On the Complexity of Simulating Auxiliary Input Yi-Hsiu Chen 1 - - PowerPoint PPT Presentation

On the Complexity of Simulating Auxiliary Input

Yi-Hsiu Chen 1 Kai-Min Chung 2 Jyun-Jie Liao 2

1Harvard University, Cambridge, USA 2Academia Sinica, Taipei, Taiwan 1 / 18

Simulating Auxiliary Input [JP14]

Consider random variables (X, Z) ∈ {0, 1}n × {0, 1}ℓ. Z - short leakage of X Z = g(X) for (probabilstic) function g, but g might not be efficient

2 / 18

Simulating Auxiliary Input [JP14]

Consider random variables (X, Z) ∈ {0, 1}n × {0, 1}ℓ. Z - short leakage of X Z = g(X) for (probabilstic) function g, but g might not be efficient

Problem

∃? efficiently computable simulator h : {0, 1}n → {0, 1}ℓ such that (X, h(X)) and (X, Z) are indistinguishable?

2 / 18

Simulating Auxiliary Input [JP14]

Consider random variables (X, Z) ∈ {0, 1}n × {0, 1}ℓ. Z - short leakage of X Z = g(X) for (probabilstic) function g, but g might not be efficient

Problem

∃? efficiently computable simulator h : {0, 1}n → {0, 1}ℓ such that (X, h(X)) and (X, Z) are indistinguishable? What is the best we can hope for?

2 / 18

Simulating Auxiliary Input [JP14]

Consider random variables (X, Z) ∈ {0, 1}n × {0, 1}ℓ. Z - short leakage of X Z = g(X) for (probabilstic) function g, but g might not be efficient

Problem

∃? efficiently computable simulator h : {0, 1}n → {0, 1}ℓ such that (X, h(X)) and (X, Z) are indistinguishable? What is the best we can hope for? (X, h(X)) and (X, Z) are statistically close

2 / 18

Simulating Auxiliary Input [JP14]

Consider random variables (X, Z) ∈ {0, 1}n × {0, 1}ℓ. Z - short leakage of X Z = g(X) for (probabilstic) function g, but g might not be efficient

Problem

∃? efficiently computable simulator h : {0, 1}n → {0, 1}ℓ such that (X, h(X)) and (X, Z) are indistinguishable? What is the best we can hope for? (X, h(X)) and (X, Z) are statistically close

2 / 18

Simulating Auxiliary Input [JP14]

Consider random variables (X, Z) ∈ {0, 1}n × {0, 1}ℓ. Z - short leakage of X Z = g(X) for (probabilstic) function g, but g might not be efficient

Problem

∃? efficiently computable simulator h : {0, 1}n → {0, 1}ℓ such that (X, h(X)) and (X, Z) are indistinguishable? What is the best we can hope for? (X, h(X)) and (X, Z) are statistically close nc-size simulator against poly(n) distinguishers

2 / 18

Simulating Auxiliary Input [JP14]

Consider random variables (X, Z) ∈ {0, 1}n × {0, 1}ℓ. Z - short leakage of X Z = g(X) for (probabilstic) function g, but g might not be efficient

Problem

∃? efficiently computable simulator h : {0, 1}n → {0, 1}ℓ such that (X, h(X)) and (X, Z) are indistinguishable? What is the best we can hope for? (X, h(X)) and (X, Z) are statistically close nc-size simulator against poly(n) distinguishers ([TTV09])

2 / 18

Simulating Auxiliary Input [JP14]

Consider random variables (X, Z) ∈ {0, 1}n × {0, 1}ℓ. Z - short leakage of X Z = g(X) for (probabilstic) function g, but g might not be efficient

Problem

∃? efficiently computable simulator h : {0, 1}n → {0, 1}ℓ such that (X, h(X)) and (X, Z) are indistinguishable? What is the best we can hope for? (X, h(X)) and (X, Z) are statistically close nc-size simulator against poly(n) distinguishers ([TTV09]) Ω(s) simulator which fools every distinguisher of size s

2 / 18

Leakage Simulation Lemma

Theorem [JP14]

For any random variables (X, Z) ∈ {0, 1}n × {0, 1}ℓ, ǫ > 0 and s ∈ N, there exists a (probabilistic) simulator h with complexity sh(ǫ, s, ℓ) := s · poly(ǫ−1, 2ℓ) which is ǫ-indistinguishable by every distinguisher f of size s, i.e. | Pr[f (X, Z) = 1] − Pr[f (X, h(X)) = 1]| < ǫ

3 / 18

Leakage Simulation Lemma

Theorem [JP14]

For any random variables (X, Z) ∈ {0, 1}n × {0, 1}ℓ, ǫ > 0 and s ∈ N, there exists a (probabilistic) simulator h with complexity sh(ǫ, s, ℓ) := s · poly(ǫ−1, 2ℓ)=? which is ǫ-indistinguishable by every distinguisher f of size s, i.e. | Pr[f (X, Z) = 1] − Pr[f (X, h(X)) = 1]| < ǫ

3 / 18

Applications

Complexity Regularity Lemma [TTV09] Hardcore Lemma [Imp95] Dense Model Theorem [GT04, TZ06, RTTV08] Weak Szemer´ edi Regularity Lemma [FK99] Cryptography Leakage Resilient Cryptography Black-box Separation for SNARGs [GW11] Chain Rule for HILL-Entropy [GW11, Rey11] Zero-Knowledge [CLP15]

4 / 18

Main Results

sh =?

5 / 18

Main Results

sh =? Upper Bound: JP14 O(24ℓǫ−4 · s) VZ13 O(ℓ · 2ℓǫ−2 · s + 2ℓǫ−4) Sk´

• 16

O(25ℓǫ−2 · s) This work O(ℓ · 2ℓǫ−2 · s)

5 / 18

Main Results

sh =? Upper Bound: JP14 O(24ℓǫ−4 · s) VZ13 O(ℓ · 2ℓǫ−2 · s + 2ℓǫ−4) Sk´

• 16

O(25ℓǫ−2 · s) This work O(ℓ · 2ℓǫ−2 · s) Lower Bound: Ω(2ℓǫ−2) queries to distinguishers

Black-box simulation Query on the same input

5 / 18

Applications: Leakage-Resilient Stream Cipher [DP08]

Stream cipher: (Si, Xi) := SC(Si−1) S0 S1 S2 Si Sq−1 X1 X2 Xi Xq−1 Xq Λ1 Λ2 Λi Λq−1

6 / 18

Applications: Leakage-Resilient Stream Cipher [DP08]

Stream cipher: (Si, Xi) := SC(Si−1) S0 S1 S2 Si Sq−1 X1 X2 Xi Xq−1 Xq Λ1 Λ2 Λi Λq−1

6 / 18

Applications: Leakage-Resilient Stream Cipher [DP08]

Stream cipher: (Si, Xi) := SC(Si−1) (ǫ, s, ℓ, q) leakage-resilient stream cipher: Xq is (ǫ, s) pseudorandom given (X1, . . . , Xq−1, Λ1, . . . , Λq−1) S0 S1 S2 Si Sq−1 X1 X2 Xi Xq−1 Xq Λ1 Λ2 Λi Λq−1

6 / 18

Applications: Leakage-Resilient Stream Cipher [DP08]

Stream cipher: (Si, Xi) := SC(Si−1) (ǫ, s, ℓ, q) leakage-resilient stream cipher: Xq is (ǫ, s) pseudorandom given (X1, . . . , Xq−1, Λ1, . . . , Λq−1)

“Only computation leaks”: Λi = fi(Si−1) fi can be adaptively chosen, but |Λi| ≤ ℓ ≪ |S0|

S0 S1 S2 Si Sq−1 X1 X2 Xi Xq−1 Xq Λ1 Λ2 Λi Λq−1

6 / 18

Applications: Leakage-Resilient Stream Cipher

Leakage Resilient Stream Cipher [Pie09, JP14]

Given (ǫF, sF) wPRF F, the following stream cipher is (ǫ, s) secure in q rounds even when given ℓ bits of leakage per round. ǫ = 4q

• ǫF2ℓ

s = max{s : sh(ǫ′, s, ℓ) < sF}, where ǫ′ =

• ǫF2ℓ

Figure: leakage resilient stream cipher [Pie09]

7 / 18

Applications: Leakage-Resilient Stream Cipher

Leakage Resilient Stream Cipher [Pie09, JP14]

Given (ǫF, sF) wPRF F, the following stream cipher is (ǫ, s) secure in q rounds even when given ℓ bits of leakage per round. ǫ = 4q

• ǫF2ℓ

s = max{s : sh(ǫ′, s, ℓ) < sF}, where ǫ′ =

• ǫF2ℓ

Consider the setting in [Sk´

• 16]:

Security of F: sF/ǫF = 2256 Target stream cipher: q = 16, ℓ = 3, ǫ = 2−40 JP14 VZ13 Sk´

• 16

this work s 266 276

7 / 18

Applications: Leakage-Resilient Stream Cipher

Leakage Resilient Stream Cipher [Pie09, JP14]

Given (ǫF, sF) wPRF F, the following stream cipher is (ǫ, s) secure in q rounds even when given ℓ bits of leakage per round. ǫ = 4q

• ǫF2ℓ

s = max{s : sh(ǫ′, s, ℓ) < sF}, where ǫ′ =

• ǫF2ℓ

Consider the setting in [Sk´

• 16]:

Security of F: sF/ǫF = 2256 Target stream cipher: q = 16, ℓ = 8, ǫ = 2−40 JP14 VZ13 Sk´

• 16

this work s 236 265

7 / 18

Boosting

Simulator Distinguisher

h0 f1

Pr[f1(X, h0(X)) = 1] − Pr[f1(X, Z) = 1] > ǫ

h1=update(h0, f1) h1 fi

Pr[fi(X, h1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

hi=update(hi−1, fi) hi hT=update(hT−1, fT) hT success Output hT

8 / 18

Boosting

Simulator Distinguisher

h0 f1

Pr[f1(X, h0(X)) = 1] − Pr[f1(X, Z) = 1] > ǫ

h1=update(h0, f1) h1 fi

Pr[fi(X, h1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

hi=update(hi−1, fi) hi hT=update(hT−1, fT) hT success Output hT

8 / 18

Boosting

Simulator Distinguisher

h0 f1

Pr[f1(X, h0(X)) = 1] − Pr[f1(X, Z) = 1] > ǫ

h1=update(h0, f1) h1 fi

Pr[fi(X, h1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

hi=update(hi−1, fi) hi hT=update(hT−1, fT) hT success Output hT

8 / 18

Boosting

Simulator Distinguisher

h0 f1

Pr[f1(X, h0(X)) = 1] − Pr[f1(X, Z) = 1] > ǫ

h1=update(h0, f1) h1 fi

Pr[fi(X, h1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

hi=update(hi−1, fi) hi hT=update(hT−1, fT) hT success Output hT

8 / 18

Boosting

Simulator Distinguisher

h0 f1

Pr[f1(X, h0(X)) = 1] − Pr[f1(X, Z) = 1] > ǫ

h1=update(h0, f1) h1 fi

Pr[fi(X, h1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

hi=update(hi−1, fi) hi hT=update(hT−1, fT) hT success Output hT

8 / 18

Boosting

Simulator Distinguisher

h0 f1

Pr[f1(X, h0(X)) = 1] − Pr[f1(X, Z) = 1] > ǫ

h1=update(h0, f1) h1 fi

Pr[fi(X, h1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

hi=update(hi−1, fi) hi hT=update(hT−1, fT) hT success Output hT

8 / 18

Boosting

Simulator Distinguisher

h0 f1

Pr[f1(X, h0(X)) = 1] − Pr[f1(X, Z) = 1] > ǫ

h1=update(h0, f1) h1 fi

Pr[fi(X, h1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

hi=update(hi−1, fi) hi hT=update(hT−1, fT) hT success Output hT

8 / 18

Boosting

Simulator Distinguisher

h0 f1

Pr[f1(X, h0(X)) = 1] − Pr[f1(X, Z) = 1] > ǫ

h1=update(h0, f1) h1 fi

Pr[fi(X, h1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

hi=update(hi−1, fi) hi hT=update(hT−1, fT) hT success Output hT

8 / 18

Boosting

Simulator Distinguisher

h0 f1

Pr[f1(X, h0(X)) = 1] − Pr[f1(X, Z) = 1] > ǫ

h1=update(h0, f1) h1 fi

Pr[fi(X, h1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

hi=update(hi−1, fi) hi hT=update(hT−1, fT) hT success Output hT

8 / 18

Boosting

Update h0 with f1, . . . , fT to get hT

9 / 18

Boosting

Update h0 with f1, . . . , fT to get hT How to update?

9 / 18

Boosting

Update h0 with f1, . . . , fT to get hT How to update?

Ad-hoc variant of gradient descent [JP14,Sk´

• 16]

Multiplicative weight update [VZ13, this work]

9 / 18

Boosting

Update h0 with f1, . . . , fT to get hT How to update?

Ad-hoc variant of gradient descent [JP14,Sk´

• 16]

Multiplicative weight update [VZ13, this work]

Number of iterations: T = O(ℓ/ǫ2) (less than [JP14], [Sk´

• 16])

Additional computation: ˜ O(2ℓǫ−4)

9 / 18

Boosting

Update h0 with f1, . . . , fT to get hT How to update?

Ad-hoc variant of gradient descent [JP14,Sk´

• 16]

Multiplicative weight update [VZ13, this work]

Number of iterations: T = O(ℓ/ǫ2) (less than [JP14], [Sk´

• 16])

Additional computation: ˜ O(2ℓǫ−4) ˜ O(2ℓǫ−2)

9 / 18

Before the Boosting

Goal: Learn a simulator / conditional distribution h s.t. ∀f : | Pr[f (X, h(X)) = 1] − Pr[f (X, Z) = 1]| < ǫ ⇔∀f : Pr[f (X, h(X)) = 1] − Pr[f (X, Z) = 1] < ǫ Principle of update: minimize f (X, h(X))

If f (x, z) = 1, make Pr[h(x) = z] smaller If f (x, z) = 0, make Pr[h(x) = z] larger

10 / 18

Multiplicative Weight Update

Warmup: |Supp(X)| = 1

Simulator Distinguisher

wx,z = 1 h0(x) : Pr[h0(x) = z] ∝ wx,z f1

Pr[f1(x, h0(x)) = 1] − Pr[f1(x, Z|X=x) = 1] > ǫ

wx,z = (1 − η)f1(x,z) h1(x) : Pr[h1(x) = z] ∝ wx,z wx,z = (1 − η)

T

i=1 fi(x,z)

hT−1(x) : Pr[hT−1(x) = z] ∝ wx,z fT

Pr[fT(x, hT−1(x)) = 1] − Pr[fT(x, Z|X=x) = 1] > ǫ

Contradiction

hi−1 : Pr[hi−1(x) = z] ∝ wx,z fi

Pr[fi(X, hi−1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

No-regret Property

If T > O(ℓ/η2), ∀D : 1

T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, D) = 1]) ≤ O(η)

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, Z|X=x) = 1]) ≤ ǫ

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(X, hi−1(X)) = 1] − Pr [fi(X, Z) = 1]) ≤ ǫ 11 / 18

Multiplicative Weight Update

Warmup: |Supp(X)| = 1

Simulator Distinguisher

wx,z = 1 h0(x) : Pr[h0(x) = z] ∝ wx,z f1

Pr[f1(x, h0(x)) = 1] − Pr[f1(x, Z|X=x) = 1] > ǫ

wx,z = (1 − η)f1(x,z) h1(x) : Pr[h1(x) = z] ∝ wx,z wx,z = (1 − η)

T

i=1 fi(x,z)

hT−1(x) : Pr[hT−1(x) = z] ∝ wx,z fT

Pr[fT(x, hT−1(x)) = 1] − Pr[fT(x, Z|X=x) = 1] > ǫ

Contradiction

hi−1 : Pr[hi−1(x) = z] ∝ wx,z fi

Pr[fi(X, hi−1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

No-regret Property

If T > O(ℓ/η2), ∀D : 1

T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, D) = 1]) ≤ O(η)

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, Z|X=x) = 1]) ≤ ǫ

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(X, hi−1(X)) = 1] − Pr [fi(X, Z) = 1]) ≤ ǫ 11 / 18

Multiplicative Weight Update

Warmup: |Supp(X)| = 1

Simulator Distinguisher

wx,z = 1 h0(x) : Pr[h0(x) = z] ∝ wx,z f1

Pr[f1(x, h0(x)) = 1] − Pr[f1(x, Z|X=x) = 1] > ǫ

wx,z = (1 − η)f1(x,z) h1(x) : Pr[h1(x) = z] ∝ wx,z wx,z = (1 − η)

T

i=1 fi(x,z)

hT−1(x) : Pr[hT−1(x) = z] ∝ wx,z fT

Pr[fT(x, hT−1(x)) = 1] − Pr[fT(x, Z|X=x) = 1] > ǫ

Contradiction

hi−1 : Pr[hi−1(x) = z] ∝ wx,z fi

Pr[fi(X, hi−1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

No-regret Property

If T > O(ℓ/η2), ∀D : 1

T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, D) = 1]) ≤ O(η)

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, Z|X=x) = 1]) ≤ ǫ

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(X, hi−1(X)) = 1] − Pr [fi(X, Z) = 1]) ≤ ǫ 11 / 18

Multiplicative Weight Update

Warmup: |Supp(X)| = 1

Simulator Distinguisher

wx,z = 1 h0(x) : Pr[h0(x) = z] ∝ wx,z f1

Pr[f1(x, h0(x)) = 1] − Pr[f1(x, Z|X=x) = 1] > ǫ

wx,z = (1 − η)f1(x,z) h1(x) : Pr[h1(x) = z] ∝ wx,z wx,z = (1 − η)

T

i=1 fi(x,z)

hT−1(x) : Pr[hT−1(x) = z] ∝ wx,z fT

Pr[fT(x, hT−1(x)) = 1] − Pr[fT(x, Z|X=x) = 1] > ǫ

Contradiction

hi−1 : Pr[hi−1(x) = z] ∝ wx,z fi

Pr[fi(X, hi−1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

No-regret Property

If T > O(ℓ/η2), ∀D : 1

T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, D) = 1]) ≤ O(η)

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, Z|X=x) = 1]) ≤ ǫ

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(X, hi−1(X)) = 1] − Pr [fi(X, Z) = 1]) ≤ ǫ 11 / 18

Multiplicative Weight Update

Warmup: |Supp(X)| = 1

Simulator Distinguisher

wx,z = 1 h0(x) : Pr[h0(x) = z] ∝ wx,z f1

Pr[f1(x, h0(x)) = 1] − Pr[f1(x, Z|X=x) = 1] > ǫ

wx,z = (1 − η)f1(x,z) h1(x) : Pr[h1(x) = z] ∝ wx,z wx,z = (1 − η)

T

i=1 fi(x,z)

hT−1(x) : Pr[hT−1(x) = z] ∝ wx,z fT

Pr[fT(x, hT−1(x)) = 1] − Pr[fT(x, Z|X=x) = 1] > ǫ

Contradiction

hi−1 : Pr[hi−1(x) = z] ∝ wx,z fi

Pr[fi(X, hi−1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

No-regret Property

If T > O(ℓ/η2), ∀D : 1

T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, D) = 1]) ≤ O(η)

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, Z|X=x) = 1]) ≤ ǫ

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(X, hi−1(X)) = 1] − Pr [fi(X, Z) = 1]) ≤ ǫ 11 / 18

Multiplicative Weight Update

Warmup: |Supp(X)| = 1

Simulator Distinguisher

wx,z = 1 h0(x) : Pr[h0(x) = z] ∝ wx,z f1

Pr[f1(x, h0(x)) = 1] − Pr[f1(x, Z|X=x) = 1] > ǫ

wx,z = (1 − η)f1(x,z) h1(x) : Pr[h1(x) = z] ∝ wx,z wx,z = (1 − η)

T

i=1 fi(x,z)

hT−1(x) : Pr[hT−1(x) = z] ∝ wx,z fT

Pr[fT(x, hT−1(x)) = 1] − Pr[fT(x, Z|X=x) = 1] > ǫ

Contradiction

hi−1 : Pr[hi−1(x) = z] ∝ wx,z fi

Pr[fi(X, hi−1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

No-regret Property

If T > O(ℓ/η2), ∀D : 1

T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, D) = 1]) ≤ O(η)

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, Z|X=x) = 1]) ≤ ǫ

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(X, hi−1(X)) = 1] − Pr [fi(X, Z) = 1]) ≤ ǫ 11 / 18

Multiplicative Weight Update

Warmup: |Supp(X)| = 1

Simulator Distinguisher

wx,z = 1 h0(x) : Pr[h0(x) = z] ∝ wx,z f1

Pr[f1(x, h0(x)) = 1] − Pr[f1(x, Z|X=x) = 1] > ǫ

wx,z = (1 − η)f1(x,z) h1(x) : Pr[h1(x) = z] ∝ wx,z wx,z = (1 − η)

T

i=1 fi(x,z)

hT−1(x) : Pr[hT−1(x) = z] ∝ wx,z fT

Pr[fT(x, hT−1(x)) = 1] − Pr[fT(x, Z|X=x) = 1] > ǫ

Contradiction

hi−1 : Pr[hi−1(x) = z] ∝ wx,z fi

Pr[fi(X, hi−1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

No-regret Property

If T > O(ℓ/η2), ∀D : 1

T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, D) = 1]) ≤ O(η)

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, Z|X=x) = 1]) ≤ ǫ

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(X, hi−1(X)) = 1] − Pr [fi(X, Z) = 1]) ≤ ǫ 11 / 18

Multiplicative Weight Update

Warmup: |Supp(X)| = 1

Simulator Distinguisher

wx,z = 1 h0(x) : Pr[h0(x) = z] ∝ wx,z f1

Pr[f1(x, h0(x)) = 1] − Pr[f1(x, Z|X=x) = 1] > ǫ

wx,z = (1 − η)f1(x,z) h1(x) : Pr[h1(x) = z] ∝ wx,z wx,z = (1 − η)

T

i=1 fi(x,z)

hT−1(x) : Pr[hT−1(x) = z] ∝ wx,z fT

Pr[fT(x, hT−1(x)) = 1] − Pr[fT(x, Z|X=x) = 1] > ǫ

Contradiction

hi−1 : Pr[hi−1(x) = z] ∝ wx,z fi

Pr[fi(X, hi−1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

No-regret Property

If T > O(ℓ/η2), ∀D : 1

T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, D) = 1]) ≤ O(η)

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, Z|X=x) = 1]) ≤ ǫ

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(X, hi−1(X)) = 1] − Pr [fi(X, Z) = 1]) ≤ ǫ 11 / 18

Multiplicative Weight Update

Warmup: |Supp(X)| = 1

Simulator Distinguisher

wx,z = 1 h0(x) : Pr[h0(x) = z] ∝ wx,z f1

Pr[f1(x, h0(x)) = 1] − Pr[f1(x, Z|X=x) = 1] > ǫ

wx,z = (1 − η)f1(x,z) h1(x) : Pr[h1(x) = z] ∝ wx,z wx,z = (1 − η)

T

i=1 fi(x,z)

hT−1(x) : Pr[hT−1(x) = z] ∝ wx,z fT

Pr[fT(x, hT−1(x)) = 1] − Pr[fT(x, Z|X=x) = 1] > ǫ

Contradiction

hi−1 : Pr[hi−1(x) = z] ∝ wx,z fi

Pr[fi(X, hi−1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

No-regret Property

If T > O(ℓ/η2), ∀D : 1

T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, D) = 1]) ≤ O(η)

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, Z|X=x) = 1]) ≤ ǫ

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(X, hi−1(X)) = 1] − Pr [fi(X, Z) = 1]) ≤ ǫ 11 / 18

Multiplicative Weight Update

Simulator Distinguisher

wx,z = 1 h0(x) : Pr[h0(x) = z] ∝ wx,z f1

Pr[f1(x, h0(x)) = 1] − Pr[f1(x, Z|X=x) = 1] > ǫ

wx,z = (1 − η)f1(x,z) h1(x) : Pr[h1(x) = z] ∝ wx,z wx,z = (1 − η)

T

i=1 fi(x,z)

hT−1(x) : Pr[hT−1(x) = z] ∝ wx,z fT

Pr[fT(x, hT−1(x)) = 1] − Pr[fT(x, Z|X=x) = 1] > ǫ

Contradiction

hi−1 : Pr[hi−1(x) = z] ∝ wx,z fi

Pr[fi(X, hi−1(X)) = 1] − Pr[fi(X, Z) = 1] > ǫ

No-regret Property

If T > O(ℓ/η2), ∀D : 1

T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, D) = 1]) ≤ O(η)

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(x, hi−1(x)) = 1] − Pr [fi(x, Z|X=x) = 1]) ≤ ǫ

If T > O(ℓ/ǫ2),

1 T

T

i=1 (Pr [fi(X, hi−1(X)) = 1] − Pr [fi(X, Z) = 1]) ≤ ǫ 11 / 18

Analysis

If T > O(ℓ/ǫ2):

By no-regret property of MWU: 1 T

T

• i=1

(Pr [fi(X, hi−1(X)) = 1] − Pr [fi(X, Z) = 1]) ≤ ǫ Adversary always reply with good response: 1 T

T

• i=1

(Pr [fi(X, hi−1(X)) = 1] − Pr [fi(X, Z) = 1]) > ǫ

12 / 18

Analysis

If T > O(ℓ/ǫ2):

By no-regret property of MWU: 1 T

T

• i=1

(Pr [fi(X, hi−1(X)) = 1] − Pr [fi(X, Z) = 1]) ≤ ǫ Adversary always reply with good response: 1 T

T

• i=1

(Pr [fi(X, hi−1(X)) = 1] − Pr [fi(X, Z) = 1]) > ǫ

“Average-case” application of no-regret online learning algorithm

12 / 18

Precision Issue

Consider the weight function wx,z = (1 − η)

• i fi(x,z)

After T rounds, we need T log(1/ǫ) bits to store wx,z

13 / 18

Precision Issue

Consider the weight function wx,z = (1 − η)

• i fi(x,z)

After T rounds, we need T log(1/ǫ) bits to store wx,z Previous Solution: 2ℓT 2poly(log(1/ǫ)) = ˜ O(2ℓǫ−4) ([VZ13])

13 / 18

Precision Issue

Consider the weight function wx,z = (1 − η)

• i fi(x,z)

After T rounds, we need T log(1/ǫ) bits to store wx,z Previous Solution: 2ℓT 2poly(log(1/ǫ)) = ˜ O(2ℓǫ−4) ([VZ13]) Idea: truncate wx,z down to ⌊2kwx,z⌋2−k for proper k If we take k = O(ℓ + log(1/ǫ)) − log(

z wx,z), the error is O(ǫ),

which is affordable

13 / 18

Implementaton

1 Evaluate fi(x, z) for every i ∈ [T], z ∈ {0, 1}ℓ 2 Compute ez :=

i fi(x, z) for every z

3 Shift ez to make minz(ez) = 0: ez := ez − minz(ez) 4 Compute the first O(ℓ + log(1/ǫ)) bits of (1 − ǫ)ez for every z

(weights wx,z after truncation) with a lookup table

5 Apply sampling and get h(x) 14 / 18

Implementaton

1 Evaluate fi(x, z) for every i ∈ [T], z ∈ {0, 1}ℓ 2 Compute ez :=

i fi(x, z) for every z

3 Shift ez to make minz(ez) = 0: ez := ez − minz(ez) 4 Compute the first O(ℓ + log(1/ǫ)) bits of (1 − ǫ)ez for every z

(weights wx,z after truncation) with a lookup table

5 Apply sampling and get h(x)

Circuit complexity of h: Step 1: O(ℓ · 2ℓǫ−2 · s) Step 2-5: ˜ O(2ℓǫ−2)

14 / 18

Black-box Simulation

All known simulations are of the following form: Pick some distinguishers {f1, . . . , fT} ⊂ F Compute h(x) = D(f1(x, ·), . . . , fT(x, ·)) with decision function D Complexity of h is O(s · 2ℓT + sD)

15 / 18

Black-box Simulation

All known simulations are of the following form: Pick some distinguishers {f1, . . . , fT} ⊂ F Compute h(x) = D(f1(x, ·), . . . , fT(x, ·)) with decision function D Complexity of h is O(s · 2ℓT + sD) MWU: O(ℓ · 2ℓ/ǫ2)

15 / 18

Black-box Simulation

All known simulations are of the following form: Pick some distinguishers {f1, . . . , fT} ⊂ F Compute h(x) = D(f1(x, ·), . . . , fT(x, ·)) with decision function D Complexity of h is O(s · 2ℓT + sD) MWU: O(ℓ · 2ℓ/ǫ2) Can we do better?

15 / 18

Lower Bound

Black-box Simulation

A simulation process is black-box if given any (X, Z), F it generates an efficient simulator h(·) which makes at most q oracle queries to F.

Theorem

Any black-box simulation process which satisfies the same-input restriction has query complexity q = Ω(2ℓǫ−2). Same-input restriction: output simulator h can only query in the form f (x, z) when computing h(x)

16 / 18

Lower Bound

Black-box Simulation

A simulation process is black-box if given any (X, Z), F it generates an efficient simulator h(·) which makes at most q oracle queries to F.

Theorem

Any black-box simulation process which satisfies the same-input restriction has query complexity q = Ω(2ℓǫ−2). Same-input restriction: output simulator h can only query in the form f (x, z) when computing h(x) f , z can be chosen adaptively

16 / 18

Lower Bound

Black-box Simulation

A simulation process is black-box if given any (X, Z), F it generates an efficient simulator h(·) which makes at most q oracle queries to F.

Theorem

Any black-box simulation process which satisfies the same-input restriction has query complexity q = Ω(2ℓǫ−2). Same-input restriction: output simulator h can only query in the form f (x, z) when computing h(x) f , z can be chosen adaptively Open: how to remove the same-input restriction?

16 / 18

Conclusions

Leakage Simulation Lemma

∀(X, Z) ∈ {0, 1}n × {0, 1}ℓ, ∃ simulator h of size ˜ O(2ℓǫ−2 · s) such that (X, h(X)) ≈ǫ,s (X, Z). Many applications in complexity and cryptography We settle the complexity of black-box leakage simulation

Improve the complexity for leakage-resilient stream cipher

Open: remove the same-input restriction in the lower bound

17 / 18

Thank you for listening!

18 / 18