On the Black-Box Complexity of Optimally-Fair Coin Tossing

  • Dana Dachman-Soled
  • Yehuda Lindell
  • Mohammad Mahmoody
  • Tal Malkin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6597)


A fair two-party coin tossing protocol is one in which both parties output the same bit that is almost uniformly distributed (i.e., it equals 0 and 1 with probability that is at most negligibly far from one half). It is well known that it is impossible to achieve fair coin tossing even in the presence of fail-stop adversaries (Cleve, FOCS 1986). In fact, Cleve showed that for every coin tossing protocol running for r rounds, an efficient fail-stop adversary can bias the output by Ω(1/r). Since this is the best possible, a protocol that limits the bias of any adversary to O(1/r) is called optimally-fair. The only optimally-fair protocol that is known to exist relies on the existence of oblivious transfer, because it uses general secure computation (Moran, Naor and Segev, TCC 2009). However, it is possible to achieve a bias of \(O(1/\sqrt{r})\) in r rounds relying only on the assumption that there exist one-way functions. In this paper we show that it is impossible to achieve optimally-fair coin tossing via a black-box construction from one-way functions for r that is less than O(n/log n), where n is the input/output length of the one-way function used. An important corollary of this is that it is impossible to construct an optimally-fair coin tossing protocol via a black-box construction from one-way functions whose round complexity is independent of the security parameter n determining the security of the one-way function being used. Informally speaking, the main ingredient of our proof is to eliminate the random oracle from “secure” protocols with “low round-complexity” and simulate the protocol securely against semi-honest adversaries in the plain model. We believe our simulation lemma to be of broader interest.


Keywords: black-box separations, coin tossing, optimally-fair coin tossing, round-complexity, lower-bound


  1. [b82]
    Blum, M.: Coin flipping by telephone - a protocol for solving impossible problems. In: COMPCON, pp. 133–137 (1982)
  2. [bm07]
    Barak, B., Mahmoody, M.: Lower bounds on signatures from symmetric primitives. In: FOCS: IEEE Symposium on Foundations of Computer Science (FOCS) (2007)
  3. [bm09]
    Barak, B., Mahmoody-Ghidary, M.: Merkle puzzles are optimal — an \(O(n^2)\)-query attack on any key exchange from a random oracle. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 374–390. Springer, Heidelberg (2009)
  4. [c86]
    Cleve, R.: Limits on the security of coin flips when half the processors are faulty (extended abstract). In: STOC, pp. 364–369 (1986)
  5. [ci93]
    Cleve, R., Impagliazzo, R.: Martingales, collective coin flipping and discrete control processes (1993) (unpublished)
  6. [ggkt05]
    Gennaro, R., Gertner, Y., Katz, J., Trevisan, L.: Bounds on the efficiency of generic cryptographic constructions. SICOMP: SIAM Journal on Computing 35 (2005)
  7. [ggm86]
    Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
  8. [gims10]
    Goyal, V., Ishai, Y., Mahmoody, M., Sahai, A.: Interactive locking, zero-knowledge PCPs, and unconditional cryptography. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 173–190. Springer, Heidelberg (2010)
  9. [gm84]
    Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)
  10. [hhrs07]
    Haitner, I., Hoch, J.J., Reingold, O., Segev, G.: Finding collisions in interactive protocols - a tight lower bound on the round complexity of statistically-hiding commitments. In: FOCS, pp. 669–679 (2007)
  11. [hill99]
    Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
  12. [hno+09]
    Haitner, I., Nguyen, M.-H., Ong, S.J., Reingold, O., Vadhan, S.: Statistically hiding commitments and statistical zero-knowledge arguments from any one-way function. SIAM Journal on Computing 39(3), 1153–1218 (2009)
  13. [hr07]
    Haitner, I., Reingold, O.: A new interactive hashing theorem. In: IEEE Conference on Computational Complexity (CCC) (2007)
  14. [il89]
    Impagliazzo, R., Luby, M.: One-way functions are essential for complexity based cryptography (extended abstract). In: FOCS, pp. 230–235 (1989)
  15. [ir89]
    Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: STOC, pp. 44–61 (1989)
  16. [k92]
    Kushilevitz, E.: Privacy and communication complexity. SIAM J. Discrete Math 5(2), 273–284 (1992)
  17. [lr88]
    Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
  18. [mns09]
    Moran, T., Naor, M., Segev, G.: An optimally fair coin toss. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 1–18. Springer, Heidelberg (2009)
  19. [mp10]
    Maji, H., Prabhakaran, M.: Personal communication (2010)
  20. [mpr09]
    Maji, H.K., Prabhakaran, M., Rosulek, M.: Complexity of multi-party computation problems: The case of 2-party symmetric secure function evaluation. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 256–273. Springer, Heidelberg (2009)
  21. [n91]
    Naor, M.: Bit commitment using pseudorandomness. J. Cryptology 4(2), 151–158 (1991)
  22. [novy98]
    Naor, M., Ostrovsky, R., Venkatesan, R., Yung, M.: Perfect zero-knowledge arguments for NP using any one-way permutation. JCRYPTOL: Journal of Cryptology 11 (1998)
  23. [ny89]
    Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: STOC, pp. 33–43 (1989)
  24. [r90]
    Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: STOC, pp. 387–394 (1990)
  25. [rtv04]
    Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004)
  26. [y82]
    Yao, A.C.-C.: Theory and applications of trapdoor functions. In: FOCS, pp. 80–91 (1982)

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Dana Dachman-Soled (1)
  • Yehuda Lindell (2)
  • Mohammad Mahmoody (3)
  • Tal Malkin (1)

  1. Columbia University, USA
  2. Bar-Ilan University, Israel
  3. Cornell University, USA
