Revisiting Time-Space Tradeoffs for Function Inversion

  • Conference paper
Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14082)

Abstract

We study the black-box function inversion problem, which is the problem of finding \(x \in [N]\) such that \(f(x) = y\), given as input some challenge point y in the image of a function \(f : [N] \rightarrow [N]\), using T oracle queries to f and preprocessed advice \(\sigma \in \{0,1\}^S\) depending on f. We prove a number of new results about this problem, as follows.

  1. We show an algorithm that works for any T and S satisfying

    $$ T S^2 \cdot \max \{S,T\} = \widetilde{\varTheta }(N^3) \; . $$

    In the important setting when \(S < T\), this improves on the celebrated algorithm of Fiat and Naor [STOC, 1991], which requires \(T S^3 \gtrsim N^3\). E.g., Fiat and Naor’s algorithm is only non-trivial for \(S \gg N^{2/3}\), while our algorithm gives a non-trivial tradeoff for any \(S \gg N^{1/2}\). (Our algorithm and analysis are quite simple. As a consequence of this, we also give a self-contained and simple proof of Fiat and Naor’s original result, with certain optimizations left out for simplicity.)

  2. We observe that there is a very simple non-adaptive algorithm (i.e., an algorithm whose ith query \(x_i\) is chosen based entirely on \(\sigma \) and y, and not on the \(f(x_1),\ldots , f(x_{i-1})\)) that improves slightly on the trivial algorithm. It works for any T and S satisfying \( S = \varTheta (N \log (N/T))\), for example, \(T = N /\mathrm {poly\,log}(N)\), \(S = \varTheta (N/\log \log N)\). This answers a question due to Corrigan-Gibbs and Kogan [TCC, 2019], who asked whether non-trivial non-adaptive algorithms exist; namely, algorithms that work with parameters T and S satisfying \(T + S/\log N < o(N)\). We also observe that our non-adaptive algorithm is what we call a guess-and-check algorithm, that is, it is non-adaptive and its final output is always one of the oracle queries \(x_1,\ldots , x_T\).

    For guess-and-check algorithms, we prove a matching lower bound, therefore completely characterizing the achievable parameters (S, T) for this natural class of algorithms. (Corrigan-Gibbs and Kogan showed that any such lower bound for arbitrary non-adaptive algorithms would imply new circuit lower bounds.)

  3. We show equivalence between function inversion and a natural decision version of the problem in both the worst case and the average case, and similarly for functions \(f : [N] \rightarrow [M]\) with different ranges. Some of these equivalence results are deferred to the full version [ECCC, 2022].

All of the above results are most naturally described in a model with shared randomness (i.e., random coins shared between the preprocessing algorithm and the online algorithm). However, as an additional contribution, we show (using a technique from communication complexity due to Newman [IPL, 1991]) how to generically convert any algorithm that uses shared randomness into one that does not.
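
The non-adaptive guess-and-check setting of item 2, as an added example that is not code from the paper: the abstract does not spell out the authors' algorithm, so this assumes one natural construction that meets \(S = \varTheta (N \log (N/T))\), in which the advice stores, for each y, the index of a T-sized block of [N] containing a preimage. The names `preprocess`, `invert`, `advice_bits` and `demo`, and the seeded sample function, are constructed for illustration.

```python
import math
import random

def preprocess(f, N, T):
    """Advice sigma: for every y in [N], the index of one T-sized block of
    [N] that contains a preimage of y (0 if y is not in the image)."""
    sigma = [0] * N
    for x in range(N):
        sigma[f[x]] = x // T
    return sigma

def advice_bits(N, T):
    """Size of sigma in bits: N entries of ceil(log2(#blocks)) bits each."""
    blocks = math.ceil(N / T)
    return N * max(1, math.ceil(math.log2(blocks)))

def invert(oracle, sigma, y, N, T):
    """Online phase. The query list depends only on sigma and y
    (non-adaptive), and the output is one of the queries (guess-and-check)."""
    b = sigma[y]
    queries = range(b * T, min((b + 1) * T, N))
    answers = [oracle(x) for x in queries]   # at most T oracle calls
    for x, fx in zip(queries, answers):
        if fx == y:
            return x
    return None                               # y was not in the image

def demo(N=4096, T=256, seed=1):
    """Constructed sample: a seeded random f : [N] -> [N]."""
    rng = random.Random(seed)
    f = [rng.randrange(N) for _ in range(N)]
    sigma = preprocess(f, N, T)
    calls = 0
    def oracle(x):
        nonlocal calls
        calls += 1
        return f[x]
    worst, ok = 0, True
    for y in set(f):                          # every challenge in the image
        calls = 0
        x = invert(oracle, sigma, y, N, T)
        ok = ok and x is not None and f[x] == y
        worst = max(worst, calls)
    # (all inverted?, worst-case queries, advice bits, bits of a full inverse table)
    return ok, worst, advice_bits(N, T), N * math.ceil(math.log2(N))

if __name__ == "__main__":
    print(demo())
```

With N = 4096 and T = 256 the advice takes 16384 bits, against 49152 bits for a full inverse table, and every challenge in the image is inverted with 256 queries.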

Notes

  1. However, a big part of the reason that advice is considered to be expensive is because memory is often considered to be more expensive than computing time. Unfortunately, though our algorithm can use much less than T bits of advice, our online algorithm still must use roughly T bits of space. So, though we do show an algorithm that uses less advice, we do not show an algorithm that uses less space.

  2. Admittedly, this simplicity is partially (though not entirely) due to the fact that we chose not to optimize for parameters other than S and T, while Fiat and Naor were quite careful to optimize, e.g., the actual running time and space of both the query algorithm and the preprocessing algorithm. See Sect. 1.4 for more discussion.

  3. In fact, we also missed this algorithm. An earlier version of this paper described a much more complicated algorithm that achieves the same parameters. We are very grateful to the anonymous CRYPTO reviewer who reviewed that version and discovered the simple algorithm.

  4. At first, this statement might sound trivial, since we started with an algorithm that works with shared randomness r, and we seem to have converted into an algorithm with more shared randomness. The difference, however, is in the order of quantifiers. In the shared randomness model, we ask that for any function f with high probability over the randomness r, the algorithm inverts f. Here, we show that with high probability over the random strings \(r_1,\ldots , r_k\), for every function f there exists i such that the algorithm inverts f with randomness \(r_i\).

  5. We are oversimplifying quite a bit here and leaving out many important details. Perhaps most importantly, we are assuming here for simplicity that the DFI oracle always outputs the correct answer, while Corrigan-Gibbs and Kogan worked with a much weaker DFI oracle. They were also careful to keep the domain of the functions \(f_i\) the same as the domain of the function f, while we are not concerned with this.

  6. Indeed, this is the whole purpose of this rather subtle construction of g (which is only a slight variant of the construction in Fiat and Naor [12])—to provide \(\mathcal {P}'\) and \(\mathcal {A}'\) with access to a shared random function from [N] to D without requiring \(\mathcal {A}'\) to make too many queries. Notice that this is non-trivial because the set D is not known to \(\mathcal {A}'\) and might not have a succinct description. (\(\mathcal {A}'\) instead only knows the image \(\widehat{L}\) of \([N] - D\) under f.)

  7. The requirement of uniqueness substantially simplifies the analysis. However, it is possible to use a weaker condition.

  8. We remark that the result for injective functions is very similar to [8, Theorem 8]. We simply include it for completeness.

  9. One could reduce the latter probability of failure to 0 with an adaptive reduction, but we prefer to keep the reduction non-adaptive with a small probability of error.

References

  1. Alon, N., Bruck, J., Naor, J., Naor, M., Roth, R.M.: Construction of asymptotically good low-rate error-correcting codes through pseudo-random graphs. IEEE Trans. Inf. Theory 38(2), 509–516 (1992)

  2. Barkan, E., Biham, E., Shamir, A.: Rigorous bounds on cryptanalytic time/memory tradeoffs. In: CRYPTO (2006)

  3. Chawin, D., Haitner, I., Mazor, N.: Lower bounds on the time/memory tradeoff of function inversion. In: TCC (2020)

  4. Chung, K.M., Guo, S., Liu, Q., Qian, L.: Tight quantum time-space tradeoffs for function inversion. In: FOCS (2020)

  5. Chung, K.M., Liao, T.N., Qian, L.: Lower bounds for function inversion with quantum advice. In: ITC (2020)

  6. Coretti, S., Dodis, Y., Guo, S.: Non-uniform bounds in the random-permutation, ideal-cipher, and generic-group models. In: CRYPTO (2018)

  7. Coretti, S., Dodis, Y., Guo, S., Steinberger, J.: Random oracles and non-uniformity. In: Eurocrypt (2018)

  8. Corrigan-Gibbs, H., Kogan, D.: The function-inversion problem: barriers and opportunities. In: TCC (2019)

  9. De, A., Trevisan, L., Tulsiani, M.: Time space tradeoffs for attacks against one-way functions and PRGs. In: CRYPTO (2010)

  10. Dodis, Y., Guo, S., Katz, J.: Fixing cracks in the concrete: random oracles with auxiliary input, revisited. In: EUROCRYPT (2017)

  11. Dvořák, P., Koucký, M., Král, K., Slívová, V.: Data structures lower bounds and popular conjectures. In: ESA (2021)

  12. Fiat, A., Naor, M.: Rigorous time/space tradeoffs for inverting functions. In: STOC (1991)

  13. Gennaro, R., Trevisan, L.: Lower bounds on the efficiency of generic cryptographic constructions. In: FOCS (2000)

  14. Golovnev, A., Guo, S., Horel, T., Park, S., Vaikuntanathan, V.: Data structures meet cryptography: 3SUM with preprocessing. In: STOC (2020)

  15. Golovnev, A., Guo, S., Peters, S., Stephens-Davidowitz, N.: Revisiting time-space tradeoffs for function inversion (2022). https://eccc.weizmann.ac.il/report/2022/145/

  16. Gravin, N., Guo, S., Kwok, T.C., Lu, P.: Concentration bounds for almost \(k\)-wise independence with applications to non-uniform security. In: SODA (2021)

  17. Hellman, M.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)

  18. Justesen, J.: Class of constructive asymptotically good algebraic codes. IEEE Trans. Inf. Theory 18(5), 652–656 (1972)

  19. MacWilliams, F.J., Sloane, N.J.A.: The theory of error-correcting codes. Elsevier (1977)

  20. Mitzenmacher, M., Upfal, E.: Probability and computing: Randomization and probabilistic techniques in algorithms and data analysis. Cambridge University Press (2017)

  21. Mulmuley, K., Vazirani, U.V., Vazirani, V.V.: Matching is as easy as matrix inversion. In: STOC (1987)

  22. Nayebi, A., Aaronson, S., Belovs, A., Trevisan, L.: Quantum lower bound for inverting a permutation with advice. Quantum Inf. Comput. 15(11–12), 901–913 (2015)

  23. Newman, I.: Private vs. common random bits in communication complexity. Inf. Process. Lett. 39(2), 67–71 (1991)

  24. Rao, A., Yehudayoff, A.: Communication Complexity and Applications. Cambridge University Press (2020)

  25. Spielman, D.A.: Linear-time encodable and decodable error-correcting codes. In: STOC (1995)

  26. Ta-Shma, N.: A simple proof of the isolation lemma (2015). https://eccc.weizmann.ac.il//report/2015/080/

  27. Unruh, D.: Random oracles and auxiliary input. In: CRYPTO (2007)

  28. Valiant, L.G., Vazirani, V.V.: NP is as easy as detecting unique solutions. In: STOC (1985)

  29. Wee, H.: On obfuscating point functions. In: STOC (2005)

  30. Yao, A.C.C.: Coherent functions and program checkers. In: STOC (1990)


Acknowledgements

Siyao Guo was supported by National Natural Science Foundation of China Grant No. 62102260, Shanghai Municipal Education Commission (SMEC) Grant No. 0920000169, NYTP Grant No. 20121201 and NYU Shanghai Boost Fund. Spencer Peters and Noah Stephens-Davidowitz were supported in part by the NSF under Grant No. CCF-2122230. We are indebted to all reviewers of this paper, but we would like to acknowledge specifically the anonymous CRYPTO reviewer who pointed out the existence of the very simple non-adaptive algorithm.

Corresponding author

Correspondence to Spencer Peters.

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Golovnev, A., Guo, S., Peters, S., Stephens-Davidowitz, N. (2023). Revisiting Time-Space Tradeoffs for Function Inversion. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14082. Springer, Cham. https://doi.org/10.1007/978-3-031-38545-2_15

  • DOI: https://doi.org/10.1007/978-3-031-38545-2_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38544-5

  • Online ISBN: 978-3-031-38545-2

  • eBook Packages: Computer Science, Computer Science (R0)
