Coin flipping from a cosmic source

OR

Error correction of truly random bits

Elchanan Mossel Ryan O’Donnell

Microsoft Research MIT

(now at Berkeley)

A new problem

We consider a new problem motivated by ideas in cryptography, coding theory, collective coin flipping, and noise sensitivity.

We prove some results using probability, convexity, Fourier analysis, and discrete symmetrization.

Many open problems remain.

The problem

Alice

Bob

Cindy

Kate

x 01010001011011011111 (n bits)

y1 01010001011011011111

y2 01010001011011011111

y3 01010001011011011111

° ° °

yk 01010001011011011111o o o

0

0

0

0

first bit

0

Broadcast with ε errors

Alice

Bob

Cindy

Kate

x 01010001011011011111 (n bits)

y1 01011000011011011111

y2 01010001011110011011

y3 11010001011010011111

° ° °

yk 01010011011001010111o o o

0

0

1

0

first bit

1

Broadcast with ε errors

Alice

Bob

Cindy

Kate

x 01010001011011011111 (n bits)

y1 01011000011011011111

y2 01010001011110011011

y3 11010001011010011111

° ° °

yk 01010011011001010111o o o

1

1

1

1

majority

The parameters

n bit uniform random “source” string x

k parties who cannot communicate, but wish to agree on a uniformly random bit

ε each party gets an independentlycorrupted version yi, each bit flippedindependently with probability ε

f (or f1… fk): balanced “protocol” functions

Our goal

For each n, k, ε,

find the best protocol function f (or functions f1…fk)

which maximize the probability that all parties agree

on the same bit.

Notation

We’re interested in the probability (over choice of x and broadcast corruptions) that all parties agree.

We write:

P (f1, …, fk; ε) = Pr[f1(y1) = ··· = fk(yk)],

Pk(f; ε) in the case f = f1 = ··· = fk.

MotivationOriginal motivation: The “Everlasting

Security” cryptographic protocol of Ding and Rabin [DR01].

In this model, many players want shared access to a random string.

Requires a satellite or other cosmic source to broadcast trillions (!) of random bits per second.

Errors in reception seem quite likely.

MotivationNatural question for the problem of error-

correction in a broadcast channel.

Of course, when the source is truly random, error correction is impossible.

However we don’t require that all parties recover the original info with high probability, only that they attain some shared info with high probability and this mutual info has high entropy.

MotivationSimilar to non-cryptographic collective coin-

flipping problems [BL90,…, Dod00].

In these, a number of players want to agree on a random coin toss. However some players are malicious and corrupt bits arbitrarily.

Two difference: 1. We assume random corruptions, not adversarial. 2. Our players cannot communicate.

MotivationFinally, the problem is intimately related to

the study of noise sensitivity of boolean functions [KKL88, Hås97, BKS98, BJT99, Bou01, KS03, O02, MO02, KOS02, BMOS03,…]:

this is the study of Pr[f(x) = f(y1)]. Technical aside: Noise sensitivity is

essentially given by ||Tε(f)||2 , where Tε is the linear operator from the Bonami-Beckner inequality. Our problem is essentially the study of ||Tε(f)||k.

IntuitionSuppose all players use the same balanced

function f.

In some sense, we want f to be the least noise sensitive balanced function possible. Normally, this is the first-bit dictator function.

But if there are many players, we’d rather have a function which has a few points which are extremely noise-stable, rather than having all points fairly noise-stable…

Intuition – cont’dWhen f(x) = x1, every source string is equally

good; for each player, the probability its first bit doesn’t flip is 1-ε so the probability of success is something like (1-ε)k.

When f(x) = majority, there are a few source strings, like 1111· · ·1, which are extremely good. So although majority is more noise sensitive “on the average,” it can be better in our problem if k is large.

Things harder than they seem?One theme we will allude to throughout the

talk is that certain elements of this problem were more difficult or more counterintuitive than Elchanan and I expected –

Some things we thought were obvious required or seemed to require nontrivial proofs; some things we thought were obvious weren’t even true!

About protocolsFor example, recall that we want the parties’

bits, when agreed upon, to be uniformly random.

To get this, we restricted protocol functions to balanced.

However this is neither necessary nor sufficient!

In particular, for n = 5 and k = 3, there is a balanced function f such that, if all players use f, they are more likely to agree on 1 than on 0!

Antisymmetric protocolsTo get agreed-upon bits to be uniform, it

suffices for functions be antisymmetric:

fi( x ) = fi(x).

Proof: Pr[f1(y1) = ··· = fk(yk) = 1]

= Pr[f1(y1) = ··· = fk(yk) = 0]

= Pr[f1(y1) = ··· = fk(yk) = 0].

So we can study antisymmetric protocols instead if we like, but often studying merely balanced protocols is okay too.

Our results

We first show that all players should use the same function, and it should have certain monotonicity properties.

When k = 2 or 3, the first-bit function is best.

For fixed n, when k→∞ majority is best, and when ε→0 and ε→½, the first-bit is best.

For unbounded n, things get harder… in general we don’t know the best function, but we can give a lower bound for Pk(f; ε).

Players should use same fcn.

First, as expected, all parties should use the same function:

Theorem 1: Fix n, k, ε and also a class of functions C for the parties’ functions to come from. Then every protocol which maximizes P (f1, …, fk; ε) has f1 = ··· = fk.

Proof: Convexity.

One page proof sketch

Let C = {g1, …, gm}, and suppose ti parties use gi, for i=1…m.

We have that the ti’s are integers and also:

ti ≥ 0 and t1 + ··· + tm = k. (*)

The success probability which we want to maximize is a convex function of the ti’s.

Hence its maximum occurs at a vertex of (*),which is a point (0, …, 0, k, 0, …, 0), which is already integral.

For k=2,3, f(x) = x1 is best

Theorem 2: For k = 2, 3 and for all n, ε, the unique best protocol is for the parties to use f(x) = x1.

Proof: Fourier analysis.

Comments: 1. If the players can be assumed to use the same function, the k=2 case is folklore.2. By “unique,” we shall mean up to trivial reordering of indices and switching 0 and 1.

More on k=2, 3

Corollary: No error correction is possible for k=2, 3.

Corollary: For all k, if the parties wish to maximize the expected number of agreements or the expected number of parties in the majority, they should all use f(x) = x1.

Proof: E[# (i,j) : f(yi) = f(yj)]

= ( ) Pr[f(yi) = f(yj)].n2

One page proof sketch for k = 2

When k = 2, we can think of party 1 as having the “true” random bits and party 2 as having an ε'-corruption. Thus the success probability is just the noise stability of f. For f balanced, this is:

αΣ|S|≥1 (1-2ε')|S| f(S)2,

so best function has Fourier weight all on level 1.

The k = 3 case reduces to k = 2 by a trick.

Any maximizing f has a special form:

Theorem 3: For all k, n, ε, any f maximizing Pk(f; ε) is left-monotone.

Proof: Steiner symmetrization (shifting).

Remark: This is again up to trivial permutations and switching 0 and 1.

A left-monotone function is one satisfying f(x1y) ≥ f(x0y) and f(x10y) ≥ f(x01y) x,y.

Properties of the best functionA

Fixed ε, n; k→∞

For k > 3, you can just do better than f(x) = x1:

Theorem 4: For all fixed ε and n (odd), for all sufficiently large k, the unique best protocol is f = MAJn.

Proof: Elementary probability and coupling.

Remark: In this case, the probability of success = Θ( (1 – Pr[Bin(n,ε) > n/2])k ), as compared to Θ( (1 – ε)k ) for f = x1.

One page proof sketch• intuitively, if n is fixed and k is very large, in

most cases it’s extremely unlikely all agree • to have a chance of success, must get a very

helpful source string• success probability indeed controlled by the

success probability for the best source x • since f can be assumed monotone, the best

source string is the all 1’s string• in this case, the best function is clearly MAJn.

Fixed n, k; ε → 0, ½.

Theorem 4 was for fixed n, ε and k → ∞. Dually:

Theorem 5: Fix n and k. Then for ε sufficiently close to 0 and for ε sufficiently close to ½, the unique best protocol is f = x1.

Proof: Isoperimetry for ε near 0, Fourier analysis for ε near ½.

One page proof sketch for ε → 0

When ε is extremely tiny, it’s almost as though there is just a single corruption error among all y1, …, yk.

In this case, we just want to maximize the probability that this one corruption doesn’t change the value of f.

This is equivalent to minimizing f’s “edge boundary.” By an isoperimetric theorem, the best f is the cube, f(x) = x1.

Unbounded n

As for k, ε fixed and n→∞, this is the heart of the problem and it seems quite difficult. Here we tend to imagine ε fixed and k→∞, but n is allowed to be unbounded in terms of k.

It seemed to us from Theorem 4 that in this case, the probability of success should go to 0 exponentially quickly as k→∞.

But…!

Polynomial decay

We were unable to prove this because, in fact, the decay is at worst polynomial:

Theorem 6: Fix ε. Then there is a sequence (nk) such that:

Pk(MAJnk; ε) ≥ Ω(k-2/(1-2ε)²).

Proof: Use normal approximation.

Shameful fact: We still believe that the success probability must go to 0 as k→∞ but we can’t prove it!

~

Using majorities

So far, in all of our theorems either MAJ1 or MAJn has been the best function. Unfortunately, it’s not true that one of these is always best.

Theorem 7: There exist particular k and ε such that neither MAJ1 nor MAJn is the best majority function protocol. Indeed, Pk(MAJr; ε) is not even unimodular in r!

Proof: Computer-assisted.

Are majorities best?Still, in every case we know and every case

considered by computer, some majority function has been best. Is this always the case? We present the two opposing conjectures on this intriguing question:

Conjecture M: For a particular k, ε, and odd n, there is an antisymmetric function strictly better than all majority functions.

Conjecture O: The best antisymmetric [balanced?] function is always a majority.

Wrap-up

In conclusion, we think the “cosmic coin flipping” problem is a nice one to think about, and one that presents many intriguing open problems.

We believe that some may be easy to resolve, whereas some might require much more heavy-duty techniques; perhaps some deeper isoperimetry ideas or the Bonami-Beckner inequality.

Open problems1. Show that for fixed ε, when k→∞ and n is

allowed to be unbounded, the success probability goes to 0.

2. Show that for all k, ε, as n→∞, the best majority is MAJn, up to a universal constant.

3. Show that MAJ1 is best for k ≤ … 9?

4. Show that the best weighted threshold function is always a majority.

5. Prove Conjecture M or Conjecture O.