# The Round Complexity of Two-Party Random Selection

Saurabh Sanghvi and Salil Vadhan, Harvard University


The Random Selection Problem

- Several mutually distrusting parties wish to select jointly at random an element of a fixed universe.
- Goal: Protocol such that even if a party cheats, the outcome will not be too “biased”.
- Applications: Design a protocol where a trusted third party makes the selection, then replace the third party with a random selection protocol.

Types of Random Selection

| | Computational | Information-Theoretic |
|---|---|---|
| 2 parties | Blu82, Lin01, KO04 | Dam94, DGW94, GGL98, GSV98, CCM98, DHRS04 (our focus) |
| N parties | CGMA85, GMW87, KOS03 | BL89, Sak89, AN90, ORV94, GGL98, RZ98, Fei99 |

2-party Information-Theoretic Random Selection Protocols

Examples of uses:

- Convert honest-verifier ZKPs to general ZKPs [Dam94, DGW94, GSV98]
- Perform oblivious transfer in the bounded-storage model [CCM98, DHRS04]
- Perform general fault-tolerant computation [GGL98]

Each is evaluated by different criteria…

Defining Random Selection

[Diagram: Alice (coins r_A) and Bob (coins r_B) exchange messages …, ending in an output.]

Our complexity measure: # of rounds (k)

Evaluating a Protocol

- Statistical Criterion (SC): ∃ constants  s.t. as long as one party is honest: ∀ T ⊆ {0,1}^n of density ≤   Pr[ Output ∈ T ] ≤ 1 −  
- The sets T are the “cheating sets”.
- Equivalent to the statistical difference of the protocol’s output with uniform being 1 − Ω(1).
- Extension of “resilience” in leader election/collective coin flipping.
- Achievable? Yes! [GGL98] (with 2n rounds)
- What is the necessary and sufficient round complexity?

Our results

- Upper bound: ∃ protocol satisfying the Statistical Criterion with 2 log* n + O(1) messages.
- Lower bound: log* n − log* log* n − O(1) messages are necessary.
- Tantalizingly similar to results in leader election, collective coin-flipping [RZ98, RSZ99, Fei99].

Our Protocol – Iterated Random Shift

- Given n, Alice and Bob want to select from U = {0,1}^n.
- Let m = n^3. Recursively apply: b_1, …, b_m ← U; a_1, …, a_m ← U; recurse on U′ = {a_i + b_j} …
- Inspired by leader election protocols [RZ98] and the proof that BPP is in Σ₂P [Lau83].
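One level of the shift on a toy universe, as an added Python sketch that is not part of the slides: it assumes “+” is bitwise XOR and that the honest party's a_i are fixed before the cheater picks the b_j, and it measures how dense a target set T can become among the pairs of U′ = {a_i + b_j}. The names `worst_case_density` and `demo` are hypothetical.

```python
import random

def worst_case_density(n, target, rng):
    """One shift level over U = {0,1}^n with '+' taken as XOR (assumption).

    The honest party fixes a_1..a_m (m = n^3, as on the slide); the cheater
    then picks every b_j to push as many a_i + b_j as possible into `target`.
    Returns the density of `target` among the m*m pairs (i, j) of U'.
    """
    size = 1 << n
    m = n ** 3
    in_target = [False] * size
    for x in target:
        in_target[x] = True
    honest = [rng.randrange(size) for _ in range(m)]
    # The cheater's best move is to repeat the single best shift b m times,
    # so the density over all pairs equals the best per-shift hit rate.
    best_hits = max(sum(in_target[a ^ b] for a in honest) for b in range(size))
    return best_hits / m

def demo(n=10, density=0.1, seed=2005):
    """Constructed toy run: random T of the given density, then one shift."""
    rng = random.Random(seed)
    size = 1 << n
    target = rng.sample(range(size), int(density * size))
    return len(target) / size, worst_case_density(n, target, rng)

if __name__ == "__main__":
    before, after = demo()
    print(f"density of T in U: {before:.3f}, worst case in U': {after:.3f}")
```

The cheater's best shift can never do worse than the average shift, so the density never drops below that of T in U; the honest party's random a_i keep it from rising far above it.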

The Main Lower Bound

Theorem: Any random selection protocol satisfying the Statistical Criterion must have at least log* n − log* log* n − O(1) rounds.

Recall Statistical Criterion: ∃ constants  s.t. ∀ T ⊆ {0,1}^n of density ≤   Pr[ Output ∈ T ] ≤ 1 −  

First nonconstant lower bound on round complexity for any random selection protocol not imposing additional constraints (e.g., on communication size or “simulatability”).

Proof Strategy

- Suppose protocol has ≪ log* n rounds.
- Show that one of the players can force the output into a “cheating” set of density o(1) with probability 1 − o(1).
- Strategy: induction on game tree…

The Two-Round Case

Can think of any two-round protocol as:

- Bob sends S ⊆ {0,1}^n to Alice (according to some dist. on P({0,1}^n)).
- Alice selects output according to some dist. on S.

[Diagram: Bob’s message m_1, then Alice’s message m_2.]

- Bob selects m_1, restricting output to S = {f(m_1, •)} (“Bob selects set S”).
- Alice selects m_2, output is x = f(m_1, m_2) (“Alice selects x ∈ S”).

The Two-Round Case: Cheating Bob

Case 1: ∃ “small” set (of size o(n)). Bob violates SC by selecting that set as his cheating set.

[Diagram: Bob’s message, then Alice’s message.]

1) Bob’s cheating set
2) Bob deterministically chooses this branch
3) Alice’s chosen output ∈ Bob’s cheating set with prob. 1

The Two-Round Case: Cheating Alice

Case 2: Bob must give Alice a “big” (i.e., ω(1) elements) set. Random cheating set of density o(1) intersects w.h.p. ⇒ Alice cheats successfully.

[Diagram: Bob’s message, then Alice’s message.]

1) Alice’s cheating set = random set of red elements
2) Bob plays honestly
3) Alice selects output from intersection
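The two cases above, as an added Python sketch (not from the slides) with toy constants in place of the asymptotics: a set counts as “small” when its density is at most `mu`, a name chosen here for the density bound on cheating sets, and honest Bob is assumed to pick uniformly among the listed sets.

```python
import random

def two_round_attack(bob_sets, universe_size, mu, rng):
    """Find who can break the criterion in a two-round protocol.

    bob_sets: the sets S Bob may send, assumed equally likely when Bob is
    honest (assumption); Alice's output always lies in the S she receives.
    mu: density bound on cheating sets (name chosen here, not on the slide).
    Returns (cheater, cheating_set, Pr[output in cheating_set]).
    """
    limit = int(mu * universe_size)
    smallest = min(bob_sets, key=len)
    if len(smallest) <= limit:
        # Case 1: Bob names the small set as his cheating set and sends it.
        return "Bob", set(smallest), 1.0
    # Case 2: every S is big. Alice fixes a random cheating set T up front
    # and outputs an element of S & T whenever honest Bob's S meets T.
    cheat = set(rng.sample(range(universe_size), limit))
    hits = sum(1 for s in bob_sets if cheat & s)
    return "Alice", cheat, hits / len(bob_sets)

def constructed_protocols(rng, universe_size=1024):
    """Two constructed protocols: one offering a tiny set, one with only big sets."""
    big = [set(rng.sample(range(universe_size), 256)) for _ in range(40)]
    return big + [{7, 8, 9}], big

if __name__ == "__main__":
    rng = random.Random(1)
    labels = ("with a small set", "only big sets")
    for label, sets in zip(labels, constructed_protocols(rng)):
        who, cheat, p = two_round_attack(sets, 1024, 0.1, rng)
        print(f"{label}: {who} cheats, |T| = {len(cheat)}, Pr[output in T] = {p:.3f}")
```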

The Three-Round Case

Now, Alice chooses a set of sets, from which Bob chooses a set, from which Alice chooses the output.

[Diagram: Alice sends m_1, Bob sends m_2, giving S = f(m_1, m_2, •); Alice sends m_3, output = f(m_1, m_2, m_3).]

The Three-Round Case

Case 1: If Alice can choose a branch whereby all sets are “big”, then she can violate the statistical criterion.

[Diagram: rounds Alice, Bob, Alice.]

1) Alice’s random cheating set = set of red elements
2) Alice deterministically chooses branch
3) Bob plays honestly
4) Alice can choose output in her cheating set

The Three-Round Case

Thus, every branch has at least one “small” set. Not immediately helpful to Bob…

[Diagram: rounds Alice, Bob, Alice.]

The Three-Round Case

Key question: Down a given branch chosen by Alice, how many disjoint, small sets are there? Bob benefits if there are many.

[Diagram: rounds Alice, Bob, Alice.]

The Three-Round Case

Case 2: All initial Alice messages let Bob choose from many disjoint small sets. Randomly chosen set of o(1) density contains a small set w.h.p. ⇒ Bob cheats successfully.

[Diagram: rounds Alice, Bob, Alice.]

1) Bob’s random cheating set = set of red elements
2) Alice randomly picks a branch
3) Bob selects set contained in cheating set
4) Alice must choose output in his cheating set

The Three-Round Case

What if there is a branch with few disjoint small sets? Need to argue Alice can take advantage.

[Diagram: rounds Alice, Bob, Alice.]

The Three-Round Case

Case 3: A branch with no large disjoint subcollection. Implies a small set intersects every set in collection (e.g., union of maximal disjoint subcollection). Set intersecting all small sets + random set ⇒ Alice cheats successfully.

[Diagram: rounds Alice, Bob, Alice.]

1) Alice’s cheating set = intersect-set + … … a random set
2) Alice deterministically selects branch
3) Bob plays honestly
4) Whether Bob chose big or small set, Alice selects from cheating set
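Case 3 as an added Python sketch, not part of the slides: a greedy maximal disjoint subcollection of the small sets yields the intersecting set, and a random set of density `mu` covers the big sets. The threshold `small_max`, the name `mu` and the sample branch are assumptions constructed for the example.

```python
import random

def maximal_disjoint(small_sets):
    """Greedily pick pairwise-disjoint sets until no further set can be added."""
    chosen, covered = [], set()
    for s in small_sets:
        if not (s & covered):
            chosen.append(s)
            covered |= s
    return chosen, covered  # `covered` is the union of the chosen sets

def alice_case3(branch, universe_size, small_max, mu, rng):
    """Alice's cheating set for a branch with few disjoint small sets.

    branch: the sets Bob may pick after Alice's first message.
    small_max: largest size still counted as "small" (assumed threshold).
    mu: density of the random part (name chosen here, not on the slide).
    Returns (cheating_set, number_of_disjoint_small_sets, sets_missed).
    """
    small = [s for s in branch if len(s) <= small_max]
    chosen, hitting = maximal_disjoint(small)
    # Maximality: every small set meets some chosen set, hence meets `hitting`.
    random_part = set(rng.sample(range(universe_size), int(mu * universe_size)))
    cheat = hitting | random_part
    missed = [s for s in branch if not (s & cheat)]
    return cheat, len(chosen), missed

def constructed_branch(rng, universe_size=1024):
    """Constructed branch: overlapping small sets plus 20 big random sets."""
    small = [{1, 2}, {2, 3}, {3, 4}, {10, 11}, {1, 11}, {4, 10}]
    big = [set(rng.sample(range(universe_size), 256)) for _ in range(20)]
    return small + big

if __name__ == "__main__":
    rng = random.Random(3)
    cheat, k, missed = alice_case3(constructed_branch(rng), 1024, 4, 0.1, rng)
    print(f"{k} disjoint small sets, |cheating set| = {len(cheat)}, missed = {len(missed)}")
```

The fewer disjoint small sets the branch contains, the smaller the non-random part of Alice's cheating set.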

3 -> log* n − log* log* n − O(1)

To generalize, induct on the game tree… label every node A-WIN, B-WIN, or TIE:

- WIN – player can violate SC by choosing cheating set randomly.
- TIE – both players can violate SC with a cheating set of the form R ∪ S, where R is random and S is a small set of non-random elements.

The result stops at ~log* n rounds because |S| grows as a tower in the # of rounds.

Conclusions

We provide matching upper and lower bounds (up to a constant factor) for the round complexity of protocols satisfying a natural criterion.

Open Problems/Future Work

- Leverage results for open problems in well-studied multiparty protocols (leader election, collective coin-flipping, and collective sampling).
- Study the impact of additional constraints required in literature (e.g., simulatability or message length).