Pseudorandom Bits for Oblivious Branching Programs

We construct a pseudorandom generator that fools known-order read-k oblivious branching programs and, more generally, any linear length oblivious branching program. For polynomial width branching programs, the seed lengths in our constructions are O(n^(1−1/2^(k−1))) (for the read-k case) and O(n/log log n) (for the linear length case). Previously, the best construction for these models required seed length (1 − Ω(1))n

Randomized Search of Graphs in Log Space and Probabilistic Computation

Reingold has shown that L = SL, that s-t connectivity in a poly-mixing digraph is complete for promise-RL, and that s-t connectivity for a poly-mixing out-regular digraph with known stationary distribution is in L. Several properties that bound the mixing times of random walks on digraphs have been identified, including the digraph conductance and the digraph spectral expansion. However, rapidly mixing digraphs can still have exponential cover time, thus it is important to specifically identify structural properties of digraphs that effect cover times. We examine the complexity of random walks on a basic parameterized family of unbalanced digraphs called Strong Chains (which model weakly symmetric logspace computations), and a special family of Strong Chains called Harps. We show that the worst case hitting times of Strong Chain families vary smoothly with the number of asymmetric vertices and identify the necessary condition for non-polynomial cover time. This analysis also yields bounds on the cover times of general digraphs. Next we relate random walks on graphs to the random walks that arise in Monte Carlo methods applied to optimization problems. We introduce the notion of the asymmetric states of Markov chains and use this definition to obtain some results about Markov chains. We also obtain some results on the mixing times for Markov Chain Monte Carlo Methods. Finally, we consider the question of whether a single long random walk or many short walks is a better strategy for exploration. These are walks which reset to the start after a fixed number of steps. We exhibit digraph families for which a few short walks are far superior to a single long walk. We introduce an iterative deepening random search. We use this strategy estimate the cover time for poly-mixing subgraphs. Finally we discuss complexity theoretic implications and future work

Bounded Independence Plus Noise Fools Products

Let D be a b-wise independent distribution over {0,1}^m. Let E be the "noise" distribution over {0,1}^m where the bits are independent and each bit is 1 with probability eta/2. We study which tests f: {0,1}^m -> [-1,1] are epsilon-fooled by D+E, i.e., |E[f(D+E)] - E[f(U)]| <= epsilon where U is the uniform distribution. We show that D+E epsilon-fools product tests f: ({0,1}^n)^k -> [-1,1] given by the product of k bounded functions on disjoint n-bit inputs with error epsilon = k(1-eta)^{Omega(b^2/m)}, where m = nk and b >= n. This bound is tight when b = Omega(m) and eta >= (log k)/m. For b >= m^{2/3} log m and any constant eta the distribution D+E also 0.1-fools log-space algorithms. We develop two applications of this type of results. First, we prove communication lower bounds for decoding noisy codewords of length m split among k parties. For Reed-Solomon codes of dimension m/k where k = O(1), communication Omega(eta m) - O(log m) is required to decode one message symbol from a codeword with eta m errors, and communication O(eta m log m) suffices. Second, we obtain pseudorandom generators. We can epsilon-fool product tests f: ({0,1}^n)^k -> [-1,1] under any permutation of the bits with seed lengths 2n + O~(k^2 log(1/epsilon)) and O(n) + O~(sqrt{nk log 1/epsilon}). Previous generators have seed lengths >= nk/2 or >= n sqrt{n k}. For the special case where the k bounded functions have range {0,1} the previous generators have seed length >= (n+log k)log(1/epsilon)

Hardness of KT Characterizes Parallel Cryptography

A recent breakthrough of Liu and Pass (FOCS'20) shows that one-way functions exist if and only if the (polynomial-)time-bounded Kolmogorov complexity, K^t, is bounded-error hard on average to compute. In this paper, we strengthen this result and extend it to other complexity measures: - We show, perhaps surprisingly, that the KT complexity is bounded-error average-case hard if and only if there exist one-way functions in constant parallel time (i.e. NC⁰). This result crucially relies on the idea of randomized encodings. Previously, a seminal work of Applebaum, Ishai, and Kushilevitz (FOCS'04; SICOMP'06) used the same idea to show that NC⁰-computable one-way functions exist if and only if logspace-computable one-way functions exist. - Inspired by the above result, we present randomized average-case reductions among the NC¹-versions and logspace-versions of K^t complexity, and the KT complexity. Our reductions preserve both bounded-error average-case hardness and zero-error average-case hardness. To the best of our knowledge, this is the first reduction between the KT complexity and a variant of K^t complexity. - We prove tight connections between the hardness of K^t complexity and the hardness of (the hardest) one-way functions. In analogy with the Exponential-Time Hypothesis and its variants, we define and motivate the Perebor Hypotheses for complexity measures such as K^t and KT. We show that a Strong Perebor Hypothesis for K^t implies the existence of (weak) one-way functions of near-optimal hardness 2^{n-o(n)}. To the best of our knowledge, this is the first construction of one-way functions of near-optimal hardness based on a natural complexity assumption about a search problem. - We show that a Weak Perebor Hypothesis for MCSP implies the existence of one-way functions, and establish a partial converse. This is the first unconditional construction of one-way functions from the hardness of MCSP over a natural distribution. - Finally, we study the average-case hardness of MKtP. We show that it characterizes cryptographic pseudorandomness in one natural regime of parameters, and complexity-theoretic pseudorandomness in another natural regime.</p

Optimizing Cryptographic Obfuscation

Cryptographic obfuscation is a powerful tool that makes programs “unintelligible” yet still runnable. It essentially gives programs the ability to keep secrets. The practical applications of obfuscation range from keeping secrets in banking applications to preventing software theft to providing secure messaging applications. The cryptographic applications of obfuscation are also vast – a tool that hides secrets in programs essentially enables all other cryptographic constructions. Despite (or perhaps due to) its power, obfuscation is currently wildly inefficient and on shaky theoretical ground. Its shaky theoretical ground in particular has resulted in a lack of engineering effort at making it more efficient. In this work, we focus largely on efficiency. We explore the concrete efficiency of multilinear maps, which are the basis of many cryptographic obfuscation constructions. Multilinear maps are mathematical objects that allow oblivious addition and multiplication of encrypted values. Using multilinear maps, we give the first ever implementations of obfuscation and multi-input functional encryption (MIFE: a variant of obfuscation) for branching programs. Along the way, we create the 5Gen framework for implementations of multilinear map-based applications. We apply the 5Gen framework to experiment with obfuscating point functions and MIFE of order-revealing encryption. We also explore efficiency in the context of obfuscators and MIFE for circuits. Circuits are more efficient than branching programs for many functions. We give the first MIFE construction for circuits and prove its security in an ideal model. Our scheme is efficient. To compare, we implement all known circuit obfuscation schemes using the 5Gen framework, and experiment with obfuscating a PRF. This results in the most complex PRF obfuscated to date – with 12 bits of security. Finally, recently Bishop et al. showed an obfuscation scheme for the specific functionality of wildcard pattern-matching [BKM+18]. This is a simple type of string matching where strings must match a pattern exactly except where there are wildcards. This obfuscation scheme simply relies on the generic group model, with no multilinear maps. Inspired by their work, and the deep connection of functional encryption to obfuscation, we give a function-private, public-key functional encryption scheme for the same wildcard pattern-matching functionality. Our scheme is the first such scheme and we prove its security in a generic model