On the (Im-)Possibility of Extending Coin Toss

On the (Im-)Possibility of Extending Coin Toss

⋆

DennisHofheinz

1

,JörnMüller-Quade

2

,andDominiqueUnruh

2

1

CWI,CryptologyandInformationSeurityGroup,Prof.Dr.R.Cramer, Dennis.Hofheinzwi.nl

2

IAKS,ArbeitsgruppeSystemsiherheit,Prof.Dr.Th.Beth,UniversitätKarlsruhe,

{muellerq,unruh}ira.uka.de

Abstrat. We onsider theryptographi two-party protooltask ofextendinga given

oin toss. Thegoal isto generate

n

ommonrandomoinsfrom asingleuse ofanideal

funtionality whihgives

m < n

ommonrandom oinstotheparties. Intheframework

ofUniversalComposabilityweshowtheimpossibilityofseurelyextendingaointossfor

statistialandperfetseurity.Ontheotherhand,foromputationalseuritytheexistene

ofaprotoolforointossextensiondependsonthenumber

m

ofrandomoinswhihan

beobtainedforfree.

For the ase of stand-alone seurity, i.e., a simulation based seurity denition without

an environment,we present anovelprotoolfor unonditionally seure oin toss

exten-sion. Thenew protool worksfor superlogarithmi

m

,whih is optimalas we show the

impossibilityofstatistially seureointossextensionforsmaller

m

.

Combiningourresultswithalreadyknownresults,weobtaina(nearly)omplete

hara-terization underwhihirumstanesointossextensionispossible.

Keywords: ointoss,universalomposability,reativesimulatability,ryptographi

pro-tools.

Table of Contents

1 Introdution... 2

2 Seuritydenitions... 4

3 TheComputationalCase ... 6

3.1 UniversalComposability ... 6

4 StatistialandPerfetCases ... 9

4.1 Stand-alonesimulatability... 9

4.2 UniversalComposability ... 12

A DetailedProofs... 17

A.1 Anauxiliarylemma... 17

A.2 ProofofLemma3... 17

A.3 ProofofLemma4... 18

A.4 ProofofTheorem6... 19

A.5 ProofofTheorem7... 21

A.6 ProofofLemma12... 23

⋆

ManuelBlum showedin[Blu81℄howtoipaoinoverthetelephoneline.His protool

guaran-teed that even ifone partydoesnotfollowthe protool,the otherpartystill gets auniformly

distributed ointoss result. This general onept of generating ommon randomness in a way

suh that nodishonest partyanditatetheresult provedveryusefulin ryptography,e.g.,in

theonstrutionofprotoolsforgeneralseuremulti-partyomputation.

Here weare interestedin thetaskofextending agivenointoss.That is,supposethat two

partiesalreadyhavethepossibilityofmakingasingle

m

-bitoin-toss.Is itpossibleforthemto

get

n > m

bitsofommonrandomness?Theanswerweomeupwithisbasially:itdepends.

Therstthingtheextensibilityofagivenointossdependsonistherequiredseuritytype.

One type of seurity requirement (whih we allstand-alone simulatability here) ansimply

be that the protool imitates an idealoin toss funtionality in the sense of [Gol04℄, where a

simulatorhastoinventarealistiprotoolrunafterlearningtheoutomeoftheidealoin-toss.

A stronger type of requirement is to demand universal omposability, whih basially means

that the protool imitates an ideal oin toss funtionality even in arbitrary protool

environ-ments.Seurityin the lattersense anonvenientlybeaptured in asimulatabilityframework

like the Universal Composability framework [Can01a, Can05℄ or the Reative Simulatability

model[PW01,BPW04℄.

Orthogonal to this, onean vary the level of fullment of eah of these requirements. For

example,oneandemandstand-alonesimulatabilityoftheprotoolwithrespetto

polynomial-timeadversariesinthesensethatrealprotoolandidealfuntionalityareonlyomputationally

indistinguishable.ThisspeirequirementisalreadyfullledbytheprotoolofBlum.

Alterna-tively,oneandemand,e.g.,universalomposabilityoftheprotoolwithrespettounbounded

adversaries.Thiswouldthenyieldstatistialorevenperfetseurity.Weshowthatwhethersuh

aprotoolexistsdependsontheasymptotibehaviourof

m

.

Ourresultsaresummarizedin thetable below.A yes orno indiates whetheraprotool

forointossextension exists inthat setting. Depends meansthat theanswerdependsonthe

size of the seed (the

m

-bit oin toss available by assumption), and boldfae indiates novel

results.

Seuritytype

↓

/level

→

Computational Statistial Perfet

stand-alonesimulatability yes depends 3

no

universalomposability depends 4

no no

Knownresultsintheperfetandstatistial ase. A folkloretheoremstates,that(perfetly

non-trivial) statistially seure oin-toss is impossible from srath (even in very lenient seurity

models). ByKitaev,this resultwasextended evento protoolsusing quantum ommuniation

(f.[ABDR04℄).[BGR96℄rstinvestigatedtheproblemofextendingaoin-toss.Theypresented

astatistially seure protool for extending agivenoin-toss (pre-shared using a VSS), ifless

than

1

6

ofthepartiesareorrupted.Notethat theirmainattentionwasontheeieny ofthe protool,sine in that senario arbitrarymulti-partyomputations and therefore in partiular

oin-tossfromsrathareknowntobepossible.Theresultdoesnotapplytothetwo-partyase.

3

Cointossextensionispossibleifandonlyiftheseedhassuperlogarithmilength.

4

Coin tossextensionis impossibleif theseed doesnothavesuperlogarithmi length. Thepossibility

explained.Fortheperfetase,weshowimpossibilityofany ointossextension,nomatterhow

(in-)eient. Weshow this for stand-alone simulatability(Coro. 8) and for universal

ompos-ability(Coro.15).Nowforthestatistialase.Whendemandingonlystand-alonesimulatability,

thesituationdependsonthenumberofthealreadyavailableommonoins.Namely,wegivean

eientprotooltoextend

m

ommonoinstoanypolynomialnumber(intheseurity

param-eter),if

m

issuperlogarithmi(Th.11).Otherwise,weshowthat thereanevenbenoprotool

thatderives

m

+ 1

ommonrandomoins(Coro.8).Intheuniversalomposabilitysetting,the

situation ismorelear: weshowthat theresimply isnoprotoolthat derivesfrom

m

ommon

oins

m

+ 1

oins,no matter howlarge

m

is (Th.14). (However,herewerestritto protools

thatrun inapolynomialnumberofrounds.)

Known results in the omputational ase. In[Blu81℄ Blum gaveaomputationally seure

pro-tool.In [Gol04, Proposition 7.4.8℄, this protool is shown to be stand-alone simulatable, and

togetherwiththesequentialompositiontheorem[Gol04,Proposition7.4.3℄forstand-alone

sim-ulatable protools, this gives a omputationally stand-alone simulatable protool for tossing

polynomiallymanyoins.

Thismakesoin-tossextensiontrivialinthatsetting,onejustignoresthe

m

-bitoin-tossand

tosses

n

-bitfromsrath.

Intheomputationaluniversalomposabilitysetting,ithasbeenshownin[CF01℄that

oin-tossannotbeahievedfromsrath. However,theyshowedthatgivenasuientlylarge

om-monreferenestring(CRS),bitommitmentispossible.Fromthisitiseasyto seethat suha

CRS(andthereforealsoasuientlylargeoin-toss)anbeextendedtoanypolynomiallength.

However,itwasunlearwhat theminimumsize requiredfromtheCRSortheoin-tossis.

NotethatthereisasubtledierenebetweenthenotionofaCRSandaoin-toss.ACRSis

randomnessthat isavailabletoallpartiesatthebeginningoftheprotool,whilewithoin-toss

the randomness is only generated when all parties agree to run the oin-toss. This makesthe

oin-toss atually the stronger primitive, sine in somesituations it is neessary to guarantee

that not even orrupted parties learn the outomes of the oin-toss prior to a given protool

step.

In [Cle86℄, the task of oin-toss is onsidered in a senario slightly dierent from ours:

in[Cle86℄,protoolpartiipantsmaynotabortprotoolexeutionwithoutgeneratingoutput.In

that setting, [Cle86℄ showthat oin-tossis generallynotpossibleevenagainstomputationally

limitedadversaries.However,tothebestofourknowledge,anextensionofagivenointosshas

notbeenonsideredsofarin theomputationalsetting.

Our results in the omputational ase. We answer the question onerning the minimal size

neessary for a oin-toss to be extensible: If an

m

-bit oin-toss funtionality is given, and

m

is not superlogarithmi,then it is already impossiblefor the parties to derive

m

+ 1

ommon

randomoins(inauniversallyomposableway)fromit(Th.6).However,wealsoshowthatunder

strengthenedomputationalassumptions,there areprotoolsthat extend

m

toanypolynomial

number(intheseurityparameter)of ommonrandomoins,if

m

issuperlogarithmi(Th. 5).

Inthatsense,wegivetheremainingparts foraompleteharaterizationoftheomputational

ase.

Notation

Afuntion

f

isnegligible,ifforany

c >

0

,

f

(

k

)

≤

k

−

c

forsuientlylarge

k

(i.e.,

f

∈

k

−

ω

(1)

).

f

isoverwhelming,if

1

−

f

isnegligible(i.e.,

f

∈

1

−

k

−

ω

(1)

).

f

isnotieable,ifforsome

c >

0

,

f

(

k

)

≥

k

−

c

forsuientlylarge

k

(i.e.,

f

∈

k

−

O

(1)

).Note

that funtionsexists,whihareneithernegligiblenornotieable.

f

ispolynomiallybounded,ifforsome

c >

0

,

f

(

k

)

≤

k

c

forsuientlylarge

k

(i.e.,

f

∈

k

O

(1)

f

ispolynomially-large,ifthereisa

c >

0

s.t.

f

(

k

)

c

≥

k

forsuientlylarge

k

(i.e.,

f

∈

k

Ω

(1)

).

f

issuperpolynomial,ifforany

c >

0

,

f

(

k

)

> k

c

forsuientlylarge

k

(i.e.,

f

∈

k

ω

(1)

).

f

issuperlogarithmi,if

f /

log

k

→ ∞

(i.e.,

f

∈

ω

(log

k

)

).Itiseasytoseethat

f

is

superlog-arithmiifandonlyif

2

−

f

isnegligible.

f

is superpolylogarithmi, if for any

c >

0

,

f

(

k

)

>

(log

k

)

c

for suiently large

k

(i.e.,

f

_∈

(log

k

)

ω

(1)

).

f

isexponentially-small,ifthere exists a

c >

1

,s.t.

f

(

k

)

≤

c

−

k

forsuientlylarge

k

(i.e.,

f

_∈

Ω

(1)

−

k

_{= 2}

−

Ω

(

k

)

).

f

issubexponential,ifforany

c >

1

,

f

(

k

)

< c

k

forsuientlylarge

k

(i.e.,

f

∈

o

(1)

k

_{= 2}

o

(

k

)

).

2 Seurity denitions

In this setion we roughly sketh the seurity denitions used throughout this paper. We

dis-tinguish between twonotions: stand-alone simulatability asdened in [Gol04℄, 5

and Universal

Composability(UC) asdened in[Can01a℄.

Stand-alonesimulatability.In[Gol04℄adenitionfortheseurityoftwo-partyseurefuntion

evaluationsisgiven(alledseurityinthemaliiousmodel).Wewillgiveasketh,formoredetails

wereferto [Gol04℄.

Aprotoolonsistsoftwopartiesthatalternatinglysendmessagestoeahother.Theparties

mayalso invokean idealfuntionality,whih is givenasan orale(in ourases,they invokea

smalleroin-tosstorealisealargerone).

We saytheprotool

π

stand-alonesimulatablyrealisesaprobabilistifuntion

f

,iffor any

eient adversary

A

that mayreplae none orasingleparty, there is an eient simulator

S

s.t.forallinputsthefollowingrandomvariablesareomputationallyindistinguishable:

Therealprotoolexeution.Thisonsistsoftheviewoftheorruptedpartiesuponinputs

x

1

and

x

2

forthepartiesandtheauxiliaryinput

z

fortheadversary,togetherwiththeoutputs

I

oftheparties.

Theidealprotool exeution.Herethesimulatorrstlearntheauxiliaryinput

z

andpossibly

theinputfortheorruptedparty(the simulatormustorrupt thesamepartyasthe

adver-sary).Then heanhoosetheinputof theorrupted partyfortheprobabilistifuntion

f

,

theotherinputsarehosenhonestly(i.e.,therstinputis

x

1

iftherstpartyisunorrupted, andtheseondinput

x

2

iftheseondpartyis).

Thenthesimulatorlearnstheoutput

I

of

f

(weassumetheoutputtobeequalforallparties).

It may now generate afake view

v

of the orrupted parties. The ideal protool exeution

thenonsistsof

v

and

I

.

Of ourse, in our ase the probabilisti funtion

f

(the oin-toss) has no input, so the above

denitiongetssimpler.

What wehaveskethedaboveis whatweallomputational stand-alonesimulatability.We

further dene statistial stand-alone simulatability and perfet stand-alone simulatability. In

these ases we donot onsider eient adversaries and simulators, but unlimited ones. Inthe

aseofstatistial stand-alonesimulatabilitywerequiretherealand idealprotool exeutionto

be statistially indistinguishable (and not only omputationally ), and in the perfet ase we

evenrequirethesedistributions tobeidential.

UniversalComposability. Inontrasttostand-alonesimulatability,UniversalComposability

[Can01a℄isamuhstriterseuritynotion.Themaindiereneistheexisteneofanenvironment,

thatmayinteratwithprotool andadversary(orwithidealfuntionalityandsimulator)

5

Infat,[Gol04℄doesnotusethenamestand-alonesimulatabilitybutsimplyspeaksaboutseurityin

themaliousmodel.Weadoptthenamestand-alonesimulatabilityforthispapertobeabletobetter

advantageof aversatileomposition theorem(theUniversalCompositionTheorem[Can01a℄).

Weonlyskeththemodelhereandreferto [Can01a℄fordetails.

Aprotoolonsistsofseveralmahinesthatmay(a)getinputfromtheenvironment,(b)give

outputtotheenvironment(bothalsoduringtheexeutionoftheprotool),and()sendmessages

toeahother.

Thereal protool exeutiononsistsof aprotool

π

,anadversary

A

and anenvironment

Z

.

Heretheenvironmentmayfreelyommuniatewiththeadversary,andthelatterhasfullontrol

overthe network,i.e., it may deliver,delayordropmessagessentbetweenparties. Weassume

theauthentiated modelin this paper,sotheadversarylearnstheontentof themessagesbut

maynotmodifyit.When

Z

terminates,itgivesasinglebitofoutput.Theadversarymayhoose

toorruptparties atanypointintime. 6

The ideal protool exeution is dened analogously,but insteadof aprotool

π

there is an

idealfuntionality

F

andinsteadoftheadversarythereisasimulator

S

.Thesimulatoranonly

learnandinueneprotooldata,if(a)thefuntionalityexpliitlyallowsthis,or(b)itorrupts

aparty(note that the simulator may onlyorrupt the sameparties as the adversary).In the

latterase,thesimulatoranhooseinputsintothefuntionalityinthenameofthatpartyand

getstheoutputsappartainingtothatparty.Intheaseofunorruptedparties,theenvironment

isinontrol oftheorrespondingin- andoutputoftheidealfuntionality.

We say aprotool

π

universally omposably (UC)-implements an idealfuntionality

F

(or

short

π

isuniversallyomposableif

F

islearfromtheontext),ifforanyeientadversary

A

,

there is aneientsimulator

S

, s.t. for alleientenvironments

Z

and all auxiliaryinputs

z

for

Z

,the distributions ofthe output-bitof

Z

in thereal and theidealprotool exeutionare

indistinguishable.

What hasbeenskethed aboveweallomputational UC. Wefurther denestatistial and

perfet UC. In these notions,we allow adversary, simulator and environment to be unlimited

mahines.Further,in theaseofperfetUC,werequirethedistributionsoftheoutput-bitof

Z

tobeidential inrealandidealprotool exeution.

The Ideal Funtionality for Coin Toss. Todesribethetaskofimplementingauniversally

omposableoin-toss,wehaveto denetheidealfuntionalityof

n

-bitoin-toss.

Inthefollowing,let

n

denote apositiveinteger-valuedfuntion.

Below is an informal desription of our ideal funtionality for a

n

-bit oin toss. First, the

funtionalitywaitsforinitializationinputsfrombothparties

P

1

and

P

2

.Assoonasbothparties have this way signalled their willingness to start, the funtionality selets

n

oins in form of

an

n

-bit string

κ

uniformly andsends this

κ

to the adversary.(Note that aointoss doesnot

guaranteeserey ofanykind.)

Ifthefuntionalitynowsent

κ

diretlyandwithoutdelaytotheparties,thisbehaviourwould

not be implementable by any protool (this would basially mean that the protool output is

immediatelyavailable,evenwithoutinteration).Sothefuntionalityletstheadversarydeide

whentodeliver

κ

toeahparty.Notehowever,thattheadversarymaynotinanywayinuene

the

κ

that isdelivered.

A moredetaileddesriptionfollows:

6

Itisthenalledanadaptiveadversary.Iftheadversaryanonlyorruptpartiesbeforethestartofthe

protool,wespeakofstatiorruption.Allresultsinthispaperholdforbothvariantsoftheseurity

Idealfuntionality

CT

n

(

n

-bit Coin Toss)

1. Wait until there have been

init

inputs from

P

1

and

P

2

. Ignore messages from the adversary,but immediatelyinformtheadversaryaboutthe

init

.

2. Selet

κ

∈ {

0

,

1

}

n

uniformlyandsend

κ

totheadversary.Fromnowon:

on therst (and only the rst)

deliver to 1

message from the adversary, send

κ

to

P

1

,

on therst (and only the rst)

deliver to 2

message from the adversary, send

κ

to

P

2

.

Using

CT

n

,weanalsoformallyexpresswhatwemeanbyextendingaointoss.Namely: Denition1. Let

n

=

n

(

k

)

and

m

=

m

(

k

)

be positive, polynomially bounded and omputable

funtionssuhthat

m

(

k

)

< n

(

k

)

forall

k

.Thenaprotoolisauniversallyomposable

(

m

→

n

)

-ointossextensionprotoolifitseurelyandnon-triviallyimplements

CT

n

byhavingaessonly to

CT

m

.Thisseurity anbe omputational, statistial orperfet.

Byanon-trivial implementationwemeanaprotoolthat, withoverwhelmingprobability,

guaranteesoutputsifnopartyisorruptedandallmessagesaredelivered.(Alternatively,onemay

alsoonsiderprotoolsthatprovideoutputwithoverwhelmingprobability.)Thisrequirementis

usefulsinewithoutit,atrivialprotoolthatdoesnotgenerateanyoutputformallyimplements

everyfuntionality.(Cf.[CLOS02℄and[BHMQU05,Setion5.1℄formoredisussionandformal

denitionsofnon-triviality.)

Onunlimitedsimulators.Following[BPW04℄,wehavemodelledstatistialandperfet

stand-aloneandUCseurityusingunlimitedsimulators.Anotherapproahistorequirethesimulators

to bepolynomialin the running-timeof theadversary. All ourresults applyalso to that ase:

Fortheimpossibilityresults,thisisstraightforward,sinetheseuritynotiongetsstriterwhen

thesimulatorsbeomemorerestrited.Theonlypossibilityresultforstatistial/perfetseurity

isgivenin Theorem11.There, thesimulator weonstrutis in fatpolynomialin theruntime

oftheadversary.

In thefollowingsetions,weinvestigate theexisteneof suh ointoss extensionprotools,

dependingonthedesiredseurity level(i.e.,omputational/statistial /perfet seurity)and

theparameters

n

and

m

.

3 The Computational Case

3.1 Universal Composability

Inthe following,we need theassumption of enhanedtrapdoorpermutations with dense

pub-li desriptions (alled ETD heneforth). Roughly, these are trapdoor permutations with the

additional properties that (i) onean hoose the publi keyin an oblivious fashion, i.e., even

giventhe ointosses weused itis infeasibleto invertthefuntion,and (ii)thepubli keysare

omputationallyindistinguishablefrom randomstrings.

Denition2 (Enhaned trapdoor permutations with dense publi desriptions). A

system of enhaned trapdoor permutations with dense publi desriptions (ETD) onsists of

the following eient algorithms: a key generation algorithm

I

that (given seurity parameter

k

) generates publi keys

pk

and orresponding trapdoors

td

(we treat

pk

and

td

as eiently

omputable funtionsto failitate notation), anda domain sampling algorithm

S

that given

pk

outputsanelementin the domainof

pk

,satisfyingthe following:

Forany non-uniformprobabilistipolynomial-timealgorithm

A

thereisanegligible funtion

Permutations.

Pr

(pk

,

td)

_←

I

(1

k

_{) :}

_pk

isavalid publikeyand

td

=

pk

−1

≥

1

₋

µ

(

k

)

,

and any valid publikeyisapermutation.

Almost uniform sampling. For any valid publi key

pk

that an be output by

I

(

1

k

₎

, the

statistial distanebetweentheoutputof

S

(pk

)

andrandomly hosenelementsinthedomain

(=range)of

pk

isboundedby

µ

(

k

)

.

Enhanedhardness. For all

k

∈

N

Pr

(pk

,

td)

_←

I

(1

k

)

, y

_←

S

(pk

)

, x

′

_←

A

(

1

k

_,

_pk

_{, y, r}

_{) :}

_pk

₍

_x

′

_{) =}

_y

_≤

_µ

₍

_k

₎

Here

r

denotesthe randomnessusedby

S

.

Densepublidesriptions.Thereisapolynomiallybounded,eientlyomputablefuntion

s

(not dependingon

A

)s.t.

Pr

(pk

,

td)

←

I

(1

k

) :

A

(

1

k

_,

_pk

_{) = 1}

−

Pr

h

_pk

_{← {}

₀

_,

₁

_}

s

(

k

)

uniformly

:

A

(

1

k

_,

_pk

_{) = 1}

i

≤

µ

(

k

)

.

Exponentially-hardETDaredenedanalogously, exeptthat werequiretheonditionsabove

tohold for all subexponential-time

A

andan exponentially-small

µ

.

Lemma3. There isaonstant

d

∈

Ns.t. the following holds:

AssumethatETDexist,s.t.thesizeofthe iruitsdesribingthe ETDisboundedby

s

(

k

)

for

seurity parameter

k

. 7

Then thereis aprotool

π

usinga uniformommon referene string(CRS) of length

s

(

k

)

d

,

s.t.

π

seurelyUC-realisesabit ommitmentthat anbeusedpolynomially many times.

A protool forrealisingbit ommitmentusingaCRShasbeengivenin [CLOS02℄. Toshow

thislemma, weonlyneedtoreviewtheironstrutionto see,that aCRS oflength

s

d

is indeed

suient.Fordetails,seeAppendix A.2.

Lemma4. Let

s

(

k

)

beapolynomially boundedfuntion, thatisomputableintimepolynomial

in

k

.

Assumeoneof the following holds:

ETDexistand

s

isapolynomially-large funtion.

Exponentially-hard ETDexistand

s

isasuperlogarithmi funtion.

Then there also exist aonstant

e

∈

N independent of

s

and ETD, s.t. the sizeof the iruits

desribingthe ETDisboundedby

s

(

k

)

e

for seurity parameter

k

.

This is shownby saling theseurity parameterof the originalETD. The proof is givenin

AppendixA.3.

Theorem5. Let

n

=

n

(

k

)

and

m

=

m

(

k

)

be polynomially bounded andeiently omputable funtions.Assumeoneof the following onditions holds:

m

ispolynomially-large andETDexist,or

m

issuperpolylogarithmi andexponentially-hard ETDexist.

Thenthereisapolynomial-timeomputationallyuniversallyomposableprotool

π

for

(

m

→

n

)

-ointossextension.

7

Bythesize oftheiruitswemeansthetotalsizeoftheiruitsdesribingboththekeygeneration

andthe domainsamplingalgorithm.Notethat thentriviallyalso thesize of theresulting keysand

Proof. Let

d

beas in Lemma 3.Letfurther

e

be asin Lemma4. If

m

ispolynomially-largeor

superpolylogarithmi,then

s

:=

m

1

/

(

de

)

ispolynomially-largeorsuperlogarithmi,resp. So,by

Lemma4thereareETD,s.t.thesizeoftheiruitsdesribingtheETDisboundedby

s

e

₌

_m

1

/e

.

Then,byLemma3thereisaUC-seureprotoolforimplementing

n

bitommitmentsusingan

(

m

1

/d

₎

d

₌

_m

-bitCRS.

Given

n

bitommitments,thefollowingprotool

π

UC-realisesan

n

-bit oin-toss(basedon

theprotool of[Blu81℄):Uponinput

(init

)

, party

P

1

ommitsto

n

randombits

r

1

.Uponinput

(init

)

,andafter

P

1

hasommitteditself,party

P

2

sends

n

randombits

r

2

to

P

1

.Then

P

1

unveils

thebits

r

1

.Theoutputofthepartiesisthe

n

-bitstring

r

=

r

1

⊕

r

2

,where

⊕

denotesthebit-wise exlusiveor.

Itiseasytosee,thatthisprotoolUC-realisesan

n

-bitoin-toss.Weonlyroughlyskeththe

simulator

S

:Assoonasallunorruptedpartiesgotinput

(init

)

,

S

learnswhatvalue

r

theideal

n

-bitoin-tosshas.When

P

1

isorgetsorrupted,

S

learnsthevalue

r

1

assoonas

P

1

ommits,

sothesimulated

r

2

anbehosenas

r

1

⊕

r

.When

P

2

isorgetsorrupted,but

P

1

isunorrupted atleastduringtheommitmentto

r

1

,thesimulator

S

unveilvalue

r

1

to

r

2

⊕

r

.Intheasethat bothpartiesgetorrupted,theenvironmentdoesnotlearnthevaluefromtheidealoin-toss,so

thesimulatoransimplyhose itto be

r

1

⊕

r

2

.

Furthermore, an

m

-bit CRS an be trivially implemented using an

m

-bit oin-toss. Using

theCompositionTheorem weanput theaboveonstrutionstogetherand getaprotool that

UC-realisesan

n

-bit oin-tossusingan

m

-bitoin-toss.

⊓

⊔

Note that given stronger, but possibly unrealisti assumptions, the lower bound for

m

in

Theorem 5 an be dereased. If we assume that for any superlogarithmi

m

, there are ETD

s.t.thesizeoftheiriruitsisboundedby

m

1

/d

(where

d

istheonstantfromLemma3),weget

oin-tossextensionevenforsuperlogarithmi

m

(usingthesameproofasforTheorem5,exept

thatinsteadofLemma4weusethestrongerassumption).

However,weannotexpetanevenbetterlowerboundfor

m

,asthefollowingtheoremshows:

Theorem6. Let

n

=

n

(

k

)

and

m

=

m

(

k

)

be funtions with

n

(

k

)

> m

(

k

)

≥

0

for all

k

,

andassume that

m

isnot superlogarithmi (i.e.,

2

−

m

is non-negligible). Then there isno

non-trivial polynomial-time omputationally universally omposable protool for

(

m

→

n

)

-oin toss

extension.

Proof (sketh). Assume for ontradition that protool

π

, with parties

P

1

and

P

2

using

CT

m

, implements

CT

n

(with

m, n

as in the theorem statement). Let

A

1

bean adversary on

π

that, takingtheroleofaorruptedparty

P

1

,simplyreroutesallommuniationof

P

1

(witheither

P

2

or

CT

m

)totheprotoolenvironment

Z

1

andthuslets

Z

1

takepartas

P

1

in therealprotool.

Imagineaprotoolenvironment

Z

1

,runningwith

π

and

A

1

asabove,thatkeepsandinternal simulation

P

1

of

P

1

and lets this simulation take part in the protool (through

A

1

). After a protoolrun,

Z

1

inspetstheoutput

κ

1

of

P

1

andomparesittotheoutput

κ

2

oftheunorrupted

P

2

.

Inarealprotoolrunwith

π

,

A

1

,and

Z

1

,wewillhave

κ

1

=

κ

2

withoverwhelmingprobability sine

π

non-triviallyimplements

CT

n

,and

CT

n

guaranteesommonoutputs.Soasimulator

S

1

, runningin theidealmodel with

CT

n

and

Z

1

, mustbeabletoahievethat theidealoutput

κ

2

(thatisideallyhosenby

CT

n

andannotbeinuenedby

S

1

)isidentialtowhatthesimulation

P

1

of

P

1

inside

Z

1

outputs.Inthatsense,

S

1

mustbeabletoonvine

P

1

toalsooutput

κ

2

.To

thisend,

S

1

mayandmustfakeaompleterealprotoolommuniationas

A

1

woulddeliver itto

Z

1

(andthus, to

P

1

).

end, anadversary

A

2

on

π

withorrupted

P

2

is employed that forwardsall ommuniationof

P

2

witheither

P

1

or

CT

n

to

Z

2

.Internally,

Z

2

nowsimulates

S

1

(andnot

P

2

!)fromaboveand aninstane

CT

n

ofthetrustedhost

CT

n

.Reallthat

S

1

,givenatargetstring

κ

by

CT

n

,mimis anunorrupted

P

2

alongwithaninstaneof

CT

m

.Inthatsituation,

S

1

anonvineanhonest

P

1

withoverwhelmingprobabilitytoeventuallyoutput

κ

.

Chanes are

2

−

m

that the

CT

m

-instane made upby

S

1

outputsthe sameseedasthe real

CT

_m

inarunof

Z

2

with

π

and

A

2

.Sowithprobabilityatleast

2

−

m

−

µ

fornegligible

µ

,insuh arun,

Z

2

observesa

P

1

-output

κ

thatisidentialtotheoutputoftheinternallysimulated

CT

n

. Butthen,byassumptionabouttheseurityof

π

,thereisalsoasimulator

S

2

for

A

2

and

Z

2

that provides

Z

2

withanindistinguishableview.Inpartiular,in anidealrun with

S

2

and

CT

n

,

Z

2

observesequaloutputs from

CT

n

and

CT

n

with probabilityatleast

2

−

m

₋

_µ

′

for negligible

µ

′

.

This isaontradition,asbothoutputs areuniformly and independentlyhosen

n

-bit strings,

and

n

≥

m

+ 1

.

⊓

⊔

4 Statistial and Perfet Cases

4.1 Stand-alonesimulatability

Westarto withanegativeresult:

Theorem7. Let

m < n

befuntionsinthe seurityparameter

k

.If

m

isnotsuperlogarithmi,

thereis notwo-party

n

-bitoin-toss protool

π

(not evenan ineientone) that uses an

m

-bit

oin-tossandhas the following properties:

Non-triviality.If no partyisorrupted,the probability that the parties givedierent,invalid

or nooutput isnegligible (byinvalid output wemean outputnot in

{

0

,

1

}

n

).

Seurity. For any (possibly unbounded) adversary orrupting one of the parties there is a

negligiblefuntion

µ

,s.t.foreveryseurityparameter

k

andevery

c

∈ {

0

,

1

}

n

,theprobability

for protool output

c

isatmost

2

−

n

₊

_µ

₍

_k

₎

.

If we require perfet non-triviality (the probability for dierent or no outputs is

0

) andperfet seurity (the probability for agiven output

c

is at most

2

−

n

), suh aprotool

π

does not exist,

evenif

m

issuperlogarithmi.

Proof (sketh). Itissuienttoonsiderthease

n

=

m

+ 1

.

Without loss of generality, we an assume that the available

m

-bit oin toss is only used

at theend of theprotool. Similarly, weanassume that in thehonest ase, theparties never

outputdistintvalues.Adetailedproofforthesestatementsanbefoundin thefullproof.

Toshowthetheorem,werstonsiderompletetransripts oftheprotool.Byaomplete

transript wemean all messagessent during the run of a protool, exluding thevalue of the

m

-bitoin-toss.Wedistinguishthreesetsofompletetransripts:theset

A

oftransriptshaving

non-zeroprobabilityfortheprotooloutput

0

n

,theset

B

oftransriptshavingzeroprobability

ofoutput

0

n

andzeroprobabilitythattheprotoolgivesnooutput,andtheset

C

oftransripts

havingnon-zeroprobabilityofgivingnooutput. Notethat, sineforaompletetransript,the

protool outputonlydependsonthe

m

-bit oin-toss,anyof theabovenon-zeroprobabilitiesis

atleast

2

−

m

.

Foranypartialtransript

p

(i.e.,asituationduring therunoftheprotool),wedenethree

values

α

,

β

,

γ

. The value

α

denotes theprobability with whih aorrupted Aliean enfore

atransript in

A

startingfrom

p

, the value

β

denotesthe probability with whih a orrupted

Bob an enforea transript in

B

, andthe value

γ

denotes the probability that the omplete

protool transriptwillliein

C

ifno-oneisorrupted. Weshowindutivelythatforanypartial

simpliity,weassumethat

2

−

m

is notonlynon-negligible,but notieable(inthefull proof,the

generalaseisonsidered).Sineatransriptin

C

givesnooutputwithprobabilityatleast

2

−

m

,

theprobabilitythattheprotoolgeneratesnooutput(intheunorruptedase)isatleast

2

−

m

_γ

.

By the non-triviality ondition, this probability is negligible, so

γ

must be negligible, too. So

(1

₋

α

)(1

₋

β

)

is negligible,too. Therefore

max

{

1

−

α,

1

−

β

}

mustbenegligible. Fornow, we

assumethat

1

−

α

isnegligibleor

1

−

β

isnegligible(forthegeneralase,seethefullproof).

If

1

−

α

isnegligible,theprobabilityforoutput

0

n

isatleast

2

−

m

_α

.Sine

α

isoverwhelming

and

2

−

m

notieable,thisisgreaterthan

2

−

n

₌

1

2

2

−

m

byanotieableamountwhihontradits

theseurityproperty.

If

1

−

β

is negligible, we onsider the maximum probability a orrupted Bob an ahieve

thattheprotooloutputisnot

0

n

.Bytheseurityproperty,thisprobabilityshould beatmost

(2

n

₋

₁₎₂

−

n

plusanegligibleamount,whihisnotoverwhelming.However,sineeverytransript

in

B

givessuhanoutputwithprobability

1

,theprobabilityofsuhis

β

,whihisoverwhelming,

inontraditionoftheseurityproperty.

Theperfetaseisprovensimilarly.

⊓

⊔

Thefullproofisgivenin AppendixA.5.

Corollary8. By a non-trivial oin-toss protool we mean a protool s.t. (in the unorrupted

ase) the probability that the parties give no or dierent output is negligible. By a perfetly

non-trivialoin-tossprotool wherethisprobability iszero.

Let

m

be notsuperlogarithmi and

n > m

. Then there is no non-trivial protool realising

n

-bitoin-tossusing an

m

-bitoin-tossin thesense of statistial stand-alonesimulatability.

Let

m

be any funtion (possibly superlogarithmi) and

n > m

. Then there is no perfetly

non-trivial protool realising

n

-bit oin-toss using an

m

-bit oin-toss in the sense of perfet

stand-alone simulatability.

Proof. AstatistiallyseureprotoolwouldhavetheseuritypropertyfromTheorem7andthus,

ifnon-trivial,ontraditTheorem7.Analogouslyforperfet seurity.

⊓

⊔

However,notallislost:

Now we will prove that there exists a protool for oin toss extension from

m

to

n

bit

whih is statistially stand-alone simulatably seure. The basi ideais to have the parties

P

1

and

P

2

ontributerandomstringstogenerateonestringwithsuientlylargemin-entropy(the min-entropyofarandomvariable

X

is denedas

min

x

−

log

Pr

[

X

=

x

]

).Therandomnessfrom this stringisthen extrated usingarandomness extrator.Interestinglythe amountof perfet

randomness(i.e.,thesizeofthe

m

-bitoin-toss)oneneedstoinvestissmallerthantheamount

extrated.Thismakesointossextensionpossible.

Toobtaintheointossextensionweneedaresultaboutrandomnessextratorsabletoextrat

onebitof randomnesswhileleavingtheseedreusablelikeaatalyst.

Lemma9. For every

m

there exists afuntion

h

m

:

{

0

,

1

}

m

× {

0

,

1

_}

m

−1

_{→ {}

₀

_,

₁

_}

_,

₍

_{s, x}

₎

_7→

_r

suhthatforauniformlydistributed

s

andforan

x

withamin-entropyofatleast

t

thestatistial

distane of

s

k

h

m

(

s, x

)

andthe uniformdistributionon

{

0

,

1

}

m

+1

isatmost

2

−

t/

2

_/

√

₂

.

Proof. Let

h

m

(

s, x

) :=

h

s

1

. . . s

m

−1

, x

i ⊕

s

m

. Here

h·

,

·i

denotes the inner produt and

⊕

the addition over

GF(2)

. It is easy to verify that

h

m

(

s,

·

)

onstitutes a family of universal hash

funtions [CW79℄,where

s

is theindexseletingfrom that family.ThereforetheLeftoverHash

Lemma[ILL89,Sti02℄guaranteesthatthestatistialdistanebetween

s

k

h

m

(

s, x

)

andtheuniform

distributionon

{

0

,

1

}

m

+1

isboundedby

1

2

√

2

_·

2

−

t

_{= 2}

−

t/

2

_/

√

₂

Withthisfuntion

h

m

asimpleprotoolispossiblewhihextends

m

(

k

)

ointossesto

m

(

k

)+1

ifthefuntion

m

(

k

)

issuperlogarithmi.

Theorem10. Let

m

(

k

)

beasuperlogarithmi funtion, thenthereexistsa onstantround

sta-tistially stand-alone simulatable protool that realises an

(

m

+ 1)

-bit oin-toss using an

m

-bit

oin-toss.

Proof. Let

h

m

beas in Lemma9.Then thefollowingprotoolrealisesaointoss extensionby

onebit. Assume

m

:=

m

(

k

)

where

k

istheseurityparameter.

1.

P

1

uniformlyhooses

a

∈ {

0

,

1

}

⌊

m

₋₁

2

⌋

andsends

a

to

P

2

2.

P

2

uniformlyhooses

b

∈ {

0

,

1

}

⌈

m

₋₁

2

⌉

andsends

b

to

P

1

3. Ifonepartyfailstosendastringofappropriatelengthorabortsthenthisstringisassumed

bytheotherpartytobeanall-zerostringoftheappropriatelength

4.

P

1

and

P

2

invokethe

m

-bit ointoss funtionalityand obtainauniformly distributed

s

∈

{

0

,

1

}

m

. Ifoneparty

P

i

failsto invoketheointoss funtionality oraborts, then theother

partyhooses

s

at random

5. Both

P

1

and

P

2

ompute

s

k

h

m

(

s, a

k

b

)

andoutputthisstring.

Similartoonstrution7.4.7in[Gol04℄theprotoolisonstrutedinawaythattheadversary

is not able to abort the protool (not even by not terminating). Hene we ansafely assume

that the adversarywill send somemessage of the orret length and will invokethe oin toss

funtionality. Weassumetheadversaryto orrupt

P

2

,orruption of

P

1

ishandled analogously. Furtherweassumetherandomtapeof

A

tobexedinthefollowing.Duetotheseassumptions

there exists a funtion

f

A

:

{

0

,

1

}

⌊

m/

2⌋

_{→ {}

₀

_,

₁

_}

⌈

m/

2⌉

for eah real adversary

A

suh that the

message

b

sentinstep2oftheprotoolequals

f

A(

a

)

.Thereisnolossin generalityifweassume

theviewofthepartiestoonsistsofjust

a, b, s

andtheprotooloutputtobe

s

k

h

m

(

s, a

k

b

)

.

Nowfor a spei adversary

A

with xed random tape the output distribution of the real

protool (i.e., view and output) is ompletely desribed by the following experiment: hoose

a

∈ {

R

0

,

1

}

⌊

m/

2⌋

,let

b

←

f

A(

a

)

,hoose

s

R

∈ {

0

,

1

}

m

(

k

)

,let

r

←

s

k

h

m

(

s, a

k

b

)

andreturn

((

a, b, s

)

, r

)

.

We nowdesribethesimulator. Todistinguish thetherandom variablesin theidealmodel

from their real ounterparts, we deorate them with a

∼

, e.g.,

˜

a,

˜

b,

s

˜

. The simulator in the

idealmodel obtainsastring

˜

r

R

∈ {

0

,

1

}

m

+1

from theideal

n

-bit oin-tossfuntionalityand sets

˜

s

=

r

1

. . . r

m

. Thenthesimulator hooses

a

˜

R

∈ {

0

,

1

}

⌊

m

₋₁

2

⌋

andomputes

˜

b

=

f

A(˜

a

)

bygiving

˜

a

toasimulatedopyoftherealadversary.If

h

m

(˜

s,

a

˜

k

˜

b

) = ˜

r

m

+1

thenthesimulatorgives

s

˜

tothe simulatedrealadversaryexpetingtheointoss.Thenthesimulatoroutputstheview

(˜

a,

˜

b,

˜

s

)

.If however,

h

m

(˜

s,

a

˜

k

˜

b

)

6

= ˜

r

m

+1

thenthesimulatorrewindstheadversary,i.e.,thesimulatorhooses

afresh

˜

a

R

∈ {

0

,

1

_}

⌊

m

₋₁

2

⌋

and againomputes

˜

b

=

f

A

(

a

)

.Ifnow

h

m

(˜

s,

˜

a

k

˜

b

) = ˜

r

m

+1

thesimulator

outputs

(˜

a,

˜

b,

˜

s

)

. If again

h

m

(˜

s,

a

˜

k

˜

b

)

6

= ˜

r

m

+1

then the simulator rewinds the adversary again. If after

k

invoations of the adversary no triple

(˜

a,

˜

b,

s

˜

)

wasoutput, the simulator aborts and

outputs

fail

.

Toshowthatthesimulatorisorret,wehavetoshowthatthefollowingtodistributionsare

statistiallyindistinguishable:

((

a, b, s

)

, r

)

asdened intherealmodel,and

((˜

a,

˜

b,

˜

s

)

,

r

˜

)

.

Byonstrutionof thesimulator, itis obviousthatthetwodistributionsareidential under

theonditionthat

r

m

= 0

,

r

˜

m

= 0

and that thesimulator doesnotfail. Thesameholds given

r

m

= 1

,

˜

r

m

= 1

andthatthesimulatordoesnotfail.Thereforeitissuienttoshowtwothings:

(i) the statistial distane between

r

and the uniform distribution on

n

bits is negligible, and

(ii) the probability that that the simulator fails is negligible. Property (i) is shown using the

propertiesoftherandomnessextrator

h

m

.Sine

a

ishosenatrandom,themin-entropyof

a

is

at least

⌊

m

−1

2

⌋ ≥

m

2

−

1

, sothemin-entropyof

a

k

b

isalso at least

m

boundedby

2

−

m/

4−1

/

2

_/

√

_{2 = (2}

−

m

₎

1

/

4

_/

₂

.Sineforsuperlogarithmi

m

itis

2

−

m

negligible,this

statistialdistaneisnegligible.

Property(ii )istheneasilyshown:From(i)wesee,thataftereahinvoationoftheadversary

thedistributionof

h

m

(˜

s,

a

˜

k

˜

b

)

isnegligiblyfarfromuniform.Sotheprobabilitythat

h

m

(˜

s,

˜

a

k

˜

b

)

6

=

˜

r

m

isat mostnegligibly higherthan

1

2

. Sine the

h

m

(˜

s,

˜

a

k

˜

b

)

in thedierent invokations ofthe

adversaryareindependent,theprobabilitythat

h

m

(˜

s,

˜

a

k

˜

b

)

6

= ˜

r

m

aftereahativationisneglibigly

farfrom

2

−

k

.Sothesimulatorfailsonlywithnegligibleprobability.

Itfollowsthattherealandtheidealprotoolexeutionareindistinguishable,andtheprotool

stand-alonesimulatablyimplementsan

(

m

+1)

-bitoin-toss.

The idea of the one bit extension protool an be extended by using an extrator whih

extratsalargeramountofrandomness(whilenotneessarilytreatingtheseedlikeaatalyst).

This yields onstant round oin toss extension protools. However, the simulator needed for

suh a protool doesnot seem to be eient, even if the real adversary is. Toget aprotool

thatalsofulls boththepropertyofomputationalstand-alonesimulatabilityand ofstatistial

stand-alonesimulatability,weneedasimulatorthat iseientiftheadversaryis.

Below we give suh aoin toss extension protool for superlogarithmi

m

(

k

)

whih is

sta-tistially seure and omputationaly seure, i.e., the simulator for polynomial adversaries is

polynomiallybounded, too.Thebasiideahereisto extratonebit atatime in polynomially

manyrounds.

Theorem11. Let

m

(

k

)

besuperlogarithmi, and

p

(

k

)

beapositive polynomially-bounded

fun-tion, then there exists a statistially and omputationally stand-alone simulatable protool that

realisesan

(

m

+

p

)

-bitoin-tossusing an

m

-bitoin-toss.

Proof. Let

h

m

beas in Lemma9.Then thefollowingprotoolrealisesaointoss extensionby

p

(

k

)

bits.

1.

for

i

= 1

to

p

(

k

)

do

(a)

P

1

uniformlyhooses

a

i

∈ {

0

,

1

}

⌊

m

₋₁

2

⌋

andsends

a

i

to

P

2

(b)

P

2

uniformlyhooses

b

i

∈ {

0

,

1

}

⌈

m

₋₁

2

⌉

andsends

b

i

to

P

1

() If one party fails to send a string of appropriate length or aborts then this string is

assumedbytheotherpartytobeanall-zerostringoftheappropriatelength

2.

P

1

and

P

2

invoke the

m

-bit oin toss funtionality and obtain a uniformly distributed

s

∈ {

0

,

1

}

m

. If one party

P

i

fails to invoke the oin toss funtionality or aborts, then the

otherpartyhooses

s

at random

3.

P

1

and

P

2

ompute

s

k

h

m

(

s, a

1

k

b

1)

k

. . .

k

h

m

(

s, a

p

(

k

)

k

b

p

(

k

))

and outputthisstring.

WeonlyroughlyskeththedierenestotheproofofTheorem10.Foreahprotoolroundthe

simulatorfollowsthestrategydesribedintheproofofTheorem10(i.e.,thesimulatorrewindsthe

adversarybyoneround,iftheoin-tossproduedisnottheorretone.)Thenusingstandard

hy-bridtehniquesitanbeshownthatthissimulatorindeedgivesanindistinguishableideal

proto-olrun.Hereitisonlynoteworthythatweusethefatthat

s

k

h

m

(

s, a

1

k

b

1)

k

. . .

k

h

m

(

s, a

p

(

k

)

k

b

p

(

k

))

isstatistiallyindistinguishablefromtheuniformdistributionon

m

+

p

bits.However,thisfollows

diretlyfrom Lemma 9andthefat thateah

a

i

k

b

i

hasmin-entropyat least

⌊

m

−1

2

⌋

evengiven

thevaluesofall

a

µ

k

b

µ

for

µ < i

.

⊓

⊔

4.2 Universal Composability(statistial/perfetase)

In the aseof statistial seurity, adversaryand protool environmentare allowed to be

partiesto haltafter apolynomialnumberofativations. However,notethat wedo notimpose

any restritions on the amount of omputational work these parties perform in one of those

ativations.

Theproofofthisstatementisdonebyontradition.Furthermore,theproofissplitupinto

anauxiliarylemmaandtheatualproof.Intheauxiliarylemma, weshowthatwithoutlossof

generality, aprotool for statistially universally omposable oin toss extension has aertain

outerform.Thenweshowthat anysuhprotool(ofthispartiularouterform)isinseure.

For the following statements, we always assume that

m

=

m

(

k

)

, n

=

n

(

k

)

are arbitrary funtions,onlysatisfying

0

≤

m

(

k

)

< n

(

k

)

forall

k

.Wealsorestrittoprotoolsthatproeedin

apolynomialnumberofrounds.That is,byaprotool wemeanin thefollowingoneinwhih

eah partyhaltsafter atmost

p

(

k

)

ativations,where

p

(

k

)

isapolynomialwhihdependsonly

ontheprotool. (Asstatedabove,thepartiesarestill unboundedin eah ativation.)Westart

withahelping lemmawhoseproofisavailablein AppendixA.6.

Lemma12. If there isa non-trivial statistially universally omposable protool for

(

m

→

n

)

-ointossextension, thenthereisalso oneinwhih eahparty

has only oneonnetion tothe other party andoneonnetion to

CT

m

,

in eah ativation sends either an

init

message to

CT

m

or some message to the other party,

sendsineahprotoolrunatmostonemessageto

CT

m

,andthisisalwaysan

init

message, the internal state of eah of the two parties onsists only of the view that this party has

experienedsofar, and

after

P

i

sends

init

to

CT

m

,it does not furtherommuniate with

P

3−

i

(for

i

= 1

,

2

and in aseofno orruptions).

Weproeedwith

Lemma13. There isno non-trivial statistially universally omposable protool for

(

m

→

n

)

-ointossextensionwhih meetsthe requirementsfromLemma12 .

Proof. Assume for ontradition that

π

, using

CT

m

, is a statistially universally omposable implementationof

CT

n

, andalsosatisestherequirementsfrom Lemma12.

Assumeaxedenvironment

Z

0

that givesbothparties

init

inputandthenwaitsforboth partiestooutputaointossresult.Consideranadversary

A

0

thatdeliversallmessagesbetween thepartiesimmediately.Theresultingsetting

D

0

isdepitedinFigure 1.

Denote the protool ommuniation in a run of

D

0

, i.e., the ordered list of messages sent between

P

1

and

P

2

,by

com

.Denoteby

κ

1

and

κ

2

thenaloutputsoftheparties.For

M

⊆ {

0

,

1

}

n

andapossibleprotoolommuniationprex

c

,let

E

(

M, c

)

betheprobabilitythattheprotool outputsareidentialandin

M

,providedthat theprotoolommuniationstartswith

c

,i.e.,

E

₍

_{M, c}

_{) :=}

Pr

_[

_κ

₁

₌

_κ

₂

_∈

_M

_|

_c

_≤

_com]

_,

where

x

≤

y

meansthat

x

isaprexof

y

.

Note thatthepartieshave,apartfrom theirommuniation

com

,onlytheseed

ω

∈ {

0

,

1

}

m

provided by

CT

m

for omputingtheir naloutput

κ

. Sowemay assumethat there is a deter-ministifuntion

f

forwhih

κ

1

=

κ

2

=

f

(com

, ω

)

withoverwhelmingprobability.

Foraxedprotoolommuniation

com

=

c

,onsidertheset

P

₁

ω

ω

P

₂

com

CT

_m

A

0

κ

₂

Z

0

κ

₁

P

₁

ω

ω

P

₂

Z

1

A

1

CT

m

Z

0

κ

₂

κ

₁

Fig.1. Left: The initial setting

D

0

for the statistial ase. (Some onnetions whih are not importantforourproofhavebeenomitted.)Right: Setting

D

1

withaorrupted

P

1

.Setting

D

2

(with

P

2

orruptedinsteadof

P

1

)isdenedanalogously.

of improbable outputs after ommuniation

c

. Then obviously

|

M

c

| ≥

2

n

−

2

m

≥

2

n

−1

. By

denition of theidealoutput(i.e., theoutput of

CT

n

in theidealmodel),this impliesthat for suientlylargeseurityparameters

k

,theprobabilitythat

κ

1

=

κ

2

∈

M

c

isatleast

2

/

5

.(Here, any number stritly between

0

and

1

/

2

would have doneas well.) Otherwise, an environment

ould distinguishreal and idealmodel bytesting for

κ

1

=

κ

2

∈

M

c

. Sine

E

(

M

c

, ε

)

is exatly that probability, wehave

E

(

M

c

, ε

)

≥

2

/

5

forsuientlylarge

k

.Also,

E

(

M

c

, c

)

isnegligibleby denition,so

M

c

satises

E

₍

_M

_c

_{, ε}

₎

₋

E

₍

_M

_c

_{, c}

₎

_≥

1

3

(1)

forsuientlylarge

k

.

Sine the protool onsists by assumption onlyof polynomially many rounds,

c

is a list of

size atmost

p

(

k

)

foraxedpolynomial

p

.This meansthat thereisaprex

c

of

c

and asingle

message

m

(eithersentfrom

P

1

to

P

2

orvie versa)suhthat

cm

≤

c

and

E

₍

_M

_c

_{, c}

₎

₋

E

₍

_M

_c

_{, cm}

₎

_≥

1

3

p

(

k

)

(2)

forsuientlylarge

k

. Intuitively,thismeansthat ataertainpointduring theprotoolrun,a

singlemessage

m

hadasigniantimpatontheprobabilitythat theprotooloutputisin

M

c

.

Note that suh an

m

must be either sent by

P

1

or

P

2

. So there is a

j

∈ {

1

,

2

}

, suh that for innitely many

k

, party

P

j

sends suh an

m

with probability at least

1

/

2

. We desribea

modiation

D

j

of setting

D

0

. Insetting

D

j

, party

P

j

is orrupted and simulated (honestly) inside

Z

j

.Furthermore,adversary

A

j

simplyrelaysallommuniationbetweenthissimulation

inside

Z

j

andtheunorruptedparty

P

3−

j

. Forsupplyinginputstothesimulationof

P

j

and to the unorrupted

P

3−

j

, asimulation of

Z

0

is employed inside

Z

j

. The situation (for

j

= 1

) is depitedinFigure1.

Sine

D

j

is basially only a re-grouping of

D

0

, the random variables

com

,

ω

, and

κ

i

are distributedexatlyasin

D

0

,sowesimplyidentifythem.Inpartiular,in

D

j

,forinnitelymany

k

, there is with probability at least

1

/

2

a prex

c

and a message

m

sent by

P

j

of

com

that

Nowweslightlyhangetheenvironment

Z

j

intoanenvironment

Z

′

j

.Eahtimethesimulated

P

j

sendsamessage

m

to

P

3−

j

,

Z

′

j

heksforall subsets

M

of

{

0

,

1

}

n

whether

∃

M

⊆ {

0

,

1

}

n

_:

_E

₍

_{M, c}

₎

−

E

₍

_{M, cm}

₎

_≥

1

3

p

(

k

)

,

(3)

where

c

denotestheommuniationbetween

P

j

and

P

3−

j

so far. If(3)holdsatsomepointforthersttime,then

Z

′

j

tossesaoin

b

uniformlyatrandom,and

proeedsasfollows:if

b

= 0

,then

Z

′

j

keepsgoingjust as

Z

j

would have.Inpartiular,

Z

′

j

then

lets

P

j

send

m

to

P

3−

j

. However,if

b

= 1

, then

Z

′

j

rewinds the simulationof

P

j

to the point

before that ativation,and ativates

P

j

againwith freshrandomness,therebyletting

P

j

senda

possiblydierentmessage

m

′

.Inthefurtherproof,

c

,

m

, and

M

refertothese valuesforwhih

(3)holds.

In any ase, after having tossed the oin

b

one,

Z

′

j

remembers the set

M

from (3), and

doesnothek(3)again. Aftertheprotool nishes,

Z

j

outputseither

(

⊥

,

⊥

)

(if (3)wasnever

fullled),or

(

b, β

)

fortheevaluation

β

oftheprediate

[

κ

1

=

κ

2

∈

M

]

(i.e.,

β

= 1

itheprotool givesoutput, theprotooloutputsmathandliein

M

).

Nowbyourhoieof

j

,

Pr

[

b

=

6

⊥

]

≥

1

/

2

forinnitelymany

k

.

Also, Lemma 12 guarantees that the internal state of the parties at the time of tossing

b

onsistsonlyof

c

.So,when

Z

′

j

hashosen

b

= 1

,andrewoundthesimulated

P

j

,theprobability

that at the end of the protool

κ

1

=

κ

2

∈

M

is the same asthe probability of that eventin thesetting

D

j

undertheonditionthattheommuniation

com

beginswith

c

¯

.Thisprobability

againisexatly

E

(

M,

¯

c

)

bydenition. Similarly, when

Z

′

j

hashosen

b

= 0

, the probability that at the end of the protool

κ

1

=

κ

2

∈

M

isthesameastheprobabilityof thateventin thesetting

D

j

under theonditionthat

theommuniation

com

beginswith

¯

cm

,i.e.

E

(

M,

¯

cm

)

. Thereforejustbefore

Z

′

j

hooses

b

(i.e.,when

¯

c

and

M

arealreadydetermined),theprobability

that at the end we will have

β

= 1

∧

b

= 1

is

1

2

E

(

M,

c

¯

)

and the probability of

β

= 1

∧

b

=

0

is

1

2

E

(

M,

¯

cm

)

. Therefore the dierene between these probabilities is at least

1

2

E

(

M,

c

¯

)

−

E

₍

_M,

_¯

_cm

₎

≥

1

3

p

(

k

)

.

Sinethisboundonthediereneoftheprobabilitiesalwaysholdswhen

b

6

=

⊥

,byaveraging

weget

Pr

_[

_β

_{= 1}

_∧

_b

_{= 1}

_|

_b

₆

₌

_⊥

_]

₋

Pr

_[

_β

_{= 1}

_∧

_b

_{= 0}

_|

_b

₆

₌

_⊥

_]

_≥

1

3

p

(

k

)

andusingthefatthat

Pr

[

b

6

=

⊥

]

≥

1

2

forinnitelymany

k

wethenhavethat

Pr

_[

_β

_{= 1}

_∧

_b

_{= 1]}

₋

Pr

_[

_β

_{= 1}

_∧

_b

_{= 0]}

_≥

1

6

p

(

k

)

(4)

forinnitelymany

k

when

Z

′

j

runs withthereal protoolasdesribedabove.

We show that no simulator

S

j

an ahieveproperty(4) in theideal model, where

Z

′

j

runs

with

CT

n

and

S

j

. Todistinguish randomvariables during arun of

Z

′

j

in theideal model from

thosein thereal model, weaddatildeto arandomvariablein arun of

Z

′

j

intheidealmodel,

e.g.,

˜

b

,

β

˜

.

Sinetheprotool

π

isnon-trivial,forany

S

j

ahievingindistinguishabilityofrealandideal

model, wean assumewithoutlossofgeneralitythat

S

j

alwaysdeliversoutputs.

Byonstrutionof

˜

b

and

κ

,thevariable

˜

b

andthetuple

( ˜

M , κ

)

areindependentgiven

˜

b

6

=

⊥

.

Hene,sine

β

˜

isafuntionof

M

˜

and

κ

,