Derandomized Constructions of k-Wise (Almost) Independent Permutations

1
Derandomized Constructions of k-Wise (Almost)
Independent Permutations

• Eyal Kaplan Moni Naor Omer Reingold

Weizmann Institute of Science
Tel-Aviv University
2
k-wise independent functions

• a family of functions
• G g g 0,1n ? 0,1n
• is called k-wise independent if
• g 2R G is indistinguishable from a random
  function f
• for any process that receives g(x) on at most k
  points
• 8 x1, x1, xk 2 0,1n ,
• 8A 0,1nk ? 0,1
• Probg 2 GA(g(x1), , g(xk)) 1
• ProbfA(f(x1), f(xk)) 1

A great success story
3
k-wise independent functions

• Simple construction
• Let a G be the family of polynomials over GF(2n)
  of degree at most k-1
• Then
• G is k-wise independent
• 8 x1, x2, xk, 8 y1, y2, yk, there is a unique
  g 2 G such that g(xi) yi
• The description of g 2 G is kn bits long
• This is tight
• Cannot hope to get a shorter description

4
What about k-wise independent permutations?

• Suppose that G g g 0,1n ? 0,1n
• Should be a family of permutations
• 1-1 and length preserving
• g 2R G is indistinguishable from a random
  permutation f
• for any process that receives g(x) on at most k
  points

5
Pair-wise independent permutations

• Simple construction
• G ga,b(x) ax b a, b ? GF(2n), a ? 0
• for all
• x1, x2 ?0,1n and y1, y2 ?0,1n where x1 ? x2
  and y1 ? y2
• there is a unique ga,b 2 G such that
• ga,b(x1) ax1b y1
• and
• ga,b(x2) ax2b y2
• What about larger k?
• For k3 there is a similar algebraic construction
• For kgt3 no known construction of non-trivial size

6
Relaxation k-wise almost independent permutations

• Suppose that G g g 0,1n ? 0,1n
• Should be a family of permutations
• 1-1 and length preserving
• g 2R G is at most ?-distinguishable from a random
  permutation f
• for any process that receives g(x) on at most
  k points
• the advantage of distinguishing g 2R G from a
  truly random permutation is at most ?
• 8 x1, x1, xk, the variation distance of
• g(x1), , g(xk) for g 2R G
• and
• y1, y2, yk a random k-tuple with no repetitions
  
• is at most ?

For ?0 we have k-wise independence
Should we allow inverses?
Should we allow adaptive queries?
7
Main Result

• For any n, k and ?
• There is an explicit construction of a family
• G g g 0,1n ? 0,1n
• of k-wise ?-dependent permutations
• where the description of each g 2 G is
• O(kn log 1/?) bits long
• Can sample from the family and evaluate a
  permutation in time poly(k, n, log 1/?)

Optimal up to the log 1/?
8
Summary of Previous Work and Results
Good for small k and moderate ?
Family Description Length Range of Queries
Feistel Luby-Rackoff nkO(n) O(nk dlog(?0 /?)e) k lt2n/4, ?0k2/2n/2 k lt 2n/2, ? ?0
Simple 3 bit Permutations O(n2k(nklog(1/?)) k 2n-2
Card Shuffling Thorp Shuffle O(n45klog(1/?)) k 2n
Non constructive O(nk log(1/?)) O(nk) sample space k 2n
This work O(nk log(1/?)) k 2n
9
Techniques and Ideas

• Let F f f 0,1n ? 0,1n be a family of
  permutations
• Each f 2 F described by w bits
• Denote by Ft the family of permutations obtained
  by composing f1, f2, ft 2R F
• Suppose that Ft is k-wise ?-dependent
• The description of f 2 Ft is wt bits
• We will show a technique to derandomize such
  constructions and look at a much smaller subset G
  of the t-tuples of F
• The description of g 2 G would be roughly O(wt)
  bits

Many known constructions can be described as
such
10
Pseudo-randomness fooling bounded space machines

• A function h0,1 ? 0,1 such that
• on random input the output is indistinguishable
  from a string chosen uniformly at random
• to any process using s bits of memory
• Branching program
• Expands the input
• Is called a pseudo-random generator for space s
  machines

h
b2
bl
b1
s

2s
0
1
b1
b2
bl
11
First Idea apply pseudo-random generators for
fooling bounded space algorithm
h is a generator that fools branching programs of
width knw
input
h

f2
ft
f1
w bits

• The possible assignments to the input of h define
  the collection G

12
Where is the bounded space coming from?

• Suppose that G ½ Ft is not k-wise ?-dependent
• Then there are x1, x2, , xk which witness it
• How much space does the algorithm for evaluating
  gf1?f2? ?ft2 G on these points
  require?
• Scanning f1, f2, ft from left to right and
  gradually evaluating g on all x1, x2, xk
  simultaneously
• need only kn w bits - As a branching program
• Therefore if the wt bits describing them are
  generated by a process that fools all kn w bit
  branching programs
• Then the distribution of g(x1), g(x2), , g(xk)
  for g 2R G
• is similar to
• The distribution of f(x1), f(x2), , f(xk) for
  ff1?f2? ?ft for independent fi
• Conclusion G is k-wise ?-dependent

13
Parameters of space bounded generators

• For an ideal generator this method takes
• O(kn log 1/? w log t) bits
• No such explicit generator is known
• No known good enough generator
• all introduce extra polylog factors
• Indyk, Sivakumar previous proposals for using
  space generators for combinatorial constructions
• When space is not an explicit issue

14
Second idea use pseudo-random generators for
random walks

• Generate f1, f2, ft 2 F via a pseudo random
  generator for random walks
• Ones which are indistinguishable from random for
  any consistently labeled graph
• Such walk generators exist
• Implicitly Reingolds SLL
• Explicitly Reingold, Trevisan and Vadhan
• Show how to apply them in the context of k-wise
  independent permutations
• Using previous constructions to define the graph

15
Graphs

• Let H (V,E) be a d-regular graph on m nodes
• Normalized adjacency matrix divide each entry
  by d
• Eigenvalues 1 ?1 ?2 ? ?n
• Let ?(H) be the second eigenvalue in absolute
  value.
• ?(H) max ?2 , ?n
• The spectral gap of H is gap(H) 1- ?(H)
• ?(H) governs the mixing rate of a random walk on
  H

16
Pseudo-random generators for walks

• Call a labeled graph H(V,E) an (m,d,?)-graph if
• V m
• Each node has d outgoing edges
• The labeling is consistent all incoming labels
  are distinct
• the second eigenvalue in absolute value ?(H)
  ?
• A pseudo-random generator for random walks on
  H(V,E) is a mapping
• G0,1 ? dl
• where for any starting node v 2 V the
  distributions of a walk starting from v
• chosen from G via a random input
• and
• truly random walk
• are ? close
• For long enough walks and for graphs with large
  spectral gaps a random walk ends in a random node

3
2
1
Defines a walk of length l
17
The RTV Generator

• For any m, d, ? and ? there is a pseudo-random
  generator for all (m,d,1-?)-graphs
• PRGm,d, ?,?0,1r ? dl
• With the following parameters
• Seed length r 2 O(log (m d / ? ? ))
• Walk length l 2 O(poly(1/?) log (m d / ? ))
• Computable in space O( log (m d / ? ? )) and
  time poly(1/?, log (m d / ? ))
• Such that
• for any starting point v 2 V
• a walk generated by PRGm,d, ?,? walk yields an
  end point that is ? close to uniform

• For graphs with
• large enough spectral gap ?(1/polylog m)
• arbitrary degree
• need only log m random bits to get to a random
  location
• in polylog m steps

18
k-Companion graph

• Let
• N 2n
• Nk be set of all k-tuples of distinct n-bit
  strings
• Let F be a family of permutations.
• Then GF,k (V,E) is the k-companion graph of F,
  where
• V Nk
• E (z,?(z)) z 2 Nk , ? 2 F)
• Each edge (z,?(z)) 2 E is labeled by ?

z1, z2, zk
?
?(z1), ?(z2), ?(zk)
19
Properties of the Companion Graph

• Let F be a family of permutations. If F
• is closed under inverses
• and
• contains the identity permutation.
• Then HF,k, the k-companion graph of F, is
• An undirected F-regular graph
• With self-loops
• Consistently labeled

z1, z2, zk
?
The analysis of k-wise independence is via
showing a spectral gap of HF,k
?(z1), ?(z2), ?(zk)
20
k-wise independence and random walks

• If Ft yields a family of permutations that is
  k-wise ?-dependent, then in the companion graph
  HF,k
• for any node z 2 Nk a random walk from z is
  ?-close to uniform
• Otherwise this z is a witness to the non k-wise
  ?-dependence

21
The construction

• Generate f1, f2, ft 2 F via a pseudo random
  generator for random walks on HF,k , the
  k-companion graph of F
• f1, f2, ft are the labels of the walk.
• The resulting permutation is gf1?f2? ?ft
• Use PRGm,d, ?,?0,1r ? dl for
• m Nk
• d F
• r 2 O(log (2nk F / ? ? ))
• ? comes from the analysis of the original
  construction Ft
• gap(HF,k) ?
• ? is how close we want to be to a k-wise
  independent permutation

22
The resulting parameters

• The resulting family G of permutations is
• A family of k-wise ?-dependent permutations
• The description of each g 2 G is
• O(nk log F log(1/? ?) ) bits
• If the time to evaluate f(x) for f 2 F is ?(n,k),
  
• then the time complexity of evaluating g 2 G is
• poly(1/?, n, k, log (F / ? )) ?(n,k)
• Need to open up the description of f1, f2,
  ft

23
Summary of Previous Work and Results
Family Description Length Range of Queries
Feistel Luby-Rackoff nkO(n) O(nk dlog(?0 /?)e) k lt2n/4, ?0k2/2n/2 k lt 2n/2, ? ?0
Simple 3 bit Permutations O(n2k(nklog(1/?)) k 2n-2
Card Shuffling Thorp Shuffle O(n45klog(1/?)) k 2n
Non constructive O(nk log(1/?)) O(nk) sample space k 2n
This work O(nk log(1/?)) k 2n

• Proposed and analyzed by
• Gowers
• Hoory, Magen, Myers and Rackoff
• Brodsky and Hoory

24
Resulting Parameters with Simple 3-bit Permutation

• Theorem BH There is a family of simple
  permutations F2
• s.t. for all 2 k 2n-2 there is a t 2 O(n2
  k(nklog 1/?)) where
• F2t is k-wise ?-dependent
• gap(HF2,k) is ?(1/n2 k)
• Description of f 2 F2 is O(log(n3)) bits
• Therefore description of each g 2 G is
• O(nk log(n3) log(n2 k / ?)) bits

25
Open Problems

• Get rid of the dependency on ?
• Come up with exact k-wise independent
  permutations of reasonable size
• or
• Show a reason why it is difficult to construct
  them
• How about using permutation polynomials
• Over fields hard problem
• Rivest Simple characterization for mod 2n
• Is it useful?

26
Time complexity of the permutation

• The RTV Generator increases the length of the
  walk
• The general space generator does not increase it
• Is it possible to get the best of both worlds?

27
Efficiency of evaluating k-wise independent
permutations and functions

• What about the time to evaluate g on a given
  point x
• Want a representation where the evaluation does
  not involve reading the entire description of g
• Even for functions in the simple construction
  need to read all the bits
• Siegel Some lower and upper bounds for functions
• Question given either
• k-wise independent function
• or
• k-wise independent permutation over larger range
• Come up with a good construction of k-wise
  independent permutation with a small evaluation
  time and black-box calls to the given
  function/permutation
• What if the domain size N is not a power of 2?
• Open only for small k

Using good extractors
28
The End
29
Simulating Random Objects

• Want to simulate a large random object using a
  succinct one
• Capturing essential properties of the random
  object
• Prominent example simulating a random function
• f0,1n ? 0,1n
• Want to come up with a small family of functions
  G
• so that g 2R G simulates a truly random f0,1n
  ? 0,1n
• Natural way to phrase simulation limited access

30
The spectral gap of a companion graph

• Observation
• In many cases the analysis of a k-wise
  independent permutation is via showing a spectral
  gap of HF,k
• In some sense necessary

31
Consistent Labeling

• A labeling of a d regular graph is consistent if
  all incoming labels are distinct
• Relevant for both directed and undirected graphs
• For directed graphs want biregularity

3
2
1
32
k-wise permutations over other domains

• What if the domain size N is not a power of 2
• The card shuffling approach are hard to adapt
• Can use Feistel network to get some results
• Can reduce size by fixed fraction
• Cycle walking
• Need to take k-wise for
• k 2 O(klog 1/?)
• Problem if k is small

33
The credit card problem

• Find a simple reduction from permutations on
  large blocks to small blocks
• Preserving the properties of the original
  permutation
• Time-wise
• Security

34
Motivating example permuting credit card numbers

• To reduce fraud want to permute credit card
  numbers

35
Motivating example permuting credit card numbers

• To reduce fraud want to permute credit card
  numbers
• Size of set roughly 240 (ignoring the first 4
  digits)
• Only trusted servers will have access to the
  permutation
• An adversary that sees only a limited number of
  permuted cc numbers should not be able to obtain
  information on any other card
• For which it sees only the permuted value
• Want a way to spread the permutation to the
  trusted servers
• Need a succinct representation
• No such construction known
• even based on cryptographic primitives

36
Block-Ciphers

• Shared-key encryption schemes where
• The encryption of every plaintext block is a
  ciphertext block of the same length.
• Important Examples DES, AES
• How to go from block size 64 to block size 40?
• Complexity based concept modeling them
• Pseudo-Random Permutations

Block size 64 bits
37
Block-ciphers and k-wise independent permutations

• The two notions are related
• But some important differences
• Example dynamic vs. static attacks

38
Pseudo-randomness fooling bounded space machines

• A function h0,1 ? 0,1 such that
• on random input the output is indistinguishable
  from a string chosen uniformly at random
• to any process using s bits of memory
• Branching program
• Expands the input
• Is called a pseudo-random generator for space s
  machines

h
b2
bl
b1
s

2s
0
1
b1
b2
bl
39
First Idea apply pseudo-random generators for
fooling bounded space algorithm
input
h

f2
ft
f1
w bits

• The possible assignments to the input of h define
  G

40
Where is the bounded space coming from?

• Suppose that G ½ Ft is not k-wise ?-dependent
• Then there are x1, x2, , xk which witness it
• How much space does the algorithm for evaluating
  gf1?f2? ?ft2 G on these points
  require?
• Scanning f1, f2, ft from left to right and
  gradually evaluating g on all x1, x2, xk
  simultaneously
• need only kn w bits - As a branching program
• Therefore if the wt bits describing them are
  generated by a process that fools all kn w bit
  branching programs
• Then the distribution of g(x1), g(x2), , g(xk)
  for g 2R G
• is similar to
• The distribution of f(x1), f(x2), , f(xk) for
  ff1?f2? ?ft for independent fi
• Conclusion G is k-wise ?-dependent

41
Parameters of space bounded generators

• For an ideal generator this method takes
• O(kn log 1/? w log t) bits
• No such explicit generator is known
• Best known ones introduce additional polylog
  factors
• Indyk, Sivakumar previous proposals for using
  space generators for combinatorial constructions
• When space is not an explicit issue

42
Simple 3 bit Permutations

• An approach for generating simple permutations by
  changing a fixed number of bits in each round
• Each permutation is defined by
• A small subset of the indices
• A permutation ? that maps the subset of the bits
  to their new value
• Proposed and analyzed by
• Gowers
• Hoory, Magen, Myers and Rackoff
• Brodsky and Hoory

?( )
43
Simple 3 bit Permutations

• For
• Boolean function on c bits f?0,1?c ? ?0,1?
• Subset S i0, i1, ic ½ n
• define a Permutation ?f,S?0,1?n ? ?0,1?n where
  
• ?f,S(x1, x2, , xn)
• (x1, , xi0-1, xi ? f(xi1, , xic), xi01, ,
  xn)
• Note that ?f,S is an involution Inverse of
  itself
• Let F2 ?f,S f?0,1?2 ? ?0,1?, S ½ n,
  S3
• Theorem Brodsky-Hoory
• For all 2 k 2n-2 there is a t 2 O(n2 k(nklog
  1/?)) where
• F2t is k-wise ?-dependent
• gap(HF2,k) is ?(1/n2 k)

44
The End