Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Round Complexity of Two-Party Random Selection Saurabh Sanghvi and Salil Vadhan Harvard University.

Published byAiden Philpott Modified over 9 years ago

Similar presentations

Presentation on theme: "The Round Complexity of Two-Party Random Selection Saurabh Sanghvi and Salil Vadhan Harvard University."— Presentation transcript:

1 The Round Complexity of Two-Party Random Selection Saurabh Sanghvi and Salil Vadhan Harvard University

2 The Random Selection Problem Several mutually distrusting parties wish to select jointly at random an element of a fixed universe. Goal: Protocol such that even if a party cheats, the outcome will not be too “biased”. Applications: Design a protocol where a trusted third-party makes the selection, then replace third-party with random selection protocol.

3 Types of Random Selection Blu82, Lin01, KO04Dam94, DGW94, GGL98, GSV98, CCM98, DHRS04 CGMA85, GMW87, KOS03 BL89, Sak89, AN90, ORV94, GGL98, RZ98, Fei99 ComputationalInformation-Theoretic 2 parties N parties Our focus

4 2-party Information-Theoretic Random Selection Protocols Examples of Uses Convert honest-verifier ZKPs to general ZKPs [Dam94, DGW94, GSV98] Perform oblivious transfer in bounded- storage model [CCM98, DHRS04] Perform general fault-tolerant computation [GGL98] Each evaluated by different criteria…

5 Defining Random Selection Alice Coins r A Bob Coins r B...... Output: Our complexity measure: # of rounds (k)

6 Evaluating a Protocol Statistical Criterion (SC) – 9 constants  s.t. as long as one party is honest: 8 T µ {0,1} n of density ·  Pr[ Output 2 T ] · 1-  Equivalent to the statistical difference of the protocol’s output with uniform being 1-  (1). Extension of “resilience” in leader election/collective coin flipping Achievable? Yes! [GGL98] (with 2n rounds) What is the necessary and sufficient round complexity? “cheating sets”

7 Our results Upper bound: 9 protocol satisfying the Statistical Criterion with 2log* n + O(1) messages Lower bound: log*n-log*log*n – O(1) messages are necessary. Tantalizingly similar to results in leader election, collective coin-flipping [RZ98, RSZ99, Fei99]

8 Our Protocol – Iterated Random Shift Given n, Alice and Bob want to select from U={0,1} n. Let m = n 3. Recursively apply: Inspired by leader election protocols [RZ98] and proof that BPP 2  2 P [Lau83] b 1, …, b m à U a 1, …, a m à U Recurse on U’ = {a i +b j }…

9 The Main Lower Bound Theorem: Any random selection protocol satisfying the Statistical Criterion must have at least log*n – log*log*n – O(1) rounds. Recall Statistical Criterion: 9 constants  s.t. 8 T µ {0,1} n of density ·  Pr[ Output 2 T ] · 1-  First nonconstant lower bound on round complexity for any random selection protocol not imposing additional constraints (e.g., on communication size or “simulatability”).

10 Proof Strategy Suppose protocol has ¿ log* n rounds. Show that one of the players can force the output into a “cheating” set of density o(1) with probability 1-o(1). Strategy: induction on game tree…

11 The Two-Round Case Bob’s message Alice’s message Can think of any two-round protocol as: Bob sends S µ {0,1} n to Alice (according to some dist. on P ({0,1} n )) Alice selects output according to some dist. on S. m1m1 S={f(m 1, ² )} m2m2 Alice selects m 2, output is x=f(m 1,m 2 ) (“Alice selects x 2 S”) Bob selects m 1, restricting output to S={f(m 1, ² )} (“Bob selects set S”)

12 The Two-Round Case: Cheating Bob Bob’s message Alice’s message Case 1: 9 “small” set (of size o(n)). Bob violates SC by selecting that set as his cheating set.. 1) Bob’s cheating set 3) Alice’s chosen output 2 Bob’s cheating set with prob. 1 2) Bob deterministically chooses this branch

13 2) Bob plays honestly The Two-Round Case: Cheating Alice Bob’s message Alice’s message Case 2: Bob must give Alice a “big” (i.e., ω(1) elements) set. Random cheating set of density o(1) intersects w.h.p. ) Alice cheats successfully. 1) Alice’s cheating set = random set of red elements 3) Alice selects output from intersection

14 The Three-Round Case Now, Alice chooses a set of sets, from which Bob chooses a set, from which Alice chooses the output. Alice Bob Alice m1m1 m2m2 S = f(m 1, m 2, ² ) output = f(m 1, m 2, m 3 )m3m3

15 The Three-Round Case Case 1: If Alice can choose a branch whereby all sets are “big”, then she can violate the statistical criterion. Alice Bob Alice 1) Alice’s random cheating set = set of red elements 4) Alice can choose output in her cheating set 2) Alice deterministically chooses branch 3) Bob plays honestly

16 The Three-Round Case Thus, every branch has at least one “small” set. Not immediately helpful to Bob… Alice Bob Alice

17 The Three-Round Case Key question: Down a given branch chosen by Alice, how many disjoint, small sets are there? Bob benefits if there are many. Alice Bob Alice

18 The Three-Round Case Case 2: All initial Alice messages let Bob choose from many disjoint small sets. Randomly chosen set of o(1) density contains a small set w.h.p. ) Bob cheats successfully. Alice Bob Alice 1) Bob’s random cheating set = set of red elements 4) Alice must choose output in his cheating set 3) Bob selects set contained in cheating set 2) Alice randomly picks a branch

19 The Three-Round Case What if there is a branch with few disjoint small sets? Need to argue Alice can take advantage. Alice Bob Alice

20 The Three-Round Case Case 3: A branch with no large disjoint subcollection Set intersecting all small sets + random set ) Alice cheats successfully Alice Bob Alice 1) Alice’s cheating set = intersect-set + … … a random set 2) Alice deterministically selects branch 3) Bob plays honestly 4) Whether Bob chose big or small set, Alice selects from cheating set Implies a small set intersects every set in collection (e.g., union of maximal disjoint subcollection)

21 3 -> log*n-log*log*n-O(1) To generalize, induct on the game tree… label every node A-WIN, B-WIN, or TIE: WIN – player can violate SC by choosing cheating set randomly. TIE – both players can violate SC with a cheating set of the form R U S, where R is random and S is a small set of non-random elements. The result stops at ~log* n rounds because |S| grows as a tower in the # of rounds.

22 Conclusions We provide matching upper and lower bounds (up to a constant factor) for the round complexity of protocols satisfying a natural criterion. Open Problems/Future Work Leverage results for open problems in well-studied multiparty protocols (leader election, collective coin-flipping, and collective sampling). Study the impact of additional constraints required in literature (e.g., simulatability or message length).

Download ppt "The Round Complexity of Two-Party Random Selection Saurabh Sanghvi and Salil Vadhan Harvard University."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Optimal Lower Bounds for 2-Query Locally Decodable Linear Codes Kenji Obata.

Optimal Lower Bounds for 2-Query Locally Decodable Linear Codes Kenji Obata.
1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.

1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.
Tight Bounds for Distributed Functional Monitoring David Woodruff IBM Almaden Qin Zhang Aarhus University MADALGO.

Tight Bounds for Distributed Functional Monitoring David Woodruff IBM Almaden Qin Zhang Aarhus University MADALGO.
Optimal Space Lower Bounds for All Frequency Moments David Woodruff MIT

Optimal Space Lower Bounds for All Frequency Moments David Woodruff MIT
The Average Case Complexity of Counting Distinct Elements David Woodruff IBM Almaden.

The Average Case Complexity of Counting Distinct Elements David Woodruff IBM Almaden.
Optimal Bounds for Johnson- Lindenstrauss Transforms and Streaming Problems with Sub- Constant Error T.S. Jayram David Woodruff IBM Almaden.

Optimal Bounds for Johnson- Lindenstrauss Transforms and Streaming Problems with Sub- Constant Error T.S. Jayram David Woodruff IBM Almaden.
Tight Lower Bounds for the Distinct Elements Problem David Woodruff MIT Joint work with Piotr Indyk.

Tight Lower Bounds for the Distinct Elements Problem David Woodruff MIT Joint work with Piotr Indyk.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Truthful Mechanisms for Combinatorial Auctions with Subadditive Bidders Speaker: Shahar Dobzinski Based on joint works with Noam Nisan & Michael Schapira.

Truthful Mechanisms for Combinatorial Auctions with Subadditive Bidders Speaker: Shahar Dobzinski Based on joint works with Noam Nisan & Michael Schapira.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.

Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Foundations of Cryptography Lecture 3 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 3 Lecturer: Moni Naor.
Complexity Theory Lecture 6

Complexity Theory Lecture 6
Lecture 6. Prefix Complexity K The plain Kolmogorov complexity C(x) has a lot of “minor” but bothersome problems Not subadditive: C(x,y)≤C(x)+C(y) only.

Lecture 6. Prefix Complexity K The plain Kolmogorov complexity C(x) has a lot of “minor” but bothersome problems Not subadditive: C(x,y)≤C(x)+C(y) only.
Inapproximability of Hypergraph Vertex-Cover. A k-uniform hypergraph H= : V – a set of vertices E - a collection of k-element subsets of V Example: k=3.

Inapproximability of Hypergraph Vertex-Cover. A k-uniform hypergraph H= : V – a set of vertices E - a collection of k-element subsets of V Example: k=3.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Separating Deterministic from Randomized Multiparty Communication Complexity Joint work with Paul Beame (University of Washington) Matei David (University.

Separating Deterministic from Randomized Multiparty Communication Complexity Joint work with Paul Beame (University of Washington) Matei David (University.
Circuit and Communication Complexity. Karchmer – Wigderson Games Given The communication game G f : Alice getss.t. f(x)=1 Bob getss.t. f(y)=0 Goal: Find.

Circuit and Communication Complexity. Karchmer – Wigderson Games Given The communication game G f : Alice getss.t. f(x)=1 Bob getss.t. f(y)=0 Goal: Find.
Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.

Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.
Random non-local games Andris Ambainis, Artūrs Bačkurs, Kaspars Balodis, Dmitry Kravchenko, Juris Smotrovs, Madars Virza University of Latvia.

Random non-local games Andris Ambainis, Artūrs Bačkurs, Kaspars Balodis, Dmitry Kravchenko, Juris Smotrovs, Madars Virza University of Latvia.

Similar presentations

Ads by Google