1 / 22

The Round Complexity of Two-Party Random Selection

The Round Complexity of Two-Party Random Selection. Saurabh Sanghvi and Salil Vadhan Harvard University. The Random Selection Problem. Several mutually distrusting parties wish to select jointly at random an element of a fixed universe.

annot
Télécharger la présentation

The Round Complexity of Two-Party Random Selection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Round Complexity of Two-Party Random Selection Saurabh Sanghvi and Salil Vadhan Harvard University

  2. The Random Selection Problem • Several mutually distrusting parties wish to select jointly at random an element of a fixed universe. • Goal: Protocol such that even if a party cheats, the outcome will not be too “biased”. • Applications: Design a protocol where a trusted third-party makes the selection, then replace third-party with random selection protocol.

  3. Our focus Types of Random Selection Computational Information-Theoretic 2 parties N parties

  4. 2-party Information-Theoretic Random Selection Protocols • Examples of Uses • Convert honest-verifier ZKPs to general ZKPs [Dam94, DGW94, GSV98] • Perform oblivious transfer in bounded-storage model [CCM98, DHRS04] • Perform general fault-tolerant computation [GGL98] • Each evaluated by different criteria…

  5. Alice Bob Coins rA Coins rB Defining Random Selection Our complexity measure: # of rounds (k) . . . Output:

  6. Evaluating a Protocol • Statistical Criterion (SC) – 9 constants ,  > 0 s.t. as long as one party is honest: 8 T µ {0,1}n of density ·, Pr[ Output 2 T ] · 1- • Equivalent to the statistical difference of the protocol’s output with uniform being 1-(1). • Extension of “resilience” in leader election/collective coin flipping • Achievable? Yes! [GGL98] (with 2n rounds) What is the necessary and sufficient round complexity? “cheating sets”

  7. Our results • Upper bound: • 9 protocol satisfying the Statistical Criterion with 2log* n + O(1) messages • Lower bound: • log*n-log*log*n – O(1) messages are necessary. • Tantalizingly similar to results in leader election, collective coin-flipping [RZ98, RSZ99, Fei99]

  8. Our Protocol – Iterated Random Shift • Given n, Alice and Bob want to select from U={0,1}n. • Let m = n3. Recursively apply: • Inspired by leader election protocols [RZ98] and proof that BPP 2 2P [Lau83] a1, …, amà U b1, …, bmà U Recurse on U’ = {ai+bj}…

  9. The Main Lower Bound • Theorem: Any random selection protocol satisfying the Statistical Criterion must have at least log*n – log*log*n – O(1) rounds. • Recall Statistical Criterion: 9 constants ,  > 0 s.t. 8 T µ {0,1}n of density ·, Pr[ Output 2 T ] · 1- • First nonconstant lower bound on round complexity for anyrandom selection protocol not imposing additional constraints (e.g., on communication size or “simulatability”).

  10. Proof Strategy • Suppose protocol has ¿ log* n rounds. • Show that one of the players can force the output into a “cheating” set of density o(1) with probability 1-o(1). • Strategy: induction on game tree…

  11. The Two-Round Case Bob selects m1, restricting output to S={f(m1,²)} (“Bob selects set S”) Bob’s message • Can think of any two-round protocol as: • Bob sends Sµ{0,1}n to Alice (according to some dist. on P({0,1}n)) • Alice selects output according to some dist. on S. m1 S={f(m1,²)} Alice’s message m2 Alice selects m2, output is x=f(m1,m2) (“Alice selects x2S”)

  12. 1) Bob’s cheating set The Two-Round Case: Cheating Bob 2) Bob deterministically chooses this branch Bob’s message • Case 1: 9 “small” set (of size o(n)). • Bob violates SC by selecting that set as his cheating set.. Alice’s message 3) Alice’s chosen output 2 Bob’s cheating set with prob. 1

  13. 2) Bob plays honestly The Two-Round Case: Cheating Alice Bob’s message • Case 2: Bob must give Alice a “big” (i.e., ω(1) elements) set. • Random cheating set of density o(1) intersects w.h.p. ) Alice cheats successfully. Alice’s message 1) Alice’s cheating set = random set of red elements 3) Alice selects output from intersection

  14. The Three-Round Case Alice m1 • Now, Alice chooses a set of sets, from which Bob chooses a set, from which Alice chooses the output. Bob m2 Alice S = f(m1, m2, ²) m3 output = f(m1, m2, m3)

  15. The Three-Round Case Alice • Case 1: If Alice can choose a branch whereby all sets are “big”, then she can violate the statistical criterion. Bob 2) Alice deterministically chooses branch 3) Bob plays honestly Alice 4) Alice can choose output in her cheating set 1) Alice’s random cheating set = set of red elements

  16. The Three-Round Case Alice • Thus, every branch has at least one “small” set. • Not immediately helpful to Bob… Bob Alice

  17. The Three-Round Case Alice • Key question: Down a given branch chosen by Alice, how many disjoint, small sets are there? • Bob benefits if there are many. Bob Alice

  18. 4) Alice must choose output in his cheating set The Three-Round Case Alice • Case 2: All initial Alice messages let Bob choose from many disjoint small sets. • Randomly chosen set of o(1) density contains a small set w.h.p. ) Bob cheats successfully. Bob 2) Alice randomly picks a branch 3) Bob selects set contained in cheating set Alice 1) Bob’s random cheating set = set of red elements

  19. The Three-Round Case Alice • What if there is a branch with few disjoint small sets? • Need to argue Alice can take advantage. Bob Alice

  20. The Three-Round Case 2) Alice deterministically selects branch Alice • Case 3: A branch with no large disjoint subcollection • Set intersecting all small sets + random set) Alice cheats successfully Bob 3) Bob plays honestly Alice Implies a small set intersects every set in collection (e.g., union of maximal disjoint subcollection) 1) Alice’s cheating set = intersect-set + … 4) Whether Bob chose big or small set, Alice selects from cheating set … a random set

  21. 3 -> log*n-log*log*n-O(1) • To generalize, induct on the game tree…label every node A-WIN, B-WIN, or TIE: • WIN – player can violate SC by choosing cheating set randomly. • TIE – both players can violate SC with a cheating set of the form R U S, where R is random and S is a small set of non-random elements. • The result stops at ~log* n rounds because |S| grows as a tower in the # of rounds.

  22. Conclusions • We provide matching upper and lower bounds (up to a constant factor) for the round complexity of protocols satisfying a natural criterion. • Open Problems/Future Work • Leverage results for open problems in well-studied multiparty protocols (leader election, collective coin-flipping, and collective sampling). • Study the impact of additional constraints required in literature (e.g., simulatability or message length).

More Related