#### Abstract

The coin-tossing protocol is an important research area in cryptography. It generates a random bit with uniform distribution even if some participants might fraud. However, traditional coin-tossing protocol could not solve the situation of multiparty. It only divides participants into two parts. In this paper, a new kind of multiparty strict coin-tossing protocol based on the eigenvalue of matrix was proposed. First, matrix tampering attacks can be resisted. On the other hand, collusion attack which was caused by the addition of the Lagrange interpolation formula could be overcome. The analysis shows that the correctness and security of both protocols was guaranteed. Based on the above statements, comparing with the classic coin-tossing protocols, the proposed scheme has the advantage of resisting parties aborting, low complexity, and practicability.

#### 1. Introduction

In network communication that the communicating party is not in the same geographical position, once the judgment needs to be made, both parties should compare the guessing result and ensure the information is not disclosed at the same time. The coin-tossing protocol can be seen as an application case for secure multiparty computation.

In cryptography, suppose Alice and Bob throw coins, and before the results are revealed, neither side wants to let the other one knows their own result, which is one of the important models for multiparty confidential computing [1]. Obviously, as there is no third-party arbitration, the fairness based on fraud prevention has become the most important consideration for the coin-tossing protocol.

Many scholars have conducted research on the coin-tossing protocol. In 1982, Blum introduced the problem of tossing a fair coin through a modem [2]. In 1990, Ben et al. proposed a coin throw problem in Reference [3]. In 2003, Lindell et al. raised the fair coin-tossing protocol of two-party [4]. Kun et al. raised the coin-tossing protocol based on knapsack problem [5].

Apparently, these protocols are limited to two parties and have not solved the problem of multiparty participation in coin-tossing. On the other hand, they did not solve the problem that all the participants have to decide their order in a fair way rather than be divided into two parts.

In this paper, based on the matrix eigenvalues and eigenvectors, we have first proposed a new kind of strict multiparty coin-tossing protocol. Furthermore, we applied the Lagrange interpolation formula to design an improved strict multiparty tossing protocol which can resist collusion attacks. At last, analysis of both protocols and specific examples are proposed.

#### 2. Basic Knowledge

##### 2.1. Coin-Tossing Protocol

The definition of coin-tossing protocol is as follows:

*Definition 1. *[6] Coin-tossing protocols are protocols that generate a random bit with uniform distribution, although some corrupted parties might try to bias the output. The coin-tossing protocol is used as a building block in many cryptographic protocols.

Secure multiparty computation allows distrustful parties to compute it correctly and privately [4, 7, 8].The coin-tossing protocol raises questions of fairness and how corrupted parties can influence the scheme [9, 10].This is the problem we are going to discuss in the following section.

##### 2.2. Eigenvalue and Eigenvector

The eigenvalue and eigenvector are defined as follows:

*Definition 2. *[11] Let **A** be a *n*-order matrix, if the number and *n*-dimensional nonzero column vectors **p** make the equation be established.Then, the number is called the eigenvalue of the matrix **A**, and the nonzero vector **p** is called the eigenvector of **A** corresponding to the eigenvalue . Equation (1) can also be written as follows:Equation (2) is a homogeneous linear system of *n* equations with *n* unknowns.

##### 2.3. Lagrange Interpolation Formula

Let distinct interpolation points (nodes) , be given, together with corresponding numbers , which may or may not be samples of a function *f*. Unless stated otherwise, we assume that the nodes are real, although most of the results and comments generalize to the complex plane. Let denote the vector space of all polynomials of degree at most *n*. The classical problem addressed here is that of finding the polynomial that interpolates *f* at the points , i.e.,

The problem is well-posed, i.e., it has a unique solution that depends continuously on the data. Moreover, as explained in virtually every introductory numerical analysis text, the solution can be written in the Lagrange form [12]:

The Lagrange polynomial corresponding to the node has the following property:

##### 2.4. Meaning of Strict Multiparty

We could compare the protocols described in Section 3 to the grouping process of a soccer game. A group of players are fairly and randomly divided into team *A* and team *B*. This process only divides the participants into two parts, but does not draw the strict order.

Therefore, considering the order of all participants, we could define the meaning of the word “strict.” Its work process is more like drawing lots. All players need to decide their order in a fair way. We associate this idea with the matrix and propose a kind of the strict multiparty coin-tossing protocol.

#### 3. Classic Coin-Tossing Protocols

##### 3.1. Blum’s Coin-Tossing Protocol

Suppose two sides of the communication are Alice and Bob. They execute the following protocol [13]: Step1: Alice chooses a random bit a and sends a commitment *c* = commit(a) to Bob. Step2: Bob chooses a random bit *b* and sends it to Alice. Step3: Alice sends the bit a to Bob together with de-commit(*c*). Step4: If Bob does not abort during the protocol, Alice outputs *a*⊕*b*, otherwise she outputs a random bit. Step5: If Alice does not abort during the protocol and *c* is a commitment to a, and then Bob outputs *a*⊕*b*, otherwise he outputs a random bit.

##### 3.2. Coin-Tossing Protocol Based on Quadratic Residue

Suppose two sides of the communication are Alice and Bob. The protocol is as follows [14]: Step1: Bob chooses large prime numbers and calculate , then chooses random number a that satisfied with Jacobi symbol [15] and sends *n*, a to Alice. Step2: Alice guesses if a is the quadratic residue of *n*. Telling the result to Bob. Step3: Bob tells Alice she is right or not and sends to Alice. Step4: Alice checks ’s parity and calculates .

##### 3.3. Coin-Tossing Protocol Based on One Way Function

Suppose two sides of the communication are Alice and Bob. They both hold a one way function and do not know . The protocol is as follows [16]: Step1: Bob chooses a random number *x* and sends Alice . Step2: Alice guesses the parity of *x* and tells the result to Bob. Step3: Bob tells Alice she is right or not and sends *x* to Alice.

#### 4. Multiparty Coin-Tossing Protocol Based on the Eigenvalue

Suppose there are *n* participants who are marked as . The protocol is based on finite field where and a secret matrix A which is held by . It is worth mentioning that matrix **A** has the following two properties:(1).**A** is a *n*-order matrix.(2).The eigen equation of **A** has no multiple roots which means **A** has *n* different eigenvalues.

Suppose **A**’s eigenvalues are and corresponding eigenvectors are **p**_{i}. The content of the protocol is as follows: Step 1: Participant chooses a secret n-order matrix **A**. announces the main diagonal of **A** and all eigenvectors **p**_{i}. Step 2: Participants randomly select an eigenvector from **p ***i* and the last one belongs to participant . None of the eigenvectors could be chosen twice. Step 3: Participant announces the secret matrix **A**. All participants calculate of their own according to equation (1). Step 4: Sort in ascending sequence, then each participant could get the corresponding order.

As can be seen from the above protocol, the final order of each participant depends only on the size of the eigenvalues. It could not prevent multiple participants in the conspiracy from exchanging eigenvectors to adjust the order. This means that this protocol cannot resist collusion attack. We use the Lagrange interpolation formula to make up for this security hole.

#### 5. Improved Multiparty Coin-Tossing Protocol Based on the Eigenvalue

Suppose there are *n* participants who are marked as . The protocol is based on finite field where and a secret matrix **A** which is held by . It is worth mentioning that matrix **A** has the following two properties:(1)**A** is a *n*-order matrix.(2)The eigen equation of **A** has no multiple roots which means **A** has *n* different eigenvalues.

Suppose **A**’s eigenvalues are and corresponding eigenvectors are **p**_{i} . The content of the protocol is as follows: Step 1: Participant chooses a secret *n*-order matrix **A**. announces the main diagonal of **A** and all eigenvectors *p*_{i}. Step 2: Participants randomly select an eigenvector from **p**_{i} and the last one belongs to participant . None of the eigenvectors could be chosen twice. Step 3: Participant announces the secret matrix **A**. All participants calculate of their own according to equation (1). Step 4: All participants randomly select constant to form and calculate polynomial according to equation (3): As there are *n* points in total, so is a -th degree polynomial at most: We choose the coefficient of the nonzero minimum degree term in , suppose it is . Step 5: All participants calculate:

Sort in the ascending sequence, then each participant could get the corresponding order of themselves.

#### 6. Instance of the Protocol

The protocol is based on finite field . Suppose there are 6 participants who is marked as *P*_{i} and a secret matrix **A** is held by *P*1. **A** is a 6-order matrix which is designed as follows:

All eigenvalues and related eigenvectors pairs (*i* = 1, 2, …, 6) are as follows: Step1: According to the protocol, participant *P*1 holds the secret matrix **A** and announces the main diagonal: and to all members. Step2: Assume that *P*2 chooses eigenvector **p**2, *P*3 chooses eigenvector **p**5, *P*4 chooses eigenvector **p**1, *P*5 chooses eigenvector **p**6, and *P*6 chooses eigenvector **p**3. The last eigenvector **p**4 is left to *P*1. Step3: Participant announces the secret matrix **A**. All participants calculate of their own according to equation (1). So, the eigenvalues held by each participant are — . Step4: All participants randomly select constant to form , assume that *P*1 chooses , *P*2 chooses , *P*3 chooses , P4 chooses , P5 chooses , and *P*6 chooses , we can obtain according to equation (3): We choose the coefficient of the nonzero minimum degree term in , which is Step5: All participants calculate:

Sort in the ascending sequence —, the order of all members is —.

#### 7. Analysis of the Protocol

##### 7.1. Analysis of Correctness

Because the protocol of multiparty is a kind of promotion of two-party, both have the same properties. We only need to analyze the situation of multiparty.

When it comes to classic two-party coin-tossing protocol (suppose two sides of the communication are Alice and Bob), a correct and effective process should meet the following three principles [17]:(1)Alice must throw a coin before Bob guess.(2)After Bob guessing, Alice can no longer throw coins.(3)Bob does not know how the coins land before guessing.

Multiparty coin-tossing protocol also needs to meet these above principles. Under the premise of correct implementation of the protocol proposed in Sections 4 and 5, once participant announces the main diagonal of **A** and all eigenvectors **p**_{i}, the “coin” has landed. Then, the step that every participant randomly chooses their own eigenvector can be seen as the “guess the front and back.” Apparently, this satisfies the principle one.

The principle two is also satisfied. Since all eigenvectors have been selected in Step 2, so the coin throwing party cannot toss the coin again. On the other hand, because the main diagonal of **A** is made public, has no way to change the eigenvalue of **p**_{i}.The proof is detailed in Section 6.

Obviously, the principle three is satisfied. Every participant has no need to know how the concrete structure of matrix **A ***.* Participant cannot unilaterally deceive other participants for example tampering with the secret matrix as long as the protocol is executed correctly.

To summarize, both protocols are based on the basic coin-tossing protocol’s principle of design. The correctness is proved.

##### 7.2. Analysis of Security

There are three points worth discussing in terms of security. The first is the disclosure of the main diagonal and the eigenvectors of the secret matrix. This design prevents the matrix holder from tampering with the secret matrix. The second is the resistance of the collusion attack by the Lagrange interpolation formula. The third is verification of legal participants.

###### 7.2.1. Protection against Matrix Tampering

What if is a fraud? Obviously if only announces all eigenvectors **p**_{i} of **A**, he can manipulate the result of a coin toss by alter the secret matrix **A** to make being different. The design of making the main diagonal of **A** public can prevent this kind of fraud. The proof is as follows:

Proposition 1. *Only one exactly matrix can be determined by the main diagonal’s elements and all eigenvectors.**Prove: Suppose the n-order secret matrix is A = whose elements is unknown except the main diagonal elements . Besides, eigenvalues of A are unknown and eigenvectors p_{i} are all known. We suppose the column vector p_{i} = and vector composed of unknowns is x = , According to formula (1), we can get , , which is equation set:*

We put the term with the unknowns on the left and the constant term on the right:

The above system of nonhomogeneous linear equations can be considered as the form of , **D** is the coefficient matrix and **b** is the vector consist of constant terms. The coefficient matrix **D** is as follows:

When *i* is arranged from 1 to *n* row by row, the size of the coefficient matrix **D** is .Because the eigenvector **p**_{i} are linearly independent, the elementary row operation cannot make any row of the matrix get all 0s which means the rank of **D** is full. We obtain the following conclusion:

The system of nonhomogeneous linear equations has a unique solution, only one exactly matrix **A** can be determined.

The proposition we just proposed directly limits *P*_{1} to tamper with matrix elements or matrix eigenvalues. Once the main diagonal and all eigenvectors are published, the secret matrix **A** is locked. But there is still a security issue, what if two or more participants collude to deceive? For example, Alice and Bob exchange the eigenvector of themselves. At this time, the role of the Lagrange interpolation formula is reflected.

###### 7.2.2. Protection against Collusion Attack

The main purpose of the introduction of the Lagrange interpolation formula is to prevent members from collusion attacks. This idea mainly comes from Shamir’s Lagrange interpolation secret sharing threshold system [18–20].

The scheme in Section 4 directly determines the final strict order based on the sort of the eigenvalues. However, in the improved protocol proposed in Section 5, we do not directly sort the eigenvalues, all the participants negotiate a polynomial together and take a nonzero coefficient as a factor. This makes the final order completely random and is decided by all participants, and any collusion attack will not work.

###### 7.2.3. Verification

Suppose participant wants to manipulate the result of a coin toss. The only way he can take is to alter the secret matrix **A**. However, participants can identify the fraud in the following ways:(1)The main diagonal and eigenvectors of **A** are not the same as what *P*_{1} published.(2)Cannot calculate the correct like is not in finite field .(3)There are one or more repeated eigenvalues of matrix **A**.

As long as any of the above three cases occur, it should be taken seriously because of fraud. At this time, participants who have an abnormal situation will report an error.

From this perspective, participant *P*_{1} is under the supervision of all people. The protocol is reliable.

#### 8. Protocol Comparison

In Blum’s coin-tossing protocol, there are problems caused by parties aborting the protocol. It is proved that the best case is 1/4 of the bias of the protocol [6]. In this paper, apparently eigenvalue secrete matrix can not only solve this problem but also sort multi participants strictly. We only need to focus on the final sequence rather than pay attention to the specific value. Legitimate users are not affected.

According to the coin-tossing protocol based on quadratic residue [7], the large prime numbers are used to calculate composite number *n*. The execute of the protocol based on the quadratic residue calculation involving large prime numbers and congruence equations. Therefore, the computational complexity of the scheme is high. When it comes to the coin-tossing protocol based on the eigenvalue, the computational complexity is mainly based on the construction of secret matrix **A** which can be easily constructed. The reason lies in there is no need to care about the particular numbers of the eigenvalues.

Some classic coin-tossing protocols lack of practicality. For example, the coin-tossing protocols based on one-way function [21] have this drawback because there are no real one-way functions, the almost-optimally fair multiparty coin-tossing [22] and multiparty coin tossing in four rounds [23] have no low complexity and strict property. In this respect, the proposal in this paper has advantage of practicability. The program can easily construct a matrix that has the properties to meet the requirements in protocols we proposed. The protocols in this paper are convenient and reliable.

To summarize, a comparison of several coin-throwing protocols is shown in Figure 1, which shows that our proposed solution is more advantageous.

#### 9. Conclusion

This paper first proposes a new kind of strict multiparty coin-tossing protocol based on the eigenvalue, then takes a step further to propose an improved version which is based on the Lagrange interpolation formula. The analysis shows the protocol is correct and can resist matrix tampering attack as long as collusion attack. Furthermore, we make sure the protocols based on the eigenvalue can resist parties aborting, have low complexity, and practicability which means they could easily be constructed.

The coin-tossing protocol can resist the attack proposed in literature [24, 25], which has been studied in literature [26].

#### Data Availability

The data used to support the findings of this study are included within the article.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.