Derandomized Constructions of k -Wise (Almost) Independent Permutations Eyal Kaplan Moni Naor Omer Reingold Weizmann Institute of ScienceTel-Aviv University

k- wise independent functions a family of functions G = {g| g: {0,1} n → {0,1} n } is called k -wise independent if: g 2 R G is indistinguishable from a random function f for any process that receives g(x) on at most k points 8 x 1, x 1, … x k 2 {0,1} n, 8 A: {0,1} nk → {0,1} Prob g 2 G [A(g(x 1 ), …, g(x k )) =‘1’] = Prob f [A(f(x 1 ), … f(x k )) =‘1’] A great success story

k- wise independent functions Simple construction: Let a G be the family of polynomials over GF(2 n ) of degree at most k-1 Then G is k- wise independent : 8 x 1, x 2, … x k, 8 y 1, y 2, … y k, there is a unique g 2 G such that g(x i )= y i The description of g 2 G is k ¢ n bits long This is tight –Cannot hope to get a shorter description

What about k- wise independent permutations ? Suppose that G = {g| g: {0,1} n → {0,1} n } Should be a family of permutations –1-1 and length preserving g 2 R G is indistinguishable from a random permutation f for any process that receives g(x) on at most k points

Pair-wise independent permutations Simple construction: G = {g a,b (x) = a∙x + b | a, b  GF(2 n ), a ≠ 0 } – for all x 1, x 2  {0,1} n and y 1, y 2  {0,1} n where x 1 ≠ x 2 and y 1 ≠ y 2 there is a unique g a,b 2 G such that g a,b (x 1 ) = ax 1 +b = y 1 and g a,b (x 2 ) = ax 2 +b= y 2 What about larger k ? –For k=3 there is a similar algebraic construction –For k>3 no known construction of non-trivial size

Relaxation: k- wise almost independent permutations Suppose that G = {g| g: {0,1} n → {0,1} n } Should be a family of permutations –1-1 and length preserving g 2 R G is at most  -distinguishable from a random permutation f for any process that receives g(x) on at most k points: the advantage of distinguishing g 2 R G from a truly random permutation is at most  8 x 1, x 1, … x k, the variation distance of g(x 1 ), …, g(x k ) for g 2 R G and y 1, y 2, … y k a random k -tuple with no repetitions is at most  For  =0 we have k -wise independence Should we allow adaptive queries? Should we allow inverses?

Main Result For any n, k and  : There is an explicit construction of a family G = {g| g: {0,1} n → {0,1} n } of k -wise  -dependent permutations where the description of each g 2 G is O(kn + log 1/  ) bits long Can sample from the family and evaluate a permutation in time poly(k, n, log 1/  ) Optimal up to the log 1/ 

Summary of Previous Work and Results FamilyDescription LengthRange of Queries Feistel “Luby-Rackoff” nk+O(n) O(nk ¢ d log(  0 /  ) e ) k <2 n/4,  0 =k 2 /2 n/2 k < 2 n/2,  ·  0 Simple 3 bit Permutations O(n 2 k(nk+ log(1/  )) k · 2 n -2 Card Shuffling Thorp Shuffle O(n 45 k log(1/  )) k · 2 n Non constructive O(nk + log(1/  )) O(nk) sample space k · 2 n This work O(nk + log(1/  )) k · 2 n Good for small k and moderate 

Techniques and Ideas Let F = {f| f: {0,1} n → {0,1} n } be a family of permutations –Each f 2 F described by w bits Denote by F t the family of permutations obtained by composing f 1, f 2, … f t 2 R F Suppose that F t is k -wise  -dependent – The description of f 2 F t is w ¢ t bits We will show a technique to derandomize such constructions and look at a much smaller subset G of the t -tuples of F –The description of g 2 G would be roughly O(w+t) bits Many known constructions can be described as such

Pseudo-randomness fooling bounded space machines A function h:{0,1} *  {0,1} * such that –on random input the output is indistinguishable from a string chosen uniformly at random to any process using s bits of memory –Branching program –Expands the input Is called a pseudo-random generator for space s machines s … b1b1 b2b2 bℓbℓ 2s2s 0 1 h b1b1 b 2 …bℓbℓ

First Idea: apply pseudo-random generators for fooling bounded space algorithm The possible assignments to the input of h define the collection G h f1f1 f2f2 ftft … w bits input h is a generator that fools branching programs of width kn+w

Where is the bounded space coming from? Suppose that G ½ F t is not k -wise  -dependent –Then there are x 1, x 2, …, x k which witness it How much space does the algorithm for evaluating g=f 1 ◦f 2 ◦ … ◦f t 2 G on these points require? –Scanning f 1, f 2, … f t from left to right and gradually evaluating g on all x 1, x 2, … x k simultaneously –need only kn + w bits - As a branching program Therefore: if the w ¢ t bits describing them are generated by a process that fools all kn + w bit branching programs –Then the distribution of g(x 1 ), g(x 2 ), …, g(x k ) for g 2 R G is similar to –The distribution of f(x 1 ), f(x 2 ), …, f(x k ) for f=f 1 ◦f 2 ◦ … ◦f t for independent f i Conclusion: G is k -wise  -dependent

Parameters of space bounded generators For an ideal generator: this method takes O(kn + log 1/  + w +log t) bits –No such explicit generator is known No known good enough generator all introduce extra polylog factors Indyk, Sivakumar: previous proposals for using space generators for combinatorial constructions –When space is not an explicit issue

Second idea: use pseudo-random generators for random walks Generate f 1, f 2, … f t 2 F via a pseudo random generator for random walks Ones which are indistinguishable from random for any consistently labeled graph Such walk generators exist –Implicitly: Reingold’s SL=L –Explicitly: Reingold, Trevisan and Vadhan Show how to apply them in the context of k -wise independent permutations –Using previous constructions to define the graph

Graphs Let H = (V,E) be a d -regular graph on m nodes Normalized adjacency matrix – divide each entry by d Eigenvalues: 1= 1 ¸ 2 ¸  ¸ n Let (H) be the second eigenvalue in absolute value. (H) = max { | 2 |, | n |} The spectral gap of H is gap(H) = 1- (H) (H) governs the mixing rate of a random walk on H

Pseudo-random generators for walks Call a labeled graph H=(V,E) an (m,d, )- graph if –|V| = m –Each node has d outgoing edges –The labeling is consistent – all incoming labels are distinct –the second eigenvalue in absolute value (H) · A pseudo-random generator for random walks on H=(V,E) is a mapping G:{0,1} *  [d] ℓ where for any starting node v 2 V the distributions of a walk starting from v chosen from G via a random input and truly random walk are  close For long enough walks and for graphs with large spectral gaps a random walk ends in a random node 32 1 Defines a walk of length ℓ

The RTV Generator For any m, d,  and  there is a pseudo-random generator for all (m,d,1-  )- graphs PRG m,d, ,  :{0,1} r  [d] ℓ With the following parameters: – Seed length r 2 O(log (m ¢ d /  ¢  )) – Walk length ℓ 2 O(poly(1/  ) log (m ¢ d /  )) – Computable in space O( log (m ¢ d /  ¢  )) and time poly(1/ , log (m ¢ d /  )) Such that –for any starting point v 2 V –a walk generated by PRG m,d, ,  walk yields an end point that is  close to uniform For graphs with large enough spectral gap  (1/polylog m) arbitrary degree need only log m random bits to get to a random location in polylog m steps

k- Companion graph Let –N = 2 n –[N] k be set of all k -tuples of distinct n -bit strings Let F be a family of permutations. Then G F,k = (V,E) is the k -companion graph of F, where: –V = [N] k –E = {(z,  (z)) | z 2 [N] k,  2 F)} Each edge (z,  (z)) 2 E is labeled by  z 1, z 2, … z k  (z 1 ),  (z 2 ), …  (z k ) 

Properties of the Companion Graph Let F be a family of permutations. If F – is closed under inverses and –contains the identity permutation. Then H F,k, the k -companion graph of F, is: An undirected |F|- regular graph With self-loops Consistently labeled z 1, z 2, … z k  (z 1 ),  (z 2 ), …  (z k )  The analysis of k -wise independence is via showing a spectral gap of H F,k

k-wise independence and random walks If F t yields a family of permutations that is k-wise  - dependent, then in the companion graph H F,k –for any node z 2 [N] k a random walk from z is  -close to uniform Otherwise this z is a witness to the non k -wise  -dependence

The construction Generate f 1, f 2, … f t 2 F via a pseudo random generator for random walks on H F,k, the k -companion graph of F f 1, f 2, … f t are the labels of the walk. –The resulting permutation is g=f 1 ◦f 2 ◦ … ◦f t Use PRG m,d, ,  :{0,1} r  [d] ℓ for –m = |[N] k | –d = |F| –r 2 O(log (2 nk ¢ |F| /  ¢  ))  comes from the analysis of the original construction F t gap(H F,k ) ¸   is how close we want to be to a k -wise independent permutation

The resulting parameters The resulting family G of permutations is: A family of k -wise  -dependent permutations The description of each g 2 G is O(nk + log |F| + log(1/   ) ) bits If the time to evaluate f(x) for f 2 F is  (n,k), then the time complexity of evaluating g 2 G is poly(1/ , n, k, log (|F| /  ))  (n,k) –Need to ``open up” the description of f 1, f 2, … f t

Summary of Previous Work and Results FamilyDescription LengthRange of Queries Feistel “Luby-Rackoff” nk+O(n) O(nk ¢ d log(  0 /  ) e ) k <2 n/4,  0 =k 2 /2 n/2 k < 2 n/2,  ·  0 Simple 3 bit Permutations O(n 2 k(nk+ log(1/  )) k · 2 n -2 Card Shuffling Thorp Shuffle O(n 45 k log(1/  )) k · 2 n Non constructive O(nk + log(1/  )) O(nk) sample space k · 2 n This work O(nk + log(1/  )) k · 2 n Proposed and analyzed by Gowers Hoory, Magen, Myers and Rackoff Brodsky and Hoory

Resulting Parameters with Simple 3-bit Permutation Theorem [BH] There is a family of simple permutations F 2 s.t. for all 2 · k · 2 n -2 there is a t 2 O(n 2 k(nk+log 1/  )) where: –F 2 t is k-wise  -dependent –gap(H F 2,k) is  (1/n 2 k) Description of f 2 F 2 is O(log(n 3 )) bits Therefore: description of each g 2 G is O(nk + log(n 3 ) + log( n 2 k /  )) bits

Open Problems Get rid of the dependency on  –Come up with exact k -wise independent permutations of reasonable size or –Show a reason why it is difficult to construct them How about using permutation polynomials –Over fields – hard problem –Rivest: Simple characterization for mod 2 n –Is it useful?

Time complexity of the permutation The RTV Generator increases the length of the walk –The general space generator does not increase it Is it possible to get the best of both worlds?

Efficiency of evaluating k-wise independent permutations and functions What about the time to evaluate g on a given point x Want a representation where the evaluation does not involve reading the entire description of g Even for functions: in the simple construction need to read all the bits –Siegel: Some lower and upper bounds for functions Question: given either –k -wise independent function or –k -wise independent permutation over larger range Come up with a good construction of k -wise independent permutation with a small evaluation time and black-box calls to the given function/permutation What if the domain size N is not a power of 2? Open only for small k Using good extractors

The End

Simulating Random Objects Want to simulate a large random object using a succinct one –Capturing essential properties of the random object Prominent example: simulating a random function f:{0,1} n → {0,1} n Want to come up with a small family of functions G so that g 2 R G simulates a truly random f:{0,1} n → {0,1} n Natural way to phrase simulation : limited access

The spectral gap of a companion graph Observation: In many cases the analysis of a k-wise independent permutation is via showing a spectral gap of H F,k In some sense necessary

Consistent Labeling A labeling of a d regular graph is consistent if all incoming labels are distinct –Relevant for both directed and undirected graphs For directed graphs: want biregularity 321

k -wise permutations over other domains –What if the domain size N is not a power of 2 –The card shuffling approach are hard to adapt –Can use Feistel network to get some results –Can reduce size by fixed fraction Cycle walking Need to take k’ -wise for k’ 2 O(k+log 1/  ) Problem if k is small f L1L1 R1R1 L2L2 R2R2

The credit card problem Find a simple reduction from permutations on large blocks to small blocks –Preserving the properties of the original permutation Time-wise Security

Motivating example: permuting credit card numbers To reduce fraud want to permute credit card numbers

Motivating example: permuting credit card numbers To reduce fraud want to permute credit card numbers Size of set: roughly 2 40 (ignoring the first 4 digits) Only trusted servers will have access to the permutation An adversary that sees only a limited number of permuted cc numbers should not be able to obtain information on any other card –For which it sees only the permuted value Want a way to spread the permutation to the trusted servers Need a succinct representation No such construction known even based on cryptographic primitives

Block-Ciphers : Shared-key encryption schemes where: The encryption of every plaintext block is a ciphertext block of the same length. Important Examples: DES, AES How to go from block size 64 to block size 40? Complexity based concept modeling them: Pseudo-Random Permutations Key BC Plaintext Ciphertext Block size: 64 bits

Block-ciphers and k-wise independent permutations The two notions are related But some important differences –Example: dynamic vs. static attacks

Pseudo-randomness fooling bounded space machines A function h:{0,1} *  {0,1} * such that –on random input the output is indistinguishable from a string chosen uniformly at random to any process using s bits of memory –Branching program – Expands the input Is called a pseudo-random generator for space s machines s … b1b1 b2b2 bℓbℓ 2s2s 0 1 h b1b1 b 2 …bℓbℓ

First Idea: apply pseudo-random generators for fooling bounded space algorithm The possible assignments to the input of h define G h f1f1 f2f2 ftft … w bits input

Where is the bounded space coming from? Suppose that G ½ F t is not k -wise  -dependent –Then there are x 1, x 2, …, x k which witness it How much space does the algorithm for evaluating g=f 1 ◦f 2 ◦ … ◦f t 2 G on these points require? –Scanning f 1, f 2, … f t from left to right and gradually evaluating g on all x 1, x 2, … x k simultaneously –need only kn + w bits - As a branching program Therefore: if the w ¢ t bits describing them are generated by a process that fools all kn + w bit branching programs –Then the distribution of g(x 1 ), g(x 2 ), …, g(x k ) for g 2 R G is similar to –The distribution of f(x 1 ), f(x 2 ), …, f(x k ) for f=f 1 ◦f 2 ◦ … ◦f t for independent f i Conclusion: G is k -wise  -dependent

Parameters of space bounded generators For an ideal generator: this method takes O(kn + log 1/  + w +log t) bits –No such explicit generator is known Best known ones introduce additional polylog factors Indyk, Sivakumar: previous proposals for using space generators for combinatorial constructions –When space is not an explicit issue

Simple 3 bit Permutations An approach for generating simple permutations by changing a fixed number of bits in each round Each permutation is defined by 1.A small subset of the indices 2.A permutation  that maps the subset of the bits to their new value Proposed and analyzed by – Gowers – Hoory, Magen, Myers and Rackoff – Brodsky and Hoory  ( )

Simple 3 bit Permutations For – Boolean function on c bits f:  0,1  c   0,1  – Subset S = {i 0, i 1, … i c } ½ [n] define a Permutation  f,S :  0,1  n   0,1  n where  f,S (x 1, x 2, …, x n ) = (x 1, …, x i 0 -1, x i  f(x i 1, …, x i c ), x i 0 +1, …, x n ) Note that  f,S is an involution: Inverse of itself Let F 2 ={  f,S | f:  0,1  2   0,1 , S ½ [n], |S|=3} Theorem [ Brodsky-Hoory ] For all 2 · k · 2 n -2 there is a t 2 O(n 2 k(nk+log 1/  )) where: –F 2 t is k -wise  -dependent –gap(H F 2,k) is  (1/n 2 k)

The End