Linear Programming Relaxations for Goldreich's Generators over Non-Binary Alphabets

TL;DR

This paper analyzes the effectiveness of linear programming relaxations in breaking non-binary Goldreich's generators, establishing a precise threshold for when such attacks can recover input variables based on generator parameters.

Contribution

It extends the analysis of Goldreich's generator to non-binary alphabets and derives a tight threshold for LP relaxation success using combinatorial stopping set structures.

Findings

LP relaxation can recover linearly many variables above the threshold

LP relaxation fails to recover a fraction of variables below the threshold

The threshold depends on generator parameters and known input variables

Abstract

Goldreich suggested candidates of one-way functions and pseudorandom generators included in $\mathsf{NC}^0$. It is known that randomly generated Goldreich's generator using $(r-1)$-wise independent predicates with $n$ input variables and $m=C n^{r/2}$ output variables is not pseudorandom generator with high probability for sufficiently large constant $C$. Most of the previous works assume that the alphabet is binary and use techniques available only for the binary alphabet. In this paper, we deal with non-binary generalization of Goldreich's generator and derives the tight threshold for linear programming relaxation attack using local marginal polytope for randomly generated Goldreich's generators. We assume that $u(n)\in \omega(1)\cap o(n)$ input variables are known. In that case, we show that when $r\ge 3$, there is an exact threshold $\mu_\mathrm{c}(k,r):=\binom{k}{r}^{-1}\frac{(r-2)^{r-2}}{r(r-1)^{r-1}}$ such that for $m=\mu\frac{n^{r-1}}{u(n)^{r-2}}$, the LP relaxation can determine linearly many input variables of Goldreich's generator if $\mu>\mu_\mathrm{c}(k,r)$, and that the LP relaxation cannot determine $\frac1{r-2} u(n)$ input variables of Goldreich's generator if $\mu<\mu_\mathrm{c}(k,r)$. This paper uses characterization of LP solutions by combinatorial structures called stopping sets on a bipartite graph, which is related to a simple algorithm called peeling algorithm.