Hi all,

I've been trying to develop a provably fair scheme that would work with multiple players (e.g. multiple players each betting on the same coin flip). After doing some research[0][1], I'm drawn to the conclusion that such a scheme is impossible to achieve.

As with the 2 party provably fair scheme, we assume in our model that the "House" knows how each players will bet in advance (because players can be predictable in practice). The coin toss can be represented as 0 = Heads and 1 = Tails. The final outcome is determined by adding up all the coin tosses, checking if it's even for Tails and Heads otherwise (this is equivalent to XORing all the tosses). A commitment is a secure one way function (e.g. sha256(nonce + value)).

1) House, Alice and Bob each pick a coin toss and share a commitment to all (so that they can't alter it during the reveal phase)

2) Alice reveals coin toss

3) Bob reveals coin toss

4) House reveals coin toss

So far so good: all of the participants had an input in the coin toss and none of them could have influenced it somehow in their favor.

The issue arises when Bob is in fact a puppet of the House (e.g. Bob is a fake player controlled by the House). After step 2 when Alice reveals her coin toss, the House knows the final outcome (since it already knows Bob's coin toss). If the outcome is unfavorable (e.g. Alice would win her bet), it could make Bob abort the protocol (e.g. "oops, wifi disconnected"). We either have to continue and ignore Bob's coin toss or we cancel the round.

- If we ignore Bob's coin toss, the House now has a 50% chance to lose instead of 100% if Bob hadn't aborted.

- If we cancel the round, the House can never lose: it could just always have Bob abort when it knows it is going to lose.

There appears to be solutions to this problem if

- Majority of players are honest (e.g. using Shamir secret sharing). but that's an overly optimistic assumption from the point of view of a player.

- A trusted third party is allowed.

Possible line of research: each player picks multiple coin tosses instead of just one. Instead of revealing it all at once, use a fair key exchange protocol to exchange the tosses... This would have some drawbacks as well.

Feedback and thoughts appreciated.

0)

https://www.cs.bgu.ac.il/~ilanorv/CryptoFinal.pdf1)

https://link.springer.com/chapter/10.1007/978-3-642-14623-7_29**edit**: this reddit thread appears to confirm what I thought:

https://www.reddit.com/r/crypto/comments/95d8rd/multiparty_random_number_generation/