Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium
Cited by 26 (6 self)
CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a low-degree algebraic normal form over GF(2). This paper applies cube attacks to reduced-round MD6, finding the full 128-bit key of a 14-round MD6 with complexity 2^22 (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient property-testing algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike the standard cube attacks, cube testers detect non-random behavior rather than performing key extraction, but they can also attack cryptographic schemes described by non-random polynomials of relatively high degree. Applied to MD6, cube testers detect non-randomness over 18 rounds in 2^17 complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random in 2^24 complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds from random with 2^30 complexity and detect non-randomness over 885 rounds in 2^27, improving on the original 767-round cube attack.
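The mechanics behind the cube attack and the cube tester of this abstract, shown on a constructed toy. This is an added example, not code from the paper: `toy_cipher` is a hypothetical 4-key-bit, 4-public-bit GF(2) polynomial standing in for MD6 or Trivium, `random_oracle` is a SHA-256-based stand-in for an ideal function, and the cube choices are made to fit the toy. Summing the output over all assignments of a chosen set of public bits (a cube) cancels every monomial not divisible by the cube's product and leaves that monomial's superpoly in the key bits; if a BLR-style test shows the superpoly is affine, its coefficients are read off offline, and the online phase needs one cube sum per equation before solving over GF(2). The cube tester reuses the same sums to flag a non-random property, here that the sum over all four public bits is identically zero because the degree in the public bits is below four.

```python
from itertools import product
import hashlib
import random


def toy_cipher(k, v):
    """Constructed black box (NOT MD6/Trivium): 4 key bits k, 4 public bits v,
    one output bit, degree 3 in the public bits. The key factor of each
    public-bit monomial is what a cube over that monomial isolates."""
    return ((v[0] & v[1] & (k[0] ^ k[2] ^ 1))      # cube {0,1}:   k0+k2+1
            ^ (v[1] & v[2] & (k[1] ^ k[3]))        # cube {1,2}:   k1+k3
            ^ (v[0] & v[2] & k[0] & k[1])          # cube {0,2}:   k0*k1 (non-linear)
            ^ (v[2] & v[3] & k[3])                 # cube {2,3}:   k3
            ^ (v[0] & v[3] & (k[1] ^ k[2]))        # cube {0,3}:   k1+k2
            ^ (v[0] & v[1] & v[2] & k[1])          # cube {0,1,2}: k1
            ^ (k[0] & k[1] & k[2])                 # key-only term
            ^ (v[3] & k[0]))


def cube_sum(f, key, cube, n_pub):
    """XOR of f(key, v) over all 2^|cube| settings of the cube bits (other public
    bits 0). Monomials not divisible by the cube's product cancel in GF(2), so
    the result is the superpoly p_S(key) of that product."""
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = [0] * n_pub
        for i, b in zip(cube, bits):
            v[i] = b
        total ^= f(key, v)
    return total


def rand_key(n_key, rng):
    return [rng.randrange(2) for _ in range(n_key)]


def superpoly_is_affine(f, cube, n_key, n_pub, trials=32, seed=0):
    """Preprocessing linearity test (BLR style): an affine p_S over GF(2)
    satisfies p_S(a) ^ p_S(b) ^ p_S(a^b) ^ p_S(0) == 0 for all a, b."""
    rng = random.Random(seed)
    ps = lambda key: cube_sum(f, key, cube, n_pub)
    ps0 = ps([0] * n_key)
    for _ in range(trials):
        a, b = rand_key(n_key, rng), rand_key(n_key, rng)
        if ps(a) ^ ps(b) ^ ps([x ^ y for x, y in zip(a, b)]) ^ ps0:
            return False
    return True


def affine_superpoly(f, cube, n_key, n_pub):
    """Coefficients (a, c) with p_S(k) = c ^ a[0]k[0] ^ ... ^ a[n-1]k[n-1],
    read off from the all-zero key and the unit-vector keys."""
    c = cube_sum(f, [0] * n_key, cube, n_pub)
    a = []
    for j in range(n_key):
        e = [0] * n_key
        e[j] = 1
        a.append(cube_sum(f, e, cube, n_pub) ^ c)
    return a, c


def solve_gf2(rows, n):
    """Gauss-Jordan elimination over GF(2); rows are (coefficients, rhs).
    Returns the unique solution, or None if rank < n or the system is inconsistent."""
    rows = [(list(a), b) for a, b in rows]
    for col in range(n):
        piv = next((i for i in range(col, len(rows)) if rows[i][0][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        for i in range(len(rows)):
            if i != col and rows[i][0][col]:
                rows[i] = ([x ^ y for x, y in zip(rows[i][0], rows[col][0])],
                           rows[i][1] ^ rows[col][1])
    if any(b for a, b in rows[n:] if not any(a)):
        return None
    return [rows[i][1] for i in range(n)]


def cube_attack(f, cubes, n_key, n_pub, secret_key):
    """Offline: keep cubes whose superpoly is affine and non-constant.
    Online: one cube sum per kept cube under the unknown key, then solve."""
    equations = []
    for cube in cubes:
        if not superpoly_is_affine(f, cube, n_key, n_pub):
            continue
        a, c = affine_superpoly(f, cube, n_key, n_pub)
        if any(a):
            equations.append((a, cube_sum(f, secret_key, cube, n_pub) ^ c))
    return solve_gf2(equations, n_key)


def cube_tester_constant(f, cube, n_key, n_pub, samples=32, seed=0):
    """Cube tester: is the cube sum the same for every sampled key? For a random
    function it varies; when f has degree < |cube| in the public bits it is
    identically 0, a detectable non-random property."""
    rng = random.Random(seed)
    values = {cube_sum(f, rand_key(n_key, rng), cube, n_pub) for _ in range(samples)}
    return len(values) == 1


def random_oracle(k, v):
    """Stand-in for an ideal random function, for contrast with toy_cipher."""
    return hashlib.sha256(bytes(k) + b"|" + bytes(v)).digest()[0] & 1


if __name__ == "__main__":
    secret = [1, 0, 1, 1]
    cubes = [(0, 1), (1, 2), (0, 2), (2, 3), (0, 3), (0, 1, 2)]
    print("recovered key:", cube_attack(toy_cipher, cubes, 4, 4, secret))
    print("toy cipher, full cube constant:", cube_tester_constant(toy_cipher, (0, 1, 2, 3), 4, 4))
    print("random oracle, full cube constant:", cube_tester_constant(random_oracle, (0, 1, 2, 3), 4, 4))
```

The cube {0, 2} is rejected by the linearity test because its superpoly is k0*k1; the remaining cubes give a full-rank affine system and the key comes back from five online queries of four evaluations each. On the real ciphers the same two phases apply, only the cubes are found by search and the superpolys are over hundreds of key bits.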
Discrepancy and the power of bottom fan-in in depth-three circuits
In Proc. of the 48th Symposium on Foundations of Computer Science (FOCS), 2007
Cited by 24 (3 self)
We develop a new technique of proving lower bounds for the randomized communication complexity of boolean functions in the multiparty ‘Number on the Forehead’ model. Our method is based on the notion of voting polynomial degree of functions and extends the Degree-Discrepancy Lemma in the recent work of Sherstov [24]. Using this we prove that depth-three circuits consisting of a MAJORITY gate at the output, gates computing arbitrary symmetric functions at the second layer and arbitrary gates of bounded fan-in at the base layer, i.e. circuits of type MAJ ◦ SYMM ◦ ANY_{O(1)}, cannot simulate the circuit class AC^0 in subexponential size. Further, even if the fan-in of the bottom ANY gates is increased to o(log log n), such circuits cannot simulate AC^0 in quasipolynomial size. This is in contrast to the classical result of Yao and Beigel-Tarui that shows that such circuits, having only MAJORITY gates, can simulate the class ACC^0 in quasipolynomial size when the bottom fan-in is increased to polylogarithmic size. In the second part, we simplify the arguments in the breakthrough work of Bourgain [7] for obtaining exponentially small upper bounds on the correlation between the boolean function MOD_q and functions represented by polynomials of small degree over Z_m, when m, q ≥ 2 are coprime integers. Our calculation also shows similarity with techniques used to estimate discrepancy of functions in the multiparty communication setting. This results in a slight improvement of the estimates of [7, 14]. It is known that such estimates imply that circuits of type MAJ ◦ MOD_m ◦ AND_{ε log n} cannot compute the MOD_q function in subexponential size. It remains a major open question to determine if such circuits can simulate ACC^0 in polynomial size when the bottom fan-in is increased to polylogarithmic size.
The sum of d small-bias generators fools polynomials of degree d
In IEEE Conference on Computational Complexity, 2007
Cited by 23 (2 self)
We prove that the sum of d small-bias generators L: F^s → F^n fools degree-d polynomials in n variables over a prime field F, for any fixed degree d and field F, including F = F_2 = {0, 1}. Our result improves on both the work by Bogdanov and Viola (FOCS ’07) and the beautiful follow-up by Lovett (STOC ’08). The first relies on a conjecture that turned out to be true only for some degrees and fields, while the latter considers the sum of 2^d small-bias generators (as opposed to d in our result). Our proof builds on and somewhat simplifies the arguments by Bogdanov and Viola (FOCS ’07) and by Lovett (STOC ’08). Its core is a case analysis based on the bias of the polynomial to be fooled.
Unconditional pseudorandom generators for low degree polynomials
2007
Cited by 16 (3 self)
We give an explicit construction of pseudorandom generators against low degree polynomials over finite fields. We show that the sum of 2^d small-biased generators with error ε^{2^{O(d)}} is a pseudorandom generator against degree d polynomials with error ε. This gives a generator with seed length 2^{O(d)} log(n/ε). Our construction follows the recent breakthrough result of Bogdanov and Viola [BV07]. Their work shows that the sum of d small-biased generators is a pseudorandom generator against degree d polynomials, assuming the Inverse Gowers Conjecture. However, this conjecture is only proven for d = 2, 3. The main advantage of our work is that it does not rely on any unproven conjectures.
Inverse Conjecture for the Gowers norm is false
In Proceedings of the 40th Annual ACM Symposium on the Theory of Computing (STOC), 2007
Cited by 13 (3 self)
Let p be a fixed prime number, and N be a large integer. The ‘Inverse Conjecture for the Gowers norm’ states that if the ‘d-th Gowers norm’ of a function f: F_p^N → F_p is non-negligible, that is, larger than a constant independent of N, then f can be non-trivially approximated by a degree d − 1 polynomial. The conjecture is known to hold for d = 2, 3 and for any prime p. In this paper we show the conjecture to be false for p = 2 and for d = 4, by presenting an explicit function whose 4th Gowers norm is non-negligible, but whose correlation with any polynomial of degree 3 is exponentially small. Essentially the same result (with different correlation bounds) was independently obtained by Green and Tao [5]. Their analysis uses a modification of a Ramsey-type argument of Alon and Beigel [1] to show inapproximability of certain functions by low-degree polynomials. We observe that a combination of our results with the argument of Alon and Beigel implies the inverse conjecture to be false for any prime p, for d = p^2.
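To make the objects in this abstract concrete, the following added example (not from the paper, and over F_2 with a tiny n rather than a large N) computes ||(-1)^f||_{U^d}^{2^d} exactly through the derivative recursion ||F||_{U^d}^{2^d} = E_h ||F · F(· + h)||_{U^{d-1}}^{2^{d-1}}, and shows the easy direction of the conjecture: a polynomial of degree below d has d-th Gowers norm exactly 1, while a degree-d one does not. The functions `quadratic` and `cubic` are constructed test inputs; the counterexample of the paper needs many more variables than this exhaustive computation can handle.

```python
from fractions import Fraction


def bit(x, i):
    return (x >> i) & 1


def truth_table(f, n):
    """The +/-1-valued F(x) = (-1)^f(x) for f: {0,1}^n -> {0,1}, with x encoded as an int."""
    return [1 - 2 * f(x) for x in range(1 << n)]


def gowers_pow(F, d):
    """||F||_{U^d}^{2^d}, exactly, via the derivative recursion
    ||F||_{U^d}^{2^d} = E_h ||F . F(. + h)||_{U^{d-1}}^{2^{d-1}},  ||F||_{U^1}^2 = (E F)^2.
    Cost grows like |domain|^d, so n must stay tiny (n = 5, d = 4 takes about a second)."""
    N = len(F)
    if d == 1:
        mean = Fraction(sum(F), N)
        return mean * mean
    total = Fraction(0)
    for h in range(N):
        # multiplicative derivative in direction h; x + h over F_2^n is XOR
        DhF = [F[x] * F[x ^ h] for x in range(N)]
        total += gowers_pow(DhF, d - 1)
    return total / N


def quadratic(x):   # x0 x1 + x2 x3: degree 2 (bent on its four variables)
    return (bit(x, 0) & bit(x, 1)) ^ (bit(x, 2) & bit(x, 3))


def cubic(x):       # x0 x1 x2: degree 3
    return bit(x, 0) & bit(x, 1) & bit(x, 2)


def gowers_profile(f, n, max_d):
    """[||(-1)^f||_{U^d}^{2^d} for d = 1..max_d]. Because the d-th derivative of a
    degree-(d-1) polynomial vanishes, the entry at d is exactly 1 from that d on."""
    F = truth_table(f, n)
    return [gowers_pow(F, d) for d in range(1, max_d + 1)]


if __name__ == "__main__":
    for name, f in (("x0x1+x2x3", quadratic), ("x0x1x2", cubic)):
        print(name, [str(v) for v in gowers_profile(f, 5, 4)])
```

On five variables the quadratic gives the profile 1/16, 1/16, 1, 1 and the cubic 9/16, 11/32, 11/32, 1: the U^3 norm of the quadratic is already 1 while the cubic only reaches 1 at U^4. The abstract's question is the converse, whether a large U^d norm forces correlation with a degree d − 1 polynomial, which is what fails for p = 2, d = 4.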
Limits on the rate of locally testable affine-invariant codes
2009
Cited by 12 (8 self)
Despite its many applications, to program checking, probabilistically checkable proofs, locally testable and locally decodable codes, and cryptography, “algebraic property testing” is not well-understood. A significant obstacle to a better understanding was a lack of a concrete definition that abstracted known testable algebraic properties and reflected their testability. This obstacle was removed by [Kaufman and Sudan, STOC 2008] who considered (linear) “affine-invariant properties”, i.e., properties that are closed under summation, and under affine transformations of the domain. Kaufman and Sudan showed that these two features (linearity of the property and its affine-invariance) play a central role in the testability of many known algebraic properties. However their work does not give a complete characterization of the testability of affine-invariant properties, and several technical obstacles need to be overcome to obtain such a characterization. Indeed, their work left open the tantalizing possibility that locally testable codes of rate dramatically better than that of the family of Reed-Muller codes (the most popular form of locally testable codes, which also happen to be affine-invariant) could be found by systematically exploring the space of affine-invariant properties.
List-Decoding Reed-Muller codes over small fields
In Proc. 40th ACM Symp. on Theory of Computing (STOC’08), 2008
Cited by 11 (4 self)
We present the first local list-decoding algorithm for the r-th order Reed-Muller code RM(r, m) over F_2 for r ≥ 2. Given an oracle for a received word R: F_2^m → F_2, our randomized local list-decoding algorithm produces a list containing all degree r polynomials within relative distance (2^{−r} − ε) from R for any ε > 0 in time poly(m^r, ε^{−r}). The list size could be exponential in m at radius 2^{−r}, so our bound is optimal in the local setting. Since RM(r, m) has relative distance 2^{−r}, our algorithm beats the Johnson bound for r ≥ 2. In the setting where we are allowed running time polynomial in the block-length, we show that list-decoding is possible up to even larger radii, beyond the minimum distance. We give a deterministic list-decoder that works at error rate below J(2^{1−r}), where J(δ) denotes the Johnson radius for minimum distance δ. This shows that RM(2, m) codes are list-decodable up to radius η for any constant η < 1/2 in time polynomial in the block-length. Over small fields F_q, we present list-decoding algorithms in both the global and local settings that work up to the list-decoding radius. We conjecture that the list-decoding radius approaches the minimum distance (like over F_2), and prove this holds true when the degree is divisible by q − 1.
A unified framework for testing linear-invariant properties
In Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science, 2010
Cited by 7 (4 self)
In the history of property testing, a particularly important role has been played by linear-invariant properties, i.e., properties of Boolean functions on the hypercube which are closed under linear transformations of the domain. Examples of such properties include linearity, Reed-Muller codes, and Fourier sparsity. In this work, we describe a framework that can lead to a unified analysis of the testability of all linear-invariant properties, drawing on techniques from additive combinatorics and from graph theory. Our main contributions here are the following: 1. We introduce a simple combinatorial condition, which we call subspace-heredity, and conjecture that any property of Boolean functions satisfying it can be efficiently tested. Verifying this conjecture will unify many individual results in this area. 2. We show that if our conjecture holds, then one can obtain a simple combinatorial characterization of properties of Boolean functions that can be efficiently tested with one-sided error, thus addressing a challenge posed by Sudan recently. 3. We introduce a new technique for proving the testability of Boolean functions. Using it, we verify a special case of the conjecture. Our approach here is motivated by techniques that proved to be very successful previously in studying the testability of graph properties.
Non-malleable Codes from Additive Combinatorics
2013
Cited by 6 (1 self)
Non-malleable codes provide a useful and meaningful security guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely unrelated value. Although such codes do not exist if the family of “tampering functions” F is completely unrestricted, they are known to exist for many broad tampering families F. One such natural family is the family of tampering functions in the so-called split-state model. Here the message m is encoded into two shares L and R, and the attacker is allowed to arbitrarily tamper with L and R individually. The split-state tampering arises in many realistic applications, such as the design of non-malleable secret sharing schemes, motivating the question of designing efficient non-malleable codes in this model. Prior to this work, non-malleable codes in the split-state model received considerable attention in the literature, but were constructed either (1) in the random oracle model [14], or (2) relied on advanced cryptographic assumptions (such as non-interactive zero-knowledge proofs and leakage-resilient
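The split-state tampering experiment from this abstract, as an added example that is not the paper's construction (the abstract does not describe one): two toy codes are put through the same one-share tampering. The naive additive secret sharing decodes to m + 1 after the tampering, a value related to m, which is exactly what non-malleability forbids; an inner-product encoding over Z_p^n, used here only as an illustrative candidate, yields a tampered message whose distribution is nearly independent of m, and the gap shrinks as n grows. The parameters p = 5, n = 2 and 3 and the tampering functions are chosen for this illustration; the distributions are computed exactly over all encoding randomness, so the numbers are small-parameter artifacts, not the paper's bounds.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

P = 5          # prime modulus for both toy codes (chosen for the example)
N = 3          # default share length, in field elements, for the inner-product code
SAME = "same"  # the special symbol same* of the non-malleability definition


def additive_shares(m, p=P):
    """Naive split-state code: L uniform in Z_p, R = m - L. Yields every (L, R) for m."""
    for l in range(p):
        yield (l,), ((m - l) % p,)


def additive_decode(L, R, p=P):
    return (L[0] + R[0]) % p


def ip_decode(L, R, p=P):
    return sum(a * b for a, b in zip(L, R)) % p


def ip_shares(m, p=P, n=N):
    """Inner-product code: (L, R) uniform over all pairs in Z_p^n x Z_p^n with <L, R> = m."""
    for L in product(range(p), repeat=n):
        for R in product(range(p), repeat=n):
            if ip_decode(L, R, p) == m:
                yield L, R


def tamper_distribution(m, shares, decode, f, g):
    """Exact distribution of Tamper_{f,g}(m) = Dec(f(L), g(R)) over the encoding
    randomness, reporting SAME when the codeword came back untouched."""
    counts = Counter()
    total = 0
    for L, R in shares(m):
        L2, R2 = f(L), g(R)
        counts[SAME if (L2, R2) == (L, R) else decode(L2, R2)] += 1
        total += 1
    return {y: Fraction(c, total) for y, c in counts.items()}


def statistical_distance(d0, d1):
    return sum(abs(d0.get(y, 0) - d1.get(y, 0)) for y in set(d0) | set(d1)) / 2


def add_constant(delta):
    """Tamper one share in isolation: R -> R + delta coordinate-wise (mod P), with
    delta zero-padded to the share length. The adversary never sees L, which is
    what the split-state model enforces."""
    return lambda R: tuple((r + d) % P for r, d in zip(R, delta + (0,) * len(R)))


def identity(share):
    return share


def malleability_gap(shares, decode, f, g, m0=0, m1=1):
    """Distance between Tamper(m0) and Tamper(m1). Zero means the tampered message
    reveals nothing about m, the ideal a non-malleable code approaches."""
    return statistical_distance(tamper_distribution(m0, shares, decode, f, g),
                                tamper_distribution(m1, shares, decode, f, g))


if __name__ == "__main__":
    bump = add_constant((1,))
    print("additive, R+1, m=0:", tamper_distribution(0, additive_shares, additive_decode, identity, bump))
    print("additive, R+1, m=1:", tamper_distribution(1, additive_shares, additive_decode, identity, bump))
    print("gap additive:", malleability_gap(additive_shares, additive_decode, identity, bump))
    for n in (2, 3):
        gap = malleability_gap(lambda m: ip_shares(m, n=n), ip_decode, identity, bump)
        print(f"gap inner-product, n={n}:", gap, f"({float(gap):.4f})")
    print("gap untouched:", malleability_gap(ip_shares, ip_decode, identity, identity))
```

The additive code's gap is 1: the tampered decoding is a deterministic function of m, so the attacker who bumps one share has produced a related message. For the inner-product encoding the same tampering gives a gap of roughly 0.11 at n = 2 and 0.023 at n = 3, and leaving both shares untouched yields same* with probability 1 for every m.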
Selected Results in Additive Combinatorics: An Exposition
2007
Cited by 6 (1 self)
We give a self-contained exposition of selected results in additive combinatorics over the group GF(2)^n = {0, 1}^n. In particular, we prove the celebrated theorems known as the Balog-Szemerédi-Gowers theorem (’94 and ’98) and the Freiman-Ruzsa theorem (’73 and ’99), leading to the remarkable result by Samorodnitsky (’07) that linear transformations are efficiently testable. No new result is proved here. However, we strip down the available proofs to the bare minimum needed to derive the efficient testability of linear transformations over {0, 1}^n, thus hoping to provide a computer-science-friendly introduction to the marvelous field of additive combinatorics.