The Round Complexity of Two-Party Random Selection

Saurabh Sanghvi and Salil VadhanHarvard University

The Random Selection Problem Several mutually distrusting parties wish to

select jointly at random an element of a fixed universe.

Goal: Protocol such that even if a party cheats, the outcome will not be too “biased”.

Applications: Design a protocol where a trusted third-party makes the selection, then replace third-party with random selection protocol.

Types of Random Selection

Blu82, Lin01, KO04 Dam94, DGW94, GGL98, GSV98, CCM98, DHRS04

CGMA85, GMW87, KOS03

BL89, Sak89, AN90, ORV94, GGL98, RZ98, Fei99

Computational Information-Theoretic

2 parties

N parties

Our focus

2-party Information-Theoretic Random Selection Protocols

Examples of Uses Convert honest-verifier ZKPs to general

ZKPs [Dam94, DGW94, GSV98] Perform oblivious transfer in bounded-

storage model [CCM98, DHRS04] Perform general fault-tolerant

computation [GGL98] Each evaluated by different criteria…

Defining Random Selection

Alice

Coins rA

Bob

Coins rB.

.

.

Output:

Our complexity measure: # of rounds

(k)

Evaluating a Protocol Statistical Criterion (SC) – 9 constants s.t. as

long as one party is honest:

8 T µ {0,1}n of density · Pr[ Output 2 T ] · 1-

Equivalent to the statistical difference of the protocol’s output with uniform being 1-(1).

Extension of “resilience” in leader election/collective coin flipping

Achievable? Yes! [GGL98] (with 2n rounds)

What is the necessary and sufficient round complexity?

“cheating sets”

Our results Upper bound:

9 protocol satisfying the Statistical Criterion with 2log* n + O(1) messages

Lower bound: log*n-log*log*n – O(1) messages are

necessary.

Tantalizingly similar to results in leader election, collective coin-flipping [RZ98, RSZ99, Fei99]

Our Protocol – Iterated Random Shift

Given n, Alice and Bob want to select from U={0,1}n.

Let m = n3. Recursively apply:

Inspired by leader election protocols [RZ98] and proof that BPP 2 2P [Lau83]

b1, …, bm à U

a1, …, am à U

Recurse on U’ = {ai+bj}…

The Main Lower Bound Theorem: Any random selection protocol

satisfying the Statistical Criterion must have at least log*n – log*log*n – O(1) rounds.

Recall Statistical Criterion: 9 constants s.t. 8 T µ {0,1}n of density · Pr[ Output 2 T ] · 1-

First nonconstant lower bound on round complexity for any random selection protocol not imposing additional constraints (e.g., on communication size or “simulatability”).

Proof Strategy

Suppose protocol has ¿ log* n rounds.

Show that one of the players can force the output into a “cheating” set of density o(1) with probability 1-o(1).

Strategy: induction on game tree…

The Two-Round CaseBob’s message

Alice’s message

Can think of any two-round protocol as: Bob sends Sµ{0,1}n to Alice (according to some dist.

on P({0,1}n)) Alice selects output according to some dist. on S.

m1

S={f(m1, ²)}

m2Alice selects m2, output is

x=f(m1,m2)

(“Alice selects x2S”)

Bob selects m1, restricting output to

S={f(m1,²)}

(“Bob selects set S”)

The Two-Round Case: Cheating Bob

Bob’s message

Alice’s message

Case 1: 9 “small” set (of size o(n)). Bob violates SC by selecting that set as his cheating set..

1) Bob’s cheating set

3) Alice’s chosen output 2 Bob’s cheating set with prob.

1

2) Bob deterministically

chooses this branch

2) Bob plays honestly

The Two-Round Case: Cheating Alice

Bob’s message

Alice’s message

Case 2: Bob must give Alice a “big” (i.e., ω(1) elements) set.

Random cheating set of density o(1) intersects w.h.p. ) Alice cheats successfully.

1) Alice’s cheating set = random set of red elements

3) Alice selects output from intersection

The Three-Round Case

Now, Alice chooses a set of sets, from which Bob chooses a set, from which Alice chooses the output.

Alice

Bob

Alice

m1

m2

S = f(m1, m2, ²) output = f(m1, m2, m3)

m3

The Three-Round Case

Case 1: If Alice can choose a branch whereby all sets are “big”, then she can violate the statistical criterion.

Alice

Bob

Alice

1) Alice’s random cheating set = set of red elements

4) Alice can choose output in her cheating

set

2) Alice deterministically chooses branch

3) Bob plays honestly

The Three-Round Case

Thus, every branch has at least one “small” set.

Not immediately helpful to Bob…

Alice

Bob

Alice

The Three-Round Case

Key question: Down a given branch chosen by Alice, how many disjoint, small sets are there?

Bob benefits if there are many.

Alice

Bob

Alice

The Three-Round Case

Case 2: All initial Alice messages let Bob choose from many disjoint small sets.

Randomly chosen set of o(1) density contains a small set w.h.p. ) Bob cheats successfully.

Alice

Bob

Alice

1) Bob’s random cheating set = set of red elements

4) Alice must choose output in his cheating set

3) Bob selects set contained in cheating set

2) Alice randomly picks a branch

The Three-Round Case

What if there is a branch with few disjoint small sets?

Need to argue Alice can take advantage.

Alice

Bob

Alice

The Three-Round Case

Case 3: A branch with no large disjoint subcollection Set intersecting all small sets + random set

) Alice cheats successfully

Alice

Bob

Alice

1) Alice’s cheating set = intersect-set + … … a random set

2) Alice deterministically selects branch

3) Bob plays honestly

4) Whether Bob chose big or small set, Alice selects from

cheating set

Implies a small set intersects every set in collection (e.g., union of maximal disjoint

subcollection)

3 -> log*n-log*log*n-O(1) To generalize, induct on the game tree…

label every node A-WIN, B-WIN, or TIE: WIN – player can violate SC by choosing

cheating set randomly. TIE – both players can violate SC with a

cheating set of the form R U S, where R is random and S is a small set of non-random elements.

The result stops at ~log* n rounds because |S| grows as a tower in the # of rounds.

Conclusions We provide matching upper and lower bounds

(up to a constant factor) for the round complexity of protocols satisfying a natural criterion.

Open Problems/Future Work Leverage results for open problems in well-studied

multiparty protocols (leader election, collective coin-flipping, and collective sampling).

Study the impact of additional constraints required in literature (e.g., simulatability or message length).