Derandomized Constructions of k-Wise (Almost) Independent Permutations - PowerPoint PPT Presentation

About This Presentation
Title:

Derandomized Constructions of k-Wise (Almost) Independent Permutations

Description:

Title: Foundations of Cryptography Lecture 2 Author: Administrator Last modified by: Admin Created Date: 10/31/2003 10:32:22 AM Document presentation format – PowerPoint PPT presentation

Number of Views:69
Avg rating:3.0/5.0
Slides: 41
Provided by: wisdomWei2
Category:

less

Transcript and Presenter's Notes

Title: Derandomized Constructions of k-Wise (Almost) Independent Permutations


1
Derandomized Constructions of k-Wise (Almost)
Independent Permutations
  • Eyal Kaplan Moni Naor Omer Reingold

Weizmann Institute of Science
Tel-Aviv University
2
k-wise independent functions
  • a family of functions
  • G g g 0,1n ? 0,1n
  • is called k-wise independent if
  • g 2R G is indistinguishable from a random
    function f
  • for any process that receives g(x) on at most k
    points
  • 8 x1, x1, xk 2 0,1n ,
  • 8A 0,1nk ? 0,1
  • Probg 2 GA(g(x1), , g(xk)) 1
  • ProbfA(f(x1), f(xk)) 1

A great success story
3
k-wise independent functions
  • Simple construction
  • Let a G be the family of polynomials over GF(2n)
    of degree at most k-1
  • Then
  • G is k-wise independent
  • 8 x1, x2, xk, 8 y1, y2, yk, there is a unique
    g 2 G such that g(xi) yi
  • The description of g 2 G is kn bits long
  • This is tight
  • Cannot hope to get a shorter description

4
What about k-wise independent permutations?
  • Suppose that G g g 0,1n ? 0,1n
  • Should be a family of permutations
  • 1-1 and length preserving
  • g 2R G is indistinguishable from a random
    permutation f
  • for any process that receives g(x) on at most k
    points

5
Pair-wise independent permutations
  • Simple construction
  • G ga,b(x) ax b a, b ? GF(2n), a ? 0
  • for all
  • x1, x2 ?0,1n and y1, y2 ?0,1n where x1 ? x2
    and y1 ? y2
  • there is a unique ga,b 2 G such that
  • ga,b(x1) ax1b y1
  • and
  • ga,b(x2) ax2b y2
  • What about larger k?
  • For k3 there is a similar algebraic construction
  • For kgt3 no known construction of non-trivial size

6
Relaxation k-wise almost independent permutations
  • Suppose that G g g 0,1n ? 0,1n
  • Should be a family of permutations
  • 1-1 and length preserving
  • g 2R G is at most ?-distinguishable from a random
    permutation f
  • for any process that receives g(x) on at most
    k points
  • the advantage of distinguishing g 2R G from a
    truly random permutation is at most ?
  • 8 x1, x1, xk, the variation distance of
  • g(x1), , g(xk) for g 2R G
  • and
  • y1, y2, yk a random k-tuple with no repetitions
  • is at most ?

For ?0 we have k-wise independence
Should we allow inverses?
Should we allow adaptive queries?
7
Main Result
  • For any n, k and ?
  • There is an explicit construction of a family
  • G g g 0,1n ? 0,1n
  • of k-wise ?-dependent permutations
  • where the description of each g 2 G is
  • O(kn log 1/?) bits long
  • Can sample from the family and evaluate a
    permutation in time poly(k, n, log 1/?)

Optimal up to the log 1/?
8
Summary of Previous Work and Results
Good for small k and moderate ?
Family Description Length Range of Queries
Feistel Luby-Rackoff nkO(n) O(nk dlog(?0 /?)e) k lt2n/4, ?0k2/2n/2 k lt 2n/2, ? ?0
Simple 3 bit Permutations O(n2k(nklog(1/?)) k 2n-2
Card Shuffling Thorp Shuffle O(n45klog(1/?)) k 2n
Non constructive O(nk log(1/?)) O(nk) sample space k 2n
This work O(nk log(1/?)) k 2n
9
Techniques and Ideas
  • Let F f f 0,1n ? 0,1n be a family of
    permutations
  • Each f 2 F described by w bits
  • Denote by Ft the family of permutations obtained
    by composing f1, f2, ft 2R F
  • Suppose that Ft is k-wise ?-dependent
  • The description of f 2 Ft is wt bits
  • We will show a technique to derandomize such
    constructions and look at a much smaller subset G
    of the t-tuples of F
  • The description of g 2 G would be roughly O(wt)
    bits

Many known constructions can be described as
such
10
Pseudo-randomness fooling bounded space machines
  • A function h0,1 ? 0,1 such that
  • on random input the output is indistinguishable
    from a string chosen uniformly at random
  • to any process using s bits of memory
  • Branching program
  • Expands the input
  • Is called a pseudo-random generator for space s
    machines

h
b2
bl
b1
s

2s
0
1
b1
b2
bl
11
First Idea apply pseudo-random generators for
fooling bounded space algorithm
h is a generator that fools branching programs of
width knw
input
h

f2
ft
f1
w bits
  • The possible assignments to the input of h define
    the collection G

12
Where is the bounded space coming from?
  • Suppose that G ½ Ft is not k-wise ?-dependent
  • Then there are x1, x2, , xk which witness it
  • How much space does the algorithm for evaluating
    gf1?f2? ?ft2 G on these points
    require?
  • Scanning f1, f2, ft from left to right and
    gradually evaluating g on all x1, x2, xk
    simultaneously
  • need only kn w bits - As a branching program
  • Therefore if the wt bits describing them are
    generated by a process that fools all kn w bit
    branching programs
  • Then the distribution of g(x1), g(x2), , g(xk)
    for g 2R G
  • is similar to
  • The distribution of f(x1), f(x2), , f(xk) for
    ff1?f2? ?ft for independent fi
  • Conclusion G is k-wise ?-dependent

13
Parameters of space bounded generators
  • For an ideal generator this method takes
  • O(kn log 1/? w log t) bits
  • No such explicit generator is known
  • No known good enough generator
  • all introduce extra polylog factors
  • Indyk, Sivakumar previous proposals for using
    space generators for combinatorial constructions
  • When space is not an explicit issue

14
Second idea use pseudo-random generators for
random walks
  • Generate f1, f2, ft 2 F via a pseudo random
    generator for random walks
  • Ones which are indistinguishable from random for
    any consistently labeled graph
  • Such walk generators exist
  • Implicitly Reingolds SLL
  • Explicitly Reingold, Trevisan and Vadhan
  • Show how to apply them in the context of k-wise
    independent permutations
  • Using previous constructions to define the graph

15
Graphs
  • Let H (V,E) be a d-regular graph on m nodes
  • Normalized adjacency matrix divide each entry
    by d
  • Eigenvalues 1 ?1 ?2 ? ?n
  • Let ?(H) be the second eigenvalue in absolute
    value.
  • ?(H) max ?2 , ?n
  • The spectral gap of H is gap(H) 1- ?(H)
  • ?(H) governs the mixing rate of a random walk on
    H

16
Pseudo-random generators for walks
  • Call a labeled graph H(V,E) an (m,d,?)-graph if
  • V m
  • Each node has d outgoing edges
  • The labeling is consistent all incoming labels
    are distinct
  • the second eigenvalue in absolute value ?(H)
    ?
  • A pseudo-random generator for random walks on
    H(V,E) is a mapping
  • G0,1 ? dl
  • where for any starting node v 2 V the
    distributions of a walk starting from v
  • chosen from G via a random input
  • and
  • truly random walk
  • are ? close
  • For long enough walks and for graphs with large
    spectral gaps a random walk ends in a random node

3
2
1
Defines a walk of length l
17
The RTV Generator
  • For any m, d, ? and ? there is a pseudo-random
    generator for all (m,d,1-?)-graphs
  • PRGm,d, ?,?0,1r ? dl
  • With the following parameters
  • Seed length r 2 O(log (m d / ? ? ))
  • Walk length l 2 O(poly(1/?) log (m d / ? ))
  • Computable in space O( log (m d / ? ? )) and
    time poly(1/?, log (m d / ? ))
  • Such that
  • for any starting point v 2 V
  • a walk generated by PRGm,d, ?,? walk yields an
    end point that is ? close to uniform
  • For graphs with
  • large enough spectral gap ?(1/polylog m)
  • arbitrary degree
  • need only log m random bits to get to a random
    location
  • in polylog m steps

18
k-Companion graph
  • Let
  • N 2n
  • Nk be set of all k-tuples of distinct n-bit
    strings
  • Let F be a family of permutations.
  • Then GF,k (V,E) is the k-companion graph of F,
    where
  • V Nk
  • E (z,?(z)) z 2 Nk , ? 2 F)
  • Each edge (z,?(z)) 2 E is labeled by ?

z1, z2, zk
?
?(z1), ?(z2), ?(zk)
19
Properties of the Companion Graph
  • Let F be a family of permutations. If F
  • is closed under inverses
  • and
  • contains the identity permutation.
  • Then HF,k, the k-companion graph of F, is
  • An undirected F-regular graph
  • With self-loops
  • Consistently labeled

z1, z2, zk
?
The analysis of k-wise independence is via
showing a spectral gap of HF,k
?(z1), ?(z2), ?(zk)
20
k-wise independence and random walks
  • If Ft yields a family of permutations that is
    k-wise ?-dependent, then in the companion graph
    HF,k
  • for any node z 2 Nk a random walk from z is
    ?-close to uniform
  • Otherwise this z is a witness to the non k-wise
    ?-dependence

21
The construction
  • Generate f1, f2, ft 2 F via a pseudo random
    generator for random walks on HF,k , the
    k-companion graph of F
  • f1, f2, ft are the labels of the walk.
  • The resulting permutation is gf1?f2? ?ft
  • Use PRGm,d, ?,?0,1r ? dl for
  • m Nk
  • d F
  • r 2 O(log (2nk F / ? ? ))
  • ? comes from the analysis of the original
    construction Ft
  • gap(HF,k) ?
  • ? is how close we want to be to a k-wise
    independent permutation

22
The resulting parameters
  • The resulting family G of permutations is
  • A family of k-wise ?-dependent permutations
  • The description of each g 2 G is
  • O(nk log F log(1/? ?) ) bits
  • If the time to evaluate f(x) for f 2 F is ?(n,k),
  • then the time complexity of evaluating g 2 G is
  • poly(1/?, n, k, log (F / ? )) ?(n,k)
  • Need to open up the description of f1, f2,
    ft

23
Summary of Previous Work and Results
Family Description Length Range of Queries
Feistel Luby-Rackoff nkO(n) O(nk dlog(?0 /?)e) k lt2n/4, ?0k2/2n/2 k lt 2n/2, ? ?0
Simple 3 bit Permutations O(n2k(nklog(1/?)) k 2n-2
Card Shuffling Thorp Shuffle O(n45klog(1/?)) k 2n
Non constructive O(nk log(1/?)) O(nk) sample space k 2n
This work O(nk log(1/?)) k 2n
  • Proposed and analyzed by
  • Gowers
  • Hoory, Magen, Myers and Rackoff
  • Brodsky and Hoory

24
Resulting Parameters with Simple 3-bit Permutation
  • Theorem BH There is a family of simple
    permutations F2
  • s.t. for all 2 k 2n-2 there is a t 2 O(n2
    k(nklog 1/?)) where
  • F2t is k-wise ?-dependent
  • gap(HF2,k) is ?(1/n2 k)
  • Description of f 2 F2 is O(log(n3)) bits
  • Therefore description of each g 2 G is
  • O(nk log(n3) log(n2 k / ?)) bits

25
Open Problems
  • Get rid of the dependency on ?
  • Come up with exact k-wise independent
    permutations of reasonable size
  • or
  • Show a reason why it is difficult to construct
    them
  • How about using permutation polynomials
  • Over fields hard problem
  • Rivest Simple characterization for mod 2n
  • Is it useful?

26
Time complexity of the permutation
  • The RTV Generator increases the length of the
    walk
  • The general space generator does not increase it
  • Is it possible to get the best of both worlds?

27
Efficiency of evaluating k-wise independent
permutations and functions
  • What about the time to evaluate g on a given
    point x
  • Want a representation where the evaluation does
    not involve reading the entire description of g
  • Even for functions in the simple construction
    need to read all the bits
  • Siegel Some lower and upper bounds for functions
  • Question given either
  • k-wise independent function
  • or
  • k-wise independent permutation over larger range
  • Come up with a good construction of k-wise
    independent permutation with a small evaluation
    time and black-box calls to the given
    function/permutation
  • What if the domain size N is not a power of 2?
  • Open only for small k

Using good extractors
28
The End
29
Simulating Random Objects
  • Want to simulate a large random object using a
    succinct one
  • Capturing essential properties of the random
    object
  • Prominent example simulating a random function
  • f0,1n ? 0,1n
  • Want to come up with a small family of functions
    G
  • so that g 2R G simulates a truly random f0,1n
    ? 0,1n
  • Natural way to phrase simulation limited access

30
The spectral gap of a companion graph
  • Observation
  • In many cases the analysis of a k-wise
    independent permutation is via showing a spectral
    gap of HF,k
  • In some sense necessary

31
Consistent Labeling
  • A labeling of a d regular graph is consistent if
    all incoming labels are distinct
  • Relevant for both directed and undirected graphs
  • For directed graphs want biregularity

3
2
1
32
k-wise permutations over other domains
  • What if the domain size N is not a power of 2
  • The card shuffling approach are hard to adapt
  • Can use Feistel network to get some results
  • Can reduce size by fixed fraction
  • Cycle walking
  • Need to take k-wise for
  • k 2 O(klog 1/?)
  • Problem if k is small

33
The credit card problem
  • Find a simple reduction from permutations on
    large blocks to small blocks
  • Preserving the properties of the original
    permutation
  • Time-wise
  • Security

34
Motivating example permuting credit card numbers
  • To reduce fraud want to permute credit card
    numbers

35
Motivating example permuting credit card numbers
  • To reduce fraud want to permute credit card
    numbers
  • Size of set roughly 240 (ignoring the first 4
    digits)
  • Only trusted servers will have access to the
    permutation
  • An adversary that sees only a limited number of
    permuted cc numbers should not be able to obtain
    information on any other card
  • For which it sees only the permuted value
  • Want a way to spread the permutation to the
    trusted servers
  • Need a succinct representation
  • No such construction known
  • even based on cryptographic primitives

36
Block-Ciphers
  • Shared-key encryption schemes where
  • The encryption of every plaintext block is a
    ciphertext block of the same length.
  • Important Examples DES, AES
  • How to go from block size 64 to block size 40?
  • Complexity based concept modeling them
  • Pseudo-Random Permutations

Block size 64 bits
37
Block-ciphers and k-wise independent permutations
  • The two notions are related
  • But some important differences
  • Example dynamic vs. static attacks

38
Pseudo-randomness fooling bounded space machines
  • A function h0,1 ? 0,1 such that
  • on random input the output is indistinguishable
    from a string chosen uniformly at random
  • to any process using s bits of memory
  • Branching program
  • Expands the input
  • Is called a pseudo-random generator for space s
    machines

h
b2
bl
b1
s

2s
0
1
b1
b2
bl
39
First Idea apply pseudo-random generators for
fooling bounded space algorithm
input
h

f2
ft
f1
w bits
  • The possible assignments to the input of h define
    G

40
Where is the bounded space coming from?
  • Suppose that G ½ Ft is not k-wise ?-dependent
  • Then there are x1, x2, , xk which witness it
  • How much space does the algorithm for evaluating
    gf1?f2? ?ft2 G on these points
    require?
  • Scanning f1, f2, ft from left to right and
    gradually evaluating g on all x1, x2, xk
    simultaneously
  • need only kn w bits - As a branching program
  • Therefore if the wt bits describing them are
    generated by a process that fools all kn w bit
    branching programs
  • Then the distribution of g(x1), g(x2), , g(xk)
    for g 2R G
  • is similar to
  • The distribution of f(x1), f(x2), , f(xk) for
    ff1?f2? ?ft for independent fi
  • Conclusion G is k-wise ?-dependent

41
Parameters of space bounded generators
  • For an ideal generator this method takes
  • O(kn log 1/? w log t) bits
  • No such explicit generator is known
  • Best known ones introduce additional polylog
    factors
  • Indyk, Sivakumar previous proposals for using
    space generators for combinatorial constructions
  • When space is not an explicit issue

42
Simple 3 bit Permutations
  • An approach for generating simple permutations by
    changing a fixed number of bits in each round
  • Each permutation is defined by
  • A small subset of the indices
  • A permutation ? that maps the subset of the bits
    to their new value
  • Proposed and analyzed by
  • Gowers
  • Hoory, Magen, Myers and Rackoff
  • Brodsky and Hoory

?( )
43
Simple 3 bit Permutations
  • For
  • Boolean function on c bits f?0,1?c ? ?0,1?
  • Subset S i0, i1, ic ½ n
  • define a Permutation ?f,S?0,1?n ? ?0,1?n where
  • ?f,S(x1, x2, , xn)
  • (x1, , xi0-1, xi ? f(xi1, , xic), xi01, ,
    xn)
  • Note that ?f,S is an involution Inverse of
    itself
  • Let F2 ?f,S f?0,1?2 ? ?0,1?, S ½ n,
    S3
  • Theorem Brodsky-Hoory
  • For all 2 k 2n-2 there is a t 2 O(n2 k(nklog
    1/?)) where
  • F2t is k-wise ?-dependent
  • gap(HF2,k) is ?(1/n2 k)

44
The End
Write a Comment
User Comments (0)
About PowerShow.com