Gilad Asharov Gilad Asharov parties, each has some private input, - PowerPoint PPT Presentation

𝒈 is 𝜺 balanced if there exist probability vectors 𝒒 = 𝑞 1 , … , 𝑞 𝑛 , 𝒓 = 𝑟 1 , … , 𝑟 ℓ and ⁡0 < 𝜀 < 1 s.t: 𝑔 ⋅ 𝒓 𝑈 = 𝜀 ⋅ 𝟐 𝑛 𝑈 ⁡𝒒⁡ ⋅ 𝑁 𝑔 = 𝜀 ⋅ 𝟐 ℓ AND 𝑁 Theorem If 𝑔 is 𝜀 -balanced then it implies fair coin-tossing

1 0 0 1 0 1 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 1 0 0 1 1 1 (left-balanced, right-unbalanced)

1 0 0 1 0 1 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 1 0 𝑞 1 0 𝑞 0 1 1 − 𝑞 = 0 1 1 − 𝑞 1 1 1 1 1 (left-balanced, right-unbalanced)

Theorem if 𝑔 is not 𝜀 -balanced for any 0 < 𝜀 < 1 , then it does not imply coin tossing*

Theorem if 𝑔 is not 𝜀 -balanced for any 0 < 𝜀 < 1 , then it does not imply coin tossing* • We show that for any coin-tossing protocol in the 𝑔 -hybrid model, there exists an adversary that can bias the result

Theorem if 𝑔 is not 𝜀 -balanced for any 0 < 𝜀 < 1 , then it does not imply coin tossing* • We show that for any coin-tossing protocol in the 𝑔 -hybrid model, there exists an adversary that can bias the result • Unlike Cleve – here we do have something simultaneously. A completely different argument is given

Theorem if 𝑔 is not 𝜀 -balanced for any 0 < 𝜀 < 1 , then it does not imply coin tossing* • We show that for any coin-tossing protocol in the 𝑔 -hybrid model, there exists an adversary that can bias the result • Unlike Cleve – here we do have something simultaneously. A completely different argument is given • Caveat : the adversary is inefficient

Theorem if 𝑔 is not 𝜀 -balanced for any 0 < 𝜀 < 1 , then it does not imply coin tossing* • We show that for any coin-tossing protocol in the 𝑔 -hybrid model, there exists an adversary that can bias the result • Unlike Cleve – here we do have something simultaneously. A completely different argument is given • Caveat : the adversary is inefficient • However, impossibility holds also when the parties have OT-oracle (and so commitments, ZK, etc.)

Asharov

Gordon, Hazay, Katz and Lindell [STOC08] presented a general protocol and proved that a particular function can be computed using this protocol

Gordon, Hazay, Katz and Lindell [STOC08] presented a general protocol and proved that a particular function can be computed using this protocol Question: What functions can be computed using this protocol?

• Almost all functions with |X| ≠ 𝐙 : can be computed using the protocol • Almost all functions with 𝐘 = |𝐙| : cannot be computed using the protocol – If the function has monochromatic input, it may be possible even if 𝑌 = 𝑍 • Characterization of [GHKL08] is not tight! – There are functions that are left unknown

• Special round 𝑗 ∗ • Until round 𝑗 ∗ - the outputs are random and uncorrelated (𝑔 𝑦, 𝑧 , 𝑔 𝑦 , 𝑧 ) • Starting at 𝑗 ∗ - the outputs are correct • At 𝑗 ∗ , P x learns before P y

• Special round 𝑗 ∗ • Until round 𝑗 ∗ - the outputs are random and uncorrelated (𝑔 𝑦, 𝑧 , 𝑔 𝑦 , 𝑧 ) • Starting at 𝑗 ∗ - the outputs are correct • At 𝑗 ∗ , P x learns before P y • Security: – P y is always the second to receive output • Simulation is possible for all functions – P x is always the first to receive output • Simulation is possible only for some functions

Trusted Party

𝑧 Trusted Party

𝑦⁡ 𝑧 Trusted Party

𝑦⁡ 𝑧 Trusted Party 𝑔(𝑦, 𝑧)

𝑦⁡ 𝑧 Trusted Party 𝑔(𝑦, 𝑧) 𝑔(𝑦, 𝑧)

Before 𝑗 ∗ : 𝑔(𝑦 , 𝑧) 1/3 1/3 1/3 ( 2 3 ⁡, 2 3 )

Before 𝑗 ∗ : 𝑔(𝑦 , 𝑧) ( 2 3 + 𝜗, 2 3 )

Before 𝑗 ∗ : 𝑔(𝑦 , 𝑧) 1/3 −ϵ 1/3 1/3 +ϵ ( 2 3 + 𝜗, 2 3 )

Before 𝑗 ∗ : 𝑔(𝑦 , 𝑧) 1/3 −ϵ 1/3 1/3 +ϵ ( 2 3 + 𝜗, 2 3 )

Before 𝑗 ∗ : 𝑔(𝑦 , 𝑧) y 1 y 2 1/2 x 1 0 1 x 2 1/2 1 0 (1/2, 1/2)

Before 𝑗 ∗ : 𝑔(𝑦 , 𝑧) y 1 y 2 1/2 x 1 0 1 x 2 1/2 1 0 (1/2, 1/2) (1/2+ 𝝑 1/2)

Before 𝑗 ∗ : 𝑔(𝑦 , 𝑧) y 1 y 2 1/2 1/2 x 1 0 1 1/2+ 𝜗 x 2 1/2 1 0 (1/2, 1/2) (1/2+ 𝝑 1/2)

(1 − 𝑞, 𝑞) (1 − 𝑞 1 , 1 − 𝑞 2 )

(1 − 𝑞, 𝑞) (1 − 𝑞 1 , 1 − 𝑞 2 )

(1 − 𝑞, 𝑞) (1 − 𝑞 1 , 1 − 𝑞 2 )

1) General for multiparty computation: “The power of the ideal adversary” – Geometric representation 2) Specific for the [GHKL08] protocol: Adding more rounds – less to correct!

REAL Before 𝒋 ∗ : 𝑔(𝑦 , 𝑧) for uniform 𝑦 (1/3,1/3,1/3) ⇒ (2/3, 2/3) 𝐹 𝑆 = 5 𝐹 𝑆 = 100

All points that the simulator needs are inside some “ball” • The center – the output distribution of REAL • The radius – a function of number of rounds

All points that the simulator needs are inside some “ball” • The center – the output distribution of REAL • The radius – a function of number of rounds

• Let 𝑔: 𝑦 1 , … , 𝑦 ℓ × 𝑧 1 , … , 𝑧 𝑛 → {0,1} • Consider the ℓ points 𝑌 1 , … , 𝑌 ℓ in ℝ 𝑛 (the “rows” of the matrix)

• Let 𝑔: 𝑦 1 , … , 𝑦 ℓ × 𝑧 1 , … , 𝑧 𝑛 → {0,1} • Consider the ℓ points 𝑌 1 , … , 𝑌 ℓ in ℝ 𝑛 (the “rows” of the matrix) Definition If the geometric object defined by ⁡⁡𝑌 1 , … , 𝑌 ℓ ∈ ℝ 𝑛 is of dimension 𝑛, Then the function is full-dimensional

Theorem If 𝑔 is of full-dimension , then it can be computed with complete fairness

Theorem If 𝑔 is of full-dimension , then it can be computed with complete fairness Proof: • We use the protocol of [GHKL08]

Theorem If 𝑔 is of full-dimension , then it can be computed with complete fairness Proof: • We use the protocol of [GHKL08] • We show that all the points that the simulator needs are inside a small “ball”

Theorem If 𝑔 is of full-dimension , then it can be computed with complete fairness Proof: • We use the protocol of [GHKL08] • We show that all the points that the simulator needs are inside a small “ball” • The ball is embedded inside the geometric object defined by the function

y 1 y 2 y 3 x 1 1 0 0 x 2 0 1 0 x 3 0 0 1 x 4 1 1 1

• In ℝ 2 - all points do not lie on a single LINE • In ℝ 3 - all points do not lie on a single PLANE • … • In ℝ 𝑛 - all points do not lie on a single HYPERPLANE Not Full-Dimensional • In ℝ 2 - 𝑨 1 , 𝑨 2 ∃ 𝑟 1 , 𝑟 2 , 𝜀 ∈ ℝ s.t. 𝑟 1 𝑨 1 + 𝑟 2 𝑨 2 = 𝜀 ? • In ℝ 3 - (𝑨 1 , 𝑨 2 , 𝑨 3 ) ∃ 𝑟 1 , 𝑟 2 , 𝑟 3 , 𝜀 ∈ ℝ⁡ s.t. 𝑟 1 𝑨 1 + 𝑟 2 𝑨 2 + 𝑟 3 𝑨 3 = 𝜀 ?

• Full-dimensional function • The function is right-unbalanced : – For every non-zero 𝒓 ∈ ℝ 𝑛 , 𝜀 ∈ ℝ it holds that: 𝑁 𝑔 ⋅ 𝒓 ≠ 𝜀 ⋅ 𝟐

• Full-dimensional function • The function is right-unbalanced : – For every non-zero 𝒓 ∈ ℝ 𝑛 , 𝜀 ∈ ℝ it holds that: 𝑁 𝑔 ⋅ 𝒓 ≠ 𝜀 ⋅ 𝟐 Easy to Check Criterion: No solution 𝒓 for: 𝑁 𝑔 ⋅ 𝒓 = 𝟐 Only trivial solution for: 𝑁 𝑔 ⋅ 𝒓 = 𝟏

Balanced with respect to probability vector: IMPOSSIBLE!

Balanced with respect to probability vector: IMPOSSIBLE! Unbalanced with respect to arbitrary vectors: FAIR!

Balanced with respect to probability vector: IMPOSSIBLE! Unbalanced with respect to probability vector, balanced with respect to arbitrary vectors: • If the hyperplanes do not contain the origin: cannot be computed using [GHKL08] (with particular simulation strategy) • If the hyperplanes contain the origin: not characterized (sometimes the GHKL protocol is possible) Unbalanced with respect to arbitrary vectors: FAIR!

CONCLUSIONS

P d : The probability that a 0/1 matrix is singular?

• P d : The probability that a 0/1 matrix is singular? – Conjecture: (1/2+o(1)) d (roughly the probability to have two rows that are the same) – Komlos (67): 0.999 𝑒 – Tao and Vu [STOC 05]: (3/4+o(1)) d – Best known today [Vu and Hood 09] : (1/ √2 +o(1)) d

• P d : The probability that a 0/1 matrix is singular? – Conjecture: (1/2+o(1)) d (roughly the probability to have two rows that are the same) – Komlos (67): 0.999 𝑒 – Tao and Vu [STOC 05]: (3/4+o(1)) d – Best known today [Vu and Hood 09] : (1/ √2 +o(1)) d

• P d : The probability that a 0/1 matrix is singular? d P d – Conjecture: (1/2+o(1)) d 1 0.5 (roughly the probability to have two rows that are 5 0.627 the same) 10 0.297 – Komlos (67): 15 0.047 0.999 𝑒 20 0.0025 – Tao and Vu [STOC 05]: 25 0.0000689 (3/4+o(1)) d 30 0.0000015 – Best known today [Vu and Hood 09] : (1/ √2 +o(1)) d