in theory http://lucatrevisan.wordpress.com "Marge, I agree with you - in theory. In theory, communism works. In theory." -- Homer Simpson Mon, 29 Jun 2009 22:42:43 +0000 http://wordpress.com/ en hourly 1 http://www.gravatar.com/blavatar/ac34e0fe40cb09c540b1a1c57ceb343b?s=96&d=http://s.wordpress.com/i/buttonw-com.png in theory http://lucatrevisan.wordpress.com Sadness http://lucatrevisan.wordpress.com/2009/06/25/sadness/ http://lucatrevisan.wordpress.com/2009/06/25/sadness/#comments Fri, 26 Jun 2009 00:08:58 +0000 luca http://lucatrevisan.wordpress.com/?p=1439 ]]>

]]> http://lucatrevisan.wordpress.com/2009/06/25/sadness/feed/ 5 luca The end of UC Berkeley as we know it http://lucatrevisan.wordpress.com/2009/06/18/the-end-of-uc-berkeley-as-we-know-it/ http://lucatrevisan.wordpress.com/2009/06/18/the-end-of-uc-berkeley-as-we-know-it/#comments Thu, 18 Jun 2009 21:21:19 +0000 luca http://lucatrevisan.wordpress.com/?p=1427 ]]>

There are two qualities that together make UC Berkeley unique among worldwide institutions of higher education.

One is that our several academic departments cover nearly all fields of scholarship, and that nearly every department is at the very top of its field. Very few places have this phenomenal combination of breadth and depth, although, admittedly, there are some.

The other is the diversity of the student body. Not ethnic diversity, because the passage of Proposition 209 made black and (to a lesser extent) Latino students almost disappear from campus. But, at least, UC Berkeley has been an engine of upward social mobility for a lot (and, being a big campus, it is really a lot) of white and Asian Californians from middle and working class families. To be sure, the top East Coast private universities do admit several students who are not from privileged families, and they do provide generous financial aid, but one has to be off-the-charts brilliant to get in based on raw talent alone. The merely very smart students can get in only if they have the kind of expensive resume-padding extracurricular activities that are out of reach for most students. At Berkeley, the merely very smart student has a good chance to get in by simply doing well in high school. And then, tuition is low for everybody who is from California, and the state used to give additional grants (80% of tuition) to everybody with a 3.0 GPA; plus the UC system has its own financial aid program.

Two days ago, the Chancellor announced that because of the cuts expected as a consequence of the state-wide budget crisis, UC Berkeley needs to cut about $100 millions. Next year, we should expect a complete freeze on hiring, layoffs of administrative staff, strong cuts to student aid, increased tuition, and salary cuts of 8%. For 2010-2011, rumors are that the sun will go dark, it will rain blood from the sky, and then the locusts will come and eat us alive. Unfortunately, 2011-2012 will be much worse.

It is unclear how this will affect breadth and depth of research at Berkeley. The idea of closing academic departments seems to be completely off-limits. (It is not even mentioned for the sake of ruling it out.) The hiring freeze, however, will inevitably affect changing areas and new interdisciplinary activities.

I am, however, very pessimistic on how the cuts will affect the diversity of the student body, and the Harvard/Princeton/Yale quality of their education. The tuition increase and reduced financial aid, together with the state cutting its own student grants, will make it harder for many students to come to Berkeley. And for those who come, fewer TAs, larger classes, and overworked administrative staff will make for a much less rewarding experience.

Of course, deep cuts are being made to all state activities, and the Berkeley students won’t have it as badly as the 930,000 children who are going to lose health coverage or the 35,000 AIDS patients who are going to lose access to their life-saving medications. There are also plans to close prisons, cut costs in law enforcement, close firefighter stations, reduce road maintenance work, and so on.

To external observers, it may seem incomprehensible that California, which remains a very rich state, cannot afford to take care of its students, its sick, its roads, its burning homes, and so on. The culprit is Proposition 13, which I see as a reduction ad absurdum showing that direct democracy does not work. Proposition 13 made property taxes work like TCP/IP: they can be reduced arbitrarily when property values go down, but can only go up very slowly when property values go up; in addition, it makes it all but impossible to raise income taxes. To be sure, nobody likes to pay taxes, but the only way to not pay taxes is to not have a state, and, as Somalis can tell you, not having a state is a bad thing. Perhaps, when we’ll have pirates off the coast of California, there will be a movement to overturn Prop 13.

]]> http://lucatrevisan.wordpress.com/2009/06/18/the-end-of-uc-berkeley-as-we-know-it/feed/ 8 luca So this is what “FOCS” stands for http://lucatrevisan.wordpress.com/2009/06/09/so-this-is-what-focs-stands-for/ http://lucatrevisan.wordpress.com/2009/06/09/so-this-is-what-focs-stands-for/#comments Tue, 09 Jun 2009 23:22:09 +0000 luca http://lucatrevisan.wordpress.com/?p=1422 ]]>

At the STOC 2009 business meeting, Silvio Micali announced a new conference, Innovations in Computer Science (ICS), whose first edition will be in Beijing in January, 2010.

This is a conference that aims to be the venue for the first papers in new areas. This prompted people to ask me afterward if we shouldn’t start a new conference devoted to second papers. I thought this was an appealing ideas, and perhaps the conference could be called Follows-up in Computer Science; a snarky colleague, however, suggested that we already have two such conferences and they are called STOC and FOCS.

ICS has a steering committee entirely composed of past and future Turing Award winners, so surely they know what they are doing. A common complaint I heard, however, was that it isn’t clear exactly what the motivations and the goals of this conference are, what papers are being sought (surely you cannot fill up a 30-paper conference with first papers, each opening up a new area), and so on.

Helpfully, Oded Goldreich, one of the promoters of ICS, has written a statement about the goals ICS, as well as a longer essay on What is wrong with STOC and FOCS. The arguments made in the essay are Oded’s motivations for the new conference.

As I have said before, I agree with the importance of conceptual innovations, and of simplicity, but I disagree with the claim that our current review system undervalues such points. Hence, I think that initiatives such as the “letter on conceptual contributions” and now ICS will not correct an imbalance, but rather will create an imbalance, penalizing the necessary, hard, and unglamorous technical work by which we understand new ideas, exploit and simplify their applications, and create the conditions such that the next new ideas are “in the air” and the right person at the right time can get them, and so on.

]]> http://lucatrevisan.wordpress.com/2009/06/09/so-this-is-what-focs-stands-for/feed/ 20 luca LaTeX2WP minor update http://lucatrevisan.wordpress.com/2009/05/20/latex2wp-minor-update/ http://lucatrevisan.wordpress.com/2009/05/20/latex2wp-minor-update/#comments Wed, 20 May 2009 16:48:20 +0000 luca http://lucatrevisan.wordpress.com/?p=1417 ]]>

LaTeX2WP is a program that converts a LaTeX file into something that is ready to be cut and pasted into the WordPress online editor. It makes it easier to write mathematical posts, to post lecture notes on WordPress, and so on.

A new version is now available, which fixes a couple of bugs:

  • WordPress has trouble if a mathematical expression containing < is followed by a mathematical expression containing >. This is prevented by converting the inequality symbols to their HTML “character codes.”
  • The previous version of LaTeX2WP had trouble with long sentences in square brackets; this is fixed.

In addition, \S for § and \v{C} for Č (as “in Stone–Čech compactification”) now work.

]]> http://lucatrevisan.wordpress.com/2009/05/20/latex2wp-minor-update/feed/ 0 luca CS276 Lecture 27: Computational Zero Knowledge http://lucatrevisan.wordpress.com/2009/05/16/cs276-lecture-27/ http://lucatrevisan.wordpress.com/2009/05/16/cs276-lecture-27/#comments Sun, 17 May 2009 01:45:40 +0000 luca http://lucatrevisan.wordpress.com/?p=1408 ]]>

Scribed by Madhur Tulsiani

Summary

In this lecture we begin the construction and analysis of a zero-knowledge protocol for the 3-coloring problem. Via reductions, this extends to a protocol for any problem in NP. We will only be able to establish a weak form of zero knowledge, called “computational zero knowledge” in which the output of the simulator and the interaction in the protocol are computationally indistinguishable (instead of identical). It is considered unlikely that NP-complete problem can have zero-knowledge protocols of the strong type we defined in the previous lectures.

As a first step, we will introduce the notion of a commitment scheme and provide a construction based on any one-way permutation.

1. Commitment Scheme

A commitment scheme is a two-phase protocol between a Sender and a Receiver. The Sender holds a message {m} and, in the first phase, it picks a random key {K} and then “encodes” the message using the key and sends the encoding (a commitment to {m}) to the Receiver. In the second phase, the Sender sends the key {K} to the Receiver can open the commitment and find out the content of the message {m}.

A commitment scheme should satisfy two security properties:

  • Hiding. Receiving a commitment to a message {m} should give no information to the Receiver about {m};
  • Binding. The Sender cannot “cheat” in the second phase and send a different key {K'} that causes the commitment to open to a different message {m'}.

It is impossible to satisfy both properties against computationally unbounded adversaries. It is possible, however, to have schemes in which the Hiding property holds against computationally unbounded Receivers and the Binding property holds (under appropriate assumptions on the primitive used in the construction) for bounded-complexity Senders; and it is possible to have schemes in which the Hiding property holds (under assumptions) for bounded-complexity Receivers while the Binding property holds against any Sender. We shall describe a protocol of the second type, based on one-way permutations. The following definition applies to one-round implementations of each phase, although a more general definition could be given in which each phase is allowed to involve multiple interactions.

Definition 1 (Computationally Hiding, Perfectly Binding, Commitment Scheme) A Perfectly Binding and {(t,\epsilon)}-Hiding Commitment Scheme for messages of length {\ell} is a pair of algorithms {(C,O)} such that

  • Correctness. For every message {m} and key {K},

    \displaystyle O(K,C(K,m)) = m

  • {(t,\epsilon)}-Hiding. For every two messages {m,m' \in \{ 0,1 \}^\ell}, the distributions {C(K,m)} and {C(K,m')} are {(t,\epsilon)}-indistinguishable, where {K} is a random key, that is, for every algorithm {A} of complexity {\leq t},

    \displaystyle | \mathop{\mathbb P} [ A(C(K,m))=1] - \mathop{\mathbb P} [ A(C(K,m'))=1] | \leq \epsilon

  • Perfectly Binding. For every message {m} and every two keys {K,K'},

    \displaystyle O(K',C(K,m)) \in \{ m, FAIL \}

In the following we shall refer to such a scheme {(C,O)} as simply a {(t,\epsilon)}-secure commitment scheme.

Given a one-way permutation {f: \{ 0,1 \}^n \rightarrow \{ 0,1 \}^n} and a hard-core predicate {P}, we consider the following construction of a one-bit commitment scheme:

  • {C(K,m):= f(K) , m \oplus P(K)}
  • {O(K,(c_1,c_2))} equals {FAIL} if {f(K) \neq c_1}, and {P(K) \oplus c_2} otherwise.

Theorem 2 If {P} is a {(t,\epsilon)}-secure hard core predicate for {f}, then the above construction is a {(t-O(1),2\epsilon)}-secure commitment scheme.

Proof: The binding property of the commitment scheme is easy to argue as the commitment is a permutation of the key and the message. In particular, given {C(K,m) = (x,y)}, we can find the unique {K} and {m} that generate it as

\displaystyle K = f^{-1}(x) ~~~~\mbox{and}~~~~ m = y \oplus P(K) = y\oplus P(f^{-1}(x))

To prove the hiding property in the contrapositive, we want to take an algorithm which distinguishes the commitments of two messages and convert it to an algorithm which computes the predicate {P} with probability better than {1/2 + \epsilon}. Let {A} be such an algorithm which distinguishes two different messages (one of which must be 0 and the other must be 1). Then, we have that for {A}

\displaystyle \begin{array}{rcl} &&\left\lvert \mathop{\mathbb P}[A(C(K,m)) = 1] - \mathop{\mathbb P}[A(C(K,m) = 1]\right\rvert > 2\epsilon \\ \implies && \left\lvert \mathop{\mathbb P}[A(f(K), P(K)\oplus 0) = 1] - \mathop{\mathbb P}[A(f(K), P(K)\oplus 1) = 1]\right\rvert > 2\epsilon \end{array}

Assume without loss of generality that the quantity in the absolute value is positive i.e.

\displaystyle \mathop{\mathbb P}[A(f(K), P(K)) = 1] - \mathop{\mathbb P}[A(f(K), P(K)\oplus 1) = 1] > 2\epsilon

Hence, {A} outputs 1 significantly more often when given the correct value of {P(K)}. As seen in previous lectures, we can convert this into an algorithm {A'} that predicts the value of {P(K)}. Algorithm {A'} takes {f(K)} as input and generates a random bit {b} as a guess for {P(K)}. It then runs {A(f(K),b)}. Since {A} is correct more often on the correct value of {P(K)}, {A'} outputs {b} if {A(f(K),b) = 1} and outputs {b \oplus 1} otherwise. We can analyze its success probability as below

\displaystyle \begin{array}{rcl} && \mathop{\mathbb P}[A'(f(K)) = P(K)] = \mathop{\mathbb P}[b = P(K)] \cdot \mathop{\mathbb P}[A(f(K),P(K)) = 1] \\ &&+ \mathop{\mathbb P}[b \neq P(K)] \cdot \mathop{\mathbb P}[A(f(K),P(K)\oplus1) = 0] \\ &=& \frac12 \cdot \mathop{\mathbb P}[A(f(K),P(K)) = 1] \\ &&+ \frac12 \cdot \left( 1- \mathop{\mathbb P}[A(f(K),P(K)\oplus1) = 1]\right) \\ &=& \frac12 + \frac12 \cdot \left(\mathop{\mathbb P}[A(f(K),P(K)) = 1] - \mathop{\mathbb P}[A(f(K),P(K)\oplus1) = 1]\right)\\ &\geq& \frac12 + \epsilon \end{array}

Thus, {A'} predicts {P} with probability {1/2 + \epsilon} and has complexity only {O(1)} more than {A} (for generating the random bit) which contradicts the fact that {P} is {(t, \epsilon)}-secure. \Box

There is a generic way to turn a one-bit commitment scheme into a commitment scheme for messages of length {\ell} (just concatenate the commitments of each bit of the message, using independent keys).

Theorem 3 Let {(O,C)} be a {(t,\epsilon)}-secure commitment scheme for messages of length {k} such that {O(\cdot,\cdot)} is computable in time {r}. Then the following scheme {(\overline C, \overline O)} is a {t-O(r\cdot \ell), \epsilon \cdot l)}-secure commitment scheme for message of length {k\cdot \ell}:

  • {\overline C (K_1,\ldots,K_\ell,m):= C(K_1,m_1),\ldots, C(K_\ell,m_\ell)}
  • {\overline O (K_1,\ldots,K_\ell,c_1,\ldots,c_\ell)} equals {FAIL} if at least one of {O(K_i,c_i)} outputs {FAIL}; otherwise it equals {O(K_1,c_1),\ldots,O(K_\ell,c_\ell)}.

Proof: The commitment to {m} is easily seen to be binding since the commitments to each bit of {m} are binding. The soundness can be proven by a hybrid argument.

Suppose there is an {A} algorithm distinguishing {\overline C(K_1, \ldots, K_\ell,m)} and {C(K_1, \ldots, K_\ell, m)} with probability more than {\epsilon \cdot \ell}. We then consider “hybrid messages” {m^{(0)}, \ldots, m^{(\ell)}}, where {m^{(i)} = m_1' \ldots m_i' m_{i+1}, \ldots, m_{\ell}}. By a hybrid argument, there is some {i} such that

\displaystyle \left\lvert\mathop{\mathbb P}[A(K_1, \ldots, K_\ell, m^{(i)}) = 1] - \mathop{\mathbb P}[A(K_1, \ldots, K_\ell, m^{(i+1)}) = 1] \right\rvert > \epsilon

But since {m^{(i)}} and {m^{(i+1)}} differ in only one bit, we can get an algorithm {A'} that breaks the hiding property of the one bit commitment scheme {C(\cdot,\cdot)}. {A'}, given a commitment {c}, outputs

\displaystyle A'(c) ~=~ A(C(K_1,m_1), \ldots, C(K_i,m_i), c, C(K_{i+2}, m_{i+2}'), \ldots, C(K_\ell, m_\ell'))

Hence, {A'} has complexity at most {t + O(r\cdot l)} and distinguishes {C(K_{i+1}, m_{i+1})} from {C(K_{i+1}, m_{i+1}')}. \Box

There is also a construction based on one-way permutations that is better in terms of key length.

2. A Protocol for 3-Coloring

We assume we have a {(t,\epsilon)}-secure commitment scheme {(C,O)} for messages in the set {\{1,2,3\}}.

The prover {P} takes in input a 3-coloring graph {G=([n],E)} (we assume that the set of vertices is the set {\{1,\ldots,n\}} and use the notation {[n] := \{1,\ldots,n\}}) and a proper 3-coloring {\alpha : [n] \rightarrow \{ 1,2,3\}} of {G} (that is, {\alpha} is such that for every edge {(u,v)\in E} we have {\alpha (u) \neq \alpha(v)}). The verifier {V} takes in input {G}. The protocol, in which the prover attempts to convince the verifier that the graph is 3-colorable, proceeds as follows:

  • The prover picks a random permutation {\pi: \{1,2,3\} \rightarrow \{1,2,3\}} of the set of colors, and defines the 3-coloring {\beta(v) := \pi(\alpha(v))}. The prover picks {n} keys {K_1,\ldots,K_n} for {(C,O)}, constructs the commitments {c_v := C(K_v,\beta(v))} and sends {(c_1,\ldots,c_n)} to the verifier;
  • The verifier picks an edge {(u,v) \in E} uniformly at random, and sends {(u,v)} to the prover;
  • The prover sends back the keys {K_u,K_v};
  • If {O(K_u,c_u)} and {O(K_v,c_v)} are the same color, or if at least one of them is equal to {FAIL}, then the verifier rejects, otherwise it accepts

Theorem 4 The protocol is complete and it has soundness error at most {(1-1/|E|)}.

Proof: The protocol is easily seen to be complete, since if the prover sends a valid 3-coloring, the colors on endpoints of every edge will be different.

To prove the soundness, we first note that if any commitment sent by the prover opens to an invalid color, then the protocol will fail with probability at least {1/|E|} when querying an edge adjacent to the corresponding vertex (assuming the graph has no isolated vertices – which can be rivially removed). If all commitments open to valid colos, then the commitments define a 3-coloring of the graph. If the graph is not 3-colorable, then there must be at least one edge {e} both of whose end points receive the same color. Then the probability of the verifier rejecting is at least the probability of choosing {e}, which is {1/|E|}. \Box

Repeating the protocol {k} times sequentially reduces the soundness error to {(1-1/|E|)^k}; after about {27\cdot |E|} repetitions the error is at most about {2^{-40}}.

3. Simulability

We now describe, for every verifier algorithm {V^*}, a simulator {S^*} of the interaction between {V^*} and the prover algorithm.

The basic simulator is as follows:

Algorithm {S_{1round}^*}

  • Input: graph {G=([n],E)}
  • Pick random coloring {\gamma : [n] \rightarrow \{1,2,3\}}.
  • Pick {n} random keys {K_1,\ldots,K_n}
  • Define the commitments {c_i := C(K_i, \gamma(i))}
  • Let {(u,v)} be the 2nd-round output of {V^*} given {G} as input and {c_1,\ldots,c_n} as first-round message
  • If {\gamma(u) = \gamma(v)}, then output FAIL
  • Else output {((c_1,\ldots,c_n),(u,v),(K_u,K_v))}

And the procedure {S^*(G)} simply repeats {S^*_{1round} (G)} until it provides an output different from {FAIL}.

It is easy to see that the output distribution of {S^*(G)} is always different from the actual distribution of interactions between {P} and {V^*}: in the former, the first round is almost always a commitment to an invalid 3-coloring, in the latter, the first round is always a valid 3-coloring.

We shall prove, however, that the output of {S^*(G)} and the actual interaction of {P} and {V^*} have computationally indistinguishable distributions provided that the running time of {V^*} is bounded and that the security of {(C,O)} is strong enough.

For now, we prove that {S^*(G)} has efficiency comparable to {V^*} provided that security of {(C,O)} is strong enough.

Theorem 5 Suppose that {(C,O)} is {(t+O(nr),\epsilon/(n\cdot |E|))}-secure and {C} is computable in time {\leq r} and that {V^*} is a verifier algorithm of complexity {\leq t}.

Then the algorithm {S^*_{1round}} as defined above has probability at most {\frac 13 + \epsilon} of outputting {FAIL}.

The proof of Theorem 5 relies on the following result.

Lemma 6 Fix a graph {G} and a verifier algorithm {V^*} of complexity {\leq t}.

Define {p(u,v,\alpha)} to be the probability that {V^*} asks the edge {(u,v)} at the second round in an interaction in which the input graph is {G} and the first round is a commitment to the coloring {\alpha}.

Suppose that {(C,O)} is {(t + O(nr) ,\epsilon/n)}-secure, and {C} is computable in time {\leq r}.

Then for every two colorings {\alpha,\beta} and every edge {(u,v)} we have

\displaystyle | p(u,v,\alpha) - p(u,v,\beta) | \leq \epsilon

Proof: If {p(u,v,\alpha)} and {p(u,v,\beta)} differ by more than {\epsilon} for any edge {(u,v)}, then we can define an algorithm which distinguishes the {n} commitments corresponding to {\alpha} from the {n} commitments corresponding to {\beta}. {A} simply runs the verifier given commitments for {n} colors and outputs 1 if the verifier selects the edge {(u,v)} in the second round.

Then, by assumption, {A} {\epsilon}-distinguishes the {n} commitments corresponding to {\alpha} from the {n} commitments corresponding to {\beta} in time {t + O(nr)}. However, by Theorem 3, this means that {(C,O)} is not {(t + O(nr), \epsilon/n)}-secure which is a contradiction. \Box

Given the lemma, we can now easily prove the theorem.

Proof: (of Theorem 5) The probability that {S^*_{1round}} outputs {FAIL} is given by

\displaystyle \mathop{\mathbb P}\left[ S^*_{1round} ~=~ FAIL\right] ~=~ \frac{1}{3^n} \cdot \sum_{c \in \{1,2,3\}^n} \sum_{(u,v) \in E \atop c(u) \neq c(v)} p(u,v,c)

Let {{\bf 1}} denote the coloring which assigns the color 1 to every vertex. Then using Lemma 6 we bound the above as

\displaystyle \begin{array}{rcl} \mathop{\mathbb P}\left[ S^*_{1round} = FAIL\right] &\leq& \frac{1}{3^n} \cdot \sum_{c \in \{1,2,3\}^n} \sum_{(u,v) \in E \atop c(u) \neq c(v)} (p(u,v,{\bf 1}) + \epsilon)\\ &=& \sum_{(u,v) \in E} p(u,v,{\bf 1}) \left(\sum_{c:c(u) \neq c(v)} \frac{1}{3^n}\right) ~+~ \epsilon\\ &=& \frac{1}{3} \sum_{(u,v) \in E} p(u,v,{\bf 1}) + ~\epsilon~\\ &=& \frac{1}{3} + \epsilon \end{array}

where in the second step we used the fact that {c(u) \neq c(v)} for a {1/3} fraction of all the colorings and the last step used that the probability of {V^*} selecting some edge given the coloring {{\bf 1}} is 1. \Box

]]> http://lucatrevisan.wordpress.com/2009/05/16/cs276-lecture-27/feed/ 0 luca The Loser Gets Pregnant First http://lucatrevisan.wordpress.com/2009/05/14/the-loser-gets-pregnant-first/ http://lucatrevisan.wordpress.com/2009/05/14/the-loser-gets-pregnant-first/#comments Thu, 14 May 2009 20:48:43 +0000 luca http://lucatrevisan.wordpress.com/?p=1402 ]]>

After reading the mouseover text of today’s dinosaur comic:

I couldn’t help looking up the Pseudobiceros hancockanus flatworm, and here is a PBS video of two of them engaged in penis fencing. (direct link)

]]> http://lucatrevisan.wordpress.com/2009/05/14/the-loser-gets-pregnant-first/feed/ 3 luca The Triangle Removal Lemma http://lucatrevisan.wordpress.com/2009/05/13/the-triangle-removal-lemma/ http://lucatrevisan.wordpress.com/2009/05/13/the-triangle-removal-lemma/#comments Thu, 14 May 2009 02:02:52 +0000 luca http://lucatrevisan.wordpress.com/?p=1394 ]]>

[At the end of a survey paper on additive combinatorics and computational complexity which is to appear in SIGACT News, I list three major open questions in additive combinatorics which might be amenable to a "computer science proof." They are all extremely well studied questions, by very smart people, for the past several years, so they are all very long shots. I don't recommend anybody to start working on them, but I think it is good that as many people as possible know about these questions, because when the right technique comes along its applicability can be more quickly realized.]

The first question is to improve the Triangle Removal Lemma. I have talked here about what the triangle removal lemma is, how one can prove it from the Szemerédi Regularity Lemma, and how it implies the length-3 case of Szemerédi’s Theorem.

As a short recap, the Triangle Removal Lemma states that if {G} is an {n}-vertex graph with {o(n^3)} triangles, then there is a set of {o(n^2)} edges such that the removal of those edges eliminates all the triangles. Equivalently, it says that if a graph has {\Omega(n^2)} triangles which are all pair-wise edge-disjoint, then there must be {\Omega(n^3)} triangles overall.

The connection with Szemerédi’s Theorem is that if {H} is an abelian group with {n} elements, and {A} is a subset of {H} with no length-3 arithmetic progressions (i.e., {A} is such that there are no three distinct elements {a,b,c} in {A} such that {b-a = c-b}), then we can construct a graph {G=(V,E)} that has {3n} vertices, {|A| \cdot n} pair-wise edge-disjoint triangles, and no other triangles. This contradicts the triangle removal lemma if {|A| = \Omega(n)}, and so we must have {|A| = o(n)}.

This is great, until we start looking at the relationships between the constants hidden by the {o(\cdot )} notation. Quantitatively, the Triangle Removal Lemma states that for every {\epsilon} there is a {\delta = \delta(\epsilon)} such that if a graph has at least {\epsilon \cdot n^2} pair-wise edge-disjoint triangles, then it has at least {\delta \cdot n^3} triangles. The only known proof, however, has {\delta} incredibly small: {1/\delta} grows like a tower of exponentials of height polynomial in {1/\epsilon}. The proof uses the Szemerédi Regularity Lemma, and the Regularity Lemma is known to require such very bad dependencies.

63 years ago, Behrend showed that {{\mathbb Z}/N{\mathbb Z}}, {N} prime, has a subset {A} that contains no length-3 arithmetic progression and whose size is {N/2^{O(\sqrt {\log N})}}. (Last year, Elkin gave the first improvement in 62 years to Behrend’s bound, but the improvement is only a multiplicative polylog {N} factor.) Combined with the graph construction mentioned above, this gives a graph with {3N} vertices, {N^2/^{O(\sqrt {\log N})}} edge-disjoint triangles, and no other triangle. Thus, the graph has {\leq \delta N^3} triangles where {\delta < 1/N}, but one needs to remove {> \epsilon N^2} edges to make it triangle-free, where {\epsilon > 2^{-O(\sqrt{\log N})}}. This shows that, in the Triangle Removal Lemma, {1/\delta} must grow super-polynomially in {1/\epsilon}, and be at least {1/\epsilon^{\log 1/\epsilon}}.

The question is to shorten the gap between the tower-of-exponential relationship between {1/\delta} and {1/\epsilon} coming from the proof via the Szemerédi Regularity Lemma and the mildly super-polynomial lower bound coming from the above argument.

Gowers has constructed graphs showing that the tower-of-exponentials bounds in the Szemerédi Regularity are necessary. One idea on improving the lower bound could be to look at Gowers’s examples and show that with similar techniques one can construct stronger lower bound examples for the Triangle Removal Lemma. Gowers, however, has given a lot of thought to the Triangle Removal Lemma, and it is safe to assume that he knows his own construction well, so I think that this direction is completely hopeless.

In terms of improving the upper bound, one could first consider a direct proof of the Triangle Removal Lemma via iterative partitioning, instead of proving the Regularity Lemma from iterative partitioning and proving the Triangle Removal Lemma by reduction. When one considers the direct proof (which is straightforward), one sees that at every step there are many choices of sets to use to refine the partition. One may hope that, among those choices, one could find one that makes the partition grow polynomially or sub-exponentially instead of exponentially. For example, if one could show that the energy can be increased while only increasing the number of atoms in the partition by a polynomial, in the end we would get a double-exponential relationship between {1/\delta} and {1/\epsilon}, which would be quite amazing. (It would recover the bounds of Roth’s original proof for arithmetic progressions of length 3.) Again, people with a lot of experience on iterative partitioning methods have thought about this problem, so this approach is also likely to be hopeless.

So maybe one needs to think of something completely different, and put the problem in a context in which fresh techniques can be applied. Here are some observations I made about two years ago. Unfortunately, they circle back to problems that people have thought about for 40+ years. An equivalent way of stating the Triangle Removal Lemma is to say that there is a function {c(\delta)} which tends to infinity when {\delta} tends to zero such that if a graph has {\leq \delta n^3} triangles then they can all be removed by removing {\leq n^2/c(\delta)} edges. This means, in particular, that if the graph contains exactly {\delta n^3} triangles, then there is an edge that belongs to at least {\delta n\cdot c(\delta)} triangles.

Theorem 1 There is a function {c(\delta)} such that {\lim_{\delta \rightarrow 0} c(\delta) = \infty} and such that in any {n}-vertex graph with exactly {\delta n^3} triangles there is an edge that belongs to at least {\delta n\cdot c(\delta)} triangles.

Can we find a different proof of this fact?

Note that Theorem 1 is enough to establish Szemerédi’s Theorem for progressions of length 3: take a graph with {\alpha n^2} edge-disjoing triangles and no other triangle; we need to reach a contradiction if {n} is large enough compared with {\alpha}. Applying Theorem 1, we find that there is an edge that belongs to at least {\alpha \cdot c(\alpha/n)} triangles, and this is more than {1} if {n} is large enough, contradicting the assumption that all the triangles in the graph are edge-disjoint.

Now, label each edge (indeed, every pair of vertices) in a graph by the number of triangles it belongs to, and ignore multiplicative constant factors (so we don’t need to worry whether we are counting triangles as ordered 3-tuples or unordered ones and so on). To prove Theorem 1 we need to argue that the labels are “irregularly distributed,” so it is natural to look at their variance. Consider then the average, for a random “edge” (or, rather, for a random pair of vertices, which may or may not be an edge), of the square of the number of triangles it belongs to.

If the graph has exactly {\delta n^3} triangles, then by Cauchy-Schwarz it is easy to see that the above quantity is at least {\delta^2 n^2}. If all triangles can be removed by removing {n^2/c(\delta)} edges, then a more careful Cauchy-Schwarz argument shows that the average square label is at least {\delta^2 n^2 c(\delta)}. If one can show that this average square is at least {\delta^2 n^2} times a term that goes to infinity, then in particular some label must be at least {\delta n} times a term that goes to infinity, which proves Theorem 1. The following statement, then, is “intermediate” between the full Triangle Removal Lemma and Theorem 1, and it might be the right question to think about:

Theorem 2 There is a function {c'(\delta)} such that {\lim_{\delta \rightarrow 0} c'(\delta) = \infty} and such that in any {n}-vertex graph {G=(V,E)} with exactly {\delta n^3} triangles, if we label each vertex pair {(u,v)} by the number {t(u,v)} of triangles involving {u} and {v}, then

\displaystyle \mathop{\mathbb E}_{(u,v) \in V^2} t^2(u,v) \geq \delta^2 \cdot n^2 \cdot c'(\delta)

Terry Tao observed that, up to normalization, the average of {(t(u,v))^2} counts the number of diamonds of the graph, that is, the number of patterns made of four vertices, and looking like two triangles with an edge in common. So Theorem 2 can be stated equivalently as

Theorem 3 There is a function {c'(\delta)} such that {\lim_{\delta \rightarrow 0} c'(\delta) = \infty} and such that any {n}-vertex graph {G=(V,E)} with exactly {\delta n^3} triangles has at least {\delta n^4 c'(\delta)} diamonds.

Terry wrote a fascinating post putting this question in the broad context of extremal questions about “local patterns” in graphs. In the comments to that post, Vlado Nikiforov points out the notion of “book with {k} pages” (a pattern consisting of {k} triangles sharing a common edge — a diamond is a “book with 2 pages”) about which Erdös and others considered many questions since the 1960s. (Although I am not sure whether a statement exactly equivalent to Theorem 3 has been formulated before, related conjectures have been around for more than 40 years. Note that Theorem 3 is true; the question is how good a function {c'(\cdot)} we can get, and whether we can find a proof that does not go through the Szemerédi Regularity Lemma.)

]]> http://lucatrevisan.wordpress.com/2009/05/13/the-triangle-removal-lemma/feed/ 4 luca CS276 Lecture 24: Zero Knowledge Protocols http://lucatrevisan.wordpress.com/2009/05/11/cs276-lecture-24/ http://lucatrevisan.wordpress.com/2009/05/11/cs276-lecture-24/#comments Tue, 12 May 2009 02:49:54 +0000 luca http://lucatrevisan.wordpress.com/?p=1389 ]]>

Scribed by Milosh Drezgich

Summary

Today we introduce the notion of zero knowledge proof and design a zero knowledge protocol for the graph isomorphism problem.

1. Intuition

A zero knowledge proof is an interactive protocol between two parties, a prover and a verifier. Both parties have in input a statement that may or may not be true, for example, the description of a graph {G} and the statement that {G} is 3-colorable, or integers {N,r} and the statement that there is an integer {x} such that {x^{2}\bmod N=r}. The goal of the prover is to convince the verifier that the statement is true, and, at the same time, make sure that no information other than the truth of the statement is leaked through the protocol.

A related concept, from the computational viewpoint, is that of a zero knowledge proof of knowledge, in which the two parties share an input to an {NP}-type problem, and the prover wants to convince the verifier that he, the prover, knows a valid solution for the problem on that input, while again making sure that no information leaks. For example, the common input may be a graph {G}, and the prover may want to prove that he knows a valid {3}-coloring of {G}, or the common input may be {N,r} and the prover may want to prove that he knows an {x} such that {x^{2}\bmod N=r}.

If a prover “proves knowledge” of a 3-coloring of a graph {G}, then he also proves the statement that {G} is 3-coloring; in general, a proof of knowledge is also a proof of the statement that the given instance admits a witness. In some cases, however, proving that an NP statement is true, and hence proving existence of a witness, does not imply a proof of knowledge of the witness. Consider, for example, the case in which common input is an integer {N}, and the prover wants to prove that he knows a non-trivial factor {N}. (Here the corresponding \textquotedblleft statement\textquotedblright would be that {N} is composite, but this can easily be checked by the verifier offline, without the need for an interaction.)

Identification schemes are a natural application of zero knowledge. Suppose that a user wants to log in into a server. In a typical Unix setup, the user has a password {x}, and the server keeps a hash {f(x)} of the user’s password. In order to log in, the user sends the password {x} to the server, which is insecure because an eavesdropper can learn {x} and later impersonate the user.

In a secure identification scheme, instead, the user generates a public-key/ secret key pair {(pk,sk)}, the server knows only the public key {pk}, and the user “convinces” the server of his identity without revealing the secret key. (In SSH, for example, {(pk,sk)} are the public key/ secret key pair of a signature scheme, and the user signs a message containing a random session identifier in order to “convince” the server.)

If {f} is a one-way function, then a secure identification scheme could work as follows: the user picks a random secret key {x} and lets its public key be {f\left( x\right)}. To prove its identity, the user engages in a zero knowledge proof of knowledge with the server, in which the user plays the prover, the server plays the verifier, and the protocol establishes that the user knows an inverse of {f(x)}. Hence, the server would be convinced that only the actual person would be able to log in, and moreover from the point of view of the user he/she will not be giving away any information the server might maliciously utilize after the authentication.

This example is important to keep in mind as every feature in the definition of the protocol has something desirable in the protocol of this model.

The main application of zero knowledge proofs is in the theory of multi party protocols in which multiple parties want to compute a function that satisfies certain security and privacy property. One such example would be a protocol that allow several players to play online poker with no trusted server. By such a protocol, players exchange messages to get the local view of the game and also at the end of the game to be able to know what is the final view of the game. We would like that this protocol stays secure even in the presence of malicious players. One approach to construct such a secure protocol is to first come up with a protocol that is secure against “honest but curious” players. According to this relaxed notion of security, nobody gains extra information provided that everybody follows the protocol. Then one provides a generic transformation from security against “honest but curious” to security against malicious user. This is achieved by each user providing a {ZKP} at each round that in the previous round he/she followed the protocol. This would on one side convince the other players that no one is cheating and on the other side the player presenting the protocol would provide no information about his own cards. This forces apparent malicious players to act honestly, as only they can do is to analyze their own data. At at the same time this is also not a problem for the honest players.

2. The Graph Non-Isomorphism Protocol

We say that two graphs {G_1 = (V,E_1)} and {G_2 = (V,E_2)} are isomorphic if there is a bijective relabeling {\pi : V \rightarrow V} of the vertices such that the relabeling of {G_1} is the same graph as {G_2}, that is, if

\displaystyle (u,v) \in E_1 \Leftrightarrow (\pi(u),\pi(v)) \in E_2

We call {\pi (G_1)} the graph that as an edge {(\pi(u),\pi(v))} for every edge {(u,v)} of {E_1}.

The graph isomorphism problem is, given two graphs, to check if they are isomorphic.

It is believed that this problem is not {NP}-complete however algorithm that would run faster than {\mathcal{O}\left( 2^{\sqrt{N}}\right) } is not known.

Here we describe an interactive protocol in which a prover can \textquotedblleft convince\textquotedblright a verifier that two given graphs are not isomorphic, and in which the verifier only makes questions for which he already knows an answer, so that, intuitively, he gains no new knowledge from the interaction. (We will give a precise definition later, but we will not prove anything formal about this protocol, which is presented only for intuition.) For the prover, unfortunately, we only know how to provide an exponential time implementation. However the verifier algorithm, is very efficient.

  • Common input: two graphs {G_1=(V,E_1)}, {G_2= (V,E_2)}; the prover wants to convince the verifier that they are not isomorphic

  • The verifier picks a random {b\in \{1,2\}} and a permutation {\pi :V\rightarrow V} and sends {G=\pi (G_{b})} to the prover
  • The prover finds the bit {a\in \{1,2\}} such that {G_{a}} and {G} are isomorphic sends {a} to the verifier

  • The verifier checks that {a=b}, and, if so, accepts

Theorem 1 Let {P} be the prover algorithm and {V} be the verifier algorithm in the above protocol. Then

  1. If {G_1,G_2} are not isomorphic, then the interaction {P(x) \leftrightarrow V(x)} ends with the verifier accepting with probability 1

  2. If {G_1,G_2} are isomorphic, then for every alternative prover strategy {P^*}, of arbitrary complexity, the interaction {P^*(x) \leftrightarrow V(x)} ends with the verifier accepting with probability {1/2}

The first part of the theorem is true as for every permutation {\pi (G_{1})} is not isomorphic to {G_{2}} and similarly for every permutation {\pi (G_{2}) } is not isomorphic to {G_{2}}, therefore if {G_{1}} and {G_{2}} are not isomorphic no relabeling of {G_{1}} can make it isomorphic to {G_{2}.} Since the prover runs in exponential time he can always find out which graph the verifier has started from and therefore the prover always gives the right answer.

The second part of the theorem is true as there exist permutation {\pi ^{\ast }} such that {\pi ^{\ast }(G_{2})=G_{1}.} Then if verifier picks a random permutation {\pi _{R}} then the distribution we obtain by {\pi _{R}\left( \pi ^{\ast }\left( G_{2}\right) \right) } and the distribution { \pi _{R}\left( G_{1}\right) } are exactly the same as both are just random relabelling of, say, {G_{1}.} This fact is analogous to the fact that if we add a random element from the group to some other group element we get again the random element of the group. Therefore here the answer of the prover is independent on {b} and the prover succeeds with probability half. This probability of {\frac{1}{2}} can be reduced to {2^{-k}} by repeating the protocol {k} times. It is important to notice that this protocol is {ZK} since the verifier already knows the answer so he learns nothing at the end of interaction. The reason why the verifier is convinced is because the prover would need to do something that is information theoretically impossible if the graphs are isomorphic. Therefore, it is not the answers themselves that convince the prover but the fact that prover can give those answers without knowing the isomorphism.

3. The Graph Isomorphism Protocol

Suppose now that the prover wants to prove that two given graphs { G_{1},G_{2} } are isomorphic, and that he, in fact, knows an isomorphism. We shall present a protocol for this problem in which both the prover and the verifier are efficient.

  • Verifier’s input: two graphs {G_1=(V,E_1)}, {G_2= (V,E_2)};

  • Prover’s input: {G_1,G_2} and permutation {\pi^*} such that { \pi^*(G_1) = G_2}; the prover wants to convince the verifier that the graphs are isomorphic
  • The prover picks a random permutation {\pi_R:V\rightarrow V} and sends the graph {G:= \pi_R(G_2)}
  • The verifier picks at random {b\in \{1,2\}} and sends {b} to the prover
  • The prover sends back {\pi _{R}} if {b=1}, and {\pi _{R}(\pi ^{\ast }(\cdot ))} otherwise

  • The verifier checks that the permutation {\pi } received at the previous round is such that {\pi (G_{b})=G}, and accepts if so

Theorem 2 Let {P} be the prover algorithm and {V} be the verifier algorithm in the above protocol. Then

  1. If {G_1,G_2} are isomorphic, then the interaction {P(x) \leftrightarrow V(x)} ends with the verifier accepting with probability 1

  2. If {G_1,G_2} are not isomorphic, then for every alternative prover strategy {P^*}, of arbitrary complexity, the interaction {P^*(x) \leftrightarrow V(x)} ends with the verifier accepting with probability {1/2}

The first part is clear from the construction.

What happens if {G_{1}} and {G_{2}} are not isomorphic and the prover is not following the protocol and is trying to cheat a verifier? Since in the first round the prover sends a graph {G}, and {G_{1}} and {G_{2}} are not isomorphic, then {G} can not be isomorphic to both {G_{1}} and {G_{2}}. So in second round with probability at least half the verifier is going to pick {G_{b}} that is not isomorphic to {G}. When this happens there is nothing that the prover can send in the third round to make the verifier accept, since the verifier accepts only if what prover sends in the third round is the isomorphism between {G} and {G_{b}}. Hence the prover will fail with probability a half at each round and if we do the same protocol for several rounds the prover will be able to cheat only with exponentially small probability.

Definition 3 A protocol defined by two algorithms {P} and {V} is an interactive proof with efficient prover, for a decision problem if:

  • (Completeness) for every input {x} for which the correct answer is YES, there is a witness {w} such that {P(x,w)\leftrightarrows V\left( x\right) } interaction ends with {V} accepting with probability one.

  • (Soundness) for every input {x} for which answer is NO, for algorithm {P^{\ast }} of arbitrary complexity {P^{\ast }(x,w)\leftrightarrows V\left( x\right) } interaction ends with {V} rejecting with probability at least half (or at least {1-\frac{1}{2^{k}}} if protocol repeated {k} times)

So the graph isomorphism protocol described above is an interactive proof with efficient prover for the graph isomorphism protocol.

We now formalize what we mean by the verifier gaining zero knowledge by participating in the protocol. The interaction is ZK if the verifier could simulate the whole interaction by himself without talking to the prover.

Definition 4 (Honest Verifier Perfect Zero Knowledge) A protocol {(P,V)} is Honest Verifier Perfect Zero Knowledge with simulation complexity {s} for a decision problem if there is an algorithm {S(\cdot )} that has complexity at most {s}, such that {\forall x} for which the answer is YES, {S\left( x\right) } samples the distribution of {P(x,w)\leftrightarrows V\left( x\right) } interactions for every valid {w}.

Therefore the simulator does not know the witness but it is able to replicate the interaction between the prover and the verifier. One consequence of this is, the protocol is able to simulate all possible interactions regardless of what particular witness the prover is using. Hence the protocol does the same regardless of witness. This witness indistinguishability property is useful on its own.

Now consider an application in which the user is the prover and the server is the verifier. For this application of {ZKP} it is not sufficient that honest {V} does not learn anything following the protocol but also that if the verifier is not honest and does not follow the protocol he will still not be able learn anything from the prover.

Therefore the full definition of zero knowledge is the following.

Definition 5 (Perfect Zero Knowledge) A prover algorithm {P} is (general) Perfect Zero Knowledge with simulation overhead {so(\cdot)} for a decision problem if

  • for every algorithm {V^{\prime }} of complexity at most {t} there is a simulator algorithm {S^{\prime }} of complexity at most {so\left( t\right) ,}

  • such that for every {x} for which the answer is YES, and every valid witness {w}, {S^{\prime }(x)} samples {P(x,w)\leftrightarrows V^{\prime }\left(x\right) }.

(In an asymptotic setting, we would want {so(t)} to be polynomial in {t}. Typically, we have {so(t) \leq O(t) + n^{O(1)}}.)

So from the prover’s viewpoint the protocol is always safe, since even if the verifier does not follow the protocol he would be able to gain only the information that he (the verifier) would gain otherwise anyway, by running the simulator himself.

The zero knowledge property is purely the property of the prover algorithm since it is quantified of over all witnesses, all inputs, and all verifier algorithms. Symmetrically the soundness property was the property of the verifier algorithm since the verifier would get convinced with high probability only if the property is really true, regardless whether the prover is malicious or not.

In the next class we will establish the fact that the prover algorithm in the graph isomorphism protocol described above is (general) perfect zero knowledge.

]]> http://lucatrevisan.wordpress.com/2009/05/11/cs276-lecture-24/feed/ 0 luca CS276 Lecture 28: the CZK 3-Coloring Protocol http://lucatrevisan.wordpress.com/2009/05/06/cs276-lecture-28/ http://lucatrevisan.wordpress.com/2009/05/06/cs276-lecture-28/#comments Thu, 07 May 2009 00:54:44 +0000 luca http://lucatrevisan.wordpress.com/?p=1380 ]]>

Summary

Today we define the notion of computational zero knowledge and show that the simulator we described in the last lecture establishes the computational zero knowledge property of the 3-coloring protocol.

1. The Protocol and the Simulator

Recall that we use a commitment scheme {(C,O)} for messages in {\{1,2,3\}}, and that the common input to the prover and the verifier is a graph {G=([n],E)}, where {[n]:= \{1,2,\ldots,n\}}. The prover, in addition, is given a valid 3-coloring {\alpha : [n] \rightarrow \{1,2,3\}} of {G}.

The protocol is defined as follows:

  • The prover picks a random permutation {\pi: \{1,2,3\} \rightarrow \{1,2,3\}} of the set of colors, and defines the 3-coloring {\beta(v) := \pi(\alpha(v))}. The prover picks {n} keys {K_1,\ldots,K_n} for {(C,O)}, constructs the commitments {c_v := C(K_v,\beta(v))} and sends {(c_1,\ldots,c_n)} to the verifier;
  • The verifier picks an edge {(u,v) \in E} uniformly at random, and sends {(u,v)} to the prover;
  • The prover sends back the keys {K_u,K_v};
  • If {O(K_u,c_u)} and {O(K_v,c_v)} are the same color, or if at least one of them is equal to {FAIL}, then the verifier rejects, otherwise it accepts

For every verifier algorithm {V^*}, we defined a simulator algorithm {S^*} which repeats the following procedure until the output is different from {FAIL}:

Algorithm {S_{1round}^*}

  • Input: graph {G=([n],E)}
  • Pick random coloring {\gamma : [n] \rightarrow \{1,2,3\}}.
  • Pick {n} random keys {K_1,\ldots,K_n}
  • Define the commitments {c_i := C(K_i, \gamma(i))}
  • Let {(u,v)} be the 2nd-round output of {V^*} given {G} as input and {c_1,\ldots,c_n} as first-round message
  • If {\gamma(u) = \gamma(v)}, then output FAIL
  • Else output {((c_1,\ldots,c_n),(u,v),(K_u,K_v))}

We want to show that this simulator construction establishes the computational zero knowledge property of the protocol, assuming that {(C,O)} is secure. We give the definition of computational zero knowledge below.

Definition 1 (Computational Zero Knowledge) We say that a protocol {(P,V)} for 3-coloring is {(t,\epsilon)} computational zero knowledge with simulator overhead {so(\cdot)} if for every verifier algorithm {V^*} of complexity {\leq t} there is a simulator {S^*} of complexity {\leq so(t)} on average such that for every algorithm {D} of complexity {\leq t}, every graph {G} and every valid 3-coloring {\alpha} we have

\displaystyle | \mathop{\mathbb P} [ D(P(G,\alpha) \leftrightarrow V^*(G)) =1] - \mathop{\mathbb P} [ D(S^*(G)) =1] | \leq \epsilon

Theorem 2 Suppose that {(C,O)} is {(2t+O(nr),\epsilon/(4\cdot |E|\cdot n))}-secure and that {C} is computable in time {\leq r}.

Then the protocol defined above is {(t,\epsilon)} computational zero knowledge with simulator overhead at most {1.6 \cdot t+O(nr)}.

2. Proving that the Simulation is Indistinguishable

In this section we prove Theorem 2.

Suppose that the Theorem is false. Then there is a graph {G}, a 3-coloring {\alpha}, a verifier algorithm {V^*} of complexity {\leq t}, and a distinguishing algorithm {D} also of complexity {\leq t} such that

\displaystyle | \mathop{\mathbb P} [ D(P(G,\alpha) \leftrightarrow V^*(G)) =1 - \mathop{\mathbb P} [ D(S^*(G))=1] | \geq \epsilon

Let {2R_{u,v}} be the event that the edge {(u,v)} is selected in the second round; then

\displaystyle \begin{array}{rcl} \epsilon &\leq & | \mathop{\mathbb P} [ D(P(G,\alpha) \leftrightarrow V^*(G)) =1 ] - \mathop{\mathbb P} [ D(S^*(G))=1] | \\ & = & \left| \sum_{(u,v) \in E} \mathop{\mathbb P} [ D(P(G,\alpha) \leftrightarrow V^*(G)) =1 \wedge 2R_{u,v} ]\right. \\ && - \left. \sum_{(u,v) \in E} \mathop{\mathbb P} [ D(S^*(G))=1 \wedge 2R_{u,v} ] \right| \\ & \leq & \sum_{(u,v) \in E} | \mathop{\mathbb P} [ D(P(G,\alpha) \leftrightarrow V^*(G)) =1 \wedge 2R_{u,v} ]\\ && - \mathop{\mathbb P} [ D(S^*(G))=1 \wedge 2R_{u,v} ] | \end{array}

So there must exist an edge {(u^*,v^*)\in E} such that

\displaystyle | \mathop{\mathbb P} [ D(P \leftrightarrow V^*) =1 \wedge 2R_{u^*,v^*} ] - \mathop{\mathbb P} [ D(S^*)=1 \wedge 2R_{u^*,v^*} ] | \geq \frac \epsilon {|E|} \ \ \ \ \ (1)

(We have omitted references to {G,\alpha}, which are fixed for the rest of this section.)

Now we show that there is an algorithm {A} of complexity {2t + O(nr)} that is able to distinguish between the following two distributions over commitments to {3n} colors:

  • Distribution (1) commitments to the {3n} colors {1,2,3,1,2,3,\ldots,1,2,3};
  • Distribution (2) commitments to {3n} random colors

Algorithm {A}:

  • Input: 3n commitments {d_{a,i}} where {a\in \{1,2,3\}} and {i\in \{1,\ldots,n\}};
  • Pick a random permutation {\pi: \{1,2,3\} \rightarrow \{1,2,3\}}
  • Pick random keys {K_{u^*}}, {K_{v^*}}
  • Construct the sequence of commitments {c_1,\ldots,c_n} by setting:

    • {c_{u^*} := C(K_{u^*} , \pi(\alpha(u^*))}
    • {c_{v^*} := C(K_{v^*} , \pi(\alpha(v^*))}
    • for every {w\in [n] - \{u^*,v^*\}}, {c_w := d_{\pi(\alpha(w)),w}}
  • If the 2nd round output of {V^*} given {G} and {c_1,\ldots,c_n} is different from {(u^*,v^*)} output 0
  • Else output {D((c_1,\ldots,c_n),(u^*,v^*),(K_{u^*},K_{v^*}))}

First, we claim that

\displaystyle \mathop{\mathbb P} [ A( \mbox{Distribution 1} ) = 1 ] = \mathop{\mathbb P} [ D(P \leftrightarrow V^*) =1 \wedge 2R_{u^*,v^*} ] \ \ \ \ \ (2)

This follows by observing that {A} on input Distribution (1) behaves exactly like the prover given the coloring {\alpha}, and that {A} accepts if and only if the event {2R_{u^*,v^*}} happens and {D} accepts the resulting transcript.

Next, we claim that

\displaystyle | \mathop{\mathbb P} [ A( \mbox{Distribution 2} ) = 1 ] - \mathop{\mathbb P} [ D(S^*)=1 \wedge 2R_{u^*,v^*} ] | \leq \frac \epsilon {2|E|} \ \ \ \ \ (3)

To prove this second claim, we introduce, for a coloring {\gamma}, the quantity {DA(\gamma)}, defined as the probability that the following probabilistic process outputs 1:

  • Pick random keys {K_1,\ldots,K_n}
  • Define commitments {c_u:= C(K_u,\gamma(u))}
  • Let {(u,v)} be the 2nd round output of {V^*} given the input graph {G} and first round message {c_1,\ldots,c_n}
  • Output 1 iff {(u,v) = (u^*,v^*)}, {\gamma(u^*) \neq \gamma(v^*)}, and

    \displaystyle D((c_1,\ldots,c_n),(u^*,v^*),(K_{u^*}, K_{v^*})) = 1

Then we have

\displaystyle \mathop{\mathbb P} [ A( \mbox{Distribution 2} ) = 1 ] = \sum_{\gamma: \gamma(u^*) \neq \gamma(v^*)} \frac 32 \cdot \frac 1 {3^n} \cdot DA(\gamma) \ \ \ \ \ (4)

Because {A}, on input Distribution 2, first prepares commitments to a coloring chosen uniformly at random among all {1/(6 \cdot 3^{n-2})} colorings such that {\gamma(u^*) \neq \gamma(v^*)} and then outputs 1 if and only if, given such commitments as first message, {V^*} replies with {(u^*,v^*)} and the resulting transcript is accepted by {D}.

We also have

\displaystyle \mathop{\mathbb P} [ D(S^*)=1 \wedge 2R_{u^*,v^*} ]

\displaystyle = \frac {1}{\mathop{\mathbb P} [ S^*_{1Round} \neq FAIL]} \cdot \sum_{\gamma: \gamma(u^*) \neq \gamma(v^*)} \frac 1 {3^n} \cdot DA(\gamma) \ \ \ \ \ (5)

To see why Equation (5) is true, consider that the probability that {S^*} outputs a particular transcript is exactly {1/\mathop{\mathbb P} [ S^*_{1Round} \neq FAIL]} times the probability that {S^*_{1Round}} outputs that transcript. Also, the probability that {S^*_{1Round}} outputs a transcript which involves {(u^*,v^*)} at the second round and which is accepted by {D()} conditioned on {\gamma} being the coloring selected at the beginning is {DA(\gamma)} if {\gamma} is a coloring such that {\gamma(u^*) \neq \gamma(v^*)}, and it is zero otherwise. Finally, {S^*_{1Round}} selects the initial coloring uniformly at random among all possible {3^n} coloring.

From our security assumption on {(C,O)} and from Lemma 6 in Lecture 27 we have

\displaystyle \left| \mathop{\mathbb P} [ S^*_{1Round} \neq FAIL] - \frac 23 \right| \leq \frac{\epsilon}{4|E|} \ \ \ \ \ (6)

and so the claim we made in Equation (3) follows from Equation (4), Equation (5), Equation (6) and the fact that if {p,q} are quantities such that {\frac 32 p \leq 1}, {\frac 1q \cdot p \leq 1}, and {\left|q - \frac 23 \right| \leq \delta \leq \frac 16} (so that {q \geq 1/2}), then

\displaystyle \left| \frac 32 p - \frac 1q p \right| = \frac 32 \cdot p \cdot \frac 1q \cdot \left| q- \frac 23 \right| \leq 2 \delta

(We use the above inequality with {q = \mathop{\mathbb P} [ S^*_{1Round} \neq FAIL]}, {\delta = \epsilon/4|E|}, and {p = \sum_{\gamma: \gamma(u^*) \neq\gamma(v^*)}\frac 1 {3^n} DA(\gamma)}.)

Having proved that Equation (3) holds, we get

\displaystyle | \mathop{\mathbb P} [ A( \mbox{Distribution 1} ) = 1 ] - \mathop{\mathbb P} [ A( \mbox{Distribution 2} ) = 1 ] | \geq \frac \epsilon {2|E|}

where {A} is an algorithm of complexity at most {2t + O(nr)}. Now by a proof similar to that of Theorem 3 in Lecture 27, we have that {(C,O)} is not {(2t +O(nr), \epsilon/(2|E|n))} secure.

]]> http://lucatrevisan.wordpress.com/2009/05/06/cs276-lecture-28/feed/ 0 luca CS276 Lecture 22: Signatures in the Random Oracle Model http://lucatrevisan.wordpress.com/2009/05/06/cs276-lecture-22/ http://lucatrevisan.wordpress.com/2009/05/06/cs276-lecture-22/#comments Thu, 07 May 2009 00:03:10 +0000 luca http://lucatrevisan.wordpress.com/?p=1374 ]]>

Summary

In the last lecture we described a very complex signature scheme based on one-time signatures and pseudorandom functions. Unfortunately there is no known simple and efficient signature scheme which is existentially unforgeable under a chosen message attack under general assumptions.

Today we shall see a very simple scheme based on RSA which is secure in the random oracle model. In this model, all parties have oracle access to a random function {H : \{ 0,1 \}^n \rightarrow \{ 0,1 \}^m}. In implementations, this random function is replaced by a cryptographic hash function. Unfortunately, the proof of security we shall see today breaks down when the random oracle is replaced by hash function, but at least the security in the random oracle model gives some heuristic confidence in the design soundness of the construction.

1. The Hash-and-Sign Scheme

Our starting point is the “textbook RSA” signature scheme, in which a message {M} is signed as {M^d \bmod N} and an alleged signature {S} for a message {M} is verified by checking that {S^e \bmod N = M}.

We discussed various ways in which this scheme is insecure, including the fact that

  1. It is easy to generate random message/ signature pairs {M,S} by first picking a random {S} and then setting {M:= S^e \bmod N};
  2. If {S_1} is the signature of message {M_1} and {S_2} is the signature of {M_2}, then {S_1\cdot S_2 \bmod N} is the signature of {M_1 \cdot M_2 \bmod N}.

Suppose now that all parties have access to a good cryptographic hash function, which we will model as a completely random function {H : \{ 0,1 \}^m \rightarrow {\mathbb Z}_N}, mapping every possible message {M} to an random integer {H(M) \in {\mathbb Z}_N}, and define a signature scheme {(Gen,Sign,Verify)} as follows:

  • Key generation: as in RSA
  • Signature: the signature of a message {M} with secret key {N,d} is {H(M)^d \bmod N}
  • Verification: given an alleged signature {S}, a message {M}, and a public key {N,e}, check that {S^e \bmod N = H(M)}.

That is, we use the textbook RSA method to sign {H(M)}.

Now it is not clear any more how to employ the previously mentioned attacks. If we first select a random {S}, for example, then to find a message of which {S} is a signature we need to compute {h := S^e \bmod N} and then find a message {M} such that {H(M)=h}. This, however, requires exponential time if {H} is a random functions. Similarly, if we have two messages {M_1,M_2} and know their signatures {S_1,S_2}, the number {S_1 \cdot S_2 \bmod N} is a signature for any document {M} such that {H(M) = H(M_1) \cdot H(M_2) \bmod N}. Finding such an {M} is, however, again very hard.

2. Analysis

We provide a formal analysis of the signature scheme defined in the previous section, in the random oracle model.

Theorem 1 Suppose that {(Gen,Sign,Verify)}, as defined in the previous section, is not {(t,\epsilon)} existentially unforgeable under a chosen message attack in the random oracle model.

Then RSA, with the key size used in the construction, is not a {(t\cdot O(r), \epsilon\cdot \frac{1}{t})}-secure family of trapdoor permutations, where {r} is the time taken by RSA computation with the selected key size.

Proof: We will prove that, if {A} is an algorithm of complexity at most {t} that breaks existential unforgeability under chosen message attack with probability {\geq \epsilon}, then there is an algorithm {A'} that breaks RSA (finds {X} given {X^e} mod {N}) with probability {\geq \frac{\epsilon}{t}} and complexity {\leq t\cdot O(r)}.

\displaystyle Pr[A^{H,Sign(N,d,\cdot)}(N,e)=(M,S) : (H(M)) = S^e] \geq \epsilon

Without the loss of generality we assume that:

  • {A} never makes the same random oracle query twice.
  • {A} queries {H(M)} before it requests a signature on a message {M}.
  • If {A} outputs {(M,S)} then it had previously queried {H(M)}

We construct an algorithm {A'} which on input {(N,e,y)} where {y=X^e} mod {N}, finds {X}.

Algorithm {A'} is defined as:

  • Pick {i \leftarrow \{1,...,t\}} randomly.
  • Initialise datastructure that stores triples, initially empty.
  • Simulate {A}:

    • When {A} makes its {j}th random oracle query {H(M_j)}

      • If {j=i}, answer the oracle query with {y}.
      • Otherwise, randomly pick {X_j}, compute {{X_j}^e} mod {N}, store {(M_j,X_j,{X_j}^e} mod {N)} in the datastructure and answer the oracle query with {y_j={X_j}^e} mod {N}
    • When {A} requests {Sign(M_k)}
      • If {k = i} abort.
      • If {k \neq i} look for {(M_k,X_k,{X_k}^e} mod {N)} in the datastructure and answer the oracle query with {X_k}.

        (Note that we had made the assumption that {A} queries {H(M)} before it requests a signature on a message {M}.)

  • After {A} finishes, it outputs {(M,S)}. If {M=M_i} and {S^e = y} mod {N}, then output {S} as the required output {X}.

For each random oracle query, we are doing a RSA exponentiation operation of complexity {r}. So the complexity of {A'} would be at most complexity of {A } multiplied by {O(r)} i.e. {t\cdot O(r)}.

The index {i} chosen by {A'} in the first step represents a guess as to which oracle query of {A} will correspond to the eventual forgery output by {A}. When the guess is correct, view of {A} as part of {A'} is distributed identically to the view of {A} alone. When {A'} guesses correctly and {A} outputs a forgery, then {A'} solves the given instance of RSA problem (because {S^e = y} mod {N} and thus {S} is {inverse} of {y}). Since {A'} guesses correctly with probability {1/t} and {A} outputs a forgery with probability {\geq \epsilon}. So, Probability with which {A'} breaks RSA {\geq \epsilon \cdot \frac{1}{t}}, which is what we intended to prove. \Box

]]> http://lucatrevisan.wordpress.com/2009/05/06/cs276-lecture-22/feed/ 0 luca