Draft:Fiat-Naor Algorithm

Submission declined on 23 April 2024 by Stuartyeates (talk). This draft's references do not show that the subject qualifies for a Wikipedia article. In summary, the draft needs multiple published sources that are: in-depth (not just passing mentions about the subject) reliable secondary independent of the subject Make sure you add references that meet these criteria before resubmitting. Learn about mistakes to avoid when addressing this issue. If no additional references exist, the subject is not suitable for Wikipedia. This needs to start with a compressible explanation of what black-box function inversion is. An explanation grounded not in abstract math but in real-world problems. Then explain the work of Hellman and further work. If you would like to continue working on the submission, click on the "Edit" tab at the top of the window. If you have not resolved the issues listed above, your draft will be declined again and potentially deleted. If you need extra help, please ask us a question at the AfC Help Desk or get live help from experienced editors. Please do not remove reviewer comments or this notice until the submission is accepted. Where to get help If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews. If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed. How to improve a draft Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia. Help:Wikitext – how to use the markup Help:Referencing for beginners – how to include references Wikipedia:Article development – how to develop your article Wikipedia:Writing better articles – how to improve your article Wikipedia:Verifiability – make sure your article includes reliable third-party sources You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article. Improving your odds of a speedy review To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags. Add tags to your draft Editor resources Find sources: Google (books · news · scholar · free images · WP refs) · FENS · JSTOR · TWL Easy tools: Citation bot (help) | Advanced: Fix bare URLs Declined by Stuartyeates 20 days ago. Last edited by Stuartyeates 20 days ago. Reviewer: Inform author. Resubmit Please note that if the issues are not fixed, the draft will be declined again.

Fiat-Naor algorithm^[1][2] is an algorithm proposed by Amos Fiat and Moni Naor for black-box function inversion with preprocessing. In this problem, a computationally unbounded preprocessing algorithm is given a function ${\displaystyle f:[N]\to [N]}$ and outputs an advice of ${\displaystyle S}$ bits. Given the advice and the black-box access to ${\displaystyle f}$, an online algorithm is asked to invert ${\displaystyle f}$ at some point ${\displaystyle y}$ in time ${\displaystyle T}$. The goal is to obtain the best tradeoff between ${\displaystyle S}$ and ${\displaystyle T}$. Fiat-Naor algorithm works for every ${\displaystyle S}$ and ${\displaystyle T}$ satisfying ${\displaystyle S^{3}T={\tilde {\Omega }}(N^{3})}$ (where the ${\displaystyle {\tilde {\Omega }}}$-notation hides a poly-logarithmic factor). This is essentially the best known tradeoff for this problem so far.

Problem Description

The task of black-box function inversion with preprocessing is as follows. In the preprocessing stage, a computationally unbounded preprocessing algorithm ${\displaystyle {\mathcal {P}}}$ is given a function ${\displaystyle f:[N]\to [N]}$, where ${\displaystyle [N]}$ denotes the set ${\displaystyle \{1,2,\dotsc ,N\}}$, and outputs an advice ${\displaystyle \sigma }$ of ${\displaystyle S}$ bits. In the online stage, an online algorithm ${\displaystyle {\mathcal {A}}}$ is given the black-box access to ${\displaystyle f}$, the advice ${\displaystyle \sigma }$, and some point ${\displaystyle y}$ in the image of ${\displaystyle f}$ and is asked to find ${\displaystyle x}$ such that ${\displaystyle f(x)=y}$ in time ${\displaystyle T}$. Black-box access to ${\displaystyle f}$ allows ${\displaystyle {\mathcal {A}}}$ to query any ${\displaystyle z\in [N]}$ and obtain ${\displaystyle w=f(z)}$.

Naive Solutions

There are two naive solutions.

• ${\displaystyle {\mathcal {P}}}$ does nothing. ${\displaystyle {\mathcal {A}}}$ makes different queries to ${\displaystyle f}$ until it finds an ${\displaystyle x}$ such that ${\displaystyle f(x)=y}$. This gives us ${\displaystyle S=\Theta (1)}$ and ${\displaystyle T=\Theta (N)}$.
• ${\displaystyle {\mathcal {P}}}$ outputs a look-up table that stores every ${\displaystyle y}$ in the image of ${\displaystyle f}$ with a preimage. ${\displaystyle {\mathcal {A}}}$ just searches in the table. This gives us ${\displaystyle S=\Theta (N)}$ and ${\displaystyle T={\tilde {\Theta }}(1)}$.

Combining two solutions we get an algorithm working for every ${\displaystyle S+T={\tilde {\Theta }}(N)}$ in general.

Inverting Random Functions

Martin Hellman^[3] was the first who studied inverting functions with preprocessing. His algorithm, later made rigorous by Fiat and Naor,^[1] can invert a random function ${\displaystyle f}$ with high probability over the choice of ${\displaystyle f}$ for every ${\displaystyle S}$ and ${\displaystyle T}$ satisfying ${\displaystyle S^{2}T={\tilde {\Omega }}(N^{2})}$. However, it does not work with arbitrary functions.

Lower Bound

Andrew Yao^[4] proved a lower bound of ${\displaystyle ST={\tilde {\Omega }}(N)}$ for function inversion.

Algorithm Description

Fiat-Naor algorithm inverts arbitrary function ${\displaystyle f}$ at any image with probability ${\displaystyle 1-O(1/N)}$ over the randomness of preprocessing algorithm ${\displaystyle {\mathcal {P}}}$. The algorithm works as follows.

• Preprocessing algorithm ${\displaystyle {\mathcal {P}}(f)}$: Uniformly choose ${\displaystyle z_{1},\dotsc ,z_{l}}$ from ${\displaystyle [N]}$ and store ${\displaystyle (z_{1},f(z_{1})),\dotsc ,(z_{l},f(z_{l}))}$ in a look-up table ${\displaystyle L}$. Define ${\displaystyle D=\{x\in [N]:f(x)\neq f(z_{1}),\dotsc ,f(z_{l})\}}$. Let ${\displaystyle t=\lceil |D|\log N/l\rceil }$ and ${\displaystyle J=\lceil 2N\log N/|D|\rceil }$. Choose ${\displaystyle g_{1},\dotsc ,g_{r}:[N]\times [J]\to [N]}$ from a hash function family ${\displaystyle G}$. Run subroutine ${\displaystyle {\mathcal {P}}'}$ given ${\displaystyle D,J,t,g_{i}}$ for ${\displaystyle i=1,\dotsc ,r}$ to obtain ${\displaystyle C_{1},\dotsc ,C_{r}}$. The advice ${\displaystyle \sigma }$ contains ${\displaystyle L,|D|,g_{1},C_{1},\dotsc ,g_{r},C_{r}}$.
  • Subroutine ${\displaystyle {\mathcal {P}}'(D,J,t,g)}$: Define function ${\displaystyle g^{*}:[N]\to D}$ as ${\displaystyle g^{*}(x)=g(x,j)}$ where ${\displaystyle j}$ is the smallest number in ${\displaystyle [J]}$ such that ${\displaystyle g(x,j)\in D}$. Let function ${\displaystyle h=g^{*}\circ f}$. Uniformly choose ${\displaystyle w_{1},\dotsc ,w_{m}}$ from ${\displaystyle D}$. Store ${\displaystyle (w_{1},h^{t}(w_{1}))\dotsc ,(w_{m},h^{t}(w_{m}))}$ in a look-up table ${\displaystyle C}$. Here ${\displaystyle h^{t}(w)}$ denotes the result of iteratively evaluating ${\displaystyle h}$ for ${\displaystyle t}$ times starting from ${\displaystyle w}$.

• Online algorithm ${\displaystyle {\mathcal {A}}^{f}(\sigma ,y)}$: Search in the look-up table ${\displaystyle L}$ for an entry in the form of ${\displaystyle (z,y)}$. If such an entry exists, output ${\displaystyle z}$. Otherwise, calculate ${\displaystyle t}$ and ${\displaystyle J}$ from ${\displaystyle |D|}$ as in ${\displaystyle {\mathcal {P}}}$. Run subroutine ${\displaystyle {\mathcal {A}}'}$ given ${\displaystyle L,J,t,g_{i},C_{i},y}$ for ${\displaystyle i=1,\dotsc ,r}$. If a solution is found in the subroutine, output it.
  • Subroutine ${\displaystyle {\mathcal {A}}'^{f}(L,J,t,g,C,y)}$: Define ${\displaystyle g^{*}}$ and ${\displaystyle h}$ as in ${\displaystyle {\mathcal {P}}'}$. Note that evaluating ${\displaystyle g^{*}}$ requires checking whether ${\displaystyle g(x,j)\in D}$. ${\displaystyle {\mathcal {A}}'}$ can do so by checking if ${\displaystyle f(g(x,j))}$ is stored as an image in ${\displaystyle L}$. Starting from ${\displaystyle f(g(y))}$, iteratively evaluate ${\displaystyle h}$ for ${\displaystyle t}$ steps. In each step, if reaching some ${\displaystyle h^{t}(w_{i})}$ stored in ${\displaystyle C}$, immediately jump to the corresponding ${\displaystyle w_{i}}$. If reaching ${\displaystyle f(g(y))}$ again, output the immediate predecessor.

Parameters

The algorithm takes a space parameter ${\displaystyle {\tilde {S}}}$ and a time parameter ${\displaystyle {\tilde {T}}}$, which will be different from the actual space ${\displaystyle S}$ and ${\displaystyle T}$ by some poly-logarithmic factor in ${\displaystyle N}$, respectively. ${\displaystyle {\tilde {S}}}$ and ${\displaystyle {\tilde {T}}}$ decide other parameters as follows, where notation ${\displaystyle \approx }$ hides constant factors.

• ${\displaystyle l\approx {\tilde {S}}\log N}$
• ${\displaystyle m\approx N/{\tilde {T}}}$
• ${\displaystyle r\approx {\tilde {S}}{\tilde {T}}\log N/N}$

${\displaystyle G}$ is required to be a family of ${\displaystyle k}$-wise independent hash functions for some ${\displaystyle k\approx N/{\tilde {S}}}$, each with a ${\displaystyle {\tilde {O}}(1)}$-space description. Functions ${\displaystyle g_{1},\dotsc ,g_{r}}$ are chosen in some way such that they are pairwise independent, and the evaluation of these function takes amortized ${\displaystyle {\tilde {O}}(1)}$ time. Fiat and Naor gave such a construction, in which these functions are not fully independent to achieve the amortized ${\displaystyle {\tilde {O}}(1)}$ time.

Explanation

Subroutines: Hellman's Algorithm

The subroutines in Fiat-Naor algorithm is built on Hellman's algorithm for inverting random function.^[3]

The main idea of preprocessing is to build ${\displaystyle m}$ chains of length ${\displaystyle t}$ in the form of ${\displaystyle w,f(w),f^{2}(w),\dotsc ,f^{t}(w)}$ and store the starting point ${\displaystyle w}$ and ending point ${\displaystyle f^{t}(w)}$ in a loop-up table ${\displaystyle C}$ as the advice. On input ${\displaystyle y}$, the online algorithm iteratively evaluate ${\displaystyle f}$. In each step, if it reaches an endpoint ${\displaystyle f^{t}(w)}$ of some chain, it immediately jump back to the starting point ${\displaystyle w}$. If ${\displaystyle y}$ is covered by some chain (not as a starting point), then the algorithm will reach ${\displaystyle y}$ again in ${\displaystyle t}$ step and find the preimage, which is the immediate predecessor of ${\displaystyle y}$ is this chain.

Probability analysis shows that with ${\displaystyle mt^{2}=O(N)}$, we can ensure that there are few enough collisions in ${\displaystyle m}$ chains with randomly chosen starting points, so that these chains cover ${\displaystyle \Theta (mt)}$ distinct values. This allows inverting ${\displaystyle f}$ at a ${\displaystyle \Theta (mt/N)}$-fraction of points.

It remains to amplify the success probability. For this purpose, the above algorithm is not directly applied to ${\displaystyle f}$, but to ${\displaystyle h=g\circ f}$ re-randomized by a random function ${\displaystyle g}$. Then by repeating ${\displaystyle r\approx N\log N/mt}$ times with independently chosen ${\displaystyle g_{1},\dotsc ,g_{r}}$, every possible input ${\displaystyle y}$ is covered at least once with probability ${\displaystyle 1-O(1/N)}$. Hellman's algorithm uses space ${\displaystyle S={\tilde {O}}(rm)={\tilde {O}}(N/t)}$ and ${\displaystyle T={\tilde {O}}(rt)={\tilde {O}}(N/m)}$ (where ${\displaystyle {\tilde {O}}}$-notation hides poly-logarithmic factors in ${\displaystyle N}$), so ${\displaystyle S^{2}T={\tilde {\Omega }}(N^{2})}$ is sufficient to let ${\displaystyle mt^{2}=O(N)}$.

Since a random function ${\displaystyle g}$ is unlikely to have a succinct description, Hellman suggested heauristically using some function family ${\displaystyle G}$. Fiat and Naor made this argument rigorous with their construction of ${\displaystyle G}$. They also showed that in general, for every function ${\displaystyle f}$ where every image has at most ${\displaystyle N/q}$ preimages, Hellman's algorithm works if ${\displaystyle mt^{2}\approx q}$ and thus for every ${\displaystyle S}$ and ${\displaystyle T}$ satisfying ${\displaystyle S^{2}T={\tilde {\Omega }}(qN^{2})}$.

Handle Images with Many Preimages

Hellman's algorithm does not obtain a good tradeoff when there are some elements with many preimages, which makes ${\displaystyle q}$ big. This case has to be handled to invert arbitrary functions.

The look-up table ${\displaystyle L}$ is exactly for this purpose. It contains random elements and their images. These images can be inverted by searching in ${\displaystyle L}$. It remains to handle images not included in ${\displaystyle L}$, that is function ${\displaystyle f}$ over the remaining domain ${\displaystyle D=\{x\in [N]:f(x)\neq f(z_{1}),\dotsc ,f(z_{l})\}}$. Since ${\displaystyle l\approx {\tilde {S}}\log N}$, with probability ${\displaystyle 1-O(1/N)}$, every image of ${\displaystyle f}$ with more than ${\displaystyle N/{\tilde {S}}}$ preimages are contained in ${\displaystyle L}$. Therefore, the remaining images have relatively few preiamges and can be inverted using Hellman's algorithm.

To apply Hellman's algorithm over a partial domain ${\displaystyle D}$, we use a function ${\displaystyle g*:[N]\to D}$ to re-randomize ${\displaystyle f}$. Then function ${\displaystyle h=g^{*}\circ f}$ becomes a function inside ${\displaystyle D}$. Note that hashing to arbitrary subset ${\displaystyle D}$ is difficult. For this reason, ${\displaystyle g^{*}}$ is designed as ${\displaystyle g^{*}(x)=g(x,j)}$ where ${\displaystyle j}$ is the smallest number in ${\displaystyle [J]}$ such that ${\displaystyle g(x,j)\in D}$. The online algorithm has to query ${\displaystyle f(g(x,j))}$ to check whether ${\displaystyle g(x,j)\in D}$, so it makes at most ${\displaystyle J}$ more queries to evaluate ${\displaystyle h}$.

Since every image of ${\displaystyle D}$ has at most ${\displaystyle {\tilde {S}}}$, setting ${\displaystyle mt^{2}=O({\tilde {S}})}$ can guarantee that ${\displaystyle \Theta (mt)}$ elements of ${\displaystyle D}$ are covered in each subroutine. Thus ${\displaystyle r\approx {\tilde {S}}{\tilde {T}}\log N/N\approx |D|\log N/mt}$ repetitions can amplify the success probability for every image to ${\displaystyle 1-O(1/N)}$. The actual space and time are ${\displaystyle S=O(l+rm)={\tilde {O}}({\tilde {S}})}$ and ${\displaystyle T={\tilde {O}}(rtJ)={\tilde {O}}({\tilde {T}})}$. By setting ${\displaystyle S^{3}T={\tilde {\Omega }}(N^{3})}$, it is guaranteed that

$${\displaystyle mt^{2}\approx N/{\tilde {T}}\cdot (|D|\log N/l)^{2}\approx N/{\tilde {T}}\cdot (|D|/{\tilde {S}})^{2}<N^{3}/({\tilde {T}}{\tilde {S}}^{2})={\tilde {O}}(S).}$$

Applications

The line of research in function inversion has developed practical tools for cryptanalysis, such as Rainbow table.^[5] Because of the generality of function inversion, Fiat-Naor algorithm can be applied to other data structure problems such as string searching^[6] and 3SUM-Indexing.^[7][8] It is also applied to computational complexity to beat some conjectured lower bounds.^[9][10]

References

1. Fiat, Amos; Naor, Moni (1991-01-03). "Rigorous time/Space tradeoffs for inverting functions". Proceedings of the twenty-third annual ACM symposium on Theory of computing - STOC '91. New York, NY, USA: Association for Computing Machinery. pp. 534–541. doi:10.1145/103418.103473. ISBN 978-0-89791-397-3.
2. Fiat, Amos; Naor, Moni (January 2000). "Rigorous Time/Space Trade-offs for Inverting Functions". SIAM Journal on Computing. 29 (3): 790–803. doi:10.1137/S0097539795280512. ISSN 0097-5397.
3. Hellman, M. (July 1980). "A cryptanalytic time-memory trade-off". IEEE Transactions on Information Theory. 26 (4): 401–406. doi:10.1109/TIT.1980.1056220. ISSN 0018-9448.
4. Yao, A. C.-C. (1990-04-01). "Coherent functions and program checkers". Proceedings of the twenty-second annual ACM symposium on Theory of computing - STOC '90. New York, NY, USA: Association for Computing Machinery. pp. 84–94. doi:10.1145/100216.100226. ISBN 978-0-89791-361-4.
5. Oechslin, Philippe (2003). "Making a Faster Cryptanalytic Time-Memory Trade-Off". In Boneh, Dan (ed.). Advances in Cryptology - CRYPTO 2003. Lecture Notes in Computer Science. Vol. 2729. Berlin, Heidelberg: Springer. pp. 617–630. doi:10.1007/978-3-540-45146-4_36. ISBN 978-3-540-45146-4.
6. Corrigan-Gibbs, Henry; Kogan, Dmitry (2019). "The Function-Inversion Problem: Barriers and Opportunities". In Hofheinz, Dennis; Rosen, Alon (eds.). Theory of Cryptography. Lecture Notes in Computer Science. Vol. 11891. Cham: Springer International Publishing. pp. 393–421. doi:10.1007/978-3-030-36030-6_16. ISBN 978-3-030-36030-6.
7. Golovnev, Alexander; Guo, Siyao; Horel, Thibaut; Park, Sunoo; Vaikuntanathan, Vinod (2020-06-22). "Data structures meet cryptography: 3SUM with preprocessing". Proceedings of the 52nd Annual ACM SIGACT Symposium on Theory of Computing. STOC 2020. New York, NY, USA: Association for Computing Machinery. pp. 294–307. doi:10.1145/3357713.3384342. hdl:1721.1/137337.3. ISBN 978-1-4503-6979-4.
8. Kopelowitz, Tsvi; Porat, Ely (2019-07-25), The Strong 3SUM-INDEXING Conjecture is False, arXiv:1907.11206
9. Mazor, Noam; Pass, Rafael (2024). "The Non-Uniform Perebor Conjecture for Time-Bounded Kolmogorov Complexity Is False". Venkatesan Guruswami. Schloss Dagstuhl – Leibniz-Zentrum für Informatik: 20 pages, 864706 bytes. doi:10.4230/LIPICS.ITCS.2024.80. ISSN 1868-8969. {{cite journal}}: Cite journal requires |journal= (help)
10. Hirahara, Shuichi; Ilango, Rahul; Williams, Ryan (2023-11-15), Beating Brute Force for Compression Problems, retrieved 2024-04-22