Coin flipping from a cosmic source OR Error correction of truly random bits
Elchanan Mossel, Ryan O’Donnell
Microsoft Research, MIT (now at Berkeley)


A new problem
We consider a new problem motivated by ideas in cryptography, coding theory, collective coin flipping, and noise sensitivity. We prove some results using probability, convexity, Fourier analysis, and discrete symmetrization. Many open problems remain.

The problem
[Figure: source string x (n bits); parties Alice, Bob, Cindy, …, Kate receive y_1, y_2, y_3, …, y_k; protocol shown: first bit.]

Broadcast with ε errors
[Figure: source string x (n bits); parties Alice, Bob, Cindy, …, Kate receive y_1, y_2, y_3, …, y_k; protocol shown: first bit.]

Broadcast with ε errors
[Figure: source string x (n bits); parties Alice, Bob, Cindy, …, Kate receive y_1, y_2, y_3, …, y_k; protocol shown: majority.]

The parameters
n: bit length of the uniform random “source” string x
k: number of parties, who cannot communicate but wish to agree on a uniformly random bit
ε: each party gets an independently corrupted version y_i, each bit flipped independently with probability ε
f (or f_1 … f_k): balanced “protocol” functions

Our goal
For each n, k, ε, find the best protocol function f (or functions f_1 … f_k) which maximize the probability that all parties agree on the same bit.

Notation
We’re interested in the probability (over choice of x and broadcast corruptions) that all parties agree. We write:
P(f_1, …, f_k; ε) = Pr[f_1(y_1) = ··· = f_k(y_k)],
and P_k(f; ε) in the case f = f_1 = ··· = f_k.

Motivation
Original motivation: The “Everlasting Security” cryptographic protocol of Ding and Rabin [DR01]. In this model, many players want shared access to a random string. Requires a satellite or other cosmic source to broadcast trillions (!) of random bits per second. Errors in reception seem quite likely.

Motivation
Natural question for the problem of error-correction in a broadcast channel. Of course, when the source is truly random, error correction is impossible. However, we don’t require that all parties recover the original info with high probability, only that they attain some shared info with high probability and this mutual info has high entropy.

Motivation
Similar to non-cryptographic collective coin-flipping problems [BL90,…, Dod00]. In these, a number of players want to agree on a random coin toss. However, some players are malicious and corrupt bits arbitrarily. Two differences:
1. We assume random corruptions, not adversarial.
2. Our players cannot communicate.

Motivation
Finally, the problem is intimately related to the study of noise sensitivity of boolean functions [KKL88, Hås97, BKS98, BJT99, Bou01, KS03, O02, MO02, KOS02, BMOS03,…]: this is the study of Pr[f(x) = f(y_1)].
Technical aside: Noise sensitivity is essentially given by ||T_ε(f)||_2, where T_ε is the linear operator from the Bonami-Beckner inequality. Our problem is essentially the study of ||T_ε(f)||_k.

Intuition
Suppose all players use the same balanced function f. In some sense, we want f to be the least noise sensitive balanced function possible. Normally, this is the first-bit dictator function. But if there are many players, we’d rather have a function which has a few points which are extremely noise-stable, rather than having all points fairly noise-stable…

Intuition – cont’d
When f(x) = x_1, every source string is equally good; for each player, the probability its first bit doesn’t flip is 1-ε, so the probability of success is something like (1-ε)^k. When f(x) = majority, there are a few source strings, like 1111···1, which are extremely good. So although majority is more noise sensitive “on the average,” it can be better in our problem if k is large.

Things harder than they seem?
One theme we will allude to throughout the talk is that certain elements of this problem were more difficult or more counterintuitive than Elchanan and I expected. Some things we thought were obvious required or seemed to require nontrivial proofs; some things we thought were obvious weren’t even true!

About protocols
For example, recall that we want the parties’ bits, when agreed upon, to be uniformly random. To get this, we restricted protocol functions to be balanced. However, this is neither necessary nor sufficient! In particular, for n = 5 and k = 3, there is a balanced function f such that, if all players use f, they are more likely to agree on 1 than on 0!

Antisymmetric protocols
To get agreed-upon bits to be uniform, it suffices for the functions to be antisymmetric: f_i(¬x) = ¬f_i(x), where ¬x is the bitwise complement of x.
Proof: Pr[f_1(y_1) = ··· = f_k(y_k) = 1] = Pr[f_1(¬y_1) = ··· = f_k(¬y_k) = 0] = Pr[f_1(y_1) = ··· = f_k(y_k) = 0].
So we can study antisymmetric protocols instead if we like, but often studying merely balanced protocols is okay too.

Our results
We first show that all players should use the same function, and it should have certain monotonicity properties. When k = 2 or 3, the first-bit function is best. For fixed n, when k → ∞ majority is best, and when ε → 0 and ε → ½, the first-bit is best. For unbounded n, things get harder… in general we don’t know the best function, but we can give a lower bound for P_k(f; ε).

Players should use same fcn.
First, as expected, all parties should use the same function:
Theorem 1: Fix n, k, ε and also a class of functions C for the parties’ functions to come from. Then every protocol which maximizes P(f_1, …, f_k; ε) has f_1 = ··· = f_k.
Proof: Convexity.

One page proof sketch
Let C = {g_1, …, g_m}, and suppose t_i parties use g_i, for i = 1…m. We have that the t_i’s are integers and also:
t_i ≥ 0 and t_1 + ··· + t_m = k. (*)
The success probability which we want to maximize is a convex function of the t_i’s. Hence its maximum occurs at a vertex of (*), which is a point (0, …, 0, k, 0, …, 0), which is already integral.

For k=2,3, f(x) = x_1 is best
Theorem 2: For k = 2, 3 and for all n, ε, the unique best protocol is for the parties to use f(x) = x_1.
Proof: Fourier analysis.
Comments:
1. If the players can be assumed to use the same function, the k=2 case is folklore.
2. By “unique,” we shall mean up to trivial reordering of indices and switching 0 and 1.

More on k=2, 3
Corollary: No error correction is possible for k=2, 3.
Corollary: For all k, if the parties wish to maximize the expected number of agreements or the expected number of parties in the majority, they should all use f(x) = x_1.
Proof: E[# (i,j) : f(y_i) = f(y_j)] = (n choose 2) · Pr[f(y_i) = f(y_j)].

One page proof sketch for k = 2
When k = 2, we can think of party 1 as having the “true” random bits and party 2 as having an ε'-corruption. Thus the success probability is just the noise stability of f. For f balanced, this is:
α Σ_{|S|≥1} (1-2ε')^{|S|} f̂(S)^2,
so the best function has Fourier weight all on level 1. The k = 3 case reduces to k = 2 by a trick.

Properties of the best function
Any maximizing f has a special form:
Theorem 3: For all k, n, ε, any f maximizing P_k(f; ε) is left-monotone.
Proof: Steiner symmetrization (shifting).
Remark: This is again up to trivial permutations and switching 0 and 1.
A left-monotone function is one satisfying f(x1y) ≥ f(x0y) and f(x10y) ≥ f(x01y) for all x, y.

Fixed ε, n; k → ∞
For k > 3, you can just do better than f(x) = x_1:
Theorem 4: For all fixed ε and n (odd), for all sufficiently large k, the unique best protocol is f = MAJ_n.
Proof: Elementary probability and coupling.
Remark: In this case, the probability of success = Θ((1 – Pr[Bin(n,ε) > n/2])^k), as compared to Θ((1 – ε)^k) for f = x_1.
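The trade-off described in the intuition slides and in Theorem 4 can be checked exactly for small n by brute-force enumeration. The following is an added example, not code from the talk; the function names and the sample values n = 3, ε = 0.1 are illustrative assumptions.

```python
from itertools import product

def first_bit(y):
    """Dictator protocol f(x) = x_1."""
    return y[0]

def majority(y):
    """MAJ_n for odd n."""
    return int(2 * sum(y) > len(y))

def agree_prob(f, n, k, eps):
    """Exact P_k(f; eps): probability that k parties, each applying f to an
    independent eps-noisy copy of a uniform n-bit source x, all output the same bit."""
    cube = list(product((0, 1), repeat=n))
    total = 0.0
    for x in cube:
        # p1 = Pr[f(y) = 1 | x], summed over every possible received string y
        p1 = 0.0
        for y in cube:
            if f(y):
                flips = sum(a != b for a, b in zip(x, y))
                p1 += eps ** flips * (1 - eps) ** (n - flips)
        # Given x the parties are independent: all say 1 w.p. p1^k, all say 0 w.p. (1-p1)^k
        total += p1 ** k + (1 - p1) ** k
    return total / len(cube)

def crossover_k(n, eps, k_max=200):
    """Smallest k at which MAJ_n strictly beats the first-bit protocol, or None."""
    for k in range(2, k_max + 1):
        if agree_prob(majority, n, k, eps) > agree_prob(first_bit, n, k, eps):
            return k
    return None

if __name__ == "__main__":
    n, eps = 3, 0.1  # constructed sample parameters
    for k in (2, 3, 10, 20, 50):
        print(k, agree_prob(first_bit, n, k, eps), agree_prob(majority, n, k, eps))
    print("majority first wins at k =", crossover_k(n, eps))
```

For small k the first-bit column is larger, consistent with Theorem 2; for large k the majority column wins because the all-0 and all-1 source strings dominate the sum.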

One page proof sketch
intuitively, if n is fixed and k is very large, in most cases it’s extremely unlikely all agree
to have a chance of success, must get a very helpful source string
success probability indeed controlled by the success probability for the best source x
since f can be assumed monotone, the best source string is the all 1’s string
in this case, the best function is clearly MAJ_n.

Fixed n, k; ε → 0, ½.
Theorem 4 was for fixed n, ε and k → ∞. Dually:
Theorem 5: Fix n and k. Then for ε sufficiently close to 0 and for ε sufficiently close to ½, the unique best protocol is f = x_1.
Proof: Isoperimetry for ε near 0, Fourier analysis for ε near ½.

One page proof sketch for ε → 0
When ε is extremely tiny, it’s almost as though there is just a single corruption error among all y_1, …, y_k. In this case, we just want to maximize the probability that this one corruption doesn’t change the value of f. This is equivalent to minimizing f’s “edge boundary.” By an isoperimetric theorem, the best f is the cube, f(x) = x_1.

Unbounded n
As for k, ε fixed and n → ∞, this is the heart of the problem and it seems quite difficult. Here we tend to imagine ε fixed and k → ∞, but n is allowed to be unbounded in terms of k. It seemed to us from Theorem 4 that in this case, the probability of success should go to 0 exponentially quickly as k → ∞. But…!

Polynomial decay
We were unable to prove this because, in fact, the decay is at worst polynomial:
Theorem 6: Fix ε. Then there is a sequence (n_k) such that:
P_k(MAJ_{n_k}; ε) ≥ Ω̃(k^{-2/(1-2ε)²}).
Proof: Use normal approximation.
Shameful fact: We still believe that the success probability must go to 0 as k → ∞ but we can’t prove it!

Using majorities
So far, in all of our theorems either MAJ_1 or MAJ_n has been the best function. Unfortunately, it’s not true that one of these is always best.
Theorem 7: There exist particular k and ε such that neither MAJ_1 nor MAJ_n is the best majority function protocol. Indeed, P_k(MAJ_r; ε) is not even unimodal in r!
Proof: Computer-assisted.

Are majorities best?
Still, in every case we know and every case considered by computer, some majority function has been best. Is this always the case? We present the two opposing conjectures on this intriguing question:
Conjecture M: For a particular k, ε, and odd n, there is an antisymmetric function strictly better than all majority functions.
Conjecture O: The best antisymmetric [balanced?] function is always a majority.

Wrap-up
In conclusion, we think the “cosmic coin flipping” problem is a nice one to think about, and one that presents many intriguing open problems. We believe that some may be easy to resolve, whereas some might require much more heavy-duty techniques; perhaps some deeper isoperimetry ideas or the Bonami-Beckner inequality.

Open problems
1. Show that for fixed ε, when k → ∞ and n is allowed to be unbounded, the success probability goes to 0.
2. Show that for all k, ε, as n → ∞, the best majority is MAJ_n, up to a universal constant.
3. Show that MAJ_1 is best for k ≤ … 9?
4. Show that the best weighted threshold function is always a majority.
5. Prove Conjecture M or Conjecture O.