An Almost-Optimally Fair Three-Party Coin-Flipping Protocol
share
In a multiparty fair coin-flipping protocol, the parties output a common (close to) unbiased bit, even when some corrupted parties try to bias the output. Cleve [STOC 1986] has shown that in the case of dishonest majority (i.e., at least half of the parties can be corrupted), in any m-round coin-flipping protocol the corrupted parties can bias the honest parties' common output bit by Ω(1/m). For more than two decades the best known coin-flipping protocols against dishonest majority had bias Θ(ℓ/√(m)), where ℓ is the number of corrupted parties. This was changed by a recent breakthrough result of Moran et al. [TCC 2009], who constructed an m-round, two-party coin-flipping protocol with optimal bias Θ(1/m). In a subsequent work, Beimel et al. [Crypto 2010] extended this result to the multiparty case in which less than 2/3 of the parties can be corrupted. Still for the case of 2/3 (or more) corrupted parties, the best known protocol had bias Θ(ℓ/√(m)). In particular, this was the state of affairs for the natural three-party case. We make a step towards eliminating the above gap, presenting an m-round, three-party coin-flipping protocol, with bias O(log^3 m)/m. Our approach (which we also apply for the two-party case) does not follow the "threshold round" paradigm used in the work of Moran et al. and Beimel et al., but rather is a variation of the majority protocol of Cleve, used to obtain the aforementioned Θ(ℓ/√(m))-bias protocol.
READ FULL TEXT
