Derandomized Constructions of k-Wise (Almost) Independent Permutations
Eyal Kaplan, Moni Naor, Omer Reingold
Tel-Aviv University / Weizmann Institute of Science
k-wise independent functions
A family of functions G = {g | g: {0,1}^n → {0,1}^n} is called k-wise independent if g ∈_R G is indistinguishable from a random function f for any process that receives g(x) on at most k points:
∀x_1, x_2, …, x_k ∈ {0,1}^n, ∀A: {0,1}^{nk} → {0,1}:
Prob_{g ∈ G}[A(g(x_1), …, g(x_k)) = '1'] = Prob_f[A(f(x_1), …, f(x_k)) = '1']
A great success story
k-wise independent functions
Simple construction:
• Let G be the family of polynomials over GF(2^n) of degree at most k-1
Then
• G is k-wise independent: ∀ distinct x_1, x_2, …, x_k, ∀y_1, y_2, …, y_k, there is a unique g ∈ G such that g(x_i) = y_i
• The description of g ∈ G is k·n bits long
• This is tight: cannot hope to get a shorter description
What about k-wise independent permutations?
Suppose that G = {g | g: {0,1}^n → {0,1}^n}
• Should be a family of permutations: 1-1 and length preserving
• g ∈_R G is indistinguishable from a random permutation f for any process that receives g(x) on at most k points
Pair-wise independent permutations
Simple construction: G = {g_{a,b}(x) = a·x + b | a, b ∈ GF(2^n), a ≠ 0}
• For all x_1, x_2 ∈ {0,1}^n and y_1, y_2 ∈ {0,1}^n where x_1 ≠ x_2 and y_1 ≠ y_2 there is a unique g_{a,b} ∈ G such that
  • g_{a,b}(x_1) = a·x_1 + b = y_1 and
  • g_{a,b}(x_2) = a·x_2 + b = y_2
What about larger k?
• For k = 3 there is a similar algebraic construction
• For k > 3 no known construction of non-trivial size
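An added, runnable check of both algebraic constructions above (this code is not from the talk). It works over GF(2^4) with modulus x^4 + x + 1, an assumption (any irreducible quartic would do), enumerates the whole polynomial family to confirm k-wise independence by counting, and enumerates the affine family to confirm it is a pair-wise independent permutation family but not 3-wise independent.

```python
# Added example, not from the talk. Exhaustive check over GF(2^4) of:
#  (a) the polynomial family (degree <= k-1) being k-wise independent, and
#  (b) the affine family g_{a,b}(x) = a*x + b, a != 0, being pair-wise
#      independent as a permutation family but not 3-wise independent.
from collections import Counter
from itertools import product

Q = 16            # |GF(2^4)|
MOD = 0b10011     # x^4 + x + 1 (assumed modulus; any irreducible quartic works)

def gf_mul(a, b):
    """Carry-less multiply with reduction modulo x^4 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & Q:          # degree reached 4: reduce
            a ^= MOD
        b >>= 1
    return r

def poly_eval(coeffs, x):
    """coeffs[i] is the coefficient of x^i; Horner evaluation in GF(2^4)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc

def polys_k_wise_independent(k, points):
    """All Q^k polynomials of degree <= k-1 on k fixed distinct points: k-wise
    independent iff every one of the Q^k output tuples occurs exactly once."""
    counts = Counter(tuple(poly_eval(c, x) for x in points)
                     for c in product(range(Q), repeat=k))
    return len(counts) == Q ** k and set(counts.values()) == {1}

def affine_outputs(points):
    """Multiset of (g(x_1), ..., g(x_m)) over all Q*(Q-1) maps g_{a,b}."""
    return Counter(tuple(gf_mul(a, x) ^ b for x in points)
                   for a in range(1, Q) for b in range(Q))

def affine_pairwise_independent_permutation(x1, x2):
    """Each ordered pair (y1, y2), y1 != y2, must come from exactly one
    g_{a,b}, and no g_{a,b} may send x1 and x2 to the same value."""
    counts = affine_outputs((x1, x2))
    distinct = [(y1, y2) for y1 in range(Q) for y2 in range(Q) if y1 != y2]
    return all(counts[p] == 1 for p in distinct) and len(counts) == len(distinct)

def affine_3_wise_independent(x1, x2, x3):
    """Only Q*(Q-1) members but Q*(Q-1)*(Q-2) distinct triples to hit."""
    return len(affine_outputs((x1, x2, x3))) == Q * (Q - 1) * (Q - 2)
```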
Relaxation: k-wise almost independent permutations
Suppose that G = {g | g: {0,1}^n → {0,1}^n}
• Should be a family of permutations: 1-1 and length preserving
• g ∈_R G is at most ε-distinguishable from a random permutation f for any process that receives g(x) on at most k points: the advantage of distinguishing g ∈_R G from a truly random permutation is at most ε
• ∀x_1, x_2, …, x_k, the variation distance between
  • g(x_1), …, g(x_k) for g ∈_R G and
  • y_1, y_2, …, y_k, a random k-tuple with no repetitions
  is at most ε
For ε = 0 we have k-wise independence
Should we allow inverses? Should we allow adaptive queries?
Main Result
• For any n, k and ε: there is an explicit construction of a family G = {g | g: {0,1}^n → {0,1}^n} of k-wise ε-dependent permutations where the description of each g ∈ G is O(kn + log 1/ε) bits long
• Can sample from the family and evaluate a permutation in time poly(k, n, log 1/ε)
• Optimal up to the log 1/ε
Good for small k and moderate ε
Summary of Previous Work and Results
Techniques and Ideas
• Let F = {f | f: {0,1}^n → {0,1}^n} be a family of permutations
• Each f ∈ F is described by w bits
• Denote by F^t the family of permutations obtained by composing f_1, f_2, …, f_t ∈_R F
• Suppose that F^t is k-wise ε-dependent
• The description of f ∈ F^t is w·t bits
We will show a technique to derandomize such constructions and look at a much smaller subset G of the t-tuples of F
• The description of g ∈ G would be roughly O(w + t) bits
Many known constructions can be described as such
Pseudo-randomness fooling bounded space machines
A function h: {0,1}^* → {0,1}^* such that
• on random input the output is indistinguishable from a string chosen uniformly at random
• to any process using s bits of memory (a branching program)
• and that expands the input
is called a pseudo-random generator for space-s machines
[Figure: the generator h outputs bits b_1, b_2, …, b_ℓ, which are read one at a time by a branching program with 2^s states]
First Idea: apply pseudo-random generators for fooling bounded space algorithms
The possible assignments to the input of h define the collection G
h is a generator that fools branching programs of width kn + w
[Figure: the input of h is expanded into the w-bit descriptions of f_1, f_2, …, f_t]
Where is the bounded space coming from?
• Suppose that G ⊂ F^t is not k-wise ε-dependent
• Then there are x_1, x_2, …, x_k which witness it
• How much space does the algorithm for evaluating g = f_1 ◦ f_2 ◦ … ◦ f_t ∈ G on these points require?
• Scanning f_1, f_2, …, f_t from left to right and gradually evaluating g on all x_1, x_2, …, x_k simultaneously needs only kn + w bits, as a branching program
• Therefore: if the w·t bits describing them are generated by a process that fools all (kn + w)-bit branching programs
• then the distribution of g(x_1), g(x_2), …, g(x_k) for g ∈_R G is similar to the distribution of f(x_1), f(x_2), …, f(x_k) for f = f_1 ◦ f_2 ◦ … ◦ f_t with independent f_i
Conclusion: G is k-wise ε-dependent
Parameters of space bounded generators
• For an ideal generator: this method takes O(kn + log 1/ε + w + log t) bits
• No such explicit generator is known
• No known generator is good enough: all introduce extra polylog factors
• Indyk, Sivakumar: previous proposals for using space generators for combinatorial constructions, when space is not an explicit issue
Second idea: use pseudo-random generators for random walks
Generate f_1, f_2, …, f_t ∈ F via a pseudo-random generator for random walks
• Ones which are indistinguishable from random for any consistently labeled graph
• Such walk generators exist
  • Implicitly: Reingold's SL = L
  • Explicitly: Reingold, Trevisan and Vadhan
• Show how to apply them in the context of k-wise independent permutations, using previous constructions to define the graph
Pseudo-random generators for walks
• Call a labeled graph H = (V,E) an (m,d,λ)-graph if
  • |V| = m
  • each node has d outgoing edges
  • the labeling is consistent: all incoming labels are distinct
  • the second eigenvalue in absolute value satisfies λ(H) ≤ λ
• A pseudo-random generator for random walks on H = (V,E) is a mapping G: {0,1}^* → [d]^ℓ where for any starting node v ∈ V the distributions of a walk starting from v
  • chosen from G via a random input and
  • a truly random walk
  are close
• For long enough walks and for graphs with large spectral gaps a random walk ends in a random node
[Figure: a sequence of edge labels such as 1, 3, 2 defines a walk of length ℓ]
The RTV Generator
• For any m, d, λ and ε there is a pseudo-random generator for all (m,d,1-λ)-graphs, PRG_{m,d,λ,ε}: {0,1}^r → [d]^ℓ, with the following parameters:
  • Seed length r ∈ O(log(m·d/(λ·ε)))
  • Walk length ℓ ∈ O(poly(1/λ) · log(m·d/ε))
  • Computable in space O(log(m·d/(λ·ε))) and time poly(1/λ, log(m·d/ε))
  such that for any starting point v ∈ V a walk generated by PRG_{m,d,λ,ε} yields an end point that is ε-close to uniform
• For graphs with
  • large enough spectral gap (1/polylog m)
  • arbitrary degree
  one needs only log m random bits to get to a random location in polylog m steps
k-Companion graph
Let
• N = 2^n
• [N]^k be the set of all k-tuples of distinct n-bit strings
• F be a family of permutations
Then H_{F,k} = (V,E) is the k-companion graph of F, where:
• V = [N]^k
• E = {(z, π(z)) | z ∈ [N]^k, π ∈ F}, where π(z) = (π(z_1), π(z_2), …, π(z_k))
• Each edge (z, π(z)) ∈ E is labeled by π
Properties of the Companion Graph
• Let F be a family of permutations. If F
  • is closed under inverses and
  • contains the identity permutation,
  then H_{F,k}, the k-companion graph of F, is:
  • an undirected |F|-regular graph
  • with self-loops
  • consistently labeled
• The analysis of k-wise independence is via showing a spectral gap of H_{F,k}
k-wise independence and random walks
• If F^t yields a family of permutations that is k-wise ε-dependent, then in the companion graph H_{F,k}, for any node z ∈ [N]^k a random walk of length t from z is ε-close to uniform
• Otherwise this z is a witness to the non k-wise ε-dependence
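An added example (not from the talk) that builds the objects of the last three slides at toy size: the k-companion graph of the simple 3-bit permutation family F_2 defined on the closing slides, for n = 3 and k = 2, checks the regularity, self-loop and undirectedness properties, and computes the exact ε for which F_2^t is 2-wise ε-dependent as the worst-case variation distance of a t-step random walk from uniform. The sizes n = 3, k = 2 are assumptions made to keep the enumeration small.

```python
# Added example, not from the talk. The k-companion graph H_{F,k} of the simple
# 3-bit permutation family F_2 (n = 3, k = 2) and the exact epsilon for which
# F_2^t is k-wise epsilon-dependent, read off from t-step random walks.
from itertools import permutations, product

n, N = 3, 8        # n-bit strings, N = 2^n

def simple_perm(f, i0, i1, i2):
    """x -> x with bit i0 replaced by x[i0] XOR f(x[i1], x[i2]); an involution."""
    return lambda x: x ^ (f[((x >> i1) & 1) << 1 | ((x >> i2) & 1)] << i0)

def family_f2():
    """All (f, S) for n = 3: f ranges over the 16 truth tables on 2 bits and
    i0 over the target bit; the other two bits feed f (their order is absorbed
    by f). f = 0 gives the identity; every member is its own inverse."""
    return [simple_perm(f, i0, *[i for i in range(n) if i != i0])
            for f in product((0, 1), repeat=4) for i0 in range(n)]

def companion_graph(F, k):
    """Nodes: k-tuples of distinct strings; one edge z -> pi(z) per pi in F,
    stored by position so the edge label is the index of pi in F."""
    nodes = list(permutations(range(N), k))
    index = {z: i for i, z in enumerate(nodes)}
    adj = [[index[tuple(p(x) for x in z)] for p in F] for z in nodes]
    return nodes, adj

def walk_distribution(adj, start, t):
    """Endpoint distribution of a t-step random walk from `start`, i.e. the
    distribution of (g(z_1), ..., g(z_k)) for g = f_1 o ... o f_t, f_i uniform in F."""
    dist = {start: 1.0}
    for _ in range(t):
        nxt = {}
        for v, pv in dist.items():
            for u in adj[v]:
                nxt[u] = nxt.get(u, 0.0) + pv / len(adj[v])
        dist = nxt
    return dist

def k_wise_epsilon(F, k, t):
    """Worst start node: variation distance between the t-step walk and the
    uniform distribution on nodes (a random k-tuple with no repetitions)."""
    nodes, adj = companion_graph(F, k)
    u, worst = 1.0 / len(nodes), 0.0
    for z in range(len(nodes)):
        dist = walk_distribution(adj, z, t)
        tv = 0.5 * (sum(abs(p - u) for p in dist.values())
                    + u * (len(nodes) - len(dist)))
        worst = max(worst, tv)
    return worst
```

Calling k_wise_epsilon(family_f2(), 2, t) for growing t shows the ε of F_2^t shrinking as the walk on the 56-node companion graph mixes.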
The construction
Generate f_1, f_2, …, f_t ∈ F via a pseudo-random generator for random walks on H_{F,k}, the k-companion graph of F
• f_1, f_2, …, f_t are the labels of the walk
• The resulting permutation is g = f_1 ◦ f_2 ◦ … ◦ f_t
• Use PRG_{m,d,λ,ε}: {0,1}^r → [d]^ℓ for
  • m = |[N]^k|
  • d = |F|
  • r ∈ O(log(2^{nk} · |F| / (λ · ε)))
• λ comes from the analysis of the original construction F^t: gap(H_{F,k}) ≥ λ
• ε is how close we want to be to a k-wise independent permutation
The resulting parameters
The resulting family G of permutations is:
• a family of k-wise ε-dependent permutations
• the description of each g ∈ G is O(nk + log |F| + log(1/(λ·ε))) bits
• the time complexity of evaluating g ∈ G is poly(1/λ, n, k, log(|F|/ε)) times the time to evaluate f(x) for a single f ∈ F
• need to "open up" the description of f_1, f_2, …, f_t
Summary of Previous Work and Results
• Proposed and analyzed by
  • Gowers
  • Hoory, Magen, Myers and Rackoff
  • Brodsky and Hoory
Resulting Parameters with Simple 3-bit Permutations
Theorem [BH]: There is a family of simple permutations F_2 s.t. for all 2 ≤ k ≤ 2^{n-2} there is a t ∈ O(n^2 k (nk + log 1/ε)) where:
• F_2^t is k-wise ε-dependent
• gap(H_{F_2,k}) is Ω(1/(n^2 k))
• Description of f ∈ F_2 is O(log(n^3)) bits
Therefore: description of each g ∈ G is O(nk + log(n^3) + log(n^2 k/ε)) bits
Open Problems
• Get rid of the dependency on ε
  • Come up with exact k-wise independent permutations of reasonable size, or
  • show a reason why it is difficult to construct them
• How about using permutation polynomials?
  • Over fields: hard problem
  • Rivest: simple characterization for mod 2^n
  • Is it useful?
Time complexity of the permutation
• The RTV generator increases the length of the walk
• The general space generator does not increase it
• Is it possible to get the best of both worlds?
Efficiency of evaluating k-wise independent permutations and functions
What about the time to evaluate g on a given point x?
• Want a representation where the evaluation does not involve reading the entire description of g
• Even for functions: in the simple construction one needs to read all the bits
• Siegel: some lower and upper bounds for functions
Question: given either
• a k-wise independent function or
• a k-wise independent permutation over a larger range,
come up with a good construction of a k-wise independent permutation with a small evaluation time and black-box calls to the given function/permutation
What if the domain size N is not a power of 2?
Open only for small k
Using good extractors
k-wise permutations over other domains
• What if the domain size N is not a power of 2?
• The card shuffling approaches are hard to adapt
• Can use a Feistel network to get some results
• Can reduce the size by a fixed fraction
• Cycle walking
  • Need to take k'-wise for k' ∈ O(k + log 1/ε)
  • Problem if k is small
[Figure: one Feistel round mapping (L_1, R_1) to (L_2, R_2) using the round function f]
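An added example (not from the talk) of the cycle-walking step just mentioned: it restricts a permutation p on {0,1}^n to a domain [M] with M ≤ 2^n by re-applying p until the output lands in [M], checks that the result is a bijection of [M], and counts how many inputs of p get consulted when evaluating on k points, which is why the underlying family has to be k'-wise independent for some k' > k. The permutation p here is a constructed random table standing in for a member of such a family.

```python
# Added example, not from the talk: cycle walking restricts a permutation p on
# {0,1}^n to the domain [M] = {0, ..., M-1}, M <= 2^n, by re-applying p until
# the value lands in [M]. Evaluating on k points can consult p at more than k
# points, which is why the underlying family must be k'-wise for some k' > k.
import random

def cycle_walk(p, M, x):
    """Return (value, inputs of p consulted). Terminates because the p-cycle
    through x comes back to x < M."""
    consulted, y = [x], p(x)
    while y >= M:
        consulted.append(y)
        y = p(y)
    return y, consulted

def is_permutation_on(p, M):
    """The cycle-walked map shifts each p-cycle along its elements below M,
    so it is a bijection of [M]; check it by sorting the images."""
    return sorted(cycle_walk(p, M, x)[0] for x in range(M)) == list(range(M))

def points_consulted(p, M, xs):
    """Number of distinct inputs of p touched while evaluating on the points
    xs: the k' that the k'-wise guarantee of p's family must cover."""
    touched = set()
    for x in xs:
        touched.update(cycle_walk(p, M, x)[1])
    return len(touched)

def mean_queries(p, M):
    """Average number of p-evaluations per point. Every element of {0,1}^n is
    consulted at most once over all x in [M], so this is at most 2^n / M:
    keeping M a constant fraction of 2^n keeps the cost constant."""
    return sum(len(cycle_walk(p, M, x)[1]) for x in range(M)) / M

def toy_perm(n, seed):
    """Constructed stand-in for a member of a k'-wise independent family:
    a fixed pseudo-random permutation table of {0,1}^n."""
    table = list(range(1 << n))
    random.Random(seed).shuffle(table)
    return table.__getitem__
```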
The credit card problem
• Find a simple reduction from permutations on large blocks to small blocks
• Preserving the properties of the original permutation
  • Time-wise
  • Security
Motivating example: permuting credit card numbers
To reduce fraud we want to permute credit card numbers
• Size of set: roughly 2^40 (ignoring the first 4 digits)
• Only trusted servers will have access to the permutation
• An adversary that sees only a limited number of permuted cc numbers should not be able to obtain information on any other card for which it sees only the permuted value
• Want a way to spread the permutation to the trusted servers: need a succinct representation
No such construction known even based on cryptographic primitives
Block-Ciphers
Shared-key encryption schemes where the encryption of every plaintext block is a ciphertext block of the same length
• Block size: 64 bits
• Important examples: DES, AES
• Complexity based concept modeling them: Pseudo-Random Permutations
How to go from block size 64 to block size 40?
[Figure: the block cipher BC maps Plaintext under Key to Ciphertext]
Block-ciphers and k-wise independent permutations
• The two notions are related
• But there are some important differences
• Example: dynamic vs. static attacks
Simple 3-bit Permutations
An approach for generating simple permutations by changing a fixed number of bits in each round
Each permutation is defined by
• a small subset of the indices
• a permutation that maps the subset of the bits to their new value
Proposed and analyzed by
• Gowers
• Hoory, Magen, Myers and Rackoff
• Brodsky and Hoory
Simple 3-bit Permutations
For
• a Boolean function on c bits f: {0,1}^c → {0,1}
• a subset S = {i_0, i_1, …, i_c} ⊂ [n]
define the permutation of {0,1}^n given by (f, S) as
(x_1, x_2, …, x_n) ↦ (x_1, …, x_{i_0-1}, x_{i_0} ⊕ f(x_{i_1}, …, x_{i_c}), x_{i_0+1}, …, x_n)
Note that this permutation is an involution: the inverse of itself
Let F_2 = {the permutation given by (f, S) | f: {0,1}^2 → {0,1}, S ⊂ [n], |S| = 3}
Theorem [Brodsky-Hoory]: For all 2 ≤ k ≤ 2^{n-2} there is a t ∈ O(n^2 k (nk + log 1/ε)) where:
• F_2^t is k-wise ε-dependent
• gap(H_{F_2,k}) is Ω(1/(n^2 k))