Hello, everyone. Welcome to my talk. I am Ji Gao from the University of Virginia. Today I will present our paper, "Polynomial-time targeted attacks on coin tossing for any number of corruptions." This is joint work with Omid Etesami, Saeed Mahloujifar, and Mohammad Mahmoody. Let's start.

A collective coin tossing protocol is a protocol in which several parties try to decide a bit by each sending out a message. In the figure, there are n parties, and each of them sends out a message, ω_1, ω_2, ..., ω_n. The protocol takes all these n messages and returns the output bit B. The output bit B is either 0 or 1, and it can be biased: it is not always 50-50 but can be 1 with any probability μ. Note that there is also a more general case in which the parties can send more than one message, but in our research we focus on the simple case, which, as we will see, is already very general and has a lot of applications.

Now imagine an adversary that wants to bias the output toward the result it desires, which in the figure is B = 1. The adversary is allowed to make k replacements; the budget k is the parameter of the adversary. The adversary in the figure chose to modify the messages ω_1 and ω_n, and with this modification it successfully increased the probability that the output B equals 1 to μ'. We call this type of attack a targeted attack, because it targets a specific output, B = 1. An untargeted attack, on the other hand, wants to mess with the output but does not care which direction it goes. So clearly the targeted attack is the more powerful one.

Here we give a formal definition of our setting. In our protocol π, we have n parties P_1 to P_n, and at round i the party P_i sends out a single message ω_i that can depend on the previous messages. The protocol returns the output B, which is a function of all the messages.
For our adversary, we consider a targeted k-replacing adversary that aims to increase the probability that B equals 1, which of course is symmetric to increasing the probability that B equals 0. At each round the adversary sees all the previous messages, ω_1 to ω_{i-1}, and also the current message ω_i. The adversary can then replace ω_i with ω_i', which is why we call it a replacing adversary. Such an adversary is also called a strong adaptive adversary by Goldwasser et al. The adversary has a budget k, which is the total number of replacements allowed.

As an illustration, our k-replacing adversary acts as follows. The adversary wants to bias the output to 1. At round 1, party 1 sends out a message ω_1, and the adversary decides whether to replace it or not; in this case the adversary chooses to replace the message with ω_1'. At round 2, party 2 sends out a message ω_2, which may depend on ω_1, and the adversary chooses whether to replace it; in this case the adversary does not make a replacement. Finally, at round n, party n sends out a message that could depend on all the previous messages. The adversary then successfully biases the output B to 1. This is an online adversary, which is the focus of this work. An offline adversary, on the contrary, sees all the messages first and then makes changes.

Recall that B' is the output after the adversary's replacements. Let μ' be the probability that B' equals 1, and μ the probability that B equals 1. We define the adversary's gain to be μ' − μ, that is, how much the adversary increases the probability that the output becomes 1. We can now ask the question: assuming we have a protocol π where the number of parties is n and the original probability of B = 1 before the adversary is μ, then with a fixed budget k, how much gain can the adversary achieve? We consider two cases. In the first case, the messages are uniform binary.
For each ω_i, the probabilities that ω_i = 0 and ω_i = 1 are both 50%. In the second case, the messages are arbitrarily long. Clearly the first case is a special case of the second. The two cases are connected but also very different.

Now let's see what our question means by going over a simple protocol, the threshold protocol. The output bit of the protocol follows the threshold (majority) function: the output of the protocol equals 1 if and only if the sum of all the messages ω_i is larger than t. Suppose it takes only uniform binary messages; then the number of inputs whose sum of ω_i is larger than t is the size of a Hamming ball. Now, this simple protocol is robust. Why? Because with budget k, the sum can only change by k. So the adversary can succeed only if the original sum is larger than t − k, which is a bigger Hamming ball. This holds even if the adversary is offline and can make the changes at the end. We will come back to this later.

Now our goal is to answer the question of whether the threshold protocol is optimal, and whether the adversary can run online in polynomial time. In this paper we show that in the case of uniform binary messages, the threshold protocol is indeed optimal. Let β_{t,n} be the probability that B = 1 for threshold t in the n-party setting. For μ = β_{t,n}, a polynomial-time online attack can achieve μ' = β_{t−k,n} on any protocol, which matches the majority's upper bound even for offline attacks. Then, for the case of any message length, the threshold protocol is optimal up to a constant for μ = Ω(1): we have a polynomial-time attack that achieves μ' = μ + Ω(μk/√n).

Here is an outline of this talk. Before we go to the details of our method, let me introduce some related work and also applications of our method.
For uniform binary messages, Lichtenstein, Linial and Saks in 1989 showed that threshold functions are optimal: an attack can achieve probability β_{t−k,n−k} in their weaker adversary model, which cannot see the message before making changes. Our attack, on the other hand, can see the current message before making a replacement, which is much stronger, so we achieve the bound β_{t−k,n}, which is larger than the bound in the Lichtenstein–Linial–Saks paper. For the same adversary, Kalai et al. 2018 propose a polynomial-time attack that works for large k, namely k = Ω(√n), and is optimal up to a constant. For arbitrary message lengths, Mahloujifar–Mahmoody '19 and Etesami et al. 2020 propose a polynomial-time adversary that, with budget k = Ω(√n), can increase the probability to approximately 1. However, their results only work for large k, whereas what we want is a universal solution for every k.

Interestingly, prior work has built a connection between targeted attacks on coin tossing protocols and targeted poisoning attacks on machine learning models. In the two figures below I will show why the targeted poisoning attack can be reduced to an attack defined on coin tossing. The left figure is the same figure as the attack on coin tossing, and the right figure, although it looks similar, is a learning problem. A machine learner takes a data set as input and returns a model. Suppose the data set has n examples; the adversary inspects it and makes some modifications to make the learner produce a bad model. We can then use the attack defined in the left scenario on the right one by defining a collective coin tossing protocol based on the learner and letting B = 1 if the learner outputs a bad model. Then an attack defined on the left figure can be applied directly to the right figure. Our attack on coin tossing with any budget translates to a targeted poisoning attack on machine learning models with the same budget.
Now we briefly talk about the connection to the isoperimetric problem in product spaces under the Hamming distance. In the isoperimetric problem, what we want is to find a set of fixed size that has minimum boundary. See the figure on the right side. Suppose we have a set marked in red that is a subset of the green set. We define the boundary as the set of all elements that have Hamming distance at most k from some element of the red set. Then the isoperimetric problem asks: what shape of the red set has the minimum boundary? The boundary is shown as the brown region in the figure.

We now connect coin tossing with the isoperimetric problem. On the left side, we see that the coin tossing protocol sometimes returns 1 and sometimes returns 0. On the right side, we define an element as an input, which is a combination of n messages. Roughly speaking, we can think of three types of inputs. There are good ones that lead to output 0, shown as the large green circle. There are inputs that lead to output 1, represented by the red circle. And there are vulnerable ones that originally output 0 but are too close to the inputs with output 1, so an adversary can make them bad with at most k replacements. In the figure, the brown circle is the set of vulnerable inputs. As should be clear from the picture, we are asking what the probability of being red or brown is, given that the probability of being red is the given probability μ. Proving a lower bound on the probability measure of the brown set is exactly what we want: a lower bound on the risk.

Now, in the case of the previous methods from the two papers mentioned before, the budget is large, and the probability of the vulnerable brown circle becomes close to 1. Essentially, they are asking how many inputs are not close to the bad inputs. Then, by the concentration of measure, the whole measure space is concentrated, that is, close to the bad inputs.
Therefore, only a negligible fraction of the space is still far away from the bad inputs. The polynomial-time attacks proposed by those works then provide a computational version of the concentration of measure, so we can call their result computational concentration. On the other hand, in the scenario we work on, the budget can be small, and the probability of the vulnerable brown circle can also be small. In the offline setting, when the adversary gets to see all the messages, our problem becomes exactly the isoperimetric problem. But we want to pursue an online algorithm that runs in polynomial time and achieves the same bound, which further gives a computational version of the isoperimetric inequality. So we can call our goal computational isoperimetry. This is the major difference between our work and the previous works.

In the next part, we will talk about the attack for any message length. We first give a high-level description of our attack. Suppose the adversary is defined with a parameter λ, which we will explain later, and also a budget k. The adversary's strategy is to make a replacement if, first, it has not already made k replacements, and second, the gain is large. Namely, at round i+1, let α be the probability that B = 1, defined over all the sequences that follow ω_1, ..., ω_{i+1}, and let α' be the maximum possible probability among all the possible messages ω*_{i+1} at this step, again defined over all the sequences that follow. If α' − α ≥ λ and our adversary has not made k replacements yet, the adversary replaces ω_{i+1} with ω*_{i+1}. So the attack is similar to the attacks in Mahloujifar–Mahmoody '19 and Etesami et al. 2020, but with key differences. The main difference is that those two papers use an analysis that only applies to large k, namely k = Ω(√n).
What we want is to find a universal solution, especially for small k. Also, in the Mahloujifar–Mahmoody '19 paper, they let ᾱ be the probability that B = 1 before the current step; then if ᾱ − α ≥ λ, they resample the input message, and otherwise, if α' − α ≥ λ, they do the replacement. So our attack has one fewer case and leads to a sharper bound, even for large k. In the Etesami et al. paper, they use the ratio α'/α instead of α' − α, which leads to a sharper bound, but it only works for large k = Ω(√n).

So why do all of these papers choose large k? There is a reason behind that. These three papers share a similar core, which makes them all rely on this Ω(√n) budget. Let's go through the following two steps. First, they show that a specific attack with unlimited budget can fix the output to 1. Second, relying on the first step, they show that this attack's budget is indeed Θ(√n). It can be shown that fixing the output to 1 could require a budget of √n, so one cannot improve with the same analysis; we need a new analysis.

So, how does our attack work? We start with the case k = 1; note that even k = 1 was previously an open question. We can separate all the inputs into two cases: the first is the case where the adversary with budget one makes a replacement, and the second is where the adversary with budget one does not make a replacement. We can show that in both cases, essentially, the adversary will have a large gain. First, we show that each replacement made by this one-replacing attack immediately achieves this λ gain. See the path marked in orange, which originally leads to output 0, but the adversary makes a replacement to divert it to the new path marked in red. We know that the adversary only makes a replacement when the probability of output 1 is increased by λ.
So suppose the probability of going along the original path is p; then the adversary gains at least p·λ. Similarly, let p_1 be the probability that this one-replacing attack makes a replacement, and μ_1 the expectation of B' = 1 after the one-replacing attack; we then have μ_1 ≥ μ + p_1·λ. So we only need to lower bound p_1. However, we now see that when p_1 is small, the adversary still gets a large probability that B' = 1. For example, the green path does not change, so the k = 1 attack does not change it. And because the k = ∞ attack is based on this k = 1 attack, it has the same result there and does not make any change either. From the previous literature we know that when k = ∞ the probability should go close to 1, which means that on this part, when k = 1, it is already close to 1. So let this ERR function be the error of the infinity-replacing attack. Then we have p_1 ≥ 1 − μ − ERR. Combining with case one, we have μ_1 ≥ μ + λ(1 − μ − ERR). Finally, letting λ be Θ(μ/√n), we get the bias Ω(μ/√n).

Now we extend our k = 1 result to any k. The first approach is to recursively apply the analysis: we can apply the one-replacing attack k times. However, it is only polynomial time when k = O(1). A second approach, which achieves a slightly weaker but polynomial-time bound, is to carefully apply induction. Let the attack be the infinity-replacing attack that is cut off after k replacements. A generalization of the idea of the one-replacing attack shows that μ_k ≥ μ_{k−1} + λ(1 − μ_{k−1} − ERR). Solving this recursion gives the desired bound.
The attack can be made polynomial time using the same trick as in the Mahloujifar–Mahmoody '19 paper. That was the first case, arbitrary-length messages; we now turn to the second case, where the attack is applied to uniform binary messages. We start by recalling the result on threshold functions, assuming each message ω_i is uniform binary. The output bit of the protocol follows the threshold (majority) function: the output of the protocol equals 1 if and only if the sum of all the messages ω_i is larger than t. Let β_t be the probability that the sum is larger than t. A k-replacing offline adversary, where by offline we mean that the adversary sees all the messages and then makes replacements, can only achieve β_{t−k}, which is the size of a larger Hamming ball. We ask the question: how much gain can an online adversary achieve? What we care about is the online expansion function, which is the optimal gain under the best possible online k-replacing attack. Similarly, we can define the offline expansion function, which is the optimal gain of the offline adversary. The online expansion function can be computed by induction, and the corresponding optimal attack can also be implemented in polynomial time if one is given oracle access to the values of the online expansion function, but we do not have that, because the online expansion function is in general very hard to compute.

So we propose a piecewise linear function L. The function L equals the offline expansion function at each Hamming ball size β_t, and otherwise it is linearly extended to all the other points. The piecewise linear function is inspired by a similar function from the Khorasgani et al. 2021 paper, but the induction for proving the lower bound is quite different in our setting. Here is a figure of the three functions we described. In the figure, the x axis is the value of μ, ranging from 0 to 1.
The blue curve is the online expansion, which we want to bound, and the red curve is the offline expansion, which is easy to solve because we know that the threshold is optimal. Then we define this L function as the green curve, which is a lower bound of the red curve. At a high level, there exists a recursive relation for both the online expansion and the L function, and because of concavity we can show that L is also a lower bound for the blue curve, the online expansion. Because the L function achieves the same value as the red curve at each Hamming ball size, the online expansion function also achieves this gain. The conclusion is that both L and the online expansion are off by at most one step compared to the offline expansion; that is, the online adversary with one more unit of budget can achieve at least the same result as the offline adversary. We then conclude that the threshold is optimal in this case.

Now, the optimal attack can be implemented in polynomial time if one is given oracle access to the values of the online expansion, but we do not have access to that. To achieve a polynomial-time attack, we define an adversary that approximates and uses L instead of the online expansion. The induction proof still shows that using L instead of the online expansion works.

Finally, we summarize our findings in the conclusion. For uniform binary protocols, the threshold (majority) protocol is optimal against online and offline k-replacing attacks, for any k. This result can be viewed as a computational version of Harper's isoperimetric inequality. For protocols with any message length, the majority protocol is still optimal up to a constant factor. This result can be used to obtain generic targeted poisoning attacks on learners with small budget k, where n is the size of the training set. Thank you. I appreciate any questions and comments from you.
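The following Python is an added example and is not code from the talk or from the paper's authors. It models the setting of the talk for uniform binary messages with a tiny number of parties so that every probability is computed exactly by enumeration: the threshold protocol and its Hamming-ball probability β_{t,n}, the offline bound β_{t−k,n}, the online attack parameterised by λ (replace the current message when α' − α ≥ λ and budget remains), and, going one step beyond the talk's description, the online expansion value itself, computed by the backward induction the talk says is possible but exponential. The protocol interface (a function from the n-bit message tuple to {0,1}), the function names, n = 5 and the sample protocols are assumptions of this example.

```python
"""Exact toy model of the k-replacing online adversary from the talk.

Added example, not code from the talk or the paper. Assumptions: messages are
uniform bits, a protocol is any function f from the n-bit message tuple to
{0, 1}, and n is tiny so every probability can be computed exactly by
enumerating all 2^n honest message sequences. Function names are ours.
"""
from fractions import Fraction
from functools import lru_cache
from itertools import product
from math import comb


def threshold_protocol(t):
    """Threshold protocol: B = 1 iff the sum of the n messages is at least t."""
    return lambda msgs: int(sum(msgs) >= t)


def hamming_ball_prob(n, t):
    """beta_{t,n}: probability that n uniform bits sum to at least t, i.e. the
    normalised size of the Hamming ball of radius n - t around the all-ones input."""
    return Fraction(sum(comb(n, s) for s in range(max(t, 0), n + 1)), 2 ** n)


def pr_one_given_prefix(f, n, prefix):
    """alpha: Pr[B = 1 | omega_1..omega_i = prefix], remaining bits uniform."""
    rest = n - len(prefix)
    hits = sum(f(prefix + suffix) for suffix in product((0, 1), repeat=rest))
    return Fraction(hits, 2 ** rest)


def lambda_attack(f, n, k, lam):
    """The talk's online attack with parameter lambda: after seeing omega_{i+1},
    compare alpha (keep it) with alpha' (best alternative message); replace when
    alpha' - alpha >= lambda and fewer than k replacements have been made.
    Returns mu' = Pr[B' = 1] exactly, averaged over all honest sequences."""
    success = 0
    for honest in product((0, 1), repeat=n):
        prefix, budget = (), k
        for w in honest:
            alpha = pr_one_given_prefix(f, n, prefix + (w,))
            # With binary messages the only alternative omega* is the flipped bit,
            # so alpha' - alpha >= lambda (lambda > 0) reduces to this test.
            alt = pr_one_given_prefix(f, n, prefix + (1 - w,))
            if budget > 0 and alt - alpha >= lam:
                w, budget = 1 - w, budget - 1
            prefix += (w,)
        success += f(prefix)
    return Fraction(success, 2 ** n)


def optimal_online(f, n, k):
    """Online expansion value: the best Pr[B' = 1] any online k-replacing
    adversary can force against f, by backward induction over prefixes.
    Exponential in n, which is why the talk approximates it with L instead."""
    @lru_cache(maxsize=None)
    def value(prefix, budget):
        if len(prefix) == n:
            return Fraction(f(prefix))
        total = Fraction(0)
        for w in (0, 1):                      # honest party sends w uniformly
            keep = value(prefix + (w,), budget)
            swap = value(prefix + (1 - w,), budget - 1) if budget else Fraction(0)
            total += max(keep, swap)          # adversary takes the better branch
        return total / 2
    return value((), k)


def offline_threshold_bound(n, t, k):
    """Offline k-replacing adversary against the threshold-t protocol: it wins
    iff the honest sum is already at least t - k, i.e. beta_{t-k,n}."""
    return hamming_ball_prob(n, t - k)


if __name__ == "__main__":
    n, t, k = 5, 3, 1
    majority = threshold_protocol(t)
    mu = pr_one_given_prefix(majority, n, ())
    # The talk sets lambda = Theta(mu / sqrt(n)); for this tiny n any positive
    # lambda below the smallest possible jump in alpha (1 / 2^n) already makes
    # the attack flip the first zero whose flip raises the conditional probability.
    lam = Fraction(1, 1000)
    print("mu =", mu, " offline bound beta_{t-k,n} =", offline_threshold_bound(n, t, k))
    print("lambda attack mu' =", lambda_attack(majority, n, k, lam))
    print("optimal online    =", optimal_online(majority, n, k))
    dictator = lambda msgs: msgs[0]           # also mu = 1/2, but far less robust
    print("dictator, optimal online =", optimal_online(dictator, n, k))
```

For majority on five parties with k = 1 the λ attack and the exact online optimum both reach 13/16, exactly the offline Hamming-ball bound β_{2,5}, illustrating the talk's point that online and offline coincide at Hamming-ball sizes; against the dictator protocol, which has the same μ = 1/2, one replacement already forces the output to 1.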