Adi Akavia Shafi Goldwasser Muli Safra

Presentation transcript:

A Unifying Approach for Proving Hardcore Predicates Using List Decoding
Adi Akavia, Shafi Goldwasser, Muli Safra

Hard Core Predicate
One-way function: easy to compute, but hard to invert.
P is hard core of f if predicting P implies inverting f.
Predicting P: guessing P(x), when given f(x).
Proving P hardcore of f by reduction: an inversion algorithm for a non-negligible fraction of x’s.
[Diagram: Inversion Algorithm: f(x) → x. It queries the Magic Box on f(z), which returns P(z) w.p. ½ +]

Examples
“One-Way” Functions: RSA(x) = x^e mod N; Exp(x) = g^x mod p.
Predicates: half_N(x) = 1 iff x < N/2; least significant bit: lsb(x) = 1 iff x is even.
[BM, ACGS, GL, N, HN, FS, VV, Kali…]

Goldreich-Levin Predicate
GL(x.r) = Σ_i x_i r_i
Thm [GL]: For any OWF f, GL is a hard core predicate of f’(x.r) = f(x).r.
“Proof”: Hadamard code Had_x(j) = GL(x,j).
Code Access: given f(x), and a magic box predicting GL, access a w close to Had_x.
List Decoding: given a word close to Had_x, find x.
[Diagram: Inversion Algorithm: f(x) → Code Access → w (close to Had_x) → List Decoding → x. Code Access answers a query j with Had_x(j) w.p. ½ + ’ by querying the Magic Box on f(z).r, which returns GL(x.r) w.p. ½ +]

List Decoding Approach [GL, Im, Su]
Thm: If there exists a code C = {C_x} with
Code Access (with respect to f, P): given f(x), and a magic box that predicts P, we can access w which is close to C_x,
an efficient List Decoding algorithm for C (with few random queries),
then P is hard core of f.
Proof: [Diagram: Inversion Algorithm: f(x) → Code Access → w → List Decoding → x]

List Decoding Approach for Natural OWFs
The list decoding approach is elegant, but is it useful? Can it be utilized to prove hardcore predicates for natural OWFs?
YES! We use the list-decoding approach to show hardcore predicates for the natural OWFs:
Exp - half and others
RSA - half, lsb, and others
ECL - half and others

Main Tool – Fourier Analysis over Z_N (and not {0,1}^n)
Identifying functions and vectors: (a_1, a_2, …, a_{N-1})  g(i) = a_i; g  (g(0), g(1), …, g(N-1)).
Standard basis: e_x = (0, …, 1, …, 0).
Characters basis: Let  be a primitive N-th root of unity. Then the characters basis is where

Concentrated Functions
Fourier representation where is the Fourier coefficient, and its weight is
Def: the restriction of g to  is
Def: f is a concentrated function if >0,  of poly(log(N)/) size s.t.

Concentrated Functions - Examples
Any character  is concentrated. (Not Boolean!)
half is concentrated. Note, half is imaginary sign of 1 :
[Figure: weight of half on the characters …, -5, -3, -1, 1, 3, 5, …]

Agreement and Concentration
Notation: -Heavy(g) = {characters of weight for g}.
Prop: Let P be concentrated, and let B s.t. (P,B) ≤ ½ - , then for  = poly(log N/) -Heavy(P)  -Heavy(B)  
Proof: [Figure. Legend: highly agrees; concentrated weight; Fourier coefficients]

New Algorithm for Learning Heavy Fourier Coefficients of functions over Z_N
Learning Heavy coefficients:
Input: query access to g, threshold 
Output: -Heavy(g)
Kushilevitz & Mansour: g is over {0,1}^n
Our work: g is over Z_N
Other Applications: Approximating concentrated functions

Codes & Fourier
We think of a code C = {C_x} ⊆ {1,-1}^N as a collection of functions C_x: Z_N → {1,-1} (where C_x(j) is the j-th entry of C_x) and consider their Fourier representation…

Concentrated Codes
Def: C is a concentrated code if every C_x is a concentrated function.
Example: Binary Hadamard Code. Hadamard = {Had_x = (-1)^<x,j>}_x
Prop: Hadamard is concentrated.
Proof: Had_x = x
List Decoding: Input: w. Output: 2-Heavy(w)
[Figure: weights of Had_x over the characters]

Main Theorem
Main Thm: Let f be a function, and let C^P = {C_x} be a code which is
(1) Concentrated,
(2) Recoverable, namely, given a character , and a threshold , one can efficiently find all x s.t. -Heavy(C_x),
(3) with code access with respect to f and P.
Then P is hard core of f.
Proof: (1)+(2) imply that C is list decodable.

Concentration + Recovery ⇒ List Decodable
List decoding algorithm:
Input: w
Output: Find -Heavy(w), Return all y s.t. -Heavy(w)  -Heavy(C_y)  
Since C_x is concentrated, and w highly agrees with C_x, then: -Heavy(w)  -Heavy(C_x)  

Segment Predicates
Def: Let P be a balanced predicate. Then
P is a basic t-segment predicate if P(x+1) ≠ P(x) for at most t x's.
P is a t-segment predicate if P(x) = P'(x/a) for P' a basic t-segment predicate, and (a,N) = 1.
When t = poly(log N), we say that P is a segment predicate.

Examples
half_N(x) = 1 iff x < N/2: this is a basic 2-segment predicate.
Least significant bit: lsb(x) = 1 iff x is even. When N is odd, this is a 2-segment predicate, since lsb(x) = half_N(x/2).

Segment Predicate Theorem
Theorem (segment predicate): Let P be a segment predicate. Define a code C^P = {C_x} by C_x(j) = P(jx mod N). Then, if there is code access to C^P with respect to f, P, then P is hard core of f.
Proof: By the Main Theorem it suffices to show that C^P is concentrated and recoverable.

C^P is Concentrated
Claim 1: A basic t-segment predicate P is concentrated on low characters.
Proof: P = Σ_i I_i (sum of t intervals). I_i is concentrated on low characters.
[Figure: an interval I in Z_N, and the Fourier coefficients of I over the characters]

Interval I is Concentrated on Low Characters.
Low characters – don’t mix. High characters – mix well.

C^P is Concentrated – Cont.
Claim 2: if g(y) = f(y/a) then
Since P is a segment predicate, there is a basic segment predicate P’ such that P(y) = P’(y/a).
Now, C_x(j) = P(jx) = P’(jx/a), so P’ concentrated implies C_x concentrated.

C^P is Recoverable
By Claims 1, 2: If  is a heavy character of C_x, then  = x /a, where  is a low character.
Therefore, the algorithm that returns all x such that  = x /a, where  is a low character is a recovery algorithm.

C^P is concentrated, recoverable, and has an access algorithm; thus, any segment predicate P is hard core of f.

Hard Core Segment Predicate
Corollary: Every segment predicate is hard core of RSA, Exp and ECL.
Proof: It remains to show code access for C^P w.r.t. RSA, Exp, ECL. Since C_x(j) = P(jx), we return the answer of the magic box on “f(jx)”:
RSA(jx) = x^e j^e mod N,
Exp(jx) = (g^x)^j mod p,
ECL(jx) = j(xQ).
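The whole reduction for RSA and half_N on toy numbers, as an added example that is not from the original slides: code access turns f(x) and a magic box into a corrupted codeword of C_x, its heavy characters are found, and recovery divides them by low characters. The modulus N = 253, e = 3, the simulated magic box (wrong on 20 inputs), the threshold 0.18 and the brute-force Fourier transform, which stands in for the learning algorithm with few queries, are assumptions made for the illustration.

```python
import cmath
import random
from math import gcd

# Constructed toy parameters (assumptions, far too small for real RSA).
N, E = 11 * 23, 3                  # gcd(E, phi(N)) = gcd(3, 220) = 1

def rsa(x):                        # f(x) = x^e mod N
    return pow(x, E, N)

def half(z):                       # half_N as a +/-1 value: 1 iff z < N/2
    return 1 if z < N / 2 else -1

# Simulated magic box: it is handed only f(z) and answers half_N(z), wrongly
# on 20 fixed inputs. The lookup table stands in for a hypothetical predictor.
_PREIMAGE = {rsa(z): z for z in range(N)}
_WRONG = set(random.Random(1).sample(range(N), 20))

def magic_box(y):
    z = _PREIMAGE[y]
    return -half(z) if z in _WRONG else half(z)

def code_access(y):
    """Word w close to C_x, C_x(j) = P(jx), built from y = f(x) alone:
    f(jx) = x^e * j^e mod N is computable without knowing x."""
    return [magic_box(y * pow(j, E, N) % N) for j in range(N)]

def heavy_characters(w, tau):
    """All alpha with Fourier weight |w^(alpha)|^2 >= tau (brute force over Z_N)."""
    heavy = set()
    for a in range(N):
        c = sum(w[j] * cmath.exp(-2j * cmath.pi * a * j / N) for j in range(N)) / N
        if abs(c) ** 2 >= tau:
            heavy.add(a)
    return heavy

def invert(y, tau=0.18, low=3):
    """List-decode w, then keep the candidates x = alpha / beta with f(x) = y."""
    betas = [b % N for b in range(-low, low + 1) if b and gcd(b, N) == 1]
    found = set()
    for alpha in heavy_characters(code_access(y), tau):
        for beta in betas:                     # beta ranges over low characters
            x = alpha * pow(beta, -1, N) % N   # recovery: alpha = x * beta
            if rsa(x) == y:
                found.add(x)
    return found
```

For half_N the heaviest characters of C_x are x and N - x (low character ±1, a = 1), which is why dividing a heavy character by a low one returns x.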

Comments on the Code Access Algorithms
RSA: the magic box is defined only for jx ∈ Z_N^*. Nonetheless, Z_N \ Z_N^* is negligible, thus we have good code access.
Exp: When g^x is a generator, the code-access algorithm succeeds with the same probability as the magic box.

Comments on Segment Predicates
lsb is not a segment predicate of Exp, since Exp’s domain is Z_{p-1} and p-1 is even.
A natural extension of half_N is: b_j(x) = half_N(x/2^j). This is a 2-segment predicate, when N is odd.
Non-balanced segment predicates: must be non-negligibly far from any constant function.

Comments on Codes
List decoding other concentrated recoverable codes?
Example of a concentrated code which is NOT recoverable: Reed-Solomon code.

Comments ???
Previous works manipulate f(x) to reveal information on x (e.g. square root extraction in Exp, or division by 2^e in RSA). We only need access to f(jx) ??????

END

Learning…

Learning Heavy Fourier Coefficients
Learning Heavy coefficients:
Input: query access to f, threshold 
Output: -Heavy(f)
Motivation: Approximating concentrated functions. Application in list decoding and hard core predicates.
Related Work: Kushilevitz & Mansour

Binary Search

Multi-Target Binary Search

First Try
Parseval identity: ||f|low||_2^2, ||f|high||_2^2
Can’t query f|low, f|high …
[Figure: Fourier coefficients of f]

Convolution with Interval

Convolution with Interval
Fact: Therefore
High characters: Let g = f -a, then
Use Avg_{g,I}.

Computing Chernoff

Second Try
||Avg_{f,I}||_2^2 is only APPROXIMATELY ||f|low||_2^2
[Figure: Fourier coefficients of f, with ||Avg_{f,I}||_2^2 and ||Avg_{g,I}||_2^2]

Blindfolded Search
[Figure: Fourier coefficients of f, with ||Avg_{f,I}||_2^2 and ||Avg_{g,I}||_2^2; ? ? ?]