We study common randomness where two parties have access to i.i.d. samples from a known random source, and wish to generate a shared random key using limited (or no) communication with the largest possible probability of agreement. This problem is at the core of secret key generation in cryptography, with connections to communication under uncertainty and locality sensitive hashing. We take the approach of treating correlated sources as a critical resource, and ask whether common randomness can be generated resourceefficiently.
We consider two notable sources in this setup arising from correlated bits and correlated Gaussians. We design the first explicit schemes that use only a polynomial number of samples (in the key length) so that the players can generate shared keys that agree with constant probability using optimal communication. The best previously known schemes were both nonconstructive and used an exponential number of samples. In the amortized setting, we characterize the largest achievable ratio of key length to communication in terms of the external and internal information costs, two wellstudied quantities in theoretical computer science. In the relaxed setting where the two parties merely wish to improve the correlation between the generated keys of length k, we show that there are no interactive protocols using o(k) bits of communication having agreement probability even as small as 2–o(k). For the related communication problem where the players wish to compute a joint function f of their inputs using i.i.d samples from a known source, we give a simultaneous message passing protocol using 2O(c) bits where c is the interactive randomized publiccoin communication complexity of f. This matches the lower bound shown previously while the best previously known upper bound was doubly exponential in c.
Our schemes reveal a new connection between common randomness and unbiased errorcorrecting codes, e.g., dualBCH codes and their analogues in Euclidean space.
Read More: https://epubs.siam.org/doi/10.1137/1.9781611975031.120
more »
« less
The Power of Shared Randomness in Uncertain Communication
In a recent work (Ghazi et al., SODA 2016), the authors with Komargodski and Kothari initiated the study of communication with contextual uncertainty, a setup aiming to understand how efficient communication is possible when the communicating parties imperfectly share a huge context. In this setting, Alice is given a function f and an input string x, and Bob is given a function g and an input string y. The pair (x,y) comes from a known distribution mu and f and g are guaranteed to be close under this distribution. Alice and Bob wish to compute g(x,y) with high probability. The lack of agreement between Alice and Bob on the function that is being computed captures the uncertainty in the context. The previous work showed that any problem with oneway communication complexity k in the standard model (i.e., without uncertainty, in other words, under the promise that f=g) has publiccoin communication at most O(k(1+I)) bits in the uncertain case, where I is the mutual information between x and y. Moreover, a lower bound of Omega(sqrt{I}) bits on the publiccoin uncertain communication was also shown.
However, an important question that was left open is related to the power that public randomness brings to uncertain communication. Can Alice and Bob achieve efficient communication amid uncertainty without using public randomness? And how powerful are publiccoin protocols in overcoming uncertainty? Motivated by these two questions:
 We prove the first separation between privatecoin uncertain communication and publiccoin uncertain communication. Namely, we exhibit a function class for which the communication in the standard model and the publiccoin uncertain communication are O(1) while the privatecoin uncertain communication is a growing function of n (the length of the inputs). This lower bound (proved with respect to the uniform distribution) is in sharp contrast with the case of publiccoin uncertain communication which was shown by the previous work to be within a constant factor from the certain communication. This lower bound also implies the first separation between publiccoin uncertain communication and deterministic uncertain communication. Interestingly, we also show that if Alice and Bob imperfectly share a sequence of random bits (a setup weaker than public randomness), then achieving a constant blowup in communication is still possible.
 We improve the lowerbound of the previous work on publiccoin uncertain communication. Namely, we exhibit a function class and a distribution (with mutual information I approx n) for which the oneway certain communication is k bits but the oneway publiccoin uncertain communication is at least Omega(sqrt{k}*sqrt{I}) bits.
Our proofs introduce new problems in the standard communication complexity model and prove lower bounds for these problems. Both the problems and the lower bound techniques may be of general interest.
more »
« less
 Award ID(s):
 1650733
 NSFPAR ID:
 10078500
 Date Published:
 Journal Name:
 44th International Colloquium on Automata, Languages, and Programming (ICALP 2017)
 ISSN:
 18688969
 Format(s):
 Medium: X
 Sponsoring Org:
 National Science Foundation
More Like this


Tauman Kalai, Yael (Ed.)We introduce and study the communication complexity of computing the inner product of two vectors, where the input is restricted w.r.t. a norm N on the space ℝⁿ. Here, Alice and Bob hold two vectors v,u such that ‖v‖_N ≤ 1 and ‖u‖_{N^*} ≤ 1, where N^* is the dual norm. The goal is to compute their inner product ⟨v,u⟩ up to an ε additive term. The problem is denoted by IP_N, and generalizes important previously studied problems, such as: (1) Computing the expectation 𝔼_{x∼𝒟}[f(x)] when Alice holds 𝒟 and Bob holds f is equivalent to IP_{𝓁₁}. (2) Computing v^TAv where Alice has a symmetric matrix with bounded operator norm (denoted S_∞) and Bob has a vector v where ‖v‖₂ = 1. This problem is complete for quantum communication complexity and is equivalent to IP_{S_∞}. We systematically study IP_N, showing the following results, near tight in most cases: 1) For any symmetric norm N, given ‖v‖_N ≤ 1 and ‖u‖_{N^*} ≤ 1 there is a randomized protocol using 𝒪̃(ε^{6} log n) bits of communication that returns a value in ⟨u,v⟩±ε with probability 2/3  we will denote this by ℛ_{ε,1/3}(IP_N) ≤ 𝒪̃(ε^{6} log n). In a special case where N = 𝓁_p and N^* = 𝓁_q for p^{1} + q^{1} = 1, we obtain an improved bound ℛ_{ε,1/3}(IP_{𝓁_p}) ≤ 𝒪(ε^{2} log n), nearly matching the lower bound ℛ_{ε, 1/3}(IP_{𝓁_p}) ≥ Ω(min(n, ε^{2})). 2) One way communication complexity ℛ^{→}_{ε,δ}(IP_{𝓁_p}) ≤ 𝒪(ε^{max(2,p)}⋅ log n/ε), and a nearly matching lower bound ℛ^{→}_{ε, 1/3}(IP_{𝓁_p}) ≥ Ω(ε^{max(2,p)}) for ε^{max(2,p)} ≪ n. 3) One way communication complexity ℛ^{→}_{ε,δ}(N) for a symmetric norm N is governed by the distortion of the embedding 𝓁_∞^k into N. Specifically, while a small distortion embedding easily implies a lower bound Ω(k), we show that, conversely, nonexistence of such an embedding implies protocol with communication k^𝒪(log log k) log² n. 4) For arbitrary origin symmetric convex polytope P, we show ℛ_{ε,1/3}(IP_{N}) ≤ 𝒪(ε^{2} log xc(P)), where N is the unique norm for which P is a unit ball, and xc(P) is the extension complexity of P (i.e. the smallest number of inequalities describing some polytope P' s.t. P is projection of P').more » « less

The epsilonapproximate degree, deg_epsilon(f), of a Boolean function f is the least degree of a realvalued polynomial that approximates f pointwise to within epsilon. A sound and complete certificate for approximate degree being at least k is a pair of probability distributions, also known as a dual polynomial, that are perfectly kwise indistinguishable, but are distinguishable by f with advantage 1  epsilon. Our contributions are:  We give a simple, explicit new construction of a dual polynomial for the AND function on n bits, certifying that its epsilonapproximate degree is Omega (sqrt{n log 1/epsilon}). This construction is the first to extend to the notion of weighted degree, and yields the first explicit certificate that the 1/3approximate degree of any (possibly unbalanced) readonce DNF is Omega(sqrt{n}). It draws a novel connection between the approximate degree of AND and anticoncentration of the Binomial distribution.  We show that any pair of symmetric distributions on nbit strings that are perfectly kwise indistinguishable are also statistically Kwise indistinguishable with at most K^{3/2} * exp (Omega (k^2/K)) error for all k < K <= n/64. This bound is essentially tight, and implies that any symmetric function f is a reconstruction function with constant advantage for a ramp secret sharing scheme that is secure against sizeK coalitions with statistical error K^{3/2} * exp (Omega (deg_{1/3}(f)^2/K)) for all values of K up to n/64 simultaneously. Previous secret sharing schemes required that K be determined in advance, and only worked for f=AND. Our analysis draws another new connection between approximate degree and concentration phenomena. As a corollary of this result, we show that for any d <= n/64, any degree d polynomial approximating a symmetric function f to error 1/3 must have coefficients of l_1norm at least K^{3/2} * exp ({Omega (deg_{1/3}(f)^2/d)}). We also show this bound is essentially tight for any d > deg_{1/3}(f). These upper and lower bounds were also previously only known in the case f=AND.more » « less

Suppose Alice and Bob each start with private randomness and no other input, and they wish to engage in a protocol in which Alice ends up with a set x ⊆ [n] and Bob ends up with a set y ⊆ [n], such that (x, y) is uniformly distributed over all pairs of disjoint sets. We prove that for some constant β < 1, this requires Ω(n) communication even to get within statistical distance 1 − β^n of the target distribution. Previously, Ambainis, Schulman, TaShma, Vazirani, and Wigderson (FOCS 1998) proved that Ω(√n) communication is required to get within some constant statistical distance ε > 0 of the uniform distribution over all pairs of disjoint sets of size √n.more » « less

Suppose Alice and Bob each start with private randomness and no other input, and they wish to engage in a protocol in which Alice ends up with a set x ⊆ [ n ] and Bob ends up with a set y ⊆ [ n ], such that ( x , y ) is uniformly distributed over all pairs of disjoint sets. We prove that for some constant β < 1, this requires Ω ( n ) communication even to get within statistical distance 1− β n of the target distribution. Previously, Ambainis, Schulman, TaShma, Vazirani, and Wigderson (FOCS 1998) proved that Ω (√ n ) communication is required to get within some constant statistical distance ɛ > 0 of the uniform distribution over all pairs of disjoint sets of size √ n .more » « less