-
Locality-Preserving Hashing for Shifts with Connections to Cryptography
Authors:
Elette Boyle,
Itai Dinur,
Niv Gilboa,
Yuval Ishai,
Nathan Keller,
Ohad Klein
Abstract:
Can we sense our location in an unfamiliar environment by taking a sublinear-size sample of our surroundings? Can we efficiently encrypt a message that only someone physically close to us can decrypt? To solve this kind of problem, we introduce and study a new type of hash functions for finding shifts in sublinear time. A function $h:\{0,1\}^n\to \mathbb{Z}_n$ is a $(d,δ)$ {\em locality-preserving hash function for shifts} (LPHS) if: (1) $h$ can be computed by (adaptively) querying $d$ bits of its input, and (2) $\Pr [ h(x) \neq h(x \ll 1) + 1 ] \leq δ$, where $x$ is random and $\ll 1$ denotes a cyclic shift by one bit to the left. We make the following contributions.
* Near-optimal LPHS via Distributed Discrete Log: We establish a general two-way connection between LPHS and algorithms for distributed discrete logarithm in the generic group model. Using such an algorithm of Dinur et al. (Crypto 2018), we get LPHS with near-optimal error of $δ=\tilde O(1/d^2)$. This gives an unusual example of the usefulness of group-based cryptography in a post-quantum world. We extend the positive result to non-cyclic and worst-case variants of LPHS.
* Multidimensional LPHS: We obtain positive and negative results for a multidimensional extension of LPHS, making progress towards an optimal 2-dimensional LPHS.
* Applications: We demonstrate the usefulness of LPHS by presenting cryptographic and algorithmic applications. In particular, we apply multidimensional LPHS to obtain an efficient "packed" implementation of homomorphic secret sharing and a sublinear-time implementation of location-sensitive encryption whose decryption requires a significantly overlapping view.
Submitted 9 January, 2022;
originally announced January 2022.
-
Fine-Grained Cryptanalysis: Tight Conditional Bounds for Dense k-SUM and k-XOR
Authors:
Itai Dinur,
Nathan Keller,
Ohad Klein
Abstract:
An average-case variant of the $k$-SUM conjecture asserts that finding $k$ numbers that sum to 0 in a list of $r$ random numbers, each of the order $r^k$, cannot be done in much less than $r^{\lceil k/2 \rceil}$ time. On the other hand, in the dense regime of parameters, where the list contains more numbers and many solutions exist, the complexity of finding one of them can be significantly improved by Wagner's $k$-tree algorithm. Such algorithms for $k$-SUM in the dense regime have many applications, notably in cryptanalysis.
In this paper, assuming the average-case $k$-SUM conjecture, we prove that known algorithms are essentially optimal for $k= 3,4,5$. For $k>5$, we prove the optimality of the $k$-tree algorithm for a limited range of parameters. We also prove similar results for $k$-XOR, where the sum is replaced with exclusive or.
Our results are obtained by a self-reduction that, given an instance of $k$-SUM which has a few solutions, produces from it many instances in the dense regime. We solve each of these instances using the dense $k$-SUM oracle, and hope that a solution to a dense instance also solves the original problem. We deal with potentially malicious oracles (that repeatedly output correlated useless solutions) by an obfuscation process that adds noise to the dense instances. Using discrete Fourier analysis, we show that the obfuscation eliminates correlations among the oracle's solutions, even though its inputs are highly correlated.
Submitted 13 March, 2024; v1 submitted 31 October, 2021;
originally announced November 2021.
-
Consistent High Dimensional Rounding with Side Information
Authors:
Orr Dunkelman,
Zeev Geyzel,
Chaya Keller,
Nathan Keller,
Eyal Ronen,
Adi Shamir,
Ran J. Tessler
Abstract:
In standard rounding, we want to map each value $X$ in a large continuous space (e.g., $R$) to a nearby point $P$ from a discrete subset (e.g., $Z$). This process seems to be inherently discontinuous in the sense that two consecutive noisy measurements $X_1$ and $X_2$ of the same value may be extremely close to each other and yet they can be rounded to different points $P_1\ne P_2$, which is undesirable in many applications. In this paper we show how to make the rounding process perfectly continuous in the sense that it maps any pair of sufficiently close measurements to the same point. We call such a process consistent rounding, and make it possible by allowing a small amount of information about the first measurement $X_1$ to be unidirectionally communicated to and used by the rounding process of $X_2$.
The fault tolerance of a consistent rounding scheme is defined by the maximum distance between pairs of measurements which guarantees that they are always rounded to the same point, and our goal is to study the possible tradeoffs between the amount of information provided and the achievable fault tolerance for various types of spaces. When the measurements $X_i$ are arbitrary vectors in $R^d$, we show that communicating $\log_2(d+1)$ bits of information is both sufficient and necessary (in the worst case) in order to achieve consistent rounding for some positive fault tolerance, and when $d=3$ we obtain a tight upper and lower asymptotic bound of $(0.561+o(1))k^{1/3}$ on the achievable fault tolerance when we reveal $\log_2(k)$ bits of information about how $X_1$ was rounded. We analyze the problem by considering the possible colored tilings of the space with $k$ available colors, and obtain our upper and lower bounds with a variety of mathematical techniques including isoperimetric inequalities, the Brunn-Minkowski theorem, sphere packing bounds, and Čech cohomology.
Submitted 9 August, 2020;
originally announced August 2020.
-
Quantum speedups need structure
Authors:
Nathan Keller,
Ohad Klein
Abstract:
We prove the following conjecture, raised by Aaronson and Ambainis in 2008: Let $f:\{-1,1\}^n \rightarrow [-1,1]$ be a multilinear polynomial of degree $d$. Then there exists a variable $x_i$ whose influence on $f$ is at least $\mathrm{poly}(\mathrm{Var}(f)/d)$.
As was shown by Aaronson and Ambainis, this result implies the following well-known conjecture on the power of quantum computing, dating back to 1999: Let $Q$ be a quantum algorithm that makes $T$ queries to a Boolean input and let $ε,δ> 0$. Then there exists a deterministic classical algorithm that makes $\mathrm{poly}(T,1/ε,1/δ)$ queries to the input and that approximates $Q$'s acceptance probability to within an additive error $ε$ on a $1-δ$ fraction of inputs. In other words, any quantum algorithm can be simulated on most inputs by a classical algorithm which is only polynomially slower, in terms of query complexity.
Submitted 1 December, 2019; v1 submitted 9 November, 2019;
originally announced November 2019.
-
A structure theorem for almost low-degree functions on the slice
Authors:
Nathan Keller,
Ohad Klein
Abstract:
The Fourier-Walsh expansion of a Boolean function $f \colon \{0,1\}^n \rightarrow \{0,1\}$ is its unique representation as a multilinear polynomial. The Kindler-Safra theorem (2002) asserts that if in the expansion of $f$, the total weight on coefficients beyond degree $k$ is very small, then $f$ can be approximated by a Boolean-valued function depending on at most $O(2^k)$ variables.
In this paper we prove a similar theorem for Boolean functions whose domain is the `slice' ${{[n]}\choose{pn}} = \{x \in \{0,1\}^n\colon \sum_i x_i = pn\}$, where $0 \ll p \ll 1$, with respect to their unique representation as harmonic multilinear polynomials. We show that if in the representation of $f\colon {{[n]}\choose{pn}} \rightarrow \{0,1\}$, the total weight beyond degree $k$ is at most $ε$, where $ε= \min(p, 1-p)^{O(k)}$, then $f$ can be $O(ε)$-approximated by a degree-$k$ Boolean function on the slice, which in turn depends on $O(2^{k})$ coordinates. This proves a conjecture of Filmus, Kindler, Mossel, and Wimmer (2015). Our proof relies on hypercontractivity, along with a novel kind of a shifting procedure.
In addition, we show that the approximation rate in the Kindler-Safra theorem can be improved from $ε+ \exp(O(k)) ε^{1/4}$ to $ε+ε^2 (2\ln(1/ε))^k/k!$, which is tight in terms of the dependence on $ε$ and misses at most a factor of $2^{O(k)}$ in the lower-order term.
Submitted 25 January, 2019;
originally announced January 2019.
-
Biased halfspaces, noise sensitivity, and local Chernoff inequalities
Authors:
Nathan Keller,
Ohad Klein
Abstract:
A halfspace is a function $f\colon\{-1,1\}^n \rightarrow \{0,1\}$ of the form $f(x)=\mathbb{1}(a\cdot x>t)$, where $\sum_i a_i^2=1$.
We show that if $f$ is a halfspace with $\mathbb{E}[f]=ε$ and $a'=\max_i |a_i|$, then the degree-1 Fourier weight of $f$ is
$W^1(f)=Θ(ε^2 \log(1/ε))$, and the maximal influence of $f$ is $I_{\max}(f)=Θ(ε\min(1,a' \sqrt{\log(1/ε)}))$.
These results, which determine the exact asymptotic order of $W^1(f)$ and $I_{\max}(f)$, provide sharp generalizations of theorems proved by Matulef, O'Donnell, Rubinfeld, and Servedio, and settle a conjecture posed by Kalai, Keller and Mossel.
In addition, we present a refinement of the definition of noise sensitivity which takes into consideration the bias of the function, and show that (like in the unbiased case) halfspaces are noise resistant, and, in the other direction, any noise resistant function is well correlated with a halfspace.
Our main tools are 'local' forms of the classical Chernoff inequality, like the following one proved by Devroye and Lugosi (2008):
Let $\{ x_i \}$ be independent random variables uniformly distributed in $\{-1,1\}$, and let $a_i\in\mathbb{R}_+$ be such that $\sum_i a_{i}^{2}=1$.
If for some $t\geq 0$ we have $\Pr[\sum_{i} a_i x_i > t]=ε$, then $\Pr[\sum_{i} a_i x_i>t+δ]\leq \frac{ε}{2}$ holds for $δ\leq c/\sqrt{\log(1/ε)}$, where $c$ is a universal constant.
Submitted 25 September, 2019; v1 submitted 20 October, 2017;
originally announced October 2017.
-
Tight Bounds on Online Checkpointing Algorithms
Authors:
Achiya Bar-On,
Itai Dinur,
Orr Dunkelman,
Rani Hod,
Nathan Keller,
Eyal Ronen,
Adi Shamir
Abstract:
The problem of online checkpointing is a classical problem with numerous applications which has been studied in various forms for almost 50 years. In the simplest version of this problem, a user has to maintain $k$ memorized checkpoints during a long computation, where the only allowed operation is to move one of the checkpoints from its old time to the current time, and his goal is to keep the checkpoints as evenly spread out as possible at all times.
Bringmann et al. studied this problem as a special case of an online/offline optimization problem in which the deviation from uniformity is measured by the natural discrepancy metric of the worst case ratio between real and ideal segment lengths. They showed this discrepancy is smaller than $1.59-o(1)$ for all $k$, and smaller than $\ln4-o(1)\approx1.39$ for the sparse subset of $k$'s which are powers of 2. In addition, they obtained upper bounds on the achievable discrepancy for some small values of $k$.
In this paper we solve the main problems left open in the above-mentioned paper by proving that $\ln4$ is a tight upper and lower bound on the asymptotic discrepancy for all large $k$, and by providing tight upper and lower bounds (in the form of provably optimal checkpointing algorithms, some of which are in fact better than those of Bringmann et al.) for all the small values of $k \leq 10$.
In the last part of the paper we describe some new applications of this online checkpointing problem.
Submitted 19 June, 2019; v1 submitted 9 April, 2017;
originally announced April 2017.
-
Approximation of biased Boolean functions of small total influence by DNF's
Authors:
Nathan Keller,
Noam Lifshitz
Abstract:
The influence of the $k$'th coordinate on a Boolean function $f:\{0,1\}^n \rightarrow \{0,1\}$ is the probability that flipping $x_k$ changes the value $f(x)$. The total influence $I(f)$ is the sum of influences of the coordinates. The well-known `Junta Theorem' of Friedgut (1998) asserts that if $I(f) \leq M$, then $f$ can be $ε$-approximated by a function that depends on $O(2^{M/ε})$ coordinates. Friedgut's theorem has a wide variety of applications in mathematics and theoretical computer science.
For a biased function with $E[f]=μ$, the edge isoperimetric inequality on the cube implies that $I(f) \geq 2μ\log(1/μ)$. Kahn and Kalai (2006) asked, in the spirit of the Junta theorem, whether any $f$ such that $I(f)$ is within a constant factor of the minimum, can be $εμ$-approximated by a DNF of a `small' size (i.e., a union of a small number of sub-cubes). We answer the question by proving the following structure theorem: If $I(f) \leq 2μ(\log(1/μ)+M)$, then $f$ can be $εμ$-approximated by a DNF of size $2^{2^{O(M/ε)}}$. The dependence on $M$ is sharp up to the constant factor in the double exponent.
Submitted 29 March, 2017;
originally announced March 2017.
-
On the sum of the L1 influences of bounded functions
Authors:
Yuval Filmus,
Hamed Hatami,
Nathan Keller,
Noam Lifshitz
Abstract:
Let $f\colon \{-1,1\}^n \to [-1,1]$ have degree $d$ as a multilinear polynomial. It is well-known that the total influence of $f$ is at most $d$. Aaronson and Ambainis asked whether the total $L_1$ influence of $f$ can also be bounded as a function of $d$. Bačkurs and Bavarian answered this question in the affirmative, providing a bound of $O(d^3)$ for general functions and $O(d^2)$ for homogeneous functions. We improve on their results by providing a bound of $d^2$ for general functions and $O(d\log d)$ for homogeneous functions. In addition, we prove a bound of $d/(2 π)+o(d)$ for monotone functions, and provide a matching example.
Submitted 28 March, 2015; v1 submitted 13 April, 2014;
originally announced April 2014.
-
A Quantitative Version of the Gibbard-Satterthwaite Theorem for Three Alternatives
Authors:
Ehud Friedgut,
Gil Kalai,
Nathan Keller,
Noam Nisan
Abstract:
The Gibbard-Satterthwaite theorem states that every non-dictatorial election rule among at least three alternatives can be strategically manipulated. We prove a quantitative version of the Gibbard-Satterthwaite theorem: a random manipulation by a single random voter will succeed with a non-negligible probability for any election rule among three alternatives that is far from being a dictatorship and from having only two alternatives in its range.
Submitted 25 May, 2011;
originally announced May 2011.
-
A Note on the Entropy/Influence Conjecture
Authors:
Nathan Keller,
Elchanan Mossel,
Tomer Schlank
Abstract:
The entropy/influence conjecture, raised by Friedgut and Kalai in 1996, seeks to relate two different measures of concentration of the Fourier coefficients of a Boolean function. Roughly speaking, it claims that if the Fourier spectrum is "smeared out", then the Fourier coefficients are concentrated on "high" levels. In this note we generalize the conjecture to biased product measures on the discrete cube, and prove a variant of the conjecture for functions with an extremely low Fourier weight on the "high" levels.
Submitted 13 May, 2011;
originally announced May 2011.
-
A tight quantitative version of Arrow's impossibility theorem
Authors:
Nathan Keller
Abstract:
The well-known Impossibility Theorem of Arrow asserts that any Generalized Social Welfare Function (GSWF) with at least three alternatives, which satisfies Independence of Irrelevant Alternatives (IIA) and Unanimity and is not a dictatorship, is necessarily non-transitive. In 2002, Kalai asked whether one can obtain the following quantitative version of the theorem: For any $ε>0$, there exists $δ=δ(ε)$ such that if a GSWF on three alternatives satisfies the IIA condition and its probability of non-transitive outcome is at most $δ$, then the GSWF is at most $ε$-far from being a dictatorship or from breaching the Unanimity condition. In 2009, Mossel proved such a quantitative version, with $δ(ε)=\exp(-C/ε^{21})$, and generalized it to GSWFs with $k$ alternatives, for all $k \geq 3$. In this paper we show that the quantitative version holds with $δ(ε)=C \cdot ε^3$, and that this result is tight up to logarithmic factors. Furthermore, our result (like Mossel's) generalizes to GSWFs with $k$ alternatives. Our proof is based on the works of Kalai and Mossel, but also uses an additional ingredient: a combination of the Bonami-Beckner hypercontractive inequality with a reverse hypercontractive inequality due to Borell, applied to find simultaneously upper bounds and lower bounds on the "noise correlation" between Boolean functions on the discrete cube.
Submitted 20 March, 2010;
originally announced March 2010.
-
MV3: A new word based stream cipher using rapid mixing and revolving buffers
Authors:
Nathan Keller,
Stephen D. Miller,
Ilya Mironov,
Ramarathnam Venkatesan
Abstract:
MV3 is a new word based stream cipher for encrypting long streams of data. A direct adaptation of a byte based cipher such as RC4 into a 32- or 64-bit word version will obviously need vast amounts of memory. This scaling issue necessitates a look for new components and principles, as well as mathematical analysis to justify their use. Our approach, like RC4's, is based on rapidly mixing random walks on directed graphs (that is, walks which reach a random state quickly, from any starting point). We begin with some well understood walks, and then introduce nonlinearity in their steps in order to improve security and show long term statistical correlations are negligible. To minimize the short term correlations, as well as to deter attacks using equations involving successive outputs, we provide a method for sequencing the outputs derived from the walk using three revolving buffers. The cipher is fast -- it runs at a speed of less than 5 cycles per byte on a Pentium IV processor. A word based cipher needs to output more bits per step, which exposes more correlations for attacks. Moreover we seek simplicity of construction and transparent analysis. To meet these requirements, we use a larger state and claim security corresponding to only a fraction of it. Our design is for an adequately secure word-based cipher; our very preliminary estimate puts the security close to exhaustive search for keys of size < 256 bits.
Submitted 9 October, 2006;
originally announced October 2006.