π is πΊ balanced if there exist probability vectors π = π 1 , β¦ , π π , π = π 1 , β¦ , π β and β‘0 < π < 1 s.t: π β π π = π β π π π β‘πβ‘ β π π = π β π β AND π Theorem If π is π -balanced then it implies fair coin-tossing
1 0 0 1 0 1 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 1 0 0 1 1 1 (left-balanced, right-unbalanced)
1 0 0 1 0 1 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 1 0 π 1 0 π 0 1 1 β π = 0 1 1 β π 1 1 1 1 1 (left-balanced, right-unbalanced)
Theorem if π is not π -balanced for any 0 < π < 1 , then it does not imply coin tossing*
Theorem if π is not π -balanced for any 0 < π < 1 , then it does not imply coin tossing* β’ We show that for any coin-tossing protocol in the π -hybrid model, there exists an adversary that can bias the result
Theorem if π is not π -balanced for any 0 < π < 1 , then it does not imply coin tossing* β’ We show that for any coin-tossing protocol in the π -hybrid model, there exists an adversary that can bias the result β’ Unlike Cleve β here we do have something simultaneously. A completely different argument is given
Theorem if π is not π -balanced for any 0 < π < 1 , then it does not imply coin tossing* β’ We show that for any coin-tossing protocol in the π -hybrid model, there exists an adversary that can bias the result β’ Unlike Cleve β here we do have something simultaneously. A completely different argument is given β’ Caveat : the adversary is inefficient
Theorem if π is not π -balanced for any 0 < π < 1 , then it does not imply coin tossing* β’ We show that for any coin-tossing protocol in the π -hybrid model, there exists an adversary that can bias the result β’ Unlike Cleve β here we do have something simultaneously. A completely different argument is given β’ Caveat : the adversary is inefficient β’ However, impossibility holds also when the parties have OT-oracle (and so commitments, ZK, etc.)
Asharov
Gordon, Hazay, Katz and Lindell [STOC08] presented a general protocol and proved that a particular function can be computed using this protocol
Gordon, Hazay, Katz and Lindell [STOC08] presented a general protocol and proved that a particular function can be computed using this protocol Question: What functions can be computed using this protocol?
β’ Almost all functions with |X| β π : can be computed using the protocol β’ Almost all functions with π = |π| : cannot be computed using the protocol β If the function has monochromatic input, it may be possible even if π = π β’ Characterization of [GHKL08] is not tight! β There are functions that are left unknown
β’ Special round π β β’ Until round π β - the outputs are random and uncorrelated (π π¦, π§ , π π¦ , π§ ) β’ Starting at π β - the outputs are correct β’ At π β , P x learns before P y
β’ Special round π β β’ Until round π β - the outputs are random and uncorrelated (π π¦, π§ , π π¦ , π§ ) β’ Starting at π β - the outputs are correct β’ At π β , P x learns before P y β’ Security: β P y is always the second to receive output β’ Simulation is possible for all functions β P x is always the first to receive output β’ Simulation is possible only for some functions
Trusted Party
π§ Trusted Party
π¦β‘ π§ Trusted Party
π¦β‘ π§ Trusted Party π(π¦, π§)
π¦β‘ π§ Trusted Party π(π¦, π§) π(π¦, π§)
Before π β : π(π¦ , π§) 1/3 1/3 1/3 ( 2 3 β‘, 2 3 )
Before π β : π(π¦ , π§) ( 2 3 + π, 2 3 )
Before π β : π(π¦ , π§) 1/3 βΟ΅ 1/3 1/3 +Ο΅ ( 2 3 + π, 2 3 )
Before π β : π(π¦ , π§) 1/3 βΟ΅ 1/3 1/3 +Ο΅ ( 2 3 + π, 2 3 )
Before π β : π(π¦ , π§) y 1 y 2 1/2 x 1 0 1 x 2 1/2 1 0 (1/2, 1/2)
Before π β : π(π¦ , π§) y 1 y 2 1/2 x 1 0 1 x 2 1/2 1 0 (1/2, 1/2) (1/2+ π 1/2)
Before π β : π(π¦ , π§) y 1 y 2 1/2 1/2 x 1 0 1 1/2+ π x 2 1/2 1 0 (1/2, 1/2) (1/2+ π 1/2)
(1 β π, π) (1 β π 1 , 1 β π 2 )
(1 β π, π) (1 β π 1 , 1 β π 2 )
(1 β π, π) (1 β π 1 , 1 β π 2 )
1) General for multiparty computation: βThe power of the ideal adversaryβ β Geometric representation 2) Specific for the [GHKL08] protocol: Adding more rounds β less to correct!
REAL Before π β : π(π¦ , π§) for uniform π¦ (1/3,1/3,1/3) β (2/3, 2/3) πΉ π = 5 πΉ π = 100
All points that the simulator needs are inside some βballβ β’ The center β the output distribution of REAL β’ The radius β a function of number of rounds
All points that the simulator needs are inside some βballβ β’ The center β the output distribution of REAL β’ The radius β a function of number of rounds
β’ Let π: π¦ 1 , β¦ , π¦ β Γ π§ 1 , β¦ , π§ π β {0,1} β’ Consider the β points π 1 , β¦ , π β in β π (the βrowsβ of the matrix)
β’ Let π: π¦ 1 , β¦ , π¦ β Γ π§ 1 , β¦ , π§ π β {0,1} β’ Consider the β points π 1 , β¦ , π β in β π (the βrowsβ of the matrix) Definition If the geometric object defined by β‘β‘π 1 , β¦ , π β β β π is of dimension π, Then the function is full-dimensional
Theorem If π is of full-dimension , then it can be computed with complete fairness
Theorem If π is of full-dimension , then it can be computed with complete fairness Proof: β’ We use the protocol of [GHKL08]
Theorem If π is of full-dimension , then it can be computed with complete fairness Proof: β’ We use the protocol of [GHKL08] β’ We show that all the points that the simulator needs are inside a small βballβ
Theorem If π is of full-dimension , then it can be computed with complete fairness Proof: β’ We use the protocol of [GHKL08] β’ We show that all the points that the simulator needs are inside a small βballβ β’ The ball is embedded inside the geometric object defined by the function
y 1 y 2 y 3 x 1 1 0 0 x 2 0 1 0 x 3 0 0 1 x 4 1 1 1
β’ In β 2 - all points do not lie on a single LINE β’ In β 3 - all points do not lie on a single PLANE β’ β¦ β’ In β π - all points do not lie on a single HYPERPLANE Not Full-Dimensional β’ In β 2 - π¨ 1 , π¨ 2 β π 1 , π 2 , π β β s.t. π 1 π¨ 1 + π 2 π¨ 2 = π ? β’ In β 3 - (π¨ 1 , π¨ 2 , π¨ 3 ) β π 1 , π 2 , π 3 , π β ββ‘ s.t. π 1 π¨ 1 + π 2 π¨ 2 + π 3 π¨ 3 = π ?
β’ Full-dimensional function β’ The function is right-unbalanced : β For every non-zero π β β π , π β β it holds that: π π β π β π β π
β’ Full-dimensional function β’ The function is right-unbalanced : β For every non-zero π β β π , π β β it holds that: π π β π β π β π Easy to Check Criterion: No solution π for: π π β π = π Only trivial solution for: π π β π = π
Balanced with respect to probability vector: IMPOSSIBLE!
Balanced with respect to probability vector: IMPOSSIBLE! Unbalanced with respect to arbitrary vectors: FAIR!
Balanced with respect to probability vector: IMPOSSIBLE! Unbalanced with respect to probability vector, balanced with respect to arbitrary vectors: β’ If the hyperplanes do not contain the origin: cannot be computed using [GHKL08] (with particular simulation strategy) β’ If the hyperplanes contain the origin: not characterized (sometimes the GHKL protocol is possible) Unbalanced with respect to arbitrary vectors: FAIR!
CONCLUSIONS
P d : The probability that a 0/1 matrix is singular?
β’ P d : The probability that a 0/1 matrix is singular? β Conjecture: (1/2+o(1)) d (roughly the probability to have two rows that are the same) β Komlos (67): 0.999 π β Tao and Vu [STOC 05]: (3/4+o(1)) d β Best known today [Vu and Hood 09] : (1/ β2 +o(1)) d
β’ P d : The probability that a 0/1 matrix is singular? β Conjecture: (1/2+o(1)) d (roughly the probability to have two rows that are the same) β Komlos (67): 0.999 π β Tao and Vu [STOC 05]: (3/4+o(1)) d β Best known today [Vu and Hood 09] : (1/ β2 +o(1)) d
β’ P d : The probability that a 0/1 matrix is singular? d P d β Conjecture: (1/2+o(1)) d 1 0.5 (roughly the probability to have two rows that are 5 0.627 the same) 10 0.297 β Komlos (67): 15 0.047 0.999 π 20 0.0025 β Tao and Vu [STOC 05]: 25 0.0000689 (3/4+o(1)) d 30 0.0000015 β Best known today [Vu and Hood 09] : (1/ β2 +o(1)) d
Recommend
More recommend
