Unconditionally secure relativistic multi-party biased coin flipping and die rolling.

We introduce relativistic multi-party biased die-rolling protocols, generalizing coin flipping to M ≥ 2 parties and to N ≥ 2 outcomes for any chosen outcome biases and show them unconditionally secure. Our results prove that the most general random secure multi-party computation, where all parties receive the output and there is no secret input by any party, can be implemented with unconditional security. Our protocols extend Kent's (Kent A. 1999 Phys. Rev. Lett. 83, 5382) two-party unbiased coin-flipping protocol, do not require any quantum communication, are practical to implement with current technology and to our knowledge are the first multi-party relativistic cryptographic protocols.

Introduction

M mistrustful parties at different locations roll a N-faced die via some agreed protocol in such a way that if the kth party follows honestly and the other parties deviate arbitrarily from then the outcome o is obtained with a probability satisfying , for all , for all , for agreed integers and for an agreed probability distribution . This task is called M-party-biased N-faced die rolling, or simply die rolling, and is the most general type of random secure multi-party computation where all parties receive the output of the computation and there is no secret input by any party [1]. Unbiased die rolling corresponds to the case , for all . A die-rolling protocol is secure if or if δ tends to zero by increasing some security parameter. In the former case, is called ideal, while in the latter case is called arbitrarily secure.

Blum [2] invented coin flipping (also called coin tossing) in 1981, which corresponds to die rolling with and , and which is more precisely called two-party unbiased coin flipping, and showed that it can be implemented securely with classical (non-relativistic) protocols based on computational assumptions, like the absence of efficient protocols to factor large integers.

There exists a weak version of coin flipping and die rolling, where each party must only be guaranteed that specific outcomes o are obtained with probabilities close to P. In weak die rolling (also called leader election [3]), there are mistrustful parties at different locations rolling a N-faced die. For all , the kth party wins if the outcome is . Thus, the kth party must be guaranteed that if he follows the agreed protocol honestly then , for or δ tending to zero by increasing some security parameter. Weak coin flipping corresponds to the case . We note that a protocol implementing secure unbiased die rolling for also implements weak die rolling. But, the converse is not in general true.

To emphasize the difference between die rolling (coin flipping) and weak die rolling (weak coin flipping), the former task is sometimes called strong die rolling (strong coin flipping). In this paper, we focus on strong die rolling and strong coin flipping, but we use the simpler terms ‘die rolling’ and ‘coin flipping’ to refer to these tasks.

Coin flipping and die rolling are important cryptographic tasks with many applications. Die rolling can be used by M mistrustful parties in randomized consensus protocols, for example, to gamble, to choose a leader at random or to fairly allocate resources in a network [4]. It can also be used by M parties to authenticate to each other remotely and securely [5].

Die rolling and other cryptographic tasks are investigated in different cryptographic models, i.e. with different rules for the agreed protocols and with different constraints on the dishonest parties, giving rise to different security levels. The highest security level is unconditional security, in which the dishonest parties are only constrained by the laws of physics. In particular, protocols in relativistic quantum cryptography that are provably unconditionally secure guarantee that dishonest parties who are only limited by quantum physics and the principle of no-superluminal signalling cannot break the protocols’ security in close to Minkowski space–time (like near the Earth surface) [6,7].

No-superluminal signalling is a fundamental physical principle of relativity theory stating that information cannot travel faster than the speed of light through vacuum in close to Minkowski space–time. This principle is satisfied by quantum physics. In particular, two or more parties sharing an arbitrary quantum entangled state cannot communicate information faster than the speed of light by applying arbitrary quantum measurements on the quantum state.

In principle, if the dishonest parties were able to sufficiently modify the space–time geometry, then they could communicate information faster than the speed at which light travels in close to Minkowski space–time, making the protocols in relativistic quantum cryptography insecure. However, we believe this is humanly impractical for the foreseeable future [6]. Thus, we consider that security based on quantum physics and the principle of no-superluminal signalling in approximately Minkowski space–time is the highest level of security humanly achievable in the foreseeable future and we can then sensibly call it ‘unconditional security’.

We note that relativistic quantum cryptography can in principle also be applied in space–time geometries that are not approximately Minkowski and unconditional security can be guaranteed, if the parties know the space–time geometry where the protocols take place with good approximation, and if there is a known upper bound on the speed of light among the protocols’ locations. This requires in particular that there are no wormholes or other means allowing signalling between spacelike separated regions [6]. However, as mentioned earlier, we think it is sensible to assume that relativistic quantum cryptography will only be implemented by humans near the Earth surface in the foreseeable future. Thus, we think it is reasonable, and it will simplify our presentation, to assume in this paper that space–time is approximately Minkowski.

Bit commitment [8-10], oblivious transfer [11] and a class of secure two-party computations [11,12] cannot achieve unconditional security with quantum non-relativistic protocols but can be implemented securely with quantum non-relativistic protocols if the dishonest parties have bounds on the performance of their quantum memories [13-16]. Bit commitment can achieve unconditional security with classical relativistic [6,17-20] or quantum relativistic [21-26] protocols. On the other hand, oblivious transfer and a class of two-party secure computations cannot achieve unconditional security even with quantum relativistic protocols [1,27]. However, a class of oblivious transfer protocols with constraints on the space–time regions where the parties must obtain the outputs are provably unconditionally secure with quantum relativistic protocols [28-31].

Classical non-relativistic multi-party unbiased coin-flipping protocols cannot achieve unconditional security [32,33]. Furthermore, they cannot unconditionally guarantee if a weak majority of the players is dishonest [32]. Thus, two-party unbiased coin-flipping protocols cannot unconditionally guarantee , as in this case, security proofs require to assume that one party is dishonest.

Quantum non-relativistic multi-party unbiased die-rolling protocols cannot achieve unconditional security either [34-36]. Furthermore, they can only unconditionally guarantee [36]. This bound was first shown by Kitaev [34] for and then was generalized to and by Ambainis et al. [35] and to by Aharon & Silman [36]. The non-existence of unconditionally secure ideal quantum non-relativistic protocols was shown by Lo & Chau [10].

Moreover, quantum non-relativistic multi-party unbiased die-rolling protocols have been shown to unconditionally guarantee , for any even positive integer M and any , with any positive integer n and any [36]. This was first shown for two-party unbiased coin-flipping () by Chailloux & Kerenidis [37]. There exist various quantum non-relativistic protocols for two-party unbiased coin flipping that unconditionally guarantee [37-43]. Furthermore, the optimal achievable δ that can be unconditionally guaranteed by quantum non-relativistic multi-party unbiased coin-flipping protocols with honest parties is , i.e. satisfying , for constants and with [35].

We note that, in contrast to (strong) coin flipping and (strong) die rolling, weak coin flipping [44,45] and weak die rolling [36] can achieve unconditional security, and arbitrarily small δ, with quantum non-relativistic protocols.

Kent [5] showed that unconditionally secure two-party unbiased coin flipping with arbitrarily small δ can be achieved with relativistic protocols. Colbeck & Kent [1] introduced variable bias coin tossing, in which one of the parties secretly chooses the bias of the coin within a stipulated range, and gave unconditionally secure quantum relativistic protocols.

Here we extend Kent’s [5] two-party unbiased coin-flipping protocol and prove that for any integers and any probability distribution there exists a relativistic die-rolling protocol that is unconditionally secure, with arbitrarily small δ. Furthermore, we show that if the probabilities in the distribution are rational numbers and the parties have access to perfect devices and particularly to perfectly unbiased random number generators then our protocols are ideal with unconditional security. Our results prove the claim made in Ref. [1]—without proof—that all random secure two-party computations can be implemented with unconditional security. Furthermore, our results prove that this holds for an arbitrary number of parties. Our protocols do not require any quantum communication and are practical to implement with current technology. To the best of our knowledge, our protocols are the first multi-party relativistic cryptographic protocols.

Security definition

Die rolling is a task in mistrustful cryptography. In mistrustful cryptography, the parties are assumed to agree on a protocol to implement a task in collaboration, but they are not assumed to follow the agreed protocol honestly. It is in this sense that we call the parties mistrustful. This is in contrast to quantum key distribution [46], for instance, where Alice and Bob collaborate with mutual trust to establish a shared key, while guaranteeing that the key remains secret to any third party.

As discussed in the introduction, in a die-rolling protocol , parties agree on the number of possible outcomes and on the ideal probability distribution for the outcomes. The protocol must satisfy the following two properties:

Correctness. The protocol is correct if all parties agree on the outcome o when all parties follow honestly and no party aborts.

Security. The protocol is secure if for all , when the kth party follows honestly and no party aborts, then the outcome o is obtained with a probability satisfying for all , where , or where δ tends to zero by increasing some security parameter; in the former case is called ideal, while in the latter case is called arbitrarily secure.

An alternative figure of merit in the security definition could be the variational distance between the probability distribution of the protocol and the ideal probability distribution , given by An important property of is that the maximum probability to distinguish and is given by However, we note that according to our security definition, if is secure then it holds that with or with δ decreasing with some security parameter, where we used (2.1) and (2.2).

Space–time setting

M mistrustful parties define a reference frame F in near-Minkowski space–time, for example, near the Earth surface. The parties agree in the following setting defined in F. We use units in which the speed of light through vacuum is unity.

Let B be non-intersecting three-dimensional balls in space with radii r, for all . Let be the shortest distance between any point of B and any point of B, for all and all . The balls are defined such that , for all and all . Let be time coordinates satisfying for all and all .

For all , at least for the whole duration of the protocol, the kth party sets a secure laboratory L completely contained within B. The kth party does not need to trust the locations of the other parties’ laboratories; but he must guarantee that his laboratory L is within B during the protocol, for all .

Unconditionally secure relativistic multi-party biased die rolling

Before implementing our protocol below, the parties agree on a positive integer , on N non-intersecting subsets of , for all , on a small , and on small numbers , for all . For all , the kth party chooses such that his random number generator can prepare a message with probability distribution satisfying for all , where the value of can correspond to the experimental uncertainty of R. The parties choose n and such that for all . The parties must also guarantee that and are sufficiently small to satisfy for all and all . From (4.2), the parties can choose only if P is a rational number, for all . If not all probabilities P are rational numbers then the parties must choose arbitrarily small and n arbitrarily large so that (4.2) holds.

Our protocol comprises three stages. Stage I is a preparation stage that can take place arbitrarily in the past of stages II and III. Stage II comprises the transmission of various classical messages at spacelike separation. Finally, in stage III, the parties verify that the protocol was implemented correctly and agree on the outcome o, after comparing the various messages received in stage II.

Our die-rolling protocol is the following (see figure 1).

Figure 1

Schematic representation of the relativistic die-rolling protocol described in the main text in dimensions in the reference frame F. The case of three parties () is illustrated. (a) The random number generator and classical communication channels of the first, second and third party are given in colour blue, red and green, respectively. For all and all , the random number generator R outputting the message is represented by the small box in the laboratory , the fast classical channel by a short solid arrow, and the slow classical channel by a long dotted arrow; the channels are not illustrated. The diagram is not at scale, as the balls’ radii satisfy , for all and all . (b) The balls B at the time and their light-like separated space–time regions with time coordinates are illustrated, for all . (Online version in colour.)

Stage I: predistribution

For all , prepares a message securely using a random number generator R sufficiently before the time , with probability distribution satisfying (4.1), for all , and for some satisfying (4.2) and (4.3).

For all and all , sends a copy of to L through a secure and authenticated classical channel , so that L receives it before the time ; the channel does not need to be very fast because can be sent arbitrarily before .

Stage II: relativistic communication

For all and all , L sends to through a fast classical communication channel within the time-interval ; does not abort only if it receives not after .

Stage III: verification

For all , all and all , and use a secure and authenticated classical channel to verify that they received the same message from and , respectively; otherwise, they abort.

If do not abort, then they agree that the die rolling outcome is for , where

We note that in the second step, the communication channel can be implemented via secure physical transportation of the message from to L, or using one-time pads if and L had been previously distributed secure keys, for all and all . Because this step can be made arbitrarily in advance of the following steps, there is great flexibility in the method employed and the speed at which this is accomplished.

Similarly, the communication channels between and in the fourth step can in principle also be implemented via secure and authenticated physical transportation of messages, for all and all . However, this method might not be very practical and could add undesired delays in the verification stage. For this reason, it could be preferable to implement these channels with previously distributed keys.

In principle, there could be situations where the message sent by the laboratory does not reach the laboratory L at the required time, due to failure of the channel or due to interception of the message by a dishonest party, for some and some . However, these situations do not arise if the channels are secure and authenticated, for all and all , as we have assumed in the second step of the protocol. Nevertheless, a way to avoid these problems comprises the laboratory L to confirm to the reception of the message using a secure and authenticated channel , and the laboratory to abort if it does not receive such a confirmation, for all and all . The same observations apply to the communication channels in the fourth step, for all and all .

It is straightforward to see that the protocol is correct. If all parties follow the protocol honestly, then no party aborts and all parties agree that the outcome o is given by (4.4) and (4.5).

For , below we assume that the kth party follows the protocol honestly and the other parties perform any collective quantum cheating strategy , with no party aborting. We show that in this case the probability that the die rolling outcome is o satisfies where From (4.3) and (4.7), since and , we have .

Thus, if , the protocol is ideal with unconditional security. From (4.7), this holds if for all . From (4.2), can only hold if the probability distribution only has rational numbers. From (4.1), can only hold if R outputs perfectly uniform random numbers from the set , for all .

Alternatively, if with δ decreasing exponentially by increasing some parameter then the protocol is arbitrarily secure with unconditional security. From (4.7), this holds if and decrease exponentially by increasing some security parameter, for all . From (4.2), can be chosen arbitrarily small by choosing n arbitrarily large. Furthermore, from the Piling up Lemma [47], if R produces bits with biases from the range then can be obtained from these bits with decreasing exponentially with , for all .

The unbiased case

It is straightforward to see that the unbiased case, i.e for all , can be implemented by setting , and , for all , in which case the die rolling outcome is .

Security proof

For all , we assume that the kth party follows the protocol honestly and the other parties implement an arbitrary collective quantum cheating strategy , with no party aborting, and show (4.6).

We have the following properties in the frame F, for all and all .

The kth party generates securely in one of his laboratories and communicates it to his other laboratories using secure and authenticated classical channels.

The kth party sends to the ith party at a space–time region with spatial coordinates in B and time coordinates from the interval .

The kth party does not abort in step 3 only if he receives a message within a space–time region with spatial coordinates in B and time coordinates not greater than .

From (3.1), the shortest distance between any point in B and any point in B satisfies . Thus, the space–time regions and are spacelike separated (see figure 1).

The principle of no-superluminal signalling states that information cannot travel faster than the speed of light through vacuum in close to Minkowski space–time. Thus, from the previous points, the probability to obtain the set of messages given the message , is given by for all and all . That is, the probability distribution for is independent of . We note that this holds for an arbitrary quantum cheating strategy by the dishonest parties. In particular, in a general quantum cheating strategy, the laboratories of all the parties (honest and dishonest) may share an arbitrary entangled quantum state , and each laboratory may apply an arbitrary quantum measurement on its share of in order to obtain its input or trying to communicate received information to laboratories at other locations. However, the principle of no-superluminal signalling, and consequently (4.8), hold in this general situation.

It follows from (4.8) that the probability distribution for the string of messages m satisfies for all and all , were in the second equality we used (4.8). We define for all and all .

From (4.4), (4.5), (4.9) and (4.10), the probability that the die rolling outcome is o satisfies for all . In (4.11), we sum over all strings satisfying that the sum of their entries equals ; we also sum over all possible values for , and over all . From (4.11), we have for all , where in the first line we used (4.1); in the second line we used (4.10); in the third line we used that in the fourth line we used (4.2); and in the last line we used (4.7). Similarly, it follows straightforwardly that for all . Thus, (4.6) follows from (4.11) and (4.14).

Composability

An important security property in cryptography is that of composable security. Broadly speaking, for a cryptographic protocol to have composable security, not only must it be secure when implemented on its own, but it must also be composed as a secure subroutine for more general cryptographic tasks.

According to Ref. [48], coin flipping (and bit commitment) cannot achieve composable security even with the most general type of protocols in relativistic quantum cryptography. The argument of Ref. [48] is that a condition for a coin-flipping protocol to have composable security is that the outcome o of the protocol must be independent of the outcome of another arbitrary coin-flipping protocol that may take place in parallel, and that this condition cannot be guaranteed because a dishonest party may apply a man-in-the-middle attack and correlate the outcomes o and of both protocols. We discuss below how this argument applies to our die-rolling protocols.

Consider the case of two parties (). Alice and Bob implement a die-rolling protocol giving outcome o. Bob and Charlie implement another die-rolling protocol in parallel, with the same parameters of , giving outcome . Let Alice and Charlie be honest and let Bob be dishonest. Bob implements the following man-in-the-middle attack with the effect that [48,49].

The protocols and are implemented in the space balls and in parallel with arbitrarily small time delays. Bob plays the role of the second party in and the role of the first party in , whereas Alice plays the role of the first party in , and Charlie plays the role of the second party in . In , Alice sends the message to Bob in the protocol ; Bob then sends the message to Charlie in the protocol . In , Charlie sends the message to Bob in the protocol ; Bob then sends the message to Alice in the protocol . Thus, from (4.5), we obtain that the value of x in and its corresponding value in , given by satisfy . Thus, from (4.4), we have .

However, the previous man-in-the-middle attack does not apply if Alice and Charlie both play the roles of the first (second) party and they are guaranteed to be honest. Alternatively, we may consider Alice and Charlie to be the same party, playing the role of the first (second) party in both and and performing the protocols honestly. In this case, if Alice and Charlie play the roles of say the first party then their messages and given to Bob in are independent. Thus, because Bob must give messages and to Alice and Charlie in at spacelike separation from Alice and Charlie giving Bob the messages and in , it follows that the messages and are independent of and . Thus, from (4.5) and (4.15), x and are independent. It follows from (4.4) that the die rolling outcomes o and are also independent.

The previous arguments can be extended straightforwardly to the case of parties. In this case, if we assume that the kth party is honest in the protocol and the th party is honest in the protocol , with , and all other parties are dishonest and collaborate as a single party in both protocols and , then a simple extension of the previous man-in-the-middle attack implies that the die rolling outcomes of and satisfy .

However, if the kth party is honest in both protocols and then the previous attack does not apply, and the kth party can be guaranteed that the outcomes o and are independent. This is because in this case, in the protocol (), the kth party gives the ith party a message () in the space ball B at spacelike separation from the kth party receiving a message () from the ith party in the space ball B, for all . Thus, the messages and are independent of and , for all . Furthermore, since the kth party is honest in and , the messages and are independent. It follows from (4.5) that the respective values of x and in and are independent, which implies from (4.4) that the respective outcomes o and of and are also independent.

It follows from Ref. [48] and from the previous discussion that our die-rolling protocols cannot be composed securely in arbitrary ways. However, an honest party can participate in various die-rolling protocols in parallel and be guaranteed not only that each protocol is secure on its own but also that the outcomes of the protocols are independent, by choosing carefully the space–time regions where she communicates her messages to, and where she accepts messages from, the other parties in all the protocols where she is participating. We have discussed this possibility above for die-rolling protocols taking place in space–time regions that are arbitrarily close when the honest party plays the role of the kth party in all protocols, for some . Another straightforward way to guarantee to an honest party that the outcomes of different die-rolling protocols and are independent is that every space–time region where she receives or communicates a message in is spacelike separated from every space–time region where she receives or communicates a message in . Given these observations, we believe that whether our die-rolling protocols can be composed securely to implement other cryptographic tasks, perhaps under some assumptions and/or in relativistic settings, deserves further investigation.

Discussion

Apart from achieving unconditional security with arbitrarily small δ, our protocols have the following advantages over existing quantum non-relativistic coin-flipping and die-rolling protocols.

First, our protocols do not require any quantum communication. Thus, they are free from various experimental challenges of quantum non-relativistic coin-flipping and die-rolling protocols, like noise and losses [50-59], and side-channel and multi-photon attacks [60].

Second, the distance among the parties can be made very large in practice in our protocols, with laboratories spread on the Earth surface or in satellites orbiting the Earth, for instance. For example, Ref. [23] experimentally demonstrated a relativistic protocol with laboratories separated by 9354 km. This cannot be easily achieved with protocols involving quantum communication. For example, Refs. [58,59] experimentally demonstrated two-party quantum non-relativistic coin-flipping protocols achieving a security advantage over classical non-relativistic protocols at distance separations of only a few metres and 15 km, respectively.

As already mentioned, weak coin flipping and weak die rolling can achieve unconditional security and arbitrarily small δ with quantum non-relativistic protocols [36,44,45]. Our protocols trivially implement these tasks with unconditional security too and have the advantages mentioned above.

Nevertheless, implementing our protocols has some important challenges. First, some communication steps must be very fast to achieve spacelike separation. However, this is feasible with field programmable gate arrays if the protocol sites are sufficiently far apart, as demonstrated by Refs. [18,20,23,24,61]. In particular, Ref. [61] experimentally demonstrated a relativistic cryptographic protocol with locations separated by only 60 m.

Second, the laboratories must be synchronized securely to a common reference frame with sufficient time precision. This can be achieved with GPS devices and atomic clocks [18,20,23,24,61], for instance.

We note that a dishonest party can in principle implement attacks in the reference frame synchronization of the other parties, for example, by spoofing their GPS signals. If these attacks are implemented successfully without being caught, the parties under attack may believe that the communications in the relativistic stage were implemented at spacelike separation, while in fact they were not, in this way compromising the protocol’s security. To our knowledge, previous experimental demonstrations of relativistic cryptography have been vulnerable to these attacks [18,20,23,24,61]. A countermeasure against these attacks is for each party to synchronize her clocks in a secure laboratory and then distribute them securely to her other laboratories, guaranteeing that the clocks remain sufficiently synchronized during the relativistic stage of the protocol [20].

Our protocols are intrinsically classical but can be made quantum by using quantum random number generators. Ideally, the parties use quantum random number generators to guarantee that their inputs are truly random. Additionally, quantum key distribution links [46,62,63] can be used to expand the secure keys shared among the various laboratories used to implement the long distance communication channels. This can be suitably implemented in quantum networks [64-67] or a quantum internet [68,69].