An Optimally Fair Coin Toss

Tal Moran, Moni Naor, Gil Segev*

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

22 Scopus citations


We address one of the foundational problems in cryptography: the bias of coin-flipping protocols. Coin-flipping protocols allow mutually distrustful parties to generate a common unbiased random bit, guaranteeing that even if one of the parties is malicious, it cannot significantly bias the output of the honest party. A classical result by Cleve (Proceedings of the 18th annual ACM symposium on theory of computing, pp 364–369, 1986) showed that for any two-party r-round coin-flipping protocol there exists an efficient adversary that can bias the output of the honest party by Ω(1 / r). However, the best previously known protocol only guarantees O(1/r) bias, and the question of whether Cleve’s bound is tight has remained open for more than 20 years. In this paper, we establish the optimal trade-off between the round complexity and the bias of two-party coin-flipping protocols. Under standard assumptions (the existence of oblivious transfer), we show that Cleve’s lower bound is tight: We construct an r-round protocol with bias O(1 / r).

Original languageAmerican English
Pages (from-to)491-513
Number of pages23
JournalJournal of Cryptology
Issue number3
StatePublished - 1 Jul 2016

Bibliographical note

Publisher Copyright:
© 2015, International Association for Cryptologic Research.


  • Coin flipping
  • Optimal bias
  • Round complexity


Dive into the research topics of 'An Optimally Fair Coin Toss'. Together they form a unique fingerprint.

Cite this