
A classical one-way function to confound quantum adversaries

Cristopher Moore, University of New Mexico and the Santa Fe Institute, [email protected]
Alexander Russell, University of Connecticut, [email protected]
Umesh Vazirani, U. C. Berkeley, [email protected]

arXiv:quant-ph/0701115v2, 19 Jan 2007 (this version dated February 1, 2008)

Abstract

The promise of quantum computation and its consequences for complexity-theoretic cryptography motivates an immediate search for cryptosystems which can be implemented with current technology, but which remain secure even in the presence of quantum computers. Inspired by recent negative results pertaining to the nonabelian hidden subgroup problem, we present here a classical algebraic function $f_V(M)$ of a matrix $M$ which we believe is a one-way function secure against quantum attacks. Specifically, inverting $f_V$ reduces naturally to solving a hidden subgroup problem over the general linear group (which is at least as hard as the hidden subgroup problem over the symmetric group). We also demonstrate a reduction from Graph Isomorphism to the problem of inverting $f_V$; unlike Graph Isomorphism, however, the function $f_V$ is random self-reducible and therefore uniformly hard.

These results suggest that, unlike Shor's algorithm for the discrete logarithm (which is, so far, the only successful quantum attack on a classical one-way function), quantum attacks based on the hidden subgroup problem are unlikely to work. We also show that reconstructing any entry of $M$, or the trace of $M$, with nonnegligible advantage is essentially as hard as inverting $f_V$. Finally, $f_V$ can be efficiently computed and the number of output bits is less than $1+\epsilon$ times the number of input bits for any $\epsilon > 0$.

1 Introduction

When a quantum computer is finally built, perhaps its most important practical impact will be on modern cryptography, thanks to Shor's celebrated quantum algorithms for factoring and discrete logs [Sho97] (and a sequence of followup results).
Quantum cryptography provides a partial recourse, though its scope is limited by "no-go" theorems such as the impossibility of quantum bit commitment, as well as extravagant physical infrastructure requirements. A plausible route to a more acceptable antidote was suggested in a result contemporaneous with Shor's paper, showing that quantum computers require exponential time to invert a random permutation in a black box model [BBBV97]. Since a random permutation is a standard abstraction for a one-way function, this result suggested the possibility of creating classical cryptography that is resistant to quantum cryptanalysis. The practical challenge is to design a function $f : \Sigma^n \to \Sigma^m$ that can be computed very efficiently by a classical computer, while providing credible evidence that inversion is difficult even with a quantum computer. It is also desirable that $f$ be nonexpansive, i.e., that $m$ not be much larger than $n$. This is the goal of this paper.

Our task is facilitated by new insights obtained over the last few years into the limits of quantum algorithms for the non-abelian hidden subgroup problem (HSP). A series of negative results [HRTS00, GSVV01, MRS05] culminating in Hallgren et al. [HMR+06] shows that for sufficiently non-abelian groups the HSP is hard for quantum computers in the sense that any quantum algorithm using the coset state framework requires exponential time unless it makes highly entangled measurements of $\Omega(\log |G|)$ registers. Very few algorithmic models for highly-entangled measurements are known; one of the few proposals for carrying out such measurements efficiently is a "quantum sieve," developed by Kuperberg [K05] for the HSP on the dihedral group. However, a recent result of Moore, Russell, and Śniady [MRS06] shows that no such approach yields an efficient algorithm over the symmetric groups. In fact, for the cases relevant to Graph Isomorphism, algorithms of this form cannot even do much better than the best known classical algorithms. This forms the basis of our main assumption about the limitations of quantum algorithms.
Our function, which we denote $f_V$, is parametrized by a list of vectors $V = v_1, v_2, \ldots, v_m$; we will choose each $v_i$ independently and uniformly at random from $\mathbb{F}_q^n$, where $q$ is some small prime. Then given $M \in \mathrm{GL}_n(\mathbb{F}_q)$, that is, an invertible $n \times n$ matrix over $\mathbb{F}_q$, we define $f_V(M)$ as the collection
$$MV = \{\, Mv \mid v \in V \,\}.$$
However, $f_V$ returns this collection as an unordered set (say, sorted in lexicographic order). In other words, we know that each $w \in f_V(M)$ is $Mv$ for some $v \in V$, but we do not know with what permutation the $v$s and $w$s correspond.

In Section 2, we show that $f_V$ is one-to-one with high probability in $V$ whenever $m$ is slightly larger than $n$, say $m = n + O(\ln^2 n)$. Also, clearly $f_V$ can be computed very efficiently, in time $M(n)$, the time to multiply two $n \times n$ matrices. As a function of the input length $k = n^2$, the time is essentially $M(\sqrt{k})$.

In Section 3, we point out that the natural reduction of inverting $f_V$ to a hidden subgroup (or hidden shift) problem results in hidden subgroup problems on the general linear group $\mathrm{GL}_n$. This group contains the symmetric group $S_n$ as a subgroup, and its HSP appears resistant to all known quantum techniques. Moreover, we reduce the Graph Isomorphism problem to the problem of inverting $f_V$. This implies that no quantum attack analogous to Shor's algorithm for the discrete logarithm can succeed, unless there is an efficient quantum algorithm for Graph Isomorphism.

We stress that unlike Graph Isomorphism, for which there is no known way to generate hard random instances, inverting $f_V$ is uniformly hard because of the following simple observation: for any matrix $A \in \mathrm{GL}_n$, we have $f_V(AM) = A\, f_V(M)$. By choosing $A$ randomly, this allows us to map a fixed instance $f_V(M)$ to a random one with the same $V$. It follows that, for any fixed $V$, if $f_V$ can be inverted on even a $1/\mathrm{poly}(n)$ fraction of matrices $M$, then there is a probabilistic algorithm that inverts it on arbitrary inputs $M$. A similar though more complicated assertion can be made about uniform hardness with respect to the choice of $V$ (see Section 4).

Moreover, we show in Section 4 that reconstructing partial information about $f_V^{-1}(x)$ is almost as hard as inverting $f_V$.
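The function $f_V$ and the self-reduction $f_V(AM) = A\,f_V(M)$ just described, as an added example that is not part of the paper. It fixes $n = 2$, $q = 5$ and a constructed $V$ with $m = n + 3$ vectors, checks by exhaustion over $\mathrm{GL}_2(\mathbb{F}_5)$ that $f_V$ is one-to-one for this $V$, and then runs the worst-case-to-average-case reduction against a constructed "weak" inverter that only admits success on about a fifth of the matrices. The choice of $V$ and the names `f_V`, `partial_inverter` and `self_reduce` are assumptions of the example.

```python
# Added example (not from the paper): f_V over F_q, its unordered output, and the
# worst-case-to-average-case self-reduction f_V(AM) = A f_V(M) from the Introduction.
import itertools
import random

Q, N = 5, 2   # constructed: a tiny field and n = 2, so GL_2(F_5) (480 matrices) can be enumerated
# Constructed V with m = n + 3 vectors. One checks by hand (or with f_is_one_to_one below) that
# the only K in GL_2(F_5) with KV = V is the identity, so f_V is one-to-one on GL_2(F_5).
V = [(1, 0), (0, 1), (1, 1), (1, 2), (1, 3)]


def matvec(M, v):
    return tuple(sum(M[i][j] * v[j] for j in range(N)) % Q for i in range(N))


def matmul(A, B):
    return tuple(tuple(sum(A[i][k] * B[k][j] for k in range(N)) % Q for j in range(N))
                 for i in range(N))


def det(M):
    return (M[0][0] * M[1][1] - M[0][1] * M[1][0]) % Q


def inverse(M):
    (a, b), (c, d) = M
    di = pow(det(M), -1, Q)                      # modular inverse of the determinant
    return ((d * di % Q, -b * di % Q), (-c * di % Q, a * di % Q))


def gl2():
    """All of GL_2(F_5)."""
    for a, b, c, d in itertools.product(range(Q), repeat=4):
        M = ((a, b), (c, d))
        if det(M):
            yield M


def f_V(M, vectors=V):
    """f_V(M) = {Mv : v in V}, returned sorted so that the pairing v -> Mv is forgotten."""
    return tuple(sorted(matvec(M, v) for v in vectors))


def f_is_one_to_one():
    images = [f_V(M) for M in gl2()]
    return len(images) == len(set(images))


def partial_inverter(image):
    """Constructed 'weak' inverter standing in for an algorithm that inverts f_V on a
    1/poly(n) fraction of inputs: it finds the preimage by exhaustion but only admits
    success when that preimage has top-left entry 1 (100 of the 480 matrices)."""
    for K in gl2():
        if f_V(K) == image:
            return K if K[0][0] == 1 else None
    return None


def self_reduce(image, seed=1, max_tries=200):
    """Randomise the instance: A f_V(M) = f_V(AM) for a random A in GL_n, so a weak
    inverter that happens to work on AM yields M = A^{-1}(AM)."""
    rng = random.Random(seed)
    gl = list(gl2())
    for _ in range(max_tries):
        A = rng.choice(gl)
        shifted = tuple(sorted(matvec(A, w) for w in image))   # f_V(AM), computed without M
        AM = partial_inverter(shifted)
        if AM is not None:
            return matmul(inverse(A), AM)
    return None


if __name__ == "__main__":
    M = ((2, 3), (4, 4))                            # det = 8 - 12 = 1 (mod 5)
    print("one-to-one on GL_2(F_5):", f_is_one_to_one())
    print("weak inverter alone:", partial_inverter(f_V(M)))
    print("after self-reduction:", self_reduce(f_V(M)))
```

The weak inverter refuses the instance $f_V(M)$ for $M = \begin{pmatrix}2&3\\4&4\end{pmatrix}$, but since $AM$ is uniform in $\mathrm{GL}_2(\mathbb{F}_5)$ when $A$ is, a handful of random choices of $A$ suffice to land on an instance it accepts, and stripping $A$ recovers $M$ exactly. Nothing in `self_reduce` uses $M$; it sees only the unordered collection $MV$.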
More specifically, assuming that $f_V$ is a one-way function, we show in Section 4 that any entry of $M$ is hard to recover in any basis, though this requires a quasipolynomial hardness assumption on $f_V$. We observe, also, that $\operatorname{tr} M$, the trace of $M$, is hard to recover even under typical super-polynomial hardness assumptions. It remains an open question whether we can embed a trapdoor in $f_V$ or a suitable modification.

We should point out that there are some classical cryptosystems that are not known to be breakable by a quantum computer: lattice-based cryptosystems such as the Ajtai-Dwork [AD97] cryptosystem and their subsequent improvements due to Regev [Reg04a], and the McEliece cryptosystem [McE78]. Indeed, Regev's improvement in the efficiency of lattice-based cryptosystems is based on a quantum reduction; thus the increased efficiency is predicated on resistance of the cryptosystem to quantum attacks! Evidence of quantum intractability for this cryptosystem comes from the relationship between finding short vectors and the dihedral hidden subgroup problem [Reg04b]. In particular, even though single-register Fourier sampling is information-theoretically sufficient to reconstruct the hidden subgroup, the classical reconstruction problem is as hard as Subset Sum. On the other hand, quantum reconstruction is not ruled out, and Kuperberg's quantum sieve [K05] provides what may be thought of as a mildly subexponential quantum reconstruction algorithm. The evidence for quantum intractability for the one-way function proposed here is stronger: single-register Fourier sampling is provably insufficient, highly-entangled measurements on polynomially many registers are necessary, and no Kuperberg-like approach can yield an efficient algorithm. The design of efficient cryptographic primitives resistant to quantum attack is a pressing practical problem whose solution can have an enormous impact on the practice of cryptography long before a quantum computer is physically realized.
A program to create such primitives must necessarily rely on insights into the limits of quantum algorithms, and this paper explores consequences of the strongest such insights we have about the limits of quantum algorithms.

Notation. As above, we let $\mathbb{F} = \mathbb{F}_q$ denote the finite field with $q$ elements, $q$ a fixed prime. We let $\mathrm{GL}_n(\mathbb{F}_q)$ (abbreviated $\mathrm{GL}_n$ when the context is clear) denote the collection of invertible $n \times n$ matrices over $\mathbb{F}_q$. Similarly $\mathrm{End}_n = \mathrm{End}_n(\mathbb{F}_q)$ denotes the set of all $n \times n$ matrices. If $M \in \mathrm{End}_n$ and $V \subset \mathbb{F}_q^n$, we let $MV$ denote the collection $\{\, Mv \mid v \in V \,\}$.

2 The function is one-to-one

Our first theorem shows that when $m$ is slightly larger than $n$, then $f_V$ is a one-to-one function with high probability. We have made only desultory attempts to optimize the rate at which $\delta = m - n$ must grow for the theorem to hold.

Theorem 1. There is a constant $A$ such that if $m = n + \delta$ where $\delta \ge A \ln^2 n$, then $f_V$ is one-to-one with high probability in $V$.

Proof. If there are two matrices $M, M'$ such that $MV = M'V$, then $KV = V$ where $K = M^{-1}M'$. In other words, there is a permutation $\pi \in S_m$ such that $Kv_i = v_{\pi(i)}$ for all $i$. We will show that with high probability $K = \mathbf{1}$ is the only matrix with this property, and therefore that $M = M'$.

Let us call a particular permutation $\pi \in S_m$ consistent if there is a $K$ such that $Kv_i = v_{\pi(i)}$ for all $i$, and let $\mathrm{Cons}_\pi$ be this event. We will show that
$$\Pr\Big[\bigvee_{\pi \neq 1} \mathrm{Cons}_\pi\Big] = o(1),$$
i.e., with high probability the only consistent permutation is the identity $\pi = 1$.

Given a fixed $\pi$, we determine an order on $V$ as follows. First, we sort the cycles of $\pi$ in order of increasing length, starting with the fixed points. We break ties by assigning each cycle an index equal to the smallest $i$ such that $v_i$ appears in it and putting cycles with the smallest index first. Then, we rotate each cycle so that the $v_i$ with smallest $i$ in that cycle comes first. The details here are irrelevant; all that matters is that each $\pi$ determines an order on $V$ with the properties that the vectors corresponding to fixed points come first, and that groups of vectors corresponding to cycles of $\pi$ are contiguous.
Now fix a constant $C$, and let $L_\pi$ consist of the first $n + \delta - C\ln n$ vectors in $V$ according to this order. Let $\mathrm{Spans}_\pi$ be the event that $L_\pi$ spans the entire space $\mathbb{F}_q^n$. Then the union bound gives
$$\Pr\Big[\bigvee_{\pi \neq 1} \mathrm{Cons}_\pi\Big] \le \sum_{\pi \neq 1} \Pr[\mathrm{Cons}_\pi \mid \mathrm{Spans}_\pi] + \Pr\Big[\bigvee_{\pi} \overline{\mathrm{Spans}_\pi}\Big].$$
To bound the conditional probability $\Pr[\mathrm{Cons}_\pi \mid \mathrm{Spans}_\pi]$, note that if $L_\pi$ spans the entire space, then $K$ is determined by the images of the vectors in $L_\pi$. Therefore, if all the vectors in $L_\pi$ are fixed by $K$, then $K = \mathbf{1}$ and $\pi = 1$. On the other hand, we have sorted $V$ so that the fixed vectors come first, so if $\pi \neq 1$ none of the $C\ln n$ vectors outside $L_\pi$ can be fixed. We expose these vectors in sorted order. For each $v_i \notin L_\pi$ which is not the first in its cycle, the probability that $v_i$ is the image under $K$ of its predecessor $v_{\pi^{-1}(i)}$ is $q^{-n}$ since $v_i$ is uniformly random. These events are independent and each of these cycles is of length at least 2, so the probability that $Kv_i = v_{\pi(i)}$ for all $v_i \notin L_\pi$ is at most $q^{-(C/2)\, n \ln n}$. Summing over all $(n+\delta)!$ permutations $\pi$ and assuming for simplicity that $\delta \le n$ (a condition which we can easily remove), the conditional probability that any $\pi \neq 1$ is consistent is at most
$$(2n)!\; q^{-(C/2)\, n \ln n} = n^{O(1)} (2/e)^{2n}\, n^{(2 - (C/2)\ln q)\, n},$$
which is $o(1)$ if
$$C \ge 4/\ln q. \qquad (1)$$
Now we bound the probability that $\mathrm{Spans}_\pi$ fails to hold for any $\pi$ by proving that with high probability $V$ contains no subsets $L$ of size $n + \delta - C\ln n$ which do not span the entire space. By Markov's inequality, the probability that a given such $L$ does not span the space is at most the expected number of nonzero vectors $u$ which are perpendicular to all $v \in L$. Since the $v \in V$ are uniformly random, for any fixed $u$ the inner product $u \cdot v$ is zero with probability $1/q$. Thus this expectation is
$$\frac{q^n - 1}{q^{\,n + \delta - C\ln n}} < q^{-\delta + C\ln n} = n^{O(1)}\, n^{-(A \ln q)\ln n},$$
where we used $\delta = A\ln^2 n$. The number of subsets of size $n + \delta - C\ln n$ is
$$\binom{n+\delta}{C\ln n} < (2n)^{C\ln n} = n^{O(1)}\, n^{C\ln n},$$
where we again assume for simplicity that $\delta \le n$. So, by the union bound, the probability that a non-spanning subset of size $n + \delta - C\ln n$ exists is at most $n^{O(1)}\, n^{(C - A\ln q)\ln n}$, which is $o(1)$ if
$$A > C/\ln q. \qquad (2)$$
In order to satisfy (1) and (2), we set, say, $C = 4/\ln q$ and $A = 5/\ln^2 q$.
Then with high probability, the identity permutation $1$ is the only consistent one. Finally, note that $V$ spans the entire space with overwhelming probability; and in this case, if $Kv = v$ for all $v$ in $V$, then $K$ must be the identity.

3 Evidence for immunity against hidden subgroup attacks

In this section we relate the hardness of our function to several fundamental problems in the area of quantum computation. Our principal hardness result, suggesting that $f_V$ can resist the quantum attacks which Shor applied so dramatically to factoring and discrete log, shows that Graph Isomorphism can be reduced to the problem of inverting $f_V$. Our current belief, based on a series of negative results, is that Graph Isomorphism, and more generally the HSP on groups like $S_n$ and $\mathrm{GL}_n$ which have exponentially high-dimensional representations, is hard for quantum computers. If this belief is correct, then $f_V$ cannot be efficiently inverted by such methods. We observe, also, that inverting $f_V$ can be reduced to natural hidden shift and hidden subgroup problems on the group $\mathrm{GL}_n$.

We begin by reducing the problem of inverting $f_V$ to the Hidden Shift Problem on the group $\mathrm{GL}_n$. Given a group $G$, an instance of a Hidden Shift problem consists of two functions $f_1, f_2 : G \to S$, with the promise that $f_2(g) = f_1(gs)$ for some shift $s \in G$. Now, given $V$ and $f_V(M) = MV$, we can define two functions $f_1, f_2 : \mathrm{GL}_n \to S$, where $S$ is the set of unordered lists of vectors in $\mathbb{F}_q^n$. Namely, we define
$$f_1(N) = NV \quad\text{and}\quad f_2(N) = N f_V(M) = NMV.$$
Then $f_1(N) = f_V(N)$ and $f_2(N) = f_V(NM) = f_1(NM)$, and $M$ is the hidden shift.

Now, given a Hidden Shift Problem on a group $G$ where the functions $f_1, f_2$ are one-to-one, we can reduce it to a Hidden Subgroup Problem on a larger group, namely the wreath product $G \wr \mathbb{Z}_2$. This group is the semidirect product $(G \times G) \rtimes \mathbb{Z}_2$, where we extend $G \times G$ with an involution which exchanges the two copies of $G$. We denote its elements $(g_1, g_2, z)$, where those with $z = 0$ form the normal subgroup which fixes the two copies of $G$, and those with $z = 1$ form its nontrivial coset which exchanges them.
Recall that an instance of the Hidden Subgroup Problem consists of a function $f : G \to S$ with the promise that, for some subgroup $H$, $f(x) = f(y)$ if and only if $x = yh$ for some $h \in H$. Given a Hidden Shift Problem with functions $f_1, f_2 : G \to S$, define the following function $f : G \wr \mathbb{Z}_2 \to S^2$:
$$f(g_1, g_2, 0) = (f_1(g_1), f_2(g_2)), \qquad f(g_1, g_2, 1) = (f_2(g_2), f_1(g_1)).$$
Now suppose that $f_2(g) = f_1(gs)$ and let $\alpha$ be the involution $(s^{-1}, s, 1)$. If multiplication in $G \wr \mathbb{Z}_2$ is defined so that $(g_1, g_2, 0) \cdot \alpha = (g_2 s, g_1 s^{-1}, 1)$, then $f$'s hidden subgroup is the order-2 subgroup $H = \{1, \alpha\}$. (Indeed, the canonical reduction of Graph Isomorphism to the Hidden Subgroup Problem over $S_n \wr \mathbb{Z}_2$ is exactly of this type, where $\alpha = (\pi^{-1}, \pi, 1)$ exchanges the two graphs and $\pi$ is the isomorphism between them.) Finally, we point out that $\mathrm{GL}_{2n}$ contains a copy of $\mathrm{GL}_n \wr \mathbb{Z}_2$: namely, the subgroup consisting of matrices of the form
$$\begin{pmatrix} g_1 & 0 \\ 0 & g_2 \end{pmatrix} \quad\text{or}\quad \begin{pmatrix} 0 & g_1 \\ g_2 & 0 \end{pmatrix},$$
where $g_1, g_2 \in \mathrm{GL}_n$. Thus the problem of inverting $f_V$ reduces to the Hidden Shift and Hidden Subgroup Problems in $\mathrm{GL}_n$ and $\mathrm{GL}_{2n}$ respectively.

Now, we give a reduction from Graph Isomorphism to the problem of inverting $f_V$. Specifically, we reduce the decision problem of telling whether two graphs $G_1, G_2$ are isomorphic to the decision problem of telling, given $V$ and $W$, whether there is a matrix $M$ such that $MV = W$, and hence whether $W$ is in the image of $f_V$. The same construction reduces the promise problem of finding the isomorphism between two isomorphic graphs to the problem of finding $M = f_V^{-1}(W)$.

The reduction is quite simple. Given a graph $G_1$ with $n$ vertices and $m$ edges, $V$ will consist of $n+m$ vectors in $\mathbb{F}_q^n$. We identify each vertex $u$ with a basis vector $u$, which we include in $V$, and for each edge $(u, v)$ we include the vector $u + v$. We construct $W$ from $G_2$ similarly.

Clearly $G_1 \cong G_2$ if and only if $MV = W$ for some permutation matrix $M$. First we show that, if $q \ge 3$, any $M$ such that $MV = W$ is necessarily a permutation matrix.
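The construction of $V$ and $W$ from two graphs, as an added example that is not the paper's code, over $\mathbb{F}_3$: it builds the vectors, finds an isomorphism for tiny graphs by brute force over permutation matrices, and checks the claim that for $q \ge 3$ every matrix $M$ with $MV = W$, searched over all $q^{n^2}$ matrices rather than only $\mathrm{GL}_n$, is a permutation matrix. The graphs and the function names are constructed for the example.

```python
# Added example (not from the paper): the Graph Isomorphism reduction of Section 3 on tiny graphs.
import itertools

Q = 3   # constructed: a prime q >= 3, so every M with MV = W has to be a permutation matrix


def graph_vectors(n, edges):
    """V for a graph: the basis vector e_u for every vertex u, plus e_u + e_v for every edge (u, v)."""
    def e(u):
        return tuple(int(i == u) for i in range(n))
    vecs = [e(u) for u in range(n)]
    vecs += [tuple((a + b) % Q for a, b in zip(e(u), e(v))) for u, v in edges]
    return sorted(vecs)


def apply_matrix(M, vecs):
    """MV as an unordered collection: the sorted multiset of the images Mv over F_q."""
    n = len(M)
    return sorted(tuple(sum(M[i][j] * x[j] for j in range(n)) % Q for i in range(n)) for x in vecs)


def perm_matrix(pi):
    """Permutation matrix with M e_u = e_{pi[u]} (column u has its single 1 in row pi[u])."""
    n = len(pi)
    return [[int(pi[j] == i) for j in range(n)] for i in range(n)]


def is_perm_matrix(M):
    n = len(M)
    cols = [[M[i][j] for i in range(n)] for j in range(n)]
    return all(sorted(line) == [0] * (n - 1) + [1] for line in list(M) + cols)


def find_isomorphism(n, edges1, edges2):
    """Search version for tiny n: a permutation pi with M_pi V = W, by brute force over S_n."""
    V, W = graph_vectors(n, edges1), graph_vectors(n, edges2)
    for pi in itertools.permutations(range(n)):
        if apply_matrix(perm_matrix(pi), V) == W:
            return pi
    return None


def all_solutions(n, edges1, edges2):
    """Every n x n matrix over F_q (singular ones included) with MV = W.
    Tries all q^(n^2) matrices, so keep n <= 3."""
    V, W = graph_vectors(n, edges1), graph_vectors(n, edges2)
    found = []
    for entries in itertools.product(range(Q), repeat=n * n):
        M = [list(entries[i * n:(i + 1) * n]) for i in range(n)]
        if apply_matrix(M, V) == W:
            found.append(M)
    return found


# Constructed graphs: two 3-vertex paths (isomorphic), and the 4-vertex path versus the
# 3-star (same number of edges, not isomorphic).
PATH_A, PATH_B = [(0, 1), (1, 2)], [(0, 1), (0, 2)]
P4, STAR = [(0, 1), (1, 2), (2, 3)], [(0, 1), (0, 2), (0, 3)]

if __name__ == "__main__":
    print("paths:", find_isomorphism(3, PATH_A, PATH_B))
    print("P4 vs star:", find_isomorphism(4, P4, STAR))
    sols = all_solutions(3, PATH_A, PATH_B)
    print(len(sols), "matrices with MV = W; all permutation matrices:", all(map(is_perm_matrix, sols)))
```

For the two 3-vertex paths the exhaustive search over all $3^9$ matrices finds exactly the two permutation matrices corresponding to the two isomorphisms, and nothing else, as the $q \ge 3$ argument predicts; the $q = 2$ case, where non-permutation solutions can exist, is handled separately in the text.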
To see that any such $M$ is a permutation matrix when $q \ge 3$, note that since each vertex of $G_1$ gets mapped to a vertex or an edge of $G_2$, each column of $M$ is zero except for one or two 1s. But in $\mathbb{F}_q^n$ with $q \ge 3$, the sum of two such vectors has at least two nonzero components, so no edge of $G_1$ can be mapped to a vertex of $G_2$. It follows that every vertex of $G_1$ is mapped to a vertex of $G_2$, so $M$ is a permutation matrix.

In the case $q = 2$, it is possible that $M$ is not a permutation matrix, and that some vertices get mapped to edges and vice versa. However, $M$'s existence still implies that $G_1$ and $G_2$ are isomorphic, and allows us to easily determine the isomorphism $\pi$ between them. Let us call a vertex of $G_1$ "green" or "red" if it is mapped to a vertex or an edge, respectively, and consider a vertex $w$ of $G_2$. Since $M^{-1}w$ is either a vertex or an edge, either there is a green vertex $u$ such that $Mu = w$, or there is a red vertex $u$ with a unique green neighbor $v$ such that $Mu = w + Mv$ and so $M(u + v) = w$. In either case, define $\pi(u) = w$; since $\pi$ is one-to-one, it follows that every red vertex has a unique green neighbor.

It remains to check that $\pi$ is an isomorphism. Denote the sets of edges of $G_1$ and $G_2$ as $E_1$ and $E_2$ respectively, and suppose that $(u, v) \in E_1$. If $u$ and $v$ are green, then $M(u + v) = \pi(u) + \pi(v)$. If $u$ is red and $v$ is its unique green neighbor, then $Mu = \pi(u) + \pi(v)$. Finally, if $u$ and $v$ are both red, they must have the same green neighbor $t$ since otherwise $M(u + v)$ would be the sum of four basis vectors; then $M(u + v) = \pi(u) + \pi(v) + 2\pi(t) = \pi(u) + \pi(v)$. In each case, since $\pi(u) + \pi(v) \in W$ we have $(\pi(u), \pi(v)) \in E_2$, and this completes the proof.

4 Uniformity of hardness, amplification, and hard-core predicates

Self-reducibility and uniform hardness. As we pointed out in the Introduction, our function has a simple symmetry which causes it to be self-reducible from the worst case to the random case: for any fixed $V$, we have $f_V(AM) = A\, f_V(M)$. It follows by standard amplification that, for any fixed $V$, if $f_V$ can be inverted on even a $1/\mathrm{poly}(n)$ fraction of matrices $M$ then it can be inverted with probability $1 - e^{-\mathrm{poly}(n)}$ on any particular $M$.

We can define uniform hardness with respect to $V$ using another obvious symmetry,
$$f_{BV}(M) = f_V(MB).$$
Let us say that $V \sim V'$ if there is a $B \in \mathrm{GL}_n$ such that $V' = BV$.
This is clearly an equivalence relation; we will call the equivalence class containing $V$ its orbit, and denote it $[V]$. Then a similar argument shows that inverting $f_V$ is uniformly hard within each orbit: namely, if $f_V$ can be inverted on even a $1/\mathrm{poly}(n)$ fraction of matrices $M$ and vectors $V' \in [V]$ then it can be inverted with probability $1 - e^{-\mathrm{poly}(n)}$ on any particular $M$ and $V' \in [V]$.

A priori, even if it is hard to invert $f_V$, one might hope to recover partial information about $M$ from its image $f_V(M)$, such as its trace or a single entry in some basis. In this section, we show that this is essentially as hard as recovering all of $M$. Therefore, under reasonable hardness assumptions regarding $f_V$, these goals are also impossible for quantum computers to carry out efficiently.

Hard-core predicates. A hard-core predicate is an efficient description of a bit of information that is concealed by a given one-way function. Specifically, if $\{f_n : D_n \to R_n\}$ is a family of one-way functions, then an $s(n)$-hard-core predicate is a polynomial time computable family of functions $\{b_n : D_n \to \{0, 1\}\}$ so that for any algorithm $A$ running in time $s(n)$, for sufficiently large $n$,
$$\Big|\Pr_{f_n,\, w}\big[A(f_n(w)) = b_n(w)\big] - \frac{1}{2}\Big| \le \frac{1}{s(n)}.$$
Our goal here is to show that every individual entry of $M$ is a hard-core bit in any basis; in particular, recovering any entry of $M$ is as hard as inverting $f_V$. We also point out that recovering the trace of $M$ is as hard as inverting $f_V$.

We begin by formalizing the notions of hardness we require for the function $f_V$.

Assumption 1 ($t(n)$-hardness). For each $n \ge 1$, let $m = m(n) = (1 + \epsilon)n$ for some constant $\epsilon > 0$, let $M$ be a uniformly random element of $\mathrm{GL}_n(\mathbb{F})$, and let $V$ be a collection of $m$ independently and uniformly selected elements of $\mathbb{F}^n$. Then for all quantum algorithms $A$ running in time $t(n)$,
$$\Pr_{V, M}\big[A(M(V), V) = M\big] \le \frac{1}{t(n)}.$$

We devote the remainder of this section to showing the following two theorems.

Theorem 2. If $f_V$ is quasipolynomially hard (that is, $t(n)$-hard for every $t(n) = 2^{\log^{O(1)} n}$) then every entry of $M$ (in any basis) is a quasipolynomially hard-core predicate.

Theorem 3.
If $f_V$ is polynomially hard (that is, $t(n)$-hard for every $t(n) = n^{O(1)}$) then the trace $\operatorname{tr} : \mathrm{GL}_n(\mathbb{F}) \to \mathbb{F}$ is a polynomially hard-core predicate.

4.1 The bilinear predicate: every matrix entry is hard

Given two basis vectors $a$ and $b$, the corresponding matrix element can be written as an inner product $\langle a, Mb \rangle$. We will show that if $f_V$ is quasipolynomially hard, then this function is a hard-core predicate for $f_V$ for any fixed nonzero $a, b \in \mathbb{F}^n$. Specifically, given an algorithm $P$ running in time $2^{\log^{O(1)} n}$ for which
$$\Pr_{V, M}\big[P(f_V(M), V) = \langle a, Mb \rangle\big] \ge 1/2 + \epsilon \quad\text{with}\quad \epsilon = 2^{-\log^{O(1)} n},$$
we show how to invert $f_V$ on a $2^{-\log^{O(1)} n}$ fraction of its inputs $M$, which would contradict the assumption that $f_V$ is quasipolynomially hard.

To simplify the exposition, we will fix $q$ to be 2 in this section, and write $\mathbb{F} = \mathbb{F}_2$. We rely on the Goldreich-Levin theorem [GL89]; for larger prime $q$, we rely on its generalization to arbitrary finite fields by Goldreich, Rubinfeld, and Sudan [GRS95].

Initially, we wish to focus attention on certain "good" choices of $V$, where the algorithm $P$ is a good predictor for $\langle a, Mb \rangle$. Recall that $[V]$ denotes the orbit of $V$ under multiplication by elements of $\mathrm{GL}_n$. Define an element $V$ to be "good" if
$$\Pr_{V' \in [V],\, M}\big[P(f_{V'}(M), V') = \langle a, Mb \rangle\big] \ge \frac{1}{2} + \frac{\epsilon}{2}. \qquad (3)$$
It is easy to show that at least an $\epsilon/2$ fraction of $V$ must be good in this sense; we fix a specific such $V$ for the remainder of the proof, and show how to invert the function $f_V$ in this case.

We first show how to use $P$ to implement an algorithm for any fixed $M$, which takes as input $x, y \in \mathbb{F}^n$ (and $(f_V(M), V)$) and outputs $\langle x, My \rangle$ correctly on a $1/2 + \epsilon/2$ fraction of $x, y$. First note that for two matrices $A, B \in \mathrm{GL}_n$, the pair $(f_{BV}(AMB^{-1}), BV) = (AMV, BV)$ can be computed efficiently from $(f_V(M), V) = (MV, V)$ by left-multiplying $MV$ and $V$ by $A$ and $B$ respectively. Defining $T(A, B) = P(f_{BV}(AMB^{-1}), BV)$, we may then rewrite (3) in terms of $T(\cdot, \cdot)$:
$$\Pr_{A, B \in \mathrm{GL}_n(\mathbb{F})}\big[T(A, B) = \langle a, AMB^{-1}b \rangle\big] \ge \frac{1}{2} + \frac{\epsilon}{2}. \qquad (4)$$
Finally, for a pair of vectors $x, y \in \mathbb{F}^n$, define $t(x, y) = T(A, B)$, where $A$ and $B$ are random elements of $\mathrm{GL}_n(\mathbb{F})$ for which $A^{t} a = x$ and $B^{-1} b = y$, so that $\langle a, AMB^{-1}b \rangle = \langle x, My \rangle$.
Rewriting (4), we conclude:
$$\Pr_{x, y \in \mathbb{F}^n}\big[t(x, y) = \langle x, My \rangle\big] \ge \frac{1}{2} + \frac{\epsilon}{2}. \qquad (5)$$
Let us call a vector $x \in \mathbb{F}^n$ $\ell$-good if $\Pr_{y \in \mathbb{F}^n}[t(x, y) = \langle x, My \rangle] \ge 1/2 + \epsilon/4$. It follows that a uniformly selected $x$ is $\ell$-good with probability at least $\epsilon/4$. Note, furthermore, that if $x$ is a fixed $\ell$-good element of $\mathbb{F}^n$, then the Goldreich-Levin construction [GL89] can be used to determine $\langle x, My \rangle$ for all $y \in \mathbb{F}^n$ (in time polynomial in $n$ and $\epsilon^{-1}$). In particular, this determines an entire row of $M$ when expressed in a basis containing $x$.

We consider now a family $G$, consisting of $2\log m$ vectors selected independently and uniformly in $\mathbb{F}^n$. We say that $G$ is $\ell$-good if this is true of each of its elements, a favorable event that occurs with probability at least $(\epsilon/4)^{2\log m}$. Furthermore, the probability that $G$ contains a linearly dependent set of vectors is no more than $2\log(m) \cdot 2^{-n + 2\log m} = 2^{-\Omega(n)}$. (This can be seen by selecting the elements of $G$ in order and bounding the unlikely event that an element falls into the span of the previously chosen vectors.) Thus
$$\Pr[G \text{ is } \ell\text{-good} \wedge G \text{ is independent}] \ge (\epsilon/4)^{2\log m} - e^{-\Omega(n)}.$$
Now, for each $g \in G$, application of the Goldreich-Levin construction to each component of $g$ (reconstructing $\langle g, My \rangle$ for all $y$) determines $\langle g, Mv \rangle$ for each $v \in V$ and $g \in G$. Therefore, in this case we can reconstruct $2\log m$ "generalized rows" of $M$.

Observe that if the elements of $V$ (and hence $W = M(V)$) are considered to be selected independently and uniformly at random, and independently of $G$, then the probability that two elements $w$ and $w'$ of $W$ have the property that $\langle g, w \rangle = \langle g, w' \rangle$ for all $g \in G$ is $2^{-2\log m}$. Let $\Pi_G : \mathbb{F}^n \to \mathbb{F}^{2\log m}$ denote the projection onto the space spanned by the vectors in $G$. In particular, this information would appear to determine the bijection $b_M : V \to W$ effected by the action of $M$ on $V$. This intuitive argument is misleading, as written, since the notion of $\ell$-good depends on $V$ (and so on $W$) via the arbitrary predicting algorithm $P$. Instead, our goal below will be to show that the total number of permutations of the set $W$ under which $\Pi_G$ is invariant is small enough that we can exhaustively search them to uncover the bijection $b_M$ and hence the linear operator $M$.
Consider random (and independent) selection of $G$, $V$, and $M$ (so that $W = M(V)$ is also determined) with no extra conditioning except that $G$ be linearly independent. Let $I_G$ denote the collection of permutations $\phi : W \to W$ with the property that $\Pi_G w = \Pi_G \phi(w)$ for all $w \in W$. We will show below that $\mathbb{E}_{V, M, G}[|I_G|] = O(\sqrt{m})$. Then Markov's inequality will allow us to bound the probability that $|I_G|$ exceeds $\epsilon^{-O(\log n)}$. To round out the proof we will show that the chance that $V$ is good and that $G$ is $\ell$-good is much higher than this failure probability, thereby concluding that there is a significant chance that $V$ is good, $G$ is $\ell$-good and that $|I_G| = \epsilon^{-O(\log n)}$.

As the elements of $W$ are selected independently (and uniformly) in $\mathbb{F}^n$, each $\Pi_G w$ is an independent, uniform element of $\mathbb{F}^{|G|}$. Fixing a permutation $\phi$, let $\lambda_1, \lambda_2, \ldots$ be the lengths of its cycles, arranged in nonincreasing order. The probability that the elements of $W$ in each of these cycles are mapped to the same element under $\Pi_G$ is no more than $\prod_i (2^{-|G|})^{\lambda_i - 1} = (m^{-2})^{\tau(\phi)}$, where $\tau(\phi) = \sum_i (\lambda_i - 1)$ is also the minimum number of transpositions required to write $\phi$.

This quantity is bounded by the lemma below. Its proof uses the machinery of exponential generating functions, and is relegated to Appendix A.

Lemma 4. Let $0 < z < 1/k$; then
$$q_k(z) = \sum_{\pi \in S_k} z^{\tau(\pi)} = \frac{e^{-k}}{(1 - zk)^{1/z}}\; O(\sqrt{k}). \qquad (6)$$

In light of this bound, the expectation of $|I_G|$, the number of $\phi$ under which $\Pi_G$ is invariant, is no more than
$$\sum_{\phi \in S_m} \Big(\frac{1}{m^2}\Big)^{\tau(\phi)} = \frac{e^{-m}}{(1 - 1/m)^{m^2}}\; O(\sqrt{m}).$$
As $-\ln(1 - x) = x + x^2/2 + x^3/3 + \cdots$, we have
$$e^{-m} \cdot (1 - 1/m)^{-m^2} = \exp\big(-m + m^2[\,1/m + (1/m)^2/2 + O(1/m^3)\,]\big) = O(1).$$
Thus $\mathbb{E}[|I_G|] = O(\sqrt{m})$.

Putting the pieces together, with $M$, $V$, and $G$ selected as above,
$$\Pr_{V, M, G}\big[(V \text{ is good}) \wedge (G \text{ is both } \ell\text{-good and linearly independent})\big] \ge \frac{\epsilon}{2} \cdot \Big(\frac{\epsilon}{4}\Big)^{2\log m} \ge \Big(\frac{\epsilon}{4}\Big)^{1 + 2\log m}.$$
As $\mathbb{E}_{V, M, G}[|I_G|] = O(\sqrt{m})$, by Markov's inequality there is a constant $c$ so that
$$\Pr_{V, M, G}\big[\,|I_G| \ge c\sqrt{m}\,(4/\epsilon)^{2\log m}\big] \le \frac{1}{2} \cdot \Big(\frac{\epsilon}{4}\Big)^{1 + 2\log m}.$$
Thus, with probability at least $(1/2)(\epsilon/4)^{1 + 2\log m}$, $V$ is good, $G$ is $\ell$-good, and there are $(4/\epsilon)^{O(\log n)}$ permutations of $W$ that fix $\Pi_G$.
These permutations determine a set of no more than $(4/\epsilon)^{O(\log n)}$ mappings between $V$ and $W$ consistent with $M$; these can be exhaustively searched in time $\mathrm{poly}(n) \cdot (4/\epsilon)^{O(\log n)}$, which is quasipolynomial when $\epsilon^{-1}$ is.

We conclude this section with a proof that, even if $\epsilon^{-1}$ is only polynomial in $n$, hardness with respect to quasipolynomial time is the most we can hope for in the case of the bilinear predicate (in the absence of further information about the preimage). First, choose a subspace $S$ of $\mathbb{F}^n$ with dimension $\dim S = \log_2 n$. Now consider an oracle $P(a, b)$ defined as follows. If either $a$ or $b$ is orthogonal to $S$, then $P(a, b) = \langle a, Mb \rangle$, but if neither of them is orthogonal to $S$, then $P(a, b)$ is uniform in $\mathbb{F}$. Since a uniform vector in $\mathbb{F}^n$ is orthogonal to $S$ with probability $1/n$, it follows that $P(a, b)$ is correct with probability $1/2 + \epsilon$ where $\epsilon = \Omega(1/n)$.

Now choose a basis for $\mathbb{F}^n$, and let $S$ be the subspace generated by the first $\dim S$ basis vectors. It is clear that this oracle gives us no information whatever regarding the matrix elements in the $\dim S \times \dim S$ minor at the upper left-hand corner of $M$. Therefore, we are forced to try all possible values for the elements of this minor by exhaustive search, and this takes $2^{(\dim S)^2} = 2^{\log^2 n}$ time.

4.2 The trace predicate

The proof that the trace predicate is hard is a direct consequence of the Goldreich-Levin theorem [GL89] and its generalization to arbitrary finite fields by Goldreich, Rubinfeld, and Sudan [GRS95]. Specifically, consider the trace $\operatorname{tr} : \mathrm{GL}_n(\mathbb{F}) \to \mathbb{F}$. Suppose now that there is a polynomial-time quantum algorithm $P$ so that for $M$ selected uniformly at random in $\mathrm{GL}_n$ and $V$ a collection of $m$ independent and uniform vectors of $\mathbb{F}^n$,
$$\Pr_{V, M}\big[P(f_V(M), V) = \operatorname{tr}(M)\big] \ge \frac{1}{2} + \epsilon,$$
where $\epsilon = n^{-O(1)}$. It follows that for at least an $\epsilon/2$ fraction of the $V$, when selected as above, we have
$$\Pr_{M}\big[P(f_V(M), V) = \operatorname{tr}(M)\big] \ge \frac{1}{2} + \frac{\epsilon}{2}.$$
We show how to invert $f_V$ for such "good" $V$; as these occur with probability $\epsilon/2$, this would contradict the assumption that $f_V$ is polynomially hard. For the remainder of the proof we fix a specific $V$ satisfying the equation above.
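The trace-predicate reduction of this subsection, as an added example that is not the paper's code: for $q = 2$ and $n = 3$ it simulates a predictor $P$ that is correct for every invertible $C$, extends it to singular $C$ with fixed random bits (the extension $\tilde T$ used in the proof), and recovers $M$ with the Goldreich-Levin list-decoding procedure, keeping the candidate that agrees best with the extended oracle. The bit packing of matrices, the secret $M$, and the function names are assumptions of the example, and the final filtering of candidates by exhaustive agreement is affordable only because $n$ is tiny.

```python
# Added example (not from the paper): the trace-predicate argument of Section 4.2 for q = 2, n = 3.
# A simulated predictor for tr(CM) is extended to all C and M is recovered with Goldreich-Levin.
import random

N = 3                      # constructed: n = 3; a matrix is a 9-bit int with bit i*N + j = entry (i, j)
NB = N * N
ROW = (1 << N) - 1


def parity(x):
    return bin(x).count("1") & 1


def transpose(C):
    return sum(((C >> (i * N + j)) & 1) << (j * N + i) for i in range(N) for j in range(N))


def trace_product(C, M):
    """tr(CM) over F_2 = sum_{i,k} C[i][k] M[k][i] = <vec(C), vec(M^T)>, a linear function of M."""
    return parity(C & transpose(M))


def invertible(C):
    pivots = {}                                # Gaussian elimination over F_2 on row bitmasks
    for i in range(N):
        r = (C >> (i * N)) & ROW
        while r:
            p = r.bit_length() - 1
            if p in pivots:
                r ^= pivots[p]
            else:
                pivots[p] = r
                break
        else:
            return False                       # the row reduced to zero: C is singular
    return True


def make_predictor(M, seed):
    """The predictor P of the proof, simulated: correct on every C in GL_n(F_2). Outside GL_n it
    is extended (the oracle T~) with fixed random bits, so its agreement with tr(CM) over all C
    is (1 + alpha_2(n))/2, i.e. 1/2 + epsilon for a constant epsilon."""
    rng, T, memo = random.Random(seed), transpose(M), {}

    def P(C):
        if invertible(C):
            return parity(C & T)
        if C not in memo:
            memo[C] = rng.getrandbits(1)
        return memo[C]
    return P


def goldreich_levin(oracle, nbits, k, rng):
    """Goldreich-Levin list decoding: 2^k candidates for the h with oracle(x) = <x, h> on a
    1/2 + eps fraction of x. For each guess of the k bits <r_i, h>, every x_S xor e_j votes for h_j."""
    r = [rng.getrandbits(nbits) for _ in range(k)]
    subsets = range(1, 1 << k)
    xs = [0] * (1 << k)
    for S in subsets:                          # x_S = xor of r_i over i in S
        low = S & -S
        xs[S] = xs[S ^ low] ^ r[low.bit_length() - 1]
    votes = [[oracle(xs[S] ^ (1 << j)) for S in subsets] for j in range(nbits)]  # all 2^k * nbits queries
    cands = []
    for guess in range(1 << k):
        par = [parity(guess & S) for S in subsets]          # guessed value of <x_S, h>
        h = 0
        for j in range(nbits):
            ones = sum(v ^ p for v, p in zip(votes[j], par))  # each term is a vote for h_j
            if 2 * ones > len(par):
                h |= 1 << j
        cands.append(h)
    return cands


def recover_matrix(P, seed, k=9):
    """Run Goldreich-Levin against the extended predictor and keep the candidate agreeing best with it."""
    table = [P(C) for C in range(1 << NB)]               # P is cheap to tabulate when n = 3

    def agreement(h):
        return sum(table[C] == parity(C & h) for C in range(1 << NB)) / (1 << NB)
    best = max(set(goldreich_levin(P, NB, k, random.Random(seed))), key=agreement)
    return transpose(best), agreement(best)              # h approximates vec(M^T)


# Constructed secret M = [[1,1,0],[0,1,1],[0,0,1]], invertible over F_2.
M_TRUE = 0b011 | (0b110 << 3) | (0b100 << 6)

if __name__ == "__main__":
    P = make_predictor(M_TRUE, seed=7)
    M_rec, agr = recover_matrix(P, seed=11)
    print("recovered M:", M_rec == M_TRUE, "agreement of the winner with P:", round(agr, 3))
```

The oracle is queried only $2^k \cdot n^2$ times, independently of the $2^k$ guesses, which is the usual way to implement the construction; the candidate list always contains $\operatorname{vec}(M^T)$ with overwhelming probability, and for $n = 3$ the best-agreement filter singles it out because the extended oracle agrees with the true $M$ on roughly $(1 + \alpha_2(3))/2 \approx 0.66$ of all $C$ while every wrong candidate agrees on only about half.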
Again note that for any matrix $N \in \mathrm{GL}_n$, the collection $f_V(NM) = NMV$ can be computed in polynomial time from $f_V(M)$, simply by left-multiplying the collection $f_V(M) = MV$ by $N$. In particular, given $f_V(M)$, the function $T : \mathrm{GL}_n(\mathbb{F}) \to \mathbb{F}$ given by $T(N) = P(f_V(NM), V)$ can be computed in polynomial time and has the property that
$$\Pr_{N}\big[T(N) = \operatorname{tr}(NM)\big] \ge \frac{1}{2} + \epsilon. \qquad (7)$$
Now, for a fixed matrix $C$, the function $\ell_C : M \mapsto \operatorname{tr}(CM)$ is a linear function and, moreover, all linear combinations of the entries of $M$ can be written in this way. In light of this, note that if the guarantee (7) could be arranged with the matrix $C$ being selected uniformly at random from the collection of all matrices (rather than the invertible ones), we could immediately apply the Goldreich-Levin [GL89] construction at this point to recover $M$. This "oracle" $T$ can, however, be extended to an oracle $\tilde{T}$ defined on the family of all matrices $C$ by simply assigning random values to the singular matrices $C \notin \mathrm{GL}_n$, in which case with constant probability (over the selection of random values for this oracle),
$$\Pr_{N}\big[\tilde{T}(N) = \operatorname{tr}(NM)\big] \ge \frac{1}{2} + \alpha_q(n)\, \epsilon, \qquad (8)$$
where
$$\alpha_q(n) = \prod_{i=0}^{n-1} \Big(1 - \frac{1}{q^{\,n-i}}\Big) \ge \prod_{i=1}^{\infty} \Big(1 - \frac{1}{2^i}\Big) \approx 0.2888$$
is the probability that a random $n \times n$ matrix over $\mathbb{F}_q$ is invertible. In this case, when $q = 2$ the Goldreich-Levin theorem can be applied directly:

Theorem 5 ([GL89]). Let $g : \mathbb{F}_2^n \to \mathbb{F}_2$ be a function so that for some $h \in \mathbb{F}_2^n$, $\Pr_{x \in \mathbb{F}_2^n}[g(x) = \langle x, h \rangle] \ge \frac{1}{2} + \epsilon$, and let $c \ge 0$. Then there is a randomized algorithm running in time $\mathrm{poly}(n, \epsilon^{-1})$ (and making no more than $\mathrm{poly}(n, \epsilon^{-1})$ black-box queries to $g$) that determines $h$ with probability $1 - 1/n^c$.

When $q > 2$, one has to apply the generalization of [GL89] to arbitrary finite fields by Goldreich, Rubinfeld, and Sudan [GRS95].

References

[AD97] Miklós Ajtai and Cynthia Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In Proceedings of the 29th Annual ACM Symposium on the Theory of Computing, pages 284–293, New York, NY, USA, 1997. ACM Press.
[BBBV97] Charles Bennett, Ethan Bernstein, Gilles Brassard, and Umesh Vazirani. Strengths and weaknesses of quantum computation. SIAM Journal on Computing, 26(5):1510–1523, October 1997.

[GL89] O. Goldreich and L. A. Levin. A hard-core predicate for all one-way functions. In Proceedings of the 21st Annual ACM Symposium on Theory of Computing, Seattle, Washington, May 15–17, 1989, pages 25–32, New York, NY, USA, 1989. ACM Press.

[GRS95] O. Goldreich, R. Rubinfeld, and M. Sudan. Learning polynomials with queries: the highly noisy case. In Proceedings of the 36th Annual Symposium on Foundations of Computer Science, pages 294–303, Milwaukee, WI, October 1995.

[GSVV01] Michelangelo Grigni, Leonard Schulman, Monica Vazirani, and Umesh Vazirani. Quantum mechanical algorithms for the nonabelian hidden subgroup problem. In Proceedings of the 33rd Annual ACM Symposium on Theory of Computing, pages 68–74, New York, NY, USA, 2001. ACM Press.

[HMR+06] Sean Hallgren, Cristopher Moore, Martin Rötteler, Alexander Russell, and Pranab Sen. Limitations of quantum coset states for graph isomorphism. In Proceedings of the 38th Annual ACM Symposium on Theory of Computing, pages 604–617, New York, NY, USA, 2006. ACM Press.

[HRTS00] Sean Hallgren, Alexander Russell, and Amnon Ta-Shma. Normal subgroup reconstruction and quantum computation using group representations. In Proceedings of the 32nd Annual ACM Symposium on Theory of Computing, pages 627–635, New York, NY, USA, 2000. ACM Press.
