<p>Feed of the personal website of Geoffroy Couteau, CNRS research scientist at IRIF (<a href="https://geoffroycouteau.github.io/feed.xml">feed.xml</a>, generated by Jekyll, last updated 2023-07-26).</p>
<h1 id="crypto-latex">Basic LaTeX Template for Writing Crypto Papers</h1>
<p>Geoffroy Couteau, 2021-03-05. <a href="https://geoffroycouteau.github.io/crypto-latex">https://geoffroycouteau.github.io/crypto-latex</a></p>
<style>
div {
text-align: justify;
text-justify: inter-word;
}
</style>
<p>The aim of this post is to provide a simple, ready-for-use LaTeX article template for writing research papers on cryptography. This is the setup I generally use in my papers, and I figured it could be useful, e.g. for PhD students in crypto. This template contains:</p>
<ul>
<li>My default main file, for conference versions or full versions of my research papers;</li>
<li>My default header file;</li>
<li>The basic additional files which are usually needed, such as the llncs class file, which is the (typically mandatory) class for articles submitted to IACR conferences.</li>
</ul>
<p>This is not a post about how to install LaTeX, or how to set up a work environment; I assume that you already have a working LaTeX distribution, together with a text editor (I personally use Sublime Text) and a pdf reader (I use Skim). Also, I’m not the author of the template; I probably got it from <a href="https://www.di.ens.fr/david.pointcheval/index.php">David Pointcheval</a> or <a href="https://www.normalesup.org/~fbenhamo/">Fabrice Benhamouda</a> (they also likely got it from somewhere else themselves), and made a bunch of modifications here and there.</p>
<h2 id="the-template">The template</h2>
<p>You can download the basic template <a href="/assets/other/Template_Latex.zip">here</a>. To start using it, you will also need the crypto.bib file (not included directly since it’s a bit heavy), which contains bib references for most standard crypto conferences, journals, and for ePrint papers. To get the file, just go to <a href="https://cryptobib.di.ens.fr/">cryptobib.di.ens.fr</a> and download the crypto.bib file (on the left) inside the cryptobib folder of the template.</p>
<h2 id="how-to-use-it">How to use it</h2>
<p>Most of it is self-explanatory. The main file is main.tex. Setting \fullversion to 1 will switch to a format with smaller margins, while setting it to 0 recovers the default margins which are mandatory for submissions to most IACR conferences, such as CRYPTO and EUROCRYPT. Other toggles control whether the submission is anonymous, or whether todos should be shown.</p>
<p>I usually put all other LaTeX files in the directory tex_files. All standard packages and macros are in the file ZZ_header.tex, in the tex_files folder. If you plan to use the template, take a few minutes to scroll through it to get a grasp of the many useful shortcuts (with standard crypto notations such as \Enc, \Dec, or useful math notations such as \F for $\mathbb{F}$, \bit for $\{0,1\}$, etc).</p>
<p>I usually create a new LaTeX file for each new section, and input it directly in the main file, like this:</p>
<div class="language-latex highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">\section</span><span class="p">{</span>Introduction<span class="p">}</span>
<span class="k">\label</span><span class="p">{</span>sec:introduction<span class="p">}</span>
<span class="k">\input</span><span class="p">{</span>tex<span class="p">_</span>files/01<span class="p">_</span>introduction<span class="p">}</span>
</code></pre></div></div>
<h2 id="using-cryptobib">Using cryptobib</h2>
<p>Most references you will need can be found in the crypto.bib file. In many situations, downloading the file will suffice for your needs, but sometimes the project might run for a longer time, and involve more people, in which case you might want the crypto.bib updates to be added automatically to your project. This can be done using submodules on git, or externals on svn. This is all well explained in the <a href="https://cryptobib.di.ens.fr/manual">manual</a>.</p>
<p>I usually add all missing citations in add.bib. To get them, I look for the paper on <a href="https://scholar.google.com/">Google Scholar</a>. The bibtex can be found under the “cite” icon (a quote sign).</p>
<p>The default template for citations is the following:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[venue_acronym]:[author_initials][year]
</code></pre></div></div>
<p>where:</p>
<ul>
<li>venue_acronym is the standard shortcut for the name of the crypto conference or journal, e.g. EC for Eurocrypt, AC for Asiacrypt, EPRINT for ePrint, JoC for the Journal of Cryptology…</li>
<li>author_initials is the full author last name for papers with a single author (e.g. EC:Couteau19), the first three letters of each last name for papers with two or three authors (e.g. C:CouHar20) and the first letter of each last name for papers with four or more authors (e.g. CCS:BCGIKRS19).</li>
<li>year is the last two digits of the year (e.g. 21 for 2021).</li>
</ul>
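<p>As an added illustration of this key format (example code written for this page, not part of the template or of cryptobib), a small Python helper that builds a key from the venue acronym, the authors' last names and the year, and parses one back. The author lists behind C:CouHar20 and CCS:BCGIKRS19 are not given in the post and are assumed here for the sake of the example.</p>

```python
import re

# Regex for the [venue_acronym]:[author_initials][year] layout described above.
_KEY_RE = re.compile(r"^(?P<venue>[A-Za-z0-9]+):(?P<initials>[A-Za-z]+)(?P<year>\d{2})$")


def cryptobib_key(venue: str, last_names: list[str], year: int) -> str:
    """Build a cryptobib-style key from the venue acronym, author last names and year.

    Rules from the post: one author -> full last name; two or three authors ->
    first three letters of each last name; four or more -> first letter of each.
    """
    if not last_names:
        raise ValueError("at least one author is required")
    if len(last_names) == 1:
        initials = last_names[0]
    elif len(last_names) <= 3:
        initials = "".join(name[:3] for name in last_names)
    else:
        initials = "".join(name[0] for name in last_names)
    return f"{venue}:{initials}{year % 100:02d}"


def parse_cryptobib_key(key: str) -> tuple[str, str, int]:
    """Split a key back into (venue, initials, two-digit year); raise on malformed keys."""
    match = _KEY_RE.match(key)
    if match is None:
        raise ValueError(f"not a cryptobib-style key: {key!r}")
    return match["venue"], match["initials"], int(match["year"])


if __name__ == "__main__":
    # The three examples from the post; the multi-author lists are assumed, not taken from it.
    print(cryptobib_key("EC", ["Couteau"], 2019))                      # EC:Couteau19
    print(cryptobib_key("C", ["Couteau", "Hartmann"], 2020))           # C:CouHar20
    print(cryptobib_key("CCS", ["Boyle", "Couteau", "Gilboa", "Ishai",
                                "Kohl", "Rindal", "Scholl"], 2019))    # CCS:BCGIKRS19
    print(parse_cryptobib_key("EPRINT:BCGIKRS19"))                     # ('EPRINT', 'BCGIKRS', 19)
```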
<h1 id="qa">Questions and Answers</h1>
<p>Geoffroy Couteau, 2020-11-12. <a href="https://geoffroycouteau.github.io/QA">https://geoffroycouteau.github.io/QA</a></p>
<p>In the years I spent browsing the stackexchange network, I devoted quite a lot of time to answering questions about cryptography, from the most basic questions such as solving homework problems or understanding fundamental concepts, to more advanced questions about recent works, the state of the art, and general summaries of what is known on a specific subject. Since some of these answers could possibly be helpful to others, I decided to select the most useful and detailed ones, and I organized them by category.</p>
<ul>
<li><a href="/QA-ZK/">Q&A about Zero-Knowledge Proofs</a></li>
<li><a href="/QA-primitives/">Q&A about Cryptographic Primitives and Assumptions</a></li>
<li><a href="/QA-SC/">Q&A about Secure Computation</a></li>
<li><a href="/QA-foundations/">Q&A about Foundations of Cryptography</a></li>
</ul>
<h1 id="lpn-linear-tests">Learning Parity with Noise versus Linear Tests</h1>
<p>Geoffroy Couteau, 2020-11-06. <a href="https://geoffroycouteau.github.io/posts/LPN-linear-tests">https://geoffroycouteau.github.io/posts/LPN-linear-tests</a></p>
<p>The learning parity with noise assumption (LPN) is one of the most fundamental assumptions of cryptography. It states that given a random secret vector $\vec s$ over $\mathbb{F}_2$, and given access to (an arbitrary polynomial number of) samples of the form $(\vec a, \langle \vec a, \vec s\rangle + e)$, where $\vec a$ is a random vector and $e$ is a random Bernoulli noise (i.e., $e$ is $1$ with some probability $p$, and $0$ otherwise), it is infeasible to recover $\vec s$. In other terms: while linear systems of equations are easy to solve (using Gaussian elimination), it becomes infeasible to solve them as soon as you add a bit of noise to the equations.</p>
<p>LPN has been widely used in cryptography, and exists in many different variants: for different noise distributions, for bounded number of samples (where it becomes equivalent to the syndrome decoding problem), for a different distribution over the $\vec a$, over a different field $\mathbb{F}$, etc. The goal of this post is not to cover variants and applications of LPN. Rather, I would like to state a very useful and folklore result regarding the security of LPN. While this result is folklore (and has been likely known for decades), I’ve not seen it stated explicitely until very recently (my coauthors and I stated it in our CRYPTO’21 paper on silent OT extension from structured LDPC codes, see my <a href="/publications">publication page</a>). Since I believe it’s a useful observation and guiding principle when analyzing the security of LPN variants, I decided to make a post about it. What follows is essentially taken from our CRYPTO’21 paper.</p>
<h4 id="a-generalized-lpn-assumption">A Generalized LPN Assumption</h4>
<p>We define the LPN assumption over a ring $\mathcal{R}$ with dimension $k$, number of samples $n$, w.r.t. a code generation algorithm $\mathsf{CodeGen}$, and a noise distribution $\mathcal{D}$:</p>
<p>Let $\mathcal{D}(\mathcal{R}) = \{\mathcal{D}_{k,n}(\mathcal{R})\}_{k,n\in\mathbb{N}}$ denote a family of efficiently sampleable distributions over a ring $\mathcal{R}$, such that for any $k,n\in\mathbb{N}$, $\mathsf{Image}(\mathcal{D}_{k,n}(\mathcal{R}))\subseteq\mathcal{R}^n$. Let $\mathsf{CodeGen}$ be a probabilistic code generation algorithm such that $\mathsf{CodeGen}(k,n,\mathcal{R})$ outputs a matrix $A\in \mathcal{R}^{n\times k}$. For dimension $k=k(\lambda)$, number of samples (or block length) $n=n(\lambda)$, and ring $\mathcal{R} = \mathcal{R}(\lambda)$, the (primal) $(\mathcal{D},\mathsf{CodeGen},\mathcal{R})\text{-}LPN(k,n)$ assumption states that</p>
\[\{(A, \vec{b}) \;|\; A\gets_r\mathsf{CodeGen}(k,n,\mathcal{R}), \vec{e}\gets_r\mathcal{D}_{k,n}(\mathcal{R}), \vec{s}\gets_r\mathcal{R}^k, \vec{b}\gets A\cdot\vec{s} + \vec{e}\} \approx \{(A, \vec{b}) \;|\; A\gets_r\mathsf{CodeGen}(k,n,\mathcal{R}), \vec{b}\gets_r\mathcal{R}^n\}.\]
<p>The above definition is very general, and captures in particular not only the standard LPN assumption and its variants, but also assumptions such as LWE or the multivariate quadratic assumption. However, we will typically restrict our attention to assumptions where the noise distribution outputs sparse vectors with high probability. The standard LPN assumption with dimension $k$, noise rate $r$, and $n$ samples is obtained by setting $A$ to be a uniformly random matrix over $\mathbb{F}_2^{n\times k}$, and the noise distribution to be the Bernoulli distribution $\mathsf{Ber}^n_r(\mathbb{F}_2)$, where each coordinate of $\vec e$ is independently set to $1$ with probability $r$ and to $0$ with probability $1-r$. The term <em>primal</em> in the above definition comes from the fact that the assumption can come in two equivalent forms: the primal form as above, but also a <em>dual form</em>: viewing $A$ as the transpose of the parity check matrix $H$ of a linear code generated by a matrix $G$, i.e. $A=H^\intercal$, the hardness of distinguishing $H^\intercal \cdot \vec x + \vec e$ from random is equivalent to the hardness of distinguishing $G\cdot (H^\intercal \cdot \vec x + \vec e) = G \cdot \vec e=\vec e\cdot G^\intercal$ from random (since $G \cdot H^\intercal = 0$).</p>
<h4 id="core-observation">Core Observation</h4>
<p>Over the past few decades, a tremendous number of attacks against LPN have been proposed. These attacks include, but are not limited to, attacks based on Gaussian elimination and the BKW algorithm (and variants based on covering codes), information set decoding attacks, statistical decoding attacks, generalized birthday attacks, linearization attacks, attacks based on finding low weight code vectors, or on finding correlations with low-degree polynomials.</p>
<p><a href="/assets/images/linear_tests.png"><img src="/assets/images/linear_tests.png" /></a></p>
<p>In light of this situation, it would be excessively cumbersome, when introducing a new variant of LPN, to go over the entire literature of existing attacks and analyze their potential impact on the new variant. The crucial observation, however, is that this is not necessary, as <em>all the above attacks</em> (and more generally, essentially all known attacks against LPN and its variants) fit in a common framework, usually denoted the <em>linear test framework</em>. Furthermore, the asymptotic resistance of any LPN variant against any attack from the linear test framework can be deduced from two simple properties of the underlying code ensemble and noise distribution. Informally, if</p>
<ul>
<li>the code generated by $G$ has high minimum distance, and</li>
<li>for any large enough subset $S$ of coordinates, with high probability over the choice of $\vec e \gets \mathcal{D}$, at least one of the coordinates in $S$ of $\vec e$ will be nonzero,</li>
</ul>
<p>then the LPN assumption with code matrix $G$ and noise distribution $\mathcal{D}$ cannot be broken by any attack from the linear test framework.</p>
<h3 id="the-linear-test-framework">The Linear Test Framework</h3>
<p>The common feature of essentially all known attacks against LPN and its variants is that the distinguisher can be implemented as a (nonzero) <em>linear function of the samples</em> (the linear test), where the coefficients of the linear combination can depend arbitrarily on the code matrix. Therefore, all these attacks can be formulated as distinguishing LPN samples from random samples by checking whether the output of some linear test (with coefficients depending arbitrarily on the code matrix) is biased away from the uniform distribution. Formally,</p>
<p><strong>Security Against Linear Tests.</strong> Let $\mathbb{F}$ be an arbitrary finite field, and let $\mathcal{D} = \{\mathcal{D}_{m,n}\}_{m,n\in\mathbb{N}}$ denote a family of noise distributions over $\mathbb{F}^n$. Let $\mathsf{CodeGen}$ be a probabilistic code generation algorithm such that $\mathsf{CodeGen}(m,n)$ outputs a matrix $A\in \mathbb{F}^{n\times m}$. Let $\varepsilon, \delta: \mathbb{N} \mapsto [0,1]$ be two functions. We say that the $(\mathcal{D},\mathsf{CodeGen},\mathbb{F})\text{-}LPN(m,n)$ assumption with dimension $m = m(\lambda)$ and $n = n(\lambda)$ samples is <em>$(\varepsilon,\delta)$-secure against linear tests</em> if for any (possibly inefficient) adversary $\mathcal{A}$ which, on input a matrix $A\in \mathbb{F}^{n\times m}$, outputs a nonzero $\vec v \in \mathbb{F}^n$, it holds that</p>
<p>$\Pr[A \gets_r \mathsf{CodeGen}(m,n), \vec v \gets_r \mathcal{A}(A)\;:\; \mathsf{bias}_{\vec v}(\mathcal{D}_{A}) \geq \varepsilon(\lambda) ] \leq \delta(\lambda),$</p>
<p>where $\mathsf{bias}$ denotes the <em>bias</em> of the distribution (the bias of a distribution is defined as $\mathsf{bias}(\mathcal{D}) = \max_{\vec u \neq \vec 0} |\mathbb{E}_{\vec x \sim \mathcal{D}}[\vec u^\intercal \cdot \vec x] - \mathbb{E}_{\vec x \sim \mathcal{U}_n}[\vec u^\intercal \cdot \vec x]|$), and $\mathcal{D}_{A}$ denotes the distribution induced by sampling $\vec s \gets_r \mathbb{F}^m$, $\vec e \gets \mathcal{D}_{m,n}$, and outputting the LPN samples $A\cdot \vec s + \vec e$.</p>
<p>Now, define the <em>dual distance</em> of a matrix $M$, written $\mathsf{dd}(M)$, to be the largest integer $d$ such that every subset of $d$ rows of $M$ is linearly independent. The name dual distance stems from the fact that $\mathsf{dd}(M)$ is also the minimum distance of the dual of the code generated by $M$ (i.e., the code generated by the left null space of $M$). The following lemma is folklore:</p>
<p><strong>Lemma:</strong> For any $d\in \mathbb{N}$, the $(\mathcal{D},\mathsf{CodeGen},\mathbb{F})\text{-}LPN(m,n)$ assumption with dimension $m = m(\lambda)$ and $n = n(\lambda)$ samples is $(\varepsilon_d,\delta_d)$-secure against linear tests, where</p>
<ul>
<li>$\varepsilon_d = \max_{\mathsf{HW}(\vec v) > d}\mathsf{bias}_{\vec v}(\mathcal{D}_{m,n})$, and</li>
<li>$\delta_d = \Pr_{A \gets_r \mathsf{CodeGen}(m,n)}[\mathsf{dd}(A) \geq d]$.</li>
</ul>
<p>($\mathsf{HW}(\vec v)$ denotes the Hamming weight of $\vec v$.)</p>
<p><strong>Proof:</strong> The proof is straightforward: fix any integer $d$. Then with probability at least $\delta_d$, $\mathsf{dd}(A) \geq d$. Consider any (possibly unbounded) adversary $\mathcal{A}$ outputting $\vec v$. Two cases can occur:</p>
<ul>
<li>Either $\mathsf{HW}(\vec v) \leq d \leq \mathsf{dd}(A)$. In this case, the bias with respect to $\vec v$ of the distribution $\{A \cdot \vec s \;|\; \vec s \gets_r \mathbb{F}^m\}$ is $0$ (since this distribution is $d$-wise independent). Since the bias of the XOR of two independent distributions is at most the smallest bias among them, we get $\mathsf{bias}(\mathcal{D}_{A}) = 0$.</li>
<li>Or $\mathsf{HW}(\vec v) > d$; in which case $\mathsf{bias}(\mathcal{D}_A) \leq \mathsf{bias}(\mathcal{D}_{m,n})$.</li>
</ul>
<p>The above follows directly from simple lemmas on bias, which are recalled in my <a href="/cheat-sheet">cheat sheet</a>.</p>
<h3 id="example-standard-lpn-with-random-code-and-bernoulli-noise">Example: Standard LPN with Random Code and Bernoulli Noise</h3>
<p>An instructive example is to consider the case of LPN with a uniformly random code matrix over $\mathbb{F}_2$, and a Bernoulli noise distribution $\mathcal{D}_{m,n} = \mathsf{Ber}^n_r(\mathbb{F}_2)$, for some noise rate $r$. The probability that $d$ random vectors over $\mathbb{F}_2^m$ are linearly independent is at least</p>
\[\prod_{i=0}^{d-1} \frac{2^m - 2^i}{2^m} \geq (1-2^{d-1-m})^d \geq 1 - 2^{2d - m}.\]
<p>Therefore, by a union bound, the probability that a random matrix $A \gets_r \mathbb{F}_2^{n\times m}$ satisfies $\mathsf{dd}(A) \geq d$ is at least $1 - {n \choose d}\cdot 2^{2d - m} \geq 1 - 2^{(2+\log n)d - m}$. On the other hand, for any $d$ and any $\vec v$ with $\mathsf{HW}(\vec v) > d$, we have by the piling-up lemma (see the <a href="/cheat-sheet">cheat sheet</a>):</p>
\[\Pr[\vec e \gets \mathsf{Ber}^n_r(\mathbb{F}_2)\; : \; \vec v^\intercal \cdot \vec e = 1] = \frac{1 - (1-2r)^{\mathsf{HW}(\vec v)}}{2},\]
<p>hence $\mathsf{bias}_{\vec v}(\mathsf{Ber}^n_r(\mathbb{F}_2)) = (1-2r)^{\mathsf{HW}(\vec v)} \leq (1-2r)^d \leq e^{-2rd}$. In particular, setting $d = O(m/\log n)$ suffices to guarantee that with probability at least $\delta_d = 1 - 2^{-O(m)}$, the LPN samples will have bias (with respect to any possible nonzero vector $\vec v$) $\varepsilon_d$ at most $e^{-O(rm/\log n)}$. Hence, any attack that fits in the linear test framework against the standard LPN assumption with dimension $m$ and noise rate $r$ requires of the order of $e^{O(rm/\log n)}$ iterations. Note that this lower bound still leaves a gap with respect to the best known linear attacks, which require time of the order of $e^{O(rm)}$, $e^{O(rm/\log \log m)}$, and $e^{O(rm/\log m)}$ when $n = O(m)$, $n = \mathsf{poly}(m)$, and $n = 2^{O(m/\log m)}$ respectively.</p>
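<p>To make the lemma and this example concrete, here is an added Python script (written for this page, not code from the post or from the CRYPTO’21 paper) that computes $\mathsf{dd}(A)$ by brute force for a small binary matrix, finds the lightest linear test $\vec v$ with $\vec v^\intercal A = 0$, and compares its exact bias $(1-2r)^{\mathsf{HW}(\vec v)}$ with a Monte Carlo estimate over actual LPN samples $A\vec s + \vec e$. Bias is computed as $|\mathbb{E}[(-1)^{\vec v^\intercal \vec x}]|$, the normalisation under which the piling-up value above holds; the matrix is the transposed parity-check matrix of the $[7,4]$ Hamming code, a constructed toy instance chosen so that $\mathsf{dd}(A)$ can be checked by hand.</p>

```python
"""Exact and empirical bias of linear tests against binary LPN samples A*s + e.

Vectors over F2 are Python ints used as bit-masks: bit j of a row of A is
column j, and bit i of the test vector v selects sample (row) i of A.
"""
import itertools
import random


def popcount(x: int) -> int:
    """Hamming weight HW(x) of the bit-mask x."""
    return bin(x).count("1")


def rank_f2(rows) -> int:
    """Rank over F2 of a list of bit-mask rows (elimination on the leading bit)."""
    basis = {}  # leading-bit position -> basis vector with that leading bit
    for r in rows:
        while r:
            top = r.bit_length() - 1
            if top not in basis:
                basis[top] = r
                break
            r ^= basis[top]
    return len(basis)


def dual_distance(rows) -> int:
    """dd(A): largest d such that every d rows of A are linearly independent (brute force)."""
    for d in range(1, len(rows) + 1):
        if any(rank_f2(sub) < d for sub in itertools.combinations(rows, d)):
            return d - 1
    return len(rows)


def v_times_A(rows, v: int) -> int:
    """v^T * A over F2: XOR of the rows of A selected by the bits of v."""
    acc = 0
    for i, row in enumerate(rows):
        if (v >> i) & 1:
            acc ^= row
    return acc


def lightest_dual_codeword(rows) -> int:
    """Nonzero v of minimum Hamming weight with v^T A = 0 (minimum distance of the dual code)."""
    n = len(rows)
    for w in range(1, n + 1):
        for idx in itertools.combinations(range(n), w):
            v = sum(1 << i for i in idx)
            if v_times_A(rows, v) == 0:
                return v
    raise ValueError("A has full row rank: no nonzero v with v^T A = 0")


def bernoulli_bias(r: float, weight: int) -> float:
    """Piling-up lemma: bias of v^T e for e ~ Ber_r^n and HW(v) = weight."""
    return abs(1 - 2 * r) ** weight


def bias_lpn(rows, v: int, r: float) -> float:
    """Exact bias |E[(-1)^(v^T (A s + e))]| for s uniform and e ~ Ber_r^n.

    If v^T A != 0, the bit (v^T A) s is uniform and independent of e, so it masks
    everything (bias 0).  Otherwise only v^T e remains, and the piling-up lemma applies.
    """
    if v_times_A(rows, v) != 0:
        return 0.0
    return bernoulli_bias(r, popcount(v))


def best_linear_test(rows, r: float):
    """Lowest-weight nonzero v that biases the samples, with its exact bias.

    By the lemma, every v with HW(v) <= dd(A) has bias 0, so the first biased
    test has weight exactly dd(A) + 1.
    """
    v = lightest_dual_codeword(rows)
    return v, bias_lpn(rows, v, r)


def estimate_bias(rows, m: int, v: int, r: float, trials: int, seed: int) -> float:
    """Monte Carlo estimate of |E[(-1)^(v^T b)]| from fresh samples b = A s + e."""
    rng = random.Random(seed)
    n, acc = len(rows), 0
    for _ in range(trials):
        s = rng.getrandbits(m)
        e = sum(1 << i for i in range(n) if rng.random() < r)
        b = sum((popcount(row & s) & 1) << i for i, row in enumerate(rows)) ^ e
        acc += 1 if popcount(b & v) % 2 == 0 else -1
    return abs(acc / trials)


# Constructed example: A = H^T for the [7,4] Hamming code, i.e. the rows of A are the
# seven nonzero vectors of F2^3 (n = 7 samples, dimension m = 3).  Rows 001, 010, 011
# sum to zero, so dd(A) = 2 and the lightest biased test has weight 3.
HAMMING_A = [1, 2, 3, 4, 5, 6, 7]

if __name__ == "__main__":
    r = 0.1
    d = dual_distance(HAMMING_A)
    v, b = best_linear_test(HAMMING_A, r)
    print(f"dd(A) = {d}, best test v = {v:07b} (weight {popcount(v)}), exact bias = {b}")
    print(f"Monte Carlo estimate: {estimate_bias(HAMMING_A, 3, v, r, 20000, seed=1):.3f}")
```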
<p>It is straightforward to extend the above to general fields, but I’ll leave that as an exercise to the reader ;)</p>
a code generation algorithm $\mathsf{CodeGen}$, and a noise distribution $\mathcal{D}$: Let $\mathcal{D}(\mathcal{R}) = \{\mathcal{D}_{k,n}(\mathcal{R})\}_{k,n\in\mathbb{N}}$ denote a family of efficiently sampleable distributions over a ring $\mathcal{R}$, such that for any $k,n\in\mathbb{N}$, $\mathsf{Image}(\mathcal{D}_{k,n}(\mathcal{R}))\subseteq\mathcal{R}^n$. Let $\mathsf{CodeGen}$ be a probabilistic code generation algorithm such that $\mathsf{CodeGen}(k,n,\mathcal{R})$ outputs a matrix $A\in \mathcal{R}^{n\times k}$. For dimension $k=k(\lambda)$, number of samples (or block length) $n=n(\lambda)$, and ring $\mathcal{R} = \mathcal{R}(\lambda)$, the (primal) $(\mathcal{D},\mathsf{CodeGen},\mathcal{R})\text{-}LPN(k,n)$ assumption states that $\{(A, \vec{b}) \;|\; A\gets_r\mathsf{CodeGen}(k,n,\mathcal{R}), \vec{e}\gets_r\mathcal{D}_{k,n}(\mathcal{R}), \vec{s}\gets_r\mathbb{R}^k, \vec{b}\gets A\cdot\vec{s} + \vec{e}\}$ \[\approx \{(A, \vec{b}) \;|\; A\gets_r\mathsf{CodeGen}(k,n,\mathcal{R}), \vec{b}\gets_r\mathcal{R}^n\}.\] The above definition is very general, and captures in particular not only the standard LPN assumption and its variants, but also assumptions such as LWE or the multivariate quadratic assumption. However, we will typically restrict our attention to assumptions where the noise distribution outputs sparse vectors with high probability. The standard LPN assumption with dimension $k$, noise rate $r$, and $n$ samples is obtained by setting $A$ to be a uniformly random matrix over $\mathbb{F}_2^{n\times k}$, and the noise distribution to be the Bernoulli distribution $\mathsf{Ber}^n_r(\mathbb{F}_2)$, where each coordinate of $\vec e$ is independently set to $1$ with probability $r$ and to $0$ with probability $1-r$. 
The term primal in the above definition comes from the fact that the assumption can come in two equivalent form: the primal form as above, but also a dual form: viewing $A$ as the transpose of the parity check matrix $H$ of a linear code generated by $G$ a matrix, i.e. $A=H^\intercal$, the hardness of distinguishing $H^\intercal \cdot \vec x + \vec e$ from random is equivalent to the hardness of distinguishing $G\cdot (H^\intercal \cdot \vec x + \vec e) = G \cdot \vec e=\vec e\cdot G^\intercal$ from random (since $G^\intercal \cdot H = 0$). Core Observation Over the past few decades, a tremendous number of attacks against LPN have been proposed. These attacks include, but are not limited to, attacks based on Gaussian elimination and the BKW algorithm (and variants based on covering codes), information set decoding attacks, statistical decoding attacks, generalized birthday attacks, linearization attacks, attacks based on finding low weight code vectors, or on finding correlations with low-degree polynomials. In light of this situation, it would be excessively cumbersome, when introducing a new variant of LPN, to go over the entire literature of existing attacks and analyze their potential impact on the new variant. The crucial observation, however, is that this is not necessary, as all the above attacks (and more generally, essentially all known attacks against LPN and its variants) fit in a common framework, usually denoted the linear test framework. Furthermore, the asymptotic resistance of any LPN variant against any attack from the linear test framework can be deduced from two simple properties of the underlying code ensemble and noise distribution. 
Informally, if the code generated by $G$ has high minimum distance, and for any large enough subset $S$ of coordinates, with high probability over the choice of $\vec e \gets \mathcal{D}$, at least one of the coordinates in $S$ of $\vec e$ will be nonzero, then the LPN assumption with code matrix $G$ and noise distribution $\mathcal{D}$ cannot be broken by any attack from the linear test framework. The Linear Test Framework The common feature of essentially all known attacks against LPN and its variants is that the distinguisher can be implemented as a (nonzero) linear function of the samples (the linear test), where the coefficients of the linear combination can depend arbitrarily on the code matrix. Therefore, all these attacks can be formulated as distinguishing LPN samples from random samples by checking whether the output of some linear test (with coefficients depending arbitrarily on the code matrix) is biased away from the uniform distribution. Formally, Security Against Linear Tests. Let $\mathbb{F}$ be an arbitrary finite field, and let $\mathcal{D} = \{\mathcal{D}_{m,n}\}_{m,n\in\mathbb{N}}$ denote a family of noise distributions over $\mathbb{F}^n$. Let $\mathsf{CodeGen}$ be a probabilistic code generation algorithm such that $\mathsf{CodeGen}(m,n)$ outputs a matrix $A\in \mathbb{F}^{n\times m}$. Let $\varepsilon, \delta: \mathbb{N} \mapsto [0,1]$ be two functions. 
We say that the $(\mathcal{D},\mathsf{CodeGen},\mathbb{F})\text{-}LPN(m,n)$ assumption with dimension $m = m(\lambda)$ and $n = n(\lambda)$ samples is $(\varepsilon,\delta)$-secure against linear tests if for any (possibly inefficient) adversary $\mathcal{A}$ which, on input a matrix $A\in \mathbb{F}^{n\times m}$, outputs a nonzero $\vec v \in \mathbb{F}^n$, it holds that $\Pr[A \gets_r \mathsf{CodeGen}(m,n), \vec v \gets_r \mathcal{A}(A)\;:\; \mathsf{bias}_{\vec v}(\mathcal{D}_{A}) \geq \varepsilon(\lambda) ] \leq \delta(\lambda),$ where $\mathsf{bias}$ denotes the bias of the distribution (the bias of a distribution is defined as $\mathsf{bias}(\mathcal{D}) = \max_{\vec u \neq \vec 0} |\mathbb{E}_{\vec x \sim \mathcal{D}}[\vec u^\intercal \cdot \vec x] - \mathbb{E}_{\vec x \sim \mathcal{U}_n}[\vec u^\intercal \cdot \vec x]|$), and $\mathcal{D}_{A}$ denotes the distribution induced by sampling $\vec s \gets_r \mathbb{F}_2^m$, $\vec e \gets \mathcal{D}_{m,n}$, and outputting the LPN samples $A\cdot \vec s + \vec e$. Now, define the dual distance of a matrix $M$, written $\mathsf{dd}(M)$, to be the largest integer $d$ such that every subset of $d$ rows of $M$ is linearly independent. The name dual distance stems from the fact that the $\mathsf{dd}(M)$ is also the minimum distance of the dual of the code generated by $M$ (i.e., the code generated by the left null space of $M$). The following lemma is folklore: Lemma: For any $d\in \mathbb{N}$, the $(\mathcal{D},\mathsf{CodeGen},\mathbb{F})\text{-}LPN(m,n)$ assumption with dimension $m = m(\lambda)$ and $n = n(\lambda)$ samples is $(\varepsilon_d,\delta_d)$-secure against linear tests, where $\varepsilon_d = \max_{\mathsf{HW}(\vec v) > d}\mathsf{bias}_{\vec v}(\mathcal{D}_{m,n})$, and $\delta_d = \Pr_{A \gets_r \mathsf{CodeGen}(m,n)}[\mathsf{dd}(A) \geq d]$. ($\mathsf{HW}(\vec v)$ denotes the Hamming weight of $\vec v$) Proof : The proof is straightforward: fix any integer $d$. 
Then with probability at least $\delta_d$, $\mathbb{dd}(A) \geq d$. Consider any (possibly unbounded) adversary $\mathcal{A}$ outputting $\vec v$. Two cases can occur: Either $\mathsf{HW}(\vec v) \leq d \leq \mathsf{dd}(A)$. In this case, the bias with respect to $\vec v$ of the distribution $\{A \cdot \vec s \;|\; \vec s \gets_r \mathbb{F}^m\}$ is $0$ (since this distribution is $d$-wise independent). Since the bias of the XOR of two distribution is at most the smallest bias among them, we get $\mathsf{bias}(\mathcal{D}_{A}) = 0$. Or $\mathsf{HW}(\vec v) > d$; in which case $\mathsf{bias}(\mathcal{D}_A) \leq \mathsf{bias}(\mathcal{D}_{m,n})$. The above follows directly from simple lemmas on bias, which are recalled in my cheat sheet. Example: Standard LPN with Random Code and Bernoulli Noise An instructive example is to consider the case of LPN with a uniformly random code matrix over $\mathbb{F}_2$, and a Bernoulli noise distribution $\mathcal{D}_{m,n} = \mathsf{Ber}^n_r(\mathbb{F}_2)$, for some noise rate $r$. The probability that $d$ random vectors over $\mathbb{F}_2^m$ are linearly independent is at least \[\prod_{i=0}^{d-1} \frac{2^m - 2^i}{2^m} \geq (1-2^{d-1-m})^d \geq 1 - 2^{2d - m}.\] Therefore, by a union bound, the probability that a random matrix $A \gets_r \mathbb{F}_2^{n\times m}$ satisfies $\mathsf{dd}(A) \geq d$ is at least $1 - {n \choose d}\cdot 2^{2d - m} \geq 1 - 2^{(2+\log n)d - m}$. On the other hand, for any $d$ and any $\vec v$ with $\mathsf{HW}(\vec v) > d$, we have by the piling-up lemma (see the cheat sheet): \[\Pr[\vec e \gets \mathsf{Ber}^n_r(\mathbb{F}_2)\; : \; \vec v^\intercal \cdot \vec e = 1] = \frac{1 - (1-2r)^d}{2},\] hence $\mathsf{bias}_{\vec v}(\mathsf{Ber}^n_r(\mathbb{F}_2)) = (1-2r)^d \leq e^{-2rd}$. 
<p>In particular, setting $d = O(m/\log n)$ suffices to guarantee that with probability at least $\delta_d = 1 - 2^{-O(m)}$, the LPN samples will have bias (with respect to any possible nonzero vector $\vec v$) $\varepsilon_d$ at most $e^{-O(rm/\log n)}$. Hence, any attack that fits in the linear test framework against the standard LPN assumption with dimension $m$ and noise rate $r$ requires of the order of $e^{O(rm/\log n)}$ iterations. Note that this lower bound still leaves a gap with respect to the best known linear attacks, which require time of the order of $e^{O(rm)}$, $e^{O(rm/\log \log m)}$, and $e^{O(rm/\log m)}$ when $n = O(m)$, $n = \mathsf{poly}(m)$, and $n = 2^{O(m/\log m)}$ respectively. It is straightforward to extend the above to general fields, but I’ll leave that as an exercise to the reader ;)</p>
[Q&A] Cryptographic Primitives and Assumptions 2020-11-06T00:00:00-05:00 2020-11-06T00:00:00-05:00 https://geoffroycouteau.github.io/QA-crypto-primitives
<style>
div {
text-align: justify;
text-justify: inter-word;
}
</style>
<h3 id="public-key-encryption">Public-Key Encryption</h3>
<ul>
<li><a href="https://crypto.stackexchange.com/questions/64684/is-rsa-provably-secure-in-the-sense-of-douglas-stinsons-provable-security/64685#64685">Is the RSA cryptosystem provably secure?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/54263/are-there-any-asymmetric-cryptographic-primitives-not-relying-on-arithmetic-ov/54265#54265">Are there public-key cryptosystems not relying on arithmetic over finite fields?</a> (short answer: yes)</li>
<li><a href="https://crypto.stackexchange.com/questions/44403/is-there-any-knapsack-based-cryptosystem-that-has-not-yet-been-broken/44410#44410">Are there knapsack-based cryptosystems which have not been broken?</a> (short answer: yes)</li>
<li><a href="https://crypto.stackexchange.com/questions/83908/has-anyone-implemented-a-public-key-encryption-scheme-using-a-universal-one-way/83929#83929">Are there practical universal PKE schemes?</a> (short answer: no)</li>
<li><a href="https://crypto.stackexchange.com/questions/77113/is-there-any-encryption-system-where-the-sender-cannot-prove-that-a-specific-cip/77261#77261">Are there encryption schemes where the sender cannot prove that a given plaintext was encrypted?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/54805/can-i-use-modulo-n2-arithmetic-where-n-p-cdot-q-for-elgamal-encryption/54826#54826">Can we use ElGamal over $\mathbb{Z}_{n^2}$?</a> (short answer: not directly)</li>
</ul>
<h3 id="homomorphic-encryption">Homomorphic Encryption</h3>
<ul>
<li><a href="https://crypto.stackexchange.com/questions/57714/can-fully-homomorphic-encryption-do-comparisons/57716#57716">Can FHE compute comparisons?</a> (short answer: yes)</li>
<li><a href="https://crypto.stackexchange.com/questions/55596/homomorphic-encryption-for-deep-learning/55598#55598">Are there FHE schemes for deep learning operations?</a> (short answer: yes)</li>
<li><a href="https://crypto.stackexchange.com/questions/67403/what-is-the-shortest-ciphertext-size-output-by-fhe/67421#67421">How short can an FHE ciphertext be?</a> (short answer: almost as short as the message it encrypts)</li>
<li><a href="https://crypto.stackexchange.com/questions/84419/are-all-homomorphic-encryption-schemes-based-on-latticed-based-schemes/84421#84421">Are all homomorphic encryption schemes based on lattices?</a> (short answer: it depends)</li>
<li><a href="https://crypto.stackexchange.com/questions/67513/bgn-encryption-scheme-with-unbounded-message-space/67536#67536">Is there a BGN-like encryption scheme without restriction on the plaintext space?</a> (short answer: yes)</li>
<li><a href="https://crypto.stackexchange.com/questions/32830/is-there-an-additive-homomorphic-encryption-that-supports-exponentation/33059#33059">Are there additive homomorphic encryption schemes that support exponentiation?</a></li>
</ul>
<h3 id="obfuscation">Obfuscation</h3>
<ul>
<li><a href="https://crypto.stackexchange.com/questions/43527/why-do-we-use-multilinear-maps-for-obfuscation/43530#43530">Why do we use multilinear maps in obfuscation schemes?</a> (short answer: they are essentially necessary in a well-defined sense – though that does not mean constructions must explicitly go through them!)</li>
<li><a href="https://crypto.stackexchange.com/questions/67696/obfuscating-functions-that-are-mostly-zero/67741#67741">Can we obfuscate functions that are mostly zero?</a> (short answer: there is a gradation of increasingly complex obfuscation schemes, from increasingly stronger assumptions, for increasingly larger subclasses of mostly-zero functions; the linked answer provides a detailed overview.)</li>
</ul>
<h3 id="symmetric-primitives">Symmetric Primitives</h3>
<ul>
<li><a href="https://crypto.stackexchange.com/questions/44386/are-cryptographic-hash-functions-quantum-secure/44390#44390">Why is it plausible that hash functions are quantum secure?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/45189/does-ind-cpa-imply-prf/45195#45195">Does IND-CPA security imply PRFs?</a> (short answer: yes)</li>
<li><a href="https://crypto.stackexchange.com/questions/72880/is-an-invulnerable-code-possible-including-brute-force-attack/72928#72928">Is it possible to build a symmetric encryption scheme with beyond-brute-force security?</a> (short answer: yes, but only if the messages come from a specific distribution)</li>
<li><a href="https://crypto.stackexchange.com/questions/33279/difference-left-or-right-cpa-security-ind-cpa-security/33281#33281">What are the differences between the various notions of CPA security?</a></li>
</ul>
<h3 id="cryptographic-assumptions">Cryptographic Assumptions</h3>
<ul>
<li><a href="https://crypto.stackexchange.com/questions/68403/is-it-hard-to-compute-gab-when-given-g-ga-gb-fracab/68419#68419">Is it hard to compute $(g^{ab})$ given $(g^a, g^b, a/b)$?</a> (short answer: yes, under the square Diffie-Hellman assumption)</li>
<li><a href="https://crypto.stackexchange.com/questions/33144/why-do-the-subexponential-algoriths-for-the-dlp-not-work-for-the-ecdlp/33145#33145">Why do subexponential attacks on the DLP not work for ECDLP?</a> (short answer: you don’t have small prime values over elliptic curves in general)</li>
<li><a href="https://crypto.stackexchange.com/questions/65999/are-lpn-and-lwe-problems-equivalent/66003#66003">What relation is known between LWE and LPN?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/84122/mlwe-and-rlwe-to-lwe-reductions-proof/84124#84124">Are there known reductions from LWE to MLWE or RLWE?</a> (short answer: no)</li>
<li><a href="https://crypto.stackexchange.com/questions/78011/decisional-discrete-logarithm-problem/78012#78012">Are there decisional variants of the discrete logarithm problem?</a> (short answer: yes)</li>
</ul>
<h3 id="others">Others</h3>
<ul>
<li><a href="https://crypto.stackexchange.com/questions/44870/what-is-a-smooth-projective-hash-function/44871#44871">What are smooth projective hash functions?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/56400/why-pairings-on-elliptic-curve-are-used/56421#56421">Why do we use pairing-based cryptography?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/44371/is-there-any-srp-like-key-exchange-only-using-standard-cryptographic-primitive/44434#44434">Is there a password-authenticated key-exchange making only a blackbox use of standard cryptographic primitives?</a> (short answer: this seems open, and it is a great question)</li>
<li><a href="https://crypto.stackexchange.com/questions/55955/using-pedersen-commitment-for-a-vector/55970#55970">Why are generalized Pedersen commitments secure?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/60457/space-complexity-and-cryptography/60551#60551">Are there results on the space complexity of cryptographic primitives?</a> (short answer: yes)</li>
<li><a href="https://crypto.stackexchange.com/questions/71564/verifiable-delay-functions-vs-proof-of-sequential-work/71567#71567">Why are VDFs preferred to proofs of sequential work?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/34221/what-is-the-advantage-of-pseudosquare/34225#34225">What are the cryptographic advantages of using the subgroup of pseudosquares?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/70083/constructions-of-prf-pseudo-random-function/70085#70085">What are the standard constructions of PRFs from well-known assumptions?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/54156/is-discrete-logarithmic-assumption-enough-to-design-a-secure-searchable-encrypti/54159#54159">Can you build searchable encryption from the discrete logarithm problem?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/43751/is-it-possible-to-prove-the-age-of-a-document/43761#43761">Is it possible to prove that a document was generated long ago?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/78007/sigma-protocol-with-pedersen-commitment-and-hash-function/78010#78010">Can Pedersen commitments be made deterministic?</a> (short answer: only if you have high min-entropy plaintexts and settle for a weaker security notion)</li>
</ul>
Geoffroy Couteau
[Q&A] Foundations of cryptography 2020-11-06T00:00:00-05:00 2020-11-06T00:00:00-05:00 https://geoffroycouteau.github.io/QA-foundations
<style>
div {
text-align: justify;
text-justify: inter-word;
}
</style>
<ul>
<li><a href="https://crypto.stackexchange.com/questions/65937/one-way-functions-and-p-np/65938#65938">Do OWFs imply $\mathsf{P} \neq \mathsf{NP}$?</a> (short answer: yes)</li>
<li><a href="https://crypto.stackexchange.com/questions/70971/how-does-the-random-oracle-model-simplify-proofs-versus-using-the-standard-model/71021#71021">How does the random oracle model help with constructing secure cryptographic primitives?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/56025/could-you-list-all-of-the-security-models-in-cryptography/56026#56026">What are the common idealized models in cryptography?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/70676/symmetric-encryption-in-the-p-np-world/70685#70685">Can we have cryptography in a world where $\mathsf{P} = \mathsf{NP}$?</a> (short answer: possibly!)</li>
<li><a href="https://crypto.stackexchange.com/questions/14601/what-informal-indicators-exist-for-estimating-the-computational-infeasibility-of/56424#56424">How do we estimate that an assumption is sufficiently safe?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/52828/is-it-possible-to-construct-an-encryption-scheme-for-which-breaking-is-np-comple/52833#52833">Can the hardness of “breaking a cryptosystem” be based on an NP-complete problem?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/42656/are-there-simple-cryptographically-safe-one-way-hashing-functions/42747#42747">Are there good candidate OWFs with a very simple structure (like, “4 lines of code”-simple)?</a> (short answer: yes)</li>
<li><a href="https://crypto.stackexchange.com/questions/67026/how-to-prove-that-weak-one-way-functions-cannot-have-polynomial-sized-ranges/67030#67030">How to prove that weak OWFs cannot have a polysize range?</a></li>
</ul>
Geoffroy Couteau
[Q&A] Secure Computations 2020-11-06T00:00:00-05:00 2020-11-06T00:00:00-05:00 https://geoffroycouteau.github.io/QA-secure-computation
<style>
div {
text-align: justify;
text-justify: inter-word;
}
</style>
<h3 id="constructing-mpc-protocols">Constructing MPC Protocols</h3>
<ul>
<li><a href="https://crypto.stackexchange.com/questions/35379/multiplying-two-additively-shared-values/35381#35381">How to multiply two additively shared values?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/54405/secret-sharing-with-3-parties-under-constraint/54410#54410">How can two parties conditionally disclose a secret to a third party?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/41651/what-are-the-ways-to-generate-beaver-triples-for-multiplication-gate/41660#41660">How to generate Beaver triples?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/34621/two-party-equality-computation/34629#34629">Can two parties securely check whether they hold the same value?</a> (keyword: socialist millionaires problem)</li>
<li><a href="https://crypto.stackexchange.com/questions/84178/silent-oblivious-transfer-question/84206#84206">How is silent oblivious transfer constructed?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/43674/most-efficient-way-to-perform-secure-bitwise-multiplication/43680#43680">How to do secure bitwise multiplication?</a></li>
</ul>
<h3 id="general-questions">General Questions</h3>
<ul>
<li><a href="https://crypto.stackexchange.com/questions/46746/boolean-circuits-vs-arithmetic-circuits/46753#46753">What is the difference between boolean circuits and arithmetic circuits?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/80764/is-there-a-secure-multi-party-computation-smpc-scheme-that-doesnt-use-secret/80831#80831">Are there MPC schemes that do not use secret sharing?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/55164/is-it-possible-to-find-the-product-of-two-numbers-without-knowing-the-two-number/55201#55201">Can Charlie privately compute $ab$ using a single message from Alice (who knows $a$) and Bob (who knows $b$)?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/71517/mpc-and-secret-sharing-in-not-fully-connected-network/71542#71542">Can we do secure computation over incomplete networks?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/43524/why-is-garbled-circuit-a-randomized-encoding/43526#43526">Why are garbled circuits randomized encodings?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/37224/importance-of-round-complexity-in-determining-the-efficiency-of-an-mpc-protocol/37257#37257">How important is round complexity in MPC?</a></li>
</ul>
Geoffroy Couteau
[Q&A] Zero-Knowledge Proofs 2020-11-06T00:00:00-05:00 2020-11-06T00:00:00-05:00 https://geoffroycouteau.github.io/QA-zero-knowledge
<style>
div {
text-align: justify;
text-justify: inter-word;
}
</style>
<h3 id="general-questions">General questions</h3>
<ul>
<li><a href="https://crypto.stackexchange.com/questions/57674/how-do-i-explain-zero-knowledge-proof-to-my-7-year-old-cousin/57678#57678">How to explain ZK proofs to a 7 year old?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/76929/minimizing-exchanges-for-zk-proof-of-a-message-with-given-sha-256/76983#76983">Are there lower bounds on the size and interaction of a ZK proof with a given soundness error?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/58461/zero-knowledge-proofs-in-bpp/58463#58463">Can we do zero-knowledge proofs for BPP statements?</a> (short answer: just send the witness!)</li>
<li><a href="https://crypto.stackexchange.com/questions/68785/what-is-difference-between-zero-knowledge-proof-and-zero-knowledge-proof-of-know/68786#68786">What is the difference between ZK proofs and ZK proofs of knowledge?</a> (short answer: in a ZK proof of knowledge, an extractor can recover the witness)</li>
<li><a href="https://crypto.stackexchange.com/questions/59481/why-is-computational-zero-knowledge-the-most-generic-notion-of-zero-knowledge/59492#59492">Why is computational ZK the most general notion of zero-knowledge?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/64650/is-there-a-rule-of-thumb-for-zk-protocols/64652#64652">How to choose the security parameter for a ZK proof?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/76929/minimizing-exchanges-for-zk-proof-of-a-message-with-given-sha-256/76983#76983">Are there lower bounds on the round complexity and communication of ZK proofs?</a> (and also: how far are existing ZK proofs from these bounds)</li>
<li><a href="https://crypto.stackexchange.com/questions/71104/why-is-a-common-reference-string-needed-in-zero-knowledge-proofs/71109#71109">How do common reference strings help in ZK proofs?</a> (short answer: they help reduce round complexity)</li>
<li><a href="https://crypto.stackexchange.com/questions/57747/what-is-the-link-if-any-between-zero-knowledge-proof-zkp-and-homomorphic-enc/57759#57759">What are the links between ZK proofs and homomorphic encryption?</a> (short answer: there are many links.)</li>
</ul>
<h3 id="understanding-zk-proofs">Understanding ZK proofs</h3>
<ul>
<li><a href="https://crypto.stackexchange.com/questions/70877/is-a-hash-a-zero-knowledge-proof/70883#70883">Why is “sending a hash of the witness” not a valid ZK proof of knowledge of the witness?</a> (also includes a walkthrough of why Schnorr’s proof is an honest-verifier ZK proof)</li>
<li><a href="https://crypto.stackexchange.com/questions/70074/could-diffie-hellman-protocol-serve-as-a-zero-knowledge-proof-of-knowledge-of-di/70084#70084">Why is the Diffie-Hellman key-exchange protocol not a proof of knowledge of a discrete logarithm?</a> (also includes a discussion about knowledge-of-exponent assumptions, and public-coin versus private-coin proofs)</li>
</ul>
<h3 id="building-zk-proofs">Building ZK proofs</h3>
<ul>
<li><a href="https://crypto.stackexchange.com/questions/64476/how-to-prove-that-a-committed-value-is-the-square-of-other/66005#66005">How to prove that a committed value is the square of another?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/53745/is-it-possible-to-create-a-zero-knowledge-proof-that-a-number-is-more-than-zero/53762#53762">How to prove that a committed number belongs to a certain range?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/42019/zero-knowledge-proof-for-sign-of-message-value/42029#42029">What are the different techniques to build a range proof?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/59441/complexity-of-boudots-zero-knowledge-range-proof-scheme/59446#59446">Where did the four square decomposition technique originate?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/71057/how-would-i-prove-a-number-is-not-within-a-range/71080#71080">How to prove that a number is not within a range?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/71252/given-a-b-g-h-prove-the-i-know-x-s-t-a-xg-and-b-xh/71388#71388">How to prove knowledge of a witness for a DDH tuple?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/55721/can-we-prove-possession-of-an-aes-256-key-without-showing-it/55723#55723">Is it possible to prove knowledge of an AES key without showing it?</a> (short answer: yes)</li>
<li><a href="https://crypto.stackexchange.com/questions/53793/how-can-i-prove-the-result-of-a-long-computation-with-a-short-string/53830#53830">How to prove correctness of a long computation with a short proof?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/64862/can-we-use-phe-or-swhe-instead-of-bilinear-pairings-in-zk-snarks/64864#64864">Can we replace pairings by homomorphic encryption in SNARGs/SNARKs?</a> (short answer: yes, but it becomes designated-verifier)</li>
<li><a href="https://crypto.stackexchange.com/questions/76893/sigma-protocol-when-order-is-unknown/76991#76991">How to prove soundness of $\Sigma$-protocols in unknown-order groups?</a></li>
</ul>
<h3 id="others">Others</h3>
<ul>
<li><a href="https://crypto.stackexchange.com/questions/77371/randomizable-zero-knowledge-proofs/77378#77378">Is it possible to randomize a non-interactive ZK proof?</a> (short answer: yes)</li>
<li><a href="https://crypto.stackexchange.com/questions/71416/are-interactive-proofs-more-secure-their-non-interactive-counterpart/71444#71444">What are the security issues of making ZK proofs non-interactive with Fiat-Shamir?</a> (short answer: transferability, computational soundness)</li>
<li><a href="https://crypto.stackexchange.com/questions/57813/verifying-signature-of-plaintext-using-encrypted-message-only/57900#57900">How to verify a signature on an encrypted message?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/56317/schnorr-protocol-proof-or-argument/56325#56325">Why is Schnorr’s proof not an argument?</a> (short answer: recovering the discrete log in unbounded time does not contradict soundness)</li>
<li><a href="https://crypto.stackexchange.com/questions/68077/transparent-setup-of-snarks/68130#68130">Why is a transparent setup desirable for SNARKs?</a></li>
<li><a href="https://crypto.stackexchange.com/questions/57751/can-we-construct-a-simulation-sound-nizk-non-interactive-zero-knowledge-proof/57758#57758">Do NIZKs imply simulation-sound NIZKs?</a> (short answer: yes)</li>
<li><a href="https://crypto.stackexchange.com/questions/63839/post-quantum-snargs-with-near-constant-verification/64023#64023">Are there post-quantum SNARGs?</a></li>
</ul>
Geoffroy Couteau
Probabilities and Counting – Cheat Sheet 2020-11-05T00:00:00-05:00 2020-11-05T00:00:00-05:00 https://geoffroycouteau.github.io/cheat-sheet
<style>
div {
text-align: justify;
text-justify: inter-word;
}
h5 {
display:inline
}
</style>
<p style="text-align: justify;">In the course of working on various projects, I found myself spending an excessive amount of time skimming through textbooks and Wikipedia pages to be reminded of the exact statement of various simple probability facts and lemmas. In some cases, this was to check that I was getting the constants right, or not forgetting a condition – in others, this was just out of laziness. To simplify future searches, I decided to centralize in a cheat sheet a bunch of standard probability lemmas, starting from the most basic facts, but also including some slightly more advanced lemmas. These lemmas showed up several times in my work, and are likely to be useful to cryptographers and theoretical computer scientists. An outdated PDF version of this cheat sheet, in a compact two-column format, is also available <a href="/assets/pdf/cheat_sheet.pdf">here</a>.</p>
<h3 id="notations">Notations</h3>
<p>Let $\mathsf{Ber}_p$ denote the Bernoulli distribution with probability $p$. $\mathsf{SD}(X,Y)$ denotes the statistical distance between random variables $(X,Y)$ over a set $S$, defined as</p>
<p>\begin{align}
\mathsf{SD}(X,Y) &= \frac{1}{2} \cdot \sum_{x\in S} |\Pr[X = x] - \Pr[Y = x]|\\
&= \max_{f:S\to\{0,1\}} |\Pr[f(X)=1] - \Pr[f(Y) = 1]|\\
&= \max_{Z\subseteq S} |\Pr[X \in Z] - \Pr[Y \in Z]|.
\end{align}</p>
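<p>As an added example (not part of the cheat sheet), the following Python evaluates $\mathsf{SD}$ between two constructed distributions on $\{0,1\}^n$ ($\mathsf{Ber}_{1/4}^n$ versus uniform) with each of the three formulas above, exactly in rationals. The subset form is evaluated by exhaustive search over all $2^{|S|}$ subsets, so it only serves to confirm the equivalence on a small $S$; the distinguisher form uses the standard maximiser $f = \mathbb{1}_{\{x : \Pr[X=x] > \Pr[Y=x]\}}$.</p>

```python
from fractions import Fraction
from itertools import combinations, product


def bernoulli_vectors(n, p):
    """Ber_p^n on {0,1}^n as a dict {x: Pr[x]}, with exact rational probabilities."""
    return {x: p ** sum(x) * (1 - p) ** (n - sum(x)) for x in product((0, 1), repeat=n)}


def uniform_vectors(n):
    """The uniform distribution on {0,1}^n in the same representation."""
    return {x: Fraction(1, 2 ** n) for x in product((0, 1), repeat=n)}


def sd_l1(P, Q):
    """SD(X,Y) = 1/2 * sum_x |Pr[X=x] - Pr[Y=x]|  (first formula)."""
    support = set(P) | set(Q)
    return Fraction(1, 2) * sum(abs(P.get(x, 0) - Q.get(x, 0)) for x in support)


def sd_optimal_distinguisher(P, Q):
    """Second formula, with the maximising f: output 1 exactly on the set
    Z = {x : Pr[X=x] > Pr[Y=x]}.  Returns (|Pr[f(X)=1] - Pr[f(Y)=1]|, Z)."""
    Z = {x for x in set(P) | set(Q) if P.get(x, 0) > Q.get(x, 0)}
    return abs(sum(P[x] for x in Z) - sum(Q.get(x, 0) for x in Z)), Z


def sd_best_subset(P, Q):
    """Third formula, max_Z |Pr[X in Z] - Pr[Y in Z]|, by brute force over every
    subset Z of the support (exponential: only for tiny supports)."""
    support = sorted(set(P) | set(Q))
    best = Fraction(0)
    for k in range(len(support) + 1):
        for Z in combinations(support, k):
            gap = abs(sum(P.get(x, 0) for x in Z) - sum(Q.get(x, 0) for x in Z))
            best = max(best, gap)
    return best


if __name__ == "__main__":
    # Constructed instance: Ber_{1/4}^3 against the uniform distribution on {0,1}^3.
    B3, U3 = bernoulli_vectors(3, Fraction(1, 4)), uniform_vectors(3)
    print(sd_l1(B3, U3), sd_optimal_distinguisher(B3, U3)[0], sd_best_subset(B3, U3))
```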
<h3 id="basic-probabilities">Basic Probabilities</h3>
<p><a name="union"></a><strong>Union Bound:</strong> $\Pr[A \cup B] \leq \Pr[A] + \Pr[B].$</p>
<p><a name="bayes"></a><strong>Bayes’ Rule:</strong> $\Pr[A | B] = \frac{\Pr[B | A]\cdot \Pr[A]}{\Pr[B]}.$</p>
<p><a name="others"></a><strong>Others:</strong></p>
<p>\begin{align}
\Pr[A \cap B] &\leq \min\{\Pr[A],\Pr[B],\Pr[A|B], \Pr[B|A]\}\\
\Pr[A] + \Pr[B] - 1 &\leq \Pr[A \cap B]
\end{align}</p>
<h3 id="expectations">Expectations</h3>
<p>If $X$ is a random variable taking nonnegative integer values, then</p>
\[\mathbb{E}[X] = \sum_{k=1}^{\infty} \Pr[X \geq k].\]
<p>For nonnegative $X$ and differentiable $f$,</p>
\[\mathbb{E}[f(X)] = f(0) + \int_{0}^{\infty} f'(x)\Pr[X \geq x]dx.\]
<p><a name="cauchy"></a><strong>Cauchy-Schwarz:</strong> $|\mathbb{E}[XY]| \leq \mathbb{E}[|XY|] \leq \sqrt{\mathbb{E}[|X|^2]\mathbb{E}[|Y|^2]}.$</p>
<p><a name="jensen"></a><strong>Jensen:</strong> $\text{For }\phi \text{ convex, } \phi(\mathbb{E}[X]) \leq \mathbb{E}[\phi(X)].$</p>
<h3 id="bias">Bias</h3>
<p>Given a distribution $\mathcal{D}$ over $\mathbb{F}^n$ and a vector $\vec u \in \mathbb{F}^n$, the bias of $\mathcal{D}$ with respect to $\vec u$, denoted $\mathsf{bias}_{\vec u}(\mathcal{D})$, is equal to</p>
\[\mathsf{bias}_{\vec u}(\mathcal{D}) = \left|\mathbb{E}_{\vec x \sim \mathcal{D}}[\vec u^\intercal \cdot \vec x] - \mathbb{E}_{\vec x \sim \mathbb{U}_n}[\vec u^\intercal \cdot \vec x] \right| = \left|\mathbb{E}_{\vec x \sim \mathcal{D}}[\vec u^\intercal \cdot \vec x] - \frac{1}{|\mathbb{F}|} \right|,\]
<p>where $\mathbb{U}_n$ denotes the uniform distribution over $\mathbb{F}^n$.
The bias of $\mathcal{D}$, denoted $\mathsf{bias}(\mathcal{D})$, is the maximum bias of $\mathcal{D}$ with respect to any nonzero vector $\vec u$.</p>
<p>Given $t$ distributions $(\mathcal{D}_1, \cdots, \mathcal{D}_t)$ over $\mathbb{F}_2^n$, we denote by $\bigoplus_{i\leq t} \mathcal{D}_i$ the distribution obtained by independently sampling $\vec v_i \gets_r \mathcal{D}_i$ for $i=1$ to $t$ and outputting $ \vec v \gets\vec v_1 \oplus \cdots \oplus \vec v_t$. Then $\mathsf{bias}( \bigoplus_{i\leq t} \mathcal{D}_i ) \leq 2^{t-1}\cdot \prod_{i=1}^t \mathsf{bias}(\mathcal{D}_i) \leq \min_{i \leq t} \mathsf{bias}(\mathcal{D}_i)$. Note that the piling up lemma (given below) can provide a tighter bound if needed.</p>
<h3 id="concentration-bounds">Concentration Bounds</h3>
<p><a name="markov"></a><strong>Markov Inequality:</strong> Let $X$ be a positive random variable with finite expected value $\mu$. Then for any $k > 0$,</p>
\[\Pr[X \geq k] \leq \frac{\mu}{k}.\]
<p><a name="chebyshev"></a><strong>Bienaymé-Chebyshev Inequality:</strong> Let $X$ be a random variable with finite expected value $\mu$ and finite nonzero variance $\sigma^2$. Then for any $k > 0$,</p>
\[\Pr[|X - \mu| \geq k\sigma] \leq \frac{1}{k^2}.\]
<p><a name="chernoff"></a><strong>Chernoff Inequality:</strong> Let $n\in\mathbb{N}$ and let $(X_1, \cdots, X_n)$ be independent random variables taking values in $\{0,1\}$. Let $X$ denote their sum and $\mu \gets \mathbb{E}[X]$. Then for any $\delta \in [0,1]$,</p>
\[\Pr[X \geq (1+\delta)\mu] \leq \exp\left(-\frac{\delta^2\mu}{3}\right)\text{ and } \Pr[X \leq (1-\delta)\mu] \leq \exp\left(-\frac{\delta^2\mu}{2}\right).\]
<p>Furthermore, for any $\delta \geq 0$,</p>
\[\Pr[X \geq (1+\delta)\mu] \leq \exp\left(-\frac{\delta^2\mu}{2+\delta}\right).\]
<p>Note also the tighter, but dirtier bounds:</p>
\[\Pr[X \geq (1+\delta)\mu] \leq \left(\frac{e^\delta}{(1+\delta)^{1+\delta}}\right)^{\mu}\text{ and } \Pr[X \leq (1-\delta)\mu] \leq \left(\frac{e^{-\delta}}{(1-\delta)^{1-\delta}}\right)^{\mu}.\]
<p><a name="gen-chernoff"></a><strong>Generalized Chernoff Inequality (<a href="https://epubs.siam.org/doi/abs/10.1137/S0097539793250767?journalCode=smjcat">here</a>):</strong> Let $n\in\mathbb{N}$ be an integer and let $(X_1, \cdots, X_n)$ be boolean random variables such that, for some $\delta\in [0,1]$, it holds that for every subset $S \subset [n]$, $\Pr[\wedge_{i\in S} X_i] \leq \delta^{|S|}.$ Then for any $\gamma \in [\delta, 1]$,</p>
\[\Pr\left[\sum_{i=1}^nX_i \geq \gamma n\right] \leq \exp\left(-n D(\gamma||\delta)\right),\]
<p>where $D(\gamma||\delta)$ denotes the relative entropy function, satisfying $D(\gamma||\delta) \geq 2(\gamma-\delta)^2$. For more discussions and a constructive proof of the generalized Chernoff bound, see <a href="https://link.springer.com/chapter/10.1007/978-3-642-15369-3_46">Impagliazzo and Kabanets</a>.</p>
<p><a name="bernstein"></a><strong>Bernstein Inequality:</strong> Let $X_1, \cdots, X_m$ be independent zero-mean random variables, and let $M$ be a bound such that $|X_i| \leq M$ almost surely for $i=1$ to $m$. Let $X$ denote the random variable $\sum_{i=1}^m X_i$. It holds that</p>
\[\Pr[X > B] \leq \exp\left(- \frac{B^2}{2\sum_{i=1}^m \mathbb{E}[X_i^2] + \frac{2}{3}MB}\right).\]
<p><a name="bdi"></a><strong>Bounded Difference Inequality:</strong> First proved by <a href="https://www.ime.usp.br/~tassio/TMP/ler/McDiarmid-on-the-method-of-bounded-differences-89.pdf">McDiarmid</a>, in a more general form than the one below; it is a special case of the <a href="https://www.jstage.jst.go.jp/article/tmj1949/19/3/19_3_357/_pdf">Azuma inequality</a>. Let $(n,m)\in\mathbb{N}^2$ be two integers. We say that a function $\Phi:[n]^m\mapsto \mathbb{R}$ satisfies the <em>Lipschitz property with constant $d$</em> if for every $\vec x, \vec x' \in [n]^m$ which differ in a single coordinate, it holds that $|\Phi(\vec x) - \Phi(\vec x')| \leq d.$ Then, the statement of the bounded difference inequality is as follows: let $\Phi:[n]^m\mapsto \mathbb{R}$ be a function satisfying the Lipschitz property with constant $d$, and let $(X_1, \cdots, X_m)$ be independent random variables over $[n]$. It holds that</p>
\[\Pr[\Phi(X_1, \cdots, X_m) < \mathbb{E}[\Phi(X_1, \cdots, X_m)] - t] \leq \exp\left(-\frac{2t^2}{m\cdot d^2}\right).\]
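<p>As an added illustration (not part of the original cheat sheet), the following Python snippet computes the exact upper tail of a sum of $n$ independent $\mathsf{Ber}_p$ variables and places it next to the Markov, Chebyshev, Chernoff and Bernstein bounds above, and checks the bounded difference inequality on the lower tail of the same sum (a $1$-Lipschitz function of its inputs). The parameters $n = 100$, $p = 0.3$, $\delta = 0.5$, $t = 15$ and all function names are constructed for this check.</p>

```python
# Added example, not from the original cheat sheet: the exact upper tail of a
# sum of n independent Bernoulli(p) variables next to the tail bounds stated
# above (Markov, Chebyshev, the three Chernoff forms, Bernstein) and the
# bounded-difference bound on the lower tail. n, p, delta and t are constructed.
import math
from fractions import Fraction


def _frac(x):
    """Exact rational from a decimal literal such as 0.3 (via its repr)."""
    return Fraction(str(x))


def binomial_pmf(n, p):
    """Exact Pr[X = i] for i = 0..n, where X ~ Bin(n, p)."""
    p = _frac(p)
    return [math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(n + 1)]


def upper_tail_bounds(n, p, delta):
    """Bounds on Pr[X >= (1+delta) mu] for X = X_1 + ... + X_n, X_i ~ Ber(p)."""
    mu = n * p
    var = n * p * (1 - p)          # sigma^2
    a = (1 + delta) * mu           # the threshold (1+delta) mu
    B = delta * mu                 # deviation above the mean
    M = max(p, 1 - p)              # |X_i - p| <= M almost surely
    return {
        # Markov on the nonnegative variable X
        "markov": mu / a,
        # Chebyshev: Pr[|X - mu| >= k sigma] <= 1/k^2 with k sigma = delta mu
        "chebyshev": var / B**2,
        # Chernoff, valid for delta in [0, 1]
        "chernoff_div3": math.exp(-(delta**2) * mu / 3),
        # Chernoff, valid for every delta >= 0
        "chernoff_2plus": math.exp(-(delta**2) * mu / (2 + delta)),
        # the tighter multiplicative form
        "chernoff_tight": (math.exp(delta) / (1 + delta) ** (1 + delta)) ** mu,
        # Bernstein on the zero-mean variables X_i - p, bounding Pr[X - mu > B]
        "bernstein": math.exp(-(B**2) / (2 * var + (2 / 3) * M * B)),
    }


def compare_upper_tail(n, p, delta):
    """Return (exact Pr[X > (1+delta) mu], bounds, all_bounds_dominate).

    The strict tail Pr[X > a] is used because Bernstein bounds a strict
    inequality; every other bound is on Pr[X >= a] >= Pr[X > a]."""
    pmf = binomial_pmf(n, p)
    a = (1 + _frac(delta)) * n * _frac(p)
    k = math.floor(a) + 1          # X > a  <=>  X >= floor(a) + 1
    exact = float(sum(pmf[k:]))
    bounds = upper_tail_bounds(n, p, delta)
    return exact, bounds, all(exact <= b for b in bounds.values())


def compare_mcdiarmid_lower_tail(n, p, t):
    """Bounded difference inequality for Phi(X_1..X_n) = X_1 + ... + X_n, which
    is Lipschitz with constant d = 1: Pr[X < mu - t] <= exp(-2 t^2 / n)."""
    pmf = binomial_pmf(n, p)
    mu = n * _frac(p)
    k = math.ceil(mu - t) - 1      # X < mu - t  <=>  X <= ceil(mu - t) - 1
    exact = float(sum(pmf[: k + 1])) if k >= 0 else 0.0
    bound = math.exp(-2 * t**2 / n)
    return exact, bound


if __name__ == "__main__":
    exact, bounds, ok = compare_upper_tail(100, 0.3, 0.5)
    print(f"exact tail {exact:.3e}, dominated by every bound: {ok}")
    for name, b in sorted(bounds.items(), key=lambda kv: kv[1]):
        print(f"  {name:15s} {b:.3e}")
    print("lower tail (exact, McDiarmid):", compare_mcdiarmid_lower_tail(100, 0.3, 15))
```

<p>For these parameters the exact tail is around $5\cdot 10^{-4}$, while the bounds range from Bernstein (about $10^{-2}$) up to Markov (about $0.67$); the ordering tight Chernoff &lt; $2+\delta$ form &lt; $\delta^2\mu/3$ form &lt; Chebyshev &lt; Markov is what one expects for a sum with $\mu = 30$.</p>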
<h3 id="entropy-notions">Entropy Notions</h3>
<p>Let $\mathsf{H}(x) = x\log(1/x) + (1-x)\log(1/(1-x))$ be the binary entropy function. We let</p>
\[\mathsf{H}_1(X),\; \mathsf{H}_\infty(X),\; \mathsf{H}_\infty(X\;|\; Z),\; \mathsf{H}^{\varepsilon}_\infty(X)\]
<p>denote respectively the Shannon entropy, min-entropy, average min-entropy conditioned on $Z$, and $\varepsilon$-smooth min-entropy of a random variable $X$, defined as</p>
<p>\begin{align}
\mathsf{H}_1(X) &= - \sum_{x\in \mathsf{Supp}(X)}\Pr[X= x]\cdot \log\Pr[X= x]\\
\mathsf{H}_\infty(X) &= - \log \max_{x \in \mathsf{Supp}(X)} \Pr[X = x]\\
\mathsf{H}_\infty(X\;|\; Z) &= - \log\mathbb{E}_{z\gets Z}[2^{-\mathsf{H}_\infty(X\;|\;Z=z)}]\\
\mathsf{H}^{\varepsilon}_\infty(X) &= \max_{\mathsf{SD}(X,Y)\leq \varepsilon} \mathsf{H}_\infty(Y)
\end{align}</p>
<p>Note that $\mathsf{H}_1(\mathsf{Ber}_p) = \mathsf{H}(p)$.</p>
<h4 id="some-lemmas-on-entropy">Some lemmas on entropy</h4>
<p><strong><a href="https://www.iacr.org/archive/eurocrypt2004/30270518/DRS-ec2004-final.pdf">Dodis et al.</a>, Lemma 2.2a:</strong> For any $\delta > 0$, $\mathsf{H}_\infty(X|Z = z)$ is at least $\mathsf{H}_\infty(X\;|\; Z) - \log(1/\delta)$ with probability at least $1-\delta$ over the choice of $z$.</p>
<p><strong><a href="https://www.iacr.org/archive/eurocrypt2004/30270518/DRS-ec2004-final.pdf">Dodis et al.</a>, Lemma 2.2b:</strong> Conditioning on a variable $Z_1$ that carries at most $b = \log |\mathsf{Supp}(Z_1)|$ bits of information reduces the average min-entropy of $X$ by at most $b$: $\mathsf{H}_\infty(X\;|\; Z_1,Z_2) \geq \mathsf{H}_\infty(X, Z_1\;|\; Z_2) - \log |\mathsf{Supp}(Z_1)|$.</p>
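<p>The entropy notions above, computed exactly on a small joint distribution, together with numerical checks of the two Dodis et al. lemmas. This is an added example, not part of the original cheat sheet; the joint distribution of $(X, Z_1, Z_2)$, the index conventions and the function names are constructed for it, logs are base $2$, and the $\varepsilon$-smooth min-entropy is not computed.</p>

```python
# Added example, not from the original cheat sheet: the entropy notions above
# computed exactly on a constructed joint distribution of (X, Z1, Z2), with
# numerical checks of the two Dodis et al. lemmas. Logs are base 2 throughout.
import math
from collections import defaultdict
from fractions import Fraction


def binary_entropy(x):
    """H(x) = x log(1/x) + (1-x) log(1/(1-x))."""
    if x in (0, 1):
        return 0.0
    return x * math.log2(1 / x) + (1 - x) * math.log2(1 / (1 - x))


def shannon_entropy(dist):
    """H_1(X) = - sum_{x in Supp(X)} Pr[X=x] log Pr[X=x]; dist maps outcome -> probability."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy(dist):
    """H_inf(X) = - log max_x Pr[X=x]."""
    return -math.log2(max(dist.values()))


def marginal(joint, idx):
    """Project a joint distribution {(c_0, c_1, ...): p} onto the coordinates in idx."""
    out = defaultdict(Fraction)
    for key, p in joint.items():
        out[tuple(key[i] for i in idx)] += p
    return dict(out)


def max_joint_by_condition(joint, x_idx, z_idx):
    """For each value z of the Z coordinates: max_x Pr[X = x, Z = z]."""
    m = marginal(joint, tuple(x_idx) + tuple(z_idx))
    nx = len(x_idx)
    best = defaultdict(Fraction)
    for key, p in m.items():
        best[key[nx:]] = max(best[key[nx:]], p)
    return best


def conditional_min_entropy(joint, x_idx, z_idx):
    """Average min-entropy H_inf(X | Z) = - log E_{z <- Z}[2^{-H_inf(X | Z=z)}].

    Since Pr[Z=z] * max_x Pr[X=x | Z=z] = max_x Pr[X=x, Z=z], the expectation
    is the sum over z of the largest joint probability in that slice."""
    return -math.log2(sum(max_joint_by_condition(joint, x_idx, z_idx).values()))


def check_lemma_22a(joint, x_idx, z_idx, delta):
    """Dodis et al. 2.2a: with probability >= 1 - delta over z <- Z,
    H_inf(X | Z=z) >= H_inf(X | Z) - log(1/delta). Returns (good mass, 1 - delta)."""
    threshold = conditional_min_entropy(joint, x_idx, z_idx) - math.log2(1 / delta)
    pz = marginal(joint, z_idx)
    best = max_joint_by_condition(joint, x_idx, z_idx)
    # H_inf(X | Z=z) = - log( max_x Pr[X=x, Z=z] / Pr[Z=z] )
    good = sum(pz[z] for z in pz if -math.log2(best[z] / pz[z]) >= threshold - 1e-12)
    return good, 1 - delta


def check_lemma_22b(joint, x_idx, z1_idx, z2_idx):
    """Dodis et al. 2.2b: H_inf(X | Z1, Z2) >= H_inf(X, Z1 | Z2) - log |Supp(Z1)|."""
    lhs = conditional_min_entropy(joint, x_idx, tuple(z1_idx) + tuple(z2_idx))
    rhs = conditional_min_entropy(joint, tuple(x_idx) + tuple(z1_idx), z2_idx)
    rhs -= math.log2(len(marginal(joint, z1_idx)))
    return lhs >= rhs - 1e-12


# Constructed sample: X in {0,1,2,3} with Pr = (1/2, 1/4, 1/8, 1/8),
# Z1 = X mod 2 (a deterministic one-bit leak), and Z2 = floor(X / 2) with
# probability 3/4 and the complementary bit otherwise (a noisy one-bit leak).
PX = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
JOINT = {}
for x, px in PX.items():
    hi = x >> 1
    JOINT[(x, x & 1, hi)] = px * Fraction(3, 4)
    JOINT[(x, x & 1, 1 - hi)] = px * Fraction(1, 4)
X, Z1, Z2 = (0,), (1,), (2,)   # coordinate indices of X, Z1, Z2 in the keys

if __name__ == "__main__":
    print("H_1(X) =", shannon_entropy(PX), " H_inf(X) =", min_entropy(PX))
    print("H_inf(X | Z1) =", conditional_min_entropy(JOINT, X, Z1))
    print("H_inf(X | Z1, Z2) =", conditional_min_entropy(JOINT, X, Z1 + Z2))
    print("Lemma 2.2a (good mass, 1 - delta):", check_lemma_22a(JOINT, X, Z2, 0.9))
    print("Lemma 2.2b holds:", check_lemma_22b(JOINT, X, Z1, Z2))
```

<p>On this sample the deterministic leak $Z_1$ costs exactly one bit of min-entropy in the worst case but only $\log(4/3)$ bits on average, and for $\delta = 0.9$ the slice $Z_2 = 0$ falls below the threshold of Lemma 2.2a while $Z_2 = 1$ (probability $3/8 \geq 1 - \delta$) stays above it.</p>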
<h3 id="binomial-coefficients">Binomial Coefficients</h3>
<p><a name="sbc"></a><strong>Sums of Binomial Coefficients:</strong> For any $0 < \mu < 1/2$ and $m\in\mathbb{N}$,</p>
\[\sum_{i=0}^{\mu m} {m \choose i} = 2^{m\mathsf{H}(\mu) - \frac{\log m}{2} + O(1)}.\]
<p>Alternatively, writing</p>
\[\sum_{i=1}^{\mu m} {m \choose i} = {m \choose \mu m} \left [ 1 + \frac{\mu m}{m-\mu m +1} + \frac{\mu m (\mu m - 1)}{(m-\mu m +1)(m - \mu m + 2)} + \cdots \right ],\]
<p>we get, bounding the above by a geometric series:</p>
\[\sum_{i=1}^{\mu m} {m \choose i} \leq {m \choose \mu m} \cdot \frac{1-\mu}{1-2\mu}.\]
<p><a name="stirling-approximation"></a><strong>Stirling’s Approximation:</strong></p>
\[\frac{1}{\sqrt{2\pi n \delta (1-\delta)}} \exp\left(n\cdot\mathsf{H}(\delta) - \frac{1}{12 n \delta (1-\delta)} \right) \leq {n \choose \delta n} \leq \frac{1}{\sqrt{2\pi n \delta(1-\delta)}}\exp\left(n\cdot \mathsf{H}(\delta)\right).\]
<p><a name="bin-others"></a><strong>Others:</strong></p>
<ul>
<li>For $k = o(n)$, $\log {n\choose k} = (1+o(1))k \log \frac{n}{k}$.</li>
<li>For any $(k,n)$, $\left(\frac{n}{k}\right)^k \leq {n \choose k} \leq \frac{n^k}{k!} < \left(\frac{ne}{k}\right)^k$.</li>
</ul>
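<p>A numerical check of the binomial-coefficient estimates above, added here as an example (not part of the original cheat sheet). Sums are computed with exact integers and compared on logarithms; since the Stirling sandwich is written with $\exp$, that check evaluates $\mathsf{H}$ in nats, while the $O(1)$ residual of the first estimate uses bits. The test values $(m, \mu m)$ and $(n, \delta n)$ and the function names are constructed.</p>

```python
# Added example, not from the original cheat sheet: exact checks of the
# binomial-coefficient estimates above. Sums use exact integers, comparisons
# are done on logarithms, and the Stirling sandwich takes H in nats because it
# is written with exp(). All parameters are constructed here.
import math


def binary_entropy(x, base=2.0):
    """H(x) = x log(1/x) + (1-x) log(1/(1-x)) in the given base (2 = bits, e = nats)."""
    return (x * math.log(1 / x) + (1 - x) * math.log(1 / (1 - x))) / math.log(base)


def partial_sum(m, k, start=0):
    """sum_{i=start}^{k} C(m, i), exactly."""
    return sum(math.comb(m, i) for i in range(start, k + 1))


def geometric_series_bound(m, k):
    """sum_{i=1}^{k} C(m,i) <= C(m,k) (1-mu)/(1-2mu) with mu = k/m < 1/2.
    Returns (exact sum, bound, exact sum / C(m,k))."""
    mu = k / m
    assert 0 < mu < 0.5
    s = partial_sum(m, k, start=1)
    bound = math.comb(m, k) * (1 - mu) / (1 - 2 * mu)
    return s, bound, s / math.comb(m, k)


def asymptotic_residual(m, k):
    """log2(sum_{i<=k} C(m,i)) - (m H(k/m) - log2(m)/2): the O(1) term."""
    mu = k / m
    return math.log2(partial_sum(m, k)) - (m * binary_entropy(mu) - math.log2(m) / 2)


def stirling_sandwich(n, k):
    """Natural-log form of the two-sided Stirling estimate of C(n, delta n).
    Returns (lower, exact, upper) with exact = ln C(n, k)."""
    d = k / n
    h = binary_entropy(d, base=math.e)
    upper = n * h - 0.5 * math.log(2 * math.pi * n * d * (1 - d))
    lower = upper - 1 / (12 * n * d * (1 - d))
    return lower, math.log(math.comb(n, k)), upper


def crude_bounds_hold(n, k):
    """(n/k)^k <= C(n,k) <= n^k/k! < (n e/k)^k; the first two are checked in integers."""
    c = math.comb(n, k)
    left = n**k <= c * k**k                      # (n/k)^k <= C(n,k)
    middle = c * math.factorial(k) <= n**k       # C(n,k) <= n^k / k!
    right = n**k / math.factorial(k) < (n * math.e / k) ** k
    return left and middle and right


if __name__ == "__main__":
    print("geometric bound (sum, bound, sum/C):", geometric_series_bound(100, 30))
    print("O(1) residuals:", [round(asymptotic_residual(m, 3 * m // 10), 3)
                              for m in (100, 200, 400, 800)])
    print("Stirling sandwich (lo, exact, hi):", stirling_sandwich(100, 30))
```

<p>Two things the table of estimates does not show: the geometric-series bound is nearly tight already at $m = 100$ (the sum is about $1.69$ times the top coefficient against a bound of $1.75$), and the Stirling sandwich pins $\ln {100 \choose 30}$ to within a few thousandths.</p>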
<h3 id="useful-inequalities">Useful Inequalities</h3>
<ul>
<li>$\forall x > 0$, $\exp(-x) > 1-x$.</li>
<li>$\forall\; 0 < x < \frac{2-\sqrt{2}}{2}$, $1-x > 2^{- \frac{2+\sqrt{2}}{2} x}$.</li>
<li>$\forall n\geq 1$, $\left(1-\frac{1}{n}\right)^{n} \leq \exp\left(-1\right)$, and $\exp(-1) \leq \left(1-\frac{1}{n}\right)^{n-1}$.</li>
<li>$\forall \delta > 0$, $\frac{2\delta}{2+\delta} \leq \log(1+\delta)$.</li>
</ul>
<h3 id="useful-lemmas">Useful Lemmas</h3>
<h4 id="splitting-lemma">Splitting Lemma</h4>
<p>Let $A\subset X \times Y$ such that $\Pr[(x,y) \in A] \geq \varepsilon$. For any $\varepsilon' < \varepsilon$, defining $B$ as $B = \{(x, y) \in X \times Y \;|\; \Pr_{y'\gets_r Y}[(x, y') \in A] \geq \varepsilon - \varepsilon'\}$, it holds that</p>
<p>\begin{align}
\Pr[B]\geq \varepsilon' &&\forall (x,y)\in B, \Pr_{y'}[(x,y')\in A]\geq \varepsilon - \varepsilon' &&\Pr[B|A] \geq \varepsilon'/\varepsilon.
\end{align}</p>
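<p>The splitting lemma checked exhaustively on a finite instance, as an added example that is not part of the original cheat sheet. The set $A$ (an $8 \times 8$ grid with rows of decreasing density), the uniform distribution on $X \times Y$ and the function names are constructed for this check; probabilities are exact rationals.</p>

```python
# Added example, not from the original cheat sheet: the splitting lemma checked
# exhaustively on a constructed finite "good" set A inside X x Y, with (x, y)
# uniform over X x Y. Probabilities are exact rationals.
from fractions import Fraction


def splitting_lemma(good, X, Y, eps_prime):
    """Apply the lemma to A = good (a set of pairs (x, y)) and a given eps' < eps.

    Returns a dict with eps = Pr[A], Pr[B], Pr[B | A], the smallest row density
    Pr_{y'}[(x, y') in A] over (x, y) in B, and whether the three conclusions
    Pr[B] >= eps', row density >= eps - eps' on B, Pr[B | A] >= eps'/eps hold."""
    total = len(X) * len(Y)
    eps = Fraction(len(good), total)
    assert 0 < eps_prime < eps
    # For each x, the probability over a fresh y' that (x, y') lands in A.
    row = {x: Fraction(sum((x, y) in good for y in Y), len(Y)) for x in X}
    # B collects every (x, y) whose row x is dense enough.
    B = {(x, y) for x in X for y in Y if row[x] >= eps - eps_prime}
    pr_B = Fraction(len(B), total)
    pr_B_given_A = Fraction(len(B & good), len(good))
    min_row = min((row[x] for x, _ in B), default=Fraction(0))
    holds = (pr_B >= eps_prime
             and min_row >= eps - eps_prime
             and pr_B_given_A >= eps_prime / eps)
    return {"eps": eps, "Pr[B]": pr_B, "Pr[B|A]": pr_B_given_A,
            "min_row": min_row, "holds": holds}


def holds_for_every_eps_prime(good, X, Y):
    """Run the check for every eps' = j / (|X| |Y|) strictly below eps."""
    total = len(X) * len(Y)
    return all(splitting_lemma(good, X, Y, Fraction(j, total))["holds"]
               for j in range(1, len(good)))


# Constructed instance: 8 x 8 grid, rows of decreasing density (8, 4, 2, 1 good
# columns in rows 0..3, none in rows 4..7), so Pr[A] = 15/64.
X = Y = range(8)
GOOD = ({(0, y) for y in range(8)} | {(1, y) for y in range(4)}
        | {(2, y) for y in range(2)} | {(3, 0)})

if __name__ == "__main__":
    print(splitting_lemma(GOOD, X, Y, Fraction(1, 16)))
    print("holds for every eps':", holds_for_every_eps_prime(GOOD, X, Y))
```

<p>With $\varepsilon' = 1/16$ the threshold $\varepsilon - \varepsilon' = 11/64$ keeps rows $0$, $1$, $2$ in $B$ and drops row $3$, giving $\Pr[B] = 3/8$ and $\Pr[B|A] = 14/15 \geq 4/15$; the exhaustive sweep over $\varepsilon'$ shows the three conclusions hold for every admissible choice on this instance.</p>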
<h4 id="forking-lemma">Forking Lemma</h4>
<p>For any $q\geq 1$, any set $H$ with $|H| \geq 2$, any randomized PPT algorithm $\mathcal{A}$ which, on input $(x, h_1, \cdots, h_q)$, returns a pair $(J,\sigma) \in \{0, 1, \cdots, q\}\times \{0,1\}^{*}$, and any input distribution $\mathcal{D}$, let</p>
\[\mathsf{acc} \gets \Pr[x \gets_r \mathcal{D}, (h_1, \cdots, h_q) \gets_r H, (J,\sigma) \gets_r \mathcal{A}(x, h_1, \cdots, h_q) : J \geq 1].\]
<p>Then define the following algorithm $F_{\mathcal{A}}$: on input $x \in \mathsf{Supp}(\mathcal{D})$, $F_{\mathcal{A}}(x)$ picks coins $r$ and $(h_1, \cdots, h_q) \gets_r H$, and runs $(I, \sigma) \gets \mathcal{A}(x, h_1, \cdots, h_q; r)$. If $I=0$, it returns $(0, \varepsilon, \varepsilon)$. Else, it picks $(h'_1, \cdots, h'_q) \gets_r H$, and runs $(I', \sigma') \gets \mathcal{A}(x, h_1, \cdots, h_{I-1}, h'_I, \cdots, h'_q; r)$, i.e., the same input and coins with the $I$-th value and all later ones replaced. If $I=I'$ and $h_I \neq h'_I$, it returns $(1, \sigma, \sigma')$; else, it returns $(0,\varepsilon, \varepsilon)$. Let</p>
\[\mathsf{frk} \gets \Pr[x \gets_r \mathcal{D}, (b,\sigma, \sigma') \gets_r F_{\mathcal{A}}(x) : b = 1].\]
<p>Then</p>
\[\mathsf{acc} \leq \frac{q}{|H|} + \sqrt{q\cdot \mathsf{frk}}.\]
<h4 id="leftover-hash-lemma">Leftover Hash Lemma</h4>
<p>To be added later.</p>
<h4 id="piling-up-lemma">Piling-Up Lemma</h4>
<p>For $0 < \mu < 1/2$ and random variables $(X_1, \cdots, X_t)$ i.i.d. to $\mathsf{Ber}_\mu$, it holds that</p>
\[\Pr\left[\bigoplus_{i=1}^t X_i = 0\right] = \frac{1}{2}\cdot\left(1 + (1-2\mu)^t\right) = \frac{1}{2} + 2^{-c_\mu t-1},\]
<p>where $c_\mu = \log \frac{1}{1-2\mu}$. In other terms, for any $0 < \mu \leq \mu’ < 1/2$, it holds that</p>
\[\mathsf{Ber}_\mu \oplus \mathsf{Ber}_{\frac{\mu'-\mu}{1-2\mu}} \approx \mathsf{Ber}_{\mu'}.\]
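<p>Exact computations for the Bias section and the piling-up lemma, added here as an example (not part of the original cheat sheet). Vectors of $\mathbb{F}_2^n$ are encoded as $n$-bit integers, distributions as dictionaries of exact rationals; the sample distributions (mixtures of the uniform distribution with a point mass) and the function names are constructed. The code checks the bound $\mathsf{bias}(\bigoplus_i \mathcal{D}_i) \leq 2^{t-1}\prod_i \mathsf{bias}(\mathcal{D}_i) \leq \min_i \mathsf{bias}(\mathcal{D}_i)$, the closed form of the piling-up lemma, and the parameter of $\mathsf{Ber}_\mu \oplus \mathsf{Ber}_{(\mu'-\mu)/(1-2\mu)}$.</p>

```python
# Added example, not from the original cheat sheet: exact bias computations over
# F_2^n, the XOR of independent distributions, and the piling-up lemma. Vectors
# in F_2^n are encoded as n-bit integers; distributions are dicts mapping a
# vector to a Fraction. All sample distributions are constructed here.
import math
from fractions import Fraction


def inner_product_mod2(u, x):
    """<u, x> over F_2 for n-bit integers u, x."""
    return bin(u & x).count("1") & 1


def bias_wrt(dist, u):
    """bias_u(D) = | E_{x ~ D}[<u, x>] - 1/2 |  (the uniform distribution has E = 1/2)."""
    expectation = sum(p for x, p in dist.items() if inner_product_mod2(u, x))
    return abs(expectation - Fraction(1, 2))


def bias(dist, n):
    """bias(D) = max over nonzero u in F_2^n of bias_u(D)."""
    return max(bias_wrt(dist, u) for u in range(1, 2**n))


def xor_convolve(d1, d2):
    """Distribution of v1 xor v2 for independent v1 ~ d1 and v2 ~ d2."""
    out = {}
    for x, p in d1.items():
        for y, q in d2.items():
            out[x ^ y] = out.get(x ^ y, Fraction(0)) + p * q
    return out


def xor_of(dists):
    """The distribution D_1 xor ... xor D_t of independently sampled v_i ~ D_i."""
    acc = {0: Fraction(1)}
    for d in dists:
        acc = xor_convolve(acc, d)
    return acc


def check_xor_bias_bound(dists, n):
    """bias(xor_i D_i) <= 2^{t-1} prod_i bias(D_i) <= min_i bias(D_i).
    Returns (lhs, middle term, min bias, holds)."""
    biases = [bias(d, n) for d in dists]
    lhs = bias(xor_of(dists), n)
    middle = 2 ** (len(dists) - 1) * math.prod(biases)
    return lhs, middle, min(biases), lhs <= middle <= min(biases)


def point_mixture(n, point, w):
    """(1 - w) * uniform over F_2^n + w * (point mass at `point`)."""
    u = Fraction(1, 2**n)
    return {x: (1 - w) * u + (w if x == point else 0) for x in range(2**n)}


def bernoulli(mu):
    """Ber_mu as a distribution over F_2 (n = 1)."""
    return {0: 1 - mu, 1: mu}


def piling_up(mu, t):
    """Exact Pr[X_1 xor ... xor X_t = 0] for i.i.d. Ber_mu, the closed form
    (1 + (1 - 2 mu)^t) / 2 and the rewriting 1/2 + 2^{-c_mu t - 1}."""
    exact = xor_of([bernoulli(mu)] * t)[0]
    closed = (1 + (1 - 2 * mu) ** t) / 2
    c_mu = math.log2(1 / (1 - 2 * mu))
    return exact, closed, 0.5 + 2 ** (-c_mu * t - 1)


def bernoulli_xor_parameter(mu, mu_prime):
    """Parameter of Ber_mu xor Ber_{(mu' - mu)/(1 - 2 mu)}; the exact computation
    shows it is mu' itself (mu + nu (1 - 2 mu) with nu = (mu' - mu)/(1 - 2 mu))."""
    nu = (mu_prime - mu) / (1 - 2 * mu)
    return xor_of([bernoulli(mu), bernoulli(nu)])[1]


if __name__ == "__main__":
    D1 = point_mixture(3, 0b101, Fraction(1, 4))   # bias 1/8
    D2 = point_mixture(3, 0b011, Fraction(1, 2))   # bias 1/4
    print("xor bias bound (lhs, 2^{t-1} prod, min, holds):", check_xor_bias_bound([D1, D2], 3))
    print("piling-up for mu = 1/4, t = 3:", piling_up(Fraction(1, 4), 3))
    print("Ber_{1/8} xor Ber_{1/6} has parameter", bernoulli_xor_parameter(Fraction(1, 8), Fraction(1, 4)))
```

<p>For the two mixtures above the first inequality is attained with equality ($1/16$ on both sides), and for $\mathsf{Ber}_{1/4}$ with $t = 3$ the exact probability $9/16$ matches both $\frac{1}{2}(1 + 2^{-3})$ and $\frac{1}{2} + 2^{-c_\mu t - 1}$ with $c_{1/4} = 1$.</p>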
<h3 id="hashing">Hashing</h3>
<p>To come: universal hashing, pairwise independent hashing</p>
<p>Geoffroy Couteau</p>