On ε-biased Generators in NC^0

Elchanan Mossel, Amir Shpilka, Luca Trevisan

August 15, 2005

Department of Statistics, U.C. Berkeley, CA. Supported by a Miller fellowship in Statistics and Computer Science, by a Sloan fellowship in Mathematics and by NSF grant DMS
Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot, Israel. Supported by National Security Agency (NSA) and Advanced Research and Development Activity (ARDA) under Research Office (ARO) contract no. DAAD , and by the Koshland fellowship.
Computer Science Division, U.C. Berkeley, CA. Supported by NSF Grant CCR /CCR , US-Israel BSF grant , a Sloan Research Fellowship and an Okawa Foundation Grant.

Abstract

Cryan and Miltersen [8] recently considered the question of whether there can be a pseudorandom generator in $\mathrm{NC}^0$, that is, a pseudorandom generator that maps $n$-bit strings to $m$-bit strings such that every bit of the output depends on a constant number $k$ of bits of the seed. They show that for $k = 3$, if $m \ge 4n + 1$, there is a distinguisher; in fact, they show that in this case it is possible to break the generator with a linear test, that is, there is a subset of bits of the output whose XOR has a noticeable bias. They leave the question open for $k \ge 4$. In fact they ask whether every $\mathrm{NC}^0$ generator can be broken by a statistical test that simply XORs some bits of the input. Equivalently, is it the case that no $\mathrm{NC}^0$ generator can sample an ε-biased space with negligible ε?

We give a generator for $k = 5$ that maps $n$ bits into $cn$ bits, so that every bit of the output depends on 5 bits of the seed, and the XOR of every subset of the bits of the output has bias $2^{-\Omega(n/c^4)}$. For large values of $k$, we construct generators that map $n$ bits to $n^{\Omega(\sqrt{k})}$ bits such that every XOR of outputs has bias $2^{-n^{\frac{1}{2\sqrt{k}}}}$. We also present a polynomial-time distinguisher for $k = 4$, $m \ge 24n$ having constant distinguishing probability. For large values of $k$ we show that a linear distinguisher with a constant distinguishing probability exists once $m \ge \Omega(2^k n^{\lceil k/2 \rceil})$. Finally, we consider a variant of the problem where each of the output bits is a degree $k$ polynomial in the inputs. We show there exists a degree $k = 2$ pseudorandom generator for which the XOR of every subset of the outputs has bias $2^{-\Omega(n)}$ and which maps $n$ bits to $\Omega(n^2)$ bits.

1 Introduction

A pseudorandom generator is an efficient deterministic procedure that maps a shorter random input into a longer output that is indistinguishable from the uniform distribution by resource-bounded observers. A formalization of the above informal definition is to consider polynomial-time procedures $G$ mapping $n$ bits into $m(n) > n$ bits such that for every property $P$ computable by a family of polynomial-size circuits we have that the quantity

$$\left| \Pr_{z \in \{0,1\}^{m(n)}}[P(z) = 1] - \Pr_{x \in \{0,1\}^{n}}[P(G(x))] \right|$$

goes to zero faster than any inverse polynomial in $n$. The existence of such a procedure $G$ is equivalent to the existence of one-way functions [15], pseudorandom functions [11] and pseudorandom permutations [23].

What are the minimal computational requirements needed to compute a pseudorandom generator? Linial et al. [20] prove that pseudorandom functions cannot be computed in $\mathrm{AC}^0$ (constant-depth circuits with NOT gates and unbounded fan-in AND and OR gates). To be precise, the results in [20] only rule out security against adversaries running in time $O(n^{(\log n)^{O(1)}})$. Their result does not rule out the possibility that pseudorandom generators could be computed in $\mathrm{AC}^0$, since the transformation of pseudorandom generators into pseudorandom functions does not preserve bounded-depth. Kharitonov [19] shows that a pseudorandom generator with superlinear stretch can be computed in $\mathrm{NC}^1$, that is, it can be computed by a circuit of polynomial size, logarithmic depth, and gates of constant fan-in. (It is known that $\mathrm{NC}^1$ properly contains $\mathrm{AC}^0$.) Impagliazzo and Naor [17] present a candidate pseudorandom generator in $\mathrm{AC}^0$. Goldreich [12] suggests a candidate one-way function in $\mathrm{NC}^0$. Recall that $\mathrm{NC}^0$ is the class of functions computed by bounded-depth circuits with NOT gates and bounded fan-in AND and OR gates. In an $\mathrm{NC}^0$ function, every bit of the output depends on a constant number of bits of the inputs. While it is easy to see that there can be no one-way function such that every bit of the output depends on only two bits of the input (as finding an inverse can be formulated as a 2SAT problem) it still remains open whether there can be a one-way function such that every bit of the output depends on only three bits of the input. Applebaum et al. [1] have very recently provided evidence that such one-way functions exist.

Cryan and Miltersen [8] consider the question of whether there can be pseudorandom generators in $\mathrm{NC}^0$, that is, whether there can be a pseudorandom generator such that every bit of the output depends only on a constant number $k$ of bits of the input. They present a distinguisher in the case $k = 3$, $m > 4n$, and they observe that their distinguisher is a linear distinguisher, that is, it simply XORs a subset of the bits of the output. Cryan and Miltersen ask whether there is any pseudorandom generator in $\mathrm{NC}^0$ when $m$ is superlinear in $n$. Specifically, they ask whether the following is the case: that for every constant $k$, and for every generator for which $m$ is super-linear in $n$ and for which every output bit depends on at most $k$ bits of the input, a linear distinguisher exists. In order to formulate an equivalent version of this problem, we introduce the notion of an ε-biased distribution.

Definition 1. For $\varepsilon > 0$, we say that a random variable $X = (X_1,\dots,X_m)$ ranging over $\{0,1\}^m$ is ε-biased if for every subset $S \subseteq [m]$ we have $1/2 - \varepsilon \le \Pr[\bigoplus_{i \in S} X_i = 0] \le 1/2 + \varepsilon$.

It is known [27, 3] that an ε-biased distribution can be sampled by using only $O(\log(m/\varepsilon))$ random bits, which is tight up to the constant in the big-oh. The problem of [8] can therefore be formulated by asking whether there exists any ε-biased generator in $\mathrm{NC}^0$ that samples an $m$-bit ε-biased distribution starting from, say, $o(m)$ random bits and a negligible ε.

Our Results

We first extend the result of Cryan and Miltersen by giving a (non linear) distinguisher for the case $k = 4$, $m \ge 24n$.

Theorem 2. Let $G = (g_1,\dots,g_m) : \{0,1\}^n \to \{0,1\}^m$ be a map such that each $g_i$ depends on at most 4 coordinates of the input and $m \ge 24n$. Then there exists a polynomial time algorithm which distinguishes between $G$ and a random string with constant distinguishing probability. More precisely, the algorithm will output yes for the output of the generator $G$ with probability $\Omega(1)$, and for a random string with probability $e^{-\Omega(m)}$.

Our distinguisher has a constant distinguishing probability, which we show to be impossible to achieve with linear distinguishers. Our distinguisher uses semidefinite programming and uses an idea similar to the correlation attacks used in practice against stream ciphers.

For all $k$, it is trivial that a distinguisher exists for $m \ge 2^{2^k}\binom{n}{k}$ (the number of functions on $k$ bits), and it is easy to see that a distinguisher exists when m k ( k) (as there is a linear dependence among the output bits in this case). We show using a duality lemma proven in [25] that in fact, a distinguisher with a constant distinguishing probability exists once $m \ge \Omega(2^k n^{\lceil k/2 \rceil})$ by proving

Theorem 3. For every integer $0 < k$ and any $0 < \varepsilon < 2^{-2k-1}$, if $G = (g_1,\dots,g_m)$ is an ε-biased pseudorandom generator, where each of the $g_i$'s depends on at most $k$ bits, then

$$m \le \sum_{t=0}^{\lceil k/2 \rceil} 2^{2(k-t)}\binom{n}{t} \le k 2^{2k}\binom{n}{\lceil k/2 \rceil}.$$

Then we present an ε-biased generator mapping $n$ bits into $cn$ bits such that $\varepsilon = 1/2^{\Omega(n/c^4)}$ and every bit of the output depends only on $k = 5$ bits of the seed, i.e., we prove

Theorem 4. For every $c$ and sufficiently large $n$, there is a generator in $\mathrm{NC}^0_5$ mapping $n$ bits into $cn$ bits and sampling an ε-biased distribution, where $\varepsilon = 2^{-n/O(c^4)}$.

The main idea in the construction is to develop a generator with $k = 3$ that handles well linear tests that XOR a small number of bits, and then develop a generator with $k = 2$ that handles well linear tests that XOR a large number of bits. The final generator outputs the bitwise XOR of the outputs of the two generators, on two independent seeds. The generator uses a kind of unique-neighbor expander graphs that are shown to exist using the probabilistic method, but that are not known to be efficiently constructible, so the generator is in $\mathrm{NC}^0$ but not in uniform $\mathrm{NC}^0$.

Later we present similar constructions for large values of $k$. We write $f(n,k) = O_k(g(n))$ if $f(n,k) \le h(k)g(n)$ for some function $h$; similarly we will use the notation $o_k$.

Theorem 5. Let $k$ be a positive integer. There exists an ε-biased generator in $\mathrm{NC}^0_k$ from $n$ bits to ( ) k 6 k 2 3 $= n^{\sqrt{k}(\frac{1}{2} - o_k(1))}$ bits whose bias, ε, is at most exp ( 1 2 k 4 2 k ).

Note the gap for large values of $k$ between our constructions that output $n^{(\sqrt{k}/2)(1 - o_k(1))}$ bits, and the bounds showing a distinguisher exists for generators that output $n^{(k/2)(1 + o_k(1))}$ bits.

Finally, we begin a study of the question of whether there are pseudorandom generators with superlinear stretch such that each bit of the output is a function of the seed expressible as a degree-$k$ polynomial over GF(2), where $k$ is a constant. This is a generalization of the main question addressed in this paper, since a function depending on only $k$ inputs can always be expressed as a degree-$k$ polynomial. Furthermore, low-degree polynomials are a standard class of low complexity functions from an algebraic perspective. In our $\mathrm{NC}^0_5$ construction of an ε-biased generator with exponentially small ε and superlinear stretch, every bit of the output is a degree-2 polynomial. We show that

Theorem 6. 1 m there exists an ε-biased generator $G = (g_1,\dots,g_t) : \{0,1\}^n \to \{0,1\}^t$, t = 2 m, such that $g_i$ is a degree 2 polynomial, and the bias of any non trivial linear combination of the $g_i$'s is at most 2 2m 4.

Later Results and Open Questions

Applebaum et al. [1] have recently made substantial progress on the main questions left open by our work about the cases $k = 3, 4$. In the case $k = 3$, Applebaum et al. [1] present a construction of an ε-biased generator with $m = (1 + \alpha)n$, where $\alpha > 0$ is an absolute constant. They also show that under relatively general assumptions, there are one-way functions such that every bit of the output depends on only 3 bits of the input. In the case $k = 4$, Applebaum et al. [1] present a construction of a pseudorandom generator with $m = n + n^{\alpha}$, where $\alpha$ can be chosen to be any constant smaller than 1. The generator is secure under the assumption that there exist pseudorandom generators in L/poly, which is a fairly general assumption.

It remains open whether a cryptographically strong generator can be realized in the case $k = 3$, whether a cryptographically strong generator with linear stretch can be realized in the case $k = 4$, and whether a cryptographically strong generator with superlinear stretch can be realized in the case $k = 5$. Another important open problem which may be more accessible is to understand the right asymptotic for ε-biased generators for large $k$. It is tempting to conjecture that either the upper bound $n^{O(k)}$ or the lower bound $n^{\Omega(\sqrt{k})}$ is actually tight.

Organization

In section 2 we review the analysis for the case $k = 3$ of [8]. In section 3 we give a distinguisher for the case $k = 4$. In section 4 we prove an upper bound on the length of the output of an ε-biased generator in $\mathrm{NC}^0_k$. In section 5 we construct an ε-biased generator for the cases $k = 4, 5$. The results for larger $k$ are discussed in section 6. In section 7 we explicitly construct an ε-biased generator such that every bit of the output is a polynomial of degree 2. An extended abstract reporting on the results here appeared in [26].

2 Review of the Case k = 3

In this section we summarize the main result of [8]. We also generalize some of the arguments of [8] that are needed for our results.

2.1 Preliminaries

We say that a function $g : \{0,1\}^n \to \{0,1\}$ is balanced if $\Pr_x[g(x) = 1] = 1/2$. We say that a function $g : \{0,1\}^n \to \{0,1\}$ is unbiased towards a function $f : \{0,1\}^n \to \{0,1\}$ if $\Pr_x[g(x) = f(x)] = 1/2$, and that it is biased towards $f$ (or correlated with $f$) otherwise. A function $g : \{0,1\}^n \to \{0,1\}$ is affine if there are values $a_0,\dots,a_n \in \{0,1\}$ such that $g(x_1,\dots,x_n) = a_0 \oplus a_1 x_1 \oplus \dots \oplus a_n x_n$; it is non-affine otherwise.

The following lemma was proved by case analysis for $k = 3$ in [8], and the case $k = 4$ could also be derived from a case analysis appearing in [8] (but it is not explicitly stated). The proof of the general case follows using the Fourier representation of boolean functions. The Fourier representation is easier to work with when considering functions from $\{\pm 1\}^n \to \{\pm 1\}$. For a boolean function $f : \{0,1\}^k \to \{0,1\}$ we write $F$ for the function $F : \{\pm 1\}^k \to \{\pm 1\}$ defined as

$$F((-1)^{x_1},\dots,(-1)^{x_k}) = (-1)^{f(x_1,\dots,x_k)}. \qquad (1)$$

For the boolean functions $f, g, h$ discussed in this section, the functions $F, G, H$ will be the corresponding mappings to $\{\pm 1\}$. For a set $S \subseteq [k]$, we let $U_S : \{\pm 1\}^k \to \{\pm 1\}$ be defined as $U_S(X) = \prod_{i \in S} X_i$, that is $U_S$ is the character corresponding to $S$. It is well known that $\{U_S\}_{S \subseteq [k]}$ is an orthonormal basis for the space of functions from $\{\pm 1\}^k$ to $\mathbb{R}$ with respect to the inner product $\langle F, G \rangle = \frac{1}{2^k}\sum_{x \in \{0,1\}^k} F(x)G(x)$. We write $F(X) = \sum_S \hat{F}(S)U_S(X)$ for the representation of $F$ in the basis $\{U_S\}$. Because of orthonormality, the coefficients $\hat{F}(S)$ satisfy the relation $\hat{F}(S) = \langle F, U_S \rangle$. Note that if $f, g$ are boolean functions and $F, G$ are defined as in (1), then

$$\Pr[f(x) = g(x)] = \Pr[F(x) = G(x)] = 1/2 + 1/2\,\langle F, G \rangle.$$

In particular, $f$ and $g$ are correlated if and only if $\langle F, G \rangle \ne 0$.

Lemma 7. Let $g : \{0,1\}^n \to \{0,1\}$ be a non-affine function that depends on only $k$ variables. Then

- There exists an affine function on at most $k - 2$ variables that is correlated with $g$.
- Let $l$ be the affine function that is biased towards $g$ and that depends on a minimal number of variables. That is, for some $d$, $l$ depends on $d$ variables, $\Pr_x[g(x) = l(x)] > 1/2$, and $g$ is unbiased towards affine functions that depend on less than $d$ variables. Then $\Pr_x[g(x) = l(x)] \ge 1/2 + 2^{d-k}$.

Proof. Let $f : \{0,1\}^k \to \{0,1\}$ be a non-affine function. We prove that there exists a set $S$ of size at most $k - 2$ such that $\hat{F}(S) \ne 0$. This implies that $F$ is correlated with $U_S$ and therefore that $f$ is correlated with $\bigoplus_{i \in S} x_i$ as needed. Look at the function $h(x_1,\dots,x_k) = f(x_1,\dots,x_k) \oplus \bigoplus_{i=1}^{k} x_i$. Since $f$ is non-affine, $h$ is not a constant function. Let $H$ be the $\{\pm 1\}$ representation of $h$. As the $\{\pm 1\}$ representation of $\bigoplus_{i=1}^{k} x_i$ is $U_{[k]}$, we get that $H$ has the Fourier representation

$$H = U_{[k]}F = U_{[k]}\sum_{S \subseteq [k]} \hat{F}(S)U_S = \sum_{S \subseteq [k]} \hat{F}(S)U_{[k] \setminus S} = \sum_{S \subseteq [k]} \hat{F}([k] \setminus S)U_S.$$

It therefore suffices to prove that $U_{[k]}F$ has a coefficient $\hat{F}(S) \ne 0$ with $|S| \ge 2$. We will prove that any function which depends on more than one bit has a non-zero coefficient with $|S| \ge 2$. This will prove the first part, since if $h$ depends on at most one bit then $f$ is affine.

Indeed, assume the contradiction $F = a_0 + \sum_i a_i U_{\{i\}}$. For a $\pm 1$ vector $X$, write $X^i$ for the vector where the $i$-th coordinate of $X$ is multiplied by $-1$. Note that for all $i$ and all $X$, it holds that $2a_i = F(X) - F(X^i) \in \{0, \pm 2\}$, which implies that $a_i \in \{0, \pm 1\}$. Parseval's inequality implies that $\sum_i a_i^2 = 1$. We therefore conclude that $F(X)$ depends on one bit as needed. This completes the proof of the first claim.

Note that $f$ is correlated with $\bigoplus_{i \in S} x_i$ if and only if $\hat{F}(S) \ne 0$. Moreover,

$$\Pr[f(x) = \bigoplus_{i \in S} x_i] = \frac{1 + \hat{F}(S)}{2}.$$

The claim will therefore follow once we prove that if $F = \sum_{|S| \ge d} \hat{F}(S)U_S$, and $\hat{F}(S) \ne 0$ for a set $S$ of size $d$, then $|\hat{F}(S)| \ge 2^{d+1-k}$. By looking at $U_{[k]}F$ instead of $F$, it suffices to prove that if

$$F = \sum_{|S| \le k-d} \hat{F}(S)U_S, \qquad (2)$$

and $S'$ is a set of size $k - d$ such that $\hat{F}(S') \ne 0$, then $|\hat{F}(S')| \ge 2^{d-k+1}$. In order to prove the last claim, define

$$A(X) = \sum_{T \subseteq S'} (-1)^{|T|}F(X^T) = \sum_{T \subseteq S'} (-1)^{|T|}\sum_{S \subseteq [k]} \hat{F}(S)U_S(X^T) = \sum_{S \subseteq [k]} \hat{F}(S)\sum_{T \subseteq S'} (-1)^{|T|}U_S(X^T),$$

where $X^T$ is $X$ where the coordinates at $T$ are flipped (multiplied by $-1$). It is then clear that $A$ obtains an even integer value in the interval $[-2^{k-d}, 2^{k-d}]$. On the other hand, if $S$ does not contain $S'$ and $j \in S' \setminus S$, then for all $X$

$$\sum_{T \subseteq S'} (-1)^{|T|}U_S(X^T) = \sum_{T \subseteq S',\, j \notin T} (-1)^{|T|}U_S(X^T) + \sum_{T \subseteq S',\, j \in T} (-1)^{|T|}U_S(X^T) = \sum_{T \subseteq S',\, j \notin T} U_S(X^T)\left((-1)^{|T|} + (-1)^{|T|+1}\right) = 0.$$

Since $\hat{F}(S) = 0$ for all $S$ strictly containing $S'$, it follows that

$$A(X) = \hat{F}(S')\sum_{T \subseteq S'} (-1)^{|T|}U_{S'}(X^T) = 2^{k-d}\hat{F}(S')U_{S'}(X).$$

We therefore conclude that $\hat{F}(S')$ is of the form $\frac{2i}{2^{k-d}}$, for some integer $i \in [-2^{k-d-1}, 2^{k-d-1}]$. In particular, since $\hat{F}(S') \ne 0$, it follows that $|\hat{F}(S')| \ge 2^{d-k+1}$ as needed.

For example, for $k = 3$, a non-affine function $g$ is either unbalanced, or it is biased towards one of its inputs; in the latter case it agrees with an input bit (or with its complement) with probability at least 3/4. For $k = 4$, a function $g$ either is affine, or it is unbalanced, or it has agreement at least 5/8 with an affine function that depends on only one input bit, or it has agreement at least 3/4 with an affine function that depends on only two input bits.

2.2 The Case k = 3

Let $G : \{0,1\}^n \to \{0,1\}^m$ be a generator and let $g_i : \{0,1\}^n \to \{0,1\}$ be the $i$-th bit of the output of the generator. Suppose each $g_i$ depends on only three bits of the input. Suppose that one of the $g_i$ is not a balanced function. Then we immediately have a distinguisher. Suppose that more than $n$ of the $g_i$ are affine. Then one of them is linearly dependent on the others, and we also have a distinguisher. It remains to consider the case where at least $m - n$ of the functions $g_i$ are balanced and not affine.
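Lemma 7 and the k = 3 and k = 4 consequences stated after its proof can be checked exhaustively. The Python program below is an added example, not code from the paper, and its function names are ours. It enumerates every boolean function on k bits as a truth-table bitmask, skips the affine ones, finds the least number d of variables of a correlated parity, and records the smallest agreement seen for each d.

```python
def popcount(v):
    return bin(v).count("1")


def lemma7_census(k):
    """For every non-affine f: {0,1}^k -> {0,1}, find the least d such that f is
    correlated with the parity of some d variables (or its complement).
    Returns {d: {"count": number of such f, "min_agreement": worst agreement}}."""
    size = 1 << k                       # number of inputs x
    # parity[S]: truth table of x -> XOR of x_i for i in S; bit x holds the value at x.
    parity = []
    for S in range(size):
        table = 0
        for x in range(size):
            if popcount(x & S) & 1:
                table |= 1 << x
        parity.append(table)
    all_ones = (1 << size) - 1          # truth table of the constant 1
    affine = set(parity) | {t ^ all_ones for t in parity}
    by_weight = sorted(range(size), key=popcount)

    census = {}
    for f in range(1 << size):          # every truth table on k bits
        if f in affine:
            continue
        d, worst = None, 1.0
        for S in by_weight:
            if d is not None and popcount(S) > d:
                break                   # only parities on exactly d variables matter
            disagree = popcount(f ^ parity[S])
            if 2 * disagree == size:
                continue                # Fourier coefficient of S is zero
            d = popcount(S)
            # agreement with the parity or with its complement, whichever is larger
            worst = min(worst, max(disagree, size - disagree) / size)
        entry = census.setdefault(d, {"count": 0, "min_agreement": 1.0})
        entry["count"] += 1
        entry["min_agreement"] = min(entry["min_agreement"], worst)
    return census


def lemma7_violations(k, census):
    """Values of d that break either claim of Lemma 7 (expected: none)."""
    return [d for d, e in census.items()
            if d > k - 2 or e["min_agreement"] < 0.5 + 2.0 ** (d - k)]


if __name__ == "__main__":
    for k in (3, 4):
        census = lemma7_census(k)
        print(k, census, lemma7_violations(k, census))
```

For k = 3 the census splits the 240 non-affine functions into 184 unbalanced ones (d = 0) and 56 balanced ones (d = 1), and the bounds 5/8 and 3/4 are attained exactly.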
Let $I$ be the set of $i$ for which $g_i$ is as above. Then, by Lemma 7, for each such $g_i$ there is an affine function $l_i$ that depends on only one bit, such that $g_i$ agrees with $l_i$ on a 3/4 fraction of the inputs. By replacing $g_i$ with $g_i \oplus 1$ when needed, we may assume that each such $g_i$ has correlation at least 3/4 with one of the bits of its input. The following lemma now implies a constant distinguishing probability once m

While the above analysis uses the same ideas as in [8], it is slightly better because we achieve constant bias instead of inverse polynomial bias. We first prove a very general lemma that will be also used in later sections, and then we derive the conclusion that we need for the case of $k = 3$.

Lemma 8. For every $\delta > 0$ there are constants $c_\delta$ and $\varepsilon_\delta$ 2 δ 2 δ 3δ2 4 such that the following holds. Let $G : \{0,1\}^n \to \{0,1\}^m$, and let $G(x) = (g_1(x),\dots,g_m(x))$. Let $L$ be a set of functions and suppose that each function $g_i(x)$ agrees with an element of $L$ or with its complement with probability at least $1/2 + \delta$. In other words, for every $g_i$ there exists $f \in L$ such that $\Pr_x[g_i(x) = f(x)] \ge 1/2 + \delta$ or $\Pr_x[g_i(x) \ne f(x)] \ge 1/2 + \delta$. Assume that $m \ge 1 + c_\delta |L|$. Then there are $i \ne j$ such that $g_i \oplus g_j$ has bias at least $\varepsilon_\delta$. Moreover, $c_{1/4} \le 3$ and $c_{1/8} \le 9$.

Proof. By the pigeonhole principle there is a function $f \in L$ and a set of indices $C \subseteq [m]$, such that $|C| \ge m/|L|$, and for every $i \in C$, $g_i$ or $1 \oplus g_i$ is correlated with $f$. Assume w.l.o.g. that for every $i \in C$, $g_i$ is correlated with $f$ (otherwise replace $g_i$ with $1 \oplus g_i$). Define the random variable

$$Z(x) = \left|\,\#\{i \in C : g_i(x) = 0\} - \#\{i \in C : g_i(x) = 1\}\,\right|.$$

Consider the expectation of $Z(x)$ (where $x$ is uniformly chosen from $\{0,1\}^n$). We have that

$$E[Z(x)] = E\left[\,\left|\#\{i \in C : g_i(x) = f(x)\} - \#\{i \in C : g_i(x) \ne f(x)\}\right|\,\right] \ge E[\#\{i \in C : g_i(x) = f(x)\}] - E[\#\{i \in C : g_i(x) \ne f(x)\}] \ge |C|\left(\left(\tfrac{1}{2} + \delta\right) - \left(\tfrac{1}{2} - \delta\right)\right) = 2\delta|C|.$$

Note that the average value of $Z$ over the uniform distribution is $O(\sqrt{|C|})$. We conclude that for $|C| = \alpha\delta^{-2}$, for a sufficiently large $\alpha$, the difference of expected values of $Z$ under the generator and under the uniform distribution is $\Omega(|C|\delta)$. This implies that the statistical distance between the output of the generator and the uniform distribution over $C$ bits is $\Omega(\delta)$. By the Vazirani XOR lemma [31] (see [10] for an excellent exposition of the XOR lemma), it also follows that the XOR of some subset of the bits of $C$ has bias $\Omega(\delta 2^{-|C|}) = 2^{-O(\delta^{-2})}$.

However we would like to obtain a better dependence between $\delta$ and $\varepsilon$. For $i, j \in C$ define $Z_{i,j}(x)$ to be 1 if $g_i(x) = g_j(x)$ and $-1$ otherwise. Note that $E[Z_{i,j}]$ equals twice the bias of $g_i \oplus g_j$. Clearly $Z_{i,i} = 1$. We have that $Z(x)^2 = \sum_{i,j} Z_{i,j}$. In particular we get that

$$E\Big[\sum_{i,j} Z_{i,j}(x)\Big] = E[Z(x)^2] \ge E[Z(x)]^2 \ge 4\delta^2|C|^2.$$

Hence for $|C| = \frac{1}{\delta^2}$ we get that $E[\sum_{i,j} Z_{i,j}(x)] \ge 4|C|$.

As $E[\sum_i Z_{i,i}] = |C|$, it follows that $E[\sum_{i \ne j} Z_{i,j}] \ge 3|C|$, and so there must be $i \ne j \in C$ such that

$$E[Z_{i,j}] \ge \frac{3|C|}{|C|(|C| - 1)} \ge \frac{3\delta^2}{2}.$$

In other words, $g_i \oplus g_j$ has a $\frac{3\delta^2}{4}$ bias. Thus taking $m = 1 + |L|\left(\frac{1}{\delta^2} - 1\right)$ we obtain $c_\delta = \frac{1}{\delta^2} - 1$.

We now consider two special cases. Let $|C| = 4$, $\delta = \frac{1}{4}$. By the above argument we get that $E[Z(x)] \ge \frac{|C|}{2} = 2$. On the other hand, for the uniform distribution on 4 bits the average of $Z(x)$ is ( ( ) ( )) = < 2 = 2. Thus, if $|C| = 4$ we get by Vazirani's XOR lemma that some subset of the $g_i$'s has some constant bias, so we can set $c_{1/4} = 3$. Similarly, when $|C| = 10$ the average of $Z(x)$ for the uniform distribution is $\frac{2}{1024}\sum_{i=0}^{4}\binom{10}{i}(10 - 2i) = \frac{2520}{1024}$ < , so we can set $c_{1/8} = 9$.

To conclude the case of $k = 3$ we note that if $m \ge 1 + 4n$, and the output of the generator contains at most $n$ affine functions then at least output bits that are not affine and so we can apply Lemma 8, where $L = \{\pi_1,\dots,\pi_n\}$ is the set of projection functions $\pi_i$ such that $\pi_i(x_1,\dots,x_n) = x_i$. The consequence of Lemma 8 is that two of the output bits are correlated.

3 Distinguisher for the Case k = 4

In this section we construct a distinguisher for $k = 4$. We restate Theorem 2.

Theorem. Let $G = (g_1,\dots,g_m) : \{0,1\}^n \to \{0,1\}^m$ be a map such that each $g_i$ depends on at most 4 coordinates of the input and $m \ge 24n$. Then there exists a polynomial time algorithm which distinguishes between $G$ and a random string with constant distinguishing probability. More precisely, the algorithm will output yes for the output of the generator $G$ with probability $\Omega(1)$, and for a random string with probability $e^{-\Omega(m)}$.

The first case we consider is where there are more than $0.001m$ of the $g_i$ that are unbalanced. Suppose that $g_1,\dots,g_p$ are unbalanced and $p \ge 0.001m$. Then there exist fixed bits $b_1,\dots,b_p$ such that $\Pr[g_i = b_i] \ge 9/16$. Thus by Markov's inequality:

[ { i gi (z) = b i )} Pr z {0,1} 17 ] 1 p

On the other hand, if $r_1,\dots,r_p$ are chosen uniformly at random, then

$$\Pr\left[\frac{|\{i : r_i = b_i\}|}{p} \ge \frac{17}{32}\right] \le e^{-\Omega(m)}$$

by Chernoff's inequality.

The second case is where more than m of the $g_i$ are linear. In this case we can write at least $0.001m$ independent linear combinations in the output bits of the generator that hold with probability 1. The probability that these combinations hold for truly random bits is m. Thus the statement of the theorem follows in this case as well.

If one of the $g_i$ is biased towards one of the bits of its input, then it follows from Lemma 7 that it must agree with that bit or its complement with probability at least 5/8. Suppose that more than $c_{1/8}$ = m of the functions $g_i$ have bias towards one bit. Then by the proof of Lemma 8, there exist at least p m disjoint sets $S_1,\dots,S_p$ of the $g_i$'s such that $|S_r| \le 10$ and $\bigoplus_{i \in S_r} g_i$ has bias at least $2^{-10}$ towards a constant bit $b_r$ for all $1 \le r \le p$. Thus, as in the first case,

[ { r i Sr g i (z) = b r )} Pr z {0,1} 1 ] p

and from Chernoff's bound it follows that if $r_i$ are truly random then

[ { r i Sr r i = b r } Pr p ] e Ω(m).

Thus, the proof follows in this case as well.

It remains to consider the case where at least $0.997m - 10n$ of the functions are balanced, non-linear, and unbiased towards single bits. Following [8], we call such functions problematic. It follows from Lemma 7 that for each problematic $g$ there is an affine function $l$ of two variables that agrees with $g$ on a 3/4 fraction of the inputs. Again, by replacing $g_i$ by $g_i \oplus 1$, when needed, we may assume that all the problematic $g_i$'s have 3/4 agreement probability with some linear function. Let $P$ be the set of $i$ such that $g_i$ is problematic. For each such $i$ we denote by $l_i$ the linear function of two inputs that agrees with $g_i$ on a 3/4 fraction of the inputs.

In the next section we show how if $p = |P| \ge 0.997m$ , then one can break the generator using correlation attack. Correlation attacks are often used in practice to break pseudorandom generators. The distinguisher below is an interesting example where one can actually prove that correlation attack results in a polynomial time distinguisher.

3.1 The Distinguisher Based on Semidefinite Programming

Given a string $(r_1,\dots,r_p) \in \{0,1\}^p$, consider the following linear system over GF(2) with two variables per equation.

$$\forall i \in P: \quad l_i(x) = r_i. \qquad (3)$$

We will argue that the fraction of satisfied equations in the system (3) is distributed differently if $r_1,\dots,r_p$ is uniform or if it is the output of $G$. Since the expected number of equations (3) satisfied when $r_i = g_i$ is at least $3p/4$, it follows by Markov's inequality that

Lemma 9. If $r_1,\dots,r_p$ are the output of $g_1,\dots,g_p$, respectively (where the $g_i$'s are problematic), then, for every $\varepsilon > 0$, there is a probability of at least $\varepsilon$ that at least $3/4 - \varepsilon$ fraction of the equations in (3) are satisfiable. More formally

$$\Pr_{z \in \{0,1\}^n}\left[\frac{|\{i : g_i(z) = l_i(z)\}|}{p} \ge \frac{3}{4} - \varepsilon\right] \ge \varepsilon.$$

Lemma 10. If $r_1,\dots,r_p$ are chosen uniformly at random from $\{0,1\}^p$, and $p > (1/2\delta^2)(\ln 2)(n + c)$, then the probability that there is an assignment that satisfies more than a $1/2 + \delta$ fraction of the equations of (3) is at most $2^{-c}$.

Proof. Fix an assignment $z$; then, by Chernoff's inequality, the probability that a fraction at least $1/2 + \delta$ of the $r_i$ agree with $l_i(z)$ is at most $e^{-2\delta^2 p} \le 2^{-n-c}$. By a union bound, there is at most a probability $2^{-c}$ that such a $z$ exists.

Given a system of linear equations over GF(2) with two variables per equation, it is NP-hard to determine the largest number of equations that can be satisfied, but the problem can be approximated to within a .878 factor using semidefinite programming [13]. We now prove Theorem 2.

Proof of Theorem 2: Let δ = .158, ε = Thus, $.878(3/4 - \varepsilon) > 1/2 + \delta$. The statement of the theorem follows from the previous arguments unless there are $p$ problematic functions where $p > 0.997m - 10n$. Given a string $(r_1,\dots,r_p)$, which is either random in $\{0,1\}^p$ or from the distribution $G(z)$ restricted to problematic functions (where $z$ is random), we consider the system (3). Using semidefinite programming [13] we get a polynomial time algorithm that is successful if a $3/4 - \varepsilon$ fraction of the equations hold, and fails if no more than $0.878(3/4 - \varepsilon) > 1/2 + \delta$ of the equations hold. Let c = By Lemma 10 if p > > $(1/2\delta^2)(\ln 2)(n + c)$, then the probability that more than $1/2 + \delta$ of the equations are satisfied, when $r_1,\dots,r_p$ are chosen randomly, is at most $2^{-c} = \exp(-\Omega(n))$. On the other hand, when $(r_1,\dots,r_p)$ is taken from the generator then the probability that at least $3/4 - \varepsilon$ fraction of the equations are satisfied is at least $\varepsilon$. The theorem follows.

3.2 Correlation Attacks

In this section we discuss how our distinguisher for the case $k = 4$ can be seen as a correlation attack. Correlation attacks are a class of attacks that are often attempted in practice against candidate pseudorandom generators. Pseudorandom generators are called stream ciphers in the applied cryptography literature, see e.g. the introduction of [18] for an overview.

The basic idea is as follows. Given a candidate generator $G : \{0,1\}^n \to \{0,1\}^m$, where $G(x) = g_1(x),\dots,g_m(x)$, we first try and find linear relations between input bits and output bits that are satisfied with non-trivial probability. For example, suppose we find coefficients $a_{i,j}$, $b_{i,j}$ and $c_j$ such that each of the equations

$$\sum_{i=1}^{n} a_{i,1}x_i + \sum_{i=1}^{m} b_{i,1}g_i(x) = c_1 \pmod 2$$
$$\sum_{i=1}^{n} a_{i,2}x_i + \sum_{i=1}^{m} b_{i,2}g_i(x) = c_2 \pmod 2$$
$$\cdots$$
$$\sum_{i=1}^{n} a_{i,t}x_i + \sum_{i=1}^{m} b_{i,t}g_i(x) = c_t \pmod 2 \qquad (4)$$

is satisfied with probability bounded away from 1/2.

Now we want to use this system of equations in order to build a distinguisher. The distinguisher is given a sample $z = (z_1,\dots,z_m)$ and has to decide whether $z$ is uniform or is the output of $G$. The distinguisher substitutes $z_i$ in place of $g_i(x)$ in (4) and then tries to find an $x$ that maximizes the number of satisfied equations. The hope is that, if $z = G(x)$, then we will find $x$ as a solution of the optimization problem. Unfortunately, maximizing the number of satisfied equations in a linear system over GF(2) is an NP-hard problem, and, in fact, it is NP-hard to achieve an approximation factor better than 1/2 [14]. In practice, one uses belief-propagation algorithms that often work, although the method is typically not amenable to a formal analysis.
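The distinguisher of Section 3.1, read as the correlation attack just described, can be run on a toy instance. The Python code below is an added example, not from the paper. Its assumptions: the constructed output functions $g_i(x) = x_a \oplus x_b \oplus x_c x_d$, which are problematic in the paper's sense with $l_i(x) = x_a \oplus x_b$; exhaustive search over all $2^n$ seeds stands in for the semidefinite-programming approximation, which is feasible only because n = 8; the threshold 0.70 and all function names are ours.

```python
import random


def make_wiring(n, m, rng):
    """Constructed toy generator: output bit i reads four distinct seed positions."""
    return [tuple(rng.sample(range(n), 4)) for _ in range(m)]


def generate(wiring, seed):
    """g_i(x) = x_a XOR x_b XOR (x_c AND x_d): balanced, non-linear, unbiased towards
    every single input bit, and equal to l_i(x) = x_a XOR x_b with probability 3/4."""
    return [seed[a] ^ seed[b] ^ (seed[c] & seed[d]) for a, b, c, d in wiring]


def satisfied_fraction(wiring, r, x):
    """Fraction of the equations l_i(x) = r_i of system (3) satisfied by assignment x."""
    hits = sum(1 for (a, b, _, _), ri in zip(wiring, r) if (x[a] ^ x[b]) == ri)
    return hits / len(r)


def max_satisfied_fraction(wiring, r, n):
    """Exact optimum of system (3) over all 2^n assignments (stand-in for the SDP)."""
    equations = [(a, b, ri) for (a, b, _, _), ri in zip(wiring, r)]
    best = 0
    for v in range(1 << n):             # v encodes an assignment, bit j = x_j
        hits = 0
        for a, b, ri in equations:
            if (((v >> a) ^ (v >> b)) & 1) == ri:
                hits += 1
        if hits > best:
            best = hits
    return best / len(r)


def experiment(n=8, trials=30, threshold=0.70, rng_seed=2005):
    """Count how often the test 'optimum >= threshold' answers yes on generator
    outputs and on uniform strings, with m = 24n output bits as in Theorem 2."""
    rng = random.Random(rng_seed)
    m = 24 * n
    yes_generated = yes_uniform = 0
    for _ in range(trials):
        wiring = make_wiring(n, m, rng)
        seed = [rng.randrange(2) for _ in range(n)]
        if max_satisfied_fraction(wiring, generate(wiring, seed), n) >= threshold:
            yes_generated += 1
        uniform = [rng.randrange(2) for _ in range(m)]
        if max_satisfied_fraction(wiring, uniform, n) >= threshold:
            yes_uniform += 1
    return yes_generated, yes_uniform


if __name__ == "__main__":
    print(experiment())   # (yes answers on generator outputs, yes answers on uniform strings)
```

The test never needs to recover the seed: on generator output the true seed already satisfies every equation whose product term $x_c x_d$ is 0, while for a uniform string the Chernoff and union bound argument of Lemma 10 keeps every assignment close to 1/2.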

In Section 3.1, we were able to derive a formal analysis of a related method because we ended up with a system of equations having only two variables per equation, a class of instances for which good approximation algorithms are known. Furthermore, we did not try to argue that, when the method is applied to the output of the generator, we are likely to recover the seed; instead, we argued that just being able to approximate the largest fraction of satisfiable equations gives a way to distinguish samples of the generators from random strings.

4 $O(n^{\lceil k/2 \rceil})$ upper bound

In this section we prove the following theorem which gives an upper bound on the maximal stretch of an ε-biased generator in $\mathrm{NC}^0_k$. We restate Theorem 3.

Theorem. For every integer $0 < k$ and any $0 \le \varepsilon < 2^{-2k-1}$, if $G = (g_1,\dots,g_m)$ is an ε-biased pseudorandom generator, where each of the $g_i$'s depends on at most $k$ bits, then

$$m \le \sum_{t=0}^{\lceil k/2 \rceil} 2^{2(k-t)}\binom{n}{t} \le k 2^{2k}\binom{n}{\lceil k/2 \rceil}. \qquad (5)$$

The proof uses the following lemma from [25].

Lemma 11 ([25]). Let $f : \{0,1\}^k \to \{0,1\}$, then for all $r$: either $f$ is a polynomial of degree at most $r$ over GF(2), or $f$ is biased towards an affine function of at most $k - r$ variables.

Proof of Theorem 3: For $0 \le t \le n$, write $B(t) = \sum_{i=0}^{t}\binom{n}{i}$. Set $s = \lceil k/2 \rceil$, $r = k - s$. By Lemma 11 every $g_i$ is either a degree $r$ polynomial, or is biased towards an affine function of at most $s$ variables. Let $p$ be the number of degree $r$ polynomials among the $g_i$'s, and $b_t$ be the number of $g_i$'s biased towards an affine function of exactly $t$ variables (but not towards an affine function with less than $t$ variables). Clearly, $m \le p + \sum_{t=0}^{s} b_t$.

Note that the $B(r)$ monomials of degree $\le r$ on the variables $x_1,\dots,x_n$ form a basis for the vector space of all degree $r$ polynomials in $x_1,\dots,x_n$. Therefore if $p > B(r)$, there is a linear dependency between the $g_i$'s. We therefore conclude that

$$p \le B(r). \qquad (6)$$

On the other hand, note that by Lemma 7, if $g$ is biased towards an affine function of $t \le s$ variables (but not towards an affine function with less than $t$ variables) then there exists an affine function $l$ of $t$ variables such that $\Pr[g = l] \ge 1/2 + 2^{t-k}$. Moreover, there are exactly $\binom{n}{t}$ linear functions on $t$ variables. For $t \le s$ let $L_t$ be the set of linear functions on $t$ variables. Lemma 8 implies that if

$$b_t \ge 1 + |L_t|\,c_{2^{t-k}} = 1 + \binom{n}{t}\left(2^{2(k-t)} - 1\right)$$

then there is an XOR of two of the $g_i$'s that has at least a t 2k > $2^{-2k-1}$ bias. It therefore follows that

$$b_t \le \binom{n}{t}\left(2^{2(k-t)} - 1\right). \qquad (7)$$

Combining (7) and (6) we obtain that

$$m \le B(r) + \sum_{t=0}^{\lceil k/2 \rceil}\binom{n}{t}\left(2^{2(k-t)} - 1\right) \le \sum_{t=0}^{\lceil k/2 \rceil} 2^{2(k-t)}\binom{n}{t} \le k 2^{2k}\binom{n}{\lceil k/2 \rceil}$$

as needed.

5 Constructions for k = 5 and k = 4

5.1 Overview

In this section we prove Theorem 4. We will also give a construction of a $k = 4$ generator with inverse-polynomial bias. In both cases, we will construct a generator mapping $2n$ bits into $cn$ bits. It is helpful to think of $c$ as a large constant, although the results for $k = 5$ hold also if $c$ is a function of $n$.

We will construct two generators: one will be good against linear tests that involve a small number of output bits (we call them small tests), and another is good against linear tests that involve a large number of output bits (we call them large tests). The final generator will be obtained by computing the two generators on independent seeds, and then XOR-ing their output bit by bit. In this way, we fool every possible test.

The generator that is good against large tests is such that every bit of the output is just the product of two bits of the seed. We argue that the sum (modulo 2) of $t$ output bits of the generator has bias exponentially small in $t/c^2$, where $c$, as above, is the stretch of the generator. Then we describe a generator that completely fools linear tests of size up to about $n/c^2$, and such that every bit of the output is the sum of three bits of the seed. Combined with the generator for large tests, we get a generator in $\mathrm{NC}^0_5$ such that every linear test has bias $2^{-O(n/c^4)}$.

5.2 The Generator for Large Tests

Let us call the bits of the seed $y_1,\dots,y_n$. Let $K$ be an undirected graph formed by $n/(2c + 1)$ disjoint cliques each with $2c + 1$ vertices (we assume for simplicity that $n/(2c + 1)$ is an integer). $K$ has $n$ vertices that we identify with the elements of $[n]$. $K$ has $cn = m$ edges. Fix some ordering of the edges of $K$, and let $(a_j, b_j)$ be the $j$-th edge of $K$. Define the functions $q_1,\dots,q_m$ as $q_j(y_1,\dots,y_n) = y_{a_j}y_{b_j}$.

Lemma 12. For every subset $S \subseteq [m]$, the function $q_S(y) = \sum_{j \in S} q_j(y)$ is such that

$$\left|\Pr_y[q_S(y) = 0] - \frac{1}{2}\right| \le \left(\frac{1}{2}\right)^{1 + |S|/(2c^2 + c)}.$$

The proof relies on the following two standard lemmas. The first one from [8] is a special case of the Schwartz-Zippel lemma [29, 32].

Lemma 13 ([8]). Let $p$ be a non-constant degree-2 multilinear polynomial over GF(2). Then $1/4 \le \Pr[p(x) = 0] \le 3/4$.

It is well known and easy to prove by induction that

Lemma 14. Let $X_1,\dots,X_t$ be independent 0/1 random variables, and suppose that for every $i$ we have $\delta \le \Pr[X_i = 0] \le 1 - \delta$. Then

$$\frac{1}{2} - \frac{1}{2}(1 - 2\delta)^t \le \Pr\Big[\bigoplus_i X_i = 0\Big] \le \frac{1}{2} + \frac{1}{2}(1 - 2\delta)^t.$$
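Lemma 12 can be checked exhaustively on the smallest instance of the clique generator. The Python code below is an added example, not from the paper; the function names and the parameters n = 9, c = 1 are ours. For every nonempty set S of output bits it computes the exact bias of $q_S$, counts violations of the bound of Lemma 12, and groups the worst bias by the number t of cliques that S touches.

```python
from itertools import combinations


def clique_edges(n, c):
    """Edges (a_j, b_j) of K: n/(2c+1) disjoint cliques on 2c+1 vertices each,
    listed clique by clique so that edge j lies in clique j // (2c^2 + c)."""
    size = 2 * c + 1
    if n % size:
        raise ValueError("n must be a multiple of 2c + 1")
    edges = []
    for start in range(0, n, size):
        edges.extend(combinations(range(start, start + size), 2))
    return edges


def g1_outputs(n, edges):
    """G_1(y) for every seed y, packed as an integer whose bit j is q_j(y) = y_a * y_b."""
    table = []
    for y in range(1 << n):
        word = 0
        for j, (a, b) in enumerate(edges):
            word |= ((y >> a) & (y >> b) & 1) << j
        table.append(word)
    return table


def lemma12_report(n, c):
    """Return (worst, violations): worst[t] is the largest |Pr[q_S = 0] - 1/2| over
    all S touching exactly t cliques; violations counts the sets S whose bias
    exceeds the bound (1/2)^(1 + |S|/(2c^2 + c)) of Lemma 12."""
    edges = clique_edges(n, c)
    per_clique = 2 * c * c + c
    table = g1_outputs(n, edges)
    worst, violations = {}, 0
    for S in range(1, 1 << len(edges)):      # S as a bitmask over output bits
        zeros = sum(1 for word in table if bin(word & S).count("1") % 2 == 0)
        bias = abs(zeros / len(table) - 0.5)
        size = bin(S).count("1")
        if bias > 0.5 ** (1 + size / per_clique):
            violations += 1
        t = len({j // per_clique for j in range(len(edges)) if (S >> j) & 1})
        worst[t] = max(worst.get(t, 0.0), bias)
    return worst, violations


if __name__ == "__main__":
    print(lemma12_report(9, 1))
```

The worst bias for sets touching t cliques is exactly $(1/2)^{1+t}$ here, and a single output bit already has bias 1/4, which is why this generator alone does not fool small tests.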

We can now prove lemma 12.

Proof of Lemma 12. We can think of $S$ as a subset of the edges of $K$. Each connected component of $K$ has $2c^2 + c$ edges, so $S$ contains edges coming from at least $|S|/(2c^2+c)$ different connected components. Let $t$ be the number of connected components. If we decompose the summation $\sum_{j \in S} q_j(y_1, \dots, y_n)$ into terms depending on each of the connected components, then each term is a non-trivial degree-2 polynomial, and the $t$ terms are independent random variables when $y_1, \dots, y_n$ are picked at random. We can then apply lemma 14, where the $X_i$ are the values taken by each of the $t$ terms in the summation, $\delta = 1/4$, and $t \ge |S|/(2c^2+c)$.

In particular it follows that if we define $G_1(y_1, \dots, y_n) = (q_1, \dots, q_m)$ then any linear combination of at least $\Omega(n)$ coordinates of the output of $G_1$ has an exponentially small bias.

5.3 The Generator for Small Tests

Let $A \in \{0,1\}^{m \times n}$ be a matrix such that every row is a vector in $\{0,1\}^n$ with exactly three non-zero entries, and also assume that every set of $\sigma - 1$ rows of $A$ is linearly independent. Let $A_1, \dots, A_m$ be the rows of $A$. We define the linear functions $l_1, \dots, l_m$ as $l_i(x) = A_i \cdot x$. Note that each of these linear functions depends on only three bits of the input.

Proposition 15. For every subset $S \subseteq [m]$, $|S| < \sigma$, the function $l_S(x) = \sum_{j \in S} l_j(x)$ is balanced.

Proof. We have $l_S(x) = (\sum_{j \in S} A_j) \cdot x$, and since $\sum_{j \in S} A_j$ is a non-zero element of $\{0,1\}^n$ (as $\{A_i\}_{i \in S}$ are linearly independent), it follows that $l_S()$ is a non-trivial linear function, and therefore it is balanced.

Lemma 16. For every $c = c(n) = o(\sqrt{n}/(\log n)^{3/4})$ and for sufficiently large $n$ there is a 0/1 matrix $A$ with $cn$ rows and $n$ columns such that every row has exactly three non-zero entries and such that every set of $\sigma - 1 = n/(4e^2c^2(n)) - 1$ rows are linearly independent.

Proof. We shall construct the matrix $A$ as the adjacency matrix of a bi-partite expander graph. We begin by showing a relation between an expansion of bi-partite graphs and linear independence of related linear functions. Let $G = (L, R, E)$ be a bi-partite graph such that $|R| = n$.
$G$ has the $b$-right unique neighbor property, if for any set $V \subseteq L$, $|V| \le b$ there exists a vertex $u \in R$ such that $|N(u) \cap V| = 1$. Assign the input variables to the different vertices in $R$. For every vertex $v \in L$ the corresponding output is the linear function

$$l_v(X) = \sum_{i \in N(v)} x_i.$$

Lemma 17. If $G$ has the $b$-right unique neighbor property then for any set $B$ such that $|B| < b$, the linear combination $l = \sum_{v \in B} l_v$ is nonzero.

Proof. We have that

$$l = \sum_{v \in B} l_v = \sum_{i \,:\, |N(i) \cap B| = \text{odd}} x_i.$$

The right unique neighbor property guarantees that there is an input variable that belongs to exactly one output. Therefore $l$ is not zero.

Note that we actually need the odd-neighbor property (i.e. that for any set of size less than $b$ there is a neighbor with odd number of neighbors in the set), but our calculations show that the graphs that we use have the stronger unique-neighbor property. The problem of constructing explicit expanders with the unique neighbor property was extensively studied in recent years and many new constructions were found [2, 7, 9, 22]. However, none of these give the parameters we need here. Thus we only prove the existence of such a graph instead of giving an explicit construction. Our proof actually shows that if we pick a random graph (with the correct parameters) then w.h.p. it will have the unique-neighbor property.

The existence of graphs with the unique neighbor property will follow from the existence of certain expanders. We say that a bipartite graph $(L, R, E)$ is $(\sigma, \alpha)$-expanding if for every subset $S \subseteq L$ of vertices on the left, if $|S| \le \sigma$ then $|N(S)| > \alpha |S|$, where (as before) $N(S)$, defined as

$$N(S) = \{v \in R : \exists u \in S \text{ such that } (u, v) \in E\},$$

is the neighborhood of $S$.

Lemma 18. Suppose that the degrees of all vertices in L are bounded by . If N(S) > S /2 for all sets $S \subseteq L$ of size at most $\sigma$, then $G$ has the $\sigma$-right unique neighbor property.

Proof. If there is no unique neighbor, then by counting edges N(S) S /2.

The following lemma shows the existence of a bi-partite expander graph with the required properties.

Lemma 19. For every $c(n) = o(\sqrt{n}/(\log n)^{3/4})$ and sufficiently large $n$ there is a $(\sigma, 3/2)$-expanding graph $([c(n) \cdot n], [n], E)$ with $\sigma = n/(4e^4c^2(n))$ such that every vertex on the left has degree 3.

Proof. We construct the graph at random by connecting each vertex on the left to three distinct randomly chosen vertices on the right. (For different left vertices the random choices are independent.) Fix a size $s$, $2 \le s \le n/(2e^2c)$, and consider the probability that there is a subset $S \subseteq [cn]$ of $s$ vertices on the right (i.e. $S \subseteq R$) whose neighborhood is contained in a set $T \subseteq [n]$ of $3s/2$ vertices on the left. Clearly, this probability is less than $\left(\frac{3s}{2n}\right)^{3s}$. The number of possible choices for $S$ is $\binom{cn}{s}$ and the number of possible choices for $T$ is $\binom{n}{3s/2}$. By a union bound, the probability that the construction fails to satisfy the required property is at most

$$\sum_{s=2}^{\sigma} \binom{cn}{s} \binom{n}{3s/2} \left(\frac{3s}{2n}\right)^{3s}. \qquad (8)$$

Using the inequality $\binom{n}{k} \le \left(\frac{en}{k}\right)^k$ we can see that (8) is at most

$$\sum_{s=2}^{\sigma} \left(\frac{ecn}{s}\right)^{s} \left(\frac{2en}{3s}\right)^{3s/2} \left(\frac{3s}{2n}\right)^{3s} \le \sum_{s=2}^{\sigma} \left(2e^3 c \sqrt{\frac{s}{n}}\right)^{s} \qquad (9)$$

$$= O\left(\left(\frac{c}{\sqrt{n}}\right)^2 + \left(\frac{c}{\sqrt{n}}\right)^3 + \left(\frac{c}{\sqrt{n}}\right)^4 (\log n)^3\right) = o(1), \qquad (10)$$

where the last line can be verified by breaking the second sum in expression (9) up into the term $s = 2$, which is $O((c/\sqrt{n})^2)$; $s = 3$, which is $O((c/\sqrt{n})^3)$; the terms $s = 4, \dots, 2\log n$, each of which is at most $O((c\sqrt{\log n}/\sqrt{n})^4)$; and the remaining terms, each of which is at most $1/n^2$.

We now finish the proof of lemma 16. Consider the graph $G$ constructed in Lemma 19 and let $A$ be the $|L| \times |R|$ matrix such that $A_{v,u} = 1$ if and only if $(v, u)$ is an edge of $G$. Note that every row of $A$ has exactly 3 non-zero entries. By Lemma 18, $G$ has the $\sigma$-right unique neighbor property. Therefore by Lemma 17 the linear functions corresponding to any subset of $\sigma$ rows are linearly independent.

In particular we get that if we define $G_2(x) = (A_1 \cdot x, \dots, A_m \cdot x)$ then any linear combination of at most 2 /4e 2 c 2 1 coordinates of the output of $G_2$ is unbiased. The proof follows.
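Lemma 12 can be checked exhaustively on a toy instance of the Section 5.2 generator. The following Python is an added example, not code from the paper; the function names and the parameters (n = 12, c = 1) are choices made here, and a Walsh-Hadamard transform is used to obtain the deviation |Pr[q_S = 0] - 1/2| of every linear test S at once.

```python
from itertools import combinations

def clique_edges(n, c):
    """Edges of K: n/(2c+1) disjoint cliques on 2c+1 vertices, so m = c*n edges."""
    size = 2 * c + 1
    if n % size:
        raise ValueError("n must be a multiple of 2c+1")
    return [e for start in range(0, n, size)
            for e in combinations(range(start, start + size), 2)]

def g1(edges, y):
    """G_1 on the n-bit seed y: output bit j is q_j(y) = y_{a_j} * y_{b_j}."""
    out = 0
    for j, (a, b) in enumerate(edges):
        out |= ((y >> a) & (y >> b) & 1) << j
    return out

def deviations(n, c):
    """|Pr_y[q_S(y) = 0] - 1/2| for every test S, indexed by the bitmask of S."""
    edges = clique_edges(n, c)
    table = [0] * (1 << len(edges))      # table[z] = number of seeds with G_1(y) = z
    for y in range(1 << n):
        table[g1(edges, y)] += 1
    h = 1                                # in-place Walsh-Hadamard transform:
    while h < len(table):                # table[S] becomes sum_y (-1)^{q_S(y)}
        for i in range(0, len(table), 2 * h):
            for k in range(i, i + h):
                u, v = table[k], table[k + h]
                table[k], table[k + h] = u + v, u - v
        h *= 2
    return [abs(t) / (2 << n) for t in table]   # deviation = |correlation| / 2

def worst_by_size(n, c):
    """Map |S| -> (largest deviation over tests of that size, Lemma 12 bound)."""
    worst = {}
    for S, dev in enumerate(deviations(n, c)):
        size = bin(S).count("1")
        if size == 0:
            continue                     # the empty sum is constant, not a test
        bound = 0.5 ** (1 + size / (2 * c * c + c))
        worst[size] = (max(dev, worst.get(size, (0.0, bound))[0]), bound)
    return worst

if __name__ == "__main__":
    for size, (dev, bound) in sorted(worst_by_size(12, 1).items()):
        print(f"|S| = {size:2d}  worst deviation = {dev:.5f}  bound = {bound:.5f}")
```

Tests that cover a whole triangle have deviation exactly 0 here, which is why every test on more than 8 of the 12 outputs is perfectly balanced in this toy instance.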

5.4 Putting Everything Together: Proof of theorem 4

In order to obtain the generator, recall that $m = cn$ and take $G_1 : \{0,1\}^n \to \{0,1\}^m$ and $G_2 : \{0,1\}^n \to \{0,1\}^m$ to be the generators defined above (with the parameter $c$). Then we take $G : \{0,1\}^{2n} \to \{0,1\}^m$ defined by $G(x, y) = G_1(x) \oplus G_2(y)$. We get that by lemma 12 any combination of more than $\sigma$ outputs of $G$ has bias at most $2^{-\sigma/(c^2+c)}$, and that by lemma 16, any combination of at most $\sigma = n/(4e^2c^2)$ of the outputs of $G$ is unbiased. This completes the proof of the theorem.

5.5 Generator for k = 4

When k = 4 we want to replace the generator for small sets by a generator which depends only on two bits. The construction is essentially the one in [8]. Let $H$ be an undirected graph with $n$ vertices, that we identify with $[n]$, having $cn$ edges and girth $\gamma$. Fix some ordering of the edges of $H$, and let $(a_j, b_j)$ be the $j$-th edge of $H$. We define the linear functions $l_1, \dots, l_m$ as $l_j(x_1, \dots, x_n) = x_{a_j} + x_{b_j}$.

Proposition 20. For every subset $S \subseteq [m]$, $|S| < \gamma$, the function $l_S(x) = \sum_{j \in S} l_j(x)$ is balanced.

Proof. Since $|S| < \gamma$, the subgraph of $H$ induced by the edges of $S$ is a forest. Therefore $l_S(x)$ is a non-zero linear function, and hence balanced.

The explicit construction of expanders by Lubotzky-Phillips-Sarnak [21] has high girth:

Lemma 21 ([21]). For every $c$ and for sufficiently large $n$ there are explicitly constructible graphs $H$ with $n$ vertices, $cn$ edges, and girth $\Omega((\log n)/(\log c))$.

We thus obtain:

Theorem 22. For every $c$ and sufficiently large $n$, there is a generator in uniform $NC^0_4$ mapping $n$ bits into $cn$ bits and sampling an ε-biased distribution, where $\varepsilon = n^{-1/O(c^2 \log c)}$.

6 ε-biased generator for large k

In this section we construct an ε-biased generator in $NC^0_k$, for large $k$, that outputs $n^{\Omega(\sqrt{k})}$ bits. More precisely we prove Theorem 5:

Theorem. Let $k$ be a positive integer. There exists an ε-biased generator in $NC^0_k$ from $n$ bits to ( ) k 6 k 2 3 = k( 1 2 o k(1)) bits whose bias ε is at most exp ( 1 2 k 4 2 k ).

6.1 The Generator for Large Tests

In this section we prove the following Lemma.

Lemma 23. Let $n = p^2$ and let $d$ be an integer. Then there exists a generator $G_1 = (g_1, \dots, g_m) : \{0,1\}^n \to \{0,1\}^m$, where $m = \binom{p}{d}$, such that for all $J \subseteq [m]$ the bias of $g = \sum_{j \in J} g_j$ is at most

$$\exp\left(-\frac{|J|^{1/d}}{2^d}\right). \qquad (11)$$

Proof. Consider the following bi-partite graph $G = (L, R, E)$ where $|L| = p$ (left vertices), $|R| = \binom{p}{d}$ (right vertices). Identify the vertices of $L$ with the numbers $1, \dots, p$ and the vertices of $R$ with $\binom{[p]}{d}$, the set of all subsets of $[p] = \{1, \dots, p\}$ of size $d$. The edges of $G$ are all pairs $(i, S)$ such that $i \in [p]$, $S \in \binom{[p]}{d}$ and $i \in S$. For a set of vertices, $V$, we denote with $N(V)$ the set of neighbors of $V$:

$$N(V) = \{u \in L \cup R : \exists v \in V \text{ such that } (u, v) \in E\}.$$

For a vertex $i$ let $\deg(i) = |N(\{i\})|$.

Proposition 24. For any set of right vertices $V \subseteq R$ we have that $|N(V)| \ge \frac{d}{e} |V|^{1/d}$.

Proof. Note that for any set of $t$ left vertices, $L'$, there are (exactly) $\binom{t}{d}$ right vertices, $R'$, such that $N(R') = L'$. The result follows from the inequality

$$|V| \le \binom{|N(V)|}{d} \le \left(\frac{e\,|N(V)|}{d}\right)^d.$$

Our construction will assign a monomial of degree $d$, in the input variables, to each edge. We think about the vertices of $L$ as representing disjoint subsets of the input variables (each of size $p$) and each edge leaving such input set as corresponding to a monomial in its variables. The right vertices, $R$, correspond to the output bits. Each output is the sum of the monomials that label the edges that fan into it.

We now give the formal construction. Let $X = \bigcup_{i=1}^{p} X_i$ be a partition of $X = \{x_1, \dots, x_n\}$ into $p$ disjoint sets each of size $p$. We assign the set $X_i$ to the $i$-th vertex of $L$. Let $M_i$ be the set of all multilinear monomials of degree $d$ in the variables of $X_i$. We have that

$$|M_i| = \binom{p}{d} > \binom{p-1}{d-1} = \deg(i).$$

Therefore we can assign to each edge leaving $i$ a different monomial from $M_i$. Denote by $M_e$ the monomial corresponding to the edge $e$. Each right vertex corresponds to an output bit. For a right vertex $j$ the $j$-th output, which we denote by $g_j$, is the sum of all monomials that were assigned to the edges adjacent to $j$:

$$g_j = \sum_{e \,:\, j \in e} M_e.$$

Thus each output is the sum of $d$ monomials each of degree $d$. Hence each output depends on $d^2$ input variables.

We now show that any large linear combination of the output bits has a small bias by proving (11). Let $g = \sum_{j \in J} g_j$. The proof is essentially the same as the proof of lemma 12 and follows from the following easy propositions.

Proposition 25. Let $g = \sum_{j \in J} g_j$, then $g$ can be written as the sum of at least $|N(J)|$ polynomials of degree $d$, each in a different set of variables.

Proof. The set of outputs $J$ has $|N(J)|$ left neighbors. The edges connecting the set $J$ to a neighbor $i \in N(J)$ are labeled with polynomials of degree $d$ in $X_i$.

From the Schwartz-Zippel lemma [29, 32] we get

Proposition 26. For any polynomial $g$ of degree $d$ we have $\frac{1}{2^d} \le \Pr[g = 0] \le 1 - \frac{1}{2^d}$.

Thus according to lemma 14 we get that the bias of g is at most ( ) N(J) 2 2 d 1 ( ) ( ) 2N(J) 2 exp J 1 d 2 d exp 2 d

This finishes the proof of Lemma 23.

6.2 The Generator for Small Tests

Similar to the k = 4, 5 cases this generator will output only linear functions. We will have the property that any small set of these linear functions is linearly independent. This is a standard construction that follows from the unique neighbor property of expanding graphs.

Lemma 27. Let t be positive integer t and = 10t. There exists a mapping from bits to t bits such that every output depends linearly on input variables, and such that any linear combination of at most outputs is non-zero and therefore unbiased.

Proof. As in the proof of lemma 16, we shall construct a linear mapping from an expander bi-partite graph with the unique neighbor property. We first prove:

Lemma 28. Let t be a positive integer and = 10t. Then there exists a family of bi-partite graphs G = (L, R, E) with L = t, R =, v L deg(v) =, such that G is a (σ =, 5t) expanding graph.

Proof. Let R =, L = t. Connect every vertex in L to a randomly chosen multi set of size of distinct right vertices. We continue as in Lemma 19. Fix a size s, 2 s σ =, and consider the probability that there is a subset S [ t ] of s vertices on the right whose neighborhood is contained in a set T [] of s/2 vertices on the left. This probability is less than ( s 2 ) s. The number of possible choices for S is ( ) t s and the number of possible choices for T is ( s/2). Therefore applying the union bound and recalling that = 10t the probability that the construction fails to satisfy the required property is at most σ ( ) e t s s s=2 ( ) 2e s/2 s ( ) s s 2 ( ) σ (e s) s = o(1). s=2 4t

We now finish the proof of lemma 27. Let $G$ be the graph constructed in Lemma 28. Label each vertex on the right by one of the variables $x_i$ and each vertex on the left by the linear combination of the variables adjacent to it.
By Lemma 18, $G$ has the $\sigma$-right unique neighbor property. Therefore by Lemma 17 every set consisting of $\sigma - 1$ linear functions (corresponding to left vertices) is linearly independent. The proof follows.

6.3 Putting things together: Proof of theorem 5

Let κ = ( k 5) 2, ν = 2 2. We have that k > κ + 10 κ, κ > k 12 k, 2 ν > 2 2. Let $X = \{x_1, \dots, x_\nu\}$, $Y = \{y_1, \dots, y_\nu\}$. Let $f_1(X), \dots, f_{\binom{p}{d}}(X)$ be the outputs of the generator against large tests with the parameters p = ν, d = κ. Let h 1 (Y ),...,h ν κ(Y ) be the outputs of the generator for small tests on Y, given the parameter t = κ. Note that ( ) ( ) ν p ν κ > =. κ d

Our generator $G$ will output the functions

$$g_i(X, Y) = f_i(X) + h_i(Y), \qquad 1 \le i \le \binom{p}{d}.$$

Notice that as we have more $h_i$'s than $f_i$'s we do not use most of the $h_i$'s. Clearly, each output of the generator depends on κ + 10 κ < k input variables. From lemmas 23, 27 we get that the bias of any non trivial linear combination of the outputs is at most exp Our generator takes 2ν inputs and outputs as needed. ( ) p d ( ν 1 d 2 d ( e 2 ) κ ν 2 κ ) exp ( 1 2 k ( ) k k ) k 2 3 = k( 1. 2 o k(1))

7 A degree 2 generator

In this section we consider a variant of the problem presented in the paper. Suppose that we require that every output bit is a degree $k$ polynomial in the input bits. It is clear that if we want the output to be ε-biased, then the number of output bits $m$ is at most the dimension of the space of degree $k$ polynomials in $n$ variables, which is $\sum_{i=0}^{k} \binom{n}{i} = O(n^k)$ (as otherwise there will be a linear dependence among the output bits). Clearly this is a relaxation of the problem described above. In particular any upper bound here will imply an upper bound for $NC^0_k$. The problem is also of independent interest, as low degree generators are simple in an intuitive sense.

We now show how to construct a generator of ε-biased set such that every output is a polynomial of degree 2 in the input variables. We show that unlike the $NC^0_2$ case we can output $\Omega(n^2)$ bits. In particular we prove Theorem 6:

Theorem.
1 m there exists an ε-biased generator $G = (g_1, \dots, g_t) : \{0,1\}^n \to \{0,1\}^t$, t = 2 m, such that $g_i$ is a degree 2 polynomial, and the bias of any non trivial linear combination of the $g_i$'s is at most 2 2m

We begin by studying the bias of a degree 2 polynomial, over GF(2). In this section we will only consider degree 2 polynomials $P$ such that $P(0) = 0$. Below we denote with $x^T$ and $A^T$ the transpose of the vector $x$ and the matrix $A$, respectively.

7.1 The Bias of Degree 2 polynomials

Let $P(x_1, \dots, x_n)$ be a degree 2 polynomial. $P$ is also called a quadratic form over GF(2). We say that a matrix $A$ represents $P$ with respect to a basis of $GF(2)^n$, $\{v_i\}_{i=1}^{n}$, if for every vector $v = \sum_{i=1}^{n} x_i v_i$ we have that $P(v) = x^T A x$. Notice that we can always find an upper triangular matrix that represents $P$; let

$$P(a_1, \dots, a_n) = \sum_{1 \le i \le j \le n} \alpha_{i,j}\, a_i a_j.$$

Define

$$A(P)_{i,j} = \begin{cases} \alpha_{i,j} & i \le j \\ 0 & i > j \end{cases}$$

Clearly $P(\sum_{i=1}^{n} e_i x_i) = x^T A(P) x$ and $A(P)$ represents $P$ with respect to the standard basis. The bias of a quadratic form is bounded by the rank of the matrix representing it as follows.

Theorem 29. The bias of a degree 2 polynomial $P$ is at most

$$\left(\frac{1}{2}\right)^{1 + \frac{\mathrm{rank}(A + A^T)}{4}}$$

for any matrix $A$ that represents $P$.

Theorem 29 shows that in order to output $m$ polynomials of degree 2, such that any non trivial linear combination of them is almost unbiased, it suffices to find matrices $A_1, \dots, A_m$ such that for any non trivial combination of them, $B = \sum_{i=1}^{m} \alpha_i A_i$ ($\alpha_i \in GF(2)$), we have that $\mathrm{rank}(B + B^T)$ is high.

Proof of theorem 29

The following claim is trivial.

Proposition 30. $P \equiv 0$ iff there exists a symmetric matrix that represents $P$ w.r.t. some basis iff any matrix that represents $P$ is symmetric.

The proof of theorem 29 will follow from the following lemmas.

Lemma 31. For any quadratic form $P$ on $n$ variables, there exists a basis of $GF(2)^n$, $e_i, f_i$, $i = 1, \dots, r$ and $g_j$, $j = 1, \dots, s$, such that $2r + s = n$, and elements in GF(2), $a_i, b_i$, $i = 1, \dots, r$, $c_j$, $j = 1, \dots, s$, such that for

$$v = \sum_{i=1}^{r} x_i e_i + \sum_{i=1}^{r} x_{r+i} f_i + \sum_{j=1}^{s} x_{2r+j}\, g_j$$

we have

$$P(v) = \sum_{i=1}^{r} \left(a_i x_i^2 + x_i x_{r+i} + b_i x_{r+i}^2\right) + \sum_{j=1}^{s} c_j x_{2r+j}^2 = \sum_{i=1}^{r} \left(a_i x_i + x_i x_{r+i} + b_i x_{r+i}\right) + \sum_{j=1}^{s} c_j x_{2r+j}. \qquad (12)$$

Such a basis is called a canonical basis for $P$.

Proof. See the proof of theorem in [16].

Lemma 32. Let $P$ be a quadratic form on $n$ variables. Let $A$ represent $P$ with respect to the standard basis (in particular, $A$ is upper triangular) and $D$ represent $P$ with respect to the canonical basis. Then

$$\mathrm{rank}(D) \ge \frac{\mathrm{rank}(A + A^T)}{2}.$$

Proof. Let $B$ be the matrix whose columns are $e_1, \dots, e_r, f_1, \dots, f_r, g_1, \dots, g_s$ written w.r.t. the standard basis. We have that

$$\forall x \in GF(2)^n \quad x^T D x = x^T B^T A B x.$$

In other words

$$\forall x \in GF(2)^n \quad x^T (D - B^T A B) x = 0.$$

Therefore there exists a symmetric matrix $S$ such that

$$D - B^T A B = S,$$

or

$$D = B^T \left(A + (B^{-1})^T S (B^{-1})\right) B.$$

As $(B^{-1})^T S (B^{-1})$ is a symmetric matrix we get by the next lemma (lemma 33) that

$$\mathrm{rank}(D) = \mathrm{rank}\left(A + (B^{-1})^T S (B^{-1})\right) \ge \frac{\mathrm{rank}(A + A^T)}{2}.$$

Lemma 33. For an upper triangular matrix $A$ and any symmetric matrix $S$ we have that

$$\mathrm{rank}(A + S) \ge \frac{\mathrm{rank}(A + A^T)}{2}.$$

Proof. Let $r = \mathrm{rank}(A + S) = \mathrm{rank}\left((A + S)^T\right) = \mathrm{rank}(A^T + S)$. Then

$$\mathrm{rank}(A + A^T) = \mathrm{rank}(A + S + S + A^T) \le \mathrm{rank}(A + S) + \mathrm{rank}(A^T + S) = 2r.$$

PROOF OF THEOREM 29. Clearly the bias of $P$ does not change if we calculate it w.r.t. a canonical basis, $\{v_i\}_{i=1}^{n}$. Let $v = \sum_{i=1}^{n} x_i v_i$, we have that

$$P(v) = \sum_{i=1}^{r} \left(a_i x_i + x_i x_{r+i} + b_i x_{r+i}\right) + \sum_{j=1}^{s} c_j x_{2r+j}.$$

Note that if for some $1 \le j \le s$, $c_j \ne 0$ then $P$ is unbiased. Otherwise, we get by proposition 26 that for every $i$ the bias of $(a_i x_i^2 + x_i x_{r+i} + b_i x_{r+i}^2)$ is at most $\frac{1}{4}$. Therefore according to Lemma 14 we get that the bias of $P$ is at most $\left(\frac{1}{2}\right)^{r+1}$. As we assumed that $\forall j\ c_j = 0$ we see that

$$r \ge \frac{\mathrm{rank}(D)}{2}.$$

The theorem now follows from lemma 32.
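Theorem 29 can be checked numerically. The sketch below is an added example, not code from the paper: it draws random upper triangular matrices A over GF(2), computes rank(A + A^T) by Gaussian elimination and the exact deviation |Pr[P(x) = 0] - 1/2| by enumerating all inputs, and returns both next to the bound (1/2)^(1 + rank(A + A^T)/4). The bitmask encoding of matrix rows, the function names, n = 8 and the seed are assumptions made here.

```python
import random

def rank_gf2(rows):
    """Rank over GF(2) of a matrix given as a list of row bitmasks."""
    rows, rank = list(rows), 0
    while rows:
        pivot = rows.pop()
        if pivot:
            rank += 1
            low = pivot & -pivot                  # lowest set bit is the pivot column
            rows = [r ^ pivot if r & low else r for r in rows]
    return rank

def symmetrized(A, n):
    """Rows of A + A^T over GF(2); bit j of A[i] holds the entry A_{i,j}."""
    return [A[i] ^ sum(((A[j] >> i) & 1) << j for j in range(n))
            for i in range(n)]

def evaluate(A, n, x):
    """P(x) = x^T A x over GF(2) for the n-bit input x."""
    acc = 0
    for i in range(n):
        if (x >> i) & 1:
            acc ^= bin(A[i] & x).count("1") & 1
    return acc

def deviation(A, n):
    """|Pr_x[P(x) = 0] - 1/2| by exhaustive enumeration of all 2^n inputs."""
    zeros = sum(1 - evaluate(A, n, x) for x in range(1 << n))
    return abs(zeros / (1 << n) - 0.5)

def random_upper_triangular(n, rng):
    """Random A with A_{i,j} = 0 for i > j, like the matrix A(P) of Section 7.1."""
    return [rng.getrandbits(n) & ~((1 << i) - 1) for i in range(n)]

def check_theorem_29(n=8, trials=200, seed=1):
    """List of (rank(A + A^T), exact deviation, Theorem 29 bound) per random form."""
    rng = random.Random(seed)
    results = []
    for _ in range(trials):
        A = random_upper_triangular(n, rng)
        r = rank_gf2(symmetrized(A, n))
        results.append((r, deviation(A, n), 0.5 ** (1 + r / 4)))
    return results

if __name__ == "__main__":
    for r, dev, bound in check_theorem_29(trials=10):
        print(f"rank(A + A^T) = {r}  deviation = {dev:.6f}  bound = {bound:.6f}")
```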