Some Lower Bounds in Dynamic Networks with Oblivious Adversaries∗ IrvanJahja HaifengYu NationalUniversityofSingapore NationalUniversityofSingapore [email protected] [email protected] YudaZhao† Grab,Singapore [email protected] Abstract Thispaperconsidersseveralclosely-relatedproblemsinsynchronousdynamicnetworkswith obliviousadversaries,andprovesnovelΩ(d+poly(m))lowerboundsontheirtimecomplexity(in termsofrounds).Heredisthedynamicdiameterofthedynamicnetworkandmisthetotalnumberof nodes. Beforethiswork,theonlyknownlowerboundsontheseproblemsunderobliviousadversaries werethetrivialΩ(d)lowerbounds. Ournovellowerboundsarehencethefirstnon-triviallower boundsandalsothefirstlowerboundswithapoly(m)term. Ourproofreliesonanovelreduction fromacertaintwo-partycommunicationcomplexityproblem. Ourcentralprooftechniqueisunique in the sense that we consider the communication complexity with a special leaker. The leaker helpsAliceandBobinthetwo-partyproblem,bydisclosingtoAliceandBobcertain“non-critical” informationabouttheprobleminstancethattheyaresolving. 1 Introduction Dynamicnetworks[25]isaflourishingtopicinrecentyears. Weconsiderasynchronoussettingwhere them(fixed)nodesinthenetworkproceedinsynchronousrounds. Eachnodehasauniqueidofsize O(logm), and the messages are of size O(logm) as well. The nodes never fail. The topology of the dynamicnetworkcanchangefromroundtoround,asdeterminedbyanadversary,subjecttotheonly constraintthatthetopologyineachroundmustbeaconnectedandundirectedgraph. Thetimecomplexity ofaprotocolisthenumberofroundsneededforallnodestogeneratethefinaloutput,overtheworst-case adversary, worst-case initial values, and average coin flips of the protocol. We consider a number of fundamentaldistributedcomputingproblemswithinsuchacontext: • CONSENSUS: Each node has a binary input. The nodes aim to achieve a consensus (with the standardagreement,validity,andterminationrequirements)andoutputthefinaldecision. • LEADERELECT: Eachnodeshouldoutputtheleader’sid. • CONFIRMEDFLOOD: A certain node ν aims to propagate a token of size O(logm) to all other nodes,andwantstofurtherconfirmthatallnodeshavereceivedthetoken.1 Formally,nodeν’s ∗Theauthorsofthispaperarealphabeticallyordered.ThisworkispartlysupportedbytheresearchgrantMOE2014-T2-2-030 fromSingaporeMinistryofEducationAcademicResearchFundTier-2. †ThisworkwasdonewhilethisauthorwasinNationalUniversityofSingapore 1Suchconfirmationdoesnothavetocomefromexplicitacknowledgements,andcanbeviaimplicitmeans,suchascounting thenumberofrounds. 1 outputiscorrectonlyifbythetimethatν outputs,thetokenhasalreadybeenreceivedbyallthe nodes. (Thevalueoftheoutputisnotimportant.) Theremainingnodescanoutputanytime. • AGGREGATION: EachnodehasavalueofO(logm)bits,andthenodesaimtocomputeacertain aggregationfunctionoverallthesevalues. Weconsidertwospecificaggregationfunctions,SUM and MAX. Let d be the (dynamic) diameter (see definition later) of the dynamic network. (Note that since thetopologyiscontrolledbyanadversary,theprotocolneverknowsdbeforehand.) Givenanoptimal protocolforsolvinganyoftheaboveproblems,lettc(d,m)denotetheprotocol’stimecomplexity,when itrunsovernetworkswithddiameterandmnodes. Itiseasytoseethattc(d,m)cruciallydependsond, sincewetriviallyhavetc(d,m) = Ω(d). Givensuch,thispaperfocusonthefollowingcentralquestion: Ignoringpolylog(m)terms,istc(d,m)independentofthenetworksizem? Answeringthisfundamentalquestionwillrevealwhetherthecomplexityofallthesebasicproblemsis duetothediameterorduetoboththediameterandthenetworksize. Existingresults. Ifthenetworkwerestatic,thenbuildingaspanningtreewouldsolvealltheseproblems ineitherO(d)orO(dlogm)rounds,implyingayesanswertotheabovequestion. Indynamicnetworks, the picture is more complex. In a dynamic network model without congestion (i.e., message size unlimited), Kuhn et al. [23] have proposed elegant upper bound protocols with O(d) complexity for all these problems. Hence the answer is yes as well. For dynamic networks with congestion (i.e., messagesizelimitedtoO(logm)),Yuetal.[32]recentlyhaveprovedthattc(d,m) = O(dlogm)for CONSENSUSand LEADERELECT,ifthenodesknowagoodestimateonm.2 Hencetheanswerisyesin suchcases. Onetheotherhand,ifnodes’estimateonmispoor,3 thenYuetal.[32]provealowerbound ofΩ(d+poly(m))forCONSENSUSandLEADERELECT,implyinganoanswer. ForCONFIRMEDFLOOD andAGGREGATION,theyhavealsoprovedtc(d,m) = Ω(d+poly(m)),evenifthenodesknowm. This impliesanoanswerforthosetwoproblems. All the lower bound proofs in [32], however, critically relies on a powerful adaptive adversary: In each round, the adaptive adversary sees all the coin flip outcomes so far of the protocol P and manipulatesthetopologybasedonthose. Inparticular,ineachroundtheadversaryseeswhethereach nodewillbesending(andcanthenmanipulatethetopologyaccordingly),beforethenodesactuallysend theirmessages. Theirproofbreaksunderobliviousadversaries,whichdonotseeP’scoinflipoutcomes andhavetodecidethetopologiesinalltheroundsbeforeP starts.4 Insummary,ourcentralquestionofwhethertc(d,m)islargelyindependentofthenetworksizem hasbeenansweredin: i)staticnetworks,ii)dynamicnetworkswithoutcongestionunderbothadaptive andobliviousadversaries,andiii)dynamicnetworkswithcongestionunderadaptiveadversaries. Ourresults. Thisworkgivesthelastpieceofthepuzzleforansweringourcentralquestion. Specifically, weshowthatindynamicnetworkswithcongestionandunderobliviousadversaries,forCONSENSUSand LEADERELECT,theanswertothequestionisnowhenthenodes’estimateonmispoor. (Ifthenodes’ estimateonmisgood,resultsfrom[32]alreadyimpliedayesanswer.) Specifically,weproveanovel Ω(d+poly(m))lowerboundon CONSENSUS underobliviousadversaries,whenthenodes’estimateon mispoor. Thisisthefirstnon-triviallowerboundandalsothefirstlowerboundwithapoly(m)term, forCONSENSUSunderobliviousadversaries. ThebestlowerboundbeforethisworkwasthetrivialΩ(d) lowerbound. Our CONSENSUSlowerbounddirectlycarriesoverto LEADERELECTsince CONSENSUS reducesto LEADERELECT[32]. 2Moreprecisely,ifthenodesknowm(cid:48)suchthat|m(cid:48)−m|≤ 1 −cforsomepositiveconstantc.Obviously,thiscoversthe m 3 casewherethenodesknowmitself. 3Moreprecisely,ifthenodesonlyknowsm(cid:48)suchthat|m(cid:48)−m|reaches 1 orabove.Obviously,thiscoversthecasewhere m 3 thenodesdonothaveanyknowledgeaboutm. 4Notehoweverthatallupperbounds,from[23]and[32],willdirectlycarryovertoobliviousadversaries. 2 Our approach will also lead to a Ω(d + poly(m)) lower bound under oblivious adversaries for CONFIRMEDFLOOD, which in turn reduces to SUM and MAX [32]. Such a lower bound similarly givesanoanswerfor CONFIRMEDFLOOD and AGGREGATION. Butsincethelowerboundprooffor CONFIRMEDFLOODissimilartoandinfacteasierthanourCONSENSUSproof,forclarity,wewillnot separatelydiscussitinthispaper. Different adversaries. In dynamic networks, different kinds of adversaries often require different algorithmictechniquesandalsoyielddifferentresults. Henceitiscommonforresearcherstostudythem separately. For example, lower bounds for information dissemination were proved separately, under adaptiveadversaries[16]andthenlaterunderobliviousadversaries[1]. DynamicMISwasinvestigated separatelyunderadaptiveadversaries[20]andlaterunderobliviousadversaries[11]. Broadcastingwas firststudiedunderadaptiveadversaries[21],andlaterunderobliviousadversaries[17]. Our approach. Our novel CONSENSUS lower bound under oblivious adversaries is obtained via a reductionfromatwo-partycommunicationcomplexity(CC)problemcalledGapDisjointnesswithCycle Promise or GDC. Our reduction partly builds upon the reduction in [32] for adaptive adversaries, but hastwomajordifferences. Infact,thesetwonovelaspectsalsomakeourcentralprooftechniquerather unique,whencomparedwithotherworksthatusereductionsfromCCproblems[12,15,24]. ThefirstnovelaspectisthatwereducefromGDCwithaspecialleakerthatwedesign. Theleaker is an oracle in the GDC problem, and is separate from the two parties Alice and Bob . It helps Alice and Bob, by disclosing to them certain “non-critical” information in the following way. For a CC problem Π, let Π (X,Y) be the answer to Π for length-n inputs X and Y. Let x and y denote the n i i i-thcharacterofX andY,respectively. Apair(a,b)isdefinedtobealeakablepairifforalln,X,Y, andi ∈ [0,n],Π (x x ...x ,y y ...y ) = Π (x x ...x ax x ...x ,y y ...y by y ...y ). n 1 2 n 1 2 n n+1 1 2 i i+1 i+2 n 1 2 i i+1 i+2 n Intuitively,insertingorremovingaleakablepairdoesnotimpacttheanswertoΠ. Foreachindexiwhere (x ,y )isleakable,independentlywithprobability 1,ourleakerleakstheindexi,bylettingbothAlice i i 2 andBobknowforfreethevalueofiandthevalueofthepair(x ,y ),beforeAliceandBobstartrunning i i theirprotocol. OurreductionfromGDC(withourleaker)toCONSENSUSstilldoesnotallowustodirectlyusean obliviousadversary. Instead,asthesecondnovelaspect,wewilluseaspecialkindofadaptiveadversaries which we call sanitized adaptive adversaries. These adversaries are still adaptive, but their adaptive decisionshavebeen“sanitized”bytakingXORwithindependentcoinflips. Wethenshowthatasanitized adaptiveadversaryisnomorepowerfulthananobliviousadversary,intermsofincurringthecostofa protocol. 2 Related Work Thissectiondiscussesrelatedworksbeyondthosealreadycoveredintheprevioussection. RelatedworkonCONSENSUSandLEADERELECT. GiventheimportanceofCONSENSUSandLEAD- ERELECTindynamicnetworks,thereisalargebodyofrelatedeffortsandwecanonlycoverthemost relevant ones. In dynamic networks without congestion, Kuhn et al. [23] show that the simultaneous consensus problem has a lower bound of Ω(d+poly(m)) round. In this problem, the nodes need to output their consensus decisions simultaneously. Their knowledge-based proof exploits the need for simultaneous actions, and does not apply to our setting. Some other researchers (e.g., [3, 4, 5]) have studiedCONSENSUSandLEADERELECTinadynamicnetworkmodelwherethesetofnodescanchange andwherethetopologyisanexpander. Theirtechniques(e.g.,usingrandomwalks)criticallyreplyonthe expanderpropertyofthetopology,andhencedonotapplytooursetting. Augustineetal.[2]haveproved anupperboundofO(dlogm)forLEADERELECTindynamicnetworkswhileassumingdisknowntoall nodes. Thisdoesnotcontradictwithourlowerbound,sincewedonotassumetheknowledgeofd. Certain CONSENSUSandLEADERELECTprotocols(e.g.,[19])assumethatthenetwork’stopologyeventually stopschanging,whichisdifferentfromoursettingwherethechangedoesnotstop. CONSENSUS and 3 LEADERELECThavealsobeenstudiedindirecteddynamicnetworks(e.g.,[8,14,28,29]),whichare quite different from our undirected version. In particular, lower bounds there are mostly obtained by exploitingthelackofguaranteedbidirectionalcommunicationindirectedgraphs. Our AGGREGATION problemconsidersthetwoaggregationfunctionsSUMandMAX. Cornejoetal.[13]considersadifferent aggregationproblemwherethegoalistocollectdistributedtokens(withoutcombiningthem)toasmall numberofnodes. Someotherresearch(e.g.,[9])onAGGREGATIONassumesthatthetopologyiseach roundisa(perfect)matching,whichisdifferentfromoursettingwherethetopologymustbeconnected. RelatedworkonreductionsfromCC.Reducingfromtwo-partyCCproblemstoobtainlowerbounds fordistributedcomputingproblemhasbeenapopularapproachinrecentyears. Forexample,Kuhnet al.[24]andDasSarmaetal.[15]haveobtainedlowerboundsonthehear-fromproblemandthespanning tree verification problem, respectively, by reducing from DISJOINTNESS. In particular, Kuhn et al.’s √ resultssuggestthatthehear-fromproblemhasalowerboundofΩ(d+ m/logm)indirectedstatic networks. Chenetal.’swork[12]oncomputing SUM instaticnetworkswithnodefailureshasuseda reduction from the GDC1,q problem. Our reduction in this paper is unique, in the sense that none of n thesepreviousreductionsusethetwokeynoveltechniquesinthiswork,namelyCCwithourleakerand sanitizedadaptiveadversaries. RelatedworkonCC.Tothebestofourknowledge,wearethefirsttoexploittheCCwithaleakerin reductionstodistributedcomputingproblemssuchas CONSENSUS. Ourleakerservestoallowoblivious adversaries. Quite interestingly, for completely different purposes, the notions of leakable pairs and a leaker have been extensively (but implicitly) used in proofs for obtaining direct sum results on the informationcomplexity(IC)(e.g.,[6,10,31])ofvariouscommunicationproblems: First,leakablepairs havebeenusedtoconstructacollapsinginput,forthepurposeofensuringthattheanswertotheproblem Πisentirelydeterminedby(x ,y )atsomeindexi. Second, an(implicit)leakerhasoftenbeenused i i (e.g.,in[10,31])toenableAliceandBobtodraw(X,Y)fromanon-productdistribution. Becauseofthefundamentallydifferentpurposesofleaking,ourleakerdiffersfromthose(implicit) leakersusedinworksonIC,invariousspecificaspects. Forexampleinourwork,allleakablepairsare subjecttoleaking,whileintheworksonIC,thereissomeindexithatisneversubjecttoleaking. Also, whenourleakerleaksindexj,itdisclosesbothx andy tobothAliceandBob. Incomparison,inworks j j on IC, the (implicit) leaking is usually done differently: For example, Alice and Bob may use public coinstodrawx andBobmayusehisprivatecoinstodrawy . Doingso(implicitly)disclosesx to j j j bothAliceandBoband(implicitly)disclosesy onlytoBob. j AkeytechnicalstepinourworkistoprovealowerboundontheCCofGDCg,q withourleaker. For n simplerproblemssuchas DISJOINTNESS (whichiseffectively GDC1,2), webelievethatsuchalower n boundcouldalternativelybeobtainedbystudyingitsICwithourleaker. Butthegappromiseandthe cycle promise in GDCg,q make IC arguments rather tricky. Hence we will (in Section 8) obtain our n g,q intendedlowerboundbydoingadirectreductionfromtheCCof GDC withouttheleakertotheCCof n(cid:48) GDCg,q withtheleaker. n 3 Model and Definitions Conventions. All protocols in this paper refer to Monte Carlo randomized algorithms. We always considerpubliccoinprotocols, whichmakesourlowerboundsstronger. Alllog isbase2,whilelnis base e. Upper case fonts (e.g., X) denote strings, vectors, sets, etc. Lower case fonts (e.g., x) denote scalarvalues. Inparticular,ifX isastring,thenx meansthei-thelementinX. Boldfonts(e.g.,Xand i x)refertorandomvariables. Blackboardboldfonts(e.g.,D)denotedistributions. Wewritex ∼ Difx followsthedistributionD. Scriptfonts(e.g.,P andQ)denoteeitherprotocolsoradversaries. Dynamic networks. We consider a synchronous dynamic network with m fixed nodes, each with a uniqueidof Θ(logm)bits. A protocolinsucha networkproceedsinsynchronous rounds, andstarts executingonallnodesinround1. (Clearlysuchsimultaneousstartmakesourlowerboundstronger.) 4 Ineachround,eachnodeυ firstdoessomelocalcomputation,andthenchoosestoeithersendasingle messageofO(logm)sizeorreceive. Allnodeswhoareυ’sneighborsinthatroundandarereceivingin thatroundwillreceiveυ’smessageattheendoftheround. Anodewithmultipleneighborsmayreceive multiplemessages. Thetopologyofthenetworkmaychangearbitrarilyfromroundtoround,asdeterminedbysome adversary, exceptthatthetopologyineachroundmustbeaconnectedundirectedgraph. (Thisisthe sameasthe1-intervalmodel[22].) Anodedoesnotknowthetopologyinaround. Itdoesnotknowits neighborseitherunlessitreceivesmessagesfromtheminthatround. Section1alreadydefinedoblivious adversariesandadaptiveadversaries. Inparticularineachround,anadaptiveadversaryseesallP’scoin flipoutcomesuptoandincludingthecurrentround,andmanipulatesthetopologyaccordingly,beforeP usesthecurrentround’scoinflipoutcomes. Weusethestandarddefinitionforthe(dynamic)diameter[25]ofadynamicnetwork: Intuitively,the diameterofadynamicnetworkistheminimumnumberofroundsneededforeverynodetoinfluenceall othernodes. Formally,wesaythat(ω,r) → (υ,r+1)ifeitherω isυ’sneighborinroundr orω = υ. Thediameterdofadynamicnetworkisthesmallestdsuchthat(ω,r) (cid:32) (υ,r+d)forallω,υ,andr, where“(cid:32)”isthetransitiveclosureof“→”. Sincethetopologyiscontrolledbyanadversary,aprotocol neverknowsdbeforehand. Communicationcomplexity. Inatwo-partycommunicationcomplexity(CC)problemΠ ,Aliceand n Bob each hold input strings X and Y respectively, where each string has n characters. A charac- ter here is q-ary (i.e., an integer in [0,q − 1]) for some given integer q ≥ 2. For any given i, we sometimes call (x ,y ) as a pair. Alice and Bob aim to compute the value of the binary function i i Πn(X,Y). GivenaprotocolP forsolvingΠ(withoutaleaker),wedefinecc(P,X,Y,CP)tobethe communicationincurred(intermsofnumberofbits)byP,undertheinput(X,Y)andP’scoinflipout- comesCP. NotethatCP isarandomvariablewhilecc()isadeterministicfunction. Wesimilarlydefine err(P,X,Y,CP),whichis1ifP’soutputiswrong,and0otherwise. Wedefinethecommunicationcom- plexityofP tobecc(P) = maxXmaxY ECP[cc(P,X,Y,CP)],andtheerrorofP tobeerr(P) = maxXmaxY ECP[err(P,X,Y,CP)]. We define the δ-error (0 < δ < 12) communication complexity of Π to be R (Π ) = mincc(P), with the minimum taken over all P where err(P) ≤ δ. For n δ n convenience,wedefineR (Π ) = 0andR (Π ) = R (Π )fornon-integera. δ 0 δ a δ (cid:98)a(cid:99) Communication complexity with our leaker. We define similar concepts for CC with our leaker. Section 1 already defined leakable pairs and how our leaker works. Given P for solving Π with our leaker,cc(P,X,Y,CP,CL)isthecommunicationincurredbyP,undertheinput(X,Y),P’scoinflip outcomesCP,andtheleaker’scoinflipoutcomesCL. Here(X,Y)andCL uniquelydeterminewhich indices get leaked. We define cc(P) = maxXmaxY ECLECP[cc(P,X,Y,CP,CL)]. We similarly define err(P,X,Y,CP,CL) and err(P). Finally, we define the δ-error (0 < δ < 1) communication 2 complexityofΠ withourleaker,denotedasL (Π ),tobeL (Π ) = mincc(P),withtheminimum n δ n δ n taken over all P such that P solves Π with our leaker and err(P) ≤ δ. Note that we always have n L (Π ) ≤ R (Π ). δ n δ n 4 Preliminaries on Gap Disjointness with Cycle Promise Thesectiondefinesthetwo-party GDCproblemanddescribessomebasicpropertiesof GDC. Definition1(GapDisjointnesswithCyclePromise). InGapDisjointnesswithCyclePromise,denoted asGDCg,q,AliceandBobhaveinputstringsX andY,respectively. X andY eachhavencharacters, n andeachcharacterisanintegerin[0,q−1]. AliceandBobaimtocomputeGDCg,q(X,Y),definedtobe n 1if(X,Y)containsno(0,0)pair,and0otherwise. Theproblemcomeswiththefollowingtwopromises: • Gappromise: (X,Y)containseitherno(0,0)pairoratleastg suchpairs. 5 • Cyclepromise[12]: Foreachindexi,x andy satisfyexactlyoneofthefollowingfourconditions: i i i)x = y = 0,ii)x = y = q−1,iii)x = y +1,oriv)x = y −1. i i i i i i i i Onecaneasilyverifythatthecyclepromiseistriviallysatisfiedwhenq = 2. Itisalsoeasytosee GD1,2 degeneratestotheclassic DISJOINTNESS problem. Thegappromiseandthecyclepromisestart n toimposematerialrestrictionswheng ≥ 2andq ≥ 3,respectively. Forexampleforg = 2andq = 4, X = 02103andY = 03003satisfyboththetwopromises,where(X,Y)contains2pairsof(0,0),at indices1and4. ThefollowingresultontheCCof GDCisasimpleadaptionfromtheresultin[12]: Theorem1. Foranyδ where0 < δ < 0.5,thereexistconstantsc > 0andc > 0suchthatforalln,g, 1 2 andq,Rδ(GDCgn,q) ≥ cg1qn2 −c2log ng. Proof. First, weshowRδ(GDC1n,/qg) ≤ Rδ(GDCgn,q), viaasimplereduction: Givenanoracleprotocol P for solving GDCg,q, we construct a protocol Q for solving GDC1,q . In Q, Alice replicates her n n/g length-(n/g)inputgtimestogetalength-ninput. Bobdoesthesame. AliceandBobtheninvokeP and outputP’soutput. Itiseasytoverifythecorrectnessofthistrivialreduction. Next,thetheoremdirectly followsfromanexistingresultfromChenetal.[12]showingthatRδ(GDC1n,/qg) ≥ cg1qn2 −c2log ng. ForGDC,all(0,0)pairsarenon-leakable,whileallotherpairsareleakable. ForexampleforX = 02103 and Y = 03003, those 3 pairs at index 2, 3, and 5 are leakable. The proof of Theorem 1 leveraged Rδ(GDCgn,q) ≥ Rδ(GDC1n,/qg). ItisimportanttonotethatLδ(GDCgn,q) ≥ Lδ(GDC1n,/qg)doesnotholdin general. (Weomitacounter-examplehereduetospacelimitations.) Inparticular,thepreviousreduction failsforL : AfterAlicereplicatesherlength-(n/g)inputg times,theleaker(overthelength-ninput) δ mayleakdifferentpartsineachoftheg segments,andAlicecannotsimulatesuchbehavior. Hencewhen laterprovingthelowerboundonLδ(GDCgn,q),wewillhavetoworkwiththegappromisedirectly,instead ofobtainingthelowerboundviaLδ(GDCn1,/qg). 5 Review of Existing Proof under Adaptive Adversaries This section gives an overview of the recent CONSENSUS lower bound proof [32] under adaptive adversaries. Thatproofisquitelengthyandinvolved,hencewewillstayatthehigh-level,whilefocusing onaspectsthataremorerelevanttothispaper. Overview. Consider any oracle CONSENSUS protocol P with 1 error. Let tc(d,m) be P’s time 10 complexity,whenrunningoverdynamicnetworkcontrolledbyadaptiveadversariesandwithddiameter and m nodes. The proof in [32] is mainly for proving tc(8,m) = Ω(poly(m)). The proof trivially extends to tc(d,m) for all d ≥ 8. Combining with the trivial Ω(d) lower bound will lead to the final lowerboundofΩ(d+poly(m)). To prove tc(8,m) = Ω(poly(m)), [32] uses a reduction from GDCg,q to CONSENSUS. To solve n GDCg,q(X,Y), Alice knowing X and Bob knowing Y simulate the CONSENSUS protocol P in the n followingway: Inthesimulation,theinput(X,Y)ismappedtoadynamicnetwork. Roughlyspeaking, ifGDCg,q(X,Y) = 1,theresultingdynamicnetworkwillhaveadiameterof8. HenceP shoulddecide n withinr1 = tc(8,m)roundsonexpectation. If GDCgn,q(X,Y) = 0,thentheresultingdynamicnetwork willhaveadiameterofroughly q. Itisthenshown[32]thatP musttaker = Ω(q)roundstodecidein 2 2 dynamicnetworkswithsuchadiameter. Thevalueofq ischosen,asafunctionoftc(8,m),suchthat r2 > 10r1. AliceandBobdeterminetheanswerto GDCbasedonwhenP decides: IfP decideswithin 10r1 rounds,theyclaimthat GDCgn,q(X,Y) = 1. Otherwisetheyclaim GDCgn,q(X,Y) = 0. Tosolve GDCusingtheabovesimulation,AliceandBobneedtosimulateP for10r1 = 10tc(8,m) rounds. Ineachround,toenablethesimulationtocontinue,AliceandBobwillneedtoincurO(logm) bitsofcommunication. Hencealtogether,theyincur10tc(8,m)·O(logm)bitsforsolving GDCg,q. The n lowerboundontheCCof GDCg,q thenimmediatelytranslatestoalowerboundontc(8,m). n 6 t t+1 t+2 t t+1 t+2 i i i i i i (a)ν issendinginroundt +1 (b)ν isreceivinginroundt +1 i i Figure1: Theadaptivedecisionsoftheadversaryin[32]. Crux of the proof. When solving GDC, Alice only knows X and not Y. This means that Alice does notactuallyhavethefullknowledgeofthedynamicnetwork,whichisafunctionof(X,Y). Hencethe proof’scentraldifficultyistodesignthedynamicnetworkinsuchawaythatAlicecanneverthelessstill properlysimulateP overthatdynamicnetwork. Theproofin[32]overcomesthiskeydifficultybyi) leveraging the cycle promise in GDC, and ii) using an adaptive adversary — in particularly, using an adaptiveadversaryishighlighted[32]asakeytechnique. Wegiveaconcisereviewbelow. Given (X,Y), the dynamic network constructed in [32] has one chain for each index i ∈ [1,n]. Eachchainhas3nodeinaline(Figure1). Considerasanexamplethei-thchainwherex = 0. Since i x = 0,y mustbeeither0or1(bythecyclepromise). Thesetofedgesonthischainwillbedifferent i i dependingonwhethery is0or1—thisservestomakethediameterofthedynamicnetworkdifferent i when GDC = 1andwhen GDC = 0,asdiscussedearlier. ThedifficultyforAlice,isthatshedoesnot knowy ,andhencedoesnotknowtheexactsetofedgesonthischain. Thispreventsherfromproperly i simulatingthosenodesthatsheneedtosimulateforthischain. SimilardifficultyappliestoBob. Toovercomethisdifficulty,ifapair(x ,y )isnot(0,0),theadversaryin[32]willmakeanadaptive i i decisionformanipulatingtheedgesonthei-thchain,5 tohelpenableAlice(andalsoBob)tosimulate. The cycle promise already tells us that for given x (e.g., 0), there are two possibilities for y (e.g., 0 i i and1). Theadaptivedecisionsoftheadversarywillhavethefollowingendeffects: Underthetopology resulted from such adaptive decisions, the behavior of those nodes that Alice needs to simulate will dependonlyonx andnolongerdependony . AsimilarpropertyholdsforBob. i i Thedetailsonwhythoseadaptivedecisionscanachievesuchendeffectsarecomplex,andarerelated tothefundamentalfactthatanodedoesnotknowitsneighborsinarounduntilitreceivesmessagesfrom them. Atthesametime,thosedetailsareentirelyorthogonaltothiswork. Henceduetospacelimitations, we refer interested readers to [32] for such details. Here we will only describe the specifics of all the adaptivedecisionsmadebytheadversary,whichisneededforourlaterdiscussion: Consideranyiwhere (x ,y )isnot(0,0). Atthebeginningofroundt +1wheret issomefunctionofx andy ,theadversary i i i i i i examinesthecoinflipoutcomesofP anddetermineswhetherthemiddlenodeν onthei-thchainis sendingorreceivinginroundt +1(seeFigure1). Ifν issending,theadversaryremovesacertainedge i ethatisincidentaltoν,immediatelyinroundt +1. Otherwisetheadversarywillremovetheedgeein i roundt +2. Excepttheseadaptivedecisions,theadversarydoesnotmakeanyotheradaptivedecisions. i Inparticular,theadversarydoesnotneedtomakeadaptivedecisionsforchainscorrespondingto(0,0). 6 Roadmap for Lower Bound Proof under Oblivious Adversaries Thissectionprovidestheintuitionbehind,andtheroadmapfor,ournovelproofof CONSENSUSlower boundunderobliviousadversaries. Some concepts. To facilitate discussion, we define a few simple concepts. Consider the i-th chain in theprevioussectionwhere(x ,y )isnot(0,0),andthemiddlenodeν onthechain. Wedefinebinary i i randomvariablez = 0ifν issendinginroundt +1,anddefinez = 1otherwise. WeuseA(cid:48) todenote i 5Intheactualproof,theadversaryonlyneedstomakeadaptivedecisionsforasubset(usuallyaconstantfraction)ofsuch chains.Butitismucheasiertounderstandifwesimplylettheadversarymakeanadaptivedecisiononallofthem.Doingso hasnoimpactontheasymptoticresults. 7 theadaptiveadversarydescribedintheprevioussection. WedefineλA(cid:48) tobetheadaptivedecisionmade byA(cid:48),whereA(cid:48) removestheedgeeinroundti+1+λA(cid:48). Withtheseconcepts,A(cid:48) essentiallysetsits decisionλA(cid:48) tobeλA(cid:48) = z. Makingguesses. A(cid:48) isadaptivesinceλA(cid:48) dependsonz,andzinturnisafunctionofP’scoinflips. AnobliviousadversaryA cannothaveitsdecisionλA dependonz. Atthehighestlevel, ourideaof allowingA inthereductionissimple: WeletA makeablindguessonwhetherν issending. Specifically, imagine that A itself flips a fair coin c, and then directly set its decision to be λA = c. Same as A(cid:48), A stillremovestheedgeeinroundti +1+λA,exceptthatnowλA = c. Somequickclarifications willhelptoavoidconfusionhere. First,suchaguesscmaybeeithercorrect(i.e.,c = z)orwrong(i.e., c = z¯). A itself cannot tell whether the guess is correct, since A (being oblivious) does not know z. AliceandBob,however,cantelliftheguessiscorrect,becausetheyaresimulatingboththeprotocolP andtheadversaryA,andhenceknowbothzandc. Buttheycannotinterferewiththeguessevenifthey knowitiswrong. Nowiftheguessiscorrect,thenthedecisionofA willbeexactlythesameasA(cid:48),andeverything willworkoutasbefore. Butiftheguessiswrong,thenA cannolongerenableAlicetosimulatewithout knowingY. Morespecifically,iftheguessiswrong,thenforthei-thchain,thebehaviorofthosenodes thatAliceneedstosimulatewilldependonthevalueofy ,andAlicedoesnotknowy . Toovercomethis i i mainobstacle,ourkeyideaistoaddaspecialleakerentityinthetwo-partyCCproblem,whichshould beviewedasanoraclethatisseparatefromAliceandBob. Iftheguessiswrongforthei-thchain,the leakerwilldiscloseforfreetoAliceandBobthepair(x ,y ). Theknowledgeofy thenimmediately i i i enablesAlicetoinfertheexactbehaviorofthenodesthatsheneedstosimulate. Similarargumentsapply toBob. Roadmap. Therearetwonon-trivialtechnicalissuesremainingintheaboveapproach: i)whentomake guesses, and ii) how the leaker impacts the CC of GDC. Overcoming them will be the main tasks of Section7and8,respectively. Section9willpresentourfinalCONSENSUSlowerbound,whoselengthy andsomewhattediousproofisdeferredtotheappendix. 7 Sanitized Adaptive Adversaries The difficulty. It turns out that it does not quite work for Alice and Bob to approach the leaker for help when they feel needed. Consider the following example GDC2,4 instance with X = 000000 and 6 Y = 111100. As explained in Section 5, the dynamic network corresponding to this instance has six chains. Foralli,wesaythatthei-thchainisan“|a chain”ifx = aandy = b. Thefirstfourchainsin b i i thedynamicnetworkarethusall|0 chains,whiletheremainingtwoare|0 chains. Theadaptiveadversary 1 0 A(cid:48) in[32](seeSection5)willmakeadaptivedecisionsforall|0 chains,butdoesnotneedtodosofor|0 1 0 chains. ApplyingtheideafromSection6,theobliviousadversaryA shouldthusmakeguessesforthose four|0 chains. NotethatA needstobesimulatedbyAliceandBob. ThedifficultyisthatAlicedoesnot 1 knowforwhichchainsaguessshouldbemade,sinceshedoesnotknowwhichchainsare|0 chains. In 1 factifsheknew,shewouldhavealreadysolved GDCinthisinstance. SimilarargumentsapplytoBob. Anaivefixistosimplymakeaguessforeachofthesixchains. Imaginenowthattheguessturnsoutto bewrongforthelastchain,whichisa|0chain. AliceandBobwillthenasktheleakertodisclose(x ,y ). 0 6 6 Suchdisclosureunfortunatelydirectlyrevealstheanswertothe GDCinstance. Thisinturn,reducesthe CCof GDCto0,renderingthereductionmeaningless. (Refusingtodisclose(x6,y6)obviouslydoesnot workeither,sincetherefusalitselfrevealstheanswer.) Our idea. To overcome this, we do not let Alice and Bob decide for which chains the adversary A should make a guess. Instead, we directly let our leaker decide which indices should be leaked: For everyiwhere(x ,y ) (cid:54)= (0,0),theleakerleaksthepair(x ,y )withhalfprobability,tobothAliceand i i i i Bob. Intheearlierexample,theleakerwillleakeachoftheindices1through4independentlywithhalf 8 probability. Foranygiveni,definebinaryrandomvariables = 1ifftheleakerleaksindexi. Ifs = 1,thenAlice andBobwill“fabricate”awrongguessfortheadversaryA thattheyaresimulating,sothattheguess of A is wrong (and hence index i needs to be leaked). Specifically, Alice and Bob examine the coin flipoutcomesoftheprotocolP todeterminethevalueofz,andthensettheguesscofA tobec = z¯. (Recallthatzindicateswhetherthemiddlenodeissendinginroundt +1.) Insuchacase,thedecision i λA ofA willbeλA = c = z¯. Ontheotherhand, ifs = 0(meaningthatindexiisnotleaked), then AliceandBobletA behaveexactlythesameastheadaptiveadversaryA(cid:48) inSection5. Inparticular,if A(cid:48) makesanadaptivedecisionλA(cid:48) = zforthischain,thenthedecisionλA ofA willalsobeλA = z (i.e.,asifA guessedcorrectly). CombiningthetwocasesgivesλA = z⊕s. ObviouslyA hereisnolongeroblivious(sinceλA nowdependsonz),whichseemstodefeatthe wholepurpose. Fortunately,thisadaptiveadversaryA isspecialinthesensethatalltheadaptivity(i.e., z) has been “sanitized” by taking XOR with the independent coin of s. Intuitively, this prevents A fromeffectivelyadapting. ThefollowingdiscussionwillformalizeandprovethatsuchanA isnomore powerfulthananobliviousadversary,intermsofincurringthecostofaprotocol. Formalframeworkandresults. Withoutlossofgenerality,weassumethatanadversarymakesbinary decisionsthatfullydescribethebehavioroftheadversary. Anadversaryisdeterministicifitsdecisions arefixedgiventheprotocol’scoinflipoutcomes,otherwiseitisrandomized. Consideranydeterministic adaptive adversary A(cid:48). A decision λA(cid:48) made by A(cid:48) is called adaptive if λA(cid:48) can be different under differentcoinflipoutcomesoftheprotocol. ArandomizedadaptiveadversaryA iscalledasanitized version of A(cid:48), if A behaves the same as A(cid:48) except that A sanitizes all adaptive decisions made by A(cid:48) andalsoanarbitrary(possiblyempty)subsetofthenon-adaptivedecisionsmadebyA(cid:48). HereA sanitizesadecisionλA(cid:48) madebyA(cid:48) bysettingitsowndecisionλA tobeλA = λA(cid:48) ⊕s,wheresisa separatefaircoinandisindependentofallothercoins. WealsocalltheaboveA asasanitizedadaptive adversary. In our discussion above, λA(cid:48) = z, while λA = z⊕s = λA(cid:48) ⊕s. The following simple theoremconfirmsthatA isnomorepowerfulthananobliviousadversary(seeproofintheappendix): Theorem2. Letcost(P,A,CP,CA)beanydeterministicfunction(whichtheadversaryaimstomaxi- mize)oftheprotocolP,theadversaryA,thecoinflipoutcomesCP ofP,andthecoinflipoutcomes CA (ifany)thatmayalsoinfluencethebehaviorofA. ForanyprotocolP,anydeterministicadaptive adversaryA(cid:48),anditssanitizedversionA,thereexistsadeterministicobliviousadversaryB suchthat ECP[cost(P,B,CP,−)] ≥ ECP,CA[cost(P,A,CP,CA)]. Furthermore,foreveryCP inthesupport ofCP,thereexistsCA inthesupportofCA,suchthatB’sdecisionsareexactlythesameasthedecisions madebyA underCP andCA. Summaryofthissection. RecallthatA(cid:48) denotestheadaptiveadversaryusedin[32]andreviewedin Section5. Basedonthediscussioninthissection,ourreductionfromGDC(withaleaker)toCONSENSUS willuseasanitizedadaptiveadversaryA forthedynamicnetwork. A behavesexactlythesameasA(cid:48) except: For each i-th chain where A(cid:48) makes an adaptive decision λA(cid:48) for that chain, A sets its own decisionλA forthatchaintobeλA = λA(cid:48) ⊕s. Heresdenoteswhetherindexiisleakedbytheleaker. Theorem2confirmsthattheconsensusprotocolP’sendguarantees,eventhoughP wasdesignedto workagainstobliviousadversariesinsteadofadaptiveadversaries,willcontinuetoholdunderA. 8 Communication Complexity with The Leaker To get our final CONSENSUS lower bound , the next key step is to prove a lower bound on the CC of GDCwiththeleaker. Atfirstthought,onemaythinkthathavingtheleakerwillnotaffecttheCCofGDC much,sincei)theleakablepairshavenoimpactontheanswertotheproblemandarehence“dummy” parts,andii)theleakeronlyleaksabouthalfofsuch“dummy”parts. Asaperhapssurprisingexample, 16√nln1,2 √ Lemma1intheappendixshowsthathavingtheleakerreducestheCCofGDCn δ fromΩ( n)to 9 0. Thisimpliesthattheimpactoftheleakerismoresubtlethanexpected. Inparticular,withoutacareful investigation,itisnotevenclearwhethertheCCofGDCwithourleakerislargeenoughtotranslateto ourintendedΩ(d+poly(m))lowerboundon CONSENSUS. Thissectionwillthusdoacarefulinvestigationandeventuallyestablishaformalconnectionbetween theCCwiththeleaker(L )andtheCCwithouttheleaker(R ): δ δ Theorem3. Foranyconstantδ ∈ (0, 1),thereexistconstantsc > 0andc > 0suchthatforalln,g, √ 2 1 2 q,andn(cid:48) = c2 n/(q1.5logq),Lδ(GDCgn,q) ≥ c1Rδ(GDCgn,(cid:48)q). LaterwewillseethatthelowerboundonGDCwithourleakerasobtainedintheabovetheorem(combined withTheorem1)issufficientforustogetafinalΩ(d+poly(m))lowerboundon CONSENSUS. The theoremactuallyalsoholdsformanyotherproblemsbeyondGDC,thoughwedonotpresentthegeneral formhereduetospacelimitations. 8.1 OurApproachandKeyIdeas While we will only need to prove Theorem 3 for GDC, we will consider general two-party problem Π,sincethespecificsof GDC arenotneededhere. WewillproveTheorem3viaareduction: Wewill construct a protocol Q for solving Π without the leaker, by using an oracle protocol P for solving n(cid:48) Π with the leaker, where n(cid:48) is some value that is smaller than n. Such a reduction will then lead to n R (Π ) = O(L (Π )). δ(cid:48) n(cid:48) δ n We will call each kind of leakable pairs as a leakable pattern. For example, GDC1,2 has leakable n patternsof(1,1),(0,1),and(1,0). NotethatleakablepatternsaredeterminedbytheproblemΠandnot byaninstanceoftheproblem. Weusek ∈ [0,q2]todenotethetotalnumberofleakablepatternsforΠ whoseinputsareq-arystrings. For GDCg,q,k = 2q−1. n Simulatingtheleakerviapaddedpairs. ThecentraldifficultyinthereductionisthatAliceandBob runningQ needtosimulatetheleaker,inordertoinvoketheoracleprotocolP. (NotethatP hereisthe two-partyprotocol,andhasnothingtodowiththe CONSENSUSprotocol.) Thisisdifficultbecauseeach partyonlyknowsher/hisowninput. Ourfirststeptoovercomethisdifficultyistopadknowncharacters totheinputsandthenleakonlythosepaddedcharacters,asexplainednext. Let(X(cid:48),Y(cid:48))bethegiveninputtoQ. Assumeforsimplicitythat(2,1)istheonlyleakablepattern inΠ,andconsidertheprobleminstanceinFigure2whereX(cid:48) = 02andY(cid:48) = 01. AliceandBobwill append/padacertainnumberofoccurrencesofeachleakablepatternto(X(cid:48),Y(cid:48)). Let(X,Y)denotethe resultingstringsafterthepadding. IntheexampleinFigure2,AliceandBobappend1occurrenceof (2,1) to (X(cid:48),Y(cid:48)) — or more specifically, Alice appends 2 to X(cid:48) and Bob appends 1 to Y(cid:48). Doing so givesX = 022andY = 011. Notethatdoingsodoesnotinvolveanycommunication,sincetheleakable patternsarepubliclyknown. ImaginethatAliceandBobnowinvokeP using(X,Y),whereX = 022 andY = 011. Notethatthetwo-partyprotocolP assumesthehelpfromourleaker. AliceandBobcan easilysimulatetheleakingof(x ,y ),since(x ,y )isthepaddedpairandtheybothknowthatthepair 3 3 3 3 isexactly(2,1). However,(x ,y )isalsoaleakablepair. AliceandBobstillcannotsimulatetheleaking 2 2 ofthispair,sincethispairoriginatedfrom(X(cid:48),Y(cid:48))andtheydonotknowthevalueofthispair. Toovercomethis,AliceandBobusepubliccoinstogeneratearandompermutation,andthenusethe permutationtopermuteX andY,respectively(Figure2). Thisstepdoesnotinvolvecommunication. ForcertainproblemsΠ(e.g.,for GDC),onecaneasilyverifythatsuchpermutationwillnotaffectthe answertoΠ. Suchpermutationproducesaninterestingeffect,asillustratedinFigure2. Theupperpart ofFigure2plotsthe6possibleoutcomesafterthepermutation,forourearlierexampleofX = 022and Y = 011. Beforethepermutation,thelastpairin(X,Y)isapaddedpair. ImaginethatAliceandBob leakthispair. Nowafterthepermutation,thisleakedpairwilloccupydifferentindicesinthe6outcomes ofthepermutation. The bottom part of Figure 2 illustrates the (real) leaker’s behavior over certain inputs. To help understanding,assumehereforsimplicitythattheleakerleaksexactlyhalfofalltheleakablepairs. Now 10