Towards a Reverse Newman’s Theorem in Interactive Information Complexity

Newman’s theorem states that we can take any public-coin communication protocol and convert it into one that uses only private randomness with but a little increase in communication complexity. We consider a reversed scenario in the context of information complexity: can we take a protocol that uses private randomness and convert it into one that only uses public randomness while preserving the information revealed to each player? We prove that the answer is yes, at least for protocols that use a bounded number of rounds. As an application, we prove new direct-sum theorems through the compression of interactive communication in the bounded-round setting. To obtain this application, we prove a new one-shot variant of the Slepian–Wolf coding theorem, interesting in its own right. Furthermore, we show that if a Reverse Newman’s Theorem can be proven in full generality, then full compression of interactive communication and fully-general direct-sum theorems will result.

revealed to each player? We prove that the answer is yes, at least for protocols that use

Introduction
Information cost was introduced by a series of papers [1,6,8,9,13] as a complexity measure for two-player communication protocols. Internal information cost measures the amount of information that each player learns about the input of the other player while executing a given protocol. In the usual setting of communication complexity we have two players, Alice and Bob, each having an input x and y, respectively. Their goal is to determine the value f (x, y) for some predetermined function f . They achieve the goal by communicating to each other some amount of information about their inputs according to some protocol.
The usual measure considered in this setting is the number of bits exchanged by Alice and Bob, whereas the internal information cost measures the amount of information transferred between the players during the communication. Clearly, the amount of information is upper bounded by the number of bits exchanged but not vice versa. There might be a lengthy protocol (say even of exponential size) that reveals very little information about the players' inputs.
In recent years, a substantial research effort was devoted to proving the converse relationship between the information cost and the length of protocols, i.e., to proving that a protocol which reveals only I bits of information can be simulated by a different protocol which communicates only (roughly) I bits. Such results are known as compression theorems. Barak et al. [1] prove that a protocol that communicates C bits and has internal information cost I can be replaced by another protocol that communicates O( √ I · C log C) bits. For the case when the inputs of Alice and Bob are sampled from independent distributions they also obtain a protocol that communicates O(I · polylog C) bits. These conversions do not preserve the number of rounds. In a follow up paper [6] consider a bounded round setting and give a technique that converts the original q-round protocol into a protocol with O(q · log I ) rounds that communicates O(I + q log q ε ) bits with additional error ε. All known compression theorems are in the randomized setting. We distinguish two types of randomness-public and private. Public random bits are seen by both communicating players, and both players can take actions based on these bits. Private random bits are seen only by one of the parties, either Alice or Bob. We use publiccoin (private-coin) to denote protocols that use only public (private) randomness. If a protocol uses both public and private randomness, we call it a mixed-coin protocol.
Simulating a private-coin protocol using public randomness is straightforward: Alice views a part of the public random bits as her private random bits, Bob does the same using some other portion of the public bits, and they communicate according to the original private-coin protocol. This new protocol communicates the same number of bits as the original protocol and computes the same function. In the other direction, an efficient simulation of a public-coin protocol using private randomness is provided by Newman's Theorem [16]. Sending over Alice's private random bits to make them public could in general be costly as they may need, e.g., polynomially many public random bits, but Newman showed that it suffices for Alice to transfer only O(log n + log 1 δ ) random bits to be able to simulate the original public-coin protocol, up to an additional error of δ.
In the setting of information cost the situation is quite the opposite. Simulating public randomness by private randomness is straightforward: one of the players sends a part of his private random bits to the other player and then they run the original protocol using these bits as the public randomness. Since the random bits contain no information about either input, this simulation reveals no additional information about the inputs; thus the information cost of the protocol stays the same. This is despite the fact that the new protocol may communicate many more bits than the original one.
However, the conversion of a private-randomness protocol into a public-randomness protocol seems significantly harder. For instance, consider a protocol in which in the first round Alice sends to Bob her input x bit-wise XOR-ed with her private randomness. Such a message does not reveal any information to Bob about Alice's input-as from Bob's perspective he observes a random string-but were Alice to reveal her private randomness to Bob, he would learn her complete input x. This illustrates the difficulty in converting private randomness into public.
We will generally call "Reverse Newman's Theorem" (RNT) a result that makes randomness public in an interactive protocol without revealing more information. This paper is devoted to attacking the following:

RNT Question Can we take a private-coin protocol with information cost I and convert it into a public-coin protocol with the same behavior and information costÕ(I )?
Interestingly, the known compression theorems [1,6,12] give compressed protocols that use only public randomness, and hence as a by-product they give a conversion of private-randomness protocols into public-randomness equivalents. However, the parameters of this conversion are far from the desired ones. 1 In Sect. 4 we show that the RNT question represents the core difficulty in proving full compression theorems; namely, we will prove that any public-coin protocol that reveals I bits of information can already be compressed to a protocol that usesÕ(I ) bits of communication, and hence a fully general RNT would result in fully general compression results, together with the direct-sum results that would follow as a consequence. This was discovered independently by Denis Pankratov, who in his MSc thesis [17] extended the analysis of the [1] compression schemes to show that they achieve full compression in the 1 We discuss the differences in more detail in Sect. 5. 123 case when only public randomness is used. Our compression scheme is similar but slightly different: we discovered it originally while studying the compression problem in a Kolmogorov complexity setting (as in [4]), and our proof for the Shannon setting arises from the proper "translation" of this proof; we include it for completeness and because we think it makes for a more elementary proof.
Main contributions Our main contribution is a Reverse Newman's Theorem in the bounded-round scenario. We will show that any q-round private-coin protocol can be converted to an O(q)-round public-coin protocol that reveals only additional O(q) bits of information (Theorem 1). Our techniques are new and interesting. Our main technical tool is a conversion of one round private-randomness protocols into one round public-randomness protocols. This conversion proceeds in two main steps. After discretizing the protocol so that the private randomness is sampled uniformly from some finite domain, we convert the protocol into what we call a 1-1 protocol, which is a protocol having the property that for each input and each message there is at most one choice of private random bits that will lead the players to send that message. We show that such a conversion can be done without revealing too much extra information. In the second step we take any 1-1 protocol and convert it into a public-coin protocol while leaking only a small additional amount of information about the input. This part relies on constructing special bipartite graphs that contain a large matching between the right partition and any large subset of left vertices.
Furthermore, we will prove two compression results for public-randomness protocols: a round-preserving compression scheme to be used in the bounded-round case, and a general (not round-preserving) compression scheme which can be used with a fully general RNT. Either of these protocols achieves much better parameters than those currently available for general protocols (that make use of private randomness as well as public). The round-preserving compression scheme is essentially a constantround average-case one-shot version of the Slepian-Wolf coding theorem [19], and is interesting in its own right.
As a result of our RNT and our round-preserving compression scheme, we will get a new compression result for general (mixed-coin) bounded-round protocols. Whereas previous results for the bounded-round scenario [6] gave compression schemes with communication complexity similar to our own result, their protocols were not roundpreserving. We prove that a q-round protocol that reveals I bits of information can be compressed to an O(q)-round protocol that communicates O(I + 1) + q log( qn δ ) bits, with additional error δ. As a consequence we will also improve the bounded-round direct-sum theorem of [6].
Subsequent work Since the publication of the conference version of the paper [2], the following papers have extended or made use of our results: -Braverman et al. [7] have shown direct-product theorems for constant-round randomized communication complexity, which is an improvement of our direct-sum results. -Braverman and Garg [3] have devised a shorter proof of a Reverse Newman's Theorem for constant-round protocols, and with tighter bounds. They show that a private-coin single-round protocol revealing I bits of information can be made public-coin by revealing only log I additional bits (a better bound than our O(log 2n ) of Theorem 2). -Kozachinsky [14] has shown a general Reverse Newman's Theorem, proving that a private-coin protocol revealing I bits of information and using C bits of communication can be converted into a public-coin protocol revealing O( √ I C) bits of information. Together with our and (independently) Pankratov's compression result for general protocols (Theorem 3), this gives the best-known direct-sum result for general protocols of (Braverman et al).
-Bauer et al. [5] show how to compress a protocol with internal entropy H int and worst-case communication C into a protocol with communication ( H int ε ) 2 log log C incurring extra error ε; in the case of public-coin protocols, H int is exactly the information cost, and hence this gives an exponential improvement for the dependence on C, compared to any of our schemes. -Kozachinsky [15] has also provided a simpler proof of the one-shot Slepian-Wolf theorem, with smaller constants.
Differences from the conference version The paper has been substantially altered since its conference version. We provide a new lower bound on the degree of matching graphs, and a lower bound against any improvement to our strategy for proving a singleround Reverse Newman's Theorem. Furthermore, besides improvements in overall readability, the paper includes new proofs for: -Theorem 7 (Constant-round average-case one-shot Slepian-Wolf), the proof in the conference submission was wrong. -Lemma 2 (Making protocols 1-1 without losing information), the new proof is one-third the size and much simpler. -Lemma 1 (Existence of matching graphs), we have a shorter, more elegant proof with slightly worse bounds, that are nonetheless good enough for our applications.
Organization of the paper In Sect. 3 we discuss our Reverse Newman's Theorem. In Sect. 4 we will prove compression results. Section 5 will give applications to direct-sum theorems. Finally, Sect. 6 is dedicated to showing alternatives to the constructions we have presented, as well as bounds that prevent further improvement to our techniques.

Preliminaries
We use capital letters to denote random variables, calligraphic letters to denote sets, and lower-case letters to denote elements in the corresponding sets. So typically A is a random variable distributed over the set A, and a is an element of A. We will also use capital and lower-case letters to denote integers numbering or indexing certain sequences. We use Δ A, A to denote the statistical distance between the probability distributions of two random variables A and A :

Information Theory
For a given probability random variable A distributed over the support A, its entropy is where p a = Pr[A = a]. Given a second random variable B that has a joint distribution with A, the conditional entropy H (A|B) equals In this paper, and when clear from the context, we denote a conditional distribution A|B = b more succinctly by A|b.   Here A 1 , . . . , A k stands for a random variable in the set of k-tuples and A i stands for its ith projection.  From Fano's inequality the following easily follows: Fact 8 For any two random variables A, B over the same universe U, it holds that

Two-Player Protocols
We will be dealing with protocols that have both public and private randomness; this is not very common, so we will give the full definitions, which are essentially those of [1,6]. We will be working exclusively in the distributional setting. From here onwards, we will assume that the input is given to two players, Alice and Bob, by way of two random variables X, Y sampled from a possibly correlated distribution μ over the support X × Y.
A private-coin protocol π with output set Z is defined as a rooted tree, called the protocol tree, in the following way: 1. Each non-leaf node is owned by either Alice or Bob. 2. If v is a non-leaf node belonging to Alice, then: (a) The children of v are owned by Bob; each child is labeled with a binary string, and the set C(v) of labels of v's children is prefix-free.
3. The situation is analogous for Bob's nodes. 4. With each leaf we associate an output value in Z.
On input x, y the protocol is executed as follows: 1. Set v to be the root of the protocol tree. 2. If v is a leaf, the protocol ends and outputs the value associated with v. 3. If v is owned by Alice, she picks a string r uniformly at random from R v and sends the label of M v (x, r ) to Bob, they both set v := M v (x, r ), and return to the previous step. Bob proceeds analogously on the nodes he owns.
A general, or mixed-coin, protocol is given by a distribution over private-coin protocols. The players run such a protocol by using shared randomness to pick an index r (independently of X and Y ) and then executing the corresponding private-coin protocol 123 π r . A protocol is called public-coin if every R v has size 1, i.e., no private randomness is used.
We let π(x, y, r, r A , r B ) denote the messages exchanged during the execution of π , for given inputs x, y, and random choices r, r A and r B , and Out π (x, y, r, r A , r B ) be the output of π for said execution. The random variable R is the public randomness, R A is Alice's private randomness, and R B is Bob's private randomness; we use Π to denote the random variable π(X, Y, R, R A , R B ). We assume without loss of generality that R, R A , and R B are uniformly distributed.

Definition 1
The worst-case communication complexity of a protocol π , CC(π ), is the maximum number of bits that can be transmitted in a run of π on any given input and choice of random strings. The average communication complexity of a protocol π , with respect to the input distribution μ, denoted ACC μ (π ), is the average number of bits that are transmitted in an execution of π , for inputs drawn from μ. The worst-case number of rounds of π , RC(π ), is the maximum depth reached in the protocol tree by a run of π on any given input. The average number of rounds of π , w.r.t. μ, denoted ARC μ (π ), is the average depth reached in the protocol tree by an execution of π on input distribution μ.

Definition 2
The (internal) information cost of protocol π with respect to μ is: Here the term I (Y : R, Π, R A |X ) stands for the amount of information Alice learns about Bob's input after the execution of the protocol (and the meaning of the second term is similar). This term can be re-written in several different ways: Here the first equality holds, as Bob's input Y is independent from randomness R, R A conditional to X , which is obvious (see Fact 6 from the preliminaries). The second equality holds, since Y is independent from randomness R conditional to X, R A , which is also obvious.
The third equality holds, as Y is independent from R A conditional to Π, X, R (Fact 7). This independence follows from the rectangle property of protocols: for every fixed Π, X, R the set of all pairs ((Y, R B ), R A ) producing the transcript Π is a rectangle and thus the pair (Y, R B ) (and hence Y ) is independent from R A conditional to Π, X, R. The fourth equality is proven similarly to the first and the second ones.
The expressions I (Y : Π, R|X ) and I (Y : Π |X, R) for the information revealed to Alice are the most convenient ones and we will use them throughout the paper. Similar transformations can be applied to the second term in Definition 2.
Many of our technical results require that the protocol uses a limited amount of randomness at each step. This should not be surprising-this is also a requirement of Newman's theorem. This motivates the following definition.

Definition 4
A protocol π is an -discrete protocol 2 if |R v | = 2 at every node of the protocol tree.
When a protocol is -discrete, we say that it uses bits of randomness for each message; when is clear from context, we omit it. While the standard communication model allows players to use an infinite amount of randomness at each step, this is almost never an issue, since one may always "round the message probabilities" to a finite precision. This intuition is captured in the following observation.

Observation 1
Suppose π is a private-coin protocol. Then, there exists an -discrete Furthermore, for any input distribution μ, the error of π is at most the error of π plus 2 − . Equally small differences hold between ACC μ (π ), ARC μ (π ), and their π equivalents, and IC μ (π ) is within an additive constant of IC μ (π ).
Hence, while working exclusively with discretized protocols, our theorems will also hold for non-discretized protocols, except with an additional exponentially small error term. We consider this error negligible, and hence avoid discussing it beyond this point; the reader should bear in mind, though, that when we say that we are able to simulate a discretized protocol exactly, this will imply that we can simulate any protocol with sub-inverse-exponential 2 −Ω( ) error.
We are particularly interested in the case of one-way protocols, where Alice sends a single message to Bob. A one-way protocol π is given by a function M π : X × R → M; on input x Alice randomly generates r and sends M π (x, r ). Note that if π is private-coin, then IC μ (π ) = I (X : M(X, R A )|Y ), and similarly, if π is public-coin, Finally, we close this section with a further restriction on protocols, which we call 1-1. Proving an RNT result for 1-1 protocols will be a useful intermediate step in the general RNT proof.

Towards a Reverse Newman's Theorem
Our main result is the following: Theorem 1 (Reverse Newman's Theorem, bounded-round version) Let π be an arbitrary, -discrete, mixed-coin, q-round protocol, and let C = CC(π ), n = max{log |X |, log |Y|}. Suppose that π 's public randomness R is chosen from the uniform distribution over the set R, and π 's private randomness R A and R B is chosen from uniform distributions over the sets R A and R B , respectively.
Then there exists a public-coin, q-round protocolπ , whose public randomness R is drawn uniformly from R × R A × R B , and that has the exact same transcript distribution, i.e., for any input pair x, y and any message transcript t, and for any distribution μ giving the input (X, Y ), We conjecture, furthermore, that a fully general RNT holds: whereÕ(·) suppresses terms and factors logarithmic in IC μ (π ) and CC(π ).
In Sects. 4 and 5, we show that RNTs imply fully general compression of interactive communication, and hence the resulting direct-sum theorems in information complexity. This results in new compression and direct-sum theorems for the bounded-round case. We believe that attacking Conjecture 1, perhaps with an improvement of our techniques, is a sound and new approach to proving these theorems.
Before proving Theorem 1 let us first remark that it suffices to show it only for protocols π without public randomness (with an absolute constant in the O-notation). To see this, fix any outcome r of the random variable R, and look at the protocol π conditioned on R = r . This is a protocol without public randomness, let us denote it by π r . Using the expression for information cost of π , we see that it equals the average information cost of the protocol π r . Therefore, assuming that we are able to convert π r into a public-coin protocolπ r , as in Theorem 1, we can let the protocolπ pick a random r and then runπ r . As the information cost of the resulting protocolπ again equals the average information cost ofπ r , the inequality (1) follows from similar inequalities for π r and π r . For this reason, the theorems below will be proven for private-coin-rather than mixed-coin-protocols.
As suggested by the O(q log(2n ))-term of (1), Theorem 1 will be derived from its one-way version.

RNT for One-Way Protocols
Theorem 2 (RNT for one-way protocols) For any one-way private-coin -discrete protocol π there exists a one-way public-coin -discrete protocol π such that π and π generate the same message distributions, and for any input distribution (X, Y ) ∼ μ, we have Proof We first sketch the proof. The public randomness R used by the new protocol π will be the very same randomness R used by π . So we seem to have very little room for changing π , but actually there is one change that we are allowed to make. Let M π : X × R → M be the function Alice uses to generate her message. It will be helpful to think of M π as a table, with rows corresponding to possible inputs x, columns corresponding to possible choices of the private random string r , and the (x, r ) entry being the message M π (x, r ). Noticing that r is picked uniformly, Alice might instead send message M(x, φ x (r )), where φ x is some permutation of R. In other words, she may permute each row in the table using a permutation φ x for the row x. The permutation φ x will "scramble" the formerly-private now-public randomness R into some new stringr = φ x (r ) about which Bob hopefully knows nothing. This "scrambling" keeps the message distribution exactly as it was, changing only which R results in which message. We will see that this can be done in such a way that, in spite of knowing r , Bob has no hope of knowingr = φ x (r ), unless he already knows x to begin with.
To understand what permutation φ x we need, we first note the following. Let M = M π (X, R) denote the message that the protocol π we have to design sends for input X and public randomness R. Then the information cost of π is The information cost of the original protocol π is where the equality holds as the distributions of the triples (M, X, Y ) and (M , X, Y ) are identical (regardless of the chosen permutations φ x ). Thus the difference between information costs of π and π equals which is at most H (R|M , Y ). If we permute each row of the table in such a way that every message m appears in at most d = (n · ) O(1) columns, then 123 as the entropy of any random variable with at most d outcomes does not exceed log d. Unfortunately, it may happen that there are no such permutations. For instance, this is the case when a row has the same message m in every column.
We will show that if this is not the case, and, moreover, each row has pairwise different messages, then we can "almost" achieve the goal: one can permute each row in such a way that with probability at least 1 − 1/n 2 the message M = M π (X, R) appears in at most d = (n · ) O(1) columns. Thus we first prove Theorem 2 for the special case of 1-1 protocols, i.e. for protocols where each row has pairwise different messages.
The proof of Theorem 2 for 1-1 protocols. We first will construct a special bipartite graph G, which we call a matching graph. Its left nodes will be all possible messages m and its right nodes will be all random strings r . Our strategy will be to find a way of permuting each row of our table so that for every row x and most columns r (in row x) the message M π (x, r ) in the cell (x, r ) of the table is connected by an edge to r in the graph G.
To gain some intuition about what is happening, suppose we had the following fictional object: an (m, , n, 0)-matching graph-i.e., we have a degree-n graph with the property that any left-set of size |R| will have a perfect matching with R that uses only edges in the graph. Now let M x = M π (x, R) be the set of messages that π can send on input x; then in the new protocol π , M π (x, r ) is the message that is matched with r in the perfect matching between M x and R (see Fig. 1). It should be clear that π gives each message exactly the same probability mass.
To see that, in this new protocol π , R reveals little information about X when M is known, notice that if we know the message m = M π (x, r ), then in order to specify r we only need to say which edge in the graph must be followed; this is specified with log n bits because our graph has degree n. Hence I (X : R|M) ≤ H (R|M) ≤ log n.
In truth, matching graphs with such good parameters do not exist. But we can have good-enough approximations, and we can show that this is enough for our purposes. These graphs are obtained through the Probabilistic Method. Proof Hall's theorem [11] states that if in a bipartite graph every left subset of cardinality i ≤ L has at least i neighbors then every left subset of cardinality i ≤ L has a matching in the graph. Now the proof of Theorem 2 for 1-1 protocols proceeds as follows. Let n = log |X | and = log |R|. Assume without loss of generality that M = M(X , R); then |M| ≤ 2 n+ . Now let G be an (n + , , d, δ)-matching graph having M as a subset of its left set and R as its right set, for δ = 1 n 2 . For these parameters, we are assured by Lemma 1 that such a matching graph exists having left-degree d = O((n + )n 2 ). 3 For each left vertex, we pick each of the d neighbors independently and uniformly from the right-set.

123
We construct the new protocol π as follows. For each x ∈ X let M x = M(x, R) be the set of messages that might be sent on input x. Noticing that |M x | = 2 , consider a partial G-matching between M x and R pairing all but a δ-fraction of M x ; then define a bijection M x : R → M x by setting M x (r ) = m if (m, r ) is an edge in the matching, and pairing the unmatched m and r 's arbitrarily (possibly using edges not in G). Finally, set M (x, r ) = M x (r ).
Since M (x, r ) = M x (r ) for some bijection M x between R and M x , it is clear that M and M generate the same transcript distribution for any input x. Now we prove that M does not reveal much more information than M. We have seen that the difference between the information costs of π and π is at most H (R|M , Y ).
for every y. While proving this inequality, we will drop the condition Y = y to simplify notation.
Let us introduce a new random variable K , which is a function of X, R, M and takes the value 1 if (M , R) is an edge of the matching graph and is equal to 0 otherwise. Recall that for every x the pair (M (x, R), R) is an edge of the matching graph with probability at least 1 − 1/n 2 . Therefore, K = 0 with probability at most 1/n 2 . Call a message m bad if the probability that K = 0 conditional to M = m (that is, the fraction of rows x, among all rows containing m, such that m was not matched within the graph in the row x) is more than 1/n. Then M is bad with probability less than 1/n, otherwise K = 0 would happen with probability greater than 1/n 2 .
The The former term is at most log d, because when K = 1 and M = m we can specify R by the number of the edge (m, R) in the matching graph. The latter term is at most n, however its weight is at most 1/n, since m is good. This completes the proof of Theorem 2 for 1-1 protocols.
The proof of Theorem 2 in general case. The general case follows naturally from 1-1-case and the following lemma, which makes a protocol 1-1 by adding a small amount of communication.
Lemma 2 (A 1-1 conversion which reveals little information) Given a one-round -discrete private-coin protocol π , there is a one-round 1-1 -discrete private-coin protocol π whose message is of the form 4 M π (x, r ) = (M π (x, r ), J (x, r )), and such that, for any input distribution μ, Proof We think of M(·, ·) as a table, where the inputs x ∈ X are the rows and the random choices r ∈ R are the columns, and fix some ordering r 1 < r 2 < . . . of R.
Now we are able to finish the proof of Theorem 2 in the general case. Suppose π is a given one-way private-coin -discrete protocol. Let π 2 be the 1-1 protocol guaranteed by Lemma 2, and let π 3 be the protocol constructed from π 2 in the proof of Theorem 2 for 1-1 case. Note that π 3 's message is of the form M π 3 (X, R) = (M π (X, R), J (X, R)), since it is equidistributed with M π 2 . Furthermore, we have Now, create a protocol π 4 , which is identical to π 3 , except that Alice omits J (X, R). Since for each x the message M π 4 (x, r ) sent by π 4 equals M(x, φ x (r )) for some permutation φ x of R, it is clear that M and M generate the same transcript distribution for any input x. And, by the information-processing inequality, This completes the proof of Theorem 2.

RNT for Many-Round Protocols
Let us prove Theorem 1 as a consequence of Theorem 2.
Proof (Proof of Theorem 1) Let c be the constant hidden in O-notation in Theorem 2 so that every one round private-coin -discrete protocol π with |X |, |Y| ≤ 2 n can be converted into one round public-coin protocol π generating the same distribution on transcripts with IC(π ) ≤ IC(π ) + c log 2n .
We are given a q-round private-coin protocol ρ and will simulate it by a public-coin protocol ρ with IC(ρ ) ≤ IC(ρ) + 2qc log 2n .
The transformation of ρ into ρ is as one can expect: in each node v of the protocol tree ρ we use a permutation of messages that depends on the input of the player communicating in that node. More specifically, let m < j denote the concatenation of messages sent by ρ up to round j. In jth round of ρ we apply the protocol ρ m < j , which is obtained by the transformation of Theorem 2 from the 1-round sub-protocol ρ m < j of ρ rooted from the node m < j of the protocol tree of ρ. This change does not affect the probability distribution over messages sent in each node and hence the resulting protocol ρ generates exactly the same distribution on transcripts. The protocol ρ uses the same randomness as ρ; however, unlike ρ it uses public and not private randomness.
We have to relate now the information cost of ρ to that of ρ. To this end we split the information cost of ρ into the sum of information costs of each round of ρ . Specifically, by the Chain rule (Fact 4) the amount of information revealed by ρ to Bob (say) equals where R j denotes randomness used in the jth round of ρ and M j = ρ M < j (X, R j ) denotes the message sent in the jth round of ρ .
From I (R < j : M j , R j |Y, M < j ) = 0, we conclude from Theorem 2-using Facts 5 and 6 from the preliminaries-that The similar inequality for the amount of information revealed by ρ and ρ to Alice is proved in a similar way.

4 Compression for Public-Coin Protocols
We present in this section two results of the following general form: we will take a public-coin protocol π that reveals little information, and "compress" it into a protocol ρ that uses little communication to perform the same task with about the same error probability. It turns out that the results in this setting are simpler and give stronger compression than in the case where Alice and Bob have private randomness (such as in [1,6]). We present two bounds, one that is dependent on the number of rounds of π , but which is also round-efficient, in the sense that ρ will not use many more rounds than π ; and one that is independent of the number of rounds of π , but where the compression is not as good when the number of rounds of π is small. We begin with the latter.
Proof Our compression scheme is similar, but not identical, to that of [1]-the absence of private randomness allows for a more elementary proof.
It suffices to prove the theorem only for deterministic protocols-the case for publiccoin protocols can be proved as follows. By fixing any outcome r of randomness R of a public-coin protocol π , we obtain a protocol π r without public randomness and can apply Theorem 3 to π r . The average communication length of the resulting deterministic protocol ρ r is at most O(I (π r ) · log(2Cn/δ)). Thus the average communication of the public-coin protocol ρ that chooses a random r and runs ρ r will be at most O(I · log(2Cn/δ)).
Thus we have to show that any deterministic protocol π can be simulated with communication roughly: (the equality follows because H (Π |X, Y ) = 0, since the transcript Π is a function of X and Y ). As we do not relate the round complexity of ρ to that of π in this theorem, we may assume that in the protocol π every message is just a bit (and the turn to communicate does not necessarily alternate). In other words, the protocol tree has binary branching.
Given her input x, Alice knows the distribution of Π |x, and she can hence compute the conditional probability Pr[π(X, Y ) = t|X = x] for each leaf t of the protocol tree. We will use the notation w a (t|x) for this conditional probability. Likewise Bob computes w b (t|y) = Pr[π(X, Y ) = t|Y = y]. Now it must hold that π(x, y) is the unique leaf such that both w a (t|x), w b (t|y) are positive. Alice and Bob then proceed in stages to find that leaf: at a given stage they have agreed that a certain partial transcript, which is a node in the protocol tree of π , is a prefix of π(x, y). Then each of them chooses a candidate transcript, which is a leaf extending their partial transcript (the candidate transcripts of Alice and Bob may be different). Then they find the largest common prefix (lcp) of their two candidate transcripts, i.e., find the first bit at which their candidate transcripts disagree. Now, because one of the players actually knows what that bit should be (that bit depends either on x or on y), the player who got it wrong can change her/his bit to its correct value, and this will give the new partial transcripts they agree upon. They proceed this way until they both know π(x, y).
It will be seen that the candidate leaf can be chosen in such a way that the total probability mass under the nodes they have agreed upon halves at every correction, and this will be enough to show that Alice will only need to correct her candidate transcript H (Π |X ) times (and Bob H (Π |Y ) times) on average. Efficient protocols for finding the lcp of two strings will then give us the required bounds.
We first construct an interactive protocol that makes use of a special device, which we call lcp box. This is a conceptual interactive device with the following behavior: Alice takes a string u and puts it in the lcp box, Bob takes a string v and puts it in the lcp box, then a button is pressed, and Alice and Bob both learn the largest common prefix of u and v. Using an lcp box will allow us to ignore error events until the very end of the proof, avoiding an annoying technicality that offers no additional insight.

Lemma 3 For any given probability distribution μ over input pairs and for every deterministic protocol π with information cost I (w.r.t. μ) and worst case communication C there is a deterministic protocolρ with zero communication computing the same function with the same error probability (w.r.t. μ) as π , and using lcp box for C-bitstrings at most I times on average (w.r.t. μ).
Proof On inputs x and y, in the new protocolρ Alice and Bob compute weights w a (t|x), w b (t|y) of every leaf of the protocol tree of π , as explained above. Furthermore, for every binary string s let w a (s|x) denote the sum of weights w a (t|x) over all leaves t under s. Define w b (s|y) in a similar way.
The protocolρ runs in stages: before each stage i Alice and Bob have agreed on a binary string s = s i−1 , which is a prefix of π(x, y). Initially s = s 0 is empty.
On stage i Alice defines the candidate transcript t a as follows: she appends 0 to s = s i−1 if w a (s0|x) > w a (s1|x) and she appends 1 to s otherwise. Let s denote the resulting string. Again, she appends 0 to s if w a (s 0|x) > w a (s 1|x) and she appends 1 to s otherwise. She proceeds in this way until she gets a leaf of the tree (by construction its weight is positive). Bob defines his candidate transcript t b in a similar way. Then they put t a and t b in the lcp box and they learn the largest common prefix s * of t a and t b . By construction both w a (s * |x) and w b (s * |y) are positive and hence s * is a prefix of π(x, y). 6 Recall that no leaf of the protocol tree is a prefix of another leaf. Therefore either s * = t a = t b , in which case they stop the protocol, as they both know π(x, y). Or s * is a proper prefix of both t a and t b . If the node s * of the protocol tree belongs to Alice, then Bob's next bit is incorrect, and otherwise Alice's next bit is incorrect. They both add the correct bit to s * and let s i be the resulting string.
Each time Alice's bit is incorrect w a (s|x) decreases by a factor of 1/2, and similarly each time Bob's bit is incorrect w b (s|y) decreases by a factor of 1/2. At the start we have w a (s|x) = w b (s|y) = 1 and at the end we have w a (s|x) = w a (π(x, y)|x) and w b (s|y) = w b (π(x, y)|y). Hence they use the lcp box at most log 1/w a (π(x, y)|x) + log 1/w b (π(x, y)|y) times. By definition of the conditional entropy the average of log 1/w a (π(X, Y )|X ) is equal to H (Π |X ) and the average of log 1/w b (π(X, Y )|Y ) equals H (Π |Y ). Thus Alice and Bob use lcp box at most I times on average. Now we have to transform the protocol of Lemma 3 to a randomized public-coin protocol computing f that does not use an lcp box, with additional error δ. The use of an lcp box can be simulated with an error-prone implementation: Lemma 4 ([10]) For every positive ε and every natural C there is a randomized public-coin protocol such that on input two C-bit strings x, y, it outputs the largest common prefix of x, y with probability at least 1 − ε; its worst-case communication complexity is O(log(C/ε)).
The lemma is proven by hashing (as in the randomized protocol for equality) and binary search. From this lemma we obtain the following corollary.
protocol of Lemma 3. The average communication of the resulting protocol ρ is at most O(I · log(2Cn/δ)).
The proof of Theorem 3 offers no guarantee on the number of rounds of the compressed protocol ρ. It is possible to compress a public-coin protocol on a roundby-round basis while preserving, up to a multiplicative constant, the total number of rounds used.
Proof Again it suffices to prove the theorem for deterministic protocols π . The idea of the proof is to show the result one round at a time. In round i, Alice, say, must send a certain message m i to Bob. From Bob's point of view, this message is drawn according to the random variable M i = M i (X , y, m 1 , . . . , m i−1 ) whereX is Alice's input conditioned on Bob's input being y and on the messages m 1 , . . . , m i−1 that were previously exchanged. We will show that there is a sub-protocol σ i that can simulate round i with small error by using constantly-many rounds and with bits of communication on average. Then putting these sub-protocols together, and truncating the resulting protocol whenever the communication is excessive, we obtain the protocol ρ which simulates π .
The procedure to compress each round is achieved through an interactive variant of the Slepian-Wolf theorem [4,18,19]. We could not apply the known theorems directly, however, since they were made to work in different settings.
In a similar fashion to the proof of Theorem 3, we will make use of a special interactive device, which we call a transmission μ-box, where μ is a probability distribution over input pairs (X, Y ). Its behavior is as follows: one player takes a string x and puts it in the transmission box, the other player takes a string y and puts it in the box, a button is pressed, and then the second player knows x. The usage of a transmission μ-box is charged in such a way that the average cost when the input pair (X, Y ) is drawn at random with respect to μ is O(H (X |Y ) + 1) bits of communication and O(1) rounds.

Lemma 6
Let π be any deterministic q-round protocol, and let μ be the distribution of the inputs (X, Y ). Then there exists a deterministic protocolρ that makes use of the transmission box (each time for a different distribution) to achieve the following properties.

Afterρ is run on the inputs x, y, both players know π(x, y).
Proof Let π < j (x, y) denote the sequence of messages sent by π in the first j − 1 rounds for inputs x, y. The protocolρ simulates π on a round-per-round basis.
Assume that in the new protocol j − 1 rounds were played. Let m < j denote the sequence of j − 1 messages sent earlier and let x, y stand for inputs. Assume further that in jth round of π Alice has to communicate. Her message is a function M of the sequence m < j and her input x. Let ν denote the probability distribution on pairs (m, y) where In round j of protocolρ, Alice puts the string M(x, m < j ) into the transmission νbox and Bob puts his input y there and they press the button. If it is Bob's turn to communicate, then they reverse their positions. Items 2, 3 and 4 from the statement of the Lemma follow from construction of ρ and from the description of the transmission box. It remains to bound the average communication length ofρ. Again by assumption on transmission box, the average communication in round j is at most O(I j + 1) where if it is Alice's turn to communicate and otherwise. From the chain rule (Fact 4) it follows that the sum of I j over all j of the first type is equal to I (Π : X |Y ), while that the sum of I j over all j of the second type is equal to I (Π : Y |X ).
To proceed we need a protocol simulating the transmission box. Proof Let y be Bob's given input. For a given x in the support of X , let p(x) = Pr[X = x|Y = y], and for a given subset X of the same support, let p(X ) = Pr[X ∈ X |Y = y]. Then Bob begins by arranging the x's in the support of X by decreasing order of the probability p(x). He then defines the two sets where i(1) is the minimal index which makes p(X 1 ) ≥ 1/2. Inductively, while Z k does not contain the entire support of X , he then defines: I.e. X k+1 is the smallest set which takes the remaining highest-probability x's so that they total at least half of the remaining probability mass.
Because at least one new x i is added at every step, this inductive procedure gives Bob a finite number of sets Z 1 , . . . , Z K = X . Then the protocol consists of applying the protocol of the following lemma, which will be proved later.

Lemma 8
For every natural m and every positive ε there exists a randomized publiccoin protocol with the following behavior. Suppose that Bob is given a family of finite sets Z 1 ⊆ · · · ⊆ Z K ⊂ {0, 1} m and Alice is given a string z ∈ Z K . Then the protocol transmits z to Bob, except with a failure probability of at most ε. For k the smallest index for which z ∈ Z k , the run of this protocol uses at most 2k + 1 rounds and 2 log |Z k | + log 1 ε + 4k bits of communication. Now let us bound the average number of rounds and communication complexity. First notice that p(X k ) ≤ 2 1−k , and hence, taking the average over Alice's inputs, we find that K k=1 p(X k )4k = O (1) must upper bound the average number of rounds, as well as the contribution of the 4k term to the average communication. To upper-bound the contribution of the 2 log |Z k | term, we first settle that: , which can be seen by summing two inequalities that follow from the minimality of i(k) in the definition of X k : after which we get for any x ∈ X k+1 ∪ {x i(k) }, which follows since every x ∈ Z k has a higher-or-equal probability than the x's in X k+1 ∪ {x i(k) }, but the sum of all the p(x ) still adds up to less than 1. Now we are ready to bound the remaining term in the average communication: above, the first inequality follows from (i), and the second from (ii).

Proof of Lemma 8
The protocol is divided into stages and works as follows. On the first stage, Bob begins by sending the number 1 = log |Z 1 | in unary to Alice, and Alice responds by picking L 1 = 1 + log 1 ε + 1 random linear functions f L 1 : Z m 2 → Z 2 using public randomness, and sending Bob the hash values Bob then looks for a string z ∈ Z 1 that has the same hash values he just received; if there is such a string, then Bob says so, and the protocol is finished with Bob assuming that z = z.
Otherwise, the protocol continues. At stage k, Bob computes the number k = log |Z k |, and sends the number k − k−1 in unary to Alice; Alice responds by picking L k = k − k−1 + 1 random linear functions f (k) 1 , . . . , f (k) L k , whose evaluation on z she sends over to Bob. Bob then looks for a string z ∈ Z k that has the same hash values for all the hash functions which were picked in this and previous stages; if there is such a string, then Bob says so, and the protocol is finished with Bob assuming that z = z. If the protocol has not halted in K rounds, Alice just sends her input to Bob.
An error will occur whenever a z = z is found that has the same fingerprint as z. The probability that this happens at stage k for a specific z ∈ Z k is 2 −L , where L = k + k + log 1 ε is the total number of hash functions picked up to this stage. By a union bound, the probability that such a z exists is at most |Z k |2 − k ε 2 k ≤ ε 2 k . Again by a union bound, summing over all stages k we get a total error probability of ε.
To bound the communication for z ∈ Z k , notice that sending all 1 . . . . , k costs Bob at most log |Z k | + k bits of total communication, 8 that the total number of hash values sent by Alice is at most log |Z k | + 2k + log 1 ε , and that Bob's reply (saying whether the protocol should continue) costs him k bits. From Lemma 7 we get an analogue of Lemma 5.

Lemma 9
For every positive δ ≤ 1/3 any protocolρ to compute f : {0, 1} n × {0, 1} n → Z that uses transmission boxes q times can be simulated with error δ by a protocol ρ that does not use transmission boxes, and communicates q log( qn δ ) + 1 bits more.
Proof The protocol ρ simulatesρ by replacing each use of a transmission box with the protocol given by Lemma 7 with some error parameter ε (to be specified later). The simulation continues while the total communication is less than n. Once it becomes n, we stop the simulation and the players exchange their inputs.
The additional error probability introduced by the failure of the protocol of Lemma 7 is at most qε. Assuming that ε ≤ δ/q, the error probability introduced by a transmission box failure is at most δ.
Each call of a transmission box costs log(1/ε) bits of communication more than we have charged the protocolρ. Thus the communication of ρ is at most longer than that ofρ. Set ε = δ/qn, so that the communication of ρ is at most q log(qn/δ) + 2δ ≤ q log(qn/δ) + 1 more than that ofρ.
The desired protocol that establishes Theorem 4 is obtained by applying Lemma 9 to the protocol of Lemma 6.

Applications
From the combination of Theorems 1 and 4, and Observation 1, we can obtain a new compression result for general protocols.

Corollary 1
Suppose there exists a mixed-coin, q-round protocol π to compute f over the input distribution μ with error probability ε, and let C = CC(π ), I = IC μ (π ), n = log |X | + log |Y|. Then there exists a public-coin, O(q)-average-round protocol ρ that computes f over μ with error ε + δ, and with As we will see in the following sub-section, this will result in a new direct-sum theorem for bounded-round protocols. In general, given that we have already proven Theorem 3, and given that this approach shows promise in the bounded-round case, it becomes worthwhile to investigate whether we can prove Conjecture 1 with similar techniques.

Direct-Sum Theorems for the Bounded-Round Case
The following theorem was proven in [1]: Theorem 12) Suppose that there is a q-round protocol π k that computes k copies of f with communication complexity C and error ε, over the k-fold 123 distribution μ k . Then there exists a q-round mixed-coin protocol π that computes a single copy of f with communication complexity C and the same error probability ε, but with information cost IC μ (π ) ≤ 2C k for any input distribution μ. As a consequence of this theorem, and of Corollary 1, we will be able to prove a direct-sum theorem. The proof is a simple application of Theorem 5, and Corollary 1.
Theorem 6 (Direct-sum theorem for the bounded-round case) There is some constant d such that, for any input distribution μ and any 0 < ε < δ < 1, if f requires, on average, bits of communication to be computed over μ with error δ in dq (average) rounds, then f ⊗k requires kC bits of communication, in the worst case, to be computed over μ ⊗k with error ε in q rounds.

Comparison with Previous Results
We may compare Corollary 1 with the results of [6]. In that paper, the nC factor is missing inside the log of equation (3), but the number of rounds of the compressed protocol is O(q log I ) instead of O(q). A similar difference appears in the resulting direct-sum theorems. We remark that the compression of Jain et al. [12] is also achieved with a roundby-round proof. Our direct-sum theorem is incomparable with their more ambitious direct-product result. It is no surprise, then, that the communication complexity of their compression scheme is O( q I δ ), i.e., it incurs a factor of q, whereas we pay only an additive term ofÕ(q). However, their direct-product result also preserves the number of rounds in the protocol, whereas in our result the number of rounds is only preserved within a constant factor. Next, we bound Pr[E A ]. Let A = {u 1 , . . . , u L } be any set of L left nodes. Let N (u) denote the neighborhood of a vertex u. Consider the following procedure for generating a matching for G A ∪B : In terms of X 1 , . . . , X L the event E A happens if and only if X 1 + · · · + X L < (1 − δ)L.
Proof We prove this using the coupling method. We claim that there is a joint distribution of Y and Z such that the marginal distributions are as defined above, and with probability 1 it holds that Z i ≤ Y i for all i. This joint distribution is defined by the following process: we pick L independent reals r 1 , . . . , r L ∈ [0; 1] and let where the first inequality holds, since E is downward closed and thus Y ∈ E implies Z ∈ E. The set of Boolean vectors b ∈ {0, 1} L of Hamming weight less than (1 − δ)L is downward closed hence the statement. where the final inequality uses d = (2 + ln M/L)/δ 2 + ln(1/δ)/δ.

A Lower Bound on the Degree of Matching Graphs
Lemma 11 An (m, , d, δ)-matching graph must have Proof We will prove that in such a bipartite graph there must exist a left-set A of size 2 m (1 − 4δ) d whose neighbors are contained in a right-set B of size (1 − 2δ)2 . If the graph is a matching graph with said parameters, it must then follow that |A| ≤ 2 , hence d ≥ (m − )/ log(1 − 4δ) = Ω((m − )/δ). We show this through the probabilistic method. Let us pick a random right-set B of size (1 − 2δ)2 . For a given left-node a, the probability that all its neighbors fall into B is at least Under the assumption that d ≤ δ2 , the left-hand side is at least (1 − 4δ) d . It must then hold that for such random B, the expected number of left-nodes that map into B is 2 m (1 − 4δ). Hence, for some choice of B, there will exist a left-set A of the same size whose neighbors are all in B.

A Lower Bound for Eq. (2) of the Proof of Lemma 2
Lemma 12 There is an -discrete private-coin one-way protocol π , and a message m sent by π , such that for J defined as in Lemma 2, it holds that I (J : X |M π = m) = Ω(log ).
Proof Suppose Alice is given an input X uniformly distributed over {x 1 , . . . , x N }, and private randomness uniformly distributed over {r 1 , . . . , r N }, so that = log N . Let π be a one-way protocol given by M π (x j , r k ) = 0 if k ≤ N j+1 , 1 otherwise.

123
Then conditioned on M π = 0, we will have J (x j , r k ) = k. Let M = N i=1 N i+1 be the size of M −1 π (0). Finally, let m denote the event M π = 0. Then I (X : J |m) = H (X |m) − H (X |m, J ) which is ≥ U if and only if: Let us denote the left-hand side with A and the right-hand side with B. Because N x is monotonically decreasing for x ≥ 1, then: We denote this last quantity by A . Good bounds for M are: 9 Let B := N ln N − 3N , so that B ≥ B (log B − U ). Then we will show that for an appropriate choice of U , and hence A ≤ B and also I (X : J |m) ≥ U . Equivalently, For convenience, let α = ln(N +1) ln N (which goes to 1 as N goes to ∞). Then A = 1 ln 2 N (ln N ) 2 (2α − α 2 ) and B log B = 1 ln 2 N (ln N ) 2 + 1 ln 2 N ln N ln ln N + O (N ln N ). Now the proof follows from the following: Because under this claim, the dominant negative term in (5) is 1 ln 2 N ln N ln ln N , and thus all we need to do is set U to be c ln ln N for some c < 1 ln 2 , and this ensures (5) is negative. For such a choice of U , it will hold that I (X : J |m) ≥ U = c ln ln N = Ω(log ).
Unfortunately, l'Hopital's rule does not seem to help us, as the terms become too complicated. Instead we estimate how fast (2α − α 2 − 1) approaches 0 as N goes to infinity. For this, let β = ln( 1 x +1) ln 1 x and let us estimate β as x approaches 0. For x close to, but different than, 0, we have: (the last equality is by the Taylor expansion of ln(x + 1) around 0). We also have Hence, From this we can conclude that for x = 1/N , we have and our claim follows.