Published by Aiden Philpott. Modified over 4 years ago.

1
The Round Complexity of Two-Party Random Selection
Saurabh Sanghvi and Salil Vadhan
Harvard University

2
The Random Selection Problem
Several mutually distrusting parties wish to jointly select at random an element of a fixed universe.
Goal: a protocol such that even if a party cheats, the outcome will not be too “biased”.
Applications: design a protocol where a trusted third party makes the selection, then replace the third party with a random selection protocol.

3
Types of Random Selection
2 parties, Computational: Blu82, Lin01, KO04
2 parties, Information-Theoretic (our focus): Dam94, DGW94, GGL98, GSV98, CCM98, DHRS04
N parties, Computational: CGMA85, GMW87, KOS03
N parties, Information-Theoretic: BL89, Sak89, AN90, ORV94, GGL98, RZ98, Fei99

4
2-party Information-Theoretic Random Selection Protocols
Examples of uses:
- Convert honest-verifier ZKPs to general ZKPs [Dam94, DGW94, GSV98]
- Perform oblivious transfer in the bounded-storage model [CCM98, DHRS04]
- Perform general fault-tolerant computation [GGL98]
Each evaluated by different criteria…

5
Defining Random Selection
[Figure: Alice (coins $r_A$) and Bob (coins $r_B$) exchange messages; the protocol ends with an output.]
Our complexity measure: # of rounds (k)

6
Evaluating a Protocol
Statistical Criterion (SC): $\exists$ constants s.t. as long as one party is honest: $\forall\, T \subseteq \{0,1\}^n$ of density $\le$ , $\Pr[\mathrm{Output} \in T] \le$ 1-
(The sets $T$ are the “cheating sets”.)
Equivalent to the statistical difference of the protocol’s output with uniform being 1- (1).
Extension of “resilience” in leader election/collective coin flipping.
Achievable? Yes! [GGL98] (with 2n rounds)
What is the necessary and sufficient round complexity?

7
Our results
Upper bound: $\exists$ protocol satisfying the Statistical Criterion with $2\log^* n + O(1)$ messages.
Lower bound: $\log^* n - \log^*\log^* n - O(1)$ messages are necessary.
Tantalizingly similar to results in leader election, collective coin-flipping [RZ98, RSZ99, Fei99]

8
Our Protocol – Iterated Random Shift
Given n, Alice and Bob want to select from $U = \{0,1\}^n$. Let $m = n^3$. Recursively apply:
$b_1, \ldots, b_m \leftarrow U$
$a_1, \ldots, a_m \leftarrow U$
Recurse on $U' = \{a_i + b_j\}$…
Inspired by leader election protocols [RZ98] and proof that BPP $\in$ 2 P [Lau83]
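One level of the shift step above, as an added Python example that is not from the slides: it measures how much of the new universe a cheating sender of the b's can push into a fixed cheating set T when the a's are honest, and how fast the universe's bit-length shrinks. Assumptions: "+" is bitwise XOR on {0,1}^n, the density name `mu` and all parameters are constructed, and U' is indexed by pairs (i, j).

```python
import random

def worst_shift_density(n, target, a):
    """Best a cheating sender of b can do: max over b in U of the
    fraction of honest shifts a[i] with a[i] XOR b inside the target set."""
    return max(sum((x ^ b) in target for x in a) / len(a)
               for b in range(2 ** n))

def run_shift_level(n=10, mu=0.25, seed=1):
    """One level of the shift step on U = {0,1}^n (constructed parameters)."""
    rng = random.Random(seed)
    size = 2 ** n
    target = set(rng.sample(range(size), int(mu * size)))  # cheating set T
    a = [rng.getrandbits(n) for _ in range(n ** 3)]        # honest party, m = n^3
    return worst_shift_density(n, target, a)

def bit_schedule(n):
    """Universe bit-lengths over successive levels, ASSUMING U' is indexed by
    pairs (i, j) in [m] x [m], i.e. 2*ceil(log2 m) bits (not stated on the slide)."""
    sched = [n]
    while True:
        m = sched[-1] ** 3
        nxt = 2 * (m - 1).bit_length()   # 2 * ceil(log2 m)
        if nxt >= sched[-1]:
            return sched
        sched.append(nxt)

if __name__ == "__main__":
    print("worst-case density of T in U':", run_shift_level())
    print("bit-lengths for n = 65536:", bit_schedule(65536))
```

Whatever b's the cheating party sends, the fraction of pairs (i, j) with a_i + b_j in T is an average of per-b fractions, so it cannot exceed the maximum returned by `worst_shift_density`.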

9
The Main Lower Bound
Theorem: Any random selection protocol satisfying the Statistical Criterion must have at least $\log^* n - \log^*\log^* n - O(1)$ rounds.
Recall Statistical Criterion: $\exists$ constants s.t. $\forall\, T \subseteq \{0,1\}^n$ of density $\le$ , $\Pr[\mathrm{Output} \in T] \le$ 1-
First nonconstant lower bound on round complexity for any random selection protocol not imposing additional constraints (e.g., on communication size or “simulatability”).

10
Proof Strategy
Suppose protocol has $\ll \log^* n$ rounds. Show that one of the players can force the output into a “cheating” set of density o(1) with probability 1-o(1).
Strategy: induction on game tree…

11
The Two-Round Case
Can think of any two-round protocol as:
- Bob sends $S \subseteq \{0,1\}^n$ to Alice (according to some dist. on $\mathcal{P}(\{0,1\}^n)$)
- Alice selects output according to some dist. on S.
[Figure: game tree. Bob’s message: Bob selects $m_1$, restricting output to $S = \{f(m_1, \cdot)\}$ (“Bob selects set S”). Alice’s message: Alice selects $m_2$, output is $x = f(m_1, m_2)$ (“Alice selects $x \in S$”).]

12
The Two-Round Case: Cheating Bob
Case 1: $\exists$ “small” set (of size o(n)). Bob violates SC by selecting that set as his cheating set.
[Figure: game tree with levels “Bob’s message”, “Alice’s message”, annotated:]
1) Bob’s cheating set
2) Bob deterministically chooses this branch
3) Alice’s chosen output $\in$ Bob’s cheating set with prob. 1

13
The Two-Round Case: Cheating Alice
Case 2: Bob must give Alice a “big” (i.e., ω(1) elements) set. Random cheating set of density o(1) intersects w.h.p. $\Rightarrow$ Alice cheats successfully.
[Figure: game tree with levels “Bob’s message”, “Alice’s message”, annotated:]
1) Alice’s cheating set = random set of red elements
2) Bob plays honestly
3) Alice selects output from intersection
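The “intersects w.h.p.” step in Case 2, carried through as an added calculation that is not from the slides. The symbols $\delta$ (inclusion probability of the random cheating set $R$) and $s$ (size of Bob’s set $S$) are introduced here. Let $R$ contain each element of $\{0,1\}^n$ independently with probability $\delta$. For any fixed $S$ with $|S| = s$:

$$\Pr_R[R \cap S = \emptyset] = (1-\delta)^{s} \le e^{-\delta s}.$$

With $\delta = 1/\sqrt{s}$ and $s = \omega(1)$, the density of $R$ is $o(1)$ (w.h.p.) while the failure probability is at most $e^{-\sqrt{s}} = o(1)$. Honest Bob chooses $S$ independently of $R$, so the same bound holds on average over his choice, and some fixed $R$ of density $o(1)$ meets his set with probability $1 - o(1)$.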

14
The Three-Round Case
Now, Alice chooses a set of sets, from which Bob chooses a set, from which Alice chooses the output.
[Figure: game tree with levels Alice ($m_1$), Bob ($m_2$), Alice ($m_3$); $S = f(m_1, m_2, \cdot)$, output $= f(m_1, m_2, m_3)$]

15
The Three-Round Case
Case 1: If Alice can choose a branch whereby all sets are “big”, then she can violate the statistical criterion.
[Figure: game tree with levels Alice, Bob, Alice, annotated:]
1) Alice’s random cheating set = set of red elements
2) Alice deterministically chooses branch
3) Bob plays honestly
4) Alice can choose output in her cheating set

16
The Three-Round Case
Thus, every branch has at least one “small” set. Not immediately helpful to Bob…
[Figure: game tree with levels Alice, Bob, Alice]

17
The Three-Round Case
Key question: Down a given branch chosen by Alice, how many disjoint, small sets are there? Bob benefits if there are many.
[Figure: game tree with levels Alice, Bob, Alice]

18
The Three-Round Case
Case 2: All initial Alice messages let Bob choose from many disjoint small sets. Randomly chosen set of o(1) density contains a small set w.h.p. $\Rightarrow$ Bob cheats successfully.
[Figure: game tree with levels Alice, Bob, Alice, annotated:]
1) Bob’s random cheating set = set of red elements
2) Alice randomly picks a branch
3) Bob selects set contained in cheating set
4) Alice must choose output in his cheating set

19
The Three-Round Case
What if there is a branch with few disjoint small sets? Need to argue Alice can take advantage.
[Figure: game tree with levels Alice, Bob, Alice]

20
The Three-Round Case
Case 3: A branch with no large disjoint subcollection.
Implies a small set intersects every set in collection (e.g., union of maximal disjoint subcollection).
Set intersecting all small sets + random set $\Rightarrow$ Alice cheats successfully.
[Figure: game tree with levels Alice, Bob, Alice, annotated:]
1) Alice’s cheating set = intersect-set + a random set
2) Alice deterministically selects branch
3) Bob plays honestly
4) Whether Bob chose big or small set, Alice selects from cheating set

21
$3 \to \log^* n - \log^*\log^* n - O(1)$
To generalize, induct on the game tree… label every node A-WIN, B-WIN, or TIE:
WIN – player can violate SC by choosing cheating set randomly.
TIE – both players can violate SC with a cheating set of the form $R \cup S$, where R is random and S is a small set of non-random elements.
The result stops at ~log* n rounds because |S| grows as a tower in the # of rounds.

22
Conclusions
We provide matching upper and lower bounds (up to a constant factor) for the round complexity of protocols satisfying a natural criterion.
Open Problems/Future Work
- Leverage results for open problems in well-studied multiparty protocols (leader election, collective coin-flipping, and collective sampling).
- Study the impact of additional constraints required in literature (e.g., simulatability or message length).
