CRYPTOGRAPHY AND NP-HARDNESS. Andrej Bogdanov, Chinese University of Hong Kong. MACS Foundations of Cryptography | January 2016.
What these talks are about. Apply insights from computational complexity to understand the nature of cryptographic hardness. Such insights have not (yet) led to attacks on real cryptosystems… but they hopefully explain why things do get broken sometimes.

How hard is it to break encryption? [Figure: Alice sends Bob the message “The quick brown fox jumped over the lazy dog”; Eve is listening in.]

How hard is it to break encryption? Alice encrypts message m under key k and sends ciphertext c to Bob. Eve wants to find k, m so that Alice(k, m) = c. She can do it if she is given enough time!

NP problems. Problems whose solutions are easy to verify… may or may not be easy to find! Example 1: EQUATIONS. A system of four equations in the unknowns x, y, z (the slide’s coefficients did not survive the transcript; one of the terms is 99925x), with solution x = …, y = …, z = 2464. A proposed solution is easy to check by substituting it into the equations.

NP problems. Example 2: FACTORING. Given a number, find p, q > 1 with p ∙ q equal to it. (The slide’s specific numbers did not survive the transcript.)

NP problems. Example 3: SUBSET-SUM. Given 20 weights and a target, find x_1, …, x_20 ∈ {0, 1} such that the weighted sum of x_1, …, x_20 equals the target. (The slide’s weights and target did not survive the transcript.)

NP-complete problems. SUBSET-SUM is NP-complete: if SUBSET-SUM can be solved efficiently, so can all NP problems… including FACTORING. So SUBSET-SUM is no easier than FACTORING. Is it harder?

Different kinds of hardness. It is generally believed that FACTORING is “easier” than SUBSET-SUM. Evidence #1: Quantum computers can factor efficiently… but are not known to help for SUBSET-SUM.

Refutation. The same system of equations in x, y, z (coefficients lost in the transcript). Prove that there is no solution! Proof: Run the EQUATIONS algorithm and verify that whatever it outputs is not a solution.

Refutation. p ∙ q = (number lost in the transcript), p, q > 1. Claim: Now there is no solution! Proof: The number is a prime. This can be confirmed using the algorithm of Agrawal, Kayal, and Saxena.

Refutation. The same SUBSET-SUM instance (weights and target lost in the transcript), x_1, …, x_20 = 0 or 1. Nobody knows how to refute in general!

NP-completeness and refutation. It is believed that NP-complete problems do not have short refutations* (* if they did, the “polynomial hierarchy collapses,” etc.)… but FACTORING, and other problems used for crypto hardness, do. In this sense, breaking current cryptosystems is easier than solving NP-complete problems.

SOME ELEMENTS OF CRYPTOGRAPHY

One-way functions. f(p, q) = p ∙ q: easy to compute, hard to invert. One-way functions are necessary for (most of) cryptography.

Cryptographic security. Rabin’s public key encryption: SK = (p, q), PK = n = p ∙ q, Enc_PK(m) = m^2 mod n, Dec_SK(c) = … Security claim: If I can recover m from PK and Enc_PK(m), then I can factor n.

A bit of algebra. The map x → (x mod p, x mod q) is a bijection from Z_n^* to Z_p^* × Z_q^*. Example: p = 5, q = (value lost in the transcript); the slide tabulates x, x mod p and x mod q.

Reduction. If I can recover m from PK and Enc_PK(m), then I can factor n. Equivalently: if I can recover m from n and c = m^2 mod n, then I can factor n. Proof: On input n, you choose a random m* and ask me to recover the message from c = m*^2 mod n. I tell you some m. You output p = gcd(m* – m, n) and q = n/p.

Analysis. Claim: With probability ½, p and q are the factors of n. Proof by example: p = 5, q = 3, n = 15. Suppose you chose m* = 7, so m*^2 mod n = 4. The equation m^2 mod n = 4 has four solutions, m = 2, 7, 8, 13. If I say m = 2 or 13, then m* – m shares a nontrivial factor with n.

Analysis. Claim: With probability ½, p and q are the factors of n. Proof (continued): But what if I had said m = 7 or 8? You chose m* at random and I only see m*^2. I only know m*^2 = 4 mod 15, so for me m* is equally likely to be 2, 7, 8, 13. I am “forced” to choose a good m* with probability ½.
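The bijection from the “A bit of algebra” slide and the reduction from the two “Analysis” slides, worked through in code. This is an added example, not code from the slides: it uses the slides’ toy parameters p = 5, q = 3, n = 15, implements the CRT map and its inverse, and plays the reduction against a brute-force “inverter” that always returns the smallest square root (one deterministic adversary; the slides’ point is that any fixed answer strategy splits n for half of the m* values). The function names are my own; `pow(·, -1, m)` needs Python 3.8+.

```python
from math import gcd
from itertools import product

# Toy parameters from the slides: p = 5, q = 3, n = 15.
P, Q = 5, 3
N = P * Q


def crt_forward(x, p=P, q=Q):
    """The slide's map x -> (x mod p, x mod q)."""
    return (x % p, x % q)


def crt_inverse(a, b, p=P, q=Q):
    """Inverse of that map (Chinese remainder theorem): the unique x mod pq
    with x = a (mod p) and x = b (mod q)."""
    n = p * q
    return (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % n


def units(n):
    """Z_n^*: the residues coprime to n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def check_bijection(p=P, q=Q):
    """Confirm x -> (x mod p, x mod q) is a bijection Z_n^* -> Z_p^* x Z_q^*."""
    n = p * q
    images = {crt_forward(x, p, q) for x in units(n)}
    onto = images == set(product(units(p), units(q)))
    round_trip = all(crt_inverse(*crt_forward(x, p, q), p, q) == x for x in units(n))
    return onto and round_trip


def square_roots(c, n=N):
    """All m in Z_n with m^2 = c (mod n); brute force, as an unbounded inverter would."""
    return sorted(m for m in range(n) if (m * m) % n == c)


def smallest_root(c):
    """A fixed inverter strategy (constructed): always answer the smallest root."""
    return square_roots(c)[0]


def rabin_reduction(inverter, m_star, n=N):
    """One run of the slide's reduction: ask for a root of c = m*^2 mod n,
    then try d = gcd(m* - m, n). Returns (p, q) on success, else None."""
    c = (m_star * m_star) % n
    m = inverter(c)
    d = gcd(m_star - m, n)
    return (d, n // d) if 1 < d < n else None


def success_probability(inverter, n=N):
    """Fraction of m* in Z_n^* for which the reduction splits n."""
    xs = units(n)
    wins = sum(1 for m_star in xs if rabin_reduction(inverter, m_star, n) is not None)
    return wins / len(xs)


if __name__ == "__main__":
    print("bijection holds:", check_bijection())
    print("roots of 4 mod 15:", square_roots(4))
    print("reduction with m* = 7:", rabin_reduction(smallest_root, 7))
    print("success probability over m*:", success_probability(smallest_root))
```

Against the smallest-root inverter, m* = 7 yields m = 2 and gcd(5, 15) = 5, exactly the slide’s good case; averaged over all eight m* ∈ Z_15^*, the reduction succeeds for exactly half of them.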

HARDNESS OF ONE-WAY FUNCTIONS

The setup. Suppose I believe my function f is one-way. How do I “prove” it? Want a hard problem X and a reduction R. R can use an (imaginary) inverter I: if I inverts f, then R^I solves X.

Maybe hard but not too hard. If such an R exists for a one-way permutation f, then X cannot be too hard: YES instances of X have short proofs, and NO instances of X have short refutations. For instance, X cannot be SUBSET-SUM, because SUBSET-SUM does not have short refutations* (* unless NP = coNP).

One-way permutations. A one-way permutation is a one-way function that is also a bijection. Example: f(x) = g^x, where g is a generator of a group G and x ∈ {0, …, |G| − 1}.

Simulating a reduction by a proof system. Setting: the reduction, on a SUBSET-SUM instance eqn in x_1, …, x_12 (weights lost in the transcript), makes queries “invert f at b_1”, … to the inverter I and receives answers a_1, …. Verifier: On input eqn, simulate the reduction. Prover: Provide the query/answer pairs b_1, a_1, …, b_t, a_t. Verifier: If f(a_1) = b_1 and … and f(a_t) = b_t, and the pairs are consistent with the simulation, output the answer of the reduction; otherwise declare “prover is cheating!”

From a proof system to a proof. The transcript b_1, a_1, …, b_t, a_t (the reduction’s queries “invert f at b_i” and the prover’s answers a_i) is a short proof that eqn has a solution, provided that it does, but also that eqn does not have a solution if it doesn’t!

A trick question. Where did we use that f is a permutation? How realistic is our model of the reduction? The “right” question to ask: the reduction, given an instance x of X, queries I with “invert f at b_1”, … and gets back a_1, …; the reduction may be randomized.

Emulating randomized reductions. The Verifier (playing the reduction R^?) and the Prover (playing the inverter I) exchange b_1, a_1, …, b_t, a_t. Who should provide the randomness r? Answer: the verifier. Correctness of randomized reductions: given an inversion oracle I for f, for most r, R^I(x; r) solves x.

Emulating randomized reductions. The Verifier (reduction R^?) sends the randomness r along with the queries; the Prover (inverter I) answers; the transcript is b_1, a_1, …, b_t, a_t. The verifier is randomized, so the proof system is interactive.

Permutations vs. functions. Where did we use that f is a permutation? Correctness of randomized reductions: given an inversion oracle I for f, for most r, R^I(x; r) solves x. So the verifier and prover should agree on I before r is chosen. When f is a permutation, I is unique.

Two-to-one functions. f: {0, 1}^n → {0, 1}^{n−1} is 2-to-1 if for every y, |f^{−1}(y)| = 2. Such an f has 2^{2^{n−1}} possible inversion oracles. Order of events: choice of r, then choice of I, then R^I(x; r) solves x. Protocol: the Verifier sends r; the Prover sends b_1, a_1, …, b_t, a_t; if for every i, f(a_i) = b_i, output the answer of the reduction, otherwise “prover is cheating!”

Proof system for 2-to-1 functions. Prover and verifier agree to emulate the inversion oracle that answers with the lexicographically smaller inverse. The Verifier sends r; the Prover sends b_1, a_1, a_1’, …, b_t, a_t, a_t’. If for every i, f(a_i) = f(a_i’) = b_i and a_i < a_i’, output the answer of the reduction with transcript b_1, a_1, …, b_t, a_t; otherwise “prover is cheating!” (Order of events: choice of r, then choice of I, then R^I(x; r) solves x.)

Theme. Cryptographic reductions can sometimes be emulated by proof systems: the verifier plays the role of the reduction, and the prover plays the role of the adversary (e.g. the inverter). We can both prove and refute instances of X provided the prover is “forced” to play a unique adversary.

K-to-one functions. Say f is K-to-1 if for every y, |f^{−1}(y)| = K. The complexity of the proof system grows linearly in K. When, say, K = 2^{n/2}, this is exponential in n. Can we do better?

INTERACTIVE PROOFS

Graph isomorphism. Claim: [graph, figure] is isomorphic to [graph, figure]. Proof: [the isomorphism, shown in a figure lost in the transcript].

Graph non-isomorphism. Claim: G_0 is not isomorphic to G_1 (graphs shown on the slide). Interactive proof: Verifier: Choose a random bit b and a random permutation π; send the graph G = π(G_b). Prover: Answer with b’. Verifier: If b’ = b, declare “probably not isomorphic”.

Graph non-isomorphism. Analysis: If G_0, G_1 are not isomorphic, then the prover knows for sure that G came from G_b, so he can answer b. If G_0, G_1 are isomorphic, then G is equally likely to have come from G_0 or G_1, so he can only guess b with probability 1/2. Is there a classical proof system for graph non-isomorphism? Now almost, but I made this slide in 2014.
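The protocol and its analysis from the two slides above, simulated end to end. This is an added example, not code from the slides: the graphs are constructed (a 4-vertex path, a 4-vertex star, and a relabelled copy of the path), the prover is “unbounded” in that it brute-forces isomorphism over all 4! permutations, and the verifier runs the slide’s challenge (random bit b, random permutation π, send π(G_b)) many times to measure how often it would declare “probably not isomorphic”.

```python
from itertools import permutations
from random import Random

# Constructed example graphs, each with 4 vertices and 3 edges.
PATH = {(0, 1), (1, 2), (2, 3)}   # path 0-1-2-3
STAR = {(0, 1), (0, 2), (0, 3)}   # star centred at vertex 0
PATH2 = {(2, 0), (0, 3), (3, 1)}  # the path with vertices relabelled (isomorphic to PATH)


def normalize(edges):
    """Canonical representation of an undirected graph: frozenset of sorted pairs."""
    return frozenset(tuple(sorted(e)) for e in edges)


def relabel(graph, perm):
    """pi(G): rename every vertex v to perm[v]."""
    return normalize((perm[u], perm[v]) for u, v in graph)


def vertex_count(*graphs):
    return 1 + max(v for g in graphs for e in g for v in e)


def isomorphic(g, h):
    """Brute-force isomorphism test over all permutations (the prover is unbounded)."""
    n = vertex_count(g, h)
    target = normalize(h)
    return any(relabel(g, p) == target for p in permutations(range(n)))


def honest_prover(g0, g1, challenge):
    """Return b' = index of the graph the challenge is isomorphic to.
    If g0 and g1 are themselves isomorphic, both match and the prover
    can do no better than always answering 0."""
    return 0 if isomorphic(challenge, g0) else 1


def verifier_round(g0, g1, prover, rng):
    """One round of the slide's protocol: accept iff the prover recovers b."""
    n = vertex_count(g0, g1)
    b = rng.randrange(2)
    pi = list(range(n))
    rng.shuffle(pi)
    challenge = relabel((g0, g1)[b], pi)
    return prover(g0, g1, challenge) == b


def acceptance_rate(g0, g1, rounds=400, seed=0):
    """Fraction of rounds ending in 'probably not isomorphic' (seeded, so reproducible)."""
    rng = Random(seed)
    g0, g1 = normalize(g0), normalize(g1)
    hits = sum(verifier_round(g0, g1, honest_prover, rng) for _ in range(rounds))
    return hits / rounds


if __name__ == "__main__":
    print("path vs star (not isomorphic):", acceptance_rate(PATH, STAR))
    print("path vs relabelled path (isomorphic):", acceptance_rate(PATH, PATH2))
```

For the non-isomorphic pair the honest prover is right in every round; for the isomorphic pair the challenge carries no information about b, so its fixed answer is right in roughly half the rounds, which is the 1/2 in the slide’s analysis. Repeating the round drives a cheating prover’s chance of surviving every round down exponentially.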

Interactive proofs. Given a promise problem L = (L_YES, L_NO): the Verifier (randomized, efficient) and the Prover (unbounded) both receive x ∈ L_YES ∪ L_NO and exchange messages q_1, a_2, …, q_{R−1}, a_R over R rounds, after which the verifier outputs YES/NO. Completeness: If x ∈ L_YES, Pr[V^P(x) = YES] ≥ 1/8. Soundness: If x ∈ L_NO, Pr[V^{P*}(x) = YES] < 1/16 for every P*.

Normal form for interactive proofs. The class AM consists of those decision problems that have constant-round interactive proofs. Such proofs have a normal form: the verifier sends public randomness r, and the prover replies with a(x, r). There is a compiler for converting protocols into this form; we’ll do an example instead.

The set size lower bound protocol. Input: A set C ⊆ {0, 1}^n (specified by a circuit) and a size estimate 0 < S < 2^n. L_YES: |C| ≥ S. L_NO: |C| < S/8. Interactive proof: Verifier: Send a random 2-universal hash function h: {0, 1}^n → {0, 1}^r, where 2S ≤ 2^r < 4S. Prover: Send x (and a proof that x ∈ C). Verifier: Accept if x ∈ C and h(x) = 0.

The set size lower bound protocol (amplified). Input: A set C ⊆ {0, 1}^n, a size estimate 0 < S < 2^n, and an error parameter ε > 0. L_YES: |C| ≥ S. L_NO: |C| < (1 – ε)S. The running time of the verifier is linear in |C|/ε. Proof: Run the original protocol on (C^k, S^k), k = 3/ε.
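The basic (un-amplified) set size lower bound protocol, implemented and measured. This is an added example, not code from the slides. The slide only says “a random 2-universal hash function”; here I assume the standard affine family h(x) = Ax + b over GF(2), with A a random r × n bit matrix and b a random r-bit vector. The “circuits” are constructed membership predicates on 10-bit strings: a YES set of 120 strings (Hamming weight 3) with S = 120, and a NO set of 10 strings (weight 1), which is below S/8 = 15. The prover is unbounded, so it simply searches C for a string hashing to 0. Beyond a single run, `acceptance_probability` estimates the verifier’s acceptance chance, which is what the 1/8 and 1/16 thresholds on the “Interactive proofs” slide refer to.

```python
from random import Random

N_BITS = 10   # C ⊆ {0,1}^10, represented as the integers 0..1023 (constructed)


def circuit_yes(x):
    """Constructed YES instance: |C| = C(10,3) = 120 strings of Hamming weight 3."""
    return bin(x).count("1") == 3


def circuit_no(x):
    """Constructed NO instance: |C| = 10 strings of Hamming weight 1 (< S/8 for S = 120)."""
    return bin(x).count("1") == 1


def members(circuit, n=N_BITS):
    """Enumerate C; only the unbounded prover does this, never the verifier."""
    return [x for x in range(1 << n) if circuit(x)]


def choose_r(s):
    """Smallest r with 2^r >= 2S; then 2^r < 4S holds automatically."""
    r = 0
    while (1 << r) < 2 * s:
        r += 1
    return r


def parity(v):
    return bin(v).count("1") & 1


def linear(rows, x):
    """A x over GF(2): output bit i is the inner product of row i with x."""
    return sum(parity(row & x) << i for i, row in enumerate(rows))


def sample_hash(n, r, rng):
    """Random affine map h(x) = A x + b over GF(2): a 2-universal family (assumed)."""
    rows = [rng.getrandbits(n) for _ in range(r)]
    b = rng.getrandbits(r)
    return lambda x: linear(rows, x) ^ b


def prover(member_list, h):
    """Unbounded prover: some x in C with h(x) = 0, or None if there is none."""
    return next((x for x in member_list if h(x) == 0), None)


def verifier_round(circuit, s, n=N_BITS, rng=None):
    """One run of the slide's protocol. The verifier evaluates the circuit
    only on the prover's x and checks h(x) = 0."""
    if rng is None:
        rng = Random()
    h = sample_hash(n, choose_r(s), rng)
    x = prover(members(circuit, n), h)
    return x is not None and circuit(x) and h(x) == 0


def acceptance_probability(circuit, s, n=N_BITS, trials=300, seed=1):
    """Estimate Pr_h[the honest prover makes the verifier accept].
    With h(x) = A x + b, once A is fixed the probability over a uniform b
    that some x in C has h(x) = 0 is exactly |{A x : x in C}| / 2^r, so
    this averages that exact value over sampled A (constructed estimator)."""
    rng = Random(seed)
    r = choose_r(s)
    member_list = members(circuit, n)
    total = 0.0
    for _ in range(trials):
        rows = [rng.getrandbits(n) for _ in range(r)]
        images = {linear(rows, x) for x in member_list}
        total += len(images) / (1 << r)
    return total / trials


if __name__ == "__main__":
    s = 120
    print("r =", choose_r(s))
    print("YES instance, one round:", verifier_round(circuit_yes, s, rng=Random(7)))
    print("YES acceptance probability ~", acceptance_probability(circuit_yes, s))
    print("NO  acceptance probability ~", acceptance_probability(circuit_no, s))
```

With S = 120 the verifier picks r = 8. On the YES set the acceptance probability is at least |C|/2^r minus the pairwise-collision term, which the 2-universal property bounds, giving the 1/8 completeness; on the NO set a union bound gives at most |C|/2^r < (S/8)/(2S) = 1/16 regardless of what the prover does, since the verifier checks x ∈ C itself.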

Graph non-isomorphism via set size. Given G_0, G_1 we want a proof of non-isomorphism. For simplicity we’ll assume G_0, G_1 have no automorphisms. Let C = { π(G_b) : π is a permutation, b is a bit }. If G_0, G_1 are isomorphic, |C| = n!; if G_0, G_1 are not isomorphic, |C| = 2∙n!. Reduction to set size lower bound: (figure lost in the transcript).
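The set C from the slide above, computed explicitly for small graphs. This is an added example, not code from the slides, and it goes slightly beyond the slide: the slide assumes no automorphisms, while the code handles any graph by counting orbits directly, so that |{π(G)}| = n!/|Aut(G)| (orbit–stabilizer) and the “no automorphisms” case n! versus 2∙n! falls out as the special case |Aut| = 1. The graphs are constructed 4-vertex examples; the assumed reduction parameter S = 2∙n! is my reading of the slide, not stated on it.

```python
from itertools import permutations
from math import factorial

# Constructed example graphs on 4 vertices, 3 edges each.
PATH = {(0, 1), (1, 2), (2, 3)}   # |Aut| = 2 (identity and reversal)
STAR = {(0, 1), (0, 2), (0, 3)}   # |Aut| = 6 (any permutation of the leaves)
PATH2 = {(2, 0), (0, 3), (3, 1)}  # relabelled path, isomorphic to PATH


def normalize(edges):
    return frozenset(tuple(sorted(e)) for e in edges)


def relabel(graph, perm):
    """pi(G): rename vertex v to perm[v]."""
    return normalize((perm[u], perm[v]) for u, v in graph)


def vertex_count(*graphs):
    return 1 + max(v for g in graphs for e in g for v in e)


def orbit(graph, n):
    """{ pi(G) : pi a permutation of n vertices }, the slide's C for one graph."""
    return {relabel(graph, p) for p in permutations(range(n))}


def automorphism_count(graph, n):
    g = normalize(graph)
    return sum(1 for p in permutations(range(n)) if relabel(g, p) == g)


def set_size(g0, g1):
    """|C| for C = { pi(G_b) : pi a permutation, b a bit }."""
    n = vertex_count(g0, g1)
    return len(orbit(g0, n) | orbit(g1, n))


def set_size_instance(g0, g1):
    """The (|C|, S) pair handed to the set size lower bound protocol, with the
    assumed threshold S = 2 * n!. Non-isomorphic automorphism-free graphs give
    |C| = S (a YES instance); isomorphic ones give |C| = S/2 (a NO instance
    for the amplified protocol with error parameter 1/2)."""
    n = vertex_count(g0, g1)
    return set_size(g0, g1), 2 * factorial(n)


if __name__ == "__main__":
    n = 4
    for name, g in (("path", PATH), ("star", STAR)):
        print(name, "orbit size", len(orbit(g, n)), "=", factorial(n), "/", automorphism_count(g, n))
    print("path vs star  (|C|, S):", set_size_instance(PATH, STAR))
    print("path vs path2 (|C|, S):", set_size_instance(PATH, PATH2))
```

For these graphs the orbits have 12 and 4 elements rather than 24, so |C| is 16 for the non-isomorphic pair and 12 for the isomorphic pair; with automorphism-free graphs the same code would report 48 and 24, i.e. 2∙n! and n!.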

AM ≈ NP. In the normal form (verifier sends public randomness r, prover replies a(x, r)), if we replace r by the output of a suitable pseudo-random generator, the proof can be derandomized. Under a plausible assumption in complexity theory, AM = NP.

BACK TO CRYPTOGRAPHY

Hardness of regular one-way functions. Say f: {0, 1}^n → {0, 1}^{n − k} is 2^k-to-1. Suppose we have a reduction R^? that, given an inverter I for f, solves L. The verifier will emulate the reduction; the prover will emulate a random inverter I: given a query b, return each a such that f(a) = b with probability 2^{−k}, independently of previous queries and answers.

Hardness of regular one-way functions. The Verifier sends b_1, …, b_t; the Prover returns a_1 = I(b_1), …, a_t = I(b_t). x ∈ L: Pr_{r, I}[R^I(x; r) accepts] ≥ 2/3, i.e. |{(r, a_1, …, a_t) valid and accepting}| ≥ (2/3) 2^{|r| + kt}. x ∉ L: Pr_{r, I}[R^I(x; r) accepts] < 1/3, i.e. |{(r, a_1, …, a_t) valid and accepting}| < (1/3) 2^{|r| + kt}.

Hardness of regular one-way functions. The Verifier sends y_1, …, y_t; the Prover returns x_1 = I(y_1), …, x_t = I(y_t). x ∈ L: Pr_{r, I}[R^I(x; r) rejects] ≥ 2/3, i.e. |{(r, x_1, …, x_t) valid and rejecting}| ≥ (2/3) 2^{|r| + kt}. x ∉ L: Pr_{r, I}[R^I(x; r) rejects] < 1/3, i.e. |{(r, x_1, …, x_t) valid and rejecting}| < (1/3) 2^{|r| + kt}.
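The counting step that turns the probability bounds on the two slides above into set-size bounds, written out (added derivation in the slides’ notation, not from the slides). Call a transcript (r, a_1, …, a_t) valid if f(a_i) = b_i for each i, where b_i is the query R makes given r and the earlier answers a_1, …, a_{i−1}. Since r is uniform over 2^{|r|} strings and the random inverter picks each a_i uniformly among the 2^k preimages of b_i, independently of everything before,

$$\Pr_{r, I}\big[(r, a_1, \ldots, a_t)\big] \;=\; 2^{-|r|} \cdot 2^{-kt} \quad\text{for every valid transcript, and } 0 \text{ otherwise,}$$

so

$$\Pr_{r, I}\big[R^I(x; r) \text{ accepts}\big] \;=\; \frac{\big|\{(r, a_1, \ldots, a_t) \text{ valid and accepting}\}\big|}{2^{|r| + kt}}.$$

Multiplying the bounds 2/3 and 1/3 on the left-hand side by 2^{|r| + kt} gives the set-size inequalities on the slide. The set C = {(r, a_1, …, a_t) valid and accepting} is specified by a small circuit (run R on x with randomness r, feeding it a_i as the answer to its i-th query; check f(a_i) = b_i for every i; check that R accepts), and the gap between (2/3) 2^{|r| + kt} and (1/3) 2^{|r| + kt} is a factor of 2, which is the |C| ≥ S versus |C| < (1 − ε)S gap of the amplified set size lower bound protocol with S = (2/3) 2^{|r| + kt} and ε = 1/2. The “rejects” version on the second slide is the same argument applied to the set of valid rejecting transcripts.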