Biasing Boolean Functions and Collective Coin-Flipping Protocols over Arbitrary Product Distributions
Yuval Filmus, Lianna Hambardzumyan, Hamed Hatami, Pooya Hatami, David, Zuckerman

TL;DR
This paper extends key results on coalition biasing of Boolean functions from the uniform measure to arbitrary product measures, advancing towards Friedgut's conjecture and analyzing multi-round protocols.
Contribution
It generalizes the biasing results of Kahn, Kalai, Linial, and Russell et al. to arbitrary product distributions, including multi-round protocols and functions with finite ranges.
Findings
Coalitions of o(n) players can bias Boolean functions under arbitrary product measures.
The results include multi-round protocols with o(log* n) rounds.
Introduces a novel boosting argument for general product distributions.
Abstract
The seminal result of Kahn, Kalai and Linial shows that a coalition of players can bias the outcome of any Boolean function with respect to the uniform measure. We extend their result to arbitrary product measures on , by combining their argument with a completely different argument that handles very biased coordinates. We view this result as a step towards proving a conjecture of Friedgut, which states that Boolean functions on the continuous cube (or, equivalently, on ) can be biased using coalitions of players. This is the first step taken in this direction since Friedgut proposed the conjecture in 2004. Russell, Saks and Zuckerman extended the result of Kahn, Kalai and Linial to multi-round protocols, showing that when the number of rounds is , a coalition of players…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsGame Theory and Voting Systems · Random Matrices and Applications · Complexity and Algorithms in Graphs
Biasing Boolean Functions and Collective Coin-Flipping Protocols over Arbitrary Product Distributions
Yuval Filmus
Computer Science Department,
Technion
[email protected] Taub Fellow — supported by the Taub Foundations. The research was funded by ISF grant 1337/16.
Lianna Hambardzumyan
School of Computer Science,
McGill University
Hamed Hatami
School of Computer Science,
McGill University
[email protected] Supported by an NSERC grant.
Pooya Hatami
Department of Computer Science,
UT Austin
[email protected] Supported by a Simons Investigator Award (#409864, David Zuckerman)
David Zuckerman
Department of Computer Science,
UT Austin
[email protected] Supported by NSF Grant CCF-1705028 and a Simons Investigator Award (#409864)
Abstract
The seminal result of Kahn, Kalai and Linial shows that a coalition of players can bias the outcome of any Boolean function with respect to the uniform measure. We extend their result to arbitrary product measures on , by combining their argument with a completely different argument that handles very biased coordinates.
We view this result as a step towards proving a conjecture of Friedgut, which states that Boolean functions on the continuous cube (or, equivalently, on ) can be biased using coalitions of players. This is the first step taken in this direction since Friedgut proposed the conjecture in 2004.
Russell, Saks and Zuckerman extended the result of Kahn, Kalai and Linial to multi-round protocols, showing that when the number of rounds is , a coalition of players can bias the outcome with respect to the uniform measure. We extend this result as well to arbitrary product measures on .
The argument of Russell et al. relies on the fact that a coalition of players can boost the expectation of any Boolean function from to with respect to the uniform measure. This fails for general product distributions, as the example of the AND function with respect to shows. Instead, we use a novel boosting argument alongside a generalization of our first result to arbitrary finite ranges.
1 Introduction
How can distributed processors collectively flip a somewhat fair coin if some processors may try to bias the outcome? In the Collective Coin-Flipping Problem, a classical problem in distributed computing, processors wish to generate a single common random bit, even in the presence of faulty and possibly malicious processors. Collective coin-flipping protocols can be used to expedite Byzantine Agreement [CD89] and are closely related to Leader Election Protocols [Dod06]. The problem has been considered in several scenarios, depending on the assumptions made on the type of the communication between the processors, the kind and number of faults, and the power of the adversary [CD89, BOLS89, Dod06, BOL89].
A Boolean function , where is endowed with a product measure , naturally corresponds to a single round collective coin-flipping protocol in the perfect information model introduced by Ben-Or and Linial [BOL89], where players each broadcast a bit according to a private distribution, and at the end, the output of the protocol is the value of on the broadcast string. An interesting and important concept in the design of collective coin-flipping protocols is resilience against coalitions of a significant number of players who attempt to influence the output of the protocol towards a particular value.
A coalition is a subset of players that have a particular desired value in mind, and if possible, broadcast bits that set the output of the protocol to . We study the model where the coalition is allowed rushing: the corrupt players may wait until all the other players broadcast their bits before deciding on what bit to broadcast. In other words, they succeed on if it is possible to modify only on the coordinates in to obtain a string with ; they fail if the value of is already determined to be not equal to by the bits broadcast by the players outside the coalition. The success of such a coalition can be easily quantified as the probability that the coalition succeeds on a random .
Fix a parameter . A protocol is said to be -resilient against coalitions of players if no coalition of size at most succeeds with probability at least . How resilient can a function be against large coalitions? Over the uniform distribution, perhaps the most natural candidate for a highly resilient function is the majority function, which can be easily seen to be resilient against size coalitions. However, somewhat surprisingly, it turns out that plain democracy is not the most effective way to be immune against the influence of coalitions. Indeed, Ajtai and Linial [AL93] gave a randomized construction of a Boolean function that is resilient against coalitions of size , significantly better than the bound of the majority function. More recently, Chattopadhyay and Zuckerman [CZ16] gave an explicit construction of a highly resilient function over the uniform measure. This was a key ingredient in their breakthrough work that introduced explicit two-source extractors for polylogarithmic min-entropy. Subsequently, Meka [Mek17] gave an explicit construction of a monotone depth three Boolean function that is as resilient as the randomized construction of Ajtai and Linial.
In this article, we are mainly interested in the limitations of resilience. The most classical theorem in this direction is due to Kahn, Kalai, and Linial [KKL88], who proved that, for the uniform distribution, no Boolean function is resilient against coalitions of size . Closing the gap between this bound and the construction of Ajtai and Linial remains a longstanding open problem.
Starting with the work of Ben-Or and Linial [BOL89], researchers have studied two natural ways to generalize the discussed protocols: First, allow players to broadcast longer messages, and second, allow many rounds. In this paper, we mostly focus on the latter generalization. In the multi-round setting, the voting procedure that is described above is repeated times: at every round, first the players who are not in the coalition broadcast their random messages, and then the players in the coalition decide and broadcast their messages in an adversarial manner. When the players are sending single-bit messages, the outcome is decided by a function .
The most efficient known protocols are due to Russell and Zuckerman [RZ01] and to Feige [Fei99]. In the case where players are allowed to send longer messages, they constructed round protocols resilient against coalitions of size for any . In the case when players are allowed to broadcast single bit messages, their protocols use rounds, and are still resilient against coalitions of size for any . For a discussion of various models and known upper and lower bounds, see a survey of Dodis [Dod06].
In the multi-round setting, the players in the coalition have the disadvantage that they will not see the future-round votes of the other players before voting in the current round. Thus, it becomes significantly more difficult to prove limitations on resilience as grows, and naturally the known bounds are weaker. Russell, Saks and Zuckerman [RSZ02], building upon the work of Kahn et al. [KKL88], showed that over the uniform measure, no Boolean function is -resilient against coalitions of size , where is an iterated logarithm. It follows as a simple corollary that rounds are necessary in order for a protocol to be resilient against coalitions of size .
The purpose of this paper is to generalize the above results from the uniform distribution to arbitrary product distributions on the Boolean cube.
A moment of reflection reveals that there are major differences between the uniform distribution and the general case, and indeed, prior to this work, it was not clear to us whether similar results were true for general product distributions. We will elaborate on this later, but for now, we only mention that the coordinates that are not highly biased, i.e. for some that is not too small, can be handled using the same argument as in Kahn et al. [KKL88]. Similarly, the argument of Russell et al. [RSZ02] can be used to analyze these coordinates in the multi-round setting. However, the highly biased coordinates behave very differently, and to handle those, we need to take an entirely new approach, and employ a new set of ideas. Indeed, our proofs for the highly biased case have almost no resemblance to those in previous works.
Our first theorem concerns single round protocols. By combining the argument of Kahn, Kalai and Linial with an argument geared towards biased coordinates, we are able to show that these protocols can always be influenced towards a single value, with coalitions which are only slightly worse than those guaranteed by the KKL theorem.
Theorem 1.1**.**
Over any product distribution , there is no function that is -resilient against coalitions of size .
(In contrast, the KKL theorem shows the impossibility of -resilience against coalitions of size .)
Next, we prove an impossibility result for resilience in the multi-round setting over arbitrary product distributions. This was posed as an open problem by Russell et al. [RSZ02]. Here we face several new challenges. Generalizing our argument for the biased coordinates to the multi-round setting is far from straightforward, and combining it with the argument of Russell et al. [RSZ02] for the unbiased coordinates also requires new ideas.
Theorem 1.2**.**
Let and be given. Over any product distribution over , there is no -round coin-flipping protocol that is -resilient against coalitions of size .
As a result, over any product distribution , rounds are necessary in order for a protocol to be resilient against coalitions of size .
Influences
The notion of resilience of a Boolean function is related to the influences of variables and coalitions of variables. For a Boolean function over a product probability measure , the influence of the -th variable is defined as
[TABLE]
where
[TABLE]
The influence of the -th variable towards a value is defined as
[TABLE]
Similarly, the influence of a coalition towards a value is defined as
[TABLE]
where
[TABLE]
Equivalently, is the probability that a random can be modified on its variables such that the output of becomes .
A function is not -resilient against coalitions of size if and only if there exists a set of size at most and a value such that .
The seminal work of Kahn, Kalai and Linial introduced discrete Fourier-analytic techniques to the study of influences. Their main theorem, known as the KKL inequality, states that over the uniform measure, every unbiased Boolean function has an influential variable. Formally, there exists such that when . Let satisfy . Then repeated applications of the KKL inequality imply the existence of a set with such that . In particular, there are no -resilient functions over the uniform distribution.
The above argument shows that unless is already very biased towards [math] or , one can pick any and find a small coalition that can bias towards . However, this is no longer true if we consider general product distributions.
Example 1.3**.**
Consider the -biased distribution over , i.e. each coordinate is with probability . Set and let be the OR function . Obviously, , and yet for every with , we have . In other words, despite the fact that the expected value of the function is bounded away from both [math] and , no small coalition can influence the output of the function towards [math]. However, this is not a counterexample to Theorem 1.1 because any set with satisfies , and thus the function is not even -resilient.
As the above example illustrates, part of the difficulty of generalizing the coalition theorem of KKL is to figure out which to bias towards.
Using the notation , Theorem 1.1 can be restated as follows.
Theorem 1.4** (Theorem 1.1 reformulated).**
Let be a function over a product distribution . There exists a set of size such that for some .
Remark*.*
To simplify the statement, in Theorem 1.4, we did not explicitly state the dependence of on . Our proof yields the bound .
Continuous cube and a conjecture of Friedgut
The Bernoulli distribution on with parameter can be embedded in the continuous interval via the measure-preserving map defined as if and only if . By taking the product of these maps, for every product probability measure on , we obtain a measure-preserving map . As a result, every function naturally corresponds to a function defined by . Note that
[TABLE]
for every and . Thus, a more general setting for studying resilience is the set of measurable functions . Indeed, Bourgain et al [BKK*+*92] proved a generalization of the KKL inequality, but erroneously claimed that as a corollary, if , then for a set of size . Interestingly, Example 1.3, which was introduced in the same paper to demonstrate that the proof of the KKL inequality breaks down for the continuous cube, is also a counterexample to this false claim. Friedgut [Fri04] pointed out this error, and suggested the following tantalizing conjecture to replace the false statement111Nati Linial told the last author about this error and conjecture years earlier, but as far as we know this is the first published account..
Conjecture 1.5* ([Fri04]).*
Let be a measurable function. There exists a set of size such that for some .
A standard compression argument shows that it suffices to prove this conjecture for increasing functions, and indeed the original form of the conjecture is stated for increasing functions. Furthermore, by discretization, the statement can be further reduced to functions , where the domain is endowed with the uniform measure. Note that this form of the conjecture corresponds to resilience of one-round collective coin-flipping protocols where each player is allowed to send -bit messages.
The above discussion show that, qualitatively, Conjecture 1.5 is a generalization of Theorem 1.4, and thus our theorem can be considered as a step towards resolving Friedgut’s conjecture. However, our techniques and ideas seem to fall short of proving the full conjecture.
Beyond the Boolean range
As we discussed above, the coalition theorem of KKL says that if then there exists a small coalition such that . Now consider a function over the uniform distribution, where is a constant size set. Pick any with . We can apply the KKL theorem to the function defined as if and only if , and conclude that there is a coalition of size with . This shows that over the uniform distribution, the general range easily reduces to the Boolean range.
Unfortunately, the above reduction cannot be carried for general product distributions, for in Theorem 1.4, the final outcome is dictated to us by the function. To illustrate the problem, consider a function and a general product distribution . By bundling into a single value and applying Theorem 1.4, we can conclude that there exists a small coalition such that either it biases the outcome of the function towards [math], or it biases the outcome towards being in . If it is the former case, then we are done, but in the latter case, it is not clear how to proceed.
We know that except for the ’s that belong to a small-measure set , the coalition can modify in such a way that the outcome is in . Now at first glance, it might seem that by applying Theorem 1.4 again, we can find another coalition that can modify further to refine the outcome to a single value , and thus conclude that for most ’s the alliance can influence the outcome of the function towards . Unfortunately, this is actually not the case. One reason is that and might intersect, and suggest conflicting modifications to . Even if and are disjoint, the proof doesn’t work: denoting by the vector obtained from after modification by , we no longer have , and so there is no guarantee that on most inputs can be applied successfully. In other words, need not be small.
The above discussion shows that one cannot deduce the general case via the simple reduction that was outlined above for the uniform measure, but surely, as cumbersome as it may be, one can go over the proof and generalize every step from to by making small notational adjustments. This turns out not to be the case either! The proof of Theorem 1.4, rather unexpectedly, relies on the assumption that the function takes only two values. Indeed, to generalize the result to larger ranges, we had to introduce new ideas, and in particular a strengthening of Theorem 1.4 (see Theorem 3.5 below) that provides stronger control over the set described above.
Theorem 1.6** (Single round, general range).**
Let be a constant size set, and be a function over a product distribution . There exists a set of size such that for some .
Remark*.*
At the heart of the proof of Theorem 1.6 there is an intermediate result, Theorem 3.5, which states that if all coordinates are biased, say , then a random coalition of size biases the outcome with high probability. This intermediate result is an essential ingredient in the proof of our result on the multi-round setting, Theorem 1.2. For this application, it was crucial to obtain a bound which depends only polylogarithmically in .
Even though Theorem 1.4 is a special case of Theorem 1.6, we prove them separately, as Theorem 1.4 can be proven using a shorter and simpler proof.
Paper organization
We prove Theorem 1.1, which shows that all single-round protocols can be biased using coalitions of size , in Section 2. We prove Theorem 1.6, which generalizes the preceding result to arbitrary finite domains, in Section 3. We prove our main result, Theorem 1.2, which shows the multi-round protocols can be biased, in Section 4.
Finally, Section 5 presents some concluding remarks.
2 Single Round Case: Proof of Theorem 1.1
In this section we prove Theorem 1.1, showing that, under any product distribution, there exists a small coalition which can bias the output of the function towards one of the outputs.
Note that in order to prove Theorem 1.1, without loss of generality, we can assume that for every , as otherwise we can simply change the role of [math] and for the -th coordinate. In light of this observation, the coordinates can be divided into two sets: the small bias coordinates, satisfying , and the highly biased coordinates, satisfying , where is a threshold that is chosen to be .
Indeed, we first consider the case where all the coordinates are of the same type:
- •
Small bias case: for every .
- •
Large bias case: for every .
We handle the large bias case in Section 2.1, which is the novel part of the proof. The small bias case is handled in Section 2.2 via a reduction to the previous work of Russell et al. [RSZ02]. Finally, in Section 2.3 we show how to combine the two cases to handle any product distribution , thus completing the proof of Theorem 1.1.
2.1 Large Bias Case
We will sometimes identify the subsets of with elements of . For example, would mean that , where is sampled according to . We construct the coalitions from a certain boosted form of .
Definition 2.1** (Boosted distribution).**
For a positive integer , we denote by the distribution of , where are i.i.d. random variables distributed according to .
The large bias case of Theorem 1.1 follows from the following general proposition, that holds for distributions that are not necessarily product distributions.
Proposition 2.2**.**
Consider , where is an arbitrary probability measure, and let , where . For some , we have .
Note that Proposition 2.2 implies (via a straightforward concentration bound) that in the large bias case, there exists a random coalition of expected size at most such that . As it will become apparent later, for the application to the multiround setting, it is important that in Proposition 2.2 the set is chosen randomly from a distribution that does not depend on .
Proposition 2.2 is a direct consequence of the following lemma, as for the Boolean range , either Condition I holds for or Condition II holds for . This, however, is not true for larger .
Lemma 2.3** (Key Lemma for Single Round).**
Consider , where is an arbitrary probability measure. Let , , where . For , either of
- •
Condition I: , or
- •
Condition II: ,
implies .
Proof.
Let , where are drawn independently. Let the sets and denote the following subsets of the input space :
[TABLE]
If we are in the Type I setting, then , and so
[TABLE]
Note that if there exists which is a subset of then for every , the two elements and can only differ on a subset of , and thus
[TABLE]
Now we turn our attention to Condition II. In this case, we shall prove that . Indeed,
[TABLE]
To bound the last probability, for let denote the event that for every , . Then
[TABLE]
Plugging this into (1), we get
[TABLE]
Since ,
[TABLE]
showing that
[TABLE]
2.2 Small Bias Case
To handle the small bias case for the sake of proving Theorem 1.1, one can simply repeat the argument of Kahn et al. [KKL88], i.e. iteratively select influential variables and set them to the value that increases the probability of success. However, for the purposes of our results in the multi-round setting, we will need to prove a stronger result, which states that even if the coalition is selected randomly, there is a nontrivial chance of succeeding in influencing the outcome.
We start with the case that for every . The following lemma is proved in [RSZ02] for the uniform distribution. By inspection, it is easy to check that the proof extends to any product distribution in which the marginal biases are bounded away from [math] and .
Lemma 2.4** ([RSZ02], Lemma 11 modified).**
Let , and . Assume . Let , where is a product distribution such that for each . If then
[TABLE]
We can extend Lemma 2.4 to somewhat higher biases by representing a distributed variable as an of variables that are distributed, where and .
Lemma 2.5**.**
Let , and . Let , where is a product distribution such that for all , . Assume . If then
[TABLE]
Proof.
The lemma is proved by a reduction to Lemma 2.4. Let . For each variable , we pick and an integer such that : first choose so that (note the intervals are overlapping since ), and then choose appropriately. For each variable , introduce new variables . Consider , where and
[TABLE]
We designed so that the input to is distributed according to . Applying Lemma 2.4, we deduce that typical of size satisfy . Let . A moment’s thought shows that . A simple coupling argument now completes the proof. ∎
2.3 Finishing the Proof: Combining the Two Cases
We are ready to finish the proof of Theorem 1.1. Let , and recall that . For every , define as . By Proposition 2.2, for every , there exists such that
[TABLE]
where . Moreover, since every variable in satisfies , Chernoff’s bound gives,
[TABLE]
for some constant . Therefore,
[TABLE]
It follows that
[TABLE]
assuming without loss of generality that . Hence, there exists a fixed and a set , satisfying and
[TABLE]
Now, define as if and only if . Note that, depends only on variables. The above inequality asserts that . Since, contains only small bias variables, we may apply Lemma 2.5. Namely, there is such that
[TABLE]
Thus, there exists a coalition of size of players that can bias towards . In other words, can bias towards cases where is able to bias towards . As a result,
[TABLE]
Moreover, , as desired.
3 The Larger Range: Proof of Theorem 1.6
As outlined in the introduction, there are certain obstacles to generalizing Theorem 1.1 to larger ranges. In particular, the fact that the set of all the points on which the coalition fails in Theorem 1.1 is of small measure does not seem to be a sufficiently strong condition for an induction to go through. We will need to prove a strengthening of Theorem 1.1 which shows that not only is of small measure, but it is also small if it is measured via the boosted distributions introduced in Definition 2.1. This leads to a more general definition of influence.
Definition 3.1** (Boosted influence towards value).**
Let be an arbitrary set. For a function and , define
[TABLE]
Note that , as .
The following lemma generalizes Lemma 2.3, as we spell out in its corollary.
Lemma 3.2**.**
Consider , let , and let , where . Let . We have
[TABLE]
if any of the following two cases hold:
- •
Case I: For some ,
[TABLE]
- •
Case II: For every ,
[TABLE]
Proof.
Case I: Suppose the condition in Case I is satisfied. Fix a , and consider an . Since
[TABLE]
by Markov’s inequality would imply that
[TABLE]
or equivalently
[TABLE]
In other words,
[TABLE]
Averaging over , we conclude that by the assumption of Case I, we have
[TABLE]
Hence, recalling that , the probability that there exists such that is at least
[TABLE]
But if this event happens then . Hence by the union bound,
[TABLE]
Case II: Next assume that the condition in Case II is satisfied. Consider an . Define
[TABLE]
and note that by our assumption
[TABLE]
Since , we can set , where are i.i.d. random variables. This shows that
[TABLE]
Hence
[TABLE]
Define now
[TABLE]
and notice that
[TABLE]
Therefore,
[TABLE]
When , the probability that is at most , and so
[TABLE]
This shows that . We complete the proof by an application of the union bound. ∎
Corollary 3.3**.**
Consider , let , and , where . At least for one of the values , we have
[TABLE]
Proof.
Setting , either Case I holds for or Case II holds for . ∎
Another corollary allows the function to attain a third value , as long as its probability is small enough (with respect to various boostings of ).
Corollary 3.4**.**
Consider , let , and let , where . If for all , then at least for one of the values , we have
[TABLE]
Proof.
Set , and fix an . Suppose that neither Case I holds for , nor Case II holds for . That is
[TABLE]
and
[TABLE]
Let
[TABLE]
and note that for every we have
[TABLE]
On the other hand, by (2) and (3) we have
[TABLE]
This is a contradiction, as it implies that
[TABLE]
Hence for every , either Case I holds for , or Case II holds for , and thus Lemma 3.2 implies the corollary. ∎
We can now state and prove the main result of this section, which generalizes Corollary 3.4 to allow more output bits. The failure output allows the inductive proof of Theorem 3.5, as well as our multi-round result, Theorem 4.2, to go through, as we explain in Section 4.
Theorem 3.5**.**
Let , and suppose that is endowed with a probability measure . Let be a positive integer, and let , where . If for every , then there exists a value such that
[TABLE]
Proof.
We prove this by induction on . The base case is established in Corollary 3.4.
We divide into two parts and corresponding to the first bit and the following bits, respectively. That is, if , and otherwise equals the first bit, and equals the last bits of . Let , , , and .
Since , applying the base case to with parameters , and , we find a value such that
[TABLE]
Let us call an good if for all we have . For a fixed good , for every satisfying , let , where is an element satisfying . We call such values of good with respect to . We call the other values of bad with respect to . Note that if is good, then not only a random is unlikely to be bad, but the same is true if for larger values of as long as . More precisely, for every ,
[TABLE]
This stronger statement is the key property that will allow us to proceed with our strong induction.
Now we need to force the last bit of . Let be defined as for good values of , and for bad values of . Note that
[TABLE]
where the last inequality can be verified easily.
Provided that is good, applying the induction hypothesis to with and , we conclude that there exists a value such that
[TABLE]
Let us call good with respect to if the condition in the above probability holds.
Now suppose that is good, and that is good with respect to . Then for a random , with probability at least , there is a with . On the other hand, and . This shows that satisfies and . Hence conditioned on and being good, we have for and every ,
[TABLE]
We conclude that for ,
[TABLE]
Finally, denoting by the value such that , we get the recurrence
[TABLE]
with base case . Accordingly, define .
Let us define a sequence , ; note that is the corresponding to . Then
[TABLE]
Since the sequence is monotone, we see that . Choose a constant so that satisfies . The same calculation shows that satisfies , that satisfies , and so on. In general, . On the other hand, . This shows that
[TABLE]
Now choose the minimal so that . Then either or . In both cases, . Therefore,
[TABLE]
3.1 Proof of Theorem 1.6
Finally, we show how Theorem 1.6 follows from Theorem 3.5. Similar to the proof of Theorem 1.1 in Section 2.3, we need to combine Theorem 3.5 that handles the highly biased coordinates with the KKL argument that handles the small bias coordinates.
Let , and embed inside . As in Section 2.3, let , where , and for every , define as (note for all ). Theorem 3.5 (applied with and ) shows that for every there exists such that
[TABLE]
where . An averaging argument similar to the one in Section 2.3 shows that there exists and a set of size such that
[TABLE]
We now define the function just as in Section 2.3: it equals when . Applying Lemma 2.5 with , we deduce the existence of a coalition of players such that . As in Section 2.3, we conclude that
[TABLE]
Finally, the size of the coalition is
[TABLE]
as claimed.
4 Multi-Round Protocols: Proof of Theorem 1.2
In this section we will prove Theorem 1.2, showing that even in the multi-round setting, there are no protocols that are resilient against all coalitions of size . As described in the introduction, here at every round, first the players who are not in the coalition broadcast their random messages, and then the players in the coalition decide and broadcast their messages in an adversarial manner. The outcome is decided by a function .
To be more formal, let be a product distribution over , where each is a product distribution over . An coin-flipping protocol is simply a map . Such a protocol is executed in rounds. In the presence of a coalition of bad players, the protocol operates as follows. In round , the players in select according to . Then, the bad players choose their values depending on . Formally, an -strategy for a set is a sequence of functions where
[TABLE]
The function describes the choice of bits the bad players make in the -th round based on the broadcasted bits of the good players in the first rounds.
Definition 4.1**.**
Let be an coin-flipping protocol, and let be a product distribution on . Given a Boolean value , a set , and an -strategy for the bad players ,
- •
* is the probability that outputs given that the bad players follow .*
- •
* is the influence of on towards .*
Our goal is to show that there exists a coalition of size such that for some . For the moment, let us assume that we have only two rounds, and let denote the protocol, where correspond to the inputs in the first and the second round respectively. Let us also denote .
Russell et al. [RSZ02] proof of the uniform case:
Pick such that . Let be the set of all that satisfy , and note that . By Lemma 2.4 of Russell et al. [RSZ02], for every , a random coalition can bias towards , with a probability that is not too small. Since is chosen randomly and independently of , it follows that there exists a fixed coalition that can bias for at least a fraction of , and thus for at least a fraction of . Let denote the set of such . If , the coalition is able to bias the protocol by only interfering in the second round. The set is of measure at least , which is not too small. Thus, applying Lemma 2.4 again, we can find another coalition which can modify most ’s to fall in . Now we can form the desired coalition : In the first round, the players in try to modify into an element in , and if they succeed, in the second round, the players in interfere to change the outcome of the protocol into . This argument easily generalizes to more rounds.
We point out that it was crucial for the above argument, that the distribution of in Proposition 2.2 is independent of .
What fails for the general product distributions:
Consider over , where is highly biased, and is the uniform distribution. Similar to the previous paragraph, we can find a set , a value , and a small coalition such that , and moreover for every , the coalition is able to influence towards by interfering only in the second round. Now, if we are to follow the argument of Russell et al., we would like to find a set of players to add to the coalition such that, with high probability, is able to modify a random into an element in . We could then conclude that can bias towards .
Unfortunately, Proposition 2.2, the highly-biased counterpart of Lemma 2.4, only guarantees the existence of a small coalition which either modifies a random into being in or modifies a random into not being in ; in the latter case, the coalition is useless. As Example 1.3 shows, this is not just a caveat of the proof of the proposition. To be more concrete, suppose is the -biased distribution, and consists only of the single element . Even though , there is no coalition of size which can, with high probability, modify a random into an element in . On the other hand, even a single player can modify every into an element outside , but this is not helpful for our purposes, as the elements outside are the elements that cannot handle.
How to overcome the problem:
Consider the same setting as in the previous paragraph. We know that for every , a random coalition of size succeeds in influencing towards one of the outputs, with probability at least , where is not too small. Instead of picking one , we select a collection of coalitions that cover almost all ’s. More precisely, we find and , where , such that apart from a small set of exceptions , every can be biased towards some using the coalition .
Let be defined as follows: If , then , and otherwise is equal to some such that can bias towards . This brings us to the non-Boolean range case, which was analyzed in Section 3. We can apply Theorem 3.5 to find a coalition that can influence towards one of the values in . Now will be our desired coalition. With high probability, in the first round the players in can successfully modify a random element into an element with , and then in the second round, the players in can modify to bias the outcome towards . This is the main new idea used below to resolve the multi-round setting over arbitrary distributions.
Theorem 1.2 is a consequence of the following more elaborate theorem which states that for sufficiently large , and , no protocol over an arbitrary product distribution is resilient against coalitions of bad players.
Theorem 4.2**.**
For every , and integers , and , there exists , and such that the following holds. For every over a product distribution , there exists , such that the corresponding -round protocol satisfies
[TABLE]
where is a distribution on that depends only but not on . To be more precise, one can take .
Proof.
Let . We make two simplifying assumptions:
Without loss of generality, we may assume for every and that , as otherwise, we can exchange the role of [math] and for the -th variable.
- 2.
Let be set later. By potentially doubling the number of rounds, and modifying the product distributions, we will assume that for every , the distribution is either highly biased or not very biased. Namely, one of the following two cases holds
- –
Highly biased with parameter : For all , ;
- –
Small biased with parameter : For all , ;
In more detail, let be the original distributions. If , then for each , either or . We let be the highly biased distribution with parameter obtained from by replacing the -unbiased coordinates with dummy coordinates, and similarly is the small biased distribution with parameter obtained from in an analogous fashion. If , then instead will be -unbiased and will be -biased.
Let , , and . For every we set the following parameters, some of them recursively:
- •
- •
- •
- •
We will show by induction on that the following modified statement of the theorem holds.
Let be an -protocol. There is a choice of and a probability measure over subsets of of size at most , such that
[TABLE]
Moreover, does not depend on .
Note that the case is then the statement of the theorem. The base case of is about biasing a zero-round protocol (namely, a protocol that outputs a constant value in with no players involved). The base case of is trivially true, as no bad players are needed to fully bias a constant valued protocol with probability .
For the induction step, in the case when the first round of is highly biased, we apply the following lemma.
Lemma 4.3** (Large bias).**
Let be an -round coin-flipping protocol, and suppose that for each , the -th round is endowed with the distribution . Suppose that is highly biased with parameter . There is such that for
[TABLE]
it holds that
[TABLE]
(Here is the union of the supports of independent samples from .)
Proof.
Throughout the proof it helps to think of sampling in two stages: We first sample M=O\bigl{(}\frac{\log(1/\epsilon)+r}{\delta_{\ell-1}}\bigr{)} sets independently from . We later sample uniformly at random and let . Note that, even though we sampled in two stages, is still distributed according to .
For every define an -round protocol as . By the induction hypothesis, for every ,
[TABLE]
For let denote the binary representation of (we chose so that the all zeros vector does not go unused). We define a function as follows. We set if for every , both and . Otherwise, we let , where is the lexicographically first tuple such that .
We will apply Theorem 3.5 to with , but before doing so, we will show that the conditions on the probability will hold with high probability over the choice of . We need to verify that and . We first observe that,
[TABLE]
Thus (4) gives us,
[TABLE]
Applying Markov’s inequality, we get
[TABLE]
An identical argument gives
[TABLE]
Thus, satisfies the conditions of Theorem 3.5 for with probability at least . Define to be this event. Conditioned on , there exist and for which
[TABLE]
where .
Let be such that . This means that a set of bad players can use the first round to bias towards inputs , for most of which, can be used to bias towards . As a result, for such , . The probability that the final set is equal to this specific is . To sum up, we have proved
[TABLE]
Note that for we have . Applying the Chernoff bound, choosing we have
[TABLE]
which follows from our choice of .
We let be the distribution that samples conditioned on and and takes their union. It follows from the above Chernoff bound and Lemma 4.3 that there exists such that
[TABLE]
In particular, if
[TABLE]
and
[TABLE]
the distribution satisfies the induction step.
We now verify these two conditions by recalling our choices of , , , and . Now, (5) follows from
[TABLE]
and (6) holds because
[TABLE]
In the case when the first round of has small bias, we apply the following lemma for the induction step.
Lemma 4.4** (Small bias).**
Let be an -round coin-flipping protocol, and suppose that for each , the -th round is endowed with the distribution . Suppose that is small biased with parameter . There is such that for it holds that
[TABLE]
Proof.
Similar to the proof of Lemma 4.3, we consider the functions . Let be the event that at least one of or holds. By the induction hypothesis, for every ,
[TABLE]
Thus
[TABLE]
On the other hand,
[TABLE]
and thus
[TABLE]
Recalling the definition of , there exists such that
[TABLE]
Let denote the event that \Pr_{x\sim\mu_{r-\ell+1}}\bigl{[}I_{T}^{b}(g_{x})\geq 1-\frac{\epsilon}{2^{r-\ell+1}}\bigr{]}\geq\frac{\delta_{\ell-1}}{4}. For a fixed , define as if and only if . Note that . Hence, by Lemma 2.5, for , assuming we have
[TABLE]
Now, note that whenever , the set is able to use the bits to bias towards . In particular, we have shown
[TABLE]
Hence, if is even, applying the above lemma provides the induction step as long as
[TABLE]
and
[TABLE]
Recall, again, our choices of , , , and . We see that for sufficiently large , and every ,
[TABLE]
implying (7). Finally (8), namely is immediate from our definition of . ∎
5 Concluding Remarks and Open Problems
- •
Perhaps the most interesting next step is proving limitations for resilience of protocols where players may send longer messages. As was discussed below Conjecture 1.5, it is conjectured that even when the players are allowed to broadcast arbitrarily long messages, only resilience against coalitions of size is possible. This question has also been studied in the multi-round setting [RSZ02, RZ01, Fei99]. In this case, if the players are allowed -bit messages, we know of -round protocols resilient against coalitions of size [RZ01, Fei99]. On the other hand, Russell et al. [RSZ02] showed that rounds are necessary if we have the added restriction that in the -th round the players are allowed messages of length . Strengthening this impossibility result to messages of length is another interesting problem that remains open.
- •
The key qualitative point of Theorems 1.1 and 1.2 is that there always exists a coalition of size that can bias the outcome of the protocol towards a particular value. Interestingly, we are not aware of a simpler proof of this weaker qualitative statement even in the case of the uniform measure. The proof techniques introduced in this paper for the highly biased coordinates are more combinatorial and probabilistic in nature; however, the less biased coordinates are ultimately handled by the Fourier-analytic proof of [KKL88]. These Fourier analytic arguments are hard in nature, in the sense that their purpose is to give effective bounds. It would be interesting to find more intuitive combinatorial proofs for these statements, potentially at the cost of obtaining less effective bounds, or by appealing to soft analytic tools such as compactness, at the cost of obtaining no quantitative bounds. We refer the reader to Terence Tao’s blog post [Tao07] for a discussion about hard and soft analysis.
- •
Over the uniform distribution, Kahn et al. [KKL88] proved that there exists no Boolean function that is -resilient against coalitions of size . In this work we show that a similar bound of on resilience holds over arbitrary product distributions. A natural question is whether the in our bound necessary. However, even in the uniform setting there is work left to be done. Here, the best known constructions guarantee resilience against coalitions of size [Mek17, AL93], which is a factor of off from the impossibility result of Kahn, Kalai, and Linial.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[AL 93] Miklós Ajtai and Nathan Linial, The influence of large coalitions , Combinatorica 13 (1993), no. 2, 129–145.
- 2[BKK + 92] Jean Bourgain, Jeff Kahn, Gil Kalai, Yitzhak Katznelson, and Nathan Linial, The influence of variables in product spaces , Israel Journal of Mathematics 77 (1992), no. 1–2, 55–64.
- 3[BOL 89] Michael Ben-Or and Nathan Linial, Collective coin flipping. , Advances in Computing Research 5 (1989), 91–115.
- 4[BOLS 89] Michael Ben-Or, Nathan Linial, and Michael Saks, Collective coin flipping and other models of imperfect randomness , IBM Thomas J. Watson Research Division, 1989.
- 5[CD 89] Benny Chor and Cynthia Dwork, Randomization in Byzantine Agreement , Advances in Computing Research 5 (1989), 443–497.
- 6[CZ 16] Eshan Chattopadhyay and David Zuckerman, Explicit two-source extractors and resilient functions , Annals of Mathematics, to appear (2016), Preliminary version in STOC 2016.
- 7[Dod 06] Yevgeniy Dodis, Fault-tolerant leader election and collective coin-flipping in the full information model , Survey (2006).
- 8[Fei 99] Uriel Feige, Noncryptographic selection protocols , Proceedings of the 40th Annual Symposium on Foundations of Computer Science, IEEE Computer Society, 1999, p. 142.
