A Unifying Approach for Proving Hardcore Predicates Using List Decoding
Adi Akavia, Shafi Goldwasser, Muli Safra

Hard Core Predicate
• One-way function: easy to compute, but hard to invert
• P is hard core of f if predicting P implies inverting f
• Proving P hard core of f by reduction: guessing P(x), when given f(x), for a non-negligible fraction of x's
[Diagram: Inversion Algorithm (f(x) in, x out) using a Magic Box (f(z) in, P(z) out w.p. ½ + )]

Examples
• "One-Way" Functions:
  • RSA(x) = x^e mod N
  • Exp(x) = g^x mod p
• Predicates:
  • half_N(x) = 1 iff x < N/2
  • Least significant bit: lsb(x) = 1 iff x is even
• [BM, ACGS, GL, N, HN, FS, VV, Kali…]

Goldreich-Levin Predicate
GL(x.r) = Σ_i x_i r_i
• Thm [GL]: OWF f, GL is a hard core predicate of f'(x.r) = f(x).r.
• "Proof":
  • Hadamard code: Had_x(j) = GL(x,j).
  • Code Access: given f(x), and a magic box predicting GL, access a w close to Had_x
  • List Decoding: given a word close to Had_x, find x
[Diagram: Inversion Algorithm made of Code Access (f(x) and the Magic Box give w close to Had_x) followed by List Decoding (w to x)]

List Decoding Approach [GL, Im, Su]
• Thm: If there exists a code C = {C_x} with
  • Code Access (with respect to f, P): given f(x), and a magic box that predicts P, we can access w which is close to C_x
  • An efficient List Decoding algorithm for C (with few random queries)
  then P is hard core of f
• Proof: [Diagram: Inversion Algorithm: f(x), Code Access, w, List Decoding, x]

List Decoding Approach for Natural OWFs
• The list decoding approach is elegant, but is it useful?
• Can it be utilized to prove hardcore predicates for natural OWFs?
• YES! We use the list-decoding approach to show hardcore predicates for the natural OWFs:
  • Exp - half and others
  • RSA - half, lsb, and others
  • ECL - half and others

Main Tool – Fourier Analysis over Z_N (and not {0,1}^n)
• Identifying functions and vectors
  • (a_1, a_2, …, a_{N-1}) g(i) = a_i
  • g (g(0), g(1), …, g(N-1))
• Standard basis: e_x = (0,…,1,…,0)
• Characters basis:
  • Let be a primitive Nth root of unity.
  • Then the characters basis is where

Concentrated Functions
• Fourier representation where is the Fourier coefficient, and its weight is
• Def: the restriction of g to is
• Def: f is a concentrated function if >0, of poly(log(N)/) size s.t.

Concentrated Functions - Examples
• Any character is concentrated. Not Boolean!
• half is concentrated. Note, half is imaginary sign of 1 :
[Figure: weight of half on the characters …-5 -3 -1 1 3 5…]

Agreement and Concentration
• Notation: -Heavy(g) = {characters of weight for g}.
• Prop: Let P be concentrated, and let B s.t. (P,B)≤½-, then for =poly(log N/)-Heavy(P) -Heavy(B)
• Proof: [Figure: weight of the Fourier coefficients. Legend: concentrated, highly agrees]

New Algorithm for Learning Heavy Fourier Coefficients of functions over Z_N
• Learning Heavy coefficients:
  • Input: query access to g, threshold
  • Output: -Heavy(g)
• Kushilevitz & Mansour: g is over {0,1}^n
• Our work: g is over Z_N
• Other Applications: Approximating concentrated functions

Codes & Fourier
• We think of a code C = {C_x} ⊆ {1,-1}^N as a collection of functions C_x: Z_N → {1,-1} (where C_x(j) is the jth entry of C_x) and consider their Fourier representation…

Concentrated Codes
• Def: C is a concentrated code if every C_x is a concentrated function
• Example: Binary Hadamard Code: Hadamard = {Had_x = (-1)^<x,j>}_x
• Prop: Hadamard is concentrated
• Proof: Had_x = x
• List Decoding: Input: w. Output: 2-Heavy(w)
[Figure: weights of Had_x over the characters, marked at x]

Main Theorem
• Main Thm: Let f be a function, and let CP = {C_x} be a code which is
  (1) Concentrated,
  (2) Recoverable, namely, given a character , and a threshold , one can efficiently find all x s.t. -Heavy(C_x),
  (3) with code access with respect to f and P.
  Then P is hard core of f.
• Proof: (1)+(2) imply that C is list decodable.

Segment Predicates
• Def: Let P be a balanced predicate. Then
  • P is a basic t-segment predicate if P(x+1) ≠ P(x) for at most t x's.
  • P is a t-segment predicate if P(x) = P'(x/a) for P' a basic t-segment predicate, and (a,N) = 1.
• When t = poly(log N), we say that P is a segment predicate.

Examples
• half_N(x) = 1 iff x < N/2: this is a basic 2-segment predicate
• Least significant bit: lsb(x) = 1 iff x is even. When N is odd, this is a 2-segment predicate, since lsb(x) = half_N(x/2)

Segment Predicate Theorem
• Theorem (segment predicate): Let P be a segment predicate. Define a code CP = {C_x} by C_x(j) = P(jx mod N). Then, if there is code access to CP with respect to f, P, then P is hard core of f.
• Proof: By the Main Theorem it suffices to show that CP is concentrated and recoverable.

CP is Concentrated
• Claim 1: A basic t-segment predicate P is concentrated on low characters.
• Proof:
  • P = Σ_i I_i (sum of t intervals)
  • I_i is concentrated on low characters.
[Figure: Fourier coefficients of I over the characters of Z_N]

CP is Concentrated – Cont.
• Claim 2: if g(y) = f(y/a) then
• Since P is a segment predicate, there is a basic segment predicate P' such that P(y) = P'(y/a)
• Now, C_x(j) = P(jx) = P'(jx/a), so P' concentrated implies C_x concentrated.

CP is Recoverable
• By Claims 1, 2: If is a heavy character of C_x, then = x /a, where is a low character.
• Therefore, the algorithm that returns all x such that = x /a, where is a low character is a recovery algorithm.

CP is concentrated, recoverable, and has a code access algorithm; thus, any segment predicate P is hard core of f.

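
An added example (not from the slides) of the list-decoding step for C_x(j) = P(jx mod N) with P = half_N: it finds the heavy characters of a noisy word and recovers x from them. Assumptions: a toy modulus N = 1009, the ±1 encoding of half_N, characters chi_b(j) = omega^(bj) with omega = e^(2*pi*i/N), a = 1, low characters ±1 and ±3, random bit flips as the noise, and a brute-force DFT in place of the query-efficient learning algorithm the slides describe.

```python
import cmath
import random

N = 1009  # constructed toy modulus (odd); an assumption of this example

def half_pm(y):
    """half_N in +/-1 form: +1 iff y < N/2."""
    return 1 if y < N / 2 else -1

def codeword(x):
    """C_x(j) = P(j*x mod N) with P = half_N."""
    return [half_pm(j * x % N) for j in range(N)]

def fourier_weights(w):
    """|w_hat(b)|^2 for all b, where w_hat(b) = (1/N) * sum_j w[j] * omega^(-b*j)."""
    roots = [cmath.exp(-2j * cmath.pi * k / N) for k in range(N)]
    return [abs(sum(w[j] * roots[b * j % N] for j in range(N)) / N) ** 2
            for b in range(N)]

def heavy(w, tau):
    """tau-Heavy(w): the characters whose weight is at least tau."""
    return {b for b, wt in enumerate(fourier_weights(w)) if wt >= tau}

def recover(betas, low=(1, -1, 3, -3)):
    """All x with beta = alpha * x for some low character alpha (a = 1 here)."""
    return {b * pow(al % N, -1, N) % N for b in betas for al in low}

def noisy(w, p, seed=1):
    """Flip each entry with probability p (stand-in for an imperfect magic box)."""
    rng = random.Random(seed)
    return [-v if rng.random() < p else v for v in w]

def list_decode(w, tau):
    """Candidate list for x, given a word w close to C_x."""
    return recover(heavy(w, tau))

if __name__ == "__main__":
    x = 123                                   # constructed secret
    print(sorted(heavy(codeword(x), 0.3)))    # heavy characters of C_x itself
    print(sorted(list_decode(noisy(codeword(x), 0.25), 0.04)))
```

In the full reduction each candidate would then be checked against the given f(x).
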
Hard Core Segment Predicate
• Corollary: Every segment predicate is hard core of RSA, Exp and ECL.
• Proof: It remains to show code access for CP w.r.t. RSA, Exp, ECL. Since C_x(j) = P(jx), we return the answer of the magic box on "f(jx)":
  • RSA(jx) = x^e j^e mod N,
  • Exp(jx) = (g^x)^j mod p,
  • ECL(jx) = j (xQ),

Comments on the Code Access Algorithms
• RSA: magic box is defined only for jx ∈ Z_N*. Nonetheless, Z_N \ Z_N* is negligible, thus we have good code-access.
• Exp: When g^x is a generator, the code-access algorithm succeeds with same probability as the magic box.

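
An added example (not from the slides) of RSA code access: from y = RSA(x) alone it forms RSA(jx) = x^e j^e mod N, asks a simulated magic box, and counts agreement with C_x(j) = P(jx mod N); it also checks lsb(x) = half_N(x/2) for odd N. The toy modulus N = 61·53, e = 17, the secret x, and the box (which decrypts internally and errs on a fixed set of ciphertexts) are constructed for illustration.

```python
# Constructed toy RSA parameters (assumptions of this example).
P_, Q_, E = 61, 53, 17
N = P_ * Q_
D = pow(E, -1, (P_ - 1) * (Q_ - 1))  # used only inside the simulated box
INV2 = pow(2, -1, N)                  # 1/2 mod N exists because N is odd

def rsa(x):
    return pow(x, E, N)

def half(x):
    return 1 if x < N / 2 else 0

def lsb(x):
    return 1 if x % 2 == 0 else 0     # the slides' convention: 1 iff x is even

def magic_box(pred, wrong):
    """Simulated predictor of pred(z) from RSA(z); it errs wherever wrong(c) holds.
    Unlike the box in the slides, this one answers on all of Z_N."""
    def box(c):
        return pred(pow(c, D, N)) ^ (1 if wrong(c) else 0)
    return box

def code_access(y, j, box):
    """Entry j of the word w, using only y = RSA(x): RSA(jx) = x^e * j^e mod N."""
    return box(y * pow(j, E, N) % N)

def agreement(x, pred, box):
    """Number of positions j where w(j) equals C_x(j) = pred(j*x mod N)."""
    y = rsa(x)  # the only value derived from x that code_access sees
    return sum(code_access(y, j, box) == pred(j * x % N) for j in range(N))

if __name__ == "__main__":
    x = 1234                                         # constructed secret
    box = magic_box(lsb, lambda c: c % 4 == 0)       # wrong on 1/4 of inputs
    print(agreement(x, lsb, box) / N)                # fraction of agreement
```
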
Comments on Segment Predicates
• lsb is not a segment predicate of Exp, since Exp's domain is Z_{p-1} and p-1 is even.
• A natural extension of half_N is: b_j(x) = half_N(x/2^j). This is a 2-segment predicate, when N is odd.
• Non-balanced segment predicates: must be non-negligibly far from any constant function.

Comments on Codes
• List decoding other concentrated recoverable codes?
• Example of a concentrated code which is NOT recoverable: Reed-Solomon code.

Learning Heavy Fourier Coefficients
• Learning Heavy coefficients:
  • Input: query access to f, threshold
  • Output: -Heavy(f)
• Motivation:
  • Approximating concentrated functions
  • Application in list decoding and hard core predicates
• Related Work: Kushilevitz & Mansour

First Try
• Parseval identity: ||f|low||_2^2, ||f|high||_2^2
• Can't query f|low, f|high …
[Figure: Fourier coefficients of f]

Convolution with Interval
• Interval:
• Convolution:
• Convolution with Interval:

Convolution with Interval
• Fact:
• Therefore
• High characters:
  • Let g = f -a, then
  • Use Avg_{g,I}.

Computing Chernoff
Second Try
• ||Avg_{f,I}||_2^2 is only APPROXIMATELY ||f|low||_2^2
[Figure: Fourier coefficients of f, with ||Avg_{f,I}||_2^2 and ||Avg_{g,I}||_2^2]

Blindfolded Search
[Figure: Fourier coefficients of f, with ||Avg_{f,I}||_2^2, ||Avg_{g,I}||_2^2 and unknown regions marked "?"]