TY - GEN
T1 - Fair coin flipping
T2 - 28th Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2017
AU - Buchbinder, Niv
AU - Haitner, Iftach
AU - Levi, Nissan
AU - Tsfadia, Eliad
N1 - Publisher Copyright:
Copyright © by SIAM.
PY - 2017
Y1 - 2017
N2 - In a multi-party fair coin-ipping protocol, the parties output a common (close to) unbiased bit, even when some corrupted parties try to bias the output. In this work we focus on the case of dishonest majority, ie at least half of the parties can be corrupted. [19] [STOC 1986] has shown that in any m-round coin-ipping protocol the corrupted parties can bias the honest parties' common output bit by Θ(1=m). For more than two decades the best known coin-ipping protocols against majority was the protocol of [9] [Manuscript 1985], who presented a t-party, m-round protocol with bias Θ(t= p m). This was changed by the breakthrough result of [42] [TCC 2009], who constructed an m- round, two-party coin-ipping protocol with optimal bias Θ(1=m). Recently, [32] [STOC 14] constructed an m-round, three-party coin-ipping protocol with bias O(log3 m=m). Still for the case of more than three parties, against arbitrary number of corruptions, the best known protocol remained the Θ(t= p m)-bias protocol of [9]. We make a step towards eliminating the above gap, presenting a t-party, m-round coin-ipping protocol, with bias O( t3.2t. p √logm/ m1=2+1=(2t-1-2) ). This improves upon the Θ(t= p m)-bias protocol of [9] for any t ≥ 1=2 . log logm, and in particular for t 2 O(1), this yields an 1=m 1 2 + Θ((1)- bias protocol. For the three-party case, this yields an O( p logm=m)-bias protocol, improving over the the O(log3 m=m)-bias protocol of [32]. Our protocol generalizes that of [32], by presenting an appropriate \defense protocols" for the remaining parties to interact in, in the case that some parties abort or caught cheating ([32] only presented a two-party defense protocol, which limits their final protocol to handle three parties). We analyze our new protocols by presenting a new paradigm for analyzing fairness of coin-ipping protocols. We map the set of adversarial strategies that try to bias the honest parties outcome in the protocol to the set of the feasible solutions of a linear program. The gain each strategy achieves is the value of the corresponding solution. We then bound the the optimal value of the linear program by constructing a feasible solution to its dual.
AB - In a multi-party fair coin-ipping protocol, the parties output a common (close to) unbiased bit, even when some corrupted parties try to bias the output. In this work we focus on the case of dishonest majority, ie at least half of the parties can be corrupted. [19] [STOC 1986] has shown that in any m-round coin-ipping protocol the corrupted parties can bias the honest parties' common output bit by Θ(1=m). For more than two decades the best known coin-ipping protocols against majority was the protocol of [9] [Manuscript 1985], who presented a t-party, m-round protocol with bias Θ(t= p m). This was changed by the breakthrough result of [42] [TCC 2009], who constructed an m- round, two-party coin-ipping protocol with optimal bias Θ(1=m). Recently, [32] [STOC 14] constructed an m-round, three-party coin-ipping protocol with bias O(log3 m=m). Still for the case of more than three parties, against arbitrary number of corruptions, the best known protocol remained the Θ(t= p m)-bias protocol of [9]. We make a step towards eliminating the above gap, presenting a t-party, m-round coin-ipping protocol, with bias O( t3.2t. p √logm/ m1=2+1=(2t-1-2) ). This improves upon the Θ(t= p m)-bias protocol of [9] for any t ≥ 1=2 . log logm, and in particular for t 2 O(1), this yields an 1=m 1 2 + Θ((1)- bias protocol. For the three-party case, this yields an O( p logm=m)-bias protocol, improving over the the O(log3 m=m)-bias protocol of [32]. Our protocol generalizes that of [32], by presenting an appropriate \defense protocols" for the remaining parties to interact in, in the case that some parties abort or caught cheating ([32] only presented a two-party defense protocol, which limits their final protocol to handle three parties). We analyze our new protocols by presenting a new paradigm for analyzing fairness of coin-ipping protocols. We map the set of adversarial strategies that try to bias the honest parties outcome in the protocol to the set of the feasible solutions of a linear program. The gain each strategy achieves is the value of the corresponding solution. We then bound the the optimal value of the linear program by constructing a feasible solution to its dual.
KW - Coin-ipping
KW - Fair computation
KW - Stopping time problems
UR - http://www.scopus.com/inward/record.url?scp=85016215173&partnerID=8YFLogxK
U2 - 10.1137/1.9781611974782.170
DO - 10.1137/1.9781611974782.170
M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???
AN - SCOPUS:85016215173
T3 - Proceedings of the Annual ACM-SIAM Symposium on Discrete Algorithms
SP - 2580
EP - 2600
BT - 28th Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2017
A2 - Klein, Philip N.
PB - Association for Computing Machinery
Y2 - 16 January 2017 through 19 January 2017
ER -