Derandomization & Cryptography


1 Derandomization & Cryptography
Boaz Barak (Weizmann), Shien Jin Ong (MIT), Salil Vadhan (Harvard)

2 Question
Suppose the sequence 666 appears in the digits of $\pi$ both in the 100th place and in the th place. Suppose an archeologist finds a mathematical proof by Archimedes that 666 appears in $\pi$. Is it possible to recover the place in $\pi$ Archimedes knew about?

3 Our Results
Under reasonable assumptions we obtain:
Non-interactive WI proof system for NP (in the plain model): first non-interactive proof with secrecy property.
Non-interactive commitment scheme: under incomparable assumptions to [BM].

4 Our Assumptions
Assumption A: $\exists L$ s.t. $L \in \mathrm{Dtime}(2^{cn})$ for some $c$, and $L \notin \mathrm{Ntime}(2^{\epsilon n})/2^{\epsilon n}$ for some $\epsilon > 0$.
A natural strengthening of $\mathrm{EXP} \nsubseteq \mathrm{NP}$.
In paper: prove Thm 2 under weaker, uniform, assumption. (Uses [GST03])
Thm 1: Assumption A + TDP $\Rightarrow$ non-interactive WI.
Thm 2: Assumption A + OWF $\Rightarrow$ non-interactive commitment.

5 Derandomization: a brief overview*
A paradigm that attempts to transform:
Probabilistic algorithms => deterministic algorithms. ($P \subseteq BPP \subseteq EXP \subseteq NEXP$)
Probabilistic protocols => deterministic protocols. ($NP \subseteq AM \subseteq EXP \subseteq NEXP$)
We don’t know how to separate BPP and NEXP. Can derandomize BPP and AM under natural complexity theoretic assumptions.
* Thanks to Ronen Shaltiel for these slides

6 Hardness versus Randomness
Initiated by [BM,Yao,Shamir]. Assumption: hard functions exist. Conclusion: Derandomization. A lot of works: [BM82,Y82,HILL,NW88,BFNW93, I95,IW97,IW98,KvM99,STV99,ISW99,MV99, ISW00,SU01,U02,TV02,GST03]

7 Hardness versus Randomness
Assumption: hard functions exist. Conclusion: Derandomization.

8 Hardness versus Randomness
Assumption: hard functions exist. Exists pseudo-random generator. Conclusion: Derandomization.

9 Pseudo-random generators
A pseudo-random generator (PRG) is an algorithm that stretches a short string of truly random bits into a long string of pseudo-random bits. Pseudo-random bits are indistinguishable from truly random bits for feasible algorithms. Consider also generators with O(log n) length seed.
[Figure: seed, PRG, pseudo-random bits]

10 Pseudo-random generators with O(log n) length seed.
A polynomial-size algorithm can identify pseudo-random strings as follows: given a long string, enumerate all seeds and check whether PRG(seed) = long string. This distinguishes between random strings and pseudo-random strings, assuming the distinguisher can enumerate all seeds.
The Nisan-Wigderson setup: the distinguisher cannot enumerate all seeds. Example: seed length = $5 \log n$ and the generator fools circuits of size $n^3$. The PRG can also run in time $n^5$. Sufficient for derandomization!!
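The enumeration argument on this slide, as an added Python example (not code from the presentation): the same loop over all seeds serves both as the distinguisher and as the deterministic replacement for a one-sided-error randomized test. The generator `prg` is a SHA-256 toy stand-in, not a Nisan-Wigderson generator and with no hardness guarantee; the 10-bit seed, the Freivalds matrix check, and all names and sample values are assumptions chosen for illustration.

```python
import functools
import hashlib
import random

SEED_BITS = 10   # toy stand-in for an O(log n) seed (assumption)
OUT_BITS = 64    # length of the stretched output (assumption)

def prg(seed: int) -> int:
    """Toy generator (assumption): SHA-256 of the seed, truncated to OUT_BITS bits."""
    digest = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - OUT_BITS)

@functools.lru_cache(maxsize=None)
def all_outputs() -> tuple:
    """Every pseudo-random string; feasible because there are only 2^SEED_BITS seeds."""
    return tuple(prg(s) for s in range(2 ** SEED_BITS))

def enumerating_distinguisher(candidate: int) -> bool:
    """The slide's test: answer 'pseudo-random' iff some seed maps to the candidate."""
    return candidate in all_outputs()

def sample_false_positives(trials: int = 200) -> int:
    """Count random 64-bit strings (fixed RNG seed, constructed) that the test accepts."""
    rng = random.Random(1)
    return sum(enumerating_distinguisher(rng.getrandbits(OUT_BITS)) for _ in range(trials))

def freivalds(a, b, c, coins: int) -> bool:
    """One-sided randomized check that a*b == c; the low coin bits form a 0/1 vector r."""
    n = len(a)
    r = [(coins >> i) & 1 for i in range(n)]
    br = [sum(b[i][j] * r[j] for j in range(n)) for i in range(n)]
    abr = [sum(a[i][j] * br[j] for j in range(n)) for i in range(n)]
    cr = [sum(c[i][j] * r[j] for j in range(n)) for i in range(n)]
    return abr == cr   # never rejects a correct product; may accept a wrong one

def derandomized_check(a, b, c) -> bool:
    """Deterministic version: accept only if the check passes on every seed's output."""
    return all(freivalds(a, b, c, coins) for coins in all_outputs())

# Constructed sample input
A = [[1, 2], [3, 4]]
B = [[0, 1], [1, 0]]
GOOD = [[2, 1], [4, 3]]   # equals A*B
BAD = [[2, 1], [4, 5]]    # one wrong entry
```

The distinguisher succeeds only because it can afford 2^10 generator evaluations; in the Nisan-Wigderson setup the circuits being fooled are too small to run this loop, while the derandomizing algorithm is allowed to.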

11 State of the art in this direction
Thm [NW88,…,IW97]: If $\exists L$ s.t. $L \in \mathrm{Dtime}(2^{cn})$ for some $c$ and $L \notin \mathrm{Size}(2^{\epsilon n})$ for some $\epsilon > 0$, then BPP=P.

12 Arthur-Merlin Games [BM]
Completeness: If the statement is true then Arthur accepts. Soundness: If the statement is false then Pr[Arthur accepts]<½.
[Figure: Merlin and Arthur on the statement “$x \in L$”: Arthur tosses coins, messages are exchanged, “I accept”]

13 Arthur-Merlin Games [BM]
Completeness: If the statement is true then Arthur accepts. Soundness: If the statement is false then Pr[Arthur accepts]<½. The class AM: All languages L which have an Arthur-Merlin protocol. Contains many interesting problems not known to be in NP. (e.g. graph nonisomorphism)

14 The big question: Does AM=NP?
In other words: Can every Arthur-Merlin protocol be replaced with one in which Arthur is deterministic? Note that such a protocol is an NP proof.

15 Pseudo-random generators for nondeterministic circuits
A nondeterministic algorithm can identify pseudo-random strings as follows: given a long string, guess a short seed and check whether PRG(seed) = long string. This assumes the circuit can run the PRG!! In the NW setup the circuit cannot run the PRG!! For example: the PRG runs in time $n^5$ and fools (nondeterministic) circuits of size $n^3$.

16 State of the art in this direction
Thm [AK,MV,KvM,SU]: If $\exists L$ s.t. $L \in \mathrm{Dtime}(2^{cn})$ for some $c$ and $L \notin \mathrm{Nsize}(2^{\epsilon n})$ for some $\epsilon > 0$ (i.e., if Assumption A holds), then AM=NP.

17 PRG’s for nondeterministic circuits derandomize AM
We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.
[Figure: Merlin and Arthur on “$x \in L$”: hardwired input, random message, message, “I accept”]

18 PRG’s for nondeterministic circuits derandomize AM
We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.
[Figure: Merlin and Arthur on “$x \in L$”: hardwired input, random input, nondeterministic guess, “I accept”]

19 PRG’s for nondeterministic circuits derandomize AM
We can model the AM protocol as a nondeterministic circuit which gets the random coins as input. We can use pseudo-random bits instead of truly random bits.
[Figure: Merlin and Arthur on “$x \in L$”: hardwired input, pseudo-random input, nondeterministic guess, “I accept”]

20 PRG’s for nondeterministic circuits derandomize AM
We have an AM protocol with a deterministic (not probabilistic) Arthur: he sends all pseudo-random strings and Merlin replies on each one. The protocol is sound: otherwise we have a nondeterministic distinguisher.
Our main observation: If original protocol was WI then new “protocol” is also WI!
[Figure: Merlin and Arthur on “$x \in L$”: pseudo-random input, nondeterministic guess, “I accept”]

21 Proof of Thm 1
Thm [DN]: $\exists$ TDP $\Rightarrow$ $\exists$ AM protocol that is WI for NP.
Combining this with [SU] and the observation we get Thm 1: TDP + Assumption A $\Rightarrow$ $\exists$ non-interactive WI for NP.

22 Proving Thm 2
Use the same technique to derandomize Naor’s commitment scheme (which is also of “AM” type).

23 That’s it…

