Goldreich's One-Way Function Candidate and Myopic Backtracking Algorithms

  • Authors: James Cook; Omid Etesami; Rachel Miller; Luca Trevisan

  • Affiliations: Computer Science Division, U.C. Berkeley; Computer Science Division, U.C. Berkeley; University of Virginia; Computer Science Division, U.C. Berkeley

  • Venue: TCC '09 Proceedings of the 6th Theory of Cryptography Conference on Theory of Cryptography
  • Year: 2009

Abstract

Goldreich (ECCC 2000) proposed a candidate one-way function construction which is parameterized by the choice of a small predicate (over $d = O(1)$ variables) and of a bipartite expanding graph of right-degree $d$. The function is computed by labeling the $n$ vertices on the left with the bits of the input, labeling each of the $n$ vertices on the right with the value of the predicate applied to the neighbors, and outputting the $n$-bit string of labels of the vertices on the right. Inverting Goldreich's one-way function is equivalent to finding solutions to a certain constraint satisfaction problem (which easily reduces to SAT) having a "planted solution," and so the use of SAT solvers constitutes a natural class of attacks. We perform an experimental analysis using MiniSat, which is one of the best publicly available algorithms for SAT. Our experiment shows that the running time required to invert the function grows exponentially with the length of the input, and that such an attack becomes infeasible already with small input length (a few hundred bits). Motivated by these encouraging experiments, we initiate a rigorous study of the limitations of back-tracking based SAT solvers as attacks against Goldreich's function. Results by Alekhnovich, Hirsch and Itsykson imply that Goldreich's function is secure against "myopic" backtracking algorithms (an interesting subclass) if the 3-ary parity predicate $P(x_1, x_2, x_3) = x_1 \oplus x_2 \oplus x_3$ is used. One must, however, use non-linear predicates in the construction, which otherwise succumbs to a trivial attack via Gaussian elimination. We generalized the work of Alekhnovich et al. to handle a more general class of predicates, and we present a lower bound for the construction that uses the predicate $P_d(x_1, \ldots, x_d) := x_1 \oplus x_2 \oplus \cdots \oplus x_{d-2} \oplus (x_{d-1} \wedge x_d)$ and a random graph.
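The construction and the linearity caveat from the abstract, as an added Python example that is not code from the paper: it evaluates the function on a random graph, checks which predicate is affine over GF(2), and shows that the parity instantiation yields a preimage by Gaussian elimination. All function names are hypothetical, the sizes and seed are constructed, and the graph is sampled at random with no expansion check.

```python
import random
from itertools import product

def make_graph(n, d, rng):  # each of the n output vertices gets d distinct input neighbours
    return [rng.sample(range(n), d) for _ in range(n)]

def parity(bits):
    return sum(bits) % 2
def p_d(bits):
    # P_d: XOR of the first d-2 inputs, XORed with the AND of the last two.
    return (sum(bits[:-2]) + (bits[-2] & bits[-1])) % 2

def goldreich(x, graph, predicate):
    return [predicate([x[i] for i in nbrs]) for nbrs in graph]

def is_affine(predicate, d):
    # Affine over GF(2) iff P(u^v) == P(u)^P(v)^P(0) for all u, v.
    zero = predicate([0] * d)
    cube = list(product((0, 1), repeat=d))
    return all(predicate([a ^ b for a, b in zip(u, v)])
               == predicate(list(u)) ^ predicate(list(v)) ^ zero
               for u in cube for v in cube)

def invert_parity(y, graph, n):
    # Gaussian elimination over GF(2); bit n of each row mask holds the output bit.
    pivots = {}
    for nbrs, out in zip(graph, y):
        row = sum(1 << i for i in nbrs) | (out << n)
        for col in range(n):
            if (row >> col) & 1:
                if col not in pivots:
                    pivots[col] = row
                    break
                row ^= pivots[col]
    x = [0] * n  # free variables stay 0
    for col in sorted(pivots, reverse=True):
        row = pivots[col]
        x[col] = (row >> n) & 1
        for j in range(col + 1, n):
            x[col] ^= (row >> j) & x[j] & 1
    return x

def demo(n=64, d=5, seed=2009):  # constructed sizes and seed
    rng = random.Random(seed)
    graph = make_graph(n, d, rng)
    y = goldreich([rng.randrange(2) for _ in range(n)], graph, parity)
    found = invert_parity(y, graph, n)
    return goldreich(found, graph, parity) == y, is_affine(parity, d), is_affine(p_d, d)
print(demo())
```

The recovered input may differ from the original when the linear system is rank-deficient, but it always maps to the same output. The same solver does not apply to `p_d`, whose AND term makes it non-affine.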