Leakage-resilient coin tossing

Abstract

The ability to collectively toss a common coin among \(n\) parties in the presence of faults is an important primitive in the arsenal of randomized distributed protocols. In the case of dishonest majority, it was shown to be impossible to achieve less than \(\frac{1}{r}\) bias in \(O(r)\) rounds (Cleve STOC ’86). In the case of honest majority, in contrast, unconditionally secure \(O(1)\)-round protocols for generating common perfectly unbiased coins follow from general completeness theorems on multi-party secure protocols in the perfectly secure channels model (e.g., BGW, CCD STOC ’88). However, in the multi-party protocols with honest majority, parties must generate and hold local secret values which are assumed to be perfectly hidden from malicious parties: an assumption which is crucial to proving the resulting common coin is unbiased. This assumption unfortunately does not seem to hold in practice, as attackers can launch side-channel attacks on the local state of honest parties and leak information on their secrets. In this work, we present an \(O(1)\)-round protocol for collectively generating an unbiased common coin, in the presence of leakage on the local state of the honest parties. We tolerate \(t \le (\frac{1}{3} - \epsilon ) n\) computationally unbounded statically scheduled Byzantine faults and in addition a \(\varTheta (1)\)-fraction leakage on each (honest) party’s secret state. Our results hold in the memory leakage model (of Akavia, Goldwasser, Vaikuntanathan ’08) adapted to the distributed setting. Another contribution of our work is a tool we use to achieve collective coin flipping—leakage-resilient verifiable secret sharing (VSS). Informally, this is a variant of ordinary VSS in which secrecy guarantees are maintained even if information is leaked on individual shares of the secret.

Appendix: Proof of Theorem 4

In this section, we provide a construction and proof of a leakage-resilient oblivious VSS protocol.

Proof

(Proof of Theorem 4) Let \(\delta '\) be any constant such that \(\delta ' < \delta \). Fix any constant \(0 < \epsilon < 1\). We construct the desired protocol \((\mathsf {Share}_\mathsf {LR},\mathsf {Rec}_\mathsf {LR})\), making use of the following tools:

1. 1.

   \(\mathsf {Elect}\): Feige’s 1-round public-coin protocol to elect a primary committee of size approximately \(n' = n^{\epsilon }\), as in Lemma 2.

2. 2.

   \((\mathsf {Share}_\mathsf {WLR}, \mathsf {Rec}_\mathsf {WLR})\): a \(\left( \lambda , \frac{1}{2} \right) \)-weakly leakage-resilient VSS protocol for \(n'\) parties tolerating \(t' = \frac{n'}{3+\delta '}\) corrupted parties, terminating in \(O(1)\) rounds, as in Theorem 3. (Recall \(\frac{1}{2}\) refers to the fraction of entropy guaranteed to remain in the secret).

3. 3.

   \(\mathsf {Ext}_2:\{0,1\}^k \times \{0,1\}^k \rightarrow \{0,1\}^m\): a two-source extractor, where \(k = \delta 't'\log |\mathbb {F}|\) and \(m = \varOmega (k)\), as in Theorem 1.

A description of the protocol \((\mathsf {Share}_\mathsf {LR}, \mathsf {Rec}_\mathsf {LR})\) is given in Fig. 5.

By Lemma 2, with overwhelming probability in \(n\), both committees \(\mathcal {E}_1, \mathcal {E}_2\) will be “good,” in that they each have size \(n^{\epsilon /2} \le |\mathcal {E}_i| \le n^{\epsilon }\) and it holds that \(n'_i \ge (3+\delta ')t'_i\), where \(n'_i = |\mathcal {E}_i|\) and \(t'_i = |\mathcal {E}_i \cap {\mathcal {C}}|\) for \(i \in \{1,2\}\). We will thus assume this is the case. Since \(n'_i \ge (3+\delta ')t'_i\), the validity, reconstruction, and secrecy properties of the \((\lambda ,\frac{1}{2})\)-weakly leakage-resilient VSS protocol (see Definition 7) will hold for the \(i\)th execution of \((\mathsf {Share}_\mathsf {WLR}, \mathsf {Rec}_\mathsf {WLR})\) with overwhelming probability in \(n'_i\) (and thus in \(n\)).

We now show that \((\mathsf {Share}_\mathsf {LR},\mathsf {Rec}_\mathsf {LR})\) satisfies the reconstruction and secrecy properties given in Definition 8.

Reconstruction By the reconstruction property of the underlying \(\lambda \)-weakly leakage-resilient VSS protocol, the honest parties in \(\mathcal {E}_1\) (respectively, in \(\mathcal {E}_2\)) will agree on the reconstructed value \(x' \leftarrow \mathsf {Rec}_\mathsf {WLR}()\) (resp, \(y' \leftarrow \mathsf {Rec}_\mathsf {WLR}\)), it will hold that \(x' = x\) (resp, \(y'=y\)), and the honest parties will broadcast this value to all parties in Step 1 of the reconstruction phase. Since a majority of the parties in \(\mathcal {E}_i\) are honest, all honest parties in \([n]\) will agree on the values of \(x^* = x, y^* = y\), and thus will output the same value \(\mathsf {Ext}_2(x^*,y^*)\).

Secrecy Assume the dealer is honest. Note that since the dealer erases \(x\) (and all values related to \(x\)) before generating \(y\), any leakage function will be a function of purely \(x\) or \(y\), when conditioned on prior leakage.

Thus, conditioned on the leakage, the distribution of \(x\) and \(y\) will be independent. By the secrecy property of the underlying \(\lambda \)-weakly leakage-resilient VSS protocol, given the view of the adversary, both \(x\) and \(y\) retain at least \(\frac{1}{2}\) of their original entropy. Therefore, by Theorem 1, the final output \(\mathsf {Ext}_2(x,y)\) will be statistically close to uniform over \(\{0,1\}^m\) for \(m = \varOmega (k)\). \(\square \)

Fig. 5

Leakage-resilient oblivious VSS protocol, \((\mathsf {Share}_\mathsf {LR}, \mathsf {Rec}_\mathsf {LR})\)