Robust Coin Flipping


Alice seeks an information-theoretically secure source of private random data. Unfortunately, she lacks a personal source and must use remote sources controlled by other parties. Alice wants to simulate a coin flip of specified bias $\alpha$, as a function of data she receives from $p$ sources; she seeks privacy from any coalition of $r$ of them. We show: If $p/2 \leq r < p$, the bias can be any rational number and nothing else; if $0 < r < p/2$, the bias can be any algebraic number and nothing else. The proof uses projective varieties, convex geometry, and the probabilistic method. Our results improve on those laid out by Yao, who asserts one direction of the $r=1$ case in his seminal paper [Yao82]. We also provide an application to secure multiparty computation.
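As an added illustration (not code from the paper or from this page), the Python sketch below exhaustively checks a standard construction for a rational bias $k/n$ against coalitions of $r = p-1$ sources: each source sends a uniform element of $\mathbb{Z}_n$ and Alice outputs heads when the sum mod $n$ is below $k$. The construction, the function names, the single-source baseline, and the reading of privacy as "the flip's distribution is unchanged given the coalition's values" are assumptions of this example.

```python
from fractions import Fraction
from itertools import combinations, product


def sum_flip(samples, k, n):
    """Heads (1) iff the sum of all sources' samples mod n is below k."""
    return 1 if sum(samples) % n < k else 0


def single_source_flip(samples, k, n):
    """Weak baseline (constructed for contrast): trusts source 0 alone."""
    return 1 if samples[0] % n < k else 0


def bias(flip, p, k, n):
    """Exact P(heads) when all p sources are uniform on Z_n."""
    heads = sum(flip(s, k, n) for s in product(range(n), repeat=p))
    return Fraction(heads, n ** p)


def conditional_biases(flip, p, r, k, n):
    """Every value of P(heads | coalition's samples), over all coalitions
    of r sources and all values those sources could hold or choose."""
    seen = set()
    for coalition in combinations(range(p), r):
        rest = [i for i in range(p) if i not in coalition]
        for known in product(range(n), repeat=r):
            heads = 0
            for hidden in product(range(n), repeat=len(rest)):
                samples = [0] * p
                for i, v in zip(coalition, known):
                    samples[i] = v
                for i, v in zip(rest, hidden):
                    samples[i] = v
                heads += flip(samples, k, n)
            seen.add(Fraction(heads, n ** len(rest)))
    return seen


def is_private(flip, p, r, k, n):
    """True iff the flip stays Bernoulli(k/n) whatever r sources know or send."""
    return conditional_biases(flip, p, r, k, n) == {Fraction(k, n)}


if __name__ == "__main__":
    p, k, n = 3, 2, 5  # constructed parameters: three sources, target bias 2/5
    print(bias(sum_flip, p, k, n), is_private(sum_flip, p, p - 1, k, n))
    print(is_private(single_source_flip, p, 1, k, n))
```

The check is exponential in $p$ and only meant for small parameters; with $r = p$ it reports a failure, matching the requirement $r < p$ in the abstract.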


💡 Research Summary

The paper addresses the fundamental problem of generating a privately shared random bit with a prescribed bias α when the only available randomness comes from p remote parties that may be untrusted. Alice, lacking any personal source of entropy, must combine the data received from these parties to simulate a biased coin flip while guaranteeing that any coalition of at most r parties learns nothing about the individual inputs of the honest parties. This security requirement is called r‑privacy.

The authors first formalize the set of feasible probability vectors v ∈ ℝ^p that satisfy the r‑privacy constraints. These constraints are linear inequalities that bound the total weight that any subset of size ≤ r can contribute, yielding a convex polytope C_{p,r}. The desired bias α is simply the average of the coordinates of v, i.e., α = (1/p)·∑_{i=1}^{p} v_i. Consequently, the problem reduces to asking which real numbers can appear as the average of a point inside C_{p,r}.

The main technical contribution is a complete characterization of this set in terms of the relationship between p and r.

  • Case p/2 ≤ r < p: The polytope C_{p,r} has vertices only at the 0‑1 vectors, which means every feasible point is a rational convex combination of these vertices. Hence the average α must be a rational number. Conversely, for any rational α ∈
