Leakage-Resilient Coin Tossing

  • Elette Boyle
  • Shafi Goldwasser
  • Yael Tauman Kalai
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6950)


The ability to collectively toss a common coin among n parties in the presence of faults is an important primitive in the arsenal of randomized distributed protocols. In the case of dishonest majority, it was shown to be impossible to achieve less than \(\frac{1}{r}\) bias in O(r) rounds (Cleve STOC ’86). In the case of honest majority, in contrast, unconditionally secure O(1)-round protocols for generating common unbiased coins follow from general completeness theorems on multi-party secure protocols in the secure channels model (e.g., BGW, CCD STOC ’88).

However, in the O(1)-round protocols with honest majority, parties generate and hold secret values which are assumed to be perfectly hidden from malicious parties: an assumption which is crucial to proving the resulting common coin is unbiased. This assumption unfortunately does not seem to hold in practice, as attackers can launch side-channel attacks on the local state of honest parties and leak information on their secrets.
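
To make the hiding assumption concrete, the following is an added example, not code from the paper or its authors and not the paper's protocol (the leakage-resilient VSS and committee election are not reproduced). It implements the textbook honest-majority coin toss in the secure channels model: every party Shamir-shares a random field element, each party sums the shares it holds, and any t+1 summed shares reconstruct the coin. A rushing adversary that corrupts t parties sees t shares of every honest contribution and, as the code checks, cannot determine any of them; if side-channel leakage hands it a single extra share per honest dealer, it reconstructs every honest contribution and deals its own so that the coin equals a chosen target. The prime field, the party numbering, and the leakage pattern (one share of party t+1 per dealer) are assumptions for illustration.

```python
"""Honest-majority coin toss from Shamir sharing, and why hidden shares matter.

Added example, not the paper's protocol: textbook "each party deals a random
contribution, then all reconstruct the sum" coin toss, plus a rushing adversary
that learns nothing from t shares but fixes the coin once one extra share per
honest dealer leaks. Field, party ids and leakage pattern are assumptions.
"""
import secrets

P = 2**61 - 1  # prime field for Shamir sharing (assumed; any prime > n works)


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[k] * x**k) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def shamir_share(secret, t, n):
    """Degree-t polynomial f with f(0) = secret; party i (1..n) gets f(i).
    Any t+1 shares determine f; any t shares are uniform and reveal nothing."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return {i: _eval_poly(coeffs, i) for i in range(1, n + 1)}


def lagrange_reconstruct(points):
    """Recover f(0) from {x: f(x)} holding at least t+1 distinct points."""
    secret = 0
    for i, y in points.items():
        num, den = 1, 1
        for j in points:
            if i != j:
                num = num * (-j) % P
                den = den * (i - j) % P
        secret = (secret + y * num * pow(den, P - 2, P)) % P
    return secret


def reconstruct_coin(dealt, t, n):
    """dealt: {dealer: {party: share}}. Party j's coin share is the sum of the
    shares it holds (a sum of degree-t polynomials is degree t), so t+1 coin
    shares reconstruct sum(r_i) mod P. The low bit is the common coin; its
    bias from a uniform field element is 1/(2P)."""
    coin_shares = {j: sum(dealt[i][j] for i in dealt) % P for j in range(1, n + 1)}
    return lagrange_reconstruct({j: coin_shares[j] for j in range(1, t + 2)})


def t_shares_hide_secret(shares, t):
    """t shares of a degree-t polynomial are consistent with every secret: two
    different guesses for one more point interpolate to two different f(0)."""
    view = {i: shares[i] for i in range(1, t + 1)}
    s0 = lagrange_reconstruct({**view, t + 1: 0})
    s1 = lagrange_reconstruct({**view, t + 1: 1})
    return s0 != s1


def rushing_adversary(honest_dealt, corrupt, t, target, leaked=None):
    """Adversary controlling `corrupt` (|corrupt| <= t) sees those parties'
    shares of every honest contribution, plus leaked[dealer] = (party, share)
    if leakage handed it one more. Returns the contribution it must deal to
    force the coin to `target`, or None if honest contributions stay hidden."""
    total = 0
    for dealer, shares in honest_dealt.items():
        view = {i: shares[i] for i in corrupt}
        if leaked and dealer in leaked:
            x, y = leaked[dealer]
            view[x] = y
        if len(view) <= t:
            return None  # at most t points: f(0) is undetermined
        total = (total + lagrange_reconstruct(view)) % P
    return (target - total) % P


def run(n=7, t=2, target=42, leak=False):
    """One execution with parties 1..t corrupt and t+1..n honest. With
    leak=True each honest dealer leaks party t+1's share to the adversary
    (assumed leakage pattern). Returns (coin, adversary_fixed_coin)."""
    corrupt = set(range(1, t + 1))
    honest = {j: secrets.randbelow(P) for j in range(t + 1, n + 1)}
    dealt = {j: shamir_share(r, t, n) for j, r in honest.items()}
    leaked = {j: (t + 1, dealt[j][t + 1]) for j in dealt} if leak else None
    r_adv = rushing_adversary(dealt, corrupt, t, target, leaked)
    fixed = r_adv is not None
    if not fixed:
        r_adv = secrets.randbelow(P)  # independent of honest values: coin stays uniform
    dealt[1] = shamir_share(r_adv, t, n)
    for i in corrupt - {1}:
        dealt[i] = shamir_share(0, t, n)  # remaining corrupt parties contribute nothing
    return reconstruct_coin(dealt, t, n), fixed


if __name__ == "__main__":
    print("no leakage:", run(leak=False))
    print("one leaked share per dealer:", run(leak=True))
```

The point of the example is the gap between the two runs: with t shares the adversary's view is information-theoretically independent of every honest contribution, which is exactly what the unbiasedness proof uses, while a leak of one more share per dealer (a constant fraction of an honest party's secret state, far less than the whole) turns the same protocol into one whose output the adversary chooses outright. Tolerating such leakage without losing unbiasedness is what the paper's leakage-resilient VSS is for.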

In this work, we present an O(1)-round protocol for collectively generating an unbiased common coin, in the presence of leakage on the local state of the honest parties. We tolerate \(t \le (\frac{1}{3} - \epsilon) n\) computationally-unbounded Byzantine faults and in addition a Ω(1)-fraction leakage on each (honest) party’s secret state. Our results hold in the memory leakage model (of Akavia, Goldwasser, Vaikuntanathan ’08) adapted to the distributed setting.

Additional contributions of our work are the tools we introduce to achieve the collective coin toss: a procedure for disjoint committee election, and leakage-resilient verifiable secret sharing.


References

  1. Akavia, A., Goldwasser, S., Hazay, C.: Distributed public key schemes secure against continual leakage (2010) (manuscript)
  2. Akavia, A., Goldwasser, S., Vaikuntanathan, V.: Simultaneous hardcore bits and cryptography against memory attacks. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 474–495. Springer, Heidelberg (2009)
  3. Ben-Or, M.: Another advantage of free choice: Completely asynchronous agreement protocols (extended abstract). In: PODC, pp. 27–30 (1983)
  4. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: STOC, pp. 1–10 (1988)
  5. Bitansky, N., Canetti, R., Goldwasser, S., Halevi, S., Kalai, Y., Rothblum, G.: Program obfuscation with leaky hardware (manuscript, 2011)
  6. Boyle, E., Goldwasser, S., Kalai, Y.T.: Leakage-resilient coin tossing. Cryptology ePrint Archive, Report 2011/291 (2011)
  7. Bracha, G.: An asynchronous [(n − 1)/3]-resilient consensus protocol. In: PODC, pp. 154–162 (1984)
  8. Canetti, R., Feige, U., Goldreich, O., Naor, M.: Adaptively secure multi-party computation. In: STOC, pp. 639–648 (1996)
  9. Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols (extended abstract). In: STOC, pp. 11–19 (1988)
  10. Chor, B., Goldwasser, S., Micali, S., Awerbuch, B.: Verifiable secret sharing and achieving simultaneity in the presence of faults. In: FOCS, pp. 383–395 (1985)
  11. Cleve, R.: Limits on the security of coin flips when half the processors are faulty (extended abstract). In: STOC, pp. 364–369 (1986)
  12. Dwork, C., Shmoys, D.B., Stockmeyer, L.J.: Flipping persuasively in constant time. SIAM J. Comput. 19(3), 472–499 (1990)
  13. Dziembowski, S., Pietrzak, K.: Leakage-resilient cryptography. In: FOCS (2008)
  14. Feige, U.: Noncryptographic selection protocols. In: FOCS (1999)
  15. Feldman, P., Micali, S.: Byzantine agreement in constant expected time (and trusting no one). In: FOCS, pp. 267–276 (1985)
  16. Garg, S., Jain, A., Sahai, A.: Leakage-resilient zero knowledge. In: Advances in Cryptology – CRYPTO 2011 (to appear, 2011)
  17. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC (1987)
  18. Goldwasser, S., Micali, S.: Probabilistic encryption and how to play mental poker keeping secret all partial information. In: STOC, pp. 365–377 (1982)
  19. Goldwasser, S., Sudan, M., Vaikuntanathan, V.: Distributed computing with imperfect randomness. In: Fraigniaud, P. (ed.) DISC 2005. LNCS, vol. 3724, pp. 288–302. Springer, Heidelberg (2005)
  20. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: Securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)
  21. Kalai, Y.T., Li, X., Rao, A.: 2-source extractors under computational assumptions and cryptography with defective randomness. In: FOCS, pp. 617–626 (2009)
  22. Kalai, Y.T., Li, X., Rao, A., Zuckerman, D.: Network extractor protocols. In: FOCS, pp. 654–663 (2008)
  23. Kamp, J., Rao, A., Vadhan, S., Zuckerman, D.: Deterministic extractors for small-space sources. In: STOC, pp. 691–700 (2006)
  24. McEliece, R.J., Sarwate, D.V.: On sharing secrets and Reed-Solomon codes. Commun. ACM 24, 583–584 (1981)
  25. Micali, S., Reyzin, L.: Physically observable cryptography. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 278–296. Springer, Heidelberg (2004)
  26. Moran, T., Naor, M., Segev, G.: An optimally fair coin toss. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 1–18. Springer, Heidelberg (2009)
  27. Naor, M., Segev, G.: Public-key cryptosystems resilient to key leakage. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 18–35. Springer, Heidelberg (2009)
  28. Rabin, M.O.: Randomized Byzantine generals. In: FOCS, pp. 403–409 (1983)
  29. Shamir, A.: How to share a secret. Commun. ACM 22, 612–613 (1979)

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Elette Boyle (1)
  • Shafi Goldwasser (1, 2)
  • Yael Tauman Kalai (3)
  1. MIT, Cambridge, USA
  2. Weizmann Institute of Science, Rehovot, Israel
  3. Microsoft Research New England, Cambridge, USA