On the complexity of fair coin flipping

A two-party coin-flipping protocol is epsilon-fair if no efficient adversary can bias the output of the honest party (who always outputs a bit, even if the other party aborts) by more than epsilon. Cleve [STOC '86] showed that r-round o(1/r)-fair coin-flipping protocols do not exist. Awerbuch, Blum, Chor, Goldwasser, and Micali [Manuscript '85] constructed a Theta(1/root r)- fair coin-flipping protocol, assuming the existence of one-way functions. Moran, Naor, and Segev [Journal of Cryptology '16] constructed an r-round coin-flipping protocol that is Theta(1/r)-fair (thus matching the aforementioned lower bound of Cleve [STOC '86]), assuming the existence of oblivious transfer. The above gives rise to the intriguing question of whether oblivious transfer, or more generally "public-key primitives, " is required for an o(1/root r)-fair coin-flipping protocol. Towards answering this intriguing question, Maji and Wang [Crypto '18] have recently showed that in the random oracle model (ROM), any coin-flipping protocol can be biased by Omega(1/root r). This implies that o(1/root r)-fair coin-flipping protocol cannot be constructed from one-way function, or from a family of collision-resistant hash functions, in a black -box way. This result does not rule out, however, non black-box constructions, and black-box constructions based on primitives that cannot be realized in the ROM. We make a different progress towards answering above question by showing that, for any constant r is an element of N, the existence of an 1/(c.root r)-fair, r-round coin-flipping protocol implies the existence of an infinitely-often key-agreement protocol, where c denotes some universal constant (independent of r). Our reduction is non black-box and makes a novel use of the recent dichotomy for two-party protocols of Haitner, Nissim, Omri, Shaltiel, and Silbak [SICOMP '20] to facilitate a two-party variant of the recent attack of Beimel, Haitner, Makriyannis, and Omri [FOCS '18] on multi-party coin-flipping protocols. (c) 2022 Elsevier B.V. All rights reserved.