An Optimally Fair Coin Toss

We address one of the foundational problems in cryptography: the bias of coin-flipping protocols. Coin-flipping protocols allow mutually distrustful parties to generate a common unbiased random bit, guaranteeing that even if one of the parties is malicious, it cannot significantly bias the output of the honest party. A classical result by Cleve (Proceedings of the 18th annual ACM symposium on theory of computing, pp 364–369, 1986) showed that for any two-party $$r$$r-round coin-flipping protocol there exists an efficient adversary that can bias the output of the honest party by $$\varOmega (1/r)$$Ω(1/r). However, the best previously known protocol only guarantees $$O(1/\sqrt{r})$$O(1/r) bias, and the question of whether Cleve’s bound is tight has remained open for more than 20 years. In this paper, we establish the optimal trade-off between the round complexity and the bias of two-party coin-flipping protocols. Under standard assumptions (the existence of oblivious transfer), we show that Cleve’s lower bound is tight: We construct an $$r$$r-round protocol with bias $$O(1/r)$$O(1/r).

[1]  Oded Goldreich,et al.  Foundations of Cryptography: Volume 2, Basic Applications , 2004 .

[2]  Itay Berman,et al.  Coin flipping of any constant bias implies one-way functions , 2014, STOC.

[3]  Moni Naor,et al.  Bit commitment using pseudorandomness , 1989, Journal of Cryptology.

[4]  Manuel Blum,et al.  Coin flipping by telephone a protocol for solving impossible problems , 1983, SIGA.

[5]  Avi Wigderson,et al.  Completeness theorems for non-cryptographic fault-tolerant distributed computation , 1988, STOC '88.

[6]  Nathan Linial,et al.  Collective Coin Flipping , 1989, Adv. Comput. Res..

[7]  Yehuda Lindell,et al.  Efficient Secure Two-Party Protocols , 2010, Information Security and Cryptography.

[8]  Andris Ambainis,et al.  Multiparty quantum coin flipping , 2003, Proceedings. 19th IEEE Annual Conference on Computational Complexity, 2004..

[9]  Jonathan Katz,et al.  Partial Fairness in Secure Two-Party Computation , 2010, Journal of Cryptology.

[10]  Jonathan Katz,et al.  Rational Secret Sharing, Revisited , 2006, SCN.

[11]  Yehuda Lindell,et al.  Complete Fairness in Secure Two-Party Computation , 2011, JACM.

[12]  Eran Omri,et al.  Protocols for Multiparty Coin Toss with a Dishonest Majority , 2015, Journal of Cryptology.

[13]  Tal Malkin,et al.  Can Optimally-Fair Coin Tossing Be Based on One-Way Functions? , 2014, TCC.

[14]  Yehuda Lindell,et al.  Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation , 2001, Journal of Cryptology.

[15]  Moni Naor,et al.  Cryptography and Game Theory: Designing Protocols for Exchanging Information , 2008, TCC.

[16]  Eran Omri,et al.  Coin Flipping with Constant Bias Implies One-Way Functions , 2011, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science.

[17]  Yehuda Lindell,et al.  On the Black-Box Complexity of Optimally-Fair Coin Tossing , 2011, TCC.

[18]  Uriel Feige,et al.  Noncryptographic selection protocols , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[19]  M. Panella Associate Editor of the Journal of Computer and System Sciences , 2014 .

[20]  Iftach Haitner,et al.  An almost-optimally fair three-party coin-flipping protocol , 2014, STOC.

[21]  Ran Canetti,et al.  Security and Composition of Multiparty Cryptographic Protocols , 2000, Journal of Cryptology.

[22]  Jonathan Katz On achieving the "best of both worlds" in secure multiparty computation , 2007, STOC '07.

[23]  Amit Sahai,et al.  On the Computational Complexity of Coin Flipping , 2010, 2010 IEEE 51st Annual Symposium on Foundations of Computer Science.

[24]  Richard Cleve,et al.  Limits on the security of coin flips when half the processors are faulty , 1986, STOC '86.

[25]  Noga Alon,et al.  Coin-flipping games immune against linear-sized coalitions , 1990, Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science.

[26]  Joseph Y. Halpern,et al.  Ra-tional secret sharing and multiparty computation , 2004, STOC 2004.

[27]  Leonid A. Levin,et al.  A Pseudorandom Generator from any One-way Function , 1999, SIAM J. Comput..

[28]  Mihir Bellare,et al.  Code-Based Game-Playing Proofs and the Security of Triple Encryption , 2004, IACR Cryptol. ePrint Arch..

[29]  Russell Impagliazzo,et al.  One-way functions are essential for complexity based cryptography , 1989, 30th Annual Symposium on Foundations of Computer Science.

[30]  Oded Goldreich,et al.  The Foundations of Cryptography - Volume 2: Basic Applications , 2001 .

[31]  Yehuda Lindell,et al.  Efficient Secure Two-Party Protocols: Techniques and Constructions , 2010 .

[32]  Andrew Chi-Chih Yao,et al.  Quantum bit escrow , 2000, STOC '00.

[33]  Andris Ambainis,et al.  A new protocol and lower bounds for quantum coin flipping , 2001, STOC '01.

[34]  Larry Carter,et al.  New Hash Functions and Their Use in Authentication and Set Equality , 1981, J. Comput. Syst. Sci..

[35]  Michael E. Saks A Robust Noncryptographic Protocol for Collective Coin Flipping , 1989, SIAM J. Discret. Math..

[36]  Moni Naor,et al.  Basing cryptographic protocols on tamper-evident seals , 2005, Theor. Comput. Sci..

[37]  Eran Omri,et al.  1/p-Secure Multiparty Computation without Honest Majority and the Best of Both Worlds , 2011, CRYPTO.

[38]  Alexander Russell,et al.  Perfect Information Leader Election in log* n+O (1) Rounds , 2001, J. Comput. Syst. Sci..

[39]  Eran Omri,et al.  Protocols for Multiparty Coin Toss with Dishonest Majority , 2010, CRYPTO.

[40]  Joseph Y. Halpern,et al.  Rational secret sharing and multiparty computation: extended abstract , 2004, STOC '04.