Abstract
We study the two-party problem of randomly selecting a common string among all the strings of length n. We want the protocol to have the property that the output distribution has high Shannon entropy or high min entropy, even when one of the two parties is dishonest and deviates from the protocol. We develop protocols that achieve Shannon entropy close to n and simultaneously min entropy close to n/2. In the literature the randomness guarantee is usually expressed in terms of “resilience”. The notion of Shannon entropy is not directly comparable to that of resilience, but we establish a connection between the two that allows us to compare our protocols with the existing ones. We construct an explicit protocol that yields Shannon entropy \(n - O(1)\) and has \(O(\log ^* n)\) rounds, improving over the protocol of Goldreich et al. (SIAM J Comput 27:506–544, 1998), which also achieves this entropy but needs O(n) rounds. Both of these protocols need \(O(n^2)\) bits of communication. Next we reduce the number of rounds and the length of communication in our protocols. We show the existence, non-explicitly, of a protocol that has 6 rounds, O(n) bits of communication, and yields Shannon entropy \(n- O(\log n)\) and min entropy \(n/2 - O(\log n)\). Our protocol achieves the same Shannon entropy bound as the, also non-explicit, protocol of Gradwohl et al. (in: Dwork (ed) Advances in Cryptology—CRYPTO ‘06, pp. 409–426, 2006), but achieves much higher min entropy: \(n/2 - O(\log n)\) versus \(O(\log n)\). Finally we exhibit a very simple explicit 3-round “geometric” protocol with communication length O(n). We connect the security parameter of this protocol with the well-studied Kakeya problem motivated by harmonic analysis and analytic number theory. We prove that this protocol has Shannon entropy \(n-o(n)\). Its relation to the Kakeya problem reflects a new approach to the random selection problem, different from that of any of the previously known protocols.
Notes
Assume for instance that a random variable \(X\) with the range \(\{0,1\}^n\) is \((\mu ,2\sqrt{\mu })\)-resilient for some \(\mu\). If \(\mu \ge 1/\sqrt{n}\) then \(X\) may have the following distribution: \({\mathrm{Pr}}[X=00\dots 0]=\mu\) and the remaining probability \(1-\mu\) is uniformly distributed over the remaining strings. Then \(H(X)\le (1-\mu )n+1\le n - \sqrt{n}+1\) and \(X\) is \((\mu ,2\sqrt{\mu })\)-resilient, as \({\mathrm{Pr}}[X\in S]<{\mathrm{Pr}}[X=00\dots 0]+ |S|/2^n\le \mu +\mu \le 2\sqrt{\mu }\) for any set S of density \(\mu\). Otherwise, if \(\mu <1/\sqrt{n}\), let \(X\) be uniformly distributed over some \(\sqrt{\mu }2^n\) strings. Then \(H(X)=(1/2)\log \mu +n\le n -(1/4)\log n\) and \(X\) is \((\mu ,2\sqrt{\mu })\)-resilient, as \({\mathrm{Pr}}[X\in S] \le |S|/(\sqrt{\mu }2^n)=\mu 2^n/(\sqrt{\mu }2^n)=\sqrt{\mu }\) for any set S of density \(\mu\).
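The two cases of this note can be checked numerically. The following is a small sanity check (not from the paper) of the first case, with the illustrative concrete values \(n=16\) and \(\mu =1/4\ge 1/\sqrt{n}\):

```python
import math

# Numerical sanity check (not from the paper) of the first example in this
# note, with the concrete values n = 16 and mu = 1/4 >= 1/sqrt(n).
n, mu = 16, 0.25
rest = (1 - mu) / (2**n - 1)   # mass of each of the remaining strings

# Shannon entropy of X: mass mu on 00...0, the rest uniform.
H = -mu * math.log2(mu) - (2**n - 1) * rest * math.log2(rest)
assert H <= n - math.sqrt(n) + 1

# Resilience: the heaviest set S of density mu consists of 00...0 together
# with mu * 2^n - 1 of the other strings.
size_S = int(mu * 2**n)
worst = mu + (size_S - 1) * rest
assert worst <= 2 * math.sqrt(mu)
```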
Indeed, assume that \({\mathrm{Pr}}[X=x_0]=\varepsilon\) and let \(Y=1\) if \(X=x_0\), and \(Y=0\) otherwise. Then \(H(X)=H(X,Y)=H(X|Y)+H(Y)\le \varepsilon \cdot 0+(1-\varepsilon )\cdot n+H(Y) \le (1-\varepsilon )n+1\).
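A quick numerical check (not from the paper) of this bound, with arbitrary illustrative values of n, \(\varepsilon\) and of the distribution on the remaining strings:

```python
import math
import random

# Numerical check (not from the paper): if Pr[X = x0] = eps, then
# H(X) <= (1 - eps) * n + 1.  The values of n, eps and the distribution on
# the remaining 2^n - 1 strings are arbitrary choices for illustration.
n, eps = 10, 0.3
random.seed(1)
weights = [random.random() for _ in range(2**n - 1)]
s = sum(weights)
probs = [eps] + [(1 - eps) * w / s for w in weights]

H = -sum(p * math.log2(p) for p in probs if p > 0)
assert H <= (1 - eps) * n + 1
```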
One can wrongly think that the concatenation of the 3-round protocols P(Alice,Bob) and P(Bob,Alice) has 5 (and not 6) rounds, since the 3rd and 4th messages would go in the same direction. Actually, the 3rd and 4th messages go in opposite directions, because the last message in P(Alice,Bob) is sent by Alice, and the first message in P(Bob,Alice) is sent by Bob, who plays Alice’s part.
References
Alon, N., Naor, M.: Coin-flipping games immune against linear-sized coalitions. In: Proc. 31st FOCS, (1990)
Alon, N., Spencer, J.: The Probabilistic Method, 2nd edn. Wiley, Hoboken (2000)
Ambainis, A., Buhrman, H., Dodis, Y., Röhrig, H.: Multiparty quantum coin flipping. In: IEEE Conference on Computational Complexity 2004, pp. 250–259 (2004)
Blum, M.: Coin flipping by telephone. In: Proc. IEEE Spring COMPCON (1982)
Ben-Or, M., Linial, N.: Collective coin-flipping. In: Micali, S. (ed.) Randomness and Computation. Academic Press, New York (1989)
Broughan, K.A.: The gcd-sum function. J. Integer Seq. 4, Article 01.2.2 (2001)
Buhrman, H., Christandl, M., Koucký, M., Lotker, Z., Patt-Shamir, B., Vereshchagin, N.K.: High entropy random selection protocols. In: Proceedings of the 10th International Workshop APPROX 2007 and 11th International Workshop RANDOM 2007, Princeton, NJ, USA, August 20–22, 2007. Lecture Notes in Computer Science, vol. 4627, pp. 366–379 (2007)
Cachin, C., Crepeau, C., Marcil, J.: Oblivious transfer with a memory-bounded receiver. In: Proc. 39th FOCS, (1998)
Damgard, I.: Interactive hashing can simplify zero-knowledge protocol design. In: Proc. CRYPTO ’95, Springer LNCS 963 (1995)
Damgard, I., Goldreich, O., Wigderson, A.: Hashing functions can simplify zero-knowledge protocol design (too). TR RS-94-39. BRICS, (1994)
Ding, Y., Harnik, D., Rosen, A., Shaltiel, R.: Constant-round oblivious transfer in the bounded storage model. In: Proc. 1st TCC, Springer LNCS 2951, (2004)
Dvir, Z.: On the size of Kakeya sets in finite fields. J. Am. Math. Soc. 22, 1093–1097 (2009)
Dvir, Z., Wigderson, A.: Kakeya sets, new mergers and old extractors. In: FOCS ’08 Proceedings of the 49th Annual IEEE Symposium on Foundations of Computer Science, pp. 625–633. IEEE Computer Society (2008)
Feige, U.: Noncryptographic selection protocols. In: Proc. 40th FOCS, (1999)
Goldreich, O., Goldwasser, S., Linial, N.: Fault-tolerant computation in the full information model. SIAM J. Comput. 27(2), 506–544 (1998)
Goldreich, O., Sahai, A., Vadhan, S.: Honest-verifier statistical zero-knowledge equals general statistical zero-knowledge. In: Proc. 30th STOC, (1998)
Gradwohl, R., Vadhan, S., Zuckerman, D.: Random selection with an adversarial majority. In: Dwork, C. (ed.) Advances in Cryptology—CRYPTO ‘06. Lecture Notes in Computer Science, vol. 4117, pp. 409–426 (2006). Also: Electronic Colloquium on Computational Complexity, Technical Report TR06-026 (2006)
Mockenhaupt, G., Tao, T.: Restriction and Kakeya phenomena for finite fields. Duke Math. J. 121, 35–74 (2004)
Naor, M., Ostrovsky, R., Venkatesan, R., Yung, M.: Perfect zero-knowledge arguments for NP can be based on general complexity assumptions. J. Cryptol. 11(2), 87–108 (1998)
Nguyen, A.T., Frison, J., Huy, K.P., Massar, S.: Experimental quantum tossing of a single coin. New J. Phys. 10(8), 083037 (2008)
Muchnik, A., Vereshchagin, N.: Shannon entropy vs. Kolmogorov complexity. In: Grigoriev, D., Harrison, J., Hirsch, E.A. (eds.) Computer Science—Theory and Applications: First International Computer Science Symposium in Russia, CSR 2006. Lecture Notes in Computer Science, vol. 3967, pp. 281–291 (2006)
Ostrovsky, R., Rajagopalan, S., Vazirani, U.: Simple and efficient leader election in the full information model. In: Proc. 26th STOC, (1994)
Russell, A., Zuckerman, D.: Perfect information leader election in \(\log ^* n+O(1)\) rounds. In: Proc. 39th FOCS, (1998)
Saks, M.: A robust noncryptographic protocol for collective coin-flipping. SIAM J. Discret. Math 2(2), 240–244 (1989)
Sanghvi, S., Vadhan, S.: The round complexity of two-party random selection. In: Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, pp. 338–347 (2005)
Stepanov, T.: Random selection in few rounds. In: Proceedings of the 8th International Computer Science Symposium in Russia, CSR 2013. Lecture Notes in Computer Science, vol. 7913, pp. 354–365 (2013)
Wolff, T.: Recent work connected with the Kakeya problem. In: Rossi, H. (ed.) Prospects in Mathematics. AMS, Providence (1999)
Zermelo, E.: Über eine Anwendung der Mengenlehre auf die Theorie des Schachspiels. In: Proceedings of the Fifth International Congress of Mathematicians, pp. 501–504 (1913)
Acknowledgements
We would like to thank Troy Lee and John Tromp for useful discussions and Navin Goyal for pointing us to the Kakeya problem. We also thank the anonymous referees for valuable comments on the paper. Part of the work was done while the second, third, fourth, and sixth authors were visiting CWI, Amsterdam. H. Buhrman was supported by EU Project QAP and BRICKS Project AFM1. H. Buhrman and M. Koucký were supported in part by an NWO VICI Grant (639.023.302). M. Koucký was supported in part by Grants GA ČR 201/07/P276 and 201/05/0124, Project No. 1M0021620808 of MŠMT ČR, and Institutional Research Plan No. AV0Z10190503. The work of N. Vereshchagin was partially supported by the Russian Academic Excellence Project ‘5-100’ and by the RFBR Grant 19-01-00563.
Additional information
The work of Matthias Christandl, Michal Koucký, and Zvi Lotker was done while visiting CWI. The work of Nikolay Vereshchagin was partially done while visiting CWI.
A Appendix: Deferred Proofs
The proof of Lemma 2
For \(x\in \{0,1\}^n\), let \(p_x = {\mathrm{Pr}}[X=x]\). For any non-negative integer i let
$$\begin{aligned} S_i = \{x\in \{0,1\}^n : p_x\le 2^{-i}\}. \end{aligned}$$
Since the total probability sums to one, we have \(|\{0,1\}^n\setminus S_i|<2^{i}\).
1.
In order to prove the first claim note that
$$\begin{aligned} H(X) = \sum _x p_x (-\log p_x) \ge \sum _{x \in S_{n-j}} p_x (-\log p_x) \ge (n-j)\sum _{x \in S_{n-j}} p_x. \end{aligned}$$Since \(|\{0,1\}^n\setminus S_{n-j}|<2^{n-j}\) and \(X\) is \((2^{-j},\varepsilon )\)-resilient, it follows that \(\text {Pr}[X\notin S_{n-j}]\le \varepsilon\). Hence \(\sum _{x \in S_{n-j}} p_x\ge 1-\varepsilon\) and
$$\begin{aligned} H(X)\ge (n-j)(1-\varepsilon ). \end{aligned}$$
2.
To prove the second claim, we partition \(\{0,1\}^n\) into slices \(S_i\setminus S_{i+1}\):
$$\begin{aligned} H(X) = \sum _x p_x (-\log p_x) =\sum _{i=0}^{\infty } \sum _{x \in S_{i}\setminus S_{i+1}} p_x (-\log p_x) \ge \sum _{i=0}^{\infty }\sum _{x \in S_{i}\setminus S_{i+1}}p_xi. \end{aligned}$$Hence
$$\begin{aligned} n-H(X)\le \sum _{i=0}^{\infty }\sum _{x \in S_{i}\setminus S_{i+1}}(n-i)p_x \le \sum _{i=0}^{n-1}\sum _{x \in S_{i}\setminus S_{i+1}}(n-i)p_x \le \sum _{i=0}^{n-1}\sum _{x \notin S_{i+1}}(n-i)p_x \end{aligned}$$Since X is \((2^{-j},\varepsilon _j)\)-resilient for all \(j=0,1,\ldots ,n-1\) and \(|\{0,1\}^n\setminus S_{i+1}|<2^{i+1}\), we conclude that
$$\begin{aligned} \sum _{x \notin S_{i+1}}p_x\le \varepsilon _{n-i-1}, \end{aligned}$$hence
$$\begin{aligned} n-H(X)\le \sum _{i=0}^{n-1}(n-i)\varepsilon _{n-i-1}=\sum _{j=0}^{n-1}(j+1)\varepsilon _{j} \end{aligned}$$
\(\square\)
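Both claims of Lemma 2 can be verified numerically. The following sanity check (not from the paper) takes a random distribution over \(\{0,1\}^n\) for \(n=8\) and uses the tightest resilience parameters, namely \(\varepsilon _j\) equal to the mass of the \(2^{n-j}\) heaviest strings:

```python
import math
import random

# Numerical sanity check (not from the paper) of both claims of Lemma 2 on a
# random distribution over {0,1}^n with n = 8.
n = 8
random.seed(7)
probs = sorted((random.random() for _ in range(2**n)), reverse=True)
s = sum(probs)
probs = [p / s for p in probs]

H = -sum(p * math.log2(p) for p in probs)
# Tightest resilience parameters: eps[j] is the mass of the 2^(n-j) heaviest
# strings, i.e. of the worst set of density 2^-j.
eps = [sum(probs[:2**(n - j)]) for j in range(n)]

# Claim 1: H(X) >= (n - j)(1 - eps_j) for each j.
assert all(H >= (n - j) * (1 - eps[j]) - 1e-9 for j in range(n))
# Claim 2: n - H(X) <= sum_{j=0}^{n-1} (j + 1) * eps_j.
assert n - H <= sum((j + 1) * eps[j] for j in range(n)) + 1e-9
```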
The proof of Lemma 3
We first prove the min entropy part. Assume that Alice’s strategy A guarantees that for all deterministic strategies B of Bob, the min entropy of the outcome is at least k. Let \(X_B\) denote the outcome random variable provided Bob uses a deterministic strategy B. Then for every x the probability \(\text {Pr}[X_B=x]\) is at most \(2^{-k}\).
Assume that Bob uses a randomized strategy \({\mathbf {B}}\). This strategy can be viewed as a probability distribution over his deterministic strategies. Let \(X\) denote the output random variable. Then \(\text {Pr}[X=x]\) is equal to the average value of \(\text {Pr}[X_B=x]\) with respect to that distribution. Hence the min entropy part follows from the fact that the average value of any random variable cannot exceed its maximal value, which is at most \(2^{-k}\) in our case.
Similar arguments prove the resilience part.
The Shannon entropy part follows from the inequality \(H(X)\ge H(X|{\mathbf {B}})\). Indeed, \(H(X|{\mathbf {B}})\) is the average value of \(H(X_B)\) over a randomly chosen B. \(\square\)
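The averaging argument above can be illustrated on a toy example (not from the paper): a randomized strategy is a mixture of deterministic ones, and the maximal point probability of a mixture never exceeds the worst maximal point probability of its components.

```python
import random

# Toy illustration (not from the paper) of the averaging argument in the
# proof of Lemma 3, with three hypothetical deterministic strategies of Bob
# and 8 possible outcomes.
random.seed(3)

def random_dist(m):
    w = [random.random() for _ in range(m)]
    s = sum(w)
    return [x / s for x in w]

# Outcome distributions X_B for three deterministic strategies B of Bob.
dists = [random_dist(8) for _ in range(3)]
alpha = random_dist(3)  # Bob's randomized strategy: weights of the mixture

mix = [sum(a * d[x] for a, d in zip(alpha, dists)) for x in range(8)]
# The mixture's maximal probability never exceeds the worst deterministic one.
assert max(mix) <= max(max(d) for d in dists) + 1e-12
```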
The proof of Lemma 4
Assume that Alice is honest and hence follows the strategy A prescribed by the protocol \(Q_{n/2}(\mathrm{Alice}, \mathrm{Bob})\) to select the first half of the output and the strategy B prescribed by the protocol \(Q_{n/2}(\mathrm{Bob},\mathrm{Alice})\) to select the second half of the output. To prove the first statement, we have to show that whatever strategy S Bob follows, the Shannon entropy of the outcome \(X\) is at least \(k(n/2)+l(n/2)\). By Lemma 3 we may assume that S is deterministic.
Let \(X_1,X_2\) denote the first and the second part of the output, respectively. Then
$$\begin{aligned} H(X)=H(X_1,X_2)=H(X_1)+H(X_2|X_1). \end{aligned}$$
As the protocol \(Q_{n/2}(\mathrm{Alice}, \mathrm{Bob})\) is (k(n/2), l(n/2))-Shannon good we have \(H(X_1)\ge k(n/2)\) and it remains to show that \(H(X_2|X_1)\ge l(n/2)\). As \(X_1\) is a function of messages \(M_1\) sent while selecting \(X_1\), by inequality (2) the conditional entropy \(H(X_2|X_1)\) is at least \(H(X_2|M_1)\). As the protocol \(Q_{n/2}(\mathrm{Bob}, \mathrm{Alice})\) is (l(n/2), k(n/2))-Shannon good, for every \(m_1\) we have \(H(X_2|M_1=m_1)\ge l(n/2)\). Indeed, once we fix \(m_1\), the action of Bob’s strategy S while selecting the second half of the output becomes deterministic.
The bound on min entropy is proven in a similar way: for all \(x_1,x_2\) we have
$$\begin{aligned} {\mathrm{Pr}}[X=x_1x_2]={\mathrm{Pr}}[X_1=x_1]\cdot {\mathrm{Pr}}[X_2=x_2|X_1=x_1]. \end{aligned}$$
The first factor here is at most \(2^{-k(n/2)}\), as \(Q_{n/2}(\mathrm{Alice}, \mathrm{Bob})\) guarantees min entropy at least k(n/2) provided Alice is honest. The second factor is at most \(2^{-l(n/2)}\), as for all messages \(m_1\) we have \(\text {Pr}[X_2=x_2|M_1=m_1]\le 2^{-l(n/2)}\). Since \(X_1\) is a function of \(M_1\), this implies that \(\text {Pr}[X_2=x_2|X_1=x_1]\le 2^{-l(n/2)}\) as well. \(\square\)
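The two identities used in this proof, the chain rule for Shannon entropy and the product formula for point probabilities, can be checked on a toy joint distribution (not from the paper):

```python
import math
import random

# Toy check (not from the paper) of the identities behind the proof of
# Lemma 4: the chain rule H(X1,X2) = H(X1) + H(X2|X1), and the fact that
# point probabilities of (X1,X2) multiply, on a random 4x4 joint
# distribution.
random.seed(5)
joint = [[random.random() for _ in range(4)] for _ in range(4)]
s = sum(map(sum, joint))
joint = [[p / s for p in row] for row in joint]

def h(ps):
    return -sum(p * math.log2(p) for p in ps if p > 0)

marg1 = [sum(row) for row in joint]                      # distribution of X1
H_joint = h([p for row in joint for p in row])
H_cond = sum(marg1[i] * h([p / marg1[i] for p in joint[i]]) for i in range(4))
assert abs(H_joint - (h(marg1) + H_cond)) < 1e-9

# Min entropies add up: max Pr[X1,X2] <= (max Pr[X1]) * (max Pr[X2|X1]).
max_cond = max(joint[i][j] / marg1[i] for i in range(4) for j in range(4))
assert max(p for row in joint for p in row) <= max(marg1) * max_cond + 1e-12
```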
The proof of Lemma 10
Fix an integer c. For \(x\in \{0,1\}^n\) let \(p_x={\mathrm{Pr}}[X=x]\). The statistical distance between \(U_n\) and \(X\) is equal to \(\sum _{x:p_x>2^{-n} }(p_x-2^{-n})\). For all integer \(i\le n\) let \(N_i\) stand for the cardinality of the set
$$\begin{aligned} T_i=\{x\in \{0,1\}^n : 2^{-n+i-1}<p_x\le 2^{-n+i}\} \end{aligned}$$
(12)
and let \(w_i\) denote the cumulative probability of \(T_i\). In terms of \(w_i,N_i\) the statistical distance between \(U_n\) and \(X\) can be rewritten as
$$\begin{aligned} \sum _{x:p_x>2^{-n}}(p_x-2^{-n})=\sum _{i=1}^{n}(w_i-N_i2^{-n})\le \sum _{i=1}^{n}(1-2^{-i})w_i. \end{aligned}$$
Here the last inequality holds, as \(w_i\le N_i2^{-n+i}\) by (12).
Thus it suffices to prove that
$$\begin{aligned} \sum _{i\le n} iw_i\le c+1 \end{aligned}$$
(13)
provided \(H(X)\ge n-c\). This can be done similar to the proof of Lemma 2. Indeed,
$$\begin{aligned} H(X)=\sum _x p_x(-\log p_x)\le \sum _{i\le n}\sum _{x\in T_i}p_x(n-i+1)=\sum _{i\le n}(n-i+1)w_i, \end{aligned}$$
hence
$$\begin{aligned} \sum _{i\le n} iw_i\le n+1-H(X)\le c+1. \end{aligned}$$
Here i ranges over all integers \(i\le n\), including negative ones. However, the contribution of negative i’s is bounded by a constant. Indeed, as \(2^{n-i}w_i\le N_i\le 2^n\) we can conclude that \(w_i \le 2^{i}\) hence
$$\begin{aligned} \sum _{i<0}(-i)w_i\le \sum _{i<0}(-i)2^{i}=\sum _{j=1}^{\infty }j2^{-j}=2. \end{aligned}$$
Thus, inequality (13) implies that the sum of \(iw_i\) over positive i’s is bounded by a constant:
$$\begin{aligned} \sum _{i=1}^{n}iw_i\le c+3. \end{aligned}$$
(14)
Split the sum \(\sum _{i=1}^n (1-2^{-i})w_i\) into two sums: the sum over all \(i\ge 2(c+3)\) and the rest. Let \(q=\sum _{1\le i<2(c+3)}w_i\) and \(p=\sum _{n\ge i\ge 2(c+3)}w_i\). Then
$$\begin{aligned} \sum _{i=1}^{n}(1-2^{-i})w_i\le (1-2^{-2(c+3)})q+p\le (1-2^{-2(c+3)})(1-p)+p=1-2^{-2(c+3)}(1-p). \end{aligned}$$
It remains to show that \(p\le 1/2\). This follows from (14). Indeed,
$$\begin{aligned} 2(c+3)p\le \sum _{i\ge 2(c+3)}iw_i\le \sum _{i=1}^{n}iw_i\le c+3. \end{aligned}$$
Thus (14) implies that \(2(c+3)p \le c+3\), hence \(p\le 1/2\) and the statistical distance is at most \(1-2^{-2(c+3)-1}\). Lemma 10 is proved. \(\square\)
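The quantities appearing in this proof can be checked numerically. The following sanity check (not from the paper) takes a random distribution over \(\{0,1\}^n\) for \(n=8\), chooses c so that \(H(X)\ge n-c\), and verifies the slicing bound, inequality (14), and the final distance bound:

```python
import math
import random

# Numerical sanity check (not from the paper) of the quantities in the proof
# of Lemma 10, on a random distribution over {0,1}^n with n = 8.
n = 8
random.seed(11)
probs = [random.random() for _ in range(2**n)]
s = sum(probs)
probs = [p / s for p in probs]

H = -sum(p * math.log2(p) for p in probs)
c = math.ceil(n - H)                        # so that H(X) >= n - c

# Statistical distance between X and U_n.
dist = sum(p - 2**-n for p in probs if p > 2**-n)
# w[i] = cumulative probability of T_i = {x : 2^(-n+i-1) < p_x <= 2^(-n+i)}.
w = {}
for p in probs:
    i = math.ceil(n + math.log2(p))
    w[i] = w.get(i, 0.0) + p

# Distance is at most the weighted sum over the slices T_1, ..., T_n.
assert dist <= sum((1 - 2**-i) * w.get(i, 0.0) for i in range(1, n + 1)) + 1e-9
# Inequality (14): the sum of i * w_i over positive i is at most c + 3.
assert sum(i * w.get(i, 0.0) for i in range(1, n + 1)) <= c + 3
# The final bound of the proof.
assert dist <= 1 - 2**-(2 * c + 7)
```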
Cite this article
Buhrman, H., Christandl, M., Koucký, M. et al. High Entropy Random Selection Protocols. Algorithmica 83, 667–694 (2021). https://doi.org/10.1007/s00453-020-00770-y