A General Hard-core Predicate from Any OWF

Part of the document 2.a course in cryptography (pages 98 - 103)


3.4 Hard-Core Bits from Any OWF

3.4.2 A General Hard-core Predicate from Any OWF

In other words, r decides which bits of x to take parity on.

3.4. Hard-Core Bits from Any OWF 87

Theorem 87.3 Let f be a OWF (OWP) and define the function g(x, r) = (f(x), r) where |x| = |r|. Then g is a OWF (OWP) and h(x, r) = ⟨x, r⟩ is a hardcore predicate for f.

3.4.3 *Proof of Theorem 87.3

Proof. We show that if A, given g(x, r), can compute h(x, r) with probability non-negligibly better than 1/2, then there exists a p.p.t. adversary B that inverts f. More precisely, we use A to construct a machine B that on input y = f(x) recovers x with non-negligible probability, which contradicts the one-wayness of f. The proof is fairly involved. To provide intuition, we first consider two simplified cases.

Oversimplified case: assume A always computes h(x, r) correctly. (Note that this is oversimplified, as we only know that A computes h(x, r) with probability non-negligibly better than 1/2.) In this case the following simple procedure recovers x: B on input y lets x_i = A(y, e_i), where e_i = 00..010.. is an n-bit string with the only 1 being in position i, and outputs x_1, x_2, ..., x_n. This clearly works, since by definition ⟨x, e_i⟩ = x_i and by our assumption A(f(x), r) = ⟨x, r⟩.

Less simplified case: assume A computes h(x, r) with probability 3/4 + ε(n) where ε(n) = 1/poly(n). In this case, the above algorithm of simply querying A with y, e_i no longer works, for two reasons:

1. A might not work for all y's,

2. even if A predicts h(x, r) with high probability for a given y but a random r, it might still fail on the particular r = e_i.

To get around the first problem, we show that for a reasonable fraction of x's, A does work with high probability. We first define the "good set" of instances

$$S = \left\{ x \;\middle|\; \Pr\left[r \leftarrow \{0,1\}^n : A(f(x), r) = h(x, r)\right] > \frac{3}{4} + \frac{\varepsilon}{2} \right\}$$

Let us first argue that Pr[x ∈ S] ≥ ε/2. Suppose, for the sake of contradiction, that it is not. Then we have

$$\begin{aligned}
&\Pr\left[x, r \leftarrow \{0,1\}^n : A(f(x), r) = h(x, r)\right] \\
&\quad \le \left(\Pr[x \in S] \cdot 1\right) + \left(\Pr[x \notin S] \cdot \Pr\left[A(f(x), r) = h(x, r) \mid x \notin S\right]\right) \\
&\quad < \frac{\varepsilon}{2} + \left(1 - \frac{\varepsilon}{2}\right) \cdot \left(\frac{3}{4} + \frac{\varepsilon}{2}\right) \\
&\quad < \frac{3}{4} + \varepsilon
\end{aligned}$$

which contradicts our assumption. The second term on the third line of the derivation follows because, by definition of S, when x ∉ S, A succeeds with probability less than 3/4 + ε/2.

The second problem is more subtle. To get around it, we "obfuscate" the queries y, e_i and rely on the linearity of the inner product operation. The following simple fact is useful.

Fact 88.4 ⟨a, b ⊕ c⟩ = ⟨a, b⟩ ⊕ ⟨a, c⟩ mod 2

Proof.

$$\langle a, b \oplus c\rangle = \sum_i a_i (b_i + c_i) = \sum_i a_i b_i + \sum_i a_i c_i = \langle a, b\rangle + \langle a, c\rangle \bmod 2$$

Now, rather than asking A to recover ⟨x, e_i⟩, we instead pick a random string r and ask A to recover ⟨x, r⟩ and ⟨x, r ⊕ e_i⟩, and compute the XOR of the answers. If A correctly answers both queries, then the i'th bit of x can be recovered. More precisely, B(y) proceeds as follows:

Algorithm 88.5: B(y)

    m ← poly(1/ε)
    for i = 1, 2, ..., n do
        for j = 1, 2, ..., m do
            Pick random r ← {0,1}^n
            Set r' ← e_i ⊕ r
            Compute a guess g_{i,j} for x_i as A(y, r) ⊕ A(y, r')
        end for
        x_i ← majority(g_{i,1}, ..., g_{i,m})
    end for
    Output x_1, ..., x_n.

Note that for a "good" x (i.e., x ∈ S) it holds that:

• with probability at most 1/4 − ε/2, A(y, r) ≠ h(x, r)

• with probability at most 1/4 − ε/2, A(y, r') ≠ h(x, r')

It follows by the union bound that with probability at least 1/2 + ε both answers of A are correct. Since ⟨x, r⟩ ⊕ ⟨x, r'⟩ = ⟨x, r ⊕ r'⟩ = ⟨x, e_i⟩, each guess g_{i,j} is correct with probability 1/2 + ε. Since algorithm B attempts poly(1/ε) independent guesses and finally takes a majority vote, it follows using the Chernoff bound that every bit x_i computed by B is correct with high probability.

Thus, for a non-negligible fraction of x's, B inverts f, which is a contradiction.

The general case. We proceed to the most general case. Here, we simply assume that A, given random y = f(x) and random r, computes h(x, r) with probability 1/2 + ε (where ε = 1/poly(n)). As before, define the set of good cases as

$$S = \left\{ x \;\middle|\; \Pr\left[A(f(x), r) = h(x, r)\right] > \frac{1}{2} + \frac{\varepsilon}{2} \right\}$$

It again follows that Pr[x ∈ S] ≥ ε/2. To construct B, let us first assume that B can call a subroutine C that on input f(x) produces samples

$$(b_1 = \langle x, r_1\rangle, r_1), \ldots, (b_m = \langle x, r_m\rangle, r_m)$$

where r_1, ..., r_m are independent and random. Consider the following procedure B(y):

Algorithm 89.6: B(y) for the general case

    m ← poly(1/ε)
    for i = 1, 2, ..., n do
        (b_1, r_1), ..., (b_m, r_m) ← C(y)
        for j = 1, 2, ..., m do
            Let r'_j = e_i ⊕ r_j
            Compute g_{i,j} = b_j ⊕ A(y, r'_j)
        end for
        Let x_i ← majority(g_{i,1}, ..., g_{i,m})
    end for
    Output x_1, ..., x_n.

Given an x ∈ S, it follows that each guess g_{i,j} is correct with probability 1/2 + ε/2 = 1/2 + ε'. We can now again apply the Chernoff bound to show that x_i is wrong with probability ≤ 2^{−ε'^2 m}. Thus, as long as m ≫ 1/ε'^2, we can recover all x_i. The only problem is that B uses the magical subroutine C.

Thus, it remains to show how C can be implemented. As an intermediate step, suppose that C were to produce samples (b_1, r_1), ..., (b_m, r_m) that were only pairwise independent (instead of being completely independent). It follows by the Pairwise-Independent Sampling inequality that each x_i is wrong with probability at most (1 − 4ε'^2)/(4mε'^2) ≤ 1/(mε'^2). By the union bound, any of the x_i is wrong with probability at most n/(mε'^2), which is less than 1/2 when m ≥ 2n/ε'^2. Thus, if we could get 2n/ε'^2 pairwise independent samples, we would be done. So, where can we get them from?

A simple approach to generating these samples would be to pick r_1, ..., r_m at random and guess b_1, ..., b_m randomly. However, the b_i would all be correct only with probability 2^{−m}. A better idea is to pick log(m) samples s_1, ..., s_{log(m)} and guess b'_1, ..., b'_{log(m)}; here the guess is correct with probability 1/m. Now, generate r_1, r_2, ..., r_{m−1} as all possible sums (modulo 2) of subsets of s_1, ..., s_{log(m)}, and b_1, b_2, ..., b_{m−1} as the corresponding sums of the b'_j. That is,

$$r_i = \sum_{j \in I_i} s_j, \qquad b_i = \sum_{j \in I_i} b'_j, \qquad \text{where } j \in I_i \text{ iff } i_j = 1 \text{ (} i_j \text{ denoting the } j\text{-th bit of } i\text{)}$$

It is not hard to show that these r_i are pairwise independent samples (show this!). Yet with probability 1/m, all guesses for b'_1, ..., b'_{log(m)} are correct, which means that b_1, ..., b_{m−1} are also correct.

Thus, for a fraction ε' of x's it holds that with probability 1/m, the algorithm B inverts f with probability 1/2. That is, B
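Both reconstruction procedures above, Algorithm 88.5 for the 3/4 + ε case and Algorithm 89.6 with the subset-sum subroutine C for the general case, run against a simulated adversary, as an added Python example that is not from the book. The oracle (a deterministic, pseudo-random error set of density about 1 − p built from SHA-256 and the key strings), the toy length N = 16 and the demo inputs are my assumptions; the general-case run feeds C the lucky guess b'_j = ⟨x, s_j⟩ that B hits with probability 1/m.

```python
import hashlib
import random
N = 16  # bit length of x; a constructed toy size, not from the text

def ip(a, b):
    """The predicate h: <a, b> = sum_i a_i b_i mod 2 over 0/1 lists."""
    return sum(u & v for u, v in zip(a, b)) % 2

def make_oracle(x, p, key):
    """Simulated A(y, r): right on all but a fixed pseudo-random ~(1-p) fraction of r's."""
    def A(r):
        wrong = hashlib.sha256(key + bytes(r)).digest()[0] < int(256 * (1 - p))
        return ip(x, r) ^ int(wrong)  # peeks at x only to realise that error rate
    return A

def majority(bits):
    return int(2 * sum(bits) > len(bits))

def flip(r, i):  # e_i XOR r
    return r[:i] + [r[i] ^ 1] + r[i + 1:]

def invert_34(A, m, rng):
    """Algorithm 88.5: fresh r per guess; A(y, r) XOR A(y, e_i XOR r) = x_i if both right."""
    x = []
    for i in range(N):
        rs = [[rng.randrange(2) for _ in range(N)] for _ in range(m)]
        x.append(majority([A(r) ^ A(flip(r, i)) for r in rs]))
    return x

def samples_C(seeds, bguess):
    """Subroutine C: r_i = XOR of s_j, b_i = XOR of b'_j over I_i = {j : bit j of i is 1}."""
    out = []
    for i in range(1, 2 ** len(seeds)):  # all nonempty subsets, i = 1..2^k - 1
        r, b = [0] * N, 0
        for j, s in enumerate(seeds):
            if (i >> j) & 1:
                r, b = [u ^ v for u, v in zip(r, s)], b ^ bguess[j]
        out.append((b, r))
    return out

def invert_general(A, pairs):
    """Algorithm 89.6: one sample set, vote on b_j XOR A(y, e_i XOR r_j)."""
    return [majority([b ^ A(flip(r, i)) for b, r in pairs]) for i in range(N)]

def demo(seed=1, k=8):
    """Constructed x and seeds; C is fed the lucky guess b'_j = <x, s_j> (prob. 1/m)."""
    rng = random.Random(seed)
    x = [rng.randrange(2) for _ in range(N)]
    seeds = [[rng.randrange(2) for _ in range(N)] for _ in range(k)]
    x34 = invert_34(make_oracle(x, 0.75 + 0.1, b"k34"), 2 ** k, rng)
    pairs = samples_C(seeds, [ip(x, s) for s in seeds])
    return x, x34, invert_general(make_oracle(x, 0.5 + 0.2, b"k12"), pairs)
```

demo() returns x alongside the two recovered strings; with the default seed both equal x, and changing a key string changes which r's the simulated A answers wrongly.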
