Complexity and Cryptography


Complexity and Cryptography Haya Shulman CGC Colloquium

Complexity Theory Determines complexity (power and limitations) of well defined tasks Defines resources required to solve computational problems E.g. time, space, randomness, interaction Classifies problems according to their difficulty Defines relations between computational phenomena

Complexity Theory Provided a way of dividing computational world into complexity classes Evidence implying that these complexity classes are distinct Complexity Class is a fundamental notion of complexity theory Practical: relationship between computational classes and real computational problems

Complexity Class: A model of computation: Turing machine. A resource or a set thereof, e.g. time, memory. A complexity bound for each resource. Complexity considers the worst case performance. Lower bounds are stated asymptotically. Constant factors are irrelevant, and only the order of the lower bound is considered (linear, poly, exponential, …).

Deterministic vs. Non-Deterministic Turing Machine

Turing Machine: Was invented by Alan Turing in 1936. Turing machine is an abstract model of computation. Embodies any computer program. Turing machine is composed of a "tape", head and the program, i.e. a list of transitions.

Turing Machine vs. Computers If a computer can compute an algorithm then so can a Turing machine Can a computer compute an algorithm if a Turing machine can? No computer is as powerful as a Turing machine A computer is restricted while a Turing machine can do all that is theoretically possible given unlimited resources, e.g. time, memory

Deterministic Turing Machine: Deterministic machines model real computations. Transition function, for a given state and symbol under the tape head, specifies: the symbol to be written to the tape; the direction to move the head; the state of the finite control. E.g. given A on the tape in state 5, write B on the tape, move the head right, and switch to state 7.

Non-Deterministic Turing Machine: The state and tape symbol do not uniquely specify the computation. The machine "branches" into many copies, each follows one possible transition. If any branch of the tree halts with an accept condition, then the machine accepts the input. E.g. given A on the tape in state 5, write B on the tape, move the head right, and switch to state 7; or write A, move left and stay in state 5.

Deterministic vs. Non-Deterministic Turing Machine NDTM has a computation tree, while a DTM has a single computation path Is NDTM more powerful than DTM? Any language recognized by an NDTM can also be recognized by a DTM DTM simulates each branch of NDTM Makes multiple copies of states when multiple transitions are possible How long to simulate? P vs. NP

P vs. NP Deterministic Non-Deterministic Polynomial Time

P vs. NP Is finding solutions to problems harder than verifying their correctness? P represents Efficiently solvable tasks Sets of assertions that can be efficiently verified from scratch NP represents Tasks for which solutions can be efficiently checked Sets of assertions that can be efficiently verified with the help of adequate proofs

P vs. NP Complexity theory is concerned with manipulation of information A solution to a computational problem is a different representation of the information A representation in which the answer is explicit rather than implicit The problem contains all necessary information Process the information in order to supply the answer E.g. the answer to “is a given Boolean formula satisfiable” is implicit in the formula itself and the task is to make the answer explicit

Complexity Classes P, NP, NPC

Definitions: A language is a set of strings, e.g. Primes={2,3,5,7,11,13,17,19…}. Decision problem: given some string, determine if it is in the set. Given i, is i ∈ Primes? Primes ∈ P.

P Complexity Class The class of all languages that can be recognised by a deterministic polynomial time machine A language L is in P if there exists a TM M and a polynomial p(), s.t. M(x) halts in at most p(|x|) steps M(x)=1 iff x in L

P Associated with Efficient Computation: Showing that a problem is not in P implies that solution by a DTM is impossible. Reductions: given efficient f() and p(), h=f•p is efficient. Poly time is a boundary between feasible and infeasible. Given a polynomial algorithm, apply mathematical and algorithmic techniques to improve it. All models of sequential computation yield the same class P: the notions of polynomial time for all models of sequential computation yield the same class. The class P captures the true notion of the problems that are computable in polynomial time by sequential machines.

NP Complexity Class: L ∈ NP if ∃ L′ ∈ P and a polynomial p(∙), s.t. for every x, x ∈ L iff ∃ w, s.t. |w| ≤ p(|x|) and (x,w) ∈ L′. Definition by means of DTM, which verifies correctness of solutions. When x ∈ L, w is the positive solution to the problem represented by x, or a proof that x ∈ L. Class of problems, s.t. DTM: given solution, test for validity efficiently; NDTM: guess a solution and test for validity. NDTM has infinitely many parallel processors.

NP Complexity Class: L is the set of composite numbers. DTM: given the proof, verify its correctness. Given a proof that x is composite, i.e. x1 ≥ 2 and x2 ≥ 2, check if x1·x2 = x. NDTM: try all possible solutions at once, and identify the solution in polynomial time. On input x the machine branches to write down guesses for x1 and x2, then deterministically multiplies to test if x1·x2 = x. There exists an accepting computation path iff x is composite.

Complexity Failed to establish lower bounds on resources Showed that many problems computationally equivalent All of them have efficient algorithms or all of them do not E.g. failed to determine complexity of finding satisfying assignment of boolean formula (SAT) or 3COL In contrast, established that these problems are computationally equivalent

NP Complete Complexity Class: Identifies a set of problems that are as hard as NP. If any of those problems is easy to solve, then so are all problems in NP. Demonstrating NP-Completeness of a task is a central tool in indicating hardness of problems. Showing that a problem is NPC provides evidence of its intractability.

NP Complete Complexity Class: A problem is NP Complete if it is in NP and every NP problem is reduced to it in polynomial time. L ∈ NPC if L ∈ NP and, for every L′ ∈ NP, L′ ≤P L.

Reducibility: Language L1 is polynomial-time reducible to language L2, written L1 ≤P L2, if there exists a polynomial-time computable function f: {0, 1}* → {0, 1}* such that for all x ∈ {0, 1}*, x ∈ L1 iff f(x) ∈ L2. Significance: if L2 ∈ P and L1 ≤P L2, then L1 ∈ P also.

Reduction Cook’s theorem: Every decision problem in the class NP reduces to the Boolean satisfiability problem SAT

SAT The first decision problem proved to be NP-complete Boolean satisfiability problem (SAT) is a decision problem Its instance is a Boolean expression with only AND, OR, NOT, variables, and parentheses Is there some assignment of TRUE and FALSE values to the variables that will make the entire expression true Any problem that can be reduced to SAT in polynomial time is in NPC

SAT: Non-deterministic algorithm: guess an assignment of the variables; check if this is a satisfying assignment. Deterministic algorithm: given an assignment, check if satisfying. Time for n variables: guess an assignment of the variables, O(n); check if this is a satisfying assignment, O(n); total time: O(n). The satisfiability problem is an NP Complete Problem.
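The reducibility and SAT slides above, as an added Python example that is not part of the original presentation: a polynomial-time reduction f from 3COL (named earlier in the slides) to SAT, the deterministic certificate check, and exhaustive search standing in for the non-deterministic guess. The variable numbering, function names and sample graphs are constructed for this illustration.

```python
# Added illustration (not from the slides): 3COL <=p SAT, a polynomial-time
# certificate check, and brute-force search in place of the NDTM's guess.
from itertools import combinations, product

COLOURS = 3

def var(vertex, colour):
    """Assumed numbering: 1-based variable meaning 'vertex has this colour'."""
    return vertex * COLOURS + colour + 1

def reduce_3col_to_sat(n_vertices, edges):
    """Polynomial-time f: graph -> CNF (clauses are lists of signed ints).
    The graph is 3-colourable iff the CNF is satisfiable."""
    cnf = []
    for v in range(n_vertices):
        cnf.append([var(v, c) for c in range(COLOURS)])      # at least one colour
        for c1, c2 in combinations(range(COLOURS), 2):
            cnf.append([-var(v, c1), -var(v, c2)])            # at most one colour
    for u, v in edges:
        for c in range(COLOURS):
            cnf.append([-var(u, c), -var(v, c)])              # endpoints differ
    return cnf

def verify(cnf, assignment):
    """Deterministic check of a certificate, linear in the formula size.
    assignment[i] is the truth value of variable i + 1."""
    return all(any(assignment[abs(lit) - 1] == (lit > 0) for lit in clause)
               for clause in cnf)

def solve_by_search(cnf, n_vars):
    """Deterministic stand-in for 'guess an assignment': tries up to
    2**n_vars certificates and checks each one with verify()."""
    for bits in product([False, True], repeat=n_vars):
        if verify(cnf, bits):
            return bits
    return None

def decode_colouring(assignment, n_vertices):
    """Map a satisfying assignment back to one colour per vertex."""
    return [next(c for c in range(COLOURS) if assignment[var(v, c) - 1])
            for v in range(n_vertices)]

def three_colourable(n_vertices, edges):
    """Decide 3COL through SAT; returns a colouring or None."""
    cnf = reduce_3col_to_sat(n_vertices, edges)
    witness = solve_by_search(cnf, n_vertices * COLOURS)
    return None if witness is None else decode_colouring(witness, n_vertices)

# Constructed sample graphs: a triangle (3-colourable) and K4 (not 3-colourable).
TRIANGLE = (3, [(0, 1), (1, 2), (0, 2)])
K4 = (4, list(combinations(range(4), 2)))

if __name__ == "__main__":
    print("triangle:", three_colourable(*TRIANGLE))
    print("K4:", three_colourable(*K4))
```

The reduction and verify() run in time polynomial in the graph size; only solve_by_search() is exponential, which is the gap between checking and finding that the P vs. NP slides describe.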

Theorem: NP-Completeness: If any NP-complete problem is polynomial-time solvable, then P = NP! If L ∈ NPC and we can find a DTM accepting L in polynomial time (so that L ∈ P), then P = NP. All the problems in NP would have polynomial deterministic solutions! Equivalently, if any problem in NP is not polynomial-time solvable, then no NP-complete problem is polynomial-time solvable. If we prove that we cannot solve an NP-Complete problem in Deterministic Polynomial Time, then we know: P ≠ NP.

Proof: NP-Completeness: Let L ∈ P and L ∈ NPC. For any L′ ∈ NP, L′ ≤P L, by definition of NP-completeness. Therefore, L′ ∈ P.

P, NP, NPC Complexity Hierarchy (figure; labelled example problems: SAT, Primes)

Cryptography and Complexity Basing cryptography on complexity theoretic assumptions Randomness Interaction

Cryptography and Complexity Complexity Theory Study the resources required to solve computational tasks time, space(memory) Understanding relations between complexity phenomena Provides new perspective on various concepts Cryptography Specify security requirements of systems Use the computational infeasibility of problems to obtain security Almost any cryptographic task requires using this idea Key idea in cryptography: Use the computational infeasibility of problems in order to obtain security These disciplines are connected!

Cryptography: Study of systems that are easy to use, but hard to abuse. Crypto systems involve: secrets, randomness, interaction. Complexity gap: between proper usage by legitimate parties and infeasibility of causing systems to deviate from prescribed functionality.

Cryptography is Based on Complexity Theoretic Assumptions Transformations of simple primitives, e.g. One Way Functions into complex constructions, e.g. encryption schemes Intractability of NPC problems is based on hardest instances But, some problems are easy on average Breaking crypto-system must be hard for almost all instances and not just some of them For cryptography, use average case complexity analysis

Randomness: Pseudo-Random Generators (PRG)

Randomness and Intractability Complexity defines objects as equivalent if they cannot be told apart by efficient observer Coin toss is random if it is infeasible to predict the outcome A distribution is random if it is infeasible to distinguish from uniform distribution Randomness is expandable Random strings can be expanded into longer pseudo random strings

Randomness and Intractability Pseudo-randomness refers to intractability i.e. infeasibility of distinguishing pseudo-random strings from uniformly distributed strings The assumption of One Way Functions implies the existence of pseudo-random generators Stretch short random seeds into long pseudo-random strings Existence of PRGs is equivalent to the existence of OWFs

Derandomisation: Goal: real random bits are difficult to obtain, use less randomness. Idea: replace random strings with pseudo-random. Security? Depends on the power of the distinguisher. For restricted distinguisher, probability to distinguish is ½. For an unbounded distinguisher, probability to distinguish is 1.

Generating Computational Randomness: random seed → Pseudo-Random Generator → pseudo-random string. Insecure against computationally unbounded distinguisher. Secure against computationally bounded distinguisher.

Pseudo-Random Generator: PRG is a polynomial time deterministic function whose output is indistinguishable from random by any efficient distinguisher. Figure: random seed → PRG → pseudo-random string, which appears indistinguishable from a truly random string to any efficient observer.

PRG and P vs. NP: Theorem: if P=NP there are no PRGs. Proof sketch: let G be a PRG and let D be a distinguisher, s.t. on input y it accepts iff there is an x s.t. G(x)=y. D ∈ NP: can guess x′ and check if G(x′)=y. Since P=NP, D is efficient. Accepts all strings except those output by G. G is not PRG.
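The distinguisher D defined in the proof sketch (accept y iff there is an x with G(x)=y), as an added Python example that is not part of the original presentation. G here is a constructed toy expander from 6-bit seeds to 12-bit strings, not a secure PRG; the loop over all seeds plays the role of the NP guess, which would become efficient if P=NP.

```python
# Added illustration (not from the slides). G is a toy expander built for this
# example; the argument only uses the fact that it stretches its seed.
import hashlib
from functools import lru_cache

SEED_BITS = 6
OUT_BITS = 2 * SEED_BITS

@lru_cache(maxsize=None)
def G(seed):
    """Toy deterministic generator: SEED_BITS-bit seed -> OUT_BITS-bit int."""
    digest = hashlib.sha256(bytes([seed])).digest()
    return int.from_bytes(digest[:2], "big") >> (16 - OUT_BITS)

def D(y):
    """Distinguisher from the proof sketch: accept iff some seed x gives
    G(x) == y. Exhaustive search stands in for 'guess x and check'."""
    return any(G(x) == y for x in range(2 ** SEED_BITS))

def acceptance_on_prg_outputs():
    """Pr[D(G(s)) = 1] over a uniform seed s, computed exactly."""
    seeds = range(2 ** SEED_BITS)
    return sum(D(G(s)) for s in seeds) / len(seeds)

def acceptance_on_uniform():
    """Pr[D(u) = 1] over a uniform OUT_BITS-bit string u, computed exactly."""
    strings = range(2 ** OUT_BITS)
    return sum(D(u) for u in strings) / len(strings)

def advantage():
    """Distinguishing advantage of D against G."""
    return acceptance_on_prg_outputs() - acceptance_on_uniform()

if __name__ == "__main__":
    print("accepts PRG outputs with prob.", acceptance_on_prg_outputs())
    print("accepts uniform strings with prob.", acceptance_on_uniform())
    print("advantage", advantage())
```

Because G has at most 2^6 distinct outputs among 2^12 strings, D accepts a uniform string with probability at most 2^-6, so its advantage is at least 1 - 2^-6 regardless of how G is built.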

Information vs. Knowledge Interactive Proofs Zero Knowledge Proofs

Knowledge and Secrecy: Knowledge is a result of hard computation. It is not knowledge if it can be efficiently computed by anyone. Zero Knowledge Interaction: interactions in which no knowledge is gained. Assert correctness of data provided beforehand. Motivation for interaction is gaining knowledge. Showing possession of a secret to the other party without revealing the secret. Knowledge is something one party has and the other does not and cannot feasibly obtain. "Knowledge is a secret".

What is a gain of knowledge? Defined with respect to computational ability Bob gains knowledge after interacting with Alice if: After the interaction Bob can easily compute something that was infeasible for him before

Recall: The complexity class NP The languages in NP are those whose members all have short certificates of membership, which can be easily verified NP can be characterized as the set of languages for which an efficient procedure exists to check if a string belongs to that language Given a string x from a language L and a certificate w it is easy to check if x belongs to L

Proof Systems and NP We can view this as follows: There is an unbounded prover The prover has to convince the verifier that the input is indeed a member of the language It sends the verifier a short (polynomial) certificate The verifier is bounded The verification of the certificate cannot take more than polynomial time

Interactive Proof System: Interactive proofs are a generalisation of the concept of a proof system. It is obtained by adding two more properties: interaction between the parties (interaction adds power), and letting the verifier toss coins (randomisation). Why? An Interactive Proof System is a two-party game between a verifier and a prover that interact on a common input for a polynomial amount of time. Eventually the verifier accepts (x ∈ L) or rejects the input otherwise.

Properties of an Interactive Proof System Prover and verifier interact with each other Two Turing machines, sharing a common tape The unbounded prover has to convince the bounded (polynomial) verifier Correctness: Soundness - I’ll not believe a false statement For a false assertion no proof strategy exists Completeness - I’ll believe all true statements For a true assertion there is a convincing proof strategy Proofs are defined by their verification procedure Verification is typically simple - proving is typically hard IP = class of languages that have interactive proofs

Example: IP for SAT Check the membership of a given boolean formula: =(xyz’)(x’y’)z’ The prover must convince the verifier this formula is satisfiable It sends an assignment, which supposedly satisfies the formula x=0, y=1, z=0 It is not difficult for the prover to find such, if such exists; why? The prover is unbounded

Example: IP for SAT The verifier checks the truth value of the formula under the assignment it received Finds out whether the prover was right This takes polynomial time

Zero Knowledge Proof System (P,V) is ZKIP, if It is complete and sound It is zero knowledge The verifier does not learn anything except the truth of the statement For every verifier interacting with a prover, there is a simulator This simulator does not have access to the interactive prover Yet, it can simulate the interaction between P and V Hence, V did not gain any knowledge from P Since the same output could have been generated without any access to P
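The simulator idea from the slide above, as an added Python example that is not part of the original presentation. It uses the Schnorr identification protocol, which the slides do not name, in a constructed toy group, and it covers only the honest-verifier case (a verifier that picks its challenge uniformly), not the "for every verifier" requirement of the full definition.

```python
# Added illustration (not from the slides): honest-verifier simulator for the
# Schnorr identification protocol. Group parameters and the secret are
# constructed for this example and far too small for real use.
from collections import Counter

P, Q, G = 23, 11, 2        # G has prime order Q in Z_P^* (2**11 % 23 == 1)
SECRET_W = 7               # prover's secret
Y = pow(G, SECRET_W, P)    # public statement: prover knows w with G**w == Y mod P

def verifier_accepts(t, c, s):
    """Verifier's check on a transcript: commitment t, challenge c, response s."""
    return pow(G, s, P) == (t * pow(Y, c, P)) % P

def real_transcript(r, c):
    """Honest prover (uses SECRET_W and randomness r), challenge c from V."""
    t = pow(G, r, P)
    s = (r + c * SECRET_W) % Q
    return (t, c, s)

def simulated_transcript(c, s):
    """Simulator: never touches SECRET_W. It picks c and s first and then
    solves the verification equation for t = G^s * Y^(-c)."""
    t = (pow(G, s, P) * pow(Y, (Q - c) % Q, P)) % P
    return (t, c, s)

def real_distribution():
    """All transcripts of the real interaction, over uniform r and c."""
    return Counter(real_transcript(r, c) for r in range(Q) for c in range(Q))

def simulated_distribution():
    """All transcripts the simulator outputs, over uniform c and s."""
    return Counter(simulated_transcript(c, s)
                   for c in range(Q) for s in range(Q))

if __name__ == "__main__":
    real, sim = real_distribution(), simulated_distribution()
    print("transcripts:", len(real), "identical distributions:", real == sim)
```

The two distributions are identical, so the transcript V sees could have been produced without any access to P, which is the sense in which V gains no knowledge.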

Questions? Thank you.