research-article

Open access

Fine-grained Cryptanalysis: Tight Conditional Bounds for Dense k-SUM and k-XOR

Authors:

Itai Dinur,

Nathan Keller, and

Ohad KleinAuthors Info & Claims

Journal of the ACM, Volume 71, Issue 3

Article No.: 23, Pages 1 - 41

https://doi.org/10.1145/3653014

Published: 11 June 2024 Publication History

PDF eReader

Abstract

An average-case variant of the k-SUM conjecture asserts that finding k numbers that sum to 0 in a list of r random numbers, each of the order r^k, cannot be done in much less than $r^{\lceil k/2 \rceil }$ time. However, in the dense regime of parameters, where the list contains more numbers and many solutions exist, the complexity of finding one of them can be significantly improved by Wagner’s k-tree algorithm. Such algorithms for k-SUM in the dense regime have many applications, notably in cryptanalysis.

In this article, assuming the average-case k-SUM conjecture, we prove that known algorithms are essentially optimal for k= 3,4,5. For k> 5, we prove the optimality of the k-tree algorithm for a limited range of parameters. We also prove similar results for k-XOR, where the sum is replaced with exclusive or.

Our results are obtained by a self-reduction that, given an instance of k-SUM that has a few solutions, produces from it many instances in the dense regime. We solve each of these instances using the dense k-SUM oracle and hope that a solution to a dense instance also solves the original problem. We deal with potentially malicious oracles (that repeatedly output correlated useless solutions) by an obfuscation process that adds noise to the dense instances. Using discrete Fourier analysis, we show that the obfuscation eliminates correlations among the oracle’s solutions, even though its inputs are highly correlated.

1 Introduction

1.1 Background

The k-SUM problem. For parameters $k = O(1),r$ , the classical worst-case search variant of the k-SUM problem asks: Given a list of r numbers, find (with high probability) k of them whose SUM is zero, assuming such numbers exist.¹ Given that a solution exists, a simple sort-and-match (or meet-in-the-middle) algorithm finds it in time $T=\tilde{O}(r^{\lceil k/2 \rceil })$ (the notation $\tilde{O}$ hides logarithmic factors in r), and the well-known k-SUM conjecture (that generalizes the 3-SUM conjecture [18]) states that no algorithm can do substantially better in standard computational models (such as the word RAM model).

In this article, we consider average-case variants of the k-SUM problem.

Definition 1.1 (Average-case k-SUM Problem)

In the $(k,N,r)$ -SUM problem, the input consists of r elements $z_1,\ldots ,z_r$ , each of them chosen independently and uniformly at random from $\lbrace -N,\ldots ,N\rbrace$ . The goal is to find a k-tuple (an ordered set of distinct indices) $K = \lbrace i_1,\ldots ,i_k\rbrace$ , such that $\sum _{j \in K} z_j = 0$ , where the sum is over $\mathbb {Z}$ .

In a sparse regime of parameters only a few solutions exist on average, i.e., $r^k \approx N$ . It is considered folklore that the uniform distribution is a hard distribution for k-SUM under a standard model of computation (see References [24] and [34] for a formulation for $k=3$ ):

Conjecture 1.2 (Sparse Average-case k-SUM Conjecture)

Any algorithm that solves the $(k,N,r)$ -SUM problem where $r = N^{1/k}$ with probability $\Omega _k(1)$ has expected running time of at least $T= \Omega _k(r^{\lceil k/2 \rceil - o(1)})$ .

We note that for constant k and $N = \omega (r^k)$ , a solution exists with probability $o(1)$ , hence the problem cannot be solved with probability $\Omega _k(1)$ , regardless of the running time.

In the dense regime where many solutions exist on average (namely, when $r^k \gg N$ ), one can do much better.

For $k=3$ , there is a simple algorithm that filters the input by keeping only numbers that are smaller than some threshold in absolute value. This gives a smaller sparse instance to which the standard algorithm is applied to solve the problem in time $T = \tilde{O}(N/r)$ (for $N^{1/3} \le r \le N^{1/2}$ ). For $k \gt 3$ , improvements are obtained via the celebrated Wagner’s k-tree algorithm [36] discussed below.

The k-XOR problem. The discussion above equally applies to the average-case k-XOR problem.

Definition 1.3 (Average-case k-XOR Problem)

In the $(k,2^n,r)$ -XOR problem, the input consists of r vectors $z_1,\ldots ,z_r$ , each chosen independently and uniformly at random from $\lbrace 0,1\rbrace ^n$ . The goal is to find a k-tuple, $K = \lbrace i_1,\ldots ,i_k\rbrace$ , such that $\bigoplus _{j \in K} z_j = 0_n$ .

Similarly to k-SUM, the following conjecture is considered folklore:

Conjecture 1.4 (Sparse Average-case k-XOR Conjecture)

Any algorithm that solves the $(k,N = 2^n,r)$ -XOR problem where $r = N^{1/k}$ with probability $\Omega _k(1)$ has expected running time of at least $T= \Omega _k(r^{\lceil k/2 \rceil - o(1)})$ .

In the dense 3-XOR problem, the input consists of $r \gg 2^{n/3}$ uniform vectors. Similarly to 3-SUM, a simple filtering algorithm has complexity $T = \tilde{O}(N/r)$ for $N^{1/3} \le r \le N^{1/2}$ . The dense 3-XOR problem has various applications in cryptography and cryptanalysis [10, 15, 23, 25, 32]. While mild (logarithmic in N) improvements to the simple filtering algorithm are known [23, 25, 32], any substantial (i.e., polynomial in N) improvement would be considered a breakthrough.

Wagner’s k-tree algorithm. For $k \gt 3$ , the k-tree algorithm of Wagner [36] allows finding a solution to k-XOR in time $T= \tilde{O}(N^{1/(1+\lfloor \log _2 k \rfloor)})$ , when r is of similar size. The generalized algorithm of Minder and Sinclair [30] provides a tradeoff between r and T, for all $N^{1/k} \le r \le N^{1/(1+\lfloor \log _2 k \rfloor)}$ . For the most basic case of $k=4$ , the tradeoff curve is $T=\tilde{O}(N/r^2)$ for $N^{1/4} \le r \le N^{1/3}$ . As was noted in Reference [36], the algorithm is also applicable to the modular k-SUM problem in $\mathbb {Z}_N$ . Similarly, it can be easily modified to work for the average-case variant of k-SUM stated above. For the sake of completeness, we give a high-level overview of the k-tree algorithm and its generalization in Appendix A.

In the 20 years since its introduction, the k-tree algorithm (notably for small k values) has become a central tool in cryptanalysis for solving both dense k-SUM and k-XOR problems (see Reference [23]). Specifically, it is used in breaking hash functions [29, 36], stream ciphers [27], block ciphers [16], signature schemes [7] (where the optimal value of k depends on the amount of available data), and so on. Furthermore, it has found multiple applications that are not directly related to cryptanalysis. Notably, the representation technique [20] crucially relies on variants of the algorithm for small values of k to find one out of many representations of a solution to a problem. This technique gave rise to breakthrough algorithms for solving subset-sum [20, 31] and related problems such as decoding binary linear codes [6].

Finally, the k-tree algorithm is closely related to the Blum-Kalai-Wasserman (BKW) algorithm for solving the LPN (learning parity with noise) problem [8] and its extensions, such as Lyubashevsky’s algorithm [28] (although these use $k = \omega (1)$ ).

In this article, we address the question: Are the best-known algorithms for dense $\mathbf {k}$ -SUM and $\mathbf {k}$ -XOR optimal?

1.2 Our Results

We show that in some of the most basic cases, $k=3,4,5$ , as well as in other settings, the best-known algorithms for k-SUM (respectively, k-XOR) in the dense regime are optimal up to logarithmic factors in the input list size, unless the sparse average-case k-SUM (respectively, k-XOR) conjecture fails.

Informal statement of the main results. Our main theorem for k-SUM is as follows:

Theorem 1.5 (Conditional Dense k-SUM Hardness, Informal)

Assume that any algorithm that solves $(k,N,N^{1/k})$ -SUM with probability $\Omega _k(1)/(\log N)^2$ has expected running time of at least $T = T(N,k)$ .

Then, there is $C=C(k)$ such that for any $0 \le \epsilon \le 1/2$ , any algorithm that solves $(k,N^{\prime },(N^{\prime })^{(1 + \epsilon)/k})$ -SUM with probability $1/2$ has expected running time of at least $C \cdot T((N^{\prime })^{1 + \epsilon }, k) \cdot (N^{\prime })^{- \epsilon }$ .

Remark 1.6.

We make several related remarks about the theorem.

—

While the success probability in the hardness assumption of Theorem 1.5 is slightly smaller than the constant success probability in Conjecture 1.2, disproving this stronger assumption with the same time complexity would be considered a breakthrough (e.g., for cryptanalytic applications).

—

It is possible to amplify the success probability in the hardness assumption from $\Omega _k(1)/(\log N)^2$ to $1/2$ (or any constant) at the cost of increasing the number of input elements r and the expected running time of the algorithm by a factor of $(\log N)^2 \cdot O_k(1)$ . The amplification is obtained by partitioning the elements into disjoint groups of size $N^{1/k}$ and running the algorithm for $(k,N,N^{1/k})$ -SUM on each group independently.

—

The input size of $N^{1/k}$ in the conditional hardness assumption can be adjusted to $C_1 \cdot N^{1/k}$ for any constant $C_1 \gt 0$ . This only requires adjusting the hidden constant behind the success probability $\Omega _k(1)/(\log N)^2$ .

We obtain similar results for k-XOR (with constant success probability in the hardness assumption, as in Conjecture 1.4). Our main theorem for k-XOR is as follows:

Theorem 1.7 (Conditional Dense k-XOR Hardness, Informal)

Assume that any algorithm that solves $(k,N,N^{1/k})$ -XOR with probability $\Omega _k(1)$ has expected running time of at least $T = T(N,k)$ .

Then, there is $C=C(k)$ such that for any $0 \le \epsilon \le 1/2$ , any algorithm that solves $(k,N^{\prime },(N^{\prime })^{(1 + \epsilon)/k})$ -XOR with probability $1/2$ has expected running time of at least $C \cdot T((N^{\prime })^{1 + \epsilon }, k) \cdot (N^{\prime })^{- \epsilon }$ .

Discussion. To better understand the tradeoff obtained by the theorem, set $N^{\prime } = N$ and $T(N,k) = \Omega (N^{\alpha (k) -o(1)})$ (for some function $\alpha (k)$ ). The theorem implies that any algorithm for $(k,N,r)$ -SUM with $r \approx N^{(1 + \epsilon)/k}$ (for $0 \le \epsilon \le 1/2$ ) that succeeds with probability $1/2$ has expected running time of

$\begin{align*} \Omega (N^{(\alpha (k) - o(1))(1 + \epsilon) - \epsilon }) &= \Omega (N^{1 - o(1)} \cdot N^{-1 + \alpha (k) + \epsilon \cdot \alpha (k) - \epsilon }) \\ &= \Omega (N^{1 - o(1)} \cdot N^{(1+\epsilon)(\alpha (k) - 1)}) \\ &= \Omega (N^{1 - o(1)} \cdot r^{k \cdot (\alpha (k) - 1)}). \end{align*}$

Assuming Conjecture 1.2, we plug in $\alpha (k) = \lceil k/2 \rceil / k$ and derive the conditional lower bound

$\begin{equation*} T = \Omega (N^{1 - o(1)} / r^{\lfloor k/2 \rfloor }). \end{equation*}$

Specifically, for $k=3$ , by a slightly stronger variant of the sparse average-case k-SUM conjecture (with the success probability in the hardness assumption adjusted to $\Omega _k(1)/(\log N)^2$ ), we deduce that any algorithm for $(3,N,r)$ -SUM that succeeds with probability $1/2$ has expected running time of $\Omega ({N^{1-o(1)}}/r)$ . We conclude that the tradeoff $T = \tilde{O}(N/r)$ for $N^{1/3} \le r \le N^{1/2}$ obtained by the simple (filtering) sort-and-match algorithm is essentially optimal. Similar tightness holds for the 3-XOR problem.

By a similar calculation for $k=4$ , the (extended) k-tree algorithm (obtaining the tradeoff $T=\tilde{O}(N/r^2)$ ) is essentially optimal, under the sparse average-case k-SUM (respectively, k-XOR) conjecture. Theorems 1.5 and 1.7 yield optimality of the best-known algorithm also for $k=5$ and for part of the range for other values of k. In particular, for even values of k, we conclude that any algorithm for $(k,N,r)$ -SUM (respectively, XOR) that succeeds with probability $1/2$ has expected running time of $T = \Omega (N^{1 - o(1)} / r^{k/2})$ . This essentially matches the extended k-tree algorithm for k values divisible by 4 in the range $N^{1/k} \le r \le N^{4/3k}$ .

We further note that the loss in the reduction provided by the above theorems is almost linear, i.e., a $O_k(1)$ factor for k-XOR and logarithmic in N for k-SUM. This means that for $k = 3,4,5$ any improvement of known algorithms, even by a sufficiently large logarithmic factor in N, can be leveraged through the theorem to obtain a similar improvement in the algorithms for the sparse average-case k-SUM (respectively, k-XOR) problem.

Figure 1 shows our k-SUM and k-XOR density-complexity tradeoff lower bounds compared to the best-known upper bounds for $k = 3,4,8$ (ignoring logarithmic factors).

Fig. 1.

1.3 Our Methods

We achieve our results by a self-reduction from the average-case k-SUM (k-XOR) problem in the sparse regime to the average-case k-SUM (k-XOR) problem in the dense regime. In the following description, we focus on k-XOR, as technical details are simpler for this problem. We then summarize the main different ingredients for k-SUM.

The reduction for k-XOR. The basic observation is that we can generate a dense instance with r input vectors from a sparse instance with r input vectors by truncating the n-bit input vectors to obtain shorter m-bit input vectors for $m \lt n$ . This increases the effective input list size (relative to the vector length) and the number of solutions.

We rewrite our main result in a more convenient form based on this observation by a change of variables for the dense regime:

Theorem 1.8 (Conditional Dense k-XOR Hardness, Informal, Reformulated)

Assume that any algorithm that solves $(k,N=2^n,N^{1/k} = 2^{n/k})$ -XOR with probability $\Omega _k(1)$ has expected running time of at least $T = T(N,k)$ .

Then, there is $C=C(k)$ such that for any $n/2 \le m \le n$ , any algorithm that solves $(k,M = 2^m, 2^{n/k})$ -XOR with probability $1/2$ has expected running time of at least $C \cdot T(2^m,k) \cdot 2^{m - n}$ .

Observe that this is indeed a reformulation of Theorem 1.7, obtained by setting $n^{\prime }=m$ and $n = (1 + \epsilon)m$ (hence, $(N^{\prime })^{- \epsilon } = 2^{- \epsilon n^{\prime } } = 2^{- \epsilon m} = 2^{m - n}$ ).

The basic idea of the reduction is to take the sparse input of r uniform n-bit vectors, generate from it many dense k-XOR inputs of r uniform m-bit vectors, and solve each one using a black-box algorithm B. We then check whether each solution yields a k-XOR solution for the original n-bit vectors. If we could make the input sets of m-bit vectors completely independent, then $O(2^{n-m})$ calls to B would be sufficient (as the probability that a solution for m-bit vectors corresponds to a solution for n-bit vectors is $2^{m-n}$ ), and the assertion of Theorem 1.8 would be achieved. In fact, it is easy to show that pairwise independence suffices. However, one cannot make these input sets pairwise-independent and maintain their relation to the original n-bit vectors at the same time (unless $m \le n/2$ , which is not useful in our case). Thus, even though it is called about $2^{n-m}$ times, B could potentially repeatedly output solutions to dense k-XOR instances that reside in a small set that does not contain any solution to the sparse instance.

We overcome this obstacle by an obfuscation process, which applies to the input vectors two different types of noise consecutively and allows us to achieve almost pairwise independence of B’s outputs even though its inputs are significantly correlated. In the reduction, we are given a sequence $z_1, \ldots , z_r \in \lbrace 0,1\rbrace ^n$ for which we wish to solve the k-XOR problem. We apply the following procedure:

(1)

Draw a uniformly random matrix $T \in \lbrace 0,1\rbrace ^{m \times n}$ of full rank m and a uniformly random permutation P on r elements.

(2)

Let $x_{i} = T(z_{P(i)})$ for all $i \in [r]$ .

(3)

Feed B with $x_1, \ldots , x_r$ . In case it outputs a k-tuple K with $\bigoplus _{i \in K} x_i = 0_m$ , test whether $\mathcal {K} = P(K)$ satisfies $\bigoplus _{j \in \mathcal {K}} z_{j} = 0_n$ , and if so—output the k-tuple $\mathcal {K}$ . Otherwise, repeat.

We prove that after $2^{n-m}$ trials, with probability of $\Omega _k(1)$ , the process outputs a solution of the sparse k-XOR problem. We use discrete Fourier analysis to bound the correlation between B’s outputs.

Remark 1.9.

If we hash down a hard sparse instance to get a dense instance, then clearly any procedure that enumerates all solutions to the dense instance (if there are not too many) is hard as well. However, our reduction does not follow this standard paradigm, as the oracle for the dense instance can only produce a single solution. Thus, we hash the sparse instance down in many different ways and repeatedly invoke the oracle to force it to produce many different potential solutions to the sparse instance.

The reduction for k-SUM. The reduction for k-SUM follows the same general strategy (with modified obfuscation), but its proof is more involved. In particular, in addition to discrete Fourier-analytic techniques, it uses tools from Littlewood-Offord theory [17].

Concisely, the reason for further complexity in the k-SUM case is that there are only a few group-homomorphisms from $\mathbb {Z}_{N}$ to $\mathbb {Z}_{M}$ (that may be used to obfuscate the input), while group-homomorphisms from $\mathbb {F}_2^n$ to $\mathbb {F}_2^m$ are abundant. We now elaborate on this point.

Both k-XOR and k-SUM reductions employ an obfuscation procedure to the input of the sparse problem. For k-XOR, we hash r elements of $\left\lbrace 0,1\right\rbrace ^n$ to r elements of $\left\lbrace 0,1\right\rbrace ^m$ ( $m \lt n$ ), while for k-SUM, we hash r elements of $\mathbb {Z}_{N}$ to r elements of $\mathbb {Z}_{M}$ . Since we are required to pull-back linear information from the output of the process (i.e., a solution to a dense problem) to its input (i.e., solve the sparse problem), it is important that the obfuscation would be linear. However, the class of obfuscation functions must be rich enough to mask additional information that can be exploited by the dense algorithm to output correlated solutions. In the k-XOR case, we make use of a random, rank-m, linear map from $\mathbb {F}_2^n$ to $\mathbb {F}_2^m$ . There are $2^{\Theta (mn)}$ options to choose this linear map. In the k-SUM problem, if we would insist on a (surjective) linear map from $\mathbb {Z}_N$ to $\mathbb {Z}_M$ , then there would be at most M such functions, which gives insufficient obfuscation (in particular, any $x \in \mathbb {Z}_N$ that is divisible by M, would be mapped to 0). Hence, we must settle for a somewhat-linear obfuscation. We choose a function ${\phi }:{\mathbb {Z}_N} \rightarrow {\mathbb {Z}_M}$ of the form

$\begin{equation*} \phi (x) = \gamma \lfloor \alpha \cdot x \cdot M/N \rceil \bmod M, \end{equation*}$

where $\alpha \in \mathbb {Z}_{N}^\ast$ , $\gamma \in \mathbb {Z}_{M}^\ast$ are chosen uniformly at random and $\lfloor \cdot \rceil$ denotes rounding to the nearest integer. This new class of non-strictly-linear obfuscation functions still enables us to pull back a solution from a dense problem to the sparse problem. Moreover, it turns out that this class is rich enough to allow obfuscation. However, proving this latter point is more involved, since the non-linearity of the obfuscation makes the use of Fourier-analytic tools more complex.

1.4 Related Work

Our result is naturally related to three lines of work.

Algorithms for dense k-SUM and k-XOR. The first line of work is the quest for designing better algorithms for generalized birthday problems, where the goal is to find a single k-SUM or k-XOR solution out of many. The systematic analysis of this problem was initiated by Wagner [36] in his k-tree algorithm² and has led to numerous refined algorithms and applications thereof [14, 23, 25, 30, 32].

In this respect, we show that—perhaps surprisingly—the best-known algorithms are essentially optimal for $k=3,4,5$ , unless a standard conjecture in computational complexity fails. Moreover, under similar conjectures, the best-known algorithms for any $k \gt 5$ are essentially optimal for some range of parameters.

Fine-grained complexity. The second related line of work deals with complexity reductions to the k-SUM problem and its variants, which has become a flourishing field of research in the past decade, as part of the fine-grained complexity research direction [35]. Reductions to k-SUM or to k-XOR were shown for problems in computational geometry [4, 18], dynamic algorithms [1, 33], graph algorithms [22, 37], pattern matching [2], and more. In the past few years, such reductions were shown also for several cryptographic problems [5, 19, 24], as part of the emerging fine-grained cryptography research area [13].

Our work provides yet another reduction for a cryptography-related problem, however, the context of reduction in our case is somewhat different. While previous works prove security of (mainly theoretical) classes of cryptographic primitives, based on well-founded hardness assumptions, our work shows a bound on the possible effectiveness of an important class of cryptanalytic algorithms that are widely used for breaking cryptosystems. Thus, our results also have more practical significance.

Asymptotic hardness for dense k-SUM. Finally, a recent work related to ours is the paper cited in Reference [11] by Brakerski, Stephens-Davidowitz, and Vaikuntanathan, which proves asymptotic optimality of the k-tree algorithm for average-case k-SUM (whose complexity is $N^{O(1/\log k)}$ ) by reducing it from worst-case complexity of lattice problems. While Reference [11] is related to our work, the results of the two papers are complementary due to several important differences, which we summarize below.

First, Reference [11] yields asymptotic bounds as $k \rightarrow \infty$ , while our work concentrates on small values of k, which appear in applications of the k-tree algorithm to a different type of cryptanalytic problem. In this respect, our result resolves an open problem stated in Reference [11, Section 1.3], yet our reduction is not from a worst-case problem (due to various technical differences, it is not clear how to combine our techniques with the ones of Reference [11] to obtain a reduction from a worst-case problem). Second, while the bounds of Reference [11] are tight up to a constant multiplicative factor in the exponent, our reduction is tight up to constant (or logarithmic) factors for certain parameter ranges such as $k=3,4,5$ . Third, while the reduction of Reference [11] is from a different problem, involving lattices, our reduction is from a conjecture in the sparse regime to the dense regime of the same problem (i.e., a self-reduction). We note that the density (or size) of the instance also plays a role in Reference [11], as a faster algorithm for sparser k-SUM instances yields a faster algorithm for the corresponding lattice problem. Fourth, in addition to k-SUM, we also obtain conditional hardness results for the k-XOR problem.

In terms of techniques, both papers aim at obtaining “sufficiently different” variants of the same input sample z. However, in Reference [11] these are obtained by re-randomization (repeatedly generating almost independent inputs to the k-SUM algorithm from the same list of vectors), and their independence is proved via the leftover hash lemma [21]. However, our variants are obtained via the obfuscation method described above in which the inputs to the k-SUM algorithm are highly correlated, unlike the setting of Reference [11]. We prove the low correlation of the algorithm’s outputs via discrete Fourier analytic methods.

1.5 Additional Application and Open Problems

Additional application. The security proof of the hash construction T5, recently proposed by Dodis et al. [15], is based on dense 3-XOR and 4-XOR assumptions. Our results directly imply that the security of the construction can be based on standard sparse 3-XOR and 4-XOR assumptions instead of non-standard dense ones. In this sense, our work (in combination with the original security proof of Reference [15]) allows to prove security for a cryptosystem, similarly to References [5, 19, 24], yet this proof is obtained for a practical cryptosystem.

Open problems. The main remaining open problem is to improve our lower bound in the setting of a large k and a large number of solutions, or alternatively, to improve the k-tree algorithm in this range.

The structure of the article. Next, we summarize our notations and conventions. In Section 3, we prove our main result for k-XOR, while in Section 4, we prove our main result for k-SUM.

2 Notations and Conventions

In this section, we introduce notations and conventions that will be used throughout the article.

Notations.

—

$x \sim S$ means that x is a random variable uniformly distributed in the set S.

—

We interchangeably write $\left\lbrace 0,1\right\rbrace$ and $\mathbb {F}_2$ , where $0=1 \oplus 1$ .

—

When $z\in \mathbb {F}_2^{r \times n}$ , $z_{ij}$ denotes the $(i,j)$ ’th entry of z, and $z_i\mathrel {\mathop :}=(z_{i1}, \ldots , z_{in})$ .

—

For $x \in \mathbb {F}_2^{r \times m}$ and a permutation $P \in S_r$ , we denote by $P(x)$ the value $y \in \mathbb {F}_2^{r \times m}$ satisfying $y_{P(i)}=x_i$ for all i.

—

For a linear map ${T}:{\mathbb {F}_2^n} \rightarrow {\mathbb {F}_2^m}$ and for $z\in \mathbb {F}_2^{r \times n}$ , we denote by $T(z)$ the value $x \in \mathbb {F}_2^{r \times m}$ satisfying $x_{i}=T(z_i)$ for all i.

—

$\mathbb {Z}_L$ is the group whose elements are $\lbrace 0,1,\ldots ,L-1\rbrace$ and whose operation is addition modulo L.

—

$a \,\%\,b$ (or $a \bmod b$ ) stands for the single element in $(a + b\mathbb {Z}) \cap [0, b)$ . We switch to this shorter notation in Section 4.3, as it is more convenient to use inside long arithmetic expressions.

—

For a real number u, the rounded value $\lfloor u\rceil$ is the unique integer in $u+(-1/2, 1/2]$ .

—

For functions $f,g: \mathbb {N} \rightarrow \mathbb {R}_+$ and a fixed parameter k, $f=O(g)$ means that $\forall n: f(n) \le Cg(n)$ for an absolute constant C, $f=\tilde{O}(g)$ means that $\forall n: f(n) \le C_1 \cdot (\log n)^{C_2} \cdot g(n)$ for absolute constants $C_1,C_2$ , and $f=O_k(g)$ means that $\forall n: f(n) \le h(k) \cdot g(n)$ for some function $h:\mathbb {N} \rightarrow \mathbb {R}_+$ .

Conventions.

—

Operations within domains. Throughout the article, we consider variables in various domains. For example, when analyzing k-XOR, we consider variables in $\lbrace 0,1\rbrace ^{\ell }$ and $\lbrace 0,1\rbrace ^{r \times \ell }$ for different values of $\ell ,r$ , while for k-SUM, we consider variables in $\mathbb {Z}_L$ and $\mathbb {Z}_L^r$ for different values of $L,r$ . Whenever an operation is applied on two elements of the same domain, the result belongs to the same domain. For example, addition between two elements of $\mathbb {Z}_L$ is always performed modulo L.

—

Names of variables. In the reductions presented in the article, we begin with vectors that belong to a “large” space— $\lbrace 0,1\rbrace ^{r \times n}$ for k-XOR ( $\mathbb {Z}_N^r$ for k-SUM)—and use them to define vectors that belong to a “smaller” space— $\lbrace 0,1\rbrace ^{r \times m}$ for k-XOR ( $\mathbb {Z}_M^r$ for k-SUM).

Throughout the article, vectors that belong to a “large” space are denoted by z, while vectors that belong to a “small” space are denoted by x or y. Auxiliary vectors denoted by u or v may belong to an arbitrary domain, which will be explicitly defined.

—

Inner products. All inner products in Section 3 are between functions $f,g:\lbrace 0,1\rbrace ^{r \times m} \rightarrow \mathbb {R}$ (for a particular choice of m), and consequently, their results belong to $\mathbb {R}$ . Most inner products in Section 4 are between vectors in $\mathbb {Z}_p^r$ (for a particular choice of p), and consequently, their results belong to $\mathbb {Z}_p$ .

3 Hardness of Dense K-XOR

In this section, we prove Theorem 1.7 (or equivalently, Theorem 1.8). The precise formulation of the main theorem is as follows:

Theorem 3.1 (Sparse to Dense k-XOR Reduction)

Let $m,n$ be integers such that $n/2 \le m \le n$ . Assume there is an algorithm for $(k,2^m, 2^{n/k})$ -XOR with success probability $\beta$ and expected running time $\mathcal {T}$ . Then, there is an algorithm for $(k, 2^n, 2^{n/k})$ -XOR with success probability $\frac{\beta ^4}{(16k)^{k+2}}$ and expected running time at most $2^{n-m} \cdot (\mathcal {T}+ \tilde{O}_k(2^{n/k}))$ .

We make a few remarks. First, we work in the standard word RAM computational model, where an operation on each vector (of size $O(n)$ ) takes unit time. However, our results do not change substantially in other standard computational models (e.g., in a model that counts the number of bit operations). Second, when applying the contrapositive of this theorem to prove hardness results for dense k-XOR with $k=O(1)$ and $\beta = 1/2$ to obtain the theorems 1.7 and 1.8, the factor $\tilde{O}_k(2^{n/k})$ in this theorem is bounded by $O_k(\mathcal {T})$ (and hence consumed by the factor $C = C(k)$ of theorems 1.7 and 1.8). Indeed, the input in the $(k,M = 2^m, 2^{n/k})$ -XOR problem already contains $2^{n/k}$ vectors. Finally, the loss factor $\tfrac{\beta ^4}{(16k)^{k+2}}$ in the success probability can be significantly improved by a more refined analysis.

The proof of the theorem is based on two reductions: the main sparse to dense k-XOR reduction and the simple (but inefficient) sparse to dense reduction, which is required for parameter ranges where the main reduction is not applicable. We summarize these reductions in the two lemmas below and prove the simpler lemma first.

Lemma 3.2 (Main k-XOR Reduction)

Let $m,n,r$ satisfy $n/2 \le m \le n \le \log _2 \binom{r}{k}$ . Assume there is an algorithm for $(k,2^m, r)$ -XOR with success probability $\beta$ and expected running time $\mathcal {T}$ . Then, there is an algorithm for $(k, 2^n, r)$ -XOR with success probability

$\begin{equation*} \frac{\beta ^4}{128} \cdot \Big (2^n/\binom{r}{k}\Big)^2 \end{equation*}$

and expected running time at most $2^{n-m} \cdot (\mathcal {T}+ \tilde{O}(r))$ .

Lemma 3.3 (Simple Reduction).

Let $d \gt 0$ by an integer. Assume there is an algorithm for $(k,2^n, d \cdot r)$ -XOR with success probability $\beta$ and expected running time $\mathcal {T}$ . Then, there is an algorithm for $(k, 2^n, r)$ -XOR with success probability at least $\tfrac{\beta }{(2d)^k}$ and expected running time at most $\mathcal {T} + \tilde{O}_k(d \cdot r)$ .

Proof of Lemma 3.3.

Let B be an algorithm for $(k, 2^n, d \cdot r)$ -XOR. We construct an algorithm for $(k, 2^n, r)$ -XOR as follows: Given an instance $z_1,\ldots ,z_r$ , pick $(d-1) \cdot r$ vectors in $\lbrace 0,1\rbrace ^n$ uniformly at random and append them the original instance. Then, apply a uniform permutation to the $d \cdot r$ vectors and run B on this instance. If B succeeds to return a k-XOR, and this k-tuple is included in $z_1,\ldots ,z_r$ , then the algorithm returns it. Otherwise, it fails.

As the input to B is uniformly permuted, the events (1) B succeeds, and (2) the returned k-tuple is included in $z_1,\ldots ,z_r$ , are independent. By assumption, the probability of the first event is $\beta$ . Note that we may assume $r \ge 2k$ , as otherwise, a trivial algorithm for $(k,2^n,r)$ -XOR that goes over all possible k-tuples of input vectors runs in time $O_k(1) \le \mathcal {T}+\tilde{O}_k(d \cdot r)$ . Given that $r \ge 2k$ , the probability of the second event is at least $((r-k)/(d \cdot r - k))^k \ge (2d)^{-k}$ . Thus, the algorithm succeeds with probability at least $\beta /(2d)^k$ . □

We now prove that Theorem 3.1 follows from the lemmas.

Proof of Theorem 3.1.

Our goal is to devise an algorithm for $(k, 2^n, 2^{n/k})$ -XOR given an algorithm B for $(k, 2^m, 2^{n/k})$ -XOR with success probability $\beta$ and expected running time $\mathcal {T}$ .

We first construct an algorithm for $(k, 2^n, 2^{n/k} \cdot k)$ -XOR and then use Lemma 3.3 to sparsify the input.

Clearly, B is also applicable to $(k, 2^m, 2^{n/k} \cdot k)$ -XOR with similar success probability and complexity (by ignoring all but the first $2^{n/k}$ input vectors). Denote $r = 2^{n/k} \cdot k$ and note that as $k! \gt (k/e)^k$ for all k, we have

$\begin{equation*} e^{-k}\binom{r}{k} \le 2^n = (r/k)^k \le \binom{r}{k}. \end{equation*}$

Therefore, based on algorithm B for $(k, 2^m, 2^{n/k} \cdot k)$ -XOR, by Lemma 3.2, there is an algorithm $B_1$ for $(k, 2^n, 2^{n/k} \cdot k)$ -XOR with success probability

$\begin{equation*} \beta _1 = \frac{\beta ^4}{128} \cdot \left(\frac{2^n}{\binom{r}{k}}\right)^2 \ge \frac{\beta ^4}{128 e^{2k}} \end{equation*}$

and expected running time at most $2^{n-m} \cdot (\mathcal {T}+ \tilde{O}_k(2^{n/k}))$ .

Using algorithm $B_1$ for $(k, 2^n, r = 2^{n/k} \cdot k)$ -XOR, Lemma 3.3 (applied with $d = k$ ) implies that there is an algorithm for $(k, 2^n, 2^{n/k})$ -XOR with success probability at least

$\begin{equation*} \frac{\beta _1}{(2d)^k} \ge \frac{\beta ^4}{(16k)^{k+2}} \end{equation*}$

and expected running time at most $2^{n-m} \cdot (\mathcal {T}+ \tilde{O}_k(2^{n/k})) + \tilde{O}_k(k \cdot 2^{n/k}) = 2^{n-m} \cdot (\mathcal {T}+ \tilde{O}_k(2^{n/k}))$ , as claimed. □

3.1 Overview of the Main Reduction Lemma

The proof of the main reduction lemma (Lemma 3.2) is constructive—namely, we construct an algorithm and show that it satisfies the assertion of the lemma. A natural way to solve the sparse k-XOR problem using an oracle for the dense k-XOR problem is to truncate some of the bits. That is, given r vectors, $z_1, \ldots , z_r \in \left\lbrace 0,1\right\rbrace ^n$ , with $2^n \approx r^k$ (so we expect only $\Theta (1)$ solutions), we may feed the oracle with $x_1, \ldots , x_r \in \left\lbrace 0,1\right\rbrace ^m$ , where $x_i$ is obtained from $z_i$ by truncating the last $t\mathrel {\mathop :}=n-m$ bits. In the new problem corresponding to $x_1, \ldots , x_r$ , we expect to have $\Theta (2^t)$ (i.e., many) solutions, and hence the oracle is applicable. A k-tuple output by the dense k-XOR oracle has a probability of $2^{-t}$ to be a solution to the original z-problem (since we truncated exactly t bits, and z is uniformly distributed). Thus, it seems that if we feed the oracle $\Theta (2^t)$ times with truncated inputs, then we expect $\Theta (1)$ out of the $\Theta (2^t)$ output k-tuples to solve the original z-problem, and consequently, solving the x-problem is at most $2^t$ times easier than solving the z-problem.

The flaw in this argument is that we cannot expect the oracle to output a newly forged k-tuple in every application (especially if the oracle is deterministic and is fed with the same inputs in all applications). Hence, although the expected number of solutions we find is $\Theta (1)$ , it might be that we solve the z-problem only with a small probability (e.g., it might be that with a high probability the oracle outputs many identical solutions).

Therefore, we have to trick the oracle so the k-tuples it outputs in the different applications will be pairwise-independent of each other—almost as if we feed it with a fresh uniformly chosen input every time.

For this purpose, we devise a method that receives r vectors in $\left\lbrace 0,1\right\rbrace ^n$ (denoted $z_1,\ldots ,z_r$ ) and randomly obfuscates them, returning r vectors in $\left\lbrace 0,1\right\rbrace ^m$ (denoted $x_1,\ldots ,x_r$ ). This obfuscation meets two criteria:

(1)

A solution to the k-XOR x-problem gives rise to a solution to the k-XOR z-problem with good probability (i.e., $p \approx 2^{-t}$ ).

(2)

The obfuscation is powerful enough to disguise the fact all the x’s are generated from the same z, so each application of the oracle (pairwise) independently has a chance to solve the z-problem.

As we show below, this obfuscation method guarantees that after applying the oracle sufficiently many times on obfuscated x-problems, with a high probability a solution of the original z-problem will be obtained.

Remark 3.4.

The proof crucially relies on the strength of the obfuscation—specifically, on the fact that the probability of outputting the same k-tuple in an iteration pair is $O(2^{-2t})$ . This is the motivation behind using the obfuscation we propose, as weaker obfuscations, such as truncating t randomly chosen bits, have oracles that output the same k-tuple in an iteration pair with probability much higher than $2^{-2t}$ , even if we apply an invertible linear transformation after truncation.

In detail, consider a k-tuple of vectors whose XOR is $v \in \left\lbrace 0,1\right\rbrace ^n$ ( $v \ne 0$ ). Then, the probability that after randomly truncating bits from this k-tuple, they would XOR to 0 is higher for v of low Hamming weight. Now, suppose that there is a vector in the x-problem that belongs to several k-tuples whose XOR has low (non-zero) Hamming weight. Then, the corresponding vector in the z-problem is expected to belong to more k-XORs than the average vector. This vector can thus be singled out by the oracle, which would repeatedly output one of the k-XORs it belongs to (with relatively high probability).

Structure of the proof. First, we present the obfuscation algorithm and the lemma that asserts that it indeed satisfies the aforementioned properties. Then, we prove the main reduction lemma, assuming the obfuscation lemma. Finally, we prove the obfuscation lemma, which is the most complex part of the conditional k-XOR hardness proof.

3.2 The Obfuscation Algorithm

Let $m,n,r$ satisfy $n/2 \le m \le n \le \log _2 \binom{r}{k}$ , and let L be a parameter to be specified below. Let B be an algorithm for $(k,2^m, r)$ -XOR. The algorithm A for $(k,2^n, r)$ -XOR, which receives as input an r-tuple of n-bit vectors $(z_1,\ldots ,z_n) \in \lbrace 0,1\rbrace ^{r \times n}$ , is defined as follows:

Algorithm 3.5.

$\phantom{}$

(1)

Repeat L times:

(2)

Draw a uniformly random full-rank matrix $T \in \mathbb {F}_2^{m \times n}$ (rank $= m$ ) and a uniformly random permutation $P \in S_r$ .

(3)

Let $x_{i} = T(z_{P(i)})$ for all $i \in [r]$ .

(4)

Feed B with $(x_1, \ldots , x_r)$ . In case it outputs a k-tuple K with $\bigoplus _{i \in K} x_i = 0_m$ , test whether $\mathcal {K} = P(K)$ satisfies $\bigoplus _{i \in \mathcal {K}} z_{i} = 0_n$ , and if it does—then output the k-tuple $\mathcal {K}$ . Otherwise, continue.

Thus, we try to solve A’s problem by considering many derived problems (in which we consider only m-bit vectors, instead of n-bit ones), trying to solve these using B, and in case its output solves A’s problem, we output the result. Each of these trials succeeds with some probability, and only one success is required. Repeating this procedure enough times, we are expected to find a solution with reasonable probability—unless failures are correlated. This is where the obfuscation lemma comes into play—it shows the trials are sufficiently independent for A to succeed.

The obfuscation lemma. The heart of the proof is the following lemma:

Lemma 3.6.

Let $(z_1,\ldots ,z_r) \in \lbrace 0,1\rbrace ^{r \times n}$ be chosen uniformly at random. Let $(x_1^{(1)},\ldots ,x_r^{(1)}) \in \lbrace 0,1\rbrace ^{r \times m}$ and $(x_1^{(2)},\ldots ,x_r^{(2)}) \in \lbrace 0,1\rbrace ^{r \times m}$ be obtained from it by the procedure described above (in two out of the L iterations). Let $\mathcal {K}_1, \mathcal {K}_2$ be the two corresponding $\mathcal {K}$ ’s obtained in the process. Then, assuming $t \mathrel {\mathop :}=n-m \le m \le n \le \log _2 \binom{r}{k}$ , we have

$\begin{equation} \Pr [\mathcal {K}_1 = \mathcal {K}_2] \le 2^{2-2t}, \end{equation}$

(1)

where the probability is taken over $z,x^{(1)}, x^{(2)}$ , and B’s randomness.

Note that cases where at least one of $\mathcal {K}_1,\mathcal {K}_2$ is not obtained (that is, when in at least one of the two iterations, Algorithm B fails to find a solution to the $(k,2^m, r)$ -XOR problem) are not counted as equality between $\mathcal {K}_1$ and $\mathcal {K}_2$ .

We note that each of $(x_1^{(1)},\ldots ,x_r^{(1)})$ and $(x_1^{(2)},\ldots ,x_r^{(2)})$ is likely to have about $2^{t}$ solutions to k-XOR, but only $O(1)$ of these are common to both and typically correspond to k-XOR solutions for $(z_1,\ldots ,z_r)$ . Therefore, the lemma essentially asserts that B cannot do much better than output a uniform solution to each x-problem.

3.3 Proof of the Main Reduction Lemma

We prove now that the assertion of Lemma 3.2 follows from Lemma 3.6. The proof is a rather standard probabilistic argument. Afterwards, we present the considerably more complex proof of Lemma 3.6.

Proof of Lemma 3.2, assuming Lemma 3.6

Consider a slightly tweaked obfuscation process that has exactly L iterations (and may output multiple solutions). Clearly, the success probability of the tweaked obfuscation process is identical to the original one, and thus we analyze it instead. For any $1 \le l \le L$ , let $\mathcal {K}_l$ be the k-tuple obtained in the l’s iteration ( $\mathcal {K}_l$ exists only when B succeeds, i.e., with probability $\beta$ ). Denote by $S_l$ the event that $\mathcal {K}_l$ admits a solution to the $(k, 2^n, r)$ -XOR problem. We have $\Pr [S_l]= 2^{m-n}\beta$ for each $l = 1,\ldots ,L$ , since z is uniformly random, and m out of the n dimensions of $\bigoplus _{i \in \mathcal {K}_l} z_i$ are known to nullify, independently of the other, beforehand-erased, $n - m$ dimensions. (In other words, we know that $\bigoplus _{i \in \mathcal {K}_l} z_i$ belongs to the kernel of a randomly chosen full-rank linear transformation $T:\mathbb {F}_2^{n} \rightarrow \mathbb {F}_2^m$ , and hence, $\Pr [\bigoplus _{i \in \mathcal {K}_l} z_i=0_n]=2^{m-n}$ .)

Define the random variables

$\begin{equation*} Z^{\prime } \mathrel {\mathop :}=\sum _{l=1}^{L} \mathbb {1}\lbrace S_l\rbrace -\sum _{1 \le l \lt l^{\prime } \le L} \mathbb {1}\lbrace \mathcal {K}_l = \mathcal {K}_{l^{\prime }}\rbrace , \qquad Z \mathrel {\mathop :}=\max (Z^{\prime }, 0), \end{equation*}$

where $\mathbb {1}\lbrace E\rbrace$ is the indicator of the event E. A simple inclusion-exclusion-like principle shows that $Z^{\prime }$ lower bounds the number of distinct solutions found for the $(k, 2^n, r)$ -XOR problem in (tweaked) Algorithm 3.5. As the number of solutions is non-negative, Z lower bounds it as well. The Paley-Zygmund inequality [9, chapter 2], applied for the non-negative random variable Z, implies

$\begin{equation*} \Pr [Z \gt 0] \ge \frac{{\mathbb {E}}[Z]^2}{{\mathbb {E}}[Z^2]}. \end{equation*}$

Since $\Pr [Z \gt 0]$ lower bounds the probability that (tweaked) Algorithm 3.5 solves the $(k, 2^n, r)$ -XOR problem, our task is reduced to lower bounding ${\mathbb {E}}[Z]^2$ and upper bounding ${\mathbb {E}}[Z^2]$ . The value of ${\mathbb {E}}[Z]$ is easily bounded as

$\begin{equation*} {\mathbb {E}}[Z] \ge {\mathbb {E}}[Z^{\prime }] = \sum _{l=1}^{L} \Pr [S_l] - \sum _{1 \le l \lt l^{\prime } \le L} \Pr [\mathcal {K}_l = \mathcal {K}_{l^{\prime }}]. \end{equation*}$

Using ${\mathbb {E}}[S_l] = 2^{m-n} \beta$ and Lemma 3.6, we obtain ${\mathbb {E}}[Z] \ge L\cdot 2^{m-n}\beta - \binom{L}{2} 2^{2(1+m-n)}$ . We choose $L=\beta \cdot 2^{n-m-2}$ and obtain

$\begin{equation*} {\mathbb {E}}[Z]\ge \beta ^2/8. \end{equation*}$

We henceforth upper bound ${\mathbb {E}}[Z^2]$ . Let D be the number of distinct k-tuples $T\subseteq [r]$ with $\bigoplus _{i \in T} z_i = 0_n$ (that is, the number of actual solutions for the $(k, 2^n, r)$ -XOR problem in the set $\lbrace z_1,\ldots ,z_r\rbrace$ ). Since Z is not larger than the number of solutions found in (tweaked) Algorithm 3.5, we have $Z \le D$ , and in particular, ${\mathbb {E}}[Z^2] \le {\mathbb {E}}[D^2]$ .

Note that for different k-tuples $T, T^{\prime }$ , the events $\bigoplus _{i \in T} z_i = 0_n$ and $\bigoplus _{i \in T^{\prime }} z_i = 0_n$ are independent, and each of them has probability $2^{-n}$ . Hence,

$\begin{equation*} {\mathbb {E}}[D^2] = \binom{r}{k}2^{-n} + \binom{r}{k} \left(\binom{r}{k} - 1 \right) 2^{-2n} \le \binom{r}{k}^2 2^{1-2n}, \end{equation*}$

where the ultimate inequality holds, since $\binom{r}{k} \ge 2^n$ by assumption. Therefore, the algorithm succeeds with probability at least

$\begin{equation*} \Pr [Z \gt 0] \ge \frac{{\mathbb {E}}[Z]^2}{{\mathbb {E}}[D^2]} \ge \frac{\beta ^4}{128 \binom{r}{k}^2 2^{-2n}}. \end{equation*}$

The running time of Algorithm 3.5 (including the $\widetilde{O}(r)$ additional overhead of each iteration) is

$\begin{equation*} L \cdot \left(\mathcal {T} + \widetilde{O}(r)\right) \le 2^{n-m} \cdot \left(\mathcal {T}+\widetilde{O}(r)\right). \end{equation*}$

This completes the proof of the lemma. □

3.4 Proof of the Obfuscation Lemma

In this section, we prove Lemma 3.6. We start by introducing a distribution that models two independent outputs of the obfuscation process and restate the obfuscation lemma.

Definition 3.7.

We say that a pair of random variables $(x^{(1)},x^{(2)})$ , each taking values in $\mathbb {F}_2^{r \times m}$ , has an $(m,r,t)$ -distribution if there exist random variables $z,\, T^{(j)}$ for $j \in \lbrace 1,2\rbrace$ where:

(1)

$z,\, T^{(1)},\, T^{(2)}$ , are independent random variables.

(2)

$z\sim \mathbb {F}_2^{r \times (m+t)}$ is uniformly distributed.

(3)

${T^{(j)}}:{\mathbb {F}_2^{m+t}} \rightarrow {\mathbb {F}_2^m}$ is a uniformly random, full-rank (i.e., rank $=m$ ), linear transformation.

(4)

$x^{(j)}_i = T^{(j)}(z_i)$ .

Lemma 3.8.

Let B be an algorithm that receives as input a list of r vectors, each of length m bits, and outputs the indices of $k\gt 0$ vectors among them whose XOR is $0_m$ (or a failure string). If $(x,y)$ has an $(m,r,t)$ -distribution, and $P,Q\sim S_r$ are two uniformly random and independent permutations, then

$\begin{equation} \Pr [P^{-1}(B(P(x))) = Q^{-1}(B(Q(y)))] \le 2^{-2t} + \frac{2^{m-t}}{\binom{r}{k}} + 2^{-t+1-m}, \end{equation}$

(2)

where the probability is taken over B’s randomness, $x,y$ and $P,Q$ (the event on the left-hand side is contained in the event that both executions $B(P(x))$ , $B(Q(y))$ succeed).

Notice that Lemma 3.6 immediately follows from Lemma 3.8 (compare Equation (1) with Equation (2)).

3.4.1 Proof Outline.

The proof of Lemma 3.8 uses techniques from discrete Fourier analysis and consists of several steps.

(1)

Transformation to real-valued functions. We show that instead of analyzing the obfuscation on a tuple-valued function, it is sufficient to analyze its action on the simpler class of real-valued functions. We utilize the fact that our obfuscation randomly permutes the input vectors, so any oracle ${B}:{\left\lbrace 0,1\right\rbrace ^{r\times m}} \rightarrow {\binom{[r]}{k}}$ must, informally, treat all candidate output k-tuples in the same way. Hence, it suffices to analyze the modified, real-valued, oracle ${B^{\prime }}:{\left\lbrace 0,1\right\rbrace ^{r\times m}} \rightarrow {[0,1]}$ , which indicates the probability that B outputs the specific k-tuple $K \mathrel {\mathop :}=\lbrace 1,\ldots ,k\rbrace$ when applied on its input. Specifically, our task is reduced to showing that

$\begin{equation} {\mathbb {E}}[B^{\prime }(y) B^{\prime }(y^{\prime })] \le O_k(2^{-2t} / r^k), \end{equation}$

(3)

where $y, y^{\prime }$ are two independent obfuscations of a common, random, $z\in \left\lbrace 0,1\right\rbrace ^{r\times n}$ .

(2)

Bounding the correlation using discrete Fourier analysis. To prove Equation (3), we consider the Fourier expansion of $B^{\prime }$ , namely,

$\begin{equation*} B^{\prime }=\sum \widehat{B}^{\prime }(S) \chi _S, \qquad \mbox{where} \qquad \chi _S(v) = (-1)^{\sum _{i \in S}v_i}. \end{equation*}$

We divide the Fourier expansion into two parts—the Cartesian part

$\begin{equation*} (B^{\prime })^C = \sum _{\lbrace S = U \times V: U \subseteq [r], V \subseteq [m]\rbrace } \widehat{B^{\prime }}(S)\chi _S, \end{equation*}$

and the non-Cartesian part $(B^{\prime })^{\perp }=B^{\prime }-(B^{\prime })^C$ (which is orthogonal to $(B^{\prime })^C$ ). Informally, the contribution of the Cartesian part to the correlation corresponds to the information on aligned XORs of variables (such as $(z_{1,2} \oplus z_{1,3}) \oplus (z_{4,2} \oplus z_{4,3})$ ) preserved between the two obfuscations, while the contribution of the non-Cartesian part carries the rest of the information. Then, we handle each part of the correlation separately:

(a)

Obfuscation hides everything but aligned XORs. We show that for any function $B^{\prime }$ , the obfuscation reduces the contribution to the left-hand side of Equation (3), associated with the non-Cartesian part, to at most $2^{-2t}$ . This argument depends only on the obfuscation and does not rely on the specific problem we try to solve.

(b)

Aligned XORs do not reveal much. We show that in the case of the k-XOR problem, the contribution of the Cartesian part is also small. Here, we use the specific structure of the problem—specifically, the set $\lbrace x:B^{\prime }(x) \gt 0\rbrace$ being small and admitting a nice algebraic structure (namely, $B^{\prime }(x)=0$ whenever $\bigoplus _{i=1}^k x_i \ne 0_m$ ).

Combination of the two bounds completes the proof.

3.4.2 Transformation to Real-valued Functions.

Lemma 3.9.

Let ${B}:{\left\lbrace 0,1\right\rbrace ^{r\times m}} \rightarrow {\binom{[r]}{k}}$ be an algorithm that outputs either a k-tuple R with $\bigoplus _{i \in R} x_i = 0_m$ , or a failure string. Let $K \mathrel {\mathop :}=\lbrace 1,\ldots , k\rbrace$ and define ${B^{\prime }}:{\left\lbrace 0,1\right\rbrace ^{r\times m}} \rightarrow {[0,1]}$ by

$\begin{equation} B^{\prime }(x) = {\mathbb {E}}_{\begin{array}{c}P \sim S_r \\ \bar{T} \sim GL_m(\mathbb {F}_2)\end{array}}\left[ \mathbb {1}\lbrace B(\bar{T}(P(x))) = P(K)\rbrace \right], \end{equation}$

(4)

where $P \sim S_r$ is a uniformly random permutation, and $\bar{T} \sim GL_m(\mathbb {F}_2)$ is a uniformly random invertible linear map. The expectation in Equation (4) is taken also over B’s randomness. Then,

$\begin{equation} \bigoplus _{i \in K} x_i \ne 0 \ \Rightarrow \ B^{\prime }(x) = 0, \end{equation}$

(5)

$\begin{equation} {\mathbb {E}}_x[B^{\prime }(x)] \le 1/\binom{r}{k}, \end{equation}$

(6)

and if $(x,y)$ has an $(m,r,t)$ -distribution and $P,Q \sim S_r$ are independent, then

$\begin{equation} \Pr [P^{-1}(B(P(x))) = Q^{-1}(B(Q(y)))] = \binom{r}{k} {\mathbb {E}}_{x,y}[B^{\prime }(x) B^{\prime }(y)]. \end{equation}$

(7)

Remark 3.10.

We note that while the obfuscation algorithm uses a full-rank shrinking transformation T from $\mathbb {F}_2^{m+t}$ to $\mathbb {F}_2^m$ , this transformation does not appear explicitly in Lemma 3.9. Instead, it appears implicitly via the assumption that $(x,y)$ has an $(m,r,t)$ -distribution (made just before Equation (7)) and plays a central role in the proof of Equation (7).

Proof.

To show Equation (5) note that if $\bigoplus _{i \in K} x_i \ne 0,$ then B cannot output $P(K)$ on the input $\bar{T}(P(x))$ , by our assumption on B, and $\bar{T}$ being invertible. Hence, $B^{\prime }(x) = 0$ in such a case.

To verify Equation (6), denote $x^{\prime } = \bar{T}(P(x))$ and observe that when $x \sim \lbrace 0,1\rbrace ^{r \times m}$ , we have $x^{\prime } \sim \lbrace 0,1\rbrace ^{r \times m}$ independently of P. Hence, by interchanging order of summation,

$\begin{align*} {\mathbb {E}}_{x}[B^{\prime }(x)] &= {\mathbb {E}}_{P,\bar{T}}[{\mathbb {E}}_{x}[\mathbb {1}\lbrace B(\bar{T}(P(x))) = P(K)\rbrace ]] = {\mathbb {E}}_{P,\bar{T}}[{\mathbb {E}}_{x^{\prime }}[\mathbb {1}\lbrace B(x^{\prime }) = P(K)\rbrace ]] \\ &= {\mathbb {E}}_{x^{\prime }}[{\mathbb {E}}_{P}[\mathbb {1}\lbrace B(x^{\prime }) = P(K)\rbrace ]] \le 1/\binom{r}{k}, \end{align*}$

where the latter inequality holds, because for any fixed $x^{\prime }$ , $P(K)$ attains the value of $B(x^{\prime })$ with probability at most $1/\binom{r}{k}$ .

To prove Equation (7), we reason about ${\mathbb {E}}_{x,y}[B^{\prime }(x) B^{\prime }(y)]$ . Observe that for any $K^{\prime } \subseteq [r]$ with $|K^{\prime }| = k$ , the function $B^{\prime }_{K^{\prime }}$ defined by $B^{\prime }_{K^{\prime }}(x) = {\mathbb {E}}_{P,\bar{T}}[\mathbb {1}\lbrace B(\bar{T}(P(x))) = P(K^{\prime })\rbrace ]$ satisfies

$\begin{equation} {\mathbb {E}}_{x,y}[B^{\prime }_{K^{\prime }}(x) B^{\prime }_{K^{\prime }}(y)] = {\mathbb {E}}_{x,y}[B^{\prime }(x) B^{\prime }(y)]. \end{equation}$

(8)

Indeed, let $R \in S_r$ be such that $R(K) = K^{\prime }$ . As $(R(x), R(y))$ has the same distribution as $(x, y)$ , we have

$\begin{equation*} \begin{aligned}\mathbb {E}_{x,y}[B^{\prime }_{K^{\prime }} & (x) B^{\prime }_{K^{\prime }}(y)] = \mathbb {E}_{x,y}[B^{\prime }_{K^{\prime }}(R(x)) B^{\prime }_{K^{\prime }}(R(y))] \\ & = {\mathbb {E}}_{x,y}\big [{\mathbb {E}}_{P^{\prime }, \bar{T}^{\prime }}[\mathbb {1}\lbrace B(\bar{T}^{\prime }(P^{\prime }R(x)))=P^{\prime }(K^{\prime })\rbrace ] {\mathbb {E}}_{P^{\prime \prime }, \bar{T}^{\prime \prime }}[\mathbb {1}\lbrace B(\bar{T}^{\prime \prime }(P^{\prime \prime }R(y)))=P^{\prime \prime }(K^{\prime })\rbrace ]\big ] \\ & = {\mathbb {E}}_{x,y}\big [{\mathbb {E}}_{P^{\prime }, \bar{T}^{\prime }}[\mathbb {1}\lbrace B(\bar{T}^{\prime }(P^{\prime }(x)))=P^{\prime }R^{-1}(K^{\prime })\rbrace ] {\mathbb {E}}_{P^{\prime \prime }, \bar{T}^{\prime \prime }}[\mathbb {1}\lbrace B(\bar{T}^{\prime \prime }(P^{\prime \prime }(y)))=P^{\prime \prime }R^{-1}(K^{\prime })\rbrace ]\big ] \\ & = {\mathbb {E}}_{x,y}[B^{\prime }(x) B^{\prime }(y)]. \end{aligned} \end{equation*}$

Notice that if $(x,y)$ has an $(m,r,t)$ -distribution, and $\bar{T}^{\prime },\bar{T}^{\prime \prime } \sim GL_m(\mathbb {F}_2)$ are uniformly random invertible linear maps independent of all other variables, then $(\bar{T}^{\prime }(x), \bar{T}^{\prime \prime }(y))$ has an $(m,r,t)$ -distribution as well. We verify Equation (7):

$\begin{equation*} \begin{aligned}\Pr _{x,y,P,Q} \big [P^{-1}(B(P(x))) & = Q^{-1}(B(Q(y)))\big ] \\ &= \sum _{K^{\prime }} {\mathbb {E}}_{x,y,P,Q}\big [\mathbb {1}\lbrace P^{-1}(B(P(x)))=K^{\prime }\rbrace \mathbb {1}\lbrace Q^{-1}(B(Q(y)))=K^{\prime }\rbrace \big ] \\ &= \sum _{K^{\prime }} {\mathbb {E}}_{x,y,P,Q,\bar{T}^{\prime }, \bar{T}^{\prime \prime }}\big [\mathbb {1}\lbrace P^{-1}(B(P(\bar{T}^{\prime }(x))))=K^{\prime }\rbrace \mathbb {1}\lbrace Q^{-1}(B(Q(\bar{T}^{\prime \prime }(y))))=K^{\prime }\rbrace \big ] \\ &= \sum _{K^{\prime }} {\mathbb {E}}_{x,y}\big [B^{\prime }_{K^{\prime }}(x) B^{\prime }_{K^{\prime }}(y)\big ] \\ &= \binom{r}{k} {\mathbb {E}}_{x,y} \big [ B^{\prime }(x) B^{\prime }(y) \big ], \end{aligned} \end{equation*}$

where the penultimate equality holds, since P (respectively Q) commutes with $\bar{T}^{\prime }$ (respectively, $\bar{T}^{\prime \prime }$ ), and the ultimate equality uses Equation (8). □

3.4.3 Obfuscation Hides Everything but Aligned XORs.

We begin with the standard definition of the Fourier-Walsh expansion of functions on the discrete cube, adapted to our setting.

Definition 3.11 (Fourier Expansion).

Given $S \subseteq [r] \times [m]$ , define ${\chi _{S}}:{\left\lbrace 0,1\right\rbrace ^{r\times m}} \rightarrow {\left\lbrace -1,1\right\rbrace }$ by $\chi _S(x) = (-1)^{\sum _{(i, j) \in S} x_{i,j}}$ . The set $\lbrace \chi _S\rbrace _{S \subseteq [r]\times [m]}$ is an orthonormal basis for the set of functions $\left\lbrace f\,\middle |\, {f}:{\left\lbrace 0,1\right\rbrace ^{r\times m}} \rightarrow {\mathbb {R}}\right\rbrace$ , with respect to the standard inner product $\langle f,g \rangle = {\mathbb {E}}_{x\sim \left\lbrace 0,1\right\rbrace ^{r\times m}}[f(x)g(x)]$ . Hence, each ${f}:{\left\lbrace 0,1\right\rbrace ^{r\times m}} \rightarrow {\mathbb {R}}$ can be decomposed to

$\begin{equation*} f = \sum _{S \subseteq [r] \times [m]} \widehat{f}(S) \chi _S, \end{equation*}$

where $\widehat{f}(S) = \langle f,\chi _S \rangle$ , and in particular, $\widehat{f}(\emptyset) = \mathbb {E}[f]$ .

Definition 3.12 (Cartesian Decomposition).

Given $S \subseteq [r] \times [m]$ , we call S a Cartesian product if there exist $U \subseteq [r]$ and $V \subseteq [m]$ such that $S = U \times V$ .

The Fourier expansion allows decomposing any function ${f}:{\left\lbrace 0,1\right\rbrace ^{r\times m}} \rightarrow {\mathbb {R}}$ into Cartesian and non-Cartesian parts:

$\begin{equation*} f = f^{C} + f^{\perp } = \left(\sum _{S\text{ Cartesian product}} \widehat{f}(S) \chi _S \right) + \left(\sum _{S\text{ non Cartesian product}} \widehat{f}(S) \chi _S\right), \end{equation*}$

where $\langle f^{C}, f^{\perp } \rangle = 0$ .

Definition 3.13 (Cartesian Functions).

A function ${f}:{\left\lbrace 0,1\right\rbrace ^{r\times m}} \rightarrow {\mathbb {R}}$ is called a Cartesian function if $f=f^C$ .

Lemma 3.14.

Let ${f}:{\left\lbrace 0,1\right\rbrace ^{r\times m}} \rightarrow {\mathbb {R}}$ . Suppose $(x, y)$ has an $(m,r,t)$ -distribution. Then

$\begin{equation*} \text{Cov}(f(x), f(y)) \le 2^{-t} \left\Vert {f^{C}}\right\Vert _2^2 + 2^{-2t} \left\Vert {f^{\perp }}\right\Vert _2^2. \end{equation*}$

Recall that the goal of the obfuscation process is to reduce the correlation between different obfuscations of the same input z (which correspond to different iterations of Algorithm 3.5 described above) to $O_k(1) \cdot 2^{-2t}$ . In this respect, the lemma asserts that the obfuscation hides the non-Cartesian part, which corresponds to everything except for aligned XORs (that is, expressions of the form $\bigoplus _{i \in I} \bigoplus _{j \in J} x_{i,j}$ ).

Proof.

Write $f = \sum _{S} \widehat{f}(S) \chi _S$ . We have

$\begin{equation} \begin{aligned}\text{Cov}(f(x), f(y)) &= {\mathbb {E}}_{(x,y)}\left[\left(\sum _{S} \widehat{f}(S) \chi _S(x)\right) \left(\sum _{S^{\prime }} \widehat{f}(S^{\prime }) \chi _{S^{\prime }}(y)\right)\right] - {\mathbb {E}}[f]^2 \\ & = {\mathbb {E}}\left[\sum _{S, S^{\prime }} \widehat{f}(S) \widehat{f}(S^{\prime }) \chi _S(x) \chi _{S^{\prime }}(y) \right] - {\mathbb {E}}[f]^2 \\ & \le \sum _{S} \widehat{f}(S)^2 \left(\sum _{S^{\prime }} \big |{\mathbb {E}}\big [ \chi _S(x) \chi _{S^{\prime }}(y) \big ] \big | \right) - \widehat{f}(\emptyset)^2, \end{aligned} \end{equation}$

(9)

where the last step uses the inequality $\widehat{f}(S) \widehat{f}(S^{\prime }) \le (\widehat{f}(S)^2+\widehat{f}(S^{\prime })^2)/2$ , applied for all $S,S^{\prime }$ .

In order to analyze ${\mathbb {E}}\big [ \chi _S(x) \chi _{S^{\prime }}(y) \big ]$ , let us recall how $(x,y)$ is distributed according to Definition 3.7. We draw a uniformly random $z\sim \mathbb {F}_2^{r\times (m+t)}$ and two uniformly random rank-m linear maps ${T_1, T_2}:{\mathbb {F}_2^{m+t}} \rightarrow {\mathbb {F}_2^m}$ and define $(x, y) = (T_1(z), T_2(z))$ .

Observe that there exist linear maps $T^{\ast }_1, T^{\ast }_2: (\mathbb {F}_2^{m})^{\ast } \rightarrow (\mathbb {F}_2^{m+t})^{\ast }$ such that for each $S=(S_1,\ldots ,S_r) \subseteq [r] \times [m]$ , we have

$\begin{equation*} \chi _S(x)=\chi _S(T_1(z))=\chi _{T^{\ast }_1 S}(z) \qquad \mbox{and} \qquad \chi _S(y)=\chi _S(T_2(z))=\chi _{T^{\ast }_2 S}(z), \end{equation*}$

where the $S_i$ ’s are regarded as elements of $(\mathbb {F}_2^{m})^{\ast } \cong \mathbb {F}_2^{m}$ .

Formally, consider the dual linear maps $T^{\ast }_1, T^{\ast }_2: (\mathbb {F}_2^{m})^{\ast } \rightarrow (\mathbb {F}_2^{m+t})^{\ast }$ , defined by

$\begin{equation*} T^{\ast }_l(f)(a) \mathrel {\mathop :}=f(T_l(a)),\qquad l=1,2 \end{equation*}$

where ${f}:{\mathbb {F}_2^m} \rightarrow {\mathbb {F}_2}$ is a linear functional, and $a \in \mathbb {F}_2^{m+t}$ is a vector. (Matrix-wise, the representing matrix of $T^{\ast }_l$ according to the (dual) standard basis is the transpose of the representing matrix of $T_l$ in the standard basis.) Note that each $S \subseteq [r] \times [m]$ naturally corresponds to an r-tuple of linear functionals $(S_1, \ldots , S_r)$ , where $S_i(b)=\bigoplus _{j=1}^{m} (b_j \cdot \mathbb {1}\lbrace (i,j) \in S\rbrace)$ for any $b \in \mathbb {F}_2^m$ . Thus, we may slightly abuse notation and write $S=(S_1,\ldots ,S_r)$ and, subsequently, define $T^{\ast }_l(S) = (T^{\ast }_l(S_1), \ldots , T^{\ast }_l(S_r))$ and regard its outputs as elements of $[r] \times [m+t]$ .

Since for each $S=(S_1,\ldots ,S_r)$ , we have $\chi _S(x)=\chi _S(T_1(x))=\chi _{T^{\ast }_1 S}(z)$ and $\chi _{S^{\prime }}(y)=\chi _{T^{\ast }_2 S^{\prime }}(z)$ as was written above, and since ${\mathbb {E}}[\chi _{A}(z) \chi _{B}(z)] = \mathbb {1}\lbrace A=B\rbrace$ , we can write Equation (9) as

$\begin{align*} \text{Cov}(f(x), f(y)) &\le \sum _{S} \widehat{f}(S)^2 \left(\sum _{S^{\prime }} \left|{\mathbb {E}}_{T_1,T_2}{\mathbb {E}}_{z} \left[ \chi _{T^{\ast }_1 S}(z) \chi _{T^{\ast }_2 S^{\prime }}(z) \right] \right| \right) - \widehat{f}(\emptyset)^2 \\ &\le \sum _{S} \widehat{f}(S)^2 \left(\sum _{S^{\prime }} \Pr \left[T_1^{\ast }(S) = T_2^{\ast }(S^{\prime })\right] \right) - \widehat{f}(\emptyset)^2. \end{align*}$

Noting that $T_2^{\ast }$ is injective (as $T_2$ is of full rank, and duality preserves rank), we conclude

$\begin{equation*} \text{Cov}(f(x), f(y)) \le \sum _{S \ne \emptyset } \widehat{f}(S)^2 \Pr \left[T_1^{\ast }(S) \in \mathrm{Im}(T_2^{\ast })\right] = \sum _{S \ne \emptyset } \widehat{f}(S)^2 \Pr \left[ \bigwedge _{i=1}^r \left[T_1^{\ast }(S_i) \in \mathrm{Im}(T_2^{\ast })\right]\right]. \end{equation*}$

To see that $\Pr [T_1^{\ast }(S) \in \mathrm{Im}(T_2^{\ast })] \le 2^{-t}$ for all $S \ne \emptyset$ , choose a nonempty row $S_i$ in S, and observe that the probability $\Pr [T_1^{\ast }(S_i) \in \mathrm{Im}(T_2^{\ast })]$ is the same as the probability that a specific non-zero vector in $\mathbb {F}_2^{m+t}$ is inside a random subspace of $\mathbb {F}_2^{m+t}$ of dimension m. This probability is $\frac{2^m-1}{2^{m+t}-1} \le 2^{-t}$ .

We furthermore claim that $\Pr [T_1^{\ast }(S) \in \mathrm{Im}(T_2^{\ast })] \le 2^{-2t}$ whenever S is not a Cartesian product. Indeed, if we choose two different nonempty “rows” $S_i$ , $S_j$ of S (which is possible, as S is not a Cartesian product), then the probability $\Pr [T_1^{\ast }(S) \in \mathrm{Im}(T_2^{\ast })]$ is upper bounded by the probability that both $T_1^{\ast }(S_i) \in \mathrm{Im}(T_2^{\ast })$ and $T_1^{\ast }(S_j) \in \mathrm{Im}(T_2^{\ast })$ . Since $T_1^{\ast }(S_i)$ , $T_1^{\ast }(S_j)$ are distinct, the aforementioned probability is $\frac{2^m-1}{2^{m+t}-1} \cdot \frac{2^m-2}{2^{m+t}-2} \le 2^{-2t}$ . Overall,

$\begin{equation*} \begin{aligned}\text{Cov}(f(x), f(y)) &\le 2^{-t} \sum _{S\text{ Cartesian}} \widehat{f}(S)^2 + 2^{-2t} \sum _{S\text{ not Cartesian}} \widehat{f}(S)^2 \\ & = 2^{-t} \left\Vert {f^{C}}\right\Vert _2^2 + 2^{-2t} \left\Vert {f^{\perp }}\right\Vert _2^2, \end{aligned} \end{equation*}$

where the ultimate equality uses Parseval’s identity. This completes the proof. □

3.4.4 Aligned XORs Do Not Reveal Much.

Lemma 3.15.

Let ${B^{\prime }}:{\left\lbrace 0,1\right\rbrace ^{r\times m}} \rightarrow {\left[0,1\right]}$ have ${\mathbb {E}}_x[B^{\prime }(x)]=\mu$ . Suppose $B^{\prime }(x)=0$ whenever $\bigoplus _{i=1}^{k} x_i \ne 0_m$ ( $k \gt 0$ ). Then

$\begin{equation*} \left\Vert {(B^{\prime })^C}\right\Vert _2^2 \le 2^m \mu ^2 + 2^{1-m} \mu . \end{equation*}$

Proof.

Write $f(x) = \mathbb {1}\lbrace \bigoplus _{i=1}^k x_i = 0\rbrace$ and $B^{\prime }(x) = f(x) \cdot g(x)$ , where $g(x)$ does not depend on $x_1$ . This is possible, since we may restrict our attention to those x with $\bigoplus _{i=1}^k x_i = 0$ ( $B^{\prime }$ and f are zero elsewhere), and for such values of x, the value of $x_1$ can be inferred from $x_2,\ldots , x_k$ .

Consider the expansion $B^{\prime } = \sum _{S \subseteq [r]\times [m]} \alpha _S \chi _S$ . One can easily verify that the Fourier expansion of f is

$\begin{equation*} f = \sum _{U} \beta _U \chi _U, \qquad \mbox{where} \qquad \beta _U = {\left\lbrace \begin{array}{ll} 2^{-m}, & \qquad U=[k] \times U^{\prime }, U^{\prime } \subseteq [m] \\ 0, & \qquad otherwise. \end{array}\right.} \end{equation*}$

Denote the Fourier expansion of g by $g = \sum _{V \subseteq ([r]\setminus \lbrace 1\rbrace) \times [m]} \gamma _V \chi _V$ .

Since $B^{\prime }=f \cdot g$ , for any S, we have $\alpha _S = \sum _{U \triangle V = S} \beta _U \gamma _V$ . We claim that for any S, this sum consists of a single term, that is, $\alpha _S = \beta _{U_0} \gamma _{V_0}$ for some unique pair $(U_0,V_0)$ with $S = U_0 \triangle V_0$ . To see this, assume $U \triangle V=S$ and $\beta _U, \gamma _V \ne 0$ . Since g does not depend on $x_1$ , V does not contain elements of the form $(1, i)$ . Hence, given S, we may decode U as $U = [k] \times U^{\prime }$ , where $U^{\prime } = \lbrace i: (1,i) \in S\rbrace$ (recall U is Cartesian, as otherwise $\beta _U=0$ ). Since we unambiguously determine U, we uniquely determine $V = S \triangle U$ .

Let us now compute $\left\Vert {(B^{\prime })^C}\right\Vert _2^2 = \sum _{S\text{ Cartesian}} \alpha _S ^ 2$ . Write each $\alpha _S$ as $\beta _U \gamma _V$ . We split the total contribution of the terms $\alpha _S^2 = (\beta _U \gamma _V)^2$ to $\sum \alpha _S^2$ into two cases, depending on V.

Case 1: $V = \emptyset$ . Observe that

$\begin{equation*} \gamma _V = {\mathbb {E}}[g] = 2^m \mu . \end{equation*}$

To see this, fix a value $x_2^0,x_3^0,\ldots ,x_r^0$ and let $x_1^0$ be such that $\bigoplus _{i=1}^k x_i^0 = 0_m$ . Since g does not depend on $x_1$ , then for any $x_1$ , we have

$\begin{equation*} g\left(x_1,x_2^0,\ldots ,x_r^0\right)=g \left(x_1^0,x_2^0,\ldots ,x_r^0\right)=B^{\prime }\left(x_1^0,x_2^0,\ldots ,x_r^0\right). \end{equation*}$

However, $B^{\prime }(x_1,x_2^0,\ldots ,x_r^0)=0$ for any $x_1 \ne x_1^0$ (as $B^{\prime }(x)=0$ for every x s.t. $\bigoplus _{i=1}^k x_i \ne 0_m$ ). Hence, each value x with $B^{\prime }(x) \ne 0$ corresponds to exactly $2^m$ values $x^{\prime }$ s.t. $g(x^{\prime })=B(x)$ , obtained from x by changing only the first coordinate. Consequently, ${\mathbb {E}}[g]=2^m \mu$ .

Thus, the total contribution of terms with $V=\emptyset$ is at most

$\begin{equation*} \sum _U \beta _U^2 \cdot \gamma _V^2 = 2^m \mu ^2, \end{equation*}$

using the fact that $\sum _U \beta _U^2 = {\mathbb {E}}[f^2] = {\mathbb {E}}[f] = 2^{-m}$ by Parseval’s identity.

Case 2: $V \ne \emptyset$ . We claim that in this case, for any V, there are at most two U’s for which $V \triangle U$ is Cartesian. Indeed, let $i \in [r]$ be such that $V_i \mathrel {\mathop :}=V \cap (\lbrace i\rbrace \times [m]) \ne \emptyset$ . Note that $V \cap (\lbrace 1\rbrace \times [m]) = \emptyset$ . Hence, if $U = ([k] \times U^{\prime }) \ne \emptyset$ , then $(V \triangle U) \cap (\lbrace 1\rbrace \times [m]) = U^{\prime }$ . However,

$\begin{equation*} (V \triangle U) \cap (\lbrace i\rbrace \times [m]) = {\left\lbrace \begin{array}{ll} V_i \triangle U^{\prime }, &\qquad i \le k, \\ V_i, &\qquad i\gt k. \end{array}\right.} \end{equation*}$

As $V \triangle U$ is Cartesian, we have $(V \triangle U) \cap (\lbrace i\rbrace \times [m]) = (V \triangle U) \cap (\lbrace 1\rbrace \times [m]) = U^{\prime }$ . As $V_i \ne \emptyset$ , this is possible only if $i\gt k$ and $V_i=U^{\prime }$ , that is, $U=[k] \times V_i$ . In addition, $U=\emptyset$ is possible if V is Cartesian.

Thus, the total contribution of terms $\alpha _S^2 = (\beta _U \gamma _V)^2$ with $V \ne \emptyset$ , is at most (recall $|\beta _U| \le 2^{-m}$ )

$\begin{equation*} 2 \cdot (2^{-m})^2 \sum _V \gamma _V^2 = 2^{1-2m} {\mathbb {E}}[g^2] \le 2^{1-2m} {\mathbb {E}}[g] =2^{1-m} \mu . \end{equation*}$

We conclude

$\begin{equation*} \left\Vert {(B^{\prime })^C}\right\Vert _2^2 = \sum _{S\text{ Cartesian}} \alpha _S^2 \le 2^m \mu ^2 + 2^{1-m}\mu . \end{equation*}$

This completes the proof. □

3.4.5 Wrapping up the Proof of the Obfuscation Lemma.

Proof of Lemma 3.8

Combining Lemmas 3.14 and 3.15 and using ${\mathbb {E}}[B^{\prime }]\le 1/\binom{r}{k}$ , we get

$\begin{equation*} \text{Cov}(B^{\prime }(x), B^{\prime }(y)) \le 2^{-2t} / \binom{r}{k} + 2^{-t} \cdot 2^{m} / \binom{r}{k}^2 + 2^{-t} \cdot 2^{1-m}/ \binom{r}{k} . \end{equation*}$

Using Lemma 3.9, we deduce

$\begin{equation*} \Pr [P^{-1}(B(P(x))) = Q^{-1}(B(Q(y)))] = \binom{r}{k} {\mathbb {E}}_{x,y}[B^{\prime }(x) B^{\prime }(y)] \le 2^{-2t} + \frac{2^{m-t}}{\binom{r}{k}} + 2^{-t+1-m}. \end{equation*}$

This completes the proof. □

4 Hardness of Dense K-SUM

In this section, we prove Theorem 1.5. The precise formulation of the theorem is as follows:

Theorem 4.1 (Sparse to Dense k-SUM Reduction)

Let $M,N$ be integers such that $\sqrt {N} \le M \le N$ . Assume there is an algorithm for $(k,M, N^{1/k})$ -SUM with success probability $\beta$ and expected running time $\mathcal {T}$ . Then, there is an algorithm for $(k, N, N^{1/k})$ -SUM with success probability at least $\frac{\beta ^{4}}{(\log M)^2 \cdot k^{O(k)}}$ and expected running time at most $N/M \cdot (\mathcal {T}+ \tilde{O}_k(N^{1/k}))$ .

The proof is based on the modular k-SUM problem, which we call k-MSUM.

Definition 4.2 (Average-case k-MSUM Problem)

In the $(k,N,r)$ -MSUM problem, the input consists of r elements $z_1,\ldots ,z_r$ , each chosen independently and uniformly at random from $\mathbb {Z}_{N}$ . The goal is to find a k-tuple $K = \lbrace i_1,\ldots ,i_k\rbrace$ , such that $\sum _{j \in K} z_j \bmod N = 0$ .

Informally, the proof consists of three stages.

(1)

Reduction to k-MSUM. In Section 4.1, we show that for obtaining the reduction from the $(k,N,N^{1/k})$ -SUM problem to the $(k,M,N^{1/k})$ -SUM problem (i.e., proving Theorem 4.1), it is sufficient to devise a reduction from $(k,pq,r=(pq)^{1/k})$ -MSUM to $(k,p,r)$ -MSUM for a pair of primes $p,q$ that satisfy $pq \approx N$ and $p \approx M$ .

(2)

Obfuscation process. In Section 4.2, we introduce an obfuscation process that transforms r-tuples of vectors in $\mathbb {Z}_{pq}$ to r-tuples of vectors in $\mathbb {Z}_p$ , similarly to the reduction for the k-XOR problem presented in Section 3. Specifically, we show that it is sufficient to prove an obfuscation lemma, which asserts that the outputs of the $(k,p,r)$ -MSUM oracle are sufficiently independent when it is applied to the “obfuscated” inputs.

(3)

Proof of the obfuscation lemma. In Section 4.3, we prove the obfuscation lemma by employing techniques from discrete Fourier analysis and combinatorics. It is the most involved part of the proof of the main theorem.

4.1 Reduction to Modular k-SUM and Proof of Theorem 4.1

The main ingredient in the proof of Theorem 4.1 is the following lemma, which provides reduction from k-MSUM modulo pq to k-MSUM modulo p for prime numbers $p,q$ with $p \gt q$ :

Lemma 4.3 (Main k-MSUM Reduction)

Let $p,q,r$ be positive integers such that $p \gt q$ are prime numbers and $pq \le \binom{r}{k}$ . Assume there is an algorithm for $(k,p,r)$ -MSUM with success probability $\beta$ and expected running time $\mathcal {T}$ .

Then, there is an algorithm for $(k, pq, r)$ -MSUM with success probability

$\begin{equation*} \Omega \left(\left(\frac{\beta ^{2} \cdot pq }{k \log (q) \cdot \binom{r}{k}} \right) ^ 2\right) \end{equation*}$

and expected running time at most $q \cdot (\mathcal {T}+ \tilde{O}(r))$ .

In this subsection, we prove that Lemma 4.3 implies Theorem 4.1. The (more complex) proof of Lemma 4.3 spans the following subsections.

The derivation of Theorem 4.1 from Lemma 4.3 relies on two additional reductions.

Lemma 4.4 (Simple Reduction).

Let $r,r^{\prime }$ be positive integers such that $r \ge r^{\prime }$ . Assume there is an algorithm for $(k,N, r)$ -SUM (respectively, MSUM) with success probability $\beta$ and expected running time $\mathcal {T}$ . Then, there is an algorithm for $(k, N, r^{\prime })$ -SUM (respectively, MSUM) with success probability at least $\frac{\beta }{(2r/r^{\prime })^k}$ and expected running time at most $\mathcal {T} + \tilde{O}_k(r)$ .

The proof of this lemma is essentially the same as the proof of the analogous Lemma 3.3 for k-XOR, and we omit it.

Lemma 4.5. (k-SUM to k-MSUM Reduction)

Let $M,N$ be positive integers such that $M \le 2N+1$ . Assume there is an algorithm for $(k,M,r)$ -MSUM with success probability $\beta$ and expected running time $\mathcal {T}$ . Then, there is an algorithm for $(k,N,r)$ -SUM with success probability $\Omega (\frac{\beta }{k(8N \cdot k/M)^k})$ and expected running time at most $\mathcal {T} + \tilde{O}_k(r)$ .

Proof.

Denote $r^{\prime } = \lceil r \cdot M/4N \rceil$ . Given an algorithm for $(k,M,r)$ -MSUM with success probability $\beta$ and running time $\mathcal {T}$ , by Lemma 4.4, there is an algorithm B for $(k,M,r^{\prime })$ -MSUM with success probability at least $\frac{\beta }{(8N/M)^k}$ and expected running time at most $\mathcal {T} + \tilde{O}_k(r)$ . We use B to devise an algorithm A for $(k,N,r)$ -SUM.

We first assume that M is odd. On input that consists of r integers $z_1,\ldots ,z_r$ uniform in $\lbrace -N,\ldots ,N\rbrace$ , A performs the following steps:

(1)

Discard all $z_i$ such that $z_i \notin \lbrace -(M-1)/2, \ldots ,(M-1)/2\rbrace$ . Denote the number of remaining elements by $r_1$ . If $r_1 \lt r^{\prime }$ , then return failure. Otherwise, take the first $r^{\prime }$ remaining elements and denote them by $u_1,\ldots ,u_{r^{\prime }}$ .

(2)

Define the mapping $u_i \mapsto y_i$ (onto $\mathbb {Z}_{M}$ ) by $y_i = u_i \bmod M$ . Note that $y_1,\ldots ,y_{r^{\prime }}$ is a $(k,M,r^{\prime })$ -MSUM instance.

(3)

Pick k elements $v^{\prime }_1,\ldots ,v^{\prime }_k$ in $\mathbb {Z}_M$ uniformly at random, conditioned on $\sum _{j \in [k]} v^{\prime }_j \bmod M = 0$ . Then, for each $i \in [r^{\prime }]$ , pick $j \in [k]$ uniformly at random and define $v_i = v^{\prime }_j$ and $x_i = y_i + v_i \bmod M$ .

(4)

Run B on the input $x_1,\ldots ,x_{r^{\prime }}$ and assume it returns a k-tuple $K^{\prime }$ such that $\sum _{i \in K^{\prime }} x_{i} \bmod M = 0$ . Trace $K^{\prime }$ back to the corresponding k-tuple K for $z_1,\ldots ,z_r$ and if $\sum _{i \in K} z_{i} = 0$ , return K. Otherwise, return failure.

Note that we do not run B directly on $y_1,\ldots ,y_{r^{\prime }}$ , since it may be malicious and return k-tuples that sum to 0 modulo M, but never give a k-SUM over the integers for $z_1,\ldots ,z_r$ .

Analysis. Clearly, the algorithm returns a correct output if it succeeds and its complexity is as claimed. To analyze the success probability, we consider the following events:

(1)

$r_1 \ge r^{\prime }$ .

(2)

B returns a k-tuple $K^{\prime }$ such that $\sum _{i \in K^{\prime }} x_{i} \bmod M = 0$ .

(3)

$\lbrace v_i\rbrace _{i \in K^{\prime }} = \lbrace v^{\prime }_j\rbrace _{j \in [k]}$ (as possible multi-sets). Note that this implies $\sum _{i \in K^{\prime }} v_{i} \bmod M = \sum _{j \in [k]} v^{\prime }_j \bmod M = 0$ and therefore,

$\begin{equation*} \sum _{i \in K^{\prime }} u_{i} \bmod M = \sum _{i \in K^{\prime }} y_{i} \bmod M = \sum _{i \in K^{\prime }} (x_{i} - v_i) \bmod M = 0. \end{equation*}$

(4)

$\sum _{i \in K^{\prime }} u_{i} = 0$ .

Observe that if the fourth event occurs, then $\sum _{i \in K} z_{i} = \sum _{i \in K^{\prime }} u_{i} = 0$ and A succeeds. In the following, we lower bound the probability of these events.

First, ${\mathbb {E}}[r_1] = r \cdot M/(2N + 1)$ and a simple tail bound gives $\Pr [r_1 \ge r^{\prime }] \ge 1/4$ for r sufficiently large (i.e., larger than some constant value). Conditioned on the first event, the second event occurs with probability at least $\frac{\beta }{(8N/M)^k}$ . The third event occurs with probability at least $1/(k!) \gt k^{-k}$ . Note that, since $v_1,\ldots ,v_{r^{\prime }}$ are picked independently of $y_1,\ldots ,y_{r^{\prime }}$ , then the third event is independent of the second. Thus, the first three events occur with probability $\Omega \left(\frac{\beta }{(8N \cdot k/M)^k}\right)$ .

Finally, recall that $v^{\prime }_1,\ldots ,v^{\prime }_k$ are picked uniformly at random from $\mathbb {Z}_M$ , conditioned on $\sum _{j \in [k]} v^{\prime }_j \bmod M = 0$ . Thus, conditioning on $\sum _{i \in K^{\prime }} x_{i} \bmod M = 0$ , and on the event that $\lbrace v_i\rbrace _{i \in K^{\prime }} = \lbrace v^{\prime }_j\rbrace _{j \in [k]}$ (but not on the individual values of each $v^{\prime }_{j}$ ), the k-tuple $\lbrace u_{i}\rbrace _{i \in K^{\prime }}$ is uniformly distributed in $\lbrace -(M-1)/2, \ldots ,(M-1)/2\rbrace ^k$ , conditioned on $\sum _{i \in K^{\prime }} u_{i} \bmod M = 0$ . Given this distribution of $\lbrace u_{i}\rbrace _{i \in K^{\prime }}$ , it remains to lower bound the probability that $\sum _{i \in K^{\prime }} u_{i} = 0$ by $1/k$ .

Write $U = \sum _{i \in K^{\prime }} u_{i}$ as a sum of k uniform integers in $\lbrace -(M-1)/2, \ldots ,(M-1)/2\rbrace$ . Note that for any t,

$\begin{align} \begin{split} \Pr [U = t] \le & \Pr [U = t+1] \quad \text{if} \quad t+1 \le {\mathbb {E}}[U], \\ \Pr [U = t] \ge & \Pr [U = t+1] \quad \text{if} \quad t \ge {\mathbb {E}}[U].\end{split} \end{align}$

(10)

To see this, observe that the function $t \mapsto \Pr [U = t]$ is log-concave, as a convolution of (discrete) log-concave functions (see for example Reference [3, Proposition 10(vii)]) and is symmetric around $t = {\mathbb {E}}[U]$ .

Since in our case ${\mathbb {E}}[U] = 0$ , then for any t, we have $\Pr [U = 0] \ge \Pr [U = t]$ . Hence,

$\begin{align*} \Pr \left[ U=0\,\middle |\, U \bmod M = 0 \right] = & \frac{\Pr [U = 0]}{\Pr [U \bmod M = 0]} \ge \frac{\Pr [U = t]}{\Pr [U \bmod M = 0]} \\ \ge & \Pr \left[ U=t\,\middle |\, U \bmod M = 0 \right]. \end{align*}$

As $U \in \lbrace -k(M-1)/2, \ldots ,k(M-1)/2\rbrace$ , given that $U \bmod M = 0$ , U can only attain k possible values, implying that $\Pr \left[ U=0\,\middle |\, U \bmod M = 0 \right] \ge 1/k$ .

Finally, if M is even, then we change the algorithm to remove $z_i \notin \lbrace -M/2, \ldots ,M/2 - 1\rbrace$ . The analysis is similar, but we have ${\mathbb {E}}[U] = -k/2$ . Nevertheless, the final result is unchanged, since $\Pr [U = 0] \ge \Pr [U = t]$ for every t such that $t \bmod M = 0$ (assuming M is larger than k; we indeed may assume $M \ge k$ , as otherwise $(k,N,r)$ -SUM can be solved with the poor probability $1/N^k$ by searching for k zeros in the input). □

We now derive Theorem 4.1 from Lemmas 4.3–4.5.

Proof of Theorem 4.1.

Let $M,N$ be such that $\sqrt {N} \le M \le N$ . Our goal is to devise an algorithm for $(k, N, N^{1/k})$ -SUM, given an algorithm B for $(k, M, N^{1/k})$ -SUM with success probability $\beta$ and expected running time $\mathcal {T}$ .

Clearly, B can be applied to solve $(k,M,N^{1/k} \cdot 2k)$ -SUM with the same success probability and complexity.

Let p be a prime number that satisfies $M \le p \lt 2M$ .³ By Lemma 4.4, based on B, there is an algorithm $B_1$ for $(k,(p-1)/2,N^{1/k} \cdot 2k)$ -SUM with success probability at least $\beta _1 = \frac{\beta }{k^{O(k)}}$ and expected running time at most $\mathcal {T} + \tilde{O}_k(N^{1/k})$ . $B_1$ immediately gives an algorithm for $(k,p,N^{1/k} \cdot 2k)$ -MSUM with the same parameters (as a K-tuple that sums to 0 over the integers sums to zero $\bmod$ p).

Let q be a prime number such that $N/2p \le q \lt N/p$ . Note that we have

$\begin{equation*} pq \lt N \lt \binom{N^{1/k} \cdot 2k}{k} \lt N \cdot k^k \qquad \mbox{and} \qquad q \lt N/p \le N/M \le M \le p. \end{equation*}$

Hence, we can apply Lemma 4.3 based on $B_1$ to deduce that there is an algorithm $B_2$ for $(k,pq,N^{1/k} \cdot 2k)$ -MSUM with success probability at least

$\begin{equation*} \beta _2 = \Omega \left(\frac{\beta _1^{4} (pq)^2}{k^2 \log (q)^2 \binom{N^{1/k}\cdot 2k}{k}^2}\right) \ge \frac{\beta ^{4}}{(\log M)^2 \cdot k^{O(k)}} \end{equation*}$

and expected running time at most $q \cdot (\mathcal {T}+ \tilde{O}_k(N^{1/k})) \le N/M \cdot (\mathcal {T}+ \tilde{O}_k(N^{1/k}))$ .

Noting that $N/2 \le pq \le N$ , we invoke Lemma 4.5 based on $B_2$ and conclude that there is an algorithm $B_3$ for $(k,N,N^{1/k} \cdot 2k)$ -SUM with success probability at least $\beta _3 = \frac{\beta _2}{k^{O(k)}} = \frac{\beta ^{4}}{(\log M)^2 \cdot k^{O(k)}}$ and expected running time at most $N/M \cdot (\mathcal {T}+ \tilde{O}_k(N^{1/k}))$ .

Finally, we apply Lemma 4.4 based on $B_3$ and deduce that there is an algorithm for $(k,N,N^{1/k})$ -SUM with success probability at least $\frac{\beta _3}{k^{O(k)}} = \frac{\beta ^{4}}{(\log M)^2 \cdot k^{O(k)}}$ and expected running time at most $N/M \cdot (\mathcal {T}+ \tilde{O}_k(N^{1/k}))$ . □

4.2 The Obfuscation Process

Our goal in the rest of this section is to prove Lemma 4.3. The proof strategy is similar to the proof of Lemma 3.2 in the k-XOR case presented in Section 3. Namely, we devise an algorithm that receives r vectors in $\mathbb {Z}_{pq}$ , denoted by $z_1,\ldots ,z_r$ , and randomly obfuscates them, returning r vectors in $\mathbb {Z}_p$ , denoted by $y_1,\ldots ,y_r$ . The main properties of the obfuscation are that a solution to the k-MSUM y-problem gives rise to a solution of the k-MSUM z-problem with a good probability (i.e., $\approx 1/q$ ) and that the applications of the oracle are sufficiently independent to yield a solution of the z-problem with the desired probability.

In this subsection, we present the obfuscation algorithm, state the main obfuscation lemma, which asserts that our algorithm achieves its goals, and derive Lemma 4.3 from the obfuscation lemma. The proof of the obfuscation lemma is presented in the next subsection.

4.2.1 The Obfuscation Algorithm and the Obfuscation Lemma.

Let $p,q,r$ be positive integers such that $p,q$ are prime numbers, $p \ge q$ , and $pq \le \binom{r}{k}$ . Let B be an algorithm for $(k,p,r)$ -MSUM. Let L be a parameter to be specified below. We define the algorithm A for $(k,pq,r)$ -MSUM, which receives as an input an r-tuple $(z_1,\ldots ,z_r) \in \mathbb {Z}_{pq}^r$ of elements in $\mathbb {Z}_{pq}$ , as follows:

Algorithm 4.6.

$\phantom{}$

(1)

Repeat L times:

(2)

Draw uniformly random invertible $\alpha \sim \mathbb {Z}_{p\cdot q}^\ast$ and $\gamma \sim \mathbb {Z}_p^\ast$ and a uniformly random permutation $P \in S_r$ .

(3)

Let $y_{i} = \gamma \cdot \lfloor (\alpha \cdot z_{P(i)} \,\%\,pq) / q \rceil \,\%\,p$ for all $i \in [r]$ .

(4)

Feed B with $(y_1, \ldots , y_r)$ . In case it outputs a k-tuple K with $\sum _{i \in K} y_i \% p = 0$ , test whether $\mathcal {K}=$ $P(K)$ satisfies $\sum _{i \in \mathcal {K}} z_{i} \% pq = 0$ , and if it does—output the k-tuple $\mathcal {K}$ . Otherwise, continue.

The obfuscation lemma in the arithmetic case is as follows:

Lemma 4.7.

Let $p,q,r$ be positive integers such that $p \ge q$ are prime numbers and $pq \le \binom{r}{k}$ .

Let $(z_1,\ldots ,z_r) \in \mathbb {Z}_{pq}^r$ be chosen uniformly at random. Let the r-tuples $(y_1^{(1)},\ldots , y_r^{(1)}) \in \mathbb {Z}_{p}^r$ and $(y_1^{(2)},\ldots ,y_r^{(2)}) \in \mathbb {Z}_{p}^r$ be obtained from it by the procedure described above (in two out of the L iterations). Let $\mathcal {K}_1, \mathcal {K}_2$ be the two corresponding $\mathcal {K}$ ’s obtained in the process. Then,

$\begin{equation} \Pr [\mathcal {K}_1 = \mathcal {K}_2] \le O(\log (q) / q^2), \end{equation}$

(11)

where the probability is taken over $z,y^{(1)}, y^{(2)}$ , and B’s randomness.

Note that cases where at least one of $\mathcal {K}_1,\mathcal {K}_2$ is not obtained (that is, when in at least one of the two iterations, Algorithm B fails to find a solution to the $(k,p,r)$ -MSUM problem) are not counted as equality between $\mathcal {K}_1$ and $\mathcal {K}_2$ .

4.2.2 Proof of the Main Reduction Lemma.

We now deduce Lemma 4.3 from the obfuscation lemma (Lemma 4.7).

Proof of Lemma 4.3.

As in the corresponding proof of Lemma 3.2 for k-XOR, we analyze a tweaked version of the algorithm (with the same success probability) in which all L iterations are performed. For any $1 \le l \le L$ , let $\mathcal {K}_l$ be the $\mathcal {K}$ obtained in the l’s iteration ( $\mathcal {K}_l$ exists only when B succeeds, i.e., with probability $\beta$ ). Denote by $S_l$ the event that $\mathcal {K}_l$ admits a solution to the $(k, pq, r)$ -MSUM problem. We claim that for all $l=1,\ldots ,L$ ,

$\begin{equation*} \Pr [ S_{l} ] \ge \beta \cdot \Omega \left(1/ \left(\sqrt {k} q \right)\right). \end{equation*}$

Indeed, $S_l$ occurs if the B oracle succeeds, and in addition, $\sum _{i \in \mathcal {K}} z_i \,\%\,pq = 0$ holds, given that $\sum _{i \in K} y_i \,\%\,p = 0$ .

The probability of the first event is $\beta$ , as $y_1, \ldots , y_r$ are uniformly and independently distributed in $\mathbb {Z}_{p}$ . (Indeed, conditioning on the variables $\alpha , P$ (but not on $z_{P(i)}$ ), the variables $\widetilde{y}_i = \lfloor (\alpha \cdot z_{P(i)} \,\%\,pq) / q \rceil \,\%\,p$ are uniformly and independently distributed in $\mathbb {Z}_{p}$ , and so are $y_i=\gamma \cdot \widetilde{y}_i$ .)

To see that the probability of the second event is $\Omega (1/(\sqrt {k} q))$ , notice that $\alpha z_{P(i)} \,\%\,pq = (q\gamma ^{-1} y_i + \sigma _i) \,\%\,pq$ , with $\sigma _i \in \lbrace (1-q)/2, \ldots , (q-1)/2\rbrace$ . Conditioning on $\alpha , \gamma , P, y_i$ (and not on $z_{P(i)}$ ), $\sigma _i$ is uniformly distributed in this set. Observe that given $\sum _{i \in K} y_{i} \,\%\,p = 0$ , the event $\sum _{i \in K} \alpha z_{P(i)} \,\%\,pq = 0$ is equivalent to $\sum _{i \in K} \sigma _i \,\%\,pq = 0$ . The probability of this latter event is $\Omega (1/(\sqrt {k} q))$ , for example by Equation (10) and Chebyshev’s inequality with the standard deviation of $\sum _{i \in K} \sigma _i$ equal to $\Theta (\sqrt {k} q)$ .

Define the random variables

Similarly to the proof of Lemma 3.2 in Section 3.3, it is easy to verify that (tweaked) Algorithm 4.6 succeeds to solve the $(k, pq, r)$ -MSUM problem with probability at least

$\begin{equation*} \Pr [Z \gt 0] \ge \frac{{\mathbb {E}}[Z]^2}{{\mathbb {E}}[Z^2]}. \end{equation*}$

To bound ${\mathbb {E}}[Z]$ from below, note that

Using $\Pr [S_l] \ge \beta \cdot \Omega (1/(\sqrt {k} q))$ and Lemma 4.7, we get

$\begin{equation*} {\mathbb {E}}[Z] \ge L\cdot \Omega (\beta / (\sqrt {k} q)) - \binom{L}{2} O(\log (q) / q^2). \end{equation*}$

We choose $L= c \cdot \beta q / (\sqrt {k} \log (q))$ for a sufficiently small constant c, and obtain

$\begin{equation*} {\mathbb {E}}[Z]\ge \Omega \left(\frac{\beta ^2}{k\log (q)}\right). \end{equation*}$

To bound ${\mathbb {E}}[Z^2]$ from above, note that similarly to the proof of Lemma 3.2, we have

$\begin{equation*} {\mathbb {E}}[Z^2] \le \frac{2}{(pq)^2} \binom{r}{k}^2. \end{equation*}$

Therefore, (tweaked) Algorithm 4.6 succeeds with probability at least

$\begin{equation*} \Pr [Z \gt 0] \ge \Omega (\beta ^4) \cdot \left(\frac{pq}{\binom{r}{k} k \log (q) }\right)^2. \end{equation*}$

The running time of the algorithm is

$\begin{equation*} L \cdot (\mathcal {T}+ \tilde{O}(r)) \le q \cdot (\mathcal {T}+ \tilde{O}(r)). \end{equation*}$

This completes the proof of the lemma. □

4.3 Proof of the Obfuscation Lemma

In this section, we prove Lemma 4.7. We start by introducing a distribution that models two independent outputs of the obfuscation process, and restate the obfuscation lemma.

Definition 4.8.

Let $p, q$ be prime numbers. We say that a pair of random variables $(x^{(1)},x^{(2)})$ , each taking values in $\mathbb {Z}_{p}^r$ , has a $(p,q,r)$ -arithmetic-distribution, if there exist random variables $z,\, \alpha ^{(j)},\, \gamma ^{(j)}$ , $j=1,2$ , with:

(1)

$z,\, \alpha ^{(1)},\, \alpha ^{(2)},\, \gamma ^{(1)},\, \gamma ^{(2)}$ are independent random variables.

(2)

$z\sim \mathbb {Z}_{p\cdot q}^r$ is uniformly distributed.

(3)

$\alpha ^{(j)} \sim \mathbb {Z}_{p\cdot q}^{\ast }$ is a uniformly random invertible element of $\mathbb {Z}_{p\cdot q}$ .

(4)

$\gamma ^{(j)} \sim \mathbb {Z}_{p}^{\ast }$ is a uniformly random nonzero residue modulo p.

(5)

For all $i=1\ldots r$ , $j=1,2$ , we have

$\begin{equation*} x^{(j)}_i = \gamma ^{(j)} \cdot \lfloor \alpha ^{(j)} \cdot z_i / q \rceil \,\%\,p. \end{equation*}$

Lemma 4.9.

Let B be an algorithm that receives as input a list of r integers in $\mathbb {Z}_{p}$ and outputs the indices of $k\gt 0$ numbers among them whose SUM is 0 (modulo p). If $(x,y)$ has a $(p,q,r)$ -arithmetic-distribution with $p \ge q$ , and $P,Q\sim S_r$ are two uniformly random and independent permutations, then

$\begin{equation} \Pr \left[P^{-1}(B(P(x))) = Q^{-1}(B(Q(y)))\right] \le O \left(\frac{\log (q)}{q^2} + \frac{p}{q\binom{r}{k}} \right), \end{equation}$

(12)

where the probability is taken over B’s randomness, $x,y$ and $P,Q$ (the event on the left-hand side is contained in the event that both executions $B(P(x))$ , $B(Q(y))$ succeed).

Notice that Lemma 4.7 immediately follows from Lemma 4.9 (compare Equation (11) with Equation (12)).

4.3.1 Proof Outline.

The proof of Lemma 4.9 uses techniques from discrete Fourier analysis and combinatorial techniques. Technically, the proof is more complicated than for k-XOR, since the k-SUM analog of Lemma 3.14 does not hold. Instead, it is replaced by the sequence of Lemmas 4.16–4.21. The proof consists of three steps presented in the order of appearance in the article.

(1)

Transformation to real-valued functions. Similarly to the k-XOR obfuscation, we show that instead of analyzing the obfuscation on a tuple-valued function, it is sufficient to analyze its action on the simpler class of real-valued functions. We utilize the fact that our obfuscation randomly permutes the input vectors, so any oracle $B:\mathbb {Z}_{p}^r \rightarrow {\binom{[r]}{k}}$ must, informally, treat all candidate output k-tuples in the same way. Hence, it suffices to analyze the modified, real-valued oracle $B^{\prime }:\mathbb {Z}_{p}^r \rightarrow [0,1]$ , which essentially indicates the probability that B outputs the specific k-tuple $K \mathrel {\mathop :}=\lbrace 1,\ldots ,k\rbrace$ when applied on its input. Specifically, our task is reduced to showing that

$\begin{equation} {\mathbb {E}}[B^{\prime }(x) B^{\prime }(y)] \le O\left(\frac{\log (q)}{q^2} + \frac{p}{q\binom{r}{k}} \right) / r^k, \end{equation}$

(13)

where $x,y$ are two independent obfuscations of a common, random, $z \in \mathbb {Z}_{pq}^r$ .

(2)

Representing the correlation in terms of the Fourier expansion. To prove Equation (13), we consider the Fourier expansion of $B^{\prime }$ , namely,

$\begin{equation*} B^{\prime }=\sum _{S \in \mathbb {Z}_{p}^r} \widehat{B}^{\prime }(S) \chi _S, \qquad \mathrm{where} \qquad \chi _S(v) = \exp \left(\frac{2\pi i}{p}\langle S,v \rangle \right), \qquad \widehat{B^{\prime }}(S) \in \mathbb {C}. \end{equation*}$

It turns out that the correlation between two obfuscations (which appear in different iterations of Algorithm A described above) is a weighted sum of the squared Fourier coefficients $\widehat{B}^{\prime }(S)^2$ :

$\begin{equation} \mathrm{Cov}(B^{\prime }(x),B^{\prime }(y))=\sum _{S \ne 0} (p-1)M_{p,q,r}(S)\widehat{B}^{\prime }(S)^2, \end{equation}$

(14)

where $M_{p,q,r}(S)$ roughly serve as the “weight” for $\widehat{B}^{\prime }(S)^2$ and are defined as $M_{p,q,r}(S) = {\mathbb {E}}[\chi _S(x) \overline{\chi _S(y)}]$ .

(3)

Bounding the correlation using discrete Fourier analysis. We bound the correlation, the right-hand side of Equation (14), in two steps:

(a)

Partitioning into 2-dimensional subspaces. We use the structure of solutions to the k-SUM problem to show that it is sufficient to bound $\sum _{S \in U} M_{p,q,r}(S)$ over two-dimensional subspaces $U = \lbrace a S_1 + b S_2:a,b \in \mathbb {Z}_{p}\rbrace \subseteq \mathbb {Z}_p^r$ of a certain kind.

(b)

Bounding $\sum _S M_{p,q,r}(S)$ over 2-dimensional subspaces. We bound $\sum _{S \in U} M_{p,q,r}(S)$ over two-dimensional subspaces U using a combinatorial approach. Specifically, we represent this sum as the bias introduced in an event, caused by the dependence between $x,y$ . We show that this bias is related to a Littlewood-Offord-type problem [26]. Specifically, in Lemma 4.18, we relate $M_{p,q,r}(S)$ to the probability $\Pr [\langle S, u\rangle = 0]$ for a random vector $u \in \mathbb {Z}_p^r$ . This probability concerns the event where the sum of random variables $\langle S, u\rangle = \sum _i S_i u_i$ equals 0. Bounding this type of probability is common in Littlewood-Offord theory. To this end, we use a classical antichain argument (see Reference [17]) along with simple number theoretic estimates.

4.3.2 Transformation to Real-valued Functions.

Lemma 4.10.

Let ${B}:{\mathbb {Z}_p^{r}} \rightarrow {\binom{[r]}{k}}$ be an algorithm that outputs either a k-tuple R with $\sum _{i \in R} x_i \% p = 0$ or a failure message. Let $K \mathrel {\mathop :}=\lbrace 1,\ldots , k\rbrace$ and define ${B^{\prime }}:{\mathbb {Z}_p^{r}} \rightarrow {[0,1]}$ by

$\begin{equation} B^{\prime }(x) = \Pr _{P,\gamma }[B(P(\gamma \cdot x))=P(\lbrace 1,2,\ldots ,k\rbrace)], \end{equation}$

(15)

where $P \sim S_r$ is a uniformly random permutation, and $\gamma \sim \mathbb {Z}_{p}^*$ is a uniformly random invertible element of $\mathbb {Z}_p$ . Then,

$\begin{equation} \sum _{i \in K} x_i \ne 0 \ \Rightarrow \ B^{\prime }(x) = 0, \end{equation}$

(16)

$\begin{equation} \mu \mathrel {\mathop :}={\mathbb {E}}_x[B^{\prime }(x)] \le 1/\binom{r}{k}, \end{equation}$

(17)

and if $(x,y)$ has a $(p,q,r)$ -arithmetic distribution and $P,Q \sim S_r$ are independent, then

$\begin{equation} \Pr [P^{-1}(B(P(x))) = Q^{-1}(B(Q(y)))] = \binom{r}{k} {\mathbb {E}}_{x,y}[B^{\prime }(x) B^{\prime }(y)]. \end{equation}$

(18)

We note that the probability in Equation (15) is also taken over B’s randomness. The proof of the lemma is similar to the proof of Lemma 3.9.

Proof.

To show Equation (16) note that if $\sum _{i \in K} x_i \ne 0,$ then B cannot output $P(K)$ on the input $P(\gamma \cdot x)$ , by our assumption on B, and $\gamma$ being invertible. Hence, $B^{\prime }(x) = 0$ in such a case.

To verify Equation (17), denote $x^{\prime } = P(\gamma \cdot x)$ and observe that when $x \sim \mathbb {Z}_{p}^r$ , we have $x^{\prime } \sim \mathbb {Z}_{p}^r$ independently of P. Hence, by interchanging order of summation,

$\begin{align*} {\mathbb {E}}_{x}[B^{\prime }(x)] &= {\mathbb {E}}_{P,\gamma }[{\mathbb {E}}_{x}[\mathbb {1}\lbrace B(P(\gamma \cdot x)) = P(K)\rbrace ]] = {\mathbb {E}}_{P,\gamma }[{\mathbb {E}}_{x^{\prime }}[\mathbb {1}\lbrace B(x^{\prime }) = P(K)\rbrace ]] \\ &= {\mathbb {E}}_{x^{\prime }}[{\mathbb {E}}_{P}[\mathbb {1}\lbrace B(x^{\prime }) = P(K)\rbrace ]] \le 1/\binom{r}{k}, \end{align*}$

where the latter inequality holds, because for any fixed $x^{\prime }$ , $P(K)$ attains the value of $B(x^{\prime })$ with probability at most $1/\binom{r}{k}$ .

To prove Equation (18), we reason about ${\mathbb {E}}_{x,y}[B^{\prime }(x) B^{\prime }(y)]$ . Observe that for any $K^{\prime } \subseteq [r]$ with $|K^{\prime }| = k$ , the function $B^{\prime }_{K^{\prime }}$ defined by $B^{\prime }_{K^{\prime }}(x) = {\mathbb {E}}_{P,\gamma }[\mathbb {1}\lbrace B(P(\gamma \cdot x)) = P(K^{\prime })\rbrace ]$ satisfies

$\begin{equation} {\mathbb {E}}_{x,y}[B^{\prime }_{K^{\prime }}(x) B^{\prime }_{K^{\prime }}(y)] = {\mathbb {E}}_{x,y}[B^{\prime }(x) B^{\prime }(y)]. \end{equation}$

(19)

Indeed, let $R \in S_r$ be such that $R(K) = K^{\prime }$ . As $(R(x), R(y))$ has the same distribution as $(x, y)$ , we have

$\begin{equation*} \begin{aligned}\mathbb {E}_{x,y}[B^{\prime }_{K^{\prime }}&(x) B^{\prime }_{K^{\prime }}(y)] = \mathbb {E}_{x,y}[B^{\prime }_{K^{\prime }}(R(x)) B^{\prime }_{K^{\prime }}(R(y))] \\ &= {\mathbb {E}}_{x,y}\big [{\mathbb {E}}_{P^{\prime }, \gamma ^{\prime }}[\mathbb {1}\lbrace B(P^{\prime }R(\gamma ^{\prime } \cdot x)) = P^{\prime }(K^{\prime })\rbrace ] {\mathbb {E}}_{P^{\prime \prime }, \gamma ^{\prime \prime }}[\mathbb {1}\lbrace B(P^{\prime \prime }R(\gamma ^{\prime \prime } \cdot y))=P^{\prime \prime }(K^{\prime })\rbrace ]\big ] \\ &= {\mathbb {E}}_{x,y}\big [{\mathbb {E}}_{P^{\prime },\gamma ^{\prime }}[\mathbb {1}\lbrace B(P^{\prime }(\gamma ^{\prime } \cdot x))= P^{\prime }R^{-1}(K^{\prime })\rbrace ] {\mathbb {E}}_{P^{\prime \prime }, \gamma ^{\prime \prime }}[\mathbb {1}\lbrace B(P^{\prime \prime }(\gamma \cdot y))=P^{\prime \prime }R^{-1}(K^{\prime })\rbrace ]\big ] \\ &= {\mathbb {E}}_{x,y}[B^{\prime }(x) B^{\prime }(y)]. \end{aligned} \end{equation*}$

Notice that if $(x,y)$ has a $(p,q,r)$ -arithmetic distribution, and $\gamma ^{\prime },\gamma ^{\prime \prime } \sim \mathbb {Z}_{p}^*$ are uniformly random invertible elements of $\mathbb {Z}_p$ independent of all other variables, then $(\gamma ^{\prime } \cdot x, \gamma ^{\prime \prime } \cdot y)$ has a $(p,q,r)$ -arithmetic distribution as well. We verify Equation (18):

$\begin{equation*} \begin{aligned}\Pr _{x,y,P,Q} \big [P^{-1}(B(P(x))) & = Q^{-1}(B(Q(y)))\big ] \\ &= \sum _{K^{\prime }} {\mathbb {E}}_{x,y,P,Q}\big [\mathbb {1}\lbrace P^{-1}(B(P(x)))=K^{\prime }\rbrace \mathbb {1}\lbrace Q^{-1}(B(Q(y)))=K^{\prime }\rbrace \big ] \\ &= \sum _{K^{\prime }} {\mathbb {E}}_{x,y,P,Q,\gamma ^{\prime },\gamma ^{\prime \prime }}\big [\mathbb {1}\lbrace P^{-1}(B(P(\gamma ^{\prime } \cdot x)))=K^{\prime }\rbrace \mathbb {1}\lbrace Q^{-1}(B(Q(\gamma ^{\prime \prime } \cdot y)))=K^{\prime }\rbrace \big ] \\ &= \sum _{K^{\prime }} {\mathbb {E}}_{x,y}\big [B^{\prime }_{K^{\prime }}(x) B^{\prime }_{K^{\prime }}(y)\big ] \\ &= \binom{r}{k} {\mathbb {E}}_{x,y} \big [ B^{\prime }(x) B^{\prime }(y) \big ], \end{aligned} \end{equation*}$

where the ultimate equality uses Equation (19). □

Due to the structure of the k-SUM problem, the function $B^{\prime }$ has several properties that will be crucially used in the sequel. Before stating these properties, let us introduce Fourier expansion over $\mathbb {Z}_p$ .

Definition 4.11 (Fourier Expansion).

Given $S \in \mathbb {Z}_{p}^r$ , define ${\chi _{S}}:{\mathbb {Z}_{p}^r} \rightarrow {\mathbb {C}}$ by $\chi _S(x) = e_p(\langle S, x\rangle)$ , where

$\begin{equation*} e_p(a) \mathrel {\mathop :}=\exp \left(\frac{2\pi i a}{p}\right). \end{equation*}$

The set $\lbrace \chi _S\rbrace _{S \in \mathbb {Z}_{p}^r}$ is an orthonormal basis for the set of functions $\left\lbrace f\,\middle |\, {f}:{\mathbb {Z}_{p}^r} \rightarrow {\mathbb {C}}\right\rbrace$ with respect to the standard inner product $\langle f,g \rangle = {\mathbb {E}}_{x\sim \mathbb {Z}_{p}^r}[f(x) \overline{g(x)}]$ . Hence, each ${f}:{\mathbb {Z}_{p}^r} \rightarrow {\mathbb {C}}$ can uniquely be decomposed as

$\begin{equation*} f = \sum _{S \in \mathbb {Z}_{p}^r} \widehat{f}(S) \chi _S, \qquad \mathrm{with} \qquad \widehat{f}(S) \in \mathbb {C}. \end{equation*}$

Claim 4.12.

Let $B^{\prime }$ be defined as in Lemma 4.10. Then:

(1)

For any $x \in \mathbb {Z}_p^r$ and any $\gamma \in \mathbb {Z}_p^*$ , we have $B^{\prime }(x)=B^{\prime }(\gamma \cdot x)$ .

(2)

$B^{\prime }$ can be written in the form $B^{\prime }(x)=I_k(x) \cdot g(x)$ , where $I_k(x)=\mathbb {1}\lbrace \sum _{i=1}^k x_i = 0\rbrace$ .

(3)

Let $S^{\prime } \in \mathbb {Z}_p^r$ be defined by $S^{\prime }_j =\mathbb {1}\lbrace j \in [k]\rbrace$ . For any $S \in \mathbb {Z}_p^r$ , we have $\widehat{B^{\prime }}(S) = \widehat{B^{\prime }}(S+S^{\prime })$ .

Proof.

The first assertion holds trivially by the definition of $B^{\prime }$ . The second holds, since $B(x) = 0$ whenever $I_k(x) = 0$ , with $I_k(x) = \mathbb {1}\lbrace \sum _{i=1}^{k} x_i = 0 \rbrace$ . Finally, the third holds as the Fourier expansion of $I_k$ is given by $I_k = \frac{1}{p}\sum _{\nu \in \mathbb {Z}_p} \chi _{\nu \cdot S^{\prime }}$ with $S^{\prime }_j = \mathbb {1}\lbrace j \in [k]\rbrace$ . □

Following Claim 4.12, we shall study and exploit properties of functions $f:\mathbb {Z}_p^r \rightarrow [0,1]$ that satisfy $f(\gamma x)=f(x)$ and $\widehat{f}(S+S^{\prime }) = \widehat{f}(S)$ for $S^{\prime }$ as defined in Claim 4.12 and all $x,\gamma ,S$ .

4.3.3 Representing the Correlation in Terms of the Fourier Expansion.

In this subsection, we present a sequence of lemmas that shall be used in our proof. These lemmas allow us to represent the correlation between different obfuscations in terms of the Fourier expansion and will be helpful in bounding the correlation using discrete Fourier analysis in the following subsections. Note that all inner products from now on are between elements of $\mathbb {Z}_p^r$ , and consequently, their results lie in $\mathbb {Z}_p$ .

An alternative representation of the obfuscation. In our proof, we shall frequently use the following alternative view of the obfuscation:

Claim 4.13.

A pair $(x,y)$ taking a $(p,q,r)$ -arithmetic-distribution may be sampled by drawing $x \sim \mathbb {Z}_p^r$ uniformly at random, choosing $v \sim \lbrace (1-q)/2, (3-q)/2, \ldots , (q-1)/2 \rbrace ^r$ uniformly, along with $\alpha \sim \mathbb {Z}_{p\cdot q}^{\ast }$ and $\gamma , \gamma ^{\prime } \sim \mathbb {Z}_{p}^{\ast }$ , and setting

$\begin{equation*} \forall i \in [r] :\quad y_i = (\gamma x_i + \gamma ^{\prime } \lfloor \alpha v_i / q \rceil) \,\%\,p. \end{equation*}$

Proof.

Assume $(x,y)$ has a $(p,q,r)$ -arithmetic distribution, that is, $x_i = \gamma _1 \cdot \lfloor \alpha _1 \cdot z_i / q \rceil \% p$ and $y_i = \gamma _2 \cdot \lfloor \alpha _2 \cdot z_i / q \rceil \% p$ , where $z,\alpha _1,\alpha _2,\gamma _1,\gamma _2$ are as in Definition 4.8. Write $\alpha _1 z_i \% (pq) = q (\gamma _1^{-1} x_i \% p) + v_i$ with $v_i \in \lbrace (1-q)/2, \ldots , (q-1)/2 \rbrace$ . Note that, under the fixing of any (invertible) $\gamma _1, \alpha _1$ , each pair of $(x_i, v_i) \in \mathbb {Z}_p \times \lbrace (1-q)/2, \ldots , (q-1)/2 \rbrace$ arises from exactly one $z_i \in \mathbb {Z}_{pq}$ . Since $z_i$ is uniformly distributed and independent of $\gamma _i, \alpha _i$ , we see that $x_i, v_i$ are uniformly distributed (as stated in the claim) and independent of each other and of $\gamma _i, \alpha _i$ .

Finally,

$\begin{equation*} y_i = \gamma _2 \cdot \lfloor \alpha _2 \cdot \alpha _1^{-1} (q (\gamma _1^{-1} x_i \% p) + v_i) / q \rceil \% p, \end{equation*}$

meaning that

$\begin{equation*} y_i = ((\gamma _2 \alpha _2 \alpha _1^{-1} \gamma _1^{-1} \% p) x_i + \gamma _2 \lfloor \alpha _2 \alpha _1^{-1} v_i / q \rceil) \% p. \end{equation*}$

Denoting $\gamma \mathrel {\mathop :}=(\gamma _2 \alpha _2 \alpha _1^{-1} \gamma _1^{-1} \% p)$ , $\gamma ^{\prime } \mathrel {\mathop :}=\gamma _2$ and $\alpha \mathrel {\mathop :}=\alpha _2 \alpha _1^{-1}$ , we have $y_i = (\gamma x_i + \gamma ^{\prime } \lfloor \alpha v_i / q \rceil) \,\%\,p$ . Note that $\gamma , \gamma ^{\prime }, \alpha$ have the asserted distribution and are independent of $x, v$ . □

A quantity representing the contribution of $\widehat{B}^{\prime }(S)$ to the correlation. We now formally introduce the notion $M_{p,q,r}(S)$ that will play a central role in the proof. The relevance of the notion to the correlation we study is shown in Lemma 4.16 below.

Definition 4.14.

Let $S \in \mathbb {Z}_{p}^r$ , and let $(x,y)$ be a pair that has a $(p,q,r)$ -arithmetic distribution. Define the magnitude of S as (the real number)

$\begin{equation*} M_{p,q,r}(S) \mathrel {\mathop :}={\mathbb {E}}[\chi _S(x) \overline{\chi _S(y)}]. \end{equation*}$

Lemma 4.15 (Orthogonality).

Let $S, S^{\prime } \in \mathbb {Z}_{p}^r$ , and assume $(x,y)$ has a $(p,q,r)$ -arithmetic distribution. If $S^{\prime } = \gamma ^{\prime } S$ with $\gamma ^{\prime } \in \mathbb {Z}_p^\ast$ , then we have

$\begin{equation} {\mathbb {E}}[\chi _S(x) \overline{\chi _{S^{\prime }}(y)}] = M_{p,q,r}(S). \end{equation}$

(20)

Otherwise (if $S^{\prime } \ne \gamma ^{\prime } S$ for all $\gamma ^{\prime } \in \mathbb {Z}_p^\ast$ ),

$\begin{equation} {\mathbb {E}}[\chi _S(x) \overline{\chi _{S^{\prime }}(y)}] = 0. \end{equation}$

(21)

Proof.

To verify Equation (20), assume $S^{\prime } = \gamma ^{\prime } S$ with $\gamma ^{\prime } \in \mathbb {Z}_p^\ast$ . Note that by Definition 4.8, if $(x,y)$ has a $(p,q,r)$ -arithmetic-distribution, then $(x, \gamma ^{\prime -1} y)$ admits a $(p,q,r)$ -arithmetic-distribution as well. Hence,

$\begin{equation*} {\mathbb {E}}[\chi _S(x) \overline{\chi _{S^{\prime }}(y)}] = {\mathbb {E}}[\chi _S(x) \overline{\chi _{S^{\prime }}(\gamma ^{\prime -1} y)}] = {\mathbb {E}}[\chi _S(x) \overline{\chi _{S}(y)}] = M_{p,q,r}(S). \end{equation*}$

To verify Equation (21), recall that Claim 4.13 shows that $x \sim \mathbb {Z}_p^r$ and $y_i = \gamma x_i + \gamma ^{\prime } u_i$ , where $\gamma , \gamma ^{\prime } \sim \mathbb {Z}_p^\ast$ , and u is independent of x (its distribution is irrelevant for the current proof). Condition on the values of $\gamma , \gamma ^{\prime }, u$ , so

$\begin{equation*} {\mathbb {E}}[\chi _S(x) \overline{\chi _{S^{\prime }}(y)}] = {\mathbb {E}}_{\gamma , \gamma ^{\prime }, u} [ {\mathbb {E}}_{x} \left[ e_p (\langle S, x \rangle - \langle S^{\prime }, y \rangle)\,\middle |\, \gamma , \gamma ^{\prime }, u \right] ]. \end{equation*}$

Notice that given $\gamma , \gamma ^{\prime },$ and u, the expression $\langle S, x \rangle - \langle S^{\prime }, y \rangle$ is linear in x and is non-constant (for all $\gamma , \gamma ^{\prime }, u$ ), since $S, S^{\prime }$ are non-proportional. Hence, ${\mathbb {E}}[e_p (\langle S, x \rangle - \langle S^{\prime }, y \rangle)] = 0$ , since $x \sim \mathbb {Z}_p^r$ , and the expected value of $e_p(x^{\prime })$ when $x^{\prime } \sim \mathbb {Z}_p$ is uniformly distributed is 0. □

Given two vectors $S, S^{\prime } \in \mathbb {Z}_p^r$ and two scalars $\alpha , \beta \in \mathbb {Z}_p$ , we denote by $\alpha S + \beta S^{\prime } \in \mathbb {Z}_p^r$ the vector $S^{\prime \prime }$ having for all $i \in [r]$ ,

$\begin{equation*} S^{\prime \prime }_i = \left(\alpha S_i + \beta S^{\prime }_i \right) \,\%\,p. \end{equation*}$

Representing the correlation in terms of $M_{p,q,r}$ and the Fourier expansion. The following lemma shows how $M_{p,q,r}$ can be used to estimate the correlation $\text{Cov}(B^{\prime }(x), B^{\prime }(y))$ we aim at bounding, thus establishing Equation (14).

Lemma 4.16.

Let ${f}:{\mathbb {Z}_{p}^r} \rightarrow {\mathbb {C}}$ have $f(\gamma x) = f(x)$ for all $x \in \mathbb {Z}_{p}^r$ , and $\gamma \in \mathbb {Z}_p^\ast$ . Suppose $(x, y)$ has a $(p,q,r)$ -arithmetic-distribution. Then

$\begin{equation*} \text{Cov}(f(x), f(y)) = \sum _{\begin{array}{c}S \in \mathbb {Z}_{p}^r \\ S \ne 0_r\end{array}} (p-1) M_{p,q,r}(S) \widehat{f}(S)^2. \end{equation*}$

Proof.

Using the expansion $f(x) = \sum _{S \in \mathbb {Z}_p^r} \widehat{f}(S) \chi _S(x)$ , we find

$\begin{equation*} \text{Cov}(f(x), f(y)) = {\mathbb {E}}_{x,y} [ (f(x) - \widehat{f}(0)) \overline{(f(y) - \widehat{f}(0))}] = \sum _{S,S^{\prime } \in \mathbb {Z}_p^r \setminus \lbrace 0_r\rbrace } \widehat{f}(S) \widehat{f}(S^{\prime }) {\mathbb {E}}_{x,y}[\chi _S(x) \overline{\chi _{S^{\prime }}(y)}]. \end{equation*}$

By comparing coefficients, the assumption that $f(\gamma x) = f(x)$ (for all x) implies $\widehat{f}(S) = \widehat{f}(\gamma S)$ . Combining with Lemma 4.15, we get

$\begin{equation*} \text{Cov}(f(x), f(y)) = \sum _{S \ne 0_r} \sum _{\gamma \in \mathbb {Z}_p^\ast } \widehat{f}(S) \widehat{f}(\gamma S) M_{p,q,r}(S) = (p-1) \sum _{S \ne 0_r} \widehat{f}(S)^2 M_{p,q,r}(S). \end{equation*}$

□

Bounding $M_{p,q,r}(S)$ . The following two lemmas allow us to bound $M_{p,q,r}(S)$ :

Lemma 4.17.

Suppose $(x, y)$ has a $(p,q,r)$ -arithmetic-distribution. For any $r \in \mathbb {N}$ , any primes $p,q \gt 0$ , and any non-zero $S \in \mathbb {Z}_p^r$ , we have

$\begin{equation} M_{p,q,r}(S) = \frac{p^2 \Pr [\langle S, x\rangle = \langle S, y\rangle = 0 ] - 1}{(p-1)^2}. \end{equation}$

(22)

Proof.

Assume $(x,y)$ has a $(p,q,r)$ -arithmetic-distribution, and let $S \in \mathbb {Z}_p^r$ be any vector. We show

$\begin{equation} \begin{aligned}M_{p,q,r}(S) &= 1 \cdot \Pr [\langle S, x\rangle = \langle S, y\rangle = 0 ] \\ &\phantom{=} - \frac{1}{p-1} \Pr [\langle S, x\rangle = 0 \text{ XOR } \langle S, y\rangle = 0] \\ &\phantom{=} + \frac{1}{(p-1)^2} \Pr [\langle S, x\rangle \ne 0 \wedge \langle S, y\rangle \ne 0], \\ \end{aligned} \end{equation}$

(23)

where $(\langle S, x\rangle = 0 \text{ XOR } \langle S, y\rangle = 0)$ denotes the event that exactly one of $\langle S,x \rangle =0$ , $\langle S,y \rangle = 0$ holds. To verify Equation (23), note that if $(x,y)$ has a $(p,q,r)$ -arithmetic distribution, then so does $(\gamma _1 x, \gamma _2 y)$ , for any $\gamma _1,\gamma _2 \in \mathbb {Z}_p^*$ . Hence,

$\begin{equation*} \begin{aligned}{\mathbb {E}}_{x,y}[ \chi _S(x) \overline{\chi _S(y)} ] &= {\mathbb {E}}_{x,y}[e_p (\langle S, x\rangle - \langle S, y\rangle)] \\ & = {\mathbb {E}}_{x,y}[e_p (\gamma _1 \cdot \langle S, x\rangle - \gamma _2 \cdot \langle S, y\rangle)]. \end{aligned} \end{equation*}$

Letting $\gamma _1, \gamma _2$ be uniformly distributed in $\mathbb {Z}_p^{\ast }$ (independently of $(x,y)$ ), one can verify that for any fixed $x,y$ , we have

$\begin{equation} \begin{gathered}{\mathbb {E}}_{\gamma _1, \gamma _2}[e_p (\gamma _1 \cdot \langle S, x\rangle - \gamma _2 \cdot \langle S, y\rangle)] = {\mathbb {E}}_{\gamma _1}[e_p (\gamma _1 \cdot \langle S, x\rangle)] {\mathbb {E}}_{\gamma _2} [e_p(\gamma _2 \cdot \langle S, y\rangle)] \\ = \Big (\mathbb {1}\lbrace \langle S, x\rangle = 0\rbrace - \frac{\mathbb {1}\lbrace \langle S, x\rangle \ne 0 \rbrace }{p-1}\Big) \cdot \Big (\mathbb {1}\lbrace \langle S, y\rangle = 0\rbrace - \frac{\mathbb {1}\lbrace \langle S, y\rangle \ne 0 \rbrace }{p-1}\Big). \end{gathered} \end{equation}$

(24)

Equation (23) then follows by averaging Equation (24) over $(x,y)$ .

Denote the three probabilities in Equation (23) by $A,B,C$ , that is:

$\begin{equation*} \begin{aligned}A &\mathrel {\mathop :}=\Pr [\langle S, x\rangle = \langle S, y\rangle = 0 ], \\ B &\mathrel {\mathop :}=\Pr [\langle S, x\rangle = 0 \text{ XOR } \langle S, y\rangle = 0], \\ C &\mathrel {\mathop :}=\Pr [\langle S, x\rangle \ne 0 \wedge \langle S, y\rangle \ne 0]. \end{aligned} \end{equation*}$

Note that $A+B+C=1$ , and that for any $S\ne 0$ , we have $2A+B = 2\cdot \Pr [\langle S,x\rangle = 0] = 2/p$ , since each of $x,y$ is uniformly distributed in $\mathbb {Z}_p^r$ . Substituting into Equation (23) and simplifying, we obtain

$\begin{equation*} M_{p,q,r}(S) = \frac{p^2 \Pr [\langle S, x\rangle = \langle S, y\rangle = 0 ] - 1}{(p-1)^2}, \end{equation*}$

as asserted. □

Lemma 4.18.

Let $r \in \mathbb {N}$ , let $p \ge q \gt 0$ be prime numbers, and let $S \in \mathbb {Z}_p^r$ be a nonzero vector. If $(x,y)$ has a $(p,q,r)$ -arithmetic-distribution, then

$\begin{equation} \Pr _{x,y}[\langle S, x \rangle = \langle S, y \rangle = 0] \le O(1 / (pq) + 1/p^2) \le O(1/(pq)). \end{equation}$

(25)

Proof.

Recall the distribution of $x,y$ given by Claim 4.13, namely, $y_i = (\gamma x_i + \gamma ^{\prime } u_i) \,\%\,p$ with $u_i = \lfloor \alpha v_i / q \rceil \,\%\,p$ , where $x,v,\gamma , \gamma ^{\prime }, \alpha$ are independent random variables. By the independence of $x, u$ , we get

$\begin{equation} \Pr _{x,y}[\langle S, x \rangle = \langle S, y \rangle = 0] = \Pr _{x}[\langle S, x \rangle = 0] \Pr _{u}[\langle S, u \rangle = 0]. \end{equation}$

(26)

Since x is uniformly random and S is nonzero, $\Pr _{x}[\langle S, x \rangle = 0] = 1/p$ . It thus remains to show

$\begin{equation} \Pr _{u}[\langle S, u \rangle = 0] \le O(1 / q + 1 / p). \end{equation}$

(27)

To prove Equation (27), we note that it is a Littlewood-Offord-type statement: The entries $u_i$ are independent random variables, and $\langle S, u \rangle$ is their weighted sum, and we are concerned with the probability it attains a specific value.

We tackle the problem by using a standard antichain argument. Roughly, choose an i with $S_i \ne 0$ , and condition on the values of $u_j$ for all $j \ne i$ . Then, there is at most one value of $u_i$ that would make $\langle S, u \rangle = S_i u_i + \sum _{j: j \ne i} S_j u_j \,\%\,p = 0$ . Recall $u_i = \lfloor \alpha v_i / q \rceil \,\%\,p$ , where $v_i$ is uniformly distributed in $\lbrace (1-q)/2, \ldots , (q-1)/2 \rbrace$ . Hence, assuming that the map $v_i \mapsto u_i$ is injective, we have that $\langle S, u \rangle = 0$ with probability $\le 1/q$ , as required. This last assumption is not strictly correct, however, it can be corrected as follows:

Depending on $\alpha$ and on $\lbrace u_j:j \ne i\rbrace$ , we let $Z = \lbrace \tau \in \lbrace (1-q)/2, \ldots , (q-1)/2 \rbrace :(S_i \lfloor \alpha \tau / q \rceil + \sum _{j: j \ne i} S_j u_j) \,\%\,p = 0 \rbrace$ , and note that according to the above discussion, $\Pr [\langle S,u \rangle = 0] = {\mathbb {E}}[|Z|]/q$ . Hence, Equation (27) is reduced to showing that ${\mathbb {E}}[|Z|] \le O(1 + q/p)$ . Write $Z = \lbrace \tau _1, \ldots , \tau _k\rbrace$ with $\tau _1 \lt \ldots \lt \tau _k$ , and $Z^{\prime } = \lbrace \tau _2 - \tau _1, \tau _3 - \tau _1, \ldots , \tau _k - \tau _1\rbrace$ . Note that $|Z| = |Z^{\prime }| + 1$ and that every $\sigma \in Z^{\prime }$ satisfies $\alpha \sigma \in pq\mathbb {Z}+ (-q,q)$ (i.e., the residue $(\alpha \sigma) \,\%\,(pq)$ is either smaller than q or larger than $pq-q$ ). Hence,

$\begin{equation*} {\mathbb {E}}[|Z|] \le 1 + {\mathbb {E}}[|Z^{\prime }|] \le 1 + {\mathbb {E}}_{\alpha }\left[ \sum _{\sigma = 1}^{q-1} \mathbb {1}\lbrace \alpha \sigma \in pq\mathbb {Z}+ (-q,q) \rbrace \right] = O(1 + q/p), \end{equation*}$

where the last bound follows, since for any fixed $\sigma$ , $\alpha \sigma \,\%\,(pq)$ is uniformly distributed in $\mathbb {Z}_{pq}^{\ast }$ (recall $\sigma \lt q\le p$ ), and the probability it is in $pq\mathbb {Z}+ (-q,q)$ is $O(1/p)$ . □

Lemmas 4.17 and 4.18 yield the following corollary, which upper bounds $M_{p,q,r}(S)$ :

Corollary 4.19.

Let $r \in \mathbb {N}$ , let $p \ge q \gt 0$ be prime numbers, and let $S \in \mathbb {Z}_p^r$ be a nonzero vector. Then

$\begin{equation*} |M_{p,q,r}(S)| \le O(1/(pq)). \end{equation*}$

Proof.

By Equation (22), we have

$\begin{equation*} M_{p,q,r}(S) = \frac{p^2 \Pr [\langle S, x\rangle = \langle S, y\rangle = 0 ] - 1}{(p-1)^2}. \end{equation*}$

By Equation (25), we have

$\begin{equation*} \Pr [\langle S, x\rangle = \langle S, y\rangle = 0 ] \le O(1/(pq)). \end{equation*}$

These two estimates yield the desirable $|M_{p,q,r}(S)| = O(1/(pq)+1/p^2) = O(1/(pq)).$ □

4.3.4 Partitioning into 2-dimensional Subspaces.

While Corollary 4.19, in conjunction with Lemma 4.16, allows us bounding $\text{Cov}(B^{\prime }(x), B^{\prime }(y))$ from above (which is the main task we are tackling), the obtained upper bound is not sufficiently tight for our purposes. To achieve a stronger bound, we use the special structure of $B^{\prime }$ observed in Claim 4.12—namely, that it satisfies $B^{\prime }(x)=B^{\prime }(\gamma x)$ for all $\gamma \in \mathbb {Z}_p^\ast$ , and that its Fourier expansion satisfies $\widehat{B^{\prime }}(S) = \widehat{B^{\prime }}(S+S^{\prime })$ for all S and the specific $S^{\prime }$ defined in Claim 4.12—to show that it is sufficient to bound the sums $\sum _{S \in U} M_{p,q,r}(S)$ over certain 2-dimensional subspaces U.

Lemma 4.20.

Let $r \in \mathbb {N}$ , and let $p \ge q$ be prime numbers. Let ${f}:{\mathbb {Z}_p^r} \rightarrow {\left[0,1\right]}$ satisfy $f(x) = f(\gamma x)$ for all $x \in \mathbb {Z}_p^r$ and $\gamma \in \mathbb {Z}_p^\ast$ . Furthermore, assume there exists a particular nonzero vector $S^{\prime } \in \mathbb {Z}_p^r$ such that $\widehat{f}(S+S^{\prime }) = \widehat{f}(S)$ for all $S \in \mathbb {Z}_p^r$ .

Let C be a constant such that for all S satisfying $\forall \nu \in \mathbb {Z}_p :S \ne \nu S^{\prime }$ ,

$\begin{equation*} \sum _{\begin{array}{c}\eta \in \mathbb {Z}_{p}^{\ast } \\ \nu \in \mathbb {Z}_p\end{array}} M_{p,q,r}(\eta S + \nu S^{\prime }) \le C. \end{equation*}$

If $\mu = {\mathbb {E}}[f]$ , and $(x,y)$ has a $(p,q,r)$ -arithmetic-distribution, then

$\begin{equation*} \text{Cov}(f(x), f(y)) \le O\left(\frac{p}{q} \mu ^2 + \frac{C}{p} \mu \right). \end{equation*}$

Proof.

By Lemma 4.16, we have

$\begin{equation*} \text{Cov}(f(x), f(y)) = (p-1) \sum _{S \ne 0_r} M_{p,q,r}(S) \widehat{f}(S)^2 . \end{equation*}$

There are two kinds of contributions to the right-hand side, corresponding to elements S with $S = \nu S^{\prime }$ and to other elements.

Case 1: The contribution of each S with $S = \nu S^{\prime }$ for $\nu \in \mathbb {Z}_p^\ast$ , is $M_{p,q,r}(S^{\prime }) \cdot \widehat{f}(S^{\prime })^2$ . (Recall that by Lemma 4.15, for such an S, we have $M_{p,q,r}(S^{\prime })=M_{p,q,r}(S)$ , and, since $f(x)=f(\gamma x)$ , we have $\widehat{f}(S)=\widehat{f}(S^{\prime })$ .) We note that $|\widehat{f}(S)| = |{\mathbb {E}}_x[f(x) \overline{\chi _S(x)}]| \le {\mathbb {E}}|f(x)| = \mu$ . Using the bound on $M_{p,q,r}(S)$ from Corollary 4.19, and the fact that there are only $p-1$ such S’s, we get that the total contribution in this case is

$\begin{equation*} (p-1)\sum _{S=\nu S^{\prime }}M_{p,q,r}(S) \widehat{f}(S)^2 \le (p-1)^2 M_{p,q,r}(S^{\prime }) \mu ^2 \le p^2 O(1/(pq)) \mu ^2 \le O\left(\frac{p}{q} \mu ^2 \right). \end{equation*}$

Case 2: The contribution of elements S with $S \ne \nu S^{\prime }$ for all $\nu \in \mathbb {Z}_p^\ast$ (we denote this family of elements by $\mathcal {S}$ ) can be analyzed using the assumption that $\widehat{f}(S+ \nu S^{\prime }) = \widehat{f}(S)$ for all $\nu \in \mathbb {Z}_p$ . It follows that

$\begin{equation*} (p-1)\sum _{S \in \mathcal {S}} M_{p,q,r}(S) \widehat{f}(S)^2 = \frac{p-1}{p(p-1)} \sum _{S \in \mathcal {S}} \widehat{f}(S)^2 \cdot \sum _{\begin{array}{c}\eta \in \mathbb {Z}_p^\ast \\ \nu \in \mathbb {Z}_p\end{array}} M_{p,q,r}(\eta S + \nu S^{\prime }) \le \frac{C \mu }{p}. \end{equation*}$

Here, the first equality holds, since each summand on the left-hand side appears $p(p-1)$ times on the right-hand side. The final inequality is obtained by the assumption regarding C and the estimate $\sum _S \widehat{f}(S)^2 = {\mathbb {E}}[f^2] \le \mu$ .

Overall: Combining the above two contributions, we get

$\begin{equation*} \text{Cov}(f(x), f(y)) \le O\left(\frac{p}{q} \right) \mu ^2 + \frac{C}{p}\mu , \end{equation*}$

as asserted. □

4.3.5 Bounding $\sum _S M_{p,q,r}(S)$ Over 2-dimensional Subspaces.

In this subsection, we present the most complex step of the proof—bounding $\sum _{S \in \mathcal {U}} M_{p,q,r}(S)$ over 2-dimensional subspaces $\mathcal {U}$ , which will allow us to complete the proof in conjunction with Lemma 4.20. The proof is quite technical. Its core element is the representation of a sub-problem as a Littlewood-Offord type problem and the use of an antichain technique for handling it.

Lemma 4.21.

Let $S, S^{\prime } \in \mathbb {Z}_{p}^r$ be nonzero vectors with $S \ne \nu S^{\prime }$ for all $\nu \in \mathbb {Z}_p^\ast$ . Suppose $q \le p$ , then

$\begin{equation} \left| \sum _{\begin{array}{c}\mu \in \mathbb {Z}_{p}^{\ast } \\ \nu \in \mathbb {Z}_p\end{array}} M_{p,q,r}(\mu S + \nu S^{\prime }) \right| \le O(p/q^2 + \log (q)/q + 1/p) \le O(p\log (q) / q^2). \end{equation}$

(28)

Proof.

$\phantom{}$

Step 1. We express the left-hand side of Equation (28), using Lemma 4.17 (with $T = \mu S + \nu S^{\prime }$ ), as

$\begin{equation} D\mathrel {\mathop :}=\sum _{\begin{array}{c}\mu \in \mathbb {Z}_{p}^{\ast } \\ \nu \in \mathbb {Z}_p\end{array}} M_{p,q,r}(\mu S + \nu S^{\prime }) = \frac{p^2}{(p-1)^2} \sum _{\begin{array}{c}\mu \in \mathbb {Z}_{p}^{\ast } \\ \nu \in \mathbb {Z}_p\end{array}} \Pr [\langle \mu S + \nu S^{\prime }, x\rangle = \langle \mu S + \nu S^{\prime }, y\rangle = 0 ] - \frac{p}{p-1}, \end{equation}$

(29)

where the probability is taken over pairs $(x, y)$ distributed according to a $(p,q,r)$ -arithmetic-distribution. Adding and subtracting all pairs of the form $(\mu , \nu) = (0, \nu)$ to the sum in Equation (29), we get

$\begin{equation*} \frac{(p-1)^2}{p^2}D = \sum _{\begin{array}{c}\mu , \nu \in \mathbb {Z}_p \\ (\mu , \nu) \ne (0,0)\end{array}} \Pr [\langle \mu S + \nu S^{\prime }, x\rangle = \langle \mu S + \nu S^{\prime }, y\rangle = 0 ] - (p-1)\Pr _{x,y}[\langle S^{\prime }, x \rangle = \langle S^{\prime }, y \rangle = 0] - \frac{p-1}{p}. \end{equation*}$

Note that given $x,y$ , the number of solutions $(\mu ,\nu)$ of the equation system $(\langle \mu S + \nu S^{\prime },x \rangle = 0) \wedge (\langle \mu S + \nu S^{\prime },y \rangle = 0)$ is equal to the number of solutions of the system $(\mu \langle S,x \rangle + \nu \langle S,y \rangle = 0) \wedge (\mu \langle S^{\prime },x \rangle + \nu \langle S^{\prime },y \rangle = 0)$ . Indeed, they are equal to the sizes of the left kernel and the right kernel of the matrix

$\begin{equation*} \begin{pmatrix} \langle S, x \rangle & \langle S, y \rangle \\ \langle S^{\prime }, x \rangle & \langle S^{\prime }, y \rangle \\ \end{pmatrix}, \end{equation*}$

which are known to be equal. The latter linear system may succinctly be written as $\mu V(x)+\nu V(y)=0$ where

$\begin{equation*} V(x) \mathrel {\mathop :}=\begin{pmatrix} \langle S, x \rangle \\ \langle S^{\prime }, x \rangle \\ \end{pmatrix} \in \mathbb {Z}_p^2, \qquad V(y) \mathrel {\mathop :}=\begin{pmatrix} \langle S, y \rangle \\ \langle S^{\prime }, y \rangle \\ \end{pmatrix} \in \mathbb {Z}_p^2. \end{equation*}$

Using this equality, we obtain

$\begin{equation*} \frac{(p-1)^2}{p^2}D = \sum _{\begin{array}{c}\mu , \nu \in \mathbb {Z}_p \\ (\mu , \nu) \ne (0,0)\end{array}} \Pr _{x,y}[ \mu V(x) + \nu V(y) = 0 ] - (p-1)\Pr _{x,y}[\langle S^{\prime }, x \rangle = \langle S^{\prime }, y \rangle = 0] - \frac{p-1}{p}. \end{equation*}$

Note that Equation (28) is equivalent to $D \le O(p/q^2 + \log (q)/q + 1/p)$ , which follows from the bounds:

$\begin{equation} \Pr _{x,y}\big [\langle S^{\prime }, x \rangle = \langle S^{\prime }, y \rangle = 0 \big ] \le O(1 / (pq) + 1/p^2), \end{equation}$

(30)

$\begin{equation} \left| \sum _{\begin{array}{c}\mu , \nu \in \mathbb {Z}_p \\ (\mu , \nu) \ne (0,0)\end{array}} \Pr _{x,y}[ \mu V(x) + \nu V(y) = 0 ] - \frac{p-1}{p} \right| \le O(p/q^2 + \log (q) / q + 1/p). \end{equation}$

(31)

As Equation (30) follows from Lemma 4.18, we are left with the task of verifying Equation (31).

Step 2. We verify Equation (31). Note that $\frac{p^2-1}{p^2} - \frac{p-1}{p} \lt 1/p$ , thus Equation (31) follows from

$\begin{equation} \left| \sum _{(\mu , \nu) \ne (0,0)} \Pr _{x,y}[ \mu V(x) + \nu V(y) = 0 ] - \frac{p^2-1}{p^2} \right| \le O(p/q^2 + \log (q) / q + 1/p). \end{equation}$

(32)

In case of either $\mu = 0$ or $\nu = 0$ , we have $\Pr _{x,y}[ \mu V(x) + \nu V(y) = 0 ] = 1/p^2$ , since both $x,y$ are uniformly distributed in $\mathbb {Z}_p^r$ and $S, S^{\prime }$ are linearly independent vectors. We must hence verify

$\begin{equation} \left| \sum _{\mu \in \mathbb {Z}_p^{\ast }} \Pr _{x,y}[ \mu V(x) = V(y) ] - \frac{p-1}{p^2} \right| \le O(1/q^2 + \log (q) / (pq) + 1/p^2). \end{equation}$

(33)

We now reason about the left-hand side of Equation (33). Specifically, we consider the three sums

$\begin{equation*} Q_1 \mathrel {\mathop :}=\sum _{\mu \in \mathbb {Z}_p^{\ast }} \Pr _{x,y} \Big [ \mu V(x) = V(y) \,\wedge \, \Big (\lbrace \langle S, x \rangle , \langle S, y \rangle \rbrace = \lbrace 0\rbrace \Big) \Big ], \end{equation*}$

$\begin{equation*} Q_2 \mathrel {\mathop :}=\sum _{\mu \in \mathbb {Z}_p^{\ast }} \Pr _{x,y} \Big [ \mu V(x) = V(y) \,\wedge \, \Big (0 \in \lbrace \langle S, x \rangle , \langle S, y \rangle \rbrace \ne \lbrace 0\rbrace \Big) \Big ], \end{equation*}$

$\begin{equation*} Q_3 \mathrel {\mathop :}=\sum _{\mu \in \mathbb {Z}_p^{\ast }} \Pr _{x,y} \Big [ \mu V(x) = V(y) \,\wedge \, \Big (0 \notin \lbrace \langle S, x \rangle , \langle S, y \rangle \rbrace \Big) \Big ], \end{equation*}$

and show the following estimates, which together imply Equation (33):

$\begin{equation} |Q_1| \le O(1/(pq) + 1/p^2), \end{equation}$

(34)

$\begin{equation} Q_2 = 0, \end{equation}$

(35)

$\begin{equation} \Big |Q_3 - \frac{p-1}{p^2} \Big | \le O(1/q^2 + \log (q) / (pq) + 1/p^2). \end{equation}$

(36)

To obtain Equation (35), notice that if one of $\langle S, x\rangle , \langle S, y\rangle$ is zero, and the other is not, then there cannot be a $\mu \in \mathbb {Z}_p^{\ast }$ , which is the quotient of them.

Step 3. We prove Equation (34). First, we observe

$\begin{equation*} Q_1 \le \Pr _{x,y}\big [\lbrace \langle S, x \rangle , \langle S, y \rangle \rbrace = \lbrace 0\rbrace \big ] + (p-2)\Pr _{x,y}\big [V(x)=V(y)=0\big ]. \end{equation*}$

This is because upon fixing $x,y$ , whenever $\langle S^{\prime }, x \rangle \ne 0$ or $\langle S^{\prime }, y \rangle \ne 0$ , there is at most one value of $\mu \in \mathbb {Z}_{p}^\ast$ for which $\mu V(x) = V(y)$ . Lemma 4.18 implies

$\begin{equation*} \Pr _{x,y}\big [\lbrace \langle S, x \rangle , \langle S, y \rangle \rbrace = \lbrace 0\rbrace \big ] \le O(1/(pq) + 1/p^2). \end{equation*}$

Hence, it remains to show

$\begin{equation} \Pr _{x,y}\big [V(x)=V(y)=0\big ] \le O(1/(p^2q) + 1/p^3). \end{equation}$

(37)

Since $x\sim \mathbb {Z}_{p}^r$ is uniformly distributed, and $S, S^{\prime }$ are two independent vectors, then we have $\Pr [V(x) = 0] = 1/p^2$ . Moreover, similarly to the reasoning in Lemma 4.18 (Equation (26) in particular),

$\begin{equation*} \Pr \left[ V(y) = 0\,\middle |\, V(x)=0 \right] = \Pr [\langle S, u\rangle = \langle S^{\prime }, u\rangle = 0], \end{equation*}$

where $u = \lfloor \alpha v_i / q \rceil$ with $\alpha \sim \mathbb {Z}_{pq}^\ast$ and $v_i \sim \lbrace (1-q)/2, \ldots , (q-1)/2 \rbrace$ are uniformly distributed. But, according to Equation (27), we have

$\begin{equation*} \Pr [\langle S, u\rangle = \langle S^{\prime }, u\rangle = 0] \le \Pr [\langle S, u\rangle = 0] \le O(1/p+1/q), \end{equation*}$

which, together with $\Pr [V(x)=0]=1/p^2$ implies Equation (37).

Step 4. We prove Equation (36). Recall, again, that $x,y$ are sampled by taking $x\sim \mathbb {Z}_p^r$ uniformly at random, and setting $y_i = (\gamma x_i + \gamma ^{\prime } u_i) \,\%\,p$ with $\gamma ^{\prime }, \gamma \sim \mathbb {Z}_p^\ast$ and $u_i = \lfloor \alpha \cdot v_i \rceil$ , with $\alpha \sim \mathbb {Z}_{pq}^\ast$ and $v_i \sim \lbrace (1-q)/2, \ldots , (q-1)/2 \rbrace$ . We further decompose $Q_3$ into two parts, $Q_3 = Q_4 + Q_5$ , according to whether $\gamma \langle S, x \rangle = \langle S, y \rangle$ or not:

$\begin{equation*} Q_4 = \sum _{\mu \in \mathbb {Z}_p^{\ast }} \Pr _{x,y} \Big [ \mu V(x) = V(y) \,\wedge \, \mu \ne \gamma \,\wedge \, 0 \notin \lbrace \langle S, x \rangle , \langle S, y \rangle \rbrace \Big ], \end{equation*}$

$\begin{equation*} Q_5 = \Pr _{x,y} \Big [ \gamma V(x) = V(y) \,\wedge \, 0 \notin \lbrace \langle S, x \rangle , \langle S, y \rangle \rbrace \Big ], \end{equation*}$

and define the auxiliary probabilities

$\begin{equation*} \begin{aligned}\beta &= \Pr \big [\gamma \langle S, x \rangle = \langle S, y \rangle \,\wedge \, \big (0 \notin \lbrace \langle S, x \rangle , \langle S, y \rangle \rbrace \big) \big ], \\ \eta &= \Pr [0 \notin \lbrace \langle S, x \rangle , \langle S, y \rangle \rbrace ]. \end{aligned} \end{equation*}$

We make four claims:

—

Simplifying $Q_4$ : $Q_4 = (\eta - \beta)/p$ ,

—

Upper bounding $\beta$ : $\beta \le O(1/p + 1/q)$ ,

—

Lower bounding $\eta$ : $\eta \ge 1-2/p$ ,

—

Upper bounding $Q_5$ : $Q_5 \le O(1/q^2 + \log (q)/(pq))$ .

Since $Q_3 = Q_4 + Q_5$ , these claims clearly imply Equation (36).

Lower bounding $\eta$ . Recall that both x and y are uniformly distributed in $\mathbb {Z}_p^r$ , and so $\langle S, x \rangle$ and $\langle S, y \rangle$ are uniformly distributed in $\mathbb {Z}_p$ . Thus, by a union bound, we have $\eta \ge 1-2/p$ , as asserted.

Upper bounding $\beta$ . Recall that $y_i = (\gamma x_i + \gamma ^{\prime } u_i) \,\%\,p$ , and hence the event that $\gamma \langle S, x \rangle = \langle S, y \rangle$ is exactly the event that $\langle S, u \rangle = 0$ . The probability of this latter event may be upper bounded by $O(1/p+1/q)$ using Equation (27). Hence,

$\begin{equation*} \beta \le \Pr [\langle S, u \rangle = 0] \le O(1/p+1/q), \end{equation*}$

as asserted.

Simplifying $Q_4$ . As an appetizer, note that if we would replace in $Q_4$ the requirement of $\mu V(x) = V(y)$ by $\mu \langle S, x\rangle = \langle S, y\rangle$ , and call the result $Q_4^{\prime }$ , then we would get $Q_4^{\prime } + \beta = \eta$ . All that is left to prove Equation (1) is to show that $p Q_4 = Q_4^{\prime }$ .

Observe that we may assume that

$\begin{equation} \exists \ell \in [r]: S_\ell = 0 \wedge S^{\prime }_\ell \ne 0. \end{equation}$

(38)

To reduce to this case, we choose any $\ell$ with $S^{\prime }_\ell \ne 0$ and replace S by $S - \frac{S_\ell }{S^{\prime }_\ell } S^{\prime }$ , which is also nonzero. (Note that the sum on the left-hand side of Equation (28) does not change by this replacement.)

We condition on the values of $\gamma , u, \gamma ^{\prime }$ and $\lbrace x_j : j \ne \ell \rbrace$ (i.e., on the $\sigma$ -algebra generated by these variables). The only information that is missing in the probability space is $x_\ell$ —it is uniformly distributed under the current conditioning. While the contribution to $Q_4^{\prime }$ is fixed under the current conditioning (as we assumed $S_\ell =0$ ), we claim there exists exactly one value of $x_\ell$ that would contribute to the probability expressed by $Q_4$ . To see this, let $\mu$ be the unique element of $\mathbb {Z}_p^\ast$ that has $\mu \langle S, x \rangle = \langle S, y \rangle$ . To have $\mu V(x) = V(y)$ , we must also have $\mu \langle S^{\prime }, x \rangle = \langle S^{\prime }, y \rangle$ . Under our conditioning, this latter equation is a linear equation in $x_\ell$ with the linear coefficient $(\mu - \gamma)S^{\prime }_\ell$ (recall how $y_\ell$ depends on $x_\ell$ ) and some constant coefficient that is deterministic under our conditioning. This equation has a unique solution in $x_\ell$ . Since $x_\ell$ has a uniform distribution, we have $Q_4 = Q_4^{\prime } / p = (\eta -\beta)/ p$ , as asserted.

Step 5. Last, we upper bound $Q_5$ . Recall

$\begin{equation*} V(y) = \begin{pmatrix} \langle S, y \rangle \\ \langle S^{\prime }, y \rangle \\ \end{pmatrix} = \gamma \begin{pmatrix} \langle S, x \rangle \\ \langle S^{\prime }, x \rangle \\ \end{pmatrix} + \gamma ^{\prime } \begin{pmatrix} \langle S, u \rangle \\ \langle S^{\prime }, u \rangle \\ \end{pmatrix}. \end{equation*}$

Hence, the event $\gamma V(x) = V(y)$ is simply $\lbrace \langle S, u \rangle = 0 \, \wedge \, \langle S^{\prime }, u \rangle = 0\rbrace$ , implying

$\begin{equation*} Q_5 \le \Pr _u[ \langle S, u \rangle = 0 \, \wedge \, \langle S^{\prime }, u \rangle = 0 ]. \end{equation*}$

We use an argument similar to the argument we had in Lemma 4.18 (specifically, Equation (27)) to upper bound this last quantity. Let $l \in [r]$ be any coordinate with $S_l \ne 0$ , and let $\ell$ be a coordinate with $S^{\prime }_\ell \ne 0$ while $S_\ell = 0$ , whose existence we assumed (see Equation (38)). Recall $u_j = \lfloor \alpha v_j/ q\rceil$ . Condition on any specific values for $\alpha , \lbrace u_j : j \notin \lbrace l,\ell \rbrace \rbrace$ . Similarly to Step 4, we can upper bound the probability that $\langle S, u \rangle = 0$ by the probability that $u_l$ turns out to be just the right value that would make $\langle S, u \rangle = 0$ true. This probability is upper bounded by $\frac{1}{q}$ times the maximal number of elements $v^{\prime \prime } \in \lbrace (1-q)/2, \ldots , (q-1)/2 \rbrace$ that map to the same $u^{\prime \prime }$ under $u^{\prime \prime } = \lfloor \alpha v^{\prime \prime } / q\rceil \,\%\,p$ . Using the same reasoning as in Lemma 4.18, we see that this probability is upper bounded by $(|Z_\alpha |+1) / q$ , where

$\begin{equation*} Z_\alpha = \lbrace \sigma \in \lbrace (1-q)/2, \ldots , (q-1)/2 \rbrace : (\alpha \sigma) \in pq \mathbb {Z}+ (-q, q) \rbrace . \end{equation*}$

Under the described conditioning, $\langle S, u \rangle$ is determined by $u_l$ , and by further conditioning on the value of $u_l$ , $\langle S^{\prime }, u \rangle$ is determined by $u_\ell$ . Thus, the event that both these quantities are equal zero has probability

$\begin{equation} \Pr [\langle S, u\rangle = 0 \wedge \langle S^{\prime }, u\rangle = 0] \le (|Z_\alpha | + 1)^2 / q^2. \end{equation}$

(39)

Our task of upper bounding $Q_5$ is hence reduced to understanding the second moment of $|Z_\alpha |$ . For any fixed $\alpha$ ,

$\begin{equation*} \begin{aligned}|Z_\alpha |^2 &= \sum _{\sigma _1=(1-q)/2}^{(q-1)/2} \sum _{\sigma _2 = (1-q)/2}^{(q-1)/2} \mathbb {1}\big \lbrace \lbrace \sigma _1 \cdot \alpha , \sigma _2 \cdot \alpha \rbrace \subseteq pq\mathbb {Z}+ (-q, q) \big \rbrace \\ &\le 4\sum _{\sigma _1=0}^{q-1} \sum _{\sigma _2 = 0}^{q-1} \mathbb {1}\big \lbrace \lbrace \sigma _1 \cdot \alpha , \sigma _2 \cdot \alpha \rbrace \subseteq pq\mathbb {Z}+ (-q, q) \big \rbrace . \end{aligned} \end{equation*}$

Denote $\tau _j^{\prime } \mathrel {\mathop :}=(\sigma _j \cdot \alpha \,\%\,pq)$ , then we have $\tau _1^{\prime } \cdot \sigma _2 \,\%\,(pq) = \tau _2^{\prime } \cdot \sigma _1 \,\%\,(pq)$ . Using the assumption $q \le p$ , we may leverage this equation into an equation over the integers (i.e., not involving a modulus) in the following way:

Let $\tau _j \mathrel {\mathop :}=\min \lbrace \tau _j^{\prime }, pq - \tau _j^{\prime }\rbrace$ , so the above equation reads either $\tau _1 \cdot \sigma _2 \,\%\,(pq) = \tau _2 \cdot \sigma _1 \,\%\,(pq)$ or $\tau _1 \cdot \sigma _2 \,\%\,(pq) = -\tau _2 \cdot \sigma _1 \,\%\,(pq)$ . Observe that $\tau _j \le q$ , and hence, $\tau _1 \sigma _2, \tau _2 \sigma _1 \le q^2 \le pq$ . Therefore, over the integers, we must have

$\begin{equation} \tau _1 \cdot \sigma _2 = \tau _2 \cdot \sigma _1 \qquad \mbox{ or } \qquad \tau _1 \cdot \sigma _2 + \tau _2 \cdot \sigma _1 = pq. \end{equation}$

(40)

To bound from above the expectation of $|Z_\alpha |^2$ over the $|\mathbb {Z}_{pq}^\ast |=\phi (pq)$ possible values of $\alpha$ , we note that $\alpha$ can be recovered uniquely from $\sigma _1,\tau ^{\prime }_1$ , as $\alpha = \tau ^{\prime }_1 \cdot \sigma _1^{-1} \,\%\,pq$ . Thus, any given quadruple $(\sigma _1,\sigma _2,\tau _1,\tau _2)$ corresponds to at most two different values of $\alpha$ , and so, when we sum over all values of $\alpha$ , each solution of each of the equations in (40) is counted at most twice.

Therefore, we have

$\begin{equation} {\mathbb {E}}_{\alpha }[|Z_\alpha |^2] \le \frac{4 \cdot 2}{\phi (pq)} \Big (\# \lbrace (a,b,c,d) : ab = cd \rbrace + \# \lbrace (a,b,c,d) : ab + cd = pq \rbrace \Big), \end{equation}$

(41)

where $a,b,c,d$ take values in $\lbrace 0,1,\ldots , q-1\rbrace$ .

We bound the number of such quadruples $(a,b,c,d)$ by the following simple number-theoretic lemma, whose proof is given below:

Lemma 4.22.

Let $q,N \gt 0$ be positive integers. Define

$\begin{equation*} \begin{aligned}P &= \left\lbrace (a, b, c, d)\,\middle |\, ab+cd = N\right\rbrace \subseteq \lbrace 0,1,\ldots , q-1\rbrace ^4, \\ Q &= \left\lbrace (a, b, c, d)\,\middle |\, ab=cd\right\rbrace \subseteq \lbrace 0,1,\ldots , q-1\rbrace ^4. \end{aligned} \end{equation*}$

Then, $|P| \le O(q^2 \log (q))$ and $|Q| \le O(q^2 \log (q))$ . □

By Lemma 4.22, the number of these quadruples $(a,b,c,d)$ is $O(q^2 \log (q))$ . Combining Equation (39) and Equation (41) with Lemma 4.22, we arrive at

$\begin{equation*} Q_5 \le O\left(\frac{1}{q^2} \cdot \left(1 + \frac{q^2 \log (q)}{pq} \right)\right) \le O\left(\frac{1}{q^2} + \frac{\log (q)}{pq}\right), \end{equation*}$

concluding the proof of Lemma 4.21.

Summary of the proof of Lemma 4.21. We parsed the left-hand side of Equation (28) and interpreted it as the bias introduced in an event, ( $V(x)$ is proportional to $V(y)$ ) caused by dependence between $x,y\sim \mathbb {Z}_p^r$ . The core of the argument upper bounds this bias by posing the problem as a Littlewood-Offord-type problem and using an antichain argument along with simple number theoretic estimates.

Proof of Lemma 4.22.

First, notice that we may consider, in both cases, $a,b,c,d \gt 0$ , as there are only $O(q^2)$ quadruples with $0 \in \lbrace a,b,c,d\rbrace$ and either $ab=cd$ or $ab+cd = N$ . Indeed, regarding $ab=cd$ , we must have 0 on both sides, which implies that there are only $O(q^2)$ possible pairs. Regarding $ab+cd=N$ , if $a=0$ , then $b,c$ have $q^2$ options, and they determine d, totaling in $\le O(q^2)$ pairs. We call the analogs of $P,Q$ , with the quadruples containing 0 removed, $P^{\prime }, Q^{\prime }$ , respectively.

Second, we count $|P^{\prime }|$ . Fixing $a,c$ , we see that $b,d$ must satisfy the linear equation $ab + cd = N$ . The different solutions $(b,d)$ for this equation differ by integral multiples of the vector $(c/\gcd (a,c), -a/\gcd (a,c))$ . Since both $b,d$ are integers in $[1,q)$ , the number of such solutions is at most $q \gcd (a,c) / \max (a,c)$ . Denoting $g = \gcd (a,c)$ , we arrive at

$\begin{equation*} |P^{\prime }| \le \sum _{g=1}^{q} \sum _{g | a} \sum _{g|c} \frac{q g}{\max (a,c)} \le \sum _{g=1}^{q} \sum _{g|c} \frac{2c}{g} \cdot \frac{q g}{c} \le \sum _{g=1}^{q} \sum _{g| c} 2q \le \sum _{g=1}^{q} 2q^2/g = O(q^2 \log (q)), \end{equation*}$

as required.

Last, bounding $|Q^{\prime }|$ is done likewise, this time considering the equation $ab-cd = 0$ . □

We note that the $\log (q)$ factor in the bound $O(\frac{1}{q^2} + \frac{\log (q)}{pq})$ of Lemma 4.22 is the reason for the logarithmic loss in Theorem 4.1. Unfortunately, one can show that the assertion of Lemma 4.22 is tight up to a constant factor, at least regarding the size of Q.

4.3.6 Wrapping up the Proof of the Obfuscation Lemma.

Proof of Lemma 4.7.

Recall that we assume an algorithm ${B}:{\mathbb {Z}_p^r} \rightarrow {\binom{[r]}{k}}$ that always reports a k-tuple of its input numbers whose sum is 0 modulo p (and is allowed to report failure). Using B, we define the obfuscation algorithm ${A}:{\mathbb {Z}_{pq}^r} \rightarrow {\binom{[r]}{k}}$ (Algorithm 4.6), which reports a k-tuple of its input numbers whose sum is 0 modulo pq. We further define ${B^{\prime }}:{\mathbb {Z}_p^r} \rightarrow {[0,1]}$ by

$\begin{equation*} B^{\prime }(x) = \Pr _{P,\gamma }[B(P(\gamma \cdot x)) = P(\lbrace 1,2,\ldots , k\rbrace)], \end{equation*}$

where $P \sim S_r$ and $\gamma \sim \mathbb {Z}_p^\ast$ , and the probability is taken also over B’s internal randomness. By Lemma 4.10, we have

$\begin{equation*} \sum _{i = 1}^{k} x_i \ne 0 \quad \Rightarrow \quad B^{\prime }(x) = 0, \end{equation*}$

and

$\begin{equation} \mu \mathrel {\mathop :}={\mathbb {E}}[B^{\prime }(x)] \le 1/\binom{r}{k}, \end{equation}$

(42)

and if $(x,y)$ has a $(p,q,r)$ -arithmetic-distribution, then

$\begin{equation} \Pr [P^{-1}(B(P(x))) = Q^{-1}(B(Q(y)))] = \binom{r}{k} {\mathbb {E}}_{x,y} [B^{\prime }(x) B^{\prime }(y)]. \end{equation}$

(43)

Furthermore, by Claim 4.12, $B^{\prime }(x) = B^{\prime }(\gamma x)$ for all $\gamma \in \mathbb {Z}_p^\ast$ and $\widehat{B^{\prime }}(S+S^{\prime }) = \widehat{B^{\prime }}(S)$ for all S, with $S^{\prime }$ as defined in Claim 4.12.

Hence, we may apply Lemma 4.20 with

$\begin{equation*} C = O(p\log (q) /q^2), \end{equation*}$

as provided by Lemma 4.21 (notice that we assume $p \ge q$ ), to conclude that

$\begin{equation*} \text{Cov}(B^{\prime }(x), B^{\prime }(y)) \le O\left(\frac{p}{q} \mu ^2 + \frac{C}{p}\mu \right) = O\left(\frac{p}{q} \mu ^2 + \frac{\log (q)}{q^2} \mu \right). \end{equation*}$

Notice that as both $x,y$ are uniformly distributed in $\mathbb {Z}_p^r$ , we have

$\begin{equation*} {\mathbb {E}}[B^{\prime }(x) B^{\prime }(y)] = \mu ^2 + \text{Cov}(B^{\prime }(x), B^{\prime }(y)). \end{equation*}$

Combining these estimates with Equations (42) and (43), we obtain

$\begin{equation*} \Pr [P^{-1}(B(P(x))) = Q^{-1}(B(Q(x)))] \le O\left(\frac{p}{q\binom{r}{k}} + \frac{\log (q)}{q^2} \right), \end{equation*}$

completing the proof. □

Acknowledgments

The authors thank Alon Rosen and Prashant Vasudevan for helpful comments on a previous version of this article.

Footnotes

Another variant of the k-SUM problem asks, given k lists of $r/k$ numbers, find k numbers—one from each list—whose SUM is zero. The two problems are equivalent, up to $O_k(1)$ factors.

We note that variants of the k-tree algorithm were presented earlier, starting with Camion and Patarin [12], as is stipulated in Reference [36, full version].

Such a prime can clearly be found efficiently, since by a quantitative version of the prime number theorem, the number of primes between M and 2M is $\Omega (M/\log M)$ . Therefore, one may pick such a prime by random sampling and using a standard primarily test algorithm.

A Wagner’s K-Tree Algorithm

In this Appendix, we sketch the details of Wagner’s k-tree algorithm for solving the k-XOR problem and its generalization published in Reference [30]. The variant for solving k-SUM is similar. For more details, we refer the reader to the original publications [30, 36].

A.1 The 4-XOR Algorithm

We begin by describing the algorithm applied to a 4-list variant of 4-XOR. In this problem, the input consists of 4 lists $\lbrace x^{(j)}\rbrace _{j=1}^{4}$ , where each $x^{(j)} \in \lbrace 0,1\rbrace ^{2^{n/3} \times n}$ is chosen uniformly at random. The goal is to find 4 vectors, one from each list, whose XOR is $0_n$ , namely, output a 4-tuple $\lbrace i_j\rbrace _{j=1}^{4}$ , where $i_j \in [2^{n/3}]$ such that $\bigoplus _{j=1}^{4} x^{(j)}_{i_j} = 0_n$ . It is easy to see the 4-list variant is equivalent to the single-list variant (Definition 1.3) up to $O(1)$ factors in success probability and complexity.

The k-tree algorithm for $k=4$ is described below.

(1)

Sort the lists $\lbrace x^{(j)}\rbrace _{j=1}^{4}$ .

(2)

By a linear scan, find all pairs $(x^{(1)}_{i_1},x^{(2)}_{i_2})$ such that the $n/3$ most significant bits of $x^{(1)}_{i_1} \oplus x^{(2)}_{i_2}$ are zero. Store all values $x^{(1)}_{i_1} \oplus x^{(2)}_{i_2}$ in a new sorted list $y^{(1)}$ along with the corresponding pair $(x^{(1)}_{i_1},x^{(2)}_{i_2})$ .

(3)

Apply the previous step to $x^{(3)}$ and $x^{(4)}$ and build the sorted list $y^{(2)}$ .

(4)

Find a pair $(y^{(1)}_{j_1},y^{(2)}_{j_2})$ such that $y^{(1)}_{j_1} \oplus y^{(2)}_{j_2} = 0_n$ . Trace $(y^{(1)}_{j_1},y^{(2)}_{j_2})$ back to a solution to 4-XOR problem and output it.

To analyze the algorithm, note that the expected size of $y^{(1)}$ and $y^{(2)}$ is $2^{n/3}$ (as a pair $(x^{(1)}_{i_1},x^{(2)}_{i_2})$ is added to $y^{(1)}$ with probability $2^{-n/3}$ ). Therefore, the algorithm runs in expected time $\tilde{O}(2^{n/3})$ . Moreover, on average, there is a single 4-XOR solution to be found in the last step, since any 4-tuple $\lbrace x^{(j)}_{i_j}\rbrace _{j=1}^{4}$ satisfies the $4n/3$ bit constraints imposed by the algorithm with probability $2^{-4n/3}$ (and there are $2^{4n/3}$ such 4-tuples). Based on tail bounds, one can show that the algorithm succeeds with constant probability. We refer the reader to Reference [30] for a rigorous analysis.

A.2 Generalizations

We briefly summarize two important generalizations of the 4-XOR algorithm.

A.2.1 The Full k-tree Algorithm [36].

The first generalization applies to larger k that is a power of 2. The input consists of k lists, each containing $2^{n/(\log k + 1)}$ vectors of n bits. The algorithm merges the k lists in pairs in a tree-like structure with $\log k + 1$ levels. The merging maintains the property that the vectors in all $k/2^{\ell }$ lists in level $\ell \in \lbrace 0,1,\ldots ,\log k -1\rbrace$ have zero $\ell \cdot n/(\log k + 1)$ most significant bits. The final 2-list merge at level $\log k - 1$ zeroes the remaining $2n/(\log k + 1)$ bits, giving a k-XOR solution at the last level with high probability.

When k is not a power of 2, the k-XOR problem can be easily reduced to a $k^{\prime }$ -XOR problem where $k^{\prime }$ is the largest power of 2 that is smaller than k.

A.2.2 The Extended k-tree Algorithm [30].

This generalization applies when the input lists contain less than $2^{n/(\log k + 1)}$ vectors (i.e., the input is less dense) and the k-tree algorithm is not directly applicable. The extended algorithm gives a tradeoff between the size of the inputs lists and the time complexity.

Specifically, for 4-XOR, when the input lists are of size r for $2^{n/4} \le r \le 2^{n/3}$ , we change the second step to find all pairs $(x^{(1)}_{i_1},x^{(2)}_{i_2})$ such that the $4 \log r - n$ most significant bits of $x^{(1)}_{i_1} \oplus x^{(2)}_{i_2}$ are equal to $0_{4 \log r - 1}$ (we also change the third step similarly). Therefore, the expected size of $y^{(1)}$ and $y^{(2)}$ becomes $2^{n}/r^2$ , and the expected complexity of the algorithm is $\tilde{O}(2^{n}/r^2)$ . Finally, on average, there is a single 4-XOR solution to be found in the last step, since there are $4 \log r$ bit constraints imposed by the algorithm on $r^4$ 4-tuples (once again, a tail bound is required to rigorously compute the success probability).

References

[1]

Amir Abboud and Virginia Vassilevska Williams. 2014. Popular conjectures imply strong lower bounds for dynamic problems. In FOCS. IEEE Computer Society, 434–443. DOI:

Digital Library

Google Scholar

[2]

Amir Abboud, Virginia Vassilevska Williams, and Oren Weimann. 2014. Consequences of faster alignment of sequences. In ICALP(Lecture Notes in Computer Science, Vol. 8572), Javier Esparza, Pierre Fraigniaud, Thore Husfeldt, and Elias Koutsoupias (Eds.). Springer, 39–51. DOI:

Crossref

Google Scholar

[3]

Mark Yuying An. 1996. Log-concave Probability Distributions: Theory and Statistical Testing. Game Theory and Information. University Library of Munich, Germany. Retrieved from https://EconPapers.repec.org/RePEc:wpa:wuwpga:9611002

Google Scholar

[4]

Boris Aronov and Sariel Har-Peled. 2008. On approximating the depth and related problems. SIAM J. Comput. 38, 3 (2008), 899–921. DOI:

Digital Library

Google Scholar

[5]

Marshall Ball, Alon Rosen, Manuel Sabin, and Prashant Nalini Vasudevan. 2018. Proofs of work from worst-case assumptions. In CRYPTO(Lecture Notes in Computer Science, Vol. 10991), Hovav Shacham and Alexandra Boldyreva (Eds.). Springer, 789–819. DOI:

Digital Library

Google Scholar

[6]

Anja Becker, Antoine Joux, Alexander May, and Alexander Meurer. 2012. Decoding random binary linear codes in $2^{n/20}$ : How 1 + 1 = 0 improves information set decoding. In EUROCRYPT(Lecture Notes in Computer Science, Vol. 7237), David Pointcheval and Thomas Johansson (Eds.). Springer, 520–536. DOI:

Digital Library

Google Scholar

[7]

Fabrice Benhamouda, Tancrède Lepoint, Julian Loss, Michele Orrù, and Mariana Raykova. 2021. On the (in)security of ROS. In EUROCRYPT(Lecture Notes in Computer Science, Vol. 12696), Anne Canteaut and François-Xavier Standaert (Eds.). Springer, 33–53. DOI:

Digital Library

Google Scholar

[8]

Avrim Blum, Adam Kalai, and Hal Wasserman. 2003. Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 50, 4 (2003), 506–519. DOI:

Digital Library

Google Scholar

[9]

Stéphane Boucheron, Gábor Lugosi, and Pascal Massart. 2013. Concentration Inequalities—A Nonasymptotic Theory of Independence. Oxford University Press. DOI:

Crossref

Google Scholar

[10]

Charles Bouillaguet, Claire Delaplace, and Pierre-Alain Fouque. 2018. Revisiting and improving algorithms for the 3XOR problem. IACR Trans. Symmetric Cryptol. 2018, 1 (2018), 254–276. DOI:

Crossref

Google Scholar

[11]

Zvika Brakerski, Noah Stephens-Davidowitz, and Vinod Vaikuntanathan. 2021. On the hardness of average-case k-SUM. In APPROX/RANDOM(LIPIcs, Vol. 207), Mary Wootters and Laura Sanità (Eds.). Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 29:1–29:19. DOI:

Crossref

Google Scholar

[12]

Paul Camion and Jacques Patarin. 1991. The knapsack hash function proposed at Crypto’89 can be broken. In EUROCRYPT(Lecture Notes in Computer Science, Vol. 547), Donald W. Davies (Ed.). Springer, 39–53. DOI:

Crossref

Google Scholar

[13]

Akshay Degwekar, Vinod Vaikuntanathan, and Prashant Nalini Vasudevan. 2016. Fine-grained cryptography. In CRYPTO(Lecture Notes in Computer Science, Vol. 9816), Matthew Robshaw and Jonathan Katz (Eds.). Springer, 533–562. DOI:

Digital Library

Google Scholar

[14]

Itai Dinur. 2019. An algorithmic framework for the generalized birthday problem. Des. Codes Cryptogr. 87, 8 (2019), 1897–1926. DOI:

Digital Library

Google Scholar

[15]

Yevgeniy Dodis, Dmitry Khovratovich, Nicky Mouha, and Mridul Nandi. 2021. T $_5$ : Hashing five inputs with three compression calls. In ITC(LIPIcs, Vol. 199), Stefano Tessaro (Ed.). Schloss Dagstuhl - Leibniz-Zentrum für Informatik, 24:1–24:23. DOI:

Crossref

Google Scholar

[16]

Orr Dunkelman, Nathan Keller, and Adi Shamir. 2015. Slidex attacks on the Even-Mansour encryption scheme. J. Cryptol. 28, 1 (2015), 1–28. DOI:

Digital Library

Google Scholar

[17]

Paul Erdős. 1945. On a lemma of Littlewood and Offord. Bull. Amer. Math. Soc. 5, 12 (1945), 898–902.

Crossref

Google Scholar

[18]

Anka Gajentaan and Mark H. Overmars. 1995. On a class of ${O}(n^2)$ problems in computational geometry. Comput. Geom. 5 (1995), 165–185. DOI:

Digital Library

Google Scholar

[19]

Alexander Golovnev, Siyao Guo, Thibaut Horel, Sunoo Park, and Vinod Vaikuntanathan. 2020. Data structures meet cryptography: 3SUM with preprocessing. In STOC, Konstantin Makarychev, Yury Makarychev, Madhur Tulsiani, Gautam Kamath, and Julia Chuzhoy (Eds.). ACM, 294–307. DOI:

Digital Library

Google Scholar

[20]

Nick Howgrave-Graham and Antoine Joux. 2010. New generic algorithms for hard knapsacks. In EUROCRYPT(Lecture Notes in Computer Science, Vol. 6110), Henri Gilbert (Ed.). Springer, 235–256. DOI:

Digital Library

Google Scholar

[21]

Russell Impagliazzo, Leonid A. Levin, and Michael Luby. 1989. Pseudo-random generation from one-way functions (extended abstracts). In STOC, David S. Johnson (Ed.). ACM, 12–24. DOI:

Digital Library

Google Scholar

[22]

Zahra Jafargholi and Emanuele Viola. 201A6. 3SUM, 3XOR, triangles. Algorithmica 74, 1 (201A6), 326–343. DOI:

Digital Library

Google Scholar

[23]

Antoin Joux. 2009. Algorithmic Cryptanalysis. CRC Press.

Crossref

Google Scholar

[24]

Rio LaVigne, Andrea Lincoln, and Virginia Vassilevska Williams. 2019. Public-key cryptography in the fine-grained setting. In CRYPTO(Lecture Notes in Computer Science, Vol. 11694), Alexandra Boldyreva and Daniele Micciancio (Eds.). Springer, 605–635. DOI:

Digital Library

Google Scholar

[25]

Gaëtan Leurent and Ferdinand Sibleyras. 2019. Low-memory attacks against two-round even-mansour using the 3-XOR problem. In CRYPTO(Lecture Notes in Computer Science, Vol. 11693), Alexandra Boldyreva and Daniele Micciancio (Eds.). Springer, 210–235. DOI:

Digital Library

Google Scholar

[26]

John Edensor Littlewood and A. Cyril Offord. 1943. On the number of real roots of a random algebraic equation (III). Rec. Math. (Mat. Sbornik). Nouvelle Série 54, 12 (1943), 277–286.

Google Scholar

[27]

Yi Lu and Serge Vaudenay. 2004. Faster correlation attack on bluetooth keystream generator E0. In CRYPTO(Lecture Notes in Computer Science, Vol. 3152), Matthew K. Franklin (Ed.). Springer, 407–425. DOI:

Crossref

Google Scholar

[28]

Vadim Lyubashevsky. 2005. The parity problem in the presence of noise, decoding random linear codes, and the subset sum problem. In APPROX/RANDOM(Lecture Notes in Computer Science, Vol. 3624), Chandra Chekuri, Klaus Jansen, José D. P. Rolim, and Luca Trevisan (Eds.). Springer, 378–389. DOI:

Digital Library

Google Scholar

[29]

Florian Mendel, Norbert Pramstaller, Christian Rechberger, Marcin Kontak, and Janusz Szmidt. 2008. Cryptanalysis of the GOST hash function. In CRYPTO(Lecture Notes in Computer Science, Vol. 5157), David A. Wagner (Ed.). Springer, 162–178. DOI:

Digital Library

Google Scholar

[30]

Lorenz Minder and Alistair Sinclair. 2012. The extended k-tree algorithm. J. Cryptol. 25, 2 (2012), 349–382. DOI:

Digital Library

Google Scholar

[31]

Jesper Nederlof and Karol Wegrzycki. 2021. Improving Schroeppel and Shamir’s algorithm for subset sum via orthogonal vectors. In STOC, Samir Khuller and Virginia Vassilevska Williams (Eds.). ACM, 1670–1683. DOI:

Digital Library

Google Scholar

[32]

Ivica Nikolic and Yu Sasaki. 2015. Refinements of the k-tree algorithm for the generalized birthday problem. In ASIACRYPT(Lecture Notes in Computer Science, Vol. 9453), Tetsu Iwata and Jung Hee Cheon (Eds.). Springer, 683–703. DOI:

Digital Library

Google Scholar

[33]

Mihai Patrascu. 2010. Towards polynomial lower bounds for dynamic problems. In STOC, Leonard J. Schulman (Ed.). ACM, 603–610. DOI:

Digital Library

Google Scholar

[34]

Seth Pettie. 2015. Higher lower bounds from the 3sum conjecture. In Proceedings of the Fine-grained Complexity and Algorithm Design Workshop at the Simons Institute.

Google Scholar

[35]

Virginia Vasillevska-Williams. 2019. On some fine-grained questions in algorithms and complexity. In Proceedings of the International Congress of Mathematicians (ICM’19). 3447–3487.

Crossref

Google Scholar

[36]

David A. Wagner. 2002. A generalized birthday problem. In CRYPTO(Lecture Notes in Computer Science, Vol. 2442), Moti Yung (Ed.). Springer, 288–303. DOI:

Crossref

Google Scholar

[37]

Virginia Vassilevska Williams and Ryan Williams. 2013. Finding, minimizing, and counting weighted subgraphs. SIAM J. Comput. 42, 3 (2013), 831–854. DOI:

Digital Library

Google Scholar

Index Terms

Fine-grained Cryptanalysis: Tight Conditional Bounds for Dense k-SUM and k-XOR
1. Security and privacy
  1. Cryptography
    1. Cryptanalysis and other attacks
    2. Mathematical foundations of cryptography

Recommendations

Kernelization Lower Bounds Through Colors and IDs

In parameterized complexity, each problem instance comes with a parameter k, and a parameterized problem is said to admit a polynomial kernel if there are polynomial time preprocessing rules that reduce the input instance to an instance with size ...
Read More
Tight bounds for online vector bin packing
STOC '13: Proceedings of the forty-fifth annual ACM symposium on Theory of Computing

In the d-dimensional bin packing problem (VBP), one is given vectors x₁,x₂, ... ,x_n ∈ R^d and the goal is to find a partition into a minimum number of feasible sets: {1,2 ... ,n} = ∪_i^s B_i. A set B_i is feasible if ∑_{j ∈ B_i} x_j ≤ 1, where 1 denotes the all 1'...
Read More
Tight Bounds on Subexponential Time Approximation of Set Cover and Related Problems
Approximation and Online Algorithms
Abstract
We show that Set-Cover on instances with N elements cannot be approximated within $(1 - γ) ln N$ -factor in time exp( $N^{γ - δ})$ , for any $0 < γ < 1$ and any $δ > 0$ , assuming the Exponential Time Hypothesis. This essentially matches the best upper bound known by Cygan, ... $^{}$
$\overset{}{}^{}$
Read More

Comments

Information & Contributors

Information

Published In

Journal of the ACM Volume 71, Issue 3

June 2024

323 pages

ISSN:0004-5411

EISSN:1557-735X

DOI:10.1145/3613558

Editor:
Venkatesan Guruswami
University of California, Berkeley, United States

Issue’s Table of Contents

This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 June 2024

Online AM: 17 March 2024

Accepted: 23 January 2024

Revised: 18 July 2022

Received: 18 July 2022

Published in JACM Volume 71, Issue 3

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Israel Science Foundation
European Research Council
BIU Center for Research in Applied Cryptography and Cyber Security
Israel National Cyber Bureau
Israel Science Foundation

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

0
Total Citations
128
Total Downloads

Downloads (Last 12 months)128
Downloads (Last 6 weeks)93

Other Metrics

View Author Metrics

Citations

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

1 Introduction

1.1 Background

1.2 Our Results

1.3 Our Methods

1.4 Related Work

1.5 Additional Application and Open Problems

2 Notations and Conventions

3 Hardness of Dense K-XOR

3.1 Overview of the Main Reduction Lemma

3.2 The Obfuscation Algorithm

3.3 Proof of the Main Reduction Lemma

3.4 Proof of the Obfuscation Lemma

3.4.1 Proof Outline.

3.4.2 Transformation to Real-valued Functions.

3.4.3 Obfuscation Hides Everything but Aligned XORs.

3.4.4 Aligned XORs Do Not Reveal Much.

3.4.5 Wrapping up the Proof of the Obfuscation Lemma.

4 Hardness of Dense K-SUM

4.1 Reduction to Modular k-SUM and Proof of Theorem 4.1

4.2 The Obfuscation Process

4.2.1 The Obfuscation Algorithm and the Obfuscation Lemma.

4.2.2 Proof of the Main Reduction Lemma.

4.3 Proof of the Obfuscation Lemma

4.3.1 Proof Outline.

4.3.2 Transformation to Real-valued Functions.

4.3.3 Representing the Correlation in Terms of the Fourier Expansion.

4.3.4 Partitioning into 2-dimensional Subspaces.

4.3.5 Bounding \(\sum _S M_{p,q,r}(S)\) Over 2-dimensional Subspaces.

4.3.6 Wrapping up the Proof of the Obfuscation Lemma.

Acknowledgments

Footnotes

A Wagner’s K-Tree Algorithm

A.1 The 4-XOR Algorithm

A.2 Generalizations

A.2.1 The Full k-tree Algorithm [36].

A.2.2 The Extended k-tree Algorithm [30].

References

Index Terms

Recommendations

Kernelization Lower Bounds Through Colors and IDs

Tight bounds for online vector bin packing

Tight Bounds on Subexponential Time Approximation of Set Cover and Related Problems

Comments

Information

Published In

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Funding Sources

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

View options

PDF

eReader

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations