Protocols for Multiparty Coin Toss with a Dishonest Majority

Amos Beimel, Eran Omri, Ilan Orlov

Research output: Contribution to journalArticlepeer-review

16 Scopus citations


Coin-tossing protocols are protocols that generate a random bit with uniform distribution, although some corrupted parties might try to bias the output. These protocols are used as a building block in many cryptographic protocols. Cleve (Proc. of the 18th ACM Symp. on the Theory of Computing, pp. 364–369, 1986) has shown that if at least half of the parties can be corrupted, then, in any r-round coin-tossing protocol, the corrupted parties can cause a bias of Ω(1/r) to the bit that the honest parties output. However, for more than two decades the best known protocols had bias ${t}/\sqrt{{r}}$, where t is the number of corrupted parties. Recently, in a surprising result, Moran, Naor, and Segev (Proc. of the Sixth Theory of Cryptography Conference, TCC 2009, pp. 1–18, 2009) constructed an r-round two-party coin-tossing protocol with the optimal bias of O(1/r). We extend the results of Moran et al. to the multiparty model where fewer than 2/3 of the parties are corrupted. The bias of our protocol is proportional to 1/r and doubly exponential in the gap between the number of corrupted parties and the number of honest parties in the protocol. In particular, for a constant number of parties, where fewer than 2/3 of them are corrupted. we present an r-round m-party coin-tossing protocol with an optimal bias of O(1/r). Furthermore, we achieve the same bias even when the number of parties m is non-constant and the number of corrupted parties is m/2+O(1).

Original languageEnglish
Pages (from-to)551-600
Number of pages50
JournalJournal of Cryptology
Issue number3
StatePublished - 12 Jul 2015


  • Cheat detection
  • Dishonest majority
  • Fair coin tossing
  • Multiparty computation
  • Secure with abort

ASJC Scopus subject areas

  • Software
  • Computer Science Applications
  • Applied Mathematics


Dive into the research topics of 'Protocols for Multiparty Coin Toss with a Dishonest Majority'. Together they form a unique fingerprint.

Cite this