Abstract

We study the round complexity of two-party protocols for generating a random n-bit string such that the output is guaranteed to have bounded bias (according to some measure) even if one of the two parties deviates from the protocol (even using unlimited computational resources). Specifically, we require that the output's statistical difference from the uniform distribution on {0, 1}^n is bounded by a constant less than 1. We present a protocol for the above problem that has 2 log* n + O(1) rounds, improving a 2n-round protocol that follows from the work of Goldreich, Goldwasser, and Linial (FOCS '91). Like the GGL protocol, our protocol actually provides a stronger guarantee, ensuring that the output lands in any set T ⊆ {0, 1}^n of density μ with probability at most O(√μ + δ), where δ is an arbitrarily small constant. We then prove a matching lower bound, showing that any protocol guaranteeing bounded statistical difference requires at least log* n − log* log* n − O(1) rounds. As far as we know, this is the first nontrivial lower bound on the round complexity of random selection protocols (of any type) that does not impose additional constraints (e.g. on communication or simulatability). We also state several results for the case when the output's bias is measured by the maximum multiplicative factor by which a party can increase the probability of a set T ⊆ {0, 1}^n.

Highlights

  • One of the most basic protocol problems in cryptography and distributed computing is that of random selection, in which several mutually distrusting parties aim to generate an n-bit random string jointly.

  • The goal is to design a protocol so that even if a party cheats, the outcome will still not be too “biased”. (There are many different choices for how to measure the “bias” of the output; the one we use will be specified later.) Random selection protocols can dramatically simplify the design of protocols for other tasks via the following common methodology: first design a protocol in a model where truly random strings are provided by a trusted third party, and use the random selection protocol to eliminate the trusted third party.

  • There is a wide literature on random selection protocols, both in the computational setting, where cheating parties are restricted to polynomial time, and the information-theoretic setting, where security is provided even against computationally unbounded adversaries.


Summary

Introduction

One of the most basic protocol problems in cryptography and distributed computing is that of random selection, in which several mutually distrusting parties aim to generate an n-bit random string jointly.

Statistical Criterion: There are fixed constants μ > 0 and > 0 such that for every n and every subset T ⊆ {0, 1}^n of density at most μ, the probability that the output lands in T is at most 1 − , even if one party deviates arbitrarily from the specified protocol.

Theorem 1.2 For every constant δ > 0, there is a two-party protocol producing output in {0, 1}^n with 2 log* n + O(1) rounds such that, as long as one party plays honestly, the probability that the output lands in any set T of density μ is at most p = O(√μ + δ).

A different measure of the quality of a random selection protocol is a multiplicative guarantee, whereby we require that, even if one player cheats, the probability that the outcome lands in any set T of density μ is at most ρ · μ, for some parameter ρ ≥ 1. Theorem 1.3 implies that this round complexity is tight up to a constant factor, because a constant multiplicative guarantee implies a constant statistical guarantee.
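As an added illustration (not code from the paper), both bias measures defined above can be computed exactly for a small protocol by backward induction: the cheating party is computationally unbounded, so it picks each message as a function of the whole transcript, while the honest party samples uniformly. The two-round XOR protocol below is a constructed toy example; the evaluator itself accepts any alternating-message protocol given as a tree.

```python
import itertools
from fractions import Fraction

# Constructed toy protocol (not from the paper): Alice sends x, Bob sends y,
# and the output is x XOR y.  A protocol is a function from the transcript
# so far to either ("move", party, allowed_messages) or ("out", output).
def xor_protocol(n):
    msgs = list(itertools.product((0, 1), repeat=n))
    def node(transcript):
        if len(transcript) < 2:
            return ("move", "AB"[len(transcript)], msgs)
        x, y = transcript
        return ("out", tuple(a ^ b for a, b in zip(x, y)))
    return node

def worst_case_prob(node, target, cheater, transcript=()):
    """Largest probability, over all strategies of `cheater`, that the output
    lands in `target`.  The cheater is unbounded, so it may choose each
    message as a function of the transcript; the honest party's messages are
    uniform.  Backward induction over the protocol tree."""
    kind, *rest = node(transcript)
    if kind == "out":
        return Fraction(int(rest[0] in target))
    party, msgs = rest
    probs = [worst_case_prob(node, target, cheater, transcript + (m,))
             for m in msgs]
    if party == cheater:
        return max(probs)                           # best continuation
    return sum(probs, Fraction(0)) / len(probs)     # uniform honest message

def bias_measures(node, n, target, cheater):
    """Return (density mu of target, worst-case landing probability p,
    multiplicative factor p/mu).  The statistical criterion asks that p stay
    bounded below 1 for small mu; a multiplicative guarantee rho asks that
    p <= rho * mu."""
    mu = Fraction(len(target), 2 ** n)
    p = worst_case_prob(node, target, cheater)
    return mu, p, (p / mu if mu else None)

if __name__ == "__main__":
    proto = xor_protocol(3)
    T = {(0, 0, 0), (1, 1, 1)}        # constructed target set, density 1/4
    for cheater in "AB":
        mu, p, rho = bias_measures(proto, 3, T, cheater)
        print(f"cheater {cheater}: mu={mu} p={p} rho={rho}")
```

With Alice cheating the output stays uniform, but a cheating Bob, who sees x before choosing y, lands in T with probability 1, so this two-round protocol meets neither guarantee.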

Defining Random Selection Protocols
The Iterated Random Shift Protocol
Tradeoffs between Statistical Guarantees
The Main Lower Bound
Proof Ideas
Defining Multiplicative Guarantees
Multiplicative Lower Bounds
The Multiplicative Guarantees of the Iterated Random Shift Protocol
A Assorted Proofs
Encompassing Small Sets with a Random Set