Goldreich's One-Way Function Candidate and Myopic Backtracking Algorithms
Authors
Abstract
Goldreich (ECCC 2000) proposed a candidate one-way function construction which is parameterized by the choice of a small predicate (over d = O(1) variables) and of a bipartite expanding graph of right-degree d. The function is computed by labeling the n vertices on the left with the bits of the input, labeling each of the n vertices on the right with the value of the predicate applied to the neighbors, and outputting the n-bit string of labels of the vertices on the right. Inverting Goldreich’s one-way function is equivalent to finding solutions to a certain constraint satisfaction problem (which easily reduces to SAT) having a “planted solution,” and so the use of SAT solvers constitutes a natural class of attacks. We perform an experimental analysis using MiniSat, which is one of the best publicly available algorithms for SAT. Our experiment shows that the running time required to invert the function grows exponentially with the length of the input, and that such an attack becomes infeasible already with small input length (a few hundred bits). Motivated by these encouraging experiments, we initiate a rigorous study of the limitations of back-tracking based SAT solvers as attacks against Goldreich’s function. Results by Alekhnovich, Hirsch and Itsykson imply that Goldreich’s function is secure against “myopic” backtracking algorithms (an interesting subclass) if the 3-ary parity predicate $P(x_1, x_2, x_3) = x_1 \oplus x_2 \oplus x_3$ is used. One must, however, use non-linear predicates in the construction, which otherwise succumbs to a trivial attack via Gaussian elimination. We generalized the work of Alekhnovich et al. to handle a more general class of predicates, and we present a lower bound for the construction that uses the predicate $P_d(x_1, \ldots, x_d) := x_1 \oplus x_2 \oplus \cdots \oplus x_{d-2} \oplus (x_{d-1} \wedge x_d)$ and a random graph.
Work supported by the National Science Foundation under grant No. CCF-0729137 and by the National Sciences and Engineering Research Council of Canada under a PGS award.
Work supported by the National Science Foundation under grant No. CCF-0729137.
Work done at U.C. Berkeley, supported by an NSF SUPERB fellowship.
Work supported by the National Science Foundation under grant No. CCF-0729137 and by the BSF under grant 2002246.
O. Reingold (Ed.): TCC 2009, LNCS 5444, pp. 521–538, 2009. © International Association for Cryptologic Research 2009
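The construction and the linear-predicate weakness described in the abstract, as an added Python example that is not code from the paper: it evaluates the function for a chosen predicate, inverts the all-parity variant by Gaussian elimination over GF(2), and checks whether a predicate is affine. The random graph sampler (no expansion check is performed), n = 64, and all function names are assumptions made for illustration.

```python
import random
from itertools import product

def random_graph(n, d, rng):
    # Constructed stand-in for the expander: each output reads d distinct random inputs.
    return [rng.sample(range(n), d) for _ in range(n)]

def p_parity(bits):
    return sum(bits) & 1                      # x_1 xor ... xor x_d (linear)

def p_d(bits):
    # P_d = x_1 xor ... xor x_{d-2} xor (x_{d-1} and x_d)
    return (sum(bits[:-2]) & 1) ^ (bits[-2] & bits[-1])

def goldreich(x, graph, pred):
    return [pred([x[i] for i in nbrs]) for nbrs in graph]

def is_affine(pred, d):
    # f is affine over GF(2) iff f(a) ^ f(b) ^ f(a xor b) == f(0) for all a, b.
    pts, zero = list(product((0, 1), repeat=d)), pred([0] * d)
    return all(pred(a) ^ pred(b) ^ pred([u ^ v for u, v in zip(a, b)]) == zero
               for a in pts for b in pts)

def invert_parity(graph, y, n):
    # Gauss-Jordan elimination over GF(2); each row is a bitmask, bit n is the output bit.
    rows = [sum(1 << i for i in nbrs) | (b << n) for nbrs, b in zip(graph, y)]
    pivots = []
    for col in range(n):
        rank = len(pivots)
        hit = next((k for k in range(rank, n) if rows[k] >> col & 1), None)
        if hit is None:
            continue                          # free variable, left at 0
        rows[rank], rows[hit] = rows[hit], rows[rank]
        for k in range(n):                    # clear this column in every other row
            if k != rank and rows[k] >> col & 1:
                rows[k] ^= rows[rank]
        pivots.append(col)
    if any(rows[len(pivots):]):
        return None                           # inconsistent: y is not in the image
    x = [0] * n
    for k, col in enumerate(pivots):
        x[col] = rows[k] >> n & 1
    return x                                  # a preimage, not necessarily the planted input

if __name__ == "__main__":
    n, rng = 64, random.Random(2009)          # constructed sample instance
    g = random_graph(n, 3, rng)
    y = goldreich([rng.randrange(2) for _ in range(n)], g, p_parity)
    print(goldreich(invert_parity(g, y, n), g, p_parity) == y, is_affine(p_d, 5))
```

The elimination runs in polynomial time for any n when the predicate is parity; `is_affine` returning False for `p_d` is the property that rules out this direct linear-algebra route.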
Similar resources
Goldreich’s One-Way Function Candidate and Drunken Backtracking Algorithms
One-way functions are easy to compute but hard to invert; their existence is the foundational assumption for modern cryptography. Oded Goldreich’s 2000 paper “Candidate One-Way Functions Based on Expander Graphs” [6] proposes a candidate one-way function construction based on any small fixed predicate over d variables and a bipartite expander graph of right-degree d. The function is calculated ...
The Complexity of Inversion of Explicit Goldreich's Function by DPLL Algorithms
Goldreich’s function has n binary inputs and n binary outputs. Every output depends on d inputs and is computed from them by the fixed predicate of arity d. Every Goldreich’s function is defined by its dependency graph G and predicate P. In 2000 O. Goldreich formulated a conjecture that if G is an expander and P is a random predicate of arity d then the corresponding function is one-way. ...
Pseudorandomness against Depth-2 Circuits and Analysis of Goldreich's Candidate One-Way Function
Exponential Lower Bounds for a DPLL Attack against a One-Way Function Based on Expander Graphs
Oded Goldreich’s 2000 paper “Candidate One-Way Functions Based on Expander Graphs” [4] describes a function that employs a fixed random predicate and an expander graph. Goldreich conjectures that this function is difficult to invert, but this difficulty does not seem to stem from any standard assumption in Complexity Theory. The task of inverting Goldreich’s function reduces naturally to a SAT ...
Exponential Lower Bounds for DPLL Algorithms on Satisfiable Random 3-CNF Formulas
We consider the performance of a number of DPLL algorithms on random 3-CNF formulas with n variables and m = rn clauses. A long series of papers analyzing so-called “myopic” DPLL algorithms has provided a sequence of lower bounds for their satisfiability threshold. Indeed, for each myopic algorithm A it is known that there exists an algorithm-specific clause-density, rA, such that if r < rA, th...
Publication date: 2009