TY - JOUR

T1 - TIGHTER BOUNDS ON MULTIPARTY COIN FLIPPING VIA AUGMENTED WEAK MARTINGALES AND DIFFERENTIALLY PRIVATE SAMPLING

AU - Beimel, Amos

AU - Haitner, Iftach

AU - Makriyannis, Nikolaos

AU - Omri, Eran

N1 - Publisher Copyright:
© 2022 Society for Industrial and Applied Mathematics.

PY - 2022

Y1 - 2022

N2 - In his seminal work, Cleve [Proceedings of the 18th Annual ACM Symposium on Theory of Computing, 1986, pp. 364-369] has proved that any r-round coin-flipping protocol can be efficiently biased by Θ(1/r). This lower bound was met for the two-party case by Moran, Naor, and Segev [J. Cryptology, 29 (2016), pp. 491-513] and the three-party case (up to a polylog factor) by Haitner and Tsfadia [SIAM J. Comput., 46 (2017), pp. 479-542] and was approached for n-party protocols when n < loglog r by Buchbinder et al. [Proceedings of the 28th Annual ACM-SIAM Symposium on Discrete Algorithms, 2017, pp. 2580-2600]. For n > loglog r, however, the best bias for n-party coin-flipping protocols remains O(n/√r) achieved by the majority protocol of Awerbuch et al. [How to implement Bracha's O(log n) Byzantine Agreement Algorithm, manuscript, 1985]. Our main result is a tighter lower bound on the bias of coin-flipping protocols, showing that, for every constant ϵ > 0, an r^ϵ-party r-round coin-flipping protocol can be efficiently biased by Ω̃(1/√r). As far as we know, this is the first improvement of Cleve's bound and is only n = r^ϵ (multiplicative) far from the aforementioned upper bound of Awerbuch et al. We prove the above bound using two new results that we believe are of independent interest. The first result is that a sequence of ("augmented") weak martingales have large gap: with constant probability there exists two adjacent variables whose gap is at least the ratio between the gap between the first and last variables and the square root of the number of variables. This generalizes over the result of Cleve and Impagliazzo [Martingales, Collective Coin Flipping and Discrete Control Processes (Extended Abstract), http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.51.1797, 1993], who showed that the above holds for strong martingales, and allows in some setting to exploit this gap by efficient algorithms.
We prove the above using a novel argument that does not follow the more complicated approach of R. Cleve and R. Impagliazzo. The second result is a new sampling algorithm that uses a differentially private mechanism to minimize the effect of data divergence.

AB - In his seminal work, Cleve [Proceedings of the 18th Annual ACM Symposium on Theory of Computing, 1986, pp. 364-369] has proved that any r-round coin-flipping protocol can be efficiently biased by Θ(1/r). This lower bound was met for the two-party case by Moran, Naor, and Segev [J. Cryptology, 29 (2016), pp. 491-513] and the three-party case (up to a polylog factor) by Haitner and Tsfadia [SIAM J. Comput., 46 (2017), pp. 479-542] and was approached for n-party protocols when n < loglog r by Buchbinder et al. [Proceedings of the 28th Annual ACM-SIAM Symposium on Discrete Algorithms, 2017, pp. 2580-2600]. For n > loglog r, however, the best bias for n-party coin-flipping protocols remains O(n/√r) achieved by the majority protocol of Awerbuch et al. [How to implement Bracha's O(log n) Byzantine Agreement Algorithm, manuscript, 1985]. Our main result is a tighter lower bound on the bias of coin-flipping protocols, showing that, for every constant ϵ > 0, an r^ϵ-party r-round coin-flipping protocol can be efficiently biased by Ω̃(1/√r). As far as we know, this is the first improvement of Cleve's bound and is only n = r^ϵ (multiplicative) far from the aforementioned upper bound of Awerbuch et al. We prove the above bound using two new results that we believe are of independent interest. The first result is that a sequence of ("augmented") weak martingales have large gap: with constant probability there exists two adjacent variables whose gap is at least the ratio between the gap between the first and last variables and the square root of the number of variables. This generalizes over the result of Cleve and Impagliazzo [Martingales, Collective Coin Flipping and Discrete Control Processes (Extended Abstract), http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.51.1797, 1993], who showed that the above holds for strong martingales, and allows in some setting to exploit this gap by efficient algorithms.
We prove the above using a novel argument that does not follow the more complicated approach of R. Cleve and R. Impagliazzo. The second result is a new sampling algorithm that uses a differentially private mechanism to minimize the effect of data divergence.

KW - augmented weak martingales

KW - coin-flipping

KW - differential privacy

KW - multiparty computation

KW - oblivious sampling

UR - http://www.scopus.com/inward/record.url?scp=85135700757&partnerID=8YFLogxK

U2 - 10.1137/18M1210782

DO - 10.1137/18M1210782

M3 - Article

AN - SCOPUS:85135700757

SN - 0097-5397

VL - 51

SP - 1126

EP - 1171

JO - SIAM Journal on Computing

JF - SIAM Journal on Computing

IS - 4

ER -