
    Mixing in Non-Quasirandom Groups

    We initiate a systematic study of mixing in non-quasirandom groups. Let A and B be two independent, high-entropy distributions over a group G. We show that the product distribution AB is statistically close to the distribution F(AB) for several choices of G and F, including: 1) G is the affine group of 2x2 matrices, and F sets the top-right matrix entry to a uniform value; 2) G is the lamplighter group, that is, the wreath product of Z_2 and Z_n, and F is multiplication by a certain subgroup; 3) G is H^n where H is non-abelian, and F selects a uniform coordinate and takes a uniform conjugate of it. The obtained bounds for (1) and (2) are tight. This work is motivated by and applied to problems in communication complexity. We consider the 3-party communication problem of deciding if the product of three group elements multiplies to the identity. We prove lower bounds for the groups above, which are tight for the affine and the lamplighter groups.

    Interleaved Group Products

    Let G be the special linear group SL(2,q). We show that if (a_1, ..., a_t) and (b_1, ..., b_t) are sampled uniformly from large subsets A and B of G^t then their interleaved product a_1 b_1 a_2 b_2 ... a_t b_t is nearly uniform over G. This extends a result of the first author, which corresponds to the independent case where A and B are product sets. We obtain a number of other results. For example, we show that if X is a probability distribution on G^m such that any two coordinates are uniform in G^2, then a pointwise product of s independent copies of X is nearly uniform in G^m, where s depends on m only. Extensions to other groups are also discussed. We obtain closely related results in communication complexity, which is the setting where some of these questions were first asked by Miles and Viola. For example, suppose party A_i of k parties A_1, ..., A_k receives on its forehead a t-tuple (a_{i1}, ..., a_{it}) of elements from G. The parties are promised that the interleaved product a_{11} ... a_{k1} a_{12} ... a_{k2} ... a_{1t} ... a_{kt} is equal either to the identity e or to some other fixed element g in G, and their goal is to determine which of the two the product is equal to. We show that for all fixed k and all sufficiently large t the communication is Ω(t log |G|), which is tight. Even for k=2 the previous best lower bound was Ω(t). As an application, we establish the security of the leakage-resilient circuits studied by Miles and Viola in the "only computation leaks" model.
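    The two abstracts above turn on the same mechanism: in an abelian group the interleaving a_1 b_1 a_2 b_2 collapses to (a_1 a_2)(b_1 b_2), so a structured subset can force the product to be constant, while in a non-abelian group such as SL(2,q) the interleaving is claimed to mix. The script below is an added illustration written for this page, not code from either paper: it takes the structured sets A = B = {(x, x^-1)} and computes the exact distribution of a_1 b_1 a_2 b_2 in Z_5 (where it is always 0) and in SL(2,5) (where it is the commutator x y x^-1 y^-1). The group sizes, the choice p = 5 and the set construction are the example's own assumptions.

```python
import itertools
from collections import Counter

# Constructed illustration for this page (not code from either paper):
# the interleaved product a1 b1 a2 b2 over the structured sets
# A = B = {(x, x^-1) : x in G} in the abelian group Z_p and in SL(2,p).


def sl2_elements(p):
    """All 2x2 matrices (a, b, c, d) over Z_p with determinant 1."""
    return [(a, b, c, d)
            for a, b, c, d in itertools.product(range(p), repeat=4)
            if (a * d - b * c) % p == 1]


def sl2_mul(x, y, p):
    a, b, c, d = x
    e, f, g, h = y
    return ((a * e + b * g) % p, (a * f + b * h) % p,
            (c * e + d * g) % p, (c * f + d * h) % p)


def sl2_inv(x, p):
    """Inverse of a determinant-1 matrix: swap the diagonal, negate the off-diagonal."""
    a, b, c, d = x
    return (d % p, (-b) % p, (-c) % p, a % p)


def zp_mul(x, y, p):
    return (x + y) % p


def zp_inv(x, p):
    return (-x) % p


def interleaved_product(a_tuple, b_tuple, mul, identity, p):
    """a_1 b_1 a_2 b_2 ... a_t b_t, multiplied left to right."""
    prod = identity
    for a, b in zip(a_tuple, b_tuple):
        prod = mul(mul(prod, a, p), b, p)
    return prod


def statistical_distance(counts, elements):
    """Half the L1 distance between the empirical distribution and uniform on `elements`."""
    total = sum(counts.values())
    u = 1.0 / len(elements)
    return 0.5 * sum(abs(counts.get(g, 0) / total - u) for g in elements)


def inverse_pair_mixing(elements, mul, inv, identity, p):
    """Exact distribution of a1 b1 a2 b2 with (a1, a2), (b1, b2) drawn from {(x, x^-1)}."""
    pairs = [(x, inv(x, p)) for x in elements]
    counts = Counter(interleaved_product(a, b, mul, identity, p)
                     for a in pairs for b in pairs)
    return statistical_distance(counts, elements)


def compare(p=5):
    """Returns (SD from uniform in Z_p, SD from uniform in SL(2,p)) for the sets above."""
    zp_sd = inverse_pair_mixing(list(range(p)), zp_mul, zp_inv, 0, p)
    sl2_sd = inverse_pair_mixing(sl2_elements(p), sl2_mul, sl2_inv, (1, 0, 0, 1), p)
    return zp_sd, sl2_sd


if __name__ == "__main__":
    zp_sd, sl2_sd = compare(5)
    print(f"Z_5:     SD from uniform = {zp_sd:.3f} (product is always 0)")
    print(f"SL(2,5): SD from uniform = {sl2_sd:.3f} (product is the commutator [x, y])")
```

    In Z_5 the product is x + y - x - y = 0 for every pair, so the statistical distance from uniform is 1 - 1/p = 0.8. In SL(2,5) the same construction yields the commutator distribution, whose probability of each g is (1/|G|) times the sum over irreducible characters of χ(g)/χ(1) (Frobenius), which for this group comes out at statistical distance exactly 1/3 from uniform. The example only exhibits the mechanism: the paper's bound is asymptotic in q, and the sets here are a 1/p fraction of Z_p^2 but only a 1/|G| fraction of SL(2,5)^2.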

    Unconditionally Secure Computation Against Low-Complexity Leakage

    We consider the problem of constructing leakage-resilient circuit compilers that are secure against global leakage functions with bounded output length. By global, we mean that the leakage can depend on all circuit wires and output a low-complexity function (represented as a multi-output Boolean circuit) applied to these wires. In this work, we design compilers both in the stateless (a.k.a. single-shot leakage) setting and the stateful (a.k.a. continuous leakage) setting that are unconditionally secure against AC^0 leakage and similar low-complexity classes. In the stateless case, we show that the original private circuits construction of Ishai, Sahai, and Wagner (Crypto 2003) is actually secure against AC^0 leakage. In the stateful case, we modify the construction of Rothblum (Crypto 2012), obtaining a simple construction with unconditional security. Prior works that designed leakage-resilient circuit compilers against AC^0 leakage had to rely either on secure hardware components (Faust et al., Eurocrypt 2010; Miles-Viola, STOC 2013) or on (unproven) complexity-theoretic assumptions (Rothblum, Crypto 2012).
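    The Ishai-Sahai-Wagner private-circuits construction named above represents every wire as n = t+1 XOR shares and replaces each AND gate by a gadget that injects one fresh random bit per pair of shares. The block below is an added illustration written for this page, not the paper's or ISW's code: it implements the sharing, the linear XOR gadget and the ISW AND gadget, and then exhaustively enumerates every random tape the gadget can consume to check that any t = 2 of the 3 output shares have the same joint distribution whatever the secret inputs are (the t-probing property), while all 3 together recover a AND b. The helper names and the use of Python ints as bits are the example's own choices.

```python
import itertools
import secrets
from collections import Counter

# Added illustration for this page of the ISW (Ishai-Sahai-Wagner, CRYPTO 2003)
# private-circuit AND gadget over n = t+1 XOR shares. Written for this page, not
# taken from the paper. Bits are Python ints 0/1.


def fresh_bit():
    """Random bit from the OS CSPRNG; probe_histogram below injects its own tape instead."""
    return secrets.randbits(1)


def xor_all(bits):
    acc = 0
    for b in bits:
        acc ^= b
    return acc


def share(x, n, rand):
    """Split bit x into n shares whose XOR is x; the first n-1 are fresh random bits."""
    shares = [rand() for _ in range(n - 1)]
    shares.append(x ^ xor_all(shares))
    return shares


def unshare(shares):
    return xor_all(shares)


def isw_xor(a_sh, b_sh):
    """XOR is linear over the sharing: combine share-wise, no randomness needed."""
    return [x ^ y for x, y in zip(a_sh, b_sh)]


def isw_and(a_sh, b_sh, rand):
    """ISW AND gadget. For each pair i<j draw r_ij and set r_ji = (r_ij ^ a_i b_j) ^ a_j b_i,
    bracketed exactly as ISW prescribe: evaluating a_i b_j ^ a_j b_i first would put a wire
    that depends on both inputs, with no fresh randomness, into the circuit.
    Output share c_i = a_i b_i ^ XOR_{j != i} r_ij."""
    n = len(a_sh)
    r = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            r[i][j] = rand()
            r[j][i] = (r[i][j] ^ (a_sh[i] & b_sh[j])) ^ (a_sh[j] & b_sh[i])
    out = []
    for i in range(n):
        c = a_sh[i] & b_sh[i]
        for j in range(n):
            if j != i:
                c ^= r[i][j]
        out.append(c)
    return out


def masked_and(a, b, n, rand=fresh_bit):
    """Share a and b, AND them in the masked domain, unshare the result."""
    return unshare(isw_and(share(a, n, rand), share(b, n, rand), rand))


def probe_histogram(a, b, n, probes):
    """Enumerate every random tape the sharing plus gadget can consume and histogram the
    probed output shares. A t-probing-secure gadget gives the same histogram for every (a, b)
    whenever at most t = n-1 shares are probed."""
    n_rand = 2 * (n - 1) + n * (n - 1) // 2  # sharing a and b, plus one r_ij per pair i<j
    hist = Counter()
    for tape in itertools.product((0, 1), repeat=n_rand):
        it = iter(tape)
        c = isw_and(share(a, n, it.__next__), share(b, n, it.__next__), it.__next__)
        hist[tuple(c[i] for i in probes)] += 1
    return hist


if __name__ == "__main__":
    for probes in ((0, 1), (0, 2), (1, 2)):
        print(probes, [dict(probe_histogram(a, b, 3, probes)) for a in (0, 1) for b in (0, 1)])
    print("all three shares:", dict(probe_histogram(1, 1, 3, (0, 1, 2))))
```

    With n = 3 the gadget consumes 7 random bits, so each histogram is over 128 tapes; any two output shares land on each of the four values exactly 32 times for all four inputs, which is what makes a 2-probe adversary learn nothing. The abstract's point is that the same unchanged construction also resists a global AC^0 function of all wires, a strictly stronger adversary than the t-probe model the gadget was designed for.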

    A Survey of Leakage-Resilient Cryptography

    In the past 15 years, cryptography has made considerable progress in expanding the adversarial attack model to cover side-channel attacks, and has built schemes that provably defend against some of them. This survey covers the main models and results in this so-called leakage-resilient cryptography.