A Lower Bound for Adaptively-Secure Collective Coin Flipping Protocols


In 1985, Ben-Or and Linial (Advances in Computing Research 1989) introduced the collective coin flipping problem, where n parties communicate via a single broadcast channel and wish to generate a common random bit in the presence of adaptive Byzantine corruptions. In this model, the adversary can decide to corrupt a party in the course of the protocol as a function of the messages seen so far. They showed that the majority protocol, in which each player sends a random bit and the output is the majority value, tolerates O(√n) adaptive corruptions. They conjectured that this is optimal for such adversaries.

We prove that the majority protocol is optimal (up to a poly-logarithmic factor) among all protocols in which each party sends a single, possibly long, message.

Previously, such a lower bound was known for protocols in which parties are allowed to send only a single bit (Lichtenstein, Linial, and Saks, Combinatorica 1989), or for symmetric protocols (Goldwasser, Kalai, and Park, ICALP 2015).

This is a preview of subscription content, access via your institution.


  1. [1]

    B. Awerbuch, M. Blum, B. Chor, S. Goldwasser and S Micali: How to implement bracha’s o(logn) byzantine agreement algorithm, 1985, unpublished manuscript.

    Google Scholar 

  2. [2]

    M. Ajtai and N. Llnial: The influence of large coalitions, Combinatorial 13 (1993), 129–145.

    MathSciNet  Article  Google Scholar 

  3. [3]

    N. Alon and M. Naor: Coin-flipping games immune against linear-sized coalitions, SIAM J. Comput. 22 (1993), 403–417.

    MathSciNet  Article  Google Scholar 

  4. [4]

    B. Alon and E. Omri: Almost-optimally fair multiparty coin-tossing with nearly three-quarters malicious, in: Theory of Cryptography - 14th International Conference, TCC 2016-B, 307–335, 2016.

    Google Scholar 

  5. [5]

    J. Aspnes: Lower bounds for distributed coin-flipping and randomized consensus, J. Acm 45 (1998), 415–450.

    MathSciNet  Article  Google Scholar 

  6. [6]

    N. Buchbinder, I. Haitner, N. Levi and E. Tsfadia: Fair coin nipping: Tighter analysis and the many-party case, in: Proceedings of the Twenty-Eighth Annual ACM-SIAM Symposium on Discrete Algorithms, SODA, 2580–2600. SIAM, 2017.

    Google Scholar 

  7. [7]

    A. Beimel, I. Haitner, N. Makriyannis and E. Omri: Tighter bounds on multiparty coin nipping, via augmented weak martingales and di erentially private sampling, Electronic Colloquium on Computational Complexity (ECCC), 24:168, 2017.

    Google Scholar 

  8. [8]

    I. Berman, I. Haitner and A. Tentes: Coin flipping of Any constant bias implies one-way functions, J. Acm, 65 (2018), 1–95.

    MathSciNet  Article  Google Scholar 

  9. [9]

    M. Ben-Or and Nathan Linial: Collective coin flipping, Advances in Computing Research 5 (1989), 91–115.

    Google Scholar 

  10. [10]

    M. Blum: How to exchange (secret) keys, ACM Trans. Comput. Syst. 1 (1983), 175–193.

    Article  Google Scholar 

  11. [11]

    R. B. Boppana and B. O. Narayanan: Perfect-information leader election with optimal resilience, SIAM J. Comput. 29 (2000), 1304–1320.

    MathSciNet  Article  Google Scholar 

  12. [12]

    A. Beimel, E. Omri and I. Orlov: Protocols for multiparty coin toss with a dishonest majority, J. Cryptology 28 (2015), 551–600.

    MathSciNet  Article  Google Scholar 

  13. [13]

    R. Cleve and R. Impagliazzo: Martingales, collective coin flipping and discrete control processes (extended abstract), 1993, unpublished manuscript.

    Google Scholar 

  14. [14]

    R. Cleve: Limits on the security of coin flips when half the processors are faulty (extended abstract), in: Juris Hartmanis, editor, Proceedings of the 18th Annual ACM Symposium on Theory of Computing, 364–369. ACM, 1986.

    Google Scholar 

  15. [15]

    D. Dachman-Soled, Y. Llndell, M. Mahmoody and T. Malkin: On the black-box complexity of optimally-fair coin tossing, in: Theory of Cryptography - TCC, 450–467, 2011.

    Google Scholar 

  16. [16]

    D. Dachman-Soled, M. Mahmoody and T. Malkin: Can optimally-fair coin tossing be based on one-way functions?, in: Theory of Cryptography - TCC, 217–239, 2014.

    Google Scholar 

  17. [17]

    Y. Dodis: Impossibility of black-box reduction from non-adaptively to adaptively secure coin-flipping, Electronic Colloquium on Computational Complexity (ECCC), 7(39), 2000.

    Google Scholar 

  18. [18]

    D. P. Dubhashi and A. Panconesi: Concentration of Measure for the Analysis of Randomized Algorithms, Cambridge University Press, 2009.

    Google Scholar 

  19. [19]

    O. Etesami, S. Mahloujifar and M. Mahmoody: Computational concentration of measure: Optimal bounds, reductions, and more, CoRR, arXiv:1907.05401, 2019.

    Google Scholar 

  20. [20]

    U. Feige: Noncryptographic selection protocols, in: 40th Annual Symposium on Foundations of Computer Science, FOGS, 142–153, 1999.

    Google Scholar 

  21. [21]

    S. Goldwasser, Y. T. Kalai and S. Park: Adaptively secure coin-flipping, revisited, in: 42nd International Colloquium on Automata, Languages and Programming,, ICALP, 663–674, 2015.

    Google Scholar 

  22. [22]

    I. Haitner, N. Makriyannis and E. Omri: On the complexity of fair coin nipping, in: Theory of Cryptography - 16th International Conference, TCC, 539–562, 2018.

    Google Scholar 

  23. [23]

    I. Haitner and E. Omri: Coin nipping with constant bias implies one-way functions, SIAM J. Comput. 43 (2014), 389–409.

    MathSciNet  Article  Google Scholar 

  24. [24]

    I. Haitner and E. Tsfadia: An almost-optimally fair three-party coin-flipping protocol, SIAM J. Comput. 46 (2017), 479–542.

    MathSciNet  Article  Google Scholar 

  25. [25]

    R. Impagliazzo and M. Luby: One-way functions are essential for complexity based cryptography (extended abstract), in: 30th Annual Symposium on Foundations of Computer Science, FOCS, 230–235. IEEE Computer Society, 1989.

    Google Scholar 

  26. [26]

    Y. T. Kalai and I. Komargodski: Compressing communication in distributed protocols, in: Distributed Computing - 29th International Symposium, DISC, 467–479, 2015.

    Google Scholar 

  27. [27]

    J. Kahn, G. Kalai and N. Linial: The influence of variables on boolean functions (extended abstract), in: 29th Annual Symposium on Foundations of Computer Science, FOCS, 68–80, 1988.

    Google Scholar 

  28. [28]

    D. Llchtenstein, N. Llnial and M. E. Saks: Some extremal problems arising form discrete control processes, Combinatorial 9 (1989), 269–287.

    Article  Google Scholar 

  29. [29]

    S. Mahloujifar and M. Mahmoody: Can adversarially robust learning leverage-computational hardness? in: Algorithmic Learning Theory, ALT, 581–609, 2019.

    Google Scholar 

  30. [30]

    T. Moran, M. Naor and G. Segev: An optimally fair coin toss, J. Cryptology 29 (2016), 491–513.

    MathSciNet  Article  Google Scholar 

  31. [31]

    H. K. Maji, M. Prabhakaran and A. Sahai: On the computational complexity of coin nipping, in: 51th Annual IEEE Symposium on Foundations of Computer Science, FOCS, 613–622. IEEE Computer Society, 2010.

    Google Scholar 

  32. [32]

    A. Russell, M. E. Saks and D. Zuckerman: Lower bounds for leader election and collective coin-flipping in the perfect information model, SIAM J. Comput. 31 (2002), 1645–1662.

    MathSciNet  Article  Google Scholar 

  33. [33]

    M. E. Saks: A robust noncryptographic protocol for collective coin flipping, SIAM J. Discrete Math. 2 (1989), 240–244.

    MathSciNet  Article  Google Scholar 

Download references


We thank Michael Ben-Or for letting us know about [5].

Author information



Corresponding author

Correspondence to Ilan Komargodski.

Additional information

Part of this work done at MSR New England and Cornell Tech.

Research supported by the Simons Collaboration on Algorithms and Geometry and by the National Science Foundation grants No. CCF-1714779 and CCF-1412958.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Kalai, Y.T., Komargodski, I. & Raz, R. A Lower Bound for Adaptively-Secure Collective Coin Flipping Protocols. Combinatorica 41, 75–98 (2021). https://doi.org/10.1007/s00493-020-4147-4

Download citation

Mathematics Subject Classification (2010)

  • 68Q01
  • 68Q17
  • 68Q25