Almost-Optimally Fair Multiparty Coin-Tossing

An α-fair coin-tossing protocol allows a set of mutually distrustful parties to generate a uniform bit, such that no efficient adversary can bias the output bit by more than α. Cleve [STOC 1986] has shown that if half of the parties can be corrupted, then, no r-round coin-tossing protocol is o(1/r)-fair. For over two decades the best known m-party protocols, tolerating up to t ≥ m/2 corrupted parties, were only O ( t/ √ r ) -fair. In a surprising result, Moran, Naor, and Segev [TCC 2009] constructed an r-round two-party O(1/r)-fair coin-tossing protocol, i.e., an optimally fair protocol. Beimel, Omri, and Orlov [Crypto 2010] extended the result of Moran et al. to the multiparty setting where strictly fewer than 2/3 of the parties are corrupted. They constructed a 22 k /r-fair r-round m-party protocol, tolerating up to t = m+k 2 corrupted parties. Recently, in a breakthrough result, Haitner and Tsfadia [STOC 2014] constructed an O ( log3(r)/r ) -fair (almost optimal) three-party cointossing protocol. Their work brought forth a combination of novel techniques for coping with the difficulties of constructing fair coin-tossing protocols. Still, the best coin-tossing protocols for the case where more than 2/3 of the parties may be corrupted (and even when t = 2m/3, where m > 3) were θ ( 1/ √ r ) -fair. We construct an O ( log3(r)/r ) -fair mparty coin-tossing protocol, tolerating up to t corrupted parties, whenever m is constant and t < 3m/4.