the learning with rounding problem reductions and
play

The Learning with Rounding Problem: Reductions and Applications - PowerPoint PPT Presentation

Nov 04, 2023 •399 likes •1.3k views

The Learning with Rounding Problem: Reductions and Applications Alon Rosen IDC Herzliya (Thanks: Chris Peikert) Mysore Park Theory Workshop August 15, 2013 1 / 20 Pseudorandom Functions [GGM84] A family F = { F s : { 0 , 1 } k D

  1. The Learning with Rounding Problem: Reductions and Applications Alon Rosen IDC Herzliya (Thanks: Chris Peikert) Mysore Park Theory Workshop August 15, 2013 1 / 20

  2. Pseudorandom Functions [GGM’84] ◮ A family F = { F s : { 0 , 1 } k → D } s.t. given adaptive query access, c F s ← F random func U ≈ x i x i F s ( x i ) U ( x i ) ?? (The “seed” or “secret key” for F s is s .) (Images courtesy xkcd.org) 2 / 20

  3. Pseudorandom Functions [GGM’84] ◮ A family F = { F s : { 0 , 1 } k → D } s.t. given adaptive query access, c F s ← F random func U ≈ x i x i F s ( x i ) U ( x i ) ?? (The “seed” or “secret key” for F s is s .) ◮ Many applications in symmetric cryptography: (efficient) encryption, identification, authentication, . . . (Images courtesy xkcd.org) 2 / 20

  4. How to Construct PRFs 1 Heuristically: AES, Blowfish. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) 3 / 20

  5. How to Construct PRFs 1 Heuristically: AES, Blowfish. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reduction) guarantees 3 / 20

  6. How to Construct PRFs 1 Heuristically: AES, Blowfish. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reduction) guarantees 2 Goldreich-Goldwasser-Micali [GGM’84] ✔ Based on any (doubling) PRG. F s ( x 1 · · · x k ) = G x k ( · · · G x 1 ( s ) · · · ) 3 / 20

  7. How to Construct PRFs 1 Heuristically: AES, Blowfish. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reduction) guarantees 2 Goldreich-Goldwasser-Micali [GGM’84] ✔ Based on any (doubling) PRG. F s ( x 1 · · · x k ) = G x k ( · · · G x 1 ( s ) · · · ) ✗ Inherently sequential: ≥ k iterations (circuit depth) 3 / 20

  8. How to Construct PRFs 1 Heuristically: AES, Blowfish. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reduction) guarantees 2 Goldreich-Goldwasser-Micali [GGM’84] ✔ Based on any (doubling) PRG. F s ( x 1 · · · x k ) = G x k ( · · · G x 1 ( s ) · · · ) ✗ Inherently sequential: ≥ k iterations (circuit depth) 3 Naor-Reingold [NR’95,NR’97,NRR’00] ✔ Based on “synthesizers” or number theory (DDH, factoring) ✔ Low-depth: NC 2 , NC 1 or even TC 0 [ O (1) depth w/ threshold gates] 3 / 20

  9. How to Construct PRFs 1 Heuristically: AES, Blowfish. ✔ Fast! ✔ Withstand known cryptanalytic techniques (linear, differential, . . . ) ✗ PRF security is subtle: want provable (reduction) guarantees 2 Goldreich-Goldwasser-Micali [GGM’84] ✔ Based on any (doubling) PRG. F s ( x 1 · · · x k ) = G x k ( · · · G x 1 ( s ) · · · ) ✗ Inherently sequential: ≥ k iterations (circuit depth) 3 Naor-Reingold [NR’95,NR’97,NRR’00] ✔ Based on “synthesizers” or number theory (DDH, factoring) ✔ Low-depth: NC 2 , NC 1 or even TC 0 [ O (1) depth w/ threshold gates] ✗ Large circuits that need much preprocessing ✗ No “post-quantum” construction under standard assumptions 3 / 20

  10. Why Not Try Lattices? ?? = ⇒ F s ← F 4 / 20

  11. Why Not Try Lattices? ?? = ⇒ F s ← F Advantages of Lattice Crypto Schemes ◮ Simple & efficient: linear, highly parallel operations ◮ Resist quantum attacks (so far) ◮ Secure under worst-case hardness assumptions [Ajtai’96,. . . ] 4 / 20

  12. Why Not Try Lattices? ?? = ⇒ F s ← F Advantages of Lattice Crypto Schemes ◮ Simple & efficient: linear, highly parallel operations ◮ Resist quantum attacks (so far) ◮ Secure under worst-case hardness assumptions [Ajtai’96,. . . ] Disadvantages ✗ Only known PRF is generic GGM (not parallel or efficient) 4 / 20

  13. Why Not Try Lattices? ?? = ⇒ F s ← F Advantages of Lattice Crypto Schemes ◮ Simple & efficient: linear, highly parallel operations ◮ Resist quantum attacks (so far) ◮ Secure under worst-case hardness assumptions [Ajtai’96,. . . ] Disadvantages ✗ Only known PRF is generic GGM (not parallel or efficient) ✗✗ We don’t even have practical PRGs from lattices: biased errors 4 / 20

  14. PRFs From Lattices [Banerjee, Peikert, Rosen’12] 1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE 5 / 20

  15. PRFs From Lattices [Banerjee, Peikert, Rosen’12] 1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE ⋆ Synthesizer-based PRF in TC 1 ⊆ NC 2 a la [NR’95] ⋆ Direct construction in TC 0 ⊆ NC 1 analogous to [NR’97,NRR’00] 5 / 20

  16. PRFs From Lattices [Banerjee, Peikert, Rosen’12] 1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE ⋆ Synthesizer-based PRF in TC 1 ⊆ NC 2 a la [NR’95] ⋆ Direct construction in TC 0 ⊆ NC 1 analogous to [NR’97,NRR’00] 2 Main technique: Learning With Rounding (LWR) “derandomization” of LWE: deterministic errors 5 / 20

  17. PRFs From Lattices [Banerjee, Peikert, Rosen’12] 1 Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE ⋆ Synthesizer-based PRF in TC 1 ⊆ NC 2 a la [NR’95] ⋆ Direct construction in TC 0 ⊆ NC 1 analogous to [NR’97,NRR’00] 2 Main technique: Learning With Rounding (LWR) “derandomization” of LWE: deterministic errors Also gives more practical PRGs, GGM-type PRFs, encryption, . . . 5 / 20

  18. Synthesizers and PRFs [NaorReingold’95] Synthesizer ◮ A deterministic function S : D × D → D s.t. for any m = poly: for a 1 , . . . , a m , b 1 , . . . , b m ← D , c ≈ Unif ( D m × m ) . { S ( a i , b j ) } 6 / 20

  19. Synthesizers and PRFs [NaorReingold’95] Synthesizer ◮ A deterministic function S : D × D → D s.t. for any m = poly: for a 1 , . . . , a m , b 1 , . . . , b m ← D , c ≈ Unif ( D m × m ) . { S ( a i , b j ) } b 1 b 2 · · · a 1 S ( a 1 , b 1 ) S ( a 1 , b 2 ) · · · U 1 , 1 U 1 , 2 · · · vs. a 2 S ( a 2 , b 1 ) S ( a 2 , b 2 ) · · · U 2 , 1 U 2 , 2 · · · . ... ... . . 6 / 20

  20. Synthesizers and PRFs [NaorReingold’95] Synthesizer ◮ A deterministic function S : D × D → D s.t. for any m = poly: for a 1 , . . . , a m , b 1 , . . . , b m ← D , c ≈ Unif ( D m × m ) . { S ( a i , b j ) } b 1 b 2 · · · a 1 S ( a 1 , b 1 ) S ( a 1 , b 2 ) · · · U 1 , 1 U 1 , 2 · · · vs. a 2 S ( a 2 , b 1 ) S ( a 2 , b 2 ) · · · U 2 , 1 U 2 , 2 · · · . ... ... . . ◮ Alternative view: an (almost) length-squaring PRG with locality: maps D 2 m → D m 2 , and each output depends on only 2 inputs. 6 / 20

  21. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ≈ Unif ( D m × m ) . ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } 7 / 20

  22. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ≈ Unif ( D m × m ) . ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ◮ Base case: “one-bit” PRF F s 0 ,s 1 ( x ) := s x ∈ D . ✔ 7 / 20

  23. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ≈ Unif ( D m × m ) . ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ◮ Base case: “one-bit” PRF F s 0 ,s 1 ( x ) := s x ∈ D . ✔ ◮ Input doubling: given k -bit PRF family F = { F : { 0 , 1 } k → D } , define a { 0 , 1 } 2 k → D function with seed F ℓ , F r ← F : � � F ( F ℓ ,F r ) ( x ℓ , x r ) = S F ℓ ( x ℓ ) , F r ( x r ) . 7 / 20

  24. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ≈ Unif ( D m × m ) . ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ◮ Base case: “one-bit” PRF F s 0 ,s 1 ( x ) := s x ∈ D . ✔ ◮ Input doubling: given k -bit PRF family F = { F : { 0 , 1 } k → D } , define a { 0 , 1 } 2 k → D function with seed F ℓ , F r ← F : � � F ( F ℓ ,F r ) ( x ℓ , x r ) = S F ℓ ( x ℓ ) , F r ( x r ) . s 1 , 0 , s 1 , 1 s 1 ,x 1 S s 2 , 0 , s 2 , 1 s 2 ,x 2 F { s i,b } ( x 1 · · · x 4 ) S s 3 , 0 , s 3 , 1 s 3 ,x 3 S s 4 , 0 , s 4 , 1 s 4 ,x 4 7 / 20

  25. Synthesizers and PRFs [NaorReingold’95] PRF from Synthesizer, Recursively c ≈ Unif ( D m × m ) . ◮ Synthesizer S : D × D → D , where { S ( a i , b j ) } ◮ Base case: “one-bit” PRF F s 0 ,s 1 ( x ) := s x ∈ D . ✔ ◮ Input doubling: given k -bit PRF family F = { F : { 0 , 1 } k → D } , define a { 0 , 1 } 2 k → D function with seed F ℓ , F r ← F : � � F ( F ℓ ,F r ) ( x ℓ , x r ) = S F ℓ ( x ℓ ) , F r ( x r ) . s 1 , 0 , s 1 , 1 s 1 ,x 1 S s 2 , 0 , s 2 , 1 s 2 ,x 2 F { s i,b } ( x 1 · · · x 4 ) S s 3 , 0 , s 3 , 1 s 3 ,x 3 S s 4 , 0 , s 4 , 1 s 4 ,x 4 ◮ Security: the queries F ℓ ( x ℓ ) and F r ( x r ) define (pseudo)random inputs a 1 , a 2 , . . . ∈ D and b 1 , b 2 , . . . ∈ D to synthesizer S . 7 / 20

  26. Learning With Errors [Regev’05] ◮ Dimension n (security param), modulus q ≥ 2 8 / 20

  27. Learning With Errors [Regev’05] ◮ Dimension n (security param), modulus q ≥ 2 ◮ Search: find s ∈ Z n q given ‘noisy random inner products’ a 1 ← Z n q , b 1 = � s , a 1 � + e 1 a 2 ← Z n q , b 2 = � s , a 2 � + e 2 . . . 8 / 20

Recommend

CS 301 Lecture 20 Reductions Stephen Checkoway April 9, 2018 1 / 17 Reductions Reductions

CS 301 Lecture 20 Reductions Stephen Checkoway April 9, 2018 1 / 17 Reductions Reductions

CS 301 Lecture 20 Reductions Stephen Checkoway April 9, 2018 1 / 17 Reductions Reductions are a way of saying, If problem B can be solved, then problem A can as well 2 / 17 Reductions Reductions are a way of saying, If problem B

640 views • 28 slides
The Entropy Rounding Method in Approximation Algorithms Thomas Rothvo Department of

The Entropy Rounding Method in Approximation Algorithms Thomas Rothvo Department of

The Entropy Rounding Method in Approximation Algorithms Thomas Rothvo Department of Mathematics, M.I.T. Carg` ese 2011 A general rounding problem Problem: Given: A R n m , fractional solution x [0 , 1] m Find: y { 0 ,

1.55k views • 126 slides
Polynomial-time reductions We have seen several reductions: Polynomial-time reductions Informal

Polynomial-time reductions We have seen several reductions: Polynomial-time reductions Informal

Polynomial-time reductions We have seen several reductions: Polynomial-time reductions Informal explanation of reductions: We have two problems, X and Y. Suppose we have a black-box solving problem X in polynomial-time. Can we use the black-box

1.38k views • 32 slides
Theory of Computer Science D7. Halting Problem and Reductions Malte Helmert University of Basel

Theory of Computer Science D7. Halting Problem and Reductions Malte Helmert University of Basel

Theory of Computer Science D7. Halting Problem and Reductions Malte Helmert University of Basel May 10, 2017 Introduction TMs as Words Special Halting Problem Type-0 Languages Reductions Summary Overview: Computability Theory

780 views • 60 slides
Theory of Computer Science May 9, 2016 D7. Halting Problem and Reductions D7.1 Introduction

Theory of Computer Science May 9, 2016 D7. Halting Problem and Reductions D7.1 Introduction

Theory of Computer Science May 9, 2016 D7. Halting Problem and Reductions D7.1 Introduction Theory of Computer Science D7. Halting Problem and Reductions D7.2 Turing Machines as Words D7.3 Special Halting Problem Malte Helmert D7.4

420 views • 8 slides
Theory of Computer Science May 10, 2017 D7. Halting Problem and Reductions D7.1 Introduction

Theory of Computer Science May 10, 2017 D7. Halting Problem and Reductions D7.1 Introduction

Theory of Computer Science May 10, 2017 D7. Halting Problem and Reductions D7.1 Introduction Theory of Computer Science D7. Halting Problem and Reductions D7.2 Turing Machines as Words D7.3 Special Halting Problem Malte Helmert D7.4

227 views • 8 slides
Chapter 2 Reductions and NP CS 573: Algorithms, Fall 2013 August 29, 2013 2.1 Reductions

Chapter 2 Reductions and NP CS 573: Algorithms, Fall 2013 August 29, 2013 2.1 Reductions

Chapter 2 Reductions and NP CS 573: Algorithms, Fall 2013 August 29, 2013 2.1 Reductions Continued 2.1.1 The Satisfiability Problem (SAT) 2.1.1.1 Propositional Formulas Definition 2.1.1. Consider a set of boolean variables x 1 , x 2 , . . .

355 views • 12 slides
CS 170 Section 9 Zero-Sum Games, Reductions Owen Jow | owenjow@berkeley.edu Zero-Sum Games

CS 170 Section 9 Zero-Sum Games, Reductions Owen Jow | owenjow@berkeley.edu Zero-Sum Games

CS 170 Section 9 Zero-Sum Games, Reductions Owen Jow | owenjow@berkeley.edu Zero-Sum Games The professors have been busy lately... Reductions Transform problem P into problem Q Solve problem Q Transform solution for Q into

123 views • 11 slides
CSE 105Theory of Computability Fall, 2006 Lecture 16November 14 Reductions Instructor:

CSE 105Theory of Computability Fall, 2006 Lecture 16November 14 Reductions Instructor:

CSE 105Theory of Computability Fall, 2006 Lecture 16November 14 Reductions Instructor: Neil Rhodes Reductions We have an algorithm that converts instances of problem P 1 to instances of problem P 2 where the answer to P 2 can be used to

102 views • 6 slides
Rounding When we are rounding numbers to the nearest 10, how do we know whether to round up or

Rounding When we are rounding numbers to the nearest 10, how do we know whether to round up or

Rounding When we are rounding numbers to the nearest 10, how do we know whether to round up or down? 5 is the golden number. 3 6 5 0 10 If the ones digit is less than 5, we round down. If the ones digit is 5 or greater, we round up.

281 views • 10 slides
Conventional Rounding Rules Conventional Rounding Rules Conventional Rounding Rules Conventional

Conventional Rounding Rules Conventional Rounding Rules Conventional Rounding Rules Conventional

Conventional Rounding Rules Conventional Rounding Rules Conventional Rounding Rules Conventional Rounding Rules 1 Rounding to one decimal Rounding to one decimal place place - if a fraction is > 5, if a fraction is > 5, - round

271 views • 5 slides
Reductions Example 0 We want to compare the complexity of different problems. How do we solve

Reductions Example 0 We want to compare the complexity of different problems. How do we solve

CS500 CS500 Reductions Example 0 We want to compare the complexity of different problems. How do we solve IntervalScheduling ? (Given a set of intervals and a number k > 0 , is there a A reduction from problem X to problem Y means that

452 views • 5 slides
Reductions So far, two reductions that preserve the CS 611 meaning of a lambda calculus

Reductions So far, two reductions that preserve the CS 611 meaning of a lambda calculus

Reductions So far, two reductions that preserve the CS 611 meaning of a lambda calculus Advanced Programming Languages expression: Andrew Myers ( x e ) ( x e { x / x }) (if x FV e ) Cornell University

359 views • 3 slides
Exploiting Reductions Given an efficient algorithm for a problem A we can solve a Lecture 5:

Exploiting Reductions Given an efficient algorithm for a problem A we can solve a Lecture 5:

T79.4201 Search Problems and Algorithms T79.4201 Search Problems and Algorithms Exploiting Reductions Given an efficient algorithm for a problem A we can solve a Lecture 5: Constraint satisfaction: formalisms problem B by developing a

212 views • 9 slides
Exploiting Reductions Given an efficient algorithm for a problem A we can solve a Lecture 5:

Exploiting Reductions Given an efficient algorithm for a problem A we can solve a Lecture 5:

T79.4201 Search Problems and Algorithms T79.4201 Search Problems and Algorithms Exploiting Reductions Given an efficient algorithm for a problem A we can solve a Lecture 5: Constraint satisfaction: formalisms problem B by developing a

343 views • 10 slides
\ Context and motivation (half) A New Probabilistic Rounding Error Analysis 2/18 the rise of

\ Context and motivation (half) A New Probabilistic Rounding Error Analysis 2/18 the rise of

A New Approach to Probabilistic Rounding Error Analysis Theo Mary, joint work with Nick Higham University of Manchester, School of Mathematics Manchester, 4 December 2018 \ Context and motivation (half) A New Probabilistic Rounding Error

580 views • 35 slides
18. Rounding and relaxation Decision problems Easy and hard examples Performance and

18. Rounding and relaxation Decision problems Easy and hard examples Performance and

CS/ECE/ISyE 524 Introduction to Optimization Spring 201718 18. Rounding and relaxation Decision problems Easy and hard examples Performance and the future Rounding Convex relaxation Convex hull Laurent Lessard

639 views • 26 slides
NP-completeness reductions Matvey Soloviev (Cornell University) CS 4820, Summer 2020 1 NP

NP-completeness reductions Matvey Soloviev (Cornell University) CS 4820, Summer 2020 1 NP

NP-completeness reductions Matvey Soloviev (Cornell University) CS 4820, Summer 2020 1 NP that is, if NP contains any problems Last time We showed that the CNF-SAT problem is NP-complete, that is, problem in NP. In particular, if P that

1.94k views • 150 slides
Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With

Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With

Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors ( LWE ) public: integers n, q secret small error from a known

505 views • 24 slides
CS 758/858: Algorithms http://www.cs.unh.edu/~ruml/cs758 Graph Problems Number Problem Wheeler

CS 758/858: Algorithms http://www.cs.unh.edu/~ruml/cs758 Graph Problems Number Problem Wheeler

CS 758/858: Algorithms http://www.cs.unh.edu/~ruml/cs758 Graph Problems Number Problem Wheeler Ruml (UNH) Class 22, CS 758 1 / 13 Graph Problems Reductions Clique Vertex Cover Break Number Problem Reductions to Graph

986 views • 14 slides
Efficient Algorithms and Problem Complexity Techniques for Constructing Reductions Frank

Efficient Algorithms and Problem Complexity Techniques for Constructing Reductions Frank

Efficient Algorithms and Problem Complexity Techniques for Constructing Reductions Frank Drewes Department of Computing Science Ume a University Frank Drewes (Ume a University) Efficient Algorithms and Problem Complexity Lecture

307 views • 20 slides
Budget Proposal Personnel/BOCES Personnel Reductions Personnel Reductions Assistant

Budget Proposal Personnel/BOCES Personnel Reductions Personnel Reductions Assistant

2020-2021 Staffing and Budget Proposal Personnel/BOCES Personnel Reductions Personnel Reductions Assistant Superintendent for School Administration Supervisor of Special Programs HS English positions due to retirement BOCES

595 views • 13 slides
PROBLEM BASED LEARNING IN MATHEMATICS BLACKWOOD HIGH SCHOOL PROBLEM BASED LEARNING WOMBATS

PROBLEM BASED LEARNING IN MATHEMATICS BLACKWOOD HIGH SCHOOL PROBLEM BASED LEARNING WOMBATS

PROBLEM BASED LEARNING IN MATHEMATICS BLACKWOOD HIGH SCHOOL PROBLEM BASED LEARNING WOMBATS PELICANS HAIGHS CHOLCOLATE COOLING CUPS SOLAR PANELS PROBLEM BASED LEARNING WOMBATS ISSUE: WOMBATS WERE PROPOSING THREATS ON FARM

321 views • 18 slides
NV-Group: Link-Efficient Reductions for Distributed Deep Learning on Modern Dense GPU Systems

NV-Group: Link-Efficient Reductions for Distributed Deep Learning on Modern Dense GPU Systems

NV-Group: Link-Efficient Reductions for Distributed Deep Learning on Modern Dense GPU Systems Ching-Hsiang Chu , Pouya Kousha, Ammar A. Awan, Kawthar Shafie Khorassani, Hari Subramoni, and Dhabaleswar K. (DK) Panda {chu.368, kousha.2, awan.10,

496 views • 25 slides

More recommend