Cube Testers and Key Recovery Attacks On Reduced-Round MD6 and Trivium
In Fast Software Encryption, 2009
Cited by 38 (7 self)
Abstract. CRYPTO 2008 saw the introduction of the hash function MD6 and of cube attacks, a type of algebraic attack applicable to cryptographic functions having a low-degree algebraic normal form over GF(2). This paper applies cube attacks to reduced-round MD6, finding the full 128-bit key of a 14-round MD6 with complexity 2^22 (which takes less than a minute on a single PC). This is the best key recovery attack announced so far for MD6. We then introduce a new class of attacks called cube testers, based on efficient property-testing algorithms, and apply them to MD6 and to the stream cipher Trivium. Unlike the standard cube attacks, cube testers detect non-random behavior rather than performing key extraction, but they can also attack cryptographic schemes described by non-random polynomials of relatively high degree. Applied to MD6, cube testers detect non-randomness over 18 rounds in 2^17 complexity; applied to a slightly modified version of the MD6 compression function, they can distinguish 66 rounds from random in 2^24 complexity. Cube testers give distinguishers on Trivium reduced to 790 rounds from random with 2^30 complexity and detect non-randomness over 885 rounds in 2^27, improving on the original 767-round cube attack.
The sum of d small-bias generators fools polynomials of degree d
In IEEE Conference on Computational Complexity, 2007
Cited by 31 (2 self)
We prove that the sum of d small-bias generators L: F^s → F^n fools degree-d polynomials in n variables over a prime field F, for any fixed degree d and field F, including F = F_2 = {0, 1}. Our result improves on both the work by Bogdanov and Viola (FOCS ’07) and the beautiful follow-up by Lovett (STOC ’08). The first relies on a conjecture that turned out to be true only for some degrees and fields, while the latter considers the sum of 2^d small-bias generators (as opposed to d in our result). Our proof builds on and somewhat simplifies the arguments by Bogdanov and Viola (FOCS ’07) and by Lovett (STOC ’08). Its core is a case analysis based on the bias of the polynomial to be fooled.
Discrepancy and the power of bottom fan-in in depth-three circuits
In Proc. of the 48th Symposium on Foundations of Computer Science (FOCS), 2007
Cited by 26 (2 self)
We develop a new technique of proving lower bounds for the randomized communication complexity of boolean functions in the multiparty ‘Number on the Forehead’ model. Our method is based on the notion of voting polynomial degree of functions and extends the Degree-Discrepancy Lemma in the recent work of Sherstov [24]. Using this we prove that depth-three circuits consisting of a MAJORITY gate at the output, gates computing arbitrary symmetric functions at the second layer and arbitrary gates of bounded fan-in at the base layer, i.e. circuits of type MAJ ◦ SYMM ◦ ANY_{O(1)}, cannot simulate the circuit class AC^0 in subexponential size. Further, even if the fan-in of the bottom ANY gates is increased to o(log log n), such circuits cannot simulate AC^0 in quasipolynomial size. This is in contrast to the classical result of Yao and Beigel-Tarui that shows that such circuits, having only MAJORITY gates, can simulate the class ACC^0 in quasipolynomial size when the bottom fan-in is increased to polylogarithmic size. In the second part, we simplify the arguments in the breakthrough work of Bourgain [7] for obtaining exponentially small upper bounds on the correlation between the boolean function MOD_q and functions represented by polynomials of small degree over Z_m, when m, q ≥ 2 are coprime integers. Our calculation also shows similarity with techniques used to estimate the discrepancy of functions in the multiparty communication setting. This results in a slight improvement of the estimates of [7, 14]. It is known that such estimates imply that circuits of type MAJ ◦ MOD_m ◦ AND_{ε log n} cannot compute the MOD_q function in subexponential size. It remains a major open question to determine if such circuits can simulate ACC^0 in polynomial size when the bottom fan-in is increased to polylogarithmic size.
Testing Fourier dimensionality and sparsity
Cited by 23 (6 self)
We present a range of new results for testing properties of Boolean functions that are defined in terms of the Fourier spectrum. Broadly speaking, our results show that the property of a Boolean function having a concise Fourier representation is locally testable. We first give an efficient algorithm for testing whether the Fourier spectrum of a Boolean function is supported in a low-dimensional subspace of F_2^n (equivalently, for testing whether f is a junta over a small number of parities). We next give an efficient algorithm for testing whether a Boolean function has a sparse Fourier spectrum (a small number of nonzero coefficients). In both cases we also prove lower bounds showing that any testing algorithm — even an adaptive one — must have query complexity within a polynomial factor of our algorithms, which are non-adaptive. Finally, we give an “implicit learning” algorithm that lets us test any sub-property of Fourier concision. Our technical contributions include new structural results about sparse Boolean functions and a new analysis of the pairwise independent hashing of Fourier coefficients from [13].
List-Decoding Reed-Muller codes over small fields
In Proc. 40th ACM Symp. on Theory of Computing (STOC’08), 2008
Cited by 22 (4 self)
We present the first local list-decoding algorithm for the r-th order Reed-Muller code RM(r, m) over F_2 for r ≥ 2. Given an oracle for a received word R: F_2^m → F_2, our randomized local list-decoding algorithm produces a list containing all degree-r polynomials within relative distance (2^{-r} − ε) from R for any ε > 0 in time poly(m^r, ε^{-r}). The list size could be exponential in m at radius 2^{-r}, so our bound is optimal in the local setting. Since RM(r, m) has relative distance 2^{-r}, our algorithm beats the Johnson bound for r ≥ 2. In the setting where we are allowed running time polynomial in the block length, we show that list-decoding is possible up to even larger radii, beyond the minimum distance. We give a deterministic list-decoder that works at error rate below J(2^{1−r}), where J(δ) denotes the Johnson radius for minimum distance δ. This shows that RM(2, m) codes are list-decodable up to radius η for any constant η < 1/2 in time polynomial in the block length. Over small fields F_q, we present list-decoding algorithms in both the global and local settings that work up to the list-decoding radius. We conjecture that the list-decoding radius approaches the minimum distance (like over F_2), and prove this holds true when the degree is divisible by q − 1.
Unconditional pseudorandom generators for low degree polynomials
Electronic Colloquium on Computational Complexity, Report No. 75, 2007
Cited by 21 (3 self)
We give an explicit construction of pseudorandom generators against low-degree polynomials over finite fields. We show that the sum of 2^d small-biased generators with error ε^{2^{O(d)}} is a pseudorandom generator against degree-d polynomials with error ε. This gives a generator with seed length 2^{O(d)} log(n/ε). Our construction follows the recent breakthrough result of Bogdanov and Viola [BV07]. Their work shows that the sum of d small-biased generators is a pseudorandom generator against degree-d polynomials, assuming the Inverse Gowers Conjecture. However, this conjecture is only proven for d = 2, 3. The main advantage of our work is that it does not rely on any unproven conjectures.
Inverse Conjecture for the Gowers norm is false
In Proceedings of the 40th Annual ACM Symposium on the Theory of Computing (STOC), 2007
Cited by 20 (4 self)
Let p be a fixed prime number, and N be a large integer. The ‘Inverse Conjecture for the Gowers norm’ states that if the “d-th Gowers norm” of a function f: F_p^N → F_p is non-negligible, that is, larger than a constant independent of N, then f can be non-trivially approximated by a degree d − 1 polynomial. The conjecture is known to hold for d = 2, 3 and for any prime p. In this paper we show the conjecture to be false for p = 2 and for d = 4, by presenting an explicit function whose 4th Gowers norm is non-negligible, but whose correlation with any polynomial of degree 3 is exponentially small. Essentially the same result (with different correlation bounds) was independently obtained by Green and Tao [5]. Their analysis uses a modification of a Ramsey-type argument of Alon and Beigel [1] to show inapproximability of certain functions by low-degree polynomials. We observe that a combination of our results with the argument of Alon and Beigel implies the inverse conjecture to be false for any prime p, for d = p^2.
Non-malleable Codes from Additive Combinatorics
2013
Cited by 18 (5 self)
Non-malleable codes provide a useful and meaningful security guarantee in situations where traditional error-correction (and even error-detection) is impossible; for example, when the attacker can completely overwrite the encoded message. Informally, a code is non-malleable if the message contained in a modified codeword is either the original message, or a completely unrelated value. Although such codes do not exist if the family of “tampering functions” F is completely unrestricted, they are known to exist for many broad tampering families F. One such natural family is the family of tampering functions in the so-called split-state model. Here the message m is encoded into two shares L and R, and the attacker is allowed to arbitrarily tamper with L and R individually. The split-state tampering arises in many realistic applications, such as the design of non-malleable secret sharing schemes, motivating the question of designing efficient non-malleable codes in this model. Prior to this work, non-malleable codes in the split-state model received considerable attention in the literature, but were constructed either (1) in the random oracle model [14], or (2) relied on advanced cryptographic assumptions (such as non-interactive zero-knowledge proofs and leakage-resilient
A unified framework for testing linear-invariant properties
In Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science, 2010
Cited by 16 (6 self)
In the history of property testing, a particularly important role has been played by linear-invariant properties, i.e., properties of Boolean functions on the hypercube which are closed under linear transformations of the domain. Examples of such properties include linearity, Reed-Muller codes, and Fourier sparsity. In this work, we describe a framework that can lead to a unified analysis of the testability of all linear-invariant properties, drawing on techniques from additive combinatorics and from graph theory. Our main contributions here are the following:
1. We introduce a simple combinatorial condition, which we call subspace-heredity, and conjecture that any property of Boolean functions satisfying it can be efficiently tested. Verifying this conjecture will unify many individual results in this area.
2. We show that if our conjecture holds, then one can obtain a simple combinatorial characterization of properties of Boolean functions that can be efficiently tested with one-sided error, thus addressing a challenge posed by Sudan recently.
3. We introduce a new technique for proving the testability of Boolean functions. Using it, we verify a special case of the conjecture. Our approach here is motivated by techniques that proved to be very successful previously in studying the testability of graph properties.