Gate Elimination for Linear Functions and New Feebly Secure Constructions
Threshold circuit lower bounds on cryptographic functions
2005
In this work, we are interested in non-trivial upper bounds on the spectral norm of binary matrices $M \in \{-1, 1\}^{N \times N}$. It is known that the distributed Boolean function represented by $M$ is hard to compute in various restricted models of computation if the spectral norm is bounded from above by $N^{1-\varepsilon}$, where $\varepsilon > 0$ denotes a fixed constant. For instance, the size of a two-layer threshold circuit (with polynomially bounded weights for the gates in the hidden layer, but unbounded weights for the output gate) grows exponentially fast with $n := \log N$. We prove sufficient conditions on $M$ that imply small spectral norms (and thus high computational complexity in restricted models). Our general results cover specific cases, where the matrix $M$ represents a bit (the least significant bit or other fixed bits) of fundamental functions. Functions like the discrete multiplication and division, as well as cryptographic functions such as the Diffie-Hellman function (IEEE Trans. Inform. Theory 22(6) (1976) 644-654) and the decryption functions of the Pointcheval (Advances in can be addressed by our technique. In order to obtain our results, we make a detour on exponential sums and on spectral norms of matrices with complex entries. This method might be considered interesting in its own right.
International journal on advances in intelligent systems, 2013
Two very important NP-hard problems in the area of computational complexity are the problems of Matrix Multiplication (MM) and Circuit Optimization. Solving particular cases of such problems yields improvements in many other problems, as they are core sub-routines implemented in many other algorithms. However, obtaining optimal solutions is an intractable problem, since the space to explore for each problem is exponentially large. All suggested methodologies rely on well-chosen heuristics, selected according to the topology of the specific problem. Such heuristics may yield efficient and acceptable solutions, but they do not guarantee that nothing better can be done. In this paper, we suggest a general framework for obtaining solutions to such problems. We have developed a 2-step methodology, where in the first place we describe the problem algebraically and then convert it to a SAT-CNF problem, which we solve using SAT-solvers. By running the same procedure for different values of k...
Block ciphers, pseudorandom functions, and Natural Proofs
This paper takes a new step towards closing the troubling gap between pseudorandom functions (PRF) and their popular, bounded-input-length counterpart: block ciphers. This gap is both quantitative, because block ciphers are more efficient than PRF in various ways, and methodological, because block ciphers usually fit in the substitution-permutation network paradigm (SPN) which has no counterpart in PRF. We give several candidate PRF $F_i$ that are inspired by the SPN paradigm. This paradigm involves a "substitution function" (S-box). Our main candidates are: $F_1 : \{0, 1\}^n \to \{0, 1\}^n$ is an SPN whose S-box is a random function on $b = O(\lg n)$ bits, given as part of the seed. We prove unconditionally that $F_1$ resists attacks that run in time $\le 2^{\epsilon b}$. Setting $b = \omega(\lg n)$ we obtain an inefficient PRF, which however seems to be the first such construction using the SPN paradigm. $F_2 : \{0, 1\}^n \to \{0, 1\}^n$ is an SPN where the S-box is (patched) field inversion, a common choice in block ciphers. $F_2$ is computable with Boolean circuits of size $n \cdot \log^{O(1)} n$, and in particular with seed length $n \cdot \log^{O(1)} n$. We prove that this candidate has exponential security $2^{\Omega(n)}$ against linear and differential cryptanalysis. $F_3 : \{0, 1\}^n \to \{0, 1\}$ is a non-standard variant on the SPN paradigm, where "states" grow in length. $F_3$ is computable with size $n^{1+\epsilon}$, for any $\epsilon > 0$, in the restricted circuit class $\mathrm{TC}^0$ of unbounded fan-in majority circuits of constant depth. We prove that $F_3$ is almost 3-wise independent. $F_4 : \{0, 1\}^n \to \{0, 1\}$ uses an extreme setting of the SPN parameters (one round, one S-box, no diffusion matrix). The S-box is again (patched) field inversion. We prove that this candidate is a small-bias generator (for tests of weight up to $2^{0.9n}$).
Assuming the security of our candidates, our work also narrows the gap between the "Natural Proofs barrier" [Razborov & Rudich; JCSS '97] and existing lower bounds, in three models: unbounded-depth circuits, $\mathrm{TC}^0$ circuits, and Turing machines. In particular, the efficiency of the circuits computing $F_3$ is related to a result by Allender and Koucky [JACM '10] who show that a lower bound for such circuits would imply a lower bound for $\mathrm{TC}^0$.
Algebraic Immunity for Cryptographically Significant Boolean Functions: Analysis and Construction
IEEE Transactions on Information Theory, 2006
Recently, algebraic attacks have received a lot of attention in the cryptographic literature. It has been observed that a Boolean function used as a cryptographic primitive, and interpreted as a multivariate polynomial over $\mathbb{F}_2$, should not have low degree multiples obtained by multiplication with low degree nonzero functions. In this paper, we show that a Boolean function having low nonlinearity is (also) weak against algebraic attacks, and we extend this result to higher order nonlinearities. Next, we present enumeration results on linearly independent annihilators. We also study certain classes of highly nonlinear resilient Boolean functions for their algebraic immunity. We identify that functions having low-degree subfunctions are weak in terms of algebraic immunity, and we analyze some existing constructions from this viewpoint. Further, we present a construction method to generate Boolean functions on variables with highest possible algebraic immunity 2 (this construction, first presented at the 2005 Workshop on Fast Software Encryption (FSE 2005), has been the first one producing such functions). These functions are obtained through a doubly indexed recursive relation. We calculate their Hamming weights and deduce their nonlinearities; we show that they have very high algebraic degrees. We express them as the sums of two functions which can be obtained from simple symmetric functions by a transformation which can be implemented with an algorithm whose complexity is linear in the number of variables. We deduce a very fast way of computing the output of these functions, given their input.
New Techniques for Efficient Trapdoor Functions and Applications
Advances in Cryptology – EUROCRYPT 2019, 2019
We develop techniques for constructing trapdoor functions (TDFs) with short image size and advanced security properties. Our approach builds on the recent framework of Garg and Hajiabadi [CRYPTO 2018]. As applications of our techniques, we obtain
• The first construction of deterministic-encryption schemes for block-source inputs (both for the CPA and CCA cases) based on the Computational Diffie-Hellman (CDH) assumption. Moreover, by applying our efficiency-enhancing techniques, we obtain CDH-based schemes with ciphertext size linear in plaintext size.
• The first construction of lossy TDFs based on the Decisional Diffie-Hellman (DDH) assumption with image size linear in input size, while retaining the lossiness rate of [Peikert-Waters STOC 2008].
Prior to our work, all constructions of deterministic encryption based even on the stronger DDH assumption incurred a quadratic gap between the ciphertext and plaintext sizes. Moreover, all DDH-based constructions of lossy TDFs had image size quadratic in the input size. At a high level, we break the previous quadratic barriers by introducing a novel technique for encoding input bits via hardcore output bits with the use of erasure-resilient codes. All previous schemes used group elements for encoding input bits, resulting in quadratic expansions.
Satisfiability and Derandomization for Small Polynomial Threshold Circuits
Electron. Colloquium Comput. Complex., 2018
A polynomial threshold function (PTF) is defined as the sign of a polynomial $p : \{0, 1\} \to \mathbb{R}$. A PTF circuit is a Boolean circuit whose gates are PTFs. We study the problems of exact and (promise) approximate counting for PTF circuits of constant depth. Satisfiability (#SAT). We give the first zero-error randomized algorithm faster than exhaustive search that counts the number of satisfying assignments of a given constant-depth circuit with a super-linear number of wires whose gates are $s$-sparse PTFs, for $s$ almost quadratic in the input size of the circuit; here a PTF is called $s$-sparse if its underlying polynomial has at most $s$ monomials. More specifically, we show that, for any large enough constant $c$, given a depth-$d$ circuit with $n^{2-1/c}$-sparse PTF gates that has at most $n^{1+\varepsilon_d}$ wires, where $\varepsilon_d$ depends only on $c$ and $d$, the number of satisfying assignments of the circuit can be computed in randomized time $2^{n - n^{\varepsilon}}$ with zero error. This generalizes the result by Chen, Santhanam and Srini...
The Polynomial Method in Circuit Complexity Applied to Algorithm Design (Invited Talk)
In circuit complexity, the polynomial method is a general approach to proving circuit lower bounds in restricted settings. One shows that functions computed by sufficiently restricted circuits are "correlated" in some way with a low-complexity polynomial, where complexity may be measured by the degree of the polynomial or the number of monomials. Then, results limiting the capabilities of low-complexity polynomials are extended to the restricted circuits. Old theorems proved by this method have recently found interesting applications to the design of algorithms for basic problems in the theory of computing. This paper surveys some of these applications, and gives a few new ones.
Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE and Compact Garbled Circuits
Advances in Cryptology – EUROCRYPT 2014, 2014
We construct the first (key-policy) attribute-based encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fan-in gates, thereby further reducing the circuit depth. Building on this ABE system we obtain the first reusable circuit garbling scheme that produces garbled circuits whose size is the same as the original circuit plus an additive poly(λ, d) bits, where λ is the security parameter and d is the circuit depth. All previous constructions incurred a multiplicative poly(λ) blowup. We construct our ABE using a new mechanism we call fully key-homomorphic encryption, a public-key system that lets anyone translate a ciphertext encrypted under a public key x into a ciphertext encrypted under the public key (f(x), f) of the same plaintext, for any efficiently computable f. We show that this mechanism gives an ABE with short keys. Security of our construction relies on the subexponential hardness of the learning with errors problem. We also present a second (key-policy) ABE, using multilinear maps, with short ciphertexts: an encryption to an attribute vector x is the size of x plus poly(λ, d) additional bits. This gives a reusable circuit garbling scheme where the garbled input is short. This paper is the result of merging two works [GGH+] and [BNS].