# Computational Hardness of Collective Coin-Tossing Protocols

## 3. Optimal Coin-Tossing Protocols: A Geometric Approach

This section introduces the original combinative proficiency of Khorasgani, Maji, and Mukherjee [ 14 ] for characterizing the “ most procure ” coin-tossing protocol .

### 3.1. A Representative Motivating Application

Consider a distributed collective coin-tossing protocol for nitrogen processors, where a processor i broadcasts its message in round i. At the end of the protocol, all processors reconstruct the park output from the public transcript. When all processors are honest, the probability of the final output being 1 is X0 and the probability of the final output being 0 is 1−X0, i, the final output is a bias-X0 coin. Suppose there is an adversary who can ( adaptively ) choose to restart one of the processors after seeing her message ( i, the potent adaptive corruptions model introduced by Goldwasser, Kalai, and Park [ 33 ] ) ; otherwise her presence is innocent. Our objective is to design bias-X0 coin-tossing protocols, such that the adversary can not significantly change the distribution of the final output. In drumhead, we consider single-turn collective coin-tossing protocols where entirely one processor broadcasts every round. We consider security with miscarriage against an adversary that is solid [ 33 ] and adaptive. The adversary can perform a soft attack where it may restart a processor if it does not like its message. The Majority Protocol. Against computationally boundless adversaries, ( basically ) the alone known protocol is the well-known majority protocol [ 34, 35, 36, 37 ] for X0=1/2. The majority protocol requests one uniformly random bit from each processor and the concluding output is the majority of these newton bits. An adversary can alter the expected end product by 1/2πn ( more specifically, the fractional slant of the central binomial coefficient ), i.e., the majority protocol is 1/2πn-insecure. More broadly, one considers threshold protocols, where the collective end product is 1 if and only if the sum phone number of air bits is more than a sterilize doorway. shows the optimum attack on the majority protocol for n=3 that increases the expected output signal of the protocol. The shadow nodes in the tree represents the fond transcripts where the adversary intervenes and restarts the last processor that broadcast its message. The insecurity of this protocol is nn/2·2−n=0.1875. visualize 8, as a consequence of the holocene works [ 14, 38 ], presents a protocol that has higher security than this majority protocol . Open in a separate window Towards this objective, first, the survey summarizes the raw validation technique introduced by Khorasgani, Maji, and Mukherjee [ 14 ] that yields a two-approximation to the optimum solution of the motivate problem above ( section 3.4 summarizes this proofread technique ). section 3.6 includes empiric results summarizing speculate constructions that have higher security than the threshold protocols .

### 3.3. Prior Approaches to the General Martingale Problem

Azuma–Hoeffding inequality [ 39, 40 ] states that, if |Xi−Xi−1|=o ( 1/n ), for all i∈ { 1, …, normality }, then, basically, |Xn−X0|=o ( 1 ) with probability 1. That is, the final information Xn remains close to the a priori information X0. however, in our trouble affirmation, we have Xn∈ { 0,1 }. In particular, this constraint implies that the final examination information Xn is significantly different from the a priori information X0. thus, the initial constraint “ for all i∈ { 1, …, normality } we have |Xi−Xi−1|=o ( 1/n ) ” must be violated. What is the probability of this irreverence ? For X0=1/2, Cleve and Impagliazzo [ 10 ] proved that there exists a cycle iodine such that |Xi−Xi−1|≥132n with probability 1/5. We emphasize that the turn one is a random variable and not a constant. however, the definition of the “ big jump ” and the “ probability to encounter large jumps ” are both exponentially small functions of X0. so, the approach of Cleve and Impagliazzo is only applicable to constant X0∈ ( 0,1 ). recently, in an independent work, Beimel et alabama. [ 41 ] demonstrate an identical bind for weak martingales ( that have some extra properties ), which is used to model multi-party coin-tossing protocols. For the upper-bound, on the other hand, Doob ’ second martingale, corresponding to the majority protocol, is the only know martingale for X0=1/2 with a small maximum susceptibility. In general, to achieve arbitrary X0∈ [ 0,1 ], one considers coin-tossing protocols, where the end product is 1 if the total number of heads in normality uniformly random coins surpasses an appropriate threshold .

### 3.4. Inductive Approach

This section presents a high-level overview of the inductive scheme to characterizing optimum coin-tossing protocols. In the sequel, we shall assume that we are working with discrete-time martingales ( X0, X1, …, Xn ) such that Xn∈ { 0,1 }. Given a dolphin striker ( X0, …, Xn ), its susceptibility is represented by the following measure supstoppingtimeτE [ |Xτ−Xτ−1| ] intuitively, if a dolphin striker has high susceptibility, then it has a discontinue time, such that the col in the martingale while encountering the stop time is boastfully. Our aim is to characterize the least susceptibility that a dolphin striker ( X0, …, Xn ) can achieve. More formally, given n and X0, characterize Cn ( X0 ) : =inf ( X0, …, Xn ) supstoppingtimeτE [ |Xτ−Xτ−1| ]. The overture proceeds by induction on newton to precisely characterize the swerve Cn ( X ), and our argument naturally constructs the best dolphin striker that achieves Cn ( X0 ) .

1. Base character. note that the base case is C1 ( X ) =2X ( 1−X ) ( see for this controversy ) . Open in a separate window
2. inductive tone. Given the bend Cn−1 ( X ), one identifies a geometric transformationT ( see Figure fig : transform-def ) that defines the curl Cn ( X ) from the curl Cn−1 ( X ). furthermore, for any n≥1, there exist martingales such that its susceptibility is precisely Cn ( X0 ) .

We shall prove the follow technical result in this section .Theorem 1. Fix any X0∈ ( 0,1 ) and n∈ℕ. Let X= ( X0, X1, …, Xn ) be a martingale, such that Xn∈ { 0,1 }. There exists a stop time τ in such that

E [ |Xτ−Xτ−1| ] ≥Cn ( X ). furthermore, for all n∈ℕ and X0∈ ( 0,1 ), there exists a dolphin striker X*= ( X0, X1*, …, Xn* ) such that Xn*∈ { 0,1 } and, for all stopping times τ, we have E [ |Xτ*−Xτ−1*| ] =Cn ( X0 ). Base Case of n=1 denote to for the watch discussion. For a dolphin striker ( X0, X1 ) of depth n=1, we have X1∈ { 0,1 }. frankincense, without loss of generalization, we assume that E1 takes only two values. then, it is easy to verify that the soap mark is constantly equal to 2X0 ( 1−X0 ). This score is witnessed by the stop clock τ=1. then, we conclude that C1 ( X0 ) =2X0 ( 1−X0 ). inductive step : n=2 ( For Intuition ). Suppose that the rout X0=x in the corresponding dolphin striker corner has t children with values x1, x2, …, xt, and the probability of choosing the j-th child is pj, where j∈ { 1, …, metric ton } ( see ) . Open in a separate window Given a martingale ( X0, X1, X2 ), the adversary ’ mho objective is to find the barricade time τ that maximizes the score E|Xτ−Xτ−1|. If the adversary chooses to stop at τ=0, then the seduce E [ |Xτ−Xτ−1| ] =0, which is not a good strategy. sol, for each j, the adversary chooses whether to stop at the child xj, or defer the attack to a hold on time in the sub-tree rooted at xj. The adversary chooses the check prison term based on which of these two strategies yield a better score. If the adversary stops the dolphin striker at child j, then the contribution of this decisiveness to the score is pj·|xj−x|. On the other hand, if she does not stop at child joule, then the contribution from the sub-tree is guaranteed to be pj·MSj≥pj·C1 ( xj ). overall, from the j-th child, an adversary obtains a score that is at least pj·max|xj−x|, C1 ( xj ). Let hj : =max|xj−x|, C1 ( xj ). We represent the points Zj= ( xj, hj ) in a two dimensional plane. then, intelligibly, all these points lie on the solid curve defined by max|X−x|, C1 ( X ) —see . Open in a separate window Since ( X, E ) is a martingale, we have x=∑j=1tpjxj and the adversary ’ sulfur strategy for finding τmax gives us λ=∑j=1tpjhj. This observation implies that the organize ( x, λ ) =∑j=1tpj·Zj. so, the point in the plane giving the adversary the utmost score for a corner of depth n=2 with bias X0=x lies in the intersection of the convex hull of the points Z1, …, Zt, and the wrinkle X=x. Let us consider the dolphin striker defined in as a concrete exercise. hera t=4, and the points Z1, Z2, Z3, Z4 lie down on max|X−x|, C1 ( X ). The martingale graphic designer specifies the probabilities p ( 1 ), phosphorus ( 2 ), phosphorus ( 3 ), and p ( 4 ), such that p ( 1 ) x ( 1 ) +⋯+p ( 4 ) adam ( 4 ) =x. These probabilities are not represented in. note that the indicate p ( 1 ) adam ( 1 ) +⋯+p ( 4 ) ten ( 4 ), p ( 1 ) hydrogen ( 1 ) +⋯+p ( 4 ) henry ( 4 ) representing the score of the adversary is the point p ( 1 ) Z ( 1 ) +⋯+p ( 4 ) Z ( 4 ). This decimal point lies inside the convex hull of the points Z ( 1 ), …, Z ( 4 ) and on the line X=p ( 1 ) ten ( 1 ) +⋯+p ( 4 ) x ( 4 ) =x. The exact placement depends on p ( 1 ), …, phosphorus ( 4 ). orient Q′ is the point with minimal acme. Observe that the height of the sharpen Q′ is at least the acme of the point Q. so, in any martingale, the adversary shall find a barricade time that scores more than ( the altitude of ) the point Q. On the early pass, the martingale architect ’ s objective is to reduce the score that an adversary can achieve. indeed, the martingale interior designer chooses t=2, and the two points Z1=P1 and Z2=P2 to construct the optimum dolphin striker. We apply this method acting for each x∈ [ 0,1 ] to find the comparable point Q ; that is, the locus of the point Q, for x∈ [ 0,1 ], which yields the curvature C2 ( X=x ). observe that the height of the point Q is the harmonic-mean of the heights of the points P1 and P2. This observation follows from elementary geometric facts. Let h1 represent the altitude of the point P1, and h2 act the acme of the target P2. Observe that the distance of x−xS ( x ) =h1 ( because the agate line ℓ1 has slope π−π/4 ). similarly, the outdistance of xL ( x ) −x=h2 ( because the argumentation ℓ2 has slope π/4 ). so, using properties of similar triangles, the acme of Q turns out to be h1+h1h1+h2· ( h2−h1 ) =2h1h2h1+h2. This property inspires the definition of the geometric transformation T, examine. Applying T on the arch C1 ( X ) yields the curve C2 ( X ). All bias-X ( n=2 ) processor coin-tossing protocols are Cn ( X ) -insecure . Open in a separate window furthermore, there exists a coin-tossing protocol that achieves this insecurity bound. General Inductive footstep : n≥2 note that a alike approach works for general n=d≥2. Fix X0 and n=d≥2. We assume that the adversary can compute Cd−1 ( X1 ), for any X1∈ [ 0,1 ]. Suppose the beginning in the represent martingale tree has t children with values x1, x2, …, xt, and the probability of choosing the j-th child is pj ( see ). Let ( Xj, Ej ) represent the martingale associated with the sub-tree rooted at xj. For any j∈ { 1, …, t }, the adversary can choose to stop at the child joule. This decisiveness will contribute |xj−x| to the score with weight pj. On the other hand, if she defers the attack to the subtree rooted at xj, she will get at least a contribution of ( at least ) Cn−1 ( xj ), with weight pj. consequently, the adversary can obtain the follow contribution to her score pjmax|xj−x|, Cd−1 ( xj ) exchangeable to the case of n=2, we define the points Z1, …, Zt. For nitrogen > 2, however, there is one dispute from the n=2 case. The point Zj need not lie on the solid curvature, but it can lie on or above it, i.e., they lie in the grey area of. This phenomenon is attributable to a suboptimal dolphin striker graphic designer, producing martingales with suboptimal scores, i.e., strictly above the solid curl. For n=1, it happens to be the case that there is ( effectively ) alone one dolphin striker that the martingale designer can design ( the optimum tree ). The adversary obtains a sexual conquest that is at least the altitude of the point Q′, which is at least the stature of Q. On the other hand, the martingale interior designer can choose t=2, and Z1=P1 and Z2=P2 to define the optimum dolphin striker. Again, the locus of point Q is defined by the curl T ( Cd−1 ) . Open in a separate window decision so, by induction, we have proved that Cn ( X ) =Tn−1 ( C1 ( X ) ). additionally, note that, during evocation, in the optimum martingale, we always have |x0−x|=Cn−1 ( x0 ) and |x1−x|=Cn−1 ( x1 ). intuitively, the decision to stop at xj or continue to the subtree rooted at xj has identical consequence. so, by generalization, all stopping times in the optimum martingale have score Cn ( x ). A close-form characterization of Cn ( X ) using elementary functions seems challenging. Khorasgani et alabama. [ 14 ] proved the adopt amphetamine and lower bounds. min2n+3·X ( 1−X ) ,2X,2−2X≥Cn ( X ) ≥2n−1/2·X ( 1−X ) .

### 3.5. Related Work: Multiple Corruptions

Another line of research characterizes the minimum number of corruptions t that suffices to change the expect end product of the coin-tossing protocol by a constant. The presentation below, for chasteness, ignores polylogarithmic factors in the asymptotic notation. The authors in [ 42 ] proved that a Byzantine adversary can adaptively corrupt t=O˜n processors in any n-processor single-turn protocol, where every processor broadcasts one-bit messages, to change the expected output signal of the protocol by a constant. subsequently, [ 33, 43 ] generalized this resultant role to the case where the processors broadcast arbitrary-length messages. recently, in a discovery leave, Haitner and Karidi-Heller [ 44 ] extended this leave to multi-turn coin-tossing protocols, i.e., a central processing unit may send messages in multiple rounds. basically, these results imply that the majority protocol ( more broadly, the doorsill protocols ) are qualitatively optimum. however, the portrayal of the most impregnable coin-tossing protocols remains outdoors. A big exemplar in distribution computing considers the surveil adversarial model for coin-tossing protocols. A impregnable adversary can adaptively corrupt ( up to ) t processors and the messages of all corrupted processors are erased. Aspnes [ 22, 23 ] uses an inductive approach to characterize the robustness of such coin-tossing protocols. This approach besides uses a geometric approach to perform trigger on triiodothyronine, the act of corruptions that the adversary makes, to account for ( a ) the utmost addition in the expect output of the coin-tossing protocol and ( b-complex vitamin ) the maximum decrease in the have a bun in the oven output of the coin-tossing protocols. [ 22, 23 ] proves that t=O ( n ) suffices to change the expected output of an n-processor coin-tossing protocol by a constant. however, this inductive approach is non-constructive because the recursion does not characterize the evolution of the martingale corresponding to the most fasten coin-tossing protocol .

### 3.6. Experimental Results

The presentation above considers the case where the discontinue clock time representing an adversarial strategy is τ : Ω→ { 1,2, …, normality } ( where Ω represents the place of all complete transcripts ), and the score of a stop meter is E [ |Xτ−Xτ−1| ]. Khorasgani, Maji, Mehta, Mukherjee, and Wang [ 14, 38 ] discipline a associate recursion. In this recursion, the break time is τ : Ω→ { 1,2, …, newton, ∞ }. however, the stop times are restricted as follows. Given a partial transcript uranium, if the adversary has the follow choices : ( 1 ) Do not abort for any child of u ; ( 2 ) abort at all children v, such that X ( five ) ( i.e., the expected output conditioned on vanadium ) is at least a particular doorway ; ( 3 ) abort at all children v such that X ( five ) is at most a particular brink. The optimum score for such restricted stopping times is represented by An ( ten ). The authors in [ 38 ] construct an algorithm with running time poly ( n,1/δ ) for computing An : =Tn−1 ( A1 ), where A1 ( X ) =X ( 1−X ) with ( at most ) nδ erroneousness. We highlight that the geometric transformation T ( · ) is identical to the one presented in section 3.4. however, the base cases are unlike ; A1 ( X ) =X ( 1−X ), but C1 ( X ) =2X ( 1−X ). immediately, consider the optimum protocol corresponding to this recursion. For exercise, shows the martingale corresponding to X0=1/2 and n=3. The optimum attack that increases the expected output is represented by the shade nodes. Restarting the survive processor broadcasting the message resulting in a shadow partial transcript increases the output by 0.1362, which is importantly less than 0.1865, the insecurity of the majority protocol from . Open in a separate window experimentally, we implement our protocol and show that the insecurity of our protocol is perceptibly smaller than the insecurity of doorway protocols. As a representative model, plots the insecurity of our newly protocol, for n=101 processors and X∈ [ 0,1/2 ] with accuracy parameter δ=10−6. This demonstrates the insecurity of bias-X coin-tossing protocols, where X∈ ( 1/2,1 ], is identical to the insecurity of bias- ( 1−X ) coin-tossing protocols. so, it suffices to consider bias-X protocols, where X∈ [ 0,1/2 ] . Open in a separate window besides plots the insecurity of all bias-X coin-tossing protocols that can be implemented using a threshold protocol. note that the insecurity of our protocol is less than the insecurity of doorway protocol. This decrease in insecurity is outstanding, particularly when X∈ ( 0,1/2 ) is simultaneously far from 0 and 1/2.

ultimately, our experiments uncover an stimulate phenomenon. As indicates, our experimental results show that the insecurity of our protocols for X=1/2 tends towards the insecurity of the majority protocol, as north tends to eternity. This experiment lends corroborate to the speculation that the majority protocol is the optimum dependable coin-tossing protocol as n→∞. however, for every finite n and X∈ ( 0,1/2 ), there are more secure protocols than the threshold protocols . Open in a separate window

informant : https://coinselected.com
Category : Coin collecting