communication-rounds tradeoffs for common …communication-rounds tradeo s for common randomness and...
TRANSCRIPT
Communication-Rounds Tradeoffs forCommon Randomness and Secret Key
Generation
Mitali Bafna†, Badih Ghazi∗,Noah Golowich†, and Madhu Sudan†
† Harvard University ∗ Google Research
January 8, 2019
1
Common Randomness Generation (CRG)
(Xi ,Yi) ∼ µ (source), Alice ← Xi , Bob ← Yi .
Several rounds of commun., starting w/ Alice:I m1 = m1(Xi);I m2 = m2(m1, Yi);I m3 = m3(Xi,m1,m2), . . ..
At end: Alice & Bob output KA,KB , resp., s.t.:I KA = KA(Xi,m1, . . . ,mr );
KB = KB(Yi,m1, . . . ,mr ).I KA = KB w.h.p., andI KA,KB have large min-entropy.
2
Common Randomness Generation (CRG)
(Xi ,Yi) ∼ µ (source), Alice ← Xi , Bob ← Yi .Several rounds of commun., starting w/ Alice:
I m1 = m1(Xi);I m2 = m2(m1, Yi);I m3 = m3(Xi,m1,m2), . . ..
At end: Alice & Bob output KA,KB , resp., s.t.:I KA = KA(Xi,m1, . . . ,mr );
KB = KB(Yi,m1, . . . ,mr ).I KA = KB w.h.p., andI KA,KB have large min-entropy.
2
Common Randomness Generation (CRG)
(Xi ,Yi) ∼ µ (source), Alice ← Xi , Bob ← Yi .Several rounds of commun., starting w/ Alice:
I m1 = m1(Xi);I m2 = m2(m1, Yi);I m3 = m3(Xi,m1,m2), . . ..
At end: Alice & Bob output KA,KB , resp., s.t.:I KA = KA(Xi,m1, . . . ,mr );
KB = KB(Yi,m1, . . . ,mr ).
I KA = KB w.h.p., andI KA,KB have large min-entropy.
2
Common Randomness Generation (CRG)
(Xi ,Yi) ∼ µ (source), Alice ← Xi , Bob ← Yi .Several rounds of commun., starting w/ Alice:
I m1 = m1(Xi);I m2 = m2(m1, Yi);I m3 = m3(Xi,m1,m2), . . ..
At end: Alice & Bob output KA,KB , resp., s.t.:I KA = KA(Xi,m1, . . . ,mr );
KB = KB(Yi,m1, . . . ,mr ).I KA = KB w.h.p., andI KA,KB have large min-entropy.
2
Secret Key Generation (SKG)
Alice Bob
Eve
Y1, Y2, Y3 ...
X1, X2, X3 ...
Same as CRG, but key must be secure againsteavesdropper Eve that watches the communication.
Question: Are there sources µ such thathaving more rounds can lead to more efficient(i.e. lower communication) protocols for CRGor SKG?
3
Secret Key Generation (SKG)
Alice Bob
Eve
Y1, Y2, Y3 ...
X1, X2, X3 ...
Same as CRG, but key must be secure againsteavesdropper Eve that watches the communication.
Question: Are there sources µ such thathaving more rounds can lead to more efficient(i.e. lower communication) protocols for CRGor SKG?
3
Background: 1-Round & 2-Round Communication
[Ahlswede & Csiszar, ’93 & ’98]: CRG and SKG for1-round, 2-round protocols in amortized setting:For ε→ 0, characterize (H ,C ) pairs s.t.
I Samples: (XN ,Y N) ∼ µ⊗N ;I Communication: (C + ε) · N ;I Entropy of key: (H − ε) · N .
[Guruswami & Radhakrishnan, ’16] & [Ghazi & Jayram, ’18]:non-amortized setting (our work): near-optimaltradeoff between communication, key length, &agreement probability for “simple” sources: BSC,BEC, BGS.
4
Background: 1-Round & 2-Round Communication
[Ahlswede & Csiszar, ’93 & ’98]: CRG and SKG for1-round, 2-round protocols in amortized setting:For ε→ 0, characterize (H ,C ) pairs s.t.
I Samples: (XN ,Y N) ∼ µ⊗N ;I Communication: (C + ε) · N ;I Entropy of key: (H − ε) · N .
[Guruswami & Radhakrishnan, ’16] & [Ghazi & Jayram, ’18]:non-amortized setting (our work): near-optimaltradeoff between communication, key length, &agreement probability for “simple” sources: BSC,BEC, BGS.
4
Background: Multi-Round Communication
Generalization of Ahlswede & Csiszarcharacterization to multi-round protocols by [Tyagi,
’13] & [Liu et al., ’16].
For binary channels, additional rounds does nothelp reduce communication.
[Tyagi, ’13]: ternary source s.t. 2-round protocolsrequire less communication than 1-round protocols.
Otherwise: no rounds vs. communication tradeoffs(incl. in non-amortized case)!
5
Formalizing Non-Amortized Setting
Definition ((r , c)-protocol)Π is (r , c)-protocol if:
≤ r rounds (messages).
≤ c bits total.
L represents number of bits of entropy in random keys:
Definition (L-CRG)Π gives L-CRG if Alice, Bob, given samples(X1,Y1), . . . , (XT ,YT ) ∼ µ⊗T , output KA,KB , s.t.:
minH∞(KA),H∞(KB) ≥ L.
Pr[KA = KB ] ≥ 1− ε.
6
Formalizing Non-Amortized Setting
Definition ((r , c)-protocol)Π is (r , c)-protocol if:
≤ r rounds (messages).
≤ c bits total.
L represents number of bits of entropy in random keys:
Definition (L-CRG)Π gives L-CRG if Alice, Bob, given samples(X1,Y1), . . . , (XT ,YT ) ∼ µ⊗T , output KA,KB , s.t.:
minH∞(KA),H∞(KB) ≥ L.
Pr[KA = KB ] ≥ 1− ε.6
r vs. r/2 gap
Question: ∀δ > 0, r , L, ∃µ s.t.
∃(r , δL)-protocol for L-CRG from µ;
No (r − 1, (1− δ)L)-protocol for L-CRG from µ?
Theorem (BGGS, ’19)∀n, r , L construct µr ,n,L s.t.
∃(r + 1,O(r log n))-protocol for L-CRG from µr ,n,L;
No(
r2 − 2,min
o(L), n
poly log(n)
)-protocol for
L-CRG from µr ,n,L.
Also: same theorem for L-SKG!
7
r vs. r/2 gap
Question: ∀δ > 0, r , L, ∃µ s.t.
∃(r , δL)-protocol for L-CRG from µ;
No (r − 1, (1− δ)L)-protocol for L-CRG from µ?
Theorem (BGGS, ’19)∀n, r , L construct µr ,n,L s.t.
∃(r + 1,O(r log n))-protocol for L-CRG from µr ,n,L;
No(
r2 − 2,min
o(L), n
poly log(n)
)-protocol for
L-CRG from µr ,n,L.
Also: same theorem for L-SKG!
7
r vs. r/2 gap
Question: ∀δ > 0, r , L, ∃µ s.t.
∃(r , δL)-protocol for L-CRG from µ;
No (r − 1, (1− δ)L)-protocol for L-CRG from µ?
Theorem (BGGS, ’19)∀n, r , L construct µr ,n,L s.t.
∃(r + 1,O(r log n))-protocol for L-CRG from µr ,n,L;
No(
r2 − 2,min
o(L), n
poly log(n)
)-protocol for
L-CRG from µr ,n,L.
Also: same theorem for L-SKG!
7
Pointer-chasing source for CRG: µr ,n,L
i0 ~ [n]
π1 , .., π
r ~ S
n
A1 , …, A
n ~ 0,1L
B1 , …, B
n ~ 0,1L
Bob's inputs = (i
0, π
2 , π
4 , …, B
1 , …, B
n )
Alice's inputs = (π
1 , π
3 , …, A
1 , …, A
n )
8
Pointer-chasing source for CRG: µr ,n,L
π1
i0 ~ [n]
π1 , .., π
r ~ S
n
A1 , …, A
n ~ 0,1L
B1 , …, B
n ~ 0,1L
ij+1
= πj+1
(ij).
ij = “pointers”
i0
π2
π3
πr-1
πr
Bob's inputs = (i
0, π
2 , π
4 , …, B
1 , …, B
n )
Alice's inputs = (π
1 , π
3 , …, A
1 , …, A
n )
8
Pointer-chasing source for CRG: µr ,n,L
π1
i0 ~ [n]
π1 , .., π
r ~ S
n
A1 , …, A
n ~ 0,1L
B1 , …, B
n ~ 0,1L
Where Ai = B
i ,
ij+1
= πj+1
(ij).
ij = “pointers”
r r
i0
π2
π3
πr-1
πr
An
A1
A3...A
2B
nB
3...B
2B
1
Bob's inputs = (i
0, π
2 , π
4 , …, B
1 , …, B
n )
Alice's inputs = (π
1 , π
3 , …, A
1 , …, A
n )
8
Background: Standard Pointer Chasing Problem
[Duris et al., ’84] & [Nisan & Wigderson, ’93], etc.:
π1
i0
π2
π3
πr-1
πr
Bob's inputs = (i
0, π
2 , π
4 , …, π
r-1 )
Alice's inputs = (π
1 , π
3 , …, π
r )
ir = π
r ... π
1(i
0) =
?
i0 ~ [n]
π1 , .., π
r ~ S
n 9
Upper/lower bounds for CRG from µr ,n,L
Upper bound: follow pointers:(r + 1) rounds,communication (r + 1)dlog ne.
π1
i0
π2
π3
πr-1
πr
An
A1
A3...A
2B
nB
3...B
2B
1
Bob's inputs = (i, π
2 , π
4 , …, B
1 , …, B
n )
Alice's inputs = (π
1 , π
3 , …, A
1 , …, A
n )
Lower bound for protocols w/ ≤ r rounds:I [Duris et al., ’84] & [Nisan & Wigderson, ’93], etc.:
Pointer chasing is hard (for det. & rand. protocols).I Problem: don’t have to solve pointer chasing for
L-CRG!I “Guess” index j such that Aj = Bj ⇒ dlog ne-bit
non-deterministic protocol!I Modular solution?
10
Upper/lower bounds for CRG from µr ,n,L
Upper bound: follow pointers:(r + 1) rounds,communication (r + 1)dlog ne.
π1
i0
π2
π3
πr-1
πr
An
A1
A3...A
2B
nB
3...B
2B
1
Bob's inputs = (i, π
2 , π
4 , …, B
1 , …, B
n )
Alice's inputs = (π
1 , π
3 , …, A
1 , …, A
n )
Lower bound for protocols w/ ≤ r rounds:I [Duris et al., ’84] & [Nisan & Wigderson, ’93], etc.:
Pointer chasing is hard (for det. & rand. protocols).
I Problem: don’t have to solve pointer chasing forL-CRG!
I “Guess” index j such that Aj = Bj ⇒ dlog ne-bitnon-deterministic protocol!
I Modular solution?
10
Upper/lower bounds for CRG from µr ,n,L
Upper bound: follow pointers:(r + 1) rounds,communication (r + 1)dlog ne.
π1
i0
π2
π3
πr-1
πr
An
A1
A3...A
2B
nB
3...B
2B
1
Bob's inputs = (i, π
2 , π
4 , …, B
1 , …, B
n )
Alice's inputs = (π
1 , π
3 , …, A
1 , …, A
n )
Lower bound for protocols w/ ≤ r rounds:I [Duris et al., ’84] & [Nisan & Wigderson, ’93], etc.:
Pointer chasing is hard (for det. & rand. protocols).I Problem: don’t have to solve pointer chasing for
L-CRG!I “Guess” index j such that Aj = Bj ⇒ dlog ne-bit
non-deterministic protocol!
I Modular solution?
10
Upper/lower bounds for CRG from µr ,n,L
Upper bound: follow pointers:(r + 1) rounds,communication (r + 1)dlog ne.
π1
i0
π2
π3
πr-1
πr
An
A1
A3...A
2B
nB
3...B
2B
1
Bob's inputs = (i, π
2 , π
4 , …, B
1 , …, B
n )
Alice's inputs = (π
1 , π
3 , …, A
1 , …, A
n )
Lower bound for protocols w/ ≤ r rounds:I [Duris et al., ’84] & [Nisan & Wigderson, ’93], etc.:
Pointer chasing is hard (for det. & rand. protocols).I Problem: don’t have to solve pointer chasing for
L-CRG!I “Guess” index j such that Aj = Bj ⇒ dlog ne-bit
non-deterministic protocol!I Modular solution?
10
Reduction 1: Indistinguishability
Marginals of µr ,n,L: X = (π1, π3, . . . , πr ,A1, . . . ,An),Y = (i0, π2, . . . , πr−1,B1, . . . ,Bn).
Π distinguishes µ, ν if TVD(Πµ,Πν) ≥ const.
ClaimSuppose c L. If ∃ (r/2− 2, c) protocol for L-CRGfrom µ = µr ,n,L, then µ & µX × µY are distinguishable by(r/2− 1)-round protocol w/ communication c + O(1).
Idea of proof: L-CRG is impossible with communication L when parties have indep. inputs (e.g., [Cannone et al.,
’17]).
11
Reduction 1: Indistinguishability
Marginals of µr ,n,L: X = (π1, π3, . . . , πr ,A1, . . . ,An),Y = (i0, π2, . . . , πr−1,B1, . . . ,Bn).
Π distinguishes µ, ν if TVD(Πµ,Πν) ≥ const.
ClaimSuppose c L. If ∃ (r/2− 2, c) protocol for L-CRGfrom µ = µr ,n,L, then µ & µX × µY are distinguishable by(r/2− 1)-round protocol w/ communication c + O(1).
Idea of proof: L-CRG is impossible with communication L when parties have indep. inputs (e.g., [Cannone et al.,
’17]).
11
Reduction 1: Indistinguishability
Marginals of µr ,n,L: X = (π1, π3, . . . , πr ,A1, . . . ,An),Y = (i0, π2, . . . , πr−1,B1, . . . ,Bn).
Π distinguishes µ, ν if TVD(Πµ,Πν) ≥ const.
ClaimSuppose c L. If ∃ (r/2− 2, c) protocol for L-CRGfrom µ = µr ,n,L, then µ & µX × µY are distinguishable by(r/2− 1)-round protocol w/ communication c + O(1).
Idea of proof: L-CRG is impossible with communication L when parties have indep. inputs (e.g., [Cannone et al.,
’17]).
11
Overview of Reductions
12
Reduction 2: Pointer Verification
PVYES(r , n),PVNO(r , n) distributions on (X , Y ):X = (π1, π3, . . . , πr), Y = (i0, j0, π2, π4, . . . , πr−1):
PVYES: j0 = πr · · · π1(i0). PVNO: j0 random.
Protocol distinguishing µ = µr ,n,L & µX × µYgives protocol distinguishing PVYES & PVNO
(using Ω(n) disjointness lower bound).
13
Reduction 2: Pointer Verification
PVYES(r , n),PVNO(r , n) distributions on (X , Y ):X = (π1, π3, . . . , πr), Y = (i0, j0, π2, π4, . . . , πr−1):
PVYES: j0 = πr · · · π1(i0). PVNO: j0 random.
Protocol distinguishing µ = µr ,n,L & µX × µYgives protocol distinguishing PVYES & PVNO
(using Ω(n) disjointness lower bound).
13
Reduction 2: Pointer Verification
PVYES(r , n),PVNO(r , n) distributions on (X , Y ):X = (π1, π3, . . . , πr), Y = (i0, j0, π2, π4, . . . , πr−1):
PVYES: j0 = πr · · · π1(i0). PVNO: j0 random.
Protocol distinguishing µ = µr ,n,L & µX × µYgives protocol distinguishing PVYES & PVNO
(using Ω(n) disjointness lower bound).
13
Reduction 2: Pointer Verification
PVYES(r , n),PVNO(r , n) distributions on (X , Y ):X = (π1, π3, . . . , πr), Y = (i0, j0, π2, π4, . . . , πr−1):
PVYES: j0 = πr · · · π1(i0). PVNO: j0 random.
Protocol distinguishing µ = µr ,n,L & µX × µYgives protocol distinguishing PVYES & PVNO
(using Ω(n) disjointness lower bound).13
Overview of Reductions
14
Indistinguishability of PVYES, PVNO
r , n implicit: PVYES = PVYES(n, r), PVNO = PVNO(n, r):
Theorem (BGGS, ’19)
∀r , n, PVNO & PVYES are(r−12 ,
npoly log(n)
)-indisting.
Why only r−12 rounds? ∃
(r+12 ,O(r log n)
)-protocol:
PVNO: PVYES:
15
Indistinguishability of PVYES, PVNO
r , n implicit: PVYES = PVYES(n, r), PVNO = PVNO(n, r):
Theorem (BGGS, ’19)
∀r , n, PVNO & PVYES are(r−12 ,
npoly log(n)
)-indisting.
Why only r−12 rounds?
∃(r+12 ,O(r log n)
)-protocol:
PVNO: PVYES:
15
Indistinguishability of PVYES, PVNO
r , n implicit: PVYES = PVYES(n, r), PVNO = PVNO(n, r):
Theorem (BGGS, ’19)
∀r , n, PVNO & PVYES are(r−12 ,
npoly log(n)
)-indisting.
Why only r−12 rounds? ∃
(r+12 ,O(r log n)
)-protocol:
PVNO: PVYES:
15
Proof of indist. of PVYES & PVNO
Idea: “round elimination” ([Nisan & Wigderson, ’93]).
Dealing with non-independence of inputs underPVYES makes proof more difficult.1
Idea: “peel” off 2 permutations (1 round) at a time,maintaining invariants:
I H(π1, . . . , πr | transcript) ≥ r log(n!)− O(c).I H(i0|π1, . . . , πr , transcript) ≥ log(n)− o(1).I H(j0|π1, . . . , πr , transcript) ≥ log(n)− o(1).I H(1[πr · · · π1(i0) = j0]|i0, π1, . . . , πr , transcript) ≥
1− o(1).I Few others...
1Technically under 12 (PVYES +PVNO).
16
Proof of indist. of PVYES & PVNO
Idea: “round elimination” ([Nisan & Wigderson, ’93]).
Dealing with non-independence of inputs underPVYES makes proof more difficult.1
Idea: “peel” off 2 permutations (1 round) at a time,maintaining invariants:
I H(π1, . . . , πr | transcript) ≥ r log(n!)− O(c).I H(i0|π1, . . . , πr , transcript) ≥ log(n)− o(1).I H(j0|π1, . . . , πr , transcript) ≥ log(n)− o(1).I H(1[πr · · · π1(i0) = j0]|i0, π1, . . . , πr , transcript) ≥
1− o(1).I Few others...
1Technically under 12 (PVYES +PVNO).
16
Conclusion
First round/communication tradeoffs for CRG &SKG for r > 2 rounds.Explicitly constructed source µ = µr ,n,L s.t.:
I ∃ efficient (i.e. O(r log n) communication) (r + 1)-roundprotocol for L-CRG/SKG
I Any (r/2− 2)-round protocol for L-CRG/SKG hascommunication Ω (minL, n).
Open questions:I Improve (r + 1)-vs-(r/2− 2) tradeoff to (r + 1)-vs-r forµr ,n,L?
I Extend analysis to amortized case?
17
Conclusion
First round/communication tradeoffs for CRG &SKG for r > 2 rounds.Explicitly constructed source µ = µr ,n,L s.t.:
I ∃ efficient (i.e. O(r log n) communication) (r + 1)-roundprotocol for L-CRG/SKG
I Any (r/2− 2)-round protocol for L-CRG/SKG hascommunication Ω (minL, n).
Open questions:I Improve (r + 1)-vs-(r/2− 2) tradeoff to (r + 1)-vs-r forµr ,n,L?
I Extend analysis to amortized case?
17
I am grateful to the NSF for a SODA travel grant.
Thank you!
18
Proof Outline of Reduction 2
Overall goal: µ & µX × µY are indistinguishable to(r ′, c)-protocols.
Intermediate distr. µmid:
Aj = Bj forrandom j .
I.e., j isindependent ofπr · · · π1(i0).
π1
i0
π2
π3
πr-1
πr
Aj
A1
A3...A
2B
jB
3...B
2B
1
Bob's inputs = (i, π
2 , π
4 , …, B
1 , …, B
n )
Alice's inputs = (π
1 , π
3 , …, A
1 , …, A
n )
An
... Bn
...
19
Proof Outline of Reduction 2
Intermediate distr. µmid:
Aj = Bj for random j .
I.e., j isindependent ofπr · · · π1(i0).
π1
i0
π2
π3
πr-1
πr
Aj
A1
A3...A
2B
jB
3...B
2B
1
Bob's inputs = (i, π
2 , π
4 , …, B
1 , …, B
n )
Alice's inputs = (π
1 , π
3 , …, A
1 , …, A
n )
An
... Bn
...
µX × µY indist. from µmid to protocols w/communication o(n) (set disjointness hard).
PVYES & PVNO indist. to (r ′, c)-protocols⇒ µ indist. from µmid to (r ′, c)-protocols.
20
Proof Outline of Reduction 2
Intermediate distr. µmid:
Aj = Bj for random j .
I.e., j isindependent ofπr · · · π1(i0).
π1
i0
π2
π3
πr-1
πr
Aj
A1
A3...A
2B
jB
3...B
2B
1
Bob's inputs = (i, π
2 , π
4 , …, B
1 , …, B
n )
Alice's inputs = (π
1 , π
3 , …, A
1 , …, A
n )
An
... Bn
...
µX × µY indist. from µmid to protocols w/communication o(n) (set disjointness hard).
PVYES & PVNO indist. to (r ′, c)-protocols⇒ µ indist. from µmid to (r ′, c)-protocols.
20
Proof of indisting. of PVYES & PVNO
Idea: “round elimination” ([Nisan & Wigderson, ’93]).
“Problem” 1: Want to work with a functionalproblem.
Solution 1:Π disting. PVYES & PVNO
⇔ Π outputs 1[j0 = πr · · · π1(i0)] whp
under PVMIX = 12(PVYES + PVNO).
“Problem” 2: Players’ inputs under PVMIX aren’tindependent.
21
Proof of indisting. of PVYES & PVNO
Idea: “round elimination” ([Nisan & Wigderson, ’93]).
“Problem” 1: Want to work with a functionalproblem.
Solution 1:Π disting. PVYES & PVNO
⇔ Π outputs 1[j0 = πr · · · π1(i0)] whp
under PVMIX = 12(PVYES + PVNO).
“Problem” 2: Players’ inputs under PVMIX aren’tindependent.
21