Shachar Lovett

On cryptography with auxiliary input

We study the question of designing cryptographic schemes which are secure even if an arbitrary function f(sk) of the secret key is leaked, as long as the secret key sk is still (exponentially) hard to compute from this auxiliary input. This setting of auxiliary input is more general than the more traditional setting, which assumes that some of information about the secret key sk may be leaked, but sk still has high min-entropy left. In particular, we deal with situations where f(sk) information-theoretically determines the entire secret key sk. As our main result, we construct CPA/CCA secure symmetric encryption schemes that remain secure with exponentially hard-to-invert auxiliary input. We give several applications of such schemes. * We construct an average-case obfuscator for the class of point functions, which remains secure with exponentially hard-to-invert auxiliary input, and is reusable. * We construct a reusable and robust extractor that remains secure with exponentially hard-to-invert auxiliary input. Our results rely on a new cryptographic assumption, Learning Subspace-with-Noise (LSN), which is related to the well known Learning Parity-with-Noise (LPN) assumption.

Unconditional pseudorandom generators for low degree polynomials

We give an explicit construction of pseudorandom generators against low degree polynomials over finite fields. We show that the sum of 2d small-biased generators with error ε2O(d) is a pseudorandom generator against degree d polynomials with error ε. This gives a generator with seed length 2O(d) log(n/ε). Our construction follows the recent breakthrough result of Bogadnov and Viola. Their work shows that the sum of d small-biased generators is a pseudo-random generator against degree d polynomials, assuming the Inverse Gowers Conjecture. However, this conjecture is only proven for d=2,3. The main advantage of our work is that it does not rely on any unproven conjectures.

Worst Case to Average Case Reductions for Polynomials

A degree-d polynomial p in n variables over a field F is equidistributed if it takes on each of its |F| values close to equally often, and biased otherwise. We say that p has low rank if it can be expressed as a function of a small number of lower degree polynomials. Green and Tao [GT07] have shown that over large fields (i.e when d <|F|) a biased polynomial must have low rank. They have also conjectured that bias implies low rank over general fields, but their proof technique fails to show that. In this work we affirmatively answer their conjecture. Using this result we obtain a general worst case to average case reductions for polynomials. That is, we show that a polynomial that can be approximated by a few polynomials of bounded degree (i.e. a polynomial with non negligible correlation with a function of few bounded degree polynomials), can be computed by a few polynomials of bounded degree. We derive some relations between our results to the construction of pseudorandom generators. Our work provides another evidence to the structure vs. randomness dichotomy.

Subspace evasive sets

We construct explicit subspace-evasive sets. These are subsets of Fn of size |F|(1-ε)n whose intersection with any k-dimensional subspace is bounded by a constant c(k,ε). This problem was raised by Guruswami (CCC 2011) as it leads to optimal rate list-decodable codes of constant list size. The main technical ingredient is the construction of k low-degree polynomials whose common set of zeros has small intersection with any k-dimensional subspace.

Weight Distribution and List-Decoding Size of Reed–Muller Codes

The weight distribution and list-decoding size of Reed-Muller codes are studied in this work. Given a weight parameter, we are interested in bounding the number of Reed-Muller codewords with weight up to the given parameter; and given a received word and a distance parameter, we are interested in bounding the size of the list of Reed-Muller codewords that are within that distance from the received word. Obtaining tight bounds for the weight distribution of Reed-Muller codes has been a long standing open problem in coding theory, dating back to 1976. In this work, we make a new connection between computer science techniques used to study low-degree polynomials and these coding theory questions. This allows us to resolve the weight distribution and list-decoding size of Reed-Muller codes for all distances. Previous results could only handle bounded distances: Azumi, Kasami, and Tokura gave bounds on the weight distribution which hold up to 2.5 times the minimal distance of the code; and Gopalan, Klivans, and Zuckerman gave bounds on the list-decoding size which hold up to the Johnson bound.

Pseudorandom Bit Generators That Fool Modular Sums

We consider the following problem: for given n ,M , produce a sequence X 1 ,X 2 ,...,X n of bits that fools every linear test modulo M . We present two constructions of generators for such sequences. For every constant prime power M , the first construction has seed length O M (log(n /*** )), which is optimal up to the hidden constant. (A similar construction was independently discovered by Meka and Zuckerman [MZ]). The second construction works for every M ,n , and has seed length O (logn + log(M /*** )log(M log(1/*** ))). The problem we study is a generalization of the problem of constructing small bias distributions [NN], which are solutions to the M = 2 case. We note that even for the case M = 3 the best previously known constructions were generators fooling general bounded-space computations, and required O (log2 n ) seed length. For our first construction, we show how to employ recently constructed generators for sequences of elements of that fool small-degree polynomials (modulo M ). The most interesting technical component of our second construction is a variant of the derandomized graph squaring operation of [RV]. Our generalization handles a product of two distinct graphs with distinct bounds on their expansion. This is then used to produce pseudorandom-walks where each step is taken on a different regular directed graph (rather than pseudorandom walks on a single regular directed graph as in [RTV, RV]).

Every locally characterized affine-invariant property is testable

Set F = Fp for any fixed prime p ≥ 2. An affine-invariant property is a property of functions over Fn that is closed under taking affine transformations of the domain. We prove that all affine-invariant properties having local characterizations are testable. In fact, we show a proximity-oblivious test for any such property cP, meaning that given an input function f, we make a constant number of queries to f, always accept if f satisfies cP, and otherwise reject with probability larger than a positive number that depends only on the distance between f and cP. More generally, we show that any affine-invariant property that is closed under taking restrictions to subspaces and has bounded complexity is testable. We also prove that any property that can be described as the property of decomposing into a known structure of low-degree polynomials is locally characterized and is, hence, testable. For example, whether a function is a product of two degree-

Communication is bounded by root of rank

d

Probabilistic existence of rigid combinatorial structures

polynomials, whether a function splits into a product of d linear polynomials, and whether a function has low rank are all examples of degree-structural properties and are therefore locally characterized. Our results depend on a new Gowers inverse theorem by Tao and Ziegler for low characteristic fields that decomposes any polynomial with large Gowers norm into a function of a small number of low-degree non-classical polynomials. We establish a new equidistribution result for high rank non-classical polynomials that drives the proofs of both the testability results and the local characterization of degree-structural properties.

New Extension of the Weil Bound for Character Sums with Applications to Coding

We prove that any total boolean function of rank r can be computed by a deterministic communication protocol of complexity O(√r · log(r)). Similarly, any graph whose adjacency matrix has rank r has chromatic number at most 2O(√r · log(r)). This gives a nearly quadratic improvement in the dependence on the rank over previous results.