Multi-Party Protocols, Information Complexity and Privacy

We introduce the new measure of Public Information Complexity (PIC), as a tool for the study of multi-party computation protocols, and of quantities such as their communication complexity, or the amount of randomness they require in the context of information-theoretic private computations. We are able to use this measure directly in the natural asynchronous message-passing peer-to-peer model and show a number of interesting properties and applications of our new notion: the Public Information Complexity is a lower bound on the Communication Complexity and an upper bound on the Information Complexity; the difference between the Public Information Complexity and the Information Complexity provides a lower bound on the amount of randomness used in a protocol; any communication protocol can be compressed to its Public Information Cost; and we explicitly calculate the zero-error Public Information Complexity of the k-party, n-bit Parity function, where a player outputs the bit-wise parity of the inputs. The latter result establishes that the amount of randomness needed for a private protocol computing this function is Ω(n).


Introduction
Communication complexity, originally introduced by Yao [Yao79], is a prolific field of research in theoretical computer science that has yielded many important results. Informally, it answers the question "How many bits must the players transmit to solve a distributed problem?" The study of the two-party case has produced a large number of interesting and important results, upper and lower bounds, with many applications in other areas of theoretical computer science such as circuit complexity, data structures, streaming algorithms and distributed computation (see, e.g., [KN97, MNSW95, GG10, SHK+10, FHW12]). A central tool in this study is information complexity (see, e.g., [BGPW13]). This line of research was followed by [CM15], which also uses information complexity to obtain tight bounds on the communication complexity of the function Tribes in the coordinator model. Information complexity is also used in [BO15] to study set-disjointness in the broadcast model.
A number of sub-models have been considered in the literature for the multi-party computation setting: the number in hand model (NIH), where each player has a private input, is maybe the most natural one, while in the number on the forehead model (NOF), each player i knows all inputs x_j, j ≠ i, i.e., the "inputs" of all players except its own. As to the communication pattern, a number of variants exist as well: in the blackboard model, the players communicate by broadcasting messages (or writing them on a "blackboard"); in the message passing model, each pair of players is given a private channel to mutually communicate (for more details on the different variants see [KN97]). Most of the results in multi-party communication complexity were obtained for the NOF model and/or the blackboard model. The present paper studies, however, the NIH, message passing (peer-to-peer) model, which is also the most closely related to the work done on message passing protocols in the distributed computing and networking communities.

Our contributions
Our main goal is to introduce novel information-theoretical measures for the study of number-in-hand, message-passing multi-party protocols, coupled with a natural model that, among other things, allows private protocols (which is not the case for, e.g., the coordinator model). We define the new measure of Public Information Complexity (PIC) as a tool for the study of multi-party computation protocols, and of quantities such as their communication complexity, or the amount of randomness they require in the context of information-theoretic private computations. Intuitively, our new measure captures a combination of the amount of information about the inputs that the players leak to other players, and the amount of randomness that the protocol uses. By proving lower bounds on PIC for a given multi-party function f, we are able to give lower bounds on the communication complexity of f and on the amount of randomness needed to privately compute f. The crucial point is that the PIC of functions, in our multi-party model, is not always 0, unlike their IC.
Our new measure works in a model which is a slight restriction of the most general asynchronous model: for a given player at a given time, the set of players from which that player waits for a message can be determined by that player's own local view. This allows us to have the property that, for any protocol, the information which is leaked during the execution of the protocol is at most the communication cost of the protocol. Note that in the multi-party case the information cost of a protocol may be higher than its communication cost, because the identity of the player from which one receives a message might carry some information. This is another issue that arises when trying to use IC in the peer-to-peer multi-party setting. We are able to define our measure and use it directly in a natural asynchronous peer-to-peer model (and not, e.g., in the coordinator model used in most works studying the multi-party case, cf. [DF89]). The latter point is particularly important when one is interested in privacy, since our model allows for private protocols, while this is not necessarily the case for other models, including the coordinator model. Furthermore, if one seeks to accurately understand the natural peer-to-peer model, suppressing polylogarithmic-factor inaccuracies, one has to study the peer-to-peer model directly (see the comparison of models in subsection 3.1).
We go on to show a number of interesting properties and applications of our new notion:
• The Public Information Complexity is a lower bound on the Communication Complexity and an upper bound on the Information Complexity. In fact, it can be strictly larger than the Information Complexity.
• The difference between the Public Information Complexity and the Information Complexity provides a lower bound on the amount of randomness used in a protocol.
• Any communication protocol can be compressed down to its PIC (up to logarithmic factors); we show this by extending to the multi-party setting the compression techniques of Brody et al. [BBK+13].
• We show that one can approach the central question of direct sum in communication complexity by trying to prove a direct sum result for PIC. Indeed, we show that a direct sum property for PIC implies a certain direct sum property for communication complexity.
• We explicitly calculate the zero-error Public Information Complexity of the k-party, n-bit Parity function (Par), where a player outputs the bit-wise parity of the inputs. We show that the PIC of this function is n(k − 1). This result is tight, and it also establishes that the amount of randomness needed for a private protocol that computes this function is Ω(n). While this sounds like a natural assertion, no previous proof of this claim existed.

Organization
The paper is organized as follows. In Section 2 we review several notations and information theory basics. In Section 3 we define the communication model and a number of traditional complexity measures. In Section 4 we define the new measure, PIC, that we introduce in the present paper, and in Section 5 we discuss its relation to randomness and multi-party private computation. In Section 6 we discuss the existence of a direct sum property for PIC, and in Section 7 we give tight bounds for Par using PIC. We conclude the paper in Section 8.

Preliminaries
We start by defining a number of notations. We denote by k the number of players. We often use n to denote the size (in bits) of the input to each player. Calligraphic letters will be used to denote sets. Upper case letters will be used to denote random variables, and given two random variables A and B, we will denote by AB the joint random variable (A, B). Given a string (of bits) s, |s| denotes the length of s. Using parentheses we denote an ordered set (family) of items, e.g., (Y i ). Given a family (Y i ), Y −i denotes the sub-family which is the family (Y i ) without the element Y i . The letter X will usually denote the input to the players, and we thus use the shortened notation X for (X i ), i.e. the input to all players. π will be used to denote a protocol. We use the term entropy to talk about binary entropy. We give a reminder on basic information theory, as introduced in [Sha48].
Definition 2.1. The entropy of a (discrete) random variable X is H(X) = − Σ_x Pr[X = x] log Pr[X = x]. The conditional entropy of X given Y is H(X | Y) = Σ_y Pr[Y = y] H(X | Y = y).

Definition 2.3. The mutual information between two random variables X, Y is I(X ; Y) = H(X) − H(X | Y).

The conditional mutual information between X and Y given Z is I(X ; Y | Z) = H(X | Z) − H(X | Y Z).

The mutual information measures the change in the entropy of X when one learns the value of Y. It is non-negative, and is symmetric: I(X ; Y) = I(Y ; X).

Lemma 2.7 (Data processing inequality). For any X, Y, Z, and any function f, it holds that I(X ; f(Y) | Z) ≤ I(X ; Y | Z).
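These quantities are easy to evaluate numerically for small distributions. The following sketch (plain Python, with names of our choosing) computes the binary entropy and the mutual information of a joint distribution given as a table, and checks a fully correlated and a fully independent pair of uniform bits.

```python
from collections import defaultdict
from math import log2

def entropy(p):
    # Binary entropy of a distribution given as {outcome: probability}.
    return -sum(q * log2(q) for q in p.values() if q > 0)

def mutual_information(pxy):
    # I(X;Y) = H(X) + H(Y) - H(X,Y) for a joint distribution {(x, y): prob}.
    px, py = defaultdict(float), defaultdict(float)
    for (x, y), q in pxy.items():
        px[x] += q
        py[y] += q
    return entropy(px) + entropy(py) - entropy(pxy)

# X a uniform bit and Y = X: learning Y removes one full bit of entropy.
joint = {(0, 0): 0.5, (1, 1): 0.5}
print(entropy({0: 0.5, 1: 0.5}))   # 1.0
print(mutual_information(joint))   # 1.0

# X, Y independent uniform bits: no information.
indep = {(x, y): 0.25 for x in (0, 1) for y in (0, 1)}
print(mutual_information(indep))   # 0.0
```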

The model
We now define a natural communication model which is a slight restriction of the most general asynchronous peer-to-peer model. The restriction is that, for a given player at a given time, the set of players from which that player waits for a message can be determined by that player's own local view. This allows us to define information-theoretical tools that pertain to the transcripts of the protocols, and at the same time to use these tools as lower bounds for communication complexity. This restriction, however, does not exclude the existence of private protocols, as other special cases of the general asynchronous model do. We observe that without such a restriction the information revealed by the execution of a protocol might be higher than the number of bits transmitted, and that, on the other hand, practically all multi-party protocols in the literature are implicitly defined in our model. We also compare our model to the general one and to other restricted ones, and explain the usefulness and logic of our specific model.

Definition of the model
We work in the multi-party number-in-hand peer-to-peer model. Each player has unbounded local computation power and, in addition to its input X_i, has access to a source of private randomness R_i. We will use the notation R for (R_i), i.e., the private randomness of all players. A source of public randomness R_p is also available to all players. The system consists of k players and a family of functions f = (f_i), where X_l denotes the set of possible inputs of player l, and Y_i denotes the set of possible outputs of player i. The players are given some input x = (x_1, . . . , x_k), and for every i, player i has to compute f_i(x). Each player has a special write-only output tape.
We define the communication model as follows; it is the asynchronous setting, with some restrictions. To make the discussion simpler we assume a global time which is unknown to the players. Every pair of players is connected by a bidirectional communication link that allows them to send messages in both directions. There is no bound on the delivery time of a message, but every message is delivered in finite time, and the communication link maintains FIFO order in each of the two directions. Given a specific time, we define the view of player i, denoted D_i, as the input of that player, X_i, its private randomness, R_i, and the messages received so far by player i. The protocol of each player i runs in local rounds. In each round, player i sends messages to some subset of the other players. The identity of these players, as well as the content of these messages, depend on the current view of player i. The player also decides whether to write a (non-empty) string on its output tape. Then, the player waits for messages from a certain subset of the other players, where this subset is also determined by the current view of the player. Then the (local) round of player i terminates.¹ To make it possible for the player to identify the arrival of the complete messages that it waits for, we require that each message sent by a player in the protocol is self-delimiting.

¹ The fact that the receiving of the incoming messages comes as the last step of the (local) round comes only to emphasize that the sending of the messages and the writing on the output tape are a function of only the messages received in previous (local) rounds.
Denote by D_i^j the view of player i at the end of local round j, j ≥ 0, where the beginning of the protocol is considered round 0. Formally, a protocol π is defined by a sequence of functions of D_i^{j−1} for each player i, parametrized by the local round j, j ≥ 1:
• a function D_i^{j−1} → 2^{{1,...,k}\{i}}, defining the set S_i^j of players to which player i sends messages;
• a function defining the content of the messages player i sends; each such message has to be self-delimiting;
• a function defining what the player writes on its output tape; each player can write a non-empty string on its output tape only once;
• a function D_i^{j−1} → 2^{{1,...,k}\{i}}, defining the set S̄_i^j of players from which player i waits for a message.
We note that the model does not impose "coherence" between the players. That is, the model does not preclude the possibility that a certain player waits indefinitely for a message that is never sent to it.
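The requirement that messages be self-delimiting can be met, for instance, by a length-prefixed (and hence prefix-free) encoding. The sketch below is our own illustration, not a construction from the paper: the length of the payload is written in unary before the payload, so a receiver reading a FIFO link always knows where the current message ends.

```python
def encode(msg: str) -> str:
    # Prefix the payload with its length in unary: len(msg) zeros, then a 1.
    # The resulting code is prefix-free, hence self-delimiting.
    assert set(msg) <= {"0", "1"}
    return "0" * len(msg) + "1" + msg

def decode_one(stream: str) -> tuple[str, str]:
    # Read one self-delimited message; return (message, rest of stream).
    n = stream.index("1")          # unary length header
    start = n + 1
    return stream[start:start + n], stream[start + n:]

# Two messages concatenated on one link still split unambiguously.
s = encode("101") + encode("0")
m1, s = decode_one(s)
m2, s = decode_one(s)
print(m1, m2)  # 101 0
```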
We define the transcript of the protocol of player i, denoted Π_i, as the concatenation of the messages read by player i from the players in the sets S̄_i^1, S̄_i^2, . . ., ordered by local round number, and within each round by, say, the index of the sending player. We denote by ←→Π_i the concatenation of Π_i together with a similar concatenation of the messages sent by player i to the players in the sets S_i^1, S_i^2, . . .. We denote by Π_{i→j} the concatenation of the messages sent by player i to player j during the course of the protocol. The transcript of the (whole) protocol, denoted Π, is obtained by concatenating all the Π_i, ordered by, say, player index.
We will give most of the definitions for the case where all functions f_i are the same function, which we denote by f. The definitions in the case of a family of functions are similar.
Definition 3.1. For ǫ ≥ 0, a protocol π ǫ-computes a function f if for all (x_1, . . . , x_k) ∈ X_1 × · · · × X_k:
1. For all possible assignments of the random sources R_i, 1 ≤ i ≤ k, and R_p, every player eventually (i.e., in finite time) writes a non-empty string on its output tape.
2. With probability at least 1 − ǫ (over all random sources) the following event occurs: each player i writes on its output tape the value f (x), i.e., the correct value of the function.
For simplicity we also assume that a protocol must eventually stop. That is, for all possible inputs and all possible assignments for the random sources, eventually (i.e., in finite time) there is no message in transit.

Comparison to other models
The somewhat restricted model (compared to the general asynchronous model) that we work with allows us to define a measure similar to information cost, which we will later show to have desirable properties and to be of use. Notice that the general asynchronous model is problematic in this respect, since one bit of communication can bring log(k) bits of information: not only the content of the message, but also the identity of the sender, may reveal information. Thus, information cannot be used as a lower bound on communication. In our case, the sets S_i^l and S̄_i^l of players to which a player sends messages and from which it waits for messages are determined by the current view of the player, the transcript Π_i contains only the content of the messages, and thus the desirable relation between communication and information is maintained. On the other hand, our restriction is natural, does not seem to be very restrictive (practically all protocols in the literature adhere to our model), and does not exclude the existence of private protocols.
To exemplify the above-mentioned issue in the general asynchronous model, consider the following simple example of a deterministic protocol for four players A, B, C, D, which allows A to transmit its input bit x to B, but where all messages sent in the protocol are the bit 0, and the protocol generates only a single transcript over all possible inputs.
A: If x = 0, send 0 to C; after receiving 0 from C, send 0 to D. If x = 1, send 0 to D; after receiving 0 from D, send 0 to C.
B: After receiving 0 from a player, send 0 back to that player.
C, D: After receiving 0 from A, send 0 to B. After receiving 0 from B, send 0 to A.
It is easy to see that B learns the value of x from the order of the messages it gets.
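The following sketch is a hypothetical simulation of the example above (our own event-queue modeling of asynchronous delivery, not part of the paper): every message body is the bit 0, yet B recovers x from the arrival order alone.

```python
def run(x):
    """Simulate the causal message order of the four-player example.

    Every message body is the bit 0; only the order varies.
    Returns the senders of the messages B receives, in arrival order.
    """
    events = []          # messages in flight: (sender, receiver)
    received_by_b = []
    # A's first step depends on its input bit x.
    first, second = ("C", "D") if x == 0 else ("D", "C")
    events.append(("A", first))
    while events:
        sender, receiver = events.pop(0)
        if receiver == "B":
            received_by_b.append(sender)
            events.append(("B", sender))        # B echoes 0 back
        elif receiver in ("C", "D"):
            if sender == "A":
                events.append((receiver, "B"))  # forward 0 to B
            else:                               # the 0 came back from B
                events.append((receiver, "A"))  # notify A
        elif receiver == "A" and sender == first:
            events.append(("A", second))        # A's second step
    return received_by_b

assert run(0) == ["C", "D"] and run(1) == ["D", "C"]
print("B learns x from the order of identical messages")
```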
There has been a long series of works about multi-party communication protocols in different variants of models, for example [CKS03, Gro09, Jay09, PVZ12, CRR14, CR15]. In [BEO+13], Braverman et al. consider a restricted class of protocols working in the coordinator model: an additional player with no input can communicate privately with each player, and the players can only communicate with the coordinator.
We first note that the coordinator model does not yield exact bounds for multi-party communication complexity in the peer-to-peer model (neither in our model nor in the most general one). Namely, a protocol in the peer-to-peer model can be transformed into a protocol in the coordinator model with an O(log k) multiplicative factor in the communication complexity, by sending any message to the coordinator with an O(log k)-bit label indicating its destination. This factor is sometimes necessary, e.g., for the q-index function, where players P_i, 0 ≤ i ≤ k − 1, each hold an input bit x_i, player P_k holds q indices 0 ≤ j_ℓ ≤ k − 1, 1 ≤ ℓ ≤ q, and P_k should learn the vector (x_{j_1}, x_{j_2}, . . . , x_{j_q}): in the coordinator model the communication complexity of this function is Θ(min{k, q log k}), while in both peer-to-peer models there is a protocol for this function that sends only (at most) min{k, 2q} bits, where P_k just queries the appropriate other players. But this multiplicative factor between the complexities in the two models is not always necessary: the communication complexity of the parity function Par is Θ(k) both in the peer-to-peer models and in the coordinator model.
Moreover, when studying private protocols in the peer-to-peer model, the coordinator model does not offer any insight. In the (asynchronous) coordinator model, described in [DF89] and used for instance in [BEO+13], if there is no privacy requirement with respect to the coordinator, it is trivial to obtain a private protocol: all players send their inputs to the coordinator, and the coordinator returns the results to the players. If there is a privacy requirement with respect to the coordinator, then if there is a random source shared by all the players (but not the coordinator), privacy is always possible using the protocol of [FKN94]. If no such source exists, privacy is impossible in general. This follows from the results of Braverman et al. [BEO+13], who show a non-zero lower bound on the total internal information complexity of all parties (including the coordinator) for the function Disjointness in that model. Note also that the private protocols described in [BOGW88, CCD88] (and further work) are defined in the synchronous setting, and can thus be adapted to our communication model (the sets S_i^j and S̄_i^j are always all the other players, and hence are even independent of the current views).
In the sequel we also use a special case of our model, where the sets S_i^j and S̄_i^j are a function only of i and j, and not of the entire current view of the player. This is a natural special case, defining what we call oblivious protocols: the communication pattern is fixed and is not a function of the input or the randomness. Clearly, the messages themselves remain a function of the views of the players. This model also allows for private protocols.

Communication complexity and information complexity
Communication complexity, introduced in [Yao79], measures how many bits of communication are needed in order for a set of players to compute with error ǫ a given function of their inputs. The allowed error ǫ, implicit in many of the contexts, will be written explicitly as a superscript when necessary.
Definition 3.2. The communication cost of a protocol π, CC(π), is the maximal length of the transcript of π over all possible inputs, private randomness and public randomness.

Information complexity measures the amount of information that must be transmitted so that the players can compute a given function of their joint inputs. One of its main uses is to provide a lower bound on the communication complexity of the function. In the two-party setting, this measure led to interesting results on the communication complexity of various functions, such as AND and Disjointness. We now focus on designing an analogue of the information cost for the multi-party setting. The notion of internal information cost for two-party protocols (cf. [CSWY01, BYJKS02, Bra12]) can be easily generalized to any number of players:

Definition 3.4. The internal information cost of a protocol π for k players, with respect to input distribution µ, is the sum of the information revealed to each player about the inputs of the other players:

IC_µ(π) = Σ_{i=1}^{k} I(X_{−i} ; Π_i | X_i R_i R_p).

Intuitively, the information cost of a protocol is the amount of information each player learns about the inputs of the other players during the protocol. The definition we give above, when restricted to two players, is the same as in [Bra12], even though they look slightly different. This is because we make the role of the randomness explicit, which will later allow us to bound the amount of randomness needed for private protocols in the multi-party setting.
The internal information complexity of a function f with respect to input distribution µ, as well as the internal information complexity of a function f , can be defined for the multi-party case based on the information cost of a protocol, just as in the 2-party case.
Definition 3.5. The internal information complexity of a function f with respect to input distribution µ is the infimum of the internal information cost over all protocols computing f on input distribution µ:

IC_µ(f) = inf_{π computing f} IC_µ(π).

Definition 3.6. The internal information complexity of a function f is the infimum, over all protocols π computing f, of the information cost of π when run on the worst input distribution for that protocol:

IC(f) = inf_{π computing f} sup_µ IC_µ(π).

Proposition 3.7 ([BR11]). For any protocol π and input distribution µ, IC_µ(π) ≤ CC(π).

The information revealed to a given player by a protocol can be written in several ways:

Proposition 3.8. For any protocol π and any player i,

I(X_{−i} ; Π_i | X_i R_i R_p) = I(X_{−i} ; ←→Π_i | X_i R_i R_p) = I(X_{−i} ; ←→Π_i | X_i R_p).

Proof. We prove the two equalities in turn. For the first equality, write ←→Π_i as a sequence b_1 . . . b_q of bits, and define Π_i^{<j} to be the set of bits with index less than j that are received by player i. Similarly, −→Π_i^{<j} is defined to be the set of bits with index less than j that are sent by player i. Fix j such that b_j is sent by player i. Since the actions of player i are determined by its current view, b_j is a function of (X_i, R_i, R_p, Π_i^{<j}); applying lemma 2.8, such a bit brings no information about X_{−i} beyond the bits received so far, and the first equality follows.

We now prove the equality I(X_{−i} ; ←→Π_i | X_i R_i R_p) = I(X_{−i} ; ←→Π_i | X_i R_p). By proposition 2.4, it suffices to show that, for each possible value of (X_i, R_p, ←→Π_i^{<j}), the random variables X_{−i} and R_i are independent. To do this, we fix a value (x_i, r, ←→π_i^{<j}) and consider, for any possible values x_{−i} of X_{−i}, the set ρ(x_i, x_{−i}, r, ←→π_i^{<j}) of pairs of private random tapes (r_i, r_{−i}) such that inputs x_i, x_{−i}, public randomness r and private randomness r_i, r_{−i} lead to a transcript of player i beginning with ←→π_i^{<j}. The set ρ(x_i, x_{−i}, r, ←→π_i^{<j}) is a product set; this follows from the fact that the actions of the players are based on their current views. We have thus shown that the random variables X_{−i} and R_i are independent conditioned on (X_i, R_p, ←→Π_i^{<j}), and hence I(X_{−i} ; R_i | X_i R_p ←→Π_i^{<j}) = 0. By lemma 2.9, this implies the desired equality. A similar reasoning, along with lemma 2.8, completes the proof.

Information complexity and privacy
The notion of a private protocol, as defined in [BOGW88, CCD88], is the following.
Definition 3.9. A k-player protocol π computing a family of functions (f_i) is private if, for every player i, for all pairs of inputs x = (x_1, . . . , x_k) and x′ = (x′_1, . . . , x′_k) such that x_i = x′_i and f_i(x) = f_i(x′), for all possible private random tapes r_i of player i, and all possible public random tapes r_p, it holds that for any transcript T, Pr[Π_i = T | x, r_i, r_p] = Pr[Π_i = T | x′, r_i, r_p], where the probability is over the randomness R_{−i}.
The notion of privacy has an equivalent formulation in terms of information.
Proposition 3.10. A protocol π is private if and only if, for all input distributions µ and every player i, I(X_{−i} ; Π_i | X_i R_i R_p f_i(X)) = 0.

Proof. By proposition 2.4, definition 3.9 is equivalent to the statement that, conditioned on (X_i, R_i, R_p, f_i(X)), the random variables Π_i and X_{−i} are independent. Since I is non-negative and vanishes exactly when its arguments are conditionally independent, this is equivalent to the condition above.

It is well known that in the multi-party number-in-the-hand peer-to-peer setting (for k ≥ 3), unlike in the two-party case, any function can be privately computed.
Theorem 3.11 ([BOGW88], [CCD88]). Any family of functions of more than two variables can be computed by a private protocol.
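For intuition, the constructions behind theorem 3.11 rely on secret sharing. The sketch below is our own illustration, not the protocol of [BOGW88, CCD88]: it privately computes the n-bit parity function by having each player split its input into random additive (XOR) shares, one per player, so that any single column of shares is uniformly distributed and reveals nothing about the individual inputs, while the XOR of the published column sums equals the parity.

```python
import random

def private_parity(inputs, n):
    # inputs: list of n-bit integers, one per player.
    k = len(inputs)
    # Each player i splits x_i into k random shares XORing to x_i.
    shares = [[0] * k for _ in range(k)]
    for i, x in enumerate(inputs):
        acc = 0
        for j in range(k - 1):
            shares[i][j] = random.getrandbits(n)
            acc ^= shares[i][j]
        shares[i][k - 1] = acc ^ x
    # Player j publishes the XOR of the shares it received (column j);
    # each column alone is uniformly random, yet the XOR of all the
    # published sums equals the parity of the inputs.
    sums = [0] * k
    for j in range(k):
        for i in range(k):
            sums[j] ^= shares[i][j]
    out = 0
    for s in sums:
        out ^= s
    return out

xs = [0b1011, 0b0110, 0b1110]
expected = xs[0] ^ xs[1] ^ xs[2]
assert private_parity(xs, 4) == expected
```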
Using the above theorem, we can give the following lemma.
Lemma 3.12. For any family of functions (f_i) of more than two variables and any input distribution µ, IC_µ((f_i)) ≤ Σ_{i=1}^{k} H(f_i(X)).

Proof. Let π be a k-player private protocol computing (f_i); such a protocol exists by theorem 3.11. Fix a distribution µ on the inputs. For each i, by the chain rule and proposition 3.10, I(X_{−i} ; Π_i | X_i R_i R_p) ≤ I(X_{−i} ; Π_i f_i(X) | X_i R_i R_p) = I(X_{−i} ; f_i(X) | X_i R_i R_p) ≤ H(f_i(X)). Summing over i gives the claim.
This lemma shows that IC cannot be used in the multi-party setting for any meaningful lower bounds on the communication complexity, since its value is always upper bounded by the entropies of the functions. Our goal is to get lower bounds tight in both k and n. For this reason, we introduce a new information theoretic quantity for the multi-party setting.

The new measure: Public Information Cost
We now introduce a new information theoretic quantity which can be used instead of IC in the multi-party setting. The notion we define will be suitable for studying multi-party communication in a model which is only a slight restriction on the general asynchronous model, and which allows for private protocols. This means that while IC will be at most the entropies of the functions, our new notion remains a strong lower bound for communication.
Definition 4.1. For any k-player protocol π and any input distribution µ, we define the public information cost of π as

PIC_µ(π) = Σ_{i=1}^{k} I(X_{−i} R_{−i} ; Π_i | X_i R_i R_p).

The difference between PIC and IC is the presence of the other parties' private coins, R_{−i}, in the formula. If π is a protocol using only public randomness, then for any input distribution µ, PIC_µ(π) = IC_µ(π), and hence the name public information cost.
The public information cost measures both the information about the inputs learned by the players and the information that is hidden by the use of private coins. It can be decomposed, using the chain rule, into two terms, making explicit the contribution of the internal information cost and of the private randomness of the players.
Proposition 4.2. For any k-player protocol π and any input distribution µ,

PIC_µ(π) = IC_µ(π) + Σ_{i=1}^{k} I(R_{−i} ; Π_i | X R_i R_p).

The meaning of the second term is the following. At the end of the protocol, player i knows its input X_i, its private coins R_i, the public coins R_p and its transcript Π_i. Suppose that the private randomness R_{−i} of the other players is now revealed to player i. This brings to it some new information about the transcript; the second term measures this residual information. We also define the public information complexity of a function:

PIC_µ(f) = inf_{π computing f} PIC_µ(π), and PIC(f) = inf_{π computing f} sup_µ PIC_µ(π).

The public information cost is a lower bound for the communication complexity.
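The chain rule used in this decomposition, I(AB ; C) = I(A ; C) + I(B ; C | A), can be sanity-checked numerically. The sketch below (our illustration, with our own variable names) verifies it on a random joint distribution of three bits, computing every term from entropies of marginals.

```python
import itertools, random
from math import log2

random.seed(0)
# Random joint distribution over (a, b, c) in {0,1}^3.
outcomes = list(itertools.product((0, 1), repeat=3))
w = [random.random() for _ in outcomes]
p = {o: wi / sum(w) for o, wi in zip(outcomes, w)}

def H(vars_idx):
    # Entropy of the marginal on the given coordinate indices.
    marg = {}
    for o, q in p.items():
        key = tuple(o[i] for i in vars_idx)
        marg[key] = marg.get(key, 0.0) + q
    return -sum(q * log2(q) for q in marg.values() if q > 0)

# I(AB;C) = H(AB) + H(C) - H(ABC)
lhs = H((0, 1)) + H((2,)) - H((0, 1, 2))
# I(A;C) + I(B;C|A), each term expanded into entropies:
rhs = (H((0,)) + H((2,)) - H((0, 2))) \
    + (H((0, 1)) + H((0, 2)) - H((0,)) - H((0, 1, 2)))
assert abs(lhs - rhs) < 1e-9
```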
Proof. For each i,

I(X_{−i} R_{−i} ; Π_i | X_i R_i R_p) ≤ H(Π_i | X_i R_i R_p) ≤ H(Π_i)

(by proposition 2.5). Using proposition 2.2, for each i, H(Π_i) is upper bounded by the expected length of Π_i. As the expected length of Π is upper bounded by the sum over i of the expected lengths of the Π_i, we get CC(π) ≥ PIC_µ(π).
In fact, as we show below, the public information cost of a function is equal to its internal information cost in a setting where only public randomness is allowed. The role of private coins in communication protocols has been studied, for example, in [BG14, BBK+13, Koz15]. In the next section we will see that the difference between the public information cost and the information cost is related to the private coins used during the protocol.

Theorem 4.6. For any function f and input distribution µ,

PIC_µ(f) = inf_{π computing f, using only public coins} IC_µ(π), and PIC(f) = inf_{π computing f, using only public coins} sup_µ IC_µ(π).
Proof. It suffices to show that one can turn any protocol π into a public-coin protocol π′ such that for all input distributions µ, PIC_µ(π′) = PIC_µ(π). Fix a protocol π and an input distribution µ. Let R_i denote the private randomness of player i in π, and R = (R_i). Define π′, where the players act as they do in π, but use public randomness instead of their private randomness whenever they need to use it. For this, split the public random tape of π′ into two sub-tapes: R = (R_i), to be used instead of the private randomness of each player, and R_p, to be used as public randomness. We then have PIC_µ(π′) = IC_µ(π′) = PIC_µ(π).

The following property of the public information cost will be useful for zero-error protocols.

Proposition 4.7. For any function f and any input distribution µ, when studying the zero-error public information cost of f one can restrict attention to deterministic protocols: PIC_µ^0(f) = inf_{deterministic zero-error π for f} IC_µ(π).
Proof. Let π be a zero-error protocol for f . By theorem 4.6, one can assume that π has no private randomness.
Let r 0 be a value of the public random tape minimizing the function t, and define π 0 as the protocol behaving like π on the random tape r 0 . Note that π 0 is a deterministic zero-error protocol computing f . We now prove that IC µ (π 0 ) ≤ IC µ (π), which concludes the proof, by using the definition of π 0 .
PIC and IC are strictly different even in the two-party case. We prove below that for the AND function the zero-error public information cost is log 3 ≃ 1.58, while, as shown in [BGPW13], IC^0(AND) ≃ 1.49. This implies that the protocol achieving the optimal information cost for AND must use private coins. We remark also that in [BGPW13] it is shown that the external information cost of AND, which we do not consider here, is log(3).

Proof. Let π be a zero-error protocol for AND. By proposition 4.7, we can assume that π is deterministic. Suppose player 1 speaks first. Since π is deterministic, player 1 either sends its bit x or sends 1 − x. Player 2 is then able to compute the value of AND, and as player 1 must also be able to compute AND at the end of the protocol, the optimal protocol consists in player 2 sending back the value of AND to player 1. We compute the value of PIC_µ(π) for µ defined as follows: X ∼ Ber(α, 1 − α) and Y ∼ Ber(β, 1 − β). When X = 1, player 1 learns the value of Y, as AND(X, Y) = Y. Thus PIC_µ(π) = H(X) + (1 − α)H(Y). For any α, this quantity is maximal for β = 1/2. Thus we study the function f(α) = −α log(α) − (1 − α) log(1 − α) + 1 − α for α ∈ [0, 1]. f is continuous on [0, 1] and differentiable on ]0, 1[. We have f′(α) = log((1 − α)/α) − 1. f′ is continuous and decreasing on ]0, 1[, and admits the unique root 1/3. PIC_µ(π) is thus maximized for α = 1/3, its value being f(1/3) = log(3).
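The optimization in the last step can be double-checked numerically: with β = 1/2, the quantity to maximize is h(α) + (1 − α), where h is the binary entropy. A quick grid search (our sketch, not part of the proof) recovers the maximizer α = 1/3 and the value log₂(3) ≈ 1.585.

```python
from math import log2

def pic(alpha):
    # h(alpha) + (1 - alpha): H(X) plus (1 - alpha) * H(Y) with beta = 1/2.
    h = -alpha * log2(alpha) - (1 - alpha) * log2(1 - alpha)
    return h + (1 - alpha)

# Grid search over alpha in (0, 1).
grid = [i / 10000 for i in range(1, 10000)]
best = max(grid, key=pic)
print(round(best, 3), round(pic(best), 4))  # → 0.333 1.585
```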

Private computation, randomness, and PIC
We have seen that the public information cost of a function is equal to the information cost of the function when we only consider public coin protocols, and that in order to decrease the information cost even further, the players must use private randomness. We will see now that the difference between the public information cost of a protocol and its information cost can provide a lower bound on the amount of private randomness the players use during the protocol. The entropy of the transcript of the protocol, conditioned on the inputs and the public coins, is defined as H(Π | XR p ). Once the input and the public coins are fixed, the entropy of the transcript of the protocol comes solely from the private randomness. Thus it provides a lower bound on the entropy of the private randomness used by the players.
Theorem 5.1. Let f = (f_i) be a family of functions of k variables, and let π be a protocol for f. For any input distribution µ, it holds that

PIC_µ(π) ≤ IC_µ(π) + (k − 1) · H(R | R_p).

Thus running a protocol for f with information cost I_µ requires private randomness of entropy at least (PIC_µ(f) − I_µ)/(k − 1).

Proof. Fix a distribution µ on inputs. For any i, I(X_{−i} R_{−i} ; Π_i | X_i R_i R_p) ≤ I(X_{−i} ; Π_i | X_i R_i R_p) + I(R_{−i} ; Π_i X | R_p). Summing over i and using lemma 2.9, PIC_µ(π) ≤ IC_µ(π) + (k − 1) I(R ; ΠX | R_p). Since I(R ; ΠX | R_p) ≤ H(R | R_p), the theorem follows.

Using lemma 3.12, we can bound the randomness required to run a private protocol.
Corollary 5.2. Let f = (f_i) be a family of functions of k variables, and let π be a k-party private protocol for f. For any distribution µ on inputs, the private randomness used by π has entropy at least (PIC_µ(f) − Σ_{i=1}^{k} H(f_i(X)))/(k − 1).

A direct sum for PIC?
The direct sum property is a fundamental question in complexity theory, and has been studied for many computation models. A direct sum theorem asserts that the amount of resources needed to perform t independent tasks is at least the sum of the resources needed to perform each of the t tasks. In this section we show that a direct sum property for PIC implies a direct sum property for CC. For this, we prove a compression result by extending [BBK+13, Pan15] to the multi-party case. Note that information complexity has a direct sum property in the multi-party case. For PIC, it is easy to prove the following inequality.
Theorem 6.1. For any k-variable functions f and g, for any distribution µ on inputs of f and any distribution η on inputs of g, we have

PIC_{µ×η}(f × g) ≤ PIC_µ(f) + PIC_η(g).

In order to understand whether the opposite inequality holds, i.e., whether a direct sum property holds for PIC, we first need to study the problem of compressing communication.

Definition 6.2. The average-case communication complexity of a protocol π with respect to the input distribution µ, denoted ACC_µ(π), is the expected number of bits transmitted in an execution of π on inputs distributed according to µ, with uniform randomness.

Theorem 6.3. Suppose there exists a protocol π computing a k-variable function f over the distribution µ with error probability ε. Then there exists a public-coin protocol ρ that computes f over µ with error ε + δ, and with average communication complexity

ACC_µ(ρ) = O( k² PIC_µ(π) log(CC(π)) ( log(k CC(π)) + log( k² PIC_µ(π) log(CC(π)) / δ ) ) ).

Relation between PIC and CC: A compression result
The proof of the above theorem will follow from extending the compression result presented in [BBK+13, Pan15] to the case of k > 2 players.
Theorems 6.4 and 4.6, which link the public information cost of general protocols to the information cost of public-coin protocols, imply Theorem 6.3.
In the two-party compression scheme of [BBK+13, Pan15], the two players, given their own inputs, try to guess the transcript π(x_1, x_2) of the protocol π. For this, player 1 picks a candidate t_1 from the set Im(π(x_1, ·)) of possible transcripts given that he has input x_1, while player 2 picks a candidate t_2 from the set Im(π(·, x_2)). The two players then communicate in order to find the first bit on which t_1 and t_2 disagree. The general structure of protocols ensures that the common prefix of t_1 and t_2 (up to the first bit of disagreement) is identical to the beginning of the correct transcript on inputs x_1 and x_2, i.e., identical to π(x_1, x_2). Starting from this correct prefix, the players then pick new candidates for the transcript π(x_1, x_2), and so on, until they agree on the full transcript π(x_1, x_2). Clever choices of the candidates, along with an efficient technique for finding the first bit on which the candidates differ, lead to a protocol with little communication.
In extending the proof of [BBK+13, Pan15] to the multi-party case, new difficulties occur. The players can no longer try to guess the full transcript, as they have little information about the conversations between the other players; each player can only try to guess his partial transcript, according to his own input. Then, in order to find the first disagreement in the global transcript, every pair of players needs to find and communicate the position of the first disagreement in their partial transcripts. This induces the k² factor in our compression scheme; it is unclear whether it is necessary. Moreover, the players lack a common reference time.
To solve this, we will introduce, as a technical tool in the proof, a coordinator, whose role is to introduce a round structure in the protocol π. Note that this is only in the proof, and that the stated results hold in the model we define in Section 3.
We will use a black box, call it lcp box (for largest common prefix), which can be used by two players A and B in the following way: A puts a string x in the box, B puts a string y in the box, and the box gives them back the first index j such that x_j ≠ y_j if x ≠ y, or tells them that x = y otherwise. The price to pay for using this black box is log n bits of communication, where n = max(|x|, |y|).
This box can be efficiently simulated if we allow error:

Lemma 6.5 ([FRPU94]). There is a randomized public-coin protocol such that, on input two n-bit strings x and y, it outputs the first index j such that x_j ≠ y_j with probability at least 1 − ε if such a j exists, and otherwise reports that the two strings are equal, with worst-case communication complexity O(log(n/ε)).
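One possible way to realize such a primitive, in the spirit of [FRPU94], is a binary search over prefixes compared through shared random hashes. The sketch below is our own illustration, not the protocol of the lemma: the function name, the repetition count, and the naive cost of O(log n · log(n/ε)) hash bits (instead of the lemma's O(log(n/ε))) are all assumptions made for simplicity; the shared seed plays the role of the public coins.

```python
import random

def first_difference(x, y, eps=0.01, seed=2024):
    """Find the first index where bit strings x and y differ, or return
    None if they (most likely) agree.  Prefixes are compared through
    shared random inner products mod 2, repeated enough times that each
    comparison errs with probability far below eps."""
    n = len(x)
    assert len(y) == n
    rng = random.Random(seed)  # shared seed = public coins
    reps = 4 * (n.bit_length() + max(1, int(1 / eps)).bit_length())
    masks = [[rng.randrange(2) for _ in range(n)] for _ in range(reps)]

    def prefix_hash(s, m):
        # hash of s[:m]: one parity bit per shared random mask
        return tuple(sum(b & row[i] for i, b in enumerate(s[:m])) % 2
                     for row in masks)

    if prefix_hash(x, n) == prefix_hash(y, n):
        return None  # equal with high probability
    lo, hi = 0, n    # invariant: prefixes of length lo agree, of length hi differ
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if prefix_hash(x, mid) == prefix_hash(y, mid):
            lo = mid
        else:
            hi = mid
    return hi - 1    # first differing index
```

Equal prefixes always hash identically, so errors only shrink the search interval on the wrong side, with probability about 2^−reps per comparison.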
Corollary 6.6 ([BBK+13]). Any protocol ρ̃ that uses an lcp box l times on average can be simulated with error δ by a protocol ρ that does not use an lcp box and communicates an average of O(l log(l/δ)) extra bits.

We will use the lcp box in the proof, and apply Corollary 6.6 in the analysis at the end.
Proof of theorem 6.4. Starting from protocol π, we build a protocol π′ which introduces a new player, called the coordinator. In the beginning, the coordinator sends a signal message to each player. When a player i_1 receives the signal from the coordinator, if he wants to send a bit m to some player i_2 in π, then in π′ player i_1 sends instead (m, i_2) to the coordinator (he can send messages destined to several different players). If a player does not want to send any bit to the other players, he sends a "no" signal to the coordinator. When the coordinator has received an answer from all the players, he forwards the messages: if the coordinator has received some message (m, i_2) from i_1, he sends (m, i_1) to player i_2. If the coordinator has no message to send to a player, he sends him a "no" signal. This constitutes the first round. Each player can now again either send messages to be forwarded by the coordinator, or a "no" signal, and so on. Thus, in π′ each player communicates only with the coordinator. π′ computes the same function as π with the same error probability, and CC(π′) = O(k CC(π)). Just as π, π′ uses only public randomness.
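The round structure imposed by the coordinator can be mimicked in code. The sketch below is ours (the player interface is an assumption, not from the paper): every message travels through the coordinator, each player answers every signal with either messages or an implicit "no", and every original bit costs O(1) coordinator messages, matching CC(π′) = O(k CC(π)).

```python
def run_with_coordinator(players, max_rounds):
    """players[i] is a callable: given the list of (message, sender) pairs
    forwarded to player i this round, it returns a list of (message, dest)
    pairs to hand to the coordinator (an empty list encodes "no").
    Returns the total number of coordinator <-> player messages."""
    k = len(players)
    inboxes = [[] for _ in range(k)]
    traffic = 0
    for _ in range(max_rounds):
        outboxes = [[] for _ in range(k)]
        for i, step in enumerate(players):
            for msg, dest in step(inboxes[i]):
                outboxes[dest].append((msg, i))
            traffic += 1  # player i's answer (messages or "no") to the coordinator
        inboxes = outboxes
        traffic += k      # coordinator forwards (or sends "no") to each player
    return traffic

# tiny usage: player 0 sends a bit to player 1, who forwards it to player 2
log = []
players = [
    lambda inbox, sent=[]: [] if sent else (sent.append(1) or [(1, 1)]),
    lambda inbox: [(m, 2) for m, _src in inbox],
    lambda inbox: log.extend(m for m, _src in inbox) or [],
]
total = run_with_coordinator(players, max_rounds=3)  # 2k messages per round
```

The one transmitted bit arrives after two rounds, at the cost of 2k coordinator messages per round, which is the blow-up the proof accounts for.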
We can now define the protocol ρ̃ (in which there is no coordinator). The players start by picking the shared randomness r as in protocol π′. For each i, define X_i to be the set of possible inputs of player i, and Π^(i)(x_i) the set of possible transcripts of the communication between player i and the coordinator, given that player i has input x_i.

We define a canonical way to write down the transcripts. A transcript t_i has the form t_i^1 # t_i^2 # . . ., where t_i^m is a description of the partial transcript of player i for the m-th round of the protocol. We now define the partial transcripts. Formally, for i < j, denoting by t_i^m and t_j^m the partial transcripts of players i and j within the m-th round, the messages sent by player i come before those sent by player j in t_i^m and t_j^m; and if j_1 < j_2, the messages sent to or received from player j_1 come before the messages sent to or received from player j_2 in t_i^m, for i ≠ j_1, i ≠ j_2. t_i^m is a sequence of messages of the form (b, j), where b is a bit and j is the index of the other player involved, and of # symbols, which mark the separation between the messages exchanged with player j and the messages exchanged with player j + 1, and the separation between messages sent to player j and messages received from player j.
For example, the partial transcript of the m-th round of player 2 in a protocol with three players is of the form t_2^m = (messages from 1 to 2)#(messages from 2 to 1)#(messages from 2 to 3)#(messages from 3 to 2).
Note that for any t ∈ Π^(i)(x_i), thanks to the # symbols, it is easy to associate to each message the round in which it was sent or received.
Each player i represents Π^(i)(x_i) by a ternary tree T_i as follows.
1. The root is the largest common prefix (lcp) of the transcripts in Π^(i)(x_i); the remaining nodes are defined inductively.
2. If τ is a node, then
• the first child of τ is the lcp of the transcripts in Π^(i)(x_i) beginning with τ • (0, j), i.e., τ concatenated with the message (0, j), where j is the next player to communicate with according to τ (this j is determined by the number of # symbols in τ);
• the second child of τ is the lcp of the transcripts in Π^(i)(x_i) beginning with τ • (1, j), where j is the next player to communicate with according to τ.
3. The leaves are labelled by the possible transcripts of player i, i.e., the elements of Π^(i)(x_i). We impose that each transcript ends with an "end" signal, so that no transcript can be a prefix of another transcript. The leaf with label t_i has weight equal to the probability, conditioned on x_i and r, that the transcript of player i is t_i. The weight of a non-leaf node is defined by induction as the sum of the weights of its children. By construction, the weight of the root is 1.
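This weighted prefix tree, and the greedy candidate-leaf rule specified later in the proof, can be sketched concretely. In the toy rendering below (ours; transcripts are strings over {0,1} terminated by '$' in place of the "end" signal, and weights are the conditional probabilities), we also check the halving property that drives the analysis: when the greedy leaf turns out to be wrong, the correct child at the divergence node weighs at most half its parent.

```python
def weight(prefix, dist):
    # weight of a node = total probability of the transcripts below it
    return sum(p for t, p in dist.items() if t.startswith(prefix))

def greedy_leaf(dist):
    """Descend from the root, always into the heaviest child, until a
    full transcript (leaf) is reached -- the candidate-leaf rule."""
    prefix = ""
    while prefix not in dist:
        symbols = {t[len(prefix)] for t in dist
                   if t.startswith(prefix) and len(t) > len(prefix)}
        prefix += max(symbols, key=lambda c: weight(prefix + c, dist))
    return prefix

# toy set of possible transcripts of one player, '$' = "end" signal
dist = {"00$": 0.5, "01$": 0.3, "1$": 0.2}
cand = greedy_leaf(dist)  # picks "00$", the heaviest branch at every step
# if the true transcript is "01$", the divergence node is "0", and the
# correct child "01" weighs at most half of it (0.3 <= 0.5 * 0.8):
halved = weight("01", dist) <= 0.5 * weight("0", dist)
```

The halving holds in general because the greedy child is at least as heavy as the correct one, and the two together weigh at most the parent.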
We now show how the players can collaborate to find this coherent profile efficiently, that is, how each player i can find ←→π′_i(x_1, . . . , x_k, r). The players proceed in stages s = 1, 2, . . .

1. Each player i maintains a node τ_i(s) of T_i which is a prefix of his correct transcript ←→π′_i(x_1, . . . , x_k, r); initially, τ_i(1) is the root of T_i.
2. Each player i picks a candidate leaf t_i(s) in the tree T_i that is a descendant of τ_i(s). We describe later how each player chooses his candidate leaf.
3. Each pair of players (i, j) uses an lcp box to find the first occurrence where t_i(s) is not coherent with t_j(s), that is, where one of the players is supposed to send some message m in some round but the other is not supposed to receive it during this round, or vice versa. If there is no such occurrence for any pair of players, then (t_1(s), . . . , t_k(s)) is a coherent profile, each player i has found ←→π′_i(x_1, . . . , x_k, r), and the protocol terminates.
4. Denote by z_i the earliest round where player i disagrees with some other player. Player i sends a signal to the first player (i.e., the one with the lowest index) he disagrees with during round z_i.

5. For any pair (i, j) such that each has sent a signal to the other (note that there is at least one such pair: each player receiving a signal also sends a signal, and the signals cannot form a cycle of length more than 2), players i and j exchange information about the first occurrence they found using the lcp box: each player tells the other what he wanted to send, or what he expected to receive. The player who has the sender role is always correct: for instance, if player i wanted to send 0 but player j expected to receive 1, or nothing (as encoded by #), then i is right, because what player i sent in the protocol π is based on the previous rounds (which are correct by hypothesis). Thus the player j having the receiver role is wrong. Player j updates his τ_j: in T_j, starting from t_j(s), he goes up toward τ_j(s) until he reaches a node τ̃_j which is correct (according to the result of the lcp box). Then he defines τ_j(s + 1) as the correct child of τ̃_j, which he infers from the information exchanged with player i.
6. The players who have not yet updated their τ_i define τ_i(s + 1) = τ_i(s).
First, note that the property of item (1) is preserved for all players. This property ensures that the players will eventually agree on ←→π′_i(x_1, . . . , x_k, r). We now specify how each player i chooses his candidate leaf at each stage. Player i picks the leaf t_i(s) corresponding to the transcript with the highest probability conditioned on the prefix specified by the node he is currently at. Formally, at stage s, player i defines τ^1 = τ_i(s), and then inductively defines τ^{j+1} to be the child of τ^j with the highest weight (breaking ties arbitrarily), until he reaches a leaf: this is the candidate t_i(s).
Suppose that during stage s, player i has participated in step (5) and has made the wrong choice (there must be at least one such player per stage). We show that w(τ_i(s + 1)) ≤ (1/2) w(τ_i(s)). Consider the sequence (τ^j) defined by player i when he chose his candidate leaf t_i(s) at stage s. Let τ^j be the first common ancestor of t_i(s) and τ_i(s + 1). By construction, τ_i(s + 1) is a direct child of τ^j, and t_i(s) is (a descendant of) another child of τ^j. By the candidate leaf's construction process, w(τ_i(s + 1)) ≤ (1/2) w(τ^j) ≤ (1/2) w(τ_i(s)).

We conclude the analysis. On inputs (x_1, . . . , x_k), let (t_1, . . . , t_k) denote the coherent profile. Each player corrects his τ_i no more than log(1/w(t_i)) times, because the weight of the node τ_i at least halves with each correction, as noticed before, and the root has weight 1. Hence the total number of corrections, and thus the number of stages S, is bounded by Σ_i log(1/w(t_i)). Taking the average over inputs and shared randomness, the average number of stages is bounded by IC_µ(π′) ≤ IC_µ(π) log(CC(π)), as the only additional information players get in π′ is the round of each message. At each stage, the communication consists of k(k−1)/2 calls to the lcp box on strings of length at most O(k CC(π)) (one call for each pair of players), plus the k signals of step (4) and the exchange of information of step (5) (there are at most k/2 pairs getting to step (5)). Hence

ACC_µ(ρ̃) = O( k² IC_µ(π) log(k CC(π)) log(CC(π)) ).
6.2 A direct sum for PIC implies a direct sum for CC

Theorem 6.7. Given a k-variable function f and a distribution µ on inputs of f, suppose that the existence of a protocol π computing f⊗t with error ε ≥ 0 implies the existence of a protocol π′ computing f with error ε and verifying PIC_µ(π′) ≤ (1/t) PIC_{µ⊗t}(π) and CC(π′) ≤ CC(π). Then a direct sum property holds, up to the logarithmic factors of Theorem 6.3, for the communication complexity of f.

Note that the result of this theorem is meaningful when t is large with respect to k.
To prove this result, we first need the following fact, which turns an average-case communication bound into a worst-case one in the two-party setting. We can generalize this fact to k-party protocols.
Lemma 6.9. Any k-party protocol with error ε/2 and average communication complexity C can be turned into a protocol with distributional error ε and worst-case communication complexity 4C log(k)/ε.
Proof. Use one of the players as a relay. This increases the communication from C to 2C log(k). We can then control the communication of the protocol using Fact 6.8.
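The truncation step behind this average-to-worst-case conversion can be checked numerically. The sketch below is our own illustration (sample lengths are made up): a protocol whose relayed version has average communication avg ≈ 2C log(k) is cut off after 2·avg/ε = 4C log(k)/ε bits, and by Markov's inequality the cut-off runs, hence the added error, have probability at most ε/2.

```python
def truncation_overflow(lengths, eps):
    """Fraction of runs longer than the cutoff 2*avg/eps.  With avg being
    the ~2*C*log(k) average of the relayed protocol, the cutoff is
    4*C*log(k)/eps, and Markov's inequality bounds this fraction by eps/2."""
    avg = sum(lengths) / len(lengths)
    cutoff = 2 * avg / eps
    return sum(1 for l in lengths if l > cutoff) / len(lengths)

# 100 sample runs of a (relayed) protocol: mostly short, a few long ones
lengths = [4] * 90 + [40] * 10      # average length 7.6
overflow = truncation_overflow(lengths, eps=0.5)  # cutoff 30.4 -> overflow 0.1
```

Here overflow = 0.1 ≤ ε/2 = 0.25, as Markov's inequality guarantees for any length distribution.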
Proof of theorem 6.7. Let µ be a distribution on inputs of f. Consider a protocol π computing f⊗t with error ε. By hypothesis, there exists a protocol π′ computing f with error ε and verifying PIC_µ(π′) ≤ (1/t) PIC_{µ⊗t}(π) and CC(π′) ≤ CC(π). By Theorem 4.6, we can assume that π′ uses only public randomness.
As this reasoning is valid for any distribution µ, Yao's minimax principle implies the claimed bound.

Tight lower bounds for the parity function Par_k^n
We now show how one can indeed use PIC to study multi-party communication protocols and to prove tight bounds. We study one of the canonical problems for zero-error multi-party computation, the parity function. The k-party parity problem with n-bit inputs, Par_k^n, is defined as follows: each player i receives n bits (x_i^p)_{p∈[1,n]}, and Player 1 has to output the bitwise XOR x_1 ⊕ . . . ⊕ x_k of the inputs. There is a simple private protocol for Par_k^n that uses n bits of private randomness. Player 1 uses a private random n-bit string r and sends to Player 2 the string x_1 ⊕ r. Then, Player 2 computes the bitwise parity of its input with the message and sends x_2 ⊕ x_1 ⊕ r to Player 3. The players continue in this way until Player 1 receives back the message x_k ⊕ . . . ⊕ x_1 ⊕ r. Player 1 then takes the bitwise parity of this message with the private string r to compute the value of the parity function. It is easy to see that this protocol has information cost equal to n, since Player 1 just learns the value of the function and all other players learn nothing. We thus see that information cost cannot provide lower bounds here that scale with k.
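The ring protocol just described translates directly into code. The sketch below (function names are ours) runs the ring with a one-time pad and checks exactly what the text claims: Player 1 recovers the bitwise parity whatever the private pad is, while every intermediate message is a padded prefix-XOR, hence uniform and independent of the inputs.

```python
import secrets

def private_parity(inputs):
    """Ring protocol for Par: Player 1 pads its n-bit input with a private
    uniform string r; every other player XORs its own input into the
    circulating message; Player 1 finally removes the pad.  Each message
    equals (prefix XOR of inputs) XOR r, hence uniformly distributed and
    independent of the inputs -- the source of privacy."""
    n = len(inputs[0])
    r = [secrets.randbelow(2) for _ in range(n)]   # private pad of Player 1
    msg = [a ^ b for a, b in zip(inputs[0], r)]    # Player 1 -> Player 2
    for x in inputs[1:]:                           # pass around the ring
        msg = [a ^ b for a, b in zip(msg, x)]
    return [a ^ b for a, b in zip(msg, r)]         # Player 1 unpads

# three players, n = 4
print(private_parity([[1, 0, 1, 1], [0, 0, 1, 0], [1, 1, 1, 0]]))  # -> [0, 1, 1, 1]
```

The pad cancels at the end, so the output is correct for every value of r, and the n random bits of r are exactly the n bits of private randomness the text counts.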
We now prove tight lower bounds for this problem using the measure of PIC. For this, we study a restricted class of protocols: we only consider protocols in which, for any player i, the sets describing to whom player i sends messages and from whom he receives them at each step do not depend on the input x or on the randomness. In other words, the structure of the protocol is fixed and independent of the input and randomness. Note that the private protocol described above fits in this model.
Our bound for Par_k^n is in fact proved for a wider class of protocols, where we allow the player outputting ⊕_{i=1}^k x_i^p to be different for each coordinate p and to depend on the input.
Proof. We use the uniform distribution µ throughout the proof. Since we are looking at zero-error protocols, the public information cost is equal to the information cost of deterministic protocols. Let π be a protocol solving Par_k^n for k players and n bits per player. For any i, we define ←→Π_i to be the transcript of player i, i.e., all the messages he sends and receives. We split this transcript into the messages he sends, (M_i^{→,l})_l, and the messages he receives, (M_i^{←,l})_l. We also define a function l′(i, l) such that every message M_i^{→,l} sent by player i is received by player j(i, l) as M_j^{←,l′}, where l′ is a shortcut for l′(i, l) and j for j(i, l). Our first goal is to prove that PIC_µ(π) ≥ Σ_i I(X_i; ←→Π_i). Intuitively, this means that PIC at least takes into account the information each player leaks about his input to someone who has access to all the messages that involve this player.
We show that for all i, H(X_i | ←→Π_i = ←→π_i(x)) ≤ n − c_i(x). Assume towards a contradiction that for some i, H(X_i | ←→Π_i = ←→π_i(x)) > n − c_i(x). This implies that the number of possible values of X_i consistent with ←→Π_i = ←→π_i(x) is more than 2^{n−c_i(x)}, and thus the number of coordinates of the input of the i-th player that are fixed by the transcript is strictly less than c_i(x). Then there must exist x′ such that ←→π_i(x′) = ←→π_i(x) and ∃ p ∈ C_i(x) such that x′^p_i ≠ x^p_i. Note that ←→π_i(x′) = ←→π_i(x) implies (as a general property of communication protocols) that ←→π_i(x) = ←→π_i(x′_i, x_{−i}). As q_p(x) ≠ i, this is a contradiction, since then player q_p(x) would output the same answer on x and (x′_i, x_{−i}), while the correct values of the parity at coordinate p differ. Summing over all i, we get Σ_i I(X_i; ←→Π_i) ≥ E_µ[Σ_i c_i(X)], and since Σ_i c_i(x) = n(k − 1) for any x, this equals n(k − 1).
We can now lower bound the amount of randomness in any private computation of Par_k^n.

Theorem 7.2. The entropy of the private randomness of a private protocol for Par_k^n is at least n(k − 2)/(k − 1).

Proof. For Par_k^n, where one player outputs the parity for each coordinate, we have Σ_i H(f_i) = n. Applying Corollary 5.2, we get H(Π | X R_p) ≥ n (k − 2)/(k − 1).
Using Theorem 5.1 we can also give a lower bound on the randomness one needs for protocols that are allowed to leak some limited amount of information about the inputs of the players.

Conclusions
In this paper we introduce a new information-theoretic measure, that we call PIC, for the study of multi-party computation protocols in the number-in-hand, peer-to-peer model. This is probably the most natural (distributed) computation model, and also closely related to the models used in the distributed algorithms community. Previous information-theoretic measures that were used successfully for the study of two-party computation protocols do not extend immediately to the multi-party case due to the fact that private protocols exist for any function in the multi-party setting [BOGW88,CCD88]. Our notion of PIC provides an alternative way of studying multi-party protocols, especially when one is interested in notions of privacy. Furthermore, PIC may yield tight results for certain functions, for which using other models, such as the coordinator model, would imply a loss of a logarithmic factor.
We define this measure in a slightly restricted computation model which however still allows private protocols, and applies to almost any protocol in the literature. We prove a number of properties of our new measure, PIC, and a number of connections to other complexity notions, e.g., the amount of randomness needed for private computation or the central question of direct sum (in communication complexity).
Our work opens the way to interesting directions for further work. A challenging direction would be to prove a tight lower bound for Disjointness in the message passing peer-to-peer model (without the loss of a logarithmic factor). An even more ambitious goal would be to use our result from Section 6 to try and prove the direct sum property for communication complexity, in either the two-party or multi-party setting, via our measure of PIC.

A Technical statements
Lemma A.1. In the conditions of the proof of theorem 5.1, Proof.
Thus we just need to prove that I(R_i; Π | X R_p R_{−i}) ≤ I(R_i; Π | X R_p). From this point on, the proof is similar to the proof that the internal information cost of a protocol is at most its external information cost (cf. [Bra12]).
Using the chain rule, I(R_i; Π | X R_p R_{−i}) =