16
$\begingroup$

I was recently asked this question by my friend. Suppose the two individuals participating in a toss are not near each other, but could communicate over a telephone. How does one construct a fair coin toss experiment that is mutually agreeable to both of them? They can't agree on a function of quantities like the time or the telephone number, as these decide the winner a priori (before the experiment is conducted).

I suggested they disconnect the call and try again; whoever manages to reach the other first is the winner. But the state machine involved here is a bit complicated to get the simple (0.5,0.5) probabilities.

PS: They do not trust each other, so one of them can't toss a fair coin and convey its outcome to the other. Both of them throwing simultaneously also doesn't work, as the second person has the incentive to lie when they are communicating the results to each other.

  • 0
    It strikes me as more of a computer science-related question than mathematics-related, but I'm not sure, so I won't vote to close for now...2012-11-17

5 Answers 5

15

Here's one way to do it. Let's call the two parties Alice and Bob (as is popular to do in cryptography and theoretical computer science more broadly these days).

Alice and Bob agree on a secure hash function $h$. Alice chooses a random string $r_A$ and Bob chooses a random string $r_B$. Bob tells Alice $r_B$.

Now, Alice flips a coin, call the result $x$. Alice sends $h(x,r_A,r_B)$ to Bob and asks Bob to call the toss. Let's say Bob calls $y$. Then Alice tells Bob $(x,r_A)$ and he can verify himself that $x = y$ by checking that $h(x,r_A,r_B) = h(y,r_A,r_B)$. In this way if Bob called it wrong, then Alice can prove that he was wrong.

Obviously, if Bob calls the coin flip correctly, then the two hashes match. Moreover, it's extremely hard for Alice to cheat because if Bob says "tails" for example when the coin toss was indeed "tails" but Alice wants to trick him into thinking it was "heads", she'd have to come up with a random string $r$ such that $h(H,r,r_B) = h(T,r_A,r_B)$, which is hard by the assumption that $h$ is a secure hash function and the fact that Bob chose $r_B$. Essentially, the purpose of $r_A$ and $h$ are to make Alice "commit" to her initial toss $x$. The point of $r_B$ is so that, without it, Alice might pick some $r_A$ for which she knows another string $r$ which might let her lie.

11

This was answered by Manuel Blum in 1983.

http://dl.acm.org/citation.cfm?id=1008911

Blum proposed a scheme that is similar in security to RSA.

Edit: Here is a summary of Blum's approach.

  1. Alice chooses two large prime numbers $p$ and $q$, with the property $p \equiv 3 \mod 4$ and $q \equiv 3 \mod 4$. She computes the number $n = pq$ and reads it to Bob over the phone. She keeps the numbers $p$ and $q$ secret.

  2. Bob chooses a random integer $x$ between $1$ and $n$. He computes the square $a = x^2 \mod n$ and reads it to Alice over the phone. He keeps the number $x$ secret.

  3. Since Alice knows the factorization of n, she can compute the square roots of $a$ modulo $n$. There are four such square roots, let's say $x$ and $n-x$ and $x'$ and $n-x'$. Alice can compute them all, but she does not know which number Bob has chosen. Alice chooses one of these square roots and reads it to Bob over the phone.

  4. Bob compares the number read to him over the phone to the number that he chose. If Alice communicated the number $x$ or $n-x$, he says to Alice "you win, but you must now tell me the factors $p$ and $q$". Then Alice reads the factors $p$ and $q$ to him over the phone, and Bob can check that they are both prime numbers and that $n = pq$. The game is over, and Alice has won.

  5. If Alice communicated the number $x'$ or $n-x'$, Bob can use this information and the fact that he knows the other square root, namely $x$, to find the factors of $n$. He does this, and he says to Alice "you lose, here are your factors". The game is over, and Bob has won.

  • 0
    I'm a little confused, for it seems that not all $x$ have the property that $x^2$ will have four roots. For instance, take $n = 11 \times 19 = 209$, and $x = 11$. Then $x^2 = 121$, and $121$ only has two roots, $11$ and $-11$. Am I missing something?2013-07-09
  • 0
    If $x \equiv 0 \mod p$, then $x^2$ will have only two roots $\mod pq$ (unless also $x \equiv 0 \mod q$). This is such a case.2013-07-10
  • 0
    Ah, I see. Thank you. So Bob should avoid multiples of $p$ or $q$ ... but if he can find them in the first place, then Alice should have chosen bigger primes; therefore Bob need not worry about this. Got it.2013-07-12
  • 0
    I'd like to point out that in the [answer from Hans Engler](https://math.stackexchange.com/a/239231/604043) in step 2, Bob computes the $a \equiv x^2 \mod n$, not only the square. Otherwise, Alice would easily know $x$ by taking the square root of $a$.2018-10-14
  • 0
    @MarkusWaas - Thanks, I corrected my answer.2018-10-15
9

One person imagines a number $x$, computes its hash, and speaks that hash into the telephone, promising that the value of $x$ to be revealed later hashes to the spoken hash. The other person then calls the shot, which is a bit. Then the first person reveals $x$, the second verifies that its hash corresponds to what was heard over the telephone, and if the lowest bit of $x$ matches the shot then the coin is HEADS; otherwise the coin is TAILS.

2

The first asks a hard yes/no question and the second agrees to answer fast enough that finding the answer is nearly impossible. Then both can check what the real answer was. Example questions include "does the 1000th prime number contain a digit 9" or "is the number of black cells on the 1000th iteration of rule 110 even". A question can be found, such that even a computer would take a minute to answer. Demanding a fast response from the second person is key.

  • 1
    Well, but if no one trust each other, i don't think both of them can memorize the hard question after just heard it so they may argue about the questions.2012-11-17
  • 0
    A hard question does not need to be long.2012-11-17
  • 0
    @KarolisJuodelė: But it does need to be a fifty-fifty question, so you should probably consider binary expansions instead of decimal. ;)2012-11-17
  • 0
    If there's no trust, the first can just ask a question to which he already knows the answer.2012-11-17
  • 0
    @AlanGuo, that's the idea. Essentially the player 2 is trying to guess whether the answer to the question player 1 made up is "yes" or "no".2012-11-17
  • 0
    Oh I misread - I thought they were racing to answer it.2012-11-17
  • 0
    @tomasz, the probability that a certain statement is true is 1 or 0. The idea is that player 2 does not know which answer is more likely. Surely player 1 can pick such question and surely then the probability of the right answer is 0.5. For example, if 2 does not know Fermat's last theorem (and can't approximate well), 1 can ask whether $12^{999} + 13^{999} = 14^{999}$. Of course a question like that is a gamble on 1's side.2012-11-17
  • 0
    @KarolisJuodelė: I think considerations like that make asking the question a bit too psychologically involved. I think it's better to just choose a question so that either answer is a priori equally likely, for example, what is the $n$th least significant binary digit of $m$th prime number, where $n,m$ are natural numbers and $m$ is large (and greater than $2^n$), and both are chosen at random.2012-11-17
  • 0
    @tomasz, are you sure that, for example, $\nexists N$ such that $\forall$ primes $p > N$, 15th binary digit of $p$ is 1? There is no such thing as a fifty-fifty question, only a question that you know very little about.2012-11-17
  • 0
    @KarolisJuodelė: I'm pretty sure. It would follow from Dirichlet's theorem on arithmetic progressions, for example (notice that I specified 15th *least* significant digit). A perfect fifty-fifty question would be asking the result of a large iteration of a perfect semirandom number generator for a given seed, and I believe what I specified should work well enough. Still, it was just an example. Note that I did not downvote, if that's what you were thinking.2012-11-17
  • 0
    @tomasz, I don't see how this follows from Dirichlet's theorem. My intuition why 15th digit needs not be random is that 1st isn't. I'm asking this out of pure interest, by the way. While your method with perfect randomness would definitely work, my point is that this condition is entirely unnecessary. You may think of my suggestion like this. Player 1 chooses "yes" or "no" and encodes it (in a computationally hard problem). Player 2 guesses what 1 chose and can then check whether he was right (by solving the problem).2012-11-17
  • 0
    @KarolisJuodelė: what I mean is that when doing the "encoding" there's some psychological element involved. Using the perfect randomness that can be avoided by asking a question that neither player knows the answer to in advance. It follows if you take, for instance, the progression which starts with $2^{15}-1$ (or $2^{14}-1$ to get zeroes) with the difference $2^{15}$. Again, I suggested looking at least significant digits.2012-11-18
-1

One party chooses a town in your state; the other party immediately states odd or even. Let's say the zip code ends in an even number. So even would win and odd would lose. This is how we have done a "coin flip" over the phone before.

  • 1
    I'm not sure how this will work.2016-04-26
  • 1
    Are zip codes evenly distributed between evens and odds? And what about the fact that many (most?) cities have several if not dozens of different zip codes?2016-04-26