Communication-Rounds Tradeoffs for Common Randomness and Secret Key Generation

by   Mitali Bafna, et al.
Harvard University

We study the role of interaction in the Common Randomness Generation (CRG) and Secret Key Generation (SKG) problems. In the CRG problem, two players, Alice and Bob, respectively get samples X_1, X_2, ... and Y_1, Y_2, ... with the pairs (X_1, Y_1), (X_2, Y_2), ... being drawn independently from some known probability distribution μ. They wish to communicate so as to agree on L bits of randomness. The SKG problem is the restriction of the CRG problem to the case where the key is required to be close to random even to an eavesdropper who can listen to their communication (but does not have access to the inputs of Alice and Bob). In this work, we study the relationship between the amount of communication and the number of rounds of interaction in both the CRG and the SKG problems. Specifically, we construct a family of distributions μ = μ_{r,n,L}, parametrized by integers r, n and L, such that for every r there exists a constant b = b(r) for which CRG (respectively SKG) is feasible when (X_i, Y_i) ∼ μ_{r,n,L} with r+1 rounds of communication, each consisting of O(log n) bits, but when restricted to r/2 - 3 rounds of interaction, the total communication must exceed Ω(n/log^b(n)) bits. Prior to our work no separations were known for r ≥ 2.




1 Introduction

1.1 Problem Definition

In this work, we study the Common Randomness Generation (CRG) and Secret Key Generation (SKG) problems — two central questions in information theory, distributed computing and cryptography — and study the need for interaction in solving these problems.

In the CRG problem, two players, Alice and Bob, have access to correlated randomness, with Alice being given , and Bob being given , where are drawn i.i.d from some known probability distribution . Their goal is to agree on bits of entropy with high probability while communicating as little as possible. In the SKG problem, the generated random key is in addition required to be secure against a third player, Eve, who does not have access to the inputs of Alice and Bob but who can eavesdrop on their conversation. The CRG and SKG settings are illustrated in Figures 1 and 2 respectively.

Common random keys play a fundamental role in distributed computing and cryptography. They can often be used to obtain significant performance gains that would otherwise be impossible using deterministic or private-coin protocols. Under the additional secrecy constraints, the generated keys are of crucial importance as they can be used for encryption – a central goal of cryptography.

Figure 1: Common Randomness Generation (CRG)
Figure 2: Secret Key Generation (SKG)

This paper investigates the tradeoff between rounds and communication for protocols for common randomness and secret key generation: We start with some terminology needed to describe our problem. We say that a communication protocol is an -protocol if it involves at most rounds of interaction with Alice starting and with the total length of all the messages being at most bits. Let denote the min-entropy function. A protocol is said to be an -CRG scheme for a correlation source if Alice and Bob get a finite number of i.i.d. samples of , and after the final round of , Alice outputs a key and Bob outputs a key , with and belonging to a finite set, satisfying , and with and being equal with probability at least . A protocol is said to be an -SKG scheme for if it is an -CRG scheme for and satisfies the additional security guarantee that where is also used to denote the protocol transcript and is the mutual information. Then, we define the -round communication complexity of -CRG of a correlation source , denoted by , as the smallest for which there is an -protocol that is an -CRG scheme for . We similarly define the -round communication complexity of -SKG of and denote it by . In terms of the above notation we study the functions and as we vary .

1.2 History

The CRG and SKG problems have been well-studied in information theory and theoretical computer science. In information theory, they go back to the seminal work of Shannon on secrecy systems [Sha49], which was followed by the central works of Maurer [Mau93] and Ahlswede and Csiszár [AC93, AC98]. A crucial motivation for the study of SKG is the task of secure encryption, where a common secret key can potentially be used to encrypt/decrypt messages over an insecure channel. It turns out that without correlated inputs (and even allowing each party an unlimited amount of private randomness), efficiently generating common randomness is infeasible: agreeing on bits of randomness with probability can be shown to require communicating at least bits (this fact is a special case of several known results in the literature on CRG; in particular, it follows from the proof of the agreement distillation lower bound of [CGMS17]). Since the original work of Shannon, the questions of how much randomness can be agreed on, with what probability, with what type of correlation and with how many rounds of interaction have attracted significant effort in both the information theory and theoretical computer science communities (e.g., [Mau93, AC93, AC98, CN00, GK73, Wyn75, CN04, ZC11, Tya13, LCV15, LCV16, BM11, CMN14, GR16, GJ18] to name a few). In particular, Ahlswede and Csiszár studied the CRG and SKG problems in the case of one-way communication where they gave a characterization of the ratio of the entropy of the key to the communication in terms of the strong data processing constant of the source (which is closely related to its hypercontractive properties [AG76, AGKN13]).

We point out that the aforementioned results obtained in the information theory community hold for the amortized setup where the aim is to characterize the achievable pairs for which for every positive , there is a large enough , such that there is a CRG/SKG scheme taking as input i.i.d. copies from the source and generating bits of entropy while communicating at most bits. Moreover, these results mostly focus on the regime where the agreement probability gets arbitrarily close to one for sufficiently large . The non-amortized setup, where the entropy of the keys and the communication are potentially independent of the number of i.i.d. samples drawn from the source, as well as the setting where the agreement probability is not necessarily close to one, have been studied in several works within theoretical computer science. In particular, for the doubly symmetric binary source, Bogdanov and Mossel gave a CRG protocol with a nearly tight agreement probability in the zero-communication case where Alice and Bob are not allowed to communicate [BM11]. This CRG setup can be viewed as an abstraction of practical scenarios where hardware-based procedures are used for extracting a unique random ID from process variations [LLG05, SHO08, YLH09] that can then be used for authentication [LLG05, SD07]. Guruswami and Radhakrishnan generalized the study of Bogdanov and Mossel to the case of one-way communication (in the non-amortized setup) where they gave a protocol achieving a near-optimal tradeoff between (one-way) communication and agreement probability [GR16]. Later, [GJ18] gave explicit and sample-efficient CRG (and SKG) schemes matching the bounds of [BM11] and [GR16] for the doubly symmetric binary source and the bivariate Gaussian source.

Common randomness is thus a natural model for studying how shared keys can be generated in settings where only weaker forms of correlation are available. It is one of the simplest and most natural questions within the study of correlation distillation and the simulation of joint distributions [GK73, Wyn75, Wit75, MO04, MOR06, KA15, GKS16b, DMN18, GKR17]. Moreover, when studying the setup of communication with imperfectly shared randomness, Canonne et al. used lower bounds for CRG as a black box when proving the existence of functions having small communication complexity with public randomness but large communication complexity with imperfectly shared randomness [CGMS17]. Their setup – which interpolates between the extensively studied public-coin and private-coin models of communication complexity – was also independently introduced by [BGI14] and further studied in [GKS16a, GJ18].

Despite substantial work having been done on CRG and SKG, some very basic questions remained open, such as the quest of this paper, namely the role of interaction in generating common randomness (or secret keys). Recently, Liu, Cuff and Verdu generalized the CRG and SKG characterizations of Ahlswede and Csiszár to the case of multi-round communication [LCV15, LCV16, Liu16]. Their characterization has been shown by [GJ18] to be intimately connected to the notions of internal and external information costs of protocols which were first defined by [BJKS04, BBCR13] and [CSWY01] respectively (who were motivated by the study of direct-sum questions arising in theoretical computer science). However their work does not yield sources for which randomness generation requires many rounds of interaction (to be achieved with low communication). Their work does reveal sources where interaction does not help. For example, in the case where the agreement probability tends to one, Tyagi had shown that for binary symmetric sources, interaction does not help, and conjectured the same to be true for any (possibly asymmetric) binary source [Tya13] – a conjecture which was proved by Liu, Cuff and Verdu [LCV16]. Moreover, Tyagi constructed a source on ternary alphabets for which there is a constant factor gap between the -round and -round communication complexity for Common Randomness and Secret Key Generation. This seems to be the strongest tradeoff known for the communication complexity of CRG or SKG until our work.

1.3 Our Results

In this work, we study the relationship between the amount of communication and the number of rounds of interaction in each of the CRG and SKG setups, namely: can Alice and Bob communicate less and still generate a random/secret key by interacting for a larger number of rounds?

For every constant and parameters and , we construct a family of probability distributions for which CRG (respectively SKG) is possible with rounds of communication, each consisting of bits, but when restricted to rounds, the total communication of any protocol must exceed bits. Formally, we show that while for every constant we have that (and similarly for SKG).

Theorem 1.1 (Communication-Rounds Tradeoff for Common Randomness Generation).

For all , there exist , such that for all there exists a source for which the following hold:

  1. There exists an -protocol for -CRG from .

  2. For every there is no -protocol for -CRG from .

We also get an analogous theorem for SKG, with the same source!

Theorem 1.2 (Communication-Rounds Tradeoff for Secret Key Generation).

For all , there exist , such that for all there exists a source for which the following hold:

  1. There exists an -protocol for -SKG from .

  2. For every there is no -protocol for -SKG from .

In particular, our theorems yield a gap in the amount of communication that is almost exponentially large if the number of rounds of communication is squeezed by a constant factor. Note that every communication protocol can be converted to a two-round communication protocol with an exponential blowup in communication - so in this sense our bound is close to optimal. Prior to our work, no separations were known for any number of rounds larger than two!

1.4 Brief Overview of Construction and Proofs

Our starting point for constructing the source is the well-known “pointer-chasing” problem [NW93] used to study tradeoffs between rounds of interaction and communication complexity. In (our variant of) this problem Alice and Bob get a series of permutations along with an initial pointer and their goal is to “chase” the pointers, i.e., compute where for every . Alice’s input consists of the odd permutations and Bob gets the initial pointer and the even permutations . The natural protocol to determine takes rounds of communication with the th round involving the message (for ). Nisan and Wigderson show that any protocol with rounds of interaction requires bits of communication [NW93].

To convert the pointer chasing instance into a correlated source, we let the source include strings and where is uniform in conditioned on . Thus the source outputs and satisfy with for every . (See Definition 2.1 and Figure 3 for more details.) The natural protocol for the pointer chasing problem also turns into a natural protocol for CRG and SKG with rounds of communication, and our challenge is to show that protocols with few rounds cannot extract randomness.

The lower bound does not follow immediately from the lower bound for the pointer chasing problem — and indeed we do not even give a lower bound for rounds of communication. We explain some of the challenges here and how we overcome them.

Our first challenge is that there is a low-complexity “non-deterministic protocol” for common randomness generation in our setting. The players somehow guess and then verify (by exchanging the first bits of these strings) and if they do, then they output and respectively. While the existence of a non-deterministic protocol does not imply the existence of a deterministic one, it certainly poses hurdles to the lower bound proofs. Typical separations between non-deterministic communication complexity and deterministic ones involve lower bounds such as those for “set-disjointness” [KS92, Raz92, BJKS04] which involve different reasoning than the “round-elimination” arguments in [NW93]. Our lower bound would somehow need to combine the two approaches.

We manage to do so “modularly” at the expense of a factor of in the number of rounds of communication by introducing an intermediate “pointer verification (PV)” problem. In this problem Alice and Bob get permutations (with Alice getting the odd ones and Bob the even ones) and additionally Bob gets pointers and . Their goal is to decide if the final pointer equals given that the initial pointer is equal to . The usefulness of this problem comes from the fact that we can reduce the common randomness generation problem to the complexity of the pointer verification problem on a specific (and natural) distribution: Specifically if PV is hard on this distribution with rounds of communication, then we can show (using the hardness of set disjointness as a black box) that the common randomness generation problem is hard with rounds of communication.

We thus turn to showing lower bounds for PV. We first note that we cannot expect a lower bound for rounds of communication: PV can obviously be solved in rounds of communication with Alice and Bob chasing both the initial and final pointers till they meet in the middle. We also note that one can use the lower bound from [NW93] as a black box to get a lower bound of rounds of communication for PV but it is no longer on the “natural” distribution we care about and thus this is not useful for our setting.

The bulk of this paper is thus devoted to proving an round lower bound for the PV problem on our distribution. We get this lower bound by roughly following the “round elimination” strategy of [NW93]. A significant challenge in extending these lower bounds to our case is that we have to deal with distributions where Alice and Bob’s inputs are dependent. This should not be surprising since the CRG problem provides Alice and Bob with correlated inputs, and so there is resulting dependency between Alice and Bob even before any messages are sent. The dependency gets more complex as Alice and Bob exchange messages, and we need to ensure that the resulting mutual information is not correlated with the desired output, i.e., the PV value of the game. We do so by a delicate collection of conditions (see Definition 5.6) that allow the inputs to be correlated while guaranteeing sufficient independence to carry out a round elimination proof. See Section 5 for details.

Organization of Rest of the Paper.

In Section 2, we present our construction of the distribution alluded to in Theorem 1.1 and Theorem 1.2. In Section 3 we reduce the task of proving communication lower bounds for CRG with few rounds to the task of proving lower bounds for distinguishing some distributions. We then introduce our final problem, the Pointer Verification problem, and the distribution on which we need to analyze it in Section 4. This section includes the statement of our main technical theorem about the pointer verification problem (Theorem 4.2) and the proofs of Theorem 1.1 and Theorem 1.2 assuming this theorem. Finally in Section 5, we prove Theorem 4.2.

2 Construction

We start with some basic notation used in the rest of the paper. For any positive integer , we denote by the set . We use to denote the logarithm to the base . For a distribution on a universe we use the notation to denote a random variable sampled according to . For any positive integer , we denote by the distribution obtained by sampling independent identically distributed samples from . We use the notation to denote that is independent of and to denote that and are independent conditioned on . We denote by the expectation of and for an event , we denote by the probability of the event . For , (and sometimes ) denotes the probability of the element , i.e., . For distributions and on , the total variation distance . The entropy of is the quantity . The min-entropy of is the quantity . For a pair of random variables , denotes the marginal distribution on and denotes the distribution of conditioned on . The conditional entropy , where . The mutual information between and , denoted , is the quantity . The conditional mutual information between and conditioned on , denoted , is the quantity where . We use standard properties of entropy and information such as the chain rules and the fact that “conditioning does not increase entropy”. For further background material on information theory and communication complexity, we refer the reader to the books [CT12] and [KN97] respectively.

We start by describing the family of distributions that we use to prove Theorem 1.1 and Theorem 1.2. For a positive integer , we let denote the family of all permutations of .

Definition 2.1 (The Pointer Chasing Source ).

For positive integers , and , the support of is . Denoting and , a sample is drawn as follows:

  • and are sampled uniformly and independently.

  • Let .

  • is sampled uniformly and independently of and ’s.

  • For every , and are sampled uniformly and independently.

See Figure 3 for an illustration of the inputs to the Pointer Chasing Source.

Figure 3: The Pointer Chasing Source

Informally, a sample from contains a common hidden block of randomness that Alice and Bob can find by following a sequence of pointers, where Alice holds the odd pointers in the sequence and Bob holds the even pointers. The next lemma gives (the obvious) upper bound on the -round communication needed to generate common randomness from .

Lemma 2.2 (Upper bound on -round communication of SKG).

For every , and , there exists an -protocol for -SKG (and hence also for -CRG) from with Bob speaking in the first round.


The protocol is the obvious one in which Bob and Alice alternate by sending a pointer to each other starting with and culminating in , and the randomness they “agree on” is .

Formally, for , let with . In odd round , Bob sends to Alice and in even round , Alice sends to Bob. At the end of rounds of communication Alice outputs and Bob outputs .

Note that by the construction of , we have that and . Note further that at the beginning of the st round of communication both Alice and Bob know . Furthermore if is odd, then Bob also knows and hence can compute (and similarly Alice knows her message in even rounds).

Thus we conclude that the above is a valid -protocol for -CRG. Furthermore, since is independent of , it follows that (and similarly for ), and so this is also a valid -SKG protocol. ∎

In the rest of the paper we show that no round protocol can solve CRG from with non-trivial communication.
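As an added illustration (not code from the paper), the following Python simulates the pointer-chasing source of Definition 2.1 and the (r+1)-round protocol of Lemma 2.2, then lets an eavesdropper who sees only the transcript try to guess the key. Placing the single shared block at the final pointer, zero-indexed pointers, and all function and field names are assumptions of this example, not the paper's notation.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class AliceInput:
    odd_perms: dict    # {i: pi_i} for odd i in 1..r, each a list of length n
    blocks: list       # A_0..A_{n-1}, one L-bit block per pointer value


@dataclass
class BobInput:
    x0: int            # initial pointer, uniform in range(n)
    even_perms: dict   # {i: pi_i} for even i in 1..r
    blocks: list       # B_0..B_{n-1}


def random_block(L, rng):
    """An L-bit block drawn uniformly at random."""
    return tuple(rng.randrange(2) for _ in range(L))


def sample_source(r, n, L, rng):
    """One sample (X, Y) from the pointer-chasing source (this example's reading
    of Definition 2.1).  Permutations pi_1..pi_r and the initial pointer x_0 are
    uniform and independent; the chain is x_i = pi_i(x_{i-1}).  Every block pair
    (A_j, B_j) with j != x_r is independent; only the pair at x_r is shared.
    Returns Alice's input, Bob's input and the hidden chain (for checking only)."""
    perms = {i: rng.sample(range(n), n) for i in range(1, r + 1)}
    chain = [rng.randrange(n)]
    for i in range(1, r + 1):
        chain.append(perms[i][chain[-1]])
    a_blocks = [random_block(L, rng) for _ in range(n)]
    b_blocks = [random_block(L, rng) for _ in range(n)]
    b_blocks[chain[r]] = a_blocks[chain[r]]      # the common hidden block
    alice = AliceInput({i: p for i, p in perms.items() if i % 2 == 1}, a_blocks)
    bob = BobInput(chain[0], {i: p for i, p in perms.items() if i % 2 == 0}, b_blocks)
    return alice, bob, chain


def run_protocol(r, alice, bob):
    """The (r+1)-round protocol of Lemma 2.2: round j carries the pointer x_{j-1}.
    Bob speaks first (he holds x_0).  The receiver of round j holds pi_j (Alice
    for odd j, Bob for even j) and advances the pointer; round r+1 echoes x_r so
    both sides know it.  Returns (transcript, Alice's key, Bob's key)."""
    transcript = []
    pointer = bob.x0
    for j in range(1, r + 2):
        transcript.append(pointer)               # message of round j = x_{j-1}
        if j <= r:
            perms = alice.odd_perms if j % 2 == 1 else bob.even_perms
            pointer = perms[j][pointer]          # receiver computes x_j
    final = pointer                              # equals x_r
    return transcript, alice.blocks[final], bob.blocks[final]


def transcript_bits(r, n):
    """Total communication: r+1 pointers of ceil(log2 n) bits each."""
    return (r + 1) * math.ceil(math.log2(n))


def demo(r, n, L, seed=0):
    """Run one full instance; returns transcript, hidden chain and both keys."""
    rng = random.Random(seed)
    alice, bob, chain = sample_source(r, n, L, rng)
    transcript, key_a, key_b = run_protocol(r, alice, bob)
    return {"transcript": transcript, "chain": chain, "key_a": key_a, "key_b": key_b}


def eve_guess_rate(r, n, L, trials, seed=0):
    """Eve sees the whole transcript (the chain x_0..x_r) but no block.  Knowing
    x_r tells her which block is the key, not its bits, so a fixed guess (here
    the all-zero block) succeeds at a rate near 2^-L.  Also checks agreement."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        alice, bob, _ = sample_source(r, n, L, rng)
        _, key_a, key_b = run_protocol(r, alice, bob)
        assert key_a == key_b                    # Alice and Bob always agree
        hits += key_a == (0,) * L
    return hits / trials
```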

3 Related Indistinguishability Problems

Our lower bound on the number of rounds needed to generate common randomness comes from an “indistinguishability argument”. We show that to protocols with a small number of rounds and a small amount of communication, the distribution is indistinguishable from the distribution , where Alice and Bob’s inputs are independent. Using the well-known fact that generating bits of common randomness essentially requires bits of communication in the absence of correlated inputs, this leads us to conclude that CRG is hard with a limited number of rounds of communication.

In this section we simply set up the stage by defining the notion of indistinguishability and connecting it to the task of common randomness generation, leaving the task of proving the indistinguishability to later sections.

3.1 The Main Distributions and Indistinguishability Claims

We start by defining the indistinguishability of inputs to protocols.

Definition 3.1.

We say that two distributions and on are -indistinguishable to a protocol if the distributions of transcripts (the sequence of messages exchanged by Alice and Bob) generated when has total variation distance at most from the distribution of transcripts when .

We say that distributions and are -indistinguishable if they are -indistinguishable to every -protocol using public randomness. Conversely, we say that the distributions and are -distinguishable if they are not -indistinguishable.

Fix and let . Now let denote the marginal distribution of under , i.e., have all coordinates chosen independently and uniformly from their domains. Similarly let denote the marginal on , and let denote the distribution where and are chosen independently.

Our main technical result (Theorem 4.2 and in particular its implication Lemma 4.5) shows that and are -indistinguishable, even to protocols with common randomness. In the rest of this section, we explain why this rules out common randomness generation.

3.2 Reduction to Common Randomness Generation

Proposition 3.2.

There exists a constant such that for every and , there is no -protocol for -CRG from , where with and being its marginals.


This is essentially folklore. For instance it follows immediately from [CGMS17, Theorem 2.6] using (which corresponds to private-coin protocols). ∎

Proposition 3.3.

There is an absolute constant such that the following holds. Let be the constant from Proposition 3.2. If there exists an -protocol that solves the -CRG problem from with , then there exists some positive integer for which and are -distinguishable.


Let be an protocol with private randomness for -CRG from and let denote the distribution of conditioned on . Let be the number of samples of used by . Let be the indicator variable determining if . Let be the distribution of when is run on samples from . Let be the distribution of the when is run on samples from . Define and analogously. We distinguish between the cases where and are both small from the cases where one of them is large.

Case 1: is -far from (in total variation distance). We argue that in this case, and are distinguishable. Let be the optimal distinguisher of from (i.e., is a valued function with ). Let denote . We now describe a protocol which uses public randomness and augments by including a bit (which is usually equal to ) and as part of the transcript. We consider two subcases: (1) If Bob is the last speaker in , then executes and then at the conclusion of , Bob sends a random hash which is bits long (so that for we have ). Alice then sends and the bit . (2) If Alice is the last speaker in , then executes and then Alice sends to Bob, as well as and . Bob then sends and .

Note that in both cases has rounds of communication and the total number of bits of communication is . We now show that distinguishes from with probability . To see this note that . On the other hand we also have . We conclude that . And since is a part of the transcript of we conclude that the two distributions are -distinguished by .

Case 2: is -far from . This is similar to the above and yields that and are -distinguishable.

Case 3: and . We argue that this case cannot happen since this allows a low-communication protocol to solve CRG with private randomness, thereby contradicting Proposition 3.2. The details are the following.

Our main idea here is to run on (which, being a product distribution involves only private randomness). The proximity of to implies that the probability that when is run on is at least (since the probability that on is at least and the probability that is different under than under is at most ). But we are not done since the min-entropy of or when is run on might not be lower-bounded by . So we modify to get a protocol as follows: Run and let be the output of . (The output of will be different as we see next.) If the probability of outputting is more than then let be a uniformly random string in , else let . Similarly if the probability of outputting is more than then let be a uniformly random string in , else let . (Note that when then and are independent.) Let be the outputs of . We claim below that solves the -CRG from which contradicts Proposition 3.2 if . First note that by design the probability of outputting any fixed output is at most . (If then , else .) It remains to see that . First note that . This is so since every such that contributes at least to (the probability of on is at most ). Thus using , we conclude . But now we have .

3.3 Reduction to the Case

Next we show that we can work with the case without loss of generality. Roughly the intuition is that all permutations look the same, and so chasing one series of pointers is not harder than chasing a sequence of pointers of the form . Informally, even if the players in the latter problem are given the extra information , for every and , they still have to effectively chase the pointers . This intuition is formalized in the reduction below.

Proposition 3.4.

Fix and let and and be its marginals. If there exists such that and are -distinguishable, then and are -distinguishable.


Suppose is a -protocol that -distinguishes from . We show how to distinguish from using . Let be an instance of the vs. distinguishability problem. We now show how Alice and Bob can use common randomness to generate such that if and if . It follows that by applying to , Alice and Bob can distinguish from .

Let and , where and . Further, let and where and denotes concatenation. Alice and Bob use their common randomness to generate permutations , for and , uniformly and independently from . Now let . Let . And let and . Finally, let and . We claim that this sequence has the claimed properties.

First note that the permutations are uniform and independent from due to the fact that the ’s are uniform and independent. Similarly the ’s are uniform and independent of the ’s. If then the ’s and ’s are also uniform and independent of the ’s and ’s, establishing that if . If then note that . We thus have that and otherwise the ’s and ’s are uniform and independent. This establishes that if , and thus the proposition is proved.

4 The Pointer Verification Problem

When is very large compared to , there are two possible natural options for trying to distinguish from . One option is for Alice and Bob to ignore the pointers and simply try to see if there exists such that . The second option is for Alice and Bob to ignore the and the while communicating and simply try to find the end of the chain of pointers and then check to see if .

The former turns out to be a problem that is at least as hard as Set Disjointness on bit inputs (and so requires bits of communication). The latter requires bits of communication with fewer than rounds. But combining the two lower bounds seems like a non-trivial challenge. In this section we introduce an intermediate problem, that we call the pointer verification (PV) problem, that allows us to modularly use lower bounds on the set disjointness problem and on the (small-round) communication complexity of PV, to prove that is indistinguishable from .

The main difference between PV and pointer chasing is that here Alice and Bob are given both a source pointer and a target pointer and simply need to decide if chasing pointers from leads to . We note that the problem is definitely easier than pointer chasing in that for a sequence of pointers, Alice and Bob can decide PV in rounds (by “chasing forward and backwards simultaneously”). This leads us to a bound that is weaker in the round complexity by a factor of , but allows us the modularity alluded to above. Finally the bulk of the paper is devoted to proving a communication lower bound for round protocols for solving PV (or rather again, an indistinguishability result for two distributions related to PV). This lower bound is similar to the lower bound of Nisan and Wigderson [NW93] though the proofs are more complex due to the fact that we need to reason about settings where Alice’s input and Bob’s input are correlated.

We start with the definition of a distributional version of the Pointer Verification Problem and then relate it to the complexity of distinguishing from .

Definition 4.1.

For integers and with being odd, the distributions and are supported on . is just the uniform distribution over this domain. On the other hand, is sampled as follows: Sample uniformly and independently from and further sample uniformly and independently. Finally let , and let and .

Our main theorem about Pointer Verification is the following:

Theorem 4.2.

For every and odd there exists such that for every , and are -indistinguishable.

The proof of Theorem 4.2 is developed in the following sections and proved in Section 5. We now show that this suffices to prove our main theorem. First we prove in Lemma 4.5 below that is indistinguishable from . This proof uses the theorem above, and the fact that set disjointness cannot be solved with bits of communication, that we recall next.

Theorem 4.3 ([Raz92]).

For every there exists such that for all the following holds: Let , respectively , be the uniform distribution on pairs with and