The Round Complexity of Two-Party Random Selection
Saurabh Sanghvi and Salil Vadhan, Harvard University
The Random Selection Problem
Several mutually distrusting parties wish to select jointly at random an element of a fixed universe.
Goal: Protocol such that even if a party cheats, the outcome will not be too “biased”.
Applications: Design a protocol where a trusted third party makes the selection, then replace the third party with a random selection protocol.
Types of Random Selection
2 parties, Computational: Blu82, Lin01, KO04
2 parties, Information-Theoretic (our focus): Dam94, DGW94, GGL98, GSV98, CCM98, DHRS04
N parties, Computational: CGMA85, GMW87, KOS03
N parties, Information-Theoretic: BL89, Sak89, AN90, ORV94, GGL98, RZ98, Fei99
2-party Information-Theoretic Random Selection Protocols
Examples of Uses
Convert honest-verifier ZKPs to general ZKPs [Dam94, DGW94, GSV98]
Perform oblivious transfer in bounded-storage model [CCM98, DHRS04]
Perform general fault-tolerant computation [GGL98]
Each evaluated by different criteria…
Defining Random Selection
[Diagram: Alice (coins rA) and Bob (coins rB) exchange messages, ending in an Output.]
Our complexity measure: # of rounds (k)
Evaluating a Protocol
Statistical Criterion (SC) – ∃ constants s.t. as long as one party is honest:
∀ T ⊆ {0,1}^n of density ≤ Pr[ Output ∈ T ] ≤ 1-
Equivalent to the statistical difference of the protocol’s output with uniform being 1-(1).
Extension of “resilience” in leader election/collective coin flipping
Achievable? Yes! [GGL98] (with 2n rounds)
What is the necessary and sufficient round complexity?
“cheating sets”
Our results
Upper bound: ∃ protocol satisfying the Statistical Criterion with 2log* n + O(1) messages
Lower bound: log*n-log*log*n – O(1) messages are necessary.
Tantalizingly similar to results in leader election, collective coin-flipping [RZ98, RSZ99, Fei99]
Our Protocol – Iterated Random Shift
Given n, Alice and Bob want to select from U = {0,1}^n.
Let m = n^3. Recursively apply:
a1, …, am ← U
b1, …, bm ← U
Recurse on U’ = {ai+bj}…
Inspired by leader election protocols [RZ98] and proof that BPP ∈ 2P [Lau83]
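An added simulation (not code from the talk) of one Random Shift level on a small universe, comparing how far a cheating Bob can raise the density of a cheating set T in U’ when m = n^3 versus a tiny m. It assumes "+" is bitwise XOR on {0,1}^n, that honest Alice sends a1..am first and Bob may pick his shifts after seeing them; T, the seed and all function names are constructed for the illustration.

```python
import random

def density_in_next_universe(a, b, target):
    """Density of `target` in U' = {a_i XOR b_j}, counted over all m*m pairs."""
    hits = sum(1 for x in a for y in b if (x ^ y) in target)
    return hits / (len(a) * len(b))

def best_cheating_density(a, n, target):
    """Highest density a cheating Bob can reach after seeing Alice's a_i.

    The density in U' is the average over j of the per-shift hit fraction,
    so sending the single best shift m times is optimal; search all 2^n."""
    best = 0.0
    for shift in range(1 << n):
        hits = sum(1 for x in a if (x ^ shift) in target)
        best = max(best, hits / len(a))
    return best

def experiment(n=10, seed=1):
    """Return (mu, {m: (honest_density, cheating_density)}) for two values of m."""
    rng = random.Random(seed)
    size = 1 << n
    target = frozenset(range(size // 10))   # constructed cheating set T
    mu = len(target) / size                 # its density in U, about 0.1
    results = {}
    for m in (5, n ** 3):                   # tiny m versus the slide's m = n^3
        a = [rng.randrange(size) for _ in range(m)]          # honest Alice
        honest_b = [rng.randrange(size) for _ in range(m)]   # honest Bob
        results[m] = (density_in_next_universe(a, honest_b, target),
                      best_cheating_density(a, n, target))
    return mu, results

if __name__ == "__main__":
    mu, results = experiment()
    print(f"density of T in U: {mu:.3f}")
    for m, (honest, cheat) in results.items():
        print(f"m={m:5d}  honest Bob: {honest:.3f}  cheating Bob: {cheat:.3f}")
```

With m = 5 a single well-chosen shift already puts at least a fifth of U’ inside T, while with m = n^3 every one of the 2^n shifts stays close to the original density, which is the Chernoff-plus-union-bound effect the [Lau83]-style argument relies on.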
The Main Lower Bound
Theorem: Any random selection protocol satisfying the Statistical Criterion must have at least log*n – log*log*n – O(1) rounds.
Recall Statistical Criterion: ∃ constants s.t. ∀ T ⊆ {0,1}^n of density ≤ Pr[ Output ∈ T ] ≤ 1-
First nonconstant lower bound on round complexity for any random selection protocol not imposing additional constraints (e.g., on communication size or “simulatability”).
Proof Strategy
Suppose protocol has ≪ log* n rounds.
Show that one of the players can force the output into a “cheating” set of density o(1) with probability 1-o(1).
Strategy: induction on game tree…
The Two-Round Case
Can think of any two-round protocol as:
Bob sends S ⊆ {0,1}^n to Alice (according to some dist. on P({0,1}^n))
Alice selects output according to some dist. on S.
[Diagram: game tree with Bob’s message m1 followed by Alice’s message m2.]
Bob selects m1, restricting output to S = {f(m1, ·)} (“Bob selects set S”)
Alice selects m2, output is x = f(m1, m2) (“Alice selects x ∈ S”)
The Two-Round Case: Cheating Bob
[Diagram: game tree with Bob’s message followed by Alice’s message.]
Case 1: ∃ “small” set (of size o(n)). Bob violates SC by selecting that set as his cheating set.
1) Bob’s cheating set
2) Bob deterministically chooses this branch
3) Alice’s chosen output ∈ Bob’s cheating set with prob. 1
The Two-Round Case: Cheating Alice
[Diagram: game tree with Bob’s message followed by Alice’s message.]
Case 2: Bob must give Alice a “big” (i.e., ω(1) elements) set.
Random cheating set of density o(1) intersects w.h.p. ⇒ Alice cheats successfully.
1) Alice’s cheating set = random set of red elements
2) Bob plays honestly
3) Alice selects output from intersection
The Three-Round Case
Now, Alice chooses a set of sets, from which Bob chooses a set, from which Alice chooses the output.
[Diagram: game tree with Alice’s message m1, Bob’s message m2, Alice’s message m3.]
S = f(m1, m2, ·)
output = f(m1, m2, m3)
The Three-Round Case
Case 1: If Alice can choose a branch whereby all sets are “big”, then she can violate the statistical criterion.
[Diagram: game tree with levels Alice, Bob, Alice.]
1) Alice’s random cheating set = set of red elements
2) Alice deterministically chooses branch
3) Bob plays honestly
4) Alice can choose output in her cheating set
The Three-Round Case
Thus, every branch has at least one “small” set.
Not immediately helpful to Bob…
[Diagram: game tree with levels Alice, Bob, Alice.]
The Three-Round Case
Key question: Down a given branch chosen by Alice, how many disjoint, small sets are there?
Bob benefits if there are many.
[Diagram: game tree with levels Alice, Bob, Alice.]
The Three-Round Case
Case 2: All initial Alice messages let Bob choose from many disjoint small sets.
Randomly chosen set of o(1) density contains a small set w.h.p. ⇒ Bob cheats successfully.
[Diagram: game tree with levels Alice, Bob, Alice.]
1) Bob’s random cheating set = set of red elements
2) Alice randomly picks a branch
3) Bob selects set contained in cheating set
4) Alice must choose output in his cheating set
The Three-Round Case
What if there is a branch with few disjoint small sets?
Need to argue Alice can take advantage.
[Diagram: game tree with levels Alice, Bob, Alice.]
The Three-Round Case
Case 3: A branch with no large disjoint subcollection
Implies a small set intersects every set in collection (e.g., union of maximal disjoint subcollection)
Set intersecting all small sets + random set ⇒ Alice cheats successfully
[Diagram: game tree with levels Alice, Bob, Alice.]
1) Alice’s cheating set = intersect-set + … … a random set
2) Alice deterministically selects branch
3) Bob plays honestly
4) Whether Bob chose big or small set, Alice selects from cheating set
3 -> log*n-log*log*n-O(1)
To generalize, induct on the game tree… label every node A-WIN, B-WIN, or TIE:
WIN – player can violate SC by choosing cheating set randomly.
TIE – both players can violate SC with a cheating set of the form R ∪ S, where R is random and S is a small set of non-random elements.
The result stops at ~log* n rounds because |S| grows as a tower in the # of rounds.
Conclusions
We provide matching upper and lower bounds (up to a constant factor) for the round complexity of protocols satisfying a natural criterion.
Open Problems/Future Work
Leverage results for open problems in well-studied multiparty protocols (leader election, collective coin-flipping, and collective sampling).
Study the impact of additional constraints required in literature (e.g., simulatability or message length).