
1 Derandomized Constructions of k-Wise (Almost) Independent Permutations
Eyal Kaplan, Moni Naor, Omer Reingold
Weizmann Institute of Science / Tel-Aviv University

2 k-wise independent functions
A family of functions G = {g | g: {0,1}^n → {0,1}^n} is called k-wise independent if g ∈_R G (g chosen uniformly at random from G) is indistinguishable from a random function f for any process that receives g(x) on at most k points:
∀ x₁, x₂, …, x_k ∈ {0,1}^n, ∀ A: {0,1}^{nk} → {0,1}:
Prob_{g ∈ G}[A(g(x₁), …, g(x_k)) = 1] = Prob_f[A(f(x₁), …, f(x_k)) = 1]
A great success story

3 k-wise independent functions
Simple construction: let G be the family of polynomials over GF(2^n) of degree at most k−1.
Then G is k-wise independent: ∀ distinct x₁, x₂, …, x_k, ∀ y₁, y₂, …, y_k, there is a unique g ∈ G such that g(x_i) = y_i
The description of g ∈ G is k·n bits long
This is tight:
– cannot hope to get a shorter description

4 What about k-wise independent permutations?
Suppose that G = {g | g: {0,1}^n → {0,1}^n}
Should be a family of permutations:
– 1-1 and length preserving
g ∈_R G is indistinguishable from a random permutation f for any process that receives g(x) on at most k points

5 Pairwise independent permutations
Simple construction: G = {g_{a,b}(x) = a·x + b | a, b ∈ GF(2^n), a ≠ 0}
– for all x₁, x₂ ∈ {0,1}^n and y₁, y₂ ∈ {0,1}^n where x₁ ≠ x₂ and y₁ ≠ y₂ there is a unique g_{a,b} ∈ G such that g_{a,b}(x₁) = a·x₁ + b = y₁ and g_{a,b}(x₂) = a·x₂ + b = y₂
What about larger k?
– For k = 3 there is a similar algebraic construction
– For k > 3 no known construction of non-trivial size
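The two algebraic constructions on slides 3 and 5 can be checked by brute force over a tiny field. The following is an added example, not code from the slides or their authors: it builds GF(2^4) with the field polynomial x^4 + x + 1 (our choice), enumerates the polynomials of degree at most k−1 and the affine maps a·x + b, and verifies the uniform-interpolation property directly, together with the k·n-bit description length. The evaluation points used in the usage lines are arbitrary.

```python
# Added example (not from the slides): brute-force check of the two algebraic
# constructions on slides 3 and 5 over a tiny field, GF(2^4).  The field
# modulus x^4 + x + 1 and the sample evaluation points are our choices.
from collections import Counter
from itertools import product
from math import log2

N_BITS = 4                  # n: field elements are 4-bit strings
N = 1 << N_BITS             # |GF(2^n)| = 16
IRREDUCIBLE = 0b10011       # x^4 + x + 1, irreducible over GF(2), defines GF(16)


def gf_mul(a, b):
    """Multiply two elements of GF(2^n), represented as n-bit integers.
    Addition in GF(2^n) is XOR, so 'a*x + b' on slide 5 is gf_mul(a, x) ^ b."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & N:               # degree overflowed: reduce modulo the field polynomial
            a ^= IRREDUCIBLE
    return r


def poly_eval(coeffs, x):
    """Horner evaluation over GF(2^n); coeffs[i] is the coefficient of x^i."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def kwise_function_family(k):
    """Slide 3: every polynomial of degree <= k-1, given by its k coefficients."""
    return list(product(range(N), repeat=k))


def is_k_wise_independent(family, points):
    """Slide 2's condition at one tuple of distinct points: as g ranges over the
    family, (g(x_1), ..., g(x_k)) must hit every one of the N^k output tuples
    equally often, i.e. be distributed exactly like a random function's outputs."""
    assert len(set(points)) == len(points), "query points must be distinct"
    counts = Counter(tuple(poly_eval(g, x) for x in points) for g in family)
    return len(counts) == N ** len(points) and len(set(counts.values())) == 1


def affine_permutation_family():
    """Slide 5: g_{a,b}(x) = a*x + b with a != 0, so every g is a bijection."""
    return [(a, b) for a in range(1, N) for b in range(N)]


def is_pairwise_independent_permutation(family, x1, x2):
    """Pairwise independence for permutations: the pair (g(x1), g(x2)) must be
    uniform over the N*(N-1) ordered pairs of distinct outputs."""
    assert x1 != x2
    counts = Counter((gf_mul(a, x1) ^ b, gf_mul(a, x2) ^ b) for a, b in family)
    return (len(counts) == N * (N - 1)
            and all(y1 != y2 for y1, y2 in counts)
            and len(set(counts.values())) == 1)


def description_bits(family):
    """Bits needed to name one member of the family (slide 3: k*n for polynomials)."""
    return log2(len(family))


if __name__ == "__main__":
    G3 = kwise_function_family(3)
    print("degree<=2 polynomials, 3-wise independent at (1,5,9):",
          is_k_wise_independent(G3, (1, 5, 9)),
          "description bits:", description_bits(G3))
    print("affine maps a*x+b, pairwise independent permutation at (3,12):",
          is_pairwise_independent_permutation(affine_permutation_family(), 3, 12))
```

For k = 3 the family has 16³ = 4096 members, so the description is exactly 12 = k·n bits, and the 4096 output triples at any three distinct points are hit once each. The same check run on the degree-at-most-1 family at three points fails, since 256 members cannot cover 4096 triples, which is the sense in which degree k−1 is needed.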

6 Relaxation: k-wise almost independent permutations
Suppose that G = {g | g: {0,1}^n → {0,1}^n}
Should be a family of permutations:
– 1-1 and length preserving
g ∈_R G is at most ε-distinguishable from a random permutation f for any process that receives g(x) on at most k points: the advantage of distinguishing g ∈_R G from a truly random permutation is at most ε
∀ x₁, x₂, …, x_k, the variation distance between g(x₁), …, g(x_k) for g ∈_R G and y₁, y₂, …, y_k, a random k-tuple with no repetitions, is at most ε
For ε = 0 we have k-wise independence
Should we allow adaptive queries? Should we allow inverses?

7 Main Result
For any n, k and ε: there is an explicit construction of a family G = {g | g: {0,1}^n → {0,1}^n} of k-wise ε-dependent permutations where the description of each g ∈ G is O(kn + log 1/ε) bits long
Can sample from the family and evaluate a permutation in time poly(k, n, log 1/ε)
Optimal up to the log 1/ε

8 Summary of Previous Work and Results
Family                        | Description length                    | Range of queries
Feistel "Luby-Rackoff"        | nk + O(n)                             | k < 2^{n/4}, ε₀ = k²/2^{n/2}
                              | O(nk·⌈log(ε₀/ε)⌉)                     | k < 2^{n/2}, ε ≤ ε₀
Simple 3-bit permutations     | O(n²k(nk + log(1/ε)))                 | k ≤ 2^n − 2
Card shuffling: Thorp shuffle | O(n^45·k·log(1/ε))                    | k ≤ 2^n
Non-constructive              | O(nk + log(1/ε)); O(nk) sample space  | k ≤ 2^n
This work                     | O(nk + log(1/ε))                      | k ≤ 2^n
Good for small k and moderate ε

9 Techniques and Ideas
Let F = {f | f: {0,1}^n → {0,1}^n} be a family of permutations
– Each f ∈ F described by w bits
Denote by F^t the family of permutations obtained by composing f₁, f₂, …, f_t ∈_R F
Suppose that F^t is k-wise ε-dependent
– The description of f ∈ F^t is w·t bits
We will show a technique to derandomize such constructions and look at a much smaller subset G of the t-tuples of F
– The description of g ∈ G would be roughly O(w + t) bits
Many known constructions can be described as such

10 Pseudo-randomness fooling bounded space machines
A function h: {0,1}* → {0,1}* such that
– on random input the output is indistinguishable from a string chosen uniformly at random to any process using s bits of memory
  – Branching program
– Expands the input
is called a pseudo-random generator for space s machines
[figure: h expands its seed into output bits b₁ b₂ … b_ℓ, which are read by a branching program with s bits of memory, i.e. width 2^s]

11 First Idea: apply pseudo-random generators for fooling bounded space algorithms
The possible assignments to the input of h define the collection G
[figure: the output of h is split into the w-bit descriptions f₁, f₂, …, f_t]
h is a generator that fools branching programs of width kn + w

12 Where is the bounded space coming from?
Suppose that G ⊆ F^t is not k-wise ε-dependent
– Then there are x₁, x₂, …, x_k which witness it
How much space does the algorithm for evaluating g = f₁∘f₂∘…∘f_t ∈ G on these points require?
– Scanning f₁, f₂, …, f_t from left to right and gradually evaluating g on all of x₁, x₂, …, x_k simultaneously
– needs only kn + w bits, as a branching program
Therefore: if the w·t bits describing them are generated by a process that fools all (kn + w)-bit branching programs
– then the distribution of g(x₁), g(x₂), …, g(x_k) for g ∈_R G is similar to
– the distribution of f(x₁), f(x₂), …, f(x_k) for f = f₁∘f₂∘…∘f_t with independent f_i
Conclusion: G is k-wise ε-dependent

13 Parameters of space bounded generators
For an ideal generator this method takes O(kn + log 1/ε + w + log t) bits
– No such explicit generator is known
No known generator is good enough: all introduce extra polylog factors
Indyk, Sivakumar: previous proposals for using space generators for combinatorial constructions
– When space is not an explicit issue

14 Second idea: use pseudo-random generators for random walks
Generate f₁, f₂, …, f_t ∈ F via a pseudo-random generator for random walks
– ones which are indistinguishable from random for any consistently labeled graph
Such walk generators exist
– Implicitly: Reingold's SL = L
– Explicitly: Reingold, Trevisan and Vadhan
Show how to apply them in the context of k-wise independent permutations
– Using previous constructions to define the graph

15 Graphs
Let H = (V,E) be a d-regular graph on m nodes
Normalized adjacency matrix: divide each entry by d
Eigenvalues: 1 = λ₁ ≥ λ₂ ≥ … ≥ λ_m
Let λ(H) be the second eigenvalue in absolute value: λ(H) = max{|λ₂|, |λ_m|}
The spectral gap of H is gap(H) = 1 − λ(H)
λ(H) governs the mixing rate of a random walk on H

16 Pseudo-random generators for walks
Call a labeled graph H = (V,E) an (m, d, λ)-graph if
– |V| = m
– each node has d outgoing edges
– the labeling is consistent: all incoming labels are distinct
– the second eigenvalue in absolute value satisfies λ(H) ≤ λ
A pseudo-random generator for random walks on H = (V,E) is a mapping G: {0,1}* → [d]^ℓ (its output defines a walk of length ℓ) where, for any starting node v ∈ V, the distribution of a walk starting from v chosen from G via a random input and a truly random walk are ε-close
For long enough walks and for graphs with large spectral gaps, a random walk ends in a random node

17 The RTV Generator
For any m, d, γ and ε there is a pseudo-random generator for all (m, d, 1−γ)-graphs, PRG_{m,d,γ,ε}: {0,1}^r → [d]^ℓ, with the following parameters:
– Seed length r ∈ O(log(m·d/(ε·γ)))
– Walk length ℓ ∈ O(poly(1/γ)·log(m·d/ε))
– Computable in space O(log(m·d/(ε·γ))) and time poly(1/γ, log(m·d/ε))
such that
– for any starting point v ∈ V
– a walk generated by PRG_{m,d,γ,ε} yields an end point that is ε-close to uniform
For graphs with large enough spectral gap, Ω(1/polylog m), and arbitrary degree: need only log m random bits to get to a random location in polylog m steps

18 k-Companion graph
Let
– N = 2^n
– [N]_k be the set of all k-tuples of distinct n-bit strings
Let F be a family of permutations. Then G_{F,k} = (V,E) is the k-companion graph of F, where:
– V = [N]_k
– E = {(z, σ(z)) | z ∈ [N]_k, σ ∈ F}, with σ applied to each coordinate of z
Each edge (z, σ(z)) ∈ E is labeled by σ
[figure: ⟨z₁, z₂, …, z_k⟩ → ⟨σ(z₁), σ(z₂), …, σ(z_k)⟩]

19 Properties of the Companion Graph
Let F be a family of permutations. If F
– is closed under inverses and
– contains the identity permutation,
then H_{F,k}, the k-companion graph of F, is:
– an undirected |F|-regular graph
– with self-loops
– consistently labeled
[figure: ⟨z₁, z₂, …, z_k⟩ → ⟨σ(z₁), σ(z₂), …, σ(z_k)⟩]
The analysis of k-wise independence is via showing a spectral gap of H_{F,k}

20 k-wise independence and random walks
If F^t yields a family of permutations that is k-wise ε-dependent, then in the companion graph H_{F,k}
– for any node z ∈ [N]_k a random walk from z is ε-close to uniform
Otherwise this z is a witness to the non-k-wise ε-dependence

21 The construction
Generate f₁, f₂, …, f_t ∈ F via a pseudo-random generator for random walks on H_{F,k}, the k-companion graph of F
f₁, f₂, …, f_t are the labels of the walk
– The resulting permutation is g = f₁∘f₂∘…∘f_t
Use PRG_{m,d,γ,ε}: {0,1}^r → [d]^ℓ for
– m = |[N]_k|
– d = |F|
– r ∈ O(log(2^{nk}·|F|/(ε·γ)))
γ comes from the analysis of the original construction F^t: gap(H_{F,k}) ≥ γ
ε is how close we want to be to a k-wise independent permutation

22 The resulting parameters
The resulting family G of permutations is:
– a family of k-wise ε-dependent permutations
– the description of each g ∈ G is O(nk + log|F| + log(1/(εγ))) bits
If the time to evaluate f(x) for f ∈ F is τ(n,k), then the time complexity of evaluating g ∈ G is poly(1/γ, n, k, log(|F|/ε))·τ(n,k)
– Need to "open up" the description of f₁, f₂, …, f_t

23 Summary of Previous Work and Results
Family                        | Description length                    | Range of queries
Feistel "Luby-Rackoff"        | nk + O(n)                             | k < 2^{n/4}, ε₀ = k²/2^{n/2}
                              | O(nk·⌈log(ε₀/ε)⌉)                     | k < 2^{n/2}, ε ≤ ε₀
Simple 3-bit permutations     | O(n²k(nk + log(1/ε)))                 | k ≤ 2^n − 2
Card shuffling: Thorp shuffle | O(n^45·k·log(1/ε))                    | k ≤ 2^n
Non-constructive              | O(nk + log(1/ε)); O(nk) sample space  | k ≤ 2^n
This work                     | O(nk + log(1/ε))                      | k ≤ 2^n
Simple 3-bit permutations were proposed and analyzed by Gowers; Hoory, Magen, Myers and Rackoff; and Brodsky and Hoory

24 Resulting Parameters with Simple 3-bit Permutations
Theorem [BH]: There is a family of simple permutations F₂ s.t. for all 2 ≤ k ≤ 2^n − 2 there is a t ∈ O(n²k(nk + log 1/ε)) where:
– F₂^t is k-wise ε-dependent
– gap(H_{F₂,k}) is Ω(1/(n²k))
Description of f ∈ F₂ is O(log(n³)) bits
Therefore: description of each g ∈ G is O(nk + log(n³) + log(n²k/ε)) bits

25 Open Problems
Get rid of the dependency on ε
– Come up with exact k-wise independent permutations of reasonable size, or
– Show a reason why it is difficult to construct them
How about using permutation polynomials?
– Over fields: hard problem
– Rivest: simple characterization for mod 2^n
– Is it useful?

26 Time complexity of the permutation
The RTV generator increases the length of the walk
– The general space generator does not increase it
Is it possible to get the best of both worlds?

27 Efficiency of evaluating k-wise independent permutations and functions
What about the time to evaluate g on a given point x?
Want a representation where the evaluation does not involve reading the entire description of g
Even for functions: in the simple construction one needs to read all the bits
– Siegel: some lower and upper bounds for functions
Question: given either
– a k-wise independent function, or
– a k-wise independent permutation over a larger range,
come up with a good construction of a k-wise independent permutation with a small evaluation time and black-box calls to the given function/permutation
What if the domain size N is not a power of 2?
– Open only for small k
– Using good extractors

28 The End

29 Simulating Random Objects
Want to simulate a large random object using a succinct one
– Capturing essential properties of the random object
Prominent example: simulating a random function f: {0,1}^n → {0,1}^n
Want to come up with a small family of functions G so that g ∈_R G simulates a truly random f: {0,1}^n → {0,1}^n
Natural way to phrase simulation: limited access

30 The spectral gap of a companion graph
Observation: in many cases the analysis of a k-wise independent permutation is via showing a spectral gap of H_{F,k}
In some sense this is necessary

31 Consistent Labeling
A labeling of a d-regular graph is consistent if all incoming labels are distinct
– Relevant for both directed and undirected graphs
For directed graphs: want biregularity

32 k-wise permutations over other domains
– What if the domain size N is not a power of 2?
– The card shuffling approaches are hard to adapt
– Can use a Feistel network to get some results
– Can reduce the size by a fixed fraction
Cycle walking
– Need to take k'-wise for k' ∈ O(k + log 1/ε)
– Problem if k is small
[figure: one Feistel round with round function f, mapping (L₁, R₁) to (L₂, R₂)]
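Cycle walking, as named on slide 32, is easy to see on a toy domain. The following is an added example, not code from the slides: it restricts a permutation on 2^6 = 64 points to the domain [40] (sizes of our choosing) by applying the permutation repeatedly until the value lands back inside the domain. The underlying permutation is a seeded shuffle standing in for a k-wise independent one (an assumption of the example, not a construction from the deck); the count of underlying calls per evaluation is what makes the k'-wise requirement on slide 32 visible, since one query to the restricted permutation can consume several queries of the underlying one.

```python
# Added example (not from the slides): cycle walking, the technique slide 32 names
# for a domain [M] whose size is not a power of two.  The permutation on 2^n points
# is a seeded shuffle standing in for a k-wise independent one; n, M and the seed
# are our choices.
import random

N_BITS = 6
N = 1 << N_BITS      # 64 points
M = 40               # target domain size, not a power of two


def stand_in_permutation(seed=7):
    """A fixed permutation of [N] (constructed; only its being a bijection matters)."""
    perm = list(range(N))
    random.Random(seed).shuffle(perm)
    return perm


def cycle_walk(perm, m, x):
    """Image of x in [m] under the cycle-walked permutation, plus the number of
    calls to perm it took.  Because perm is a bijection, the cycle through x
    returns to x, so the loop always stops at some element below m."""
    y, calls = x, 0
    while True:
        y = perm[y]
        calls += 1
        if y < m:
            return y, calls


def restricted_permutation(perm, m):
    """Cycle-walk every point of [m]; returns (image list, calls per point)."""
    images, calls = [], []
    for x in range(m):
        y, c = cycle_walk(perm, m, x)
        images.append(y)
        calls.append(c)
    return images, calls


def is_permutation(images, m):
    return sorted(images) == list(range(m))


def inverse_cycle_walk(perm, m, y):
    """Inverse by walking perm^{-1}: the first in-domain element *before* y on
    its cycle.  Inverse queries therefore cost the same kind of walk."""
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return cycle_walk(inv, m, y)


if __name__ == "__main__":
    perm = stand_in_permutation()
    images, calls = restricted_permutation(perm, M)
    print("bijection on [M]:", is_permutation(images, M))
    print("underlying queries per evaluation: max", max(calls), "total", sum(calls))
```

Each evaluation makes at most N − M + 1 calls to the underlying permutation (that many out-of-domain points can sit between two in-domain points on a cycle), and across all M inputs every point of [N] on a visited cycle is consumed exactly once, so the total never exceeds N. When M is a constant fraction of N the expected cost per query is constant, which is the "reduce the size by a fixed fraction" case on the slide; the queries consumed are why the underlying family has to be k'-wise independent for k' larger than k.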

33 The credit card problem
Find a simple reduction from permutations on large blocks to small blocks
– Preserving the properties of the original permutation
  – Time-wise
  – Security


35 Motivating example: permuting credit card numbers
To reduce fraud, want to permute credit card numbers
Size of set: roughly 2^40 (ignoring the first 4 digits)
Only trusted servers will have access to the permutation
An adversary that sees only a limited number of permuted cc numbers should not be able to obtain information on any other card
– for which it sees only the permuted value
Want a way to spread the permutation to the trusted servers
– Need a succinct representation
No such construction known, even based on cryptographic primitives

36 Block ciphers: shared-key encryption schemes where the encryption of every plaintext block is a ciphertext block of the same length
Important examples: DES, AES
How to go from block size 64 to block size 40?
Complexity-based concept modeling them: pseudo-random permutations
[figure: block cipher BC taking a key and a 64-bit plaintext block to a 64-bit ciphertext block]

37 Block ciphers and k-wise independent permutations
The two notions are related
But there are some important differences
– Example: dynamic vs. static attacks


39 First Idea: apply pseudo-random generators for fooling bounded space algorithms
The possible assignments to the input of h define G
[figure: the output of h is split into the w-bit descriptions f₁, f₂, …, f_t]


41 Parameters of space bounded generators
For an ideal generator this method takes O(kn + log 1/ε + w + log t) bits
– No such explicit generator is known
Best known ones introduce additional polylog factors
Indyk, Sivakumar: previous proposals for using space generators for combinatorial constructions
– When space is not an explicit issue

42 Simple 3-bit Permutations
An approach for generating simple permutations by changing a fixed number of bits in each round
Each permutation is defined by
1. A small subset of the indices
2. A permutation σ that maps the subset of the bits to their new value
Proposed and analyzed by
– Gowers
– Hoory, Magen, Myers and Rackoff
– Brodsky and Hoory

43 Simple 3-bit Permutations
For
– a Boolean function on c bits f: {0,1}^c → {0,1}
– a subset S = {i₀, i₁, …, i_c} ⊆ [n]
define a permutation σ_{f,S}: {0,1}^n → {0,1}^n where
σ_{f,S}(x₁, x₂, …, x_n) = (x₁, …, x_{i₀−1}, x_{i₀} ⊕ f(x_{i₁}, …, x_{i_c}), x_{i₀+1}, …, x_n)
Note that σ_{f,S} is an involution: the inverse of itself
Let F₂ = {σ_{f,S} | f: {0,1}² → {0,1}, S ⊆ [n], |S| = 3}
Theorem [Brodsky-Hoory]: For all 2 ≤ k ≤ 2^n − 2 there is a t ∈ O(n²k(nk + log 1/ε)) where:
– F₂^t is k-wise ε-dependent
– gap(H_{F₂,k}) is Ω(1/(n²k))
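The companion-graph view of slides 18–21 and 24, with the family F₂ just defined, can be computed exactly for a toy size. The following is an added example, not code from the slides or their authors: it builds F₂ for n = 4, constructs the 2-companion graph on the 16·15 = 240 ordered pairs of distinct points, runs the random walk from one node and reports the variation distance from uniform after t steps (the ε of slide 20 for that witness tuple), and uses power iteration to bound λ(H) from below. The choices n = 4, k = 2 and the walk length are ours, as is the decision to count members of F₂ with multiplicity, one per (f, i₀, {i₁, i₂}), so that the graph is regular with one edge per member and the walk picks a uniformly random member.

```python
# Added example (not from the slides): an exact random-walk computation on the
# k-companion graph H_{F,k} (slides 18-21) for the simple 3-bit family F_2 of
# slide 43.  The parameters n = 4, k = 2 and the walk length are our choices;
# with n = 4 the graph has 16*15 = 240 nodes, small enough to handle exactly.
from itertools import combinations, permutations

N_BITS = 4                   # n
K = 2                        # k
N = 1 << N_BITS              # N = 2^n
WALK_STEPS = 300             # t: how many labels the walk reads


def simple_3bit_family(n):
    """F_2 from slide 43.  sigma_{f,S} XORs bit i0 with f(x_{i1}, x_{i2}), for every
    Boolean f on 2 bits (16 truth tables), every target bit i0 and every unordered
    pair {i1, i2} of control bits.  Members are stored as lookup tables x -> sigma(x)
    and counted with multiplicity, one per (f, i0, {i1, i2}); the identity (f = 0)
    is included and every member is an involution, as slide 19 requires."""
    family = []
    for i0 in range(n):
        for i1, i2 in combinations([i for i in range(n) if i != i0], 2):
            for truth in range(16):          # bit 2*a+b of 'truth' is f(a, b)
                table = []
                for x in range(1 << n):
                    a, b = (x >> i1) & 1, (x >> i2) & 1
                    f_val = (truth >> (2 * a + b)) & 1
                    table.append(x ^ (f_val << i0))
                family.append(tuple(table))
    return family


def companion_graph(family, n, k):
    """Nodes are ordered k-tuples of distinct n-bit strings ([N]_k, slide 18); the
    edge z -> sigma(z) applies sigma coordinatewise.  Returns the node list and,
    per node, its successors as (node_index, multiplicity) pairs."""
    nodes = list(permutations(range(1 << n), k))
    index = {z: i for i, z in enumerate(nodes)}
    succ = []
    for z in nodes:
        counts = {}
        for sigma in family:
            j = index[tuple(sigma[x] for x in z)]
            counts[j] = counts.get(j, 0) + 1
        succ.append(sorted(counts.items()))
    return nodes, succ


def walk_step(p, succ, degree):
    """One step of the random walk (one random label): p' = p * M, where M is the
    normalized adjacency matrix of slide 15.  Works for signed vectors too."""
    q = [0.0] * len(p)
    for i, mass in enumerate(p):
        if mass:
            for j, mult in succ[i]:
                q[j] += mass * mult / degree
    return q


def variation_distance_to_uniform(p):
    u = 1.0 / len(p)
    return 0.5 * sum(abs(x - u) for x in p)


def walk_distances(start, steps, succ, degree):
    """Variation distance from uniform on [N]_k after 0..steps steps of a walk that
    starts at node 'start'.  Slide 20: this is the epsilon for the witness tuple z,
    since the walk's end node is (sigma_t o ... o sigma_1)(z)."""
    p = [0.0] * len(succ)
    p[start] = 1.0
    dists = [variation_distance_to_uniform(p)]
    for _ in range(steps):
        p = walk_step(p, succ, degree)
        dists.append(variation_distance_to_uniform(p))
    return dists


def lambda_lower_bound(succ, degree, iterations=200):
    """Power iteration on the component orthogonal to the uniform vector.  M is
    symmetric (F is closed under inverses), so ||vM|| / ||v|| never exceeds
    lambda(H) = max(|lambda_2|, |lambda_m|) of slide 15; the value returned is a
    lower bound that converges to lambda(H)."""
    m = len(succ)
    v = [-1.0 / m] * m
    v[0] += 1.0                               # point mass minus uniform
    ratio = 0.0
    for _ in range(iterations):
        w = walk_step(v, succ, degree)
        mean = sum(w) / m
        w = [x - mean for x in w]             # M keeps v orthogonal to uniform; fixes round-off
        nv = sum(x * x for x in v) ** 0.5
        nw = sum(x * x for x in w) ** 0.5
        ratio = nw / nv
        v = [x / nw for x in w]
    return ratio


def analyze():
    family = simple_3bit_family(N_BITS)
    nodes, succ = companion_graph(family, N_BITS, K)
    degree = len(family)                      # |F| with multiplicity: the graph is |F|-regular
    return {
        "family_size": degree,
        "nodes": len(nodes),
        "dists": walk_distances(0, WALK_STEPS, succ, degree),
        "lambda_lb": lambda_lower_bound(succ, degree),
    }


if __name__ == "__main__":
    r = analyze()
    print(f"|F_2| = {r['family_size']}, |[N]_k| = {r['nodes']}")
    for t in (0, 10, 50, 100, WALK_STEPS):
        print(f"t = {t:3d}: variation distance from uniform = {r['dists'][t]:.3e}")
    print(f"lambda(H) >= {r['lambda_lb']:.4f}  (gap <= {1 - r['lambda_lb']:.4f})")
```

The distance at t = 0 is 1 − 1/240 and can only decrease with t; how fast it falls is governed by λ(H), as slide 15 states. The lower bound on λ(H) is at least 3/4 here, because the walk restricted to a single coordinate is a lazy walk on the 4-dimensional hypercube, whose parity characters have eigenvalue 3/4 and lift to the companion graph.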

44 The End