The Function-Inversion Problem: Barriers and Opportunities

  • Henry Corrigan-Gibbs
  • Dmitry Kogan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11891)

Abstract

The task of function inversion is central to cryptanalysis: breaking block ciphers, forging signatures, and cracking password hashes are all special cases of the function-inversion problem. In 1980, Hellman showed that it is possible to invert a random function \(f{:}\,[N] \rightarrow [N]\) in time \(T = \widetilde{O}(N^{2/3})\) given only \(S = \widetilde{O}(N^{2/3})\) bits of precomputed advice about f. Hellman’s algorithm is the basis for the popular “Rainbow Tables” technique (Oechslin 2003), which achieves the same asymptotic cost and is widely used in practical cryptanalysis.
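To make the preprocessing/online split concrete, here is an added illustration of Hellman's trade-off on a toy function; it is example code written for this page, not code from the paper. The target f:[N]→[N] is a constructed, seeded hash-based function standing in for a real target such as k ↦ AES_k(p₀) for a fixed plaintext p₀, and the "flavor" functions r_i(v) = v + i mod N that separate the tables are an assumed simple choice of Hellman's output modifiers. With m chains of length t per table and ℓ tables, the standard parameter choice m t² = N and ℓ = t gives advice S = mℓ = N/t entries and online cost T = tℓ = t² evaluations, i.e. the curve T S² = N²; setting S = T yields the N^{2/3} point quoted above.

```python
"""Hellman's time-memory trade-off on a toy random function.

Added example for this page (not the paper's code).  f:[N]->[N] is a
constructed, seeded hash-based function; the flavor functions r_i are an
assumed simple instance of Hellman's output modifiers.
"""
import hashlib
import random


def make_random_function(N, seed=0):
    """Constructed toy f:[N]->[N], deterministic for a given seed."""
    def f(x):
        h = hashlib.sha256(f"{seed}:{x}".encode()).digest()
        return int.from_bytes(h[:8], "big") % N
    return f


def flavor(f, N, i):
    """Hellman's i-th modified function g_i = r_i o f with r_i(v) = v + i mod N.
    Different flavors make chains wander differently, so the tables cover
    (mostly) different points."""
    return lambda x: (f(x) + i) % N


def build_table(g, N, m, t, rng):
    """Preprocessing: m chains of length t under g; store only endpoint -> start.
    Advice is O(m) entries per table; the online walk costs O(t) evaluations."""
    table = {}
    for _ in range(m):
        start = rng.randrange(N)
        x = start
        for _ in range(t):
            x = g(x)
        table.setdefault(x, start)  # merged chains share an endpoint; keep the first
    return table


def invert_with_table(f, g, N, i, table, y, t):
    """Online phase for one table: walk r_i(y) forward under g for up to t steps.
    On hitting a stored endpoint, regenerate that chain from its start and look
    for z with f(z) == y.  Chain merges cause false alarms, which the
    regeneration step simply rejects."""
    x = (y + i) % N
    for _ in range(t):
        if x in table:
            z = table[x]
            for _ in range(t):
                if f(z) == y:
                    return z
                z = g(z)
        x = g(x)
    return None


def preprocess(f, N, m, t, num_tables, seed=1):
    """Build num_tables Hellman tables, one per flavor."""
    rng = random.Random(seed)
    return [build_table(flavor(f, N, i), N, m, t, rng) for i in range(num_tables)]


def invert(f, N, tables, y, t):
    """Try every table; return some z with f(z) == y, or None if y is not covered."""
    for i, table in enumerate(tables):
        z = invert_with_table(f, flavor(f, N, i), N, i, table, y, t)
        if z is not None:
            return z
    return None


def demo(N=2**15, samples=300, seed=7):
    """Use m = t = #tables = N^(1/3), so the advice holds ~N^(2/3) entries and
    the online phase costs ~N^(2/3) evaluations.  Returns the observed success
    rate on image points y = f(x) (constructed queries) and the advice size."""
    f = make_random_function(N, seed)
    k = round(N ** (1 / 3))
    tables = preprocess(f, N, m=k, t=k, num_tables=k)
    rng = random.Random(seed + 1)
    hits = 0
    for _ in range(samples):
        y = f(rng.randrange(N))
        z = invert(f, N, tables, y, k)
        if z is not None:
            assert f(z) == y  # every answer returned is a genuine preimage
            hits += 1
    return {"N": N, "m_t_tables": k,
            "advice_entries": sum(len(tb) for tb in tables),
            "success_rate": hits / samples}


if __name__ == "__main__":
    print(demo())
```

A single table with m t² = N covers only about m t points of the domain, which is why Hellman uses t independently flavored tables; with N = 2¹⁵ and k = 32 the run above stores at most 1024 endpoints and recovers a preimage for roughly half of the sampled image points, while a full-coverage Hellman attack, as well as rainbow tables, trades more tables or longer chains against the same S²T = N² curve.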

Is Hellman’s method the best possible algorithm for inverting functions with preprocessed advice? The best known lower bound, due to Yao (1990), shows that \(ST = \widetilde{\Omega }(N)\), which still admits the possibility of an \(S = T = \widetilde{O}(N^{1/2})\) attack. There remains a long-standing and vexing gap between Hellman’s \(N^{2/3}\) upper bound and Yao’s \(N^{1/2}\) lower bound. Understanding the feasibility of an \(S = T = N^{1/2}\) algorithm is cryptanalytically relevant since such an algorithm could perform a key-recovery attack on AES-128 in time \(2^{64}\) using a precomputed table of size \(2^{64}\).

For the past 29 years, there has been no progress either in improving Hellman’s algorithm or in strengthening Yao’s lower bound. In this work, we connect function inversion to problems in other areas of theory to (1) explain why progress may be difficult and (2) explore possible ways forward.

Our results are as follows:
  • We show that any improvement on Yao’s lower bound on function-inversion algorithms will imply new lower bounds on depth-two circuits with arbitrary gates. Further, we show that proving strong lower bounds on non-adaptive function-inversion algorithms would imply breakthrough circuit lower bounds on linear-size log-depth circuits.

  • We take first steps towards the study of the injective function-inversion problem, which has manifold cryptographic applications. In particular, we show that improved algorithms for breaking PRGs with preprocessing would give improved algorithms for inverting injective functions with preprocessing.

  • Finally, we show that function inversion is closely related to well-studied problems in communication complexity and data structures. Through these connections we immediately obtain the best known algorithms for problems in these domains.

Acknowledgments

We would like to thank Dan Boneh for encouraging us to investigate whether Hellman’s method can be improved and for his continued advice as we undertook this project. Iftach Haitner gave us meaningful guidance on our research process early on and, along with Ronen Shaltiel, suggested many possible approaches towards proving new lower bounds. Joshua Brakensiek, Joshua Brody, Clément Canonne, Andrew Drucker, Michael Kim, Peter Bro Miltersen, Ilya Mironov, Omer Reingold, Avishay Tal, Li-Yang Tan, and David Wu made a number of suggestions that improved the presentation of our results. Finally, we would like to thank the anonymous TCC reviewers for their many constructive comments. This work was supported by CISPA, DARPA, NSF, ONR, and the Simons Foundation.

References

  1. Abusalah, H., Alwen, J., Cohen, B., Khilko, D., Pietrzak, K., Reyzin, L.: Beyond Hellman’s time-memory trade-offs with applications to proofs of space. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 357–379. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_13
  2. Alon, N., Goldreich, O., Håstad, J., Peralta, R.: Simple construction of almost k-wise independent random variables. Random Struct. Algorithms 3(3), 289–304 (1992). https://doi.org/10.1002/rsa.3240030308
  3. Babai, L., Hayes, T.P., Kimmel, P.G.: The cost of the missing bit: communication complexity with help. Combinatorica 21(4), 455–488 (2001). https://doi.org/10.1007/s004930100009
  4. Barbay, J., He, M., Munro, J.I., Satti, S.R.: Succinct indexes for strings, binary relations and multilabeled trees. ACM Trans. Algorithms 7(4), 52:1–52:27 (2011). https://doi.org/10.1145/2000807.2000820
  5. Barkan, E., Biham, E., Shamir, A.: Rigorous bounds on cryptanalytic time/memory tradeoffs. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 1–21. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_1
  6. Beigel, R., Tarui, J.: On ACC. Comput. Complex. 4, 350–366 (1994). https://doi.org/10.1007/BF01263423
  7. Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_1
  8. Biryukov, A., Shamir, A., Wagner, D.: Real time cryptanalysis of A5/1 on a PC. In: Goos, G., Hartmanis, J., van Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44706-7_1
  9. Boyle, E., Naor, M.: Is there an oblivious RAM lower bound? In: ITCS (2016). https://doi.org/10.1145/2840728.2840761
  10. Brody, J.: The maximum communication complexity of multi-party pointer jumping. In: CCC (2009). https://doi.org/10.1109/CCC.2009.30
  11. Brody, J., Chakrabarti, A.: Sublinear communication protocols for multi-party pointer jumping and a related lower bound. In: STACS (2008). https://doi.org/10.4230/LIPIcs.STACS.2008.1341
  12. Brody, J., Dziembowski, S., Faust, S., Pietrzak, K.: Position-based cryptography and multiparty communication complexity. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 56–81. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_3
  13. Brody, J., Larsen, K.G.: Adapt or die: polynomial lower bounds for non-adaptive dynamic data structures. Theory Comput. 11(19), 471–489 (2015). https://doi.org/10.4086/toc.2015.v011a019
  14. Brody, J., Sanchez, M.: Dependent random graphs and multi-party pointer jumping. In: APPROX/RANDOM (2015). https://doi.org/10.4230/LIPIcs.APPROX-RANDOM.2015.606
  15. Chandra, A.K., Furst, M.L., Lipton, R.J.: Multi-party protocols. In: STOC (1983). https://doi.org/10.1145/800061.808737
  16. Cherukhin, D.Y.: Lower bounds for the complexity of Boolean circuits of finite depth with arbitrary elements. Discret. Math. Appl. 23(4), 39–47 (2011). https://doi.org/10.1515/dma.2011.031
  17. Clark, D.R., Munro, J.I.: Efficient suffix trees on secondary storage. In: SODA (1996)
  18. Coretti, S., Dodis, Y., Guo, S.: Non-uniform bounds in the random-permutation, ideal-cipher, and generic-group models. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 693–721. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_23
  19. Coretti, S., Dodis, Y., Guo, S., Steinberger, J.: Random oracles and non-uniformity. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 227–258. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_9
  20. Damm, C., Jukna, S., Sgall, J.: Some bounds on multiparty communication complexity of pointer jumping. Comput. Complex. 7(2), 109–127 (1998). https://doi.org/10.1007/PL00001595
  21. De, A., Trevisan, L., Tulsiani, M.: Time space tradeoffs for attacks against one-way functions and PRGs. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 649–665. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_35
  22. Demaine, E.D., López-Ortiz, A.: A linear lower bound on index size for text retrieval. J. Algorithms 48(1), 2–15 (2003). https://doi.org/10.1016/S0196-6774(03)00043-9
  23. Dodis, Y., Guo, S., Katz, J.: Fixing cracks in the concrete: random oracles with auxiliary input, revisited. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 473–495. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_16
  24. Dodis, Y., Steinberger, J.: Message authentication codes from unpredictable block ciphers. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 267–285. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_16
  25. Drucker, A.: Limitations of lower-bound methods for the wire complexity of Boolean operators. In: CCC (2012). https://doi.org/10.1109/CCC.2012.39
  26. Dvir, Z., Golovnev, A., Weinstein, O.: Static data structure lower bounds imply rigidity. In: STOC (2019). https://doi.org/10.1145/3313276.3316348
  27. Fiat, A., Naor, M.: Rigorous time/space tradeoffs for inverting functions. In: STOC (1991). https://doi.org/10.1145/103418.103473
  28. Fiat, A., Naor, M.: Rigorous time/space trade-offs for inverting functions. SIAM J. Comput. 29(3), 790–803 (1999). https://doi.org/10.1137/S0097539795280512
  29. Gál, A., Miltersen, P.B.: The cell probe complexity of succinct data structures. In: ICALP (2003). https://doi.org/10.1007/3-540-45061-0_28
  30. Gál, A., Miltersen, P.B.: The cell probe complexity of succinct data structures. Theoret. Comput. Sci. 379(3), 405–417 (2007). https://doi.org/10.1016/j.tcs.2007.02.047
  31. Geary, R.F., Raman, R., Raman, V.: Succinct ordinal trees with level-ancestor queries. ACM Trans. Algorithms 2(4), 510–534 (2006). https://doi.org/10.1145/1198513.1198516
  32. Gennaro, R., Gertner, Y., Katz, J., Trevisan, L.: Bounds on the efficiency of generic cryptographic constructions. SIAM J. Comput. 35(1), 217–246 (2005). https://doi.org/10.1137/S0097539704443276
  33. Gennaro, R., Trevisan, L.: Lower bounds on the efficiency of generic cryptographic constructions. In: FOCS (2000). https://doi.org/10.1109/SFCS.2000.892119
  34. Goldreich, O.: Towards a theory of software protection and simulation by oblivious RAMs. In: STOC (1987). https://doi.org/10.1145/28395.28416
  35. Goldreich, O.: Foundations of Cryptography, vol. 1. Cambridge University Press, New York (2006)
  36. Goldreich, O., Krawczyk, H., Luby, M.: On the existence of pseudorandom generators. SIAM J. Comput. 22(6), 1163–1175 (1993). https://doi.org/10.1137/0222069
  37. Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: STOC (1989). https://doi.org/10.1145/73007.73010
  38. Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM 43(3), 431–473 (1996). https://doi.org/10.1145/233551.233553
  39. Golovnev, A., Guo, S., Horel, T., Park, S., Vaikuntanathan, V.: 3SUM with preprocessing: algorithms, lower bounds and cryptographic applications. arXiv:1907.08355 [cs.DS] (2019). http://arxiv.org/abs/1907.08355
  40. Golynski, A.: Stronger lower bounds for text searching and polynomial evaluation (2007). https://cs.uwaterloo.ca/research/tr/2007/CS-2007-25.pdf
  41. Golynski, A.: Cell probe lower bounds for succinct data structures. In: SODA (2009). https://doi.org/10.1137/1.9781611973068.69
  42. Goyal, N., Saks, M.: A parallel search game. Random Struct. Algorithms 27(2), 227–234 (2005). https://doi.org/10.1002/rsa.20068
  43. Grossi, R., Orlandi, A., Raman, R.: Optimal trade-offs for succinct string indexes. In: ICALP (2010). https://doi.org/10.1007/978-3-642-14165-2_57
  44. Haitner, I., Mazor, N., Oshman, R., Reingold, O., Yehudayoff, A.: On the communication complexity of key-agreement protocols. In: ITCS (2019). https://doi.org/10.4230/LIPIcs.ITCS.2019.40
  45. He, M., Munro, J.I., Satti, S.R.: Succinct ordinal trees based on tree covering. ACM Trans. Algorithms 8(4), 42:1–42:32 (2012). https://doi.org/10.1145/2344422.2344432
  46. Hellman, M.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980). https://doi.org/10.1109/TIT.1980.1056220
  47. Håstad, J., Goldmann, M.: On the power of small-depth threshold circuits. Comput. Complex. 1, 113–129 (1991). https://doi.org/10.1007/BF01272517
  48. Impagliazzo, R.: Relativized separations of worst-case and average-case complexities for NP. In: CCC (2011). https://doi.org/10.1109/CCC.2011.34
  49. Jacobson, G.: Space-efficient static trees and graphs. In: FOCS (1989). https://doi.org/10.1109/SFCS.1989.63533
  50. Jukna, S.: Boolean Function Complexity. Algorithms and Combinatorics, vol. 27. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-24508-4
  51. Jukna, S., Schnitger, G.: Min-rank conjecture for log-depth circuits. J. Comput. Syst. Sci. 77(6), 1023–1038 (2011). https://doi.org/10.1016/j.jcss.2009.09.003
  52. Kopelowitz, T., Porat, E.: The strong 3SUM-INDEXING conjecture is false. arXiv:1907.11206 [cs.DS] (2019). http://arxiv.org/abs/1907.11206
  53. Kushilevitz, E., Nisan, N.: Communication Complexity. Cambridge University Press, New York (1997)
  54. Larsen, K.G., Nielsen, J.B.: Yes, there is an oblivious RAM lower bound! In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 523–542. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_18
  55. Levin, L.A.: One-way functions and pseudorandom generators. Combinatorica 7(4), 357–363 (1987). https://doi.org/10.1007/BF02579323
  56. Liang, H.: Optimal collapsing protocol for multiparty pointer jumping. Theory Comput. Syst. 54(1), 13–23 (2014). https://doi.org/10.1007/s00224-013-9476-x
  57. Miltersen, P.B.: On the cell probe complexity of polynomial evaluation. Theoret. Comput. Sci. 143(1), 167–174 (1995). https://doi.org/10.1016/0304-3975(95)80032-5
  58. Munro, J.I., Raman, R., Raman, V., Rao, S.S.: Succinct representations of permutations and functions. Theoret. Comput. Sci. 438, 74–88 (2012). https://doi.org/10.1016/j.tcs.2012.03.005
  59. Narayanan, A., Shmatikov, V.: Fast dictionary attacks on passwords using time-space tradeoff. In: CCS (2005). https://doi.org/10.1145/1102120.1102168
  60. Nayebi, A., Aaronson, S., Belovs, A., Trevisan, L.: Quantum lower bound for inverting a permutation with advice. Quantum Inf. Comput. 15(11–12), 901–913 (2015)
  61. Oechslin, P.: Making a faster cryptanalytic time-memory trade-off. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 617–630. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_36
  62. Ostrovsky, R.: Efficient computation on oblivious RAMs. In: STOC (1990). https://doi.org/10.1145/100216.100289
  63. Pudlák, P., Rödl, V., Sgall, J.: Boolean circuits, tensor ranks, and communication complexity. SIAM J. Comput. 26(3), 605–633 (1997). https://doi.org/10.1137/S0097539794264809
  64. Sadakane, K., Grossi, R.: Squeezing succinct data structures into entropy bounds. In: SODA (2006). https://doi.org/10.1145/1109557.1109693
  65. Unruh, D.: Random oracles and auxiliary input. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 205–223. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_12
  66. Valiant, L.G.: Graph-theoretic arguments in low-level complexity. In: Gruska, J. (ed.) MFCS 1977. LNCS, vol. 53, pp. 162–176. Springer, Heidelberg (1977). https://doi.org/10.1007/3-540-08353-7_135
  67. Valiant, L.G.: Why is Boolean complexity theory difficult. In: London Mathematical Society Lecture Note Series, vol. 169, pp. 84–94 (1992). https://doi.org/10.1017/cbo9780511526633.008
  68. Viola, E.: On the power of small-depth computation. Found. Trends Theoret. Comput. Sci. 5(1), 1–72 (2009). https://doi.org/10.1561/0400000033
  69. Viola, E.: Lower bounds for data structures with space close to maximum imply circuit lower bounds. Electronic Colloquium on Computational Complexity (ECCC), Report 2018/186 (2018)
  70. Viola, E., Wigderson, A.: One-way multiparty communication lower bound for pointer jumping with applications. Combinatorica 29(6), 719–743 (2009). https://doi.org/10.1007/s00493-009-2667-z
  71. Wee, H.: On obfuscating point functions. In: STOC (2005). https://doi.org/10.1145/1060590.1060669
  72. Weiss, M., Wichs, D.: Is there an oblivious RAM lower bound for online reads? Cryptology ePrint Archive, Report 2018/619 (2018)
  73. Weiss, M., Wichs, D.: Is there an oblivious RAM lower bound for online reads? In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 603–635. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_22
  74. Yao, A.C.: Some complexity questions related to distributive computing (preliminary report). In: STOC (1979). https://doi.org/10.1145/800135.804414
  75. Yao, A.C.: Should tables be sorted? J. ACM 28(3), 615–628 (1981). https://doi.org/10.1145/322261.322274
  76. Yao, A.C.: Theory and applications of trapdoor functions. In: FOCS (1982). https://doi.org/10.1109/SFCS.1982.45
  77. Yao, A.C.: Coherent functions and program checkers (extended abstract). In: STOC (1990). https://doi.org/10.1145/100216.100226
  78. Yao, A.C.: On ACC and threshold circuits. In: FOCS (1990). https://doi.org/10.1109/FSCS.1990.89583

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. Stanford University, Stanford, USA