In 1985, Ben-Or and Linial (Advances in Computing Research 1989) introduced the collective coin flipping problem, where n parties communicate via a single broadcast channel and wish to generate a common random bit in the presence of adaptive Byzantine corruptions. In this model, the adversary can decide to corrupt a party in the course of the protocol as a function of the messages seen so far. They showed that the majority protocol, in which each player sends a random bit and the output is the majority value, tolerates O(√n) adaptive corruptions. They conjectured that this is optimal for such adversaries.
We prove that the majority protocol is optimal (up to a poly-logarithmic factor) among all protocols in which each party sends a single, possibly long, message.
Previously, such a lower bound was known for protocols in which parties are allowed to send only a single bit (Lichtenstein, Linial, and Saks, Combinatorica 1989), or for symmetric protocols (Goldwasser, Kalai, and Park, ICALP 2015).
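Added example, not part of the paper: an exact computation of how far an adversary with a given corruption budget can push the majority protocol toward output 1. It assumes the adversary decides whether to corrupt the next sender after seeing all earlier broadcasts but before that sender's bit is drawn, and that corrupted parties send 1; the function names are this example's own. For this protocol the optimal adaptive strategy turns out to do exactly as well as corrupting a fixed set in advance.

```python
from fractions import Fraction
from functools import lru_cache
from math import comb


def adaptive_bias_to_one(n: int, budget: int) -> Fraction:
    """Exact max probability that majority outputs 1 against an optimal
    adaptive adversary holding `budget` corruptions (assumed model above)."""
    assert n % 2 == 1, "odd n avoids ties"

    @lru_cache(maxsize=None)
    def value(i: int, ones: int, left: int) -> Fraction:
        # i parties have already broadcast; `ones` of those messages were 1.
        if i == n:
            return Fraction(int(2 * ones > n))
        # Leave party i honest: it broadcasts a uniform bit.
        honest = (value(i + 1, ones + 1, left) + value(i + 1, ones, left)) / 2
        if left == 0:
            return honest
        # Corrupt party i: it broadcasts 1 and one corruption is spent.
        corrupt = value(i + 1, ones + 1, left - 1)
        return max(honest, corrupt)

    return value(0, 0, budget)


def static_bias_to_one(n: int, t: int) -> Fraction:
    """Same quantity when t parties are fixed in advance and always send 1."""
    t = min(t, n)
    honest = n - t
    need = (n + 1) // 2 - t          # ones still required from honest parties
    if need <= 0:
        return Fraction(1)
    return Fraction(sum(comb(honest, k) for k in range(need, honest + 1)),
                    2 ** honest)


if __name__ == "__main__":
    n = 101                          # constructed parameter; sqrt(n) is about 10
    for t in (0, 2, 5, 10, 20):
        p = adaptive_bias_to_one(n, t)
        print(f"t={t:2d}  Pr[output=1]={float(p):.4f}  "
              f"matches static: {p == static_bias_to_one(n, t)}")
```
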
B. Awerbuch, M. Blum, B. Chor, S. Goldwasser and S. Micali: How to implement Bracha’s O(log n) Byzantine agreement algorithm, 1985, unpublished manuscript.
M. Ajtai and N. Linial: The influence of large coalitions, Combinatorica 13 (1993), 129–145.
N. Alon and M. Naor: Coin-flipping games immune against linear-sized coalitions, SIAM J. Comput. 22 (1993), 403–417.
B. Alon and E. Omri: Almost-optimally fair multiparty coin-tossing with nearly three-quarters malicious, in: Theory of Cryptography - 14th International Conference, TCC 2016-B, 307–335, 2016.
J. Aspnes: Lower bounds for distributed coin-flipping and randomized consensus, J. ACM 45 (1998), 415–450.
N. Buchbinder, I. Haitner, N. Levi and E. Tsfadia: Fair coin flipping: Tighter analysis and the many-party case, in: Proceedings of the Twenty-Eighth Annual ACM-SIAM Symposium on Discrete Algorithms, SODA, 2580–2600. SIAM, 2017.
A. Beimel, I. Haitner, N. Makriyannis and E. Omri: Tighter bounds on multiparty coin flipping, via augmented weak martingales and differentially private sampling, Electronic Colloquium on Computational Complexity (ECCC), 24:168, 2017.
I. Berman, I. Haitner and A. Tentes: Coin flipping of any constant bias implies one-way functions, J. ACM 65 (2018), 1–95.
M. Ben-Or and N. Linial: Collective coin flipping, Advances in Computing Research 5 (1989), 91–115.
M. Blum: How to exchange (secret) keys, ACM Trans. Comput. Syst. 1 (1983), 175–193.
R. B. Boppana and B. O. Narayanan: Perfect-information leader election with optimal resilience, SIAM J. Comput. 29 (2000), 1304–1320.
A. Beimel, E. Omri and I. Orlov: Protocols for multiparty coin toss with a dishonest majority, J. Cryptology 28 (2015), 551–600.
R. Cleve and R. Impagliazzo: Martingales, collective coin flipping and discrete control processes (extended abstract), 1993, unpublished manuscript.
R. Cleve: Limits on the security of coin flips when half the processors are faulty (extended abstract), in: Juris Hartmanis, editor, Proceedings of the 18th Annual ACM Symposium on Theory of Computing, 364–369. ACM, 1986.
D. Dachman-Soled, Y. Lindell, M. Mahmoody and T. Malkin: On the black-box complexity of optimally-fair coin tossing, in: Theory of Cryptography - TCC, 450–467, 2011.
D. Dachman-Soled, M. Mahmoody and T. Malkin: Can optimally-fair coin tossing be based on one-way functions?, in: Theory of Cryptography - TCC, 217–239, 2014.
Y. Dodis: Impossibility of black-box reduction from non-adaptively to adaptively secure coin-flipping, Electronic Colloquium on Computational Complexity (ECCC), 7(39), 2000.
D. P. Dubhashi and A. Panconesi: Concentration of Measure for the Analysis of Randomized Algorithms, Cambridge University Press, 2009.
O. Etesami, S. Mahloujifar and M. Mahmoody: Computational concentration of measure: Optimal bounds, reductions, and more, CoRR, arXiv:1907.05401, 2019.
U. Feige: Noncryptographic selection protocols, in: 40th Annual Symposium on Foundations of Computer Science, FOCS, 142–153, 1999.
S. Goldwasser, Y. T. Kalai and S. Park: Adaptively secure coin-flipping, revisited, in: 42nd International Colloquium on Automata, Languages and Programming, ICALP, 663–674, 2015.
I. Haitner, N. Makriyannis and E. Omri: On the complexity of fair coin flipping, in: Theory of Cryptography - 16th International Conference, TCC, 539–562, 2018.
I. Haitner and E. Omri: Coin flipping with constant bias implies one-way functions, SIAM J. Comput. 43 (2014), 389–409.
I. Haitner and E. Tsfadia: An almost-optimally fair three-party coin-flipping protocol, SIAM J. Comput. 46 (2017), 479–542.
R. Impagliazzo and M. Luby: One-way functions are essential for complexity based cryptography (extended abstract), in: 30th Annual Symposium on Foundations of Computer Science, FOCS, 230–235. IEEE Computer Society, 1989.
Y. T. Kalai and I. Komargodski: Compressing communication in distributed protocols, in: Distributed Computing - 29th International Symposium, DISC, 467–479, 2015.
J. Kahn, G. Kalai and N. Linial: The influence of variables on boolean functions (extended abstract), in: 29th Annual Symposium on Foundations of Computer Science, FOCS, 68–80, 1988.
D. Lichtenstein, N. Linial and M. E. Saks: Some extremal problems arising from discrete control processes, Combinatorica 9 (1989), 269–287.
S. Mahloujifar and M. Mahmoody: Can adversarially robust learning leverage computational hardness? in: Algorithmic Learning Theory, ALT, 581–609, 2019.
T. Moran, M. Naor and G. Segev: An optimally fair coin toss, J. Cryptology 29 (2016), 491–513.
H. K. Maji, M. Prabhakaran and A. Sahai: On the computational complexity of coin flipping, in: 51th Annual IEEE Symposium on Foundations of Computer Science, FOCS, 613–622. IEEE Computer Society, 2010.
A. Russell, M. E. Saks and D. Zuckerman: Lower bounds for leader election and collective coin-flipping in the perfect information model, SIAM J. Comput. 31 (2002), 1645–1662.
M. E. Saks: A robust noncryptographic protocol for collective coin flipping, SIAM J. Discrete Math. 2 (1989), 240–244.
We thank Michael Ben-Or for letting us know about .
Part of this work done at MSR New England and Cornell Tech.
Research supported by the Simons Collaboration on Algorithms and Geometry and by the National Science Foundation grants No. CCF-1714779 and CCF-1412958.
About this article
Cite this article
Kalai, Y.T., Komargodski, I. & Raz, R. A Lower Bound for Adaptively-Secure Collective Coin Flipping Protocols. Combinatorica 41, 75–98 (2021). https://doi.org/10.1007/s00493-020-4147-4