Unconditionally secure relativistic multi-party biased coin flipping and die rolling

We introduce relativistic multi-party biased die-rolling protocols, generalizing coin flipping to M≥2 parties and to N≥2 outcomes for any chosen outcome biases and show them unconditionally secure. Our results prove that the most general random secure multi-party computation, where all parties receive the output and there is no secret input by any party, can be implemented with unconditional security. Our protocols extend Kent’s (Kent A. 1999 Phys. Rev. Lett. 83, 5382) two-party unbiased coin-flipping protocol, do not require any quantum communication, are practical to implement with current technology and to our knowledge are the first multi-party relativistic cryptographic protocols.


Introduction
. This task is called M-party-biased N-faced die rolling, or simply die rolling, and is the most general type of random secure multi-party computation where all parties receive the output of the computation and there is no secret input by any party [1]. Unbiased die rolling corresponds to the case is secure if δ = 0 or if δ tends to zero by increasing some security parameter. In the former case, R is called ideal, while in the latter case it is called arbitrarily secure.
Blum [2] invented coin flipping (also called coin tossing) in 1981, which corresponds to die rolling with M = N = 2 and $P_0 = P_1 = \frac{1}{2}$, and which is more precisely called two-party unbiased coin flipping, and showed that it can be implemented securely with classical (non-relativistic) protocols based on computational assumptions, like the absence of efficient protocols to factor large integers.
There exists a weak version of coin flipping and die rolling, where each party must only be guaranteed that specific outcomes o are obtained with probabilities close to $P_o$. In weak die rolling (also called leader election [3]), there are M = N mistrustful parties at different locations rolling an N-faced die. For all k ∈ [M], the kth party wins if the outcome is o = k − 1. Thus, the kth party must be guaranteed that if he follows the agreed protocol honestly then $|P(o = k-1) - P_{k-1}| \le \delta$, for δ = 0 or δ tending to zero by increasing some security parameter. Weak coin flipping corresponds to the case M = N = 2. We note that a protocol implementing secure unbiased die rolling for M = N also implements weak die rolling. But the converse is not in general true.
To emphasize the difference between die rolling (coin flipping) and weak die rolling (weak coin flipping), the former task is sometimes called strong die rolling (strong coin flipping). In this paper, we focus on strong die rolling and strong coin flipping, but we use the simpler terms 'die rolling' and 'coin flipping' to refer to these tasks.
Coin flipping and die rolling are important cryptographic tasks with many applications. Die rolling can be used by M mistrustful parties in randomized consensus protocols, for example, to gamble, to choose a leader at random or to fairly allocate resources in a network [4]. It can also be used by M parties to authenticate to each other remotely and securely [5].
Die rolling and other cryptographic tasks are investigated in different cryptographic models, i.e. with different rules for the agreed protocols and with different constraints on the dishonest parties, giving rise to different security levels. The highest security level is unconditional security, in which the dishonest parties are only constrained by the laws of physics. In particular, protocols in relativistic quantum cryptography that are provably unconditionally secure guarantee that dishonest parties who are only limited by quantum physics and the principle of no-superluminal signalling cannot break the protocols' security in close to Minkowski space-time (like near the Earth surface) [6,7].
No-superluminal signalling is a fundamental physical principle of relativity theory stating that information cannot travel faster than the speed of light through vacuum in close to Minkowski space-time. This principle is satisfied by quantum physics. In particular, two or more parties sharing an arbitrary quantum entangled state cannot communicate information faster than the speed of light by applying arbitrary quantum measurements on the quantum state.
In principle, if the dishonest parties were able to sufficiently modify the space-time geometry, then they could communicate information faster than the speed at which light travels in close to Minkowski space-time, making the protocols in relativistic quantum cryptography insecure. However, we believe this is humanly impractical for the foreseeable future [6]. Thus, we consider that security based on quantum physics and the principle of no-superluminal signalling in approximately Minkowski space-time is the highest level of security humanly achievable in the foreseeable future and we can then sensibly call it 'unconditional security'.
We note that relativistic quantum cryptography can in principle also be applied in space-time geometries that are not approximately Minkowski and unconditional security can be guaranteed, if the parties know the space-time geometry where the protocols take place with good approximation, and if there is a known upper bound on the speed of light among the protocols' locations. This requires in particular that there are no wormholes or other means allowing signalling between spacelike separated regions [6]. However, as mentioned earlier, we think it is sensible to assume that relativistic quantum cryptography will only be implemented by humans near the Earth surface in the foreseeable future. Thus, we think it is reasonable, and it will simplify our presentation, to assume in this paper that space-time is approximately
Bit commitment [8][9][10], oblivious transfer [11] and a class of secure two-party computations [11,12] cannot achieve unconditional security with quantum non-relativistic protocols but can be implemented securely with quantum non-relativistic protocols if the dishonest parties have bounds on the performance of their quantum memories [13][14][15][16]. Bit commitment can achieve unconditional security with classical relativistic [6,17–20] or quantum relativistic [21][22][23][24][25][26] protocols. On the other hand, oblivious transfer and a class of two-party secure computations cannot achieve unconditional security even with quantum relativistic protocols [1,27]. However, a class of oblivious transfer protocols with constraints on the space-time regions where the parties must obtain the outputs are provably unconditionally secure with quantum relativistic protocols [28][29][30][31].
Classical non-relativistic multi-party unbiased coin-flipping protocols cannot achieve unconditional security [32,33]. Furthermore, they cannot unconditionally guarantee $\delta < \frac{1}{2}$ if a weak majority of the players is dishonest [32]. Thus, two-party unbiased coin-flipping protocols cannot unconditionally guarantee $\delta < \frac{1}{2}$, as in this case, security proofs require assuming that one party is dishonest.
We note that, in contrast to (strong) coin flipping and (strong) die rolling, weak coin flipping [44,45] and weak die rolling [36] can achieve unconditional security, and arbitrarily small δ, with quantum non-relativistic protocols.
Kent [5] showed that unconditionally secure two-party unbiased coin flipping with arbitrarily small δ can be achieved with relativistic protocols. Colbeck & Kent [1] introduced variable bias coin tossing, in which one of the parties secretly chooses the bias of the coin within a stipulated range, and gave unconditionally secure quantum relativistic protocols.
Here we extend Kent's [5] two-party unbiased coin-flipping protocol and prove that for any integers M, N ≥ 2 and any probability distribution P, there exists a relativistic die-rolling protocol that is unconditionally secure, with arbitrarily small δ. Furthermore, we show that if the probabilities in the distribution P are rational numbers and the parties have access to perfect devices and particularly to perfectly unbiased random number generators then our protocols are ideal with unconditional security. Our results prove the claim made in Ref. [1], without proof, that all random secure two-party computations can be implemented with unconditional security. Furthermore, our results prove that this holds for an arbitrary number of parties. Our protocols do not require any quantum communication and are practical to implement with current technology. To the best of our knowledge, our protocols are the first multi-party relativistic cryptographic protocols.

Security definition
Die rolling is a task in mistrustful cryptography. In mistrustful cryptography, the parties are assumed to agree on a protocol to implement a task in collaboration, but they are not assumed to follow the agreed protocol honestly. It is in this sense that we call the parties mistrustful. This is in contrast to quantum key distribution [46], for instance, where Alice and Bob collaborate with mutual trust to establish a shared key, while guaranteeing that the key remains secret to any third party.
As discussed in the introduction, in a die-rolling protocol R, M ≥ 2 parties agree on the number N ≥ 2 of possible outcomes $o \in \mathbb{Z}_N$ and on the ideal probability distribution $P = \{P_o\}_{o=0}^{N-1}$ for the outcomes. The protocol R must satisfy the following two properties:
Correctness. The protocol R is correct if all parties agree on the outcome o when all parties follow R honestly and no party aborts.
Security. The protocol R is secure if for all k ∈ [M], when the kth party follows R honestly and no party aborts, then the outcome o is obtained with a probability P(o) satisfying for all $o \in \mathbb{Z}_N$, where δ = 0, or where δ tends to zero by increasing some security parameter; in the former case R is called ideal, while in the latter case it is called arbitrarily secure. An alternative figure of merit in the security definition could be the variational distance between the probability distribution $P_R = \{P(o)\}_{o=0}^{N-1}$ of the protocol R and the ideal probability distribution P, given by An important property of $P_R - P$ is that the maximum probability to distinguish $P_R$ and P is given by However, we note that according to our security definition, if R is secure then it holds that with δ = 0 or with δ decreasing with some security parameter, where we used (2.1) and (2.2).

Space-time setting
M mistrustful parties define a reference frame F in near-Minkowski space-time, for example, near the Earth surface. The parties agree in the following setting defined in F. We use units in which the speed of light through vacuum is unity. random number generator R k can prepare a message m k ∈ Z n with probability distribution P k (m k ) satisfying for all m k ∈ Z n , where the value of k can correspond to the experimental uncertainty of R k . The parties choose n and Ω o such that for all o ∈ Z N . The parties must also guarantee that α and k are sufficiently small to satisfy Our protocol comprises three stages. Stage I is a preparation stage that can take place arbitrarily in the past of stages II and III. Stage II comprises the transmission of various classical messages at spacelike separation. Finally, in stage III, the parties verify that the protocol was implemented correctly and agree on the outcome o, after comparing the various messages received in stage II.
Our die-rolling protocol R is the following (see figure 1).

Stage I: predistribution
1. For all k ∈ [M], L kk prepares a message m k ∈ Z n securely using a random number generator R k sufficiently before the time t = − max{d ki } i∈[M]\{k} , with probability distribution P k (m k ) satisfying (4.1), for all m k ∈ Z n , and for some k ≥ 0 satisfying (4.2) and (4. , L kk and L ii use a secure and authenticated classical channel C kk↔ii to verify that they received the same message m j ∈ Z n from L jk and L ji , respectively; otherwise, they abort. 5. If L 11 , . . . , L MM do not abort, then they agree that the die rolling outcome is   It is straightforward to see that the protocol is correct. If all parties follow the protocol honestly, then no party aborts and all parties agree that the outcome o is given by (4.4) and (4.5).
For k ∈ [M], below we assume that the kth party follows the protocol honestly and the other parties perform any collective quantum cheating strategy S, with no party aborting. We show that in this case the probability P(o) that the die rolling outcome is o satisfies Alternatively, if δ > 0 with δ decreasing exponentially by increasing some parameter then the protocol is arbitrarily secure with unconditional security. From (4.7), this holds if α > 0 and k > 0 decrease exponentially by increasing some security parameter, for all k ∈ [M]. From (4.2), α can be chosen arbitrarily small by choosing n arbitrarily large. Furthermore, from the Piling up Lemma [47], if $R_k$ produces $n_{\text{bits}}$ bits with biases from the range $(0, \frac{1}{2})$ then $m_k \in \mathbb{Z}_n$ can be obtained from these bits with k decreasing exponentially with $n_{\text{bits}}$, for all k ∈ [M]. . That is, the probability distribution form k is independent of $m_k$. We note that this holds for an arbitrary quantum cheating strategy by the dishonest parties. In particular, in a general quantum cheating strategy, the laboratories of all the parties (honest and dishonest) may share an arbitrary entangled quantum state |ψ⟩, and each laboratory may apply an arbitrary quantum measurement on its share of |ψ⟩ in order to obtain its input or to try to communicate received information to laboratories at other locations. However, the principle of no-superluminal signalling, and consequently (4.8), hold in this general situation.
It follows from (4.8) that the probability distribution for the string of messages m satisfies for all m ∈ Z M n and all k ∈ [M], where in the second equality we used (4.8). We define for all k ∈ [M] and all y ∈ Z n . From (4.4), (4.5), (4.9) and (4.10), the probability P(o) that the die rolling outcome is o satisfies for all o ∈ Z N . In (4.11), we sum over all stringsm k satisfying that the sum of their entries m i equals x − y mod n; we also sum over all possible values y mod n for m k , and over all x ∈ Ω o . From (4.11), we have for all o ∈ Z N , where in the first line we used (4.1); in the second line we used (4.10); in the third line we used that in the fourth line we used (4.2); and in the last line we used (4.7). Similarly, it follows straightforwardly that for all o ∈ Z N . Thus, (4.6) follows from (4.11) and (4.14).
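The argument above can be checked numerically. The following is an added example, not code from the paper: it assumes the outcome rule the proof describes (x is the sum of all messages mod n, and o is the index of the set Ω_o containing x) and computes the exact outcome distribution seen by one honest party for every possible sum of the other parties' messages. The contiguous layout of the sets Ω_o, the largest-remainder rounding and all function names are assumptions of this sketch.

```python
from bisect import bisect_right
from fractions import Fraction
from itertools import accumulate


def partition_sizes(probs, n):
    """Sizes |Omega_o| that sum to n, by largest-remainder rounding of P_o * n."""
    exact = [Fraction(p) * n for p in probs]
    sizes = [int(e) for e in exact]                  # floor of each share
    leftover = n - sum(sizes)
    # Give the remaining elements of Z_n to the largest fractional parts.
    order = sorted(range(len(sizes)), key=lambda o: exact[o] - sizes[o], reverse=True)
    for o in order[:leftover]:
        sizes[o] += 1
    return sizes


def outcome(messages, n, sizes):
    """Outcome o: index of the set Omega_o that contains x = sum(messages) mod n."""
    x = sum(messages) % n
    upper = list(accumulate(sizes))                  # Omega_o = [upper[o-1], upper[o])
    return bisect_right(upper, x)


def outcome_distribution(honest_dist, others_sum, n, sizes):
    """Exact P(o) when the honest message m_k follows honest_dist and the other
    parties' messages add up to others_sum, chosen without knowledge of m_k."""
    probs = [Fraction(0)] * len(sizes)
    for m_k, p in enumerate(honest_dist):
        probs[outcome([m_k, others_sum], n, sizes)] += p
    return probs


def worst_deviation(honest_dist, n, sizes, target):
    """Largest |P(o) - P_o| over all outcomes and all sums the other parties can fix."""
    return max(
        abs(p - Fraction(t))
        for s in range(n)
        for p, t in zip(outcome_distribution(honest_dist, s, n, sizes), target)
    )


if __name__ == "__main__":
    P = [Fraction(1, 2), Fraction(1, 3), Fraction(1, 6)]    # constructed target biases
    for n in (6, 64, 1024):
        sizes = partition_sizes(P, n)
        uniform = [Fraction(1, n)] * n                      # perfect honest generator
        print(n, sizes, worst_deviation(uniform, n, sizes, P))
    # Constructed imperfect generator: two values off by eps = 1/60.
    eps = Fraction(1, 60)
    biased = [Fraction(1, 6) + eps, Fraction(1, 6) - eps] + [Fraction(1, 6)] * 4
    print("biased:", worst_deviation(biased, 6, partition_sizes(P, 6), P))
```

With rational biases and n a common multiple of their denominators the deviation is exactly zero; otherwise it is the rounding error of the partition, which shrinks as n grows.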

(c) Composability
An important security property in cryptography is that of composable security. Broadly speaking, for a cryptographic protocol to have composable security, not only must it be secure when implemented on its own, but it must also be composed as a secure subroutine for more general cryptographic tasks. According to Ref. [48], coin flipping (and bit commitment) cannot achieve composable security even with the most general type of protocols in relativistic quantum cryptography. The argument of Ref. [48] is that a condition for a coin-flipping protocol to have composable security is that the outcome o of the protocol must be independent of the outcome o′ of another arbitrary coin-flipping protocol that may take place in parallel, and that this condition cannot be guaranteed because a dishonest party may apply a man-in-the-middle attack and correlate the outcomes o and o′ of both protocols. We discuss below how this argument applies to our die-rolling protocols.
Consider the case of two parties (M = 2). Alice and Bob implement a die-rolling protocol R giving outcome o. Bob and Charlie implement another die-rolling protocol R′ in parallel, with the same parameters of R, giving outcome o′. Let Alice and Charlie be honest and let Bob be dishonest. Bob implements the following man-in-the-middle attack with the effect that o = o′ [48,49].
The protocols R and R′ are implemented in the space balls $B_1$ and $B_2$ in parallel with arbitrarily small time delays. Bob plays the role of the second party in R and the role of the first party in R′, whereas Alice plays the role of the first party in R, and Charlie plays the role of the second party in R′. In $B_2$, Alice sends the message $m_1$ to Bob in the protocol R; Bob then sends the message $m'_1 = m_1$ to Charlie in the protocol R′. In $B_1$, Charlie sends the message $m'_2$ to Bob in the protocol R′; Bob then sends the message $m_2 = m'_2$ to Alice in the protocol R. Thus, from (4.5), we obtain that the value of x in R and its corresponding value x′ in R′, given by The previous arguments can be extended straightforwardly to the case of M > 2 parties. In this case, if we assume that the kth party is honest in the protocol R and the jth party is honest in the protocol R′, with k ≠ j, and all other parties are dishonest and collaborate as a single party in both protocols R and R′, then a simple extension of the previous man-in-the-middle attack implies that the die rolling outcomes of R and R′ satisfy o = o′.
However, if the kth party is honest in both protocols R and R′ then the previous attack does not apply, and the kth party can be guaranteed that the outcomes o and o′ are independent. This is because in this case, in the protocol R (R′), the kth party gives the ith party a message $m_k$ ($m'_k$) in the space ball $B_i$ at spacelike separation from the kth party receiving a message $m_i$ ($m'_i$) from the ith party in the space ball $B_k$, for all i ∈ [M]\{k}. Thus, the messages $m_i$ and $m'_i$ are independent of $m_k$ and $m'_k$, for all i ∈ [M]\{k}. Furthermore, since the kth party is honest in R and R′, the messages $m_k$ and $m'_k$ are independent. It follows from (4.5) that the respective values of x and x′ in R and R′ are independent, which implies from (4.4) that the respective outcomes o and o′ of R and R′ are also independent.
It follows from Ref. [48] and from the previous discussion that our die-rolling protocols cannot be composed securely in arbitrary ways. However, an honest party can participate in various die-rolling protocols in parallel and be guaranteed not only that each protocol is secure on its own but also that the outcomes of the protocols are independent, by choosing carefully the space-time regions where she communicates her messages to, and where she accepts messages from, the other parties in all the protocols where she is participating. We have discussed this possibility above for die-rolling protocols taking place in space-time regions that are arbitrarily Another straightforward way to guarantee to an honest party that the outcomes of different die-rolling protocols R and R′ are independent is that every space-time region where she receives or communicates a message in R is spacelike separated from every space-time region where she receives or communicates a message in R′. Given these observations, we believe that whether our die-rolling protocols can be composed securely to implement other cryptographic tasks, perhaps under some assumptions and/or in relativistic settings, deserves further investigation.
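The two composition cases discussed in this section can be compared by exact enumeration. This is an added example, not code from the paper: it models two parallel two-party runs R and R′ of an unbiased N-faced die, first with the relayed messages described above and then with the same party honest in both runs, and checks whether the joint distribution of (o, o′) factorizes. The outcome rule o = x mod N with n a multiple of N, the modelling of the other party's messages as fixed values b, b′, and all function names are assumptions of this sketch.

```python
from collections import Counter
from fractions import Fraction
from itertools import product


def outcome(messages, n, N):
    """Unbiased N-faced die: x = sum(messages) mod n, outcome o = x mod N."""
    return (sum(messages) % n) % N


def relay_runs(n):
    """Alice is honest in R, Charlie is honest in R'; Bob only forwards messages."""
    for m1, m2p in product(range(n), repeat=2):   # honest, uniform and independent
        m1p = m1                                  # Bob passes Alice's m1 on to Charlie
        m2 = m2p                                  # Bob passes Charlie's m2' on to Alice
        yield (m1, m2), (m1p, m2p)


def same_honest_runs(n, b, bp):
    """Alice is honest in both R and R'. Spacelike separation forces the other
    party to fix its messages b and b' without knowing either of hers."""
    for m1, m1p in product(range(n), repeat=2):
        yield (m1, b), (m1p, bp)


def joint_distribution(runs, n, N):
    """Exact joint distribution of (o, o') over equally likely message choices."""
    runs = list(runs)
    weight = Fraction(1, len(runs))
    dist = Counter()
    for msgs_r, msgs_rp in runs:
        dist[(outcome(msgs_r, n, N), outcome(msgs_rp, n, N))] += weight
    return dist


def is_independent(dist, N):
    """True when P(o, o') = P(o) * P(o') for every pair of outcomes."""
    left = [sum(dist[(o, op)] for op in range(N)) for o in range(N)]
    right = [sum(dist[(o, op)] for o in range(N)) for op in range(N)]
    return all(dist[(o, op)] == left[o] * right[op]
               for o in range(N) for op in range(N))


if __name__ == "__main__":
    n, N = 12, 3                                  # constructed parameters
    relay = joint_distribution(relay_runs(n), n, N)
    print("relay:       independent =", is_independent(relay, N), dict(relay))
    same = joint_distribution(same_honest_runs(n, 7, 7), n, N)
    print("same honest: independent =", is_independent(same, N), dict(same))
```

In the relay case each outcome is still uniform on its own, so neither honest party sees a bias; only the joint distribution reveals that the two runs always agree.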

Discussion
Apart from achieving unconditional security with arbitrarily small δ, our protocols have the following advantages over existing quantum non-relativistic coin-flipping and die-rolling protocols.
Second, the distance among the parties can be made very large in practice in our protocols, with laboratories spread on the Earth surface or in satellites orbiting the Earth, for instance. For example, Ref. [23] experimentally demonstrated a relativistic protocol with laboratories separated by 9354 km. This cannot be easily achieved with protocols involving quantum communication. For example, Refs. [58,59] experimentally demonstrated two-party quantum non-relativistic coin-flipping protocols achieving a security advantage over classical non-relativistic protocols at distance separations of only a few metres and 15 km, respectively.
As already mentioned, weak coin flipping and weak die rolling can achieve unconditional security and arbitrarily small δ with quantum non-relativistic protocols [36,44,45]. Our protocols trivially implement these tasks with unconditional security too and have the advantages mentioned above.
Nevertheless, implementing our protocols has some important challenges. First, some communication steps must be very fast to achieve spacelike separation. However, this is feasible with field programmable gate arrays if the protocol sites are sufficiently far apart, as demonstrated by Refs. [18,20,23,24,61]. In particular, Ref. [61] experimentally demonstrated a relativistic cryptographic protocol with locations separated by only 60 m.
Second, the laboratories must be synchronized securely to a common reference frame with sufficient time precision. This can be achieved with GPS devices and atomic clocks [18,20,23,24,61], for instance.
We note that a dishonest party can in principle implement attacks in the reference frame synchronization of the other parties, for example, by spoofing their GPS signals. If these attacks are implemented successfully without being caught, the parties under attack may believe that the communications in the relativistic stage were implemented at spacelike separation, while in fact they were not, in this way compromising the protocol's security. To our knowledge, previous experimental demonstrations of relativistic cryptography have been vulnerable to these attacks [18,20,23,24,61]. A countermeasure against these attacks is for each party to synchronize her clocks in a secure laboratory and then distribute them securely to her other laboratories, guaranteeing that the clocks remain sufficiently synchronized during the relativistic stage of the protocol [20].
Our protocols are intrinsically classical but can be made quantum by using quantum random number generators. Ideally, the parties use quantum random number generators to guarantee that their inputs are truly random. Additionally, quantum key distribution links [46,62,63] can be used to expand the secure keys shared among the various laboratories used to implement the long distance communication channels. This can be suitably implemented in quantum networks [64][65][66][67] or a quantum internet [68,69].
Data accessibility. This article has no additional data. Competing interests. I declare I have no competing interests.