
Impagliazzo’s Worlds in Arithmetic Complexity: A Progress Report



Presentation Transcript


  1. Impagliazzo’s Worlds in Arithmetic Complexity: A Progress Report
  Scott Aaronson and Andrew Drucker, MIT
  100% QUANTUM-FREE TALK (FROM COWS NOT TREATED WITH rBQP)

  2. Why Arithmetize Russell’s Worlds?
  R, C, F_p: funhouse mirrors of complexity theory
  Permanent vs. Determinant, P_C vs. NP_C: “warmups” to P vs. NP?
  Some of our motivation came from Mulmuley’s GCT program
  But who cares about crypto in the arithmetic model?
  • As it happens, much of current crypto is based on arithmetic over finite fields
  • Challenge: Arithmetic Natural Proofs. Explain why it’s so hard to prove circuit lower bounds for the Permanent
  • “Lifting” to larger fields gives new insights about worst-case / average-case equivalence

  3. On the Menu Today
  1. Equivalence of complexity questions in the Boolean and small-finite-field worlds
  2. Over large finite fields F, “NP ⊄ P/poly ⟺ OWFs exist” (Heuristica = Pessiland = Minicrypt)
  3. Natural Proofs for arithmetic circuits: a challenge and concrete proposal

  4. Arithmetic Computation Over a Finite Field F
  Allowed operations:
  • Add, subtract, multiply, or divide any two F-elements
  • Create and recognize the 0 and 1 elements (hence equality testing, branching, Boolean side-computation)
  • Sample a random F-element (in randomized models)
  • Hardwire F-elements (in nonuniform models)
  Not allowed: directly accessing bit representations of F-elements
  In this talk, |F| will be finite, prime, and possibly dependent on n
  “Deep reason” for finiteness: in cryptography, it’s nice to have a uniform distribution over F-elements

  5. Three Regimes of Arithmetic Complexity
  |F| ≤ poly(n): trivially the same as Boolean computation
  |F| ≤ 2^poly(n): no stronger than Boolean computation. Maybe weaker, since the machine can’t see bit representations of the input F-elements. Same as Boolean computation if the input is conveniently Boolean
  |F| >> 2^poly(n): incomparable with Boolean computation (a P machine can’t even store F-elements). Algebraic geometry becomes relevant, since polynomials have degree << |F|

  6. Related Models
  Blum-Shub-Smale: uniform, defined for a fixed field F (such as R, C, GF(2)); equality tests allowed; the version over R allows comparisons
  Algebraic computation trees: basically a nonuniform version of [BSS]
  Arithmetic circuits, straight-line programs, Valiant’s VP and VNP: no divisions or equality tests allowed
  Our results for |F| ≤ 2^poly(n) will extend to the straight-line model

  7. Given {p(n)}_{n≥1}, a list of primes…
  P_F/poly = the class of languages L such that, for some polynomial size bound s and every n, there exists an F_{p(n)}-circuit C_n of size s(n) such that for all x: x ∈ L ⟺ C_n(x) ≠ 0
  NP_F/poly = the same, except we substitute x ∈ L ⟺ ∃ w ∈ {-1,1}^poly(n) such that C_n(x,w) ≠ 0
  Can define uniform versions with more sweat
  Why are the NP witnesses Boolean?
  For p(n) ≤ 2^poly(n), it doesn’t matter
  For p(n) > 2^poly(n), allowing F-witnesses would trivialize P_F ≠ NP_F! (Consider, e.g., quadratic residuosity)

  8. Arithmetic Cryptography When |F| ≤ 2^poly(n)
  B/B (Boolean/Boolean) OWF: ordinary one-way function
  A/A (Arithmetic/Arithmetic) OWF: family of functions computable in P_F/poly, such that for all P_F/poly adversaries C_n,
  A/B (Arithmetic/Boolean) OWF: same, except now the adversary is P/poly (i.e. has Boolean access to f_n(x))
  B/B, A/A, and A/B pseudorandom generators and pseudorandom functions can be defined similarly

  9. Equivalence Theorem: Assuming |F| ≤ 2^poly(n), the existence of B/B, A/B and A/A OWFs, PRGs and PRFs are all equivalent.
  (Diagram: a 3×3 grid with rows B/B, A/B, A/A and columns OWFs, PRGs, PRFs; each implication arrow is labeled either “Obvious” or “This work”, with [HILL] and [GGM] cited on the B/B row.)

  10. The Boneh-Lipton Problem: A Bridge Between the Boolean and Arithmetic Worlds
  Problem: recover x, given (x+a_1)^q, …, (x+a_k)^q and a_1, …, a_k
  Suppose this problem is easy. Then for all p ≤ 2^poly(n), the Boolean and F_p worlds are polynomially equivalent
  Alas, the best known classical algorithm to recover x takes time [BL96]

  11. Intuition: We Win Either Way
  Two possibilities:
  (1) BL is easy to invert ⇒ Boolean and F computation are equivalent ⇒ OWFs exist in one world iff they exist in the other
  (2) BL is hard to invert ⇒ BL itself is an OWF, in both the Boolean and F worlds
  Difficulties: what if BL is only slightly hard? Or easy to invert on some input lengths but not others?

  12. Lemma: For all x ≠ y in F,
  Proof: (x+a_i)^q − (y+a_i)^q is a degree-q, nonzero polynomial in a_i, so it has at most q = (p−1)/2 roots.
  Implication: (x+a_1)^q, …, (x+a_k)^q information-theoretically determine x with high probability over a_1, …, a_k, provided k >> log(p)
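The Legendre-symbol fingerprint behind the Boneh-Lipton problem (slide 10) and this lemma, as an added Python example that is not part of the talk: over F_p with q = (p−1)/2, (x+a)^q is the Legendre symbol of x+a, and the lemma's per-shift collision probability of at most q/p gives a union bound of (p−1)(q/p)^k on some other y sharing x's fingerprint. The function names, the toy prime p = 7 and the shift lists are the example's own choices.

```python
import random

def legendre_fingerprint(x, shifts, p):
    """The Boneh-Lipton values (x+a_1)^q, ..., (x+a_k)^q over F_p, q=(p-1)/2.
    Each entry is the Legendre symbol of x+a_i: 0, 1, or p-1 (i.e. -1)."""
    q = (p - 1) // 2
    return tuple(pow((x + a) % p, q, p) for a in shifts)

def collision_bound(p, k):
    """Union bound from the lemma: for fixed x, each y != x agrees with x on
    one random shift with probability <= q/p (at most q roots among p values),
    so on k independent shifts with probability <= (q/p)^k; summing over the
    p-1 candidates y gives Pr[x not determined] <= (p-1)*(q/p)^k."""
    q = (p - 1) // 2
    return (p - 1) * (q / p) ** k

def ambiguous_elements(p, shifts):
    """All x in F_p whose fingerprint is shared with some other y, i.e. the
    fingerprint does NOT information-theoretically determine x."""
    buckets = {}
    for x in range(p):
        buckets.setdefault(legendre_fingerprint(x, shifts, p), []).append(x)
    return sorted(x for xs in buckets.values() if len(xs) > 1 for x in xs)

def preimages(fingerprint, shifts, p):
    """Every x consistent with a fingerprint, by exhaustive search over F_p
    (fine for a toy p; the slides note that no fast inverter is known)."""
    return [x for x in range(p) if legendre_fingerprint(x, shifts, p) == fingerprint]

def ambiguity_rate(p, k, trials, seed=0):
    """Average fraction of F_p left ambiguous by k uniformly random shifts."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        shifts = [rng.randrange(p) for _ in range(k)]
        total += len(ambiguous_elements(p, shifts))
    return total / (trials * p)

if __name__ == "__main__":
    # Constructed toy instance: p = 7, q = 3, quadratic residues {1, 2, 4}.
    print(legendre_fingerprint(0, [1, 2, 3], 7))   # (1, 1, 6)
    print(ambiguous_elements(7, [0, 1]))            # [2, 4]: two shifts are not enough
    print(ambiguous_elements(7, [0, 1, 2]))         # []: three shifts (> log2 7) pin x down
    # For p = 101, k = 20 >> log2(101) makes both the bound and the observed rate tiny.
    print(collision_bound(101, 20), ambiguity_rate(101, 20, 20))
```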

  13. Easy Direction: B/B OWF ⇒ A/B OWF
  Let f be a Boolean OWF. Then as our arithmetic OWF, we can take
  Clearly, any inverter for F yields an inverter for f.

  14. Other Direction: A/A OWF ⇒ A/B OWF
  Let g be an OWF secure against arithmetic adversaries. Here’s an OWF secure against Boolean adversaries:
  Let G’ be a good Boolean inverter for G. Here’s a good arithmetic inverter for g(x): first generate a_1, …, a_k randomly (remembering their Boolean descriptions), then compute G(x, a_1, …, a_k) and run G’ on it
  Key fact: G(x, a_1, …, a_k) = G(y, a_1, …, a_k) ⇒ g(x) = g(y) with high probability over a_1, …, a_k, provided k >> log(p). In which case, G’ can only invert G by finding a preimage of g(x)

  15. Argument for Pseudorandom Generators
  Let f be a B/B PRG. As our A/B PRG, we can take
  where Om(x) is the omelettization of a Boolean string x: its conversion to F-elements in a standard way
  Likewise, let g: F → F^2 be an A/A PRG. By a standard hybrid argument, we can “stretch” g to produce g_1, …, g_m: F → F, so that (g_1(x), …, g_m(x)) looks random. Here’s our A/B PRG:
  Similar arguments show that B/B or A/A pseudorandom functions imply A/B pseudorandom functions

  16. Collapse Theorem: Assuming |F| > 2^poly(n),
  NP_F ⊄ P_F/poly ⟺ NP_F is hard on average ⟺ F-OWFs exist
  In other words: hard-on-average NP_F problems with planted (Boolean) solutions
  More interesting notion of OWF when |F| > 2^poly(n)
  (Diagram: Impagliazzo’s worlds Algorithmica, Heuristica, Pessiland, Minicrypt, Cryptomania, with the middle three merged into a single “Heuristiminipessicrypt”.)

  17. Major Challenge for Complexity Theory: Explain why current techniques fail to show Permanent ∉ AlgP/poly
  First approach: extend algebrization [AW08] to low-degree oracles queried by arithmetic circuits. Construct A such that Alg#P^A = AlgP^A
  Second approach: Natural Proofs [RR97] for arithmetic complexity. Show that arithmetic circuit lower bounds based on rank, partial derivatives, etc. can’t possibly work, since they would distinguish random functions f: F^n → F from pseudorandom ones
  What’s needed: pseudorandom function families computable by arithmetic circuits over finite fields

  18. Arithmetic Pseudorandom Functions
  Our results show that, if ordinary OWFs exist, then one can construct a family of functions f_s: F^n → F that are
  • computable by poly-size arithmetic circuits,
  • indistinguishable from random functions (even by Boolean circuits)
  Problem solved!
  Problem: Permanent is a low-degree polynomial! Any plausible lower bound proof would use that fact
  Real Challenge of Arithmetic Natural Proofs: find a family of degree-d polynomials p_s: F^n → F that are
  • computable by poly-size arithmetic circuits,
  • indistinguishable from random degree-d polynomials

  19. Pseudorandom Low-Degree Polynomials: How to Construct Them?
  Generic construction of PRF [Goldreich-Goldwasser-Micali]: doesn’t work (blows up degree)
  Number-theoretic PRF [Naor-Reingold]: doesn’t work (uses bit operations to parallelize)
  Hardness of learning small-depth arithmetic circuits [Klivans-Sherstov]: doesn’t work (requires specific input distribution)
  Other constructions based on lattices/LWE: ???

  20. Candidate for Low-Degree Arithmetic PRF
  where the L_ij’s are independent, random linear functions
  Conjecture: using oracle access to p, no polynomial-size arithmetic circuit over the finite field F can distinguish g: F^n → F from a uniformly random, homogeneous polynomial of degree d, with non-negligible bias.
  Note: it’s easy to distinguish g from a random function!

  21. Conclusions
  One can give sensible definitions of Heuristica, Pessiland, and Minicrypt over a finite field F
  When |F| ≤ 2^poly(n), these worlds perfectly mirror their Boolean counterparts, even if F-computation is weaker than Boolean. Natural Proofs are no less fearsome in F-land
  But when |F| > 2^poly(n), Heuristica = Pessiland = Minicrypt
  Note: both of these results explain why the other doesn’t generalize to all F!
  From this perspective, the distinction between P ≠ NP, NP hard on average, and existence of OWFs (if indeed there is one) seems like an “artifact of small field size.”

  22. Open Problems
  Construct pseudorandom low-degree polynomials p: F^n → F, ideally based on a known assumption
  Convincing Natural Proofs story for why Permanent ∉ AlgP/poly is hard
  OWF ⇒ PRG ⇒ PRF when |F| > 2^poly(n)?
  NP-completeness theory for large F
  Cryptomania: PKC, CRHFs, IBE, homomorphic encryption (?!), etc. in the arithmetic world
  Arithmetic circuits based on non-classical physics? Model proposed by [van Dam]

  23. Handwaving Idea
  What one would expect: Schwartz-Zippel!
  Lemma: Let C: F^n → F be a P_F/poly circuit of size s. Then {x ∈ F^n : C(x) = 0} belongs to the Boolean closure of ≤ 2^s algebraic varieties of degree ≤ 2^s each
  Canonical NP_F-complete problem: given x = (x_1, …, x_n) ∈ F^n, which we take to encode a (pure) arithmetic circuit C_x: F^m → F, does there exist a Boolean input w ∈ {-1,1}^m such that C_x(w) ≠ 0? (Get rid of equality tests using encoding tricks)
  Take a P_F/poly circuit A that solves this problem for most x, and correct it to one that works for all x
  Theorem: CIRCUITSAT_F is NP_F-complete.
