On the Complexity of Fair Coin Flipping

by   Iftach Haitner, et al.

A two-party coin-flipping protocol is ϵ-fair if no efficient adversary can bias the output of the honest party (who always outputs a bit, even if the other party aborts) by more than ϵ. Cleve [STOC '86] showed that r-round o(1/r)-fair coin-flipping protocols do not exist. Awerbuch, Blum, Chor, Goldwasser, and Micali[Manuscript '85] constructed a Θ(1/√(r))-fair coin-flipping protocol, assuming the existence of one-way functions. Moran, Naor, and Segev [Journal of Cryptology '16] constructed an r-round coin-flipping protocol that is Θ(1/r)-fair (thus matching the aforementioned lower bound of Cleve [STOC '86]), assuming the existence of oblivious transfer. The above gives rise to the intriguing question of whether oblivious transfer, or more generally “public-key primitives,” is required for an o(1/√(r))-fair coin flipping protocol. We make a different progress towards answering the question by showing that, for any constant r∈, the existence of an 1/(c·√(r))-fair, r-round coin-flipping protocol implies the existence of an infinitely-often key-agreement protocol, where c denotes some universal constant (independent of r). Our reduction is non black-box and makes a novel use of the recent dichotomy for two-party protocols of Haitner, Nissim, Omri, Shaltiel, and Silbak [FOCS '18] to facilitate a two-party variant of the recent attack of Beimel, Haitner, Makriyannis, and Omri [FOCS '18] on multi-party coin-flipping protocols.


page 1

page 2

page 3

page 4


Tighter Bounds on Multi-Party Coin Flipping via Augmented Weak Martingales and Differentially Private Sampling

In his seminal work, Cleve [STOC '86] has proved that any r-round coin-f...

Coin Flipping of Any Constant Bias Implies One-Way Functions

We show that the existence of a coin-flipping protocol safe against any ...

Fair Coin Flipping: Tighter Analysis and the Many-Party Case

In a multi-party fair coin-flipping protocol, the parties output a commo...

Computational Two-Party Correlation: A Dichotomy for Key-Agreement Protocols

Let π be an efficient two-party protocol that given security parameter κ...

Systematic benchmarking of HTTPS third party copy on 100Gbps links using XRootD

The High Luminosity Large Hadron Collider provides a data challenge. The...

Separating Key Agreement and Computational Differential Privacy

Two party differential privacy allows two parties who do not trust each ...

Classification Protocols with Minimal Disclosure

We consider multi-party protocols for classification that are motivated ...

Please sign up or login with your details

Forgot password? Click here to reset