On the Streaming Indistinguishability of a Random Permutation and a Random Function
An adversary with bits of memory obtains a stream of elements that are uniformly drawn from the set , either with or without replacement. This corresponds to sampling elements using either a random function or a random permutation. The adversary's goal is to distinguish between these two cases.
This problem was first considered by Jaeger and Tessaro (EUROCRYPT 2019), which proved that the adversary's advantage is upper bounded by . Jaeger and Tessaro used this bound as a streaming switching lemma which allowed proving that known time-memory tradeoff attacks on several modes of operation (such as counter-mode) are optimal up to a factor of if . However, the bound's proof assumed an unproven combinatorial conjecture. Moreover, if there is a gap between the upper bound of and the advantage obtained by known attacks.
In this paper, we prove a tight upper bound (up to poly-logarithmic factors) of on the adversary's advantage in the streaming distinguishing problem. The proof does not require a conjecture and is based on a hybrid argument that gives rise to a reduction from the unique-disjointness communication complexity problem to streaming
Streaming Approximation Resistance of Every Ordering CSP
An ordering constraint satisfaction problem (OCSP) is given by a positive
integer and a constraint predicate mapping permutations on
to . Given an instance of OCSP on
variables and constraints, the goal is to find an ordering of the
variables that maximizes the number of constraints that are satisfied, where a
constraint specifies a sequence of distinct variables and the constraint is
satisfied by an ordering on the variables if the ordering induced on the
variables in the constraint satisfies . OCSPs capture natural problems
including "Maximum acyclic subgraph (MAS)" and "Betweenness".
In this work we consider the task of approximating the maximum number of
satisfiable constraints in the (single-pass) streaming setting, where an
instance is presented as a stream of constraints. We show that for every ,
OCSP is approximation-resistant to -space streaming algorithms.
This space bound is tight up to polylogarithmic factors. In the case of MAS our
result shows that for every , MAS is not
-approximable in space. The previous best
inapproximability result only ruled out a -approximation in
space.
Our results build on recent works of Chou, Golovnev, Sudan, Velingker, and
Velusamy who show tight, linear-space inapproximability results for a broad
class of (non-ordering) constraint satisfaction problems over arbitrary
(finite) alphabets. We design a family of appropriate CSPs (one for every )
from any given OCSP, and apply their work to this family of CSPs. We show that
the hard instances from this earlier work have a particular "small-set
expansion" property. By exploiting this combinatorial property, in combination
with the hardness results of the resulting families of CSPs, we give optimal
inapproximability results for all OCSPs.
Comment: 23 pages, 1 figure. Replaces earlier version with lower
bound, using new bounds from arXiv:2106.13078. To appear in APPROX'2
An Information-Theoretic Proof of the Streaming Switching Lemma for Symmetric Encryption
Motivated by a fundamental paradigm in cryptography, we consider a recent
variant of the classic problem of bounding the distinguishing advantage between
a random function and a random permutation. Specifically, we consider the
problem of deciding whether a sequence of values was sampled uniformly with
or without replacement from , where the decision is made by a streaming
algorithm restricted to using at most bits of internal memory. In this
work, the distinguishing advantage of such an algorithm is measured by the KL
divergence between the distributions of its output as induced under the two
cases. We show that for any the distinguishing advantage is
upper bounded by , and even by when
for any constant where it is nearly
tight with respect to the KL divergence
Welfare Maximization with Limited Interaction
We continue the study of welfare maximization in unit-demand (matching)
markets, in a distributed information model where agents' valuations are
unknown to the central planner, and therefore communication is required to
determine an efficient allocation. Dobzinski, Nisan and Oren (STOC'14) showed
that if the market size is , then rounds of interaction (with
logarithmic bandwidth) suffice to obtain an -approximation to the
optimal social welfare. In particular, this implies that such markets converge
to a stable state (constant approximation) in time logarithmic in the market
size.
We obtain the first multi-round lower bound for this setup. We show that even
if the allowable per-round bandwidth of each agent is , the
approximation ratio of any -round (randomized) protocol is no better than
, implying an lower bound on the
rate of convergence of the market to equilibrium.
Our construction and technique may be of interest to round-communication
tradeoffs in the more general setting of combinatorial auctions, for which the
only known lower bound is for simultaneous () protocols [DNO14]
Two-step orthogonal-state-based protocol of quantum secure direct communication with the help of order-rearrangement technique
The Goldenberg-Vaidman (GV) protocol for quantum key distribution (QKD) uses
orthogonal encoding states of a particle. Its security arises because
operations accessible to Eve are insufficient to distinguish the two states
encoding the secret bit. We propose a two-particle cryptographic protocol for
quantum secure direct communication, wherein orthogonal states encode the
secret, and security arises from restricting Eve from accessing any
two-particle operations. However, there is a non-trivial difference between the
two cases. While the encoding states are perfectly indistinguishable in GV,
they are partially distinguishable in the bi-partite case, leading to a
qualitatively different kind of information-vs-disturbance trade-off and also
options for Eve in the two cases.
Comment: 9 pages, 4 figures, LaTeX, Accepted for publication in Quantum
Information Processing (2014
Data-Oblivious Graph Algorithms in Outsourced External Memory
Motivated by privacy preservation for outsourced data, data-oblivious
external memory is a computational framework where a client performs
computations on data stored at a semi-trusted server in a way that does not
reveal her data to the server. This approach facilitates collaboration and
reliability over traditional frameworks, and it provides privacy protection,
even though the server has full access to the data and he can monitor how it is
accessed by the client. The challenge is that even if data is encrypted, the
server can learn information based on the client data access pattern; hence,
access patterns must also be obfuscated. We investigate privacy-preserving
algorithms for outsourced external memory that are based on the use of
data-oblivious algorithms, that is, algorithms where each possible sequence of
data accesses is independent of the data values. We give new efficient
data-oblivious algorithms in the outsourced external memory model for a number
of fundamental graph problems. Our results include new data-oblivious
external-memory methods for constructing minimum spanning trees, performing
various traversals on rooted trees, answering least common ancestor queries on
trees, computing biconnected components, and forming open ear decompositions.
None of our algorithms make use of constant-time random oracles.
Comment: 20 page
Tight Time-Memory Trade-offs for Symmetric Encryption
Concrete security proofs give upper bounds on the attacker's advantage as a function of its time/query complexity. Cryptanalysis suggests however that other resource limitations - most notably, the attacker's memory - could make the achievable advantage smaller, and thus these proven bounds too pessimistic. Yet, handling memory limitations has eluded existing security proofs.
This paper initiates the study of time-memory trade-offs for basic symmetric cryptography. We show that schemes like counter-mode encryption, which are affected by the Birthday Bound, become more secure (in terms of time complexity) as the attacker's memory is reduced.
One key step of this work is a generalization of the Switching Lemma: For adversaries with bits of memory issuing distinct queries, we prove an -to- bit random function indistinguishable from a permutation as long as . This result assumes a combinatorial conjecture, which we discuss, and implies right away trade-offs for deterministic, stateful versions of CTR and OFB encryption.
We also show an unconditional time-memory trade-off for the security of randomized CTR based on a secure PRF. Via the aforementioned conjecture, we extend the result to assuming a PRP instead, assuming only one-block messages are encrypted.
Our results solely rely on standard PRF/PRP security of an underlying block cipher. We frame the core of our proofs within a general framework of indistinguishability for streaming algorithms which may be of independent interest
Super-Linear Time-Memory Trade-Offs for Symmetric Encryption
We build symmetric encryption schemes from a pseudorandom
function/permutation with domain size which have very high
security -- in terms of the amount of messages they can securely
encrypt -- assuming the adversary has bits of memory. We aim
to minimize the number of calls we make to the underlying
primitive to achieve a certain , or equivalently, to maximize the
achievable for a given . We target in
particular , in contrast to recent works (Jaeger and
Tessaro, EUROCRYPT '19; Dinur, EUROCRYPT '20) which aim to beat the
birthday barrier with one call when .
Our first result gives new and explicit bounds for the
Sample-then-Extract paradigm by Tessaro and Thiruvengadam (TCC
'18). We show instantiations for which .
If , Thiruvengadam and Tessaro's weaker bounds
only guarantee when . In contrast, here,
we show this is true already for .
We also consider a scheme by Bellare, Goldreich and Krawczyk (CRYPTO
'99) which evaluates the primitive on independent random
strings, and masks the message with the XOR of the outputs. Here, we
show , using new combinatorial bounds
on the list-decodability of XOR codes which are of independent
interest. We also study best-possible attacks against this
construction