## Abstract

In his seminal work, Cleve [STOC ’86] has proved that any r-round coin-flipping protocol

can be efficiently biased by Θ(1/r). This lower bound was met for the two-party case by

Moran, Naor, and Segev [Journal of Cryptology ’16], and the three-party case (up to a polylog

factor) by Haitner and Tsfadia [SICOMP ’17], and was approached for n-party protocols when

n < loglog r by Buchbinder, Haitner, Levi, and Tsfadia [SODA ’17]. For n > loglog r, however,

the best bias for n-party coin-flipping protocols remains O(n/√

r) achieved by the majority

protocol of Awerbuch, Blum, Chor, Goldwasser, and Micali [Manuscript ’85].

Our main result is a tighter lower bound on the bias of coin-flipping protocols, showing that,

for every constant ε > 0, an r

ε

-party r-round coin-flipping protocol can be efficiently biased by

Ω(1 e /

√

r). As far as we know, this is the first improvement of Cleve’s bound, and is only n = r

ε

(multiplicative) far from the aforementioned upper bound of Awerbuch et al.

We prove the above bound using two new results that we believe are of independent interest.

The first result is that a sequence of (“augmented”) weak martingales have large gap: with

constant probability there exists two adjacent variables whose gap is at least the ratio between

the gap between the first and last variables and the square root of the number of variables.

This generalizes over the result of Cleve and Impagliazzo [Manuscript ’93], who showed that the

above holds for strong martingales, and allows in some setting to exploit this gap by efficient

algorithms. We prove the above using a novel argument that does not follow the more complicated approach of [12]. The second result is a new sampling algorithm that uses a differentially

private mechanism to minimize the effect of data divergence.

can be efficiently biased by Θ(1/r). This lower bound was met for the two-party case by

Moran, Naor, and Segev [Journal of Cryptology ’16], and the three-party case (up to a polylog

factor) by Haitner and Tsfadia [SICOMP ’17], and was approached for n-party protocols when

n < loglog r by Buchbinder, Haitner, Levi, and Tsfadia [SODA ’17]. For n > loglog r, however,

the best bias for n-party coin-flipping protocols remains O(n/√

r) achieved by the majority

protocol of Awerbuch, Blum, Chor, Goldwasser, and Micali [Manuscript ’85].

Our main result is a tighter lower bound on the bias of coin-flipping protocols, showing that,

for every constant ε > 0, an r

ε

-party r-round coin-flipping protocol can be efficiently biased by

Ω(1 e /

√

r). As far as we know, this is the first improvement of Cleve’s bound, and is only n = r

ε

(multiplicative) far from the aforementioned upper bound of Awerbuch et al.

We prove the above bound using two new results that we believe are of independent interest.

The first result is that a sequence of (“augmented”) weak martingales have large gap: with

constant probability there exists two adjacent variables whose gap is at least the ratio between

the gap between the first and last variables and the square root of the number of variables.

This generalizes over the result of Cleve and Impagliazzo [Manuscript ’93], who showed that the

above holds for strong martingales, and allows in some setting to exploit this gap by efficient

algorithms. We prove the above using a novel argument that does not follow the more complicated approach of [12]. The second result is a new sampling algorithm that uses a differentially

private mechanism to minimize the effect of data divergence.

Original language | English |
---|---|

Number of pages | 52 |

Journal | Electronic Colloquium on Computational Complexity |

Volume | 24 |

State | Published - 2021 |