On the (Im-)Possibility of Extending Coin Toss

We consider the task of extending a given coin toss. By this, we mean the two-party task of using a single instance of a given coin toss protocol in order to interactively generate more random coins. A bit more formally, our goal is to generate n common random coins from a single use of an ideal functionality that gives $$m<n$$ m<n common random coins to both parties. In the framework of universal composability, we show the impossibility of securely extending a coin toss for statistical and perfect security. On the other hand, for computational security, the existence of a protocol for coin toss extension depends on the number m of random coins that can be obtained “for free.” For the case of stand-alone security, i.e., a simulation-based security definition without an environment, we present a protocol for statistically secure coin toss extension. Our protocol works for superlogarithmic m, which is optimal as we show the impossibility of statistically secure coin toss extension for smaller m. Combining our results with already known results, we obtain a (nearly) complete characterization under which circumstances coin toss extension is possible.


Introduction
Manuel Blum showed in [5] how to flip a coin over the telephone line. His protocol guaranteed that even if one party does not follow the protocol, the other party still gets a uniformly distributed coin toss result. This general concept of generating common randomness in a way such that no dishonest party can dictate the result proved very useful in cryptography, e.g., in the construction of protocols for general secure multi-party computation.
Here we are interested in the task of extending a given coin toss. That is, suppose that two parties already have the possibility of making a single m-bit coin-toss. Is it possible for them to get n > m bits of common randomness? The answer we come up with is basically: "it depends." The first thing the extensibility of a given coin toss depends on is the required security type. One type of security requirement (which we call "stand-alone simulatabiliy" here) can simply be that the protocol imitates an ideal coin toss functionality in the sense of [13], where a simulator has to invent a realistic protocol run after learning the outcome of the ideal coin-toss. A stronger type of requirement is to demand universal composability, which basically means that the protocol imitates an ideal coin toss functionality even in arbitrary protocol environments. Security in the latter sense can conveniently be captured in a simulatability framework like the Universal Composability framework [6,8] or the Reactive Simulatability model [16,3].
Orthogonal to this, one can vary the level of fulfilment of each of these requirements. For example, one can demand stand-alone simulatability of the protocol with respect to polynomial-time adversaries in the sense that real protocol and ideal functionality are only computationally indistinguishable. This specific requirement is already fulfilled by the protocol of Blum. Alternatively, one can demand, e.g., universal composability of the protocol with respect to unbounded adversaries. This would then yield statistical or even perfect security. We show that whether such a protocol exists depends on the asymptotic behaviour of m.
Our results are summarized in the table below. A "yes" or "no" indicates whether a protocol for coin toss extension exists in that setting. "Depends" means that the answer depends on the size of the seed (the m-bit coin toss available by assumption), and boldface indicates novel results.
Security type ↓ / level → Computational Statistical Perfect stand-alone simulatability yes depends 1 no universal composability depends 2 no no Known results in the perfect and statistical case. A folklore theorem states, that (perfectly non-trivial) statistically secure coin-toss is impossible from scratch (even in very lenient security models). By Kitaev, this result was extended even to protocols using quantum communication (cf. [1]). [4] first investigated the problem of extending a coin-toss. They presented a statistically secure protocol for extending a given coin-toss (pre-shared using a VSS), if less than 1 6 of the parties are corrupted. Note that their main attention was on the efficiency of the protocol, since in that scenario arbitrary multi-party computations and therefore in particular coin-toss from scratch are known to be possible. The result does not apply to the two-party case.
Our results in the perfect and statistical case. Our results in the perfect case are most easily explained. For the perfect case, we show impossibility of any coin toss extension, no matter how (in-)efficient. We show this for stand-alone simulatability (Coro. 1) and for universal composability. Now for the statistical case. When demanding only stand-alone simulatability, the situation depends on the number of the already available common coins. Namely, we give an efficient protocol to extend m common coins to any polynomial number (in the security parameter), if m is superlogarithmic (Th. 5). Otherwise, we show that there can even be no protocol that derives m + 1 common random coins (Coro. 1). In the universal composability setting, the situation is more clear: we show that there simply is no protocol that derives from m common coins m + 1 coins, no matter how large m is (Th. 6). (However, here we restrict to protocols that run in a polynomial number of rounds.) Known results in the computational case. The possibility of coin tossing (in a non-simulation based model) was first shown by [5] and this protocol can be proven secure in a stand-alone security model. For the UC framework coin-toss was proven to be impossible in [9], unless a helping functionality like a CRS is given. In [12], the task of coin-toss is considered in a scenario slightly different from ours: in [12], protocol participants may not abort protocol execution without generating output. In that setting, [12] show that coin-toss is generally not possible even against computationally limited adversaries. However, to the best of our knowledge, an extension of a given coin toss has not been considered so far in the computational setting.
Our results in the computational case. We answer the question concerning the minimal size necessary for a coin-toss to be extensible: If an m-bit coin-toss functionality is given, and m is not superlogarithmic, then it is already impossible for the parties to derive m + 1 common random coins (in a universally composable way) from it (Th. 2). However, we also show that under strengthened computational assumptions, there are protocols that extend m to any polynomial number (in the security parameter) of common random coins, if m is superlogarithmic (Th. 1). In that sense, we give the remaining parts for a complete characterization of the computational case.

Security Definitions
In this section we roughly sketch the security definitions used throughout this paper. We distinguish between two notions: stand-alone simulatability as defined in [13], 3 and Universal Composability (UC) as defined in [6].
Stand-Alone Simulatability. In [13] a definition for the security of two-party secure function evaluations is given (called security in the malicious model). We will give a sketch, for more details we refer to [13]. A protocol consists of two parties that alternatingly send messages to each other. The parties may also invoke an ideal functionality, which is given as an oracle (in our cases, they invoke a smaller coin-toss to realise a larger one).
We say the protocol π stand-alone simulatably realises a probabilistic function f , if for any efficient adversary A that may replace none or a single party, there is an efficient simulator S s.t. for all inputs the following random variables are computationally indistinguishable: -The real protocol execution. This consists of the view of the corrupted parties upon inputs x 1 and x 2 for the parties and the auxiliary input z for the adversary, together with the outputs I of the parties. -The ideal protocol execution. Here the simulator first learn the auxiliary input z and possibly the input for the corrupted party (the simulator must corrupt the same party as the adversary). Then he can choose the input of the corrupted party for the probabilistic function f , the other inputs are chosen honestly (i.e., the first input is x 1 if the first party is uncorrupted, and the second input x 2 if the second party is). Then the simulator learns the output I of f (we assume the output to be equal for all parties). It may now generate a fake view v of the corrupted parties. The ideal protocol execution then consists of v and I. Of course, in our case the probabilistic function f (the coin-toss) has no input, so the above definition gets simpler.
What we have sketched above is what we call computational stand-alone simulatability. We further define statistical stand-alone simulatability and perfect stand-alone simulatability. In these cases we do not consider efficient adversaries and simulators, but unlimited ones. In the case of statistical stand-alone simulatability we require the real and ideal protocol execution to be statistically indistinguishable (and not only computationally ), and in the perfect case we even require these distributions to be identical.
Universal Composability. In contrast to stand-alone simulatability, Universal Composability [6] is a much stricter security notion. The main difference is the existence of an environment, that may interact with protocol and adversary (or with ideal functionality and simulator) and try to distinguish between real and ideal protocol. This additional strictness brings the advantage of a versatile composition theorem (the Universal Composition Theorem [6]).
We only sketch the model here and refer to [6] for details. A protocol consists of several machines that may (a) get input from the environment, (b) give output to the environment (both also during the execution of the protocol), and (c) send messages to each other.
The real protocol execution consists of a protocol π, an adversary A and an environment Z. Here the environment may freely communicate with the adversary, and the latter has full control over the network, i.e., it may deliver, delay or drop messages sent between parties. We assume the authenticated model in this paper, so the adversary learns the content of the messages but may not modify it. When Z terminates, it gives a single bit of output. The adversary may choose to corrupt parties at any point in time. 4 The ideal protocol execution is defined analogously, but instead of a protocol π there is an ideal functionality F and instead of the adversary there is a simulator S. The simulator can only learn and influence protocol data, if (a) the functionality explicitly allows this, or (b) it corrupts a party (note that the simulator may only corrupt the same parties as the adversary). In the latter case, the simulator can choose inputs into the functionality in the name of that party and gets the outputs appartaining to that party. In the case of uncorrupted parties, the environment is in control of the corresponding in-and output of the ideal functionality.
We say a protocol π universally composably (UC)-implements an ideal functionality F (or short π is universally composable if F is clear from the context), if for any efficient adversary A, there is an efficient simulator S, s.t. for all efficient environments Z and all auxiliary inputs z for Z, the distributions of the output-bit of Z in the real and the ideal protocol execution are indistinguishable.
What has been sketched above we call computational UC. We further define statistical and perfect UC. In these notions, we allow adversary, simulator and environment to be unlimited machines. Further, in the case of perfect UC, we require the distributions of the output-bit of Z to be identical in real and ideal protocol execution.

The Ideal Functionality for Coin Toss.
To describe the task of implementing a universally composable coin-toss, we have to define the ideal functionality of n-bit coin-toss.
In the following, let n denote a positive integer-valued function.
Below is an informal description of our ideal functionality for a n-bit coin toss. First, the functionality waits for initialization inputs from both parties P 1 and P 2 . As soon as both parties have this way signalled their willingness to start, the functionality selects n coins in form of an n-bit string κ uniformly and sends this κ to the adversary. (Note that a coin toss does not guarantee secrecy of any kind.) If the functionality now sent κ directly and without delay to the parties, this behaviour would not be implementable by any protocol (this would basically mean that the protocol output is immediately available, even without interaction). So the functionality lets the adversary decide when to deliver κ to each party. Note however, that the adversary may not in any way influence the κ that is delivered.
A more detailed description follows: Ideal functionality CT n (n-bit Coin Toss) 1. Wait until there have been "init" inputs from P 1 and P 2 . Ignore messages from the adversary, but immediately inform the adversary about the init. 2. Select κ ∈ {0, 1} n uniformly and send κ to the adversary. From now on: on the first (and only the first) "deliver to 1" message from the adversary, send κ to P 1 , -on the first (and only the first) "deliver to 2" message from the adversary, send κ to P 2 .
Using CT n , we can also formally express what we mean by extending a coin toss. Namely:

Definition 1. Let n = n(k) and m = m(k) be positive, polynomially bounded and computable functions such that m(k) < n(k) for all k. Then a protocol is a universally composable (m → n)-coin toss extension protocol if it securely and non-trivially implements CT n by having access only to CT m . This security can be computational, statistical or perfect.
By a "non-trivial" implementation we mean a protocol that, with overwhelming probability, guarantees outputs if no party is corrupted and all messages are delivered. (Alternatively, one may also consider protocols that provide output with overwhelming probability.) This requirement is useful since without it, a trivial protocol that does not generate any output formally implements every functionality. (Cf. [10] and [2, Section 5.1] for more discussion and formal definitions of "non-triviality.") On Unlimited Simulators. Following [3], we have modelled statistical and perfect stand-alone and UC security using unlimited simulators. Another approach is to require the simulators to be polynomial in the running-time of the adversary. All our results apply also to that case: For the impossibility results, this is straightforward, since the security notion gets stricter when the simulators become more restricted. The only possibility result for statistical/perfect security is given in Theorem 5. There, the simulator we construct is in fact polynomial in the runtime of the adversary.
In the following sections, we investigate the existence of such coin toss extension protocols, depending on the desired security level (i.e., computational / statistical / perfect security) and the parameters n and m.

Universal Composability
In the following, we need the assumption of enhanced trapdoor permutations with dense public descriptions (called ETD henceforth). Roughly, these are trapdoor permutations with the additional properties that (i) one can choose the public key in an oblivious fashion, i.e., even given the coin tosses we used it is infeasible to invert the function, and (ii) the public keys are computationally indistinguishable from random strings. We also need the notion of exponentiallyhard ETD, which are secure even against subexponential-time adversaries. For detailed definitions, cf. the full version [14].

the following holds:
Assume that ETD exist, s.t. the size of the circuits describing the ETD is bounded by s(k) for security parameter k. 5 Then there is a protocol π using a uniform common reference string (CRS) of length s(k) d , s.t. π securely UC-realises a bit commitment that can be used polynomially many times.
A protocol for realising bit commitment using a CRS has been given in [10]. To show this lemma, we only need to review their construction to see, that a CRS of length s d is indeed sufficient. For details, see the full version [14].

Lemma 2. Let s(k) be a polynomially bounded function, that is computable in time polynomial in k.
Assume one of the following holds: -ETD exist and s is a polynomially-large function.
-Exponentially-hard ETD exist and s is a superlogarithmic function. Then there also exist a constant e ∈ independent of s and ETD, s.t. the size of the circuits describing the ETD is bounded by s(k) e for security parameter k. This is shown by scaling the security parameter of the original ETD. The proof is given in the full version [14].

Theorem 1. Let n = n(k) and m = m(k) be polynomially bounded and efficiently computable functions. Assume one of the following conditions holds:
m is polynomially-large and ETD exist, or m is super polylogarithmic and exponentially-hard ETD exist. Then there is a polynomial-time computationally universally composable protocol π for (m → n)-coin toss extension. 5 By the size of the circuits we means the total size of the circuits describing both the key generation and the domain sampling algorithm. Note that then trivially also the size of the resulting keys and the amount of randomness used by the domain sampling algorithm are bounded by s(k).
Proof. Let d be as in Lemma 1. Let further e be as in Lemma 2. If m is polynomially-large or superpolylogarithmic, then s := m 1/(de) is polynomiallylarge or superlogarithmic, resp. So, by Lemma 2 there are ETD, s.t. the size of the circuits describing the ETD is bounded by s e = m 1/e . Then, by Lemma 1 there is a UC-secure protocol for implementing n bit commitments using an It is straightforward to see that using n UC-bit-commitments one can UCsecurely implement an n-bit coin-toss using the protocol from [5]. Furthermore, an m-bit CRS can be trivially implemented using an m-bit coin-toss. Using the Composition Theorem we can put the above constructions together and get a protocol that UC-realises an n-bit coin-toss using an m-bit coin-toss.
Note that given stronger, but possibly unrealistic assumptions, the lower bound for m in Theorem 1 can be decreased. If we assume that for any superlogarithmic m, there are ETD s.t. the size of their circuits is bounded by m 1/d (where d is the constant from Lemma 1), we get coin-toss extension even for superlogarithmic m (using the same proof as for Theorem 1, except that instead of Lemma 2 we use the stronger assumption).
However, we cannot expect an even better lower bound for m, as the following theorem shows: Proof (sketch). Assume for contradiction that protocol π, with parties P 1 and P 2 using CT m , implements CT n (with m, n as in the theorem statement). Let A 1 be an adversary on π that, taking the role of a corrupted party P 1 , simply reroutes all communication of P 1 (with either P 2 or CT m ) to the protocol environment Z 1 and thus lets Z 1 take part as P 1 in the real protocol.
Imagine a protocol environment Z 1 , running with π and A 1 as above, that keeps and internal simulation P 1 of P 1 and lets this simulation take part in the protocol (through A 1 ). After a protocol run, Z 1 inspects the output κ 1 of P 1 and compares it to the output κ 2 of the uncorrupted P 2 .
In a real protocol run with π, A 1 , and Z 1 , we will have κ 1 = κ 2 with overwhelming probability since π non-trivially implements CT n , and CT n guarantees common outputs. So a simulator S 1 , running in the ideal model with CT n and Z 1 , must be able to achieve that the ideal output κ 2 (that is ideally chosen by CT n and cannot be influenced by S 1 ) is identical to what the simulation P 1 of P 1 inside Z 1 outputs. In that sense, S 1 must be able to "convince" P 1 to also output κ 2 . To this end, S 1 may-and must-fake a complete real protocol communication as A 1 would deliver it to Z 1 (and thus, to P 1 ).
However, then we can construct another protocol environment Z 2 that expects to take the role of party P 2 in a real protocol run (just like Z 1 expected to take the role of P 1 ). To this end, an adversary A 2 on π with corrupted P 2 is employed that forwards all communication of P 2 with either P 1 or CT n to Z 2 . Internally, Z 2 now simulates S 1 (and not P 2 !) from above and an instance CT n of the trusted host CT n . Recall that S 1 , given a target string κ by CT n , mimics an uncorrupted P 2 along with an instance of CT m . In that situation, S 1 can convince an honest P 1 with overwhelming probability to eventually output κ.
Chances are 2 −m that the CT m -instance made up by S 1 outputs the same seed as the real CT m in a run of Z 2 with π and A 2 . So with probability at least 2 −m − μ for negligible μ, in such a run, Z 2 observes a P 1 -output κ that is identical to the output of the internally simulated CT n . But then, by assumption about the security of π, there is also a simulator S 2 for A 2 and Z 2 that provides Z 2 with an indistinguishable view. In particular, in an ideal run with S 2 and CT n , Z 2 observes equal outputs from CT n and CT n with probability at least 2 −m − μ for negligible μ . This is a contradiction, as both outputs are uniformly and independently chosen n-bit strings, and n ≥ m + 1.

Stand-Alone Simulatability
We start off with a negative result: Theorem 3. Let m < n be functions in the security parameter k. If m is not superlogarithmic, there is no two-party n-bit coin-toss protocol π (not even an inefficient one) that uses an m-bit coin-toss and has the following properties: -Non-triviality. If no party is corrupted, the probability that the parties give different, invalid or no output is negligible (by invalid output we mean output not in {0, 1} n ). -Security. For any (possibly unbounded) adversary corrupting one of the parties there is a negligible function μ, s.t. for every security parameter k and every c ∈ {0, 1} n , the probability for protocol output c is at most 2 −n + μ(k). If we require perfect non-triviality (the probability for different or no outputs is 0) and perfect security (the probability for a given output c is at most 2 −n ), such a protocol π does not exist, even if m is superlogarithmic.
Proof (sketch). It is sufficient to consider the case n = m + 1.
Without loss of generality, we can assume that the available m-bit coin toss is only used at the end of the protocol. Similarly, we can assume that in the honest case, the parties never output distinct values. A detailed proof for these statements can be found in the full proof.
To show the theorem, we first consider "complete transcripts" of the protocol. By a complete transcript we mean all messages sent during the run of a protocol, excluding the value of the m-bit coin-toss. We distinguish three sets of complete transcripts: the set A of transcripts having non-zero probability for the protocol output 0 n , the set B of transcripts having zero probability of output 0 n and zero probability that the protocol gives no output, and the set C of transcripts having non-zero probability of giving no output. Note that, since for a complete transcript, the protocol output only depends on the m-bit coin-toss, any of the above non-zero probabilities is at least 2 −m .
For any partial transcript p (i.e., a situation during the run of the protocol), we define three values α, β, γ. The value α denotes the probability with which a corrupted Alice can enforce a transcript in A starting from p, the value β denotes the probability with which a corrupted Bob can enforce a transcript in B, and the value γ denotes the probability that the complete protocol transcript will lie in C if no-one is corrupted. We show inductively that for any partial transcript p, (1 − α)(1 − β) ≤ γ. In particular, this holds for the beginning of the protocol. For simplicity, we assume that 2 −m is not only non-negligible, but noticeable (in the full proof, the general case is considered). Since a transcript in C gives no output with probability at least 2 −m , the probability that the protocol generates no output (in the uncorrupted case) is at least 2 −m γ. By the non-triviality condition, this probability is negligible, so γ must be negligible, too. So (1 − α)(1 − β) is negligible, too. Therefore max {1 − α, 1 − β} must be negligible. For now, we assume that 1 − α is negligible or 1 − β is negligible (for the general case, see the full proof).
If 1 − α is negligible, the probability for output 0 n is at least 2 −m α. Since α is overwhelming and 2 −m noticeable, this is greater than 2 −n = 1 2 2 −m by a noticeable amount which contradicts the security property.
If 1 − β is negligible, we consider the maximum probability a corrupted Bob can achieve that the protocol output is not 0 n . By the security property, this probability should be at most (2 n − 1)2 −n plus a negligible amount, which is not overwhelming. However, since every transcript in B gives such an output with probability 1, the probability of such is β, which is overwhelming, in contradiction of the security property.
The perfect case is proven similarly.
The full proof is given in the full version [14].

Corollary 1. By a non-trivial coin-toss protocol we mean a protocol s.t. (in the uncorrupted case) the probability that the parties give no or different output is negligible. By a perfectly non-trivial coin-toss protocol where this probability is zero. Let m be not superlogarithmic and n > m. Then there is no non-trivial protocol realising n-bit coin-toss using an m-bit coin-toss in the sense of statistical stand-alone simulatability.
Let m be any function (possibly superlogarithmic) and n > m. Then there is no perfectly non-trivial protocol realising n-bit coin-toss using an m-bit coin-toss in the sense of perfect stand-alone simulatability.
Proof. A statistically secure protocol would have the security property from Theorem 3 and thus, if non-trivial, contradict Theorem 3. Analogously for perfect security.
However, not all is lost: Now we will prove that there exists a protocol for coin toss extension from m to n bit which is statistically stand-alone simulatably secure. The basic idea is to have the parties P 1 and P 2 contribute random strings to generate one string with sufficiently large min-entropy (the min-entropy of a random variable X is defined as min x − log Pr[X = x]). The randomness from this string is then extracted using a randomness extractor. Interestingly the amount of perfect randomness (i.e., the size of the m-bit coin-toss) one needs to invest is smaller than the amount extracted. This makes coin toss extension possible.
To obtain the coin toss extension we need a result about randomness extractors able to extract one bit of randomness while leaving the seed reusable like a catalyst.
Here ·, · denotes the inner product and ⊕ the addition over GF (2). It is easy to verify that h m (s, ·) constitutes a family of universal hash functions [11], where s is the index selecting from that family. Therefore the Leftover Hash Lemma [15,17] guarantees that the statistical distance between s h m (s, x) and the uniform distribution on {0, 1} m+1 is bounded by 1 With this function h m a simple protocol is possible which extends m(k) coin tosses to m(k) + 1 if the function m(k) is superlogarithmic. and sends b to P 1 3. If one party fails to send a string of appropriate length or aborts then this string is assumed by the other party to be an all-zero string of the appropriate length 4. P 1 and P 2 invoke the m-bit coin toss functionality and obtain a uniformly distributed s ∈ {0, 1} m . If one party P i fails to invoke the coin toss functionality or aborts, then the other party chooses s at random 5. Both P 1 and P 2 compute s h m (s, a b) and output this string.
Similar to construction 7.4.7 in [13] the protocol is constructed in a way that the adversary is not able to abort the protocol (not even by not terminating). Hence we can safely assume that the adversary will send some message of the correct length and will invoke the coin toss functionality. We assume the adversary to corrupt P 2 , corruption of P 1 is handled analogously. Further we assume the random tape of A to be fixed in the following. Due to these assumptions there exists a function f A : {0, 1} m/2 → {0, 1} m/2 for each real adversary A such that the message b sent in step 2 of the protocol equals f A (a). There is no loss in generality if we assume the view of the parties to consists of just a, b, s and the protocol output to be s h m (s, a b). Now for a specific adversary A with fixed random tape the output distribution of the real protocol (i.e., view and output) is completely described by the fol- let r ← s h m (s, a b) and return ((a, b, s), r).
We now describe the simulator. To distinguish the the random variables in the ideal model from their real counterparts, we decorate them with a ∼, e.g.,ã,b,s. The simulator in the ideal model obtains a stringr and again computesb = f A (a). If now h m (s,ã b ) =r m+1 the simulator outputs (ã,b,s). If again h m (s,ã b ) =r m+1 then the simulator rewinds the adversary again. If after k invocations of the adversary no triple (ã,b,s) was output, the simulator aborts and outputs fail .
To show that the simulator is correct, we have to show that the following to distributions are statistically indistinguishable: ((a, b, s), r) as defined in the real model, and ((ã,b,s),r).
By construction of the simulator, it is obvious that the two distributions are identical under the condition that r m = 0,r m = 0 and that the simulator does not fail. The same holds given r m = 1,r m = 1 and that the simulator does not fail. Therefore it is sufficient to show two things: (i) the statistical distance between r and the uniform distribution on n bits is negligible, and (ii) the probability that that the simulator fails is negligible. Property (i) is shown using the properties of the randomness extractor h m . Since a is chosen at random, the min-entropy of a is at least m−1 2 ≥ m 2 − 1, so the min-entropy of a b is also at least m 2 − 1. Since s is uniformly distributed, it follows by Lemma 3 that the statistical distance between r = s h m (s, a b) is bounded by 2 −m/4−1/2 / √ 2 = (2 −m ) 1/4 /2. Since for superlogarithmic m it is 2 −m negligible, this statistical distance is negligible.
Property (ii) is then easily shown: From (i) we see, that after each invocation of the adversary the distribution of h m (s,ã b ) is negligibly far from uniform. So the probability that h m (s,ã b ) =r m is at most negligibly higher than 1 2 . Since the h m (s,ã b ) in the different invokations of the adversary are independent, the probability that h m (s,ã b ) =r m after each activation is neglibigly far from 2 −k . So the simulator fails only with negligible probability.
It follows that the real and the ideal protocol execution are indistinguishable, and the protocol stand-alone simulatably implements an (m+1)-bit coin-toss.
The idea of the one bit extension protocol can be extended by using an extractor which extracts a larger amount of randomness (while not necessarily treating the seed like a catalyst). This yields constant round coin toss extension protocols. However, the simulator needed for such a protocol does not seem to be efficient, even if the real adversary is. To get a protocol that also fulfils both the property of computational stand-alone simulatabiliy and of statistical stand-alone simulatabiliy, we need a simulator that is efficient if the adversary is.
Below we give such a coin toss extension protocol for superlogarithmic m(k) which is statistically secure and computationaly secure, i.e., the simulator for polynomial adversaries is polynomially bounded, too. The basic idea here is to extract one bit at a time in polynomially many rounds. and sends b i to P 1 (c) If one party fails to send a string of appropriate length or aborts then this string is assumed by the other party to be an all-zero string of the appropriate length 2. P 1 and P 2 invoke the m-bit coin toss functionality and obtain a uniformly distributed s ∈ {0, 1} m . If one party P i fails to invoke the coin toss functionality or aborts, then the other party chooses s at random 3. P 1 and P 2 compute s h m (s, a 1 b 1 ) . . . h m (s, a p(k) b p(k) ) and output this string. We only roughly sketch the differences to the proof of Theorem 4. For each protocol round the simulator follows the strategy described in the proof of Theorem 4 (i.e., the simulator rewinds the adversary by one round, if the coin-toss produced is not the correct one.) Then using standard hybrid techniques it can be shown that this simulator indeed gives an indistinguishable ideal protocol run. Here it is only noteworthy that we use the fact that s h m (s, a 1 b 1 ) . . . h m (s, a p(k) b p(k) ) is statistically indistinguishable from the uniform distribution on m + p bits. However, this follows directly from Lemma 3 and the fact that each a i b i has min-entropy at least m−1 2 even given the values of all a μ b μ for μ < i.

Universal Composability (Statistical/Perfect Case)
In the case of statistical security, adversary and protocol environment are allowed to be computationally unbounded. In that case, we show that there is no simulatably secure coin toss extension protocol that runs in a polynomial number of rounds. This is forced by requiring the parties to halt after a polynomial number of activations. However, note that we do not impose any restrictions on the amount of computational work these parties perform in one of those activations.
The proof of this statement is done by contradiction. Furthermore, the proof is split up into an auxiliary lemma and the actual proof. In the auxiliary lemma, we show that without loss of generality, a protocol for statistically universally composable coin toss extension has a certain outer form. Then we show that any such protocol (of this particular outer form) is insecure.
For the following statements, we always assume that m = m(k), n = n(k) are arbitrary functions, only satisfying 0 ≤ m(k) < n(k) for all k. We also restrict to protocols that proceed in a polynomial number of rounds. That is, by a "protocol" we mean in the following one in which each party halts after at most p(k) activations, where p(k) is a polynomial which depends only on the protocol. (As stated above, the parties are still unbounded in each activation.) We start with a helping lemma whose proof is available in the full version [14].

Lemma 4.
If there is a statistically universally composable protocol for (m → n)-coin toss extension, then there is also one in which each party has only one connection to the other party and one connection to CT m , -in each activation sends either an "init" message to CT m or some message to the other party, -sends in each protocol run at most one message to CT m , and this is always an "init" message, -the internal state of each of the two parties consists only of the view that this party has experienced so far, and after P i sends "init" to CT m , it does not further communicate with P 3−i (for i = 1, 2 and in case of no corruptions).
We proceed with Lemma 5. There is no statistically universally composable protocol for (m → n)-coin toss extension which meets the requirements from Lemma 4.
Proof. Assume for contradiction that π, using CT m , is a statistically universally composable implementation of CT n , and also satisfies the requirements from Lemma 4. Assume a fixed environment Z 0 that gives both parties "init" input and then waits for both parties to output a coin toss result. Consider an adversary A 0 that delivers all messages between the parties immediately. The resulting setting D 0 is depicted in Figure 1.
Denote the protocol communication in a run of D 0 , i.e., the ordered list of messages sent between P 1 and P 2 , by com. Denote by κ 1 where x ≤ y means that x is a prefix of y.
Note that the parties have, apart from their communication com, only the seed ω ∈ {0, 1} m provided by CT m for computing their final output κ. So we may assume that there is a deterministic function f for which κ 1 = κ 2 = f (com, ω) with overwhelming probability.
of "improbable outputs" after communication c. Then obviously |M c | ≥ 2 n − 2 m ≥ 2 n−1 . By definition of the ideal output (i.e., the output of CT n in the ideal model), this implies that for sufficiently large security parameters k, the probability that κ 1 = κ 2 ∈ M c is at least 2/5. (Here, any number strictly between 0 and 1/2 would have done as well.) Otherwise, an environment could distinguish real and ideal model by testing for κ 1 = κ 2 ∈ M c . Since E(M c , ε) is exactly that probability, we have E(M c , ε) ≥ 2/5 for sufficiently large k. Also, E(M c , c) is negligible by definition, so M c satisfies for sufficiently large k. Since the protocol consists by assumption only of polynomially many rounds, c is a list of size at most p(k) for a fixed polynomial p. This means that there is a prefix c of c and a single message m (either sent from P 1 to P 2 or vice versa) such that cm ≤ c and for sufficiently large k. Intuitively, this means that at a certain point during the protocol run, a single message m had a significant impact on the probability that the protocol output is in M c . Note that such an m must be either sent by P 1 or P 2 . So there is a j ∈ {1, 2}, such that for infinitely many k, party P j sends such an m with probability at least 1/2. We describe a modification D j of setting D 0 . In setting D j , party P j is corrupted and simulated (honestly) inside Z j . Furthermore, adversary A j simply relays all communication between this simulation inside Z j and the uncorrupted party P 3−j . For supplying inputs to the simulation of P j and to the uncorrupted P 3−j , a simulation of Z 0 is employed inside Z j . The situation (for j = 1) is depicted in Figure 1.
Since D j is basically only a re-grouping of D 0 , the random variables com, ω, and κ i are distributed exactly as in D 0 , so we simply identify them. In particular, in D j , for infinitely many k, there is with probability at least 1/2 a prefix c and a message m sent by P j of com that satisfy (2). Now we slightly change the environment Z j into an environment Z j . Each time the simulated P j sends a message m to P 3−j , Z j checks for all subsets M of {0, 1} n whether where c denotes the communication between P j and P 3−j so far. If (3) holds at some point for the first time, then Z j tosses a coin b uniformly at random, and proceeds as follows: if b = 0, then Z j keeps going just as Z j would have. In particular, Z j then lets P j send m to P 3−j . However, if b = 1, then Z j rewinds the simulation of P j to the point before that activation, and activates P j again with fresh randomness, thereby letting P j send a possibly different message m . In the further proof, c, m, and M refer to these values for which (3) holds.
In any case, after having tossed the coin b once, Z j remembers the set M from (3), and does not check (3) again. After the protocol finishes, Z j outputs either (⊥, ⊥) (if (3) was never fulfilled), or (b, β) for the evaluation β of the predicate [κ 1 = κ 2 ∈ M ] (i.e., β = 1 iff the protocol gives output, the protocol outputs match and lie in M ). Now by our choice of j, Pr[b = ⊥] ≥ 1/2 for infinitely many k. Also, Lemma 4 guarantees that the internal state of the parties at the time of tossing b consists only of c. So, when Z j has chosen b = 1, and rewound the simulated P j , the probability that at the end of the protocol κ 1 = κ 2 ∈ M is the same as the probability of that event in the setting D j under the condition that the communication com begins withc. This probability again is exactly E(M,c) by definition.
Similarly, when Z j has chosen b = 0, the probability that at the end of the protocol κ 1 = κ 2 ∈ M is the same as the probability of that event in the setting D j under the condition that the communication com begins withcm, i.e. E(M,cm).
Therefore just before Z j chooses b (i.e., whenc and M are already determined), the probability that at the end we will have β = 1 ∧ b = 1 is 1 2 E(M,c) and the probability of β = 1 ∧ b = 0 is 1 2 E(M,cm). Therefore the difference between these probabilities is at least 1 2 E(M,c) − E(M,cm) ≥ 1 3p(k) .
Since this bound on the difference of the probabilities always holds when b = ⊥, by averaging we get and using the fact that Pr[b = ⊥] ≥ 1 2 for infinitely many k we then have that for infinitely many k when Z j runs with the real protocol as described above. We show that no simulator S j can achieve property (4) in the ideal model, where Z j runs with CT n and S j . To distinguish random variables during a run of Z j in the ideal model from those in the real model, we add a tilde to a random variable in a run of Z j in the ideal model, e.g.,b,β.
For any S j achieving indistinguishability of real and ideal model, this can happen only with negligible probability, so we can assume without losing generality that S j always delivers outputs.
So comparing (4) and and (5), Z j 's output distribution differs non-negligibly in real and ideal model. So no simulator S j can simulate attacks carried out by Z j and A j , which gives the desired contradication.
Combining the above Lemmas 4 and 5 we therefore get:

Theorem 6.
There is no non-trivial statistically universally composable protocol for (m → n)-coin toss extension that proceeds in a polynomial of rounds.
The case of perfect security is shown analogously.