The Round Complexity of Two-Party Random Selection Saurabh Sanghvi and Salil Vadhan Harvard University.

Slides:



Advertisements
Similar presentations
Polylogarithmic Private Approximations and Efficient Matching
Advertisements

Optimal Lower Bounds for 2-Query Locally Decodable Linear Codes Kenji Obata.
1+eps-Approximate Sparse Recovery Eric Price MIT David Woodruff IBM Almaden.
Tight Bounds for Distributed Functional Monitoring David Woodruff IBM Almaden Qin Zhang Aarhus University MADALGO.
Optimal Space Lower Bounds for All Frequency Moments David Woodruff MIT
The Average Case Complexity of Counting Distinct Elements David Woodruff IBM Almaden.
Optimal Bounds for Johnson- Lindenstrauss Transforms and Streaming Problems with Sub- Constant Error T.S. Jayram David Woodruff IBM Almaden.
Tight Lower Bounds for the Distinct Elements Problem David Woodruff MIT Joint work with Piotr Indyk.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Truthful Mechanisms for Combinatorial Auctions with Subadditive Bidders Speaker: Shahar Dobzinski Based on joint works with Noam Nisan & Michael Schapira.
Lower Bounds for Non-Black-Box Zero Knowledge Boaz Barak (IAS*) Yehuda Lindell (IBM) Salil Vadhan (Harvard) *Work done while in Weizmann Institute. Short.
Foundations of Cryptography Lecture 3 Lecturer: Moni Naor.
Complexity Theory Lecture 6
Lecture 6. Prefix Complexity K The plain Kolmogorov complexity C(x) has a lot of “minor” but bothersome problems Not subadditive: C(x,y)≤C(x)+C(y) only.
Inapproximability of Hypergraph Vertex-Cover. A k-uniform hypergraph H= : V – a set of vertices E - a collection of k-element subsets of V Example: k=3.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Separating Deterministic from Randomized Multiparty Communication Complexity Joint work with Paul Beame (University of Washington) Matei David (University.
Circuit and Communication Complexity. Karchmer – Wigderson Games Given The communication game G f : Alice getss.t. f(x)=1 Bob getss.t. f(y)=0 Goal: Find.
Quantum Information and the PCP Theorem Ran Raz Weizmann Institute.
Random non-local games Andris Ambainis, Artūrs Bačkurs, Kaspars Balodis, Dmitry Kravchenko, Juris Smotrovs, Madars Virza University of Latvia.
Secure Computation of Linear Algebraic Functions
Random non-local games Andris Ambainis, Artūrs Bačkurs, Kaspars Balodis, Dmitry Kravchenko, Juris Smotrovs, Madars Virza University of Latvia.
The Communication Complexity of Approximate Set Packing and Covering
Pondering more Problems. Enriching the Alice-Bob story Go to AGo to B Go to A Alice Go to B Go to A Go to B Go shoot pool Alice.
Secure Multiparty Computations on Bitcoin
I NFORMATION CAUSALITY AND ITS TESTS FOR QUANTUM COMMUNICATIONS I- Ching Yu Host : Prof. Chi-Yee Cheung Collaborators: Prof. Feng-Li Lin (NTNU) Prof. Li-Yi.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
Gillat Kol (IAS) joint work with Ran Raz (Weizmann + IAS) Interactive Channel Capacity.
MIT and James Orlin © Game Theory 2-person 0-sum (or constant sum) game theory 2-person game theory (e.g., prisoner’s dilemma)
Study Group Randomized Algorithms 21 st June 03. Topics Covered Game Tree Evaluation –its expected run time is better than the worst- case complexity.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Derandomized parallel repetition theorems for free games Ronen Shaltiel, University of Haifa.
Short course on quantum computing Andris Ambainis University of Latvia.
Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.
CS151 Complexity Theory Lecture 6 April 15, 2015.
Algorithms in Exponential Time. Outline Backtracking Local Search Randomization: Reducing to a Polynomial-Time Case Randomization: Permuting the Evaluation.
CSEP 590tv: Quantum Computing
DANSS Colloquium By Prof. Danny Dolev Presented by Rica Gonen
Finite probability space set  (sample space) function P:  R + (probability distribution)  P(x) = 1 x 
How to play ANY mental game
Complexity Theory Lecture 2 Lecturer: Moni Naor. Recap of last week Computational Complexity Theory: What, Why and How Overview: Turing Machines, Church-Turing.
A Few Simple Applications to Cryptography Louis Salvail BRICS, Aarhus University.
PROBABILITY AND STATISTICS FOR ENGINEERING Hossein Sameti Department of Computer Engineering Sharif University of Technology Independence and Bernoulli.
1 Introduction to Approximation Algorithms. 2 NP-completeness Do your best then.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Secure Multi-Party Computation.
High-entropy random selection protocols Michal Koucký (Institute of Mathematics, Prague) Harry Buhrman, Matthias Christandl, Zvi Lotker, Boaz Patt-Shamir,
CS151 Complexity Theory Lecture 13 May 11, Outline proof systems interactive proofs and their power Arthur-Merlin games.
One-way multi-party communication lower bound for pointer jumping with applications Emanuele Viola & Avi Wigderson Columbia University IAS work done while.
A limit on nonlocality in any world in which communication complexity is not trivial IFT6195 Alain Tapp.
Communication vs. Computation S Venkatesh Univ. Victoria Presentation by Piotr Indyk (MIT) Kobbi Nissim Microsoft SVC Prahladh Harsha MIT Joe Kilian NEC.
Flipping coins over the telephone and other games.
The Cost of Fault Tolerance in Multi-Party Communication Complexity Binbin Chen Advanced Digital Sciences Center Haifeng Yu National University of Singapore.
Umans Complexity Theory Lectures Lecture 7b: Randomization in Communication Complexity.
Communication Complexity Guy Feigenblat Based on lecture by Dr. Ely Porat Some slides where adapted from various sources Complexity course Computer science.
1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.
CS Lecture 26 Monochrome Despite Himself. Pigeonhole Principle: If we put n+1 pigeons into n holes, some hole must receive at least 2 pigeons.
1 Fault-Tolerant Consensus. 2 Communication Model Complete graph Synchronous, network.
Complexity 24-1 Complexity Andrei Bulatov Interactive Proofs.
Random Sampling Algorithms with Applications Kyomin Jung KAIST Aug ERC Workshop.
Randomized Algorithms for Distributed Agreement Problems Peter Robinson.
The Cost of Fault Tolerance in Multi-Party Communication Complexity Haifeng Yu National University of Singapore Joint work with Binbin Chen, Yuda Zhao,
Existence of Non-measurable Set
Information Complexity Lower Bounds
Branching Programs Part 3
Locality In Distributed Graph Algorithms
Blockchain Mining Games
Presentation transcript:

The Round Complexity of Two-Party Random Selection Saurabh Sanghvi and Salil Vadhan Harvard University

The Random Selection Problem Several mutually distrusting parties wish to select jointly at random an element of a fixed universe. Goal: Protocol such that even if a party cheats, the outcome will not be too “biased”. Applications: Design a protocol where a trusted third-party makes the selection, then replace third-party with random selection protocol.

Types of Random Selection Blu82, Lin01, KO04Dam94, DGW94, GGL98, GSV98, CCM98, DHRS04 CGMA85, GMW87, KOS03 BL89, Sak89, AN90, ORV94, GGL98, RZ98, Fei99 ComputationalInformation-Theoretic 2 parties N parties Our focus

2-party Information-Theoretic Random Selection Protocols Examples of Uses Convert honest-verifier ZKPs to general ZKPs [Dam94, DGW94, GSV98] Perform oblivious transfer in bounded- storage model [CCM98, DHRS04] Perform general fault-tolerant computation [GGL98] Each evaluated by different criteria…

Defining Random Selection Alice Coins r A Bob Coins r B Output: Our complexity measure: # of rounds (k)

Evaluating a Protocol Statistical Criterion (SC) – 9 constants  s.t. as long as one party is honest: 8 T µ {0,1} n of density ·  Pr[ Output 2 T ] · 1-  Equivalent to the statistical difference of the protocol’s output with uniform being 1-  (1). Extension of “resilience” in leader election/collective coin flipping Achievable? Yes! [GGL98] (with 2n rounds) What is the necessary and sufficient round complexity? “cheating sets”

Our results Upper bound: 9 protocol satisfying the Statistical Criterion with 2log* n + O(1) messages Lower bound: log*n-log*log*n – O(1) messages are necessary. Tantalizingly similar to results in leader election, collective coin-flipping [RZ98, RSZ99, Fei99]

Our Protocol – Iterated Random Shift Given n, Alice and Bob want to select from U={0,1} n. Let m = n 3. Recursively apply: Inspired by leader election protocols [RZ98] and proof that BPP 2  2 P [Lau83] b 1, …, b m à U a 1, …, a m à U Recurse on U’ = {a i +b j }…

The Main Lower Bound Theorem: Any random selection protocol satisfying the Statistical Criterion must have at least log*n – log*log*n – O(1) rounds. Recall Statistical Criterion: 9 constants  s.t. 8 T µ {0,1} n of density ·  Pr[ Output 2 T ] · 1-  First nonconstant lower bound on round complexity for any random selection protocol not imposing additional constraints (e.g., on communication size or “simulatability”).

Proof Strategy Suppose protocol has ¿ log* n rounds. Show that one of the players can force the output into a “cheating” set of density o(1) with probability 1-o(1). Strategy: induction on game tree…

The Two-Round Case Bob’s message Alice’s message Can think of any two-round protocol as: Bob sends S µ {0,1} n to Alice (according to some dist. on P ({0,1} n )) Alice selects output according to some dist. on S. m1m1 S={f(m 1, ² )} m2m2 Alice selects m 2, output is x=f(m 1,m 2 ) (“Alice selects x 2 S”) Bob selects m 1, restricting output to S={f(m 1, ² )} (“Bob selects set S”)

The Two-Round Case: Cheating Bob Bob’s message Alice’s message Case 1: 9 “small” set (of size o(n)). Bob violates SC by selecting that set as his cheating set.. 1) Bob’s cheating set 3) Alice’s chosen output 2 Bob’s cheating set with prob. 1 2) Bob deterministically chooses this branch

2) Bob plays honestly The Two-Round Case: Cheating Alice Bob’s message Alice’s message Case 2: Bob must give Alice a “big” (i.e., ω(1) elements) set. Random cheating set of density o(1) intersects w.h.p. ) Alice cheats successfully. 1) Alice’s cheating set = random set of red elements 3) Alice selects output from intersection

The Three-Round Case Now, Alice chooses a set of sets, from which Bob chooses a set, from which Alice chooses the output. Alice Bob Alice m1m1 m2m2 S = f(m 1, m 2, ² ) output = f(m 1, m 2, m 3 )m3m3

The Three-Round Case Case 1: If Alice can choose a branch whereby all sets are “big”, then she can violate the statistical criterion. Alice Bob Alice 1) Alice’s random cheating set = set of red elements 4) Alice can choose output in her cheating set 2) Alice deterministically chooses branch 3) Bob plays honestly

The Three-Round Case Thus, every branch has at least one “small” set. Not immediately helpful to Bob… Alice Bob Alice

The Three-Round Case Key question: Down a given branch chosen by Alice, how many disjoint, small sets are there? Bob benefits if there are many. Alice Bob Alice

The Three-Round Case Case 2: All initial Alice messages let Bob choose from many disjoint small sets. Randomly chosen set of o(1) density contains a small set w.h.p. ) Bob cheats successfully. Alice Bob Alice 1) Bob’s random cheating set = set of red elements 4) Alice must choose output in his cheating set 3) Bob selects set contained in cheating set 2) Alice randomly picks a branch

The Three-Round Case What if there is a branch with few disjoint small sets? Need to argue Alice can take advantage. Alice Bob Alice

The Three-Round Case Case 3: A branch with no large disjoint subcollection Set intersecting all small sets + random set ) Alice cheats successfully Alice Bob Alice 1) Alice’s cheating set = intersect-set + … … a random set 2) Alice deterministically selects branch 3) Bob plays honestly 4) Whether Bob chose big or small set, Alice selects from cheating set Implies a small set intersects every set in collection (e.g., union of maximal disjoint subcollection)

3 -> log*n-log*log*n-O(1) To generalize, induct on the game tree… label every node A-WIN, B-WIN, or TIE: WIN – player can violate SC by choosing cheating set randomly. TIE – both players can violate SC with a cheating set of the form R U S, where R is random and S is a small set of non-random elements. The result stops at ~log* n rounds because |S| grows as a tower in the # of rounds.

Conclusions We provide matching upper and lower bounds (up to a constant factor) for the round complexity of protocols satisfying a natural criterion. Open Problems/Future Work Leverage results for open problems in well-studied multiparty protocols (leader election, collective coin-flipping, and collective sampling). Study the impact of additional constraints required in literature (e.g., simulatability or message length).