Leakage-resilient cryptography
 In Proceedings of the 49th IEEE Symposium on Foundations of Computer Science
, 2008
Cited by 143 (9 self)
We construct a stream cipher S whose implementation is secure even if a bounded amount of arbitrary (adversarially chosen) information on the internal state of S is leaked during computation. This captures all possible side-channel attacks on S where the amount of information leaked in a given period is bounded, but overall can be arbitrarily large. The only other assumption we make on the implementation of S is that only data that is accessed during computation leaks information. The stream cipher S generates its output in chunks $K_1, K_2, \ldots$, and arbitrary but bounded information leakage is modeled by allowing the adversary to adaptively choose a function $f_\ell : \{0,1\}^* \to \{0,1\}^\lambda$ before $K_\ell$ is computed; she then gets $f_\ell(\tau_\ell)$, where $\tau_\ell$ is the internal state of S that is accessed during the computation of $K_\ell$. One notion of security we prove for S is that $K_\ell$ is indistinguishable from random when given $K_1, \ldots, K_{\ell-1}$, $f_1(\tau_1), \ldots, f_{\ell-1}(\tau_{\ell-1})$ and also the complete internal state of S after $K_\ell$ has been computed (i.e. S is forward-secure). The construction is based on alternating extraction (used in the intrusion-resilient secret-sharing scheme from FOCS'07). We move this concept to the computational setting by proving a lemma that states that the output of any PRG has high HILL pseudoentropy (i.e. is indistinguishable from some distribution with high min-entropy) even if arbitrary information about the seed is leaked. The amount of leakage $\lambda$ that we can tolerate in each step depends on the strength of the underlying PRG: it is at least logarithmic, but can be as large as a constant fraction of the internal state of S if the PRG is exponentially hard.
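To make the leakage model above concrete, here is an added Python sketch of the security game the abstract describes. It is not code from the paper: the generator is a hypothetical SHA-256 ratchet standing in for S (not the alternating-extraction construction), and the name ToyStreamCipher, the fixed seeds and λ = 8 are assumptions of this example. What it enforces are the three points the abstract fixes: the adversary chooses f_ℓ adaptively and receives only λ bits of f_ℓ(τ_ℓ); τ_ℓ contains only the state actually read in that step; and the complete state handed out after K_ℓ regenerates later chunks but none of the earlier ones.

```python
import hashlib
from typing import Callable, List, Tuple

LAMBDA_BITS = 8  # λ: bits of leakage allowed per step (value assumed for the demo, not from the paper)


def H(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256, the one-way / PRG-like building block of this stand-in."""
    h = hashlib.sha256(tag)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class ToyStreamCipher:
    """Hypothetical chunked, forward-secure generator standing in for S (not the paper's construction).

    Secret state: two 32-byte halves k[0], k[1]; public state: x.  Step ℓ reads only
    k[ℓ mod 2] and x, so under the "only computation leaks" assumption the leakage
    function may see τ_ℓ = (k[ℓ mod 2], x) and nothing else.
    """

    def __init__(self, k0: bytes, k1: bytes, x: bytes, step: int = 0) -> None:
        self.k = [k0, k1]
        self.x = x
        self.step = step

    def accessed_state(self) -> bytes:
        """τ_ℓ: the bytes that the upcoming step will touch."""
        return self.k[self.step % 2] + self.x

    def next_chunk(self) -> bytes:
        """Emit K_ℓ, then overwrite the half that was read so the new state cannot recompute K_ℓ."""
        p = self.step % 2
        k_out = H(b"out", self.k[p], self.x)
        self.k[p] = H(b"key", self.k[p], self.x)  # one-way update gives forward security
        self.x = H(b"pub", self.x)
        self.step += 1
        return k_out

    def snapshot(self) -> "ToyStreamCipher":
        """The complete internal state, as handed to the adversary after K_ℓ is computed."""
        return ToyStreamCipher(self.k[0], self.k[1], self.x, self.step)


class LeakageGame:
    """Enforces the model: before each K_ℓ the adversary picks f_ℓ and gets at most λ bits of f_ℓ(τ_ℓ)."""

    def __init__(self, cipher: ToyStreamCipher, lam_bits: int = LAMBDA_BITS) -> None:
        self.c = cipher
        self.lam = lam_bits
        self.bits_leaked_total = 0  # grows without bound over time: λ per step

    def query(self, f: Callable[[bytes], int]) -> Tuple[bytes, int]:
        tau = self.c.accessed_state()
        leak = f(tau) & ((1 << self.lam) - 1)  # truncate the adversary's function to λ bits
        self.bits_leaked_total += self.lam
        return self.c.next_chunk(), leak


# Constructed fixed seeds so runs are reproducible; a real deployment draws them from a CSPRNG.
SEEDS = (b"\x01" * 32, b"\x02" * 32, b"\x03" * 32)


def run_game(steps: int, lam_bits: int = LAMBDA_BITS) -> Tuple[List[bytes], List[int], int]:
    """Adversary that asks, each step, for the first byte of whichever secret half is being read."""
    game = LeakageGame(ToyStreamCipher(*SEEDS), lam_bits)
    chunks, leaks = [], []
    for _ in range(steps):
        k, leak = game.query(lambda tau: tau[0])
        chunks.append(k)
        leaks.append(leak)
    return chunks, leaks, game.bits_leaked_total


def untouched_half_is_hidden() -> bool:
    """The half not read in a step never appears in τ_ℓ for that step."""
    c = ToyStreamCipher(*SEEDS)
    hidden0 = c.k[1] not in c.accessed_state()  # step 0 reads k[0]
    c.next_chunk()
    hidden1 = c.k[0] not in c.accessed_state()  # step 1 reads k[1]
    return hidden0 and hidden1


def forward_security_demo(ell: int) -> bool:
    """Given the full state after K_ℓ, one can reproduce K_{ℓ+1}, ... but none of K_1..K_ℓ."""
    c = ToyStreamCipher(*SEEDS)
    past = [c.next_chunk() for _ in range(ell)]
    leaked = c.snapshot()
    regenerated = [leaked.next_chunk() for _ in range(ell)]
    future = [c.next_chunk() for _ in range(ell)]
    return regenerated == future and not set(regenerated) & set(past)
```

The bits_leaked_total counter is the point of the per-step bound: after 64 steps the adversary has seen 512 bits, more than one 256-bit half of the secret state, so nothing in the model keeps the total leakage small. The security argument has to come from the one-way refresh of whichever half was just read; whether a real S survives that is what the paper proves for its construction, and this toy only checks the interface.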
Universal characteristic factors and Furstenberg averages
, 2004
Cited by 91 (6 self)
Let X = (X 0, B, µ, T) be an ergodic probability measure preserving system. For a natural number k we consider the averages N ∑ k ∏ 1 fj(T
Norm convergence of multiple ergodic averages for commuting transformations
, 2007
Cited by 81 (4 self)
Let $T_1, \ldots, T_l : X \to X$ be commuting measure-preserving transformations on a probability space $(X, \mathcal{X}, \mu)$. We show that the multiple ergodic averages $\frac{1}{N} \sum_{n=0}^{N-1} f_1(T_1^n x) \cdots f_l(T_l^n x)$ are convergent in $L^2(X, \mathcal{X}, \mu)$ as $N \to \infty$ for all $f_1, \ldots, f_l \in L^\infty(X, \mathcal{X}, \mu)$; this was previously established for $l = 2$ by Conze and Lesigne [2] and for general $l$ assuming some additional ergodicity hypotheses on the maps $T_i$ and $T_i T_j^{-1}$ by Frantzikinakis and Kra [3] (with the $l = 3$ case of this result established earlier in [29]). Our approach is combinatorial and finitary in nature, inspired by recent developments regarding the hypergraph regularity and removal lemmas, although we will not need the full strength of those lemmas. In particular, the $l = 2$ case of our arguments is a finitary analogue of those in [2].
Linear equations in primes
 Annals of Mathematics
, 2006
Cited by 79 (3 self)
Consider a system $\Psi$ of non-constant affine-linear forms $\psi_1, \ldots, \psi_t : \mathbb{Z}^d \to \mathbb{Z}$, no two of which are linearly dependent. Let $N$ be a large integer, and let $K \subseteq [-N, N]^d$ be convex. A generalisation of a famous and difficult open conjecture of Hardy and Littlewood predicts an asymptotic, as $N \to \infty$, for the number of integer points $n \in \mathbb{Z}^d \cap K$ for which the integers $\psi_1(n), \ldots, \psi_t(n)$ are simultaneously prime. This implies many other well-known conjectures, such as the twin prime conjecture and the (weak) Goldbach conjecture. It also allows one to count the number of solutions in a convex range to any simultaneous linear system of equations in which all unknowns are required to be prime. In this paper we (conditionally) verify this asymptotic under the assumption that no two of the affine-linear forms $\psi_1, \ldots, \psi_t$ are affinely related; this excludes the important "binary" cases such as the twin prime or Goldbach conjectures, but does allow one to count "non-degenerate" configurations such as arithmetic progressions. Our result assumes two families of conjectures, which we term the inverse Gowers-norm conjecture (GI(s)) and the Möbius and nilsequences conjecture (MN(s)), where $s \in \{1, 2, \ldots\}$ is
A variant of the hypergraph removal lemma
, 2006
Cited by 75 (7 self)
Recent work of Gowers [10] and Nagle, Rödl, Schacht, and Skokan [15], [19], [20] has established a hypergraph removal lemma, which in turn implies some results of Szemerédi [26] and Furstenberg-Katznelson [7] concerning one-dimensional and multidimensional arithmetic progressions respectively. In this paper we shall give a self-contained proof of this hypergraph removal lemma. In fact we prove a slight strengthening of the result, which we will use in a subsequent paper [29] to establish (among other things) infinitely many constellations of a prescribed shape in the Gaussian primes.
Gowers uniformity, influence of variables, and PCPs
 In Proceedings of the 38th Annual ACM Symposium on Theory of Computing
, 2006
Cited by 63 (1 self)
Gowers [Gow98, Gow01] introduced, for $d \ge 1$, the notion of dimension-$d$ uniformity $U^d(f)$ of a function $f : G \to \mathbb{C}$, where $G$ is a finite abelian group. Roughly speaking, if a function has small Gowers uniformity of dimension $d$, then it "looks random" on certain structured subsets of the inputs. We prove the following inverse theorem. Write $G = G_1 \times \cdots \times G_n$ as a product of groups. If a bounded balanced function $f : G_1 \times \cdots \times G_n \to \mathbb{C}$ is such that $U^d(f) \ge \varepsilon$, then one of the coordinates of $f$ has influence at least $\varepsilon / 2^{O(d)}$. Other inverse theorems are known [Gow98, Gow01, GT05, Sam05], and $U^3$ is especially well understood, but the properties of functions $f$ with large $U^d(f)$, $d \ge 4$, are not yet well characterized. The dimension-$d$ Gowers inner product $\langle \{f_S\} \rangle_{U^d}$ of a collection $\{f_S\}_{S \subseteq [d]}$ of functions is a related measure of pseudorandomness. The definition is such that if all the functions $f_S$ are equal to the same fixed function $f$, then $\langle \{f_S\} \rangle_{U^d} = U^d(f)$. We prove that if $f_S : G_1 \times \cdots \times G_n \to \mathbb{C}$ is a collection of bounded functions such that $|\langle \{f_S\} \rangle_{U^d}| \ge \varepsilon$ and at least one of the $f_S$ is balanced, then there is a variable that has influence at least $\varepsilon^2 / 2^{O(d)}$ for at least four functions in the collection. Finally, we relate the acceptance probability of the "hypergraph long-code test" proposed by Samorodnitsky and Trevisan to the Gowers inner product of the functions being tested and we deduce the following result: if the Unique Games Conjecture is true, then for every $q \ge 3$ there is a PCP characterization of NP where the verifier makes $q$ queries, has almost perfect completeness, and soundness at most $2q / 2^q$. For infinitely many $q$, the soundness is $(q + 1) / 2^q$, which might be a tight result.
Two applications of this result are that, assuming that the Unique Games Conjecture is true, it is hard to approximate Max $k$-CSP within a factor $2k / 2^k$ ($(k + 1) / 2^k$ for infinitely many $k$), and it is hard to approximate Independent Set in graphs of degree $D$ within a factor $(\log D)^{O(1)} / D$.
A quantitative ergodic theory proof of Szemerédi’s theorem
, 2004
Cited by 55 (15 self)
A famous theorem of Szemerédi asserts that given any density $0 < \delta \le 1$ and any integer $k \ge 3$, any set of integers with density $\delta$ will contain infinitely many proper arithmetic progressions of length $k$. For general $k$ there are essentially four known proofs of this fact: Szemerédi's original combinatorial proof using the Szemerédi regularity lemma and van der Waerden's theorem, Furstenberg's proof using ergodic theory, Gowers' proof using Fourier analysis and the inverse theory of additive combinatorics, and Gowers' more recent proof using a hypergraph regularity lemma. Of these four, the ergodic theory proof is arguably the shortest, but also the least elementary, requiring in particular the use of transfinite induction (and thus the axiom of choice), decomposing a general ergodic system as the weakly mixing extension of a transfinite tower of compact extensions. Here we present a quantitative, self-contained version of this ergodic theory proof, which is "elementary" in the sense that it does not require the axiom of choice, the use of infinite sets or measures, or the use of the Fourier transform or inverse theorems from additive combinatorics. It also gives explicit (but extremely poor) quantitative bounds.
Low-degree tests at large distances
, 2006
Cited by 48 (2 self)
We define tests of Boolean functions which distinguish between linear (or quadratic) polynomials and functions which are very far, in an appropriate sense, from these polynomials. The tests have optimal or nearly optimal tradeoffs between soundness and the number of queries. In particular, we show that functions with small Gowers uniformity norms behave "randomly" with respect to hypergraph linearity tests. A central step in our analysis of quadraticity tests is the proof of an inverse theorem for the third Gowers uniformity norm of Boolean functions. This last result also has a coding-theory application: it is possible to efficiently estimate the distance from the second-order Reed-Muller code on inputs lying far beyond its list-decoding radius.
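As an added illustration of the objects this abstract works with (not the paper's own tests, which are the large-distance and hypergraph variants), the Python below computes the base cases exactly by enumeration: the $U^2$ Gowers norm of a Boolean function, the classic 3-query BLR linearity test, and the distance to the nearest affine function, i.e. to the first-order Reed-Muller code, read off the Walsh spectrum. The two sample functions on 4 bits, a linear form and the inner-product bent function, are constructed here; the identity $\|f\|_{U^2}^4 = \sum_a \hat f(a)^4$ is what makes the norm and the distance estimate two views of the same quantity.

```python
from fractions import Fraction
from itertools import product
from typing import Callable, Dict, List, Tuple

Point = Tuple[int, ...]
BoolFn = Callable[[Point], int]  # Boolean function F_2^n -> {0, 1}


def points(n: int) -> List[Point]:
    return list(product((0, 1), repeat=n))


def xor(a: Point, b: Point) -> Point:
    return tuple(x ^ y for x, y in zip(a, b))


def pm_table(f: BoolFn, n: int) -> Dict[Point, int]:
    """Tabulate f in ±1 form: 0 -> +1, 1 -> -1 (the form the Gowers norm is defined on)."""
    return {x: 1 - 2 * f(x) for x in points(n)}


def gowers_u2_fourth(f: BoolFn, n: int) -> Fraction:
    """||f||_{U^2}^4 = E_{x,h1,h2} f(x) f(x+h1) f(x+h2) f(x+h1+h2), computed exactly."""
    t, pts = pm_table(f, n), points(n)
    total = 0
    for x in pts:
        for h1 in pts:
            xh1 = xor(x, h1)
            for h2 in pts:
                total += t[x] * t[xh1] * t[xor(x, h2)] * t[xor(xh1, h2)]
    return Fraction(total, len(pts) ** 3)


def walsh_spectrum(f: BoolFn, n: int) -> Dict[Point, Fraction]:
    """Fourier coefficients f^(a) = E_x f(x) (-1)^{a.x} of the ±1 form of f."""
    t, pts = pm_table(f, n), points(n)
    spec = {}
    for a in pts:
        s = 0
        for x in pts:
            parity = sum(ai & xi for ai, xi in zip(a, x)) & 1
            s += t[x] * (1 - 2 * parity)
        spec[a] = Fraction(s, len(pts))
    return spec


def blr_reject_probability(f: BoolFn, n: int) -> Fraction:
    """Classic 3-query BLR linearity test: pick x, y uniformly; reject iff f(x) ^ f(y) != f(x ^ y)."""
    pts = points(n)
    rejects = sum(1 for x in pts for y in pts if (f(x) ^ f(y)) != f(xor(x, y)))
    return Fraction(rejects, len(pts) ** 2)


def distance_to_affine(f: BoolFn, n: int) -> Fraction:
    """Relative Hamming distance to the nearest affine function (first-order Reed-Muller codeword).

    The nearest affine function has agreement (1 + max_a |f^(a)|) / 2, so the distance is
    (1 - max_a |f^(a)|) / 2.
    """
    return (1 - max(abs(c) for c in walsh_spectrum(f, n).values())) / 2


# Constructed sample functions on n = 4 bits.
def linear_form(x: Point) -> int:
    return x[0] ^ x[2]                    # a codeword: passes every linearity test


def inner_product(x: Point) -> int:
    return (x[0] & x[1]) ^ (x[2] & x[3])  # bent function: maximally far from all affine functions
```

For the bent function the numbers line up as the theory predicts: every Walsh coefficient has magnitude $1/4$, so the distance to the code is $3/8$, the BLR test rejects with probability $15/32$, and $\|f\|_{U^2}^4 = 16 \cdot (1/4)^4 = 1/16$; the linear form gives $0$, $0$ and $1$ respectively. Enumeration is $2^{3n}$ work, so this is only for small $n$; the abstract's point is precisely that for large distances the query-efficient tests still track these quantities.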
The primes contain arbitrarily long polynomial progressions
 Acta Math.
, 2006
Cited by 48 (7 self)
We establish the existence of infinitely many polynomial progressions in the primes; more precisely, given any integer-valued polynomials $P_1, \ldots, P_k \in \mathbb{Z}[m]$ in one unknown $m$ with $P_1(0) = \cdots = P_k(0) = 0$ and any $\varepsilon > 0$, we show that there are infinitely many integers $x, m$ with $1 \le m \le x^\varepsilon$ such that $x + P_1(m), \ldots, x + P_k(m)$ are simultaneously prime. The arguments are based on those in [18], which treated the linear case $P_i = (i - 1) m$ and $\varepsilon = 1$; the main new features are a localization of the shift parameters (and the attendant Gowers norm objects) to both coarse and fine scales, the use of PET induction to linearize the polynomial averaging, and some elementary estimates for the number of points over finite fields in certain algebraic varieties.
Higher correlations of divisor sums related to primes, II: Variations of the error term in the prime number theorem
, 2007
Cited by 45 (8 self)
We calculate the triple correlations for the truncated divisor sum $\lambda_R(n)$. The $\lambda_R(n)$ behave over certain averages just as the prime-counting von Mangoldt function $\Lambda(n)$ does or is conjectured to do. We also calculate the mixed (with a factor of $\Lambda(n)$) correlations. The results for the moments up to the third degree, and therefore the implications for the distribution of primes in short intervals, are the same as those we obtained (in the first paper with this title) by using the simpler approximation $\Lambda_R(n)$. However, when $\lambda_R(n)$ is used, the error in the singular series approximation is often much smaller than what $\Lambda_R(n)$ allows. Assuming the Generalized Riemann Hypothesis (GRH) for Dirichlet $L$-functions, we obtain an $\Omega_\pm$-result for the variation of the error term in the prime number theorem. Formerly, our knowledge under GRH was restricted to $\Omega$-results for the absolute value of this variation. An important ingredient in the last part of this work is a recent result due to Montgomery and Soundararajan which makes it possible for us to dispense with a large error term in the evaluation of a certain singular series average. We believe that our results on the sums $\lambda_R(n)$ and $\Lambda_R(n)$ can be employed in diverse problems concerning primes.