Derandomized Constructions of k-Wise (Almost) Independent Permutations. Eyal Kaplan, Moni Naor, Omer Reingold. Weizmann Institute of Science, Tel-Aviv University.


k-wise independent functions
A family of functions $G = \{g \mid g: \{0,1\}^n \to \{0,1\}^n\}$ is called k-wise independent if $g \in_R G$ is indistinguishable from a random function $f$ for any process that receives $g(x)$ on at most $k$ points:
$\forall x_1, x_2, \dots, x_k \in \{0,1\}^n$, $\forall A: \{0,1\}^{nk} \to \{0,1\}$:
$\Pr_{g \in_R G}[A(g(x_1), \dots, g(x_k)) = 1] = \Pr_f[A(f(x_1), \dots, f(x_k)) = 1]$
A great success story.

k-wise independent functions
Simple construction: let $G$ be the family of polynomials over $GF(2^n)$ of degree at most $k-1$. Then $G$ is k-wise independent: $\forall x_1, x_2, \dots, x_k$ (distinct), $\forall y_1, y_2, \dots, y_k$, there is a unique $g \in G$ such that $g(x_i) = y_i$.
The description of $g \in G$ is $k \cdot n$ bits long.
This is tight:
– Cannot hope to get a shorter description

What about k-wise independent permutations?
Suppose that $G = \{g \mid g: \{0,1\}^n \to \{0,1\}^n\}$ should be a family of permutations:
– 1-1 and length preserving
$g \in_R G$ is indistinguishable from a random permutation $f$ for any process that receives $g(x)$ on at most $k$ points.

Pair-wise independent permutations
Simple construction: $G = \{g_{a,b}(x) = a \cdot x + b \mid a, b \in GF(2^n),\ a \neq 0\}$
– For all $x_1, x_2 \in \{0,1\}^n$ and $y_1, y_2 \in \{0,1\}^n$ where $x_1 \neq x_2$ and $y_1 \neq y_2$ there is a unique $g_{a,b} \in G$ such that $g_{a,b}(x_1) = a x_1 + b = y_1$ and $g_{a,b}(x_2) = a x_2 + b = y_2$
What about larger $k$?
– For $k = 3$ there is a similar algebraic construction
– For $k > 3$ no known construction of non-trivial size
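As an added example (not part of the slides), the two algebraic constructions above, the degree-$(k-1)$ polynomial family for functions and the affine family $g_{a,b}$ for permutations, checked exhaustively over the small field $GF(2^4)$ (an assumption made so that every family can be enumerated in full; the modulus $x^4 + x + 1$ is also the example's choice).

```python
# Added example, not from the slides: exhaustive check of the two algebraic
# constructions over the tiny field GF(2^4) (16 elements, so every family
# can be enumerated in full).
from collections import Counter
from itertools import permutations, product

MOD = 0b10011           # x^4 + x + 1, irreducible over GF(2)
FIELD = range(16)       # elements of GF(2^4) as 4-bit integers

def gf_mul(a, b):
    """Multiply in GF(2^4): carry-less multiplication with reduction by MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= MOD
    return r

def poly_eval(coeffs, x):
    """Evaluate sum_i coeffs[i] * x^i over GF(2^4) by Horner's rule."""
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, x) ^ c
    return r

def pair_image_counts(x1, x2):
    """For the pair-wise family g_{a,b}(x) = a*x + b with a != 0, count how many
    members send (x1, x2) to each output pair (y1, y2)."""
    counts = Counter()
    for a in range(1, 16):
        for b in FIELD:
            counts[(gf_mul(a, x1) ^ b, gf_mul(a, x2) ^ b)] += 1
    return counts

def affine_family_is_pairwise_independent():
    """Every distinct (x1, x2) reaches every distinct (y1, y2) through exactly
    one g_{a,b} and never reaches a repeated pair: the slide's uniqueness claim."""
    for x1, x2 in permutations(FIELD, 2):
        counts = pair_image_counts(x1, x2)
        for y1, y2 in product(FIELD, repeat=2):
            if counts[(y1, y2)] != (1 if y1 != y2 else 0):
                return False
    return True

def polynomial_family_is_kwise_independent(k, xs):
    """Polynomials of degree <= k-1 (k*n = 4k bits each) as a k-wise independent
    function family: for distinct points xs every value tuple has one preimage."""
    counts = Counter()
    for coeffs in product(FIELD, repeat=k):      # all 16^k polynomials
        counts[tuple(poly_eval(coeffs, x) for x in xs)] += 1
    return len(counts) == 16 ** k and set(counts.values()) == {1}
```

The polynomial family with $k = 2$ is not a permutation family, since $a = 0$ is allowed; the affine family removes exactly those members, which is why the repeated pair $(y, y)$ has no preimage.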

Relaxation: k-wise almost independent permutations
Suppose that $G = \{g \mid g: \{0,1\}^n \to \{0,1\}^n\}$ should be a family of permutations:
– 1-1 and length preserving
$g \in_R G$ is at most $\varepsilon$-distinguishable from a random permutation $f$ for any process that receives $g(x)$ on at most $k$ points: the advantage of distinguishing $g \in_R G$ from a truly random permutation is at most $\varepsilon$.
$\forall x_1, x_2, \dots, x_k$, the variation distance between $g(x_1), \dots, g(x_k)$ for $g \in_R G$ and $y_1, y_2, \dots, y_k$, a random $k$-tuple with no repetitions, is at most $\varepsilon$.
For $\varepsilon = 0$ we have k-wise independence.
Should we allow adaptive queries? Should we allow inverses?

Main Result
For any $n$, $k$ and $\varepsilon$: there is an explicit construction of a family $G = \{g \mid g: \{0,1\}^n \to \{0,1\}^n\}$ of k-wise $\varepsilon$-dependent permutations where the description of each $g \in G$ is $O(kn + \log 1/\varepsilon)$ bits long.
Can sample from the family and evaluate a permutation in time $\mathrm{poly}(k, n, \log 1/\varepsilon)$.
Optimal up to the $\log 1/\varepsilon$.

Summary of Previous Work and Results

Family                          Description length                                            Range of queries
Feistel "Luby-Rackoff"          $nk + O(n)$                                                   $k < 2^{n/4}$, $\varepsilon_0 = k^2 / 2^{n/2}$
                                $O(nk \cdot \lceil \log(\varepsilon_0/\varepsilon) \rceil)$   $k < 2^{n/2}$, $\varepsilon \le \varepsilon_0$
Simple 3-bit permutations       $O(n^2 k (nk + \log(1/\varepsilon)))$                         $k \le 2^n - 2$
Card shuffling (Thorp shuffle)  $O(n^{45} k \log(1/\varepsilon))$                             $k \le 2^n$
Non-constructive                $O(nk + \log(1/\varepsilon))$; $O(nk)$ sample space           $k \le 2^n$
This work                       $O(nk + \log(1/\varepsilon))$                                 $k \le 2^n$

Good for small $k$ and moderate $\varepsilon$.

Techniques and Ideas
Let $F = \{f \mid f: \{0,1\}^n \to \{0,1\}^n\}$ be a family of permutations
– Each $f \in F$ described by $w$ bits
Denote by $F^t$ the family of permutations obtained by composing $f_1, f_2, \dots, f_t \in_R F$.
Suppose that $F^t$ is k-wise $\varepsilon$-dependent
– The description of $f \in F^t$ is $w \cdot t$ bits
We will show a technique to derandomize such constructions and look at a much smaller subset $G$ of the $t$-tuples of $F$
– The description of $g \in G$ would be roughly $O(w + t)$ bits
Many known constructions can be described as such.

Pseudo-randomness fooling bounded space machines
A function $h: \{0,1\}^* \to \{0,1\}^*$ such that
– on random input the output is indistinguishable from a string chosen uniformly at random to any process using $s$ bits of memory
– Branching program
– Expands the input
is called a pseudo-random generator for space $s$ machines.
[Figure: a branching program of width $2^s$ reading the output bits $b_1, b_2, \dots, b_\ell$ of $h$ and ending in state 0 or 1]

First Idea: apply pseudo-random generators for fooling bounded space algorithms
The possible assignments to the input of $h$ define the collection $G$.
[Figure: the $w$-bit descriptions of $f_1, f_2, \dots, f_t$ are the output blocks of the generator $h$]
$h$ is a generator that fools branching programs of width $kn + w$.

Where is the bounded space coming from?
Suppose that $G \subset F^t$ is not k-wise $\varepsilon$-dependent
– Then there are $x_1, x_2, \dots, x_k$ which witness it
How much space does the algorithm for evaluating $g = f_1 \circ f_2 \circ \dots \circ f_t \in G$ on these points require?
– Scanning $f_1, f_2, \dots, f_t$ from left to right and gradually evaluating $g$ on all $x_1, x_2, \dots, x_k$ simultaneously
– Needs only $kn + w$ bits, as a branching program
Therefore: if the $w \cdot t$ bits describing them are generated by a process that fools all $kn + w$ bit branching programs
– then the distribution of $g(x_1), g(x_2), \dots, g(x_k)$ for $g \in_R G$ is similar to
– the distribution of $f(x_1), f(x_2), \dots, f(x_k)$ for $f = f_1 \circ f_2 \circ \dots \circ f_t$ with independent $f_i$
Conclusion: $G$ is k-wise $\varepsilon$-dependent.

Parameters of space bounded generators
For an ideal generator: this method takes $O(kn + \log 1/\varepsilon + w + \log t)$ bits
– No such explicit generator is known
No known generator is good enough; all introduce extra polylog factors.
Indyk, Sivakumar: previous proposals for using space generators for combinatorial constructions
– When space is not an explicit issue

Second idea: use pseudo-random generators for random walks
Generate $f_1, f_2, \dots, f_t \in F$ via a pseudo-random generator for random walks
– ones which are indistinguishable from random for any consistently labeled graph
Such walk generators exist
– Implicitly: Reingold's SL=L
– Explicitly: Reingold, Trevisan and Vadhan
Show how to apply them in the context of k-wise independent permutations
– Using previous constructions to define the graph

Graphs
Let $H = (V, E)$ be a $d$-regular graph on $m$ nodes.
Normalized adjacency matrix: divide each entry by $d$.
Eigenvalues: $1 = \lambda_1 \ge \lambda_2 \ge \dots \ge \lambda_m$
Let $\lambda(H)$ be the second eigenvalue in absolute value: $\lambda(H) = \max\{|\lambda_2|, |\lambda_m|\}$
The spectral gap of $H$ is $\mathrm{gap}(H) = 1 - \lambda(H)$
$\lambda(H)$ governs the mixing rate of a random walk on $H$.

Pseudo-random generators for walks
Call a labeled graph $H = (V, E)$ an $(m, d, \lambda)$-graph if
– $|V| = m$
– Each node has $d$ outgoing edges
– The labeling is consistent: all incoming labels are distinct
– The second eigenvalue in absolute value satisfies $\lambda(H) \le \lambda$
A pseudo-random generator for random walks on $H = (V, E)$ is a mapping $G: \{0,1\}^* \to [d]^\ell$ (its output defines a walk of length $\ell$) where for any starting node $v \in V$ the distribution of a walk starting from $v$ chosen from $G$ via a random input and that of a truly random walk are $\varepsilon$-close.
For long enough walks and for graphs with large spectral gaps a random walk ends in a random node.

The RTV Generator
For any $m$, $d$, spectral gap $\gamma$ and error $\varepsilon$ (the two Greek symbols did not survive the transcript; $\gamma$ and $\varepsilon$ are used for them here) there is a pseudo-random generator for all $(m, d, 1-\gamma)$-graphs $\mathrm{PRG}_{m,d,\gamma,\varepsilon}: \{0,1\}^r \to [d]^\ell$ with the following parameters:
– Seed length $r \in O(\log(m \cdot d / (\varepsilon \gamma)))$
– Walk length $\ell \in O(\mathrm{poly}(1/\gamma) \cdot \log(m \cdot d / \varepsilon))$
– Computable in space $O(\log(m \cdot d / (\varepsilon \gamma)))$ and time $\mathrm{poly}(1/\gamma, \log(m \cdot d / \varepsilon))$
such that
– for any starting point $v \in V$
– a walk generated by $\mathrm{PRG}_{m,d,\gamma,\varepsilon}$ yields an end point that is $\varepsilon$-close to uniform
For graphs with large enough spectral gap ($\Omega(1/\mathrm{polylog}\, m)$) and arbitrary degree, only $\log m$ random bits are needed to get to a random location in $\mathrm{polylog}\, m$ steps.

k-Companion graph
Let
– $N = 2^n$
– $[N]^k$ be the set of all $k$-tuples of distinct $n$-bit strings
Let $F$ be a family of permutations. Then $H_{F,k} = (V, E)$ is the k-companion graph of $F$, where:
– $V = [N]^k$
– $E = \{(z, f(z)) \mid z \in [N]^k,\ f \in F\}$, with $f(z) = (f(z_1), f(z_2), \dots, f(z_k))$
Each edge $(z, f(z)) \in E$ is labeled by $f$.
[Figure: the edge from $(z_1, z_2, \dots, z_k)$ to $(f(z_1), f(z_2), \dots, f(z_k))$]

Properties of the Companion Graph
Let $F$ be a family of permutations. If $F$
– is closed under inverses and
– contains the identity permutation,
then $H_{F,k}$, the k-companion graph of $F$, is:
– an undirected $|F|$-regular graph
– with self-loops
– consistently labeled
[Figure: the edge from $(z_1, z_2, \dots, z_k)$ to $(f(z_1), f(z_2), \dots, f(z_k))$]
The analysis of k-wise independence is via showing a spectral gap of $H_{F,k}$.

k-wise independence and random walks
If $F^t$ yields a family of permutations that is k-wise $\varepsilon$-dependent, then in the companion graph $H_{F,k}$
– for any node $z \in [N]^k$ a random walk of length $t$ from $z$ is $\varepsilon$-close to uniform
Otherwise this $z$ is a witness to the non-k-wise $\varepsilon$-dependence.
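As an added example (not part of the slides), the companion graph and the random-walk view of k-wise $\varepsilon$-dependence computed exactly for a case small enough to enumerate: the simple 3-bit permutation family $F_2$ from the backup slides with $n = 3$ and $k = 2$. The choice of $n$, $k$ and the family is the example's; the graph has $|[N]^2| = 56$ nodes and degree $|F_2| = 48$ (members counted with repetition).

```python
# Added example, not from the slides: the 2-companion graph H_{F2,2} of the
# simple 3-bit permutation family F2 (defined on the backup slides) for n = 3,
# and the random-walk view of k-wise eps-dependence, computed exactly.
from itertools import permutations, product

N_BITS = 3
N = 1 << N_BITS                 # N = 2^n = 8 strings

def simple_perm(i0, i1, i2, f_table):
    """pi_{f,S} for S = {i0, i1, i2}: XOR f(x_{i1}, x_{i2}) into bit i0.
    Returned as a tuple: position x holds pi_{f,S}(x)."""
    out = []
    for x in range(N):
        b1, b2 = (x >> i1) & 1, (x >> i2) & 1
        out.append(x ^ (f_table[2 * b1 + b2] << i0))
    return tuple(out)

def build_F2():
    """For n = 3 the only 3-subset is [n]; choose the target bit i0 (3 ways)
    and f among all 16 Boolean functions on 2 bits: |F2| = 48 (with repeats)."""
    fam = []
    for i0 in range(N_BITS):
        i1, i2 = [i for i in range(N_BITS) if i != i0]
        for f_table in product((0, 1), repeat=4):
            fam.append(simple_perm(i0, i1, i2, f_table))
    return fam

F2 = build_F2()
NODES = list(permutations(range(N), 2))   # [N]^2: ordered pairs of distinct strings

def step(z, f):
    """Follow the edge labelled f out of node z = (z1, z2)."""
    return (f[z[0]], f[z[1]])

def inverse(f):
    inv = [0] * N
    for x, y in enumerate(f):
        inv[y] = x
    return tuple(inv)

def companion_graph_properties():
    """(contains identity, closed under inverses, consistently labelled, degree)."""
    has_identity = tuple(range(N)) in F2
    closed = all(inverse(f) in F2 for f in F2)
    # consistent labelling: for each node v and label f exactly one u with f(u) = v
    consistent = all(sum(step(u, f) == v for u in NODES) == 1
                     for v in NODES for f in F2)
    return has_identity, closed, consistent, len(F2)

def walk_tv_distance(start, t):
    """Variation distance from uniform on [N]^2 of a t-step random walk from
    `start`; by definition this is the distance of (g(z1), g(z2)) for
    g = f_1 o ... o f_t, f_i uniform in F2, from a random pair without repetition."""
    dist = {start: 1.0}
    for _ in range(t):
        nxt = {}
        for z, p in dist.items():
            for f in F2:
                w = step(z, f)
                nxt[w] = nxt.get(w, 0.0) + p / len(F2)
        dist = nxt
    u = 1.0 / len(NODES)
    return 0.5 * sum(abs(dist.get(z, 0.0) - u) for z in NODES)

def eps_for_t(t):
    """The eps for which F2^t is 2-wise eps-dependent: the worst starting node."""
    return max(walk_tv_distance(z, t) for z in NODES)
```

`eps_for_t(t)` is exactly the $\varepsilon$ of the slide: the largest variation distance over all witnesses $z$, which shrinks geometrically in $t$ at a rate set by the spectral gap of $H_{F_2,2}$.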

The construction
Generate $f_1, f_2, \dots, f_t \in F$ via a pseudo-random generator for random walks on $H_{F,k}$, the k-companion graph of $F$; $f_1, f_2, \dots, f_t$ are the labels of the walk.
– The resulting permutation is $g = f_1 \circ f_2 \circ \dots \circ f_t$
Use $\mathrm{PRG}_{m,d,\gamma,\varepsilon}: \{0,1\}^r \to [d]^\ell$ for
– $m = |[N]^k|$
– $d = |F|$
– $r \in O(\log(2^{nk} \cdot |F| / (\varepsilon \gamma)))$
$\gamma$ comes from the analysis of the original construction $F^t$: $\mathrm{gap}(H_{F,k}) \ge \gamma$
$\varepsilon$ is how close we want to be to a k-wise independent permutation.

The resulting parameters
The resulting family $G$ of permutations is:
– a family of k-wise $\varepsilon$-dependent permutations
– the description of each $g \in G$ is $O(nk + \log|F| + \log(1/(\varepsilon \gamma)))$ bits
If the time to evaluate $f(x)$ for $f \in F$ is $\tau(n, k)$, then the time complexity of evaluating $g \in G$ is $\mathrm{poly}(1/\gamma, n, k, \log(|F| / \varepsilon)) \cdot \tau(n, k)$
– Need to "open up" the description of $f_1, f_2, \dots, f_t$

Summary of Previous Work and Results (revisited)
The same table as above; the simple 3-bit permutation row was proposed and analyzed by
– Gowers
– Hoory, Magen, Myers and Rackoff
– Brodsky and Hoory

Resulting Parameters with Simple 3-bit Permutations
Theorem [BH]: there is a family of simple permutations $F_2$ s.t. for all $2 \le k \le 2^n - 2$ there is a $t \in O(n^2 k (nk + \log 1/\varepsilon))$ where:
– $F_2^t$ is k-wise $\varepsilon$-dependent
– $\mathrm{gap}(H_{F_2,k})$ is $\Omega(1/(n^2 k))$
Description of $f \in F_2$ is $O(\log(n^3))$ bits.
Therefore: description of each $g \in G$ is $O(nk + \log(n^3) + \log(n^2 k / \varepsilon))$ bits.

Open Problems
Get rid of the dependency on $\varepsilon$
– Come up with exact k-wise independent permutations of reasonable size, or
– Show a reason why it is difficult to construct them
How about using permutation polynomials?
– Over fields: hard problem
– Rivest: simple characterization for mod $2^n$
– Is it useful?

Time complexity of the permutation
The RTV generator increases the length of the walk
– The general space generator does not increase it
Is it possible to get the best of both worlds?

Efficiency of evaluating k-wise independent permutations and functions
What about the time to evaluate $g$ on a given point $x$?
Want a representation where the evaluation does not involve reading the entire description of $g$.
Even for functions: in the simple construction one needs to read all the bits
– Siegel: some lower and upper bounds for functions
Question: given either
– a k-wise independent function, or
– a k-wise independent permutation over a larger range,
come up with a good construction of a k-wise independent permutation with small evaluation time and black-box calls to the given function/permutation.
What if the domain size $N$ is not a power of 2?
– Open only for small $k$
– Using good extractors

The End

Simulating Random Objects
Want to simulate a large random object using a succinct one
– Capturing essential properties of the random object
Prominent example: simulating a random function $f: \{0,1\}^n \to \{0,1\}^n$
Want to come up with a small family of functions $G$ so that $g \in_R G$ simulates a truly random $f: \{0,1\}^n \to \{0,1\}^n$
Natural way to phrase simulation: limited access.

The spectral gap of a companion graph
Observation: in many cases the analysis of a k-wise independent permutation is via showing a spectral gap of $H_{F,k}$
In some sense necessary.

Consistent Labeling
A labeling of a $d$-regular graph is consistent if all incoming labels are distinct
– Relevant for both directed and undirected graphs
– For directed graphs: want biregularity

k-wise permutations over other domains
– What if the domain size $N$ is not a power of 2?
– The card shuffling approaches are hard to adapt
– Can use a Feistel network to get some results
– Can reduce size by a fixed fraction: cycle walking
– Need to take $k'$-wise for $k' \in O(k + \log 1/\varepsilon)$
– Problem if $k$ is small
[Figure: one Feistel round mapping $(L_1, R_1)$ to $(L_2, R_2)$ through $f$]
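As an added example (not part of the slides), cycle walking as named above: a permutation on $\{0, \dots, N-1\}$ is turned into one on the smaller domain $\{0, \dots, M-1\}$ by re-applying it until the value lands back in the small domain. The base permutation, an affine map mod $2^n$ of the permutation-polynomial kind the open-problems slide attributes to Rivest, and the sizes $N = 256$, $M = 200$ are the example's own choices.

```python
# Added example, not from the slides: cycle walking, which restricts a
# permutation on {0, ..., N-1} to the smaller domain {0, ..., M-1}. The base
# permutation is an affine map mod 2^n (odd multiplier), chosen for brevity.
N = 256                     # 2^n with n = 8
M = 200                     # target domain size, a fixed fraction of N

def base_perm(x, a=45, b=0x63):
    """x -> a*x + b mod 2^n is a permutation of [N] whenever a is odd."""
    return (a * x + b) % N

def base_perm_inverse(y, a=45, b=0x63):
    """Inverse of base_perm: y -> a^{-1} * (y - b) mod 2^n."""
    return (pow(a, -1, N) * (y - b)) % N

def cycle_walk(perm, m, x):
    """Apply perm repeatedly until the value lands back inside [m].
    Returns (image, number of applications)."""
    y = perm(x)
    steps = 1
    while y >= m:
        y = perm(y)
        steps += 1
    return y, steps

def restricted_images(perm, n, m):
    """Images of all of [m] under the cycle-walked permutation, plus the
    worst-case step count. The walk follows perm's cycle through at most
    n - m points outside [m] before returning, so it always terminates."""
    images, worst = [], 0
    for x in range(m):
        y, steps = cycle_walk(perm, m, x)
        images.append(y)
        worst = max(worst, steps)
    return images, worst

def is_permutation_of_domain(images, m):
    """True iff the cycle-walked map is a bijection on [m]."""
    return sorted(images) == list(range(m))
```

Cycle walking with the inverse permutation undoes the forward walk, since the points visited outside $[M]$ are retraced in reverse; the expected number of applications is $N/M$, a constant when $M$ is a fixed fraction of $N$.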

The credit card problem
Find a simple reduction from permutations on large blocks to small blocks
– Preserving the properties of the original permutation
– Time-wise
– Security

Motivating example: permuting credit card numbers
To reduce fraud want to permute credit card numbers
– Size of set: roughly $2^{40}$ (ignoring the first 4 digits)
– Only trusted servers will have access to the permutation
– An adversary that sees only a limited number of permuted cc numbers should not be able to obtain information on any other card, for which it sees only the permuted value
Want a way to spread the permutation to the trusted servers
– Need a succinct representation
No such construction known even based on cryptographic primitives.

Block ciphers: shared-key encryption schemes where the encryption of every plaintext block is a ciphertext block of the same length.
Important examples: DES, AES
[Figure: a block cipher BC with a key, taking a plaintext block to a ciphertext block; block size 64 bits]
How to go from block size 64 to block size 40?
Complexity-based concept modeling them: pseudo-random permutations

Block-ciphers and k-wise independent permutations
The two notions are related
But some important differences
– Example: dynamic vs. static attacks

Simple 3-bit Permutations
An approach for generating simple permutations by changing a fixed number of bits in each round.
Each permutation is defined by
1. A small subset of the indices
2. A permutation $\pi$ that maps the subset of the bits to their new value
Proposed and analyzed by
– Gowers
– Hoory, Magen, Myers and Rackoff
– Brodsky and Hoory

Simple 3-bit Permutations
For
– a Boolean function on $c$ bits $f: \{0,1\}^c \to \{0,1\}$
– a subset $S = \{i_0, i_1, \dots, i_c\} \subset [n]$
define a permutation $\pi_{f,S}: \{0,1\}^n \to \{0,1\}^n$ where
$\pi_{f,S}(x_1, x_2, \dots, x_n) = (x_1, \dots, x_{i_0 - 1},\ x_{i_0} \oplus f(x_{i_1}, \dots, x_{i_c}),\ x_{i_0 + 1}, \dots, x_n)$
Note that $\pi_{f,S}$ is an involution: inverse of itself.
Let $F_2 = \{\pi_{f,S} \mid f: \{0,1\}^2 \to \{0,1\},\ S \subset [n],\ |S| = 3\}$
Theorem [Brodsky-Hoory]: for all $2 \le k \le 2^n - 2$ there is a $t \in O(n^2 k (nk + \log 1/\varepsilon))$ where:
– $F_2^t$ is k-wise $\varepsilon$-dependent
– $\mathrm{gap}(H_{F_2,k})$ is $\Omega(1/(n^2 k))$

The End