probabilistic polynomial-time Turing machine with one-way function

Question

Suppose that there exists a function $:\{0,1\}^ → \{0,1\}^$ such that, is computable in polynomial time; and the following task cannot be computed in polynomial time (that is, there are $ ∈ \{0,1\}^$, for which, it cannot be computed efficiently): Given $ = ()$, find any $\hat{}∈ \{0,1\}^$ such that $(\hat{}) = .$

Define the language, $$ = \{(, ) | ∃\hat{} ∈ \{0,1\}^ \text{ such that } (\hat{}) = \text{ and } \hat{} < \}.$$ The comparison $<$ is with respect to the integers of which $\hat{}, $ are the respective binary representations (in general, $$ is viewed as a map from integers to integers).

Assume that $ ∈ \texttt{BPP}$. I am interested this question: is there exists a probabilistic polynomial-time $\texttt{TM}$, denoted M, such that:

1. Given $ = ()$, it (always) finds some $∈ \{0,1\}^$ such that $(\hat{}) = $? and
2. It's expected running time is polynomial in $?$

Remark: We do not care what happens if there is no preimage for $$ (i.e., if there exists no $\hat{}∈ \{0,1\}^$ such that $(\hat{}) = $). We do not need to analyze our algorithm for these cases.

A language $$ is in the class BPP if there exists a probabilistic polynomial- time TM, denoted N, such that: for every $ ∈ \{0,1\}^∗:$ $$ ∈ ⇒ Pr[() = 1] ≥ 2 /3$$ $$ ∉ ⇒ Pr[() = 1] ≤ 1 /3.$$

Answer 1

We can use binary search along with the $\mathsf{BPP}$ amplification theorem which states that a language $L$ is in the class $\mathsf{BPP}$ if for any polynomial $q(n)$, there exists a polynomial time algorithm $M(\cdot; \cdot)$ such that for all $x \in \{0, 1\}^n$,

• if $x \in L$, then $\underset{r}{\mathsf{Pr}}[M(x; r) = 1] \geq 1- \frac{1}{2^{q(n)}}$
• if $x \notin L$, then $\underset{r}{\mathsf{Pr}}[M(x; r) = 1] \leq \frac{1}{2^{q(n)}}$

Following a similar approach to the one in this post, let's assume that $L \in \mathsf{BPP}$ and let $A$ be a $\mathsf{BPP}$ algorithm for $L$ that satisfies the above probability with $q(n) = 2n$. We will design a probabilistic algorithm $B$ that inverts $f$ and has an expected polynomial running time in $n$ for invertible $y$. However, if $y$ does not have any preimage, the algorithm's runtime will be exponential in $n$.

The description of $B$ is as follows.

1. First, check whether $f(2^n−1)=y$ (i.e., whether the largest n-bit integer is a preimage). If true, return $2^n−1$.

2. Otherwise, check if $A(y,2^n−1)=1$. If this succeeds, use binary search to find $x$.

3. If the check fails or binary search doesn't succeed in finding a preimage, go over all $x \in \{0,1\}^n$ and checks and returns if $f(x) = y$.

Since step 2 uses the algorithm $A$, which is a $\mathsf{BPP}$ algorithm, there is a chance $A$ might give an incorrect answer. Nevertheless, in step 3, if $y$ has a preimage, $B$ will eventually return it.

Now, let's analyze the expected running time of $B$ for an input $y$ that has a preimage:

$$\text{Expected-Time}[B] = \mathsf{Pr}[A \text{ gives the right answers}]\cdot O(n) + \mathsf{Pr}[A \text{ gives at least one wrong answer}]\cdot 2^n$$

Next, we calculate the probability that step 2 will return a preimage. Since $A$ is invoked at most $2n$ times in step 2, $B$ succeeds in finding the preimage in step 2 if all invocations of $A$ give the correct answer. This occurs with high probability, $(1- \frac{1}{2^{2n}})^{2n}$, which we trivially bound by 1.

The probability that step 2 fails to find a preimage is $1-(1- \frac{1}{2^{2n}})^{2n}$. We bound the term $(1-(1- \frac{1}{2^{2n}})^{2n}) 2^n$ as follows.

$$\begin{align} (1-(1- \frac{1}{2^{2n}})^{2n}) 2^n &= (1-(1 + \sum_{i=1}^{2n} {2n \choose i} \cdot (\frac{-1}{2^{2n}})^i)) 2^n\\ &= - \sum_{i=1}^{2n}\frac{-1^i \cdot {2n \choose i}}{2^{2ni - n}}\\ &\leq \sum_{i=1}^{2n}\frac{{2n \choose i}}{2^{2ni - n}}\\ &\leq \sum_{i=1}^{2n}\frac{(2n)^i}{2^{2ni - n}}\\ &\leq \sum_{i=1}^{2n}\frac{(2n)^i}{2^{ni}}\\ &\leq \sum_{i=1}^{2n}(\frac{2n}{2^{n}})^i \leq 2n \end{align}$$

Using these bounds, we conclude:

$$\text{Expected-Time}[B] = 1\cdot O(n) + 2n \leq O(n)$$