Generic case complexity and One-Way functions
Authors: Alex D. Myasnikov
Abstract

The goal of this paper is to introduce ideas and methodology of generic case complexity to the cryptography community. This relatively new approach allows one to analyze the behavior of an algorithm on "most" inputs in a simple and intuitive fashion, which has some practical advantages over classical methods based on averaging. We present an alternative definition of one-way function using the concepts of generic case complexity and show its equivalence to the standard definition. In addition we demonstrate the convenience of the new approach by giving a short proof that extending adversaries to a larger class of partial algorithms with errors does not change the strength of the security assumption.

1 Introduction

Generic case complexity originated about a decade ago in combinatorial group theory [10, 2]. This area has long computational traditions, with many fundamental problems being algorithmic in nature. It has been shown that most computational problems in infinite group theory are recursively undecidable. However, it was also observed that decision algorithms, sometimes very naive ones, exist for many inputs even if a problem is undecidable in general. Generic complexity was suggested as a way of analyzing the behavior of undecidable problems. The main question was to describe the complexity of a problem on a generic input, or on a set which contains most of the inputs. The idea was to separate the sets of inputs where algorithms work from the "bad" ones. It turned out that quite often the sets of inputs on which algorithms fail to provide an answer are small. In computer science, around the 1980s, the same kind of arguments preceded the development of average case complexity. More recently, heuristic classes of algorithms were introduced [1].
Advocates of the generic complexity approach argue (see the discussions in [5]) that it is simpler, more intuitive and more general than average case complexity. The connection between the two areas has been studied, and it is known that there are problems which are hard on average but generically easy. It turns out, however, that if an algorithm is easy on average it is also easy generically. The relation between generic complexity and heuristic complexity is less explored. It was shown [5] that the class of generic algorithms and the class of errorless heuristic algorithms are equivalent. Generic complexity seems to have some advantage, as the area has progressed significantly in recent years. For example, the completeness theory for generic complexity has been developed.

Here we list some results in generic complexity. As we mentioned above, the foundations were built in group theory. In particular it has been shown that the famous word and conjugacy problems in finitely presented groups can be decided in linear time on a generic set of inputs, although these problems are undecidable in general [10].

In the scope of the classical complexity results, the most important is the existence of polynomial reductions for generic complexity. Using these reductions it has been shown that there exist generically NP-complete problems; for example, bounded versions of the halting and Post correspondence problems are generically NP-complete [5]. Another interesting result shows that the halting problem for a model of a Turing machine with a one-way infinite tape is linearly decidable on a generic set of inputs [9]. It is not known whether the result holds for an arbitrary Turing machine, but it was shown that the set on which the problem is decidable cannot be strongly generic [13].
In [11] the authors describe a particular procedure which allows one, given an undecidable problem, to construct a problem undecidable on every generic set of inputs. This generic amplification shows that generically hard (undecidable) problems exist.

It was also suggested that generic complexity might be useful for cryptographic applications, particularly for testing security assumptions of cryptographic primitives. Intuitively, we would like a cryptographic primitive to be hard to break on most inputs, which seems like a straightforward application of the ideas of generic complexity.

The main goal of this paper is to introduce ideas and methodology of generic complexity to the cryptography community. We present alternative definitions of one-way functions based on the concept of generic complexity. These new definitions allow one to consider, in a natural way, one-way function candidates coming from undecidable problems. We show that any such "generic" one-way function can be used to produce a classical one. Therefore, any new generic one-way function comes along with a new classical one. Furthermore, in our opinion these new definitions are more intuitive and are easier to work with. Indeed, the new security assumption is just a more precise formalization of the original notion due to Diffie and Hellman [4]; in a sense, it separates the probability on the inputs from the probability on the oracle choices, which makes considerations easier. As an illustration, we give a short proof that extending adversaries to a larger class of partial algorithms with errors does not change the strength of the security assumption. In a subsequent paper we are going to discuss some potential generic one-way functions that are related to undecidable problems in algebra.
1.1 Generic complexity notations

In this section we give a brief overview of the basic notions and definitions used in generic complexity. For a more detailed introduction to the subject and the latest results we refer to [5].

Let $I$ be a set of inputs. In this paper we consider the traditional binary representation of inputs and set $I = \{0,1\}^*$. With each input we associate a size function $|\cdot| : I \to \mathbb{N}$, which is the length of a string from $I$.

First we define a stratification of inputs. In general a stratification of the set $I$ is an ascending sequence of subsets whose union is equal to $I$. In the paper we will use the spherical stratification on strings, which we define next.

Definition 1.1 (Spherical Stratification). Let $I = \{0,1\}^*$ be a set of inputs. Define a sphere of radius $n$ by
$$I_n = \{x \mid x \in I,\ |x| = n\}.$$
Then the sequence $I_0, I_1, I_2, \ldots$ is a spherical stratification of $I$. Note that the sets $I_i$ are finite and $\bigcup_{i=0}^{\infty} I_i = I$.

There are other commonly used stratifications available. For example one can stratify the set $I$ using balls $B_n$ of radius $n$, where $B_n$ is the set of inputs with length at most $n$.

Definition 1.2. Let $I = \{0,1\}^*$ and let $I_n \subset I$ be the sphere of radius $n$. Let $\mu_n$ be a probability distribution on the sphere $I_n$. The collection $\{\mu_0, \mu_1, \mu_2, \ldots\}$ of all these distributions is called an ensemble of spherical distributions over $I$ and is denoted by $\{\mu_n\}$.

In the paper we will be mostly concerned with the ensemble of uniform spherical distributions $\{u_n\}$ over $I$. For a set $R \subseteq I$ we define
$$u_n(R) = \frac{|R \cap I_n|}{|I_n|},$$
where $|X|$ is the cardinality of a set $X$.

Next we define the asymptotic density of a set in $I$.

Definition 1.3 (Asymptotic Density). Let $\mu = \{\mu_n\}$ be an ensemble of spherical distributions over a set $I$. A set of inputs $R \subseteq I$ is said to have asymptotic density $\rho(R) = \alpha$ if
$$\lim_{n \to \infty} \mu_n(R \cap I_n) = \alpha.$$
A set $R$ is called generic with respect to $\mu$ if its asymptotic density is 1, and it is called negligible if its asymptotic density is 0.

Definition 1.4. Let $R \subseteq I$ and suppose the asymptotic density $\rho(R)$ exists. The function
$$\delta_R(n) = \mu_n(R \cap I_n)$$
is called the density function for $R$.

A practical measure of the "largeness" of a set often corresponds to the rate with which the limit in Definition 1.3 converges. The convergence can be naturally described by obtaining upper bounds on the density function of a set. One particular type of sets of interest are sets which have superpolynomial convergence rates.

Definition 1.5. Let $R \subseteq I$ and let $\delta_R(n)$ be the density function of $R$. We say that $R$ has asymptotic density $\rho(R)$ with superpolynomial convergence if
$$|\rho(R) - \delta_R(n)| < \frac{1}{p(n)}$$
for every polynomial $p(n)$ and all sufficiently large $n$.

Definition 1.6 (Strongly Generic/Negligible). A generic set with superpolynomial convergence is called strongly generic, and its complement is called a strongly negligible set.

1.2 One-Way functions

The existence of one-way functions is one of the most basic and important assumptions in cryptography. In fact the existence of one-way functions is a minimal assumption required for constructing other cryptographic primitives such as pseudorandom number generators, encryption and signature schemes. Diffie and Hellman [4] define one-way functions as follows:

"a function f is a one-way function if, for any argument x in the domain of f, it is easy to compute the corresponding value f(x), yet, for almost all y in the range of f, it is computationally infeasible to solve the equation y = f(x) for any suitable argument x."

There are two key points in the definition above: "for almost all" and "computationally infeasible".
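As an added illustration of Definitions 1.1 through 1.6 (this code is not part of the paper), the following Python computes the uniform spherical measure $u_n(R)$ and the density function $\delta_R(n)$ by brute-force enumeration of the sphere $I_n$ for three constructed sets, and checks the superpolynomial-convergence inequality $|\rho(R) - \delta_R(n)| < 1/n^{\text{degree}}$ on a finite range of $n$. The sets, the `member(x, n)` calling convention and the sampled ranges are assumptions made for the demonstration; a finite check is evidence for the asymptotic statement, not a proof of it.

```python
from fractions import Fraction
from itertools import product
from math import floor, log2


def sphere(n):
    """The sphere I_n of Definition 1.1: all binary strings of length n."""
    return ["".join(bits) for bits in product("01", repeat=n)]


def u_n(member, n):
    """u_n(R) = |R ∩ I_n| / |I_n| (Definition 1.2, uniform case).
    `member(x, n)` decides membership of x in R; n is passed along so that
    a set can be specified sphere by sphere (only R ∩ I_n matters for u_n)."""
    sph = sphere(n)
    return Fraction(sum(1 for x in sph if member(x, n)), len(sph))


def density_function(member, max_n):
    """delta_R(n) = u_n(R ∩ I_n) (Definition 1.4) for n = 1, ..., max_n."""
    return {n: u_n(member, n) for n in range(1, max_n + 1)}


def gap_below_inverse_polynomial(member, rho, degree, min_n, max_n):
    """Finite-sample check of Definition 1.5 against the single polynomial
    p(n) = n^degree: is |rho - delta_R(n)| < 1/n^degree for every n in
    [min_n, max_n]? (The definition asks this for all polynomials and all
    sufficiently large n; this only samples one polynomial on one range.)"""
    delta = density_function(member, max_n)
    return all(abs(rho - delta[n]) < Fraction(1, n ** degree)
               for n in range(min_n, max_n + 1))


# Constructed example sets (hypothetical, chosen for the demonstration).

def has_a_one(x, n):
    # Complement of {0^n}: delta_R(n) = 1 - 2^-n, so rho = 1 with a gap
    # that shrinks faster than any 1/p(n): strongly generic.
    return "1" in x


def starts_with_zero(x, n):
    # delta_R(n) = 1/2 for every n >= 1: neither generic nor negligible.
    return x[0] == "0"


def short_zero_prefix(x, n):
    # Excludes only strings beginning with m = floor(log2 n) zeros, so
    # delta_R(n) = 1 - 2^-m with 1/n <= 2^-m < 2/n: generic (rho = 1) but
    # the gap is only inverse-polynomial, so not strongly generic.
    m = floor(log2(n))
    return not x.startswith("0" * m)


if __name__ == "__main__":
    for name, member in [("has_a_one", has_a_one),
                         ("starts_with_zero", starts_with_zero),
                         ("short_zero_prefix", short_zero_prefix)]:
        print(name, {n: str(d) for n, d in density_function(member, 8).items()})
    print("has_a_one gap < 1/n^3 on [10,14]:",
          gap_below_inverse_polynomial(has_a_one, 1, 3, 10, 14))
    print("short_zero_prefix gap < 1/n on [2,12]:",
          gap_below_inverse_polynomial(short_zero_prefix, 1, 1, 2, 12))
```

The contrast between `has_a_one` and `short_zero_prefix` is the point of Definition 1.6: both sets are generic, but only the first one has superpolynomial convergence, so only its complement is strongly negligible. Exact rational arithmetic (`Fraction`) is used so the comparisons against $1/n^{\text{degree}}$ are not disturbed by floating-point rounding.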
A lot of attention is still concentrated on the development and understanding of these two notions and their consequences from the practical point of view. It is well accepted now that one-way functions cannot be defined using deterministic worst-case complexity classes like $P$ and $NP$, and randomized computation is the default model for cryptographic purposes.

A common argument for the necessary conditions for one-way functions to exist proceeds as follows [3]. Suppose we have a cryptographic scheme. Legitimate parties should be able to decode the secret efficiently, which means that there exists a polynomial-time verifiable witness to the decoding and the problem of breaking the cryptographic scheme is in $NP$. For a cryptographic scheme to be considered secure there should be no practical algorithm to break the encryption. Therefore, if a secure cryptographic scheme exists then $NP \not\subseteq BPP$. Whether $BPP$ contains $NP$ is an open problem. Note that $NP \not\subseteq BPP$ implies that $P \neq NP$.

The condition $NP \not\subseteq BPP$ is a necessary, but not sufficient, condition for a secure cryptographic scheme to exist. Observe that the probability distribution in the definition of the class $BPP$ is taken over the internal states of a probabilistic machine only. The condition which bounds away the probability of an error must hold for all inputs. In this sense $BPP$ is analogous to $P$ and still reflects the behavior of a problem on the worst-case inputs, but with respect to randomized algorithms. A positive answer to the question $NP \not\subseteq BPP$ may have no practical implications for cryptography unless there are problems which belong to $NP \setminus BPP$ and are hard on a significantly large fraction of inputs. Speaking in terms of generic complexity, a problem may be considered hard if there is no efficient algorithm which solves the problem on any but a strongly negligible set of inputs.
In cryptography the existence of many useful primitives like secure symmetric encryption, pseudorandom number generators and digital signature schemes is reduced to the existence of one-way functions, which we define next. In general there are two notions of one-way functions, a strong and a weaker one.

Let $\Pr_{(x,\sigma)}$ denote the probability taken uniformly over all pairs $(x,\sigma) \in I_n \times \Sigma$, where $I_n$ is the set of all inputs of length $n$ and $\Sigma = \{0,1\}^{t(n)}$ is the space of internal coin flips of a probabilistic algorithm whose running time is bounded by some polynomial $t(n)$. Similarly we define $\Pr_\sigma$ as the uniform probability taken over $\Sigma$ only.

One of the most commonly accepted definitions of a one-way function (strong one-way function) is the following.

Definition 1.7 (Strong One-Way function [3]). A function $f : \{0,1\}^* \to \{0,1\}^*$ is called strongly one-way if the following two conditions hold:

1. Easy to compute: there exists a deterministic polynomial-time algorithm $A'$ such that on an input $x$ algorithm $A'$ outputs $f(x)$;

2. Hard to invert: for every probabilistic polynomial-time algorithm $A$, every positive polynomial $p$, and all sufficiently large $n$:
$$\Pr_{(x,\sigma)}\big[A(f(U_n), 1^n) \in f^{-1}(f(U_n))\big] < \frac{1}{p(n)},$$
where $U_n$ is a random variable uniformly distributed over $\{0,1\}^n$ and the probability is taken over all input strings from $\{0,1\}^n$ and the internal states of $A$.

Here and in the rest of the article, polynomial-time algorithm means an algorithm that always halts after a polynomial (in the length of the input) number of steps. Note that in addition to an input in the range of $f$ the algorithm $A$ is given the auxiliary input $1^n$, which has the same length as the desired output of $A$.
This is done to protect from the situations when the function $f$ drastically reduces the length of its input (for example $|f(x)| = \log_2(|x|)$). Obviously no algorithm can invert such a function $f$ in a polynomial number of steps in terms of $|x|$.

2 Generic definitions of one-way functions

2.1 Definition restricted to PPT adversary

In Definition 1.7 the performance of an algorithm $A$ is averaged over all inputs, which results in a complicated probability space. We would like to apply ideas of generic complexity and consider the performance of an adversary on each input separately.

Note that naive random sampling will guess an inverse of a function $f$ on an input of length $n$ with probability $1/2^n$. An algorithm with a negligible probability of the correct answer cannot be amplified and, therefore, cannot be considered practical. A reasonable inversion algorithm should have a noticeable probability of success. To be more precise, the probability that an algorithm $A$ inverts $f(x)$ should satisfy
$$\Pr\big[A(f(x), 1^n) \in f^{-1}(f(x))\big] > \frac{1}{n^c}$$
for any positive constant $c$. To make a one-way function secure we must limit the inputs on which the adversary succeeds to a small set. We formalize these arguments in the following definition of a generically strong one-way function.

Definition 2.1 (Generically Strong One-Way function). Let $u = \{u_n\}$ be an ensemble of uniform spherical distributions over $\{0,1\}^*$. A function $f : \{0,1\}^* \to \{0,1\}^*$ is called generically strong one-way if the following two conditions hold:

1. Easy to compute: there exists a deterministic polynomial-time algorithm $A'$ such that on input $x$ algorithm $A'$ outputs $f(x)$;
2. Hard to invert on almost all inputs: for every probabilistic polynomial-time algorithm $A$, all constants $c > 0$, every positive polynomial $p$ and all sufficiently large $n$:
$$u_n\big\{x \in I_n \mid \Pr[A(f(x), 1^n) \in f^{-1}(f(x))] > n^{-c}\big\} < \frac{1}{p(n)},$$
where the probability is taken over the internal states of the algorithm $A$.

Similarly we can define a generically weak one-way function.

Definition 2.2 (Generically Weak One-Way function). Let $u = \{u_n\}$ be an ensemble of uniform spherical distributions over $\{0,1\}^*$. A function $f : \{0,1\}^* \to \{0,1\}^*$ is called generically weak one-way if the following two conditions hold:

1. Easy to compute: there exists a deterministic polynomial-time algorithm $A'$ such that on input $x$ algorithm $A'$ outputs $f(x)$;

2. Hard to invert on a large enough set of inputs: for every probabilistic polynomial-time algorithm $A$ and every constant $c > 0$ there exists a polynomial $p(n)$ such that for all sufficiently large $n$:
$$u_n\big\{x \in I_n \mid \Pr[A(f(x), 1^n) \in f^{-1}(f(x))] < n^{-c}\big\} \ge \frac{1}{p(n)},$$
where the probability is taken over the internal states of the algorithm $A$.

The following lemmas show that Definitions 2.1 and 1.7 are equivalent. We give the equivalence results for strong one-way functions. Similar results hold for the weak notion as well (see the Appendix for the detailed proof). We use a standard reduction argument, which proceeds by showing that if there exists an algorithm which violates the conditions of the first definition then we can construct an algorithm which violates the conditions of the second one.

Lemma 2.3. Let $f : \{0,1\}^* \to \{0,1\}^*$ and suppose there is a probabilistic polynomial-time algorithm $A$ such that for some constants $c > 0$ and $d > 0$ and infinitely many $n$
$$u_n\big\{x \in I_n \mid \Pr_\sigma[A(f(x), 1^n) \in f^{-1}(f(x))] > n^{-c}\big\} > \frac{1}{n^d}.$$
Then there exists a probabilistic polynomial-time algorithm $A'$ such that for infinitely many $n$
$$\Pr_{(x,\sigma)}\big[A'(f(U_n), 1^n) \in f^{-1}(f(U_n))\big] > \frac{1}{n^{d+1}}.$$

Proof. First of all observe that since we can compute $f$, we can also check whether an algorithm indeed returns an inverse of $f(x)$ or not. By definition, $f^{-1}(y) = \{x \mid y = f(x)\}$; therefore if $f(A(f(x))) = f(x)$ then $A(f(x))$ is an inverse of $f(x)$.

Now construct an algorithm $A'$ as follows. Repeat algorithm $A$ on a given input $x$ until a witness for the inverse problem (i.e. the inverse itself) is obtained. Let
$$S_n = \big\{x \in I_n \mid \Pr_\sigma[A(f(x)) \in f^{-1}(f(x))] \ge n^{-c}\big\}.$$
For the algorithm $A'$ to be practical on the set $S_n$ we need to show that for every $x \in S_n$ we can obtain an inverse with high probability using only polynomially many repetitions of $A$, i.e.
$$\Pr_\sigma\big[A'_k(f(x)) \in f^{-1}(f(x))\big] \ge 1 - \epsilon, \qquad (1)$$
where $k = p(n)$ and $\epsilon < \frac{1}{n^m}$ for any $m > 0$.

Let $y_i$ be the output of the $i$-th run of the algorithm $A$ on an input $x \in S_n$ and let $X_i$, $i = 1, \ldots, k$, be random variables such that $X_i = 1$ if $y_i \in f^{-1}(f(x))$ and $X_i = 0$ otherwise. The $X_i$ are mutually independent and $E[X_i] = \Pr[X_i = 1] \ge \frac{1}{n^c}$. We also define $X^o_i$, $i = 1, \ldots, k$, to be random variables such that $X^o_i = 0$ if $y_i \in f^{-1}(f(x))$ and $X^o_i = 1$ if the $i$-th run of $A$ fails. The $X^o_i$ are also mutually independent and $E[X^o_i] = 1 - \Pr[X_i = 1] \le 1 - \frac{1}{n^c}$.

Note that for $A'$ to produce an answer only one of the $y_i$ needs to be a witness; therefore to show (1) we need to show that
$$\Pr\Big[\sum_{i=1}^{k} X_i \ge 1\Big] = \Pr\Big[\sum_{i=1}^{k} X^o_i \le k-1\Big] \ge 1 - \epsilon,$$
which is equivalent to showing
$$\Pr\Big[\sum_{i=1}^{k} X^o_i > k-1\Big] \le \epsilon.$$
Using the Chernoff bound we have
$$\Pr\Big[\sum_{i=1}^{k} X^o_i - k\Big(1 - \frac{1}{n^c}\Big) \ge \delta \cdot k\Big(1 - \frac{1}{n^c}\Big)\Big] \qquad (2)$$
$$= \Pr\Big[\sum_{i=1}^{k} X^o_i \ge k\Big(1 - \frac{1}{n^c}\Big)(\delta + 1)\Big] \le 2^{-\frac{\delta^2 k}{2}}. \qquad (3)$$
Substituting $\delta = (k - n^c)/(k(n^c - 1))$ into (3) we obtain
$$\Pr\Big[\sum_{i=1}^{k} X^o_i \ge k-1\Big] \le 2^{-\frac{1}{2}\left(\frac{k - n^c}{k(n^c - 1)}\right)^2 k} = 2^{-\frac{(k - n^c)^2}{2k(n^c - 1)^2}}.$$
Let $k = n^{3c}$; then
$$2^{-\frac{(k - n^c)^2}{2k(n^c - 1)^2}} < 2^{-\frac{1}{2}(n+2)}$$
and we have
$$\Pr\Big[\sum_{i=1}^{k} X^o_i \ge k-1\Big] < 2^{-\frac{1}{2}(n+2)}.$$
Therefore we obtained
$$\Pr_\sigma\big[A'_k(f(x)) \in f^{-1}(f(x))\big] \ge 1 - \epsilon, \quad \text{where } \epsilon = 2^{-\frac{1}{2}(n+2)}.$$
Note that a similar result can be obtained without using the Chernoff bound; however, the Chernoff bound allows us to obtain a tighter bound on the number of repetitions of the algorithm $A$.

Taking the sum over all $x \in S_n$ we obtain
$$\sum_{x \in S_n} \Pr_\sigma\big[A'(f(x)) \in f^{-1}(f(x))\big] \ge \sum_{x \in S_n} (1 - \epsilon) = |S_n|(1 - \epsilon).$$
Note that $u_n(S_n) = \frac{|S_n|}{|I_n|} \ge \frac{1}{n^d}$. Therefore $|S_n| \ge \frac{|I_n|}{n^d} = \frac{2^n}{n^d}$. It follows that
$$\sum_{x \in S_n} \Pr_\sigma\big[A'(f(x)) \in f^{-1}(f(x))\big] \ge |S_n|(1 - \epsilon) \ge \frac{2^n}{n^d}(1 - \epsilon). \qquad (4)$$

Next we show that $\Pr_{(x,\sigma)}[A'(f(U_n), 1^n) \in f^{-1}(f(U_n))] \ge \frac{1}{n^d} - \epsilon$. Define $A'(x,\sigma) = 1$ if the computation of $A'$ corresponding to the oracle $\sigma$ inverts $f(x)$, and $A'(x,\sigma) = 0$ otherwise. Now we have
$$\Pr_{(x,\sigma)}\big[A'(f(U_n), 1^n) \in f^{-1}(f(U_n))\big] = \sum_{\forall (x,\sigma)} A'(x,\sigma)\, p(x,\sigma),$$
where $p(x,\sigma)$ is the joint probability mass function. Note that $x$ and $\sigma$ are independent of each other; therefore
$$\sum_{\forall (x,\sigma)} A'(x,\sigma)\, p(x,\sigma) = \sum_{x \in I_n} \sum_{\sigma \in \{0,1\}^{t(n)}} A'(x,\sigma)\, p(x)\, p(\sigma) = \frac{1}{2^n} \sum_{x \in I_n} \sum_{\sigma \in \{0,1\}^{t(n)}} A'(x,\sigma)\, p(\sigma) = \frac{1}{2^n} \sum_{x \in I_n} \Pr_\sigma\big[A'(f(x)) \in f^{-1}(f(x))\big].$$
From (4) and the equation above we have
$$\Pr_{(x,\sigma)}\big[A'(f(U_n), 1^n) \in f^{-1}(f(U_n))\big] = \frac{1}{2^n} \sum_{x \in I_n} \Pr_\sigma\big[A'(f(x)) \in f^{-1}(f(x))\big] \ge \frac{1}{2^n} \sum_{x \in S_n} \Pr_\sigma\big[A'(f(x)) \in f^{-1}(f(x))\big] \ge \frac{1}{n^d}(1 - \epsilon).$$
Now let $d' = d + 1$. It is easy to see that $\frac{1}{n^d}(1 - \epsilon) > \frac{1}{n^{d'}}$ for $n \ge 2$.
Therefore we have
$$\Pr_{(x,\sigma)}\big[A'(f(U_n), 1^n) \in f^{-1}(f(U_n))\big] \ge \frac{1}{n^d}(1 - \epsilon) > \frac{1}{n^{d+1}}.$$

The implication holds in the opposite direction as well.

Lemma 2.4. Let $f : \{0,1\}^* \to \{0,1\}^*$ and suppose there is a probabilistic polynomial-time algorithm $A$ such that for some polynomial $p(n)$ and infinitely many $n$
$$\Pr_{(x,\sigma)}\big[A(f(U_n), 1^n) \in f^{-1}(f(U_n))\big] \ge \frac{1}{p(n)}.$$
Then there exists a probabilistic polynomial-time algorithm $A'$ such that for every $c > 0$ and infinitely many $n$
$$u_n\big\{x \in I_n \mid \Pr_\sigma[A'(f(x)) \in f^{-1}(f(x))] > n^{-c}\big\} \ge \frac{1}{2p(n)}.$$

Proof. First we show that
$$u_n\big\{x \in I_n \mid \Pr_\sigma[A(f(x)) \in f^{-1}(f(x))] > 1/2p(n)\big\} \ge \frac{1}{2p(n)}. \qquad (5)$$
The proof follows directly from the following averaging argument:

Claim 2.5. Let $a_1, \ldots, a_N \in [0,1]$ and $\rho \ge 0$ be such that $\frac{1}{N}\sum_{i=1}^{N} a_i \ge \rho$, and let $k = \#\{a_i \mid a_i > \rho/2\}$. Then $\frac{k}{N} \ge \frac{\rho}{2}$.

Observe that
$$\Pr_{(x,\sigma)}\big[A(f(U_n), 1^n) \in f^{-1}(f(U_n))\big] = \frac{1}{2^n} \sum_{x \in I_n} \Pr_\sigma\big[A(f(x)) \in f^{-1}(f(x))\big] \ge \frac{1}{p(n)}.$$
If we set $a_i = \Pr_\sigma[A(f(x_i)) \in f^{-1}(f(x_i))]$ for $x_i \in I_n$, $N = 2^n$, $\rho = 1/p(n)$ and $k = \#\{x \in I_n \mid \Pr_\sigma[A(f(x)) \in f^{-1}(f(x))] > 1/2p(n)\}$, then it follows from the claim above that $\frac{k}{2^n} \ge \frac{1}{2p(n)}$ and
$$u_n\big\{x \in I_n \mid \Pr_\sigma[A(f(x)) \in f^{-1}(f(x))] > 1/2p(n)\big\} \ge \frac{1}{2p(n)}.$$
Now observe that for any $c > 0$ there exists a probabilistic polynomial-time algorithm $A'$ such that
$$\#\big\{x \in I_n \mid \Pr_\sigma[A'(f(x)) \in f^{-1}(f(x))] > n^{-c}\big\} \ge k. \qquad (6)$$
Indeed, in the case when $n^{-c} \ge 1/2p(n)$ the claim follows directly. In the second case, when $n^{-c} < 1/2p(n)$, we can use probabilistic error reduction and construct an algorithm $A'$ such that (6) holds. Therefore there exists a polynomial-time algorithm $A'$ such that
$$u_n\big\{x \in I_n \mid \Pr_\sigma[A'(f(x)) \in f^{-1}(f(x))] > n^{-c}\big\} \ge \frac{1}{2p(n)}.$$
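The paper states Claim 2.5 without proof. The following short argument is added here as a worked illustration; it is not part of the original paper, and it uses only the paper's own symbols $a_i$, $N$, $\rho$ and $k$.

Suppose, for contradiction, that $\frac{k}{N} < \frac{\rho}{2}$. Every $a_i$ lies in $[0,1]$, so the $k$ values that exceed $\rho/2$ contribute at most $k \cdot 1$ to the sum, while each of the remaining $N - k$ values is at most $\rho/2$. Hence
$$\frac{1}{N}\sum_{i=1}^{N} a_i \le \frac{k}{N}\cdot 1 + \frac{N-k}{N}\cdot\frac{\rho}{2} < \frac{\rho}{2} + \frac{\rho}{2} = \rho,$$
which contradicts the hypothesis $\frac{1}{N}\sum_{i=1}^{N} a_i \ge \rho$. Therefore $\frac{k}{N} \ge \frac{\rho}{2}$. With $a_i = \Pr_\sigma[A(f(x_i)) \in f^{-1}(f(x_i))]$, $N = 2^n$ and $\rho = 1/p(n)$, the conclusion $\frac{k}{2^n} \ge \frac{1}{2p(n)}$ is exactly inequality (5).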
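The construction of $A'_k$ in the proof of Lemma 2.3 (repeat $A$, accept the first candidate that passes the witness check $f(\text{candidate}) = f(x)$) can be simulated directly. The Python below is an added example and is not code from the paper. Everything in it is constructed for the demonstration: `f` is just a length-preserving SHA-256 tag and is not claimed to be one-way; `NoisyInverter` is handed a secret preimage table so that its per-input success probability can be dialled to `p`, standing in for the hypothesis $\Pr_\sigma[A(f(x)) \in f^{-1}(f(x))] \ge n^{-c}$ on $S_n$; and `chernoff_exponent` evaluates the exponent of the paper's bound $2^{-(k-n^c)^2/(2k(n^c-1)^2)}$ with $k = n^{3c}$ so it can be compared with the threshold $(n+2)/2$ the proof uses.

```python
import hashlib
import random
from fractions import Fraction


def f(x: bytes) -> bytes:
    """Toy easy-to-compute function (constructed for the demo, not one-way):
    a length-preserving SHA-256 tag, so f(A(y)) == y is a cheap witness check."""
    return hashlib.sha256(x).digest()[:len(x)]


class NoisyInverter:
    """Simulated adversary A. Its coin flips give it success probability `p`
    on every input: with probability p it returns the true preimage, otherwise
    a random string. `preimages` is the simulation's secret lookup table; a
    real A would of course not have it."""

    def __init__(self, preimages, p, rng):
        self.preimages, self.p, self.rng = preimages, p, rng

    def __call__(self, y):
        if self.rng.random() < self.p:
            return self.preimages[y]
        return self.rng.randbytes(len(y))


def amplified_invert(A, y, k):
    """A'_k from the proof of Lemma 2.3: run A at most k times and return the
    first candidate that passes the witness check f(candidate) == y."""
    for _ in range(k):
        cand = A(y)
        if f(cand) == y:          # any element of f^{-1}(y) is accepted
            return cand
    return None


def success_rate(p, k, n_bytes, trials, seed=0):
    """Fraction of `trials` random inputs x on which A'_k inverts f(x)."""
    rng = random.Random(seed)
    xs = [rng.randbytes(n_bytes) for _ in range(trials)]
    table = {f(x): x for x in xs}
    A = NoisyInverter(table, p, rng)
    hits = sum(1 for x in xs if amplified_invert(A, f(x), k) is not None)
    return hits / trials


def exact_success(p, k):
    """Exact probability that at least one of k independent runs succeeds,
    i.e. Pr[sum X_i >= 1] for the indicator variables of the proof."""
    return 1 - (1 - p) ** k


def chernoff_exponent(n, c):
    """Exponent e in the paper's bound Pr[A'_k fails] <= 2^-e after
    substituting k = n^{3c}: e = (k - n^c)^2 / (2k(n^c - 1)^2)."""
    k, nc = n ** (3 * c), n ** c
    return Fraction((k - nc) ** 2, 2 * k * (nc - 1) ** 2)


def paper_threshold(n):
    """(n + 2)/2: the proof claims the exponent above exceeds this."""
    return Fraction(n + 2, 2)


if __name__ == "__main__":
    for k in (1, 5, 20):
        print(f"p=0.1 k={k}: simulated {success_rate(0.1, k, 8, 300):.3f}, "
              f"exact {exact_success(0.1, k):.3f}")
    for n in (2, 4, 8):
        print(f"n={n} c=1: exponent {float(chernoff_exponent(n, 1)):.3f} "
              f"> threshold {float(paper_threshold(n)):.3f}")
```

The witness check is what makes the amplification free of false positives: a wrong candidate from a failed run is never accepted, so the only way $A'_k$ fails is for all $k$ runs to fail, which is exactly the event $\sum_i X^o_i = k$ bounded in the proof. The simulated rate at `k=20` tracks `exact_success`, and the exponent check reproduces the inequality $2^{-(k-n^c)^2/(2k(n^c-1)^2)} < 2^{-(n+2)/2}$ for the sampled $n$.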
The following result demonstrates the connection between the security assumption and the asymptotic properties of the input sets.

Proposition 2.6. A polynomial-time computable function $f : \{0,1\}^* \to \{0,1\}^*$ is strongly one-way if and only if every probabilistic polynomial-time algorithm $A$ fails to invert $f$ on all but strongly negligible sets of inputs with respect to an ensemble of uniform spherical distributions over $\{0,1\}^*$.

Proof. Suppose $f$ is strongly one-way and suppose there exists an algorithm $A$ which inverts $f$ on a set $S$ which is not strongly negligible. Then there exists a polynomial $p(n)$ such that
$$u_n\big(\{x \in I_n \mid \Pr_\sigma[A(f(x)) \in f^{-1}(f(x))] > n^{-c}\}\big) = u_n(S \cap I_n) = \delta_S(n) > \frac{1}{p(n)}.$$
Therefore $f$ is not strongly one-way by Definition 2.1. Now suppose $f$ is not one-way. Then there exists an algorithm $A$ such that
$$u_n\big(\{x \in I_n \mid \Pr_\sigma[A(f(x)) \in f^{-1}(f(x))] > n^{-c}\}\big) > \frac{1}{p(n)}$$
for some polynomial $p$, which contradicts the assumption of the proposition.

2.2 Generic definition with a more general adversary

The most interesting question is whether the generic approach may give us new, more general security assumptions. Note that the polynomial bound on the adversary is not necessary. The only condition that a successful adversary needs to satisfy is to have an algorithm which terminates in polynomial time with the correct answer on a non-negligible set of inputs. Suppose we would like to make a security statement which holds against a much stronger adversary, i.e. a partial probabilistic heuristic algorithm which may output incorrect answers. Although an adversary algorithm may not terminate on some inputs, it would still be a threat if it succeeds on a relatively large set of inputs.

Definition 2.7 (Partial algorithm with errors). Let $I$ be the set of inputs.
We say that an algorithm $A$ is a partial algorithm with errors if it is correct on a subset $X \subseteq I$ of inputs and on the set $I - X$ it either does not stop or stops with an incorrect answer.

To make a formal statement we need the notion of the achievement ratio of an adversary, which is similar to the notions given in [6, 8].

Definition 2.8 (Achievement ratio). Let $f : \{0,1\}^* \to \{0,1\}^*$ be a function and let $A$ be a partial probabilistic algorithm with errors. The achievement ratio of $A$ on an instance $f(x)$ is defined as
$$R_{A,f}(x) = T_{A,f}(x) / \delta_{A,f}(x),$$
where $T_{A,f}(x)$ is the time required for $A$ to terminate on the input $f(x)$ and
$$\delta_{A,f}(x) = \Pr_\sigma\big[A(f(x), 1^n) \in f^{-1}(f(x))\big].$$

The achievement ratio allows one to consider a larger class of algorithms whose running time may not be bounded by a polynomial. In order for an adversary to have a polynomial achievement ratio on a given input $x$, it has to have both a polynomial running time and a noticeable probability of inverting $f(x)$. The following definition is an attempt to give an intuitive notion of a generalized practical security assumption for a one-way function.

Definition 2.9. Let $u = \{u_n\}$ be an ensemble of uniform spherical distributions over $\{0,1\}^*$. A function $f : \{0,1\}^* \to \{0,1\}^*$ is called strongly one-way if the following two conditions hold:

1. Easy to compute: there exists a deterministic polynomial-time algorithm $A'$ such that on input $x$ algorithm $A'$ outputs $f(x)$;

2. Hard to invert: for every partial probabilistic algorithm with errors $A$, all constants $c > 0$, every positive polynomial $p$ and all sufficiently large $n$:
$$u_n\big(\{x \in I_n \mid R_{A,f}(x) \le n^c\}\big) < \frac{1}{p(n)}.$$

The question is whether or not this definition gives us any advantage over the definitions given earlier.
The following argument says that if we allow only a polynomial number of steps for an adversary on a success then, in fact, this definition is equivalent to the one which is limited to the PPT adversary. The main idea is that since the success of an adversary on an input $x$ means that it has to terminate in a polynomial number of steps, we do not really care whether the adversary is a partial algorithm or not. If we have a successful partial algorithm then we can construct a PPT algorithm by allowing it to run for a polynomial number of steps, and this polynomial-time algorithm will be as successful as the partial one.

Let GSPPT and GSPART be the classes of one-way functions which satisfy the conditions of Definition 2.1 and Definition 2.9 respectively.

Proposition 2.10. A function $f \in$ GSPPT if and only if $f \in$ GSPART.

Proof. First we show that $f \in$ GSPART implies $f \in$ GSPPT. The proof is by contradiction. Let $f : \{0,1\}^* \to \{0,1\}^*$ and assume that $f \in$ GSPART but $f \notin$ GSPPT. Then there exist a PPT algorithm $A$, a constant $c > 0$ and a polynomial $p(n)$ such that for infinitely many $n$
$$u_n\big(\{x \mid \delta_{A,f}(x) > n^{-c}\}\big) \ge \frac{1}{p(n)}.$$
Note that a PPT algorithm $A$ is also a partial probabilistic algorithm such that $T_{A,f}(x) \le q(n)$ for some positive polynomial $q$ and all $x$. Therefore,
$$u_n\big(\{x \mid \delta_{A,f}(x) > n^{-c}\}\big) \ge \frac{1}{p(n)},$$
$$u_n\big(\{x \mid \delta_{A,f}(x)/T_{A,f}(x) > n^{-c}/T_{A,f}(x)\}\big) \ge \frac{1}{p(n)},$$
$$u_n\big(\{x \mid T_{A,f}(x)/\delta_{A,f}(x) < n^c\, T_{A,f}(x)\}\big) \ge \frac{1}{p(n)},$$
$$u_n\big(\{x \mid R_{A,f}(x) < n^c\, T_{A,f}(x)\}\big) \ge \frac{1}{p(n)},$$
$$u_n\big(\{x \mid R_{A,f}(x) \le n^d\}\big) \ge \frac{1}{p(n)},$$
where $d$ is chosen such that $n^d \ge q(n) \cdot n^c$. This contradicts the condition $f \in$ GSPART.

The proof in the opposite direction uses a similar argument. Suppose that $f \in$ GSPPT but $f \notin$ GSPART.
In other words, we suppose there exists a partial probabilistic algorithm $B$ such that for some polynomial $p(n)$ and infinitely many $n$
$$u_n\big(\{x \in I_n \mid R_{B,f}(x) \le n^c\}\big) \ge \frac{1}{p(n)}.$$
Define $A$ to be the algorithm which on a given input $x \in I_n$ runs $B$ for $n^c$ steps. Let $S = \{x \mid R_{B,f}(x) \le n^c\}$. First observe that, by the assumption, for all $x \in S$
$$\delta_{B,f}(x) \ge \frac{T_{B,f}(x)}{n^c} \ge \frac{1}{n^c}.$$
Obviously, $\delta_{A,f}(x) = \delta_{B,f}(x)$ for all $x$ such that $T_{B,f}(x) \le n^c$. Therefore, since $\delta_{B,f}(x) \in [0,1]$, we have $\delta_{A,f}(x) = \delta_{B,f}(x)$ for all $x$ such that $T_{B,f}(x) \le \delta_{B,f}(x) \cdot n^c$, i.e. for all $x \in S$. Hence we have $\delta_{A,f}(x) \ge \frac{1}{n^c}$ for all $x \in S$ and
$$u_n\big\{x \in I_n \mid \delta_{A,f}(x) \ge n^{-c}\big\} \ge u_n(S) \ge \frac{1}{p(n)}.$$
Therefore, a probabilistic polynomial-time algorithm $A$ inverts $f$ on a set which is not strongly negligible, which contradicts our assumption that $f$ is one-way with respect to Definition 2.1.

Note that the proof is simple and quite compact. Using the equivalence Lemmas 2.3 and 2.4 we can conclude that Definition 2.9 is equivalent to Definition 1.7, which is based on the averaging argument. It seems that obtaining the same result would be a more difficult task when working with the average-type definitions directly.

Similarly one can define a weaker variation of a one-way function with a partial adversary.

Definition 2.11. Let $u = \{u_n\}$ be an ensemble of uniform spherical distributions over $\{0,1\}^*$. A function $f : \{0,1\}^* \to \{0,1\}^*$ is called weakly one-way if the following two conditions hold:

1. Easy to compute: there exists a deterministic polynomial-time algorithm $A'$ such that on input $x$ algorithm $A'$ outputs $f(x)$;
2. Hard to invert on a non-negligible set: for every partial algorithm $A$ and every constant $c > 0$, there exists a polynomial $p(n)$ such that for all sufficiently large $n$
$$u_n\big(\{x \in I_n \mid R_{A,f}(x) > n^c\}\big) \ge \frac{1}{p(n)}.$$

The equivalence result for weak one-way functions holds as well. Let GWPPT be the class of generically weak one-way functions and GWPART be the class of one-way functions satisfying Definition 2.11.

Proposition 2.12. A function $f \in$ GWPPT if and only if $f \in$ GWPART.

Proof. The proof is similar to the proof of Proposition 2.10. Suppose that $f \in$ GWPART but $f \notin$ GWPPT. Then there exist a PPT algorithm $B$ and a constant $c > 0$ such that for all polynomials $p(n)$
$$u_n\big(\{x \mid \delta_{B,f}(x) < n^{-c}\}\big) < \frac{1}{p(n)}.$$
The probabilistic polynomial-time algorithm $B$ is a probabilistic partial algorithm whose time satisfies $T_{B,f}(x) \le q(n)$ for some positive polynomial $q$ and all $x$. Therefore, there exists a probabilistic partial algorithm $B$ such that for all positive polynomials $p$:
$$\frac{1}{p(n)} > u_n\big(\{x \mid \delta_{B,f}(x) < n^{-c}\}\big) = u_n\big(\{x \mid \delta_{B,f}(x)/T_{B,f}(x) < n^{-c}/T_{B,f}(x)\}\big)$$
$$= u_n\big(\{x \mid T_{B,f}(x)/\delta_{B,f}(x) \ge T_{B,f}(x)\, n^c\}\big) = u_n\big(\{x \mid R_{B,f}(x) \ge T_{B,f}(x)\, n^c\}\big) \ge u_n\big(\{x \mid R_{B,f}(x) \ge n^d,\ \forall d > 0\}\big),$$
which contradicts the assumption that $f \in$ GWPART.

Now note that if $f$ is not weakly one-way in terms of Definition 2.11 then there exists a partial algorithm $B$ such that for some constant $c > 0$ and every polynomial $poly(n)$
$$u_n\big(\{x \in I_n \mid R_{B,f}(x) \le n^c\}\big) \ge 1 - \frac{1}{poly(n)}.$$
Define a probabilistic polynomial-time algorithm $A$ which runs $B$ for $n^c$ steps. Using the equalities from Proposition 2.10 we obtain
$$u_n\big\{x \in I_n \mid \delta_{A,f}(x) \ge n^{-c}\big\} \ge u_n\big(\{x \in I_n \mid R_{B,f}(x) \le n^c\}\big) \ge 1 - \frac{1}{poly(n)}.$$
Therefore,
$$u_n\big\{x \in I_n \mid \delta_{A,f}(x) < n^{-c}\big\} < \frac{1}{poly(n)}$$
for any polynomial $poly(n)$.
Therefore, f is not w eakly one w a y with resp ec t to a PPT algorithm A . One of the imp ortant results ab out one-wa y functions is the so-cal led amplification theorem wh ic h states that ha ving a weak one-w ay f unction w e can alw a ys construct a strong one. Equ iv alences sho wn ab o v e allo w us to mak e a similar statemen t for generic one-w a y fun ct ion. Theorem 2.13 (Amplification) . Generic al ly we ak one-way functions e xist if and on ly if generic al ly str ong o ne- wa y functions exist. Pr o of. The pro of is a corollary of the equiv alence Lemmas 2.3, 2.4, 2.10, 2.12 and the classical amplification theorem. 3 Conclusion The defi nitio n based on generic case complexit y m et h o dology has significant adv an tage in the fact that the probabilities o ve r inpu ts and internal states of the algorithm are tak en separately . The definition is v ery in tuitive and easy to understand. In fact it ma y b e seen as a direct formalization of the d efinition b y Diffie and Hellman whic h w e quote in th e in tro duction. Op erating with simpler probabilit y spaces and considering inp u ts sep arat ely ma y ha v e some practical implications. The w ork in this dir ec tion s ta rted very recen tly and the p oten tial of generic approac h has b een littl e realized. It would b e in teresting to see if generic complexit y can b e us ed to simp lify defin itio ns of cryptographic primitive s and reducibilit y arguments. Ap plica tions of generic case complexit y analysis of th e security of particular one-w a y fu nctio n candidates is also could b e of great interest. 13 References [1] A.Bogdano v and L.T revisan, Aver age-Case Complexity , No w Pub lishers Inc, 2006. [2] A.V.Boro vik, A.G.Miasnik o v and V.N.Remeslenniko v. Multiplic ative me asur es on fr e e gr oups , I nternat. J. Algebra C omp., 13 no. 6 (200 3), 705-731. [3] O .Goldreich, F oundations of crypto gr aphy , Cambridge Univ ersit y Pr ess, 20 01. 
[4] W.Diffie and M.Hellman, New Dir e ctions in Crypto gr aphy , IEEE T ransactions on Information Th eo ry , V. IT-22, no. 6 (1976 ), 644–654. [5] R.Gilman, A.G.Miasnik o v, A.D. Mya sn ik ov and A. Ush a ko v. Generic c omplexity of algorithmic pr oblems , Pr eprin t, 2007. [6] O .Goldreich and L.Levin, A har d-c or e pr e dic ate for al l one-way fu nctions , Pro- ceedings of the t we nt y -fi rst ann ual A CM symp osium on Theory of compu ting, (1989 ), 2 5 – 32. [7] S . Goldwa sser and S. Micali. Pr ob abilistic Encryptio n , JCSS, 28, 2 (1984), 270– 299. [8] J . Hastad, R. Imp ag liazzo, L. Levin and M. Luby , Construction of Pseudor andom Gener ator fr om any One-Way F unction, Man uscript, 1993. [9] J .D.Hamkins, A.G.Miasnik ov. The halting pr oblem is de cidable on a set of asymptot ic pr ob ability one. Notre Dame J. F orm al Logic V olume 47, Num b er 4 (2006) , 515- 524. [10] I.Kap o vic h , A.G.M iasniko v, P .Sc hupp, V.Shpilrain, Generic-c ase c omplexity, de- cision pr oblems in gr oup the ory and r andom walks, J. Algebra 264 (2003), 665- 694. [11] A. Miasnik o v, A. Rybalo v, On Generic al ly Unde cidable Pr oblems , Pr eprin t, 2007. [12] C. Papadimitriou, Computation Complexity , (1994 ), Addison-W esley . [13] A.Rybalo v. On the Str ongly Generic Unde cidability of the Halting Pr oblem . Theor. Compu t. Sci. 377(1 -3) (2 007), 268-270 A Pro of of equiv alence for the definitions of the W eak One- W a y functions The follo wing is the classical defin iti on of a we ak one-wa y fun ct ion. Definition A.1 (W eak One-W ay function) . A function f : { 0 , 1 } ∗ → { 0 , 1 } ∗ is called w eakly one-wa y if the follo wing t wo conditions hold: 1. Easy to compu te: there exists a d et ermin istic p olynomial-time algo rith m A ′ suc h that on an input x algorithm A ′ outputs f ( x ); 14 2. 
Slightl y hard to in v ert: There exists a p olynomial p such that for every PPT A and all sufficientl y large n : Pr ( x,σ ) [ A ( f ( U n ) , 1 n ) 6∈ f − 1 ( f ( U n ))] ≥ 1 p ( n ) , where U n is a r a n dom v ariable uniform ly d istributed o ve r { 0 , 1 } n and the p robabilit y is tak en o ve r all input strings from { 0 , 1 } n and inte r n al states of A . Prop osition A.2. Definitions A.1 and 2.2 are equiv alen t. The follo wing t wo lemmas giv e the pro of. Denote δ A ,f ( x ) = Pr[ A ( f ( x ) , 1 n ) ∈ f − 1 ( f ( x ))] and ¯ δ A ,f ( x ) = Pr[ A ( f ( x ) , 1 n ) 6∈ f − 1 ( f ( x ))] . Ob viously δ A ,f ( x ) = 1 − ¯ δ A ,f ( x ) . Lemma A.3 (Generic implies Classic) . Supp ose ther e exists a PPT algorithm A such tha t for some (e q uivalently al l) c > 0 , al l p olynomials p and infinitely many n u n { x ∈ I n | δ A ,f ( x ) < n − c } < 1 p ( n ) then ther e exists a PPT algorithm A ′ such that for al l p olynomials q ( n ) and infinitely many n Pr ( x,σ ) [ A ( f ( U n ) , 1 n ) 6∈ f − 1 ( f ( U n ))] < 1 q ( n ) . Pr o of. Observe th at u n ( { x | δ A ,f ( x ) ≥ n − c } ) ≥ 1 − 1 p ( n ) . Let S n = { x | δ A ,f ( x ) ≥ n − c } Then u n ( S n ) = | S n | 2 n ≥ 1 − 1 p ( n ) Ho w eve r, X x ∈ S n δ A ,f ( x ) ≥ X x ∈ S n n − c = | S n | n − c and we obtai n 1 2 n X x ∈ S n δ A ,f ( x ) ≥ | S n | 2 n n − c ≥ n − c 1 − 1 p ( n ) = p ( n ) − 1 n c p ( n ) > 1 n c p ( n ) F rom the pro of of the equiv alence for the case of strong one w a y fun ctio ns we kn o w that Pr ( x,σ ) [ A ( f ( U n ) , 1 n ) ∈ f − 1 ( f ( U n ))] ≥ 1 2 n X x ∈ S n δ A ,f ( x ) . 15 Therefore Pr ( x,σ ) [ A ( f ( U n ) , 1 n ) ∈ f − 1 ( f ( U n ))] ≥ 1 n c p ( n ) Again, from the pro of of th e strong version w e kno w that by r epeating the algorithm A p olynomially many times w e can obtain an algorithm A ′ suc h that Pr ( x,σ ) [ A ′ ( f ( U n ) , 1 n ) ∈ f − 1 ( f ( U n ))] ≥ 1 − ǫ where ǫ < 1 /q ( n ) for an y p ositiv e p olynomial q ( n ). 
Then Pr ( x,σ ) [ A ′ ( f ( U n ) , 1 n ) 6∈ f − 1 ( f ( U n ))] < 1 − (1 − ǫ ) = ǫ < 1 q ( n ) for all p olynomials q ( n ). Lemma A.4 (Classic implies Generic) . Supp ose ther e exists a PPT algorithm A such tha t for al l p olynomial s p and infinitely many n Pr ( x,σ ) [ A ( f ( U n ) , 1 n ) 6∈ f − 1 ( f ( U n ))] < 1 p ( n ) . then ther e exists a PPT algorithm A ′ such that for some (e quivalently al l) c > 0 , al l p olynomials p ( n ) and infinitely many n u n { x ∈ I n | δ A ′ ,f ( x ) < n − c } < 1 p ( n ) Pr o of. Let S n = { x | ¯ δ A ,f ( x ) ≥ n − d } Observe th at n d · Pr ( x,σ ) [ A ( f ( U n ) , 1 n ) 6∈ f − 1 ( f ( U n ))] < 1 p ( n ) for all p ositiv e p olynomials p ( n ). Pr o of. Supp ose that it is not. Th en there exists a p olynomial p ′ ( n ) su ch that n d · Pr ( x,σ ) [ A ( f ( U n ) , 1 n ) 6∈ f − 1 ( f ( U n ))] ≥ 1 p ′ ( n ) and Pr ( x,σ ) [ A ( f ( U n ) , 1 n ) 6∈ f − 1 ( f ( U n ))] ≥ 1 p ′ ( n ) n d whic h con tradicts the condition of the lemma. No w u sing the same argument as in the previous pro ofs we can sho w that Pr ( x,σ ) [ A ( f ( U n ) , 1 n ) 6∈ f − 1 ( f ( U n ))] = 1 2 n X x ∈ I n ¯ δ A ,f ( x ) ≥ 1 2 n X x ∈ S n ¯ δ A ,f ( x ) 16 Therefore, for every p ( n ) 1 p ( n ) > n d · Pr ( x,σ ) [ A ( f ( U n ) , 1 n ) 6∈ f − 1 ( f ( U n ))] ≥ n d 2 n X x ∈ S n ¯ δ A ,f ( x ) ≥ n d 2 n X x ∈ S n n − d = n d · | S n | 2 n · n − d = u n ( S n ) . Note that S n = { x | 1 − ¯ δ A ,f ( x ) < 1 − n − d }} = { x | δ A ,f ( x ) < 1 − n − d }} . Using amplification we can construct a PPT algorithm A ′ whic h rep eats A p olynomi- ally many times and such that S n = x | δ A ′ ,f ( x ) < 1 2 n Therefore, there exists a P P T algorithm A ′ suc h that for eve ry p olynomial p ( n ) u n x | δ A ′ ,f ( x ) < 1 2 n < 1 p ( n ) . 17
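To make the two quantities compared in Lemmas A.3 and A.4 concrete, the following is an added Python example (not from the paper): for a constructed per-input success profile $\delta_{A,f}(x)$ of a hypothetical inverter on $n = 4$, it computes the classical averaged probability $\Pr_{(x,\sigma)}$ and the generic measure $u_n(\{x \mid \delta_{A,f}(x) < n^{-c}\})$, checks the two inequalities the lemmas rest on, and shows what $k$-fold repetition of $A$ does to each. The profile, $n$, $c = d = 1$ and $k = 10$ are all assumed values chosen for illustration.

```python
from fractions import Fraction

# Constructed example (not from the paper): n = 4, so I_n = {0,1}^4 has 16 inputs,
# indexed 0..15.  DELTA[x] plays the role of delta_{A,f}(x): the success probability
# of a hypothetical PPT inverter A on the fixed input x, over A's internal coins only.
# Twelve inputs are inverted with probability 1/2; four are never inverted.
N = 4
DELTA = {x: (Fraction(1, 2) if x < 12 else Fraction(0)) for x in range(2 ** N)}


def classical_success(delta, n):
    """Pr_(x,sigma)[A(f(U_n),1^n) in f^-1(f(U_n))] = (1/2^n) * sum_x delta(x)."""
    return sum(delta.values(), Fraction(0)) / 2 ** n


def generic_hard_measure(delta, n, c):
    """u_n({x in I_n | delta(x) < n^-c}): fraction of inputs where A's success is negligible."""
    threshold = Fraction(1, n ** c)
    return Fraction(sum(1 for d in delta.values() if d < threshold), 2 ** n)


def generic_to_classical_bound(delta, n, c):
    """Lemma A.3 step: average success >= u_n(S_n) * n^-c, S_n = {x | delta(x) >= n^-c}."""
    u_S = 1 - generic_hard_measure(delta, n, c)
    return u_S * Fraction(1, n ** c)


def classical_to_generic_bound_holds(delta, n, d):
    """Lemma A.4 step: u_n(S_n) <= n^d * Pr[A fails], S_n = {x | 1 - delta(x) >= n^-d}."""
    threshold = Fraction(1, n ** d)
    u_S = Fraction(sum(1 for dl in delta.values() if 1 - dl >= threshold), 2 ** n)
    return u_S <= n ** d * (1 - classical_success(delta, n))


def amplify(delta, k):
    """Repeat A k times with fresh coins: success on x becomes 1 - (1 - delta(x))^k."""
    return {x: 1 - (1 - d) ** k for x, d in delta.items()}


if __name__ == "__main__":
    for label, prof in (("A", DELTA), ("A' = A repeated 10 times", amplify(DELTA, 10))):
        print(label)
        print("  classical success       :", classical_success(prof, N))
        print("  u_n({delta < n^-1})     :", generic_hard_measure(prof, N, 1))
        print("  Lemma A.3 lower bound   :", generic_to_classical_bound(prof, N, 1))
        print("  Lemma A.4 bound holds   :", classical_to_generic_bound_holds(prof, N, 1))
```

Repetition raises the averaged success from 3/8 to 3069/4096 while $u_n(\{\delta < n^{-1}\})$ stays at 1/4: the inputs on which $A$ never succeeds are untouched, which is exactly the distinction between the averaged and the generic view that the paper draws.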