An optimally fair coin toss

Tal Moran*, Moni Naor, Gil Segev

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

60 Scopus citations

Abstract

We address one of the foundational problems in cryptography: the bias of coin-flipping protocols. Coin-flipping protocols allow mutually distrustful parties to generate a common unbiased random bit, guaranteeing that even if one of the parties is malicious, it cannot significantly bias the output of the honest party. A classical result by Cleve [STOC '86] showed that for any two-party r-round coin-flipping protocol there exists an efficient adversary that can bias the output of the honest party by Ω(1/r). However, the best previously known protocol only guarantees bias, and the question of whether Cleve's bound is tight has remained open for more than twenty years. In this paper we establish the optimal trade-off between the round complexity and the bias of two-party coin-flipping protocols. Under standard assumptions (the existence of oblivious transfer), we show that Cleve's lower bound is tight: we construct an r-round protocol with bias O(1/r).

Original languageEnglish
Title of host publicationTheory of Cryptography - 6th Theory of Cryptography Conference, TCC 2009, Proceedings
Pages1-18
Number of pages18
DOIs
StatePublished - 2009
Externally publishedYes
Event6th Theory of Cryptography Conference, TCC 2009 - San Francisco, CA, United States
Duration: 15 Mar 200917 Mar 2009

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume5444 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference6th Theory of Cryptography Conference, TCC 2009
Country/TerritoryUnited States
CitySan Francisco, CA
Period15/03/0917/03/09

Fingerprint

Dive into the research topics of 'An optimally fair coin toss'. Together they form a unique fingerprint.

Cite this