1 / 25

High-entropy random selection protocols

High-entropy random selection protocols. Michal Koucký (Institute of Mathematics, Prague) Harry Buhrman, Matthias Christandl, Zvi Lotker, Boaz Patt-Shamir, KoliaVereshchagin. Random string selection: Alice Bob. Goal: Alice and Bob want to agree on a random string r.

tmcfarland
Download Presentation

High-entropy random selection protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. High-entropy random selection protocols Michal Koucký (Institute of Mathematics, Prague) Harry Buhrman, Matthias Christandl, Zvi Lotker, Boaz Patt-Shamir, KoliaVereshchagin

  2. Random string selection: Alice Bob Goal: Alice and Bob want to agree on a random string r.

  3. Goal: Alice and Bob want to agree on a random string r. →Measure of randomness: Shannon entropy H( R) = - r Pr[R = r ] ∙ log Pr[ R = r ] e.g.R uniform on {0,1}n→H( R) = n R uniform on 0n/2{0,1}n/2→H( R) = n /2 R uniform on 0n→H( R) = 0

  4. Example: random r1r2 … rn/2 Alice random rn/2+1 … rn Bob →output r= r1r2 … rn • H( R ) = nif Alice and Bob follow the protocol. • H( R ) n/2if one of them cheats.

  5. Main results: • Random selection protocol that guarantees H( R)  n– O(1)even if one of the parties cheats. This protocol runs in log* n rounds and communicates O( n 2 ). • Three-round protocol that guarantees H( R )  ¾ n and communicates O( n ) bits.

  6. Previous work: • Different variants • random selection protocol [GGL’95, SV’05, GVZ’06] • collective coin flipping [B’82, Y’86, B-OL’89, AN’90, …] • leader selection [AN’90,…] • fault-tolerant computation [GGL’95] • multiple-party protocols [AN’90,…] • quantum protocols [ABDR’04] • different measures • resilience • statistical distance from uniform distribution • entropy

  7. (,)-resilience: B; |B| 2n Pr[rB]   {0,1}n B • H( R)  n– O(1)  (, log-1 1/)-resilience. O( log* n)-rounds, O( n 2 )-communication. • [GGL] (, )-resilience, O( n 2 )-rounds, O( n 2 )-communication. • [SV] (, +)-resilience, O( log* n)-rounds, O( n 2 )-communication. • [GVZ] (, )-resilience O( log* n)-rounds, O( n )-communication.

  8. Our basic protocol: random x1, …, xn{0,1}n Alice random y {0,1}n Bob random i {1, …, n} →output xi y • H( R ) = nif Alice and Bob follow the protocol. • H( R) n – log n if Alice cheats. • H( R) n – O(1)if Bob cheats.

  9. Alice cheats, Bob plays honestly: • Alice carefully selects x1, …, xn • Bob picks a random y  for all i and r, Pry [ r = xiy ] = 2 -n. for all r, Pry [  i ; r = xiy ] n 2 -n.  • H( R ) n– log n .

  10. Alice plays honestly, Bob cheats: • For any r1, r2 , … rn , Prx [ r1 = x1 , … rn = xn ] = 2 – n2  Pr[ r1 = x1y , … rn = xny ]  2 n – n2 where y is a function of the random x1, x2 , … xn  H(x1y , …, xny ) n2 - n  E[[ H( xiy ) ]] n– 1 .  • H( R) n – O(1)

  11. Our basic protocol: random x1, …, xn{0,1}n Alice random y {0,1}n Bob random i {1, …, n} →output xi y • H( R ) = nif Alice and Bob follow the protocol. • H( R) n – log n if Alice cheats. • H( R) n – O(1)if Bob cheats.

  12. Iterating our protocol x1, …, xmy1, …, ym’ A B ij A B r’’ = … r = xir’ r’ = yir’’ → log* niterations H( R ) n– 3 regardless of who cheats.

  13. Protocol Pi(A, B) x1, …, xli A Pi-1(B,A) jy A r = xjy l0 = n li = log li-1 k = log* n – l lk = 2

  14. Claim: For i =0,…, k, output Ri of Pi (Alice,Bob) satisfies • H( Ri) = nif Alice and Bob follow the protocol. • H( Ri) n – log 4 liif Alice cheats. • H( Ri) n – 2if Bob cheats. Pf: Alice carefully selects x1, …, xli. Pi-1(Bob, Alice) gives y = Ri-1 with H( y| x1, …, xli ) n – 2. Alice carefully selects j to output Ri = xjy

  15. Pf: Alice carefully selects x1, …, xli. Pi-1(Bob, Alice) gives y = Ri-1 with H( y| x1, …, xli ) n – 2. Alice carefully selects j to output Ri = xjy H( xjy ) H( xjy | x1, …, xli ) H( y | x1, …, xli ) - H( j | x1, …, xli ) H( y | x1, …, xli ) - H( j )  n – 2 – log li H( xjy , j| x1, …, xli ) H( y | x1, …, xli ) 

  16. Cost of our protocol: 2 log* nrounds O( n 2 ) bits communicated Question: How to reduce the amount of communication close to linear?

  17. Generic protocol: random x  {0,1}n Alice random y {0,1}n Bob random i {1, …, n} →output f ( x,y,i) for some f : {0,1}n{0,1}n{1, …, n}→ {0,1}n • W.h.p for a random function f H( R) n – O( log n ) regardless of cheating.

  18. Explicit candidate functions: • x iyrotation of x i-times. • ix + yx,yFk i F F = GF(2log n) k= n / log n • ix + yx,y F i H F F = GF(2n) |H|=n

  19. Rotations: Fix i and j. For any x and y ( x iy)  ( x jy ) =x i x j = x Aij where Aijhas rank n – 1. • x random n– 1  H( x Aij)  H(x iy ,x jy )  H( R ) n– log n when Alice cheats H( R ) n/2 when Bob cheats

  20. ¾n-protocol: • Pick one half of the string by A-B-A “rotating” protocol and the other one by B-A-B “rotating” protocol, i.e., use the asymmetry in the cheating powers. • The “line” protocol ix + y , where x,y [GF(2 n/4 )]k and k = 4 →analysis related to the problem of Kakeya.

  21. Fk Kakeya Problem: P Q: Pcontains a line in each direction. How large is P ?

  22. L … collection of lines; in each direction one line. Conjecture: |PL | must be close to |F |k where PL is the union of points in L. (|F |>2.) XL… random variable – choose a line from L at random and pick a random point on it. Def: H(|F |, k) = minL H( XL) • H( XL)  log |PL |

  23. Geometric protocol: • ix + yx,yF k i F → line given bydirection x and point y Claim: Let R be the outcome of the geometric protocol. If Alice is honest then H( R ) H(|F|, k ). Furthermore, Bob can impose H( R ) =H(|F|, k ). → proof of security of our protocol implies the conjecture for Kakeya problem.

  24. Geometric protocol: • ix + yx,yF k i F → line given bydirection x and point y Claim: Let R be the outcome of the geometric protocol. If Alice is honest then H( R )  (k /2 + 1)|F| – O(1). → For k = 4 and |F|= 2n/4 we get H( R )  3n/4.

  25. Open problems: • Better analysis of our candidate functions. • Other candidate functions? • Multiple parties.

More Related