User:Tylerni7/Cryptographic coin flipping: Difference between revisions

In cryptography a coin toss is a cryptographic primitive which allows two parties, Alice and Bob, to establish a shared random bit. This idea is a cryptographic analogue of a coin flip, in which Alice and Bob will both observe the outcome (heads or tails, or equivalently a bit 0 or 1) of a coin. However, when Alice and Bob are physically separated, this becomes a difficult prospect. The concept of a non-local coin toss was first posed in 1981 as follows:

Alice and Bob want to flip a coin by telephone. (They have just divorced, life in different cities, want to decide who gets the car.) Bob would not like to tell Alice HEADS and hear Alice (at the other end of the line) say "Here goes... I'm flipping the coin.... You lost!"

— Manuel Blum, ^[1]

As a cryptographic protocol, there are a number of questions that are natural to ask about coin tossing, such as:

• Under what conditions is such a protocol secure?
• Can the requirements of the coin toss be relaxed to make it easier for Alice and Bob to carry out?
• How certain can one be that their opponent did not cheat?
• If one's opponent does cheat, how can that be detected and proven?

To attempt to answer these questions, the problem of coin tossing is formalised thusly:

Denote the probability of Alice determining the result of the coin toss is the bit ${\displaystyle x}$ and Bob determining the result is the bit ${\displaystyle y}$ to be ${\displaystyle P_{x,y}}$ If neither Alice nor Bob cheat, the outcome of the coin tossing protocol should have the following probabilities

${\displaystyle P_{0,0}=P_{1,1}={\frac {1}{2}},\quad P_{0,1}=P_{1,0}=0}$

In other words, Alice and Bob should always agree on the outcome bit, which should have an equal chance of being 0 or 1.

Of course, it is possible that Alice or Bob does not follow the protocol when playing the game in order to try to adjust the outcome in their favor. In this case we want to know the bias, or how strongly one party can skew the probability distribution of the coin toss if the protocol is not followed.

If Bob cheats, the bias is the amount he can cause Alice's probability distribution deviate from a uniform probability distribution. We say that the bias is equal to ${\displaystyle \varepsilon }$ if

${\displaystyle P_{0,0}+P_{0,1}\in [{\frac {1}{2}}-\varepsilon ,{\frac {1}{2}}+\varepsilon ]}$

Likewise if Alice cheats with bias ${\displaystyle \varepsilon }$,

${\displaystyle P_{0,0}+P_{1,0}\in [{\frac {1}{2}}-\varepsilon ,{\frac {1}{2}}+\varepsilon ]}$

In this sense, the fairness of a particular protocol can be measured by how small the bias can be.

It is also useful to note the maximum probability of a certain outcome when Alice or Bob is cheating. Letting ${\displaystyle {\widetilde {A}},{\widetilde {B}}}$ represent any possible strategy for Alice and Bob, respectively, the maximum probabilities that can be obtained by cheating are

${\displaystyle P_{x,*}=\max _{\widetilde {B}}\;\operatorname {Pr} [{\text{Alice measures }}x],\quad P_{*,y}=\max _{\widetilde {A}}\;\operatorname {Pr} [{\text{Bob measures }}y]}$

Additionally, one may also consider the case in which one party detects the other party cheating. In this case, the coin flipping game can be modified to allow for some chance of an abort signal, in which case no bit is derived and the game is simply canceled.

Bit commitment is a related cryptographic primitive in which Alice chooses a bit and later proves to Bob her choice. A scheme of this sort clearly allows for coin tossing: Alice can commit to the outcome of a coin toss, the outcome of which she does not reveal to Bob. Bob guesses whether Alice's coin was heads or tails, and communicates his guess to Alice. Alice can then use the bit commitment scheme to prove to Bob the outcome she obtained. Bob will win the game if his guess was correct, and Alice will win otherwise.

Although the protocols seem related, bit commitment is strictly more powerful than coin tossing. That is, while the bit commitment primitive can be used to implement coin tossing, a coin tossing primitive cannot be used to implement bit commitment. ^[2]

In a classical setting (one in which Alice and Bob cannot share quantum information), the security of coin tossing relies on computational difficulty, which allows the use of bit commitment based on one-way functions. Moreover, classical coin flipping is not possible if players are allowed unlimited computational power. That is, if Alice or Bob have access to arbitrary computational resources, they can cheat with the help of these resources to obtain a bias of ${\displaystyle \varepsilon ={\frac {1}{2}}}$, making the game always come out in their favor. This result holds both for strong and weak coin flipping (discussed below). ^[3]

In the case where the coin tossing protocol allows Alice and Bob to exchange quantum information, protocols exist which are unconditionally robust. That is, their security relies on the laws of physics, and therefore the protocol works so long as Alice and Bob obey physical laws.

In a quantum coin flipping protocol, a single game can be regarded as an interactive proof between Alice and Bob. Looking at one player in particular, Bob's goal is to prove to Alice that he flipped a coin without cheating, whereas Alice's goal is to verify his proof is correct. Alice and Bob are each allowed to perform any operations they choose, represented as unitary operations ${\displaystyle A_{i},B_{i}}$, in their respective Hilbert spaces, which we will denote as ${\displaystyle {\mathcal {V}},{\mathcal {P}}}$ for Alice and Bob, respectively. Additionally, after one party completes a computation, they will send some output to their opponent, using the shared message space ${\displaystyle {\mathcal {M}}}$.

The states Alice interacts with are always in the Hilbert space ${\displaystyle {\mathcal {V}}\otimes {\mathcal {M}}}$, and can be denoted as ${\displaystyle \rho _{i}}$ at round ${\displaystyle i}$ of a coin flipping exchange. After passing through Alice's unitary for that round, the state can then be written as ${\displaystyle \rho '_{i}=A_{i}\rho _{i}A_{i}^{\dagger }}$. Using the partial trace, the state in Alice's space can easily be written as ${\displaystyle \operatorname {Tr} _{\mathcal {M}}(\rho '_{i})}$. When Bob operates on the message space and his own space, Alice's state cannot change. Therefore ${\displaystyle \operatorname {Tr} _{\mathcal {M}}(\rho '_{i})=\operatorname {Tr} _{\mathcal {M}}(\rho _{i+1})}$. Further, each of the ${\displaystyle \rho _{i}}$ states can be described as the partial trace over ${\displaystyle {\mathcal {P}}}$ of a state in the full Hilbert space ${\displaystyle {\mathcal {V}}\otimes {\mathcal {M}}\otimes {\mathcal {P}}}$. Using the purification theorem, two pure quantum states, ${\displaystyle |\psi \rangle ,|\phi \rangle }$, in the Hilbert space ${\displaystyle {\mathcal {V}}\otimes {\mathcal {M}}\otimes {\mathcal {P}}}$ can be constructed, such that ${\displaystyle \rho '_{i}=\operatorname {Tr} _{\mathcal {P}}(|\psi \rangle \langle \psi |),\rho _{i+1}=\operatorname {Tr} _{\mathcal {P}}(|\phi \rangle \langle \phi |)}$.

The unitary equivalence of purifications then guarantees that for any two pure states, ${\displaystyle |\psi \rangle \langle \psi |,|\phi \rangle \langle \phi |}$, whose partial traces are equal, there is a unitary operator ${\displaystyle U}$ such that ${\displaystyle |\psi \rangle =(\mathbb {I} \otimes U)|\phi \rangle }$. Therefore, Bob is guaranteed a strategy to take ${\displaystyle \rho '_{i}}$ to ${\displaystyle \rho _{i+1}}$ by choosing ${\displaystyle B_{i}=U}$.

At the end of the game, Alice and Bob must each make measurements on their quantum state in order to determine the outcome of the coin toss. Most generally this can be thought of as a positive operator valued measurement (POVM), which has outcomes for the coin returning 0, 1, or perhaps also an abort signal, if cheating is detected. The probability of any particular outcome associated with measurement ${\displaystyle E_{i}}$ with final state ${\displaystyle \rho _{n}}$ is then returned with probability ${\displaystyle \operatorname {Tr} (E_{i}\rho _{n})}$.

With this formulation, it is possible to present any cheating strategy for a player in a quantum coin tossing game as a semidefinite program (SDP). A cheating player seeks to maximize the probability of a certain result ${\displaystyle j}$ at the end of the game, ${\displaystyle \operatorname {Tr} (E_{j}\rho _{n})}$, by maximizing over all choices of intermediate states for the opponent ${\displaystyle \{\rho _{i}\}}$. As noted above, any set of ${\displaystyle \rho _{i}}$ values in which Alice's values are consistent is achievable by some unitary strategy for Bob, and so Bob need only maximize over all ${\displaystyle \rho _{i}}$ values.

So the SDP for Bob maximising his chance of winning (by he and Alice obtaining the result 1) can be written as

${\displaystyle {\begin{array}{rl}{\displaystyle \max _{\{\rho _{i}\}}}&\operatorname {Tr} (E_{1}\rho _{n})\\{\text{subject to}}&\rho _{0}=|0\rangle \langle 0|,\operatorname {Tr} _{\mathcal {P}}(\rho _{i+1})=\operatorname {Tr} _{\mathcal {P}}(A_{i}\rho _{i}A_{i}^{\dagger })\\&\forall i,\rho _{i}\succeq 0\end{array}}}$

And the dual problem can be worked out and simplified to

${\displaystyle {\begin{array}{rl}{\displaystyle \min _{Z^{A}\in \operatorname {L} ({\mathcal {V}})}}&\operatorname {Tr} (Z^{A}(0)|0\rangle \langle 0|)\\{\text{subject to}}&Z^{A}(n)=E_{1},\;\forall i,Z^{A}(i)\otimes \mathbb {I} \geq A_{i+1}^{\dagger }(Z^{A}(i+1)\otimes \mathbb {I} )A_{i+1}\\&\forall i,Z^{A}(i){\text{ is Hermetian}}\end{array}}}$

Where ${\displaystyle Z^{A}}$ can be interpreted as sub-goals for Bob--at each step ${\displaystyle i}$ he wants to maximize ${\displaystyle \operatorname {Tr} (Z^{A}(i)\operatorname {Tr} _{\mathcal {V}}(\rho _{i}))}$. ^[4]

A weak coin flipping protocol is one in which Alice and Bob each have a prefered (and opposite) outcome. The protocol restricts Alice and Bob from biasing the outcome of a coin too far in their favor. However, it makes no restrictions on how much they may bias it towards their opponents prefered outcome. This is a natural way to represent a coin flipping protocol: Alice and Bob each pick a side of the coin, and whoever guessed the outcome correctly wins.

Without loss of generality, Bob can prefer the outcome 1, and Alice the outcome 0, and so the weak coin flipping protocol has the restriction that

${\displaystyle P_{*,1}\leq {\frac {1}{2}}+\varepsilon ,\quad P_{0,*}\leq {\frac {1}{2}}+\varepsilon }$

Unconditional weak coin flipping protocols exist only for quantum players. With quantum information and a multi-round protocol, it is also possible for a quantum weak coin flipping protocol to achieve an arbitrarily small bias. ^[5]

A simple example of a weak coin flipping protocol is given by Mochon^[5]:

Alice and Bob work in the space ${\displaystyle \mathbb {C} ^{3}}$ spanned by the vectors ${\displaystyle |A\rangle ,|B\rangle ,|U\rangle }$ (representing a win for Alice, Bob, or undecided), and share a message space ${\displaystyle \mathbb {C} ^{2}}$. A unitary operation will also be used, which is defined as

${\displaystyle \operatorname {Rot} (|\alpha \rangle ,|\beta \rangle ,\epsilon )={\begin{pmatrix}|\alpha \rangle &|\beta \rangle \end{pmatrix}}{\begin{pmatrix}{\sqrt {1-\epsilon }}&-{\sqrt {\epsilon }}\\{\sqrt {\epsilon }}&{\sqrt {1\epsilon }}\end{pmatrix}}{\begin{pmatrix}\langle \alpha |\\\langle \beta |\end{pmatrix}}+{\begin{pmatrix}I-|\alpha \rangle \langle \alpha |-|\beta \rangle \langle \beta |\end{pmatrix}}}$

The winner of the coin toss will be whomever first outputs ${\displaystyle |1\rangle }$ in the shared message space. With honest play, the game can be specified by the probability that the ${\displaystyle i}$^th message sent is ${\displaystyle |1\rangle }$, which can be denoted by ${\displaystyle \{p_{i}\}}$.

At round ${\displaystyle i}$, the probability of a win going to Alice, Bob, or being undecided is:

${\displaystyle {\begin{aligned}P_{A}(i)&={\begin{cases}P_{A}(i-1)&{\text{ for i even}}\\P_{A}(i-t)+p_{i}P_{U}(i-1)&{\text{ for i odd}}\end{cases}}\\P_{B}(i)&={\begin{cases}P_{B}(i-t)+p_{i}P_{U}(i-1)&{\text{ for i even}}\\P_{B}(i-1)&{\text{ for i odd}}\end{cases}}\\P_{U}(i)&=(1-p_{i})P_{U}(i-1)\end{aligned}}}$

The game proceeds as follows:

1. Alice prepares ${\displaystyle |U\rangle \otimes |0\rangle }$ and Bob prepares ${\displaystyle |u\rangle }$
2. For ${\displaystyle i=1,\ldots ,n}$, (let X represent Alice and her state ${\displaystyle |A\rangle }$ and Y represent the corresponding quantities for Bob if ${\displaystyle i}$ is even, otherwise switch X and Y)
   1. X applies the operation ${\displaystyle \operatorname {Rot} (|U\rangle \otimes |0\rangle ,|X\rangle \otimes |1\rangle ,p_{i})}$
   2. X sends the message qubit to Y
   3. Y applies ${\displaystyle \operatorname {Rot} (|U\rangle \otimes |1\rangle ,|X\rangle \otimes |0\rangle ,{\frac {p_{i}P_{U}(i-1)}{P_{X}(i)}})}$
   4. Y measures the message qubit. If the output is 1, Y terminates the game and declares foulplay.
3. Alice and Bob will each measure their qutrit. If the outcome is ${\displaystyle U}$, they output themselves as the winner, otherwise they report the measurement outcome as the winner.

For a set of values of ${\displaystyle \{p_{i}\}}$ such that ${\displaystyle p_{i}\in (0,1)}$ and ${\displaystyle P_{A}(n)=P_{B}(n)={\frac {1}{2}}}$, this protocol achieves a bias of ${\displaystyle {\frac {1}{6}}}$. ^[5]

A strong coin flipping protocol is one in which biases away from randomness in either direction are limited. That is, Alice (or Bob) is not able to force either heads or tails to show up more than a certain amount. This is in contrast to weak coin flipping (in which each player has a prefered coin face), and is somewhat less of a natural way to represent the problem. Nevertheless, a strong coin flipping protocol meets all the criteria of a weak coin flipping protocol, but with some additional guarantees.

The restriction in the strong coin flipping case can be written as

${\displaystyle P_{*,1}\leq {\frac {1}{2}}+\varepsilon ,\quad P_{1,*}\leq {\frac {1}{2}}+\varepsilon }$

Note that now both Alice and Bob are trying to maximize the probability the other player returns 1 (though this can equivalently be 0 for both players).

In the quantum setting, unconditional strong coin flipping protocols exist, but they suffer from a large bias of ${\displaystyle \varepsilon ={\frac {1}{2}}-{\frac {1}{\sqrt {2}}}}$. It has been shown that this is the smallest bias possible for strong quantum coin flipping. ^[4] Additionally, it has been shown that a weak coin flipping protocol can be used to construct strong coin flipping protocols with biases arbitrarily close to the optimum. ^{[6] [5]}

Using the SDP formulation of a quantum coin flipping game given above, the lower bound on ${\displaystyle \varepsilon }$ is fairly simple. Taking ${\displaystyle Z^{B}}$ to be Alice's equivalent value for Bob's ${\displaystyle Z^{A}}$, and ${\displaystyle \{\rho _{j}^{H}\}}$ to be the set of intermediate states in a game in which Alice and Bob are both playing fairly, define

${\displaystyle F_{j}=\operatorname {Tr} ((Z^{A}(j)\otimes \mathbb {I} \otimes Z^{B}(j))\rho _{j}^{H})}$

By the constraints seen in the SDP formulation, ${\displaystyle F_{j}\geq F_{j+1}}$. Also using our SDP, along with strong duality, ${\displaystyle F_{0}}$ must be ${\displaystyle P_{1,*}P_{*,1}}$ Additionally, from the above formula and strong duality on our SDP, we can see that ${\displaystyle F_{0}=P_{1,*}P_{*,1}}$, and by the definition of a fair coin tossing game, ${\displaystyle F_{n}={\frac {1}{2}}}$. Therefore ${\displaystyle P_{1,*}P_{*,1}\geq {\frac {1}{2}}}$, which means that the minimum value we can get for ${\displaystyle P_{1,*}}$ and ${\displaystyle P_{*,1}}$ is ${\displaystyle {\frac {1}{\sqrt {2}}}}$. This gives us a bias of ${\displaystyle \varepsilon ={\frac {1}{2}}-{\frac {1}{\sqrt {2}}}}$.

Multiparty coin flipping generalizes the idea of Alice and Bob securely flipping a coin to ${\displaystyle k}$ parties flipping a coin. As before, if all parties are honest, a multiparty coin flip should output 0 or 1 with equal probability. Additionally, all parties should agree on the outcome, denoted ${\displaystyle b}$, of the coin toss. Cheating is generalized from one player diverging from the protocol and the other being honest to having ${\displaystyle g\geq }$ parties play honestly and the remaining ${\displaystyle k-g}$ cheating. If at least ${\displaystyle g}$ players follow the protocol, the bias is bounded

${\displaystyle \operatorname {Pr} [b=0]\in [{\frac {1}{2}}-\varepsilon ,{\frac {1}{2}}+\varepsilon ]}$

In the classical setting, nontrivial protocols (those in which ${\displaystyle \varepsilon <{\frac {1}{2}}}$) exist with unconditional security only when the majority of players are honest. In a general classical setting, a bias of ${\displaystyle {\frac {1}{2}}-\Omega (\delta ^{1.65})}$ can be achieved when ${\displaystyle {\frac {g}{k}}\geq {\frac {1}{2}}+\delta }$. ^[7]

However, quantum multiparty coin flipping has nontrivial protocols for any nonzero fraction of honest players. Dishonest players are afforded infinite computational abilities, so long as they obey quantum mechanics, as well as unlimited communication with the other dishonest players. Messages between two parties are also considered secure, so that dishonest players can read the message space only if dictated by the coin flipping protocol.

A common primitive used in classical multiparty communication is a broadcast. However, in the quantum setting, this is generally impossible. However, a variant can be used along with two-party coin tosses to construct a quantum multiparty coin flipping protocol.

The quantum broadcast channel used here^[8] is a channel that maps the space ${\displaystyle \mathbb {C} ^{2}}$ to ${\displaystyle \mathbb {C} ^{2k}}$ (a one qubit to k qubit channel). This channel's action can be seen by it's action on a general qubit state ${\displaystyle \operatorname {Broadcast} (\alpha |0\rangle +\beta |1\rangle )=\alpha |0\rangle ^{\otimes k}+\beta |1\rangle ^{\otimes k}}$. Each of the k qubits will then be distributed to each of the parties who are to receive the broadcast. This can be implemented unitarily using CNOT gates.

When all parties are honest, this channel has the following properties:

• One quantum broadcast can be simulated with ${\displaystyle 2k-1}$ uses pairwise quantum channels
• One classical broadcast can be simulated with one quantum broadcast
• One use of a pairwise quantum channel can be simulated using ${\displaystyle k+1}$ quantum broadcasts.

Additionally, if exactly one party follows the broadcast protocol honestly, replacing any of these actions with their simulated counterparts will not give the dishonest parties any advantage.

A quantum multiparty coin flipping protocol between parties labelled ${\displaystyle 1,\ldots ,k}$ can then be constructed as follows ^[8] :

1. For ${\displaystyle i=1,\ldots ,k-1}$, have parties ${\displaystyle i}$ and ${\displaystyle i+1}$ perform a two party weak coin toss. The winner will advance to the next stage of the protocol, and the loser will not.
2. If the number of parties is odd, the party with the highest label will advance to the next round automatically.
3. When only two parties remain, they use a two party strong coin tossing protocol to determine the outcome of the overall game.

Recall that a weak coin toss is possible with arbitrarily small bias, and a strong coin toss is possible with bias arbitrarily close to ${\displaystyle {\frac {1}{2}}-{\frac {1}{\sqrt {2}}}}$. So the probability of a particular honest player advancing to the final round is ${\displaystyle P_{H}={\frac {(1-2\varepsilon )^{\log k}}{k}}}$, and the probability of a particular cheating player advancing to the final round is ${\displaystyle P_{C}={\frac {(1+2\varepsilon )^{\log k}}{k}}}$.

If a game has only one honest player, analysis is simple: the total bias for the game will be

${\displaystyle P_{H}({\frac {1}{2}}-{\frac {1}{\sqrt {2}}}+\varepsilon )+(1-P_{H})={\frac {1}{2}}-\Omega ({\frac {1}{k}})}$

To generalize to the case of multiple good players, the lightest-bin protocol can be implemented from the classical multiparty coin tossing procedure. ^[7] This procedure works as follows to select a committee of ${\displaystyle c}$ parties:

1. Each of the ${\displaystyle k}$ players publicly assign themselves to a random bin, ${\displaystyle B_{0}}$ or ${\displaystyle B_{1}}$
2. If bin ${\displaystyle B_{0}}$ contains less than ${\displaystyle \operatorname {Half} (k,c)}$ parties, they advance to the next round. Otherwise the parties in ${\displaystyle B_{1}}$ advance to the next round.
3. Repeat this process until ${\displaystyle c}$ parties remain.

Here, ${\displaystyle \operatorname {Half} (k,c)}$ is a function approximately equal to ${\displaystyle k/2}$ defined as follows: represent ${\displaystyle k}$ as ${\displaystyle 2(c+1)i+j}$, where ${\displaystyle i}$ is the largest integer possible so that ${\displaystyle 2(c+1)i\leq k}$. Then ${\displaystyle \operatorname {Half} (k,c)=2(c+1)i}$.

This selection procedure has the property that if there were originally a fraction of honest parties ${\displaystyle \delta }$, with probability at least ${\displaystyle {\frac {1}{2}}}$ a committee of size order ${\displaystyle {\frac {1}{\delta }}}$ will be selected with at least one honest party.

Thus, the multiparty coin tossing protocol can be modified to first use the lightest-bin protocol to shrink the number of parties to a fraction of order ${\displaystyle {\frac {k}{g}}}$. With good probability, this will still contain one honest player. Then using the multi-party coin tossing protocol with one honest party, the expected bias is ${\displaystyle {\frac {1}{2}}-\Omega ({\frac {g}{k}})}$. Thus, the bias for the multiparty coin tossing protocol with multiple good parties is ${\displaystyle {\frac {1}{2}}-\Omega ({\frac {g}{k}})}$.

For any specific coin flipping protocol, let the probabilities ${\displaystyle \{p_{i,b}\}}$ represent the largest probability that party ${\displaystyle i}$ can be convinced of outcome ${\displaystyle b}$ by the other players, and let ${\displaystyle p_{b}}$ be the probability of outcome ${\displaystyle b}$ when all parties play honestly. Clearly ${\displaystyle \prod _{i}p_{i,b}\geq p_{b}}$, as the probabilities must be equal when all parties play honestly.

If ${\displaystyle q}$ represents the maximum probability that any party can force a particular output,

${\displaystyle q^{k}\geq \prod _{i}p_{i,b}\geq {\frac {1}{2}}\Rightarrow q\geq \left({\frac {1}{2}}\right)^{1/k}\geq 1-O\left({\frac {1}{k}}\right)}$

Grouping together the parties into ${\displaystyle k'=k/g}$ parties acting together, the optimal bias a protocol can achieve is

${\displaystyle \varepsilon =1-O\left({\frac {g}{k}}\right)}$

Therefore, the protocol presented above is asymptotically optimal. ^[8]

• Bit commitment
• Coin flipping
• Randomized communication complexity
• Oblivious transfer
• Quantum cryptography
• Quantum interactive proofs