A Unifying Approach for Proving Hardcore Predicates Using List Decoding
DESCRIPTION
A Unifying Approach for Proving Hardcore Predicates Using List Decoding. Adi Akavia, Shafi Goldwasser, Muli Safra. Hard Core Predicate. One-way function: easy to compute, but hard to invert. P is hard core of f if predicting P implies inverting f.
TRANSCRIPT
1
A Unifying Approach for Proving Hardcore Predicates Using List Decoding
Adi Akavia, Shafi Goldwasser, Muli Safra
2
Hard Core Predicate
One-way function: easy to compute, but hard to invert
P is hard core of f if predicting P implies inverting f
Proving P hardcore of f by reduction:
[Diagram: Magic Box (guessing P(x), when given f(x)): f(z) → P(z) w.p ½ + ; Inversion Algorithm: f(x) → x for non-neg fraction of x's]
3
Examples
"One-Way" Functions: RSA(x) = x^e mod N, Exp(x) = g^x mod p
Predicates: half_N(x) = 1 iff x < N/2
Least significant bit: lsb(x) = 1 iff x is even
[BM, ACGS, GL, N, HN, FS, VV, Kali…]
[Figures: two segments from 0 to N]
4
Goldreich-Levin Predicate
GL(x.r) = Σ_i x_i r_i
Thm [GL]: OWF f, GL is a hard core predicate of f'(x.r) = f(x).r.
"Proof":
Hadamard code: Had_x(j) = GL(x,j).
Code Access: given f(x), and a magic-box predicting GL, access a w close to Had_x
[Diagram: Magic Box: f(z).r → GL(x.r) w.p ½ + , given f(x); Code Access: j → Had_x(j) w.p ½ + ’]
5
Goldreich-Levin Predicate
GL(x.r) = Σ_i x_i r_i
Thm [GL]: OWF f, GL is a hard core predicate of f'(x.r) = f(x).r.
"Proof":
Hadamard code: Had_x(j) = GL(x,j).
Code Access: given f(x), and a magic-box predicting GL, access a w close to Had_x
List Decoding: given a word close to Had_x, find x
[Diagram: Magic Box: f(z).r → GL(x.r) w.p ½ + , given f(x); Code Access: j → Had_x(j) w.p ½ + ’; Inversion Algorithm: f(x) → Code Access → w (close to Had_x) → List Decoding → x]
6
List Decoding Approach [GL,Im,Su]
Thm: If there exists a code C = {C_x} with
Code Access (with respect to f,P): Given f(x), and a magic-box that predicts P, we can access w which is close to C_x
An efficient List Decoding algorithm for C (with few random queries)
Then P is hard core of f
Proof:
[Diagram: Inversion Algorithm: f(x) → Code Access → w → List Decoding → x]
7
List Decoding Approach for Natural OWFs
List decoding approach is elegant, but is it useful?
Can it be utilized to prove hardcore predicates for natural OWFs?
YES! We use the list-decoding approach to show hardcore predicates for the natural OWFs:
Exp - half and others
RSA - half, lsb, and others
ECL - half and others
8
Main Tool – Fourier Analysis over Z_N
(and not {0,1}^n)
Identifying functions and vectors: (a_1, a_2, …, a_{N-1}), g(i) = a_i
g, (g(0), g(1), …, g(N-1))
Standard basis: e_x = (0,…,1,…,0)
Characters basis: Let be a primitive N-th root of unity. Then the characters basis is
where
[Figure: points labelled 0, 1, …, 7]
9
Concentrated Functions
Fourier representation where is the Fourier coefficient, and its weight is
Def: the restriction of g to is
Def: f is a concentrated function if >0, of poly(log(N)/ ) size s.t.
g g( )
g( ) g,
|g g( )
2
| 2g g
2g( )
10
Concentrated Functions - Examples
Any character is concentrated.
half is concentrated.
Note, half is imaginary sign of 1:
Not Boolean!
[Figure: + and - signs on points labelled 0, 1, …, 7; plot of weight against characters …-5 -3 -1 1 3 5…]
11
Agreement and Concentration
Notation: -Heavy(g) = {characters of weight for g}.
Prop: Let P be concentrated, and let B s.t. (P,B) ≤ ½ - , then for = poly(log N/ )
-Heavy(P) -Heavy(B)
Proof:
[Figure: Fourier coefficients by weight. Legend: highly agrees, Concentrated]
12
New Algorithm for Learning Heavy Fourier Coefficients of functions over Z_N
Learning Heavy coefficients:
Input: query access to g, threshold
Output: -Heavy(g)
Kushilevitz & Mansour: g is over {0,1}^n
Our work: g is over Z_N
Other Applications: Approximating concentrated functions
13
Codes & Fourier
We think of a code C = {C_x} ⊆ {1,-1}^N as a collection of functions C_x: Z_N → {1,-1} (where C_x(j) is the j-th entry of C_x) and consider their Fourier representation…
14
Concentrated Codes
Def: C is a concentrated code if every C_x is a concentrated function
Example: Binary Hadamard Code
Hadamard = {Had_x = (-1)^<x,j>}_x
Prop: Hadamard is concentrated
Proof: Had_x = _x
List Decoding: Input: w. Output: ^2-Heavy(w)
[Figure: Weights of Had_x over the characters, with x marked]
15
Main Theorem
Main Thm: Let f be a function, and let C^P = {C_x} be a code which is
1. Concentrated,
2. Recoverable, namely, given a character , and a threshold , one can efficiently find all x s.t. -Heavy(C_x),
3. with code access with respect to f and P.
Then P is hard core of f.
Proof: (1)+(2) imply that C is list decodable.
17
Segment Predicates
Def: Let P be a balanced predicate. Then P is a basic t-segment predicate if P(x+1) ≠ P(x) for at most t x's.
P is a t-segment predicate if P(x) = P'(x/a) for P' a basic t-segment predicate, and (a,N) = 1.
When t = poly(log N), we say that P is a segment predicate.
[Figure: segment from 0 to N]
18
Examples
half_N(x) = 1 iff x < N/2
this is a basic 2-segment predicate
Least significant bit: lsb(x) = 1 iff x is even
When N is odd, this is a 2-segment predicate, since lsb(x) = half_N(x/2)
[Figures: two segments from 0 to N]
19
Segment Predicate Theorem
Theorem (segment predicate): Let P be a segment predicate. Define a code C^P = {C_x} by
C_x(j) = P(jx mod N)
Then, if there is code access to C^P with respect to f, P, then P is hard core of f.
Proof: By Main Theorem it suffices to show that C^P is concentrated and recoverable.
20
C^P is Concentrated
Claim 1: A basic t-segment predicate P is concentrated on low characters.
Proof:
P = Σ_i I_i (sum of t intervals)
I_i is concentrated on low characters.
[Figure: an interval I on Z_N (0 to N) and the Fourier coefficients of I over the characters]
22
C^P is Concentrated – Cont.
Claim 2: if g(y) = f(y/a) then g( ) f( a)
Since P is a segment predicate, there is a basic segment predicate P' such that P(y) = P'(y/a)
Now, C_x(j) = P(jx) = P'(jx/a), so P' concentrated implies C_x concentrated.
23
C^P is Recoverable
By Claims 1,2: If is a heavy character of C_x, then = x /a, where is a low character.
Therefore, the algorithm that returns all x such that = x /a, where is a low character is a recovery algorithm.
24
C^P is concentrated, recoverable, and with access algorithm, thus, any segment predicate P is hard core of f.
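Added example, not code from the presentation: concentration and recovery for the code C_x(j) = half_N(jx mod N) with a = 1, using a brute-force DFT in place of the efficient learning algorithm from the talk. The modulus N = 503, the Fourier normalization, the thresholds, and the names alpha (heavy character) and beta (low character) are assumptions made for this sketch.

```python
import cmath
import random

N = 503  # constructed small prime modulus, so every nonzero x is invertible

def half(y):
    """half_N as a +1/-1 valued function on Z_N."""
    return 1 if y < N / 2 else -1

def codeword(x):
    """C_x(j) = P(jx mod N) with P = half_N."""
    return [half(j * x % N) for j in range(N)]

ROOTS = [cmath.exp(2j * cmath.pi * k / N) for k in range(N)]  # omega^k

def weights(w):
    """Weight |w^(alpha)|^2 of every character alpha, by brute-force DFT.
    Assumed normalization: w^(alpha) = (1/N) * sum_j w(j) * omega^(-alpha*j)."""
    return [abs(sum(w[j] * ROOTS[-alpha * j % N] for j in range(N)) / N) ** 2
            for alpha in range(N)]

def heavy(w, tau):
    """Characters of weight at least tau for w."""
    return [alpha for alpha, wt in enumerate(weights(w)) if wt >= tau]

def recover(w, tau, low=3):
    """Candidate list: all x = alpha / beta mod N for heavy alpha, low beta != 0."""
    betas = [b for b in range(-low, low + 1) if b != 0]
    return sorted({alpha * pow(b % N, -1, N) % N
                   for alpha in heavy(w, tau) if alpha != 0 for b in betas})

def noisy(word, flip_prob, rng):
    """Corrupt a codeword by flipping each entry independently."""
    return [-c if rng.random() < flip_prob else c for c in word]
```

For the clean codeword the only characters above weight 0.3 are x and N - x; with 20% of the entries flipped the same two characters stay above 0.05, so the true x remains in the short candidate list.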
25
Hard Core Segment Predicate
Corollary: Every segment predicate is hard core of RSA, Exp and ECL.
Proof: It remains to show code access for C^P w.r. to RSA, Exp, ECL. Since C_x(j) = P(jx), we return the answer of the magic box on "f(jx)":
RSA(jx) = x^e j^e mod N,
Exp(jx) = (g^x)^j mod p,
ECL(jx) = j (xQ),
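Added example, not code from the presentation: code access for RSA with P = half_N, computing RSA(jx) from RSA(x) alone and forwarding it to the magic box. The toy primes, the exponent and the simulated magic box (which uses the private exponent only to play the role of the predictor) are constructed assumptions.

```python
import random

# Constructed toy RSA parameters, far too small for real use.
P_, Q_, E = 1009, 1013, 17
N = P_ * Q_
D = pow(E, -1, (P_ - 1) * (Q_ - 1))  # used only to simulate the magic box

def rsa(x):
    return pow(x, E, N)

def half(x):
    """half_N(x) = 1 iff x < N/2."""
    return 1 if x < N / 2 else 0

def make_magic_box(advantage, rng):
    """Simulated predictor: on input f(z) answers half_N(z) w.p. 1/2 + advantage."""
    def box(fz):
        truth = half(pow(fz, D, N))  # the simulation decrypts; the reduction never does
        return truth if rng.random() < 0.5 + advantage else 1 - truth
    return box

def code_access(fx, j, box):
    """Entry j of a word w close to C_x, computed from f(x) = RSA(x) alone."""
    return box(fx * rsa(j) % N)  # RSA(jx) = x^e j^e mod N

def agreement(x, box, samples, rng):
    """Fraction of random positions j where w(j) equals C_x(j) = half_N(jx mod N)."""
    fx = rsa(x)
    hits = sum(code_access(fx, j, box) == half(j * x % N)
               for j in (rng.randrange(1, N) for _ in range(samples)))
    return hits / samples
```

The accessed word agrees with C_x at the same rate at which the box predicts half_N, which is what the list decoder then needs.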
26
Comments on the Code Access Algorithms
RSA: magic box is defined only for jx ∈ Z_N*. Nonetheless, Z_N \ Z_N* is negligible, thus we have good code-access.
Exp: When g^x is a generator, the code-access algorithm succeeds with same probability as the magic box.
27
Comments on Segment Predicates
lsb is not a segment predicate of Exp, since Exp's domain is Z_{p-1} and p-1 is even.
A natural extension of half_N is: b_j(x) = half_N(x/2^j).
This is a 2-segment predicate, when N is odd.
Non-balanced segment predicates: must be non negligibly far from any constant function.
28
Comments on Codes
list decoding other concentrated recoverable codes?
Example of concentrated code which is NOT recoverable: Reed-Solomon code.
30
END
31
Learning…
32
Learning Heavy Fourier Coefficients
Learning Heavy coefficients:
Input: query access to f, threshold
Output: -Heavy(f)
Motivation:
Approximating concentrated functions
Application in list decoding and hard core predicates
Related Work: Kushilevitz & Mansour
33
Binary Search
34
Multi-Target Binary Search
35
First Try
[Figure: Fourier coefficients of f, split into ||f|low||_2^2 and ||f|high||_2^2]
Parseval identity:
2 2
2f ( ) f 1
Can't query f|low , f|high …
36
Convolution with Interval
Interval: I(y) = 1/|I| if y ∈ I, 0 o/w
Convolution:
y
g h(x) g(y)h(x y)
Convolution with Interval:
yf ,IAvg (x) I f (x) f(x y)
Convolution with IntervalConvolution with Interval
Fact:Fact:
Therefore Therefore
High characters:High characters: Let Let g = f g = f -a-a, then , then Use Use AvgAvgg,Ig,I..
g h( ) g( )h( )
22
f ,I |low2 2Avg f
22
f ,I |low2 2Avg f
g( ) f( a)
38
Computing ||Avg_{f,I}||_2^2
Chernoff
yf ,IAvg (x) f(x y)
2 2
xf ,I f ,I2Avg Avg (x)
39
Second Try
[Figure: Fourier coefficients of f, with ||Avg_{f,I}||_2^2 and ||Avg_{g,I}||_2^2]
||Avg_{f,I}||_2^2 is only APPROXIMATELY ||f|low||_2^2
40
Blindfolded Search
[Figure: Fourier coefficients of f, with ||Avg_{f,I}||_2^2, ||Avg_{g,I}||_2^2 and question marks]