
High Entropy Random Selection Protocols

Algorithmica

Abstract

We study the two-party problem of randomly selecting a common string among all the strings of length n. We want the protocol to have the property that the output distribution has high Shannon entropy or high min entropy, even when one of the two parties is dishonest and deviates from the protocol. We develop protocols that achieve high, close to n, Shannon entropy and simultaneously min entropy close to n/2. In the literature the randomness guarantee is usually expressed in terms of “resilience”. The notion of Shannon entropy is not directly comparable to that of resilience, but we establish a connection between the two that allows us to compare our protocols with the existing ones. We construct an explicit protocol that yields Shannon entropy \(n - O(1)\) and has \(O(\log ^* n)\) rounds, improving over the protocol of Goldreich et al. (SIAM J Comput 27: 506–544, 1998) that also achieves this entropy but needs O(n) rounds. Both of these protocols need \(O(n^2)\) bits of communication. Next we reduce the number of rounds and the length of communication in our protocols. We show the existence, non-explicitly, of a protocol that has 6 rounds, O(n) bits of communication and yields Shannon entropy \(n- O(\log n)\) and min entropy \(n/2 - O(\log n)\). Our protocol achieves the same Shannon entropy bound as the (also non-explicit) protocol of Gradwohl et al. (in: Dwork (ed) Advances in Cryptology—CRYPTO ‘06, 409–426, Technical Report, 2006), but it achieves much higher min entropy: \(n/2 - O(\log n)\) versus \(O(\log n)\). Finally we exhibit a very simple 3-round explicit “geometric” protocol with communication length O(n). We connect the security parameter of this protocol with the well-studied Kakeya problem motivated by Harmonic Analysis and Analytic Number Theory. We prove that this protocol has Shannon entropy \(n-o(n)\). Its relation to the Kakeya problem follows a new and different approach to the random selection problem than any of the previously known protocols.


Notes

  1. Assume for instance that a random variable \(X\) with the range \(\{0,1\}^n\) is \((\mu ,2\sqrt{\mu })\)-resilient for some \(\mu\). If \(\mu \ge 1/\sqrt{n}\) then \(X\) may have the following distribution: \({\mathrm{Pr}}[X=00\dots 0]=\mu\) and the remaining probability \(1-\mu\) is uniformly distributed over the remaining strings. Then \(H(X)\le (1-\mu )n+1\le n - \sqrt{n}+1\) and \(X\) is \((\mu ,2\sqrt{\mu })\)-resilient, as \({\mathrm{Pr}}[X\in S]<{\mathrm{Pr}}[X=00\dots 0]+ |S|/2^n\le \mu +\mu \le 2\sqrt{\mu }\) for any set S of density \(\mu\). Otherwise, if \(\mu <1/\sqrt{n}\), let \(X\) be uniformly distributed over some \(\sqrt{\mu }2^n\) strings. Then \(H(X)=(1/2)\log \mu +n\le n -(1/4)\log n\) and \(X\) is \((\mu ,2\sqrt{\mu })\)-resilient, as \({\mathrm{Pr}}[X\in S] \le |S|/(\sqrt{\mu }2^n)=\mu 2^n/(\sqrt{\mu }2^n)=\sqrt{\mu }\) for any set S of density \(\mu\).

  2. Indeed, assume that \({\mathrm{Pr}}[X=x_0]=\varepsilon\) and let \(Y=1\), if \(X=x_0\), and \(Y=0\) otherwise. Then \(H(X)=H(X,Y)=H(X|Y)+H(Y)\le \varepsilon \cdot 0+(1-\varepsilon )\cdot n+H(Y) \le (1-\varepsilon )n+1\).

  3. One can wrongly think that the concatenation of the 3-round protocols P(Alice,Bob) and P(Bob,Alice) has 5 (and not 6) rounds, since the 3rd and 4th messages go in the same direction. Actually, the 3rd and 4th messages go in opposite directions, because the last message in P(Alice,Bob) is sent by Alice, and the first message in P(Bob,Alice) is sent by Bob, who plays Alice’s part.

References

  1. Alon, N., Naor, M.: Coin-flipping games immune against linear-sized coalitions. In: Proc. 31st FOCS, (1990)

  2. Alon, N., Spencer, J.: The Probabilistic Method, 2nd edn. Wiley, Hoboken (2000)


  3. Ambainis, A., Buhrman, H., Dodis, Y., Röhrig, H.: Multiparty quantum coin flipping. In: IEEE Conference on Computational Complexity 2004, pp. 250–259 (2004)

  4. Blum, M.: Coin flipping by telephone. In: IEEE Spring COMPCOM, (1982)

  5. Ben-Or, M., Linial, N.: Collective coin-flipping. In: Micali, S. (ed.) Randomness and Computation. Academic Press, New York (1989)


  6. Broughan, K.A.: The gcd-sum function. J. Integer Seq, 4, Article 01.2.2 (2001)

  7. Buhrman, H., Christandl, M., Koucký, M., Lotker, Z., Patt-Shamir, B., Vereshchagin, N. K.: High Entropy Random Selection Protocols. In: Proceedings of 10th International Workshop, APPROX 2007, and 11th International Workshop, RANDOM 2007, Princeton, NJ, USA, August 20–22, 2007. Proceedings. Lecture Notes in Computer Science, volume 4627/2007 pp. 366–379

  8. Cachin, C., Crepeau, C., Marcil, J.: Oblivious transfer with a memory-bounded receiver. In: Proc. 39th FOCS, (1998)

  9. Damgard, I.: Interactive hashing can simplify zero-knowledge protocol design. In: Proc. CRYPTO ’95, Springer LNCS 403, (1994)

  10. Damgard, I., Goldreich, O., Wigderson, A.: Hashing functions can simplify zero-knowledge protocol design (too). TR RS-94-39. BRICS, (1994)

  11. Ding, Y., Harnik, D., Rosen, A., Shaltiel, R.: Constant-round oblivious transfer in the bounded storage model. In: Proc. 1st TCC, Springer LNCS 2951, (2004)

  12. Dvir, Z.: On the size of Kakeya sets in finite fields. J. Am. Math. Soc. 22, 1093–1097 (2009)


  13. Dvir, Z., Wigderson, A.: Kakeya sets, new mergers and old extractors. In: FOCS ’08 Proceedings of the 49th Annual IEEE Symposium on Foundations of Computer Science, pp. 625-633. IEEE Computer Society, (2008)

  14. Feige, U.: Noncryptographic selection protocols. In: Proc. 40th FOCS, (1999)

  15. Goldreich, O., Goldwasser, S., Linial, N.: Fault-tolerant computation in the full information model. SIAM J. Comput. 27(2), 506–544 (1998)


  16. Goldreich, O., Sahai, A., Vadhan, S.: Honest-verifier statistical zero-knowledge equals general statistical zero-knowledge. In: Proc. 30th STOC, (1998)

  17. Gradwohl, R., Vadhan, S., Zuckerman, D.: Random selection with an adversarial majority. In: Dwork, C. (ed.) Advances in Cryptology—CRYPTO ’06, number 4117 in Lecture Notes in Computer Science, pp. 409–426, 2006. Electronic Colloquium on Computational Complexity, Technical Report TR06-026, (2006)

  18. Mockenhaupt, G., Tao, T.: Restriction and Kakeya phenomena for finite fields. Duke Math. J. 121, 35–74 (2004)


  19. Naor, M., Ostrovsky, R., Venkatesan, R., Yung, M.: Perfect zero-knowledge arguments for NP can be based on general complexity assumptions. J. Cryptol. 11, (1998)

  20. Nguyen, A.T., Frison, J., Huy, K.P., Massar, S.: Experimental quantum tossing of a single coin. New J. Phys. 10(8), 083037 (2008)


  21. Muchnik, A., Vereshchagin, N.: Shannon entropy vs. Kolmogorov complexity. In: Computer Science—Theory and Applications: First International Computer Science Symposium in Russia, CSR 2006. Proceedings. Editors: Dima, G., John, H., Hirsch, E. A. (Eds.), Lecture Notes in Computer Science, vol. 3967, 2006, pp. 281–291

  22. Ostrovsky, R., Rajagopalan, S., Vazirani, U.: Simple and efficient leader election in the full information model. In: Proc. 26th STOC, (1994)

  23. Russell, A., Zuckerman, D.: Perfect information leader election in \(\log ^* n+O(1)\) rounds. In: Proc. 39th FOCS, (1998)

  24. Saks, M.: A robust noncryptographic protocol for collective coin-flipping. SIAM J. Discret. Math 2(2), 240–244 (1989)


  25. Sanghvi, S., Vadhan, S.: The round complexity of two-party random selection. In: Thirty-seventh Annual ACM Symposium on Theory of Computing. Baltimore, MD, USA. Proceedings, pp. 338–347

  26. Stepanov, T.: Random selection in few rounds. In: Proceedings of 8th International Computer Science Symposium in Russia, CSR 2013. Lecture Notes in Computer Science v. 7913, pp. 354–365

  27. Wolff, T.: Recent work connected with the Kakeya problem. In: Rossi, H. (ed.) Prospects in Mathematics. AMS, Providence (1999)


  28. Zermelo, E.: Über eine Anwendung der Mengenlehre auf die Theorie des Schachspiels. In: Proceedings of the Fifth International Congress Mathematics pp. 501–504 (1913)


Acknowledgements

We would like to thank Troy Lee and John Tromp for useful discussions and Navin Goyal for pointing us to the Kakeya problem. We also thank the anonymous referees for valuable comments on the paper. Part of the work was done while the second, third, fourth, and sixth authors were visiting CWI, Amsterdam. H. Buhrman was supported by EU Project QAP and BRICKS Project AFM1. H. Buhrman and M. Koucký were supported in part by an NWO VICI Grant (639.023.302). M. Koucký was supported in part by Grant GA ČR 201/07/P276, 201/05/0124, Project No. 1M0021620808 of MŠMT ČR and Institutional Research Plan No. AV0Z10190503. The work of N. Vereshchagin was partially supported by the Russian Academic Excellence Project ‘5-100’ and by the RFBR Grant 19-01-00563.


Corresponding author

Correspondence to Nikolay Vereshchagin.

Additional information


Matthias Christandl: work done while visiting CWI. Michal Koucký: work done while visiting CWI. Zvi Lotker: work done while visiting CWI. Nikolay Vereshchagin: work was partially done while visiting CWI.

A Appendix: Deferred Proofs


The proof of Lemma 2

For \(x\in \{0,1\}^n\), let \(p_x = {\mathrm{Pr}}[X=x]\). For any non-negative integer i let

$$\begin{aligned} S_i=\{x\in \{0,1\}^n\mid p_x\le 2^{-i}\}. \end{aligned}$$

Since the total probability sums to one, we have \(|\{0,1\}^n\setminus S_i|<2^{i}\).

  1. In order to prove the first claim, note that

    $$\begin{aligned} H(X) = \sum _x p_x (-\log p_x) \ge \sum _{x \in S_{n-j}} p_x (-\log p_x) \ge (n-j)\sum _{x \in S_{n-j}} p_x. \end{aligned}$$

    Since \(|\{0,1\}^n\setminus S_{n-j}|<2^{n-j}\) and \(X\) is \((2^{-j},\varepsilon )\)-resilient, it follows that \(\text {Pr}[X\notin S_{n-j}]\le \varepsilon\). Hence \(\sum _{x \in S_{n-j}} p_x\ge 1-\varepsilon\) and

    $$\begin{aligned} H(X)\ge (n-j)(1-\varepsilon ). \end{aligned}$$
  2. To prove the second claim, we partition \(\{0,1\}^n\) into slices \(S_i\setminus S_{i+1}\):

    $$\begin{aligned} H(X) = \sum _x p_x (-\log p_x) =\sum _{i=0}^{\infty } \sum _{x \in S_{i}\setminus S_{i+1}} p_x (-\log p_x) \ge \sum _{i=0}^{\infty }\sum _{x \in S_{i}\setminus S_{i+1}}p_xi. \end{aligned}$$

    Hence

    $$\begin{aligned} n-H(X)\le \sum _{i=0}^{\infty }\sum _{x \in S_{i}\setminus S_{i+1}}(n-i)p_x \le \sum _{i=0}^{n-1}\sum _{x \in S_{i}\setminus S_{i+1}}(n-i)p_x \le \sum _{i=0}^{n-1}\sum _{x \notin S_{i+1}}(n-i)p_x \end{aligned}$$

    Since X is \((2^{-j},\varepsilon _j)\)-resilient for all \(j=0,1,\ldots ,n-1\) and \(|\{0,1\}^n\setminus S_{i+1}|<2^{i+1}\), we conclude that

    $$\begin{aligned} \sum _{x \notin S_{i+1}}p_x\le \varepsilon _{n-i-1}, \end{aligned}$$

    hence

    $$\begin{aligned} n-H(X)\le \sum _{i=0}^{n-1}(n-i)\varepsilon _{n-i-1}=\sum _{j=0}^{n-1}(j+1)\varepsilon _{j} \end{aligned}$$

\(\square\)

The proof of Lemma 3

We first prove the min entropy part. Assume that Alice’s strategy A guarantees that for all deterministic strategies B of Bob, the min entropy of the outcome is at least k. Let \(X_B\) denote the outcome random variable provided Bob uses a deterministic strategy B. Then for every x the probability \(\text {Pr}[X_B=x]\) is at most \(2^{-k}\).

Assume that Bob uses a randomized strategy \({\mathbf {B}}\). This strategy can be viewed as a probability distribution over his deterministic strategies. Let \(X\) denote the output random variable. Then \(\text {Pr}[X=x]\) is equal to the average value of \(\text {Pr}[X_B=x]\) with respect to that distribution. Hence the min entropy part follows from the fact that the average value of any random variable cannot exceed its maximal value, which is at most \(2^{-k}\) in our case.

Similar arguments prove the resilience part.

The Shannon entropy part follows from the inequality \(H(X)\ge H(X|{\mathbf {B}})\). Indeed, \(H(X|{\mathbf {B}})\) is the average value of \(H(X_B)\) over a randomly chosen B. \(\square\)

Proof of Lemma 4

Assume that Alice is honest and hence follows the strategy A prescribed by the protocol \(Q_{n/2}(\mathrm{Alice}, \mathrm{Bob})\) to select the first half of the output and the strategy B prescribed by the protocol \(Q_{n/2}(\mathrm{Bob},\mathrm{Alice})\) to select the second half of the output. To prove the first statement, we have to show that whatever strategy S Bob follows, the Shannon entropy of the outcome \(X\) is at least \(k(n/2)+l(n/2)\). By Lemma 3 we may assume that S is deterministic.

Let \(X_1,X_2\) denote the first and the second part of the output, respectively. Then

$$\begin{aligned} H(X)=H(X_1)+H(X_2|X_1). \end{aligned}$$

As the protocol \(Q_{n/2}(\mathrm{Alice}, \mathrm{Bob})\) is (k(n/2), l(n/2))-Shannon good we have \(H(X_1)\ge k(n/2)\) and it remains to show that \(H(X_2|X_1)\ge l(n/2)\). As \(X_1\) is a function of messages \(M_1\) sent while selecting \(X_1\), by inequality (2) the conditional entropy \(H(X_2|X_1)\) is at least \(H(X_2|M_1)\). As the protocol \(Q_{n/2}(\mathrm{Bob}, \mathrm{Alice})\) is (l(n/2), k(n/2))-Shannon good, for every \(m_1\) we have \(H(X_2|M_1=m_1)\ge l(n/2)\). Indeed, once we fix \(m_1\), the action of Bob’s strategy S while selecting the second half of the output becomes deterministic.

The bound on min entropy is proven in a similar way: for all \(x_1,x_2\) we have

$$\begin{aligned} \text {Pr}[X=(x_1,x_2)]=\text {Pr}[X_1=x_1]\cdot \text {Pr}[X_2=x_2|X_1=x_1]. \end{aligned}$$

The first factor here is at most \(2^{-k(n/2)}\), as \(Q_{n/2}(\mathrm{Alice}, \mathrm{Bob})\) guarantees min entropy at least k(n/2) provided Alice is honest. The second factor is at most \(2^{-l(n/2)}\), as for all messages \(m_1\) we have \(\text {Pr}[X_2=x_2|M_1=m_1]\le 2^{-l(n/2)}\). Since \(X_1\) is a function of \(M_1\), this implies that \(\text {Pr}[X_2=x_2|X_1=x_1]\le 2^{-l(n/2)}\) as well. \(\square\)

The proof of Lemma 10

Fix an integer c. For \(x\in \{0,1\}^*\) let \(p_x={\mathrm{Pr}}[X=x]\). The statistical distance between \(U_n\) and \(X\) is equal to \(\sum _{x:p_x>2^{-n} }(p_x-2^{-n})\). For every integer \(i\le n\) let \(N_i\) stand for the cardinality of the set

$$\begin{aligned} T_i=\{x\mid 2^{-n+i-1}<p_x\le 2^{-n+i}\}. \end{aligned} \tag{12}$$

And let \(w_i\) denote the cumulative probability of \(T_i\). In terms of \(w_i,N_i\) the statistical distance between \(U_n\) and \(X\) can be rewritten as

$$\begin{aligned} \sum _{i=1}^n w_i - \sum _{i=1}^n N_i2^{-n}\le \sum _{i=1}^n w_i - \sum _{i=1}^n 2^{-i}w_i. \end{aligned}$$

Here the last inequality holds, as \(w_i\le N_i2^{-n+i}\) by (12).

Thus it suffices to prove that

$$\begin{aligned} \sum _{i=1}^n (1-2^{-i})w_i\le 1-2^{-2c-7} \end{aligned}$$

provided \(H(X)\ge n-c\). This can be done similarly to the proof of Lemma 2. Indeed,

$$\begin{aligned} H(X)\le \sum _{i\le n}\sum _{x\in T_i}(-p_x\log p_x)< & {} \sum _{i\le n}\sum _{x\in T_i}p_x(n-i+1)= \sum _{i\le n}w_i(n+1-i)\\ {}= & {} n+1-\sum _{i\le n}iw_i \end{aligned}$$

hence

$$\begin{aligned} \sum _{i\le n} iw_i \le c+1. \end{aligned} \tag{13}$$

Here i ranges over all integers \(i\le n\), including negative ones. However, the contribution of negative i’s is bounded by a constant. Indeed, as \(2^{n-i}w_i\le N_i\le 2^n\) we can conclude that \(w_i \le 2^{i}\) hence

$$\begin{aligned} 0\ge \sum _{i<0}iw_i\ge \sum _{i<0}i2^i= -2. \end{aligned}$$

Thus, inequality (13) implies that the sum of \(iw_i\) over positive i’s is bounded by a constant:

$$\begin{aligned} \sum _{i=1}^n iw_i \le c+3. \end{aligned} \tag{14}$$

Split the sum \(\sum _{i=1}^n (1-2^{-i})w_i\) into two sums: the sum over all \(i\ge 2(c+3)\) and the rest. Let \(p=\sum _{1\le i<2(c+3)}w_i\) and \(q=\sum _{n\ge i\ge 2(c+3)}w_i\). Then

$$\begin{aligned} \sum _{i=1}^n (1-2^{-i})w_i\le p+q(1-2^{-2(c+3)})\le p+(1-p)(1-2^{-2(c+3)})= 1-(1-p)2^{-2(c+3)}. \end{aligned}$$

It remains to show that \(p\le 1/2\). This follows from (14). Indeed,

$$\begin{aligned} \sum _{i=1}^n iw_i \ge \sum _{i=2(c+3)}^n iw_i \ge 2(c+3)p. \end{aligned}$$

Thus (14) implies that \(2(c+3)p \le c+3 \Rightarrow p\le 1/2\). Lemma 10 is proved. \(\square\)
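The bounds proved for Lemma 2 and Lemma 10 can be checked numerically on small distributions. The following Python sketch is an added example, not code from the paper: the function names are hypothetical, the tightest \(\varepsilon _j\) is taken to be the mass of the \(2^{n-j}\) most likely strings (the worst set of density \(2^{-j}\)), and the Lemma 10 statement is read off the proof above (\(H(X)\ge n-c\) implies distance at most \(1-2^{-2c-7}\)).

```python
import math

def shannon_entropy(p):
    return -sum(q * math.log2(q) for q in p if q > 0)

def min_entropy(p):
    return -math.log2(max(p))

def resilience_profile(p, n):
    # eps[j] = mass of the 2^(n-j) most likely strings: the smallest eps_j
    # for which X is (2^-j, eps_j)-resilient (worst-case set of density 2^-j).
    prefix = [0.0]
    for q in sorted(p, reverse=True):
        prefix.append(prefix[-1] + q)
    return [min(1.0, prefix[2 ** (n - j)]) for j in range(n)]

def distance_from_uniform(p, n):
    # Statistical distance to U_n, in the form used in the proof of Lemma 10.
    u = 2.0 ** -n
    return sum(q - u for q in p if q > u)

def heavy_point(n, mu):
    # Constructed sample (first distribution of Note 1): one string has
    # probability mu, the remaining mass is uniform over the other strings.
    size = 2 ** n
    return [mu] + [(1 - mu) / (size - 1)] * (size - 1)

def flat_subset(n, k):
    # Constructed sample: uniform over 2^k of the 2^n strings.
    return [2.0 ** -k] * 2 ** k + [0.0] * (2 ** n - 2 ** k)

def check_bounds(p, n, tol=1e-9):
    h = shannon_entropy(p)
    eps = resilience_profile(p, n)
    c = max(0, math.ceil(n - h - tol))  # smallest integer c with H(X) >= n - c
    return {
        "H": h,
        "Hmin": min_entropy(p),
        # Lemma 2, first claim: H(X) >= (n - j)(1 - eps_j) for every j.
        "lemma2_first": all(h >= (n - j) * (1 - eps[j]) - tol for j in range(n)),
        # Lemma 2, second claim: n - H(X) <= sum_j (j + 1) eps_j.
        "lemma2_second": n - h <= sum((j + 1) * eps[j] for j in range(n)) + tol,
        # Lemma 10: distance to uniform is at most 1 - 2^(-2c-7).
        "lemma10": distance_from_uniform(p, n) <= 1 - 2.0 ** (-2 * c - 7),
    }

if __name__ == "__main__":
    n = 10
    for name, p in [("heavy point, mu=1/2", heavy_point(n, 0.5)),
                    ("flat on 2^6 strings", flat_subset(n, 6))]:
        print(name, check_bounds(p, n))
```

The heavy-point sample shows the gap the paper exploits: its Shannon entropy is close to the Note 2 ceiling \((1-\varepsilon )n+1\) while its min entropy is only 1 bit.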


Cite this article

Buhrman, H., Christandl, M., Koucký, M. et al. High Entropy Random Selection Protocols. Algorithmica 83, 667–694 (2021). https://doi.org/10.1007/s00453-020-00770-y
