-
Competitive Policies for Online Collateral Maintenance
Authors:
Ghada Almashaqbeh,
Sixia Chen,
Alexander Russell
Abstract:
Layer-two blockchain protocols emerged to address scalability issues related to fees, storage cost, and confirmation delay of on-chain transactions. They aggregate off-chain transactions into fewer on-chain ones, thus offering immediate settlement and reduced transaction fees. To preserve security of the underlying ledger, layer-two protocols often work in a collateralized model; resources are committed on-chain to back up off-chain activities. A fundamental challenge that arises in this setup is determining a policy for establishing, committing, and replenishing the collateral in a way that maximizes the value of settled transactions.
In this paper, we study this problem under two settings that model collateralized layer-two protocols. The first is a general model in which a party has an on-chain collateral C with a policy to decide on whether to settle or discard each incoming transaction. The policy also specifies when to replenish C based on the remaining collateral value. The second model considers a discrete setup in which C is divided among k wallets, each of which is of size C/k, such that when a wallet is full, and so cannot settle any incoming transactions, it will be replenished. We devise several online policies for these models, and show how competitive they are compared to optimal (offline) policies that have full knowledge of the incoming transaction stream. To the best of our knowledge, we are the first to study and formulate online competitive policies for collateral and wallet management in the blockchain setting.
Submitted 24 June, 2024;
originally announced June 2024.
-
Crooked indifferentiability of the Feistel Construction
Authors:
Alexander Russell,
Qiang Tang,
Jiadong Zhu
Abstract:
The Feistel construction is a fundamental technique for building pseudorandom permutations and block ciphers. This paper shows that a simple adaptation of the construction is resistant, even to algorithm substitution attacks -- that is, adversarial subversion -- of the component round functions. Specifically, we establish that a Feistel-based construction with more than $2000n/\log(1/\epsilon)$ rounds can transform a subverted random function -- which disagrees with the original one at a small fraction (denoted by $\epsilon$) of inputs -- into an object that is \emph{crooked-indifferentiable} from a random permutation, even if the adversary is aware of all the randomness used in the transformation. We also provide a lower bound showing that the construction cannot use fewer than $2n/\log(1/\epsilon)$ rounds to achieve crooked-indifferentiable security.
Submitted 15 April, 2024;
originally announced April 2024.
-
Correcting Subverted Random Oracles
Authors:
Alexander Russell,
Qiang Tang,
Moti Yung,
Hong-Sheng Zhou,
Jiadong Zhu
Abstract:
The random oracle methodology has proven to be a powerful tool for designing and reasoning about cryptographic schemes. In this paper, we focus on the basic problem of correcting faulty or adversarially corrupted random oracles, so that they can be confidently applied for such cryptographic purposes.
We prove that a simple construction can transform a "subverted" random oracle which disagrees with the original one at a small fraction of inputs into an object that is indifferentiable from a random function, even if the adversary is made aware of all randomness used in the transformation. Our results permit future designers of cryptographic primitives in typical kleptographic settings (i.e., those permitting adversaries that subvert or replace basic cryptographic algorithms) to use random oracles as a trusted black box.
Submitted 15 April, 2024;
originally announced April 2024.
-
Synthetic Medical Imaging Generation with Generative Adversarial Networks For Plain Radiographs
Authors:
John R. McNulty,
Lee Kho,
Alexandria L. Case,
Charlie Fornaca,
Drew Johnston,
David Slater,
Joshua M. Abzug,
Sybil A. Russell
Abstract:
In medical imaging, access to data is commonly limited due to patient privacy restrictions and the issue that it can be difficult to acquire enough data in the case of rare diseases.[1] The purpose of this investigation was to develop a reusable open-source synthetic image generation pipeline, the GAN Image Synthesis Tool (GIST), that is easy to use as well as easy to deploy. The pipeline helps to improve and standardize AI algorithms in the digital health space by generating high quality synthetic image data that is not linked to specific patients. Its image generation capabilities include the ability to generate imaging of pathologies or injuries with low incidence rates. This improvement of digital health AI algorithms could improve diagnostic accuracy, aid in patient care, decrease medicolegal claims, and ultimately decrease the overall cost of healthcare. The pipeline builds on existing Generative Adversarial Networks (GANs) algorithms, and preprocessing and evaluation steps were included for completeness. For this work, we focused on ensuring the pipeline supports radiography, with a focus on synthetic knee and elbow x-ray images. In designing the pipeline, we evaluated the performance of current GAN architectures, studying the performance on available x-ray data. We show that the pipeline is capable of generating high quality and clinically relevant images based on a lay person's evaluation and the Fréchet Inception Distance (FID) metric.
Submitted 27 March, 2024;
originally announced March 2024.
-
Operational Collective Intelligence of Humans and Machines
Authors:
Nikolos Gurney,
Fred Morstatter,
David V. Pynadath,
Adam Russell,
Gleb Satyukov
Abstract:
We explore the use of aggregative crowdsourced forecasting (ACF) as a mechanism to help operationalize "collective intelligence" of human-machine teams for coordinated actions. We adopt the definition for Collective Intelligence as: "A property of groups that emerges from synergies among data-information-knowledge, software-hardware, and individuals (those with new insights as well as recognized authorities) that enables just-in-time knowledge for better decisions than these three elements acting alone." Collective Intelligence emerges from new ways of connecting humans and AI to enable decision-advantage, in part by creating and leveraging additional sources of information that might otherwise not be included. Aggregative crowdsourced forecasting (ACF) is a recent key advancement towards Collective Intelligence wherein predictions (X% probability that Y will happen) and rationales (why I believe it is this probability that X will happen) are elicited independently from a diverse crowd, aggregated, and then used to inform higher-level decision-making. This research asks whether ACF, as a key way to enable Operational Collective Intelligence, could be brought to bear on operational scenarios (i.e., sequences of events with defined agents, components, and interactions) and decision-making, and considers whether such a capability could provide novel operational capabilities to enable new forms of decision-advantage.
Submitted 16 February, 2024;
originally announced February 2024.
-
The Decisive Power of Indecision: Low-Variance Risk-Limiting Audits and Election Contestation via Marginal Mark Recording
Authors:
Benjamin Fuller,
Rashmi Pai,
Alexander Russell
Abstract:
Risk-limiting audits (RLAs) are techniques for verifying the outcomes of large elections. While they provide rigorous guarantees of correctness, widespread adoption has been impeded by both efficiency concerns and the fact they offer statistical, rather than absolute, conclusions. We attend to both of these difficulties, defining new families of audits that improve efficiency and offer qualitative advances in statistical power.
Our new audits are enabled by revisiting the standard notion of a cast-vote record so that it can declare multiple possible mark interpretations rather than a single decision; this can reflect the presence of marginal marks, which appear regularly on hand-marked ballots. We show that this simple expedient can offer significant efficiency improvements with only minor changes to existing auditing infrastructure. We consider two ways of representing these marks, both of which yield risk-limiting comparison audits in the formal sense of Fuller, Harrison, and Russell (IEEE Security & Privacy 2023).
We then define a new type of post-election audit we call a contested audit. These permit each candidate to provide a cast-vote record table advancing their own claim to victory. We prove that these audits offer remarkable sample efficiency, yielding control of risk with a constant number of samples (that is independent of margin). This is a first for an audit with provable soundness. These results are formulated in a game-based security model that specifies quantitative soundness and completeness guarantees. These audits provide a means to handle contestation of election results affirmed by conventional RLAs.
Submitted 17 June, 2024; v1 submitted 9 February, 2024;
originally announced February 2024.
-
The Promise and Peril of Artificial Intelligence -- Violet Teaming Offers a Balanced Path Forward
Authors:
Alexander J. Titus,
Adam H. Russell
Abstract:
Artificial intelligence (AI) promises immense benefits across sectors, yet also poses risks from dual-use potentials, biases, and unintended behaviors. This paper reviews emerging issues with opaque and uncontrollable AI systems and proposes an integrative framework called violet teaming to develop reliable and responsible AI. Violet teaming combines adversarial vulnerability probing (red teaming) with solutions for safety and security (blue teaming) while prioritizing ethics and social benefit. It emerged from AI safety research to manage risks proactively by design. The paper traces the evolution of red, blue, and purple teaming toward violet teaming, and then discusses applying violet techniques to address biosecurity risks of AI in biotechnology. Additional sections review key perspectives across law, ethics, cybersecurity, macrostrategy, and industry best practices essential for operationalizing responsible AI through holistic technical and social considerations. Violet teaming provides both philosophy and method for steering AI trajectories toward societal good. With conscience and wisdom, the extraordinary capabilities of AI can enrich humanity. But without adequate precaution, the risks could prove catastrophic. Violet teaming aims to empower moral technology for the common welfare.
Submitted 27 August, 2023;
originally announced August 2023.
-
MDACE: MIMIC Documents Annotated with Code Evidence
Authors:
Hua Cheng,
Rana Jafari,
April Russell,
Russell Klopfer,
Edmond Lu,
Benjamin Striner,
Matthew R. Gormley
Abstract:
We introduce a dataset for evidence/rationale extraction on an extreme multi-label classification task over long medical documents. One such task is Computer-Assisted Coding (CAC) which has improved significantly in recent years, thanks to advances in machine learning technologies. Yet simply predicting a set of final codes for a patient encounter is insufficient as CAC systems are required to provide supporting textual evidence to justify the billing codes. A model able to produce accurate and reliable supporting evidence for each code would be a tremendous benefit. However, a human annotated code evidence corpus is extremely difficult to create because it requires specialized knowledge. In this paper, we introduce MDACE, the first publicly available code evidence dataset, which is built on a subset of the MIMIC-III clinical records. The dataset -- annotated by professional medical coders -- consists of 302 Inpatient charts with 3,934 evidence spans and 52 Profee charts with 5,563 evidence spans. We implemented several evidence extraction methods based on the EffectiveCAN model (Liu et al., 2021) to establish baseline performance on this dataset. MDACE can be used to evaluate code evidence extraction methods for CAC systems, as well as the accuracy and interpretability of deep learning models for multi-label classification. We believe that the release of MDACE will greatly improve the understanding and application of deep learning technologies for medical coding and document classification.
Submitted 7 July, 2023;
originally announced July 2023.
-
EEGLog: Lifelogging EEG Data When You Listen to Music
Authors:
Jiyang Li,
Ann Gina Konnayil,
Adam Russell,
Dingran Wang,
Yincheng **,
Seokmin Choi,
Zhanpeng **
Abstract:
Self-tracking has long been discussed as a way to monitor daily activities and help users recall previous experiences. In recent years, such data-capturing techniques are no longer limited to photos, text messages, or personal diaries. With the development of wearable EEG devices, we introduce a novel modality of logging EEG data while listening to music, and bring up the idea of a neural-centric way of life with the designed data analysis application named EEGLog. Four consumer-grade wearable EEG devices are explored by collecting EEG data from 24 participants. Three modules are introduced in EEGLog: the summary module (covering EEG data, emotion reports, music listening activities, and memorial moments), the emotion detection module, and the music recommendation module. Feedback from interviews about using EEG devices and EEGLog was obtained and analyzed for future EEG logging development.
Submitted 26 November, 2022;
originally announced November 2022.
-
Adaptive Risk-Limiting Ballot Comparison Audits
Authors:
Benjamin Fuller,
Abigail Harrison,
Alexander Russell
Abstract:
Risk-limiting audits (RLAs) are rigorous statistical procedures meant to detect invalid election results. RLAs examine paper ballots cast during the election to statistically assess the possibility of a disagreement between the winner determined by the ballots and the winner reported by tabulation. The most ballot-efficient approaches proceed by "ballot comparison." However, ballot comparison requires an untrusted declaration of the contents of each cast ballot, rather than a simple tabulation of vote totals. This "cast-vote record table" (CVR) is then spot-checked against ballots for consistency. In many practical settings, the cost of generating a suitable CVR dominates the cost of conducting the audit, preventing widespread adoption of these sample-efficient techniques.
We introduce a new RLA procedure: an "adaptive ballot comparison" audit. In this audit, a global CVR is never produced; instead, a three-stage procedure is iterated:
1) a batch is selected,
2) a CVR is produced for that batch, and
3) a ballot within the batch is sampled, inspected by auditors, and compared with the CVR.
We prove that such an audit can achieve risk commensurate with standard comparison audits while generating a fraction of the CVR. We present three main contributions:
1) a formal adversarial model for RLAs;
2) definition and analysis of an adaptive audit procedure with rigorous risk limits and an associated correctness analysis accounting for the incidental errors arising in typical audits; and
3) an analysis of practical efficiency.
This method can be organized in rounds (as is typical for comparison audits) where sampled CVRs are produced in parallel. Using data from Florida's 2020 presidential election with 5% risk and 1% margin, only 22% of the CVR is generated; at 10% margin, only 2% is generated.
Submitted 22 December, 2022; v1 submitted 5 February, 2022;
originally announced February 2022.
-
Mathematical Analysis of Redistricting in Utah
Authors:
Annika King,
Jacob Murri,
Jake Callahan,
Adrienne Russell,
Tyler J. Jarvis
Abstract:
We discuss difficulties of evaluating partisan gerrymandering in the congressional districts in Utah and the failure of many common metrics in Utah. We explain why the Republican vote share in the least-Republican district (LRVS) is a good indicator of the advantage or disadvantage each party has in the Utah congressional districts. Although the LRVS only makes sense in settings with at most one competitive district, in that setting it directly captures the extent to which a given redistricting plan gives advantage or disadvantage to the Republican and Democratic parties. We use the LRVS to evaluate the most common measures of partisan gerrymandering in the context of Utah's 2011 congressional districts. We do this by generating large ensembles of alternative redistricting plans using Markov chain Monte Carlo methods. We also discuss the implications of this new metric and our results on the question of whether the 2011 Utah congressional plan was gerrymandered.
Submitted 19 July, 2022; v1 submitted 12 July, 2021;
originally announced July 2021.
-
Consistency of Proof-of-Stake Blockchains with Concurrent Honest Slot Leaders
Authors:
Aggelos Kiayias,
Saad Quader,
Alexander Russell
Abstract:
We improve the fundamental security threshold of eventual consensus Proof-of-Stake (PoS) blockchain protocols under the longest-chain rule by showing, for the first time, the positive effect of rounds with concurrent honest leaders.
Current security analyses reduce consistency to the dynamics of an abstract, round-based block creation process that is determined by three events associated with a round: (i) event $A$: at least one adversarial leader, (ii) event $S$: a single honest leader, and (iii) event $M$: multiple, but honest, leaders. We present an asymptotically optimal consistency analysis assuming that an honest round is more likely than an adversarial round (i.e., $\Pr[S] + \Pr[M] > \Pr[A]$); this threshold is optimal. This is a first in the literature and can be applied to both the simple synchronous communication as well as communication with bounded delays.
In all existing consistency analyses, event $M$ is either penalized or treated neutrally. Specifically, the consistency analyses in Ouroboros Praos (Eurocrypt 2018) and Genesis (CCS 2018) assume that $\Pr[S] - \Pr[M] > \Pr[A]$; the analyses in Sleepy Consensus (Asiacrypt 2017) and Snow White (Fin. Crypto 2019) assume that $\Pr[S] > \Pr[A]$. Moreover, all existing analyses completely break down when $\Pr[S] < \Pr[A]$. These thresholds determine the critical trade-off between the honest majority, network delays, and consistency error.
Our new results can be directly applied to improve the security guarantees of the existing protocols. We also provide an efficient algorithm to explicitly calculate these error probabilities in the synchronous setting. Furthermore, we complement these results by analyzing the setting where $S$ is rare, even allowing $\Pr[S] = 0$, under the added assumption that honest players adopt a consistent chain selection rule.
Submitted 28 July, 2020; v1 submitted 14 January, 2020;
originally announced January 2020.
-
Linear Consistency for Proof-of-Stake Blockchains
Authors:
Erica Blum,
Aggelos Kiayias,
Cristopher Moore,
Saad Quader,
Alexander Russell
Abstract:
The blockchain data structure maintained via the longest-chain rule---popularized by Bitcoin---is a powerful algorithmic tool for consensus algorithms. Such algorithms achieve consistency for blocks in the chain as a function of their depth from the end of the chain. While the analysis of Bitcoin guarantees consistency with error $2^{-k}$ for blocks of depth $O(k)$, the state-of-the-art of proof-of-stake (PoS) blockchains suffers from a quadratic dependence on $k$: these protocols, exemplified by Ouroboros (Crypto 2017), Ouroboros Praos (Eurocrypt 2018) and Sleepy Consensus (Asiacrypt 2017), can only establish that depth $\Theta(k^2)$ is sufficient. Whether this quadratic gap is an intrinsic limitation of PoS---due to issues such as the nothing-at-stake problem---has been an urgent open question, as deployed PoS blockchains further rely on consistency for protocol correctness.
We give an axiomatic theory of blockchain dynamics that permits rigorous reasoning about the longest-chain rule and achieve, in broad generality, $\Theta(k)$ dependence on depth in order to achieve consistency error $2^{-k}$. In particular, for the first time, we show that PoS protocols can match proof-of-work protocols for linear consistency. We analyze the associated stochastic process, give a recursive relation for the critical functionals of this process, and derive tail bounds in both i.i.d. and martingale settings via associated generating functions.
Submitted 22 November, 2019;
originally announced November 2019.
-
Efficient simulation of random states and random unitaries
Authors:
Gorjan Alagic,
Christian Majenz,
Alexander Russell
Abstract:
We consider the problem of efficiently simulating random quantum states and random unitary operators, in a manner which is convincing to unbounded adversaries with black-box oracle access.
This problem has previously only been considered for restricted adversaries. Against adversaries with an a priori bound on the number of queries, it is well-known that $t$-designs suffice. Against polynomial-time adversaries, one can use pseudorandom states (PRS) and pseudorandom unitaries (PRU), as defined in a recent work of Ji, Liu, and Song; unfortunately, no provably secure construction is known for PRUs.
In our setting, we are concerned with unbounded adversaries. Nonetheless, we are able to give stateful quantum algorithms which simulate the ideal object in both settings of interest. In the case of Haar-random states, our simulator is polynomial-time, has negligible error, and can also simulate verification and reflection through the simulated state. This yields an immediate application to quantum money: a money scheme which is information-theoretically unforgeable and untraceable. In the case of Haar-random unitaries, our simulator takes polynomial space, but simulates both forward and inverse access with zero error.
These results can be seen as the first significant steps in developing a theory of lazy sampling for random quantum objects.
Submitted 13 October, 2019;
originally announced October 2019.
-
How to Realize a Graph on Random Points
Authors:
Saad Quader,
Alexander Russell
Abstract:
We are given an integer $d$, a graph $G=(V,E)$, and a uniformly random embedding $f : V \rightarrow \{0,1\}^d$ of the vertices. We are interested in the probability that $G$ can be "realized" by a scaled Euclidean norm on $\mathbb{R}^d$, in the sense that there exists a non-negative scaling $w \in \mathbb{R}^d$ and a real threshold $\theta > 0$ so that
\[
(u,v) \in E \qquad \text{if and only if} \qquad \Vert f(u) - f(v) \Vert_w^2 < \theta\,,
\]
where $\| x \|_w^2 = \sum_i w_i x_i^2$.
These constraints are similar to those found in the Euclidean minimum spanning tree (EMST) realization problem. A crucial difference is that the realization map is (partially) determined by the random variable $f$.
In this paper, we consider embeddings $f : V \rightarrow \{ x, y\}^d$ for arbitrary $x, y \in \mathbb{R}$. We prove that arbitrary trees can be realized with high probability when $d = \Omega(n \log n)$. We prove an analogous result for graphs parametrized by the arboricity: specifically, we show that an arbitrary graph $G$ with arboricity $a$ can be realized with high probability when $d = \Omega(n a^2 \log n)$. Additionally, if $r$ is the minimum effective resistance of the edges, $G$ can be realized with high probability when $d=\Omega\left((n/r^2)\log n\right)$. Next, we show that it is necessary to have $d \geq \binom{n}{2}/6$ to realize random graphs, or $d \geq n/2$ to realize random spanning trees of the complete graph. This is true even if we permit an arbitrary embedding $f : V \rightarrow \{ x, y\}^d$ for any $x, y \in \mathbb{R}$ or negative weights. Along the way, we prove a probabilistic analog of Radon's theorem for convex sets in $\{0,1\}^d$.
Our tree-realization result can complement existing results on statistical inference for gene expression data which involves realizing a tree, such as [GJP15].
Submitted 23 April, 2018;
originally announced April 2018.
-
Quantum-secure message authentication via blind-unforgeability
Authors:
Gorjan Alagic,
Christian Majenz,
Alexander Russell,
Fang Song
Abstract:
Formulating and designing authentication of classical messages in the presence of adversaries with quantum query access has been a longstanding challenge, as the familiar classical notions of unforgeability do not directly translate into meaningful notions in the quantum setting. A particular difficulty is how to fairly capture the notion of "predicting an unqueried value" when the adversary can query in quantum superposition.
We propose a natural definition of unforgeability against quantum adversaries called blind unforgeability. This notion defines a function to be predictable if there exists an adversary who can use "partially blinded" oracle access to predict values in the blinded region. We support the proposal with a number of technical results. We begin by establishing that the notion coincides with EUF-CMA in the classical setting and go on to demonstrate that the notion is satisfied by a number of simple guiding examples, such as random functions and quantum-query-secure pseudorandom functions. We then show the suitability of blind unforgeability for supporting canonical constructions and reductions. We prove that the "hash-and-MAC" paradigm and the Lamport one-time digital signature scheme are indeed unforgeable according to the definition. To support our analysis, we additionally define and study a new variety of quantum-secure hash functions called Bernoulli-preserving.
Finally, we demonstrate that blind unforgeability is stronger than a previous definition of Boneh and Zhandry [EUROCRYPT '13, CRYPTO '13] in the sense that we can construct an explicit function family which is forgeable by an attack that is recognized by blind-unforgeability, yet satisfies the definition by Boneh and Zhandry.
Submitted 20 April, 2023; v1 submitted 10 March, 2018;
originally announced March 2018.
-
Quantum-Secure Symmetric-Key Cryptography Based on Hidden Shifts
Authors:
Gorjan Alagic,
Alexander Russell
Abstract:
Recent results of Kaplan et al., building on previous work by Kuwakado and Morii, have shown that a wide variety of classically-secure symmetric-key cryptosystems can be completely broken by quantum chosen-plaintext attacks (qCPA). In such an attack, the quantum adversary has the ability to query the cryptographic functionality in superposition. The vulnerable cryptosystems include the Even-Mansour block cipher, the three-round Feistel network, the Encrypted-CBC-MAC, and many others. In this work, we study simple algebraic adaptations of such schemes that replace $(\mathbb Z/2)^n$ addition with operations over alternate finite groups--such as $\mathbb Z/{2^n}$--and provide evidence that these adaptations are qCPA-secure. These adaptations furthermore retain the classical security properties (and basic structural features) enjoyed by the original schemes.
We establish security by treating the (quantum) hardness of the well-studied Hidden Shift problem as a basic cryptographic assumption. We observe that this problem has a number of attractive features in this cryptographic context, including random self-reducibility, hardness amplification, and--in many cases of interest--a reduction from the "search version" to the "decisional version." We then establish, under this assumption, the qCPA-security of several such Hidden Shift adaptations of symmetric-key constructions. We show that a Hidden Shift version of the Even-Mansour block cipher yields a quantum-secure pseudorandom function, and that a Hidden Shift version of the Encrypted CBC-MAC yields a collision-resistant hash function. Finally, we observe that such adaptations frustrate the direct Simon's algorithm-based attacks in more general circumstances, e.g., Feistel networks and slide attacks.
Submitted 10 March, 2017; v1 submitted 4 October, 2016;
originally announced October 2016.
-
Codes, Lower Bounds, and Phase Transitions in the Symmetric Rendezvous Problem
Authors:
Varsha Dani,
Thomas P. Hayes,
Cristopher Moore,
Alexander Russell
Abstract:
In the rendezvous problem, two parties with different labelings of the vertices of a complete graph are trying to meet at some vertex at the same time. It is well-known that if the parties have predetermined roles, then the strategy where one of them waits at one vertex, while the other visits all $n$ vertices in random order is optimal, taking at most $n$ steps and averaging about $n/2$. Anderson and Weber considered the symmetric rendezvous problem, where both parties must use the same randomized strategy. They analyzed strategies where the parties repeatedly play the optimal asymmetric strategy, determining their role independently each time by a biased coin-flip. By tuning the bias, Anderson and Weber achieved an expected meeting time of about $0.829 n$, which they conjectured to be asymptotically optimal.
We change perspective slightly: instead of minimizing the expected meeting time, we seek to maximize the probability of meeting within a specified time $T$. The Anderson-Weber strategy, which fails with constant probability when $T = \Theta(n)$, is not asymptotically optimal for large $T$ in this setting. Specifically, we exhibit a symmetric strategy that succeeds with probability $1-o(1)$ in $T=4n$ steps. This is tight: for any $\alpha < 4$, any symmetric strategy with $T = \alpha n$ fails with constant probability. Our strategy uses a new combinatorial object that we dub a "rendezvous code," which may be of independent interest.
When $T \le n$, we show that the probability of meeting within $T$ steps is indeed asymptotically maximized by the Anderson-Weber strategy. Our results imply new lower bounds, showing that the best symmetric strategy takes at least $0.638 n$ steps in expectation. We also present some partial results for the symmetric rendezvous problem on other vertex-transitive graphs.
Submitted 6 September, 2016;
originally announced September 2016.
-
Heat and Noise on Cubes and Spheres: The Sensitivity of Randomly Rotated Polynomial Threshold Functions
Authors:
Cristopher Moore,
Alexander Russell
Abstract:
We establish a precise relationship between spherical harmonics and Fourier basis functions over a hypercube randomly embedded in the sphere. In particular, we give a bound on the expected Boolean noise sensitivity of a randomly rotated function in terms of its "spherical sensitivity," which we define according to its evolution under the spherical heat equation. As an application, we prove an average case of the Gotsman-Linial conjecture, bounding the sensitivity of polynomial threshold functions subjected to a random rotation.
Submitted 22 August, 2014;
originally announced August 2014.
-
Technical Report: Dealing with Undependable Workers in Decentralized Network Supercomputing
Authors:
Seda Davtyan,
Kishori M. Konwar,
Alexander Russell,
Alexander A. Shvartsman
Abstract:
Internet supercomputing is an approach to solving partitionable, computation-intensive problems by harnessing the power of a vast number of interconnected computers. This paper presents a new algorithm for the problem of using network supercomputing to perform a large collection of independent tasks, while dealing with undependable processors. The adversary may cause the processors to return bogus results for tasks with certain probabilities, and may cause a subset $F$ of the initial set of processors $P$ to crash. The adversary is constrained in two ways. First, for the set of non-crashed processors $P-F$, the \emph{average} probability of a processor returning a bogus result is less than $\frac{1}{2}$. Second, the adversary may crash a subset of processors $F$, provided the size of $P-F$ is bounded from below. We consider two models: the first bounds the size of $P-F$ by a fractional polynomial, the second bounds this size by a poly-logarithm. Both models yield adversaries that are much stronger than previously studied. Our randomized synchronous algorithm is formulated for $n$ processors and $t$ tasks, with $n\le t$, where depending on the number of crashes each live processor is able to terminate dynamically with the knowledge that the problem is solved with high probability. For the adversary constrained by a fractional polynomial, the round complexity of the algorithm is $O(\frac{t}{n^\varepsilon}\log{n}\log{\log{n}})$, its work is $O(t\log{n} \log{\log{n}})$ and its message complexity is $O(n\log{n}\log{\log{n}})$. For the poly-log constrained adversary, the round complexity is $O(t)$, work is $O(t n^{\varepsilon})$, and message complexity is $O(n^{1+\varepsilon})$. All bounds are shown to hold with high probability.
Submitted 1 July, 2014;
originally announced July 2014.
-
Deterministic Blind Rendezvous in Cognitive Radio Networks
Authors:
Sixia Chen,
Alexander Russell,
Abhishek Samanta,
Ravi Sundaram
Abstract:
Blind rendezvous is a fundamental problem in cognitive radio networks. The problem involves a collection of agents (radios) that wish to discover each other in the blind setting where there is no shared infrastructure and they initially have no knowledge of each other. Time is divided into discrete slots; spectrum is divided into discrete channels, $\{1,2,..., n\}$. Each agent may access a single channel in a single time slot and we say that two agents rendezvous when they access the same channel in the same time slot. The model is asymmetric: each agent $A_i$ may only use a particular subset $S_i$ of the channels and different agents may have access to different subsets of channels. The goal is to design deterministic channel hopping schedules for each agent so as to guarantee rendezvous between any pair of agents with overlapping channel sets.
Two independent sets of authors, Shin et al. and Lin et al., gave the first constructions guaranteeing asynchronous blind rendezvous in $O(n^2)$ and $O(n^3)$ time, respectively. We present a substantially improved construction guaranteeing that any two agents, $A_i$, $A_j$, will rendezvous in $O(|S_i| |S_j| \log\log n)$ time. Our results are the first that achieve nontrivial dependence on $|S_i|$, the size of the set of available channels. This allows us, for example, to save roughly a quadratic factor over the best previous results in the important case when channel subsets have constant size. We also achieve the best possible bound of $O(1)$ time for the symmetric situation; previous works could do no better than $O(n)$. Using the probabilistic method and Ramsey theory we provide evidence in support of our suspicion that our construction is asymptotically optimal for small size channel subsets: we show both a $c |S_i||S_j|$ lower bound and a $c \log\log n$ lower bound when $|S_i|, |S_j| \leq n/2$.
Submitted 28 January, 2014;
originally announced January 2014.
-
Small-Bias Sets for Nonabelian Groups: Derandomizing the Alon-Roichman Theorem
Authors:
Sixia Chen,
Cristopher Moore,
Alexander Russell
Abstract:
In analogy with epsilon-biased sets over Z_2^n, we construct explicit epsilon-biased sets over nonabelian finite groups G. That is, we find sets S subset G such that | Exp_{x in S} rho(x)| <= epsilon for any nontrivial irreducible representation rho. Equivalently, such sets make G's Cayley graph an expander with eigenvalue |lambda| <= epsilon. The Alon-Roichman theorem shows that random sets of size O(log |G| / epsilon^2) suffice. For groups of the form G = G_1 x ... x G_n, our construction has size poly(max_i |G_i|, n, epsilon^{-1}), and we show that a set S \subset G^n considered by Meka and Zuckerman that fools read-once branching programs over G is also epsilon-biased in this sense. For solvable groups whose abelian quotients have constant exponent, we obtain epsilon-biased sets of size (log |G|)^{1+o(1)} poly(epsilon^{-1}). Our techniques include derandomized squaring (in both the matrix product and tensor product senses) and a Chernoff-like bound on the expected norm of the product of independently random operators that may be of independent interest.
Submitted 30 April, 2013; v1 submitted 17 April, 2013;
originally announced April 2013.
-
Quantum Fourier Transforms and the Complexity of Link Invariants for Quantum Doubles of Finite Groups
Authors:
Hari Krovi,
Alexander Russell
Abstract:
Knot and link invariants naturally arise from any braided Hopf algebra. We consider the computational complexity of the invariants arising from an elementary family of finite-dimensional Hopf algebras: quantum doubles of finite groups (denoted D(G), for a group G). Regarding algorithms for these invariants, we develop quantum circuits for the quantum Fourier transform over D(G); in general, we show that when one can uniformly and efficiently carry out the quantum Fourier transform over the centralizers Z(g) of the elements of G, one can efficiently carry out the quantum Fourier transform over D(G). We apply these results to the symmetric groups to yield efficient circuits for the quantum Fourier transform over D(S_n). With such a Fourier transform, it is straightforward to obtain additive approximation algorithms for the related link invariant. Additionally, we show that certain D(G) invariants (such as D(A_n) invariants) are BPP-hard to additively approximate, SBP-hard to multiplicatively approximate, and #P-hard to exactly evaluate. Finally, we make partial progress on the question of simulating anyonic computation in groups uniformly as a function of the group size. In this direction, we provide efficient quantum circuits for the Clebsch-Gordan transform over D(G) for "fluxon" irreps, i.e., irreps of D(G) characterized by a conjugacy class of G. For general irreps, i.e., those which are associated with a conjugacy class of G and an irrep of a centralizer, we present an efficient implementation under certain conditions such as when there is an efficient Clebsch-Gordan transform over the centralizers. We remark that this also provides a simulation of certain anyonic models of quantum computation, even in circumstances where the group may have size exponential in the size of the circuit.
Submitted 24 July, 2013; v1 submitted 4 October, 2012;
originally announced October 2012.
-
Optimal epsilon-biased sets with just a little randomness
Authors:
Cristopher Moore,
Alexander Russell
Abstract:
Subsets of F_2^n that are eps-biased, meaning that the parity of any set of bits is even or odd with probability eps close to 1/2, are powerful tools for derandomization. A simple randomized construction shows that such sets exist of size O(n/eps^2), and known deterministic constructions achieve sets of size O(n/eps^3), O(n^2/eps^2), and O((n/eps^2)^{5/4}). Rather than derandomizing these sets completely in exchange for making them larger, we attempt a partial derandomization while keeping them small, constructing sets of size O(n/eps^2) with as few random bits as possible. The naive randomized construction requires O(n^2/eps^2) random bits. We give two constructions. The first uses Nisan's space-bounded pseudorandom generator to partly derandomize a folklore probabilistic construction of an error-correcting code, and requires O(n log (1/eps)) bits. Our second construction requires O(n log (n/eps)) bits, but is more elementary; it adds randomness to the Legendre symbol construction of Alon, Goldreich, Håstad, and Peralta, and uses Weil sums to bound high moments of the bias.
Submitted 17 April, 2013; v1 submitted 28 May, 2012;
originally announced May 2012.
-
An Entropic Proof of Chang's Inequality
Authors:
Russell Impagliazzo,
Cristopher Moore,
Alexander Russell
Abstract:
Chang's lemma is a useful tool in additive combinatorics and the analysis of Boolean functions. Here we give an elementary proof using entropy. The constant we obtain is tight, and we give a slight improvement in the case where the variables are highly biased.
Submitted 16 May, 2012; v1 submitted 1 May, 2012;
originally announced May 2012.
-
Quantum Fourier sampling, Code Equivalence, and the quantum security of the McEliece and Sidelnikov cryptosystems
Authors:
Hang Dinh,
Cristopher Moore,
Alexander Russell
Abstract:
The Code Equivalence problem is that of determining whether two given linear codes are equivalent to each other up to a permutation of the coordinates. This problem has a direct reduction to a nonabelian hidden subgroup problem (HSP), suggesting a possible quantum algorithm analogous to Shor's algorithms for factoring or discrete log. However, we recently showed that in many cases of interest---including Goppa codes---solving this case of the HSP requires rich, entangled measurements. Thus, solving these cases of Code Equivalence via Fourier sampling appears to be out of reach of current families of quantum algorithms.
Code equivalence is directly related to the security of McEliece-type cryptosystems in the case where the private code is known to the adversary. However, for many codes the support splitting algorithm of Sendrier provides a classical attack in this case. We revisit the claims of our previous article in the light of these classical attacks, and discuss the particular case of the Sidelnikov cryptosystem, which is based on Reed-Muller codes.
Submitted 18 November, 2011;
originally announced November 2011.
-
Approximate Representations and Approximate Homomorphisms
Authors:
Cristopher Moore,
Alexander Russell
Abstract:
Approximate algebraic structures play a defining role in arithmetic combinatorics and have found remarkable applications to basic questions in number theory and pseudorandomness. Here we study approximate representations of finite groups: functions f:G -> U_d such that Pr[f(xy) = f(x) f(y)] is large, or more generally Exp_{x,y} ||f(xy) - f(x)f(y)||^2 is small, where x and y are uniformly random elements of the group G and U_d denotes the unitary group of degree d. We bound these quantities in terms of the ratio d / d_min where d_min is the dimension of the smallest nontrivial representation of G. As an application, we bound the extent to which a function f : G -> H can be an approximate homomorphism where H is another finite group. We show that if H's representations are significantly smaller than G's, no such f can be much more homomorphic than a random function.
We interpret these results as showing that if G is quasirandom, that is, if d_min is large, then G cannot be embedded in a small number of dimensions, or in a less-quasirandom group, without significant distortion of G's multiplicative structure. We also prove that our bounds are tight by showing that minors of genuine representations and their polar decompositions are essentially optimal approximate representations.
Submitted 30 September, 2010;
originally announced September 2010.
-
Regarding a Representation-Theoretic Conjecture of Wigderson
Authors:
Cristopher Moore,
Alexander Russell
Abstract:
We show that there exists a family of irreducible representations R_i (of finite groups G_i) such that, for any constant t, the average of R_i over t uniformly random elements g_1, ..., g_t of G_i has operator norm 1 with probability approaching 1 as i limits to infinity. This settles a conjecture of Wigderson in the negative.
Submitted 21 September, 2010;
originally announced September 2010.
-
The McEliece Cryptosystem Resists Quantum Fourier Sampling Attacks
Authors:
Hang Dinh,
Cristopher Moore,
Alexander Russell
Abstract:
Quantum computers can break the RSA and El Gamal public-key cryptosystems, since they can factor integers and extract discrete logarithms. If we believe that quantum computers will someday become a reality, we would like to have \emph{post-quantum} cryptosystems which can be implemented today with classical computers, but which will remain secure even in the presence of quantum attacks.
In this article we show that the McEliece cryptosystem over \emph{well-permuted, well-scrambled} linear codes resists precisely the attacks to which the RSA and El Gamal cryptosystems are vulnerable---namely, those based on generating and measuring coset states. This eliminates the approach of strong Fourier sampling on which almost all known exponential speedups by quantum algorithms are based. Specifically, we show that the natural case of the Hidden Subgroup Problem to which the McEliece cryptosystem reduces cannot be solved by strong Fourier sampling, or by any measurement of a coset state. We start with recent negative results on quantum algorithms for Graph Isomorphism, which are based on particular subgroups of size two, and extend them to subgroups of arbitrary structure, including the automorphism groups of linear codes. This allows us to obtain the first rigorous results on the security of the McEliece cryptosystem in the face of quantum adversaries, strengthening its candidacy for post-quantum cryptography.
Submitted 15 October, 2010; v1 submitted 13 August, 2010;
originally announced August 2010.
-
How close can we come to a parity function when there isn't one?
Authors:
Cristopher Moore,
Alexander Russell
Abstract:
Consider a group G such that there is no homomorphism f:G to {+1,-1}. In that case, how close can we come to such a homomorphism? We show that if f has zero expectation, then the probability that f(xy) = f(x) f(y), where x, y are chosen uniformly and independently from G, is at most 1/2(1+1/sqrt{d}), where d is the dimension of G's smallest nontrivial irreducible representation. For the alternating group A_n, for instance, d=n-1. On the other hand, A_n contains a subgroup isomorphic to S_{n-2}, whose parity function we can extend to obtain an f for which this probability is 1/2(1+1/{n \choose 2}). Thus the extent to which f can be "more homomorphic" than a random function from A_n to {+1,-1} lies between O(n^{-1/2}) and Omega(n^{-2}).
Submitted 26 May, 2010;
originally announced May 2010.
-
Circuit partitions and #P-complete products of inner products
Authors:
Cristopher Moore,
Alexander Russell
Abstract:
We present a simple, natural #P-complete problem. Let G be a directed graph, and let k be a positive integer. We define q(G;k) as follows. At each vertex v, we place a k-dimensional complex vector x_v. We take the product, over all edges (u,v), of the inner product <x_u,x_v>. Finally, q(G;k) is the expectation of this product, where the x_v are chosen uniformly and independently from all vectors of norm 1 (or, alternately, from the Gaussian distribution). We show that q(G;k) is proportional to G's cycle partition polynomial, and therefore that it is #P-complete for any k>1.
Submitted 13 January, 2010;
originally announced January 2010.
-
Randomness Efficient Steganography
Authors:
Aggelos Kiayias,
Alexander Russell,
Narasimha Shashidhar
Abstract:
Steganographic protocols enable one to embed covert messages into inconspicuous data over a public communication channel in such a way that no one, aside from the sender and the intended receiver, can even detect the presence of the secret message. In this paper, we provide a new provably-secure, private-key steganographic encryption protocol secure in the framework of Hopper et al. We first present a "one-time stegosystem" that allows two parties to transmit messages of length at most that of the shared key with information-theoretic security guarantees. The employment of a pseudorandom generator (PRG) permits secure transmission of longer messages in the same way that such a generator allows the use of one-time pad encryption for messages longer than the key in symmetric encryption. The advantage of our construction, compared to all previous work, is randomness efficiency: in the information-theoretic setting our protocol embeds a message of length n bits using a shared secret key of length (1+o(1))n bits while achieving security 2^{-n/log^{O(1)}n}; simply put, this gives a rate of key over message that is 1 as n tends to infinity (the previous best result achieved a constant rate greater than 1 regardless of the security offered). In this sense, our protocol is the first truly randomness-efficient steganographic system. Furthermore, in our protocol, we can permit a portion of the shared secret key to be public while retaining precisely n private key bits. In this setting, by separating the public and the private randomness of the shared key, we achieve security of 2^{-n}. Our result comes as an effect of the application of randomness extractors to stegosystem design. To the best of our knowledge this is the first time extractors have been applied in steganography.
Submitted 3 February, 2012; v1 submitted 24 September, 2009;
originally announced September 2009.
-
Efficient Steganography with Provable Security Guarantees
Authors:
Aggelos Kiayias,
Yona Raekow,
Alexander Russell,
Narasimha Shashidhar
Abstract:
We provide a new provably-secure steganographic encryption protocol that is proven secure in the complexity-theoretic framework of Hopper et al. The fundamental building block of our steganographic encryption protocol is a "one-time stegosystem" that allows two parties to transmit messages of length shorter than the shared key with information-theoretic security guarantees. The employment of a pseudorandom generator (PRG) permits secure transmission of longer messages in the same way that such a generator allows the use of one-time pad encryption for messages longer than the key in symmetric encryption. The advantage of our construction, compared to that of Hopper et al., is that it avoids the use of a pseudorandom function family and instead relies (directly) on a pseudorandom generator in a way that provides linear improvement in the number of applications of the underlying one-way permutation per transmitted bit. This advantageous trade-off is achieved by substituting the pseudorandom function family employed in the previous construction with an appropriate combinatorial construction that has been used extensively in derandomization, namely almost t-wise independent function families.
Submitted 20 September, 2009;
originally announced September 2009.
-
Bounds on the quantum satisfiability threshold
Authors:
Sergey Bravyi,
Cristopher Moore,
Alexander Russell
Abstract:
Quantum k-SAT is the problem of deciding whether there is an n-qubit state which is perpendicular to a set of vectors, each of which lies in the Hilbert space of k qubits. Equivalently, the problem is to decide whether a particular type of local Hamiltonian has a ground state with zero energy. We consider random quantum k-SAT formulas with n variables and $m = \alpha n$ clauses, and ask at what value of $\alpha$ these formulas cease to be satisfiable. We show that the threshold for random quantum 3-SAT is at most 3.594. For comparison, convincing arguments from statistical physics suggest that the classical 3-SAT threshold is $\alpha \approx 4.267$. For larger k, we show that the quantum threshold is a constant factor smaller than the classical one. Our bounds work by determining the generic rank of the satisfying subspace for certain gadgets, and then using the technique of differential equations to analyze various algorithms that partition the hypergraph into a collection of these gadgets. Our use of differential equations to establish upper bounds on a satisfiability threshold appears to be novel, and our techniques may apply to various classical problems as well.
Submitted 18 September, 2014; v1 submitted 7 July, 2009;
originally announced July 2009.
-
Approximating the Permanent via Nonabelian Determinants
Authors:
Cristopher Moore,
Alexander Russell
Abstract:
Celebrated work of Jerrum, Sinclair, and Vigoda has established that the permanent of a {0,1} matrix can be approximated in randomized polynomial time by using a rapidly mixing Markov chain. A separate strand of the literature has pursued the possibility of an alternate, purely algebraic, polynomial-time approximation scheme. These schemes work by replacing each 1 with a random element of an algebra A, and considering the determinant of the resulting matrix. When A is noncommutative, this determinant can be defined in several ways. We show that for estimators based on the conventional determinant, the critical ratio of the second moment to the square of the first--and therefore the number of trials we need to obtain a good estimate of the permanent--is (1 + O(1/d))^n when A is the algebra of d by d matrices. These results can be extended to group algebras, and semi-simple algebras in general. We also study the symmetrized determinant of Barvinok, showing that the resulting estimator has small variance when d is large enough. However, for constant d--the only case in which an efficient algorithm is known--we show that the critical ratio exceeds 2^{n} / n^{O(d)}. Thus our results do not provide a new polynomial-time approximation scheme for the permanent. Indeed, they suggest that the algebraic approach to approximating the permanent faces significant obstacles.
We obtain these results using diagrammatic techniques in which we express matrix products as contractions of tensor products. When these matrices are random, in either the Haar measure or the Gaussian measure, we can evaluate the trace of these products in terms of the cycle structure of a suitably random permutation. In the symmetrized case, our estimates are then derived by a connection with the character theory of the symmetric group.
Submitted 9 June, 2009;
originally announced June 2009.
-
The One-Way Communication Complexity of Group Membership
Authors:
Scott Aaronson,
François Le Gall,
Alexander Russell,
Seiichiro Tani
Abstract:
This paper studies the one-way communication complexity of the subgroup membership problem, a classical problem closely related to basic questions in quantum computing. Here Alice receives, as input, a subgroup $H$ of a finite group $G$; Bob receives an element $x \in G$. Alice is permitted to send a single message to Bob, after which he must decide if his input $x$ is an element of $H$. We prove the following upper bounds on the classical communication complexity of this problem in the bounded-error setting: (1) The problem can be solved with $O(\log |G|)$ communication, provided the subgroup $H$ is normal; (2) The problem can be solved with $O(d_{\max} \cdot \log |G|)$ communication, where $d_{\max}$ is the maximum of the dimensions of the irreducible complex representations of $G$; (3) For any prime $p$ not dividing $|G|$, the problem can be solved with $O(d_{\max} \cdot \log p)$ communication, where $d_{\max}$ is the maximum of the dimensions of the irreducible $\mathbb{F}_p$-representations of $G$.
Submitted 21 February, 2009; v1 submitted 18 February, 2009;
originally announced February 2009.
-
A simple constant-probability RP reduction from NP to Parity P
Authors:
Cristopher Moore,
Alexander Russell
Abstract:
The proof of Toda's celebrated theorem that the polynomial hierarchy is contained in $P^{\# P}$ relies on the fact that, under mild technical conditions on the complexity class $C$, we have $\exists C \subset BP \cdot \oplus C$. More concretely, there is a randomized reduction which transforms nonempty sets and the empty set, respectively, into sets of odd or even size. The customary method is to invoke Valiant and Vazirani's randomized reduction from NP to UP, followed by amplification of the resulting success probability from $1/\mathrm{poly}(n)$ to a constant by combining the parities of $\mathrm{poly}(n)$ trials. Here we give a direct algebraic reduction which achieves constant success probability without the need for amplification. Our reduction is very simple, and its analysis relies on well-known properties of the Legendre symbol in finite fields.
Submitted 6 October, 2008;
originally announced October 2008.
-
Quantum and Randomized Lower Bounds for Local Search on Vertex-Transitive Graphs
Authors:
Hang Dinh,
Alexander Russell
Abstract:
We study the problem of \emph{local search} on a graph. Given a real-valued black-box function f on the graph's vertices, this is the problem of determining a local minimum of f--a vertex v for which f(v) is no more than f evaluated at any of v's neighbors. In 1983, Aldous gave the first strong lower bounds for the problem, showing that any randomized algorithm requires $\Omega(2^{n/2 - o(1)})$ queries to determine a local minimum on the n-dimensional hypercube. The next major step forward was not until 2004 when Aaronson, introducing a new method for query complexity bounds, both strengthened this lower bound to $\Omega(2^{n/2}/n^2)$ and gave an analogous lower bound on the quantum query complexity. While these bounds are very strong, they are known only for narrow families of graphs (hypercubes and grids). We show how to generalize Aaronson's techniques in order to give randomized (and quantum) lower bounds on the query complexity of local search for the family of vertex-transitive graphs. In particular, we show that for any vertex-transitive graph G of N vertices and diameter d, the randomized and quantum query complexities for local search on G are $\Omega(N^{1/2}/(d\log N))$ and $\Omega(N^{1/4}/\sqrt{d\log N})$, respectively.
Submitted 20 June, 2008;
originally announced June 2008.
-
Randomized Work-Competitive Scheduling for Cooperative Computing on $k$-partite Task Graphs
Authors:
Chadi Kari,
Alexander Russell,
Narasimha Shashidhar
Abstract:
A fundamental problem in distributed computing is the task of cooperatively executing a given set of $t$ tasks by $p$ processors where the communication medium is dynamic and subject to failures. The dynamics of the communication medium lead to groups of processors being disconnected and possibly reconnected during the entire course of the computation; furthermore, tasks can have dependencies among them. In this paper, we present a randomized algorithm whose competitive ratio is dependent on the dynamics of the communication medium and also on the nature of the dependencies among the tasks.
Submitted 24 March, 2012; v1 submitted 8 May, 2008;
originally announced May 2008.
-
On the Impossibility of a Quantum Sieve Algorithm for Graph Isomorphism
Authors:
Cristopher Moore,
Alexander Russell
Abstract:
It is known that any quantum algorithm for Graph Isomorphism that works within the framework of the hidden subgroup problem (HSP) must perform highly entangled measurements across Omega(n log n) coset states. One of the only known models for how such a measurement could be carried out efficiently is Kuperberg's algorithm for the HSP in the dihedral group, in which quantum states are adaptively combined and measured according to the decomposition of tensor products into irreducible representations. This "quantum sieve" starts with coset states, and works its way down towards representations whose probabilities differ depending on, for example, whether the hidden subgroup is trivial or nontrivial.
In this paper we give strong evidence that no such approach can succeed for Graph Isomorphism. Specifically, we consider the natural reduction of Graph Isomorphism to the HSP over the wreath product S_n \wr Z_2. We show, modulo a group-theoretic conjecture regarding the asymptotic characters of the symmetric group, that no matter what rule we use to adaptively combine quantum states, there is a constant b > 0 such that no algorithm in this family can solve Graph Isomorphism in e^{b \sqrt{n}} time. In particular, such algorithms are essentially no better than the best known classical algorithms, whose running time is e^{O(\sqrt{n \log n})}.
Submitted 18 September, 2006;
originally announced September 2006.
-
The Symmetric Group Defies Strong Fourier Sampling: Part II
Authors:
Cristopher Moore,
Alexander Russell
Abstract:
Part I of this paper showed that the hidden subgroup problem over the symmetric group--including the special case relevant to Graph Isomorphism--cannot be efficiently solved by strong Fourier sampling, even if one may perform an arbitrary POVM on the coset state. In this paper, we extend these results to entangled measurements. Specifically, we show that the hidden subgroup problem on the symmetric group cannot be solved by any POVM applied to pairs of coset states. In particular, these hidden subgroups cannot be determined by any polynomial number of one- or two-register experiments on coset states.
Submitted 30 September, 2005; v1 submitted 12 January, 2005;
originally announced January 2005.
-
The Symmetric Group Defies Strong Fourier Sampling: Part I
Authors:
Cristopher Moore,
Alexander Russell,
Leonard J. Schulman
Abstract:
We resolve the question of whether Fourier sampling can efficiently solve the hidden subgroup problem. Specifically, we show that the hidden subgroup problem over the symmetric group cannot be efficiently solved by strong Fourier sampling, even if one may perform an arbitrary POVM on the coset state. Our results apply to the special case relevant to the Graph Isomorphism problem.
Submitted 14 October, 2005; v1 submitted 12 January, 2005;
originally announced January 2005.
-
Approximation Algorithms for Minimum PCR Primer Set Selection with Amplification Length and Uniqueness Constraints
Authors:
K. Konwar,
I. Mandoiu,
A. Russell,
A. Shvartsman
Abstract:
A critical problem in the emerging high-throughput genotyping protocols is to minimize the number of polymerase chain reaction (PCR) primers required to amplify the single nucleotide polymorphism loci of interest. In this paper we study PCR primer set selection with amplification length and uniqueness constraints from both theoretical and practical perspectives. We give a greedy algorithm that achieves a logarithmic approximation factor for the problem of minimizing the number of primers subject to a given upper bound on the length of PCR amplification products. We also give, using randomized rounding, the first non-trivial approximation algorithm for a version of the problem that requires unique amplification of each amplification target. Empirical results on randomly generated test cases as well as test cases extracted from the National Center for Biotechnology Information's genomic databases show that our algorithms are highly scalable and produce better results compared to previous heuristics.
Submitted 27 July, 2004; v1 submitted 28 June, 2004;
originally announced June 2004.
-
Ideological and Policy Origins of the Internet, 1957-1969
Authors:
Andrew L. Russell
Abstract:
This paper examines the ideological and policy consensus that shaped computing research funded by the Information Processing Techniques Office (IPTO) within the Department of Defense's Advanced Research Projects Agency (ARPA). This historical case study of the period between Sputnik and the creation of the ARPANET shows how military, scientific, and academic values shaped the institutions and relations of a foundational period in the creation of the Internet.
The paper probes three areas: the ideology of the science policy consensus, the institutional philosophy of IPTO under J. C. R. Licklider, and the ways that this consensus and philosophy shaped IPTO research in the period leading to the creation of the ARPANET. By examining the intellectual, cultural, and institutional details of the consensus that governed IPTO research between 1957 and 1969, we can understand the ways that these values defined the range of possibilities for network computing.
The influence of the social values expressed by these actors was decisive: that government had an obligation to support a broad base of scientific research to promote both the public good and the national defense; that IPTO-sponsored computing research would accomplish both military and scientific objectives; and that IPTO could leverage its power within this consensus to create a network to share resources and unite researchers over geographical distance. A greater awareness of the ways that "consensus" worked in this period -- the "pre-history" of the Internet -- provides a richer context for evaluating the unique features of the Internet, such as its open architecture, collegial culture, and standards-based governance.
Submitted 24 October, 2001; v1 submitted 24 September, 2001;
originally announced September 2001.