4

Alice and Bob have divorced (Bob had an affair with Eve ). Now they quarrel about who gets the computer. They could throw a fair coin, but alas, they aren't at the same place. Neither do they trust each other or any mediator (otherwise they could both send a number to a third party, if the sum is even etc.).

Is there a no-trust protocol simulating a fair coin?

Hauke Reddmann
  • 735
  • Please show your work. – user2661923 Apr 11 '23 at 10:43
  • In the example given, what does "fair" mean? In normal English I would assume this means 50/50 chance of heads or tails. But even if the flipper has the option to choose a skewed coin, as long as the "flipper" has no information on how the "chooser" is going to guess -- P(win)==P(loss) no matter what coin is chosen? – Chuu Apr 11 '23 at 17:26
  • @Chuu: "Fair"=Alice and Bob both have exactly the same chance to get the computer (exact details of the protocol not relevant for them). – Hauke Reddmann Apr 11 '23 at 17:31
  • @HaukeReddmann It's probably too late to edit the question or title, but that is a significantly easier problem than asking how to simulate a "fair coin" flip, as the answers show. – Chuu Apr 11 '23 at 17:36

3 Answers3

3

This is known as coin-flipping protocol.

Assuming parties are computationally bounded and there exists a collision-free hash function (function $h$ s.t. solving $h(a) = h(b), a \neq b$ is hard), there is a simple protocol: Alice generates a random bit $x_a$ as well as long random string $y_a$, and sends hash of $y_a\#x_a$ to Bob, Bob similarly sends hash of $y_b\#x_b$ to Alice. Then they reveal $x$ and $y$ to each other, check that everything was correct, and say that final answer is $y_a \oplus y_b$. If at least one of them was honest, the final result will be fair.

In case of computationally unbounded parties, we can't guarantee perfect fairness - best we can do with $r$ rounds of communication is $O(1 / r)$ bias, see "An optimally fair coin toss" by Moran, Naor, Segev.

mihaild
  • 15,368
  • What would it mean to be dishonest in this context? – MJD Apr 11 '23 at 11:05
  • Generating $x$ by some non-uniform distribution (for example, choosing it). – mihaild Apr 11 '23 at 11:16
  • It's still fair even if neither bit is random: it's called Choosies. – MJD Apr 11 '23 at 11:32
  • 2
    No, if, for example, both Alice and Bob for sure choose $x_a = x_b = 0$, then they don't simulate a fair coin. And I am confused: how is game you linked relates to the question? – mihaild Apr 11 '23 at 11:36
  • I would think an improvement would be to have parties sequentially reveal what the hash values would be if the first 0, 1, 2, etc. nybbles of y were all zero, before either reveals x. This would ensure that if Alice had received enough data from Bob to be able to quickly determine Bob's x value, Bob would have received enough value from Alice to recover Alice's y in a plausible length of time (if Alice had 100 times as much computing power as Bob, the hashes were sent at one-second intervals, and Alice received one more nybble of Bob's y than Bob received of Alice's, then... – supercat Apr 11 '23 at 17:39
  • ...it should take Bob about 1,600 seconds to compute Alice's y in the event that Alice were to "lose" it after discovering that the coin flip would be unfavorable for her. – supercat Apr 11 '23 at 17:41
  • Something like this makes sense if we add stronger requirements than "if everybody follows the protocol, we get result; otherwise, we know who didn't follow the protocol", although it's possible that how difficult it is to reverse $h$ depends on input. But I think even formulating such requirements is harder then the original problem. – mihaild Apr 11 '23 at 18:31
1

A standard number theoretic approach:

$A$ selects two large primes ($p,q$) without revealing them. $A$ computes $N=pq$ and passes $N$ to $B$.

$B$ chooses an integer $0<m<N$, computes $m^2\pmod N$ and passes that to $A$.

$A$ extracts all $4$ square roots of $m^2\pmod N$. Here one is to imagine that $p,q$ are chosen to be of a scale where it is possible to do that, while $N$ is too large. Of course the square roots come in pairs, $\pm a, \pm b$.

$A$ then guesses which of those pairs $B$ used and passes the guess on to $B$. If $A$ is correct, $A$ wins. If $A$ is wrong, $B$ wins and $B$ can prove it by (easily) factoring $N$. That's a quick exercise given all the square, see, e.g., this question.

Note: It is possible for $B$ to "cheat" by pretending that $A$ guessed correctly even if $A$ was wrong. Of course, that's not the form of cheating people are generally worried about.

lulu
  • 70,402
0

Yes, there is a no-trust protocol that simulates a fair coin flip. It's called the "Mental Poker" protocol, and it allows two parties to play a fair game of poker without revealing their cards to each other or a third party. Here's how it would work:

  1. Alice and Bob agree on a large prime number, $p$ and a generator $g$ where $g$ is a primitive root modulo $p$.

  2. Alice chooses a random secret number $a$ between $1$ and $p-1$ and sends Bob the value $A = g^a$ mod $p$.

  3. Bob chooses a random secret number $b$ between $1$ and $p-1$ and sends Alice the value $B = g^b$ mod $p$.

  4. Alice computes $K = B^a$ mod $p$.

  5. Bob computes $K = A^b$ mod $p$.

Both Alice and Bob now have the same $K$, which is a shared secret. They can use $K$ to generate a random bit by computing $K$ mod $2$. If the result is $0$, they say the coin came up heads. If the result is $1$, they say the coin came up tails.

RyRy the Fly Guy
  • 5,950
  • 1
  • 11
  • 27
  • 1
    I personally like this version best (also due to symmetry) - it even has a Wiki page. (OK, could have done more research, but how should I guess THAT title...) – Hauke Reddmann Apr 12 '23 at 07:16