6.5 (Random Walk Lemma): Let G be a regular graph having an adjacency matrix for which the ratio of the absolute values of the first and second

2.6 ∗ Efficient Amplification of One-Way Functions

Lemma 2. 6.5 (Random Walk Lemma): Let G be a regular graph having an adjacency matrix for which the ratio of the absolute values of the first and second

eigenvalues is smaller than 1

2. Let S be a subset of measure µ of the graph’s

vertices. Then a random walk of length t on G will hit S with probability at least 1−(1−0.5·µ)t_.

Proof Idea: Because it is of little relevance to the topic of this book, we provide only a rough idea of what is involved in this proof. The proof refers to the stochastic matrix obtained from the adjacency matrix ofG by division with G’s degree, and it views probability distributions over the graph’s vertex set as linear combinations of the (orthogonal) eigenvectors of this matrix. The ratio of eigenvalues in the new matrix is as in the adjacency matrix ofG. Furthermore, the largest eigenvalue is 1, and the eigenvector associated with it is the uniform distribution.

Going step-by-step along the random walk, we bound from above the probability mass assigned to random walks that do not pass through the setS. At each step, the component of the current distribution that is in the direction of the first eigenvector loses a factorµof its weight (where this loss is due to the fraction of the paths that enterSin the current step). Using the bound on the second eigenvalue, it can be shown that in each step theL2-norm of the other components is

decreased by a factor of 2 (so that the residual distribution is “pushed” toward the direction of the first eigenvector). Intuitively, the eventpassing through the set S acts as a sieve on the residual distribution, but this sieve is effective only when the residual distribution is close to uniform, which is being preserved by the next random step on the expander.

17_{That is, we let} _E

def

= {(u, v) : (f(u), v)∈E} and denote N(S)def= {v∈V:∃u∈Ss.t. (u, v)∈E}

and Nf(S)

def

= {v∈V:∃u∈Ss.t. (u, v)∈Ef}. Then Nf(S)= {v∈V:∃f(u)∈f(S) s.t. (f(u), v)∈E} =

N(f(S)), wheref(S)def= {f(u) :u∈S}. Using the 1-1 property off, we have|f(S)| = |S|, and the claim follows (i.e., ifGhas expansion factorc, then so doesGf).

18_{Below, a random walk of length}_t_{means a sequence of}_t_{vertices generated as follows. First, a start vertex}

is selected uniformly in the vertex set. Fori=2, . . . ,t, theith vertex is selected uniformly among the neighbors of thei−1 vertex. We stress that if a vertex has a self-loop, then it is considered a neighbor of itself.

COMPUTATIONAL DIFFICULTY

Next we provide a (sketch of a) formal analysis that closely follows the fore- going intuition. Unfortunately, this simple analysis only establishes a weaker bound than the one claimed. This weaker bound does not suffice for our purposes, since it is meaningful only forµ≥ 1

4 (whereas we also need to relate to much

smaller values ofµ, specifically, 1/µ, being poly-logarithmic in the size of the graph).

Proof sketch for a weaker bound: Let us denote by M the stochastic matrix representing a random step on the graphG=(V,E), and letρ denote a bound on the absolute value of the second largest eigenvalue ofM(where the largest eigenvalue is 1). LetPbe a 0-1 “sieving matrix” that has 1-entries only on its diagonal and furthermore only in entries (i,i) that correspond toi∈S. We represent (residual) probability distributions, overV, by vectors. For such a vectorv,, the vector M,vrepresents the distribution obtained from the distribution,vby taking one random step on the graphG, andPv,is the (residual) distribution obtained from,vby setting to zero all entries that correspond to vertices inS. We represent the uniform distribution overVby the vector

π (in which each entry equals 1/|V|) and observe that Mπ, = ,π(since the uniform distribution is the eigenvector associated with the eigenvalue 1).

One key observation is that the probability that a randomt-step walk does not pass throughSequals the sum of the elements of the (non-negative) vector (P M)t−1Pπ, =

(P M)tπ,. Since the vector (P M)tπ, is non-negative, we can evaluate itsL1-norm in- stead, which in turn is bounded from above by√|V| · -(P M)t_π_,_-_{, where}_-·-_denotes the Euclidean norm (i.e.,L2-norm). Later, we shall prove that for every vector,zit holds that-P M,z- ≤((1−µ)+ρ2₎1/2_{· -,}_z_-_{, and we obtain}

-(P M)tπ,- ≤ (1−µ)+ρ2t/2· -,π- = (1−µ)+ρ2t/2· !

|V| · 1 |V|2 It follows that the probability that a randomt-step walk does not pass throughS is at most(1−µ)+ρ2t/2, which forµ≥2ρ2(e.g.,µ≥1/2 andρ≤1/2) yields an upper bound of (1−0.5·µ)t/2.

In order to prove that-P M,z- ≤((1−µ)+ρ2)1/2· -,z-, we write,z= ,z1+ ,z2such that,z1is the component of,zthat is in the direction of the first eigenvector (i.e.,π,), and

z2is the component that is orthogonal to it. UsingMπ, = ,π,-Pπ,- =

√

1−µ· -,π-,

-M,z2- ≤ρ· -,z2-, and-P,v- ≤ -,v-(for everyv,), we have

-P M(,z1+ ,z2)- ≤ -P M,z1- + -P M,z2-

≤"1−µ· -,z1- +ρ· -,z2-

≤"(1−µ)+ρ2_·"_-,_z

1-2+ -,z2-2

=(1−µ)+ρ21/2· -,z1+ ,z2-

where the last inequality uses the Cauchy-Schwarz inequality (i.e., _iai·bi ≤

ia2i 1/2

·ibi2 1/2

), and the last equality uses the fact that ,z1 and ,z2 are orthogonal.

We comment that the lower bound claimed in the lemma can be generalized to 1−(1−µ+µ·ρ)t, whereρis an upper bound on the eigenvalue ratio.

2.6.∗∗EFFICIENT AMPLIFICATION OF ONE-WAY FUNCTIONS

The Algorithmics.The second lemma (stated next) is analogous to the essence of the proof of Theorem 2.3.2 (i.e., the simple amplification). However, there are two key differences between the two proofs:

1. In the proof of Theorem 2.3.2, we used a trivial combinatorial statement regarding the number of k-sequences over{0,1}n _{that each has an element in some set} _S _{(i.e., the} probability that such a uniformly chosen k-sequence has no element in the set S is (1−2−n· |S|)k). Here we use a generic hypothesis regarding the relationship between the density ofSand the fraction ofk-sequences of a certain type that pass through it. That is, here we consider onlyk-sequences that result from ak-step walk on a fixed regular graph.

2. More importantly, the proof of Theorem 2.3.2 refers to inverting the original function f

on a sequence of (independently distributed) instances, whereas here we refer to inverting successive applications of f (interleaved withgσ-moves) on a single instance (and the sequence in question is the one of intermediate results).

Thus the proof that follows is more complex than the proof of Theorem 2.3.2. The following lemma will be used, withβ(n+k(n) log₂d)=1−(1−0.5·α(n))k(n)/_{, as}

provided by the earlier combinatorial argument.

Lemma 2.6.6 (Reducibility Lemma): Let d,{Gn=({0,1}n,En)}, f :{0,1}∗

→ {0,1}∗, k:N→N, and Fkbe as in Construction 2.6.3.

r

Let Gf,n def =({0,1}n_,_E f,n), where Ef,n def = {(u, v) : (f(u), v)∈ En}.

r

_Let_{α, α}_{, β}_:_N_→_[0_,_1]_{, and k} _:_N_→_N_{be such that}_β₍_n₊_k₍_n_{) log}

2d)> α(n)

andα(n)≥α(n)+2−n_.

Suppose that Gf_,nsatisfies the followingrandom-path property:

In document Foundations of Cryptography Vol 1, Basic Tools pdf (Page 104-106)