## Cryptology ePrint Archive: Report 2006/177

On the (Im-)Possibility of Extending Coin Toss

Dennis Hofheinz and Joern Mueller-Quade and Dominique Unruh

Abstract: We consider the cryptographic two-party protocol task of extending a given coin toss. The goal is to generate n common random coins from a single use of an ideal functionality which gives m<n common random coins to the parties. In the framework of Universal Composability we show the impossibility of securely extending a coin toss for statistical and perfect security. On the other hand, for computational security the existence of a protocol for coin toss extension depends on the number m of random coins which can be obtained "for free".

For the case of stand-alone security, i.e., a simulation based security definition without an environment, we present a novel protocol for unconditionally secure coin toss extension. The new protocol works for superlogarithmic m, which is optimal as we show the impossibility of statistically secure coin toss extension for smaller m.

Combining our results with already known results, we obtain a (nearly) complete characterization under which circumstances coin toss extension is possible.

Category / Keywords: cryptographic protocols / coin toss, universal composability, reactive simulatability, cryptographic protocols

Publication Info: This is the full version of the paper presented at Eurocrypt 2006