Estimating Gaps in Martingales and Applications to Coin-Tossing: Constructions and Hardness
Consider designing a distributed coin-tossing protocol for n processors such that the probability of heads is X0 in [0,1], and an adversary can reset one processor to change the distribution of the final outcome. For X0=1/2, in the non-cryptographic setting, Blum's majority protocol is 1/√(2π n) insecure. For computationally bounded adversaries and any X0 in [0,1], the protocol of Moran,Naor,Segev (2009) is only O(1/n) insecure. In this paper, we study discrete-time martingales (X0,X1,..,Xn)
... h that Xi in [0,1], for all i in 0,..,n, and Xn in 0,1. In particular, for any X0 in [0,1], we construct martingales that yield 1/2√(X_0(1-X_0)/n) insecure coin-tossing protocols with n-bit communication; irrespective of the number of bits required to represent the output distribution. Note that for sufficiently small X0, we achieve higher security than Moran et al's protocol even against computationally unbounded adversaries. For X0=1/2, our protocol requires only 40 introduce a new inductive technique that uses geometric transformations to estimate the large gaps in these martingales. For any X0 in [0,1], we show that there exists a stopping time T such that E[|X_T-X_T-1|]≥2/√(2n-1)· X_0(1-X_0). The inductive technique also constructs martingales that demonstrate the optimality of our bound - we construct optimal martingales such that any T hasE[|X_T-X_T-1|]≤1/√(n)·√(X_0(1-X_0)). Our lower-bound holds for all X0 in [0,1]; while the previous bound of Cleve,Impagliazzo (1993) exists only for positive constant X0. Our approach only employs elementary techniques and avoids the complex probabilistic tools inherent to the approaches of Cleve,Impagliazzo (1993) and Beimel,Haitner,Makriyannis,Omri (2018).