Almost-Optimally Fair Multiparty Coin-Tossing with Nearly Three-Quarters Malicious

  • Research Article
  • Journal of Cryptology

Abstract

An \(\alpha \)-fair coin-tossing protocol allows a set of mutually distrustful parties to generate a uniform bit, such that no efficient adversary can bias the output bit by more than \(\alpha \). Cleve (in: Proceedings of the 18th annual ACM symposium on theory of computing (STOC), 1986) has shown that if half of the parties can be corrupted, then no \(r\)-round coin-tossing protocol is \(o(1/r)\)-fair. For over two decades, the best-known \(m\)-party protocols, tolerating up to \(t\ge m/2\) corrupted parties, were only \(O\left( t/\sqrt{r} \right) \)-fair. In a surprising result, Moran et al. (in: Theory of cryptography, sixth theory of cryptography conference, TCC, 2009) constructed an \(r\)-round two-party \(O(1/r)\)-fair coin-tossing protocol, i.e., an optimally fair protocol. Beimel et al. (in: Rabin (ed) Advances in cryptology—CRYPTO 2010, volume 6223 of lecture notes in computer science, Springer, 2010) extended the result of Moran et al. to the multiparty setting where strictly fewer than 2/3 of the parties are corrupted. They constructed a \(2^{2^k}/r\)-fair \(r\)-round \(m\)-party protocol, tolerating up to \(t=\frac{m+k}{2}\) corrupted parties. In a breakthrough result, Haitner and Tsfadia (in: Symposium on theory of computing, STOC, 2014) constructed an \(O\left( \log ^3(r)/r \right) \)-fair (almost optimal) three-party coin-tossing protocol. Their work brought forth a combination of novel techniques for coping with the difficulties of constructing fair coin-tossing protocols. Still, the best coin-tossing protocols for the case where more than 2/3 of the parties may be corrupted (and even when \(t=2m/3\), where \(m>3\)) were \(\theta \left( 1/\sqrt{r} \right) \)-fair. We construct an \(O\left( \log ^3(r)/r \right) \)-fair \(m\)-party coin-tossing protocol, tolerating up to \(t\) corrupted parties, whenever \(m\) is constant and \(t<3m/4\).

Notes

  1. This was generalized to include all functions that imply non-trivial sampling [1, 40], where the two parties wish to sample correlated values.

  2. The idea is to randomly and secretly choose a special round in which the parties unknowingly get the output of the computation.

  3. Note that computing \(\varepsilon \) might take super-polynomial time. However, as noted by [30], \(\varepsilon \) can be efficiently approximated without a significant loss in security.

  4. Beimel et al. [9] use a slightly more involved technique to distribute defense values to the different subsets of parties, allowing several subsets to be assigned the same output bit, while maintaining the guarantee that the adversary cannot bias the output of the honest parties without guessing the value of the special round \(i^{*}\).

  5. Actually, in our construction, we only call subsets \(\mathcal {J}\), such that \(2h-1\le \left| \mathcal {J}\right| \le t\), protected. This suffices since, if a smaller subset of active parties is left, it has an honest majority and thus can use the defense value of its lexicographically first superset of size \(2h-1\).

  6. Here we let \(\Delta _{r+1}\left( y \right) =1\) if \(Y_r\ge 0\) and 0 otherwise, and we let \(\Delta _{r+1}\left( y,d \right) =\Delta _{r+1}\left( y \right) \).

  7. Note that in the case where \(|\mathcal {J}|\le 2h-1\), there is an honest majority, and so, in \({\text {MultipartyShareGen}}_{<3/4}\) we could have given them a common bit to reconstruct with full security. We decided to instruct the parties to execute Protocol 3.2 for the sake of simplicity.

References

  1. S. Agrawal, M. Prabhakaran, On fair exchange, fair coins and fair sampling, in Advances in Cryptology—CRYPTO 2013 (Springer, 2013), pp. 259–276

  2. B. Alon, E. Omri, Almost-optimally fair multiparty coin-tossing with nearly three-quarters malicious, in Theory of Cryptography Conference (Springer, 2016), pp. 307–335

  3. G. Asharov, Towards characterizing complete fairness in secure two-party computation, in Proceedings of the Eleventh Theory of Cryptography Conference—TCC 2014, vol. 8349 (Springer, 2014), pp. 291–316

  4. G. Asharov, Y. Lindell, T. Rabin, A full characterization of functions that imply fair coin tossing and ramifications to fairness, in Proceedings of the Tenth Theory of Cryptography Conference—TCC 2013, volume 7785 of Lecture Notes in Computer Science (Springer, 2013), pp. 243–262

  5. G. Asharov, A. Beimel, N. Makriyannis, E. Omri, Complete characterization of fairness in secure two-party computation of boolean functions, in Theory of Cryptography Conference (Springer, 2015), pp. 199–228

  6. Y. Aumann, Y. Lindell, Security against covert adversaries: Efficient protocols for realistic adversaries, in Theory of Cryptography (Springer, 2007), pp. 137–156

  7. B. Averbuch, M. Blum, B. Chor, S. Goldwasser, S. Micali, How to implement Bracha’s \({O}(\log n)\) Byzantine agreement algorithm, 1985. Unpublished manuscript

  8. A. Beimel, Y. Lindell, E. Omri, I. Orlov, 1/p-secure multiparty computation without honest majority and the best of both worlds, in P. Rogaway, editor, Advances in Cryptology—CRYPTO 2011, volume 6841 of Lecture Notes in Computer Science (Springer, 2011), pp. 277–296

  9. A. Beimel, E. Omri, I. Orlov, Protocols for multiparty coin toss with dishonest majority. J. Cryptology, 28(3), 551–600, 2015. Conference version, in T. Rabin, editor, Advances in Cryptology—CRYPTO 2010, volume 6223 of Lecture Notes in Computer Science (Springer-Verlag, 2010), pp. 538-557

  10. A. Beimel, I. Haitner, N. Makriyannis, E. Omri, Tighter bounds on multi-party coin flipping via augmented weak martingales and differentially private sampling, in M. Thorup, editor, 59th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2018, Paris, France, October 7–9, 2018 (IEEE Computer Society, 2018), pp. 838–849

  11. M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract), in Proceedings of the 29th Annual Symposium on Foundations of Computer Science (FOCS) (1988), pp. 1–10

  12. Berman, I. Haitner, A. Tentes, Coin flipping of any constant bias implies one-way functions, in Symposium on Theory of Computing, STOC 2014, New York, NY, USA, May 31–June 03, 2014 (2014), pp. 398–407

  13. M. Blum, Coin flipping by telephone, in Advances in Cryptology—CRYPTO ’81 (1981), pp. 11–15

  14. M. Blum, Coin flipping by telephone a protocol for solving impossible problems. SIGACT News 15(1), 23–27 (1983)

  15. N. Buchbinder, I. Haitner, N. Levi, E. Tsfadia, Fair coin flipping: Tighter analysis and the many-party case, in Proceedings of the Twenty-Eighth Annual ACM-SIAM Symposium on Discrete Algorithms (SIAM, 2017), pp. 2580–2600

  16. R. Canetti, Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000)

  17. R. Cleve, Limits on the security of coin flips when half the processors are faulty, in Proceedings of the 18th Annual ACM Symposium on Theory of Computing (STOC) (1986), pp. 364–369

  18. R. Cleve, R. Impagliazzo, Martingales, collective coin flipping and discrete control processes. Manuscript (1993)

  19. D. Dachman-Soled, Y. Lindell, M. Mahmoody, T. Malkin, On the black-box complexity of optimally-fair coin tossing, in Theory of Cryptography, Eighth Theory of Cryptography Conference, TCC 2011, vol. 6597 (2011), pp. 450–467

  20. D. Dachman-Soled, M. Mahmoody, T. Malkin, Can optimally-fair coin tossing be based on one-way functions? in Theory of Cryptography—11th Theory of Cryptography Conference, TCC 2014, San Diego, CA, USA, February 24–26, 2014. Proceedings (2014), pp. 217–239

  21. S. Even, O. Goldreich, A. Lempel, A randomized protocol for signing contracts. Commun. ACM 28(6), 637–647 (1985)

  22. O. Goldreich, Foundations of Cryptography: Volume 2, Basic Applications. (Cambridge University Press, 2009)

  23. O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or a completeness theorem for protocols with honest majority, in Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC) (1987), pp. 218–229

  24. S. Goldwasser, Y. Lindell, Secure computation without agreement, in Distributed Computing (Springer, 2002), pp. 17–32

  25. S. D. Gordon, J. Katz, Partial fairness in secure two-party computation, in H. Gilbert, editor, Advances in Cryptology—EUROCRYPT 2010, volume 6110 of Lecture Notes in Computer Science (Springer, 2010), pp. 157–176

  26. S. D. Gordon, J. Katz, Partial fairness in secure two-party computation. J. Cryptol. 25(1), 14–40 (2012)

  27. S. D. Gordon, C. Hazay, J. Katz, Y. Lindell, Complete fairness in secure two-party computation, in Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC) (2008), pp. 413–422

  28. I. Haitner, Implementing oblivious transfer using collection of dense trapdoor permutations, in Theory of Cryptography Conference (Springer, 2004), pp. 394–409

  29. I. Haitner, E. Omri, Coin Flipping with Constant Bias Implies One-Way Functions, in Proceedings of the 52nd Annual Symposium on Foundations of Computer Science (FOCS) (2011), pp. 110–119

  30. I. Haitner, E. Tsfadia, An almost-optimally fair three-party coin-flipping protocol, in Symposium on Theory of Computing, STOC 2014, New York, NY, USA, May 31–June 03, 2014 (2014), pp. 408–416. http://www.cs.tau.ac.il/~iftachh/papers/3PartyCF/QuasiOptimalCF_Full.pdf

  31. I. Haitner, M. Nguyen, S. J. Ong, O. Reingold, S. Vadhan, Statistically hiding commitments and statistical zero-knowledge arguments from any one-way function. SIAM J. Comput. 39(3), 1153–1218 (2009)

  32. I. Haitner, N. Makriyannis, E. Omri, On the complexity of fair coin flipping, in A. Beimel and S. Dziembowski, editors, Theory of Cryptography—16th International Conference, TCC 2018, Panaji, India, November 11–14, 2018, Proceedings, Part I, volume 11239 of Lecture Notes in Computer Science (Springer, 2018), pp. 539–562

  33. W. Hoeffding, Probability inequalities for sums of bounded random variables, in The Collected Works of Wassily Hoeffding (Springer, 1994), pp. 409–426

  34. Y. Ishai, R. Ostrovsky, V. Zikas, Secure multi-party computation with identifiable abort, in Advances in Cryptology—CRYPTO 2014—34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17–21, 2014, Proceedings, Part II (2014), pp. 369–386

  35. Y. T. Kalai, Smooth projective hashing and two-message oblivious transfer, in Annual International Conference on the Theory and Applications of Cryptographic Techniques (Springer, 2005), pp. 78–95

  36. J. Katz, On achieving the “best of both worlds” in secure multiparty computation, in Proceedings of the 39th Annual ACM Symposium on Theory of Computing (STOC) (2007), pp. 11–20

  37. H. K. Maji, M. Wang, Black-box use of one-way functions is useless for optimal fair coin-tossing, IACR Cryptol. ePrint Arch. 2020, 253 (2020)

  38. H. K. Maji, M. Prabhakaran, A. Sahai, On the Computational Complexity of Coin Flipping, in Proceedings of the 51st Annual Symposium on Foundations of Computer Science (FOCS) (2010), pp. 613–622

  39. N. Makriyannis, On the classification of finite boolean functions up to fairness, in Security and Cryptography for Networks—9th International Conference, SCN 2014, volume 8642 of Lecture Notes in Computer Science (Springer, 2014a), pp. 135–154

  40. N. Makriyannis, On the classification of finite boolean functions up to fairness, in International Conference on Security and Cryptography for Networks (Springer, 2014b), pp. 135–154

  41. T. Moran, M. Naor, G. Segev, An optimally fair coin toss, in Theory of Cryptography, Sixth Theory of Cryptography Conference, TCC 2009 (2009), pp. 1–18

  42. M. Naor, Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991). Preliminary version in CRYPTO’89.

  43. M. Naor, B. Pinkas, Efficient oblivious transfer protocols, in Proceedings of the twelfth annual ACM-SIAM symposium on Discrete algorithms (Society for Industrial and Applied Mathematics, 2001), pp. 448–457

  44. R. Pass, Bounded-concurrent secure multi-party computation with a dishonest majority, in Proceedings of the 36th Annual ACM Symposium on Theory of Computing (STOC) (2004), pp. 232–241

  45. M. O. Rabin, How to exchange secrets with oblivious transfer, 2005. URL http://eprint.iacr.org/2005/187. Harvard University Technical Report 81

  46. A. Shamir, How to share a secret. Commun. ACM, 22(11), 612–613 (1979)

Acknowledgements

We are grateful to Iftach Haitner and Amos Beimel for useful conversations.

Author information

Corresponding author

Correspondence to Eran Omri.

Additional information

Communicated by Rafail Ostrovsky.

This work was supported by ISF Grant 544/13 and by the Ariel Cyber Innovation Center in conjunction with the Israel National Cyber directorate in the Prime Minister’s Office. A preliminary version of this work appeared in [2].

About this article

Cite this article

Alon, B., Omri, E. Almost-Optimally Fair Multiparty Coin-Tossing with Nearly Three-Quarters Malicious. J Cryptol 36, 24 (2023). https://doi.org/10.1007/s00145-023-09466-2

  • DOI: https://doi.org/10.1007/s00145-023-09466-2
