We analyze the mixing time of a natural local Markov Chain (Gibbs sampler) for two commonly studied models of random surfaces: (i) discrete monotone surfaces with "almost planar" boundary conditions and (ii) the one-dimensional discrete Solid-on-Solid (SOS) model. In both cases we prove the first almost optimal bounds. Our proof is inspired by the so-called "mean curvature" heuristic: on a large scale, the dynamics should approximate a deterministic motion in which each point of the surface moves according to a drift proportional to the local inverse mean curvature radius. Key technical ingredients are monotonicity, coupling and an argument due to D. Wilson [17] in the framework of lozenge tiling Markov Chains. The novelty of our approach with respect to previous results consists in proving that, with high probability, the dynamics is dominated by a deterministic evolution which follows the mean curvature prescription. Our method works equally well for both models despite the fact that their equilibrium maximal deviations from the average height profile occur on very different scales.
Sharp Mixing Time Bounds for Sampling Random Surfaces. P. Caputo, F. Martinelli, F. Toninelli. 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, published 2011-10-22. DOI: 10.1109/FOCS.2011.47 (https://doi.org/10.1109/FOCS.2011.47).
Consider the problem of laying out a set of $n$ images that match a query onto the nodes of a $\sqrt{n}\times\sqrt{n}$ grid. We are given a score for each image, as well as the distribution of patterns by which a user's eye scans the nodes of the grid, and we wish to maximize the expected total score of images selected by the user. This is a special case of the \emph{Markov layout} problem, in which we are given a Markov chain $M$ together with a set of objects to be placed at the states of the Markov chain. Each object has a utility to the user if viewed, as well as a stopping probability with which the user ceases to look further at objects. This layout problem is prototypical in a number of applications in web search and advertising, particularly in an emerging genre of search results pages from major engines. In a different class of applications, the states of the Markov chain are web pages at a publisher's website and the objects are advertisements. We study the approximability of the Markov layout problem. Our main result is an $O(\log n)$ approximation algorithm for the most general version of the problem. The core idea is to transform an optimization problem over partial permutations into an optimization problem over sets by losing a logarithmic factor in approximation; the latter problem is then shown to be submodular with two matroid constraints, which admits a constant-factor approximation. In contrast, we also show the problem is APX-hard via a reduction from {\sc Cubic Max-Bisection}. We then study harder variants of the problem, of greater practical interest, in which no \emph{gaps} -- states of $M$ with no object placed on them -- are allowed. By exploiting the geometry, we obtain an $O(\log^{3/2} n)$ approximation algorithm when the digraph underlying $M$ is a grid and an $O(\log n)$ approximation algorithm when it is a tree. These special cases are especially appropriate for our applications.
Markov Layout. Flavio Chierichetti, Ravi Kumar, P. Raghavan. 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, published 2011-10-22. DOI: 10.1109/FOCS.2011.71 (https://doi.org/10.1109/FOCS.2011.71).
Andrej Bogdanov, Periklis A. Papakonstantinou, Andrew Wan
We give an explicit construction of a pseudorandom generator for read-once formulas whose inputs can be read in arbitrary order. For formulas in n inputs and arbitrary gates of fan-in at most d = O(n / log n), the pseudorandom generator uses (1 - O(1))n bits of randomness and produces an output that looks 2^{-O(n)}-pseudorandom to all such formulas. Our analysis is based on the following lemma. Let P = Mz + e, where M is the parity-check matrix of a sufficiently good binary error-correcting code of constant rate, z is a random string, e is a small-bias distribution, and all operations are modulo 2. Then for every pair of functions f, g : {0,1}^{n/2} → {0,1} and every equipartition (I, J) of [n], the distribution P is pseudorandom for the pair (f(x|_I), g(x|_J)), where x|_I and x|_J denote the restriction of x to the coordinates in I and J, respectively. More generally, our result applies to read-once branching programs of bounded width with arbitrary ordering of the inputs. We show that such branching programs are more powerful distinguishers than those that read their inputs in sequential order: There exist (explicit) pseudorandom distributions that separate these two types of branching programs.
Pseudorandomness for Read-Once Formulas. Andrej Bogdanov, Periklis A. Papakonstantinou, Andrew Wan. 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, published 2011-10-22. DOI: 10.1109/FOCS.2011.57 (https://doi.org/10.1109/FOCS.2011.57).
A. Czumaj, M. Monemizadeh, Krzysztof Onak, C. Sohler
We initiate the study of the testability of properties in \emph{arbitrary planar graphs}. We prove that \emph{bipartiteness} can be tested in constant time. The previous bound for this class of graphs was $\tilde{O}(\sqrt{n})$, and the constant-time testability was only known for planar graphs with \emph{bounded degree}. Previously used transformations of unbounded-degree sparse graphs into bounded-degree sparse graphs cannot be used to reduce the problem to the testability of bounded-degree planar graphs. Our approach extends to arbitrary minor-free graphs. Our algorithm is based on random walks. The challenge here is to analyze random walks for a class of graphs that has good separators, i.e., bad expansion. Standard techniques that use a fast convergence to a uniform distribution do not work in this case. Roughly speaking, our analysis technique self-reduces the problem of finding an odd-length cycle in a multigraph $G$ induced by a collection of cycles to another multigraph $G'$ induced by a set of shorter odd-length cycles, in such a way that when a random walk finds a cycle in $G'$ with probability $p > 0$, then it does so with probability $\lambda(p) > 0$ in $G$. This reduction is applied until the cycles collapse to self-loops that can be easily detected.
Planar Graphs: Random Walks and Bipartiteness Testing. A. Czumaj, M. Monemizadeh, Krzysztof Onak, C. Sohler. 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, published 2011-10-22. DOI: 10.1002/rsa.20826 (https://doi.org/10.1002/rsa.20826).
It is well known (cf. Impagliazzo and Luby [FOCS '89]) that the existence of almost all ``interesting'' cryptographic applications, i.e., ones that cannot hold information theoretically, implies one-way functions. An important exception where the above implication is not known, however, is the case of coin-flipping protocols. Such protocols allow honest parties to mutually flip an unbiased coin, while guaranteeing that even a cheating (efficient) party cannot bias the output of the protocol by much. Impagliazzo and Luby proved that coin-flipping protocols that are safe against negligible bias do imply one-way functions, and, very recently, Maji, Prabhakaran, and Sahai [FOCS '10] proved the same for constant-round protocols (with any non-trivial bias). For the general case, however, no such implication was known. We make progress towards answering the above fundamental question, showing that (strong) coin-flipping protocols safe against a constant bias (concretely, $\frac{\sqrt{2}-1}{2} - o(1)$) imply one-way functions.
Coin Flipping with Constant Bias Implies One-Way Functions. Iftach Haitner, Eran Omri. 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, published 2011-10-22. DOI: 10.1137/120887631 (https://doi.org/10.1137/120887631).
We obtain the first deterministic extractors for sources generated (or sampled) by small circuits of bounded depth. Our main results are:
(1) We extract k · poly(k/nd) bits with exponentially small error from n-bit sources of min-entropy k that are generated by functions that are d-local, i.e., each output bit depends on at most d input bits. In particular, we extract from NC-zero sources, corresponding to d = O(1).
(2) We extract k · poly(k/n^{1.001}) bits with super-polynomially small error from n-bit sources of min-entropy k that are generated by poly(n)-size AC-zero circuits.
As our starting point, we revisit the connection by Trevisan and Vadhan (FOCS 2000) between circuit lower bounds and extractors for sources generated by circuits. We note that such extractors (with very weak parameters) are equivalent to lower bounds for generating distributions (FOCS 2010; with Lovett, CCC 2011). Building on those bounds, we prove that the sources in (1) and (2) are (close to) a convex combination of high-entropy "bit-block" sources. Introduced here, such sources are a special case of affine ones. As extractors for (1) and (2) one can use the extractor for low-weight affine sources by Rao (CCC 2009). Along the way, we exhibit an explicit n-bit boolean function b such that poly(n)-size AC-zero circuits cannot generate the distribution (X, b(X)), solving a problem about the complexity of distributions. Independently, De and Watson (RANDOM 2011) obtain a result similar to (1) in the special case d = o(log n).
Extractors for Circuit Sources. Emanuele Viola. 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, published 2011-10-22. DOI: 10.1137/11085983X (https://doi.org/10.1137/11085983X).
Secure computation protocols inherently involve multiple rounds of interaction among the parties where, typically, a party has to keep a state about what has happened in the protocol so far and then \emph{wait} for the other party to respond. We study if this is inherent. In particular, we study the possibility of designing cryptographic protocols where the parties can be completely stateless and compute the outgoing message by applying a single fixed function to the incoming message (independent of any state). The problem of designing stateless secure computation protocols can be reduced to the problem of designing protocols satisfying the notion of resettable computation introduced by Canetti, Goldreich, Goldwasser and Micali (FOCS'01) and widely studied thereafter. The current state of the art in resettable computation allows for construction of protocols which provide security only when a \emph{single predetermined} party is resettable \cite{GoyalSa09}. An exception is the case of the zero-knowledge functionality, for which a protocol in which both parties are resettable was recently obtained by Deng, Goyal and Sahai (FOCS'09). The fundamental question left open in this sequence of works is whether fully-resettable computation is possible when:
\begin{enumerate}
\item An adversary can corrupt any number of parties, and
\item The adversary can reset any party to its original state during the execution of the protocol and can restart the protocol.
\end{enumerate}
In this paper, we resolve the above problem by constructing secure protocols realizing \emph{any} efficiently computable multi-party functionality in the plain model under standard cryptographic assumptions. First, we construct a Fully-Resettable Simulation Sound Zero-Knowledge (ss-rs-rZK) protocol. Next, based on these ss-rs-rZK protocols, we show how to compile any semi-honest secure protocol into a protocol secure against fully resetting adversaries.
Next, we study a seemingly unrelated open question: ``Does there exist a functionality which, in the concurrent setting, is impossible to securely realize using BB simulation but can be realized using NBB simulation?''. We resolve the above question in the affirmative by giving an example of such a (reactive) functionality. Somewhat surprisingly, this is done by making a connection to the existence of a fully resettable simulation sound zero-knowledge protocol.
Stateless Cryptographic Protocols. Vipul Goyal, H. K. Maji. 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, published 2011-10-22. DOI: 10.1109/FOCS.2011.74 (https://doi.org/10.1109/FOCS.2011.74).
A fully homomorphic encryption scheme enables computation of arbitrary functions on encrypted data. Fully homomorphic encryption has long been regarded as cryptography's prized "holy grail" - extremely useful yet rather elusive. Starting with the groundbreaking work of Gentry in 2009, the last three years have witnessed numerous constructions of fully homomorphic encryption involving novel mathematical techniques, and a number of exciting applications. We will take the reader through a journey of these developments and provide a glimpse of the exciting research directions that lie ahead.
Computing Blindfolded: New Developments in Fully Homomorphic Encryption. V. Vaikuntanathan. 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, published 2011-10-22. DOI: 10.1109/FOCS.2011.98 (https://doi.org/10.1109/FOCS.2011.98).
Yao's garbled circuit construction transforms a boolean circuit $C:\{0,1\}^n\to\{0,1\}^m$ into a ``garbled circuit'' $\hat{C}$ along with $n$ pairs of $k$-bit keys, one for each input bit, such that $\hat{C}$ together with the $n$ keys corresponding to an input $x$ reveal $C(x)$ and no additional information about $x$. The garbled circuit construction is a central tool for constant-round secure computation and has several other applications. Motivated by these applications, we suggest an efficient arithmetic variant of Yao's original construction. Our construction transforms an arithmetic circuit $C : Z^n \to Z^m$ over integers from a bounded (but possibly exponential) range into a garbled circuit $\hat{C}$ along with $n$ affine functions $L_i : Z \to Z^k$ such that $\hat{C}$ together with the $n$ integer vectors $L_i(x_i)$ reveal $C(x)$ and no additional information about $x$. The security of our construction relies on the intractability of the learning with errors (LWE) problem.
How to Garble Arithmetic Circuits. B. Applebaum, Y. Ishai, E. Kushilevitz. 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, published 2011-10-22. DOI: 10.1137/120875193 (https://doi.org/10.1137/120875193).
We obtain the first online algorithms for the node-weighted Steiner tree, Steiner forest and group Steiner tree problems that achieve a poly-logarithmic competitive ratio. Our algorithm for the Steiner tree problem runs in polynomial time, while those for the other two problems take quasi-polynomial time. Our algorithms can be viewed as online LP rounding algorithms in the framework of Buchbinder and Naor (Foundations and Trends in Theoretical Computer Science, 2009); however, while the natural LP formulations of these problems do lead to fractional algorithms with a poly-logarithmic competitive ratio, we are unable to round these LPs online without losing a polynomial factor. Therefore, we design new LP formulations for these problems drawing on a combination of paradigms such as spider decompositions, low-depth Steiner trees, generalized group Steiner problems, etc., and use the additional structure provided by these to round the more sophisticated LPs losing only a poly-logarithmic factor in the competitive ratio. As further applications of our techniques, we also design polynomial-time online algorithms with poly-logarithmic competitive ratios for two fundamental network design problems in edge-weighted graphs: the group Steiner forest problem (thereby resolving an open question raised by Chekuri et al. (SODA 2008)) and the single source ℓ-vertex connectivity problem (which complements similar results for the corresponding edge-connectivity problem due to Gupta et al. (STOC 2009)).
Online Node-Weighted Steiner Tree and Related Problems. J. Naor, Debmalya Panigrahi, Mohit Singh. 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, published 2011-10-22. DOI: 10.1109/FOCS.2011.65 (https://doi.org/10.1109/FOCS.2011.65).