Multiparty Strict Coin-Tossing Protocols Based on the Eigenvalue

.e coin-tossing protocol is an important research area in cryptography. It generates a random bit with uniform distribution even if some participants might fraud. However, traditional coin-tossing protocol could not solve the situation of multiparty. It only divides participants into two parts. In this paper, a new kind of multiparty strict coin-tossing protocol based on the eigenvalue of matrix was proposed. First, matrix tampering attacks can be resisted. On the other hand, collusion attack which was caused by the addition of the Lagrange interpolation formula could be overcome. .e analysis shows that the correctness and security of both protocols was guaranteed. Based on the above statements, comparing with the classic coin-tossing protocols, the proposed scheme has the advantage of resisting parties aborting, low complexity, and practicability.


Introduction
In network communication that the communicating party is not in the same geographical position, once the judgment needs to be made, both parties should compare the guessing result and ensure the information is not disclosed at the same time.
e coin-tossing protocol can be seen as an application case for secure multiparty computation.
In cryptography, suppose Alice and Bob throw coins, and before the results are revealed, neither side wants to let the other one knows their own result, which is one of the important models for multiparty confidential computing [1]. Obviously, as there is no third-party arbitration, the fairness based on fraud prevention has become the most important consideration for the coin-tossing protocol.
Many scholars have conducted research on the cointossing protocol. In 1982, Blum introduced the problem of tossing a fair coin through a modem [2]. In 1990, Ben et al. proposed a coin throw problem in Reference [3]. In 2003, Lindell et al. raised the fair coin-tossing protocol of twoparty [4]. Kun et al. raised the coin-tossing protocol based on knapsack problem [5].
Apparently, these protocols are limited to two parties and have not solved the problem of multiparty participation in coin-tossing. On the other hand, they did not solve the problem that all the participants have to decide their order in a fair way rather than be divided into two parts.
In this paper, based on the matrix eigenvalues and eigenvectors, we have first proposed a new kind of strict multiparty coin-tossing protocol. Furthermore, we applied the Lagrange interpolation formula to design an improved strict multiparty tossing protocol which can resist collusion attacks. At last, analysis of both protocols and specific examples are proposed.

Coin-Tossing Protocol.
e definition of coin-tossing protocol is as follows: Definition 1. [6] Coin-tossing protocols are protocols that generate a random bit with uniform distribution, although some corrupted parties might try to bias the output. e coin-tossing protocol is used as a building block in many cryptographic protocols.
Secure multiparty computation allows distrustful parties to compute it correctly and privately [4,7,8]. e cointossing protocol raises questions of fairness and how corrupted parties can influence the scheme [9,10]. is is the problem we are going to discuss in the following section.

Eigenvalue and Eigenvector.
e eigenvalue and eigenvector are defined as follows: Definition 2. [11] Let A be a n-order matrix, if the number λ and n-dimensional nonzero column vectors p make the equation be established.
en, the number λ is called the eigenvalue of the matrix A, and the nonzero vector p is called the eigenvector of A corresponding to the eigenvalue λ. Equation (1) can also be written as follows: Equation (2) is a homogeneous linear system of n equations with n unknowns.

Lagrange Interpolation Formula.
Let n + 1 distinct interpolation points (nodes) x j , j � 0, 1 . . . n, be given, together with corresponding numbers f j , which may or may not be samples of a function f. Unless stated otherwise, we assume that the nodes are real, although most of the results and comments generalize to the complex plane. Let n denote the vector space of all polynomials of degree at most n. e classical problem addressed here is that of finding the polynomial p ∈ n that interpolates f at the points x j , i.e., p x j � f j , j � 0, . . . , n. (3) e problem is well-posed, i.e., it has a unique solution that depends continuously on the data. Moreover, as explained in virtually every introductory numerical analysis text, the solution can be written in the Lagrange form [12]: e Lagrange polynomial l j corresponding to the node x j has the following property:

Meaning of Strict Multiparty.
We could compare the protocols described in Section 3 to the grouping process of a soccer game. A group of players are fairly and randomly divided into team A and team B. is process only divides the participants into two parts, but does not draw the strict order.
erefore, considering the order of all participants, we could define the meaning of the word "strict." Its work process is more like drawing lots. All players need to decide their order in a fair way. We associate this idea with the matrix and propose a kind of the strict multiparty cointossing protocol. Step1: Alice chooses a random bit a and sends a commitment c � commit(a) to Bob.

Classic Coin-Tossing Protocols
Step2: Bob chooses a random bit b and sends it to Alice.
Step3: Alice sends the bit a to Bob together with decommit(c).
Step4: If Bob does not abort during the protocol, Alice outputs a⊕b, otherwise she outputs a random bit.
Step5: If Alice does not abort during the protocol and c is a commitment to a, and then Bob outputs a⊕b, otherwise he outputs a random bit.

Coin-Tossing Protocol Based on Quadratic Residue.
Suppose two sides of the communication are Alice and Bob. e protocol is as follows [14]: Step1: Bob chooses large prime numbers p, q and calculate n � pq, then chooses random number a that satisfied with Jacobi symbol [15] (a/n) � 1 and sends n, a to Alice.
Step2: Alice guesses if a is the quadratic residue of n.
Telling the result to Bob.
Step3: Bob tells Alice she is right or not and sends p, q to Alice.

Coin-Tossing Protocol Based on One Way Function.
Suppose two sides of the communication are Alice and Bob. ey both hold a one way function f(x) and do not know f − 1 (x). e protocol is as follows [16]: Step1: Bob chooses a random number x and sends Alice y � f(x).
Step2: Alice guesses the parity of x and tells the result to Bob.
Step3: Bob tells Alice she is right or not and sends x to Alice.

Multiparty Coin-Tossing Protocol Based on the Eigenvalue
Suppose there are n participants who are marked as P i (i � 1, 2 . . . n). e protocol is based on finite field Z q where q > n and a secret matrix A which is held by P 1 . It is worth mentioning that matrix A has the following two properties: (1). A is a n-order matrix. (2). e eigen equation of A has no multiple roots which means A has n different eigenvalues.
Suppose A's eigenvalues are λ i (i � 1, 2 . . . n) and corresponding eigenvectors are p i (i � 1, 2 . . . n). e content of the protocol is as follows: Step 1: Participant P 1 chooses a secret n-order matrix A. P 1 announces the main diagonal of A and all ei- Step 2: Participants P i (i � 2 . . . n) randomly select an eigenvector from p i (i � 1, 2 . . . n) and the last one belongs to participant P 1 . None of the eigenvectors could be chosen twice.
Step 3: Participant P 1 announces the secret matrix A. All participants calculate λ i (i � 1, 2 . . . n) of their own according to equation (1).
Step 4: Sort λ i (i � 1, 2 . . . n) in ascending sequence, then each participant could get the corresponding order.
As can be seen from the above protocol, the final order of each participant depends only on the size of the eigenvalues. It could not prevent multiple participants in the conspiracy from exchanging eigenvectors to adjust the order. is means that this protocol cannot resist collusion attack. We use the Lagrange interpolation formula to make up for this security hole.

Improved Multiparty Coin-Tossing Protocol Based on the Eigenvalue
Suppose there are n participants who are marked as P i (i � 1, 2 . . . n). e protocol is based on finite field Z q where q > n and a secret matrix A which is held by P 1 . It is worth mentioning that matrix A has the following two properties: (1) A is a n-order matrix.
(2) e eigen equation of A has no multiple roots which means A has n different eigenvalues.
Suppose A's eigenvalues are λ i (i � 1, 2 . . . n) and corresponding eigenvectors are p i (i � 1, 2 . . . n) . e content of the protocol is as follows: Step 1: Participant P 1 chooses a secret n-order matrix A. P 1 announces the main diagonal of A and all eigenvectors p i (i � 1, 2 . . . n).
Step 2: Participants P i (i � 2, · · · n) randomly select an eigenvector from p i (i � 1, 2 . . . n) and the last one belongs to participant P 1 . None of the eigenvectors could be chosen twice.
Step 3: Participant P 1 announces the secret matrix A. All participants calculate λ i (i � 1, 2 . . . n) of their own according to equation (1).
Step 4: All participants P i (i � 1, 2 . . . n) randomly select constant n i ∈ Z q to form (i, n i )(i � 1, 2 . . . n) and calculate polynomial according to equation (3): As there are n points in total, so p(x) is a (n − 1)-th degree polynomial at most: We choose the coefficient of the nonzero minimum degree term in p(x), suppose it is a j .
Step 5: All participants P i (i � 1, 2 . . . n) calculate: Sort s i (i � 1, 2 . . . n) in the ascending sequence, then each participant could get the corresponding order of themselves.

Instance of the Protocol
e protocol is based on finite field Z 23 . Suppose there are 6 participants who is marked as P i (i � 1, 2, 3) and a secret matrix A is held by P1. A is a 6-order matrix which is designed as follows: All eigenvalues and related eigenvectors pairs (λ i , p i ) (i � 1, 2, . . ., 6) are as follows: Step1: According to the protocol, participant P1 holds the secret matrix A and announces the main diagonal: e last eigenvector p4 is left to P1.

Analysis of Correctness.
Because the protocol of multiparty is a kind of promotion of two-party, both have the same properties. We only need to analyze the situation of multiparty.
When it comes to classic two-party coin-tossing protocol (suppose two sides of the communication are Alice and Bob), a correct and effective process should meet the following three principles [17]: (1) Alice must throw a coin before Bob guess.
(2) After Bob guessing, Alice can no longer throw coins.
(3) Bob does not know how the coins land before guessing.
Multiparty coin-tossing protocol also needs to meet these above principles. Under the premise of correct implementation of the protocol proposed in Sections 4 and 5, once participant P 1 announces the main diagonal of A and all eigenvectors p i (i � 1, 2 . . . n), the "coin" has landed. en, the step that every participant randomly chooses their own eigenvector can be seen as the "guess the front and back." Apparently, this satisfies the principle one. e principle two is also satisfied. Since all eigenvectors have been selected in Step 2, so the coin throwing party P 1 cannot toss the coin again. On the other hand, because the main diagonal of A is made public, P 1 has no way to change the eigenvalue of p i (i � 1, 2 . . . n). e proof is detailed in Section 6.
Obviously, the principle three is satisfied. Every participant has no need to know how the concrete structure of matrix A . Participant P 1 cannot unilaterally deceive other participants for example tampering with the secret matrix as long as the protocol is executed correctly.
To summarize, both protocols are based on the basic coin-tossing protocol's principle of design. e correctness is proved.

Analysis of Security.
ere are three points worth discussing in terms of security. e first is the disclosure of the main diagonal and the eigenvectors of the secret matrix. is design prevents the matrix holder P 1 from tampering with the secret matrix. e second is the resistance of the collusion attack by the Lagrange interpolation formula. e third is verification of legal participants.

Protection against Matrix
Tampering. What if P 1 is a fraud? Obviously if P 1 only announces all eigenvectors p i (i � 1, 2 . . . n) of A, he can manipulate the result of a coin toss by alter the secret matrix A to make λ i (i � 1, 2 . . . n) being different. e design of making the main diagonal of A public can prevent this kind of fraud. e proof is as follows: x � (x 12 · · · x 1n , x 21 , x 23 · · · x 2n · · ·

Proposition 1. Only one exactly matrix can be determined by the main diagonal's elements and all eigenvectors. Prove: Suppose the n-order secret matrix is
x n1 · · · x n(n− 1) , λ 1 , λ 2 · · · λ n ) Τ , According to formula (1), we can get Ap i � λ i p i , (i � 1, 2 · · · n), which is equation set: ⋮, x n1 p 1i + x n2 p 2i + · · · + c n p ni � λ i p ni , We put the term with the unknowns on the left and the constant term on the right: e above system of nonhomogeneous linear equations can be considered as the form of Dx � b, D is the coefficient matrix and b is the vector consist of constant terms. e coefficient matrix D is as follows: When i is arranged from 1 to n row by row, the size of the coefficient matrix D is n 2 × n 2 .Because the eigenvector p i (i � 1, 2 · · · n) are linearly independent, the elementary row operation cannot make any row of the matrix get all 0s which means the rank of D is full. We obtain the following conclusion: e system of nonhomogeneous linear equations Dx � b has a unique solution, only one exactly matrix A can be determined. e proposition we just proposed directly limits P 1 to tamper with matrix elements or matrix eigenvalues. Once the main diagonal and all eigenvectors are published, the secret matrix A is locked. But there is still a security issue, what if two or more participants collude to deceive? For example, Alice and Bob exchange the eigenvector of themselves. At this time, the role of the Lagrange interpolation formula is reflected.

Protection against Collusion Attack.
e main purpose of the introduction of the Lagrange interpolation formula is to prevent members from collusion attacks. is idea mainly comes from Shamir's Lagrange interpolation secret sharing threshold system [18][19][20]. e scheme in Section 4 directly determines the final strict order based on the sort of the eigenvalues. However, in the improved protocol proposed in Section 5, we do not directly sort the eigenvalues, all the participants negotiate a polynomial together and take a nonzero coefficient as a factor. is makes the final order completely random and is decided by all participants, and any collusion attack will not work.

Verification.
Suppose participant p 1 wants to manipulate the result of a coin toss. e only way he can take is to alter the secret matrix A. However, participants can identify the fraud in the following ways: (1) e main diagonal and eigenvectors of A are not the same as what P 1 published. (2) Cannot calculate the correct λ like λ is not in finite field Z q . (3) ere are one or more repeated eigenvalues of matrix A.
As long as any of the above three cases occur, it should be taken seriously because of fraud. At this time, participants who have an abnormal situation will report an error.
From this perspective, participant P 1 is under the supervision of all people. e protocol is reliable.

Protocol Comparison
In Blum's coin-tossing protocol, there are problems caused by parties aborting the protocol. It is proved that the best case is 1/4 of the bias of the protocol [6]. In this paper, apparently eigenvalue secrete matrix can not only solve this problem but also sort multi participants strictly. We only need to focus on the final sequence rather than pay attention to the specific value. Legitimate users are not affected.
According to the coin-tossing protocol based on quadratic residue [7], the large prime numbers p, q are used to calculate composite number n. e execute of the protocol based on the quadratic residue calculation involving large prime numbers and congruence equations. erefore, the computational complexity of the scheme is high. When it comes to the cointossing protocol based on the eigenvalue, the computational complexity is mainly based on the construction of secret matrix A which can be easily constructed. e reason lies in there is no need to care about the particular numbers of the eigenvalues.
Some classic coin-tossing protocols lack of practicality. For example, the coin-tossing protocols based on one-way function [21] have this drawback because there are no real one-way functions, the almost-optimally fair multiparty cointossing [22] and multiparty coin tossing in four rounds [23] have no low complexity and strict property. In this respect, the proposal in this paper has advantage of practicability. e program can easily construct a matrix that has the properties to meet the requirements in protocols we proposed. e protocols in this paper are convenient and reliable.
To summarize, a comparison of several coin-throwing protocols is shown in Figure 1, which shows that our proposed solution is more advantageous.

Conclusion
is paper first proposes a new kind of strict multiparty coin-tossing protocol based on the eigenvalue, then takes a step further to propose an improved version which is based on the Lagrange interpolation formula. e analysis shows the protocol is correct and can resist matrix tampering attack as long as collusion attack. Furthermore, we make sure the protocols based on the eigenvalue can resist parties aborting, have low complexity, and practicability which means they could easily be constructed. e coin-tossing protocol can resist the attack proposed in literature [24,25], which has been studied in literature [26].

Data Availability
e data used to support the findings of this study are included within the article.  6 Security and Communication Networks