A Complete Characterization of Game-Theoretically Fair, Multi-Party Coin Toss

Cleve’s celebrated lower bound (STOC’86) showed that a de facto strong fairness notion is impossible in 2-party coin toss, i.e., the corrupt party always has a strategy of biasing the honest party’s outcome by a noticeable amount. Nonetheless, Blum’s famous coin-tossing protocol (CRYPTO’81) achieves a strictly weaker “game-theoretic” notion of fairness — specifically, it is a 2-party coin toss protocol in which neither party can bias the outcome towards its own preference; and thus the honest protocol forms a Nash equilibrium in which neither party would want to deviate. Surprisingly, an n-party analog of Blum’s famous coin toss protocol was not studied till recently. The elegant work by Chung et al. was the first to explore the feasibility of game-theoretically fair n-party coin toss in the presence of corrupt majority. We may assume that each party has a publicly stated preference for either the bit 0 or 1, and if the outcome agrees with the party’s preference, it obtains utility 1; else it obtains nothing. A natural game-theoretic formulation is to require that the honest protocol form a coalitionresistant Nash equilibrium, i.e., no coalition should have incentive to deviate from the honest behavior. Chung et al. phrased this game-theoretic notion as “cooperative-strategy-proofness” or “CSP-fairness” for short. Unfortunately, Chung et al. showed that under (n− 1)-sized coalitions, it is impossible to design such a CSP-fair coin toss protocol, unless all parties except one prefer the same bit. In this paper, we show that the impossibility of Chung et al. is in fact not as broad as it may seem. When coalitions are majority but not n−1 in size, we can indeed get feasibility results in some meaningful parameter regimes. We give a complete characterization of the regime in which CSP-fair coin toss is possible, by providing a matching upperand lower-bound. Our complete characterization theorem also shows that the mathematical structure of game-theoretic fairness is starkly different from the de facto strong fairness notion in the multi-party computation literature. The author ordering is randomized kew2@andrew.cmu.edu gilad.asharov@biu.ac.il runting@gmail.com

[1]  Oded Goldreich,et al.  The Foundations of Cryptography - Volume 2: Basic Applications , 2001 .

[2]  Kai-Min Chung,et al.  Game-Theoretic Fairness Meets Multi-party Protocols: The Case of Leader Election , 2021, CRYPTO.

[3]  Silvio Micali,et al.  How to play ANY mental game , 1987, STOC.

[4]  Andrew Chi-Chih Yao,et al.  Protocols for secure computations , 1982, FOCS 1982.

[5]  Jonathan Katz,et al.  How Fair is Your Protocol?: A Utility-based Approach to Protocol Optimality , 2015, PODC.

[6]  Yehuda Lindell,et al.  Utility Dependence in Correct and Fair Rational Secret Sharing , 2009, CRYPTO.

[7]  Shai Halevi,et al.  A Cryptographic Solution to a Game Theoretic Problem , 2000, CRYPTO.

[8]  Elaine Shi,et al.  Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[9]  David Chaum,et al.  Multiparty Unconditionally Secure Protocols (Extended Abstract) , 1988, STOC.

[10]  Justin M. Reyneri,et al.  Coin flipping by telephone , 1984, IEEE Trans. Inf. Theory.

[11]  Richard Cleve,et al.  Limits on the security of coin flips when half the processors are faulty , 1986, STOC '86.

[12]  R. Aumann Subjectivity and Correlation in Randomized Strategies , 1974 .

[13]  David C. Parkes,et al.  Fairness with an Honest Minority and a Rational Majority , 2009, TCC.

[14]  Iddo Bentov,et al.  How to Use Bitcoin to Design Fair Protocols , 2014, CRYPTO.

[15]  Vinod Vaikuntanathan,et al.  Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE , 2012, EUROCRYPT.

[16]  Marcin Andrychowicz,et al.  Secure Multiparty Computations on Bitcoin , 2014, 2014 IEEE Symposium on Security and Privacy.

[17]  Juan A. Garay,et al.  Fair Distributed Computation of Reactive Functions , 2015, DISC.

[18]  Dan Boneh,et al.  Verifiable Delay Functions , 2018, IACR Cryptol. ePrint Arch..

[19]  Ran Canetti,et al.  Cryptography and Game Theory , 2009 .

[20]  Avi Wigderson,et al.  Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation (Extended Abstract) , 1988, STOC.

[21]  A. Yao How to generate and exchange secrets , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[22]  S. Rajsbaum Foundations of Cryptography , 2014 .

[23]  Ueli Maurer,et al.  Rational Protocol Design: Cryptography against Incentive-Driven Adversaries , 2013, 2013 IEEE 54th Annual Symposium on Foundations of Computer Science.

[24]  Elaine Shi,et al.  FruitChains: A Fair Blockchain , 2017, IACR Cryptol. ePrint Arch..

[25]  Vinod Vaikuntanathan,et al.  Improvements to Secure Computation with Penalties , 2016, CCS.

[26]  Ran Canetti,et al.  Toward a Game Theoretic View of Secure Computation , 2011, Journal of Cryptology.

[27]  Rafail Ostrovsky,et al.  Secure Multi-Party Computation with Identifiable Abort , 2014, CRYPTO.

[28]  Danny Dolev,et al.  Distributed computing meets game theory: robust mechanisms for rational secret sharing and multiparty computation , 2006, PODC '06.

[29]  Jonathan Katz,et al.  Fair Computation with Rational Players , 2012, EUROCRYPT.

[30]  Joseph Y. Halpern,et al.  Ra-tional secret sharing and multiparty computation , 2004, STOC 2004.

[31]  Sergei Izmalkov,et al.  Rational secure computation and ideal mechanism design , 2005, 46th Annual IEEE Symposium on Foundations of Computer Science (FOCS'05).

[32]  Dan Boneh,et al.  A Survey of Two Verifiable Delay Functions , 2018, IACR Cryptol. ePrint Arch..

[33]  Jonathan Katz,et al.  Bridging Game Theory and Cryptography: Recent Results and Future Directions , 2008, TCC.

[34]  Iddo Bentov,et al.  How to Use Bitcoin to Incentivize Correct Computations , 2014, CCS.

[35]  Tal Rabin,et al.  Verifiable secret sharing and multiparty protocols with honest majority , 1989, STOC '89.

[36]  Moni Naor,et al.  Cryptography and Game Theory: Designing Protocols for Exchanging Information , 2008, TCC.

[37]  Elaine Shi,et al.  Game Theoretic Notions of Fairness in Multi-party Coin Toss , 2018, TCC.