Interleaved group products
Abstract
Let $G$ be the special linear group $SL(2,q)$. We show that if $(a_1,\dots,a_t)$ and $(b_1,\dots,b_t)$ are sampled uniformly from large subsets $A$ and $B$ of $G^t$ then their interleaved product $a_1 b_1 a_2 b_2 \cdots a_t b_t$ is nearly uniform over $G$. This extends a result of the first author, which corresponds to the independent case where $A$ and $B$ are product sets. We obtain a number of other results. For example, we show that if $X$ is a probability distribution on $G^m$ such that any two coordinates are uniform in $G^2$, then a pointwise product of $s$ independent copies of $X$ is nearly uniform in $G^m$, where $s$ depends on $m$ only. Extensions to other groups are also discussed. We obtain closely related results in communication complexity, which is the setting where some of these questions were first asked by Miles and Viola. For example, suppose party $A_i$ of $k$ parties $A_1,\dots,A_k$ receives on its forehead a $t$-tuple $(a_{i1},\dots,a_{it})$ of elements from $G$. The parties are promised that the interleaved product $a_{11} \cdots a_{k1}\, a_{12} \cdots a_{k2} \cdots a_{1t} \cdots a_{kt}$ is equal either to the identity $e$ or to some other fixed element $g \in G$, and their goal is to determine which of the two the product is equal to. We show that for all fixed $k$ and all sufficiently large $t$ the communication is $\Omega(t \log |G|)$, which is tight. Even for $k=2$ the previous best lower bound was $\Omega(t)$. As an application, we establish the security of the leakage-resilient circuits studied by Miles and Viola in the "only computation leaks" model.
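The following is an added illustration, not code from the paper: it enumerates $SL(2,q)$ for a small prime $q$ by brute force, draws random dense subsets $A, B \subseteq G^t$, computes the exact distribution of the interleaved product $a_1 b_1 \cdots a_t b_t$ over all pairs, and reports its statistical distance from the uniform distribution on $G$. The restriction to prime $q$, the choice of $q=3$ and $t \le 2$ (to keep exhaustive enumeration cheap), the density parameter and the seeded sampling are all assumptions of this example, chosen only to make the "nearly uniform" statement in the abstract something one can measure on a realistic input.

```python
import itertools
import random


def sl2(q):
    """Enumerate SL(2,q) for a prime q as 2x2 matrices (a, b, c, d)
    with determinant ad - bc = 1 (mod q).  |SL(2,q)| = q(q^2 - 1)."""
    return [
        (a, b, c, d)
        for a, b, c, d in itertools.product(range(q), repeat=4)
        if (a * d - b * c) % q == 1
    ]


def mul(x, y, q):
    """Matrix product in SL(2,q)."""
    a, b, c, d = x
    e, f, g, h = y
    return ((a * e + b * g) % q, (a * f + b * h) % q,
            (c * e + d * g) % q, (c * f + d * h) % q)


IDENTITY = (1, 0, 0, 1)


def interleaved_product(a_tuple, b_tuple, q):
    """Compute a_1 b_1 a_2 b_2 ... a_t b_t for a_tuple, b_tuple in G^t."""
    r = IDENTITY
    for a, b in zip(a_tuple, b_tuple):
        r = mul(mul(r, a, q), b, q)
    return r


def product_distribution(A, B, q):
    """Exact distribution of the interleaved product when (a, b) is drawn
    uniformly from A x B (A and B are lists of t-tuples of group elements)."""
    counts = {}
    for a in A:
        for b in B:
            g = interleaved_product(a, b, q)
            counts[g] = counts.get(g, 0) + 1
    total = len(A) * len(B)
    return {g: c / total for g, c in counts.items()}


def statistical_distance(dist, group):
    """Total variation distance between dist and the uniform distribution on group."""
    u = 1.0 / len(group)
    return 0.5 * sum(abs(dist.get(g, 0.0) - u) for g in group)


def experiment(q, t, density, seed=0):
    """Sample random subsets A, B of G^t of the given density and return the
    distance of the interleaved product from uniform.  Seeded for reproducibility
    (an assumption of this example, not part of the paper)."""
    G = sl2(q)
    Gt = list(itertools.product(G, repeat=t))
    rng = random.Random(seed)
    k = max(1, int(density * len(Gt)))
    A = rng.sample(Gt, k)
    B = rng.sample(Gt, k)
    return statistical_distance(product_distribution(A, B, q), G)


if __name__ == "__main__":
    q = 3
    print(f"|SL(2,{q})| = {len(sl2(q))}")
    for t in (1, 2):
        for density in (0.25, 0.5):
            d = experiment(q, t, density)
            print(f"t={t} density={density}: distance from uniform = {d:.4f}")
```

Running it prints the group order (24 for $q=3$) and the measured distances; denser subsets and larger $t$ bring the product distribution closer to uniform, which is the qualitative content of the first result in the abstract. Taking $A = B = G^t$ gives distance exactly 0, since every group element is then hit equally often.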