Limits on the Security of Coin Flips
When Half the Processors are Faulty
(Extended Abstract)
Richard Cleve
Department of Computer Science
University of Toronto
Toronto, Canada M5S 1A4
1. I n t r o d u c t i o n
may be faulty. This is the so-called coin flipping by tele-
Protocols which allow an asynchronous network of pro-
phone p r o b l e m which is proposed in [3] and cannot be
cessors to agree on a r a n d o m (unbiased) bit are proposed
solved w i t h very high security. T h e r e are protocols for
in [1] and [4]. It is claimed t h a t (assuming a t r a p d o o r
2-processor coin tossing which (assuming t h a t a t r a p d o o r
function exists), if less t h a n half of the processors are
function exists) achieve a weaker level of security (these
faulty t h e n the correct processors will still agree on a bit
are discussed in section 4). T h e processors run in poly(n)
whose bias is negligibly small (when the running t i m e of
t i m e and the bias of the bit which a correct processor out-
the processors is poly(n) the bias is smaller t h a n O(~r)
puts is less t h a n O(~r) for some fixed k. More precisely,
for all k).
the bias will be less t h a n O ( ~ )
If half the processors are faulty t h e n these
where r is the n u m b e r
protocols are no longer effective: the bits o u t p u t by the
of rounds of c o m m u n i c a t i o n in the protocol.
For m a n y
correct processors may be heavily biased.
applications (such as secret exchanging [5]) this weaker
We prove t h a t the above protocols are optimal in the
level of security is sufficient. In section 2 it is proven t h a t
sense t h a t no protocol exists which tolerates faults in at
no 2-processor protocol exists for which the bias of the
least half of the processors.
o u t p u t of a correct processor is less t h a n O(~).
The result is very general
because few restrictions are m a d e on the types of com-
In [4] it is pointed out t h a t multiprocessor coin toss-
munication allowed between correct processors (such as
ing schemes have their application in the p r o b l e m of ran-
private channels and global channels) and the correct pro-
domly choosing a leader in a network of processors and
cessors only need to agree on a bit in a weak probabilistic
the p r o b l e m of fairly allocating resources within a net-
sense.
WOrk.
Also, the faulty processors do not require very
m u c h power. T h e y can privately communicate w i t h each
2. 2 - P r o c e s s o r
Coin Tossing Schemes
other but they cannot read messages which are exchanged
In 2.1, 2-Processor coin tossing schemes are defined
privately between two correct processors.
precisely and, in 2.2, a lower b o u n d on the security of
An interesting instance of the p r o b l e m arises when
2-processor coin tossing schemes is proven.
the n u m b e r of processors is fixed at two and one of t h e m
2.1 Definitions
A Z-processor bit selection scheme is a sequence of
Permission to copy without fee all or part of.this material is granted
provided that the copies are not made or distributed for direct
commercial advantage, the ACM copyright notice and the title of the
publication and its date appear, and notice is given that copying is by
permission of the Association for Computing Machinery. To copy
otherwise, or to republish, requires a fee and/or specific permission.
pairs of processors { (A", B n) }~,~=1with the following properties. For each n, An and B '~ each have access to a private supply of r a n d o m bits and they can c o m m u n i c a t e
w i t h each other. If the system is executed t h e n A '~, B "
© 1986 ACM 0-89791-193-8/86/0500/0364 $00.75
364
will o u t p u t bits a, b (respectively) within poly(n) time.
W i t h o u t any loss of generality, it can be assumed t h a t
a-consistent (where e > 0) if Pr[a -~ b] > ~1 + E. Note t h a t
the o p e r a t i o n of the system consists of r(n) rounds (for
e-consistency is a considerably weaker p r o p e r t y t h a n the
some poly (n) b o u n d e d function r), where a round consists
two definitions of agreement proposed above.
of the following events. A" performs some computations
R a n d o m n e s s could be defined as the property t h a t a
(in poly(n) time) and then sends a message to B " and
and b have a bias of zero, where the bias of a bit x is
t h e n B n performs some computations (in poly(n) time)
defined as [Pr[z = 0] - }1 (and the bias towards 0 of
and sends a message to A".
bit x is defined as Pr[x = 0 ] -
½ (the bias towards 1 is
More formally, a processor can be viewed as a sequence
defined similarly)). Again, it may suffice to have a weaker
of r(n) + 1 circuits, each of which is poly(n) bounded in
definition of randomness such as the condition t h a t the
size. T h e first r(n) circuits simulate the bevavour of the
bias of b o t h a and b be b o u n d e d by O ( ~ ) for all k. T h e
processor at the r(n) rounds and the last circuit outputs
definition of security, which is given below, implies this
the bit which the processor selects. O u t p u t s of the first
second randomness condition.
r(n) circuits are state information and messages to the
Clearly, if one of the two processors is faulty then it
other processor. Inputs to the circuits are r a n d o m bits,
is unrealistic to expect agreement since the faulty proces-
state information from previous rounds or messages from
sor could o u t p u t a bit which the correct processor knows
the other processor.
nothing about.
ra~do~
It is desirable, however, for the o u t p u t
of the correct processor to still be random.
ml~etawl
Define a 2-
processor bit selection scheme {(A n, Bn)}~°=, to be secure
if, for any polynomial p, there exists a function f , with
f(n) < O(~r) for all k such t h a t the following holds. For
all n, if one of A n, B " is replaced by a faulty processor
roa~d 1
which runs in t i m e p(n) then the bias of the o u t p u t of the
other processor is less t h a n f(n). Thus, as n gets large,
no faulty processor of leasable running time can inflict
a significant bias on the o u t p u t of the other processor.
Note t h a t security is defined in such a way t h a t the sero~vla
2
curity condition implies the second randomness condition
A 2-round, 2-processor bit
selection scheme and
circuit representation.
proposed in the previous paragraph.
its
2.2 Impossibility Result
Theorem: If {(A n, B")}~'= 1 is an e-consistent, 2-processor
bit selection scheme then {(A '~, Bn)}~°= 1 is not secure. In
fact, for each n, there exists a faulty processor which
causes the bias of the o u t p u t of the correct processor to
be at least 4~(~+t, where r(n) is the number of rounds of
For a 2-processor bit selection scheme to qualify as a
coin tossing scheme, the bits t h a t the two processors select
c o m m u n i c a t i o n of the scheme.
should be in agreement and they should be random.
P r o o f : We say t h a t a processor quits at round i if, from
A strong definition of agreement would be the condi-
round i onwards, all the messages t h a t the processor sends
tion that, when the bit selection scheme is run, a = b.
are strings of zeroes. If, say, B ~ quits at some round i in
It may be sufficient for some purposes to adopt a weaker
the middle of the protocol t h e n A n will still o u t p u t some
definition of agreement such as Pr[a = b] _> 1 - O(~r)
bit ~ which we shall refer to as a default output. Note t h a t
for all k. Define a 2-processor bit selection scheme to be
A n could always c o m p u t e and store ~ at the beginning of
365
r o u n d i before receiving any messages f r o m B n in r o u n d
AT0:
simulate
An for rounds
i ( b u t A n c a n n o t , in general, c o m p u t e h before r o u n d i).
compute
For i E { 1 , 2 ..... r ( n ) } , let a~ b e t h e default o u t p u t of A n
i f a~ = 0 t h e n
if B n quits a t r o u n d i a n d let ar(n)+l b e t h e o u t p u t of
simulate
A n if B n does n o t quit d u r i n g t h e protocol.
quit at round
Also, for
i e {0, 1, ..., r(n) - 1}, let bi b e t h e default o u t p u t of B n
if A n quits t h e p r o t o c o l a t r o u n d i + 1 a n d let
1,2,...,i - 1
a~
An for round
i
i + 1
else
b,(n) b e t h e
quit at round
i
o u t p u t of B n if A n does n o t quit d u r i n g t h e protocol. Note
A~:
t h a t A n a n d B n c a n c o m p u t e b i t s a~ a n d b~ (respectively)
before t h e y s e n d t h e i r m e s s a g e in r o u n d i.
simulate
An for rounds
compute
al
1,2, ...,i - 1
if ~ = 1 then
simulate
A~ for round
quit at round
quit at round
bo
ro~v~d ~
ro~ol
Br0:
"
z
simulate
compute
{~
i
B n for rounds
1, 2, ..., i - 1
b~
i f bl = 0 t h e n
b,
simulate
B n for round
quit at round
•
round
i + 1
else
B
A
i
i
i + 1
•
r(n)
I~j
~.
else
quit at round
~r~)
B~:
simulate
compute
ifbi=l
B n for rounds
1, 2, ..., i -
1
b~
then
simulate
T h e d e f a u l t o u t p u t s are m a r k e d a t t h e p o i n t in
the protocol where they can be computed.
i
B n for round
quit at round
i
i + 1
else
quit at round
w
i
We now define 4 r ( n ) + 1 f a u l t y processors: A n, A~0,
A2%, ..., A,~n)o, A~i, A~i, ..., A,~(n)i, Bro, B2~o,..., BAn)0, B S ,
B~x , ..., B~(n) 1. We s h a l l e v e n t u a l l y show t h a t a t least one
Since A n a n d B n r u n in
of t h e s e processors biases t h e o u t p u t of t h e correct processor b y a t least
~
poly(n) t i m e , so do all t h e s e
f a u l t y processors.
F a u l t y processor ~in is very
T h e bias t o w a r d s 0 of t h e o u t p u t of B n w h e n (A~0 , B n)
simple. ~i n always q u i t s a t r o u n d 1. T h e o u t p u t of B n
is r u n is
w h e n ( ~ l n , B n) is r u n will b e b0 so ~ln biases t h e o u t p u t
Pr[a, = 0 A b, = 0] + Fr[a~ = 1 A bi_ 1 : 0]
of B n b y
max{Pr[b0 = 0],Pr[b0 -- 1]}
1
2"
1
2"
The, bias t o w a r d s 1 of t h e o u t p u t of B n w h e n (A~i , B n)
is r u n is
For each i E {1, 2, ..., r ( n ) } , f a u l t y processors A~0, Ai'~, B,'~,
Pr[a, = 1 A b, = 11 + Pr[a~ = 0 A b,-1 = 11
B ~ o p e r a t e as follows.
366
1
2"
T h e bias towards 0 of the o u t p u t of A n when (A n, B~o)
T h e second equation follows from the fact t h a t the
is run is
scheme is c-consistent and the third equation follows from
Pr[b, = 0 A a,+l = 0] + Pr[b, = 1 A a/ : 0]
the fact t h a t al and b0 can be c o m p u t e d before any infor-
1
2"
m a t i o n is exchanged between A n and B n so they must be
independent r a n d o m variables.
T h e bias towards 1 of the o u t p u t of A n when (A n, B~)
Since the average of the 4r(n) + 1 biases is ~ ( ~ ,
is run is
Pr[b, = 1 A a/+ 1
=
1] + Pr[b~ = 0 A a, = 1]
at
least one of t h e m must be greater t h a n or equal to ~ ( ~
1
2"
so the t h e o r e m is proved.
Let A be the average of these 4r(n) + 1 biases. T h e n
3. M u l t i p r o c e s s o r
Coin Tossing Schemes
In 3.1, a generalization of a 2-processor bit selection
1
max{Pr[bo -- 0], Pr[bo -- 1]}
= 4 r ( n ) +------i
1
2
scheme to a bit selection scheme which contains an arbitrary n u m b e r of processors is made. In 3.2, it is proven
t h a t a multiprocessor coin tossing scheme cannot be very
,(n)
+ ~(PrIa,
1
= 0Abl = 0 l + P r [ ~ = 1Abi-1 = 0 ] - 5
secure if half its processors are faulty.
i=l
3.1 D e f i n i t i o n s
Let s be a polynomially b o u n d e d function (Some in-
1
+ P r [ a , = 1Abi = l ] + P r [ a ~ = OAb,-x = 1 ] - 5
teresting cases are w h e n s(n) is constant or s(n) = n).
Define an s-processor bit selection scheme as a sequence
of tuples of processors of the form {(P~, P~, ..., P~,))}~=I
1
+ P r [ b , = 0Aai+x = 0]+Pr[b, = 1Aa, = 0 ] - - 2
with the following properties.
For each n, P~, P~, ...,
P i n ) are processors which have access to a private supply
of r a n d o m bits and which can c o m m u n i c a t e with each
13
+ Pr[b, = 1Aa,+, = 1]-I-Pr[b,-- 0Aa~ = 1]--2) j .
other.
Also, each processor, P~, will o u t p u t a bit, b~,
within poly(n) time, when the system is executed. T h e
The above equation reduces to
c o m m u n i c a t i o n between the processors is of a very general form. T h e network contains c(n) channels, where e
A > - -e
- 4r(n) + 1
is a poly(n) b o u n d e d function. Each channel is shared by
some subset of the s(n) processors.
because
Thus, the network
could consist only of one global c o m m u n i c a t i o n channel
or it could consist of a channel for each pair of processors
Pr[a, = 0Ab~ = 0 ] + P r [ a , = 0Ab, = l l + P r [ a , = lAb, = 0]
(in other words it could support only private communica+ P r [ a , = 1 A b~ = 1] = 1
tion). W i t h o u t any loss of generality, the system operates
for i E {1, 2, ..., r(n) -- 1} and
in rounds as follows. P~ performs some computations (in
poly(n) time) and then sends a message to each channel
1
Pr[ar(n)+l : br(n)] ~ ~ "k- ~-
which it has access to. T h e n P~, P~, ..., P~,) each in t u r n
do the s a m e thing.
and
As in the case of 2-processor bit selection schemes,
Pr[al = bo] = Pr[al = 0] Pr[bo = 0] + Pr[al = 1] Pr[bo = 1]
each processor can be formalized as a sequence of r(n) + 1
circuits which are poly(n) b o u n d e d in size.
These cir-
cuits simulate the behaviour of the processor at different
< max{Pr[bo = 0], Pr[bo = 1]}.
rounds.
367
t(n) of
the processors P~, P~, ...,P,]n) are replaced by
faulty processors whose running time is bounded by p(n)
!
then the bias of the output of all correct processors is
less than
f(n). The
faulty processors are given a private
communication channel (if one does not already exist for
the processors that they replace) but the communication
system is not altered in any other way. Faulty processors
cannot read messages transmitted on channels which they
do not belong to.
3.2 Imposslbiltly Result
Theorem:
If
{(Pf, Pf .....
e~n))}~=1 is an c-consistent,
.s-processor bit selection scheme t h e n it is not [hi-secure.
T h a t is, half the processors, if faulty, can bias the o u t p u t
of one of the other processors significantly. Specifically,
for each n, there exists a set of [ ~ 1 1 or [~_~1] proces-
r~,~d i
sors which, if faulty, can bias the o u t p u t of one of the
4,(nlr(n}c(n)+l'where r(n) is
c o m m u n i c a t i o n and e(n) is the
correct processors by at least
the n u m b e r of rounds of
n u m b e r of c o m m u n i c a t i o n channels in the network.
P r o o f : For each n, partition the
s(n)
processors into two
sets, one containing [.~1] processors and the other containing [ - ~ J
processors.
It is possible to simulate the
operation of this scheme by two processors, A n and B n
PO~ 2
(which each run in
poly(n)
time) where A n simulates all
the processors in the first set and B n simulates all the
processors in the second set.
A n and B n c o m m u n i c a t e
w i t h each other to simulate the exchanges of messages between processors in different sets. The number of rounds
of c o m m u n i c a t i o n t h a t occur between A n and B n during
the simulation is b o u n d e d by
r(n)8(n)c(n).
Therefore, by
the t h e o r e m in section 2.2, for each n, there exists either
a faulty A n or B n which can bias the o u t p u t of one of
A 2-round, 3-processor bit selection scheme w i t h
2 c o m m u n i c a t i o n channels and its circuit representation.
the bits of the other processor by at least
4r(n),(n)c(n)+l
"
The algorithm of the faulty processor can always be implemented within the processors that it simulates if these
processors have a private communication channel. This
A n 8-processor bit selection scheme is e-consistentit,
for all n, Pr[bi = bj] _> ~ + e for all 1 _< i,j
Let t be a
poly(n)
completes the proof of the theorem.
< s(n).
4. S o m e
b o u n d e d function. An s-processor
t-secure if for
function f , with f(n)
Positive Results
bit selection scheme is
any polynomial, p,
If a trapdoor function, F, exists then it is possible
there exists a
_< O(n~1 ) for all k
to construct an r-round, 2-processor bit selection scheme,
such t h a t the following holds. For all n, if not more t h a n
{ (An, Bn)},~I, for which all correct processors always out-
368
put the same bit, which satisfies the following weak secu-
facility to privately communicate with each other) could
rity condition. For any polynomial p, there exists w > 0
cause.
such that if, for some n, one of the processors A", B n is
Acknowledgements
replaced by a faulty one which runs in time pin) then the
I am grateful to Charles Rackoff for introducing me to
bias of the bit output by the other processor is bounded
the subject of distributed coin tossing and for his many
~o
by v / ~ .
{(A n, Bn)}~=l operates as follows. B n initially gener-
helpful remarks concerning this research.
ates r(n) random public/private key pairs
References
(K1, T1),
(K2, Tz),..., (KKn), TKn)) and selects r(n) random bits Xl,
[1] Awerbuch, B., Blum, M., Chor, B., Goldwasser, S.,
Xz,...,xKn } and sends the public keys Kx, Ks,..., KKn )
Micali, S., How to Implement Bracha's O{log n) Byzan-
and the encryptions FK, (Xl), FK2(x2) ..... FK,¢,) (x~(,)) to
tine Agreement Algorithm, Manuscript, 1985.
A n. During round i, A n randomly chooses a bit yi and
[2] Ben-Or, M., Linial, N., Collective Coin Flipping, Ro-
sends it to B n and then B n sends the private key Ti to
bust Voting Schemes and Minima of Banzhaf Values, 26th
A n.
FOCS, 1985.
Finally, A n and B n each output the majority of
(Xl @ yl,x2 @ y2,...,x~(n) • Y~(n)). If at some round, i,
[3] Blum, M., Coin Flipping by Telephone-a Protocol for
in the protocol B n does not send the valid private key
Solving Impossible Problems, Spring COMPCON Confer-
Ti which corresponds to K~ (which A" can verify) then
ence, 1982.
A n continues the protocol substituting random bits for
Xl,Xi+l,
[4] Broder, A., Dolce, D., Flipping Coins in Many Pock-
..., Xr(n).
ets, 25th FOCS, 1984.
We now investigate the security of {(An, B")}~=i. If
[5] Luby~ M., Micali, S., Rackoff, C., How to Simultane-
A n is replaced by a faulty processor then the output of
ously Exchange a Secret Bit by Flipping a Symetrically
B n will have very little bias since the faulty processor can
Biased Coin 24th FOCS, 1983.
never guess the value of xi ~ yi very well during round i
(the fact that F is a trapdoor function implies this). If
B n is replaced by a faulty processor then all that B n can
do is not send T~ to A n at some round i. This strategy
can change the balance of 0s and ls in (xl • yl,x2
Y~,...,xKn) $ YKn)) by at most 1 and therefore will only
change the output of A n with probability O ( ~ - ~ ) .
In [1] a description of a bit selection scheme which
is similar to the one described above, except that it applies to networks which contain an arbitrary number of
processors, is given.
5. O p e n P r o b l e m s
The scheme described in section 4 only has security
O(~r) (this is the bound of the bias that a faulty processor
can cause) while the the lower bound on security proven
in section 2 is O(~). It would be interesting to tighten
this gap.
It would also be interesting to see how much bias a
group of isolated processors (i.e. which have no special
369