TY - GEN
T1 - An almost-optimally fair three-party coin-flipping protocol
AU - Haitner, Iftach
AU - Tsfadia, Eliad
PY - 2014
Y1 - 2014
N2 - In a multiparty fair coin-flipping protocol, the parties output a common (close to) unbiased bit, even when some corrupted parties try to bias the output. Cleve [STOC 1986] has shown that in the case of dishonest majority (i.e., at least half of the parties can be corrupted), in any m-round coinflipping protocol, the corrupted parties can bias the honest parties' common output bit by Ω(1/m). For more than two decades, the best known coin-flipping protocols against dishonest majority had bias ⊖(√ ℓ m), where ℓ is the number of corrupted parties. This was changed by a recent breakthrough result of Moran et al. [TCC 2009], who constructed an m-round, two-party coin-flipping protocol with optimal bias θ(1/m). In a subsequent work, Beimel et al. [Crypto 2010] extended this result to the multiparty case in which less than 2/3 of the parties can be corrupted. Still for the case of 2 3 (or more) corrupted parties, the best known protocol had bias θ(√ ℓ m). In particular, this was the state of affairs for the natural three-party case. We make a step towards eliminating the above gap, presenting an m-round, three-party coin-flipping protocol, with bias O(log2 m) m . Our approach (which we also apply for the two-party case) does not follow the "threshold round" paradigm used in the work of Moran et al. and Beimel et al., but rather is a variation of the majority protocol of Cleve, used to obtain the aforementioned θ(√ℓ m)-bias protocol.
AB - In a multiparty fair coin-flipping protocol, the parties output a common (close to) unbiased bit, even when some corrupted parties try to bias the output. Cleve [STOC 1986] has shown that in the case of dishonest majority (i.e., at least half of the parties can be corrupted), in any m-round coinflipping protocol, the corrupted parties can bias the honest parties' common output bit by Ω(1/m). For more than two decades, the best known coin-flipping protocols against dishonest majority had bias ⊖(√ ℓ m), where ℓ is the number of corrupted parties. This was changed by a recent breakthrough result of Moran et al. [TCC 2009], who constructed an m-round, two-party coin-flipping protocol with optimal bias θ(1/m). In a subsequent work, Beimel et al. [Crypto 2010] extended this result to the multiparty case in which less than 2/3 of the parties can be corrupted. Still for the case of 2 3 (or more) corrupted parties, the best known protocol had bias θ(√ ℓ m). In particular, this was the state of affairs for the natural three-party case. We make a step towards eliminating the above gap, presenting an m-round, three-party coin-flipping protocol, with bias O(log2 m) m . Our approach (which we also apply for the two-party case) does not follow the "threshold round" paradigm used in the work of Moran et al. and Beimel et al., but rather is a variation of the majority protocol of Cleve, used to obtain the aforementioned θ(√ℓ m)-bias protocol.
KW - Coin-flipping protocols
KW - Fair computation
KW - Fairness
UR - http://www.scopus.com/inward/record.url?scp=84904352254&partnerID=8YFLogxK
U2 - 10.1145/2591796.2591842
DO - 10.1145/2591796.2591842
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:84904352254
SN - 9781450327107
T3 - Proceedings of the Annual ACM Symposium on Theory of Computing
SP - 408
EP - 416
BT - STOC 2014 - Proceedings of the 2014 ACM Symposium on Theory of Computing
PB - Association for Computing Machinery
T2 - 4th Annual ACM Symposium on Theory of Computing, STOC 2014
Y2 - 31 May 2014 through 3 June 2014
ER -