Can Optimally-Fair Coin Tossing Be Based on One-Way Functions?

  • Dana Dachman-Soled
  • Mohammad Mahmoody
  • Tal Malkin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8349)


Coin tossing is a basic cryptographic task that allows two distrustful parties to obtain an unbiased random bit in a way that neither party can bias the output by deviating from the protocol or halting the execution. Cleve [STOC’86] showed that in any r round coin tossing protocol one of the parties can bias the output by Ω(1/r) through a “fail-stop” attack; namely, they simply execute the protocol honestly and halt at some chosen point. In addition, relying on an earlier work of Blum [COMPCON’82], Cleve presented an r-round protocol based on one-way functions that was resilient to bias at most \(O(1/\sqrt r)\). Cleve’s work left open whether ”‘optimally-fair’” coin tossing (i.e. achieving bias O(1/r) in r rounds) is possible. Recently Moran, Naor, and Segev [TCC’09] showed how to construct optimally-fair coin tossing based on oblivious transfer, however, it was left open to find the minimal assumptions necessary for optimally-fair coin tossing. The work of Dachman-Soled et al. [TCC’11] took a step toward answering this question by showing that any black-box construction of optimally-fair coin tossing based on a one-way functions with n-bit input and output needs Ω(n/logn) rounds.

In this work we take another step towards understanding the complexity of optimally-fair coin-tossing by showing that this task (with an arbitrary number of rounds) cannot be based on one-way functions in a black-box way, as long as the protocol is ”‘oblivious’” to the implementation of the one-way function. Namely, we consider a natural class of black-box constructions based on one-way functions, called function oblivious, in which the output of the protocol does not depend on the specific implementation of the one-way function and only depends on the randomness of the parties. Other than being a natural notion on its own, the known coin tossing protocols of Blum and Cleve (both based on one-way functions) are indeed function oblivious. Thus, we believe our lower bound for function-oblivious constructions is a meaningful step towards resolving the fundamental open question of the complexity of optimally-fair coin tossing.


Coin-Tossing One-Way Functions Black-Box Separations 


  1. [Blu82]
    Blum, M.: Coin flipping by telephone - a protocol for solving impossible problems. In: COMPCON, pp. 133–137 (1982)Google Scholar
  2. [BM07]
    Barak, B., Mahmoody, M.: Lower bounds on signatures from symmetric primitives. In: FOCS: IEEE Symposium on Foundations of Computer Science, FOCS (2007)Google Scholar
  3. [BM09]
    Barak, B., Mahmoody-Ghidary, M.: Merkle puzzles are optimal–an o(n 2)-query attack on key exchange from a random oracle. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 374–390. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  4. [BM13]
    Barak, B., Mahmoody, M.: Merkle’s key agreement protocol is optimal - an O(n 2)-query attack on any key exchange from random oracles (2013),
  5. [CI93]
    Cleve, R., Impagliazzo, R.: Martingales, collective coin flipping and discrete control processes (1993) (unpublished)Google Scholar
  6. [Cle86]
    Cleve, R.: Limits on the security of coin flips when half the processors are faulty (extended abstract). In: STOC, pp. 364–369 (1986)Google Scholar
  7. [DSLMM11]
    Dachman-Soled, D., Lindell, Y., Mahmoody, M., Malkin, T.: On the black-box complexity of optimally-fair coin tossing. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 450–467. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  8. [GGM86]
    Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)CrossRefMathSciNetGoogle Scholar
  9. [GM84]
    Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)CrossRefzbMATHMathSciNetGoogle Scholar
  10. [GT00]
    Gennaro, R., Trevisan, L.: Lower bounds on the efficiency of generic cryptographic constructions. In: FOCS, pp. 305–313 (2000)Google Scholar
  11. [HILL99]
    Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)CrossRefzbMATHMathSciNetGoogle Scholar
  12. [HOZ13]
    Haitner, I., Omri, E., Zarosim, H.: Limits on the usefulness of random oracles. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 437–456. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  13. [IL89]
    Impagliazzo, R., Luby, M.: One-way functions are essential for complexity based cryptography (extended abstract). In: FOCS, pp. 230–235 (1989)Google Scholar
  14. [IR89]
    Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: STOC, pp. 44–61 (1989)Google Scholar
  15. [LR88]
    Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)CrossRefzbMATHMathSciNetGoogle Scholar
  16. [MMP13]
    Mahmoody, M., Maji, H.K., Prabhakaran, M.: Limits of random oracles in secure computation. To Appear in: Innovations in Theoretical Computer Science, ITCS (2013)Google Scholar
  17. [MNS09]
    Moran, T., Naor, M., Segev, G.: An optimally fair coin toss. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 1–18. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  18. [Nao91]
    Naor, M.: Bit commitment using pseudorandomness. J. Cryptology 4(2), 151–158 (1991)CrossRefzbMATHGoogle Scholar
  19. [NY89]
    Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: STOC, pp. 33–43 (1989)Google Scholar
  20. [Rom90]
    Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: STOC, pp. 387–394 (1990)Google Scholar
  21. [RTV04]
    Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  22. [Yao82]
    Yao, A.C.-C.: Theory and applications of trapdoor functions. In: FOCS, pp. 80–91 (1982)Google Scholar

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Dana Dachman-Soled
    • 1
  • Mohammad Mahmoody
    • 2
  • Tal Malkin
    • 3
  1. 1.University of MarylandUSA
  2. 2.University of VirginiaUSA
  3. 3.Columbia University and Bar-Ilan UniversityUSA

Personalised recommendations