High-entropy random selection protocols Michal Koucký (Institute of Mathematics, Prague) Harry Buhrman, Matthias Christandl, Zvi Lotker, Boaz Patt-Shamir, KoliaVereshchagin

2 Random string selection: Alice Bob Alice Bob Goal: Alice and Bob want to agree on a random string r.

3 → Measure of randomness: Shannon entropy H( R ) = -  r Pr[R = r ] ∙ log Pr[ R = r ] e.g. R uniform on {0,1} n → H( R ) = n R uniform on 0 n/2 {0,1} n/2 → H( R ) = n /2 R uniform on 0 n → H( R ) = 0

4 Example: random r 1 r 2 … r n/2 Alice random r n/2+1 … r n Bob → output r = r 1 r 2 … r n H( R ) = n if Alice and Bob follow the protocol. H( R ) = n if Alice and Bob follow the protocol. H( R )  n/2 if one of them cheats. H( R )  n/2 if one of them cheats.

5 Main results: Random selection protocol that guaranteesH( R )  n – O(1) even if one of the parties cheats. This protocol runs in log* n rounds and communicates O( n 2 ). Random selection protocol that guaranteesH( R )  n – O(1) even if one of the parties cheats. This protocol runs in log* n rounds and communicates O( n 2 ). Three-round protocol that guarantees H( R )  ¾ n and communicates O( n ) bits. Three-round protocol that guarantees H( R )  ¾ n and communicates O( n ) bits.

6 Previous work: Different variants Different variants random selection protocol [GGL’95, SV’05, GVZ’06] random selection protocol [GGL’95, SV’05, GVZ’06] collective coin flipping [B’82, Y’86, B-OL’89, AN’90, …] collective coin flipping [B’82, Y’86, B-OL’89, AN’90, …] leader selection [AN’90,…] leader selection [AN’90,…] fault-tolerant computation [GGL’95] fault-tolerant computation [GGL’95] multiple-party protocols [AN’90,…] multiple-party protocols [AN’90,…] quantum protocols [ABDR’04] quantum protocols [ABDR’04] different measures different measures resilience resilience statistical distance from uniform distribution statistical distance from uniform distribution entropy entropy

7 H( R )  n – O(1)  ( , log -1 1/  )-resilience. H( R )  n – O(1)  ( , log -1 1/  )-resilience. O( log* n )-rounds, O( n 2 )-communication. [GGL] ( ,  )-resilience, [GGL] ( ,  )-resilience, O( n 2 )-rounds, O( n 2 )-communication. [SV] ( ,  +  )-resilience, [SV] ( ,  +  )-resilience, O( log* n )-rounds, O( n 2 )-communication. [GVZ] ( ,  )-resilience [GVZ] ( ,  )-resilience O( log* n )-rounds, O( n )-communication. B {0,1} n ( ,  )-resilience:  B; |B|   2 n Pr[r  B]  

8 Our basic protocol: random x 1, …, x n  {0,1} n Alice random y  {0,1} n Bob random i  {1, …, n} → output x i  y H( R ) = n if Alice and Bob follow the protocol. H( R ) = n if Alice and Bob follow the protocol. H( R )  n – log n if Alice cheats. H( R )  n – log n if Alice cheats. H( R )  n – O(1) if Bob cheats. H( R )  n – O(1) if Bob cheats.

9 Alice cheats, Bob plays honestly: Alice carefully selects x 1, …, x n Alice carefully selects x 1, …, x n Bob picks a random y Bob picks a random y  for all i and r, Pr y [ r = x i  y ] = 2 -n.  for all r, Pr y [  i ; r = x i  y ]  n 2 -n.  H( R )  n – log n. H( R )  n – log n.

10 Alice plays honestly, Bob cheats: For any r 1, r 2, … r n, Pr x [ r 1 = x 1, … r n = x n ] = 2 – n 2 For any r 1, r 2, … r n, Pr x [ r 1 = x 1, … r n = x n ] = 2 – n 2  Pr[ r 1 = x 1  y, … r n = x n  y ]  2 n – n 2 where y is a function of the random x 1, x 2, … x n  H( x 1  y, …, x n  y )  n 2 - n  E[[ H( x i  y ) ]]  n – 1.   E[[ H( x i  y ) ]]  n – 1.  H( R )  n – O(1) H( R )  n – O(1)

11 Our basic protocol: random x 1, …, x n  {0,1} n Alice random y  {0,1} n Bob random i  {1, …, n} → output x i  y H( R ) = n if Alice and Bob follow the protocol. H( R ) = n if Alice and Bob follow the protocol. H( R )  n – log n if Alice cheats. H( R )  n – log n if Alice cheats. H( R )  n – O(1) if Bob cheats. H( R )  n – O(1) if Bob cheats.

12 Iterating our protocol x 1, …, x m y 1, …, y m’ x 1, …, x m y 1, …, y m’ A B ijijijij AB r’’ = … r = x i  r’ r’ = y i  r’’ r = x i  r’ r’ = y i  r’’ → log* n iterations H( R )  n – 3 regardless of who cheats. H( R )  n – 3 regardless of who cheats.

13 Protocol P i (A, B) x 1, …, x l i x 1, …, x l i A P i-1 (B,A) P i-1 (B,A) j y j y A r = x j  y r = x j  y l 0 = nl i = log l i-1 k = log* n – l l k = 2

14 Claim: For i =0,…, k, output R i of P i (Alice,Bob) satisfies H( R i ) = n if Alice and Bob follow the protocol. H( R i ) = n if Alice and Bob follow the protocol. H( R i )  n – log 4 l i if Alice cheats. H( R i )  n – log 4 l i if Alice cheats. H( R i )  n – 2 if Bob cheats. H( R i )  n – 2 if Bob cheats. Pf: Alice carefully selects x 1, …, x l i. P i-1 (Bob, Alice) gives y = R i-1 P i-1 (Bob, Alice) gives y = R i-1 with H( y| x 1, …, x l i )  n – 2. Alice carefully selects j to output R i = x j  y Alice carefully selects j to output R i = x j  y

15 Pf: Alice carefully selects x 1, …, x l i. P i-1 (Bob, Alice) gives y = R i-1 P i-1 (Bob, Alice) gives y = R i-1 with H( y| x 1, …, x l i )  n – 2. Alice carefully selects j to output R i = x j  y Alice carefully selects j to output R i = x j  y H( x j  y )  H( x j  y | x 1, …, x l i ) H( x j  y )  H( x j  y | x 1, …, x l i )  H( y | x 1, …, x l i ) - H( j | x 1, …, x l i )  H( y | x 1, …, x l i ) - H( j )  n – 2 – log l i H( x j  y, j| x 1, …, x l i )  H( y | x 1, …, x l i ) 

16 Cost of our protocol: 2 log* n rounds 2 log* n rounds O( n 2 ) bits communicated Question: How to reduce the amount of communication close to linear?

17 Generic protocol: random x  {0,1} n Alice random y  {0,1} n Bob random i  {1, …, n} → output f ( x, y, i ) for some f : {0,1} n  {0,1} n  {1, …, n} → {0,1} n for some f : {0,1} n  {0,1} n  {1, …, n} → {0,1} n W.h.p for a random function f W.h.p for a random function f H( R )  n – O( log n ) regardless of cheating.

18 Explicit candidate functions: x i  yrotation of x i-times. x i  yrotation of x i-times. ix + yx, y  F k i  F ix + yx, y  F k i  F F = GF(2 log n ) k = n / log n ix + yx, y  F i  H  F ix + yx, y  F i  H  F F = GF(2 n ) |H|=n

19 Rotations: Fix i and j. For any x and y ( x i  y )  ( x j  y ) = x i  x j = x A ij where A ij has rank n – 1. x random  n – 1  H( x A ij )  H( x i  y, x j  y ) x random  n – 1  H( x A ij )  H( x i  y, x j  y )  H( R )  n – log nwhen Alice cheats H( R )  n /2when Bob cheats H( R )  n /2when Bob cheats

20 ¾n-protocol: 1. Pick one half of the string by A-B-A “rotating” protocol and the other one by B-A-B “rotating” protocol, i.e., use the asymmetry in the cheating powers. 2. The “line” protocol ix + y, where x, y  [GF(2 n/4 )] k and k = 4 → analysis related to the problem of Kakeya.

21 Kakeya Problem: P FkFkFkFk Q: P contains a line in each direction. How large is P ?

22 L … collection of lines; in each direction one line. Conjecture: |P L | must be close to |F | k where P L is the union of points in L. (|F |>2.) X L … random variable – choose a line from L at random and pick a random point on it. Def: H(|F |, k ) = min L H( X L ) H( X L )  log |P L | H( X L )  log |P L |

23 Geometric protocol: ix + yx, y  F k i  F ix + yx, y  F k i  F → line given by direction x and point y Claim: Let R be the outcome of the geometric protocol. If Alice is honest then H( R )  H(|F |, k ). H( R )  H(|F |, k ). Furthermore, Bob can impose H( R ) = H(|F |, k ). → proof of security of our protocol implies the conjecture for Kakeya problem.

24 Geometric protocol: ix + yx, y  F k i  F ix + yx, y  F k i  F → line given by direction x and point y Claim: Let R be the outcome of the geometric protocol. If Alice is honest then H( R )  (k /2 + 1)|F | – O(1). H( R )  (k /2 + 1)|F | – O(1). → For k = 4 and |F |= 2 n/4 we get H( R )  3n/4.

25 Open problems: Better analysis of our candidate functions. Better analysis of our candidate functions. Other candidate functions? Other candidate functions? Multiple parties. Multiple parties.