On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.



Outline
Motivation
Our Results
Proof Ideas

Motivation

Fundamental Primitives
One-way function (OWF):
–easy to compute, hard to invert
Pseudo-random generator (PRG):
–stretch a random seed into a long random-looking string

Relationship
weak OWF
strong OWF [Yao]
PRG [HILL]
–in polynomial time
–in lower complexity classes?

Hardness Amplification
OWF f has hardness : poly-time M
Pr_x [M fails to invert f(x)] >.
1-n - (1) strong OWF
n^{-O(1)} weak OWF
2^{-n} worst-case OWF

Question 1
Worst-case OWF Strong OWF?
???
1-n - (1) strong OWF
n^{-O(1)} weak OWF
2^{-n} worst-case OWF

Weak OWF Strong OWF
[Yao] f f
f (x_1, x_2, …, x_k) = (f(x_1), f(x_2), …, f(x_k))
good: simple, parallel
bad: not security-preserving (blow up input size)

Weak OWP Strong OWP
[GILVZ] f f
f (x, w_1, …, w_k) = f(w_k (…(f(w_1 (f(x)))

Weak OWP Strong OWP
[GILVZ] f f
f (x, w_1, …, w_k) = f(w_k (…(f(w_1 (f(x)))
walk on expander
good: security-preserving
bad: complex, sequential

Question 2
Weak OWF Strong OWF: security preserving + parallel (low complexity)?
Weak OWF AC^0 strong OWF AC^0: security preserving?
constant-depth poly-size circuits

Bigger Question
Low-complexity Crypto?
Crypto. constructions / reductions in low complexity classes?
Theory vs. practice

Attempt on Question 2
Derandomize [Yao]?
f (x_1, x_2, …, x_k) = (f(x_1), f(x_2), …, f(x_k))
k independent inputs
Generate x_1, x_2, …, x_k in some pseudo-random way from a short seed x?
f (x) = (f(x_1), f(x_2), …, f(x_k))
–[IW] some success w.r.t. hardness of computing functions (BPP vs. P)

No success for OWF …
Impossible task?
Aim: hardness amplification is a high complexity task
What if strong OWF f AC^0?
hard. amp.: ignore f, compute f directly …

Black-Box Hardness Amplification

(Strongly) Black Box
Transformation:
hard f harder f = AMP^f
–AMP uses f as a black box
Hardness proof:
A breaks f DEC^A breaks f
–DEC uses A as a black box
could be unbounded

Weakly Black Box
Transformation:
hard f harder f = AMP^f
–AMP uses f as a black box
Hardness proof:
A breaks f DEC^A breaks f
–DEC uses A as a black box

Complexity
Transformation:
hard f harder f = AMP^f
–AMP uses f as a black box
Hardness proof:
A breaks f DEC^A breaks f
–DEC uses A as a black box
hardness AMP high complexity

Previous Work

Lin-Trevisan-Wee
B.B. hardness t with AMP making s queries
t = O(s).

Our Results

Result (I)
B.B. hardness t, with AMP realized in AC^0(s)
t (n/n) log^{O(1)} s
t n^{O(1)} when n n^{O(1)} & s 2^{n^{O(1)}}.
n: new input length
n: init. input length
PH NP P
constant-depth circuits of size s

Result (I)
B.B. hardness t, with AMP realized in AC^0(s)
t (n/n) log^{O(1)} s
t log^{O(1)} n when n=O(n) & s n^{O(1)}.
security preserving AC^0
n: new input length
n: init. input length

Result (II)
Weakly B.B. hardness t, with AMP realized in AC^0 & t > (n/n) log^{O(1)} n
AMP must embed a OWF with hardness t

Parallel Query Model

Model
[Vio] AMP^f on input z:
–generates circuit C AC^0(s) and non-adaptive queries x_1, …, x_k
–calls the oracle: (y_1, …, y_k) = (f(x_1), …, f(x_k))
–outputs AMP^f(z) = C(y_1, …, y_k)

Proof Ideas

Weakness of AC^0 circuits
W.h.p. after a random restriction,
each bit independently received: * w.p. , 1 w.p. (1- )/2, 0 w.p. (1- )/2.

Weakness of AC^0 circuits
W.h.p. after a random restriction, any C AC^0 becomes biased
C(Y) is the same for most Y

B.B. Hard. Amp.
z, AMP^f(z) = C(f(x_1), …, f(x_k)) AC^0
Hardness t
Show: large t contradiction
Strategy: (follow closely [Vio]) find
–f: with hardness
–AMP^f: with hardness < t

Hardness
W.h.p. a random function f is hard, even after a random restriction, if rate of * is high [Vio].
against inverter with poly queries
[Figure: truth table of the restricted f, rows f(0^n) … f(1^n), with entries *1*1*00, 100*01*, *01*11*, 10*0*01]

kills AMP^f
[Vio] z, w.h.p. after a random ,
AMP^f(z) = C(f(x_1), …, f(x_k)) AC^0 is same for most f, if rate of * is low.
W.h.p. over ,
M AMP^f for most f
A =M breaks AMP^f for most f
DEC^A inverts f well for most f.
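An added example, not part of the original slides, of the random restriction described above applied to a small depth-2 circuit: at a low rate of * the circuit is almost always forced to a constant, at a high rate it almost never is. The name rho for the probability of *, the function names and the sample circuit are assumptions made for illustration; "fixed" here means syntactically forced to 0 or 1.

```python
import random

STAR = "*"

def random_restriction(n, rho, rng):
    """Each bit independently: '*' w.p. rho, 1 w.p. (1-rho)/2, 0 w.p. (1-rho)/2."""
    bits = []
    for _ in range(n):
        u = rng.random()
        bits.append(STAR if u < rho else (1 if u < rho + (1 - rho) / 2 else 0))
    return bits

def restrict_dnf(terms, restriction):
    """Simplify an OR-of-ANDs (depth 2) under a restriction.

    terms: list of terms, each a list of (input_index, wanted_bit) literals.
    Returns 0 or 1 if the circuit is forced to a constant, otherwise the
    surviving terms over the inputs that are still '*'.
    """
    alive = []
    for term in terms:
        free, falsified = [], False
        for idx, want in term:
            value = restriction[idx]
            if value == STAR:
                free.append((idx, want))
            elif value != want:
                falsified = True   # one wrong literal kills the whole AND
                break
        if falsified:
            continue
        if not free:
            return 1               # a fully satisfied AND forces the OR to 1
        alive.append(free)
    return alive if alive else 0   # no AND left: the OR is 0

def fraction_fixed(terms, n, rho, trials=2000, seed=1):
    """Monte Carlo estimate of Pr[circuit is constant after the restriction]."""
    rng = random.Random(seed)
    fixed = 0
    for _ in range(trials):
        result = restrict_dnf(terms, random_restriction(n, rho, rng))
        fixed += isinstance(result, int)
    return fixed / trials

# Constructed sample circuit: 4 disjoint ANDs of width 6 over 24 inputs.
SAMPLE = [[(6 * t + j, 1) for j in range(6)] for t in range(4)]

if __name__ == "__main__":
    for rho in (0.1, 0.9):
        print(rho, fraction_fixed(SAMPLE, 24, rho))
```
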

New Random Restriction
Rate of * is low, but for a significant # of x, f (x) has enough *.
f is a (weak) OWF
[Figure: truth table of the restricted f, rows f(0^n) … f(1^n), with entries *1*1*00, *01*11*]

Proof of Result (I)
a restriction s.t. for most f,
–f is hard to invert
–kills AMP^f
some A inverts AMP^f well
DEC^A inverts f well
t in AC^0(s): large t, small s

Proof of Result (II)
Derandomize Proof of Result (I)

Other Result: PRG from OWF

Result (III)
B.B. PRG from OWF
PRG^f: {0,1}^r {0,1}^m AC^0(s)
m-r o(r) when s 2^{m^{o(1)}}.
sublinear stretch
improving [Vio]: s m^{O(1)}.

Conclusion & Questions

High-Complexity Tasks
Hard OWF harder OWF
OWF PRG of long stretch

Relation among Primitives
–lower complexity?
[Figure: diagram relating TDP, TDF, PKE, PIR, OT, KA, OWF, BC, PRG, …, ZK]