Fair coin flipping: Tighter analysis and the many-party case

Niv Buchbinder, Iftach Haitner, Nissan Levi, Eliad Tsfadia

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review


In a multi-party fair coin-ipping protocol, the parties output a common (close to) unbiased bit, even when some corrupted parties try to bias the output. In this work we focus on the case of dishonest majority, ie at least half of the parties can be corrupted. [19] [STOC 1986] has shown that in any m-round coin-ipping protocol the corrupted parties can bias the honest parties' common output bit by Θ(1=m). For more than two decades the best known coin-ipping protocols against majority was the protocol of [9] [Manuscript 1985], who presented a t-party, m-round protocol with bias Θ(t= p m). This was changed by the breakthrough result of [42] [TCC 2009], who constructed an m- round, two-party coin-ipping protocol with optimal bias Θ(1=m). Recently, [32] [STOC 14] constructed an m-round, three-party coin-ipping protocol with bias O(log3 m=m). Still for the case of more than three parties, against arbitrary number of corruptions, the best known protocol remained the Θ(t= p m)-bias protocol of [9]. We make a step towards eliminating the above gap, presenting a t-party, m-round coin-ipping protocol, with bias O( t3.2t. p √logm/ m1=2+1=(2t-1-2) ). This improves upon the Θ(t= p m)-bias protocol of [9] for any t ≥ 1=2 . log logm, and in particular for t 2 O(1), this yields an 1=m 1 2 + Θ((1)- bias protocol. For the three-party case, this yields an O( p logm=m)-bias protocol, improving over the the O(log3 m=m)-bias protocol of [32]. Our protocol generalizes that of [32], by presenting an appropriate \defense protocols" for the remaining parties to interact in, in the case that some parties abort or caught cheating ([32] only presented a two-party defense protocol, which limits their final protocol to handle three parties). We analyze our new protocols by presenting a new paradigm for analyzing fairness of coin-ipping protocols. We map the set of adversarial strategies that try to bias the honest parties outcome in the protocol to the set of the feasible solutions of a linear program. The gain each strategy achieves is the value of the corresponding solution. We then bound the the optimal value of the linear program by constructing a feasible solution to its dual.

Original languageEnglish
Title of host publication28th Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2017
EditorsPhilip N. Klein
PublisherAssociation for Computing Machinery
Number of pages21
ISBN (Electronic)9781611974782
StatePublished - 2017
Event28th Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2017 - Barcelona, Spain
Duration: 16 Jan 201719 Jan 2017

Publication series

NameProceedings of the Annual ACM-SIAM Symposium on Discrete Algorithms


Conference28th Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2017


  • Coin-ipping
  • Fair computation
  • Stopping time problems


Dive into the research topics of 'Fair coin flipping: Tighter analysis and the many-party case'. Together they form a unique fingerprint.

Cite this