An Optimally Fair Coin Toss

by Tal Moran, Moni Naor, and Gil Segev.

Oded's comments

The great success of theoretical research in cryptography, in the 1980s, led to a feeling that everything is possible. This view has been changing during the 1990s when the emergence of various impossibility results got more attention. Most of these impossibility results are not absolute but rather refer to natural well-defined abstractions of the known (and even "perceivable") proof techniques.
For example, while 2-message zero-knowledge proofs were proven to exist only for BPP sets, restricting the simulation (which underlies the definition of ZK) to black-box use of the adversary rules out also 3-message protocols as well as any constant-round public-coin protocols. Indeed, Barak's ZK protocol (simulated via non-blackbox use of the adversary's program) is the most dramatic example of a construction that bypasses the known limitation of a natural and general formulation of the known (and "perceivable") proof techniques.
The current paper provides yet another striking example. It refers to the tradeoff between the round complexity of a coin tossing protocol and the influence an adversary may have on its outcome (in a model that mandates that the honest party outputs a coin value also in the case that the other party aborts the protocol).
Cleve showed in 1986 that in any $r$-round protocol one party can influence the outcome by at least $Omega(1/r)$, whereas a simple $r$-round protocol guarantees influence of at most $O(1/sqrt(r))$. Furthermore, Cleve and Impagliazzo (1993) proved that, within a natural well-defined construction paradigm, no protocol can outperform the aforementioned simple protocol. Yet, the current paper presents an $r$-round protocol (which deviates from the latter construction paradigm) that guarantees influence of at most $O(1/r)$.
For comments on seven other talks given at TCC'09, see my notes.

The original abstract

We address one of the foundational problems in cryptography: the bias of coin-flipping protocols. Coin-flipping protocols allow mutually distrustful parties to generate a common unbiased random bit, guaranteeing that even if one of the parties is malicious, it cannot significantly bias the output of the honest party. A classical result by Cleve [STOC '86] showed that for any two-party $r$-round coin-flipping protocol there exists an efficient adversary that can bias the output of the honest party by $\Omega(1/r)$. However, the best previously known protocol only guarantees $O(1/\sqrt{r})$ bias, and the question of whether Cleve's bound is tight has remained open for more than twenty years.
In this paper we establish the optimal trade-off between the round complexity and the bias of two-party coin-flipping protocols. Under standard assumptions (the existence of oblivious transfer), we show that Cleve's lower bound is tight: we construct an $r$-round protocol with bias $O(1/r)$.


Back to list of Oded's choices.