high entropy random selection protocols n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
High-entropy random selection protocols PowerPoint Presentation
Download Presentation
High-entropy random selection protocols

Loading in 2 Seconds...

play fullscreen
1 / 25

High-entropy random selection protocols - PowerPoint PPT Presentation


  • 123 Views
  • Uploaded on

High-entropy random selection protocols. Michal Koucký (Institute of Mathematics, Prague) Harry Buhrman, Matthias Christandl, Zvi Lotker, Boaz Patt-Shamir, KoliaVereshchagin. Random string selection: Alice Bob. Goal: Alice and Bob want to agree on a random string r.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'High-entropy random selection protocols' - tyler


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
high entropy random selection protocols

High-entropy random selection protocols

Michal Koucký

(Institute of Mathematics, Prague)

Harry Buhrman, Matthias Christandl, Zvi Lotker, Boaz Patt-Shamir, KoliaVereshchagin

slide2
Random string selection:

Alice Bob

Goal: Alice and Bob want to agree on a random string r.

slide3
Goal: Alice and Bob want to agree on a random string r.

→Measure of randomness: Shannon entropy

H( R) = - r Pr[R = r ] ∙ log Pr[ R = r ]

e.g.R uniform on {0,1}n→H( R) = n

R uniform on 0n/2{0,1}n/2→H( R) = n /2

R uniform on 0n→H( R) = 0

slide4
Example:

random r1r2 … rn/2

Alice

random rn/2+1 … rn

Bob

→output r= r1r2 … rn

  • H( R ) = nif Alice and Bob follow the protocol.
  • H( R ) n/2if one of them cheats.
slide5
Main results:
  • Random selection protocol that guarantees H( R)  n– O(1)even if one of the parties cheats. This protocol runs in log* n rounds and communicates O( n 2 ).
  • Three-round protocol that guarantees H( R )  ¾ n and communicates O( n ) bits.
slide6
Previous work:
  • Different variants
    • random selection protocol [GGL’95, SV’05, GVZ’06]
    • collective coin flipping [B’82, Y’86, B-OL’89, AN’90, …]
    • leader selection [AN’90,…]
    • fault-tolerant computation [GGL’95]
    • multiple-party protocols [AN’90,…]
    • quantum protocols [ABDR’04]
  • different measures
    • resilience
    • statistical distance from uniform distribution
    • entropy
slide7

(,)-resilience:

B; |B| 2n

Pr[rB]  

{0,1}n

B

  • H( R)  n– O(1)  (, log-1 1/)-resilience.

O( log* n)-rounds, O( n 2 )-communication.

  • [GGL] (, )-resilience,

O( n 2 )-rounds, O( n 2 )-communication.

  • [SV] (, +)-resilience,

O( log* n)-rounds, O( n 2 )-communication.

  • [GVZ] (, )-resilience

O( log* n)-rounds, O( n )-communication.

slide8
Our basic protocol:

random x1, …, xn{0,1}n

Alice

random y {0,1}n

Bob

random i {1, …, n}

→output xi y

  • H( R ) = nif Alice and Bob follow the protocol.
  • H( R) n – log n if Alice cheats.
  • H( R) n – O(1)if Bob cheats.
slide9
Alice cheats, Bob plays honestly:
  • Alice carefully selects x1, …, xn
  • Bob picks a random y

 for all i and r, Pry [ r = xiy ] = 2 -n.

for all r, Pry [  i ; r = xiy ] n 2 -n. 

  • H( R ) n– log n .
slide10
Alice plays honestly, Bob cheats:
  • For any r1, r2 , … rn , Prx [ r1 = x1 , … rn = xn ] = 2 – n2

 Pr[ r1 = x1y , … rn = xny ]  2 n – n2

where y is a function of the random x1, x2 , … xn

 H(x1y , …, xny ) n2 - n

 E[[ H( xiy ) ]] n– 1 . 

  • H( R) n – O(1)
slide11
Our basic protocol:

random x1, …, xn{0,1}n

Alice

random y {0,1}n

Bob

random i {1, …, n}

→output xi y

  • H( R ) = nif Alice and Bob follow the protocol.
  • H( R) n – log n if Alice cheats.
  • H( R) n – O(1)if Bob cheats.
slide12
Iterating our protocol

x1, …, xmy1, …, ym’

A B

ij

A B r’’ = …

r = xir’ r’ = yir’’

→ log* niterations

H( R ) n– 3 regardless of who cheats.

slide13
Protocol Pi(A, B)

x1, …, xli

A

Pi-1(B,A)

jy

A

r = xjy

l0 = n li = log li-1 k = log* n – l

lk = 2

slide14
Claim: For i =0,…, k, output Ri of Pi (Alice,Bob) satisfies
  • H( Ri) = nif Alice and Bob follow the protocol.
  • H( Ri) n – log 4 liif Alice cheats.
  • H( Ri) n – 2if Bob cheats.

Pf: Alice carefully selects x1, …, xli.

Pi-1(Bob, Alice) gives y = Ri-1

with H( y| x1, …, xli ) n – 2.

Alice carefully selects j to output Ri = xjy

slide15
Pf: Alice carefully selects x1, …, xli.

Pi-1(Bob, Alice) gives y = Ri-1

with H( y| x1, …, xli ) n – 2.

Alice carefully selects j to output Ri = xjy

H( xjy ) H( xjy | x1, …, xli )

H( y | x1, …, xli ) - H( j | x1, …, xli )

H( y | x1, …, xli ) - H( j )

 n – 2 – log li

H( xjy , j| x1, …, xli ) H( y | x1, …, xli )

slide16
Cost of our protocol:

2 log* nrounds

O( n 2 ) bits communicated

Question: How to reduce the amount of communication close to linear?

slide17
Generic protocol:

random x  {0,1}n

Alice

random y {0,1}n

Bob

random i {1, …, n}

→output f ( x,y,i)

for some f : {0,1}n{0,1}n{1, …, n}→ {0,1}n

  • W.h.p for a random function f

H( R) n – O( log n ) regardless of cheating.

slide18
Explicit candidate functions:
  • x iyrotation of x i-times.
  • ix + yx,yFk i F

F = GF(2log n) k= n / log n

  • ix + yx,y F i H F

F = GF(2n) |H|=n

slide19
Rotations:

Fix i and j. For any x and y

( x iy)  ( x jy ) =x i x j = x Aij

where Aijhas rank n – 1.

  • x random n– 1  H( x Aij)  H(x iy ,x jy )

 H( R ) n– log n when Alice cheats

H( R ) n/2 when Bob cheats

slide20
¾n-protocol:
  • Pick one half of the string by A-B-A “rotating” protocol and the other one by B-A-B “rotating” protocol, i.e., use the asymmetry in the cheating powers.
  • The “line” protocol ix + y , where

x,y [GF(2 n/4 )]k and k = 4

→analysis related to the problem of Kakeya.

slide21

Fk

Kakeya Problem:

P

Q: Pcontains a line in each direction. How large is P ?

slide22
L … collection of lines; in each direction one line.

Conjecture: |PL | must be close to |F |k where PL is the union of points in L. (|F |>2.)

XL… random variable – choose a line from L at random and pick a random point on it.

Def: H(|F |, k) = minL H( XL)

  • H( XL)  log |PL |
slide23
Geometric protocol:
  • ix + yx,yF k i F

→ line given bydirection x and point y

Claim: Let R be the outcome of the geometric protocol. If Alice is honest then

H( R ) H(|F|, k ).

Furthermore, Bob can impose H( R ) =H(|F|, k ).

→ proof of security of our protocol implies the conjecture for Kakeya problem.

slide24
Geometric protocol:
  • ix + yx,yF k i F

→ line given bydirection x and point y

Claim: Let R be the outcome of the geometric protocol. If Alice is honest then

H( R )  (k /2 + 1)|F| – O(1).

→ For k = 4 and |F|= 2n/4 we get H( R )  3n/4.

slide25
Open problems:
  • Better analysis of our candidate functions.
  • Other candidate functions?
  • Multiple parties.