Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard

Question Suppose the sequence 666 appears in the digits of  both in the 100th place and in the 1000000th place. Suppose an archeologist finds a mathematical proof by Archimedes that 666 appears in . Is it possible to recover the place in  Archimedes knew about?

Our Results Under reasonable assumptions we obtain: Non-interactive WI proof system for NP (in the plain model) First non-interactive proof with secrecy property Non-interactive Commitment Scheme Under incomparable assumptions to [BM]

Our Assumptions Assumption A: 9 L s.t. L 2 Dtime(2cn ) for some c L  Ntime(2 n)/ 2 n for some >0 Nc N N In paper: prove Thm 2 under weaker, uniform, assumption. (Uses [GST03]) A natural strengthening of EXP * NP Thm 1: Assumption A + TDP ) non-interactive WI Thm 2: Assumption A + OWF ) non-interactive commit.

Derandomization: a brief overview* A paradigm that attempts to transform: Probabilistic algorithms => deterministic algorithms. (P  BPP  EXP  NEXP). Probabilistic protocols => deterministic protocols. (NP  AM  EXP  NEXP). We don’t know how to separate BPP and NEXP. Can derandomize BPP and AM under natural complexity theoretic assumptions. * Thanks to Ronen Shaltiel for these slides

Hardness versus Randomness Initiated by [BM,Yao,Shamir]. Assumption: hard functions exist. Conclusion: Derandomization. A lot of works: [BM82,Y82,HILL,NW88,BFNW93, I95,IW97,IW98,KvM99,STV99,ISW99,MV99, ISW00,SU01,U02,TV02,GST03]

Hardness versus Randomness Assumption: hard functions exist. Conclusion: Derandomization.

Hardness versus Randomness Assumption: hard functions exist. Exists pseudo-random generator Conclusion: Derandomization.

Pseudo-random generators A pseudo-random generator (PRG) is an algorithm that stretches a short string of truly random bits into a long string of pseudo-random bits. pseudo-random bits PRG seed Pseudo-random bits are indistinguishable from truly random bits for feasible algorithms. Consider also generators with O(log n) length seed. ??????????????

Pseudo-random generators with O(log n) length seed. Polynomial-sized algorithm can identify pseudo-random strings as follows: Given a long string, enumerate all seeds and check that PRG(seed)=long string. Can distinguish between random strings and pseudo-random strings. Assuming distinguisher can enumerate all seeds. The Nisan-Wigderson setup: distinguisher can not enumerate all seeds. Example: Seed length = 5logn and generator fools circuits of size n3. PRG can also run in time n5 Sufficient for derandomization!!

State of the art in this direction Thm [NW88,…,IW97]: If 9 L s.t. L 2 Dtime(2cn) for some c L  Size(2 n) for some >0 Then BPP=P.

Arthur-Merlin Games [BM] Completeness: If the statement is true then Arthur accepts. Soundness: If the statement is false then Pr[Arthur accepts]<½. “xL” Merlin Arthur toss coins message message I accept

Arthur-Merlin Games [BM] Completeness: If the statement is true then Arthur accepts. Soundness: If the statement is false then Pr[Arthur accepts]<½. The class AM: All languages L which have an Arthur-Merlin protocol. Contains many interesting problems not known to be in NP. (e.g. graph nonisomorphism)

The big question: Does AM=NP? In other words: Can every Arthur-Merlin protocol be replaced with one in which Arthur is deterministic? Note that such a protocol is an NP proof.

Pseudo-random generators for nondeterministic circuits Nondeterministic algorithm can identify pseudo-random strings as follows: Given a long string, guess a short seed and check that PRG(seed)=long string. Assuming the circuit can run the PRG!! In NW setup circuit cannot run the PRG!!. For example: The PRG runs in time n5 and fools (nondeterministic) circuits of size n3.

State of the art in this direction Thm [AK,MV,KvM,SU]: If 9 L s.t. L 2 Dtime(2cn) for some c L  Nsize(2 n) for some >0 (i.e., if Assumption A holds) Then AM=NP.

PRG’s for nondeterministic circuits derandomize AM We can model the AM protocol as a nondeterministic circuit which gets the random coins as input. “xL” Merlin Hardwire input Arthur random message message I accept

PRG’s for nondeterministic circuits derandomize AM We can model the AM protocol as a nondeterministic circuit which gets the random coins as input. “xL” Merlin Hardwire input Arthur Nondeterministic guess input random input Nondeterministic guess I accept

PRG’s for nondeterministic circuits derandomize AM We can model the AM protocol as a nondeterministic circuit which gets the random coins as input. We can use pseudo-random bits instead of truly random bits. “xL” Merlin Hardwire input Arthur Nondeterministic guess input pseudo-random input Nondeterministic guess I accept

PRG’s for nondeterministic circuits derandomize AM We have AM protocol w/ deterministic (not probabilistic) Arthur: He sends all pseudo-random strings and Merlin replies on each one. Protocol is sound : otherwise we have a nondeterministic distinguisher. “xL” Merlin Arthur Our main observation: If original protocol was WI then new “protocol” is also WI! pseudo-random input Nondeterministic guess I accept

Proof of Thm 1: Thm [DN]: 9 TDP ) 9 AM protocol that is WI for NP Combining this w/ [SU] and observation we get Thm 1: TDP + Assumption A ) 9 Noninteractive WI for NP

Proving Thm 2 Use same technique to derandomize Naor’s commitment scheme (which is also of “AM” type).

That’s it…