The Goldreich-Levin Algorithm - Cryptography. Lecture Notes from CS276, Spring Luca Trevisan St

so no algorithm can be guaranteed to find $x$ given an arbitrary function $H$ such that $\mathbb{P}[H(r) = \langle x, r\rangle] = \frac{3}{4}$, because $x$ need not be uniquely defined by $H$.

We can, however, prove the following:

Lemma 44 (Goldreich-Levin Algorithm) Suppose we have access to a function $H : \{0,1\}^n \to \{0,1\}$ such that, for some unknown $x$, we have

$$\mathbb{P}_{r \in \{0,1\}^n}[H(r) = \langle x, r\rangle] \geq \frac{1}{2} + \epsilon \tag{9.7}$$

where $x \in \{0,1\}^n$ is an unknown string, and $\epsilon > 0$ is given.

Then there is an algorithm GL that runs in time $O(n^2 \epsilon^{-4} \log n)$, makes $O(n \epsilon^{-4} \log n)$ oracle queries into $H$, and outputs a set $L \subseteq \{0,1\}^n$ such that $|L| = O(\epsilon^{-2})$ and, with probability at least $1/2$, $x \in L$.

The Goldreich-Levin algorithm GL has other interpretations (an algorithm that learns the Fourier coefficients of $H$, an algorithm that decodes the Hadamard code in sub-linear time) and various applications outside cryptography.

The Goldreich-Levin Theorem is an easy consequence of Lemma 44. Let $A'$ take input $y$ and then run the algorithm of Lemma 44 with $H(r) = A(y, r)$, yielding a list $L$. $A'$ then checks whether $f(x) = y$ for any $x \in L$, and outputs such an $x$ if one is found.

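From the assumption that

$$\mathbb{P}_{x,r}[A(f(x), r) = \langle x, r\rangle] \geq \frac{1}{2} + \epsilon$$

it follows by Markov's inequality (see Lemma 9 in the last lecture) that

$$\mathbb{P}_{x}\left[\, \mathbb{P}_{r}[A(f(x), r) = \langle x, r\rangle] \geq \frac{1}{2} + \frac{\epsilon}{2} \,\right] \geq \frac{\epsilon}{2}.$$

Let us call an $x$ such that $\mathbb{P}_{r}[A(f(x), r) = \langle x, r\rangle] \geq \frac{1}{2} + \frac{\epsilon}{2}$ a good $x$. If we pick $x$ at random and give $f(x)$ to the above algorithm (applying Lemma 44 with $\epsilon/2$ in place of $\epsilon$), there is a probability at least $\epsilon/2$ that $x$ is good and, if so, there is a probability at least $1/2$ that $x$ is in the list. Therefore, there is a probability at least $\epsilon/4$ that the algorithm inverts $f()$, where the probability is over the choices of $x$ and over the internal randomness of the algorithm.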
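The averaging step can be spelled out as follows. This is a sketch of one standard way to get the bound, not necessarily the exact form of Lemma 9. The names $p_x$ and $G$ are introduced here for illustration only.

```latex
% p_x : success probability of A on a fixed x (notation introduced here)
% G   : the set of good x (notation introduced here)
\begin{align*}
p_x &:= \mathbb{P}_{r}[A(f(x), r) = \langle x, r\rangle], \qquad
G := \{\, x : p_x \geq \tfrac{1}{2} + \tfrac{\epsilon}{2} \,\} \\
\tfrac{1}{2} + \epsilon
  &\leq \mathbb{E}_{x}[p_x]
   \leq \mathbb{P}_{x}[x \in G] \cdot 1
      + \mathbb{P}_{x}[x \notin G] \cdot \left(\tfrac{1}{2} + \tfrac{\epsilon}{2}\right)
   \leq \mathbb{P}_{x}[x \in G] + \tfrac{1}{2} + \tfrac{\epsilon}{2} \\
\Longrightarrow \quad \mathbb{P}_{x}[x \in G] &\geq \tfrac{\epsilon}{2},
\qquad\text{and hence}\qquad
\mathbb{P}[A' \text{ inverts } f] \geq \tfrac{\epsilon}{2} \cdot \tfrac{1}{2} = \tfrac{\epsilon}{4}.
\end{align*}
```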

9.5 The Goldreich-Levin Algorithm

In this section we prove Lemma 44.

We are given an oracle $H()$ such that $H(r) = \langle x, r\rangle$ for a $1/2 + \epsilon$ fraction of the $r$. Our goal will be to use $H()$ to simulate an oracle that has agreement $7/8$ with $\langle x, r\rangle$, so that we can use the algorithm of Lemma ?? of the previous section to find $x$. We perform this “reduction” by “guessing” the value of $\langle x, r\rangle$ at a few points.

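We first choose $k$ random points $r_1, \ldots, r_k \in \{0,1\}^n$ where $k = O(1/\epsilon^2)$. For the moment, let us suppose that we have “magically” obtained the values $\langle x, r_1\rangle, \ldots, \langle x, r_k\rangle$. Then define $H'(r)$ as the majority value of:

$$H(r + r_j) - \langle x, r_j\rangle \qquad j = 1, 2, \ldots, k \tag{9.8}$$

For each $j$, the above expression equals $\langle x, r\rangle$ with probability at least $\frac{1}{2} + \epsilon$ (over the choices of $r_j$), and by choosing $k = O(1/\epsilon^2)$ we can ensure that

$$\mathbb{P}_{r, r_1, \ldots, r_k}\left[ H'(r) = \langle x, r\rangle \right] \geq \frac{31}{32}, \tag{9.9}$$

from which it follows, by Markov's inequality applied to the fraction of $r$ on which $H'$ errs, that

$$\mathbb{P}_{r_1, \ldots, r_k}\left[\, \mathbb{P}_{r}\left[ H'(r) = \langle x, r\rangle \right] \geq \frac{7}{8} \,\right] \geq \frac{3}{4}. \tag{9.10}$$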
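The majority construction in (9.8) can be sketched in Python as follows. This is only an illustration under stated assumptions: bit strings are packed into integers, addition and subtraction over GF(2) become XOR, and the function names `inner` and `make_h_prime` are made up for this example. The “magically” known values are computed from `x` directly, which a real algorithm cannot do.

```python
def inner(x: int, r: int) -> int:
    """Inner product <x, r> over GF(2), with bit strings packed into ints."""
    return bin(x & r).count("1") % 2


def make_h_prime(H, x, rs):
    """Return H'(r) = majority over j of H(r + r_j) - <x, r_j>, as in (9.8).

    H  : oracle mapping an n-bit int to a bit (hypothetical interface)
    x  : the hidden string, used here only to supply the "magic" values
    rs : the points r_1, ..., r_k (use an odd k to avoid ties)
    """
    known = [inner(x, rj) for rj in rs]  # the values <x, r_j>

    def h_prime(r: int) -> int:
        # Over GF(2), both "+" and "-" are XOR.
        ones = sum(H(r ^ rj) ^ bj for rj, bj in zip(rs, known))
        return 1 if 2 * ones > len(rs) else 0

    return h_prime
```

If `H` is wrong on only a few points, each vote is wrong only when `r ^ rj` lands on one of them, so the majority corrects isolated errors.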

Consider the following algorithm.

function GL-First-Attempt
    pick $r_1, \ldots, r_k \in \{0,1\}^n$ where $k = O(1/\epsilon^2)$
    for all $b_1, \ldots, b_k \in \{0,1\}$ do
        define $H'_{b_1 \ldots b_k}(r)$ as majority of: $H(r + r_j) - b_j$
        apply Algorithm GLW to $H'_{b_1 \ldots b_k}$
        add result to list
    end for
    return list
end function

The idea behind this program is that we do not in fact know the values $\langle x, r_j\rangle$, but we can “guess” them by considering all choices for the bits $b_j$. If $H(r)$ agrees with $\langle x, r\rangle$ for at least a $1/2 + \epsilon$ fraction of the $r$s, then there is a probability at least $3/4$ that in one of the iterations we invoke algorithm GLW with a simulated oracle that has agreement $7/8$ with $\langle x, r\rangle$. Therefore, the final list contains $x$ with probability at least $3/4 - 1/n > 1/2$.

The obvious problem with this algorithm is that its running time is exponential in $k = O(1/\epsilon^2)$ and the resulting list may also be exponentially larger than the $O(1/\epsilon^2)$ bound promised by the Lemma.

To overcome these problems, consider the following similar algorithm.

function GL
    pick $r_1, \ldots, r_t \in \{0,1\}^n$ where $t = \log O(1/\epsilon^2)$
    define $r_S := \sum_{j \in S} r_j$ for each non-empty $S \subseteq \{1, \ldots, t\}$
    for all $b_1, \ldots, b_t \in \{0,1\}$ do
        define $b_S := \sum_{j \in S} b_j$ for each non-empty $S \subseteq \{1, \ldots, t\}$
        define $H'_{b_1 \ldots b_t}(r)$ as majority over non-empty $S \subseteq \{1, \ldots, t\}$ of $H(r + r_S) - b_S$
        run Algorithm GLW with oracle $H'_{b_1 \ldots b_t}$
        add result to list
    end for
    return list
end function
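The pseudocode above can be turned into a small runnable sketch. Everything here is illustrative: bit strings are packed into integers, subsets $S$ are encoded as bitmasks, and `glw` is only a stand-in for Algorithm GLW (it recovers each bit of $x$ by a majority vote over `oracle(r + e_i) - oracle(r)`, a common self-correction approach that is assumed here and may differ from the version in these notes). The parameter `samples` and all function names are made up for the example.

```python
import random


def inner(x: int, r: int) -> int:
    """Inner product <x, r> over GF(2), with bit strings packed into ints."""
    return bin(x & r).count("1") % 2


def glw(oracle, n, samples, rng):
    """Stand-in for Algorithm GLW (an assumption, see the lead-in)."""
    x = 0
    for i in range(n):
        e_i = 1 << i
        votes = 0
        for _ in range(samples):
            r = rng.getrandbits(n)
            votes += oracle(r ^ e_i) ^ oracle(r)  # guess for bit i of x
        if 2 * votes > samples:
            x |= e_i
    return x


def gl(H, n, t, samples, rng):
    """Sketch of GL: try every guess b_1..b_t and collect the candidates."""
    rs = [rng.getrandbits(n) for _ in range(t)]
    # r_sub[S] = XOR of r_j for j in S, where S is a bitmask over {0..t-1}.
    r_sub = [0] * (1 << t)
    for S in range(1, 1 << t):
        low = (S & -S).bit_length() - 1          # index of lowest set bit
        r_sub[S] = r_sub[S & (S - 1)] ^ rs[low]
    candidates = set()
    for b in range(1 << t):                      # b encodes b_1..b_t
        def H_b(r, b=b):
            # inner(b, S) is b_S, the sum of b_j over j in S (mod 2).
            ones = sum(H(r ^ r_sub[S]) ^ inner(b, S)
                       for S in range(1, 1 << t))
            return 1 if 2 * ones > (1 << t) - 1 else 0
        candidates.add(glw(H_b, n, samples, rng))
    return candidates
```

The number of non-empty subsets, $2^t - 1$, is odd, so the majority in `H_b` never ties. The returned set has at most $2^t$ elements, matching the list-size bound discussed in the text.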

Let us now see why this algorithm works. First we define, for any nonempty $S \subseteq \{1, \ldots, t\}$, $r_S = \sum_{j \in S} r_j$ and $b_S = \sum_{j \in S} b_j$ (sums taken modulo 2). Then, since $r_1, \ldots, r_t \in \{0,1\}^n$ are random, it follows that for any $S \neq T$, $r_S$ and $r_T$ are independent and uniformly distributed. Now consider an $x$ such that $\langle x, r\rangle$ and $H(r)$ agree on a $\frac{1}{2} + \epsilon$ fraction of the values of $r$. Then for the choice of $\{b_j\}$ where $b_j = \langle x, r_j\rangle$ for all $j$, we have, by linearity of the inner product, that

$$b_S = \langle x, r_S\rangle$$

for every non-empty $S$. In such a case, for every $S$ and every $r$, there is a probability at least $\frac{1}{2} + \epsilon$, over the choices of the $r_j$, that

$$H(r + r_S) - b_S = \langle x, r\rangle,$$

and these events are pairwise independent. Note the following simple lemma.

Lemma 45 Let $R_1, \ldots, R_k$ be a set of pairwise independent 0-1 random variables, each of which is 1 with probability at least $\frac{1}{2} + \epsilon$. Then $\mathbb{P}\left[\sum_i R_i \geq k/2\right] \geq 1 - \frac{1}{4\epsilon^2 k}$.

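Proof: Let $R = R_1 + \cdots + R_k$. The variance of a 0/1 random variable is at most $1/4$, and, because of pairwise independence, $\mathrm{Var}[R] = \mathrm{Var}[R_1 + \cdots + R_k] = \sum_i \mathrm{Var}[R_i] \leq k/4$.

Since $\mathbb{E}[R] \geq \left(\frac{1}{2} + \epsilon\right) k$, Chebyshev's inequality then gives

$$\mathbb{P}[R \leq k/2] \leq \mathbb{P}\big[\,|R - \mathbb{E}[R]| \geq \epsilon k\,\big] \leq \frac{\mathrm{Var}[R]}{\epsilon^2 k^2} \leq \frac{1}{4\epsilon^2 k}.$$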
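Lemma 45 is applied to votes indexed by the subset sums $r_S$, so it relies on those sums being pairwise independent and uniform. For tiny parameters this can be checked by brute force. The sketch below enumerates every choice of $r_1, \ldots, r_t$ and verifies that each pair $(r_S, r_T)$ with $S \neq T$ takes every value in $\{0,1\}^n \times \{0,1\}^n$ equally often. The function names are made up for this example, and subsets are encoded as bitmasks.

```python
from collections import Counter
from itertools import combinations, product


def subset_sum(rs, S):
    """r_S = XOR of r_j over the indices j set in the bitmask S."""
    acc = 0
    for j, rj in enumerate(rs):
        if (S >> j) & 1:
            acc ^= rj
    return acc


def pairwise_uniform(n, t):
    """Exhaustively check that (r_S, r_T) is uniform for all S != T.

    Requires t >= 2. Cost grows like 2^(n*t) * 4^t, so keep n and t tiny.
    """
    points = range(1 << n)
    expected = (1 << (n * t)) // (1 << (2 * n))  # count per pair if uniform
    for S, T in combinations(range(1, 1 << t), 2):
        counts = Counter(
            (subset_sum(rs, S), subset_sum(rs, T))
            for rs in product(points, repeat=t)
        )
        if len(counts) != 1 << (2 * n):
            return False
        if any(c != expected for c in counts.values()):
            return False
    return True
```

The check is not a proof, but it mirrors the underlying reason: for distinct non-empty $S$ and $T$, the map $(r_1, \ldots, r_t) \mapsto (r_S, r_T)$ is linear and onto over GF(2).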

Lemma 45 allows us to upper-bound the probability that the majority operation used to compute $H'$ gives the wrong answer. Combining this with our earlier observation that the $\{r_S\}$ are pairwise independent, we see that choosing $t = \log(128/\epsilon^2)$ suffices to ensure that $H'_{b_1 \ldots b_t}(r)$ and $\langle x, r\rangle$ have agreement at least $7/8$ with probability at least $3/4$. Thus we can use Algorithm $A_{7/8}$ to obtain $x$ with high probability. Choosing $t$ as above ensures that the list generated is of length at most $2^t = 128/\epsilon^2$, and the running time is then $O(n^2 \epsilon^{-4} \log n)$ with $O(n \epsilon^{-4} \log n)$ oracle accesses, due to the $O(1/\epsilon^2)$ iterations of Algorithm GLW, each of which makes $O(n \log n)$ oracle accesses, and to the fact that one evaluation of $H'()$ requires $O(1/\epsilon^2)$ evaluations of $H()$.
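To make the parameter choice concrete, the following sketch computes $t$, the list-size bound $2^t$, and the failure bound from Lemma 45 for a given $\epsilon$. Two assumptions are made here that the text does not state: the logarithm is base 2 and is rounded up to an integer, and the number of votes is taken to be the number of non-empty subsets, $k = 2^t - 1$. The function name is made up for the example.

```python
import math


def gl_parameters(eps: float):
    """Return (t, list_size_bound, lemma45_failure_bound) for a given eps."""
    t = math.ceil(math.log2(128 / eps**2))  # assumed: base-2 log, rounded up
    k = 2**t - 1                            # non-empty subsets S, one vote each
    failure_bound = 1 / (4 * eps**2 * k)    # Lemma 45: P[majority is wrong]
    return t, 2**t, failure_bound
```

For any $\epsilon \leq 1/2$ the resulting failure bound is well below the $1/32$ needed for (9.9), so the constant 128 leaves some slack.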
