1 / 67

CRYPTOGRAPHY AND NP-HARDNESS

Andrej Bogdanov Chinese University of Hong Kong. CRYPTOGRAPHY AND NP-HARDNESS. Bertinoro Summer School | July 2014. easy. f ( p , q ) = p ∙ q. hard?. P ≠ NP. One-way functions and NP. One-way functions are necessary for crypto:. “Invert a one-way function” is an NP problem.

adli
Download Presentation

CRYPTOGRAPHY AND NP-HARDNESS

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Andrej Bogdanov Chinese University of Hong Kong CRYPTOGRAPHY AND NP-HARDNESS Bertinoro Summer School | July 2014

  2. easy f(p, q) = p∙q hard? P ≠ NP

  3. One-way functions and NP One-way functions are necessary for crypto: “Invert a one-way function” is an NP problem So if P = NP, there is no crypto If P ≠ NP is there crypto? (Can crypto be based on NP-hardness?)

  4. As hard as possible… “Theorem” One-way functions are NP-hard to invert. “Proof:” f(f, a) = (f, f(a)) If algorithm I inverts f, then I(f, true) solves SAT

  5. Worst-case versus average-case Solve SAT: For everysatisfiablef, A(f) outputs a satisfying assignment x Invert a one-way function: f(x) For a (noticeable) fraction of inputs x, I(f(x)) is a preimage for f(x)

  6. One-way permutations Fake Theorem One-way functions are NP-hard to invert. Real Theorem One-way permutations are not NP-hard to invert, unless NP = coNP.

  7. NP and coNP (x1∨x2) ∧ (x1∨x3) ∧ (x1∨x2∨x3) ∧ (x1∨x3) has a satisfying assignment. T, T, F Verifier Prover OK! NP: Honest prover can certify true instances. No cheating prover can certify false instances.

  8. NP and coNP (x1∨x2) ∧ (x1∨x3) ∧ (x1∨x2∨x3) ∧ (x1∨x3) has no satisfying assignment. T, T, F Verifier Refuter OK! coNP: Honest refuter can refute false instances. No cheating one can refute true instances.

  9. NP and coNP Is NP = coNP? “f is satisfiable” has efficient proofs, but no reason to believe it has efficient refutations. SAT ∈ NP, but most likely SAT ∉coNP ... and so NP ≠ coNP

  10. What does it mean? One-way permutations are not NP-hard to invert, unless NP = coNP. Suppose some permutation fis NP-hard to invert. What does this mean? reduction L SAT I x f invert f at 762193 168321 invert f at 111111 111111 x f ∈/∉L

  11. Simulating reduction by a proof system Prover Verifier reduction L I x invert f at y1 x1 . . . Verifier: On input f, simulate reduction. Prover: Provide query/answer pairs y1, x1, ..., yt, xt Verifier: If f(x1) = y1and ... andf(xt) = yt, and consistent • output answer of reduction, • otherwise declare “prover is cheating!”

  12. From a proof system to a proof invert f at y1 Prover Verifier x1 . . . invert f at yt xt x∈/∉L • y1, x1, ..., yt, xt This is an NP proof system for L and also an NP proof system for L so L is both in NP and in coNP.

  13. Conclusion If one-way permutations are “L-hard” to invert, then L is both in NP and in coNP. In particular, if L is SAT, we conclude SAT is in coNP, so NP = coNP. Next: Variations of this theme, but always Verifier emulates reductionProver emulates inversion oracle

  14. A trick question Where did we use that f is a permutation? The “right” question to ask: How realistic is our model of the reduction? reduction L I x invert fat y1 x1 . . . The reduction may be randomized

  15. An example Fix a cyclic group with generator g and look at f(x) = gx Worst-case to average-case reduction: If y = f(x) can be inverted for 1% of x, then it can be inverted for all x Proof: On input y, ^ ^ Choose random r and compute xs.t.x + r = I(y∙gr) ^ Repeat until y = f(x).

  16. Emulating randomized reductions Prover Verifier (inverter I) (reduction R?) x∈/∉L Who should provide the randomness r? Answer: The verifier • y1, x1, ..., yt, xt Correctness of randomized reductions: Given an inversion oracle I for f For mostr, RI(x; r) = L(x)

  17. Emulating randomized reductions Prover Verifier randomness r (inverter I) (reduction R?) x∈/∉L Verifier is randomized, proof system is interactive • y1, x1, ..., yt, xt If one-way permutations are L-hard to invert wrtrandomized reductions, then L∈AM ∩ coAM.

  18. Permutations vs. functions Where did we use that f is a permutation? Correctness of randomized reductions: Given an inversion oracle I for f For mostr, RI(x; r) = L(x) Verifier and prover should agree on inversion oracle beforer is chosen When f is a permutation, I is unique

  19. Two-to-one functions f:{0, 1}n → {0, 1}n-1 is 2-to-1 if for every y, |f-1(y)| = 2 Such an f has 22 possible inversion oracles n-1 choice of I r Prover Verifier • y1, x1, ..., yt, xt If for every i, f(yi) = xi choice of r • output answer of reduction, • RI(x; r) = L(x) • otherwise “prover is cheating!”

  20. Proof system for 2-1 functions Prover and verifier agree to emulate inversion oracle that answers with lexicographically smaller inverse r Prover Verifier choice of I If for every i, • y1, x1, x1’ ..., yt, xt,xt’ • f(xi) = f(xi’) = yiand xi < xi’ choice of r • output answer of reduction • RI(x; r) = L(x) with transcript y1, x1, ..., yt, xt • otherwise “prover is cheating!”

  21. K-to-one functions Say f is K-to-1 if for every y, |f-1(y)| = K Complexity of proof system grows linearly in K When say K = 2n/2this is exponential in n Can we do better?

  22. INTERACTIVE PROOFS

  23. Graph isomorphism Claim: is isomorphic to Proof:

  24. Graph non-isomorphism Claim: is not isomorphic to G1 G0 Interactive proof: Verifier: Choose random bit b, permutation p Send graph G = p(Gb) Prover: Answer with b’ Verifier: If b’ = b, declare “probably not isomorphic”

  25. Graph non-isomorphism Analysis: If G0, G1 not isomorphic, then prover knows for sure that G came from Gb, so he can answer b If G0, G1isomorphic, then G is equally likely to have come from G0 /G1, so he can guess b with prob1/2 Is there a classical proof system for graph non-isomorphism?

  26. Interactive proofs Given a promise problemL = (LYES, LNO) Verifier x∈LYES∪LNO Prover q1 unbounded randomizedefficient a2 . . . qR-1 aR YES/NO Completeness: If x∈ LYES, Pr[VP(x) = YES] ≥ 0.6 Soundness: If x∈ LNO, Pr[VP*(x) = YES] < 0.4 for every P*

  27. Normal form for interactive proofs The class AM consists of those decision problems that have constant round interactive proofs Such proofs have a normal form • public randomness r Prover Verifier • a(x, r) There is a compiler for converting protocols into this form; we’ll do an example instead.

  28. The set size lower bound protocol Input: A set C ⊆ {0, 1}n(specified by a circuit) A size estimate 0 < S <2n LYES: |C| ≥ S LNO: |C| < S/8 Interactive proof: Verifier: Send a random 2-universal hash functionh: {0, 1}n → {0, 1}r where 2S ≤ 2r < 4S Prover: Send x (and a proof that x∈C) Verifier: Accept if x ∈C and h(x) = 0.

  29. The set size lower bound protocol Input: A set C ⊆ {0, 1}n A size estimate 0 < S <2n An error parametere > 0 LYES: |C| ≥ S LNO: |C| < (1 – e)S Running time of verifier is linear in |C|/e Proof: Run original protocol on (Ck, Sk), k = 3/e

  30. Graph non-isomorphism via set size Given G0, G1 we want a proof of non-isomorphism For simplicity we’ll assume G0, G1have no automorphisms Reduction to set size lower bound: C = {p(Gb): pis a permutation, bis a bit} |C| = n! G0, G1 are isomorphic |C| = 2∙n! G0, G1 are not isomorphic

  31. AM ≈ NP • public randomness r Prover Verifier • a(x, r) If we replace r by the output of a suitable pseudo-random generator, proof can be derandomized Under a plausible assumption in complexity theory, AM = NP.

  32. BACK TO CRYPTOGRAPHY

  33. Hardness of regular one-way functions • Say f:{0, 1}n → {0, 1}n - k is 2k-to-1 • Suppose we have a reduction R? that, given an inverter I for f, solves L • Verifier will emulate reduction • Prover will emulate random inverter I • Given a query y, return each xs.t.f(x) = y with probability 2-k • independently of previous queries and answers

  34. Hardness of regular one-way functions y1 Prover Verifier x1 = I(y1) . . . yt x∈/∉L xt= I(yt) Prr, I[RI(x; r) accepts] ≥ 2/3 x ∈ L |{(r, x1, …, xt) valid and accepting}| ≥ (2/3) 2|r| + kt Prr, I[RI(x; r) accepts] < 1/3 x ∉L |{(r, x1, …, xt) valid and accepting}| < (1/3) 2|r| + kt

  35. Hardness of regular one-way functions y1 Prover Verifier x1 = I(y1) . . . yt x∈/∉L xt= I(yt) Prr, I[RI(x; r) rejects] ≥ 2/3 x ∈ L |{(r, x1, …, xt) valid and rejecting}| ≥ (2/3) 2|r| + kt Prr, I[RI(x; r) rejects] < 1/3 x ∉L |{(r, x1, …, xt) valid and rejecting}| < (1/3) 2|r| + kt

  36. General one-way functions If one-way functions are L-hard to invert wrtnon-adaptive reductions, then L∈AM ∩ coAM. A non-adaptive reduction can query the inverter many times, but all queries made at the same time Example Worst-case to average-case for matrix multiply

  37. Injective one-way functions As a model example we’ll look at injective one-way functions f:{0, 1}n → {0, 1}mwhere m =n + 1 Question What goes wrong if we apply the proof system for permutations?

  38. Injective one-way functions To begin, we’ll assume that the marginal distribution of every query is uniform over {0, 1}m That is, each of the queries y1, …, ytis uniformly distributed, but they can be arbitrarily correlated Proof system will emulate inverter I that returns unique inverse when one exists, ⟘ when not

  39. Statistics of coin tosses Toss k coins, each heads with probability p E[number of heads] =pk Pr[more than (p + e)k heads] <exp(-e2k/2) Pr[fewer than (p-e)k heads] <exp(-e2k/2)

  40. Proof system for uniform queries Idea: Use query statistics to hold prover in check • Run the reduction independently many times In every column, we expect to see k/2 queries that have an inverse. r1 y11y12 … y1t r2 y21y22 … y2t . . . . . . Moreover, this number will be within (½± e)k with probability 1 - 2exp(-e2k/2) rk yk1yk2 … ykt

  41. Proof system for uniform queries Union bound over columns: • Every column will contain (½± e)k invertible entries with probability y11y12 … y1t y21y22 … y2t • 1 – 2texp(-e2k/2) . . . yk1yk2 … ykt For e = 1/(10t), k = O(t2 log t), w/p 90% whole table has tk/2 ± k/9invertible entries This is fewer than one “error” per row

  42. Proof system for uniform queries Interactive proof: Verifier: Send k random seeds for reduction Prover: For every query yij, send inverse xijor ⟘ Verifier: If 1. f(xij) = yij for every xij≠⟘ 2. At least tk/2 -k/9 of the xij’s≠ ⟘ For every i, emulate reduction assuming transcript is ri; yi1, xi1, ..., yik, xik Output majority of answers

  43. Analysis of proof system 1. f(xij) = yij for every xij≠⟘ 2. At least tk/2 -k/9 of the xij’s≠ ⟘ Honest prover analysis: By statistics, honest prover can meet his quota of inverses with high probability

  44. Analysis of proof system 1. f(xij) = yij for every xij≠⟘ 2. At least tk/2 -k/9 of the xij’s≠ ⟘ Cheating proveris required to provide ptk-k/9 inverses By statistics, table has at most tk/2 + k/9 invertible entries whp So prover cannot cheat on more than 2/9 of rows This is unlikely to affect majority of reduction runs

  45. Conclusion If one-way functions are L-hard to invert wrtnon-adaptivereductions with uniform marginal query distribution, then L∈AM ∩ coAM. Question Where did we use uniformity of marginals? Answers ✓ 1. All queries are identically distributed easy 2. To calculate the expected fraction of inverses

  46. Smooth distributions In general, the verifier may not know the probability that a reduction query is invertible Idea: Use the prover to learn it Smooth distributions Distribution Y is K-smooth if its probability density function is uniformly bounded by K Namely, for every y in{0, 1}m, PrY ~ Y[Y = y] ≤K 2-m

  47. Abstracting the problem Verifier does not know Y (beyond it being K-smooth), but can sample from Y Verifier wants to learnpY= PrY ~ Y [yhas inverse] Verifier: Generate many independent samples from Y and ask which are invertible If prover is honest, verifier can estimate pY as the fraction of invertible samples

  48. Inverting smoothly distributed queries Given a sample Y ~ Y generated by the verifier, determine (with confidence) if Y has an inverse Idea: Leverage similarity betweenY and the Uniform distribution Example: U= uniform over {0, 1, 2, ..., 999} Y= uniform over {0, 3, 6, ..., 999} 11 samples from U, one from Y. Which one? 778 882 63 78 752 158 685 718 657 222 874 780

More Related