The Learning with Rounding Problem: Reductions and Applications

Slide 1 / 20: Title
Alon Rosen, IDC Herzliya (Thanks: Chris Peikert)
Mysore Park Theory Workshop, August 15, 2013

Slide 2 / 20: Pseudorandom Functions [GGM’84]
◮ A family F = { F_s : {0,1}^k → D } such that, given adaptive query access, F_s ← F is computationally indistinguishable (≈_c) from a random function U: the distinguisher submits queries x_i, receives either F_s(x_i) or U(x_i), and must decide which it is talking to. (The “seed” or “secret key” for F_s is s.)
◮ Many applications in symmetric cryptography: (efficient) encryption, identification, authentication, ...
(Images courtesy xkcd.org)

Slide 3 / 20: How to Construct PRFs
1. Heuristically: AES, Blowfish.
   ✔ Fast!
   ✔ Withstand known cryptanalytic techniques (linear, differential, ...)
   ✗ PRF security is subtle: want provable (reduction) guarantees
2. Goldreich-Goldwasser-Micali [GGM’84]
   ✔ Based on any (doubling) PRG: F_s(x_1 ··· x_k) = G_{x_k}(··· G_{x_1}(s) ···)
   ✗ Inherently sequential: ≥ k iterations (circuit depth)
3. Naor-Reingold [NR’95, NR’97, NRR’00]
   ✔ Based on “synthesizers” or number theory (DDH, factoring)
   ✔ Low-depth: NC^2, NC^1 or even TC^0 [O(1) depth w/ threshold gates]
   ✗ Large circuits that need much preprocessing
   ✗ No “post-quantum” construction under standard assumptions

Slide 4 / 20: Why Not Try Lattices?
(Figure: a lattice, annotated “?? ⇒ F_s ← F”)
Advantages of Lattice Crypto Schemes
◮ Simple & efficient: linear, highly parallel operations
◮ Resist quantum attacks (so far)
◮ Secure under worst-case hardness assumptions [Ajtai’96, ...]
Disadvantages
✗ Only known PRF is generic GGM (not parallel or efficient)
✗✗ We don’t even have practical PRGs from lattices: biased errors

Slide 5 / 20: PRFs From Lattices [Banerjee, Peikert, Rosen’12]
1. Low-depth, relatively small-circuit PRFs from lattices / (ring-)LWE
   ⋆ Synthesizer-based PRF in TC^1 ⊆ NC^2, à la [NR’95]
   ⋆ Direct construction in TC^0 ⊆ NC^1, analogous to [NR’97, NRR’00]
2. Main technique: Learning With Rounding (LWR), a “derandomization” of LWE with deterministic errors
   Also gives more practical PRGs, GGM-type PRFs, encryption, ...

Slide 6 / 20: Synthesizers and PRFs [Naor-Reingold’95]
Synthesizer
◮ A deterministic function S : D × D → D such that for any m = poly: for a_1, ..., a_m, b_1, ..., b_m ← D,
    { S(a_i, b_j) } ≈_c Unif(D^{m×m}).

            b_1          b_2         ···                            
    a_1   S(a_1,b_1)   S(a_1,b_2)    ···     vs.   U_{1,1}   U_{1,2}   ···
    a_2   S(a_2,b_1)   S(a_2,b_2)    ···           U_{2,1}   U_{2,2}   ···
     ⋮        ⋮            ⋮         ⋱               ⋮         ⋮       ⋱

◮ Alternative view: an (almost) length-squaring PRG with locality: maps D^{2m} → D^{m^2}, and each output depends on only 2 inputs.

Slide 7 / 20: Synthesizers and PRFs [Naor-Reingold’95]
PRF from Synthesizer, Recursively
◮ Synthesizer S : D × D → D, where { S(a_i, b_j) } ≈_c Unif(D^{m×m}).
◮ Base case: “one-bit” PRF F_{s_0,s_1}(x) := s_x ∈ D. ✔
◮ Input doubling: given a k-bit PRF family F = { F : {0,1}^k → D }, define a {0,1}^{2k} → D function with seed F_ℓ, F_r ← F:
    F_{(F_ℓ,F_r)}(x_ℓ, x_r) = S( F_ℓ(x_ℓ), F_r(x_r) ).
  (Figure, k = 4, seeds s_{i,0}, s_{i,1} for i = 1..4: each leaf selects s_{i,x_i}, and the tree evaluates
    F_{{s_{i,b}}}(x_1 ··· x_4) = S( S(s_{1,x_1}, s_{2,x_2}), S(s_{3,x_3}, s_{4,x_4}) ).)
◮ Security: the queries F_ℓ(x_ℓ) and F_r(x_r) define (pseudo)random inputs a_1, a_2, ... ∈ D and b_1, b_2, ... ∈ D to synthesizer S.
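The two provable constructions the deck contrasts, the sequential GGM chain (slide 3) and the Naor-Reingold synthesizer tree (slide 7), as an added example that is not part of the slides. The PRG and the synthesizer S are hash-based stand-ins (assumptions: the slides define neither concretely), chosen only so that the depth difference, k PRG calls versus log2(k) synthesizer levels, can be measured on real input.

```python
import hashlib

BLOCK = 16  # byte length of an element of D (constructed choice for this toy)

def prg_double(seed: bytes) -> tuple[bytes, bytes]:
    """Length-doubling PRG G(s) = (G_0(s), G_1(s)).
    SHA-256 is a stand-in here, not a PRG the slides propose."""
    out = hashlib.sha256(b"G" + seed).digest()
    return out[:BLOCK], out[BLOCK:2 * BLOCK]

def ggm_prf(seed: bytes, bits: str) -> tuple[bytes, int]:
    """GGM: F_s(x_1...x_k) = G_{x_k}(... G_{x_1}(s) ...).
    Returns (value, depth); depth = k because each PRG call needs the
    previous call's output (inherently sequential)."""
    cur = seed
    for b in bits:
        g0, g1 = prg_double(cur)
        cur = g1 if b == "1" else g0
    return cur, len(bits)

def synth(a: bytes, b: bytes) -> bytes:
    """Synthesizer stand-in S : D x D -> D. A hash is used because the
    lattice synthesizer itself is not defined on these slides."""
    return hashlib.sha256(b"S" + a + b).digest()[:BLOCK]

def nr_prf(seeds: list[tuple[bytes, bytes]], bits: str) -> tuple[bytes, int]:
    """Naor-Reingold tree. Base case F_{s0,s1}(x) = s_x, then input doubling
    F_{(F_l,F_r)}(x_l, x_r) = S(F_l(x_l), F_r(x_r)) applied level by level.
    Returns (value, depth); depth counts synthesizer levels, i.e. log2(k),
    and the S calls within one level are independent (parallelizable)."""
    k = len(bits)
    if len(seeds) != k or k == 0 or k & (k - 1):
        raise ValueError("need one seed pair per input bit and k a power of two")
    layer = [s1 if b == "1" else s0 for (s0, s1), b in zip(seeds, bits)]
    depth = 0
    while len(layer) > 1:
        layer = [synth(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
        depth += 1
    return layer[0], depth

if __name__ == "__main__":
    # Constructed sample seeds: s_{i,0} = byte 2i repeated, s_{i,1} = byte 2i+1 repeated.
    seeds = [(bytes([2 * i]) * BLOCK, bytes([2 * i + 1]) * BLOCK) for i in range(8)]
    _, nr_depth = nr_prf(seeds, "10110010")
    _, ggm_depth = ggm_prf(b"\x00" * BLOCK, "10110010")
    print(f"k=8 bits: NR tree depth {nr_depth}, GGM chain depth {ggm_depth}")  # 3 vs 8
```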

Slide 8 / 20: Learning With Errors [Regev’05]
◮ Dimension n (security param), modulus q ≥ 2
◮ Search: find s ∈ Z_q^n given ‘noisy random inner products’
    a_1 ← Z_q^n,  b_1 = ⟨s, a_1⟩ + e_1
    a_2 ← Z_q^n,  b_2 = ⟨s, a_2⟩ + e_2
    ...
