Papers by Matthias Krause
Information and Computation, 2005
OBDDs with a fixed variable ordering are used successfully as a data structure in experiments with learning heuristics based on examples. In this paper, it is shown that, for some functions, it is necessary to develop an algorithm to learn also a good OBDD variable ordering. There are functions with the following properties. They have OBDDs of linear size for optimal variable orderings. But for all but a small fraction of all variable orderings one needs large size to represent a list of randomly chosen examples. These properties are shown for simple functions like the multiplexer and the inner product.
Lecture Notes in Computer Science, 2011
We present new techniques for deriving preimage resistance bounds for block cipher based double-block-length, double-call hash functions. We give improved bounds on the preimage security of the three "classical" double-block-length, double-call, block cipher-based compression functions, these being Abreast-DM, Tandem-DM and Hirose's scheme. For Hirose's scheme, we show that an adversary must make at least 2^{2n−5} block cipher queries to achieve chance 0.5 of inverting a randomly chosen point in the range. For Abreast-DM and Tandem-DM we show that at least 2^{2n−10} queries are necessary. These bounds improve upon the previous best bounds of Ω(2^n) queries, and are optimal up to a constant factor since the compression functions in question have range of size 2^{2n}.
On the Computational Power of Boolean
Complexity of Boolean Functions, 12.03. - 17.03.2006
Dagstuhl Seminars, 2006

Strengthening the E0 Keystream Generator against Correlation Attacks and Algebraic Attacks
Stream ciphers are widely used for online-encryption of arbitrarily long data. An important class of stream ciphers are combiners with memory, with the E0 generator from the Bluetooth standard for wireless communication [2] being their most prominent example. E0 consists of 4 driving devices, a finite state machine (FSM) C with a 4 bit state, an output function f and a memory update function δ. At each clock, one keystream bit z_t is produced from the output X_t ∈ {0, 1}^4 of the driving devices and the current state C_t ∈ {0, 1}^4 of the FSM according to z_t = f(C_t, X_t), and the state of the FSM is updated to C_{t+1} := δ(C_t, X_t). So far, the best publicly known attacks against combiners with memory are correlation attacks [4] and algebraic attacks [1]. Correlation attacks exploit linear equations L(X_t, . . . , X_{t+r−1}, z_t, . . . , z_{t+r−1}) = 0 that are true with some probability 1/2 + λ with λ ≠ 0. Algebraic attacks use valid nonlinear equations of preferably low degree to describe the secret key by a system of equations. We show how to avert a special class of correlation attacks [3] that is currently the most effective against E0 and introduce a general design principle which guarantees that all valid equations have a degree not smaller than a certain lower bound. Combining these results, we construct a slightly modified version of E0 with significantly improved resistance against correlation attacks and algebraic attacks.
Separating the Eraser Turing Machine Classes L
Improved Cryptanalysis of the Self-Shrinking Generator
Lecture Notes in Computer Science, 2001
We propose a new attack on the self-shrinking generator [8]. The attack is based on a backtracking algorithm and will reconstruct the key from a short sequence of known keystream bits. We give both mathematical and empirical evidence for the effectiveness of this attack. The algorithm takes at most O(2^{0.694L}) steps, where L is the key length. Thus, our attack

Lecture Notes in Computer Science, 2001
A set F of Boolean functions is called a pseudorandom function generator (PRFG) if communicating with a randomly chosen secret function from F cannot be efficiently distinguished from communicating with a truly random function. We ask for the minimal hardware complexity of a PRFG. This question is motivated by design aspects of secure secret key cryptosystems. These should be efficient in hardware, but often are required to behave like PRFGs. By constructing efficient distinguishing schemes we show for a wide range of basic nonuniform complexity classes (including TC^0_2) that they do not contain PRFGs. On the other hand we show that the PRFG proposed by Naor and Reingold in [24] consists of TC^0_4-functions. The question whether TC^0_3-functions can form PRFGs remains an interesting open problem. We further discuss relations of our results to previous work on cryptographic limitations of learning and Natural Proofs.
Design Principles for Combiners with Memory
Lecture Notes in Computer Science, 2005

Separating ⊕L from L, NL, co-NL and AL (=P) for oblivious Turing machines of linear access time
Lecture Notes in Computer Science, 1990
We present a new lower bound argument for oblivious parity-branching programs which allows one to prove exponential lower bounds on the width if the length is restricted to be linear or at most o(n · log(n)). This solves an open problem because "Cut & Paste" arguments, which provided bounds of the same quality in the case of determinism, nondeterminism, and co-nondeterminism [AM86] [KMW89], do not work in the case of parity-acceptation. Our technique is applicable to some well-known decision problems such as the graph-accessibility-problem of directed graphs, and the word problems of free groups of finite rank. Using well-known results on the simulation of logspace-bounded Turing machines by sequences of branching programs we give at least the complete separation of the complexity classes L, NL, co-NL, ⊕L, and AL=P for oblivious Turing machines of linear access time.

Circuit Complexity
Combinational circuits, or simply circuits, are a model of the lowest level of computer hardware which is of interest from the point of view of computer science. Circuit complexity has a longer history than complexity theory. Complexity measures like circuit size and depth model sequential time, hardware cost, parallel time, and even storage space. This chapter contains an overview of the research area called complexity of boolean functions. The complexity measures of circuits are discussed and compared with other complexity measures. As an example, the design of efficient circuits is discussed for arithmetic functions. The limits of known lower-bound techniques are discussed. Exponential lower bounds can be proved for monotone circuits and some constant-depth unbounded-fan-in circuits, but even the case of threshold circuits of depth 3 is open. The frontier between solved and open problems is marked out.
Variation ranks of communication matrices and lower bounds for depth-two circuits having nearly symmetric gates with unbounded fan-in
Mathematical Systems Theory, 1995
An exponential lower bound for depth-two circuits with arbitrary nearly symmetric gates in the bottom level and with a MOD(m)-gate in the top level is proved. This solves a problem posed by Smolensky in 1990 [17]. The method uses what we call the variation rank of communication matrices. A variant of this method is used for deriving lower bounds for the size of depth-two circuits having a threshold gate at the top. This generalizes a result due to Hajnal et al. [7].
Branching programs provide lower bounds on the areas of multilective deterministic and nondeterministic VLSI-circuits
Information and Computation, 1992

Information and Computation, 1991
We present a new method for proving lower bounds on the complexity of branching programs and consider k-times-only branching programs. While exponential and nearly exponential lower bounds on the complexity of one-time-only branching programs were proved for many problems, methods for proving lower bounds for k-times-only programs (k > 1) are still missing. We prove exponential lower bounds for k-times-only branching programs which have the additional restriction that the input bits are read k times, but blockwise and in each block in the same order. This is done both for the algebraic decision problem POLY_{n,d} (n ∈ ℕ prime, d < n) whether a given mapping g: F_n → F_n is a polynomial over F_n of degree at most d, and for the corresponding monotone problem over quadratic Boolean matrices. As a consequence we obtain a sharp bound of order Θ(n · log(n)) on the communication complexity of POLY_{n,εn} (ε ∈ (0, 1)).
Information and Computation, 1991
Input oblivious decision graphs of linear length are considered. Among other concerns the computational complexity of three graph accessibility problems and the word problem of the free group are investigated. Several exponential lower bounds are proved.
Computational Complexity, 1998
We investigate the computational power of threshold AND circuits versus threshold XOR circuits. In contrast to the observation that small weight threshold AND circuits can be simulated by small weight threshold XOR circuits, we present a function with small size unbounded weight threshold AND circuits for which all threshold XOR circuits have exponentially many nodes. This answers the basic question of separating subsets of the hypercube by hypersurfaces induced by sparse real polynomials. We prove our main result by a new lower bound argument for threshold circuits. Finally we show that unbounded weight threshold gates cannot simulate alternation: There are AC^0_3-functions which need exponential size threshold AND circuits.
On computing boolean functions by sparse real polynomials
Foundations of Computer Science, 1995 …, 1995
... For proving Theorem 1 let us fix a boolean function f : {0,1}^n → {0,1} and a polynomial p of length d which realizes f with advantage ε over {0, 1}, where d, ε^{-1} ∈ ... We construct a polynomial p' of length d' realizing f with advantage δ over {1, −1}, where d' ∈ (nε^{-1})^{O(1)}. This, obviously ...
Proceedings of the twenty-sixth annual ACM …, 1994
We investigate the computational power of depth-2 circuits consisting of MOD_r gates at the bottom and a threshold gate with arbitrary weights at the top (for short, threshold-MOD_r circuits) and circuits with two levels of MOD gates (MOD_p-MOD_q circuits). In particular, we will show the following results: (i) For all prime numbers p and integers q, r, it holds that if p divides r but not q then all threshold-MOD_q circuits for MOD_r have exponentially many nodes. (ii) For all integers r, all problems computable by depth-2 {AND, OR, NOT} circuits of polynomial size have threshold-MOD_r circuits with polynomially many edges. (iii) There is a problem computable by depth 3 {AND, OR, NOT} circuits of linear size and constant bottom fan-in which for all r needs threshold-MOD_r circuits with exponentially many nodes.

Algebraic Attacks against Linear RFID Authentication Protocols
The limited computational resources available on RFID tags imply a need for specially designed authentication protocols. The lightweight authentication protocol HB^+ proposed by Juels and Weis seems currently secure for several RFID applications, but is too slow for many practical settings. As a possible alternative, authentication protocols based on choosing random elements from L secret linear n-dimensional subspaces of GF(2)^{n+k} (so called linear (n,k,L)-protocols) have been considered. We show that to a certain extent, these protocols are vulnerable to algebraic attacks. Particularly, our approach allows us to break Cichoń, Klonowski and Kutyłowski's CKK^2-protocol, a special linear (n,k,2)-protocol, for practically recommended parameters in less than a second on a standard PC. Moreover, we show that even unrestricted (n,k,L)-protocols can be efficiently broken if L is too small.

Lecture Notes in Computer Science, 2003
Recently, algebraic attacks were proposed to attack several cryptosystems, e.g. AES, LILI-128 and Toyocrypt. This paper extends the use of algebraic attacks to combiners with memory. A (k, l)-combiner consists of k parallel linear feedback shift registers (LFSRs), and the nonlinear filtering is done via a finite automaton with k input bits and l memory bits. It is shown that for (k, l)-combiners, nontrivial canceling relations of degree at most k(l+1)/2 exist. This makes algebraic attacks possible. Also, a general method is presented to check for such relations with an even lower degree. This allows one to show the invulnerability of certain (k, l)-combiners against this kind of algebraic attacks. On the other hand, this can also be used as a tool to find improved algebraic attacks. Inspired by this method, the E0 keystream generator from the Bluetooth standard is analyzed. As it turns out, a secret key can be recovered by solving a system of linear equations with 2^{23.07} unknowns. To our knowledge, this is the best published attack on the E0 keystream generator yet.