Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Hardness of Learning Problems over Burnside Groups of Exponent 3
Document related concepts
Transcript
Hardness of Learning Problems over Burnside Groups of Exponent 3
Abstract
In this work we investigate the hardness of a computational problem introduced in the
recent work of Baumslag et al. in [5, 6]. In particular, we study the Bn -LHN problem, which is
a generalized version of the learning with errors (LWE) problem, instantiated with a particular
family of non-abelian groups (free Burnside groups of exponent 3). In our main result, we
demonstrate a random self-reducibility property for Bn -LHN. Along the way, we also prove a
sequence of lemmas regarding homomorphisms of free Burnside groups of exponent 3 that may
be of independent interest.
Keywords. Random self-reducibility. Learning with errors. Post-quantum cryptography. Non-commutative
cryptography. Burnside groups.
1
Introduction
Motivation & Background. Recently, Baumslag et al. [5, 6] proposed a generalization of the
learning parity with noise (LPN) [2, 19, 9] and learning with errors (LWE) [24, 23, 20, 3] problems
to an abstract class of group-theoretic learning problems. The work of [5, 6] showed that this
generalized problem, termed learning homomorphisms with noise (LHN), suffices for a number of
basic cryptographic primitives (e.g., symmetric encryption). Besides capturing LPN and LWE as
special cases, it also allows instantiations based on non-abelian groups. This generalization opens
up new terrain for the discovery of computationally hard problems of cryptographic import based on
combinatorial group theory. Such advancements would not only diversify the set of cryptographic
intractability assumptions, but would do so along a direction in which quantum computing is not
known to bring substantial improvements over classical computing.
The specific combinatorial instantiation studied in [5, 6] is based on a class of finite groups known
as free Burnside groups. Burnside groups are in some sense the “most general” groups for which
every element has a finite order dividing some constant n; for prime n, they can be thought of as a
generalization of elementary abelian groups resulting from forgoing commutativity. While a number
of cryptographic aspects of the learning Burnside homomorphisms with noise problem (Bn -LHN for
short) were addressed in [5] several important matters were left open; perhaps the most prominent
being the question of complexity reductions (e.g., worst-case to average-case reductions). Our work
makes progress in this direction by showing a random self-reducibility property for Bn -LHN.
Random self-reducibility. Since any practical implementation of a cryptographic scheme must
include an algorithm which generates hard problem instances, it is desirable that such instances
do not take much effort to find. One notion that in some sense captures this idea is that of
random self-reducibility (cf. e.g., [12]). Roughly speaking, a random self-reducibility property
makes an assertion about the average-case hardness of a computational problem. In particular, it
says that solving the problem on a random instance is not any easier than solving the problem on an
arbitrary instance. Hence, if a computational problem satisfies random self-reducibility, it is a trivial
matter to sample “good” instances: a random instance will suffice. Furthermore, as noted e.g.,
in [12], computational problems enjoying random self-reducibility have found several applications
1
in cryptography and complexity theory, including interactive proof systems [15], program checkers
[10], instance-hiding schemes [1, 7, 8] and complexity lower bounds [4].
Indeed, random self-reducibility is one of the hallmarks of intractability assumptions that have
withstood the test of time. Notable examples include the RSA problem [25]; the discrete logarithm problem and the Diffie-Hellman problem [11]; the quadratic residuosity assumption [14]; the
composite residuosity assumption [22]; and the learning with errors (LWE) problem [24]. As it
turns out, however, random self-reducibility properties come in several shapes. For example, the
type of random self-reducibility enjoyed by the LWE is, in a sense, the strongest, in that the secret
key itself can be randomized: given instances relative to a secret s, new instances relative to a
uniformly random secret s0 can be constructed in a way that solutions to the latter yield solutions
to the former. This is a more complete form of random self-reducibility than what is known for
many number-theoretic assumptions, like RSA, where it is possible to randomize individual instances based on a given private key, but for which there is no apparent way to re-randomize the
key itself. More concretely, given an instance c = me mod n, one can compute a new instance
c0 = cre mod n = (mr)e mod n, whose solution (together with knowledge of r) yields a solution
for c, yet there is no apparent way to find a connected instance relative to a different modulus
n0 6= n. We stress that the reduction shown in our work is of the LWE type: the worst-case to
average-case reduction applies to the secret keys.
Our Contributions. In this paper, we make progress towards understanding the computational
hardness of learning Burnside homomorphisms with noise. In particular, we establish a random
self-reducibility property for Bn -LHN, by showing that learning under uniform surjective secret
homomorphisms is no easier than learning under an arbitrary one. Along the way, we prove a
number of technical lemmas regarding homomorphisms of free Burnside groups of exponent 3 that
allow one to deduce various properties of these groups and their morphisms from the analogous
properties of their abelianized counterparts. Finally, we present a limited form of a search-todecision reduction for Bn -LHN.
Organization. Section 2 briefly reviews basic notions from group-theory, while Section 3 provides
some background on free Burnside groups of exponent 3. The learning Burnside homomorphisms
with noise (Bn -LHN) problem is defined in Section 4. Section 5 presents the random self-reducibility
result for Bn -LHN. Section 6 looks into the relationship between the search and decision versions
of Bn -LHN, and Section 7 concludes.
2
Background: Group Theory
Free groups. If X is a subset of a group G, let X −1 = {x−1 | x ∈ X}. An expression w of the
form a1 . . . an (n ≥ 0, ai ∈ X ∪ X −1 ) is termed a word or an X-word. Such an X-word is said
to be reduced if n > 0 and no subword ai ai+1 takes either of the forms xx−1 or x−1 x. If F is
a group and X is a subset of F such that X generates F and every reduced X-word is different
from 1F , then one says that F is a free group, freely generated by the set X, and refers to X
as a free set of generators of F , and writes F as F (X). A key property of a free group F freely
generated by a set X is that for every group H, every mapping θ from X into H can be extended
uniquely to a homomorphism θ∗ from F into H. If θ∗ is a surjection, and if K is the kernel of θ∗ ,
then the quotient group F/K is isomorphic to H. If R is a subset of F , then in the event that K
is generated by all of the conjugates1 of the elements of R, we express this by writing H = hX; Ri
and term the pair hX; Ri a presentation of H (notice that the mapping θ is usually implicit).
Commutators. In non-abelian groups, the commutator of two group elements a, b, denoted
[a, b], is defined as [a, b] = a−1 b−1 ab. Starting with the generators x1 , . . . , xn of the group as the
1
For any two group elements a, b, the conjugate of a by b, denoted ab , is defined as the element b−1 ab.
2
recursive basis, one obtains an ordered sequence of formal commutators by combining two formal
commutators a, b into the formal commutator [a, b]. The weight of a formal commutator is defined
by assigning weight 1 to the generators, and defining the weight of [a, b] as the sum of the weights
of a and b. The weight imposes a partial order on formal commutators, which is typically made
total by assuming an arbitrary ordering among formal commutators of any given weight greater
than 1, and by adopting the lexicographical order among the generators.
Commutators and conjugates obey several useful identities; for the purpose of this paper, we
will be interested in the following identities, which embody a limited form of distributivity:
(ab)c = ac bc
(ab )c = abc
[a, cb] = [a, b][a, c]b
[ac, b] = [a, b]c [c, b]
[ac, bd] = [a, bd]c [c, bd] = [a, d]c [a, b]dc [c, d][c, b]d
(1)
Commutator subgroups. If G is a group, then the commutator subgroup [G, G] (also known
as the first derived group of G) is the subgroup of G generated by elements of the form [a, b] where
a, b ∈ G. The commutator subgroup of G is a normal subgroup of G, i.e., it is closed under
conjugation by arbitrary elements of G. More generally, if A and B are normal subgroups of G,
then [A, B] is the (normal) subgroup of G generated by elements of the form [a, b] where a ∈ A
and b ∈ B. Thus, we can define a sequence of derived groups of G = γ1 (G), γ2 (G) = [G, G],
γ3 (G) = [[G, G], G], and recursively, γs+1 (G) = [γs (G), G]. This sequence of normal subgroups
G = γ1 (G) γ2 (G) . . . γs (G) . . . is called the lower central series for G. A nilpotent group
is one whose lower central series terminates in the trivial subgroup after finitely many steps.
The notion of lower central series in a sense captures the intuition that higher-order commutators
“matter less” than lower-order ones. For our purposes, this is exemplified by the following:
Proposition 2.1 Let G be a group and let γs (G) be the s-th derived subgroup in its lower central
series. If c, d ∈ γs (G), then for any a, b ∈ G, it holds that [ac, bd] = [a, b] mod γs+1 (G).
Proof:
From Equation 1, [ac, bd] = [a, d]c [a, b]dc [c, d][c, b]d . Since c, d ∈ γs (G), then [a, d]c , [c, d]
d
and [c, b] are all in γs+1 (G), and thus [ac, bd] = [a, b]dc mod γs+1 (G). Letting e = dc, we have
e ∈ γs+1 (G), and thus:
[ac, bd] = [a, b]dc = [a, b]e = e−1 [a, b]e = [a, b] mod γs+1 (G).
In light of this, for nilpotent groups Eq. (1) can be refined into almost full-fledged distributivity:
Corollary 2.2 Let G be a nilpotent group of class nc ( i.e., γnc +1 (G) = 1). Then multiplication
inside commutators of weight nc distributes, i.e., for any a1 , b1 , . . . , anc , bnc ∈ G, it holds that:
[a1 · b1 , a2 , . . . , anc ] = [a1 , a2 , . . . , anc ] · [b1 , a2 , . . . , anc ]
[a1 , a2 · b2 , . . . , anc ] = [a1 , a2 , . . . , anc ] · [a1 , b2 , . . . , anc ]
...
[a1 , a2 , . . . , anc · bnc ] = [a1 , a2 , . . . , anc ] · [a1 , a2 , . . . , bnc ]
Abelianization. For a group G, the quotient G/[G, G] is called the abelianization of G: It is
an abelian group obtained by introducing in G new relations to ensure that all elements commute.
The canonical epimorphism ρG : G → G/[G, G] that takes g ∈ G into its coset g[G, G] in G/[G, G]
is usually referred to as the projection onto the abelianization of G. When there is no risk of
confusion, we drop the subscript and denote the projection onto the abelianization simply by ρ.
3
It is a basic fact from category theory that ρ is universal for homomorphisms from G into
abelian groups: that is, if A is any abelian group, then any homomorphism θ : G → A splits as
θ = θ0 ◦ ρ, for a unique homomorphism θ0 : G/[G, G] → A. If G and H are groups, and φ : G → H
is a homomorphism, then using the above construction on θ = ρH ◦ φ yields a homomorphism
φ : G/[G, G] → H/[H, H] so that the following diagram commutes:
φ
G
- H
ρH
ρG
?
?
φ
G/[G, G] - H/[H, H]
We refer to φ as the abelianization of the homomorphism φ.
3
Brief Background on Burnside Groups
For a positive integer k, consider the class of groups for which all elements x satisfy xk = 1. Such
a group is said to be of exponent k. We will be interested in a certain family of such groups called
the free Burnside groups of exponent k, which are in some sense the “largest.” The free Burnside
groups are uniquely determined by two parameters: the number of generators n, and the exponent
k. We will denote these groups by B(n, k):
Definition 3.1 (Free Burnside group) For any n, k ≥ 0, the Burnside group of exponent k
with n generators is defined as
B(n, k) = h{x1 , . . . , xn }; {wk | for all words w over x1 , . . . , xn }i.
Since we are interested in average-case hardness, it is important that B(n, k) be finite, else
even basic issues regarding the probability distribution become unclear. The question of whether
B(n, k) is finite or not is known as the bounded Burnside problem. For sufficiently large k, B(n, k)
is generally infinite [18]. For small exponents, it is known that k ∈ {2, 3, 4, 6} yields finite groups
for all n. (We remark that with the exception of k = 2, for which B(n, k) = Fn2 is abelian, these are
non-trivial results.) For other small values of k (most notably, k = 5), the question remains open.
To ensure finiteness, our current knowledge of Burnside groups would require k to be in the
set {2, 3, 4, 6}; however, following the work of [5], we will focus on k = 3. The main reasons are
as follows: k = 2 would give the more familiar (and already studied) case B(n, k) = Fn2 ; it is
convenient for k to be prime (hence eliminating k = 4 and k = 6); and perhaps most importantly,
the structure of B(n, 3) is much better understood in comparison to than that of k = 4, 6. Hence,
in what follows we will deal only with B(n, 3) and denote it simply by Bn for brevity.
Next, we review some important facts about Bn (see [17, 16] for a fuller account).
Bn is free. In the category of groups of exponent 3, Bn is a free object on the set of generators
{x1 , . . . , xn }. That is, if G is any group such that g 3 = 1 for all g ∈ G, then for any set map
f : {x1 , . . . , xn } → G, there exists a unique homomorphism f : Bn → G such that f (xi ) = f (xi )
for every i ∈ [n]. In other words, to define a homomorphism from Bn to G we need only define the
function on {x1 , . . . , xn }. Any such assignment will extend uniquely to a group homomorphism.
Normal form of Bn . Although Bn is non-abelian, an interesting consequence of the order law
w3 = 1 for w ∈ Bn is that Bn has a simple normal form: Each Bn -element can be written uniquely
as an ordered sequence of (a subset of) generators (or their inverses2 ), appearing in lexicographical
4
order, followed by (a subset of) the commutators of weight 2 (or their inverses), and finally by (a
subset of) the commutators of weight 3 (or their inverses):
xα1 1 · · · xαi i · · · xαnn [x1 , x2 ]β1,2 · · · [xi , xj ]βi,j · · · [xn−1 , xn ]βn−1,n [x1 , x2 , x3 ]γ1,2,3
n
Y
Y
Y
· · · [xi , xj , xk ]γi,j,k · · · [xn−2 , xn−1 , xn ]γn−2,n−1,n =
xαi i
[xi , xj ]βi,j
[xi , xj , xk ]γi,j,k
i=1
i<j
i<j<k
where αi , βi,j , γi,j,k ∈ F3 for all 1 ≤ i < j < k ≤ n, and [xi , xj , xk ] = [[xi , xj ], xk ].
n
n
Order of Bn . From the above normal form, it follows that Bn has exactly 3n+( 2 )+( 3 ) elements.
Abelianization of Bn . It is also clear from the normal form that the abelianization Bn /[Bn , Bn ]
of Bn is isomorphic to Fn3 , and that the abelianization map ρ is efficiently computable, as it amounts
to taking a prefix of the exponent list from the normal form:
ρ:
n
Y
i=1
xαi i
Y
Y
[xi , xj ]βi,j
[xi , xj , xk ]γi,j,k ∈ Bn 7→ (α1 , α2 , . . . , αn ) ∈ Fn3 .
i<j
i<j<k
Center of Bn . The center, Z(Bn ) = {g ∈ Bn | [g, h] = 1, ∀h ∈ Bn } is the subgroup [[Bn , Bn ], Bn ]
generated by all commutators of weight 3. This follows in part from the fact that Bn is nilpotent
of nilpotency class 3, and thus all commutators of weight 4 are the identity in Bn .
r
r
Homomorphisms from B to B . There are 3n(r+(2)+(3)) homomorphisms from B → B . This
n
r
n
r
follows immediately from the order of Br and from the fact that Bn is a free object in the category
of groups of exponent 3 with generating set of size n.
4
Learning Burnside Homomorphisms with Noise
In this section, we review a group-theoretic learning problem introduced in [5], under the name of
learning Burnside homomorphisms with noise (Bn -LHN).
4.1
The Bn -LHN Problem
.
.
For a security parameter n > 0, the Bn -LHN setting consists of the groups Gn = Bn and Pn = Br ,
where 2 ≤ r.3 Let Φn be the uniform distribution over the set of homomorphisms from Bn to Br :
.
Φn = U(hom(Bn , Br )). At a high level, the Bn -LHN problem is to distinguish random Gn × Pn
$
pairs from random preimage/“noisy” image pairs under a hidden random homomorphism ϕ ← Φn .
Definition 4.1 (LHN-Decision Problem) For a (Bn , Br )-homomorphism ϕ, define the distribu$
n
tion AΨ
ϕ on Bn × Br whose samples are preimage/distorted image pairs (a, b) where a ← U(Bn )
$
$
n
and b = ϕ(a)e for e ← Ψn . The LHN-decision problem is to distinguish AΨ
ϕ , for ϕ ← Φn , from
the uniform distribution U(Bn × Br ).
The definition above is parameterized over several distributions—most notably over the error
n
distribution Ψn on Br , which determines the “noise” in the distorted image in an AΨ
ϕ -sample. The
choice of Ψn employed in [5] amounts to taking a randomly ordered product of a random subset of
the generators and their inverses. More precisely, the probability mass function of Ψn is defined as:
"
#
r
Y
i
∀e ∈ Br ,
Pr $ [E = e] = Pr $ r $
e=
xvσ(i)
(2)
E ←Ψn
v←F3 ,σ ←Sr
i=1
Note that x−1 = x2 in Bn , as Bn has exponent 3.
For the cryptographic applications described in [5], it was required that r ≤ 4 so that a certain computational
problem in Br remained reasonable in practice. We do not need any such restrictions here.
2
3
5
where the xi ’s are the generators of Br , the vi ’s are the components of v, and Sr denotes the
symmetric group on r letters.
Observe that under abelianization, this error distribution maps to the uniform distribution:
$
the abelianization map takes a sample E ← Ψn to a sample v = (v1 , . . . , vr ) from U(Fr3 ). Hence,
U(Fr3 )
n of preimage/distorted image pairs becomes A
the abelianization of the distribution AΨ
ϕ
ρ(ϕ) ,
n
r
which coincides with the uniform distribution on U(F3 × F3 ). This observation gives evidence
that under this choice of Ψn , the Bn -LHN problem is in fact independent from LPN/LWE (with
p = 3). In particular, the approach of applying abelianization to the distributions is of no use
for distinguishing Bn -LHN instances from uniform instances as the abelianized distributions are
identical. This argument is illustrated in Figure 1.
n
AΨ
ϕ
U(Bn × Br )
≈
PPT
ρ
U(Fr )
Aρ(ϕ)3
ρ
?
?
= U(Fn3 ) × U(Fr3 )
≡
U(Fn3 × Fr3 )
Figure 1: Failure of the naı̈ve attempt to reduce Bn -LHN to LPN/LWE (with p = 3). The top row
represents the Bn -LHN assumption; the bottom row shows the result of abelianization. Since the bottom
two distributions are identical, this approach is of no use for distinguishing Bn -LHN instances from uniform.
.
As a final remark, observe that Φn = U(hom(Bn , Br )) is efficiently sampleable. Indeed, since
Bn is a relatively free group, (cf. Section 3) any mapping of the n generators of Bn to elements of
Br uniquely extends to a homomorphism.
5
Random Self-Reducibility of Bn -LHN
In this section, we establish random self-reducibility of the learning Burnside homomorphisms with
noise problem: Learning under uniform secret homomorphisms is no easier than learning under an
arbitrary one (Theorem 5.10).
5.1
Proof Outline
We start with a general observation regarding the LHN problem over arbitrary groups Gn , Pn
(Lemma 5.1), which immediately yields a partial key-randomization property for LHN in general.
We then show that this randomization is in fact complete for the specific case of Bn -LHN if we
restrict the Bn -LHN secret key to be surjective. This essentially follows from proving that any
two epimorphisms from Bn to Br can be converted into each other via automorphisms of Bn
(Lemma 5.6). At the core of this transitivity argument is a “transferance” property of (Bn , Br )epimorphisms (Lemma 5.5) that characterizes them as precisely those maps whose abelianization
is an (Fn3 , Fr3 )-epimorphism. This in turn follows from a standard fact about nilpotent groups
by which a generating set for the derived group can be lifted to a generating set for the entire
group ([21, p. 350]; see also Lemma 5.2). Since surjections account for an overwhelming fraction of
(Bn , Br )-homomorphisms (Lemma 5.8), restricting the instances to be surjections does not change
the computational character of the problem, and the random self-reducibility argument of Bn -LHN
follows (Theorem 5.10).
6
5.2
Technical Remarks
Abelianization does not suffice. Many of our results involve relating properties of the abelianization back to properties of the corresponding groups and maps of Burnside groups. This raises
a natural question of whether, modulo passing to the abelianization, our results boil down to a
simple adaptation of the corresponding results for the abelian case. To dispel this idea, below we
briefly review the abelian case, and highlight fundamental elements of that argument which do not
extend to the non-abelian case.
One of the primary tools used in the reduction for the abelian case [24] was that the sets
of homomorphisms formed abelian groups (under point-wise addition). Thus, simple algorithmic
tricks, like adding a uniformly random group element, correspond to a full randomization of the
underlying homomorphism since every group acts transitively on itself by translation.
Unfortunately, in the non-abelian setting, we are not afforded the luxury of a group operation on
the hom-sets (indeed, hom(Bn , Bn ) is only a monoid under composition). Thus it is not surprising
that new techniques and methods are required to augment the limited randomization attainable
via homomorphism composition.
The complications of randomization via endomorphisms. In light of the “randomization
trick” outlined above (which we discuss in more detail in Section 5.3), one may be led towards carrying out the reduction directly, by working with a random homomorphism τ from Bn → Bn . Algorithmically, given a preimage/distorted ϕ-image pair (a, b), one would obtain a preimage/distorted
ϕ0 -image pair (a0 , b0 ) by setting a0 = τ −1 (a) and b0 = b, where ϕ0 = ϕ ◦ τ . Indeed, a random choice
of τ would ensure that the resulting ϕ0 is distributed uniformly among the homomorphisms whose
image is contained in Im(ϕ). Such a proof, however, would require developing algorithmic solutions
to the following two problems:
1. Given τ ∈ End(Bn ) and a ∈ Bn , determine whether or not a ∈ Im(τ ).
2. Given τ ∈ End(Bn ) and a ∈ Im(τ ), sample U(τ −1 ({a})).
Although these problems are straightforward for the abelian setting, in the non-abelian case,
they may not have a resolution at all, let alone an efficient one. In particular, passing to the
abelianization does not suffice in general: for example, in the case of perfect groups, i.e., a group
G such that [G, G] = G, the abelianization is trivial, and thus yields no information regarding the
original problem.
As it turns out, both of the above problems do have algorithmic solutions for Burnside groups.
However, establishing these results requires essentially the same machinery and effort as developed
in the lemmas and proofs that follow in Section 5.3. The approach we take avoids these complications, and produces cleaner and somewhat more modular mathematical results, which may be of
independent interest.
5.3
Proof Details
n
Lemma 5.1 Let a, b = ϕ(a) · e ∈ Gn × Pn be an instanceof LHN sampled according to AΨ
ϕ ,
0
and α be a permutation on Gn . It holds that (a , b) = α(a), b ∈ Gn × Pn is sampled according to
n
AΨ
.
ϕ◦α−1
Proof:
We have (a0 = α(a), b) = α(a), ϕ(a) · e = α(a), ϕ ◦ α−1 (α(a)) · e = a0 , ϕ ◦ α−1 (a0 ) · e .
Lemma 5.2 (adapted from [21]) Let G be a nilpotent group of class nc ( i.e., γnc +1 (G) = 1),
generated by x1 , . . . , xn . Let y1 , . . . , ym generate G modulo γs (G), s ≤ nc . Then, y1 , . . . , ym generate
G modulo γs+1 (G).
7
For completeness, a version of the proof is reported in Appendix A.
Repeated applications of Lemma 5.2 directly yield the following:
Corollary 5.3 Let G be a nilpotent group, and let y1 , . . . , ym generate G modulo the commutator
subgroup [G, G]. Then y1 , . . . , ym generate G.
Instantiating Corollary 5.3 for Burnside groups (which have nilpotency class 3) we obtain:
Corollary 5.4 Let ρ : Br → Fr3 denote the projection onto the abelianization. Let {y1 , . . . , ym } ⊂
Br . Then {y1 , . . . , ym } generates Br if and only if {ρ(y1 ), . . . , ρ(ym )} generates Fr3 .
Proof:
The ‘only if ’ part is straightforward. As for the ‘if ’ part, observe that since Fr3 is
isomorphic to Br /[Br , Br ], assuming that {ρ(y1 ), . . . , ρ(ym )} generates Fr3 amounts to stating that
y1 , . . . , ym generate Br modulo [Br , Br ], and thus by Corollary 5.3 they generate Br tout court. We now prove that (Fn3 , Fr3 )-epimorphisms correspond precisely to (Bn , Br )-epimorphisms:
Lemma 5.5 Let ϕ ∈ hom(Bn , Br ), and let ϕ ∈ hom(Fn3 , Fr3 ) be the corresponding map on the
abelianization. Then ϕ is surjective if and only if ϕ is surjective.
Proof:
Consider the following commutative diagram:
Bn
ϕ Br
ρ
ρ
?
Fn3
(3)
ϕ - ?
Fr3
(=⇒) If ϕ ∈ Epi(Bn , Br ), then a diagram chase around (3) shows that ϕ is also surjective.
(⇐=) Now suppose that ϕ is surjective. Let {x1 , . . . , xn } be the generators for Bn , and let
{y1 , . . . , yn } ⊆ Br be their ϕ-image: yi = ϕ(xi ), for i ∈ [n]. Proving surjectivity of ϕ amounts
to proving that {y1 , . . . , yn } generates Br , which by Corollary 5.4 is equivalent to proving that
their abelianization {ρ(y1 ), . . . , ρ(yn )} generates Fr3 . Letting ti = ρ(yi ) = (ρ ◦ ϕ)(xi ), i ∈ [n],
the thesis thus amounts to showing that {t1 , . . . , tn } generates Fn3 , i.e., that ρ ◦ ϕ is surjective.
The statement now follows observing that surjectivity of ρ ◦ ϕ is a consequence of the assumed
surjectivity of ϕ and of the commutativity of (3). Remarks. Lemma 5.5 is central to Lemma 5.6’s argument that the randomization from Lemma 5.1
is a complete random self-reduction. In fact, Lemma 5.5 has also computational significance, as it
enables an easy surjectivity test for a (Bn , Br )-homomorphism ϕ: Simply check that the rank of
the corresponding map of linear spaces in the abelianization equals the dimension of the range.
Next, we show that the automorphism group of Bn , Aut(Bn ), acts transitively on Epi(Bn , Br )
by composition on the right, and thus the construction from Lemma 5.1 provides a random selfreduction for the case of Bn -LHN.
Lemma 5.6 Aut(Bn ) acts transitively on Epi(Bn , Br ) by composition on the right. That is, for
any ϕ, ϕ∗ ∈ Epi(Bn , Br ), there exists α ∈ Aut(Bn ) such that ϕ∗ = ϕ ◦ α.
8
Proof:
Let ϕ∗ ∈ Epi(Bn , Br ) denote the “target” surjection, and let ϕ ∈ Epi(Bn , Br ) be an
arbitrary surjection. We would like to find α ∈ Aut(Bn ) such that ϕ∗ = ϕ ◦ α. In other words, we
wish to define a bijective map α so that the following diagram commutes:
ϕ∗ Br
Bn
α
1Br
?
Bn
(4)
ϕ - ?
Br
Let x1 , . . . , xn be free generators of Bn . To define α, it suffices to define α(xi ) for each i ∈ [n].
To derive suitable α(xi ) values such that α as a whole is bijective, it is convenient to study the
abelianization of all the groups and maps in (4), which results in the following diagram:
ϕ∗
Bn
- Br
1B
ρ
-
Bn
r
α
ρ
ϕ
- Br
ρ
ρ
ϕ∗ -
?
Fn
3
(5)
?
Fr3
r
1F 3
α
ϕ
-
-
?
Fn
3
?
- Fr3
In this diagram, the vertical maps ρ denote the projections onto the abelianization. Let us first
restrict attention to the abelianization. Note that to find an appropriate map α, the rank theorem,
together with the freeness of Fn3 will suffice. One may simply decompose Fn3 (twice) as ker(ϕ∗ ) ⊕ I ∗
and ker(ϕ) ⊕ I, where I ∗ , I are of the same dimension, as are ker(ϕ∗ ) and ker(ϕ). Now by freeness,
one can construct the desired α as a sum of the following two maps. The first
map takes I ∗ → I,
and is defined by mapping a basis {ei } for I ∗ to preimages yi ∈ ϕ−1 ( ϕ∗ (ei ) ) ∩ I. The other map
is an arbitrary isomorphism from ker(ϕ∗ ) → ker(ϕ). By construction, ϕ ◦ α = ϕ∗ , and since both
maps are bijective, α is an Fn3 -automorphism.
We now need to lift α to the Burnside groups in a way that makes the top square of (5) also
commute. Let us start with an arbitrary lift of α, which we will denote by β. Tracing the diagram
along both paths from the occurrence of Bn on the upper-left corner to the occurrence of Br on the
lower-right corner, we see that commutativity of the diagram must hold up to commutators, since
the analogous equations stand in the abelianization. In particular, for each of the generators xi of
Bn , we have ϕ(β(xi )) = ϕ∗ (xi )ci , where ci ∈ [Br , Br ].
Note also that ϕ surjectively maps [Bn , Bn ] → [Br , Br ], and thus we may find di ∈ [Bn , Bn ]
such that ϕ(di ) = ci . Define the desired α by setting α(xi ) = β(xi )d−1
i . Since di ∈ [Bn , Bn ], the
abelianization of α is the same as that of β, i.e., α. By Corollary 5.3, surjectivity of α implies
surjectivity of α, and hence α is indeed an isomorphism. By construction, we have ϕ(α(xi )) =
−1
∗
−1 = ϕ∗ (x ), which completes the proof. ϕ(β(xi )d−1
i
i ) = ϕ(β(xi )) · ϕ(di ) = ϕ (xi )ci · ϕ(di )
We now turn to show that for a transitive group action on a set S, applying the action of a
random group element will induce the uniform distribution on S. Naively, since there are in general
9
many group elements that may perform the same permutation of S, one might worry that some
permutations will wind up more likely as others, leaving the resulting distribution different than
uniform. However, a straightforward counting argument shows otherwise:
Lemma 5.7 Let G be a finite group, and S a set on which G acts transitively. Let s ∈ S be an
$
arbitrary element, and consider the distribution As on S whose samples are g · s where g ← U(G).
Then As = U(S).
Proof:
Let t ∈ S be an arbitrary element. We wish to compute Pr [As = t]; that is, the
$
probability that g · s = t, over the uniform choice of g ← G. Recall that the stabilizer of s ∈ S
(denoted by stab(s)) is the subgroup of G defined by stab(s) = {g ∈ G | g · s = s}. Note that the
number of choices of g ∈ G such that g · s = t is given by |stab(s)| since g · s = g 0 · s ⇐⇒ g 0 −1 g ∈
stab(s), which states that g, g 0 are in the same coset modulo stab(s).4 Recall that:
[G : stab(t)] = |G · t| = |S|
with the last equality following from the transitivity of the action. Hence, |stab(t)| = |G|/|S|, and
Pr [As = t] =
|G| 1
1
·
=
|S| |G|
|S|
which completes the proof. The last required ingredient for the main random self-reducibility result is to show that constraining the sampling of Bn -LHN instances to Epi(Bn , Br ) does not alter the computational characteristics of the Bn -LHN assumption.
Lemma 5.8 As the security parameter n grows, the probability of sampling a Bn -LHN instance ϕ
that is not surjective is negligible in n.
Proof:
By Lemma 5.5, a homomorphism ϕ ∈ hom(Bn , Br ) is surjective if and only if its
corresponding “abelianized” map ϕ ∈ hom(Fn3 , Fr3 ) is surjective. Furthermore, any two ϕ, ϕ0 ∈
hom(Fn3 , Fr3 ) are associated (via abelianization) to the same number of (Bn , Br )-homomorphisms.
Hence, to compute the fraction of hom(Bn , Br ) which is not surjective, we need only compute
the fraction of hom(Fn3 , Fr3 ) which is not surjective. A crude upper bound that suffices for our
purposes can be obtained via the union bound: We estimate the probability that a randomly
selected ϕ ∈ hom(Fn3 , Fr3 ) is not surjective by bounding the probability that its image is contained
$
in some r − 1 dimensional subspace V of Fr3 . Specifically, for ϕ ← hom(Fn3 , Fr3 ) and any subspace
V ⊂ Fr3 such that dim(V ) = r − 1, denote with EV the event that Im(ϕ) ⊂ V . Then we have
Pr [ϕ 6∈ Epi(Fn3 , Fr3 )] = Pr
[
V ⊂ Fr3
dim(V ) = r − 1
EV
$
where the probability is over ϕ ← hom(Fn3 , Fr3 ), and the union on the right hand side is over all
subspaces of dimension r − 1. Since each (r − 1)-dimensional subspace corresponds uniquely (up to
r
sign) to a non-trivial linear equation over the basis of Fr3 , we see that there are 3 2−1 such subspaces.
Furthermore, the image of each of the n generators of Fn3 satisfies the linear equation of the subspace
with a 1/3 chance, and hence Pr [EV ] = 31n for each V . By the union bound we then have
Pr
[
V ⊂ Fr3
dim(V ) = r − 1
4
3r − 1
1
EV ≤
< · 3r−n
2 · 3n
2
This argument requires the existence of at least one g such that g · s = t; we are given such a g by transitivity.
10
which is negligible in n as long as the gap between r and n is superlogarithmic (e.g., if r is a
constant fraction of n). We remark that in fact r is bounded by a small constant in the formulation
of the Bn -LHN assumption (cf. Definition 4.1, as well as the definition in [5]). An immediate consequence of the above lemma is that, with notation as in Section 4, modifying
the distribution of instances Φn so that it only sampled surjective homomorphisms results in an
instance distribution statistically close to the uniform distribution U(hom(Bn , Br )):
Corollary 5.9 The computational hardness of the Bn -LHN problem under uniform unconstrained
homomorphisms vs. uniform epimorphisms are information theoretically equivalent.
Proof: Let ∆(·, ·) denote the statistical distance (also known as total variation distance) between
any two distributions. For any Xn ⊂ Sn , it holds that
∆(U(Xn ), U(Sn )) =
|Sn \ Xn |
|Sn |
where U(Xn ) is considered a distribution on Sn by assigning probability 0 to all elements in Sn \Xn .
Hence, whenever ν(n) = |Sn \ Xn | / |Sn | is negligible in n (as in our case), then the ensemble of
distributions U(Xn ) is statistically close to U(Sn ).
Finally, we remark that Lemma 5.5 gives rise to a an efficient test for surjectivity, so that the
modified distribution of instances remains efficiently sampleable (via rejection sampling). Putting all pieces together, we are now ready to establish random self-reducibility of Bn -LHN:
Theorem 5.10 (Bn -LHN Random Self-Reducibility) With notation as in Definition 4.1, any
efficient algorithm to solve the Bn -LHN-decision problem on a random homomorphism sampled from
U(hom(Bn , Br )), can be used to solve the Bn -LHN-decision problem on all but a negligible fraction
of (Bn , Br )-homorphisms.
Proof: By Lemma 5.8), surjections comprise an overwhelming fraction of hom(Bn , Br ), and thus
it suffices to show that the statement holds for an arbitrary surjection. So consider an arbitrary
surjection, ϕ ∈ Epi(Bn , Br ), and suppose we are given a distribution R which is either U(Bn × Br )
$
n
or AΨ
ϕ . Let α ← Aut(Bn ) (which can be sampled efficiently in light of Lemma 5.5). Leveraging
the construction in Lemma 5.1, we may derive a new distribution R0 whose samples are (α(a), b)
$
where (a, b) ← R. If R = U, then R0 = U as well, since α is a bijection. Otherwise, by
0
−1
n
Lemma 5.1, R0 = AΨ
ϕ0 , where ϕ = ϕ ◦ α . Moreover, by Lemma 5.6 and Lemma 5.7, we see that
ϕ0 is distributed according to U(Epi(Bn , Br )), which is statistically close to U(hom(Bn , Br )) by
Corollary 5.9. It follows that any efficient algorithm to solve the Bn -LHN-decision problem on a
random homomorphism can be used to solve the Bn -LHN-decision problem on all but a negligible
fraction of (Bn , Br )-homorphisms. 6
A Weak Decision-to-Search Equivalence
In this part, we investigate the relation between Bn -LHN and LHN-Decision. Proposition 6.1 proves
$
that an oracle for LHN-Decision allows to predict the results of ϕ(x), for arbitrary x ← Bn , slightly
better than guessing randomly. We first observe the following.
n
Proposition 6.1 Let q be the cardinality5 of Br . Let also A be an algorithm distinguishing AΨ
ϕ
from U(Bn × Br ) in time t with advantage at least , i.e., A is an algorithm solving LHN-Decision.
$
Finally, let x ← Bn . There exists an algorithm B working in poly(q, t) such that:
1+
Pr
,
$
Ψn B a, b, x = ϕ(x) ≥
(a,b)←Aϕ
q
5
We recall that the size of Br is independent of the security parameter. Thus, enumerating all elements of Br
takes O(1) time.
11
Proof:
We can assume without loss of generality that the success probability of A is greater on
n than on U(B × B ), i.e., it holds that:
AΨ
n
r
ϕ
A(a, b) = 1 ≥ .
Pr
$
$
Ψn A(a, b) = 1 − Pr
(a,b)←Aϕ
Let Pr1 = Pr
$
n
(a,b)←AΨ
ϕ
(a,b)←U(Bn ×Br )
A(a, b) = 1 , and Pr2 = Pr
$
(a,b)←U(Bn ×Br )
$
A(a, b) = 1 .
$
n
Algorithm B works as follows. It samples
← AΨ
ϕ , a guess h ← U(Br ) for the value of
(a, b)
0
0
ϕ(x), and invokes algorithm A on x · a, h · b = (a , b ). Finally, B returns h if A returns 1 and any
value of Br \ {h} otherwise.
Suppose h = ϕ(x), then h · ϕ(a) = ϕ(x · a). It follows that (a0 , b0 ) = x · a, h · ϕ(a) · e is sampled
n
according to AΨ
ϕ . Hence:
0 0
Pr
= 1 = Pr1 .
$
Ψn B a, b, x = ϕ(x) = Pr 0 0 $
Ψn A a , b
(a,b)←Aϕ
(a ,b )←Aϕ
Assume now that h 6= ϕ(x). In this case, (a0 , b0 ) = x · a, h · ϕ(a) · e is distributed according to
U(Bn × Br ). Thus:
0
0
Pr 0 0 $
B(a , b ) = 0
(a ,b )←U(Bn ×Br )
1 − Pr2
Pr
B
a,
b,
x
=
ϕ(x)
=
=
.
$
n
(a,b)←AΨ
ϕ
q−1
(q − 1)
As a consequence:
1
(1 − Pr2 )
Pr1 − Pr2 + 1
+1
Pr
B
p,
b,
x
=
ϕ(x)
=
Pr
+
(q
−
1)
=
≥
.
1
$
n
(p,b)←AΨ
ϕ
q
q−1
q
q
In the high advantage case (i.e., the distinguisher is perfect), we get:
n
Corollary 6.2 (“Weak” Decision-to-Search) Let q be the cardinality of Br . If AΨ
ϕ and U(Bn ×
Br ) are perfectly distinguishable, i.e., there exists a distinguisher A working in time t accepting with
n
probability exponentially close to 1 elements from AΨ
ϕ and rejecting with probability exponentially
close to 1 elements from U(Bn × Br ), then there is an algorithm C working in poly(t, q) such that:
Pr
ϕ(y)
=
b
with probability exponentially close to 1.
$
$
Ψn
(a,b)←Aϕ ,y ←C(a,b)
Proof:
The algorithm C to consider is exactly the algorithm described in the proof of Prop. 6.1.
We emphasize that the general case (arbitrary advantage) remains an open problem. Interestingly enough, this reduces to generalize the famous Goldreich-Levin Theorem [13] to non-abelian
groups. The obstacle on the proofs seems to be the impossibility – due to non-commutativity – to
sufficiently amplify the success probability of Proposition 6.1.
7
Conclusions and Future Work
In this work, we take steps towards understanding the computational hardness of the Bn -LHN
problem put forth in [5]. With a minor modification to the problem formulation (which results
in an instance distribution statistically close to the original), we demonstrate a strong random
self-reducibility property, giving evidence that the Bn -LHN problem is difficult in the average case.
Future work includes continued efforts to assess the hardness of the Bn -LHN problem—either
via explicit algorithms that demonstrate upper bounds on its complexity, or via further reductions
to other computational problems. In particular, one interesting open problem is to fully reduce the
search version of Bn -LHN to the corresponding decision version.
12
References
[1] Martı́n Abadi, Joan Feigenbaum, and Joe Kilian. On hiding information from an oracle. J. Comput.
Syst. Sci., 39(1):21–50, 1989.
[2] D. Angluin and P. Laird. Learning from noisy examples. Machine Learning, 2(4):343–370, 1988.
[3] Sanjeev Arora and Rong Ge. New algorithms for learning in presence of errors. Manuscript, 2011.
[4] László Babai. Random oracles separate pspace from the polynomial-time hierarchy. Inf. Process. Lett.,
26(1):51–53, 1987.
[5] G. Baumslag, N. Fazio, A. R. Nicolosi, V. Shpilrain, and W.E. Skeith III. Generalized learning problems
and applications to non-commutative cryptography. In International Conference on Provable Security—
ProvSec ’11 (to appear). Springer, 2011. LNCS.
[6] Gilbert Baumslag, Nelly Fazio, Antonio R. Nicolosi, Vladimir Shpilrain, and William E. Skeith III.
Generalized learning problems and applications to non-commutative cryptography. Cryptology ePrint
Archive, Report 2011/357, 2011. Full version of [5]. Available at http://eprint.iacr.org/2011/357.
[7] Donald Beaver and Joan Feigenbaum. Hiding instances in multioracle queries. In STACS, pages 37–48,
1990.
[8] Donald Beaver, Joan Feigenbaum, Joe Kilian, and Phillip Rogaway. Security with low communication
overhead. In CRYPTO, pages 62–76, 1990.
[9] A. Blum, A. Kalai, and H. Wasserman. Noise-tolerant learning, the parity problem, and the statistical
query model. J. ACM, 50:2003, 2003.
[10] Manuel Blum and Sampath Kannan. Designing programs that check their work. In STOC, pages 86–97,
1989.
[11] W. Diffie and M.E. Hellman. New directions in cryptography. IEEE Transactions on Information
Theory, IT-22(6):644–654, 1976.
[12] Joan Feigenbaum and Lance Fortnow. On the random-self-reducibility of complete sets. In Structure
in Complexity Theory Conference, pages 124–132, 1991.
[13] Oded Goldreich and Leonid A. Levin. A hard-core predicate for all one-way functions. In STOC, pages
25–32, 1989.
[14] S. Goldwasser and S. Micali. Probabilistic encryption. JCSS, 28(2):270–299, 1984.
[15] S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems. SIAM
Journal on computing, 18(1):186–208, 1989.
[16] N. Gupta. On groups in which every element has finite order. Amer. Math. Month., 96:297–308, 1989.
[17] M. Hall. The Theory of Groups. Macmillan Company, New York, 1959.
[18] Sergei V. Ivanov. The free Burnside groups of sufficiently large exponents. Internat. J. Algebra Comput.,
4(1-2):ii+308, 1994.
[19] M. Kearns. Efficient noise-tolerant learning from statistical queries. In Journal of the ACM, pages
392–401. ACM Press, 1993.
[20] Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On ideal lattices and learning with errors over
rings. In EUROCRYPT, pages 1–23, 2010.
[21] W. Magnus, A. Karrass, and D. Solitar. Combinatorial group theory: presentations of groups in terms
of generators and relations. Interscience Publishers, 1966.
[22] Pascal Paillier. Public-key cryptosystems based on composite degree residuosity classes. In EUROCRYPT, pages 223–238, 1999.
[23] Chris Peikert. Public-key cryptosystems from the worst-case shortest vector problem: extended abstract.
In STOC, pages 333–342, 2009.
[24] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In STOC, pages
84–93. ACM Press, 2005.
[25] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key
cryptosystems. Communications of the ACM, 21:120–126, 1978.
13
A
Proof of Lemma 5.2
Lemma 5.2 (adapted from [21]) Let G be a nilpotent group of class nc ( i.e., γnc +1 (G) = 1),
generated by x1 , . . . , xn . Let y1 , . . . , ym generate G modulo γs (G), s ≤ nc . Then, y1 , . . . , ym generate
G modulo γs+1 (G).
Proof:
Consider any generator xi of G. Since the yj ’s generate G modulo γs (G), there exist
words wi over the yj ’s and elements ci ∈ γs (G) such that:
xi = wi (y1 , . . . , ym ) · ci
(6)
Each ci is itself the product of basic commutators of weight s in the generators x1 , . . . , xn , and thus
there exist index sets Ti ⊆ ns such that:
Y
ci =
[xt1 , . . . , xts ]
(7)
(t1 ,...,ts )∈Ti
Plugging Equation 6 into Equation 7 we get:
Y
ci =
[wt1 (y1 , . . . , ym ) · ct1 , . . . , wts (y1 , . . . , ym ) · cts ]
(8)
(t1 ,...,ts )∈Ti
By Proposition 2.1, if we look at Equation 8 modulo γs+1 (G), we can drop the occurrences of ctl ’s
on the RHS of (8):
Y
[wt1 (y1 , . . . , ym ), . . . , wts (y1 , . . . , ym )] mod γs+1 (G)
(9)
ci =
(t1 ,...,ts )∈Ti
By Corollary 2.2, each basic commutators of weight s in the RHS of (9) then distributes into a
product of commutators of weight s in y1 , . . . , ym . Thus, modulo γs+1 (G), each ci is a product of
commutators of weight s in y1 , . . . , ym , i.e., there exist index sets Ui ⊆ m
s such that:
ci =
Y
[yu1 , . . . , yus ]
mod γs+1 (G)
(10)
(u1 ,...,us )∈Ui
Hence, each ci lies in the subgroup of G generated by y1 , . . . , ym , modulo γs+1 (G). Combining this
fact with Equation 6 again, we get that all generators xi ’s are also in the subgroup of G generated
by y1 , . . . , ym , modulo γs+1 (G), and the lemma follows. 14
