
Functionality F_MCF

F_MCF, activated with session identifier sid, proceeds as follows, running with parties P_1, ..., P_n, an adversary S, and a computational security parameter 1^κ. (Note: the suffix [ℓ] may be added to the notation to denote the obvious restriction to bit-strings of length ℓ.)

Start instructions.

– When receiving a message (cf-start-1, sid, cfid, P_A, P_B, ℓ) from a running party P_A, A ∈ [n], with sub-session identifier (cfid, P_A, P_B), where P_B, B ∈ [n], and specifying a polynomial target-length ℓ ∈ O(poly(κ)): record the tuple (cf-start-1, cfid, P_A, P_B, ℓ), send (cf-start-1-receipt, sid, cfid, P_A, P_B, ℓ) to the adversary S, and ignore subsequent messages of type (cf-start-1, sid, cfid, P_A, P_B, ...).

– When receiving a message (cf-start-2, sid, cfid, P_A, P_B, ℓ) from P_B, do the same as in the previous item but replacing cf-start-1 by cf-start-2 and cf-start-1-receipt by cf-start-2-receipt.

First delivery. After receiving a pair of correlated messages as specified in the previous two items, i.e., with the same sub-session identifier (cfid, P_A, P_B) and covering the message types cf-start-1 and cf-start-2, if the target-length specified in the two messages is the same:

– then uniformly sample a bit-string m ∈ {0,1}^ℓ, send (cf-deliver-1, sid, cfid, P_A, P_B, m) to P_A (i.e., to the party whose initial message was of type cf-start-1), send (cf-deliver-1-receipt, sid, cfid, P_A, P_B) to the adversary S,^a and record (cf-deliver-1, (cfid, P_A, P_B));

– else send (cf-fail, sid, cfid, P_A, P_B) to both parties P_A, P_B and to the adversary S, and record the tuple (cf-end, (cfid, P_A, P_B)).

Second delivery. Upon receiving (cf-OK, sid, cfid, P_A, P_B) from P_A, if (cf-deliver-1, (cfid, P_A, P_B)) has been recorded and (cf-end, (cfid, P_A, P_B)) has not been recorded, then send (cf-deliver-2, sid, cfid, P_A, P_B, m) to P_B and (cf-deliver-2-receipt, sid, cfid, P_A, P_B) to the adversary S, and record (cf-end, (cfid, P_A, P_B)).

Early abort requests.

– Upon receiving (cf-abort-1, sid, (cfid, P_A, P_B)) from P_A, if (cf-start-1, cfid, P_A, P_B, ℓ) has been recorded and (cf-end, (cfid, P_A, P_B)) has not been recorded, then send (abort-1, sid, (cfid, P_A, P_B)) to P_B and to S, and record (cf-end, (cfid, P_A, P_B)).

– Upon receiving (cf-abort-2, sid, (cfid, P_A, P_B)) from P_B, do the same as in the previous item but replacing cf-abort-1 with cf-abort-2 (and, correspondingly, cf-start-1 with cf-start-2), and replacing the recipient P_B by P_A.

^a Notice that S does not obtain the message m from the receipt. However, if S is controlling P_A then it will be able to read that value inside the cf-deliver-1 message.

Fig. 6. Ideal functionality for multiple bit-string coin-flippings.

The traditional template (possibly the simplest) for a simulatable protocol of two-party coin-flipping into-the-well requires a single party to use an extractable and equivocable commitment scheme to commit to her contribution. This is concisely described in Fig. 7, with the two parties being called P_A and P_B. In a setup phase, P_A and P_B are activated to start a coin-flipping for a given target length, agreeing that P_A is the one to learn the bit-string first (79)-(80). P_A selects her contribution randomly (81) and then commits to it using an X-commit phase (82), i.e., such that a simulator in the role of P_B would be able to extract the contribution of P_A in this step. Then, P_B simply decides (83) and sends his random contribution to P_A (84). Then, using a Q-open phase, P_A opens her contribution to P_B (85), i.e., such that a simulator in the role of P_A would be able to successfully open any contribution of her choice, namely one decided only after knowing the contribution of P_B. Finally, each party locally computes the final output as a combination of both contributions (86), and each party outputs the result (87)-(88).
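The message-ordering rules of Fig. 6 are easy to misread, in particular which aborts are still honoured once a delivery has happened. The following Python model of F_MCF is an added example (it is not an artefact of the paper); message types and tuple shapes follow the figure, while the party names, the `run` driver and the choice to represent m as an integer are assumptions of this example. It exercises the three paths a practitioner cares about: the honest run, a length mismatch, and P_A aborting after it has already received m (the into-the-well case, where P_B never learns the outcome).

```python
import secrets


class FMCF:
    """Executable model of the ideal functionality F_MCF of Fig. 6 (added example,
    not the paper's own artefact). Parties are named by strings, the adversary is
    "S", and every message is a tuple whose first element is its type, exactly as
    in the figure. Everything the functionality sends is appended to `self.out`
    as (recipient, message) pairs, in emission order, so a test can inspect who
    learned what and when."""

    def __init__(self, sid):
        self.sid = sid
        self.rec = {}   # (cfid, PA, PB) -> dict of recorded tags for that sub-session
        self.out = []

    def _r(self, key):
        return self.rec.setdefault(key, {})

    def handle(self, sender, msg):
        kind = msg[0]
        if msg[1] != self.sid:
            return                                    # wrong session: ignore
        if kind in ("cf-start-1", "cf-start-2"):
            _, sid, cfid, pa, pb, ell = msg
            r = self._r((cfid, pa, pb))
            if sender != (pa if kind == "cf-start-1" else pb) or ell < 1 or kind in r:
                return                                # wrong sender, bad length, or a repeat
            r[kind] = ell
            self.out.append(("S", (kind + "-receipt", sid, cfid, pa, pb, ell)))
            if "cf-start-1" in r and "cf-start-2" in r:
                self._first_delivery(cfid, pa, pb, r)
        elif kind == "cf-OK":
            _, sid, cfid, pa, pb = msg
            r = self._r((cfid, pa, pb))
            if sender == pa and "cf-deliver-1" in r and "cf-end" not in r:
                self.out.append((pb, ("cf-deliver-2", sid, cfid, pa, pb, r["m"])))
                self.out.append(("S", ("cf-deliver-2-receipt", sid, cfid, pa, pb)))
                r["cf-end"] = True
        elif kind in ("cf-abort-1", "cf-abort-2"):
            _, sid, (cfid, pa, pb) = msg
            r = self._r((cfid, pa, pb))
            if kind == "cf-abort-1":
                allowed, victim = sender == pa and "cf-start-1" in r, pb
            else:                                     # the symmetric reading of "do the same"
                allowed, victim = sender == pb and "cf-start-2" in r, pa
            if allowed and "cf-end" not in r:         # aborts after cf-end are ignored
                note = ("abort-" + kind[-1], sid, (cfid, pa, pb))
                self.out.append((victim, note))
                self.out.append(("S", note))
                r["cf-end"] = True

    def _first_delivery(self, cfid, pa, pb, r):
        if r["cf-start-1"] == r["cf-start-2"]:
            ell = r["cf-start-1"]
            r["m"] = secrets.randbits(ell)           # uniform in {0,1}^ell, as an integer
            r["cf-deliver-1"] = True
            self.out.append((pa, ("cf-deliver-1", self.sid, cfid, pa, pb, r["m"])))
            self.out.append(("S", ("cf-deliver-1-receipt", self.sid, cfid, pa, pb)))  # no m for S
        else:
            for who in (pa, pb, "S"):
                self.out.append((who, ("cf-fail", self.sid, cfid, pa, pb)))
            r["cf-end"] = True


def got(f, recipient, kind):
    """Messages of type `kind` that F_MCF sent to `recipient`."""
    return [m for (who, m) in f.out if who == recipient and m[0] == kind]


def run(ell_a, ell_b, a_aborts_after_seeing_m=False):
    """Drive one sub-session (constructed identifiers) through F_MCF and return it.
    With a_aborts_after_seeing_m, P_A aborts between the two deliveries: the
    into-the-well case, where P_A already knows m and P_B never learns it."""
    f = FMCF("sid0")
    f.handle("PA", ("cf-start-1", "sid0", "cf1", "PA", "PB", ell_a))
    f.handle("PB", ("cf-start-2", "sid0", "cf1", "PA", "PB", ell_b))
    if a_aborts_after_seeing_m:
        f.handle("PA", ("cf-abort-1", "sid0", ("cf1", "PA", "PB")))
    f.handle("PA", ("cf-OK", "sid0", "cf1", "PA", "PB"))
    f.handle("PB", ("cf-abort-2", "sid0", ("cf1", "PA", "PB")))   # too late: cf-end is recorded
    return f
```

The asymmetry the model makes visible is the point of the "into-the-well" flavour: P_A obtains m in cf-deliver-1 and can still abort, so P_B either receives the same m in cf-deliver-2 or an abort-1, never a different string; and the adversary's receipts never carry m (footnote a), unless S itself controls P_A.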

0. Setup – private inputs.

input_A → P_A: (cf-start-1, sid, cfid, P_A, P_B, ℓ) (79)

input_B → P_B: (cf-start-2, sid, cfid, P_A, P_B, ℓ) (80)

1. X-Commit contribution of P_A.

P_A: χ_A ←$ {0,1}^ℓ (81)

C^{X-Commit}_{XQ, sid, cfid, P_A, P_B}(P_A(χ_A) ←$ (χ_A, χ̄_A), P_B ← χ̄_A) (82)

2. Send clear contribution of P_B.

P_B: χ_B ←$ {0,1}^ℓ (83)

P_B → P_A: (cf-contrib-2, sid, cfid, P_A, P_B, χ_B) (84)

3. Q-Open contribution of P_A.

C^{Q-Open}_{XQ, sid, cfid, P_A, P_B}(χ_A)(P_A(χ_A, χ̄_A), P_B ← χ_A) (85)

4. Locally combine contributions.

P_A, P_B: χ = χ_A ⊕ χ_B (86)

P_A → output_A: (cf-output-1, sid, cfid, P_A, P_B, χ) (87)

P_B → output_B: (cf-output-2, sid, cfid, P_A, P_B, χ) (88)

Fig. 7. Traditional template for coin-flipping.

Proposition 1. The multiple bit-string coin-flipping protocol Π_MCF (Fig. 7) UC-realizes the ideal multiple bit-string coin-flipping functionality F_MCF (Fig. 6) in the F_X&Q-hybrid model, in the presence of static, computationally bounded, active adversaries.

If the base commitment scheme is indeed X&Q, then the protocol is simulatable because the simulator is able to use the X or the Q property (depending on which party is being simulated) to induce the outcome of the simulated execution to be the target bit-string decided by F_MCF in the ideal world. Specifically, after learning the contribution of the malicious party in the simulated real world (by extraction from the commitment (82), when simulating P_B against a malicious P_A; directly from the clear message (84), when simulating P_A against a malicious P_B), S is able to calculate the needed complementary contribution, i.e., the one that once combined with the other contribution leads to the target bit-string, and use it as the contribution of the honest party in the simulated execution (for a simulated P_A this requires equivocating the opening in (85), since her commitment was produced before χ_B was known). Naturally, it is here assumed that the combination operation is efficiently invertible with respect to any fixed contribution of a party, e.g., as in the case of bit-wise XOR, or of multiplication modulo a prime when contributions are restricted to non-zero residues. The possibility of a malicious party aborting the simulated execution is also contemplated in simulatability. An abort is not an issue in this template, because it can only happen in an execution that otherwise (i.e., if not aborted by the malicious party and not rewound by the simulator) would lead to the target bit-string outcome. Thus, in case of abort in the simulated execution the simulator simply emulates an abort in the ideal world. Section C.2 highlights an issue with abort if the commitment scheme is not X or not Q.
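The two simulator strategies described above, as an added Python example that is not part of the paper: `IdealXQCommitment` is a stand-in for the F_X&Q hybrid functionality (in the proof the simulator controls that functionality, which is what `extract` and `equivocate` model), and the function names, the XOR combination and the fixed test values are assumptions of this example. `real_execution` replays the template of Fig. 7 honestly; `simulate_corrupt_a` uses X and `simulate_corrupt_b` uses Q to steer the simulated outcome to the target m, including the case where the corrupted P_A aborts after learning the result.

```python
import secrets


class IdealXQCommitment:
    """Stand-in for the F_X&Q hybrid functionality (added example, not the paper's
    code). Honest parties only use commit/open; the receiver sees an opaque handle
    that reveals nothing about the value. The simulator, who controls the hybrid
    functionality in the proof, additionally gets extract (the X property) and
    equivocate (the Q property) on the same handle."""

    def __init__(self):
        self._vals = {}

    def commit(self, value):                 # (82) X-Commit: receiver learns only the handle
        handle = len(self._vals)
        self._vals[handle] = value
        return handle

    def open(self, handle):                  # (85) Q-Open: receiver learns the committed value
        return self._vals[handle]

    def extract(self, handle):               # X: only a simulator playing the receiver may call
        return self._vals[handle]

    def equivocate(self, handle, value):     # Q: only a simulator playing the committer may call
        self._vals[handle] = value


def real_execution(ell, chi_a=None, chi_b=None):
    """Honest run of Fig. 7; chi_a/chi_b may be fixed to replay a given transcript.
    Returns (output of P_A, output of P_B)."""
    f = IdealXQCommitment()
    chi_a = secrets.randbits(ell) if chi_a is None else chi_a   # (81)
    h = f.commit(chi_a)                                          # (82) P_B holds only h
    chi_b = secrets.randbits(ell) if chi_b is None else chi_b   # (83)-(84) sent in clear to P_A
    opened = f.open(h)                                           # (85) P_B now learns chi_a
    return chi_a ^ chi_b, opened ^ chi_b                         # (86)-(88)


def simulate_corrupt_a(ell, target, adv_chi_a, adv_aborts_before_open=False):
    """S plays honest P_B against a malicious P_A. `target` is the m that S read in
    the cf-deliver-1 message (footnote a of Fig. 6), since S controls P_A."""
    f = IdealXQCommitment()
    h = f.commit(adv_chi_a)                  # adversary's (82), through the hybrid functionality
    chi_a = f.extract(h)                     # X: S learns chi_a before choosing chi_b
    chi_b = chi_a ^ target                   # complementary contribution: XOR inverts itself
    if adv_aborts_before_open:               # P_A already knows chi_a ^ chi_b == target here
        return None                          # S sends cf-abort-1 to F_MCF; P_B never learns m
    return f.open(h) ^ chi_b                 # P_B's output equals target


def simulate_corrupt_b(ell, target, adv_chi_b):
    """S plays honest P_A against a malicious P_B; `target` is the m from F_MCF."""
    f = IdealXQCommitment()
    h = f.commit(secrets.randbits(ell))      # dummy commitment made before chi_b is known
    f.equivocate(h, adv_chi_b ^ target)      # Q: after receiving (84), fix chi_a = chi_b xor m
    return f.open(h) ^ adv_chi_b             # (85)-(86): P_B's output equals target
```

With a multiplicative combination modulo a prime, the two `^ target` lines would become a multiplication by the modular inverse of the adversary's contribution, which is where the non-zero restriction mentioned above comes from; with a commitment that is only X or only Q, one of the two simulators above has no way to fix the outcome and the corresponding branch cannot be written.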

B Ideal commitments with suppressed properties

While this section is not essential for the remaining analysis of the new protocols (and its reading can be safely skipped), it is helpful in providing a complementary perspective on the dual nature of X and Q. First, a motivation is given for the formalization of X and Q in isolation, namely by suppressing the respective complementary property (§B.1). Then, as an initial attempt, the properties are suppressed based on a circular definition of a new type of ideal commitment functionalities (§B.2). The circularity is then removed by nesting the hybrid model inside another hybrid model (§B.3). Finally, with respect to their use in proofs of security, a brief comparison is made between the plain model and the other two mentioned models (§B.4).
