CRYPTOGRAPHY AND NP-HARDNESS
Andrej Bogdanov, Chinese University of Hong Kong
Bertinoro Summer School | July 2014
f(p, q) = p∙q — easy to compute; hard to invert?
P ≠ NP
One-way functions and NP
“Invert a one-way function” is an NP problem
One-way functions are necessary for crypto:
So if P = NP, there is no crypto
If P ≠ NP, is there crypto? (Can crypto be based on NP-hardness?)
As hard as possible…
“Theorem”: One-way functions are NP-hard to invert.
“Proof”: Define F(φ, a) = (φ, φ(a)), where φ is a formula and a an assignment.
If algorithm I inverts F, then I(φ, true) solves SAT.
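As an illustration (my own sketch, not from the lecture), here is the construction in code: the universal function pairs a CNF formula φ with the evaluation φ(a), and any inverter for it — played here by a hypothetical brute-force stand-in — solves SAT when asked to invert (φ, true).

```python
from itertools import product

# Literal i > 0 means x_i; i < 0 means NOT x_i (DIMACS-style CNF).
def evaluate(cnf, assignment):
    return all(any((lit > 0) == assignment[abs(lit) - 1] for lit in clause)
               for clause in cnf)

def F(cnf, assignment):
    """The universal function F(phi, a) = (phi, phi(a))."""
    return (cnf, evaluate(cnf, assignment))

def inverter(cnf, target, n):
    """Stand-in for a hypothetical inverter I of F (here: brute force)."""
    for a in product([False, True], repeat=n):
        if evaluate(cnf, a) == target:
            return a
    return None

# If I inverts F, then asking it to invert (phi, True) solves SAT:
phi = [[1, 2], [-1, 3], [-2, -3]]        # (x1 v x2)(~x1 v x3)(~x2 v ~x3)
a = inverter(phi, True, 3)               # a satisfying assignment, if any
```

The inverter here is exponential-time only because it is a stand-in; the point is that any efficient inverter would plug into the same slot.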
Worst-case versus average-case
Solve SAT:
Invert a one-way function:
For every satisfiable formula φ, A(φ) outputs a satisfying assignment
For a (noticeable) fraction of inputs x, I(f(x)) is a preimage for f(x)
One-way permutations
Fake Theorem: One-way functions are NP-hard to invert.
Real Theorem: One-way permutations are not NP-hard to invert, unless NP = coNP.
NP and coNP
Verifier ↔ Prover
Claim: (x1 ∨ x2) ∧ (x1 ∨ x3) ∧ (x1 ∨ x2 ∨ x3) ∧ (x1 ∨ x3) has a satisfying assignment.
Prover: T, T, F. Verifier: OK!
NP: Honest prover can certify true instances. No cheating prover can certify false instances.
NP and coNP
Verifier ↔ Refuter
Claim: (x1 ∨ x2) ∧ (x1 ∨ x3) ∧ (x1 ∨ x2 ∨ x3) ∧ (x1 ∨ x3) has no satisfying assignment.
Refuter: T, T, F. Verifier: OK!
coNP: Honest refuter can refute false instances. No cheating one can refute true instances.
NP and coNP
Is NP = coNP?
“φ is satisfiable” has efficient proofs, but no reason to believe it has efficient refutations.
SAT ∈ NP, but most likely SAT ∉ coNP
... and so NP ≠ coNP
What does it mean?
Suppose some permutation f is NP-hard to invert. What does this mean?
One-way permutations are not NP-hard to invert, unless NP = coNP.
[Diagram: a reduction deciding L (here SAT) with an inversion oracle I — on input x it issues queries like “invert f at 762193” (answer: 168321) and “invert f at 111111111111”, then outputs x ∈/∉ L.]
Simulating reduction by a proof system
[Diagram: the reduction for L, on input x, queries “invert f at y1” and receives x1, and so on.]
Verifier: On input x, simulate the reduction.
Prover: Provide query/answer pairs y1, x1, ..., yt, xt.
Verifier: If f(x1) = y1 and ... and f(xt) = yt, and the answers are consistent, output the answer of the reduction; otherwise declare “prover is cheating!”
From a proof system to a proof
[Diagram: Verifier ↔ Prover; queries “invert f at y1”, …, “invert f at yt” answered by x1, …, xt; full transcript y1, x1, ..., yt, xt; output x ∈/∉ L.]
This is an NP proof system for L, and also an NP proof system for the complement of L, so L is both in NP and in coNP.
Conclusion
If one-way permutations are “L-hard” to invert, then L is both in NP and in coNP.
In particular, if L is SAT, we conclude SAT is in coNP, so NP = coNP.
Next: Variations of this theme, but always:
Verifier emulates reduction.
Prover emulates inversion oracle.
A trick question
Where did we use that f is a permutation?
How realistic is our model of the reduction?
The “right” question to ask:
The reduction may be randomized
An example
Fix a cyclic group with generator g and look at f(x) = g^x
Worst-case to average-case reduction: If y = f(x) can be inverted for 1% of x, then it can be inverted for all x.
Proof: On input y, repeat the following until y = f(x): choose a random r and compute x s.t. x + r = I(y∙g^r).
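A toy simulation of this random self-reduction (my own illustration; the group size, the weak inverter, and all parameters are made up): f(x) = g^x in Z_p^*, an inverter that only knows discrete logs from a small precomputed table, and the randomized loop that bootstraps it to invert everywhere.

```python
import random

p = 251                                   # a small prime; Z_p^* is cyclic
g = next(gen for gen in range(2, p)
         if len({pow(gen, k, p) for k in range(p - 1)}) == p - 1)

# A weak inverter: knows discrete logs only for a sparse set of exponents.
table = {pow(g, x, p): x for x in range(0, p - 1, 37)}
def weak_inverter(y):
    return table.get(y)                   # None means "I fail on this y"

def invert_anywhere(y):
    """If I works on a noticeable fraction of instances, randomize until it hits."""
    while True:
        r = random.randrange(p - 1)
        ans = weak_inverter(y * pow(g, r, p) % p)   # ask I to invert y * g^r
        if ans is not None:
            return (ans - r) % (p - 1)    # ans = x + r (mod p-1), so recover x

random.seed(0)
x = invert_anywhere(pow(g, 100, p))       # recovers the discrete log 100
```

The key point: y∙g^r is a uniformly random group element, so the weak inverter's success probability on it does not depend on the worst-case instance y.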
Emulating randomized reductions
[Diagram: Verifier (running the reduction R?) ↔ Prover (playing the inverter I); transcript y1, x1, ..., yt, xt; output x ∈/∉ L.]
Who should provide the randomness r? Answer: the verifier.
Correctness of randomized reductions: given an inversion oracle I for f, for most r, R^I(x; r) = L(x).
Emulating randomized reductions
[Diagram: as before, but the verifier also sends the randomness r.]
Verifier is randomized, so the proof system is interactive.
If one-way permutations are L-hard to invert wrt randomized reductions, then L ∈ AM ∩ coAM.
Permutations vs. functions
Where did we use that f is a permutation?
Correctness of randomized reductions: given an inversion oracle I for f, for most r, R^I(x; r) = L(x).
Verifier and prover should agree on the inversion oracle before r is chosen. When f is a permutation, I is unique.
Two-to-one functions
f: {0, 1}^n → {0, 1}^(n−1) is 2-to-1 if for every y, |f^(−1)(y)| = 2
[Diagram: a table indexed by the choice of r and the choice of I; each entry records whether R^I(x; r) = L(x).]
Verifier sends r; Prover sends y1, x1, ..., yt, xt.
If for every i, f(xi) = yi: output the answer of the reduction; otherwise “prover is cheating!”
Such an f has 2^(2^(n−1)) possible inversion oracles.
Proof system for 2-1 functions
Prover and verifier agree to emulate inversion oracle that answers with lexicographically smaller inverse
Verifier sends r; Prover sends y1, x1, x1’, ..., yt, xt, xt’.
If for every i, f(xi) = f(xi’) = yi and xi < xi’: output the answer of the reduction with transcript y1, x1, ..., yt, xt; otherwise “prover is cheating!”
[Diagram: the table over choices of r and of I, with entries R^I(x; r) = L(x).]
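A minimal sketch of the canonical-inverter idea (my own example function, not from the lecture): f drops the low bit of its input, so every image point has exactly two preimages, and the agreed-upon oracle answer is the lexicographically smaller one — which the verifier can check once the prover exhibits both preimages.

```python
def f(x):
    return x >> 1             # drop the low bit: exactly 2 preimages per output

def canonical_answer(y):
    # the inversion oracle both parties agree on: the smaller preimage
    return 2 * y              # preimages of y are 2y and 2y + 1

def verifier_check(y, x_small, x_big):
    # the prover must exhibit BOTH preimages; this pins down the smaller one
    return f(x_small) == y and f(x_big) == y and x_small < x_big

# Honest prover passes; a prover trying to pass off the larger preimage
# as the oracle answer fails the ordering check:
assert verifier_check(90, 180, 181)
assert not verifier_check(90, 181, 180)
```

Forcing the prover to reveal both preimages is what removes its freedom to pick a convenient inversion oracle.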
K-to-one functions
Say f is K-to-1 if for every y, |f^(−1)(y)| = K.
Complexity of the proof system grows linearly in K. When, say, K = 2^(n/2), this is exponential in n.
Can we do better?
INTERACTIVE PROOFS
Graph isomorphism
Claim: G0 is isomorphic to G1 (two graphs shown as pictures).
Proof: the isomorphism itself — an efficiently checkable NP certificate.
Graph non-isomorphism
Claim: G0 is not isomorphic to G1.
Interactive proof:
Verifier: Choose a random bit b and a random permutation p; send the graph G = p(Gb).
Prover: Answer with b’.
Verifier: If b’ = b, declare “probably not isomorphic”.
Analysis: If G0, G1 are not isomorphic, then the prover knows for sure that G came from Gb, so he can answer b. If G0, G1 are isomorphic, then G is equally likely to have come from G0 or G1, so he can guess b only with probability 1/2.
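The protocol is easy to simulate (my own sketch; the graphs and their representation are made up). The unbounded prover is played by brute force over all vertex permutations: against non-isomorphic graphs it identifies b every time, against isomorphic ones it can do no better than guessing.

```python
import random
from itertools import permutations

def relabel(G, perm):
    return frozenset(frozenset(perm[v] for v in e) for e in G)

def prover(H, G0, n):
    # unbounded prover: brute-force whether H is a relabeling of G0
    return 0 if any(relabel(G0, p) == H for p in permutations(range(n))) else 1

def one_round(G0, G1, n):
    b = random.randrange(2)
    perm = random.sample(range(n), n)
    H = relabel((G0, G1)[b], perm)       # challenge: random relabeling of G_b
    return prover(H, G0, n) == b         # verifier checks the prover's guess

path = frozenset({frozenset({0, 1}), frozenset({1, 2}), frozenset({2, 3})})
star = frozenset({frozenset({0, 1}), frozenset({0, 2}), frozenset({0, 3})})

random.seed(1)
ok = sum(one_round(path, star, 4) for _ in range(100))     # always correct
coin = sum(one_round(star, relabel(star, [1, 2, 3, 0]), 4)
           for _ in range(400))                            # ~50% correct
```

Path vs. star are non-isomorphic (degree sequences differ), so `ok` is 100; a star against a relabeled copy of itself leaves the prover guessing.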
Is there a classical proof system for graph non-isomorphism?
Interactive proofs
Given a promise problem L = (LYES, LNO)
Verifier (randomized, efficient) ↔ Prover (unbounded), on input x ∈ LYES ∪ LNO, exchanging messages q1, a1, ..., qR, aR; the verifier outputs YES/NO.
Completeness: If x ∈ LYES, Pr[VP(x) = YES] ≥ 0.6.
Soundness: If x ∈ LNO, Pr[VP*(x) = YES] < 0.4 for every P*.
Normal form for interactive proofs
The class AM consists of those decision problems that have constant-round interactive proofs. Such proofs have a normal form:
Verifier sends public randomness r; Prover answers a(x, r).
There is a compiler for converting protocols into this form; we’ll do an example instead.
The set size lower bound protocol
Input:
A set C ⊆ {0, 1}^n (specified by a circuit)
A size estimate 0 < S < 2^n
LYES: |C| ≥ S
LNO: |C| < S/8
Interactive proof:
Verifier: Send a random 2-universal hash function h: {0, 1}^n → {0, 1}^r, where 2S ≤ 2^r < 4S.
Prover: Send x (and a proof that x ∈ C).
Verifier: Accept if x ∈ C and h(x) = 0.
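A simulation of the protocol (my own sketch; the hash family is the standard affine-over-GF(2) one, everything else is made up): with |C| ≥ S the honest prover finds a zero of h noticeably often, while with |C| < S/8 no prover can, because too few elements of C hash to zero.

```python
import random

def rand_hash(n, r, rng):
    # 2-universal family h(x) = Ax + b over GF(2), x encoded as an n-bit int
    A = [rng.getrandbits(n) for _ in range(r)]
    b = rng.getrandbits(r)
    def h(x):
        out = 0
        for i, row in enumerate(A):
            out |= (bin(row & x).count("1") & 1) << i   # parity of <row, x>
        return out ^ b
    return h

def run_round(C, n, r, rng):
    h = rand_hash(n, r, rng)
    witness = next((x for x in C if h(x) == 0), None)   # best possible prover
    return witness is not None                          # verifier's check

rng = random.Random(7)
n, S, r = 10, 128, 8                 # 2S <= 2^r < 4S  holds for r = 8
big   = set(rng.sample(range(2 ** n), 150))   # |C| >= S      (YES instance)
small = set(rng.sample(range(2 ** n), 15))    # |C| <  S / 8  (NO instance)
yes_rate = sum(run_round(big, n, r, rng) for _ in range(300)) / 300
no_rate  = sum(run_round(small, n, r, rng) for _ in range(300)) / 300
```

By pairwise independence the YES acceptance rate is bounded below by roughly |C|/2^r minus a second-moment term, while the NO rate is at most |C|/2^r < 1/16, so the two cases separate.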
The set size lower bound protocol
Input:
A set C ⊆ {0, 1}^n
A size estimate 0 < S < 2^n
An error parameter e > 0
LYES: |C| ≥ S
LNO: |C| < (1 − e)S
Running time of verifier is linear in |C|/e.
Proof: Run the original protocol on (C^k, S^k), k = 3/e.
Graph non-isomorphism via set size
Given G0, G1 we want a proof of non-isomorphism. For simplicity we’ll assume G0, G1 have no automorphisms.
Reduction to set size lower bound:
C = {p(Gb) : p is a permutation, b is a bit}
G0, G1 isomorphic ⇒ |C| = n!
G0, G1 not isomorphic ⇒ |C| = 2∙n!
AM ≈ NP
Verifier sends public randomness r; Prover answers a(x, r).
If we replace r by the output of a suitable pseudorandom generator, the proof can be derandomized. Under a plausible assumption in complexity theory, AM = NP.
BACK TO CRYPTOGRAPHY
Hardness of regular one-way functions
Say f: {0, 1}^n → {0, 1}^(n−k) is 2^k-to-1. Suppose we have a reduction R? that, given an inverter I for f, solves L.
Verifier will emulate the reduction.
Prover will emulate a random inverter I: given a query y, return each x s.t. f(x) = y with probability 2^(−k), independently of previous queries and answers.
Hardness of regular one-way functions
[Diagram: Verifier ↔ Prover; queries y1, ..., yt answered by x1 = I(y1), ..., xt = I(yt); output x ∈/∉ L.]
x ∈ L ⇒ Pr_{r, I}[R^I(x; r) accepts] ≥ 2/3 ⇒ |{(r, x1, …, xt) valid and accepting}| ≥ (2/3)∙2^(|r| + kt)
x ∉ L ⇒ Pr_{r, I}[R^I(x; r) accepts] < 1/3 ⇒ |{(r, x1, …, xt) valid and accepting}| < (1/3)∙2^(|r| + kt)
Hardness of regular one-way functions
[Diagram: the same proof system, now counting rejecting transcripts — this certifies membership in the complement of L.]
x ∉ L ⇒ Pr_{r, I}[R^I(x; r) rejects] ≥ 2/3 ⇒ |{(r, x1, …, xt) valid and rejecting}| ≥ (2/3)∙2^(|r| + kt)
x ∈ L ⇒ Pr_{r, I}[R^I(x; r) rejects] < 1/3 ⇒ |{(r, x1, …, xt) valid and rejecting}| < (1/3)∙2^(|r| + kt)
General one-way functions
If one-way functions are L-hard to invert wrt non-adaptive reductions, then L ∈ AM ∩ coAM.
A non-adaptive reduction can query the inverter many times, but all queries are made at the same time.
Example: worst-case to average-case reduction for matrix multiplication.
Injective one-way functions
As a model example we’ll look at injective one-way functions f: {0, 1}^n → {0, 1}^m where m = n + 1.
Question: What goes wrong if we apply the proof system for permutations?
Injective one-way functions
To begin, we’ll assume that the marginal distribution of every query is uniform over {0, 1}^m. That is, each of the queries y1, …, yt is uniformly distributed, but they can be arbitrarily correlated.
The proof system will emulate the inverter I that returns the unique inverse when one exists, and ⟘ when not.
Statistics of coin tosses
Toss k coins, each heads with probability p. E[number of heads] = pk.
Pr[more than (p + e)k heads] < exp(−e^2∙k/2)
Pr[fewer than (p − e)k heads] < exp(−e^2∙k/2)
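These tail bounds are easy to check empirically (my own sketch with arbitrary parameters): for k = 1000 fair coins and e = 0.1, the bound exp(−e^2∙k/2) ≈ 0.0067, and in practice a 100-head deviation essentially never occurs.

```python
import math
import random

k, p, e = 1000, 0.5, 0.1
bound = math.exp(-e * e * k / 2)     # Chernoff-style tail bound, about 0.0067

random.seed(3)
trials = [sum(random.random() < p for _ in range(k)) for _ in range(500)]
worst = max(abs(h - p * k) for h in trials)          # largest deviation seen
deviants = sum(h > (p + e) * k or h < (p - e) * k for h in trials)
```

The true tail here is far smaller than the bound (around 10^-10 per trial), so none of the 500 trials deviates by e∙k.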
Proof system for uniform queries
Idea: Use query statistics to hold prover in check
Run the reduction independently many times:
[Table: run i uses randomness ri and makes queries yi1, yi2, …, yit, for i = 1, …, k.]
In every column, we expect to see k/2 queries that have an inverse. Moreover, this number will be within (½ ± e)k with probability 1 − 2∙exp(−e^2∙k/2).
Proof system for uniform queries
Union bound over columns: every column will contain (½ ± e)k invertible entries with probability 1 − 2t∙exp(−e^2∙k/2).
[Table of queries yij, as before.]
For e = 1/(10t) and k = O(t^2 log t), with probability 90% the whole table has tk/2 ± k/9 invertible entries. This is fewer than one “error” per row.
Proof system for uniform queries
Interactive proof:
Verifier: Send k random seeds for the reduction.
Prover: For every query yij, send an inverse xij or ⟘.
Verifier: If
1. f(xij) = yij for every xij ≠ ⟘, and
2. at least tk/2 − k/9 of the xij’s are ≠ ⟘:
for every i, emulate the reduction assuming the transcript is ri; yi1, xi1, ..., yit, xit, and output the majority of the answers.
Analysis of proof system
Recall the verifier’s checks:
1. f(xij) = yij for every xij ≠ ⟘
2. At least tk/2 − k/9 of the xij’s are ≠ ⟘
Honest prover analysis: By statistics, the honest prover can meet his quota of inverses with high probability.
Analysis of proof system
1. f(xij) = yij for every xij ≠ ⟘
2. At least tk/2 − k/9 of the xij’s are ≠ ⟘
Cheating prover analysis: The prover is required to provide tk/2 − k/9 inverses. By statistics, the table has at most tk/2 + k/9 invertible entries whp. So the prover cannot cheat on more than 2/9 of the rows. This is unlikely to affect the majority of the reduction runs.
Conclusion
If one-way functions are L-hard to invert wrt non-adaptive reductions with uniform marginal query distribution, then L ∈ AM ∩ coAM.
Question: Where did we use uniformity of the marginals?
Answers: 1. All queries are identically distributed. 2. To calculate the expected fraction of inverses.
Smooth distributions
Distribution Y is K-smooth if its probability density function is uniformly bounded by K times the uniform density.
Namely, for every y in {0, 1}^m, Pr_{Y ~ Y}[Y = y] ≤ K∙2^(−m).
In general, the verifier may not know the probability that a reduction query is invertible.
Idea: Use the prover to learn it.
Abstracting the problem
Verifier does not know Y (beyond it being K-smooth), but can sample from Y.
Verifier wants to learn pY = Pr_{Y ~ Y}[Y has an inverse].
Verifier: Generate many independent samples from Y and ask which are invertible.
If the prover is honest, the verifier can estimate pY as the fraction of invertible samples.
Inverting smoothly distributed queries
Given a sample Y ~ Y generated by the verifier, determine (with confidence) if Y has an inverse.
Idea: Leverage the similarity between Y and the uniform distribution.
Example:
U = uniform over {0, 1, 2, ..., 999}; Y = uniform over {0, 3, 6, ..., 999}
11 samples from U, one from Y. Which one?
778 882 63 78 752 158 685 718 657 222 874 780
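The point of the example — that a sample from the 3-smooth distribution Y hides among uniform samples — can be quantified in a quick simulation (my own sketch): even the best distinguisher, which knows Y's support exactly, identifies the Y-sample only about K/(q+1) ≈ 1/4 of the time.

```python
import random

U = range(1000)
Y = range(0, 1000, 3)          # 3-smooth relative to U: density <= 3/1000
q = 11                         # number of decoy samples from U

def one_trial(rng):
    samples = [("U", rng.choice(U)) for _ in range(q)] + [("Y", rng.choice(Y))]
    rng.shuffle(samples)
    # optimal distinguisher: guess uniformly among samples in Y's support
    candidates = [i for i, (_, v) in enumerate(samples) if v % 3 == 0]
    guess = rng.choice(candidates)         # always contains the Y-sample
    return samples[guess][0] == "Y"

rng = random.Random(5)
hits = sum(one_trial(rng) for _ in range(20000)) / 20000
```

About a third of the U-decoys also land in Y's support, so the distinguisher's success rate stays near 1/4 rather than 1: a lie aimed at the Y-query mostly hits decoys.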
Inverting smoothly distributed queries
Verifier: Generate one sample y from Y and q samples u1, ..., uq from U; shuffle them randomly and send to the prover.
Prover: Send an inverse or ⟘ for every sample.
Verifier: If at least (½ − e)q of the inverses are correct, accept the prover’s answer for y.
Inverting smoothly distributed queries
Intuition of analysis:
By statistics, the honest prover can pass the requirement.
A cheating prover can lie on at most 2eq U-queries.
A cheating prover cannot tell a U-query from a Y-query better than a factor K, so the chance it slips an undetected lie onto the Y-query is at most 2eq∙K/q = 2eK.
Complexity is polynomial in K and 1/confidence.
HISTOGRAMS
Histograms
A histogram of distribution Y maps each probability p in [0, 1] to the number of outcomes with probability p.
Example: 3 tosses of a 1/3-biased coin. The histogram: probability 1/27 → 1 outcome (3 heads), 2/27 → 3 outcomes, 4/27 → 3 outcomes, 8/27 → 1 outcome (0 heads).
For distributions over {0, 1}m, a histogram may require description length exponential in m
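The example histogram can be computed exactly (a sketch of mine, using rationals to avoid floating-point ties):

```python
from fractions import Fraction
from itertools import product

p = Fraction(1, 3)                       # probability of heads
outcome_prob = {}
for toss in product((0, 1), repeat=3):   # 1 = heads
    pr = Fraction(1)
    for t in toss:
        pr *= p if t else 1 - p
    outcome_prob[toss] = pr

histogram = {}                           # probability -> number of outcomes
for pr in outcome_prob.values():
    histogram[pr] = histogram.get(pr, 0) + 1
# histogram: {8/27: 1, 4/27: 3, 2/27: 3, 1/27: 1}
```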
Approximate histograms
Partition the interval [0, 1] into bins of the form [(1 − e)^i, (1 − e)^(i−1)).
An e-(approximate) histogram assigns to every bin the number of outcomes in that probability range.
For distributions described by a sampler S, size of such histogram is polynomial in |S| and 1/e
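The binning is one line of arithmetic (my own sketch): an outcome of probability p falls in bin i exactly when (1 − e)^i ≤ p < (1 − e)^(i−1), i.e. i = ⌈log p / log(1 − e)⌉.

```python
import math

def bin_index(p, eps):
    """Bin i such that (1-eps)**i <= p < (1-eps)**(i-1), for 0 < p <= 1."""
    return max(0, math.ceil(math.log(p) / math.log(1 - eps)))

# With eps = 0.5: bin 0 holds p = 1, bin 1 holds [0.5, 1), bin 2 holds [0.25, 0.5), ...
assert bin_index(1.0, 0.5) == 0
assert bin_index(0.6, 0.5) == 1
assert bin_index(0.3, 0.5) == 2
```

Only about log(2^m)/e bins are ever non-empty, which is why the description stays polynomial in the sampler size and 1/e.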
Learning histograms
Input:
Input:
A distribution Y (specified by a sampler)
A histogram h
An accuracy parameter e > 0
HIST_YES: h is the e-histogram of Y
HIST_NO: h is far from the e-histogram of Y
HIST ∈ AM [Haitner, Mahmoody, and Xiao]
Learning histograms
Verifier: Check ∑ hi = 2^m and ∑ hi∙λ^i ≥ 1, where λ = 1 − e.
Generate q samples from Y.
Ask the prover to show:
≳ h0∙λ∙q of them are λ-heavy,
≳ (h0∙λ + h1∙λ^2)∙q of them are λ^2-heavy,
etc.
[Figure: the histogram bars h0, h1, h2, h4, …, h∞ over the probability scale λ^5, λ^4, λ^3, λ^2, λ, 1.]
Why cheating provers fail
The verifier’s checks, as before: ∑ hi = 2^m and ∑ hi∙λ^i ≥ 1; on q samples from Y, ≳ h0∙λ∙q are λ-heavy, ≳ (h0∙λ + h1∙λ^2)∙q are λ^2-heavy, etc.
[Figure: a cheating histogram claim h0, h1, h2, h4, …, h∞ plotted over the probability scale λ^5, λ^4, λ^3, λ^2, λ, 1.]
Learning pY via histograms
Prover: For each bin i, claim a number ni of invertible y’s in that bin.
Verifier: Check ∑ ni∙2^(−m) ≥ ½.
Generate q samples from Y; ask for proofs:
≳ n0∙λ∙q are λ-heavy with an inverse,
≳ (n0∙λ + n1∙λ^2)∙q are λ^2-heavy with an inverse,
etc.
Output pY = n0 + n1∙λ + ....
[Holenstein and Künzler]
[Figure: the invertible counts n0, n2, n4, …, n∞ over the probability scale λ^5, λ^4, λ^3, λ^2, λ, 1.]
ARBITRARY QUERIES
Heavy queries
Call a sample y ~ Y K-heavy if Pr_{Y ~ Y}[Y = y] > K∙2^(−m).
[Figure: the densities of f(U) and Y over y ∈ {0, 1}^m, with the K-heavy threshold marked.]
Pr_{y ~ U}[y is K-heavy] ≤ 1/K
Pr_{y ~ f(U)}[y is K-heavy] ≤ 2/K = 1% for K = 200
Irrelevance of heavy queries
Since only 1% of f’s outputs are heavy, it doesn’t matter what the inverter does on them
Prover and verifier agree to emulate an inverter that:
If y is K-heavy, outputs H.
Otherwise: if y is in the image of f, outputs the unique inverse x; if not, outputs ⟘ (no inverse).
The proof system
[Diagram: the verifier sends k reduction runs (ri; yi1, yi2, …, yit); the prover answers each query with an inverse xij, with ⟘, or with H.]
Verifier can hold the prover in check if she knows:
pH = Pr_{y ~ Y}[y is K-heavy]
pX = Pr_{y ~ Y}[y is invertible and not K-heavy]
Probabilities from the histogram
[Figure: pH and pX can be read off the histogram of Y, using the thresholds 2^(−m) and K∙2^(−m) on the probability scale.]
pH = Pr_{y ~ Y}[y is K-heavy]
pX = Pr_{y ~ Y}[y is invertible and not K-heavy]
The proof system
Interactive proof:
Prover: Send histogram claims for Y and for the invertible samples.
Verifier: Verify the histograms. Calculate pX and pH. Send queries for k reduction runs.
Prover: Answer each query with H, xij, or ⟘.
Verifier: Check that ≳ pX∙kt of the answers are xij’s and correct, and that ≳ pH∙kt of the answers are H.
Prover: Prove that the queries answered by H are K-heavy.
Summary
We saw how to rule out NP-hardness* of inverting
One-way permutations
Regular one-way functions (more generally, range-computable functions)
General one-way functions, but only under non-adaptive reductions