New Lower Bounds for Privacy in Communication Protocols

Abstract

Communication complexity is a central model of computation introduced by Yao [22], where two players, Alice and Bob, receive inputs \(x\) and \(y\) respectively and want to compute \(f(x,y)\) for some fixed function \(f\) with the least amount of communication. Recently people have revisited the question of the privacy of such protocols: is it possible for Alice and Bob to compute \(f(x,y)\) without revealing too much information about their inputs? There are two types of privacy for communication protocols that have been proposed: first, an information theoretic definition ([9, 15]), which for Boolean functions is equivalent to the notion of information cost introduced by [12] and that has since found many important applications; second, a combinatorial definition introduced by [13] and further developed by [1].

We provide new results for both notions of privacy, as well as the relation between them. Our new lower bound techniques both for the combinatorial and the information-theoretic definitions enable us to give tight bounds for the privacy of several functions, including Equality, Disjointness, Inner Product, Greater Than. In the process we also prove tight bounds (up to 1 or 2 additive bits) for the external information complexity of these functions.

We also extend the definitions of privacy to bounded-error randomized protocols and provide a relation between the two notions and the communication complexity. Again, we are able to prove tight bounds for the above-mentioned functions as well as the Vector in Subspace and Gap Hamming Distance problems.

A Appendix

1.1 A.1 Complements to Sect. 2

Omitted Proofs. The proofs of Lemma 1 and Theorem 9 will appear in the full version of the article [17].

Discussion About the Definition of PAR. In Sect. 2, definition 7, we have defined PAR for randomized bounded-error protocols relatively to the transcript and the output value of the function. This definition is consistent with the one for deterministic protocols. However it is also possible to extend the definition of PAR by taking the output of the protocol instead of the output of the function:

Definition 10

• An alternative definition for the external \(\mathrm {PAR}\) of a randomized protocol \(P\) is: \({\mathrm {PAR}^{ext, alt}_{\mu }(P)} := \mathbb {E}_{x,y,r} \left[ \tfrac{\mathbb {P}_{X,Y,R}((X,Y) = (x,y) \, | \, T_P(X,Y,R) = T_P(x,y,r) )}{\mathbb {P}_{X,Y}((X,Y) = (x,y) \,|\, P(X,Y) = P(x,y))} \right] .\) For \(\epsilon \ge 0\), the external \(\epsilon \)-error \(\mathrm {PAR}\) of \(f\) is defined as the following, where the infimum is taken over all protocols \(P\) computing \(f\) with error at most \(\epsilon \): \( {\mathrm {PAR}^{ext, alt}_{\mu ,\epsilon }(f)} := \inf _P \mathrm {PAR}^{ext, alt}_{\mu }(P) \).

• An alternative definition for the internal \(\mathrm {PAR}\) of a randomized protocol \(P\) is:

  $$\begin{aligned} {\mathrm {PAR}^{int, alt}_{\mu }(P)} :=&\mathbb {E}_{x,y,r} \left[ \tfrac{\mathbb {P}_{X,Y,R}(Y = y \, | \, T_P(X,Y,R) = T_P(x,y,r) \wedge X=x )}{\mathbb {P}_{X,Y}(Y = y \,|\, P(X,Y) = P(x,y) \wedge X=x)} \right] \\&+ \mathbb {E}_{x,y,r} \left[ \tfrac{\mathbb {P}_{X,Y,R}(X = x \, | \, T_P(X,Y,R) = T_P(x,y,r) \wedge Y=y )}{\mathbb {P}_{X,Y}(X = x \,|\, P(X,Y) = P(x,y) \wedge Y=y)} \right] . \end{aligned}$$

  For \(\epsilon \ge 0\), the external \(\epsilon \)-error \(\mathrm {PAR}\) of \(f\) is defined as the following, where the infimum is taken over all protocols \(P\) computing \(f\) with error at most \(\epsilon \): \( {\mathrm {PAR}^{int, alt}_{\mu ,\epsilon }(f)} := \inf _P \mathrm {PAR}^{int, alt}_{\mu }(P) \).

1.2 A.2 Omitted Roofs from Sect. 3

We have proven Theorem 8 in Sect. 3. We prove here the other theorems stated in this section.

Relations Between the Different Notions of Privacy and Communication Complexity. Firstly we show that for any protocol (deterministic or randomized), the external privacy-approximation ratio is at most exponential in the communication of the protocol.

Theorem 11

For any protocol \(P\), \( \mathrm {PAR}^{ext}_\mu (f,P) \le 2^{\mathbf {CC}(P)}.\)

The proof will appear in the full version of the article [17].

The relation between internal \(\mathrm {IC}\) and internal \(\mathrm {PRIV}\) for deterministic protocols was explained in [1]. It is possible to improve the lower bound and to show the same relationship for external notions and any (deterministic or randomized) protocol.

Theorem 12

For any protocol \(P\) and any distribution \(\mu \),

$$\begin{aligned} \qquad&\mathrm {PRIV}_{\mu }^{int}(f,P)\le \mathrm {IC}^{int}_{\mu }(P) \le \mathrm {PRIV}_{\mu }^{int}(f,P) + 2\log (|\mathcal {Z}|)\\ \qquad&{\mathrm {PRIV}_{\mu }^{ext}(f,P) \le \mathrm {IC}^{ext}_{\mu }(P) \le \mathrm {PRIV}_{\mu }^{ext}(f,P)} + \log (|\mathcal {Z}|) \end{aligned}$$

Proof

By definition of \(\mathrm {IC}\) and \(\mathrm {PRIV}\) we have, respectively for the external and the internal notions:

$$\begin{aligned} \mathrm {IC}^{int}_{\mu }(P) - \mathrm {PRIV}_{\mu }^{int}(f,P)&= \mathbf {I}(X;f(X,Y)|Y) + \mathbf {I}(Y;f(X,Y)|X) \le 2\log (|\mathcal {Z}|),\\ \mathrm {IC}^{ext}_{\mu }(P) - \mathrm {PRIV}_{\mu }^{ext}(f,P)&= \mathbf {I}(X,Y;f(X,Y)) \le \log (|\mathcal {Z}|). \end{aligned}$$

For the lower bounds, note that mutual information is always positive.

Moreover, if \(\mathrm {Dist}_{\mu , \epsilon }\) for \(\epsilon \ge 0\) represents the expected distributional complexity of a randomized \(\epsilon \)-error protocol with respect to some input distribution \(\mu \), we have:

Theorem 13

([11]) For any randomized \(\epsilon \)-error protocol and any input distribution, \(\mathrm {Dist}_{\mu ,\epsilon }(P) \ge \mathrm {IC}^{ext}_{\mu ,\epsilon }(P).\)

The proof of this well-known fact can be found in [11] for example.

Note that, since \(\mathrm {IC}^{ext}_{\mu ,\epsilon }(P) \ge \mathrm {IC}^{int}_{\mu ,\epsilon }(P)\), we also have: \(\mathrm {Dist}_{\mu ,\epsilon }(P) \ge \mathrm {IC}^{int}_{\mu ,\epsilon }(P)\).

Relation Between Internal and External Privacy. We first study the case of PRIV and then focus on PAR.

Theorem 14

\(\mathrm {PRIV}_{\mu }^{int}(f,P) \le \mathrm {PRIV}_{\mu }^{ext}(f,P) + \log (|\mathcal {Z}|).\)

Proof

Braverman [7] proved that: \(\mathrm {IC}^{int}_{\mu }(P) \le \mathrm {IC}^{ext}_{\mu }(P)\). Hence, with 12:

$$\begin{aligned} \mathrm {PRIV}_{\mu }^{int}(f,P) \le \mathrm {IC}^{int}_{\mu }(P) \le \mathrm {IC}^{ext}_{\mu }(P) \le \mathrm {PRIV}_{\mu }^{ext}(f,P) + \log (|\mathcal {Z}|). \end{aligned}$$

Moreover, we show that internal PAR is smaller than external one for deterministic protocols:

Theorem 15

For any deterministic protocol \(P\) computing \(f\):

$$\begin{aligned} \mathrm {PAR}_{\mu }^{int}(f, P) \le 2 \cdot \mathrm {PAR}_{\mu }^{ext}(f, P). \end{aligned}$$

The proof will appear in the full version of the article [17].

However, Theorem 15 does not hold in general for \(\epsilon \)-error randomized protocols. For instance, consider that Alice receives an \(s\)-bit string \(x\), and Bob receives \(x\) plus an \(n\)-bit string \(y\), such that \(x\) and \(y\) are independent, and they want to compute the function that reveals \(x\): \(f(x,y) = x\). The protocol they use, where only Bob sends messages, is the following: if \(x=0^s\) then Bob sends \(y\), otherwise he sends a random \(n\)-bit string (independent of \(x\) and \(y\)). Then:

$$\begin{aligned} \mathrm {PAR}_{\mu }^{int}(f, P)&= \mathbb {E}_{x,y,t}\left[ \frac{\mathbb {P}(XY=xy|T=t,X=x)}{\mathbb {P}(XY=xy|X=x)} \right] + 1\\&= \sum _{x,y,t}\mathbb {P}(X=x,Y=y,T=t)\frac{\mathbb {P}(Y=y|T=t,X=x)}{\mathbb {P}(Y=y|X=x)} + 1 \\&= 2^n\sum _{x,y,t} \mathbb {P}(X=x,Y=y,T=t)\mathbb {P}(Y=y|X=x,T=t) + 1\\&= 2^n\left( \sum _{x\ne 0, y,t} \frac{1}{2^{2n+s}}\frac{1}{2^n} + \sum _{x=0,y=t}\frac{1}{2^{n+s}} \cdot 1\right) + 1 = 2^{n-s} + o(1) \end{aligned}$$

and:

$$\begin{aligned} \mathrm {PAR}_{\mu }^{ext}(f,P)&= \mathbb {E}_{x,y,t}\left[ \frac{\mathbb {P}(X=x, XY=xy|T=t)}{\mathbb {P}(X=x, XY=xy|f(X,Y)=f(x,y))}\right] \\&= \sum _{x,y,t}\mathbb {P}(X=x,Y=y,T=t)\frac{\mathbb {P}(X=x, Y=y|T=t)}{\mathbb {P}(Y=y)}\\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad (\text {since} f(x,y)=x)\\&= 2^n \sum _{x,y,t}\mathbb {P}(X=x,Y=y,T=t)\mathbb {P}(X=x,Y=y|T=t)\\&= 2^n\left( \sum _{x \ne 0, y,t} \frac{1}{2^{2n+s}}\frac{1}{2^{n+s}} + \sum _{x = 0, y=t} \frac{1}{2^{n+s}}\frac{1}{2^{s}} \right) = 2^n + o(1) \end{aligned}$$

Hence, if \(x\) is of length \(s = n/2\), then \(\mathrm {PAR}_{\mu }^{int}(f, P) = 2^{n/2} + o(1)\) is exponentially bigger than \(\mathrm {PAR}_{\mu }^{ext}(f,P) = o(1)\).

1.3 A.3 Omitted Proofs for Sect. 4

Relation with Partition Linear Program. It is also possible to lower bound \(\mathrm {PAR}_{\mu }^{ext}(f)\) by \(\frac{1}{|\mathcal {Z}|} \cdot \mathrm {prt}(f)\), where \(\mathrm {prt}(f)\) is defined in [14]. The details of this fact wille appear in the full version of the article [17].

Rank Argument Fails for Non-boolean Functions. For instance, consider the following function that take three values: let \(\mathrm {EQ}': \{1,\dots ,m\}^2 \rightarrow \{0,1,2\}\) be the function defined by:

$$\begin{aligned} \mathrm {EQ}'(x, y) = {\left\{ \begin{array}{ll} 0 \!\!&{}\text{ if } x \ne y \text{ and } x < m \text{ or } y < m\\ 1 \!\!&{}\text{ if } x = y \text{ and } x < m \text{ or } y < m\\ 2 \!\!&{}\text{ otherwise } \text{( }x = m \text{ or } y = m\text{). } \end{array}\right. }\!\!\! \quad \text{ whose } \text{ matrix } \text{ is: }\quad \!\!\!\!\! \begin{pmatrix} 1 &{} 0 &{} \cdots &{} 0 &{} 2\\ 0 &{} 1 &{} \cdots &{} 0 &{} 2\\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ 0 &{} 0 &{} \cdots &{} 1 &{} 2 \\ 2 &{} 2 &{} \cdots &{} 2 &{} 2 \end{pmatrix}. \end{aligned}$$

Then, for any (zero-error) protocol \(P\) solving \(\mathrm {EQ}'\), the number of 0-rectangles and the number of \(1\)-rectangles are at least the minimum number of such rectangles for \(\mathrm {EQ}_{m-1}\):

$$\begin{aligned} \mathrm {EQ}_{m-1} : \{1,\dots ,m-1\}^2 \rightarrow \{0,1\}, \ (x,y) \mapsto 1 \text{ iff } x=y. \end{aligned}$$

But the number of 2-rectangles can be only 2. Now, if we pick a distribution \(\mu \) and \(\delta \) satisfying \(\left| {\mathrm {EQ}'^{-1}(0)}\right| _{\mu } = \left| {\mathrm {EQ}'^{-1}(1)}\right| _{\mu } = \delta /2 < 2^{-(2m-2)}\) and \(\left| {\mathrm {EQ}'^{-1}(2)}\right| _{\mu } = 1-\delta \), then one can see that \(\mathrm {PAR}_{\mu }^{ext}(\mathrm {EQ}') \le 3\). Hence for this function \(\mathrm {EQ}'\) and this distribution \(\mu \): \(\mathrm {PAR}_{\mu }^{ext}(\mathrm {EQ}',P) \le 3\) whereas : \(\mathrm {rank}\left( \mathcal {M}_{\mathrm {EQ}'}\right) \ge \mathrm {rank}\left( \mathcal {M}_{\mathrm {EQ}_{n-1}}\right) = 2^{n-1}.\)

Proofs of Applications. An advantage of our techniques is that they give bounds for any distribution of input \(\mu \), and not only for a uniform distribution as in [13]. Since any of these problems can be solved by sending Alice’s entire input (\(n\) bits), the communication complexity is always upper-bounded by \(n\), hence so \(\mathrm {PAR}\) is always upper-bounded by \(2^n\). The lower bounds stated in Table 1 can be proved using Theorem 1.

Now we explain briefly how to obtain the results of Theorem 7 (see the full version of the article ([17]) for the details). For the lower bounds for \(\mathrm {EQ}, \mathrm {DISJ}, \mathrm {GT}\), we can apply Corollary 2 using an appropriate fooling set, followed by the relationship between \(\mathrm {IC}\) and \(\mathrm {PRIV}\) given in Theorem 12. For \(\mathrm {IP}\) it is possible to use the well-known fact that all 0-monochromatic rectangles of the \(\mathrm {IP}\) function contain at most \(2^n\) elements.

1.4 A.4 Privacy for Deterministic Protocols

Robustness Over the Input Distribution. We show that \(\mathrm {PAR}\) is not robust over the input distribution \(\mu \). More precisely, we give an example of a function and of two distributions with exponentially small statistical distance, but whose privacy-approximation ratio is constant for one and exponential for the other.

Proposition 1

There exists a function \(f\) and two input distributions \(\mu _1, \mu _2\) satisfying \(|\mu _1 - \mu _2| \le 2^{-n/2}\) in statistical distance, and yet such that \(\mathrm {PAR}^{ext}_{\mu _1}(f)=\varTheta (1)\) and \(\mathrm {PAR}^{ext}_{\mu _2}(f)=\varOmega (2^{n/2})\).

Proof

Let \(m = 2^n\) and \(f: \{0,\ldots ,m\}^2 \rightarrow \{0,1,2\}\) be the function defined by:

$$\begin{aligned} f(x, y) = {\left\{ \begin{array}{ll} 0 &{}\text{ if } x \ne y \text{ and } x \ne m \text{ and } y \ne m\\ 1 &{}\text{ if } x = y \text{ and } x \ne m \text{ and } y \ne m\\ 2 &{}\text{ otherwise }\ (x = m\ \text{ or }\ y = m). \end{array}\right. } \quad \!\!\!\!\!\text{ whose } \text{ matrix } \text{ is: }\quad \!\!\!\! \begin{pmatrix} 1 &{} 0 &{} \cdots &{} 0 &{} 2\\ 0 &{} 1 &{} \cdots &{} 0 &{} 2\\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ 0 &{} 0 &{} \cdots &{} 1 &{} 2 \\ 2 &{} 2 &{} \cdots &{} 2 &{} 2 \end{pmatrix}. \end{aligned}$$

Let \(\mu _1\) be the following distribution: with probability \(2^{-n}\) pick a random element of \(f^{-1}(0) \cup f^{-1}(1)\), and with probability \(1-2^{-n}\) pick a random element of \(f^{-1}(2)\).

Set \(\epsilon = 2^{-n/2}\) and let \(\mu _2\) be the following distribution: with probability \(2^{-n} + \epsilon \) pick a random element of \(f^{-1}(0) \cup f^{-1}(1)\), and with probability \(1-2^{-n} - \epsilon \) pick a random element of \(f^{-1}(2)\).

Consider now the protocol \(P\), where first Alice and Bob exchange a single bit to check whether \(x=m\) or \(y=m\) and if they are both different than \(m\), Alice and Bob solve Equality (by having Alice send her entire input to Bob).

Then we have:

$$\begin{aligned} \mathrm {PAR}_{\mu _1}^{ext}(f)&\le \mathrm {PAR}_{\mu _1}^{ext}(f,P) = \left| {f^{-1}(0)}\right| _{\mu _1}\cdot n_0 + \left| {f^{-1}(1)}\right| _{\mu _1}\cdot n_1 + \left| {f^{-1}(2)}\right| _{\mu _1}\cdot n_2\\&\le ( \left| {f^{-1}(0)}\right| _{\mu }+ \left| {f^{-1}(1)}\right| _{\mu _1} ) \cdot 2^n + \left| {f^{-1}(2)}\right| _{\mu _1}\cdot 3 = \varTheta (1) \end{aligned}$$

On the other hand, any protocol for this function must solve Equality so \(n_0\) and \(n_1\) must be at least \(2^n\), since they have to be larger than the rank of the matrix. Consider the optimal protocol \(P\) for \(f\)

$$\begin{aligned} \mathrm {PAR}_{\mu _2}^{ext}(f)&= \mathrm {PAR}_{\mu _2}^{ext}(f,P) = \left| {f^{-1}(0)}\right| _{\mu _2}\cdot n_0 + \left| {f^{-1}(1)}\right| _{\mu _2}\cdot n_1 + \left| {f^{-1}(2)}\right| _{\mu _2}\cdot n_2\\&\ge ( \left| {f^{-1}(0)}\right| _{\mu _2}+ \left| {f^{-1}(1)}\right| _{\mu _2} ) \cdot 2^n = ( \frac{1}{2^n}+\epsilon ) \cdot 2^n = \varOmega (2^{n/2}). \end{aligned}$$

One can finally verify that \(|\mu _1 - \mu _2| = \epsilon = 2^{-n/2}\).

In fact, the right way to look at the robustness of \(\mathrm {PAR}\) is to talk about \(\log \mathrm {PAR}_{\mu }^{ext}(f)\). Even in this case, we see that an exponentially small change to the input distribution can change the \(\log \mathrm {PAR}_{\mu }^{ext}(f)\) from constant to \(\varOmega (n)\).

On the other hand, we can prove that when the statistical distance of the input distributions is \(\epsilon \), then the \(\mathrm {PRIV}\) changes by at most \(O(\epsilon n)\). This implies that in our previous example, \(\mathrm {PRIV}\) changes only by an exponentially small amount.

Theorem 16

For any protocol \(P\) and any two input distributions \(\mu , \mu '\) with statistical distance \(|\mu - \mu '| \le \epsilon \), it holds that : \(|\mathrm {PRIV}_{\mu }^{ext}(P) - \mathrm {PRIV}_{\mu '}^{ext}(P)| \le O(\epsilon n)\) and \(|\mathrm {PRIV}_{\mu }^{int}(P) - \mathrm {PRIV}_{\mu '}^{int}(P)| \le O(\epsilon n).\)

Proof

The proof is a consequence of the fact that two statistically close joint distributions must have similar mutual information. To prove this formally we use the following lemma:

Lemma 3

(Lemma 3.15 of [19]) For any random variables \(XY, X'Y'\) such that \(|XY - X'Y'| \le \epsilon \) and where \(X, X'\) take value in \(\{0,1\}^n\), it holds that

$$\begin{aligned} |H(X \mid Y) - H(X' \mid Y')| \le 4(H(\epsilon ) + \epsilon n). \end{aligned}$$

The details of this proof will appear in the full version of the article [17].

Relationship Between Communication and Privacy. A natural methodology for studying privacy is to measure the amount of information revealed by the transcript above and beyond what is supposed to be revealed. We believe that both \(\mathrm {PRIV}\) and \(\mathrm {PAR}\) were designed with this methodology in mind.

One intuitive bound that “natural” measures of information should satisfy is the following: a transcript of length \(c\) can reveal at most \(c\) bits of information. As a consequence, the privacy loss should also be bounded by the communication (appropriately normalized of course: for example in the case of \(\mathrm {PAR}\), one would compare \(\log \mathrm {PAR}\) to communication).

When taking an expectation over randomized protocols, as one does for instance when measuring the complexity of zero-error randomized protocols, one would therefore also expect that the privacy loss revealed should be bounded by the expected communication. While \(\mathrm {PRIV}\) does indeed satisfy this property, we observe that \(\mathrm {PAR}\) does not:

Remark 3

For the Greater Than function \(\mathrm {GT}\) under the uniform input distribution \(\mathcal {U}\), the following holds:

1. 1.

   For all zero-error protocols \(P\) solving \(\mathrm {GT}\), \(\mathrm {PAR}^{ext}_\mathcal {U}(P) \ge 2^n - 1\).

2. 2.

   There exist a zero-error protocol for \(\mathrm {GT}\) where the expected communication is constant.

The first point was proved in Theorem 1. The second point follows from the trivial protocol that exchanges their inputs bit-by-bit starting with the highest order bits until the players find a difference, at which point they terminate because they know which player has the greater value. Then clearly under uniform inputs, for each \(i \ge 1\) the probability of terminating after \(2i\) bits is \(1 - 2^{-i}\), and so the expected communication is \(2 \sum _{i=1}^\infty i \cdot 2^{-i} = 4\) regardless of the size of the inputs.

Thus, the above remark shows that \(\mathrm {PAR}\) can tend to infinity even though the expected communication is constant, which violates the “natural” property that \(c\) bits of communication can reveal at most \(c\) bits of information.

On the other hand, one could argue that \(\mathrm {PAR}\) captures a “risk-averse” notion of privacy, where one does not want the expected privacy loss but rather the privacy loss with higher weights assigned to high-privacy-loss events. In this case one may also want to look at worst-case choices of inputs and random coins; worst-case inputs were defined in [1, 13], although they did not study worst-case random coins since they focused on deterministic protocols.

Error in Appendix of [13]. An example was given in the appendix of [13] that claimed to exhibit a function \(f\) and two protocols \(P, Q\) such that \(\mathrm {PAR}^{ext}_\mathcal {U}(P) = O(1)\) and \(\mathrm {PAR}^{ext}_\mathcal {U}(Q) = 2^{\varOmega (n)}\), whereas it was claimed that \(\mathrm {PRIV}^{ext}_\mathcal {U}(P) = \mathrm {PRIV}^{ext}_\mathcal {U}(Q) = \varTheta (n)\). This was interpreted to mean that \(\mathrm {PRIV}\) was not sufficiently precise enough to capture the difference between these two protocols.

However the second claim is incorrect as a calculation reveals that \(\mathrm {PRIV}^{ext}_\mathcal {U}(P) = O(1)\) and so \(\mathrm {PRIV}\) does indeed distinguish between the two protocols. The flaw in their argument was in using the geometric interpretation of \(\mathrm {PRIV}\): the characterization of [9] that they use only applies to the worst distribution for a function (which for the function they give is not uniform), whereas they explicitly want to study the uniform distribution. For the worst distribution \(\mu \) it is indeed the case that \(\mathrm {PRIV}^{ext}_\mu (P) = \varTheta (n)\), but not for the uniform distribution. Therefore, for their example, \(\mathrm {PRIV}\) is actually just as capable as \(\mathrm {PAR}\) in distinguishing the two protocols \(P, Q\).