Utility Dependence in Correct and Fair Rational Secret Sharing
|
|
- Juniper Lynch
- 6 years ago
- Views:
Transcription
1 Utlty Dependence n Correct and Far Ratonal Secret Sharng Glad Asharov and Yehuda Lndell Department of Computer Scence Bar-Ilan Unversty, Israel glad asharov@yahoo.com, lndell@cs.bu.ac.l Abstract. The problem of carryng out cryptographc computatons when the partcpatng partes are ratonal n a game-theoretc sense has recently ganed much attenton. One problem that has been studed consderably s that of ratonal secret sharng. In ths settng, the am s to construct a mechansm (protocol) so that partes behavng ratonally have ncentve to cooperate and provde ther shares n the reconstructon phase, even f each party prefers to be the only one to learn the secret. Although ths queston was only recently asked by Halpern and Teague (STOC 2004), a number of works wth beautful deas have been presented to solve ths problem. However, they all have the property that the protocols constructed need to know the actual utlty values of the partes (or at least a bound on them). Ths assumpton s very problematc because the utltes of partes are not publc knowledge. We ask whether ths dependence on the actual utlty values s really necessary and prove that n the basc settng, ratonal secret sharng cannot be acheved wthout t. On the postve sde, we show that by somewhat relaxng the standard assumptons on the utlty functons, t s possble to acheve utlty ndependence. In addton to the above, observe that the known protocols for ratonal secret sharng that do not assume smultaneous channels all suffer from the problem that one of the partes can cause the others to output an ncorrect value. (Ths problem arses when a party gans hgher utlty by havng another output an ncorrect value than by learnng the secret tself; we argue that such a scenaro s not at all unlkely.) We show that ths problem s nherent n the non-smultaneous channels model, unless the actual values of the partes utltes from ths attack s known, n whch case t s possble to prevent ths from happenng. 1 Introducton Recently, there has been much nterest n the ntersecton between cryptography and game theory [6, 5, 10, 3, 1, 9, 10]. One specfc queston that has ganed much attenton s that of ratonal secret sharng. The basc problem that arses when consderng secret sharng (or to be more exact, protocols for the reconstructon Research supported by the srael scence foundaton (grant No. 781/07).
2 phase) s that the partes actually have no ncentve to reveal ther share. Specfcally, assume that t partes get together to reconstruct a secret that was shared usng a t-out-of-n secret sharng scheme. The way that ths reconstructon takes place s smply for each party to broadcast ts share to all others. However, f one party does not broadcast ts share, t can stll reconstruct the secret (because t receved the t 1 shares of all other partes and so has t shares overall), but the others cannot (because they only have t 1 shares). Thus, under the assumpton that partes prefer to be the only one to learn the secret, the ratonal behavor n the above nave reconstructon procedure s for every party to reman quet and not broadcast ts share [6]. The am of ratonal secret sharng s therefore to construct a mechansm so that t s n the nterest of ratonal partes to cooperate, wth the result beng that all partes learn the reconstructed secret. The fact that the partes are ratonal essentally means that they each have a utlty functon assgnng a value to every possble outcome of the protocol (ths value represents the gan that the party acheves f the gven outcome occurs). Furthermore, the partes am s to maxmze ther utlty. We remark that a mechansm s consdered successful f t acheves a Nash equlbrum (or one of ts varants) for the strategy whch nstructs all partes to cooperate. Loosely speakng, ths means that f any one of the partes devates from the prescrbed strategy (whle others follow t), then t wll not obtan a hgher utlty (and may even lose). Thus, t s n the nterest of all partes to follow the prescrbed strategy and cooperate. In order to construct a mechansm wth the above propertes, certan natural assumptons are made regardng the utltes of the partes. In partcular, t s assumed that a party always prefers to learn the secret than to not learn t (ths s essental to assume, or else there s no reason for a party to ever partcpate n the reconstructon). Furthermore, t s assumed that partes prefer to learn the secret, and have some or all of the other partes not learn t (when knowledge s power, ths makes a lot of sense). Although the above assumptons are very reasonable, a concern wth all of the known protocols s that they don t just assume that ths learnng preference holds. Rather, they assume that the actual utlty values of the partes (or at least bounds on them) are known to all, and the mechansm tself depends on these values. The problem wth ths assumpton s that n realty the utlty of a party may not even be known to tself, let alone to others. Furthermore, even f a party knows ts own utlty, t s unclear how others can learn ths value (t would not necessarly be ratonal for a party to be honest about ts utlty; rather, t may gan somethng by provdng ncorrect nformaton about ts utlty functon). Ths problem stands at the center of ths work, and we ask the followng fundamental queston: Is t possble to construct a sngle reconstructon mechansm for ratonal secret sharng that acheves a Nash equlbrum for all possble values of utlty functons that fulfll the aforementoned assumptons regardng learnng preference? In addton to the above, we observe that some of the known protocols suffer from a correctness ssue. Specfcally, most of the postve results on ths topc
3 assumed that the partes have access to a smultaneous channel (meanng that all partes can smultaneously send messages meanng that no party can see what the others broadcast before sendng ts own). Snce smultaneous channels are problematc to mplement n practce, a recent breakthrough was made that acheved ratonal secret sharng n non-smultaneous channels [10]. However, the protocol of [10] (and a follow-up protocol by [7]) has the problem that one of the partes can cause the others to output an ncorrect value, at the expense of not learnng the secret tself. Thus, the assumpton made by [10] s that snce a party always prefers to learn the secret, t wll never follow such a strategy. However, we do not beleve that ths assumpton s always reasonable. Rather, there are certanly scenaros where a party can gan more by havng another learn ncorrect nformaton than by learnng the nformaton tself (for example, consder the case where the use of ncorrect nformaton can result n a loss of reputaton, to the potental gan of others). In any case, t would certanly be preferable to not have to assume ths. Notng that ths problem of correctness does not arse n any of the protocols usng smultaneous channels, we ask: Is t possble to construct a reconstructon mechansm for ratonal secret sharng that uses non-smultaneous channels and acheves Nash equlbrum even f a party s utlty when another party outputs an ncorrect value s hgher than ts utlty when t learns the secret? Furthermore, s t possble to acheve ths wthout assumng knowledge of the actual utlty value? Our results. We focus manly on 2-out-of-2 secret sharng. Let U + denote the utlty of party P when t learns the secret and the other party does not. Furthermore, let U f denote the utlty of party P when the other party outputs an ncorrect (false) value, even f P tself dd not learn the output. We call a mechansm U + -ndependent f t acheves Nash equlbrum for all possble (polynomal) values of (U 1 +, U 2 + ) that fulfll the aforementoned learnng-preference assumptons (.e., that a party prefers to learn than not learn, and prefers to be the only one to learn). We defne U f -ndependence smlarly. We stress that when a mechansm s U + or U f -ndependent, t may stll know the values of the other utltes (.e., the utlty when all partes learn the secret or when none learn t). We begn by provng an nterestng connecton between U + -ndependence and complete farness, and between U f -ndependence and correctness (where farness and correctness here are n the presence of malcous adversaral behavor that may not be ratonal and s amed only to break the protocol). In Secton 3, we prove the followng nformally stated theorem: Theorem 1 Any two-party mechansm that acheves U + -ndependence guarantees complete farness n the presence of malcous adversaral behavor. Furthermore, any two-party mechansm that acheves U f -ndependence guarantees correctness n the presence of malcous adversaral behavor. Intutvely, Theorem 1 holds because f a mechansm s U + -ndependent, then t must be n a party s nterest to cooperate even f ts U + utlty s very
4 hgh. However, f a party s U + utlty s hgh enough but stll polynomal then t can be shown that ts best strategy s to just try and break farness (because then t gans U + ). Snce, t should not be able to succeed n dong ths, t follows that a malcous adversary also can only break farness wth neglgble probablty. The connecton between U f ndependence and correctness s proven n a smlar way. It s possble to use Theorem 1 n order to prove that there do not exst two-party reconstructon mechansms for ratonal secret sharng that are ndependent of U +, by showng how to toss a far con gven any such mechansm. (Intutvely, gven such a mechansm, we construct a protocol where n the frst stage multparty computaton s used to generate shares of an unbased con, and then the mechansm s used to farly reveal the con.) Usng the mpossblty result of Cleve [2] for con tossng, we then conclude that such a mechansm does not exst. However, we stress that unbased con tossng s only mpossble n the non-smultaneous channels model, and thus ths would only prove the mpossblty of obtanng U + -ndependence n ths model, and leaves open the possblty that there do exst U + -ndependent mechansms n the smultaneous channels model. We therefore provde a drect proof, rulng out the possblty of obtanng U + -ndependence even when gven a smultaneous channel. That s, we prove the followng: Theorem 2 There does not exst a two-party reconstructon mechansm for ratonal secret sharng that s ndependent of U + n ether the smultaneous or non-smultaneous channels model. In order to prove ths, we actually present a lower bound on the number of rounds needed for achevng far reconstructon and show that ths number s dependent on the actual utlty functons of the partes (or, to be more exact, a bound on them). Thus, no mechansm can be ndependent of the utltes because ths mples that ts number of rounds s also ndependent. Our lower bound s proven n the smultaneous-channels model and therefore also holds for non-smultaneous channels. Havng establshed that U + -ndependence s mpossble to acheve, we ask whether the other utlty values must also be known. For example, we know that U f -ndependence s possble n the smultaneous-channels model, because all of the known protocols for the smultaneous-channels model (cf. [5, 10]) are U f -ndependent. Ths leaves open the queston regardng U f -ndependence wth non-smultaneous channels. We prove that: Theorem 3 There does not exst a two-party reconstructon mechansm for ratonal secret sharng that s U f -ndependent n the non-smultaneous channels model. The proof of ths theorem uses Theorem 1 that states that a U f -ndependent mechansm guarantees correctness. We then prove that n the non-smultaneous channels model, t s not possble to construct a correct reconstructon mechansm.
5 Postve results. In Secton 5, we present two postve results as follows: 1. We present a two-party reconstructon mechansm for ratonal secret sharng that works n the non-smultaneous model. Ths mechansm uses the actual values of U f ; gven the mpossblty result of Theorem 3, ths s nherent. 2. We present a multparty reconstructon mechansm that uses smultaneous channels and s ndependent of all utlty values, under a relaxaton of the learnng-preference assumptons. Namely, we assume that a party prefers to be the only one to learn the secret but once one other party has learned the secret t makes no dfference f all learn t. In fact, t suffces to assume that even though each party prefers that as few other partes as possble learn the secret, the utlty f all but 1 or all but 2 partes learn s the same (.e., t makes no dfference f all partes learn the secret or f almost all partes learn the secret). The above results show that (a) correctness need not be forfeted n the model wth non-smultaneous channels, and (b) utlty ndependence s possble to acheve n some settngs, dependng on the assumptons on the utlty functons. Related work. The queston of ratonal secret sharng was frst ntroduced by [6]. They showed that there does not exst a mechansm wth a constant number of rounds, wth a Nash Equlbrum that survves terated deletons of weakly domnated strateges. Moreover, they presented a protocol for n 3 (that s U + -dependent) n the smultaneous model. More protocols, dealng wth other settngs, were presented for the smultaneous model n [5, 1, 9, 10], and for the non-smultaneous model n [10, 7]. The basc queston that we ask regardng utlty ndependence was proposed n [6]. The frst partal answer to ths queston was gven by [1] who showed that utlty ndependence s possble for t-out-of-n secret sharng as long as t < n/3. Ths queston was also consdered by [14] who gave a partal answer n ther model. Among other thngs, we have shown that t s not possble for the mportant case of 2-out-of-2 secret sharng. The works of [13, 11] can be used to obtan far secret sharng, but assume stronger physcal assumptons than a smultaneous channel. Other works have also consdered a mx of ratonal, honest and malcous partes [16, 14, 1]. 2 Defntons and Prelmnares We denote by S an effcently samplable dstrbuton for choosng the secret to be shared, by share the secret sharng scheme and by (Γ, σ) the reconstructon mechansm. Defntons of secret sharng and Nash equlbra can be found n the full verson. Outcome and utltes. The outcome of an executon of a game Γ wth some strategy profle σ s denoted o and conssts of the output of all of the partes. In the case of 2-out-of-2 secret sharng, each party may learn or may not learn the secret, and there are therefore exactly four possble outcomes. (Ths gnores the ssue of correctness whch we ntroduce n ths paper and dscuss below.)
6 Each party s utlty s a functon of these outcomes, and there are therefore also four possble utlty values for each party. The notatons for the four possble outcomes, and the assocated utlty for each party, are descrbed n Table 1. P 1 receves s P 2 receves s Outcome notaton P 1 s Utlty P 2 s Utlty NO NO o none U 1 U 2 NO YES o + 2 U 1 U + 2 YES NO o + 1 U + 1 U 2 YES YES o both U 1 U 2 Table 1. Outcome and Utlty In ths paper, we consder the possblty that partes may output ncorrect values and ntroduce a utlty U f for ths event (nformally, a party gans U f f t succeeds n havng the other party output a false/ncorrect value). Ths results n nne possble outcomes of the game (each party may learn the correct value, not learn, or output an ncorrect value). For smplcty we wll consder only the outcome where one party does not learn the secret whle the other outputs an ncorrect (or false) value. We denote ths event by o false, where P s the party who outputs the ncorrect value. (We explctly consder ths event because ths s the one that occurs naturally. Needless to say, when analyzng mechansms all possbltes need to be taken nto account.) Assumptons on the utlty functons. We assume that the utlty functons of all partes are polynomal n the securty parameter. Formally, a party s utlty functon u s a functon of the outcome and the securty parameter k. We therefore wrte U (1 k ) = u (1 k, o both ), U + (1k ) = u (1 k, o + ), U (1k ) = u (1 k, o none ), U (1 k ) = u (1 k, o + ), and U f (1k ) = u (1 k, o false ). As s now standard [6, 5, 10], we assume that each party always prefers to learn the secret than to not learn t, and that each party most prefers to be the sole party to learn the secret. We add an addtonal assumpton beng that a party prefers to have the other party output an ncorrect value than not, when n both cases the frst party does not learn anyway. We do not make any assumpton on U f beyond ths. (In [10] they mplctly assume that U f < U for all partes.) For lack of a better name, we call utlty functons that fulfll these assumptons natural. Formally: Defnton 4 Let U = {(U +, U, U, U, U f ) {1,2}} be a set of utlty functons for the partes. We say that U s natural f for every {1, 2} and for every k N t holds that U + (k) U (k) U (k) U (k) 0 and U f (k) U (k). We remark that n all prevous works, t was formally assumed that U (k) = U (k), even though none of the protocols utlzed ths fact. We have not defned t n ths way because we fnd t unsatsfactory to assume that once a party has not learned, t makes no dfference to ts utlty f others dd or dd not learn. On the contrary, t can be a lot worse f a party does not learn whle others do learn and so protocols should take ths nto account. We note that all prevous protocols can be modfed to work wth the value U. We also note that our
7 lower bounds hold even f U the value U. = U, and so we do not assume anythng about Far secret sharng. A number of dfferent notons have been used regardng the desred equlbrum for ratonal secret sharng. Our mpossblty results refer to the weakest of these assumptons, whch s ɛ-nash equlbrum for a neglgble functon ɛ( ) [10, 8]. However, we also requre that the number of rounds be polynomal (ths s needed for our lower bounds, but we argue that ths does not sgnfcantly weaken our results because a mechansm wth a super-polynomal of rounds s not computatonally feasble to run). The natural way to model ths s as a computatonal Nash equlbrum [3, 8] (although our results hold even f local computaton by each party s unbounded). We defne computatonally far reconstructon mechansms n ths lght: Defnton 5 Let U be a set of natural utlty functons for P 1 and P 2 (as n Defnton 4). We say that a mechansm (Γ, σ) s a far reconstructon mechansm for U f σ s a computatonal Nash Equlbrum and f the probablty that the result s not o both when both partes follow σ s neglgble. 3 Utlty-Independent Mechansms and Propertes 3.1 Defntons We now formalze the noton of utlty ndependence. Loosely speakng, a mechansm s ndependent of a gven utlty functon f t acheves ts desred propertes for any value of that utlty for all partes. Defnton 6 Let Û {U +, U, U, U, U f } be a utlty type and let U = {U +, U, U, U, U f }n =1 \ {Û} n =1 be a set of polynomal utlty functons (excludng all the Û values). We say that the mechansm (Γ, σ) s a Û-ndependent far reconstructon mechansm f for all polynomal utlty functons {Û} n =1 for whch U = U {Û} n =1 s natural, t holds that (Γ, σ) s a far reconstructon mechansm for U. Note that our defnton of utlty ndependence ncludes the assumpton that U s natural. In our results, we focus on U + and U f ndependence. Farness and correctness. In ths secton, we show that U + and U f ndependence mples the propertes of complete farness and correctness n the presence of adversaral behavor. 1 We stress that we defne these notons n an adversaral context and not n a game theoretc one. That s, we say that a protocol or mechansm s completely far/correct f t mantans ths property when one of the 1 We consder the two-party case only because we only deal wth the case of no coaltons n ths paper, and n the case of no coaltons we have an honest majorty and so farness and correctness (n the presence of a malcous adversary) can be acheved. Ths case s therefore not nterestng.
8 partes follows a worst-case strategy (meanng that t has no am to gan utlty and ts am s smply to break ths property of the protocol). We remark that we wll move freely between protocols n a cryptographc settng wth an adversary A and mechansms nvolvng ratonal adversares playng a game n order to acheve utlty. Ths s due to the fact that a mechansm trvally defnes a protocol and vce versa. We now proceed to defne complete farness and correctness. We present the defntons n a protocol context ; ther translaton to the game-theoretc context s dscussed below. Intutvely, a two-party reconstructon protocol s completely far f whenever one party learns the secret the other party s also guaranteed to learn the secret, except wth neglgble probablty. Lkewse, a reconstructon protocol s correct f the honest party s guaranteed to ether output the correct value (.e., the secret that was shared) or a specal abort symbol. Although t s dffcult to formalze these notons for general secure computaton wthout resortng to a full deal model/real model defnton (snce the output depends on the actual nputs used by the possbly malcous partes), n the case of secret sharng t s much smpler because the output of the protocol s well defned. In partcular, the output can only be the shared secret s or an abort symbol. We assume that any reconstructon protocol s non-trval meanng that f both partes are honest, then they both learn the secret except wth neglgble probablty. We frst ntroduce some notaton. Let real π,a, (share(s)) denote the outcome o of an executon of the reconstructon protocol π, wth the partes P 1 and P 2, an adversary A controllng party P ( {1, 2}), and a share s that was chosen by S and shared as n share; recall that an outcome s smply the concatenaton of the outputs of all partcpatng partes (snce A controls P, we consder only the output of A and the honest party). Next, denote by output X (real π,a, (share(s)) the output of party X (where X may be A or the honest party P ). Recall that the securty parameter s denoted k. Defnton 7 Let share be a share generaton algorthm for a 2-out-of-2 secret sharng scheme, and let π be the reconstructon protocol for the scheme. 1. We say that π s completely far f for every probablstc polynomal-tme adversary A that controls the party P there exsts a neglgble functon µ( ) such that Pr[output A (real π,a, (share(s))) = S] Pr[output P (real π,a, (share(s))) = S] + µ(k). 2. We say that π s correct f for every probablstc polynomal-tme adversary A that controls the party P there exsts a neglgble functon µ( ) such that Pr[output P (real π,a, (share(s))) / {S, }] µ(k). An equvalent formulaton of the above for mechansms s obtaned by requrng that the result of an executon where one party follows the prescrbed strategy and the other may follow any arbtrary alternatve strategy s far (or correct). For example, correctness of a mechansm (Γ, σ) can be formalzed by
9 sayng that for every arbtrary strategy σ followed by party P ( {1, 2}) there exsts a neglgble functon µ such that: Pr[output P (real Γ,P(σ ),P (σ ) (share(s))) {, S}] µ(k). (Observe that correctness s guaranteed only when party P follows the prescrbed strategy σ.) 3.2 U + -Independence vs Farness and U f -Independence vs Correctness We now prove that the exstence of a U + -ndependent reconstructon mechansm mples the exstence of a completely far reconstructon protocol. Intutvely ths holds because f complete farness s not acheved, then there exsts an adversary who can partcpate n the protocol nduced from the mechansm and wth nonneglgble probablty can learn the secret whle the honest party does not. Gven such an adversary, we can set the utlty U + of one of the partes to be hgh enough so that ts expected gan by followng the adversaral strategy s hgh enough. Our proof holds for both smultaneous and non-smultaneous channels. Proposton 8 If there exsts a U + -ndependent far reconstructon mechansm for a 2-out-of-2 secret sharng scheme (as n Defnton 6), then there exsts a completely far reconstructon protocol (as n Defnton 7) for the scheme. Proof: Let (Γ, σ) be a U + -ndependent far reconstructon mechansm and let U be a set of utltes specfyng {U, U, U, U f } for both partes. Denote by π the protocol derved from (Γ, σ) as descrbed above. Assume by contradcton that π s not a completely far reconstructon protocol. Ths mples that there exsts a probablstc polynomal-tme adversary A that controls some party P ( {1, 2}) and a polynomal p( ) such that for nfntely many k s: Pr [output A (real π,a, (share (S))) = S] > Pr [ output P (real π,a, (share (S))) = S ] + 1 p(k) Let σ A be the correspondng behavoral strategy of the adversary A n the game Γ. Note that the outcome of the game when party P plays accordng to σ A, whle the other party plays accordng to the prescrbed strategy σ, s o + wth probablty 1/p(k). We now defne the utlty functon U + for party P by U + p(k) (U +1). We show that for nfntely many k s, P s utlty s greater f t follows σ A than f t follows σ, whch s a contradcton to the assumpton that σ s a (computatonal) Nash equlbrum. Let O denote the set of all possble outcomes, and recall that u (o) s the utlty of P upon outcome o. We have that for nfntely many k s: ( ) u σ A, σ = Pr[o (σ A, σ )] u (o) o O Pr [ o + (σ A, σ ) ] U + 1 p(k) (p(k) (U + 1)) = U + 1.
10 In contrast, u (σ, σ ) = U. Thus, there exsts a non neglgble functon ɛ (even f U s neglgble), such that: u ( σ A, σ ) u (σ, σ ) + ɛ (k) n contradcton to the assumpton that σ s a computatonal Nash equlbrum for Γ. We therefore conclude that the protocol π nduced from (Γ, σ) s completely far, as n Defnton 7. U f -ndependence mples correctness. The followng s proved analogously to Proposton 8: Proposton 9 If a far reconstructon mechansm for a 2-out-of-2 secret sharng scheme s U f -ndependent (as n Defnton 6), then t acheve correctness (as n Defnton 7). 4 Negatve Results 4.1 Impossblty for U + -Independence As we have mentoned, Proposton 8 can be used to prove the mpossblty of obtanng U + -ndependent far reconstructon mechansms n the non-smultaneous channels model. Ths s because any such mechansm can be used to toss a far con, n contradcton to [2]. (Specfcally, secure computaton can be used to generate shares of a random bt, whch are then reconstructed usng the mechansm. By Proposton 8, ths mechansm guarantees complete farness n the presence of malcous behavor and so nether party can bas the outcome.) Such a proof leaves open the possblty of obtanng U + -ndependence n the smultaneous channels model. In ths secton we therefore prove a lower bound on the number of rounds that are needed n any far reconstructon mechansm, even n the smultaneous model. As we wll see, the number of rounds depends on the U + utltes of the partes; U + -ndependence s therefore not achevable. We prove our lower bound by consderng a specfc attack (or, an alternatve strategy) that can be carred out on every mechansm. The attack that we consder s a premature abort. When a party aborts prematurely, t does not broadcast ts message n the round that t quts, whle the other party does. Therefore, ntutvely, t may gan more nformaton about the secret than the other party. The mechansm must therefore guarantee that the amount of nformaton ganed n any sngle round s small enough so that carryng out such an attack s not proftable and wll yeld a lower utlty. We quantfy ths amount of nformaton and defne an abortng threshold for each party as follows: β 1 = U 1 U1 U U and β 2 = U 2 U2 U We now prove that the number of rounds n any far reconstructon mechansm depends on {β 1, β 2 } and so depends on the actual utltes. U + 2 2
11 Theorem 10 Let (Γ, σ) be a far reconstructon mechansm, let R Γ (σ 1,σ 2 ) be a random varable denotng the number of rounds n Γ when both partes play accordng to σ = (σ 1, σ 2 ), and let β mn {β 1, β 2 } be as above. Then: E[R Γ (σ 1,σ 2) ] > 1 8 β Proof Sketch: We start wth some notaton. Denote by a the output of party P 1 when P 2 quts at round before sendng ts message (that s, at round only P 1 broadcast ts message); lkewse b denotes the output of P 2 when P 1 quts at round. Note that when P 1 quts at round (before sendng ts message) and P 2 does not qut n that round, party P 1 receves an addtonal message and therefore may gan addtonal knowledge about the secret. In such a case, P 1 outputs a +1, whle P 2 outputs b. In the followng clam, we bound the amount of addtonal knowledge that a party can gan n such a stuaton: Clam 11 Let U be a set of natural utlty functons for P 1 and P 2 (as n Defnton 4), and let the mechansm (Γ, σ) be a far reconstructon mechansm for U (as n Defnton 5). For every round 0, the followng must hold: Pr [a +1 = s] Pr [b = s] + 2β 1 and Pr [b +1 = s] Pr [a = s] + 2β 2 Proof Sketch: Assume by contradcton that the above does not hold. Wthout loss of generalty, assume that there exsts an such that Pr [a +1 = s] > Pr [b = s] + 2β 1. In the proof, we consder an alternatve strategy σ 1 for P 1 whch s dentcal to the prescrbed strategy σ 1 except that t nstructs the party P 1 to qut before broadcastng the message n round. Assumng that the other party (P 2 ) does broadcast ts share n that round, and that the executon reaches round, we have that P 1 outputs a +1 whle P 2 outputs b. Usng the contradctng assumpton, t follows that: Pr [a +1 = s b s] Pr [a +1 = s] Pr [b = s] > 2β 1. That s, wth probablty at least 2β 1 the outcome s o + 1, and therefore P 1 gans U 1 + whle P 2 gans only U2. Thus, the expected utlty of P 1 s at least 2β 1 U + 1 +(1 2β 1) U 1 = 2β 1 (U + 1 U 1 )+U 1 = 2U 1 2U 1 +U 1 > U 1 where the last equalty s by the assumpton that U s non-neglgbly greater than U and U (note that f U U then P has no reason to play at all). Thus, the strategy σ1 of stoppng n round s a better strategy for P 1, n contradcton to the assumpton that σ = (σ 1, σ 2 ) s a Nash equlbrum. We stress that some mportant detals are omtted from ths proof sketch. For example, t does not take nto account the probablty that round s actually reached n the executon or the possblty of neglgble falure; see the full verson for detals.
12 We use the above clam to prove our lower bound. Now, consder the case that the secret s a unformly dstrbuted k-bt strng. In such a case, the probablty that any party outputs the correct secret before recevng any message s neglgble (.e., Pr[a 0 = s] = Pr[b 0 = s] = µ(k) for some neglgble functon µ). By smple nducton, we have that for every : and so Pr [a = s] 2β + µ(k) and Pr [b = s] 2β + µ(k) 2r(k) =1 Pr [a = s] 2r(k) =1 2β + µ(k) 4β r 2 (k) where r(k) denotes the expected number of rounds;.e., E[R(σ Γ 1,σ 2) ] = r(k). By ] [ ] Markov, Pr [R Γ(σ1,σ2) 2r(k) 1 2 and so Pr R(σ Γ < 2r(k) 1,σ 2) > 1 2. Now, f R(σ Γ < 2r(k) then for some {1,..., 2r(k)} t holds that a 1,σ 2) = s (because at the end, both partes must output s). Thus, We conclude that 2r(k) =1 Pr[a = s] > r(k) 1 2 < Pr [a = s] 4βr 2 (k) =1 mplyng that r(k) > 1. (Note that the theorem bounds r(k) > 1 and not 8β 8 β what we have shown here. Ths s due to addtonal factors that we have omtted from ths sketch; see the full verson for detals.) Usng Theorem 10 we conclude that there do not exst U + -ndependent far reconstructon mechansms wth an expected number of rounds that s polynomal, even n the smultaneous model. In order to see ths, we show that for all fxed polynomals U, U, U and r(k), there exsts a polynomal U + such that r(k) < 1. Specfcally, take U + 8 β 64r 2 (k) (U U because n such a case β = U U U U + and thus r(k) 1 8 β n contradcton. U U 64r 2 (k) (U U ) + U ) + U U =. Ths suffces 1 64r 2 (k) 4.2 Impossblty for U f -Independence (Non-Smultaneous) In Secton 3 we showed that any mechansm that s U f -ndependent acheves correctness. In the smultaneous channels model, U f -ndependence and correctness has been acheved by prevous protocols [5, 9]. However, as we have mentoned, the known protocols for the model wth non-smultaneous channels do not guarantee correctness. In partcular, f U f > U for some party P then the strategy profles σ of [10, 7] are not computatonal Nash equlbrums. In
13 ths secton we prove that ths s nherent to the non-smultaneous model. That s, there does not exst a far reconstructon mechansm that s U f -ndependent n the non-smultaneous model. The Kol-Naor mechansm [10] and correctness. Before proceedng wth our proof, we descrbe the mechansm of Kol and Naor for non-smultaneous channels and show why t does not acheve correctness. Ths example llustrates the problem of achevng U f -ndependence and s thus very nstructve. The Kol- Naor mechansm assumes that the utlty functons U fulfll the assumptons n Defnton 4. Furthermore, the mechansm tself s constructed gven the actual values of the utlty functons (.e., t s utlty dependent). The general dea of ther protocol s that the shares assgned to the party are actually lsts of possble secrets. One party receves a lst of sze l (ths party s called the short party ), and the other party receves a lst of sze l + d (ths party s called the long party ). The short lst s a strct prefx of the other. The lengths l and d are chosen accordng to a geometrc dstrbuton wth parameter β, where β depends on the utlty functons of the partes. The real secret s located at poston l + 1 n the long lst, whle all the other elements n the lsts are fake; the (l + 1)th round s called the defntve round because n ths round the secret s learned. In addton to the lsts descrbed above, the dealer selects an ndependent random permutaton for every round; ths permutaton determnes the order n whch the partes send ther lst elements n the round. The party that sends ts message frst n the defntve round s gven the long lst, and the other party s gven the short lst. In addton, the partes receve the permutatons for the rounds appearng n ther respectve lsts (.e., the short party receves the permutaton only for the frst l rounds). We stress that nether party knows f t the short or long party. In any gven round, we call the party who sends ts element frst the frst party and we call the other the second party. In order to reconstruct the secret, the partes proceed round by round; n the th round each party sends ts th lst element n the order determned by the permutaton. At teraton l + 1 (the defntve teraton ), the long party s the frst to broadcast ts share (that s, t s the frst party ). However, the short party s lst s fnshed and thus t has no element to send. It therefore remans slent n ths round. The frst round n whch only one party sends a lst element s the defntve round, and so the secret sent n ths round s taken to be the real secret. Intutvely, farness s acheved because the owner of the long lst does not know the length of the short lst, and n partcular does not know whch round s the defntve round. It therefore does not know whch of the elements n ts lst s the real secret and so has to send ts share every round. See [10] for detals. As ponted out n [10, Note 6.2], f one of the partes aborts prematurely (.e., remans slent n round for some < l) then the other party wll output an ncorrect value (wth hgh probablty the element s of the th round wll not equal the secret). It s mportant to note that the abortng party knows that s s not the real secret because ts lst s not yet fnshed. Furthermore, t can even have some nfluence over the ncorrect value output by the frst party (ths s because t can choose at whch pont to stop and thus t can choose whch of
14 the values n the prefx of the lst s output by the frst party). The protocol s therefore clearly not correct. We remark that the same problem also exsts for the protocol of [7]. As we have mentoned, [10] assume that ratonal partes wll not behave n ths way because they always prefer to learn the secret than to not learn t (observe that f a party aborts prematurely then t wll not learn the real secret). That s, they assume that U f < U. We show that ths assumpton s essental as long as U f -ndependence s desred. The mpossblty result. Our proof of mpossblty assumes that for all, U + s strctly greater than U by a non-neglgble amount; ths s called strct compettveness; see [10]. We are now ready to formally state the theorem. Theorem 12 There do not exst U f -ndependent far reconstructon mechansms for strctly compettve utlty functons n the non-smultaneous model. By Proposton 9, U f -ndependence mples correctness. We therefore prove that n the non-smultaneous model there does not exst a far reconstructon mechansm that s correct, as defned n Defnton 7. Intuton: We begn by descrbng 2 strateges σ stop 1 and σ stop 2. The strategy σ stop 1 for party P 1 s the strategy that follows the prescrbed σ n all the rounds wth the followng dfference. In every round, P 1 checks what ts output would be f P 2 quts at that round. In the frst round for whch the output s not, the strategy σ stop 1 nstructs P 1 to qut at that round. σ stop 2 s defned analogously. Snce we assume correctness, the probablty that one of the partes wll output a value whch s not s or when the other prematurely aborts s neglgble. Thus, when playng σ stop both of the partes wll output the correct s n the round that they qut. Next, we prove that when both partes follow σ stop, wth hgh probablty one of them learns the secret whle the other does not. We conclude by showng that the prescrbed strategy σ s not a computatonal Nash equlbrum by showng that one of the σ stop strateges has a better expected utlty than σ. That s, we show that ether u 2 (σ 1, σ stop 2 ) > u 2 (σ 1, σ 2 ) + ɛ or u 1 (σ stop 1, σ 2 ) > u 1 (σ 1, σ 2 ) + ɛ, for some non-neglgble functon ɛ. The proof of ths appears n the full verson. 5 Postve Results 5.1 U f -Dependent Reconstructon n the Non- Smultaneous Model In ths secton, we address the basc queston of whether or not t s possble to construct a far and correct reconstructon mechansm usng non-smultaneous channels even f U f U. We answer ths n the postve by constructng a mechansm that works as long as t knows the value of U f for each party P (n the same way that the mechansm knows the values of U +, U, U and U ). The dea behnd the mechansm. We wll consder the two party case only, but the dea works for the multparty case as well. We assume famlarty wth the protocol of Kol and Naor [10]; see the begnnng of Secton 4.2 for a short descrpton of the protocol and why t does not guarantee correctness. Ths wll
15 be used below. Lookng closely at the strategy for breakng correctness n the Kol-Naor mechansm, t arses because the frst party to send ts lst element n an teraton has no way of verfyng f the current round s the defntve round or not. Ths s necessary because f the long party could check f the current round s the defntve one before sendng ts element, t could learn the secret wthout the other party learnng t. Despte ths, our key observaton s that t s not necessary that all of the fake teratons be the same, as n the Kol-Naor mechansm. Rather, we ntroduce addtonal rounds wth the property that the second party n each such round knows that the round s fake whle the frst party does not. Now, f a frst party prematurely aborts on such a round, then t wll gan only U, and not U f (because the second party knows that the frst party has cheated and just aborts outputtng ). By addng enough of these addtonal rounds, we have that the probablty that a party successfully acheves U f s low enough so that a hgher expected utlty s obtaned by playng σ and obtanng U. See the full verson for a detaled descrpton and proof. 5.2 Full Independence for n 3 wth Relaxed Assumptons In ths secton we show that utlty dependence s not always essental. In partcular, we show that for a certan reasonable relaxaton of the utlty functons, t s possble to construct a utlty ndependent far reconstructon mechansm for the case of t-out-of-n secret sharng, where n 3. We do not clam that our assumptons always hold or should be used; rather our am here s to show that utlty ndependence can sometmes be acheved. The standard assumptons [6, 10] typcally used for the utlty functons are that a party always prefers to learn than not. Furthermore, assumng that a party learns, the fewer others that learn the better. We relax these assumptons, and assume that each party prefers to learn the secret alone, but once one of the other partes learns the secret t doesn t matter how many other partes learn t (thus U + denotes the utlty when t alone learns, and U denotes the utlty that t learns along wth any postve number of other partes). In addton to the above, we assume that the utlty functons are polynomal n the securty parameter, and that there s a non neglgble dfference between them. That s, there exsts a polynomal p( ), such that for nfntely many k s t holds that: U U + 1 p(k). (Our mpossblty result for U + -ndependence when n = 2 holds for such utlty functons.) Ths s a natural extenson of the strct dfferences between the utlty functons, as defned n [10], when they are modeled as functons of the securty parameter. (We remark that U + may equal U ; we only need a non-neglgble dfference between U and U.) Note that when the above does not hold, t means that P s utlty when not learnng s essentally the same as when learnng. Thus, P may as well not partcpate at all and ths case s not nterestng. Our protocol assumes smultaneous channels n order to acheve U f -ndependence. As we showed n Theorem 12, t s mpossble to acheve U f ndependence wth non-smultaneous channels. 2 2 A verson of our protocol for the non-smultaneous model can be constructed usng the technques of [10] and our protocol n Secton 5.1. However, note that the protocol
16 The protocol dea. The dea behnd our protocol s to enable one of the partes to learn the secret even when the others do not. Now, once ths party has learned the secret, t s not possble for any other party to obtan U +. Thus, the other partes can ether contnue wth the executon of the protocol and obtan U, or they can qut and obtan only U (whch s strctly less than U by the assumpton that U U + 1 p(k) ). The man queston s how to construct a protocol so that one of the partes can learn the secret, but only after there are t t partes partcpatng n the reconstructon phase, but then enable the resdual t 1 partes to reconstruct the secret wthout the cooperaton of the party who already learned the secret. We acheve ths n the followng way. Let s be the secret to be shared; for smplcty assume that s {0, 1} k (where k s the securty parameter). The dealer chooses a random r R {0, 1} k and generates shares of r and s wth threshold t and shares of r s wth threshold t 1 (overall three sets of shares). The dealer then sends each party ts shares. Before proceedng we note that no set of t 1 partes can reconstruct the secret s, because even though a set of ths sze can learn r s, wthout knowng r ths s of no help. In addton, gnorng ssues of ratonalty and utlty, t s possble for every set of t partes to obtan s by just reconstructng the shares of s, or by reconstructng r and r s (where the latter requres only t 1 to partcpate). We now nformally descrbe our reconstructon protocol. In the frst phase of the protocol t t partes reconstruct r by smply sendng ther shares to all others. In the second phase, the t partes reconstruct s by sendng ther shares one at a tme consecutvely (here t s crucal that a smultaneous channel not be used and so we use the smultaneous channel as a non-smultaneous one, by havng every party wat untl t receves all prevous messages before sendng ts own). Note that at the end of the second phase, the last t t + 1 partes can reconstruct the secret alone, and thus, they may not send ther shares. If any of the partes does not send ther share n the frst phase, or f any of the frst t 1 partes does not send ther share n the second phase, then all partes abort and output. At the end of ths phase, unless all have aborted, there reman t 1 partes who have not learned the secret. These partes contnue to the thrd phase. The crucal observaton s that none of these partes can obtan U + snce there are already t t partes who have learned the secret s. We utlze ths fact to use any one of the known ratonal reconstructon protocols whle settng β = 1 2 (where β s a parameter that usually depends on the utlty values, lke our β n the lower bound); observe that we fx β rrespectve of the actual utlty values. Ths works because at ths pont, once one party has learned the secret, the maxmum possble utlty the partes can obtan s U. In partcular, even f only one party of the remanng t 1 partes learns the secret, ts utlty s stll U because one party already knows the secret. Now, the known ratonal secret sharng protocols wth β = 1 2 all have the property that f the partes follow σ then they wll obtan U (wth probablty 1). However, f they for the non-smultaneous model needs to know the values of U f, U and U, and therefore the result s only U + -ndependent.
17 do not, then wth probablty 1 β they wll obtan U. Thus, the expected utlty by not followng σ s 1 2 U U < U, and so the partes follow σ and all learn the secret. Remark. Our constructon can be extended to deal wth the case that partes do prefer that as few as possble other partes learn, but do not care whether t 2 or t 1 partes learn (.e., t does not make any dfference f all learn, or all but one learn). Ths s a much mlder relaxaton on the utlty functons; see the full verson for detals. References 1. I. Abraham, D. Dolev, R. Gonen and J.Y. Halpern. Dstrbuted Computng Meets Game Theory: Robust Mechansms for Ratonal Secret Sharng and Multparty Computaton. In the 25th PODC, pages 53 62, R. Cleve. Lmts on the Securty of Con Flps when Half the Processors are Faulty. In 18th STOC, pages , Y. Dods and T. Rabn. Cryptography and Game Theory. In Algorthmc Game Theory, Cambrdge Unversty Press, O. Goldrech. Foundatons of Cryptography: Volume 2 Basc Applcatons. Cambrdge Unversty Press, S.D. Gordon and J. Katz. Ratonal Secret Sharng, Revsted. In the 5th Conference on Securty and Cryptography for Networks (SCN), pages , J. Halpern and V. Teague. Ratonal Secret Sharng and Multparty Computaton. In the 36th STOC, pages , G. Fuchsbauer, J. Katz, E. Level and D. Naccache. Effcent Ratonal Secret Sharng n the Standard Communcaton Model. Cryptology eprnt Archve, Report #2008/488, J. Katz. Brdgng Game Theory and Cryptography: Recent Results and Future Drectons. In 5th TCC, Sprnger-Verlag (LNCS 4948), pages , G. Kol and M. Naor. Cryptography and Game Theory: Desgnng Protocols for Exchangng Informaton. In the 5th TCC, Sprnger-Verlag (LNCS 4948), pages , G. Kol and M. Naor. Games for Exchangng Informaton. In the 40th STOC, pages , S. Izmalkov, S. Mcal, and M. Lepnsk. Ratonal Secure Computaton and Ideal Mechansm Desgn. In the 46th FOCS, pages , M. Lepnsk, S. Mcal, C. Pekert, and A. Shelat. Completely Far SFE and Coalton-Safe Cheap Talk. In the 23rd PODC, pages 1 10, M. Lepnsk, S. Mcal, and A. Shelat. Colluson-Free Protocols. In the 37th STOC, pages , A. Lysyanskaya and N. Trandopoulos. Ratonalty and Adversaral Behavor n Multparty Computaton. In CRYPTO 2006, Sprnger-Verlag (LNCS 4117), pages , A. Shamr. How to Share a Secret. In Communcatons of the ACM, 22(11): , S.J. Ong, D. Parkes, A. Rosen and S. Vadhan. Farness wth an Honest Mnorty and a Ratonal Majorty. In the 6th TCC, Sprnger-Verlag (LNCS 5444), pages 36 53, 2009.
Edge Isoperimetric Inequalities
November 7, 2005 Ross M. Rchardson Edge Isopermetrc Inequaltes 1 Four Questons Recall that n the last lecture we looked at the problem of sopermetrc nequaltes n the hypercube, Q n. Our noton of boundary
More informationNotes on Frequency Estimation in Data Streams
Notes on Frequency Estmaton n Data Streams In (one of) the data streamng model(s), the data s a sequence of arrvals a 1, a 2,..., a m of the form a j = (, v) where s the dentty of the tem and belongs to
More informationCS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016
CS 29-128: Algorthms and Uncertanty Lecture 17 Date: October 26, 2016 Instructor: Nkhl Bansal Scrbe: Mchael Denns 1 Introducton In ths lecture we wll be lookng nto the secretary problem, and an nterestng
More informationDifference Equations
Dfference Equatons c Jan Vrbk 1 Bascs Suppose a sequence of numbers, say a 0,a 1,a,a 3,... s defned by a certan general relatonshp between, say, three consecutve values of the sequence, e.g. a + +3a +1
More informationImproving the Round Complexity of VSS in Point-to-Point Networks
Improvng the Round Complexty of VSS n Pont-to-Pont Networks Jonathan Katz Chu-Yuen Koo Rant Kumaresan Abstract We revst the followng queston: what s the optmal round complexty of verfable secret sharng
More informationPerfect Competition and the Nash Bargaining Solution
Perfect Competton and the Nash Barganng Soluton Renhard John Department of Economcs Unversty of Bonn Adenauerallee 24-42 53113 Bonn, Germany emal: rohn@un-bonn.de May 2005 Abstract For a lnear exchange
More informationAssortment Optimization under MNL
Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.
More informationCOS 521: Advanced Algorithms Game Theory and Linear Programming
COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton
More informationProblem Set 9 Solutions
Desgn and Analyss of Algorthms May 4, 2015 Massachusetts Insttute of Technology 6.046J/18.410J Profs. Erk Demane, Srn Devadas, and Nancy Lynch Problem Set 9 Solutons Problem Set 9 Solutons Ths problem
More information3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X
Statstcs 1: Probablty Theory II 37 3 EPECTATION OF SEVERAL RANDOM VARIABLES As n Probablty Theory I, the nterest n most stuatons les not on the actual dstrbuton of a random vector, but rather on a number
More informationLecture Space-Bounded Derandomization
Notes on Complexty Theory Last updated: October, 2008 Jonathan Katz Lecture Space-Bounded Derandomzaton 1 Space-Bounded Derandomzaton We now dscuss derandomzaton of space-bounded algorthms. Here non-trval
More informationLecture 4. Instructor: Haipeng Luo
Lecture 4 Instructor: Hapeng Luo In the followng lectures, we focus on the expert problem and study more adaptve algorthms. Although Hedge s proven to be worst-case optmal, one may wonder how well t would
More informationThe Second Anti-Mathima on Game Theory
The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player
More information2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification
E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton
More informationCS286r Assign One. Answer Key
CS286r Assgn One Answer Key 1 Game theory 1.1 1.1.1 Let off-equlbrum strateges also be that people contnue to play n Nash equlbrum. Devatng from any Nash equlbrum s a weakly domnated strategy. That s,
More informationImproving the Round Complexity of VSS in Point-to-Point Networks
Improvng the Round Complexty of VSS n Pont-to-Pont Networks Jonathan Katz Chu-Yuen Koo Rant Kumaresan Abstract We revst the followng queston: what s the optmal round complexty of verfable secret sharng
More informationThe Order Relation and Trace Inequalities for. Hermitian Operators
Internatonal Mathematcal Forum, Vol 3, 08, no, 507-57 HIKARI Ltd, wwwm-hkarcom https://doorg/0988/mf088055 The Order Relaton and Trace Inequaltes for Hermtan Operators Y Huang School of Informaton Scence
More informationa b a In case b 0, a being divisible by b is the same as to say that
Secton 6.2 Dvsblty among the ntegers An nteger a ε s dvsble by b ε f there s an nteger c ε such that a = bc. Note that s dvsble by any nteger b, snce = b. On the other hand, a s dvsble by only f a = :
More informationEconomics 101. Lecture 4 - Equilibrium and Efficiency
Economcs 0 Lecture 4 - Equlbrum and Effcency Intro As dscussed n the prevous lecture, we wll now move from an envronment where we looed at consumers mang decsons n solaton to analyzng economes full of
More informationImplementation and Detection
1 December 18 2014 Implementaton and Detecton Htosh Matsushma Department of Economcs Unversty of Tokyo 2 Ths paper consders mplementaton of scf: Mechansm Desgn wth Unqueness CP attempts to mplement scf
More informationprinceton univ. F 17 cos 521: Advanced Algorithm Design Lecture 7: LP Duality Lecturer: Matt Weinberg
prnceton unv. F 17 cos 521: Advanced Algorthm Desgn Lecture 7: LP Dualty Lecturer: Matt Wenberg Scrbe: LP Dualty s an extremely useful tool for analyzng structural propertes of lnear programs. Whle there
More information= z 20 z n. (k 20) + 4 z k = 4
Problem Set #7 solutons 7.2.. (a Fnd the coeffcent of z k n (z + z 5 + z 6 + z 7 + 5, k 20. We use the known seres expanson ( n+l ( z l l z n below: (z + z 5 + z 6 + z 7 + 5 (z 5 ( + z + z 2 + z + 5 5
More informationTHE SUMMATION NOTATION Ʃ
Sngle Subscrpt otaton THE SUMMATIO OTATIO Ʃ Most of the calculatons we perform n statstcs are repettve operatons on lsts of numbers. For example, we compute the sum of a set of numbers, or the sum of the
More informationOnline Appendix. t=1 (p t w)q t. Then the first order condition shows that
Artcle forthcomng to ; manuscrpt no (Please, provde the manuscrpt number!) 1 Onlne Appendx Appendx E: Proofs Proof of Proposton 1 Frst we derve the equlbrum when the manufacturer does not vertcally ntegrate
More informationMin Cut, Fast Cut, Polynomial Identities
Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.
More information} Often, when learning, we deal with uncertainty:
Uncertanty and Learnng } Often, when learnng, we deal wth uncertanty: } Incomplete data sets, wth mssng nformaton } Nosy data sets, wth unrelable nformaton } Stochastcty: causes and effects related non-determnstcally
More informationGraph Reconstruction by Permutations
Graph Reconstructon by Permutatons Perre Ille and Wllam Kocay* Insttut de Mathémathques de Lumny CNRS UMR 6206 163 avenue de Lumny, Case 907 13288 Marselle Cedex 9, France e-mal: lle@ml.unv-mrs.fr Computer
More informationMore metrics on cartesian products
More metrcs on cartesan products If (X, d ) are metrc spaces for 1 n, then n Secton II4 of the lecture notes we defned three metrcs on X whose underlyng topologes are the product topology The purpose of
More informationHila Etzion. Min-Seok Pang
RESERCH RTICLE COPLEENTRY ONLINE SERVICES IN COPETITIVE RKETS: INTINING PROFITILITY IN THE PRESENCE OF NETWORK EFFECTS Hla Etzon Department of Technology and Operatons, Stephen. Ross School of usness,
More informationCOS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013
COS 511: heoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 15 Scrbe: Jemng Mao Aprl 1, 013 1 Bref revew 1.1 Learnng wth expert advce Last tme, we started to talk about learnng wth expert advce.
More informationModule 9. Lecture 6. Duality in Assignment Problems
Module 9 1 Lecture 6 Dualty n Assgnment Problems In ths lecture we attempt to answer few other mportant questons posed n earler lecture for (AP) and see how some of them can be explaned through the concept
More informationIntroduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law:
CE304, Sprng 2004 Lecture 4 Introducton to Vapor/Lqud Equlbrum, part 2 Raoult s Law: The smplest model that allows us do VLE calculatons s obtaned when we assume that the vapor phase s an deal gas, and
More informationAn Optimally Fair Coin Toss
An Optmally Far Con Toss Tal Moran Mon Naor Gl Segev Abstract We address one of the foundatonal problems n cryptography: the bas of con-flppng protocols. Con-flppng protocols allow mutually dstrustful
More informationStanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011
Stanford Unversty CS359G: Graph Parttonng and Expanders Handout 4 Luca Trevsan January 3, 0 Lecture 4 In whch we prove the dffcult drecton of Cheeger s nequalty. As n the past lectures, consder an undrected
More informationFoundations of Arithmetic
Foundatons of Arthmetc Notaton We shall denote the sum and product of numbers n the usual notaton as a 2 + a 2 + a 3 + + a = a, a 1 a 2 a 3 a = a The notaton a b means a dvdes b,.e. ac = b where c s an
More informationLecture 4: Universal Hash Functions/Streaming Cont d
CSE 5: Desgn and Analyss of Algorthms I Sprng 06 Lecture 4: Unversal Hash Functons/Streamng Cont d Lecturer: Shayan Oves Gharan Aprl 6th Scrbe: Jacob Schreber Dsclamer: These notes have not been subjected
More informationECE559VV Project Report
ECE559VV Project Report (Supplementary Notes Loc Xuan Bu I. MAX SUM-RATE SCHEDULING: THE UPLINK CASE We have seen (n the presentaton that, for downlnk (broadcast channels, the strategy maxmzng the sum-rate
More informationSupplementary Notes for Chapter 9 Mixture Thermodynamics
Supplementary Notes for Chapter 9 Mxture Thermodynamcs Key ponts Nne major topcs of Chapter 9 are revewed below: 1. Notaton and operatonal equatons for mxtures 2. PVTN EOSs for mxtures 3. General effects
More informationModule 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur
Module 3 LOSSY IMAGE COMPRESSION SYSTEMS Verson ECE IIT, Kharagpur Lesson 6 Theory of Quantzaton Verson ECE IIT, Kharagpur Instructonal Objectves At the end of ths lesson, the students should be able to:
More informationand problem sheet 2
-8 and 5-5 problem sheet Solutons to the followng seven exercses and optonal bonus problem are to be submtted through gradescope by :0PM on Wednesday th September 08. There are also some practce problems,
More information1 The Mistake Bound Model
5-850: Advanced Algorthms CMU, Sprng 07 Lecture #: Onlne Learnng and Multplcatve Weghts February 7, 07 Lecturer: Anupam Gupta Scrbe: Bryan Lee,Albert Gu, Eugene Cho he Mstake Bound Model Suppose there
More informationVapnik-Chervonenkis theory
Vapnk-Chervonenks theory Rs Kondor June 13, 2008 For the purposes of ths lecture, we restrct ourselves to the bnary supervsed batch learnng settng. We assume that we have an nput space X, and an unknown
More informationRemarks on the Properties of a Quasi-Fibonacci-like Polynomial Sequence
Remarks on the Propertes of a Quas-Fbonacc-lke Polynomal Sequence Brce Merwne LIU Brooklyn Ilan Wenschelbaum Wesleyan Unversty Abstract Consder the Quas-Fbonacc-lke Polynomal Sequence gven by F 0 = 1,
More informationMaximizing the number of nonnegative subsets
Maxmzng the number of nonnegatve subsets Noga Alon Hao Huang December 1, 213 Abstract Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what s the maxmum
More informationprinceton univ. F 13 cos 521: Advanced Algorithm Design Lecture 3: Large deviations bounds and applications Lecturer: Sanjeev Arora
prnceton unv. F 13 cos 521: Advanced Algorthm Desgn Lecture 3: Large devatons bounds and applcatons Lecturer: Sanjeev Arora Scrbe: Today s topc s devaton bounds: what s the probablty that a random varable
More informationLecture 10 Support Vector Machines II
Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed
More informationG /G Advanced Cryptography 12/9/2009. Lecture 14
G22.3220-001/G63.2180 Advanced Cryptography 12/9/2009 Lecturer: Yevgeny Dods Lecture 14 Scrbe: Arsteds Tentes In ths lecture we covered the Ideal/Real paradgm and the noton of UC securty. Moreover, we
More informationLecture 10: May 6, 2013
TTIC/CMSC 31150 Mathematcal Toolkt Sprng 013 Madhur Tulsan Lecture 10: May 6, 013 Scrbe: Wenje Luo In today s lecture, we manly talked about random walk on graphs and ntroduce the concept of graph expander,
More informationTuring Machines (intro)
CHAPTER 3 The Church-Turng Thess Contents Turng Machnes defntons, examples, Turng-recognzable and Turng-decdable languages Varants of Turng Machne Multtape Turng machnes, non-determnstc Turng Machnes,
More informationLecture Notes on Linear Regression
Lecture Notes on Lnear Regresson Feng L fl@sdueducn Shandong Unversty, Chna Lnear Regresson Problem In regresson problem, we am at predct a contnuous target value gven an nput feature vector We assume
More informationThe optimal delay of the second test is therefore approximately 210 hours earlier than =2.
THE IEC 61508 FORMULAS 223 The optmal delay of the second test s therefore approxmately 210 hours earler than =2. 8.4 The IEC 61508 Formulas IEC 61508-6 provdes approxmaton formulas for the PF for smple
More informationThe Geometry of Logit and Probit
The Geometry of Logt and Probt Ths short note s meant as a supplement to Chapters and 3 of Spatal Models of Parlamentary Votng and the notaton and reference to fgures n the text below s to those two chapters.
More information(1 ) (1 ) 0 (1 ) (1 ) 0
Appendx A Appendx A contans proofs for resubmsson "Contractng Informaton Securty n the Presence of Double oral Hazard" Proof of Lemma 1: Assume that, to the contrary, BS efforts are achevable under a blateral
More informationFeature Selection: Part 1
CSE 546: Machne Learnng Lecture 5 Feature Selecton: Part 1 Instructor: Sham Kakade 1 Regresson n the hgh dmensonal settng How do we learn when the number of features d s greater than the sample sze n?
More informationIntroductory Cardinality Theory Alan Kaylor Cline
Introductory Cardnalty Theory lan Kaylor Clne lthough by name the theory of set cardnalty may seem to be an offshoot of combnatorcs, the central nterest s actually nfnte sets. Combnatorcs deals wth fnte
More informationU.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016
U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and
More informationCollege of Computer & Information Science Fall 2009 Northeastern University 20 October 2009
College of Computer & Informaton Scence Fall 2009 Northeastern Unversty 20 October 2009 CS7880: Algorthmc Power Tools Scrbe: Jan Wen and Laura Poplawsk Lecture Outlne: Prmal-dual schema Network Desgn:
More informationLecture 3: Probability Distributions
Lecture 3: Probablty Dstrbutons Random Varables Let us begn by defnng a sample space as a set of outcomes from an experment. We denote ths by S. A random varable s a functon whch maps outcomes nto the
More informationMessage modification, neutral bits and boomerangs
Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental
More informationLecture 3: Shannon s Theorem
CSE 533: Error-Correctng Codes (Autumn 006 Lecture 3: Shannon s Theorem October 9, 006 Lecturer: Venkatesan Guruswam Scrbe: Wdad Machmouch 1 Communcaton Model The communcaton model we are usng conssts
More informationGames of Threats. Elon Kohlberg Abraham Neyman. Working Paper
Games of Threats Elon Kohlberg Abraham Neyman Workng Paper 18-023 Games of Threats Elon Kohlberg Harvard Busness School Abraham Neyman The Hebrew Unversty of Jerusalem Workng Paper 18-023 Copyrght 2017
More informationEcon107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4)
I. Classcal Assumptons Econ7 Appled Econometrcs Topc 3: Classcal Model (Studenmund, Chapter 4) We have defned OLS and studed some algebrac propertes of OLS. In ths topc we wll study statstcal propertes
More informationGlobal Sensitivity. Tuesday 20 th February, 2018
Global Senstvty Tuesday 2 th February, 28 ) Local Senstvty Most senstvty analyses [] are based on local estmates of senstvty, typcally by expandng the response n a Taylor seres about some specfc values
More information2.3 Nilpotent endomorphisms
s a block dagonal matrx, wth A Mat dm U (C) In fact, we can assume that B = B 1 B k, wth B an ordered bass of U, and that A = [f U ] B, where f U : U U s the restrcton of f to U 40 23 Nlpotent endomorphsms
More informationComputing Correlated Equilibria in Multi-Player Games
Computng Correlated Equlbra n Mult-Player Games Chrstos H. Papadmtrou Presented by Zhanxang Huang December 7th, 2005 1 The Author Dr. Chrstos H. Papadmtrou CS professor at UC Berkley (taught at Harvard,
More informationAttacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction
Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard
More informationExcess Error, Approximation Error, and Estimation Error
E0 370 Statstcal Learnng Theory Lecture 10 Sep 15, 011 Excess Error, Approxaton Error, and Estaton Error Lecturer: Shvan Agarwal Scrbe: Shvan Agarwal 1 Introducton So far, we have consdered the fnte saple
More informationApproximate Smallest Enclosing Balls
Chapter 5 Approxmate Smallest Enclosng Balls 5. Boundng Volumes A boundng volume for a set S R d s a superset of S wth a smple shape, for example a box, a ball, or an ellpsod. Fgure 5.: Boundng boxes Q(P
More informationEndogenous timing in a mixed oligopoly consisting of a single public firm and foreign competitors. Abstract
Endogenous tmng n a mxed olgopoly consstng o a sngle publc rm and oregn compettors Yuanzhu Lu Chna Economcs and Management Academy, Central Unversty o Fnance and Economcs Abstract We nvestgate endogenous
More informationLecture 17 : Stochastic Processes II
: Stochastc Processes II 1 Contnuous-tme stochastc process So far we have studed dscrete-tme stochastc processes. We studed the concept of Makov chans and martngales, tme seres analyss, and regresson analyss
More informationNP-Completeness : Proofs
NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem
More informationLecture Randomized Load Balancing strategies and their analysis. Probability concepts include, counting, the union bound, and Chernoff bounds.
U.C. Berkeley CS273: Parallel and Dstrbuted Theory Lecture 1 Professor Satsh Rao August 26, 2010 Lecturer: Satsh Rao Last revsed September 2, 2010 Lecture 1 1 Course Outlne We wll cover a samplng of the
More informationThe Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction
ECONOMICS 5* -- NOTE (Summary) ECON 5* -- NOTE The Multple Classcal Lnear Regresson Model (CLRM): Specfcaton and Assumptons. Introducton CLRM stands for the Classcal Lnear Regresson Model. The CLRM s also
More informationFREQUENCY DISTRIBUTIONS Page 1 of The idea of a frequency distribution for sets of observations will be introduced,
FREQUENCY DISTRIBUTIONS Page 1 of 6 I. Introducton 1. The dea of a frequency dstrbuton for sets of observatons wll be ntroduced, together wth some of the mechancs for constructng dstrbutons of data. Then
More informationMA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials
MA 323 Geometrc Modellng Course Notes: Day 13 Bezer Curves & Bernsten Polynomals Davd L. Fnn Over the past few days, we have looked at de Casteljau s algorthm for generatng a polynomal curve, and we have
More informationAnti-van der Waerden numbers of 3-term arithmetic progressions.
Ant-van der Waerden numbers of 3-term arthmetc progressons. Zhanar Berkkyzy, Alex Schulte, and Mchael Young Aprl 24, 2016 Abstract The ant-van der Waerden number, denoted by aw([n], k), s the smallest
More informationTHE SCIENTIFIC METHOD
THE SCIENTIFIC METHOD A Hypotheses, sad Medawar n 1964, are magnatve and nspratonal n character ; they are adventures of the mnd. He was argung n favour of the poston taken by Karl Popper n The Logc of
More informationTHE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens
THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of
More informationC/CS/Phy191 Problem Set 3 Solutions Out: Oct 1, 2008., where ( 00. ), so the overall state of the system is ) ( ( ( ( 00 ± 11 ), Φ ± = 1
C/CS/Phy9 Problem Set 3 Solutons Out: Oct, 8 Suppose you have two qubts n some arbtrary entangled state ψ You apply the teleportaton protocol to each of the qubts separately What s the resultng state obtaned
More informationComplete subgraphs in multipartite graphs
Complete subgraphs n multpartte graphs FLORIAN PFENDER Unverstät Rostock, Insttut für Mathematk D-18057 Rostock, Germany Floran.Pfender@un-rostock.de Abstract Turán s Theorem states that every graph G
More informationFor now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results.
Neural Networks : Dervaton compled by Alvn Wan from Professor Jtendra Malk s lecture Ths type of computaton s called deep learnng and s the most popular method for many problems, such as computer vson
More informationarxiv: v1 [math.ho] 18 May 2008
Recurrence Formulas for Fbonacc Sums Adlson J. V. Brandão, João L. Martns 2 arxv:0805.2707v [math.ho] 8 May 2008 Abstract. In ths artcle we present a new recurrence formula for a fnte sum nvolvng the Fbonacc
More informationOnline Appendix: Reciprocity with Many Goods
T D T A : O A Kyle Bagwell Stanford Unversty and NBER Robert W. Stager Dartmouth College and NBER March 2016 Abstract Ths onlne Appendx extends to a many-good settng the man features of recprocty emphaszed
More informationKernel Methods and SVMs Extension
Kernel Methods and SVMs Extenson The purpose of ths document s to revew materal covered n Machne Learnng 1 Supervsed Learnng regardng support vector machnes (SVMs). Ths document also provdes a general
More informationBasically, if you have a dummy dependent variable you will be estimating a probability.
ECON 497: Lecture Notes 13 Page 1 of 1 Metropoltan State Unversty ECON 497: Research and Forecastng Lecture Notes 13 Dummy Dependent Varable Technques Studenmund Chapter 13 Bascally, f you have a dummy
More information20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness.
20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The frst dea s connectedness. Essentally, we want to say that a space cannot be decomposed
More informationRandomness and Computation
Randomness and Computaton or, Randomzed Algorthms Mary Cryan School of Informatcs Unversty of Ednburgh RC 208/9) Lecture 0 slde Balls n Bns m balls, n bns, and balls thrown unformly at random nto bns usually
More informationSection 3.6 Complex Zeros
04 Chapter Secton 6 Comple Zeros When fndng the zeros of polynomals, at some pont you're faced wth the problem Whle there are clearly no real numbers that are solutons to ths equaton, leavng thngs there
More informationExercises of Chapter 2
Exercses of Chapter Chuang-Cheh Ln Department of Computer Scence and Informaton Engneerng, Natonal Chung Cheng Unversty, Mng-Hsung, Chay 61, Tawan. Exercse.6. Suppose that we ndependently roll two standard
More informationLecture 4: November 17, Part 1 Single Buffer Management
Lecturer: Ad Rosén Algorthms for the anagement of Networs Fall 2003-2004 Lecture 4: November 7, 2003 Scrbe: Guy Grebla Part Sngle Buffer anagement In the prevous lecture we taled about the Combned Input
More informationSection 8.3 Polar Form of Complex Numbers
80 Chapter 8 Secton 8 Polar Form of Complex Numbers From prevous classes, you may have encountered magnary numbers the square roots of negatve numbers and, more generally, complex numbers whch are the
More information10-701/ Machine Learning, Fall 2005 Homework 3
10-701/15-781 Machne Learnng, Fall 2005 Homework 3 Out: 10/20/05 Due: begnnng of the class 11/01/05 Instructons Contact questons-10701@autonlaborg for queston Problem 1 Regresson and Cross-valdaton [40
More informationModule 2. Random Processes. Version 2 ECE IIT, Kharagpur
Module Random Processes Lesson 6 Functons of Random Varables After readng ths lesson, ou wll learn about cdf of functon of a random varable. Formula for determnng the pdf of a random varable. Let, X be
More informationU.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan 2/21/2008. Notes for Lecture 8
U.C. Berkeley CS278: Computatonal Complexty Handout N8 Professor Luca Trevsan 2/21/2008 Notes for Lecture 8 1 Undrected Connectvty In the undrected s t connectvty problem (abbrevated ST-UCONN) we are gven
More informationAppendix B: Resampling Algorithms
407 Appendx B: Resamplng Algorthms A common problem of all partcle flters s the degeneracy of weghts, whch conssts of the unbounded ncrease of the varance of the mportance weghts ω [ ] of the partcles
More informationNumerical Heat and Mass Transfer
Master degree n Mechancal Engneerng Numercal Heat and Mass Transfer 06-Fnte-Dfference Method (One-dmensonal, steady state heat conducton) Fausto Arpno f.arpno@uncas.t Introducton Why we use models and
More informationPsychology 282 Lecture #24 Outline Regression Diagnostics: Outliers
Psychology 282 Lecture #24 Outlne Regresson Dagnostcs: Outlers In an earler lecture we studed the statstcal assumptons underlyng the regresson model, ncludng the followng ponts: Formal statement of assumptons.
More informationFinding Primitive Roots Pseudo-Deterministically
Electronc Colloquum on Computatonal Complexty, Report No 207 (205) Fndng Prmtve Roots Pseudo-Determnstcally Ofer Grossman December 22, 205 Abstract Pseudo-determnstc algorthms are randomzed search algorthms
More informationAn Optimally Fair Coin Toss
An Optmally Far Con Toss Tal Moran, Mon Naor,,andGlSegev Department of Computer Scence and Appled Mathematcs, Wezmann Insttute of Scence, Rehovot 76100, Israel talm@seas.harvard.edu, {mon.naor,gl.segev}@wezmann.ac.l
More informationNote on EM-training of IBM-model 1
Note on EM-tranng of IBM-model INF58 Language Technologcal Applcatons, Fall The sldes on ths subject (nf58 6.pdf) ncludng the example seem nsuffcent to gve a good grasp of what s gong on. Hence here are
More information