Goldreich’s One-Way Function Candidate and Drunken Backtracking Algorithms

One-way functions are easy to compute but hard to invert; their existence is the foundational assumption for modern cryptography. Oded Goldreich’s 2000 paper “Candidate One-Way Functions Based on Expander Graphs” [6] proposes a candidate one-way function construction based on any small fixed predicate over d variables and a bipartite expander graph of right-degree d. The function is calculated by taking an n-bit input as the values of the vertices on the left, and then calculating each of the n output bits on the right by applying the predicate to its neighbors. Inverting Goldreich’s one-way function can be expressed as constraints on input bits by the value of each output bit, and so can easily be reduced to a SAT instance. Most modern SAT solvers are based on backtracking algorithms. Results by Alekhnovich, Hirsch and Itsykson imply that Goldreich’s function is secure against “myopic” backtracking algorithms (an interesting subclass) if the 3-ary parity predicate P (x1, x2, x3) = x1 ⊕ x2 ⊕ x3 is used. Cook, Etesami, Miller and Trevisan extended their work to show the function is also secure against myopic backtracking algorithms of higher degree linear functions and against predicates of the form Pd(x1, . . . , xd) := x1 ⊕ x2 ⊕ · · · ⊕ xd−2 ⊕ (xd−1 ∧ xd) on random graphs. Alekhnovich et al. also show how to construct satisfiable SAT instances secure against “drunken” backtracking algorithms from unsatisfiable SAT instances. The contribution of this work is to show Goldreich’s function is secure against “drunken” backtracking algorithms for linear predicates and predicates of the form Pd(x1, . . . , xd) := x1⊕x2⊕· · ·⊕xd−2⊕(xd−1∧ xd) on random graphs.