Derandomized Constructions of k-Wise (Almost) Independent Permutations
Eyal Kaplan Moni Naor Omer Reingold
Weizmann Institute of Science, Tel-Aviv University
k-wise independent functions
A family of functions G = {g | g: {0,1}^n → {0,1}^n} is called k-wise independent if:
g ∈_R G (g chosen uniformly at random from G) is indistinguishable from a random function f for any process that receives g(x) on at most k points
∀ x1, x2, … xk ∈ {0,1}^n, ∀ A: {0,1}^{nk} → {0,1}:
Prob_{g ∈ G}[A(g(x1), …, g(xk)) = '1'] = Prob_f[A(f(x1), …, f(xk)) = '1']
A great success story
k-wise independent functions: simple construction
• Let G be the family of polynomials over GF(2^n) of degree at most k-1. Then G is k-wise independent:
  ∀ distinct x1, x2, … xk, ∀ y1, y2, … yk, there is a unique g ∈ G such that g(xi) = yi
• The description of g ∈ G is k·n bits long
• This is tight
  – Cannot hope to get a shorter description
What about k-wise independent permutations?
Suppose that G = {g | g: {0,1}^n → {0,1}^n}
• Should be a family of permutations
  – 1-1 and length preserving
• g ∈_R G is indistinguishable from a random permutation f for any process that receives g(x) on at most k points
Pair-wise independent permutations: simple construction
G = {g_{a,b}(x) = a·x + b | a, b ∈ GF(2^n), a ≠ 0}
• For all x1, x2 ∈ {0,1}^n and y1, y2 ∈ {0,1}^n where x1 ≠ x2 and y1 ≠ y2, there is a unique g_{a,b} ∈ G such that
  – g_{a,b}(x1) = a·x1 + b = y1 and
  – g_{a,b}(x2) = a·x2 + b = y2
What about larger k?
  – For k=3 there is a similar algebraic construction
  – For k>3 no known construction of non-trivial size
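Both algebraic constructions above (polynomials of degree at most k-1 for functions, a·x+b with a ≠ 0 for permutations) can be checked exhaustively over a small field. The following Python is an added example, not code from the talk or the paper: it implements GF(2^3) arithmetic directly and computes, for a whole family, the worst-case variation distance of (g(x1), …, g(xk)) from the ideal distribution, so 0 confirms exact k-wise independence and a positive value is the ε of the "almost independent" relaxation. It also shows the slide's point about larger k: the affine permutations are exactly pairwise independent but far from 3-wise independent, since g(x3) is determined once g(x1) and g(x2) are fixed. The moduli and all function names (gf_mul, polynomial_family, affine_permutations, distance_from_k_wise_independence) are this example's own choices.

```python
from collections import Counter
from fractions import Fraction
from itertools import permutations, product

# Irreducible polynomials defining GF(2^n) for the field sizes used here
# (a constructed choice for this example: x^3 + x + 1 and x^4 + x + 1).
MODULUS = {3: 0b1011, 4: 0b10011}


def gf_mul(a, b, n):
    """Multiply two elements of GF(2^n), each stored as an n-bit integer."""
    poly = MODULUS[n]
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:        # reduce as soon as the degree-n term appears
            a ^= poly
    return r


def poly_eval(coeffs, x, n):
    """Evaluate c0 + c1*x + ... + c_{k-1}*x^{k-1} over GF(2^n) (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x, n) ^ c
    return acc


def polynomial_family(n, k):
    """All polynomials of degree at most k-1 over GF(2^n): the k-wise independent
    function family of the talk. Each g is returned as its table of values on
    {0,1}^n; its description is the k coefficients, i.e. k*n bits."""
    q = 1 << n
    return [tuple(poly_eval(c, x, n) for x in range(q))
            for c in product(range(q), repeat=k)]


def affine_permutations(n):
    """g_{a,b}(x) = a*x + b with a != 0: the pairwise independent permutations."""
    q = 1 << n
    return [tuple(gf_mul(a, x, n) ^ b for x in range(q))
            for a in range(1, q) for b in range(q)]


def distance_from_k_wise_independence(family, n, k, permutations_only):
    """Largest variation distance, over all k-tuples of distinct inputs x1..xk,
    between (g(x1),...,g(xk)) for g uniform in `family` and the ideal:
    uniform over all k-tuples of outputs (functions) or over k-tuples with no
    repeated entry (permutations; the family must then consist of permutations).
    Exact Fraction: 0 means k-wise independent, otherwise the family is
    k-wise eps-dependent for the returned eps."""
    q = 1 << n
    ideal = 1
    for i in range(k):
        ideal *= (q - i) if permutations_only else q
    size = len(family)
    worst = Fraction(0)
    for xs in permutations(range(q), k):
        counts = Counter(tuple(g[x] for x in xs) for g in family)
        total = sum(abs(Fraction(c, size) - Fraction(1, ideal)) for c in counts.values())
        total += Fraction(ideal - len(counts), ideal)   # ideal tuples never produced
        worst = max(worst, total / 2)
    return worst


if __name__ == "__main__":
    n = 3
    print("deg<3 polynomials, k=3:", distance_from_k_wise_independence(polynomial_family(n, 3), n, 3, False))
    print("deg<2 polynomials, k=3:", distance_from_k_wise_independence(polynomial_family(n, 2), n, 3, False))
    print("affine permutations, k=2:", distance_from_k_wise_independence(affine_permutations(n), n, 2, True))
    print("affine permutations, k=3:", distance_from_k_wise_independence(affine_permutations(n), n, 3, True))
```

The distance is computed exactly with Fractions so that "0" really means k-wise independent rather than "close to uniform up to rounding"; the same routine gives the ε of the relaxation defined later in the talk, and for the affine family with k=3 it returns 5/6, the variation distance between a distribution supported on only 56 of the 336 distinct triples and the uniform one.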
Relaxation: k-wise almost independent permutations
Suppose that G = {g | g: {0,1}^n → {0,1}^n}
• Should be a family of permutations
  – 1-1 and length preserving
• g ∈_R G is at most ε-distinguishable from a random permutation f for any process that receives g(x) on at most k points: the advantage of distinguishing g ∈_R G from a truly random permutation is at most ε
  ∀ x1, x2, … xk, the variation distance between
  • g(x1), …, g(xk) for g ∈_R G and
  • y1, y2, … yk, a random k-tuple with no repetitions
  is at most ε
For ε=0 we have k-wise independence
Should we allow adaptive queries?
Should we allow inverses?
Main Result
• For any n, k and ε: there is an explicit construction of a family G = {g | g: {0,1}^n → {0,1}^n} of k-wise ε-dependent permutations where the description of each g ∈ G is O(kn + log 1/ε) bits long
• Can sample from the family and evaluate a permutation in time poly(k, n, log 1/ε)
• Optimal up to the log 1/ε
Summary of Previous Work and Results
Family | Description Length | Range of Queries
Feistel ("Luby-Rackoff") | nk + O(n) | k < 2^{n/4}, ε0 = k²/2^{n/2}
Feistel ("Luby-Rackoff"), iterated | O(nk·⌈log(ε0/ε)⌉) | k < 2^{n/2}, ε ≤ ε0
Simple 3-bit permutations | O(n²k(nk + log(1/ε))) | k ≤ 2^{n-2}
Card shuffling (Thorp shuffle) | O(n^45 k log(1/ε)) | k ≤ 2^n
Non-constructive | O(nk + log(1/ε)), O(nk) sample space | k ≤ 2^n
This work | O(nk + log(1/ε)) | k ≤ 2^n
Callout on the table: good for small k and moderate ε
Techniques and Ideas
• Let F = {f | f: {0,1}^n → {0,1}^n} be a family of permutations
  – Each f ∈ F described by w bits
• Denote by F^t the family of permutations obtained by composing f1, f2, … ft ∈_R F
• Suppose that F^t is k-wise ε-dependent
  – The description of f ∈ F^t is w·t bits
We will show a technique to derandomize such constructions and look at a much smaller subset G of the t-tuples of F
  – The description of g ∈ G would be roughly O(w+t) bits
Many known constructions can be described as such
Pseudo-randomness fooling bounded space machines
• A function h: {0,1}^* → {0,1}^* such that
  – on random input the output is indistinguishable from a string chosen uniformly at random
    • to any process using s bits of memory
  – Branching program
  – Expands the input
is called a pseudo-random generator for space s machines
[Figure: a branching program of width 2^s (s bits of state) reading the output bits b1 b2 … bℓ of h]
First Idea: apply pseudo-random generators for fooling bounded space algorithms
The possible assignments to the input of h define the collection G
[Figure: h expands its input into the descriptions of f1, f2, … ft, w bits each]
h is a generator that fools branching programs with kn+w bits of state (width 2^{kn+w})
Where is the bounded space coming from?
• Suppose that G ⊆ F^t is not k-wise ε-dependent
  – Then there are x1, x2, …, xk which witness it
• How much space does the algorithm for evaluating g = f1∘f2∘…∘ft ∈ G on these points require?
  – Scanning f1, f2, … ft from left to right and gradually evaluating g on all x1, x2, … xk simultaneously needs only kn + w bits, as a branching program
• Therefore: if the w·t bits describing them are generated by a process that fools all (kn + w)-bit branching programs
  – Then the distribution of g(x1), g(x2), …, g(xk) for g ∈_R G is similar to
  – the distribution of f(x1), f(x2), …, f(xk) for f = f1∘f2∘…∘ft with independent fi
Conclusion: G is k-wise ε-dependent
Parameters of space bounded generators
• For an ideal generator: this method takes O(kn + log 1/ε + w + log t) bits
  – No such explicit generator is known
  – No known generator is good enough: all introduce extra polylog factors
• Indyk, Sivakumar: previous proposals for using space generators for combinatorial constructions
  – When space is not an explicit issue
Second idea: use pseudo-random generators for random walks
Generate f1, f2, … ft ∈ F via a pseudo-random generator for random walks: one whose walks are indistinguishable from random for any consistently labeled graph
• Such walk generators exist
  – Implicitly: Reingold's SL=L
  – Explicitly: Reingold, Trevisan and Vadhan
• Show how to apply them in the context of k-wise independent permutations
  – Using previous constructions to define the graph
Pseudo-random generators for walks
• Call a labeled graph H=(V,E) an (m,d,λ)-graph if
  – |V| = m
  – Each node has d outgoing edges
  – The labeling is consistent: all incoming labels are distinct
  – The second eigenvalue in absolute value λ(H) ≤ λ
• A pseudo-random generator for random walks on H=(V,E) is a mapping G: {0,1}^* → [d]^ℓ where for any starting node v ∈ V the distributions of a walk starting from v
  • chosen from G via a random input, and
  • a truly random walk
  are close
For long enough walks and for graphs with large spectral gaps a random walk ends in a random node
[Figure: a node with outgoing edges labeled 3, 2, 1; a sequence of ℓ labels defines a walk of length ℓ]
The RTV Generator
• For any m, d, δ and ε there is a pseudo-random generator for all (m,d,1-δ)-graphs PRG_{m,d,δ,ε}: {0,1}^r → [d]^ℓ with the following parameters:
  – Seed length r ∈ O(log(m·d/(ε·δ)))
  – Walk length ℓ ∈ O(poly(1/δ) log(m·d/ε))
  – Computable in space O(log(m·d/(ε·δ))) and time poly(1/δ, log(m·d/ε))
  such that, for any starting point v ∈ V, a walk generated by PRG_{m,d,δ,ε} yields an end point that is ε-close to uniform
For graphs with
• large enough spectral gap (1/polylog m)
• arbitrary degree
need only log m random bits to get to a random location in polylog m steps
k-Companion graph
Let
  – N = 2^n
  – [N]^k be the set of all k-tuples of distinct n-bit strings
• Let F be a family of permutations. Then H_{F,k} = (V,E) is the k-companion graph of F, where:
  – V = [N]^k
  – E = {(z, σ(z)) | z ∈ [N]^k, σ ∈ F}
• Each edge (z, σ(z)) ∈ E is labeled by σ
[Figure: node (z1, z2, … zk) with an edge labeled σ to (σ(z1), σ(z2), … σ(zk))]
Properties of the Companion Graph
• Let F be a family of permutations. If F
  – is closed under inverses and
  – contains the identity permutation,
  then H_{F,k}, the k-companion graph of F, is:
  • an undirected |F|-regular graph
  • with self-loops
  • consistently labeled
The analysis of k-wise independence is via showing a spectral gap of H_{F,k}
k-wise independence and random walks
• If F^t yields a family of permutations that is k-wise ε-dependent, then in the companion graph H_{F,k}
  – for any node z ∈ [N]^k a random walk of length t from z is ε-close to uniform
  – Otherwise this z is a witness to the non k-wise ε-dependence
The construction
Generate f1, f2, … ft ∈ F via a pseudo-random generator for random walks on H_{F,k}, the k-companion graph of F
• f1, f2, … ft are the labels of the walk
  – The resulting permutation is g = f1∘f2∘…∘ft
• Use PRG_{m,d,δ,ε}: {0,1}^r → [d]^ℓ for
  – m = |[N]^k|
  – d = |F|
  – r ∈ O(log(2^{nk}·|F|/(ε·δ)))
  – δ comes from the analysis of the original construction F^t: gap(H_{F,k}) ≥ δ
  – ε is how close we want to be to a k-wise independent permutation
The resulting parameters
The resulting family G of permutations is:
• A family of k-wise ε-dependent permutations
• The description of each g ∈ G is O(nk + log|F| + log(1/(ε·δ))) bits
• If evaluating f(x) for f ∈ F takes time T(n,k), then the time complexity of evaluating g ∈ G is poly(1/δ, n, k, log(|F|/ε)) · T(n,k)
  – Need to "open up" the description of f1, f2, … ft
Simple 3-bit permutations were proposed and analyzed by Gowers; Hoory, Magen, Myers and Rackoff; and Brodsky and Hoory.
Resulting Parameters with Simple 3-bit Permutations
Theorem [BH]: There is a family of simple permutations F2 s.t. for all 2 ≤ k ≤ 2^{n-2} there is a t ∈ O(n²k(nk + log 1/ε)) where:
  – F2^t is k-wise ε-dependent
  – gap(H_{F2,k}) is Ω(1/(n²k))
• Description of f ∈ F2 is O(log(n³)) bits
Therefore: the description of each g ∈ G is O(nk + log(n³) + log(n²k/ε)) bits
Open Problems
• Get rid of the dependency on ε
  – Come up with exact k-wise independent permutations of reasonable size, or
  – Show a reason why it is difficult to construct them
• How about using permutation polynomials?
  – Over fields: hard problem
  – Rivest: simple characterization for mod 2^n
  – Is it useful?
Time complexity of the permutation
• The RTV generator increases the length of the walk
  – The general space generator does not increase it
• Is it possible to get the best of both worlds?
Efficiency of evaluating k-wise independent permutations and functions
What about the time to evaluate g on a given point x?
• Want a representation where the evaluation does not involve reading the entire description of g
• Even for functions: in the simple construction need to read all the bits
  – Siegel: some lower and upper bounds for functions
Question: given either
  – a k-wise independent function, or
  – a k-wise independent permutation over a larger range,
come up with a good construction of a k-wise independent permutation with a small evaluation time and black-box calls to the given function/permutation
• What if the domain size N is not a power of 2? Open only for small k
  – Using good extractors
The End
k-wise permutations over other domains
• What if the domain size N is not a power of 2?
  – The card shuffling approaches are hard to adapt
  – Can use a Feistel network to get some results
  – Can reduce the size by a fixed fraction
• Cycle walking
  – Need to take k'-wise for k' ∈ O(k + log 1/ε)
  – Problem if k is small
[Figure: one Feistel round, f applied to the halves (L1, R1) to give (L2, R2)]
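Cycle walking, which the slide lists as one way to reduce the domain, is simple enough to show in full. The following Python is an added example, not code from the talk: given any permutation g on a larger set {0,…,M-1} and a target size N ≤ M, it defines a permutation on {0,…,N-1} by applying g repeatedly until the value falls below N, and checks the two properties a user relies on (the result is a permutation, and restricting the inverse gives the inverse of the restriction). The permutation g is a constructed stand-in (a seeded shuffle), since the point is the restriction, not the source of g; all function names are this example's own.

```python
import random


def cycle_walk(perm, N, x):
    """Evaluate the cycle-walking restriction of `perm` (a permutation on
    {0,...,M-1}) to {0,...,N-1} at x < N: follow perm until the value is back
    below N. Returns (value, number of perm evaluations). The loop terminates
    because x lies on a cycle of perm that eventually returns to x, and x < N."""
    assert 0 <= x < N <= len(perm)
    y = perm[x]
    steps = 1
    while y >= N:
        y = perm[y]
        steps += 1
    return y, steps


def restrict_by_cycle_walking(perm, N):
    """Value table of the restricted permutation on {0,...,N-1} together with the
    worst-case number of underlying evaluations over all inputs. A walk can pass
    through every out-of-range element at most once, so worst <= M - N + 1."""
    table, worst = [], 0
    for x in range(N):
        y, steps = cycle_walk(perm, N, x)
        table.append(y)
        worst = max(worst, steps)
    return table, worst


def average_steps(perm, N):
    """Mean number of evaluations of perm per evaluation of the restriction."""
    return sum(cycle_walk(perm, N, x)[1] for x in range(N)) / N


def inverse(perm):
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    return inv


def example_permutation(M, seed=7):
    """Constructed stand-in for a k-wise independent permutation on a domain of
    size M (a seeded shuffle; the restriction does not care where g comes from)."""
    perm = list(range(M))
    random.Random(seed).shuffle(perm)
    return perm


if __name__ == "__main__":
    M, N = 16, 10                      # shrink a 16-element domain to 10 elements
    g = example_permutation(M)
    table, worst = restrict_by_cycle_walking(g, N)
    print("restricted permutation:", table)
    print("worst-case evaluations of g per query:", worst)
    print("average evaluations of g per query: %.2f" % average_steps(g, N))
    assert restrict_by_cycle_walking(inverse(g), N)[0] == inverse(table)
```

When N is a constant fraction of M (the slide's "reduce the size by a fixed fraction"), each evaluation of g lands in the target set with constant probability, so a query to the restricted permutation costs a small expected number of queries to g; those extra queries are the reason the slide asks for k'-wise independence with k' larger than k, and the log 1/ε term covers the probability that some walks run long.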
The credit card problem
• Find a simple reduction from permutations on large blocks to small blocks
  – Preserving the properties of the original permutation
    • Time-wise
    • Security
Motivating example: permuting credit card numbers
To reduce fraud, want to permute credit card numbers
• Size of set: roughly 2^40 (ignoring the first 4 digits)
• Only trusted servers will have access to the permutation
• An adversary that sees only a limited number of permuted cc numbers should not be able to obtain information on any other card
  – For which it sees only the permuted value
• Want a way to spread the permutation to the trusted servers: need a succinct representation
No such construction is known even based on cryptographic primitives
Block-Ciphers
• Shared-key encryption schemes where the encryption of every plaintext block is a ciphertext block of the same length
• Important examples: DES, AES
• Complexity-based concept modeling them: pseudo-random permutations
[Figure: block cipher BC with inputs Key and Plaintext and output Ciphertext; block size: 64 bits]
How to go from block size 64 to block size 40?
Block-ciphers and k-wise independent permutations
• The two notions are related
• But some important differences
  – Example: dynamic vs. static attacks
Simple 3-bit Permutations
An approach for generating simple permutations by changing a fixed number of bits in each round
Each permutation is defined by
  1. A small subset of the indices
  2. A permutation that maps the subset of the bits to their new value
Proposed and analyzed by
  – Gowers
  – Hoory, Magen, Myers and Rackoff
  – Brodsky and Hoory
Simple 3-bit Permutations
For
  – a Boolean function on c bits f: {0,1}^c → {0,1}
  – a subset S = {i0, i1, … ic} ⊆ [n]
define a permutation σ_{f,S}: {0,1}^n → {0,1}^n where
  σ_{f,S}(x1, x2, …, xn) = (x1, …, x_{i0-1}, x_{i0} ⊕ f(x_{i1}, …, x_{ic}), x_{i0+1}, …, xn)
Note that σ_{f,S} is an involution: inverse of itself
Let F2 = {σ_{f,S} | f: {0,1}^2 → {0,1}, S ⊆ [n], |S|=3}
Theorem [Brodsky-Hoory]: For all 2 ≤ k ≤ 2^{n-2} there is a t ∈ O(n²k(nk + log 1/ε)) where:
  – F2^t is k-wise ε-dependent
  – gap(H_{F2,k}) is Ω(1/(n²k))
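The companion-graph view of the construction (the k-Companion graph, Properties, and "k-wise independence and random walks" slides) and the simple 3-bit permutations just defined can be put together on a tiny instance. The following Python is an added example, not code from the talk, the Brodsky-Hoory paper or the Kaplan-Naor-Reingold paper: it builds F2 for n=3, the 2-companion graph H_{F2,2} on the 56 ordered pairs of distinct 3-bit strings, and the exact distribution of a t-step random walk, which is the distribution of (g(z1), g(z2)) for g = f1∘…∘ft. The worst-case variation distance of that distribution from uniform over [N]^2 is therefore the ε for which F2^t is 2-wise ε-dependent, and a power iteration estimates λ(H_{F2,2}), whose gap controls how fast ε decays in t. The labels are the 96 ordered choices (i0, i1,  i2) times the 16 truth tables of f, so the family is a multiset containing the identity (f ≡ 0) with every member its own inverse, as the Properties slide requires; the function names are this example's own. Applying one label at a time to both coordinates is also the left-to-right scan over f1, …, ft that the bounded-space argument relies on.

```python
import random
from itertools import permutations


def simple_3bit_family(n):
    """F2 on n-bit strings: every sigma_{f,S} with f: {0,1}^2 -> {0,1} and S an
    ordered triple (i0, i1, i2) of distinct bit positions, where bit i0 gets
    f(x_{i1}, x_{i2}) XORed in. f is a 4-bit truth table indexed by
    2*x_{i1} + x_{i2}. Members are full value tables over {0,1}^n; the list is
    a multiset of labels (both orders of i1, i2 appear)."""
    q = 1 << n
    family = []
    for i0, i1, i2 in permutations(range(n), 3):
        for table in range(16):
            out = []
            for x in range(q):
                bit = (table >> (2 * ((x >> i1) & 1) + ((x >> i2) & 1))) & 1
                out.append(x ^ (bit << i0))
            family.append(tuple(out))
    return family


def companion_graph(family, n, k):
    """k-companion graph H_{F,k}: nodes are k-tuples of distinct n-bit strings;
    node z has one edge per label sigma, to sigma applied coordinate-wise.
    Returns the node list and, per node, its neighbour indices (with multiplicity)."""
    nodes = list(permutations(range(1 << n), k))
    index = {z: i for i, z in enumerate(nodes)}
    nbrs = [[index[tuple(sigma[x] for x in z)] for sigma in family] for z in nodes]
    return nodes, nbrs


def transition_matrix(nbrs):
    """One walk step = apply one uniformly random label to all k coordinates,
    i.e. one stage of the left-to-right evaluation of f1∘…∘ft on k points."""
    m, d = len(nbrs), len(nbrs[0])
    P = [[0.0] * m for _ in range(m)]
    for v, row in enumerate(nbrs):
        for u in row:
            P[v][u] += 1.0 / d
    return P


def mat_mul(A, B):
    m = len(A)
    return [[sum(A[i][l] * B[l][j] for l in range(m)) for j in range(m)]
            for i in range(m)]


def max_distance_to_uniform(Pt):
    """Worst start node: variation distance between the walk's end point and the
    uniform distribution on [N]^k. Row z of P^t is the distribution of
    (g(z1),…,g(zk)) for g = f1∘…∘ft, so this is the eps of 'k-wise eps-dependent'."""
    m = len(Pt)
    return max(0.5 * sum(abs(p - 1.0 / m) for p in row) for row in Pt)


def mixing_profile(nbrs, max_log_t=6):
    """eps for t = 1, 2, 4, …, 2^max_log_t composed permutations (repeated squaring of P)."""
    Pt = transition_matrix(nbrs)
    profile = [(1, max_distance_to_uniform(Pt))]
    for j in range(1, max_log_t + 1):
        Pt = mat_mul(Pt, Pt)
        profile.append((1 << j, max_distance_to_uniform(Pt)))
    return profile


def second_eigenvalue(P, iters=300, seed=1):
    """Power iteration orthogonal to the all-ones vector: estimates lambda(H),
    the second-largest eigenvalue in absolute value (spectral gap = 1 - lambda).
    P is symmetric because every label is an involution, so ||P v|| -> lambda."""
    m = len(P)
    rng = random.Random(seed)                 # seeded start vector, reproducible
    v = [rng.random() for _ in range(m)]
    lam = 0.0
    for _ in range(iters):
        mean = sum(v) / m
        v = [x - mean for x in v]             # project out the uniform component
        norm = sum(x * x for x in v) ** 0.5
        v = [x / norm for x in v]
        v = [sum(P[i][j] * v[j] for j in range(m)) for i in range(m)]
        lam = sum(x * x for x in v) ** 0.5
    return lam


if __name__ == "__main__":
    fam = simple_3bit_family(3)
    nodes, nbrs = companion_graph(fam, 3, 2)
    print(len(fam), "labels,", len(nodes), "nodes, degree", len(nbrs[0]))
    for t, eps in mixing_profile(nbrs):
        print(f"t={t:3d}: F2^t is 2-wise eps-dependent with eps ~ {eps:.2e}")
    print("lambda(H_{F2,2}) ~ %.4f" % second_eigenvalue(transition_matrix(nbrs)))
```

For this instance the estimate of λ(H_{F2,2}) is about 0.77, and the profile shows ε falling geometrically with t, so composing 64 simple 3-bit permutations already gives ε below 10^-5 on 3-bit strings; the derandomization in the talk replaces the 64 independent labels by the output of a walk generator seeded with O(log(m·d/(ε·δ))) bits.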
The End