1
A Unifying Approach for Proving Hardcore Predicates Using List Decoding
Adi Akavia, Shafi Goldwasser, Muli Safra
2
Hard Core Predicate
One-way function: easy to compute, but hard to invert.
P is hard core of f if predicting P implies inverting f.
Proving P hardcore of f by reduction: guessing P(x), when given f(x), for a non-negligible fraction of x's.
[Diagram: Inversion Algorithm (input f(x), output x) querying a Magic Box (input f(z), output P(z) w.p. ½ +)]
3
Examples
"One-Way" Functions:
RSA(x) = $x^e \bmod N$
Exp(x) = $g^x \bmod p$
Predicates:
$\mathrm{half}_N(x)$ = 1 iff x < N/2
Least significant bit: lsb(x) = 1 iff x is even
[BM, ACGS, GL, N, HN, FS, VV, Kali…]
4
Goldreich-Levin Predicate
GL(x.r) = $\sum_i x_i r_i$
Thm [GL]: OWF f, GL is a hard core predicate of f'(x.r) = f(x).r.
"Proof":
Hadamard code: $\mathrm{Had}_x(j)$ = GL(x,j).
Code Access: given f(x), and a magic-box predicting GL, access a w close to $\mathrm{Had}_x$.
[Diagram: Code Access (inputs f(x) and j, output $\mathrm{Had}_x(j)$ w.p. ½ + ') querying a Magic Box (input f(z).r, output GL(x.r) w.p. ½ +)]
5
Goldreich-Levin Predicate
GL(x.r) = $\sum_i x_i r_i$
Thm [GL]: OWF f, GL is a hard core predicate of f'(x.r) = f(x).r.
"Proof":
Hadamard code: $\mathrm{Had}_x(j)$ = GL(x,j).
Code Access: given f(x), and a magic-box predicting GL, access a w close to $\mathrm{Had}_x$.
List Decoding: given a word close to $\mathrm{Had}_x$, find x.
[Diagram: Inversion Algorithm (input f(x), output x) built from two stages: Code Access (queries the Magic Box with f(z).r, answers j with $\mathrm{Had}_x(j)$ w.p. ½ + ') yields w (close to $\mathrm{Had}_x$), and List Decoding turns w into x]
6
List Decoding Approach [GL,Im,Su]
Thm: If there exists a code C = {$C_x$} with
Code Access (with respect to f, P): given f(x), and a magic-box that predicts P, we can access w which is close to $C_x$
An efficient List Decoding algorithm for C (with few random queries)
Then P is hard core of f.
Proof:
[Diagram: Inversion Algorithm: Code Access turns f(x) into w, List Decoding turns w into x]
7
List Decoding Approach for Natural OWFs
List decoding approach is elegant, but is it useful? Can it be utilized to prove hardcore predicates for natural OWFs?
YES!
We use the list-decoding approach to show hardcore predicates for the natural OWFs:
Exp - half and others
RSA - half, lsb, and others
ECL - half and others
8
Main Tool – Fourier Analysis over $\mathbb{Z}_N$ (and not $\{0,1\}^n$)
Identifying functions and vectors:
$(a_1, a_2, \ldots, a_{N-1})$   $g(i) = a_i$
$g$   $(g(0), g(1), \ldots, g(N-1))$
Standard basis: $e_x = (0, \ldots, 1, \ldots, 0)$
Characters basis: Let be a primitive Nth root of unity. Then the characters basis is where
9
Concentrated Functions
Fourier representation where is the Fourier coefficient, and its weight is
Def: the restriction of g to is
Def: f is a concentrated function if >0, of poly(log(N)/) size s.t.
10
Concentrated Functions - Examples
Not Boolean!
Any character is concentrated.
half is concentrated.
Note, half is imaginary sign of 1 :
[Figure: weight plotted against characters]
11
Agreement and Concentration
Notation: -Heavy(g)={characters of weight for g}.
Prop: Let P be concentrated, and let B s.t. (P,B)≤½-, then for =poly(log N/)
-Heavy(P) -Heavy(B)
Proof:
[Figure: weight plotted against Fourier coefficients; legend: highly agrees, concentrated]
12
New Algorithm for Learning Heavy Fourier Coefficients of functions over $\mathbb{Z}_N$
Learning Heavy coefficients:
Input: query access to g, threshold
Output: -Heavy(g)
Kushilevitz & Mansour: g is over $\{0,1\}^n$
Our work: g is over $\mathbb{Z}_N$
Other Applications: Approximating concentrated functions
13
Codes & Fourier
We think of a code $C = \{C_x\} \subseteq \{1,-1\}^N$ as a collection of functions $C_x : \mathbb{Z}_N \to \{1,-1\}$ (where $C_x(j)$ is the jth entry of $C_x$) and consider their Fourier representation…
14
Concentrated Codes
Def: C is a concentrated code if every $C_x$ is a concentrated function.
Example: Binary Hadamard Code
Hadamard = $\{\mathrm{Had}_x = (-1)^{\langle x,j \rangle}\}_x$
Prop: Hadamard is concentrated.
Proof: $\mathrm{Had}_x$ = x
List Decoding:
Input: w
Output: 2-Heavy(w)
[Figure: weights of $\mathrm{Had}_x$ plotted against characters, with x marked]
15
Main Theorem
Main Thm: Let f be a function, and let $C^P = \{C_x\}$ be a code which is
(1) Concentrated,
(2) Recoverable, namely, given a character , and a threshold , one can efficiently find all x s.t. -Heavy($C_x$),
(3) with code access with respect to f and P.
Then P is hard core of f.
Proof: (1)+(2) imply that C is list decodable.
16
Concentration + Recovery ⇒ List Decodable
List decoding algorithm:
Input: w
Output:
Find -Heavy(w),
Return all y s.t. -Heavy(w) -Heavy($C_y$)
Since $C_x$ is concentrated, and w highly agrees with $C_x$, then:
-Heavy(w) -Heavy($C_x$)
17
Segment Predicates
Def: Let P be a balanced predicate. Then
P is a basic t-segment predicate if P(x+1) ≠ P(x) for at most t x's.
P is a t-segment predicate if P(x) = P'(x/a) for P' a basic t-segment predicate, and (a,N) = 1.
When t = poly(log N), we say that P is a segment predicate.
18
Examples
$\mathrm{half}_N(x)$ = 1 iff x < N/2
This is a basic 2-segment predicate.
Least significant bit: lsb(x) = 1 iff x is even
When N is odd, this is a 2-segment predicate, since lsb(x) = $\mathrm{half}_N(x/2)$.
19
Segment Predicate Theorem
Theorem (segment predicate): Let P be a segment predicate. Define a code $C^P = \{C_x\}$ by
$C_x(j) = P(jx \bmod N)$
Then, if there is code access to $C^P$ with respect to f, P, then P is hard core of f.
Proof: By the Main Theorem it suffices to show that $C^P$ is concentrated and recoverable.
20
$C^P$ is Concentrated
Claim 1: A basic t-segment predicate P is concentrated on low characters.
Proof:
P = $\sum_i I_i$ (sum of t intervals)
$I_i$ is concentrated on low characters.
[Figure: an interval I in $\mathbb{Z}_N$, and the Fourier coefficients of I plotted against characters]
21
Interval I is Concentrated on Low Characters.
Low characters – don't mix.
High characters – mix well.
22
CP is Concentrated – Cont.
Claim 2: if g(y) = f(y/a) then
Since P is a segment predicate, there is a basic segment predicate P' such that P(y) = P'(y/a).
Now, $C_x(j)$ = P(jx) = P'(jx/a), so P' concentrated implies $C_x$ concentrated.
23
$C^P$ is Recoverable
By Claims 1,2: If is a heavy character of $C_x$, then = x /a, where is a low character.
Therefore, the algorithm that returns all x such that = x /a, where is a low character is a recovery algorithm.
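A numerical check of concentration and recovery for the code $C_x(j) = P(jx \bmod N)$ with P = lsb, added here as an illustration (not code from the presentation). The names alpha (heavy character) and beta (low character), the ±1 encoding of predicates, the Fourier normalisation, and the toy values N = 101 and x = 37 are assumptions of this example, since the slides' own symbols did not survive in this transcript.

```python
import cmath

N = 101  # small odd modulus, constructed for illustration

def half(y):
    """half_N as a +1/-1 valued function (encoding assumed): +1 iff y < N/2."""
    return 1 if y % N < N / 2 else -1

def lsb(y):
    """The slides' convention: lsb(y) = 1 iff y is even; -1 otherwise here."""
    return 1 if (y % N) % 2 == 0 else -1

# ROOTS[k] = omega^(-k) for omega a primitive N-th root of unity.
ROOTS = [cmath.exp(-2j * cmath.pi * k / N) for k in range(N)]

def weights(g):
    """|g_hat(alpha)|^2, with g_hat(alpha) = (1/N) * sum_j g(j) * omega^(-alpha*j)
    (normalisation assumed; the slide's own formula did not survive)."""
    return [abs(sum(g(j) * ROOTS[alpha * j % N] for j in range(N)) / N) ** 2
            for alpha in range(N)]

def heavy(g, tau):
    """Characters of weight at least tau for g."""
    return {alpha for alpha, w in enumerate(weights(g)) if w >= tau}

def codeword(P, x):
    """C_x(j) = P(jx mod N), as in the segment predicate theorem."""
    return lambda j: P(j * x % N)

def recover(alpha, a, low):
    """All x with alpha = beta * x / a (mod N) for some low character beta."""
    return {alpha * a * pow(beta % N, -1, N) % N for beta in low}

if __name__ == "__main__":
    x = 37                                  # the "unknown" index of the codeword
    low = heavy(half, 0.1)                  # heavy characters of half: 1 and N-1
    # lsb(y) = half(y/2), so a = 2 in the recovery step.
    for alpha in sorted(heavy(codeword(lsb, x), 0.1)):
        print(alpha, sorted(recover(alpha, 2, low)))
```

Each heavy character of the codeword yields a short candidate list that contains x, which is the list the recovery algorithm hands to the list decoder.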
24
$C^P$ is concentrated, recoverable, and with access algorithm; thus, any segment predicate P is hard core of f.
25
Hard Core Segment Predicate
Corollary: Every segment predicate is hard core of RSA, Exp and ECL.
Proof: It remains to show code access for $C^P$ w.r. to RSA, Exp, ECL. Since $C_x(j)$ = P(jx), we return the answer of the magic box on "f(jx)":
RSA(jx) = $x^e j^e \bmod N$,
Exp(jx) = $(g^x)^j \bmod p$,
ECL(jx) = j (xQ),
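The code access step above for RSA and Exp, written out as an added example (not code from the presentation). The toy parameters, the function names, and the always-correct stand-in magic boxes are assumptions of this example; the box in the reduction is an arbitrary predictor that is only assumed to be right with non-negligible advantage.

```python
# Toy parameters, constructed for illustration (far too small for real use).
P_RSA, Q_RSA, E = 1009, 1013, 5
N = P_RSA * Q_RSA
D = pow(E, -1, (P_RSA - 1) * (Q_RSA - 1))   # used only to simulate the magic box
P_EXP, G = 23, 5                            # 5 generates Z_23^*, so Exp's domain is Z_22

def half(y, n):
    """half_n(y) = 1 iff y < n/2, as defined on the slides (0 otherwise here)."""
    return 1 if y % n < n / 2 else 0

def rsa(x):
    return pow(x, E, N)

def exp(x):
    return pow(G, x, P_EXP)

# Stand-ins for the hypothetical magic box. They invert f using secret
# knowledge (D, or a discrete-log table) and are therefore always right.
def rsa_box(c):
    return half(pow(c, D, N), N)

DLOG = {exp(z): z for z in range(P_EXP - 1)}

def exp_box(c):
    return half(DLOG[c], P_EXP - 1)

def rsa_code_access(fx, j, box):
    """C_x(j) = P(jx mod N) from RSA(x) alone: RSA(jx) = x^e * j^e mod N."""
    return box(fx * pow(j, E, N) % N)

def exp_code_access(fx, j, box):
    """C_x(j) = P(jx mod p-1) from Exp(x) alone: Exp(jx) = (g^x)^j mod p."""
    return box(pow(fx, j, P_EXP))

def check(x_rsa=123456, x_exp=7):
    """Compare code access against the codeword computed from the secret x."""
    ok_rsa = all(rsa_code_access(rsa(x_rsa), j, rsa_box) == half(j * x_rsa, N)
                 for j in range(1, 200))
    ok_exp = all(exp_code_access(exp(x_exp), j, exp_box) == half(j * x_exp, P_EXP - 1)
                 for j in range(P_EXP - 1))
    return ok_rsa, ok_exp

if __name__ == "__main__":
    print(check())
```

The access functions never see x: they only transform f(x) into f(jx) and forward it, so every entry of the codeword costs one magic-box query.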
26
Comments on the Code Access Algorithms
RSA: magic box is defined only for $jx \in \mathbb{Z}_N^*$. Nonetheless, $\mathbb{Z}_N \setminus \mathbb{Z}_N^*$ is negligible, thus we have good code-access.
Exp: When $g^x$ is a generator, the code-access algorithm succeeds with the same probability as the magic box.
27
Comments on Segment Predicates
lsb is not a segment predicate of Exp, since Exp's domain is $\mathbb{Z}_{p-1}$ and p-1 is even.
A natural extension of $\mathrm{half}_N$ is: $b_j(x) = \mathrm{half}_N(x/2^j)$. This is a 2-segment predicate, when N is odd.
Non-balanced segment predicates: must be non negligibly far from any constant function.
28
Comments on Codes
List decoding other concentrated recoverable codes?
Example of concentrated code which is NOT recoverable: Reed-Solomon code.
29
Comments ???
Previous works manipulate f(x) to reveal information on x (e.g. square root extraction in Exp, or division by $2^e$ in RSA).
We only need access to f(jx) ??????
30
END
31
Learning…
32
Learning Heavy Fourier Coefficients
Learning Heavy coefficients:
Input: query access to f, threshold
Output: -Heavy(f)
Motivation:
Approximating concentrated functions
Application in list decoding and hard core predicates
Related Work: Kushilevitz & Mansour
33
Binary Search
34
Multi-Target Binary Search
35
First Try
Parseval-identity
Can't query $f|_{low}$, $f|_{high}$ …
[Figure: Fourier coefficients of f, split into $\|f|_{low}\|_2^2$ and $\|f|_{high}\|_2^2$]
36
Convolution with Interval
37
Convolution with Interval
Fact:
Therefore
High characters: Let g = f -a, then
Use $\mathrm{Avg}_{g,I}$.
38
Computing Chernoff
39
Second Try
$\|\mathrm{Avg}_{f,I}\|_2^2$ is only APPROXIMATELY $\|f|_{low}\|_2^2$
[Figure: Fourier coefficients of f, with regions labelled $\|\mathrm{Avg}_{f,I}\|_2^2$ and $\|\mathrm{Avg}_{g,I}\|_2^2$]
40
Blindfolded Search
[Figure: Fourier coefficients of f, with regions labelled $\|\mathrm{Avg}_{f,I}\|_2^2$ and $\|\mathrm{Avg}_{g,I}\|_2^2$ and question marks over the coefficients]