$n$ seems to be picked by Bob or a trusted third party:
As Lindell already mentioned, the n is also tested by the other party.
Alternative
Here's an alternative protocol using non-malleable commitments:
- Alice and Bob commit to a random $r_a, r_b \leftarrow \{0,1\}$
- Bob additionally commits to the outcome $c$ they predict the coin-toss to have
- Everything is revealed, and Bob wins if $r_a \oplus r_b = c$
If either party is malicious they can't meaningfully influence the result since the other parties randomness is added to the final coin flip.
If every message is signed (together with some transcript hash), you could probably also prove the outcome of the run to a third party (the court).
Optimization
The guess $c$ can be optimized away: since $r_a \oplus r_b$ is uniformly distributed, and Bob doesn't know it, there's no point in making a guess.
Bob can just always guess a fixed value.
Furthermore, as Lindell mentioned in the comments, Bob doesn't need to commit to their value.
Full Protocol
For completeness here's a full protocol:
- $B \to A$: nonce $n_B$
- $A \to B$: $\{B \| n_A \| n_B \| \mathrm{Commit}(r_a)\}_{sk_A}$
- $B \to A$: $\{A \| n_A \| n_B \| r_b\}_{sk_B}$
- $A \to B$: $\{B \| n_A \| n_B \| r_a\}_{sk_A}$
Where $\{x\}_{sk}$ denotes $x \| \mathrm{Sign}_{sk}(x)$, the plaintext and its signature under the signing key $sk$.
