In a multiparty fair coin-flipping protocol, the parties output a common (close to) unbiased bit, even when some corrupted parties try to bias the output. Cleve [in Proceedings of the 20th Annual ACM Symposium on Theory of Computing (STOC), ACM, New York, 1986, pp. 364-369] has shown that in the case of dishonest majority (i.e., at least half of the parties can be corrupted), in any m-round coin-flipping protocol the corrupted parties can bias the honest parties' common output bit by Ω(1/m). For more than two decades the best known coin-flipping protocols against dishonest majority had bias Θ(ℓ/√m), where ℓ is the number of corrupted parties. This was changed by a recent breakthrough result of Moran, Naor, and Segev [in Theory of Cryptography, Lecture Notes in Comput. Sci. 5444, Springer, Berlin, 2009, pp. 1-18], who constructed an m-round, two-party coin-flipping protocol with optimal bias Θ(1/m). In a subsequent work, Beimel, Omri, and Orlov [in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC), ACM, New York, 1990, pp. 503-513] extended this result to the multiparty case in which less than 2/3 of the parties can be corrupted. Still, for the case of 2/3 (or more) corrupted parties, the best known protocol had bias Θ(ℓ/√m). In particular, this was the state of affairs for the natural three-party case. We take a step toward eliminating the above gap, presenting an m-round, three-party coin-flipping protocol, with bias O(log³ m)/m. Our approach (which we also apply to the two-party case) does not follow the "threshold round" paradigm used in the work of Moran, Naor, and Segev and Beimel, Omri, and Orlov but rather is a variation of the majority protocol of Cleve used to obtain the aforementioned Θ(ℓ/√m)-bias protocol.
- Fair computation