Advances in Cryptology – CRYPTO 2013

Volume 8042 of the series Lecture Notes in Computer Science pp 259-276

On Fair Exchange, Fair Coins and Fair Sampling

  • Shashank AgrawalAffiliated withUniversity of Illinois, Urbana-Champaign
  • , Manoj PrabhakaranAffiliated withUniversity of Illinois, Urbana-Champaign

* Final gross prices may vary according to local VAT.

Get Access


We study various classical secure computation problems in the context of fairness, and relate them with each other. We also systematically study fair sampling problems (i.e., inputless functionalities) and discover three levels of complexity for them.

Our results include the following:

  • Fair exchange cannot be securely reduced to the problem of fair cointossing by an r-round protocol, except with an error that is \(\Omega(\frac{1}{r})\).

  • Finite fair sampling problems with rational probabilities can all be reduced to fair coin-tossing and unfair 2-party computation (or equivalently, under computational assumptions). Thus, for this class of functionalities, fair coin-tossing is complete.

  • Only sampling problems which have fair protocols without any fair setup are the trivial ones in which the two parties can sample their outputs independently.Others all have an \(\Omega(\frac{1}{r})\) error, roughly matching an upperbound for fair sampling from [21].

  • We study communication-less protocols for sampling, given another sampling problem as setup, since such protocols are inherently fair. We use spectral graph theoretic tools to show that it is impossible to reduce a sampling problem with common information (like fair cointossing) to a sampling problem without (like “noisy” coin-tossing, which has a small probability of disagreement).

The last result above is a slightly sharper version of a classical result by Witsenhausen from 1975. Our proof reveals the connection between the tool used by Witsenhausen, namely “maximal correlation,” and spectral graph theoretic tools like Cheeger inequality.