Presentation is loading. Please wait.

Presentation is loading. Please wait.

High-entropy random selection protocols Michal Koucký (Institute of Mathematics, Prague) Harry Buhrman, Matthias Christandl, Zvi Lotker, Boaz Patt-Shamir,

Published byReginald Parrish Modified over 9 years ago

Similar presentations

Presentation on theme: "High-entropy random selection protocols Michal Koucký (Institute of Mathematics, Prague) Harry Buhrman, Matthias Christandl, Zvi Lotker, Boaz Patt-Shamir,"— Presentation transcript:

1 High-entropy random selection protocols Michal Koucký (Institute of Mathematics, Prague) Harry Buhrman, Matthias Christandl, Zvi Lotker, Boaz Patt-Shamir, KoliaVereshchagin

2 2 Random string selection: Alice Bob Alice Bob Goal: Alice and Bob want to agree on a random string r.

3 3 → Measure of randomness: Shannon entropy H( R ) = -  r Pr[R = r ] ∙ log Pr[ R = r ] e.g. R uniform on {0,1} n → H( R ) = n R uniform on 0 n/2 {0,1} n/2 → H( R ) = n /2 R uniform on 0 n → H( R ) = 0

4 4 Example: random r 1 r 2 … r n/2 Alice random r n/2+1 … r n Bob → output r = r 1 r 2 … r n H( R ) = n if Alice and Bob follow the protocol. H( R ) = n if Alice and Bob follow the protocol. H( R )  n/2 if one of them cheats. H( R )  n/2 if one of them cheats.

5 5 Main results: Random selection protocol that guaranteesH( R )  n – O(1) even if one of the parties cheats. This protocol runs in log* n rounds and communicates O( n 2 ). Random selection protocol that guaranteesH( R )  n – O(1) even if one of the parties cheats. This protocol runs in log* n rounds and communicates O( n 2 ). Three-round protocol that guarantees H( R )  ¾ n and communicates O( n ) bits. Three-round protocol that guarantees H( R )  ¾ n and communicates O( n ) bits.

6 6 Previous work: Different variants Different variants random selection protocol [GGL’95, SV’05, GVZ’06] random selection protocol [GGL’95, SV’05, GVZ’06] collective coin flipping [B’82, Y’86, B-OL’89, AN’90, …] collective coin flipping [B’82, Y’86, B-OL’89, AN’90, …] leader selection [AN’90,…] leader selection [AN’90,…] fault-tolerant computation [GGL’95] fault-tolerant computation [GGL’95] multiple-party protocols [AN’90,…] multiple-party protocols [AN’90,…] quantum protocols [ABDR’04] quantum protocols [ABDR’04] different measures different measures resilience resilience statistical distance from uniform distribution statistical distance from uniform distribution entropy entropy

7 7 H( R )  n – O(1)  ( , log -1 1/  )-resilience. H( R )  n – O(1)  ( , log -1 1/  )-resilience. O( log* n )-rounds, O( n 2 )-communication. [GGL] ( ,  )-resilience, [GGL] ( ,  )-resilience, O( n 2 )-rounds, O( n 2 )-communication. [SV] ( ,  +  )-resilience, [SV] ( ,  +  )-resilience, O( log* n )-rounds, O( n 2 )-communication. [GVZ] ( ,  )-resilience [GVZ] ( ,  )-resilience O( log* n )-rounds, O( n )-communication. B {0,1} n ( ,  )-resilience:  B; |B|   2 n Pr[r  B]  

8 8 Our basic protocol: random x 1, …, x n  {0,1} n Alice random y  {0,1} n Bob random i  {1, …, n} → output x i  y H( R ) = n if Alice and Bob follow the protocol. H( R ) = n if Alice and Bob follow the protocol. H( R )  n – log n if Alice cheats. H( R )  n – log n if Alice cheats. H( R )  n – O(1) if Bob cheats. H( R )  n – O(1) if Bob cheats.

9 9 Alice cheats, Bob plays honestly: Alice carefully selects x 1, …, x n Alice carefully selects x 1, …, x n Bob picks a random y Bob picks a random y  for all i and r, Pr y [ r = x i  y ] = 2 -n.  for all r, Pr y [  i ; r = x i  y ]  n 2 -n.  H( R )  n – log n. H( R )  n – log n.

10 10 Alice plays honestly, Bob cheats: For any r 1, r 2, … r n, Pr x [ r 1 = x 1, … r n = x n ] = 2 – n 2 For any r 1, r 2, … r n, Pr x [ r 1 = x 1, … r n = x n ] = 2 – n 2  Pr[ r 1 = x 1  y, … r n = x n  y ]  2 n – n 2 where y is a function of the random x 1, x 2, … x n  H( x 1  y, …, x n  y )  n 2 - n  E[[ H( x i  y ) ]]  n – 1.   E[[ H( x i  y ) ]]  n – 1.  H( R )  n – O(1) H( R )  n – O(1)

11 11 Our basic protocol: random x 1, …, x n  {0,1} n Alice random y  {0,1} n Bob random i  {1, …, n} → output x i  y H( R ) = n if Alice and Bob follow the protocol. H( R ) = n if Alice and Bob follow the protocol. H( R )  n – log n if Alice cheats. H( R )  n – log n if Alice cheats. H( R )  n – O(1) if Bob cheats. H( R )  n – O(1) if Bob cheats.

12 12 Iterating our protocol x 1, …, x m y 1, …, y m’ x 1, …, x m y 1, …, y m’ A B ijijijij AB r’’ = … r = x i  r’ r’ = y i  r’’ r = x i  r’ r’ = y i  r’’ → log* n iterations H( R )  n – 3 regardless of who cheats. H( R )  n – 3 regardless of who cheats.

13 13 Protocol P i (A, B) x 1, …, x l i x 1, …, x l i A P i-1 (B,A) P i-1 (B,A) j y j y A r = x j  y r = x j  y l 0 = nl i = log l i-1 k = log* n – l l k = 2

14 14 Claim: For i =0,…, k, output R i of P i (Alice,Bob) satisfies H( R i ) = n if Alice and Bob follow the protocol. H( R i ) = n if Alice and Bob follow the protocol. H( R i )  n – log 4 l i if Alice cheats. H( R i )  n – log 4 l i if Alice cheats. H( R i )  n – 2 if Bob cheats. H( R i )  n – 2 if Bob cheats. Pf: Alice carefully selects x 1, …, x l i. P i-1 (Bob, Alice) gives y = R i-1 P i-1 (Bob, Alice) gives y = R i-1 with H( y| x 1, …, x l i )  n – 2. Alice carefully selects j to output R i = x j  y Alice carefully selects j to output R i = x j  y

15 15 Pf: Alice carefully selects x 1, …, x l i. P i-1 (Bob, Alice) gives y = R i-1 P i-1 (Bob, Alice) gives y = R i-1 with H( y| x 1, …, x l i )  n – 2. Alice carefully selects j to output R i = x j  y Alice carefully selects j to output R i = x j  y H( x j  y )  H( x j  y | x 1, …, x l i ) H( x j  y )  H( x j  y | x 1, …, x l i )  H( y | x 1, …, x l i ) - H( j | x 1, …, x l i )  H( y | x 1, …, x l i ) - H( j )  n – 2 – log l i H( x j  y, j| x 1, …, x l i )  H( y | x 1, …, x l i ) 

16 16 Cost of our protocol: 2 log* n rounds 2 log* n rounds O( n 2 ) bits communicated Question: How to reduce the amount of communication close to linear?

17 17 Generic protocol: random x  {0,1} n Alice random y  {0,1} n Bob random i  {1, …, n} → output f ( x, y, i ) for some f : {0,1} n  {0,1} n  {1, …, n} → {0,1} n for some f : {0,1} n  {0,1} n  {1, …, n} → {0,1} n W.h.p for a random function f W.h.p for a random function f H( R )  n – O( log n ) regardless of cheating.

18 18 Explicit candidate functions: x i  yrotation of x i-times. x i  yrotation of x i-times. ix + yx, y  F k i  F ix + yx, y  F k i  F F = GF(2 log n ) k = n / log n ix + yx, y  F i  H  F ix + yx, y  F i  H  F F = GF(2 n ) |H|=n

19 19 Rotations: Fix i and j. For any x and y ( x i  y )  ( x j  y ) = x i  x j = x A ij where A ij has rank n – 1. x random  n – 1  H( x A ij )  H( x i  y, x j  y ) x random  n – 1  H( x A ij )  H( x i  y, x j  y )  H( R )  n – log nwhen Alice cheats H( R )  n /2when Bob cheats H( R )  n /2when Bob cheats

20 20 ¾n-protocol: 1. Pick one half of the string by A-B-A “rotating” protocol and the other one by B-A-B “rotating” protocol, i.e., use the asymmetry in the cheating powers. 2. The “line” protocol ix + y, where x, y  [GF(2 n/4 )] k and k = 4 → analysis related to the problem of Kakeya.

21 21 Kakeya Problem: P FkFkFkFk Q: P contains a line in each direction. How large is P ?

22 22 L … collection of lines; in each direction one line. Conjecture: |P L | must be close to |F | k where P L is the union of points in L. (|F |>2.) X L … random variable – choose a line from L at random and pick a random point on it. Def: H(|F |, k ) = min L H( X L ) H( X L )  log |P L | H( X L )  log |P L |

23 23 Geometric protocol: ix + yx, y  F k i  F ix + yx, y  F k i  F → line given by direction x and point y Claim: Let R be the outcome of the geometric protocol. If Alice is honest then H( R )  H(|F |, k ). H( R )  H(|F |, k ). Furthermore, Bob can impose H( R ) = H(|F |, k ). → proof of security of our protocol implies the conjecture for Kakeya problem.

24 24 Geometric protocol: ix + yx, y  F k i  F ix + yx, y  F k i  F → line given by direction x and point y Claim: Let R be the outcome of the geometric protocol. If Alice is honest then H( R )  (k /2 + 1)|F | – O(1). H( R )  (k /2 + 1)|F | – O(1). → For k = 4 and |F |= 2 n/4 we get H( R )  3n/4.

25 25 Open problems: Better analysis of our candidate functions. Better analysis of our candidate functions. Other candidate functions? Other candidate functions? Multiple parties. Multiple parties.

Download ppt "High-entropy random selection protocols Michal Koucký (Institute of Mathematics, Prague) Harry Buhrman, Matthias Christandl, Zvi Lotker, Boaz Patt-Shamir,"

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Optimal Bounds for Johnson- Lindenstrauss Transforms and Streaming Problems with Sub- Constant Error T.S. Jayram David Woodruff IBM Almaden.

Optimal Bounds for Johnson- Lindenstrauss Transforms and Streaming Problems with Sub- Constant Error T.S. Jayram David Woodruff IBM Almaden.
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.

Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.
The Round Complexity of Two-Party Random Selection Saurabh Sanghvi and Salil Vadhan Harvard University.

The Round Complexity of Two-Party Random Selection Saurabh Sanghvi and Salil Vadhan Harvard University.
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
Random non-local games Andris Ambainis, Artūrs Bačkurs, Kaspars Balodis, Dmitry Kravchenko, Juris Smotrovs, Madars Virza University of Latvia.

Random non-local games Andris Ambainis, Artūrs Bačkurs, Kaspars Balodis, Dmitry Kravchenko, Juris Smotrovs, Madars Virza University of Latvia.
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Random non-local games Andris Ambainis, Artūrs Bačkurs, Kaspars Balodis, Dmitry Kravchenko, Juris Smotrovs, Madars Virza University of Latvia.

Random non-local games Andris Ambainis, Artūrs Bačkurs, Kaspars Balodis, Dmitry Kravchenko, Juris Smotrovs, Madars Virza University of Latvia.
1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.

1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Robust Randomness Expansion Upper and Lower Bounds Matthew Coudron, Thomas Vidick, Henry Yuen arXiv:1305.6626.

Robust Randomness Expansion Upper and Lower Bounds Matthew Coudron, Thomas Vidick, Henry Yuen arXiv:
Gillat Kol (IAS) joint work with Ran Raz (Weizmann + IAS) Interactive Channel Capacity.

Gillat Kol (IAS) joint work with Ran Raz (Weizmann + IAS) Interactive Channel Capacity.
Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.

Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.
On Fair Exchange, Fair Coins and Fair Sampling Shashank Agrawal, Manoj Prabhakaran University of Illinois at Urbana-Champaign.

On Fair Exchange, Fair Coins and Fair Sampling Shashank Agrawal, Manoj Prabhakaran University of Illinois at Urbana-Champaign.
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Experimental Bit String Generation Serge Massar Université Libre de Bruxelles.

Experimental Bit String Generation Serge Massar Université Libre de Bruxelles.

Similar presentations

Ads by Google