The Round Complexity of Two-Party Random Selection

1
The Round Complexity of Two-Party Random Selection
  • Saurabh Sanghvi and Salil Vadhan
  • Harvard University

2
The Random Selection Problem
  • Several mutually distrusting parties wish to
    select jointly at random an element of a fixed
    universe.
  • Goal: Protocol such that even if a party cheats,
    the outcome will not be too biased.
  • Applications: Design a protocol where a trusted
    third party makes the selection, then replace the
    third party with a random selection protocol.

3
Types of Random Selection
  • Computational vs. Information-Theoretic
  • 2 parties vs. N parties

4
2-party Information-Theoretic Random Selection Protocols
  • Examples of Uses
    • Convert honest-verifier ZKPs to general ZKPs
      [Dam94, DGW94, GSV98]
    • Perform oblivious transfer in bounded-storage
      model [CCM98, DHRS04]
    • Perform general fault-tolerant computation
      [GGL98]
  • Each evaluated by different criteria

5
Defining Random Selection
Our complexity measure: number of rounds (k)
[Figure: protocol diagram ending in "Output"]

6
Evaluating a Protocol
  • Statistical Criterion (SC): ∃ constants ?, ? > 0
    s.t. as long as one party is honest,
    ∀ T ⊆ {0,1}^n of density ?, Pr[Output ∈ T] ≤ 1-?
  • Equivalent to the statistical difference of the
    protocol's output with uniform being 1-?(1).
  • Extension of resilience in leader
    election/collective coin flipping
  • Achievable? Yes! [GGL98] (with 2n rounds)
  • What is the necessary and sufficient round
    complexity?

[Slide label: cheating sets]

7
Our results
  • Upper bound
    • ∃ protocol satisfying the Statistical Criterion
      with 2log n O(1) messages
  • Lower bound
    • logn-loglogn O(1) messages are necessary.
  • Tantalizingly similar to results in leader
    election, collective coin-flipping [RZ98, RSZ99,
    Fei99]

8
Our Protocol: Iterated Random Shift
  • Given n, Alice and Bob want to select from
    U = {0,1}^n.
  • Let m n3. Recursively apply:
      a1, …, am ← U
      b1, …, bm ← U
      Recurse on U aibj
  • Inspired by leader election protocols [RZ98] and
    proof that BPP ∈ ?2P [Lau83]

9
The Main Lower Bound
  • Theorem: Any random selection protocol satisfying
    the Statistical Criterion must have at least
    logn loglogn O(1) rounds.
  • Recall Statistical Criterion: ∃ constants ?, ? > 0
    s.t. ∀ T ⊆ {0,1}^n of density ?,
    Pr[Output ∈ T] ≤ 1-?
  • First nonconstant lower bound on round complexity
    for any random selection protocol not imposing
    additional constraints (e.g., on communication
    size or simulatability).

10
Proof Strategy
  • Suppose protocol has log n rounds.
  • Show that one of the players can force the output
    into a cheating set of density o(1) with
    probability 1-o(1).
  • Strategy: induction on game tree

11
The Two-Round Case
[Figure labels: Bob's message m1; S = f(m1, ·); Alice's message m2]
  • Bob selects m1, restricting output to S = f(m1, ·)
    (Bob selects set S)
  • Alice selects m2, output is x = f(m1, m2)
    (Alice selects x ∈ S)
  • Can think of any two-round protocol as
    • Bob sends S ⊆ {0,1}^n to Alice (according to
      some dist. on P({0,1}^n))
    • Alice selects output according to some dist.
      on S.

12
The Two-Round Case: Cheating Bob
[Figure labels: Bob's message; Alice's message]
2) Bob deterministically chooses this branch
3) Alice's chosen output ∈ Bob's cheating set
   with prob. 1
  • Case 1: ∃ small set (of size o(n)).
    • Bob violates SC by selecting that set as his
      cheating set.

13
The Two-Round Case: Cheating Alice
[Figure labels: Bob's message; Alice's message]
1) Alice's cheating set: random set of red elements
3) Alice selects output from intersection
  • Case 2: Bob must give Alice a big (i.e., ?(1)
    elements) set.
    • Random cheating set of density o(1) intersects
      w.h.p. ⇒ Alice cheats successfully.
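
The two-round dichotomy of slides 11 to 13, as an added example that is not part of the original slides: a protocol is modelled as honest Bob's distribution over sets S, and the code evaluates both cheating strategies. The universe size, the two sample protocols and the fixed density 1/32 standing in for o(1) are constructed assumptions.

```python
import random

def bob_cheats(universe_size, bob_dist):
    """Case 1: Bob always sends the smallest set in the support and names it
    as his cheating set T, so the output is in T with probability 1.
    Returns (density of T, probability that the output lands in T)."""
    smallest = min((s for s, p in bob_dist if p > 0), key=len)
    return len(smallest) / universe_size, 1.0

def alice_cheats_exact(bob_dist, density):
    """Case 2: Alice's cheating set T keeps each element independently with
    probability `density`; she wins whenever honest Bob's set S meets T."""
    return sum(p * (1 - (1 - density) ** len(s)) for s, p in bob_dist)

def alice_cheats_simulated(universe_size, bob_dist, density, trials, seed):
    """Play Case 2 out: draw T, draw honest Bob's S, let Alice answer in S ∩ T."""
    rng = random.Random(seed)
    sets = [s for s, _ in bob_dist]
    weights = [p for _, p in bob_dist]
    wins = 0
    for _ in range(trials):
        t = {x for x in range(universe_size) if rng.random() < density}
        s = rng.choices(sets, weights)[0]   # honest Bob's message
        wins += bool(s & t)                 # Alice can answer inside T
    return wins / trials

# Constructed sample protocols over a universe of N = 1024 elements.
N = 1024
# BLOCKS: Bob sends one of 32 disjoint blocks of 32 elements (small sets).
BLOCKS = [(frozenset(range(i, i + 32)), 1 / 32) for i in range(0, N, 32)]
# HALVES: Bob sends the even or the odd elements (big sets).
HALVES = [(frozenset(range(r, N, 2)), 0.5) for r in (0, 1)]

if __name__ == "__main__":
    for name, dist in (("BLOCKS", BLOCKS), ("HALVES", HALVES)):
        print(name, "Bob:", bob_cheats(N, dist),
              "Alice:", round(alice_cheats_exact(dist, 1 / 32), 4))
```

With small sets Bob forces the output into a set of density 1/32 with certainty; with big sets Alice's random set of the same density almost always intersects what Bob sends.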

14
The Three-Round Case
[Figure labels: Alice: m1; Bob: m2; S = f(m1, m2, ·); Alice: m3; output f(m1, m2, m3)]
  • Now, Alice chooses a set of sets, from which Bob
    chooses a set, from which Alice chooses the
    output.

15
The Three-Round Case
[Figure labels: Alice; Bob; Alice]
1) Alice's random cheating set: set of red elements
2) Alice deterministically chooses branch
3) Bob plays honestly
4) Alice can choose output in her cheating set
  • Case 1: If Alice can choose a branch whereby all
    sets are big, then she can violate the
    statistical criterion.

16
The Three-Round Case
[Figure labels: Alice; Bob; Alice]
  • Thus, every branch has at least one small set.
  • Not immediately helpful to Bob

17
The Three-Round Case
[Figure labels: Alice; Bob; Alice]
  • Key question: Down a given branch chosen by
    Alice, how many disjoint, small sets are there?
  • Bob benefits if there are many.

18
The Three-Round Case
[Figure labels: Alice; Bob; Alice]
1) Bob's random cheating set: set of red elements
2) Alice randomly picks a branch
3) Bob selects set contained in cheating set
  • Case 2: All initial Alice messages let Bob choose
    from many disjoint small sets.
    • Randomly chosen set of o(1) density contains a
      small set w.h.p. ⇒ Bob cheats successfully.

19
The Three-Round Case
[Figure labels: Alice; Bob; Alice]
  • What if there is a branch with few disjoint small
    sets?
  • Need to argue Alice can take advantage.

20
The Three-Round Case
[Figure labels: Alice; Bob; Alice]
1) Alice's cheating set: intersect-set
2) Alice deterministically selects branch
3) Bob plays honestly
4) Whether Bob chose big or small set, Alice
   selects from cheating set
Implies a small set intersects every set in
collection (e.g., union of maximal disjoint
subcollection)
  • Case 3: A branch with no large disjoint
    subcollection
    • Set intersecting all small sets random set ⇒
      Alice cheats successfully
[Slide label: a random set]

21
3 - logn-loglogn-O(1)
  • To generalize, induct on the game tree... label
    every node A-WIN, B-WIN, or TIE
    • WIN: player can violate SC by choosing cheating
      set randomly.
    • TIE: both players can violate SC with a cheating
      set of the form R ∪ S, where R is random and S
      is a small set of non-random elements.
  • The result stops at log n rounds because S
    grows as a tower in the number of rounds.

22
Conclusions
  • We provide matching upper and lower bounds (up to
    a constant factor) for the round complexity of
    protocols satisfying a natural criterion.
  • Open Problems/Future Work
  • Leverage results for open problems in
    well-studied multiparty protocols (leader
    election, collective coin-flipping, and
    collective sampling).
  • Study the impact of additional constraints
    required in literature (e.g., simulatability or
    message length).