An Optimally Fair Coin Toss

Tal Moran; Moni Naor; Gil Segev

doi:10.1007/s00145-015-9199-z

An Optimally Fair Coin Toss

Tal Moran, Moni Naor, Gil Segev^*

^*Corresponding author for this work

The Rachel and Selim Benin School of Engineering and Computer Science

Research output: Contribution to journal › Article › peer-review

21 Scopus citations

Abstract

We address one of the foundational problems in cryptography: the bias of coin-flipping protocols. Coin-flipping protocols allow mutually distrustful parties to generate a common unbiased random bit, guaranteeing that even if one of the parties is malicious, it cannot significantly bias the output of the honest party. A classical result by Cleve (Proceedings of the 18th annual ACM symposium on theory of computing, pp 364–369, 1986) showed that for any two-party r-round coin-flipping protocol there exists an efficient adversary that can bias the output of the honest party by Ω(1 / r). However, the best previously known protocol only guarantees O(1/r) bias, and the question of whether Cleve’s bound is tight has remained open for more than 20 years. In this paper, we establish the optimal trade-off between the round complexity and the bias of two-party coin-flipping protocols. Under standard assumptions (the existence of oblivious transfer), we show that Cleve’s lower bound is tight: We construct an r-round protocol with bias O(1 / r).

Original language	American English
Pages (from-to)	491-513
Number of pages	23
Journal	Journal of Cryptology
Volume	29
Issue number	3
DOIs	https://doi.org/10.1007/s00145-015-9199-z
State	Published - 1 Jul 2016

Bibliographical note

Funding Information:
Tal Moran: Supported by the European Union’s Seventh Framework Programme (FP7) via a Marie Curie Career Integration Grant and by the Israel Science Foundation (Grant No. 1790/13). Most of this work was done while the author was a PhD student at the Weizmann Institute of Science.

Funding Information:
Gil Segev: Supported by the European Union’s Seventh Framework Programme (FP7) via a Marie Curie Career Integration Grant, by the Israel Science Foundation (Grant No. 483/13), and by the Israeli Centers of Research Excellence (I-CORE) Program (Center No. 4/11). Most of this work was done while the author was a PhD student at the Weizmann Institute of Science.

Funding Information:
Moni Naor: Research supported in part by a grant from the I-CORE Program of the Planning and Budgeting Committee, the Israel Science Foundation, BSF and the Israeli Ministry of Science and Technology.

Publisher Copyright:
© 2015, International Association for Cryptologic Research.

Keywords

Coin flipping
Optimal bias
Round complexity

Access to Document

10.1007/s00145-015-9199-z

Cite this

@article{8d958b7a5fed427f821dae6ef3e0b51d,

title = "An Optimally Fair Coin Toss",

abstract = "We address one of the foundational problems in cryptography: the bias of coin-flipping protocols. Coin-flipping protocols allow mutually distrustful parties to generate a common unbiased random bit, guaranteeing that even if one of the parties is malicious, it cannot significantly bias the output of the honest party. A classical result by Cleve (Proceedings of the 18th annual ACM symposium on theory of computing, pp 364–369, 1986) showed that for any two-party r-round coin-flipping protocol there exists an efficient adversary that can bias the output of the honest party by Ω(1 / r). However, the best previously known protocol only guarantees O(1/r) bias, and the question of whether Cleve{\textquoteright}s bound is tight has remained open for more than 20 years. In this paper, we establish the optimal trade-off between the round complexity and the bias of two-party coin-flipping protocols. Under standard assumptions (the existence of oblivious transfer), we show that Cleve{\textquoteright}s lower bound is tight: We construct an r-round protocol with bias O(1 / r).",

keywords = "Coin flipping, Optimal bias, Round complexity",

author = "Tal Moran and Moni Naor and Gil Segev",

note = "Funding Information: Tal Moran: Supported by the European Union{\textquoteright}s Seventh Framework Programme (FP7) via a Marie Curie Career Integration Grant and by the Israel Science Foundation (Grant No. 1790/13). Most of this work was done while the author was a PhD student at the Weizmann Institute of Science. Funding Information: Gil Segev: Supported by the European Union{\textquoteright}s Seventh Framework Programme (FP7) via a Marie Curie Career Integration Grant, by the Israel Science Foundation (Grant No. 483/13), and by the Israeli Centers of Research Excellence (I-CORE) Program (Center No. 4/11). Most of this work was done while the author was a PhD student at the Weizmann Institute of Science. Funding Information: Moni Naor: Research supported in part by a grant from the I-CORE Program of the Planning and Budgeting Committee, the Israel Science Foundation, BSF and the Israeli Ministry of Science and Technology. Publisher Copyright: {\textcopyright} 2015, International Association for Cryptologic Research.",

year = "2016",

month = jul,

day = "1",

doi = "10.1007/s00145-015-9199-z",

language = "American English",

volume = "29",

pages = "491--513",

journal = "Journal of Cryptology",

issn = "0933-2790",

publisher = "Springer New York",

number = "3",

}

TY - JOUR

T1 - An Optimally Fair Coin Toss

AU - Moran, Tal

AU - Naor, Moni

AU - Segev, Gil

N1 - Funding Information: Tal Moran: Supported by the European Union’s Seventh Framework Programme (FP7) via a Marie Curie Career Integration Grant and by the Israel Science Foundation (Grant No. 1790/13). Most of this work was done while the author was a PhD student at the Weizmann Institute of Science. Funding Information: Gil Segev: Supported by the European Union’s Seventh Framework Programme (FP7) via a Marie Curie Career Integration Grant, by the Israel Science Foundation (Grant No. 483/13), and by the Israeli Centers of Research Excellence (I-CORE) Program (Center No. 4/11). Most of this work was done while the author was a PhD student at the Weizmann Institute of Science. Funding Information: Moni Naor: Research supported in part by a grant from the I-CORE Program of the Planning and Budgeting Committee, the Israel Science Foundation, BSF and the Israeli Ministry of Science and Technology. Publisher Copyright: © 2015, International Association for Cryptologic Research.

PY - 2016/7/1

Y1 - 2016/7/1

N2 - We address one of the foundational problems in cryptography: the bias of coin-flipping protocols. Coin-flipping protocols allow mutually distrustful parties to generate a common unbiased random bit, guaranteeing that even if one of the parties is malicious, it cannot significantly bias the output of the honest party. A classical result by Cleve (Proceedings of the 18th annual ACM symposium on theory of computing, pp 364–369, 1986) showed that for any two-party r-round coin-flipping protocol there exists an efficient adversary that can bias the output of the honest party by Ω(1 / r). However, the best previously known protocol only guarantees O(1/r) bias, and the question of whether Cleve’s bound is tight has remained open for more than 20 years. In this paper, we establish the optimal trade-off between the round complexity and the bias of two-party coin-flipping protocols. Under standard assumptions (the existence of oblivious transfer), we show that Cleve’s lower bound is tight: We construct an r-round protocol with bias O(1 / r).

AB - We address one of the foundational problems in cryptography: the bias of coin-flipping protocols. Coin-flipping protocols allow mutually distrustful parties to generate a common unbiased random bit, guaranteeing that even if one of the parties is malicious, it cannot significantly bias the output of the honest party. A classical result by Cleve (Proceedings of the 18th annual ACM symposium on theory of computing, pp 364–369, 1986) showed that for any two-party r-round coin-flipping protocol there exists an efficient adversary that can bias the output of the honest party by Ω(1 / r). However, the best previously known protocol only guarantees O(1/r) bias, and the question of whether Cleve’s bound is tight has remained open for more than 20 years. In this paper, we establish the optimal trade-off between the round complexity and the bias of two-party coin-flipping protocols. Under standard assumptions (the existence of oblivious transfer), we show that Cleve’s lower bound is tight: We construct an r-round protocol with bias O(1 / r).

KW - Coin flipping

KW - Optimal bias

KW - Round complexity

UR - http://www.scopus.com/inward/record.url?scp=84923252736&partnerID=8YFLogxK

U2 - 10.1007/s00145-015-9199-z

DO - 10.1007/s00145-015-9199-z

M3 - Article

AN - SCOPUS:84923252736

SN - 0933-2790

VL - 29

SP - 491

EP - 513

JO - Journal of Cryptology

JF - Journal of Cryptology

IS - 3

ER -

An Optimally Fair Coin Toss

Abstract

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this