Game Theoretic Notions of Fairness in Multi-party Coin Toss

  • Kai-Min ChungEmail author
  • Yue Guo
  • Wei-Kai Lin
  • Rafael Pass
  • Elaine Shi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11239)


Coin toss has been extensively studied in the cryptography literature, and the well-accepted notion of fairness (henceforth called strong fairness) requires that a corrupt coalition cannot cause non-negligible bias. It is well-understood that two-party coin toss is impossible if one of the parties can prematurely abort; further, this impossibility generalizes to multiple parties with a corrupt majority (even if the adversary is computationally bounded and fail-stop only).

Interestingly, the original proposal of (two-party) coin toss protocols by Blum in fact considered a weaker notion of fairness: imagine that the (randomized) transcript of the coin toss protocol defines a winner among the two parties. Now Blum’s notion requires that a corrupt party cannot bias the outcome in its favor (but self-sacrificing bias is allowed). Blum showed that this weak notion is indeed attainable for two parties assuming the existence of one-way functions.

In this paper, we ask a very natural question which, surprisingly, has been overlooked by the cryptography literature: can we achieve Blum’s weak fairness notion in multi-party coin toss? What is particularly interesting is whether this relaxation allows us to circumvent the corrupt majority impossibility that pertains to strong fairness. Even more surprisingly, in answering this question, we realize that it is not even understood how to define weak fairness for multi-party coin toss. We propose several natural notions drawing inspirations from game theory, all of which equate to Blum’s notion for the special case of two parties. We show, however, that for multiple parties, these notions vary in strength and lead to different feasibility and infeasibility results.


  1. 1.
    Abraham, I., Dolev, D., Gonen, R., Halpern, J.: Distributed computing meets game theory: robust mechanisms for rational secret sharing and multiparty computation. In: PODC (2006)Google Scholar
  2. 2.
    Alon, B., Omri, E.: Almost-optimally fair multiparty coin-tossing with nearly three-quarters malicious. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9985, pp. 307–335. Springer, Heidelberg (2016). Scholar
  3. 3.
    Andrychowicz, M., Dziembowski, S., Malinowski, D., Mazurek, L.: Secure multiparty computations on bitcoin. In: S&P (2013)Google Scholar
  4. 4.
    Asharov, G., Canetti, R., Hazay, C.: Towards a game theoretic view of secure computation. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 426–445. Springer, Heidelberg (2011). Scholar
  5. 5.
    Asharov, G., Lindell, Y.: Utility dependence in correct and fair rational secret sharing. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 559–576. Springer, Heidelberg (2009). Scholar
  6. 6.
    Asharov, G., Lindell, Y.: Utility dependence in correct and fair rational secret sharing. J. Cryptol. 24(1), 157–202 (2011)MathSciNetCrossRefGoogle Scholar
  7. 7.
    Awerbuch, B., Blum, M., Chor, B., Goldwasser, S., Micali, S.: How to implement brachas o (log n) byzantine agreement algorithm (1985, unpublished manuscript)Google Scholar
  8. 8.
    Bartoletti, M., Zunino, R.: Constant-deposit multiparty lotteries on bitcoin. In: Brenner, M., et al. (eds.) FC 2017. LNCS, vol. 10323, pp. 231–247. Springer, Cham (2017). Scholar
  9. 9.
    Beimel, A., Groce, A., Katz, J., Orlov, I.: Fair computation with rational players. Full version of Eurocrypt 2012 proceeding version by Groce and Katz (2011)
  10. 10.
    Beimel, A., Haitner, I., Makriyannis, N., Omri, E.: Tighter bounds on multi-party coin flipping via augmented weak martingales and differentially private sampling. Technical report TR17-168, Electronic Colloquium on Computational Complexity (2017)Google Scholar
  11. 11.
    Beimel, A., Omri, E., Orlov, I.: Protocols for multiparty coin toss with a dishonest majority. J. Cryptol. 28(3), 551–600 (2015)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Ben-or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: STOC (1988)Google Scholar
  13. 13.
    Bentov, I., Kumaresan, R.: How to use bitcoin to design fair protocols. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 421–439. Springer, Heidelberg (2014). Scholar
  14. 14.
    Berman, I., Haitner, I., Tentes, A.: Coin flipping of any constant bias implies one-way functions. JACM 65(3), 14 (2018)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Bernheim, B., Peleg, B., Whinston, M.D.: Coalition-proof nash equilibria i. concepts. J. Econ. Theory 42(1), 1–12 (1987)MathSciNetCrossRefGoogle Scholar
  16. 16.
    Blum, M.: Coin flipping by telephone. In: CRYPTO (1981)Google Scholar
  17. 17.
    Buchbinder, N., Haitner, I., Levi, N., Tsfadia, E.: Fair coin flipping: tighter analysis and the many-party case. In: SODA (2017)Google Scholar
  18. 18.
    Chung, K.-M., Guo, Y., Lin, W.-K., Pass, R., Shi, E.: Game theoretic notions of fairness in multi-party coin toss. Cryptology ePrint Archive (2018)Google Scholar
  19. 19.
    Cleve, R.: Limits on the security of coin flips when half the processors are faulty. In: STOC (1986)Google Scholar
  20. 20.
    Dachman-Soled, D., Lindell, Y., Mahmoody, M., Malkin, T.: On the black-box complexity of optimally-fair coin tossing. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 450–467. Springer, Heidelberg (2011). Scholar
  21. 21.
    Dachman-Soled, D., Mahmoody, M., Malkin, T.: Can optimally-fair coin tossing be based on one-way functions? In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 217–239. Springer, Heidelberg (2014). Scholar
  22. 22.
    Delmolino, K., Arnett, M., Kosba, A., Miller, A., Shi, E.: Step by step towards creating a safe smart contract: lessons and insights from a cryptocurrency lab. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 79–94. Springer, Heidelberg (2016). Scholar
  23. 23.
    Dodis, Y., Halevi, S., Rabin, T.: A cryptographic solution to a game theoretic problem. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 112–130. Springer, Heidelberg (2000). Scholar
  24. 24.
    Dodis, Y., Rabin, T.: Cryptography and game theory. In: Algorithmic Game Theory (2007)Google Scholar
  25. 25.
    Games, B.: One-night werewolf. Accessed 21 Oct 2018
  26. 26.
    Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). Scholar
  27. 27.
    Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game. In: STOC (1987)Google Scholar
  28. 28.
    Gordon, S.D., Katz, J.: Partial fairness in secure two-party computation. J. Cryptol. 25(1), 14–40 (2012)MathSciNetCrossRefGoogle Scholar
  29. 29.
    Groce, A., Katz, J.: Fair computation with rational players. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 81–98. Springer, Heidelberg (2012). Scholar
  30. 30.
    Haitner, I., Omri, E.: Coin flipping with constant bias implies one-way functions. SIAM J. Comput. 43(2), 389–409 (2014)MathSciNetCrossRefGoogle Scholar
  31. 31.
    Haitner, I., Tsfadia, E.: An almost-optimally fair three-party coin-flipping protocol. SIAM J. Comput. 46(2), 479–542 (2017)MathSciNetCrossRefGoogle Scholar
  32. 32.
    Halpern, J., Teague, V.: Rational secret sharing and multiparty computation. In: STOC (2004)Google Scholar
  33. 33.
    Impagliazzo, R., Luby, M.: One-way functions are essential for complexity based cryptography. In: FOCS (1989)Google Scholar
  34. 34.
    Izmalkov, S., Micali, S., Lepinski, M.: Rational secure computation and ideal mechanism design. In: FOCS (2005)Google Scholar
  35. 35.
    Aumann, R.J.: Acceptable points in general cooperative \(n\)-person games. In: Contributions to the Theory of Games IV. Princeton University Press, Princeton (1959)Google Scholar
  36. 36.
    Aumann, R.J.: Subjectivity and correlation in randomized strategies. J. Math. Econ. 1(1), 67–96 (1974)MathSciNetCrossRefGoogle Scholar
  37. 37.
    Katz, J.: Bridging game theory and cryptography: recent results and future directions. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 251–272. Springer, Heidelberg (2008). Scholar
  38. 38.
    Kol, G., Naor, M.: Cryptography and game theory: designing protocols for exchanging information. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 320–339. Springer, Heidelberg (2008). Scholar
  39. 39.
    Kosba, A.E., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: the blockchain model of cryptography and privacy-preserving smart contracts. In: S&P (2016)Google Scholar
  40. 40.
    Kumaresan, R., Bentov, I.: How to use bitcoin to incentivize correct computations. In: CCS (2014)Google Scholar
  41. 41.
    Kumaresan, R., Bentov, I.: Amortizing secure computation with penalties. In: CCS (2016)Google Scholar
  42. 42.
    Lin, H., Pass, R.: Constant-round nonmalleable commitments from any one-way function. J. ACM 62(1), 5:1–5:30 (2015)MathSciNetCrossRefGoogle Scholar
  43. 43.
    Lin, H., Pass, R., Venkitasubramaniam, M.: Concurrent non-malleable commitments from any one-way function. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 571–588. Springer, Heidelberg (2008). Scholar
  44. 44.
    Maji, H.K., Prabhakaran, M., Sahai, A.: On the computational complexity of coin flipping. In: FOCS (2010)Google Scholar
  45. 45.
    Miller, A., Bentov, I.: Zero-collateral lotteries in bitcoin and ethereum. In: EuroS&P Workshops (2017)Google Scholar
  46. 46.
    Moran, T., Naor, M., Segev, G.: An optimally fair coin toss. J. Cryptol. 29(3), 491–513 (2016)MathSciNetCrossRefGoogle Scholar
  47. 47.
    Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)Google Scholar
  48. 48.
    Nash, J.: Non-cooperative games. Ann. Math. 54(2), 286–295 (1951)MathSciNetCrossRefGoogle Scholar
  49. 49.
    Ong, S.J., Parkes, D.C., Rosen, A., Vadhan, S.: Fairness with an honest minority and a rational majority. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 36–53. Springer, Heidelberg (2009). Scholar
  50. 50.
    Pass, R., Seeman, L., Shelat, A.: Analysis of the blockchain protocol in asynchronous networks. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 643–673. Springer, Cham (2017). Scholar
  51. 51.
    Pass, R., Shi, E.: Rethinking large-scale consensus. In: CSF (2017)Google Scholar
  52. 52.
    Yao, A.C.-C.: Protocols for secure computations. In: FOCS (1982)Google Scholar
  53. 53.
    Yao, A.C.-C.: How to generate and exchange secrets. In: FOCS (1986)Google Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Kai-Min Chung
    • 2
    Email author
  • Yue Guo
    • 1
  • Wei-Kai Lin
    • 1
  • Rafael Pass
    • 1
    • 3
  • Elaine Shi
    • 1
  1. 1.Cornell UniversityIthacaUSA
  2. 2.Institute of Information ScienceAcademia SinicaTaipeiTaiwan
  3. 3.CornellTechNew YorkUSA

Personalised recommendations