TY - GEN
T1 - Lower bounds on the time/memory tradeoff of function inversion
AU - Chawin, Dror
AU - Haitner, Iftach
AU - Mazor, Noam
N1 - Publisher Copyright: © International Association for Cryptologic Research 2020.
PY - 2020
Y1 - 2020
N2 - We study time/memory tradeoffs of function inversion: an algorithm, i.e., an inverter, equipped with an s-bit advice on a randomly chosen function (Formula Presented) and using q oracle queries to f, tries to invert a randomly chosen output y of f, i.e., to find (Formula Presented). Much progress was done regarding adaptive function inversion—the inverter is allowed to make adaptive oracle queries. Hellman [IEEE Transactions on Information Theory ’80] presented an adaptive inverter that inverts with high probability a random f. Fiat and Naor [SICOMP ’00] proved that for any s, q with s^3 q = n^3 (ignoring low-order terms), an s-advice, q-query variant of Hellman’s algorithm inverts a constant fraction of the image points of any function. Yao [STOC ’90] proved a lower bound of sq ≥ n for this problem. Closing the gap between the above lower and upper bounds is a long-standing open question. Very little is known of the non-adaptive variant of the question—the inverter chooses its queries in advance. The only known upper bounds, i.e., inverters, are the trivial ones (with s + q = n), and the only lower bound is the above bound of Yao. In a recent work, Corrigan-Gibbs and Kogan [TCC ’19] partially justified the difficulty of finding lower bounds on non-adaptive inverters, showing that a lower bound on the time/memory tradeoff of non-adaptive inverters implies a lower bound on low-depth Boolean circuits. Bounds that, for a strong enough choice of parameters, are notoriously hard to prove. We make progress on the above intriguing question, both for the adaptive and the non-adaptive case, proving the following lower bounds on restricted families of inverters: Linear-advice (adaptive inverter). If the advice string is a linear function of f (e.g., A × f, for some matrix A, viewing f as a vector in [n]^n), then (Formula Presented).
The bound generalizes to the case where the advice string of f1 + f2, i.e., the coordinate-wise addition of the truth tables of f1 and f2, can be computed from the description of f1 and f2 by a low communication protocol. Affine non-adaptive decoders. If the non-adaptive inverter has an affine decoder—it outputs a linear function, determined by the advice string and the element to invert, of the query answers—then (Formula Presented) (regardless of q). Affine non-adaptive decision trees. If the non-adaptive inversion algorithm is a d-depth affine decision tree—it outputs the evaluation of a decision tree whose nodes compute a linear function of the answers to the queries—and q < cn for some universal c > 0, then (Formula Presented).
KW - Function inverters
KW - Random functions
KW - Time/memory tradeoff
UR - http://www.scopus.com/inward/record.url?scp=85098237084&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-64381-2_11
DO - 10.1007/978-3-030-64381-2_11
M3 - Conference contribution
SN - 9783030643805
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 305
EP - 334
BT - Theory of Cryptography - 18th International Conference, TCC 2020, Proceedings
A2 - Pass, Rafael
A2 - Pietrzak, Krzysztof
PB - Springer Science and Business Media Deutschland GmbH
T2 - 18th International Conference on Theory of Cryptography, TCC 2020
Y2 - 16 November 2020 through 19 November 2020
ER -