constructing a Doob martingale. Such a sequence is defined by $X_i = \mathrm{E}[f(Z) \mid Z_{\le i}]$, for arbitrary random variables $Z = (Z_1, \ldots, Z_r)$ and a function f of interest. We will use the following fact proven by [10] (we use the variant as proven in [5]).

Theorem 2.4. Let $X_0, \ldots, X_r$ be a martingale sequence such that $X_i \in [0, 1]$, for every i ∈ [r]. If $X_0 = 1/2$ and $\Pr[X_r \in \{0, 1\}] = 1$, then Pr r s.t. X X r

3 Fair Coin-Flipping to Key Agreement

In this section we prove the main result of the present work. We show that if there exist constant-round coin-flipping protocols which improve over the 1/√r-bias majority protocol of [2], then infinitely-often key-agreement exists as well. Formally, we prove the following theorem.

Theorem 3.1. The following holds for any (constant) r ∈ ℕ: if there exists an r-round, r -fair two-party coin-flipping protocol, see Definition 2.1, then there exists an infinitely-often key-agreement protocol.⁶

⁶ Definition 2.1 requires perfect uniformity: the common output in an honest execution is an unbiased bit. The proof given below, however, easily extends to any non-trivial uniformity condition, e.g., the common output equals one with probability 3/4.

Before formally proving Theorem 3.1, we briefly recall the outline of the proof as presented in the introduction. We begin with a good forecaster for the coin-flipping protocol π (which must exist, according to [16]), and define an efficiently computable conditional expected outcome sequence $X = (X_0, \ldots, X_r)$ for π, conditioned on the forecaster's outputs. Then, we show that (1) the i-th backup value (default output in case the opponent aborts) should be close to $X_i$; otherwise, an efficient attacker can use the forecaster to bias the output of the other party (this attack is applicable regardless of the existence of infinitely-often key-agreement). And (2), since X is a martingale sequence, large (Ω(1/√r)) jumps are bound to occur in some round, with constant probability. Hence, combining (1) and (2), with constant probability, at some round there is a Ω(1/√r)-gap between X and the forecaster's prediction for one party at the preceding round. We show that the aforementioned gap can be exploited to bias that party's output by Ω(1/√r), by instructing the opponent to abort as soon as the gap is detected, unless protocol π implies i.o-key-agreement.

In more detail, the success of the attack requires that (3) the event that a gap occurs is (almost) independent of the backup value of the honest party. It turns out that if π does not imply i.o-key-agreement, this third property is guaranteed by the dichotomy theorem of [16]. In summary, if io-key-agreement does not exist, protocol π is not Θ(1/√r) fair.

Moving to the formal proof, fix an r-round, two-party coin-flipping protocol π = (A, B) (we assume nothing about its fairness parameter for now). We associate the following random variables with a random honest execution of $\pi(1^\kappa)$. Let $M^\kappa = (M_1^\kappa, \ldots, M_r^\kappa)$ denote the messages of the protocol and let $O^\kappa$ denote the always common output of the parties. For i ∈ {0, ..., r} and P ∈ {A, B}, let $Z_i^{P,\kappa}$ be the backup value party P outputs, if the other party aborts after the i-th message was sent. In particular, $Z_r^{A,\kappa} = Z_r^{B,\kappa} = O^\kappa$ and $\Pr[Z_0^{P,\kappa} = 1] = 1/2$.

Forecaster for π. We are using a forecaster for π guaranteed by the following theorem (proof readily follows from Haitner et al. [16, Thm 3.8]).

Theorem 3.2 (Haitner et al. [16], existence of forecasters). Let be a no-input, single-bit output two-party protocol. Then for any constant ρ > 0, there exists a ppt constant-output length algorithm F (forecaster) mapping transcripts of into (the binary description of) pairs in [0, 1] × [0, 1] and an infinite set ℕ, such that the following holds: let $O^{A,\kappa}$, $O^{B,\kappa}$ and $T^\kappa$ denote the parties' outputs and protocol transcript, respectively, in a random execution of $(1^\kappa)$. Let m(κ) ∈ poly be a bound on the number of coins used by F on transcripts in supp($T^\kappa$), and let $S^\kappa$ be a uniform string of length m(κ). Then

$(O^{A,\kappa}, T^\kappa, S^\kappa) \overset{C}{\approx}_{\rho,} (U_{p_A}, T^\kappa, S^\kappa)_{(p_A, \cdot) = F(T^\kappa; S^\kappa)}$, and
$(O^{B,\kappa}, T^\kappa, S^\kappa) \overset{C}{\approx}_{\rho,} (U_{p_B}, T^\kappa, S^\kappa)_{(\cdot, p_B) = F(T^\kappa; S^\kappa)}$,

letting $U_p$ be a Boolean random variable taking the value one with probability p.⁷

⁷ Haitner et al. [16] do not limit the output length of F. Nevertheless, applying [16] with parameter ρ/2 and chopping each of the resulting forecaster's outputs to its first log 1/ρ + 1 (most significant) bits yields the desired constant output length forecaster.

Since we wish to have a forecaster for all (intermediate) backup values of π, we apply Theorem 3.2 with respect to the following variant of protocol π, which simply stops the execution at a random round.

Protocol 3.3 ($\tilde{\pi} = (\tilde{A}, \tilde{B})$).
Common input: security parameter $1^\kappa$.
Description:
1. $\tilde{A}$ samples i ← [r] and sends it to $\tilde{B}$.
2. The parties interact in the first i rounds of a random execution of $\pi(1^\kappa)$, with $\tilde{A}$ and $\tilde{B}$ taking the role of A and B respectively. Let $z_i^A$ and $z_i^B$ be the i-th backup values of A and B as computed by the parties in the above execution.
3. $\tilde{A}$ outputs $z_i^A$, and $\tilde{B}$ outputs $z_i^B$.

Let $\rho = 10^{-6} \cdot r^{-5/2}$. Let ℕ and a ppt F be the infinite set and ppt forecaster resulting by applying Theorem 3.2 with respect to protocol $\tilde{\pi}$ and ρ, and let $S^\kappa$ denote a long enough uniform string to be used by F on transcripts of $\tilde{\pi}(1^\kappa)$. The following holds with respect to π.

Claim 3.4. For i ∈ [r], it holds that

$(Z_i^{A,\kappa}, M_{\le i}^\kappa, S^\kappa) \overset{C}{\approx}_{\rho,} (U_{p_A}, M_{\le i}^\kappa, S^\kappa)_{(p_A, \cdot) = F(M_{\le i}; S^\kappa)}$, and
$(Z_i^{B,\kappa}, M_{\le i}^\kappa, S^\kappa) \overset{C}{\approx}_{\rho,} (U_{p_B}, M_{\le i}^\kappa, S^\kappa)_{(\cdot, p_B) = F(M_{\le i}; S^\kappa)}$,

letting $F(m_{\le i}; r) = F(i, m_{\le i}; r)$.

Proof. Immediate, by Theorem 3.2 and the definition of $\tilde{\pi}$.

We assume without loss of generality that the common output appears on the last message of π (otherwise, we will add a final message that contains this value, this clearly won't hurt the security of π). Hence, without loss of generality it holds that $F(m_{\le r}; \cdot) = (b, b)$, where b is the output bit as implied by $m_{\le r}$ (otherwise, we can change F to do so without hurting its forecasting quality).

For κ ∈ ℕ, we define the random variables $Y_0^\kappa, \ldots, Y_r^\kappa$, by

$Y_i^\kappa = (Y_i^{A,\kappa}, Y_i^{B,\kappa}) = F(M_{\le i}; S^\kappa)$   (12)

The expected-outcome sequence. To attack the protocol, it is useful to evaluate at each round the expected outcome of the protocol, conditioned on the forecaster's outputs so far. To alleviate notation, we assume that the value of κ is determined by $S^\kappa$.

Definition 3.5 (the expected outcome function). For κ ∈ ℕ, i ∈ [r], $y_{\le i} \in \mathrm{supp}(Y_{\le i}^\kappa)$ and $s \in \mathrm{Supp}(S^\kappa)$, let

$g(y_{\le i}, s) = \mathrm{E}[O^\kappa \mid Y_{\le i}^\kappa = y_{\le i}, S^\kappa = s]$.

Namely, $g(y_{\le i}, s)$ is the probability that the output of the protocol in a random execution is one, conditioned that $F(T_{\le j}; s) = y_j$ for every j ∈ (i), for $T_1, \ldots, T_r$ being the transcript of this execution.

Expected-outcome sequence is approximable. The following claim, proven in Section 3.1, yields that the expected-outcome sequence can be approximated efficiently.

Claim 3.6 (Expected-outcome sequence is approximable). There exists pptm G such that

$\Pr[G(Y_{\le i}^\kappa, S^\kappa) \notin g(Y_{\le i}^\kappa, S^\kappa) \pm \rho] \le \rho$

for every κ ∈ ℕ and i ∈ [r].

Algorithm G approximates the value of g on input $(y_{\le i}, s) \in \mathrm{supp}(Y_{\le i}^\kappa, S^\kappa)$ by running multiple independent instances of protocol $\pi(1^\kappa)$ and keeping track of the number of times it encounters $y_{\le i}$ and the protocol outputs one. Standard approximation techniques yield that, unless $y_{\le i}$ is very unlikely, the output of G is close to $g(y_{\le i}, s)$. Claim 3.6 follows by carefully choosing the number of iterations for G and bounding the probability of encountering an unlikely $y_{\le i}$.

Forecasted backup values are close to expected-outcome sequence. The following claim bounds the probability that the expected-outcome sequence and the forecaster's outputs deviate by more than 1/(8√r). The proof is given in Section 3.2.

Claim 3.7 (Forecasted backup values are close to expected-outcome sequence). Assuming π is -fair, then

$\Pr[\exists i \in [r] \text{ s.t. } |g(Y_{\le i}^\kappa, S^\kappa) - Y_i^{P,\kappa}| \ge 1/(8\sqrt{r})] < 1/100$

for both P ∈ {A, B} and large enough κ.

Loosely speaking, Claim 3.7 states that the expected-output sequence and the forecaster's outputs are close for a fair protocol. If not, then either of the following attackers $P^0$, $P^1$, described next, can bias the output of party P: for fixed randomness $s \in \mathrm{supp}(S^\kappa)$, attacker $P^z$ computes $y_i = F(m_{\le i}, s)$ for partial transcript $m_{\le i}$ at round i ∈ [r], and aborts as soon as $(-1)^{1-z} (G(y_{\le i}^\kappa, s) - y_i) \ge 1/(8\sqrt{r}) - \rho$. The desired bias is guaranteed by the accuracy of the forecaster (Claim 3.4), the accuracy of algorithm G (Claim 3.6) and the presumed frequency of occurrence of a suitable gap. The details of the proof are given in Section

Expected-outcome sequence has large jump. Similarly to [10], the success of our attack depends on the occurrence of large jumps in the expected-outcome sequence, which is guaranteed from the fact that the expected-outcome sequence, as defined above, is a Doob martingale, and [10, 5].

Claim 3.8 (Game values have large jump). For every κ ∈ ℕ, it holds that

$\Pr[\exists i \in [r] \colon |g(Y_{\le i}^\kappa, S^\kappa) - g(Y_{\le i-1}^\kappa, S^\kappa)| \ge 1/(4\sqrt{r})] > 1/20$.

Proof. Consider the sequence of random variables $G_0^\kappa, \ldots, G_r^\kappa$ defined by $G_i^\kappa = g(Y_{\le i}^\kappa, S^\kappa)$. Observe that this is a Doob (and hence, strong) martingale sequence, with respect to the random variables $Z_0 = S^\kappa$ and $Z_i = Y_i^\kappa$ for i ∈ [r], and the function $f(S^\kappa, Y_{\le r}^\kappa) = g(Y_{\le r}^\kappa, S^\kappa) = Y_r^\kappa[0]$ (i.e., the function that outputs the actual output of the protocol, as implied by $Y_r^\kappa$). Clearly, $G_0^\kappa = 1/2$ and $G_r^\kappa \in \{0, 1\}$ (recall that we assume that $F(M_{\le r}; \cdot) = (b, b)$, where b is the output bit as implied by $M_{\le r}$). Thus, the proof follows by Theorem 2.4.

Independence of attack decision. Claim 3.4 immediately yields that the expected values of $Y_i^P$ and $Z_i^P$ are close, for both P ∈ {A, B} and every i ∈ [r]. Assuming io-key-agreement does not exist, the following claim essentially states that this remains true, even if we condition on some event that depends on the other party's next message. This observation will allow us to show that, when a large jump in the expected-outcome is observed by one of the parties, the (expected value of the) backup value of the other party still lags behind. The following claim captures the core of the novel idea in our attack, and proving it is the more technical part of the proof of our main result.

Claim 3.9 (Independence of attack decision). Let C be a single-bit output pptm. For κ ∈ ℕ and P ∈ {A, B}, let $E_1^{P,\kappa}, \ldots, E_r^{P,\kappa}$ be the sequence of random variables such that $E_i^{P,\kappa}$ is the indicator for the event that P sends the i-th message in $\pi(1^\kappa)$ and $C(Y_{\le i}^\kappa, S^\kappa) = 1$. Assume io-key-agreement protocol does not exist, then for any P ∈ {A, B} and infinite subset , there exists an infinite set such that

$\mathrm{E}[E_{i+1}^{P,\kappa} \cdot (Z_i^{\overline{P},\kappa} - Y_i^{\overline{P},\kappa})] \in \pm 4r\rho$

for every κ and i ∈ (r − 1), where $\overline{P}$ denotes (the party in) {A, B} \ {P}.

Since

$\mathrm{E}[E_{i+1}^{P,\kappa} \cdot (Z_i^{\overline{P},\kappa} - Y_i^{\overline{P},\kappa})] = \mathrm{E}[E_{i+1}^{P,\kappa}] \cdot \mathrm{E}[Z_i^{\overline{P},\kappa} - Y_i^{\overline{P},\kappa} \mid E_{i+1}^{P,\kappa} = 1]$,

Claim 3.9 yields that the expected values $Y_i^{\overline{P}}$ and $Z_i^{\overline{P}}$ remain close, even when conditioning on a likely enough event over the next message of P. The proof of Claim 3.9 is given in Section 3.3. In essence, we use the recent dichotomy of Haitner et al. [16] to assert that if io-key-agreement does not exist, then the values of $E_{i+1}^{P,\kappa}$ and $Z_i^{\overline{P},\kappa}$ conditioned on $T_{\le i}$ (which determines the value of $Y_i^{\overline{P},\kappa}$), are (computationally) close to be in a product distribution.

Putting everything together. Equipped with the above observations, we prove Theorem 3.1 as follows.

1 Proof of Theorem 3.1. Let π be an ε = fair coin flipping protocol. By Claims 3.7 and 3.8, r we can assume without loss of generality that there exists an infinite subset such that Pr r: A sends th message in π(1 κ ) g(y, κ S κ ) Y B,κ r = (13)

We define the following ppt fail-stop attacker A taking the role of A in π. We will show below that assuming io-key-agreement does not exist, algorithm A succeeds in biasing the output of B towards zero by ε for all κ, contradicting the presumed fairness of π. In the following let G be the pptm guaranteed to exist by Claim 3.6.

Algorithm 3.10 (A ). Input: security parameter 1 κ. Description:
1. Sample s S κ and start a random execution of A(1 κ ).
2. Upon receiving the ( 1) message m 1, do
   (a) Forward m 1 to A, and let m be the next message sent by A.
   (b) Compute y = (y A, yb ) = F(m, s).
   (c) Compute g = G(y, s).
   (d) If g y B 1 + 1/16 r, abort (without sending further messages). Otherwise, send m to B and proceed to the next round.

It is clear that A is a pptm. We conclude the proof showing that assuming io-key-agreement does not exist, B's output when interacting with A is biased towards zero by at least ε. The following random variables are defined with respect to a random execution of (A, B)(1 κ ). Let S κ and Y κ = (Y1 κ,..., Y r κ ) denote the values of s and y 1,..., y r sampled by A. Let Z B,κ = (Z B,κ 1,..., Zr B,κ ) denote the backup values computed by B. For r, let E κ be the event that A decides to abort in round. Finally, let J κ be the index with E κ = 1, setting it to r + 1 if no such index exists. In the following, if we do not quantify over κ, it means that the statement holds for any κ N. By Claim 3.6 and Equation (13), Pr J κ r + 1 > ρ (14) for every κ. Where, since the events E κ and Ej κ for j are disjoint, r+1 E Z B,κ J κ 1 Y B,κ J κ 1 = E E κ (Z B,κ 1 Y B,κ 1 ) =1 r+1 = E = =1 r =1 E κ (Z B,κ 1 Y B,κ 1 ) E E κ (Z B,κ 1 Y B,κ 1 ). (15)

The last inequality holds since, by assumption, the protocol output appears in the last message, and thus without loss of generality Zr B,κ = Yr B,κ. Consider the single-bit output pptm C defined as follows: on input (y = ((y1 A, yb 1 ),..., (ya, yb )), s), it outputs one if G(y, s) y 1 B 1/16 r, and G(y j, s) yj 1 B < 1/16 r for all j < ; (otherwise, it outputs zero.) We note that the event that A sends the th message in π(1 κ ) and C(Y κ, Sκ ) = 1, and the event E κ, are identically distributed, given any fixing of (Y κ, S κ, Z B,κ ). Thus assuming io-key-agreement protocols do not exist, Claim 3.9 yields that there exists an infinite set such that E E+1 κ (Z B,κ Y B,κ ) ±4rρ (16) for every κ and r 1. Putting together Equations (15) and (16), we conclude that E Z B,κ J κ 1 Y B,κ J κ 1 ±4r 2 ρ (17) for every κ.

Recall that our goal is to show that E Z B,κ J κ 1 is significantly smaller than 1/2. We do it by showing that it is significantly smaller than E g(y κ J κ, Sκ ), which, as we show next, equals 1/2. Indeed, letting Yr+1 κ = Y r κ and g(y 1,..., y r+1, s) = g(y 1,..., y r, s), we compute E g(y κ J κ, Sκ ) = E j J κ = E j J κ = E O κ = 1/2. E(y,s (Y κ,s κ ) J κ =j E(y,s) (Y κ,s κ ) J κ =j O κ (Y, κ S κ ) = (y, s) (18) O κ (Y, κ S κ, J κ ) = (y, s, j)

Finally, let G be the value of G(Y, S κ ) computed by A in the execution of (A, B)(1 κ ) considered above, letting G r+1 = g(y κ r+1, Sκ ). Claim 3.6 yields that E g(y κ J κ, Sκ ) G J κ 2rρ (19)

Putting all the above observations together, we conclude that for every κ E Z B,κ J κ 1 = E g(y J κ κ, Sκ ) E G J κ Y B,κ J κ 1 + E Z B,κ J κ 1 Y B,κ J κ 1 E g(y J κ κ, Sκ ) G J κ 1 2 E G J κ Y B,κ J κ 1 J κ r + 1 Pr J κ r r 2 ρ + 2rρ 1 2 (1/16 r) (1/800) + 4r 2 ρ + 2rρ < r. The first inequality holds by Equation (18) and Equation (17) and Equation (19). The second inequality holds by definition of J κ and Equation (14). The last inequality holds by our choice of ρ.

3.1 Approximating the Expected-outcome Sequence

In this section we prove Claim 3.6, restated below.

Claim 3.11 (Claim 3.6, restated). There exists a pptm G such that Pr G(Y κ, S κ ) / g(y κ, S κ ) ± ρ ρ for every κ N and r.

The proof of Claim 3.11 is straightforward. Since there are only a constant number of rounds and F has constant output length, when fixing the randomness of F, the domain of G has constant size. Hence, the value of g can be well approximated via sampling. Details below.

Let c be a bound on the number of possible outputs of F (recall that F has constant output length). We are using the following implementation for G. In the following let F((m 1,..., m ); s) = (F(m 1 ; s),..., (F(m ; s)) (i.e., F(M ; S κ ) = Y ).

Algorithm 3.12 (G). Parameters: v = (1/2)(2c^r/ρ)^4 ln(8/ρ). Input: y supp(y κ ) and s Supp(Sκ ). Description:
1. Sample v transcripts { m j, out j} j v by taking the (full) transcripts and outputs of v independent executions of π(1 κ ).
2. For every j v let y j = F(mj ; s).
3. Let q = { j v: y j = y } and p = { j v: y j = y out j = 1}.
4. Set g = p/q. (Set g = 0 if q = p = 0.)
5. Output g.

Remark 3.13 (A more efficient approximator.). The running time of algorithm G above is exponential in r. While this does not pose a problem in our settings, since r is constant, it might leave the impression that our approach cannot be extended to protocols with super-constant round complexity. So it is worth mentioning that, by using the sum-of-squares weak martingale approach of Beimel et al. [5], the running time of G can be reduced to be polynomial in r. Unfortunately, we currently cannot benefit from this improvement, since the results of [16] only guarantee indistinguishability for constant ρ, which makes it useful only for attacking constant-round protocols.

We prove Claim 3.11 by showing that the above algorithm indeed approximates g well.

Proof of Claim. To prove the quality of G in approximating g, it suffices to prove the claim for every κ N, r and fixed s supp(s κ ). That is Pr g(f(m, s), s) G(F(M, s), s) ρ ρ, (20) where the probability is taken also over the random coins of G. Fix κ N and omit it from the notation, and fix r and s S κ. Let D = { y : Pr F(M, s) = y ρ/2c r }. By Hoeffding's inequality [17], for every y D, it holds that ( Pr g(y, s) G(y, s) ρ 4 exp 2 v (ρ/2c r ) 4) (21) ) 4 exp ( vρ4 8c 4r ρ/2. It follows that Pr g(f(m, s), s) G(F(M, s), s) ρ Pr (F(M j, s) / D + ρ/2 Supp(F(M j, s)) ρ/2c r + ρ/2 c r ρ/2c r + ρ/2 = ρ.

3.2 Forecasted Backup Values are Close to Expected-outcome Sequence

In this section we prove Claim 3.7, restated below.

1 Claim 3.14 (Claim 3.7, restated). Assuming π is fair, then r Pr r s.t. g(y, κ S κ ) Y P,κ 1/8 r < 1/100 for both P {A, B} and large enough κ.
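The sampling approximator of Algorithm 3.12 (Section 3.1 above), run on a toy protocol and compared against the exact conditional expectation g. This is an added example, not code from the paper: the 5-round majority protocol, the tie-breaking forecaster standing in for F, and the small sample count v are assumptions chosen so that g can be enumerated exactly.

```python
import itertools
import random
from functools import lru_cache

R = 5  # constant number of rounds (odd, so the majority is well defined)


def run_protocol(rng):
    """One honest execution of the toy protocol (an assumption of this example):
    R uniform one-bit messages, common output = majority bit."""
    m = tuple(rng.getrandbits(1) for _ in range(R))
    return m, int(sum(m) > R // 2)


@lru_cache(maxsize=None)
def forecasts(m, i, s):
    """Toy stand-in for F(m_1..m_i; s) = (y_1, ..., y_i): y_k is the bit in the
    lead after k messages; a tie is broken by the forecaster coin s[k-1]."""
    ys = []
    for k in range(1, i + 1):
        ones = sum(m[:k])
        ys.append(s[k - 1] if 2 * ones == k else int(2 * ones > k))
    return tuple(ys)


def exact_g(y, s):
    """g(y, s) = E[out | F(M_1..M_i; s) = y], by enumerating all 2^R transcripts.
    Returns 0.0 outside the support, matching the estimator's convention."""
    y, s = tuple(y), tuple(s)
    outs = [int(sum(m) > R // 2)
            for m in itertools.product((0, 1), repeat=R)
            if forecasts(m, len(y), s) == y]
    return sum(outs) / len(outs) if outs else 0.0


def estimate_g(y, s, v, rng):
    """Sampling approximator following the steps of Algorithm 3.12."""
    y, s = tuple(y), tuple(s)
    q = p = 0
    for _ in range(v):                      # step 1: v independent executions
        m, out = run_protocol(rng)
        if forecasts(m, len(y), s) == y:    # step 2: y^j = F(m^j; s)
            q += 1                          # step 3: q counts matching samples,
            p += out                        #         p those that also output 1
    return p / q if q else 0.0              # step 4: g = p/q, or 0 if q = p = 0


def worst_error(s, v, seed):
    """Largest |estimate - exact| over every forecast prefix in the support."""
    s = tuple(s)
    rng = random.Random(seed)
    support = {forecasts(m, i, s)
               for m in itertools.product((0, 1), repeat=R)
               for i in range(1, R + 1)}
    return max(abs(estimate_g(y, s, v, rng) - exact_g(y, s))
               for y in sorted(support))


if __name__ == "__main__":
    s = (0, 0, 0, 0, 0)          # constructed forecaster coins
    rng = random.Random(2018)
    for y in [(1,), (1, 0), (1, 0, 1), (0, 0, 0, 0)]:
        print(y, "exact", round(exact_g(y, s), 4),
              "estimate", round(estimate_g(y, s, 10_000, rng), 4))
    print("worst error over the support:", round(worst_error(s, 10_000, 1), 4))
```

The accuracy of each estimate is governed by q, the number of sampled transcripts whose forecast prefix matches y, which is why the proof handles low-probability prefixes (those outside D) separately.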

Proof. Assume the claim does not hold for P = B and infinitely many security parameters (the case P = A is proven analogously). That is, for all κ without loss of generality it holds that Pr r s.t. g(y, κ S κ ) Y B,κ (22) r 200

Consider the following ppt fail-stop attacker A taking the role of A in π, to bias the output of B towards zero.

Algorithm 3.15 (A ). Input: security parameter 1 κ. Description:
1. Sample s S κ and start a random execution of A(1 κ ).
2. For = 1... r: After sending (or receiving) the prescribed message m :
   (a) Let y = F(m ; s) and µ = G(y, s) y.
   (b) Abort if µ 1 8 r ρ (without sending further messages). Otherwise, proceed to the next round.

In the following we fix a large enough κ such that Equation (22) holds, and omit it from the notation when clear from the context. We show that algorithm A biases the output of B towards zero by at least 1/(6400 r). We associate the following random variables with a random execution of (A, B). Let J denote the index where the adversary aborted, i.e., the smallest j such that G(Y j, S) Y B j 1 8 r ρ, or J = r if no abort occurred. The following expectations are taken over (Y, S) and the random coins of G. We bound E ZJ B, i.e., the expected output of the honest party. E Z B J = E Z B J + E g(Y J, S) E g(Y J, S) + E = E g(Y J, S) E = 1 2 E G(Y J, S) Y B G(Y J, S) Y B J J G(Y J, S) YJ B E G(Y J, S) YJ B + E G(Y J, S) g(Y J, S) + E ZJ B YJ B ZJ B YJ B. + E G(Y J, S) g(Y J, S) + E The last equation follows from the fact that E g(Y J, S) = E out and thus E g(Y J, S) = 1 2 (see a more detailed argument in the text following ??). We bound each of the terms above separately. (23)

First, observe that Pr J r (24) ( Pr ( r: G(Y, S) g(Y, S) ρ) j r: g(y j, S) Yj B 1 ) 8 r Pr j r: g(y j, S) Y j 1 8 Pr r: G(Y, S) g(Y, S) > ρ r ρ The penultimate inequality is by Equation (23) and Claim 3.6. It follows that E g(Y J, S) YJ B = Pr J r E g(Y J, S) YJ B J r 1 ( ) r ρ E G(Y J, S) g(Y J, S) r 3ρ. The penultimate inequality is by Claim 3.6. Finally, since we were taking κ large enough, Claim 3.4 and a data-processing argument yield that E ZJ B YJ B rρ (26) We conclude that E g(Y J, S) YJ B r (r + 3)ρ > 1/(6400 r), in contradiction to the assumed fairness of π.

3.3 Independence of Attack Decision

In this section we prove Claim 3.9, restated below.

Claim 3.16 (Claim 3.9, restated). Let C be a single-bit output pptm. For κ N and P {A, B}, let E P,κ 1,..., Er P,κ be the sequence of random variables such that E P,κ is the indicator for the event P sends the th message in π(1 κ ) C(Y κ, S κ ) = 1. Assume io-key-agreement protocol does not exist, then for any P {A, B} and infinite subset, there exists an infinite set such that E E P,κ +1 (ZP,κ Y P,κ ) ±4rρ for every κ and (r 1), where P denotes (the party in) {A, B} \ {P}.

We prove for P = A. Consider the following variant of π in which the party playing A is outputting E A and the party playing B is outputting its backup value. (25)

Protocol 3.17 ( π = (Â, B ) ). Common input: security parameter 1 κ. Description:
1. Party Â samples r and s Sκ, and sends them to B.
2. The parties interact in the first 1 rounds of a random execution of π(1 κ ), with Â and B taking the role of A and B respectively. Let m 1,..., m 1 be the messages, and let z 1 B be the ( 1) backup output of B in the above execution.
3. Â sets the value of ea as follows: if A sends the 1 message above, then it sets e A = 0. Otherwise, it
   (a) Continues the above execution of π to compute its next message m.
   (b) Computes y = F(m, s).
   (c) Let e A = C(y, s).
4. Â outputs ea and B outputs z B

We apply the following dichotomy result of Haitner et al. [16] on the above protocol.

Theorem 3.18 (Haitner et al. [16], Thm. 3.18, dichotomy of two-party protocols). Let be an efficient single-bit output two-party protocol. Assume io-key-agreement protocol does not exist, then for any constant ρ > 0 and infinite subset N, there exists a ppt algorithm Dcr (decorrelator) mapping transcripts of into (the binary description of) pairs in 0, 1 0, 1 and an infinite set N, such that the following holds: let O A,κ, O B,κ and T κ denote the parties' output and protocol transcript in a random execution of (1 κ ). Let m(κ) poly be a bound on the number of coins used by F on transcripts in supp(t κ ), and let S κ be a uniform string of length m(κ). Then (O A,κ, O B,κ, T κ, S κ ) C ρ, (U p A, U p A, T κ, S κ ) (p A,p B )=Dcr(T κ ;S κ ) letting U p be a Boolean random variable taking the value one with probability p.

Proof of Claim. Assume io-key-agreement does not exist, and let and a ppt Dcr be the infinite set and ppt decorrelator resulting by applying Theorem 3.18 with respect to protocol π and ρ. Let Ŝκ denote a long enough uniform string to be used by Dcr on transcripts of π(1 κ ). Then for (r 1), it holds that (E A,κ +1, ZB,κ, M κ, S κ, Ŝκ ) C ρ, (U p A, U p B, M κ, S κ, Ŝκ ) (p A,p B )=Dcr(M,S κ ;Ŝκ ) (27) letting Dcr(m, s; ŝ) = Dcr(, s, m ; ŝ). For r, let W κ = (W A,κ, W B,κ ) = Dcr(M, S κ ; Ŝκ ).

The proof of Claim 3.19 follows by the following three observations, proven below, that hold for large enough κ.

Claim E Claim E Claim E E A,κ +1 ZB,κ W A,κ W A,κ It follows that E Y B,κ W B,κ ±4rρ for every (r 1). Proving Claim W A,κ W B,κ E A,κ +1 Y B,κ W A,κ Y B,κ E P,κ +1 ZP,κ E P,κ +1 Y P,κ ±ρ. ±ρ. ±2ρ. ±4ρ, and thus E E P,κ +1 ZP,κ E P,κ +1 Y P,κ

Proof of Claim Consider algorithm D that on input (z A, z B, ), outputs z A z B. By definition, 1. Pr D(U W A,κ, U W B,κ, M κ, Sκ ) = 1 = E U W A,κ U W B,κ = E W A,κ W B,κ, and 2. Pr D(E A,κ +1, ZB,κ, M κ, Sκ ) = 1 = E E A,κ +1 ZB,κ. Hence, the proof follows by Equation (27).

Proving Claim Proof of Claim Consider the algorithm D that on input (z A, z B, (m, s)): (1) computes (, y B ) = F(m ; s), (2) samples u U y B, (3) outputs z A u. By definition, 1. Pr D(U W A,κ, U W B,κ, M κ, Sκ ) = 1 = E U W A,κ U Y B,κ = E W A,κ Y B,κ, and 2. Pr D(E A,κ +1, ZB,κ, M κ, Sκ ) = 1 = E E A,κ +1 U Y B,κ = E E A,κ +1 Y B,κ. Hence, also in this case the proof follows by Equation (27).

Proving Claim Proof of Claim Since W A,κ W B,κ 1, it suffices to prove E Y B,κ 2ρ. We show that W B,κ if E Y B,κ > 2ρ, then there exists a distinguisher with advantage greater than ρ for either the real outputs of π and the emulated outputs of Dcr, or, the real outputs of π and the emulated outputs of F, in contradiction with the assumed properties of Dcr and F. Consider algorithm D that on input (z A, z B, m, s) acts as follows: (1) samples ŝ Ŝκ, (2) computes (, y B ) = F(m ; s) and (, w B ) = Dcr(m, s; ŝ), (3) outputs z B if w B y B, and 1 z B otherwise. We compute the difference in probability that D outputs one given a sample from Dcr(M κ ) or a sample from F(M κ ) (we omit the superscript κ and subscript below to reduce clutter) Pr D(U W A,κ, U W B,κ, M, κ S κ ) = 1 Pr D(U Y A,κ, U Y B,κ, M, κ S κ ) = 1 = E U W B W B Y B Pr W B Y B + E 1 U W B W B < Y B Pr W B < Y B E U Y B W B Y B Pr W B Y B E 1 U Y B W B < Y B Pr W B < Y B = E W B W B Y B Pr W B Y B E W B W B < Y B Pr W B < Y B E Y B W B Y B Pr W B Y B + E Y B W B < Y B Pr W B < Y B = E W B Y B W B Y B Pr W B Y B + E W B + Y B W B < Y B Pr W B < Y B W = E Y B > 2ρ. An averaging argument yields that either D is a distinguisher for (U Y A,κ, Z B,κ, M κ, Sκ ) with advantage greater than ρ, in contradiction with Claim 3.4, or, D is (Z A,κ, U Y B,κ, M κ, Sκ ) and a distinguisher for (U W A,κ, U W B,κ, M κ, Sκ ) and (E A,κ, Z B,κ, M κ, Sκ ) with advantage greater than ρ, in contradiction with Equation (27).

References

[1] B. Alon and E. Omri. Almost-optimally fair multiparty coin-tossing with nearly three-quarters malicious. In Proceedings of the 14th Theory of Cryptography Conference, TCC 2016-B, part I, pages ,
[2] B. Averbuch, M. Blum, B. Chor, S. Goldwasser, and S. Micali. How to implement Bracha's O(log n) Byzantine agreement algorithm, Unpublished manuscript.
[3] B. Awerbuch, M. Blum, B. Chor, S. Goldwasser, and S. Micali. How to implement Bracha's O(log n) byzantine agreement algorithm. Unpublished manuscript,
[4] A. Beimel, E. Omri, and I. Orlov. Protocols for multiparty coin toss with a dishonest majority. Journal of Cryptology, 28(3): ,
[5] A. Beimel, I. Haitner, N. Makriyannis, and E. Omri. Tighter bounds on multi-party coin flipping, via augmented weak martingales and differentially private sampling. Technical Report TR17-168, Electronic Colloquium on Computational Complexity,
[6] I. Berman, I. Haitner, and A. Tentes. Coin flipping of any constant bias implies one-way functions. Journal of the ACM, 65(3):14,
[7] M. Blum. How to exchange (secret) keys. ACM Transactions on Computer Systems,
[8] N. Buchbinder, I. Haitner, N. Levi, and E. Tsfadia. Fair coin flipping: Tighter analysis and the many-party case. In Proceedings of the 28th Annual ACM-SIAM Symposium on Discrete Algorithms (SODA), pages ,

[9] R. Cleve. Limits on the security of coin flips when half the processors are faulty. In Proceedings of the 18th Annual ACM Symposium on Theory of Computing (STOC), pages ,
[10] R. Cleve and R. Impagliazzo. Martingales, collective coin flipping and discrete control processes (extended abstract) ,
[11] D. Dachman-Soled, Y. Lindell, M. Mahmoody, and T. Malkin. On the black-box complexity of optimally-fair coin tossing. In Proceedings of the 8th Theory of Cryptography Conference, TCC 2011, volume 6597, pages ,
[12] D. Dachman-Soled, M. Mahmoody, and T. Malkin. Can optimally-fair coin tossing be based on one-way functions? In Y. Lindell, editor, Theory of Cryptography - 11th Theory of Cryptography Conference, TCC 2014, volume 8349 of Lecture Notes in Computer Science, pages Springer,
[13] I. Haitner and E. Omri. Coin flipping with constant bias implies one-way functions. SIAM Journal on Computing, 43(2): ,
[14] I. Haitner and E. Tsfadia. An almost-optimally fair three-party coin-flipping protocol. In Proceedings of the 46th Annual ACM Symposium on Theory of Computing (STOC), pages ,
[15] I. Haitner and E. Tsfadia. An almost-optimally fair three-party coin-flipping protocol. SIAM J. Comput., 46(2): ,
[16] I. Haitner, K. Nissim, E. Omri, R. Shaltiel, and J. Silbak. Computational two-party correlation. Technical Report TR18-071, Electronic Colloquium on Computational Complexity,
[17] W. Hoeffding. Probability inequalities for sums of bounded random variables. Journal of the American Statistical Association, pages 13–30,
[18] R. Impagliazzo and M. Luby. One-way functions are essential for complexity based cryptography. In Proceedings of the 30th Annual Symposium on Foundations of Computer Science (FOCS), pages ,
[19] H. K. Maji, M. Prabhakaran, and A. Sahai. On the computational complexity of coin flipping. In Proceedings of the 51st Annual Symposium on Foundations of Computer Science (FOCS), pages ,
[20] T. Moran, M. Naor, and G. Segev. An optimally fair coin toss. In Proceedings of the 6th Theory of Cryptography Conference, TCC 2009, pages 1–18,
[21] T. Moran, M. Naor, and G. Segev. An optimally fair coin toss. Journal of Cryptology, 29(3): ,


More information

Chapter 5 Student Lecture Notes 5-1

Chapter 5 Student Lecture Notes 5-1 Chapter 5 Student Lecture Notes 5-1 Basc Busness Statstcs (9 th Edton) Chapter 5 Some Important Dscrete Probablty Dstrbutons 004 Prentce-Hall, Inc. Chap 5-1 Chapter Topcs The Probablty Dstrbuton of a Dscrete

More information

Introduction to game theory

Introduction to game theory Introducton to game theory Lectures n game theory ECON5210, Sprng 2009, Part 1 17.12.2008 G.B. Ashem, ECON5210-1 1 Overvew over lectures 1. Introducton to game theory 2. Modelng nteractve knowledge; equlbrum

More information

PREFERENCE DOMAINS AND THE MONOTONICITY OF CONDORCET EXTENSIONS

PREFERENCE DOMAINS AND THE MONOTONICITY OF CONDORCET EXTENSIONS PREFERECE DOMAIS AD THE MOOTOICITY OF CODORCET EXTESIOS PAUL J. HEALY AD MICHAEL PERESS ABSTRACT. An alternatve s a Condorcet wnner f t beats all other alternatves n a parwse majorty vote. A socal choce

More information

An Application of Alternative Weighting Matrix Collapsing Approaches for Improving Sample Estimates

An Application of Alternative Weighting Matrix Collapsing Approaches for Improving Sample Estimates Secton on Survey Research Methods An Applcaton of Alternatve Weghtng Matrx Collapsng Approaches for Improvng Sample Estmates Lnda Tompkns 1, Jay J. Km 2 1 Centers for Dsease Control and Preventon, atonal

More information

4.4 Doob s inequalities

4.4 Doob s inequalities 34 CHAPTER 4. MARTINGALES 4.4 Doob s nequaltes The frst nterestng consequences of the optonal stoppng theorems are Doob s nequaltes. If M n s a martngale, denote M n =max applen M. Theorem 4.8 If M n s

More information

Creating a zero coupon curve by bootstrapping with cubic splines.

Creating a zero coupon curve by bootstrapping with cubic splines. MMA 708 Analytcal Fnance II Creatng a zero coupon curve by bootstrappng wth cubc splnes. erg Gryshkevych Professor: Jan R. M. Röman 0.2.200 Dvson of Appled Mathematcs chool of Educaton, Culture and Communcaton

More information

MULTIPLE CURVE CONSTRUCTION

MULTIPLE CURVE CONSTRUCTION MULTIPLE CURVE CONSTRUCTION RICHARD WHITE 1. Introducton In the post-credt-crunch world, swaps are generally collateralzed under a ISDA Master Agreement Andersen and Pterbarg p266, wth collateral rates

More information

Fall 2017 Social Sciences 7418 University of Wisconsin-Madison Problem Set 3 Answers

Fall 2017 Social Sciences 7418 University of Wisconsin-Madison Problem Set 3 Answers ublc Affars 854 enze D. Chnn Fall 07 Socal Scences 748 Unversty of Wsconsn-adson roblem Set 3 Answers Due n Lecture on Wednesday, November st. " Box n" your answers to the algebrac questons.. Fscal polcy

More information

Financial mathematics

Financial mathematics Fnancal mathematcs Jean-Luc Bouchot jean-luc.bouchot@drexel.edu February 19, 2013 Warnng Ths s a work n progress. I can not ensure t to be mstake free at the moment. It s also lackng some nformaton. But

More information

Economic Design of Short-Run CSP-1 Plan Under Linear Inspection Cost

Economic Design of Short-Run CSP-1 Plan Under Linear Inspection Cost Tamkang Journal of Scence and Engneerng, Vol. 9, No 1, pp. 19 23 (2006) 19 Economc Desgn of Short-Run CSP-1 Plan Under Lnear Inspecton Cost Chung-Ho Chen 1 * and Chao-Yu Chou 2 1 Department of Industral

More information

4. Greek Letters, Value-at-Risk

4. Greek Letters, Value-at-Risk 4 Greek Letters, Value-at-Rsk 4 Value-at-Rsk (Hull s, Chapter 8) Math443 W08, HM Zhu Outlne (Hull, Chap 8) What s Value at Rsk (VaR)? Hstorcal smulatons Monte Carlo smulatons Model based approach Varance-covarance

More information

Lecture Note 1: Foundations 1

Lecture Note 1: Foundations 1 Economcs 703 Advanced Mcroeconomcs Prof. Peter Cramton ecture Note : Foundatons Outlne A. Introducton and Examples B. Formal Treatment. Exstence of Nash Equlbrum. Exstence wthout uas-concavty 3. Perfect

More information

Sequential equilibria of asymmetric ascending auctions: the case of log-normal distributions 3

Sequential equilibria of asymmetric ascending auctions: the case of log-normal distributions 3 Sequental equlbra of asymmetrc ascendng auctons: the case of log-normal dstrbutons 3 Robert Wlson Busness School, Stanford Unversty, Stanford, CA 94305-505, USA Receved: ; revsed verson. Summary: The sequental

More information

UNIVERSITY OF NOTTINGHAM

UNIVERSITY OF NOTTINGHAM UNIVERSITY OF NOTTINGHAM SCHOOL OF ECONOMICS DISCUSSION PAPER 99/28 Welfare Analyss n a Cournot Game wth a Publc Good by Indraneel Dasgupta School of Economcs, Unversty of Nottngham, Nottngham NG7 2RD,

More information

Likelihood Fits. Craig Blocker Brandeis August 23, 2004

Likelihood Fits. Craig Blocker Brandeis August 23, 2004 Lkelhood Fts Crag Blocker Brandes August 23, 2004 Outlne I. What s the queston? II. Lkelhood Bascs III. Mathematcal Propertes IV. Uncertantes on Parameters V. Mscellaneous VI. Goodness of Ft VII. Comparson

More information

Multifactor Term Structure Models

Multifactor Term Structure Models 1 Multfactor Term Structure Models A. Lmtatons of One-Factor Models 1. Returns on bonds of all maturtes are perfectly correlated. 2. Term structure (and prces of every other dervatves) are unquely determned

More information

Interval Estimation for a Linear Function of. Variances of Nonnormal Distributions. that Utilize the Kurtosis

Interval Estimation for a Linear Function of. Variances of Nonnormal Distributions. that Utilize the Kurtosis Appled Mathematcal Scences, Vol. 7, 013, no. 99, 4909-4918 HIKARI Ltd, www.m-hkar.com http://dx.do.org/10.1988/ams.013.37366 Interval Estmaton for a Lnear Functon of Varances of Nonnormal Dstrbutons that

More information

Notes on experimental uncertainties and their propagation

Notes on experimental uncertainties and their propagation Ed Eyler 003 otes on epermental uncertantes and ther propagaton These notes are not ntended as a complete set of lecture notes, but nstead as an enumeraton of some of the key statstcal deas needed to obtan

More information

ECONOMETRICS - FINAL EXAM, 3rd YEAR (GECO & GADE)

ECONOMETRICS - FINAL EXAM, 3rd YEAR (GECO & GADE) ECONOMETRICS - FINAL EXAM, 3rd YEAR (GECO & GADE) May 17, 2016 15:30 Frst famly name: Name: DNI/ID: Moble: Second famly Name: GECO/GADE: Instructor: E-mal: Queston 1 A B C Blank Queston 2 A B C Blank Queston

More information

Maximum Likelihood Estimation of Isotonic Normal Means with Unknown Variances*

Maximum Likelihood Estimation of Isotonic Normal Means with Unknown Variances* Journal of Multvarate Analyss 64, 183195 (1998) Artcle No. MV971717 Maxmum Lelhood Estmaton of Isotonc Normal Means wth Unnown Varances* Nng-Zhong Sh and Hua Jang Northeast Normal Unversty, Changchun,Chna

More information

Analysis of Variance and Design of Experiments-II

Analysis of Variance and Design of Experiments-II Analyss of Varance and Desgn of Experments-II MODULE VI LECTURE - 4 SPLIT-PLOT AND STRIP-PLOT DESIGNS Dr. Shalabh Department of Mathematcs & Statstcs Indan Insttute of Technology Kanpur An example to motvate

More information

Supplementary material for Non-conjugate Variational Message Passing for Multinomial and Binary Regression

Supplementary material for Non-conjugate Variational Message Passing for Multinomial and Binary Regression Supplementary materal for Non-conjugate Varatonal Message Passng for Multnomal and Bnary Regresson October 9, 011 1 Alternatve dervaton We wll focus on a partcular factor f a and varable x, wth the am

More information

Cracking VAR with kernels

Cracking VAR with kernels CUTTIG EDGE. PORTFOLIO RISK AALYSIS Crackng VAR wth kernels Value-at-rsk analyss has become a key measure of portfolo rsk n recent years, but how can we calculate the contrbuton of some portfolo component?

More information

Final Examination MATH NOTE TO PRINTER

Final Examination MATH NOTE TO PRINTER Fnal Examnaton MATH 329 2005 01 1 NOTE TO PRINTER (These nstructons are for the prnter. They should not be duplcated.) Ths examnaton should be prnted on 8 1 2 14 paper, and stapled wth 3 sde staples, so

More information

Deterministic rendezvous, treasure hunts and strongly universal exploration sequences

Deterministic rendezvous, treasure hunts and strongly universal exploration sequences Determnstc rendezvous, treasure hunts and strongly unversal exploraton sequences Amnon Ta-Shma Ur Zwck Abstract We obtan several mproved solutons for the determnstc rendezvous problem n general undrected

More information

Problems to be discussed at the 5 th seminar Suggested solutions

Problems to be discussed at the 5 th seminar Suggested solutions ECON4260 Behavoral Economcs Problems to be dscussed at the 5 th semnar Suggested solutons Problem 1 a) Consder an ultmatum game n whch the proposer gets, ntally, 100 NOK. Assume that both the proposer

More information

Final Exam. 7. (10 points) Please state whether each of the following statements is true or false. No explanation needed.

Final Exam. 7. (10 points) Please state whether each of the following statements is true or false. No explanation needed. Fnal Exam Fall 4 Econ 8-67 Closed Book. Formula Sheet Provded. Calculators OK. Tme Allowed: hours Please wrte your answers on the page below each queston. (5 ponts) Assume that the rsk-free nterest rate

More information

Dr. A. Sudhakaraiah* V. Rama Latha E.Gnana Deepika

Dr. A. Sudhakaraiah* V. Rama Latha E.Gnana Deepika Internatonal Journal Of Scentfc & Engneerng Research, Volume, Issue 6, June-0 ISSN - Splt Domnatng Set of an Interval Graph Usng an Algorthm. Dr. A. Sudhakaraah* V. Rama Latha E.Gnana Deepka Abstract :

More information

Economics 1410 Fall Section 7 Notes 1. Define the tax in a flexible way using T (z), where z is the income reported by the agent.

Economics 1410 Fall Section 7 Notes 1. Define the tax in a flexible way using T (z), where z is the income reported by the agent. Economcs 1410 Fall 2017 Harvard Unversty Yaan Al-Karableh Secton 7 Notes 1 I. The ncome taxaton problem Defne the tax n a flexble way usng T (), where s the ncome reported by the agent. Retenton functon:

More information

A Constant-Factor Approximation Algorithm for Network Revenue Management

A Constant-Factor Approximation Algorithm for Network Revenue Management A Constant-Factor Approxmaton Algorthm for Networ Revenue Management Yuhang Ma 1, Paat Rusmevchentong 2, Ma Sumda 1, Huseyn Topaloglu 1 1 School of Operatons Research and Informaton Engneerng, Cornell

More information

New Distance Measures on Dual Hesitant Fuzzy Sets and Their Application in Pattern Recognition

New Distance Measures on Dual Hesitant Fuzzy Sets and Their Application in Pattern Recognition Journal of Artfcal Intellgence Practce (206) : 8-3 Clausus Scentfc Press, Canada New Dstance Measures on Dual Hestant Fuzzy Sets and Ther Applcaton n Pattern Recognton L Xn a, Zhang Xaohong* b College

More information

Finite Math - Fall Section Future Value of an Annuity; Sinking Funds

Finite Math - Fall Section Future Value of an Annuity; Sinking Funds Fnte Math - Fall 2016 Lecture Notes - 9/19/2016 Secton 3.3 - Future Value of an Annuty; Snkng Funds Snkng Funds. We can turn the annutes pcture around and ask how much we would need to depost nto an account

More information

A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware Encryption Scheme

A Black-Box Construction of a CCA2 Encryption Scheme from a Plaintext Aware Encryption Scheme A Black-Box Constructon of a CCA2 Encrypton Scheme from a Plantext Aware Encrypton Scheme Dana Dachman-Soled Unversty of Maryland danadach@ece.umd.edu October 4, 203 Abstract We present a constructon of

More information

Survey of Math: Chapter 22: Consumer Finance Borrowing Page 1

Survey of Math: Chapter 22: Consumer Finance Borrowing Page 1 Survey of Math: Chapter 22: Consumer Fnance Borrowng Page 1 APR and EAR Borrowng s savng looked at from a dfferent perspectve. The dea of smple nterest and compound nterest stll apply. A new term s the

More information

Lecture Note 2 Time Value of Money

Lecture Note 2 Time Value of Money Seg250 Management Prncples for Engneerng Managers Lecture ote 2 Tme Value of Money Department of Systems Engneerng and Engneerng Management The Chnese Unversty of Hong Kong Interest: The Cost of Money

More information

Cofactorisation strategies for the number field sieve and an estimate for the sieving step for factoring 1024-bit integers

Cofactorisation strategies for the number field sieve and an estimate for the sieving step for factoring 1024-bit integers Cofactorsaton strateges for the number feld seve and an estmate for the sevng step for factorng 1024-bt ntegers Thorsten Klenjung Unversty of Bonn, Department of Mathematcs, Berngstraße 1, D-53115 Bonn,

More information

references Chapters on game theory in Mas-Colell, Whinston and Green

references Chapters on game theory in Mas-Colell, Whinston and Green Syllabus. Prelmnares. Role of game theory n economcs. Normal and extensve form of a game. Game-tree. Informaton partton. Perfect recall. Perfect and mperfect nformaton. Strategy.. Statc games of complete

More information

A DUAL EXTERIOR POINT SIMPLEX TYPE ALGORITHM FOR THE MINIMUM COST NETWORK FLOW PROBLEM

A DUAL EXTERIOR POINT SIMPLEX TYPE ALGORITHM FOR THE MINIMUM COST NETWORK FLOW PROBLEM Yugoslav Journal of Operatons Research Vol 19 (2009), Number 1, 157-170 DOI:10.2298/YUJOR0901157G A DUAL EXTERIOR POINT SIMPLEX TYPE ALGORITHM FOR THE MINIMUM COST NETWORK FLOW PROBLEM George GERANIS Konstantnos

More information

Evaluating Performance

Evaluating Performance 5 Chapter Evaluatng Performance In Ths Chapter Dollar-Weghted Rate of Return Tme-Weghted Rate of Return Income Rate of Return Prncpal Rate of Return Daly Returns MPT Statstcs 5- Measurng Rates of Return

More information

Jeffrey Ely. October 7, This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License.

Jeffrey Ely. October 7, This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License. October 7, 2012 Ths work s lcensed under the Creatve Commons Attrbuton-NonCommercal-ShareAlke 3.0 Lcense. Recap We saw last tme that any standard of socal welfare s problematc n a precse sense. If we want

More information

3/3/2014. CDS M Phil Econometrics. Vijayamohanan Pillai N. Truncated standard normal distribution for a = 0.5, 0, and 0.5. CDS Mphil Econometrics

3/3/2014. CDS M Phil Econometrics. Vijayamohanan Pillai N. Truncated standard normal distribution for a = 0.5, 0, and 0.5. CDS Mphil Econometrics Lmted Dependent Varable Models: Tobt an Plla N 1 CDS Mphl Econometrcs Introducton Lmted Dependent Varable Models: Truncaton and Censorng Maddala, G. 1983. Lmted Dependent and Qualtatve Varables n Econometrcs.

More information

The convolution computation for Perfectly Matched Boundary Layer algorithm in finite differences

The convolution computation for Perfectly Matched Boundary Layer algorithm in finite differences The convoluton computaton for Perfectly Matched Boundary Layer algorthm n fnte dfferences Herman Jaramllo May 10, 2016 1 Introducton Ths s an exercse to help on the understandng on some mportant ssues

More information

Members not eligible for this option

Members not eligible for this option DC - Lump sum optons R6.1 Uncrystallsed funds penson lump sum An uncrystallsed funds penson lump sum, known as a UFPLS (also called a FLUMP), s a way of takng your penson pot wthout takng money from a

More information

Repeated Games against Budgeted Adversaries

Repeated Games against Budgeted Adversaries Repeated Games aganst Budgeted Adversares Jacob Abernethy Dvson of Computer Scence UC Berkeley jake@cs.berkeley.edu Manfred K. Warmuth Department of Computer Scence UC Santa Cruz manfred@cse.ucsc.edu Abstract

More information

University of Toronto November 9, 2006 ECO 209Y MACROECONOMIC THEORY. Term Test #1 L0101 L0201 L0401 L5101 MW MW 1-2 MW 2-3 W 6-8

University of Toronto November 9, 2006 ECO 209Y MACROECONOMIC THEORY. Term Test #1 L0101 L0201 L0401 L5101 MW MW 1-2 MW 2-3 W 6-8 Department of Economcs Prof. Gustavo Indart Unversty of Toronto November 9, 2006 SOLUTION ECO 209Y MACROECONOMIC THEORY Term Test #1 A LAST NAME FIRST NAME STUDENT NUMBER Crcle your secton of the course:

More information

University of Toronto November 9, 2006 ECO 209Y MACROECONOMIC THEORY. Term Test #1 L0101 L0201 L0401 L5101 MW MW 1-2 MW 2-3 W 6-8

University of Toronto November 9, 2006 ECO 209Y MACROECONOMIC THEORY. Term Test #1 L0101 L0201 L0401 L5101 MW MW 1-2 MW 2-3 W 6-8 Department of Economcs Prof. Gustavo Indart Unversty of Toronto November 9, 2006 SOLUTION ECO 209Y MACROECONOMIC THEORY Term Test #1 C LAST NAME FIRST NAME STUDENT NUMBER Crcle your secton of the course:

More information

A Game-Theoretic Approach for Integrity Assurance in Resource-Bounded Systems

A Game-Theoretic Approach for Integrity Assurance in Resource-Bounded Systems Internatonal Journal of Informaton Securty 208 7:22 242 https://do.org/0.007/s0207-07-0364-2 A Game-Theoretc Approach for Integrty Assurance n Resource-Bounded Systems Aron aszka Yevgeny Vorobeychk Xenofon

More information

Principles of Finance

Principles of Finance Prncples of Fnance Grzegorz Trojanowsk Lecture 6: Captal Asset Prcng Model Prncples of Fnance - Lecture 6 1 Lecture 6 materal Requred readng: Elton et al., Chapters 13, 14, and 15 Supplementary readng:

More information

STOCHASTIC COALESCENCE IN LOGARITHMIC TIME

STOCHASTIC COALESCENCE IN LOGARITHMIC TIME STOCHASTIC COALESCENCE IN LOGARITHMIC TIME PO-SHEN LOH AND EYAL LUBETZKY Abstract. The followng dstrbuted coalescence protocol was ntroduced by Dahla Malkh n 006 motvated by applcatons n socal networkng.

More information

Consensus Patterns (Probably) Has no EPTAS

Consensus Patterns (Probably) Has no EPTAS Consensus Patterns (Probably) Has no EPTAS Chrstna Boucher Chrstne Lo Danel Lokshantov June 23, 2015 Abstract Gven n length-l strngs S = {s 1,..., s n } over a constant sze alphabet Σ together wth an nteger

More information

Midterm Exam. Use the end of month price data for the S&P 500 index in the table below to answer the following questions.

Midterm Exam. Use the end of month price data for the S&P 500 index in the table below to answer the following questions. Unversty of Washngton Summer 2001 Department of Economcs Erc Zvot Economcs 483 Mdterm Exam Ths s a closed book and closed note exam. However, you are allowed one page of handwrtten notes. Answer all questons

More information

arxiv: v1 [q-fin.pm] 13 Feb 2018

arxiv: v1 [q-fin.pm] 13 Feb 2018 WHAT IS THE SHARPE RATIO, AND HOW CAN EVERYONE GET IT WRONG? arxv:1802.04413v1 [q-fn.pm] 13 Feb 2018 IGOR RIVIN Abstract. The Sharpe rato s the most wdely used rsk metrc n the quanttatve fnance communty

More information