On Derandomizing Yao’s Weak-to-Strong OWF Construction

Abstract

The celebrated result of Yao (Yao, FOCS’82) shows that concatenating \(n\cdot p(n)\) copies of a weak one-way function (OWF) f, which can be inverted with probability \(1-\tfrac{1}{p(n)}\), suffices to construct a strong OWF g, showing that weak and strong OWFs are black-box equivalent. This direct product theorem for hardness amplification of OWFs has been very influential. However, the construction of Yao is not security-preserving, i.e., the input to g needs to be much larger than the input to f. Understanding whether a larger input is inherent is a long-standing open question.

In this work, we explore necessary features of constructions which achieve short input length by proving the following: for any direct product construction of a strong OWF g from a weak OWF f, which can be inverted with probability \(1-\tfrac{1}{p(n)}\), the input size of g must grow as \(\varOmega (p(n))\). By direct product construction, we refer to any construction with the following structure: the construction g executes some arbitrary pre-processing function (independent of f) on its input, obtaining a vector \((y_1, \cdots , y_l)\), and outputs \(f(y_1), \cdots , f(y_l)\). Note that Yao’s construction is obtained by setting the pre-processing to be the identity. Our result generalizes to functions g with post-processing, as long as the post-processing function is not too lossy. Thus, in essence, any weak-to-strong OWF hardness amplification must either (1) be very far from security-preserving, (2) use adaptivity, or (3) must be very far from a direct-product structure (in the sense of having a very lossy post-processing of the outputs of f).

On a technical level, we use ideas from lower bounds for secret-sharing to prove the impossibility of derandomizing Yao in a black-box way. Our results are in line with Goldreich, Impagliazzo, Levin, Venkatesan, and Zuckerman (FOCS 1990) who derandomize Yao’s construction for regular weak OWFs by evaluating the OWF along a random walk on an expander graph—the construction is adaptive, since it alternates steps on the expander graph with evaluations of the weak OWF.

Appendices

A Additional Lemmas and Proofs

Lemma 23

(Averaging Argument). Let \(A_n\) and \(B_n\) be probability distributions that depend on natural number n (e.g. uniform distribution over \(\{0,1\}^n\)). For convenience, we write \(A := A_n, B:= B_n\). Let \(E(\cdot ,\cdot )\) be any event.

If , where \(c>0\) constant, then there exist constants \( d,d' > 0\) s.t.

The proof is standard, we defer it to the full version.

Lemma 24

(Small Entropy w.h.p.). If then

where .

The proof is a direct application of Markov bound, we defer it to the full version.

Lemma 25

(Predictable Inputs). If

then

Proof

Since \(4n< \mathbf {p}(m)\), we get that

(19)

Let \(S_{h,e}\subseteq \{0,1\}^m\) be defined as

where we define below. Using (19) and the definition of conditional Shannon entropy, we get that

where \(\log \) is the base-2 logarithm and

$$p_e(s') := \mathsf {pre}(s')_{\pi \left( \frac{l}{\mathbf {p}(m)}+1\right) },... , \mathsf {pre}(s')_{\pi \left( l\right) }$$

and

$$\begin{aligned} p_h(s'):=\mathsf {pre}(s')_{\pi \left( 1\right) },\dots ,\mathsf {pre}(s')_{\pi \left( \frac{l}{\mathbf {p}(m)}\right) }. \end{aligned}$$

Now

which proves the statement.    \(\square \)

B Proof of Theorem 18 (\(\mathsf {F}\) is a weak OWF)

In order to prove Theorem 18, we need to show that \(\mathsf {F}\) is weak OWF with inversion probability \(1-1/2\mathbf {c}\mathbf {p}(m)\) with all but small constant probability. Namely, we need to show that for all polynomials \(\mathbf {p}\), for all poly-query \(\mathcal {A}^{\mathsf {F},\mathsf {PSPACE},\mathsf {INV}}\), for all adversaries \(\mathcal {R}\) making polynomially many (in \(m\)) queries to the oracles \(\mathsf {F},\mathsf {PSPACE},\mathsf {INV},\mathcal {A}^{\mathsf {F},\mathsf {PSPACE},\mathsf {INV}}\),

(20)

where \(\mathsf {SuccInv}^{\mathsf {F},\mathsf {PSPACE},\mathsf {INV}}_{\mathcal {A},\mathcal {R}}\) is defined as

Proof

Fix \(\mathbf {p}\), \(\mathcal {R}\) and \(\mathcal {A}\). Since \(\mathcal {A}\) and \(\mathcal {R}\) both make polynomially many queries to the same oracles, \(\mathcal {R}\) can simply simulate \(\mathcal {A}\). Thus, w.l.o.g., we can assume that \(\mathcal {R}\) only makes queries to \(\mathsf {F}\), \(\mathsf {PSPACE}\) and \(\mathsf {INV}\). Additionally, we consider \(\mathcal {R}\) to be a computationally unbounded algorithm so that w.l.o.g., we can assume that it does not make queries to the \(\mathsf {PSPACE}\) oracle.

Let q be a polynomial such that adversary \(\mathcal {R}\) makes exactly \(q(m)\) queries to the oracle \(\mathsf {F}\) and an arbitrary number of queries to \(\mathsf {INV}\). Since we let the adversary \(\mathcal {R}\) make an arbitrary number of queries to \(\mathsf {INV}\), that is, the adversary can be assumed to know the \(\mathsf {EASY}_\mathsf {in}^m\) and \(\mathsf {EASY}_\mathsf {out}^m\) and how \(\mathsf {F}\) maps \(\mathsf {EASY}_\mathsf {in}^m\) to \(\mathsf {EASY}_\mathsf {out}^m\) completely. This only makes the adversary stronger. Importantly, using \(\mathsf {INV}\) does not give the adversary any information on \(\mathsf {F}\) on the hard values (only the fact that the values are hard).

Denote the preimages to \(\mathsf {F}\) queries by \(x_1,...,x_{q(m)}\) and the adversary’s guess for the pre-image of its input y by \(x_{q(m)+1}\).

Next, we apply an averaging argument. Consider the random variable

$$\begin{aligned} \mathsf {SuccInv}^{\mathsf {F},\mathsf {PSPACE},\mathsf {INV}}_{\mathcal {A},\mathcal {R}} \end{aligned}$$

which maps to the probability that

$$\begin{aligned} \mathcal {R}^{\mathsf {F},\mathsf {PSPACE},\mathsf {INV},\mathcal {A}^{\mathsf {F},\mathsf {PSPACE},\mathsf {INV}}} \end{aligned}$$

inverts \(\mathsf {F}\) over the randomness of \(\mathcal {R}\), \(\mathcal {A}\) and sampling x. Then, by the previous analysis, the expected value \(\mu \) of \(\mathsf {SuccInv}^{\mathsf {F},\mathsf {PSPACE},\mathsf {INV}}_{\mathcal {A},\mathcal {R}}\) is at most \(1-\epsilon \) for \(\epsilon :=\frac{1}{2\mathbf {p}(m)}\). Using Markov inequality on \(1-\mathsf {SuccInv}^{\mathsf {F},\mathsf {PSPACE},\mathsf {INV}}_{\mathcal {A},\mathcal {R}}\), we obtain that

for any c.    \(\square \)