Fair Coin Flipping: Tighter Analysis and the Many-Party Case

In a multi-party fair coin-flipping protocol, the parties output a common (close to) unbiased bit, even when some corrupted parties try to bias the output. In this work we focus on the case of dishonest majority, ie at least half of the parties can be corrupted. [18] [STOC 1986] has shown that in any m-round coin-flipping protocol the corrupted parties can bias the honest parties’ common output bit by Θ(1/m). For more than two decades the best known coin-flipping protocols against majority was the protocol of [9] [Manuscript 1985], who presented a t-party, m-round protocol with bias Θ(t/ √ m). This was changed by the breakthrough result of [40] [TCC 2009], who constructed an mround, two-party coin-flipping protocol with optimal bias Θ(1/m). Recently, [30] [STOC 14] constructed an m-round, three-party coin-flipping protocol with bias O(logm/m). Still for the case of more than three parties, against arbitrary number of corruptions, the best known protocol remained the Θ(t/ √ m)-bias protocol of [9]. We make a step towards eliminating the above gap, presenting a t-party, m-round coin-flipping protocol, with bias O( t ·2· √ logm m( t−1−2) ). This improves upon the Θ(t/ √ m)-bias protocol of [9] for any t ≤ 1/2 · log logm, and in particular for t ∈ O(1), this yields an 1/m 1 2 bias protocol. For the three-party case, this yields an O( √ logm/m)-bias protocol, improving over the the O(logm/m)-bias protocol of [30]. Our protocol generalizes that of [30], by presenting an appropriate “defense protocols” for the remaining parties to interact in, in the case that some parties abort or caught cheating ([30] only presented a two-party defense protocol, which limits their final protocol to handle three parties). ∗Statistics and Operations Research, Tel Aviv university. Email:[email protected]. †School of Computer Science, Tel Aviv University. E-mail:{[email protected], [email protected], [email protected]}. Research supported by ERC starting grant 638121. ‡Member of the Israeli Center of Research Excellence in Algorithms (ICORE) and the Check Point Institute for Information Security. We analyze our new protocols by presenting a new paradigm for analyzing fairness of coin-flipping protocols. We map the set of adversarial strategies that try to bias the honest parties outcome in the protocol to the set of the feasible solutions of a linear program. The gain each strategy achieves is the value of the corresponding solution. We then bound the the optimal value of the linear program by constructing a feasible solution to its dual.