Protocols for Multiparty Coin Toss with a Dishonest Majority

Coin-tossing protocols are protocols that generate a random bit with uniform distribution, although some corrupted parties might try to bias the output. These protocols are used as a building block in many cryptographic protocols. Cleve (Proc. of the 18th ACM Symp. on the Theory of Computing, pp. 364–369, 1986) has shown that if at least half of the parties can be corrupted, then, in any r-round coin-tossing protocol, the corrupted parties can cause a bias of Ω(1/r) to the bit that the honest parties output. However, for more than two decades the best known protocols had bias ${t}/\sqrt{{r}}$, where t is the number of corrupted parties. Recently, in a surprising result, Moran, Naor, and Segev (Proc. of the Sixth Theory of Cryptography Conference, TCC 2009, pp. 1–18, 2009) constructed an r-round two-party coin-tossing protocol with the optimal bias of O(1/r). We extend the results of Moran et al. to the multiparty model where fewer than 2/3 of the parties are corrupted. The bias of our protocol is proportional to 1/r and doubly exponential in the gap between the number of corrupted parties and the number of honest parties in the protocol. In particular, for a constant number of parties, where fewer than 2/3 of them are corrupted. we present an r-round m-party coin-tossing protocol with an optimal bias of O(1/r). Furthermore, we achieve the same bias even when the number of parties m is non-constant and the number of corrupted parties is m/2+O(1).