How to perform a fair coin toss experiment over phone?

I was recently asked this question by my friend. Suppose the two individuals participating in a toss are not near each other, but could communicate over a telephone. How does one construct a fair coin toss experiment that is mutually agreeable to both of them? They can't agree on a function of quantities like the time or the telephone number, as these decide the winner a priori (before the experiment is conducted).

I suggested they disconnect the call and try again; whoever manages to reach the other first is the winner. But the state machine involved here is a bit complicated to get the simple (0.5,0.5) probabilities.

PS: They do not trust each other, so one of them can't toss a fair coin and convey its outcome to the other. Both of them throwing simultaneously also doesn't work, as the second person has the incentive to lie when they are communicating the results to each other.

Solution 1:

Here's one way to do it. Let's call the two parties Alice and Bob (as is popular to do in cryptography and theoretical computer science more broadly these days).

Alice and Bob agree on a secure hash function $h$. Alice chooses a random string $r_A$ and Bob chooses a random string $r_B$. Bob tells Alice $r_B$.

Now, Alice flips a coin, call the result $x$. Alice sends $h(x,r_A,r_B)$ to Bob and asks Bob to call the toss. Let's say Bob calls $y$. Then Alice tells Bob $(x,r_A)$ and he can verify himself that $x = y$ by checking that $h(x,r_A,r_B) = h(y,r_A,r_B)$. In this way if Bob called it wrong, then Alice can prove that he was wrong.

Obviously, if Bob calls the coin flip correctly, then the two hashes match. Moreover, it's extremely hard for Alice to cheat because if Bob says "tails" for example when the coin toss was indeed "tails" but Alice wants to trick him into thinking it was "heads", she'd have to come up with a random string $r$ such that $h(H,r,r_B) = h(T,r_A,r_B)$, which is hard by the assumption that $h$ is a secure hash function and the fact that Bob chose $r_B$. Essentially, the purpose of $r_A$ and $h$ are to make Alice "commit" to her initial toss $x$. The point of $r_B$ is so that, without it, Alice might pick some $r_A$ for which she knows another string $r$ which might let her lie.

Solution 2:

This was answered by Manuel Blum in 1983.

http://dl.acm.org/citation.cfm?id=1008911

Blum proposed a scheme that is similar in security to RSA.

Edit: Here is a summary of Blum's approach.

1. Alice chooses two large prime numbers $p$ and $q$, with the property $p \equiv 3 \mod 4$ and $q \equiv 3 \mod 4$. She computes the number $n = pq$ and reads it to Bob over the phone. She keeps the numbers $p$ and $q$ secret.

2. Bob chooses a random integer $x$ between $1$ and $n$. He computes the square $a = x^2 \mod n$ and reads it to Alice over the phone. He keeps the number $x$ secret.

3. Since Alice knows the factorization of n, she can compute the square roots of $a$ modulo $n$. There are four such square roots, let's say $x$ and $n-x$ and $x'$ and $n-x'$. Alice can compute them all, but she does not know which number Bob has chosen. Alice chooses one of these square roots and reads it to Bob over the phone.

4. Bob compares the number read to him over the phone to the number that he chose. If Alice communicated the number $x$ or $n-x$, he says to Alice "you win, but you must now tell me the factors $p$ and $q$". Then Alice reads the factors $p$ and $q$ to him over the phone, and Bob can check that they are both prime numbers and that $n = pq$. The game is over, and Alice has won.

5. If Alice communicated the number $x'$ or $n-x'$, Bob can use this information and the fact that he knows the other square root, namely $x$, to find the factors of $n$. He does this, and he says to Alice "you lose, here are your factors". The game is over, and Bob has won.