How to perform a fair coin toss experiment over phone?

Question

I was recently asked this question by my friend. Suppose the two individuals participating in a toss are not near each other, but could communicate over a telephone. How does one construct a fair coin toss experiment that is mutually agreeable to both of them? They can't agree on a function of quantities like the time or the telephone number, as these decide the winner a priori (before the experiment is conducted).

I suggested they disconnect the call and try again; whoever manages to reach the other first is the winner. But the state machine involved here is a bit complicated to get the simple (0.5,0.5) probabilities.

PS: They do not trust each other, so one of them can't toss a fair coin and convey its outcome to the other. Both of them throwing simultaneously also doesn't work, as the second person has the incentive to lie when they are communicating the results to each other.

It strikes me as more of a computer science-related question than mathematics-related, but I'm not sure, so I won't vote to close for now... — tomasz, Nov 17 '12 at 13:28

score 20 · Accepted Answer · edited Oct 26 '13 at 21:57

Here's one way to do it. Let's call the two parties Alice and Bob (as is popular to do in cryptography and theoretical computer science more broadly these days).

Alice and Bob agree on a secure hash function $h$. Alice chooses a random string $r_A$ and Bob chooses a random string $r_B$. Bob tells Alice $r_B$.

Now, Alice flips a coin, call the result $x$. Alice sends $h(x,r_A,r_B)$ to Bob and asks Bob to call the toss. Let's say Bob calls $y$. Then Alice tells Bob $(x,r_A)$ and he can verify himself that $x = y$ by checking that $h(x,r_A,r_B) = h(y,r_A,r_B)$. In this way if Bob called it wrong, then Alice can prove that he was wrong.

Obviously, if Bob calls the coin flip correctly, then the two hashes match. Moreover, it's extremely hard for Alice to cheat because if Bob says "tails" for example when the coin toss was indeed "tails" but Alice wants to trick him into thinking it was "heads", she'd have to come up with a random string $r$ such that $h(H,r,r_B) = h(T,r_A,r_B)$, which is hard by the assumption that $h$ is a secure hash function and the fact that Bob chose $r_B$. Essentially, the purpose of $r_A$ and $h$ are to make Alice "commit" to her initial toss $x$. The point of $r_B$ is so that, without it, Alice might pick some $r_A$ for which she knows another string $r$ which might let her lie.

Hans Engler · Answer 2 · 2018-10-15T02:08:51.123

This was answered by Manuel Blum in 1983.

http://dl.acm.org/citation.cfm?id=1008911

Blum proposed a scheme that is similar in security to RSA.

Edit: Here is a summary of Blum's approach.

Alice chooses two large prime numbers $p$ and $q$, with the property $p \equiv 3 \mod 4$ and $q \equiv 3 \mod 4$. She computes the number $n = pq$ and reads it to Bob over the phone. She keeps the numbers $p$ and $q$ secret.
Bob chooses a random integer $x$ between $1$ and $n$. He computes the square $a = x^2 \mod n$ and reads it to Alice over the phone. He keeps the number $x$ secret.
Since Alice knows the factorization of n, she can compute the square roots of $a$ modulo $n$. There are four such square roots, let's say $x$ and $n-x$ and $x'$ and $n-x'$. Alice can compute them all, but she does not know which number Bob has chosen. Alice chooses one of these square roots and reads it to Bob over the phone.
Bob compares the number read to him over the phone to the number that he chose. If Alice communicated the number $x$ or $n-x$, he says to Alice "you win, but you must now tell me the factors $p$ and $q$". Then Alice reads the factors $p$ and $q$ to him over the phone, and Bob can check that they are both prime numbers and that $n = pq$. The game is over, and Alice has won.
If Alice communicated the number $x'$ or $n-x'$, Bob can use this information and the fact that he knows the other square root, namely $x$, to find the factors of $n$. He does this, and he says to Alice "you lose, here are your factors". The game is over, and Bob has won.

I'm a little confused, for it seems that not all $x$ have the property that $x^2$ will have four roots. For instance, take $n = 11 \times 19 = 209$, and $x = 11$. Then $x^2 = 121$, and $121$ only has two roots, $11$ and $-11$. Am I missing something? — Théophile, Jul 09 '13 at 22:23
If $x \equiv 0 \mod p$, then $x^2$ will have only two roots $\mod pq$ (unless also $x \equiv 0 \mod q$). This is such a case. — Hans Engler, Jul 10 '13 at 14:49
Ah, I see. Thank you. So Bob should avoid multiples of $p$ or $q$ ... but if he can find them in the first place, then Alice should have chosen bigger primes; therefore Bob need not worry about this. Got it. — Théophile, Jul 12 '13 at 18:38
I'd like to point out that in the answer from Hans Engler in step 2, Bob computes the $a \equiv x^2 \mod n$, not only the square. Otherwise, Alice would easily know $x$ by taking the square root of $a$. — Markus Waas, Oct 14 '18 at 09:58

Dan Brumleve · Answer 3 · 2012-11-17T14:06:46.810

One person imagines a number $x$, computes its hash, and speaks that hash into the telephone, promising that the value of $x$ to be revealed later hashes to the spoken hash. The other person then calls the shot, which is a bit. Then the first person reveals $x$, the second verifies that its hash corresponds to what was heard over the telephone, and if the lowest bit of $x$ matches the shot then the coin is HEADS; otherwise the coin is TAILS.

score 3 · Answer 4 · answered Nov 17 '12 at 13:19

3

The first asks a hard yes/no question and the second agrees to answer fast enough that finding the answer is nearly impossible. Then both can check what the real answer was. Example questions include "does the 1000th prime number contain a digit 9" or "is the number of black cells on the 1000th iteration of rule 110 even". A question can be found, such that even a computer would take a minute to answer. Demanding a fast response from the second person is key.

answered Nov 17 '12 at 13:19

Karolis Juodelė

9,778

1

Well, but if no one trust each other, i don't think both of them can memorize the hard question after just heard it so they may argue about the questions. – Mathematics Nov 17 '12 at 13:23
A hard question does not need to be long. – Karolis Juodelė Nov 17 '12 at 13:28
@KarolisJuodelė: But it does need to be a fifty-fifty question, so you should probably consider binary expansions instead of decimal. ;) – tomasz Nov 17 '12 at 13:30
If there's no trust, the first can just ask a question to which he already knows the answer. – Alan Guo Nov 17 '12 at 13:41
@AlanGuo, that's the idea. Essentially the player 2 is trying to guess whether the answer to the question player 1 made up is "yes" or "no". – Karolis Juodelė Nov 17 '12 at 14:40
Oh I misread - I thought they were racing to answer it. – Alan Guo Nov 17 '12 at 14:52
@tomasz, the probability that a certain statement is true is 1 or 0. The idea is that player 2 does not know which answer is more likely. Surely player 1 can pick such question and surely then the probability of the right answer is 0.5. For example, if 2 does not know Fermat's last theorem (and can't approximate well), 1 can ask whether $12^{999} + 13^{999} = 14^{999}$. Of course a question like that is a gamble on 1's side. – Karolis Juodelė Nov 17 '12 at 14:52
@KarolisJuodelė: I think considerations like that make asking the question a bit too psychologically involved. I think it's better to just choose a question so that either answer is a priori equally likely, for example, what is the $n$th least significant binary digit of $m$th prime number, where $n,m$ are natural numbers and $m$ is large (and greater than $2^n$), and both are chosen at random. – tomasz Nov 17 '12 at 15:14
@tomasz, are you sure that, for example, $\nexists N$ such that $\forall$ primes $p > N$, 15th binary digit of $p$ is 1? There is no such thing as a fifty-fifty question, only a question that you know very little about. – Karolis Juodelė Nov 17 '12 at 15:57
@KarolisJuodelė: I'm pretty sure. It would follow from Dirichlet's theorem on arithmetic progressions, for example (notice that I specified 15th least significant digit). A perfect fifty-fifty question would be asking the result of a large iteration of a perfect semirandom number generator for a given seed, and I believe what I specified should work well enough. Still, it was just an example. Note that I did not downvote, if that's what you were thinking. – tomasz Nov 17 '12 at 19:40
@tomasz, I don't see how this follows from Dirichlet's theorem. My intuition why 15th digit needs not be random is that 1st isn't. I'm asking this out of pure interest, by the way.
While your method with perfect randomness would definitely work, my point is that this condition is entirely unnecessary.

You may think of my suggestion like this. Player 1 chooses "yes" or "no" and encodes it (in a computationally hard problem). Player 2 guesses what 1 chose and can then check whether he was right (by solving the problem).
– Karolis Juodelė Nov 17 '12 at 20:18
@KarolisJuodelė: what I mean is that when doing the "encoding" there's some psychological element involved. Using the perfect randomness that can be avoided by asking a question that neither player knows the answer to in advance. It follows if you take, for instance, the progression which starts with $2^{15}-1$ (or $2^{14}-1$ to get zeroes) with the difference $2^{15}$. Again, I suggested looking at least significant digits. – tomasz Nov 18 '12 at 02:24

score 0 · Answer 5 · answered Apr 26 '16 at 03:40

0

One party chooses a town in your state; the other party immediately states odd or even. Let's say the zip code ends in an even number. So even would win and odd would lose. This is how we have done a "coin flip" over the phone before.

answered Apr 26 '16 at 03:40

Lexi

11

1

I'm not sure how this will work. – Shailesh Apr 26 '16 at 03:48
1

Are zip codes evenly distributed between evens and odds? And what about the fact that many (most?) cities have several if not dozens of different zip codes? – Apr 26 '16 at 06:25

john_hatten2 · Answer 6 · 2024-12-12T12:58:39.280

This post made me think a lot over night, i was mostly trying to find a solution (and a good hash function) that i could explain to my grandma. Let's assume I play with my grandma and she toss the coin. Basically, here are the rules I made up.

1- Let's separate the hash question (Hq) and hash function (Hf).

2- The hash function takes 2 parameters. Let Hf(x, Hq), with x = head or tail, and Hf a possible answer to the hash function. It's impossible to track back Hf(x, Hq) to Hq. For a fixed Hq answer, Hf(tail, Hq) and Hf(head, Hq) must give a different number, and take the same amount of time to compute. For a varying Hq, it would take an unreasonable amount of time to find a new Hq that outputs both the same Hf(tail, Hq) and Hf(head, Hq).

3- The person who toss the coin must not have prior knowledge of the hash question/function and potential answers, the game itself must be fast so they cannot change its answer.

Example : The hash question is to find a restaurant in some random city. The hash function is to take the phone number of that restaurant. If head, double this number, if tail, divide this number by 2 and round down. Then, add up all the digits together.

1- my grandma choose "McDonald". She toss the coin : tail. She computes Hf(tail, McDonald) = 34. She tell me 34.

2- She also compute and tell me Hf(head, McDonald) = 40. This is a double security.

3- All I know is she rolled 34 and the other answer is 40. I have not idea what are x and Hq yet. I will make the following guess : head.

4- Grandma must give me both her x and Hq, which is "tail" and "McDonald". If she wanted to cheat here, she would need to find a new restaurant which give the opposite hash return values. Hopefully, since the end of step 1, she didn't have more than few seconds to do this. Grandma knows she won.

5- I have all informations needed to confirm the answer. I look for the McDonald phone number, compute both hashes and validate they match both hashes I received earlier.

Note : There is a very hard tradeoff to make these "grandma friendly" while respecting all the rules to make it secure. Let me know if you think of something else

How to perform a fair coin toss experiment over phone?

6 Answers6

Linked