Presentation is loading. Please wait.

Presentation is loading. Please wait.

On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.

Published byStephanie McIntosh Modified over 11 years ago

Similar presentations

Presentation on theme: "On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan."— Presentation transcript:

1 On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan

2 Outline Motivation Motivation Our Results Our Results Proof Ideas Proof Ideas

3 Motivation

4 Fundamental Primitives One-way function (OWF): One-way function (OWF): –easy to compute, hard to invert Pseudo-random generator (PRG): Pseudo-random generator (PRG): –stretch a random seed into a long random looking string

5 Relationship weak OWF weak OWF strong OWF [Yao] strong OWF [Yao] PRG [HILL] PRG [HILL] –in polynomial time –in lower complexity classes?

6 Hardness Amplification OWF f has hardness : poly-time M OWF f has hardness : poly-time M Pr x [M fails to invert f(x)] >. 1-n - (1) strong OWF n -O(1) weak OWF 2 -n worst-case OWF

7 Question 1 Worst-case OWF Strong OWF? Worst-case OWF Strong OWF? ??? 1-n - (1) strong OWF n -O(1) weak OWF 2 -n worst-case OWF

8 Weak OWF Strong OWF [Yao] f f [Yao] f f f (x 1,x 2,…,x k ) = (f(x 1 ),f(x 2 ),…,f(x k )) good: simple, parallel good: simple, parallel bad: not security-preserving (blow up input size) bad: not security-preserving (blow up input size)

9 Weak OWP Strong OWP [GILVZ] f f [GILVZ] f f f (x, w 1,…,w k ) = f(w k (…(f(w 1 (f(x)))

10 [GILVZ] f f [GILVZ] f f f (x, w 1,…,w k ) = f(w k (…(f(w 1 (f(x))) good: security-preserving good: security-preserving bad: complex, sequential bad: complex, sequential walk on expander Weak OWP Strong OWP

11 Question 2 Weak OWF Strong OWF: Weak OWF Strong OWF: security preserving + parallel (low complexity)? Weak OWF AC 0 strong OWF AC 0 : security preserving ? Weak OWF AC 0 strong OWF AC 0 : security preserving ? constant-depth poly-size circuits

12 Bigger Question Low-complexity Crypto? Low-complexity Crypto? Crypto. constructions / reductions in low complexity classes? Theory vs. practice Theory vs. practice

13 Attempt on Question 2 Derandomize [Yao]? Derandomize [Yao]? f (x 1,x 2,…,x k ) = (f(x 1 ),f(x 2 ),…,f(x k )) Generate x 1,x 2,…,x k in some pseudo- random way from a short seed x? Generate x 1,x 2,…,x k in some pseudo- random way from a short seed x? f (x) = (f(x 1 ),f(x 2 ),…,f(x k )) –[IW] some success w.r.t. hardness of computing functions (BPP vs. P) k independent inputs

14 No success for OWF … Impossible task? Impossible task? Aim: hardness amplification is a high complexity task Aim: hardness amplification is a high complexity task What if strong OWF f AC 0 ? What if strong OWF f AC 0 ? hard. amp.: ignore f, compute f directly …

15 Black-Box Hardness Amplification

16 (Strongly) Black Box Transformation: Transformation: hard f harder f = hard f harder f = A MP f uses f as a black box A MP uses f as a black box Hardness proof: Hardness proof: A breaks f D EC A breaks f D EC uses A as a black box could be unbounded

17 Weakly Black Box Transformation: Transformation: hard f harder f = hard f harder f = A MP f uses f as a black box A MP uses f as a black box Hardness proof: Hardness proof: A breaks f D EC A breaks f D EC uses A as a black box

18 Complexity Transformation: Transformation: hard f harder f = hard f harder f = A MP f uses f as a black box A MP uses f as a black box Hardness proof: Hardness proof: A breaks f D EC A breaks f D EC uses A as a black box hardness A MP high complexity

19 Previous Work

20 Lin-Trevisan-Wee B.B. hardness t B.B. hardness t with A MP making s queries t = O(s). t = O(s).

21 Our Results

22 Result (I) B.B. hardness t, with B.B. hardness t, with A MP realized in AC 0 (s) t (n/n) log O(1) s t (n/n) log O(1) s t n O(1) when n n O(1) & s 2 n O(1). t n O(1) when n n O(1) & s 2 n O(1). n: new input length n: init. input length PH NP P constant-depth circuits of size s

23 Result (I) B.B. hardness t, with B.B. hardness t, with A MP realized in AC 0 (s) t (n/n) log O(1) s t (n/n) log O(1) s t log O(1) n when n=O(n) & s n O(1). t log O(1) n when n=O(n) & s n O(1). security preserving AC 0 n: new input length n: init. input length

24 Result (II) Weakly B.B. hardness t, Weakly B.B. hardness t, with A MP realized in AC 0 & t > (n/n) log O(1) n A MP must embed a OWF with hardness t A MP must embed a OWF with hardness t

25 Parallel Query Model

26 Model [Vio] on input z: [Vio] A MP f on input z: –generates circuit C AC 0 (s) and non-adaptive queries x 1, …,x k –calls the oracle: (y 1, …,y k )=(f(x 1 ), …,f(x k )) –outputs (z) = C(y 1, …,y k ) –outputs A MP f (z) = C(y 1, …,y k )

27 Proof Ideas

28 Weakness of AC 0 circuits W.h.p. after a random restriction, W.h.p. after a random restriction, C AC 0 100 1** * w.p. 1 w.p. (1- )/2 0 w.p. (1- )/2. each bit independentlyreceived {

29 Weakness of AC 0 circuits W.h.p. after a random restriction, any C AC 0 becomes biased W.h.p. after a random restriction, any C AC 0 becomes biased C AC 0 0, 1 100 **1 C(Y ) is the same for most Y

30 B.B. Hard. Amp. z, (z) = C(f(x 1 ), …,f(x k )) AC 0 z, A MP f (z) = C(f(x 1 ), …,f(x k )) AC 0 Hardness t Hardness t Show: large t contradiction Show: large t contradiction Strategy: (follow closely [Vio]) find Strategy: (follow closely [Vio]) find –f: with hardness –f: with hardness –: with hardness < t –A MP f : with hardness < t

31 Hardness Hardness W.h.p. a random function f is hard, W.h.p. a random function f is hard, even after a random restriction, if rate of * is high [Vio]. *1*1*00 …… 100*01* *01*11* 10*0*01 f (0 n ). f (1 n ) against inverter with poly queries

32 kills A MP f kills A MP f [Vio] z, w.h.p. after a random, [Vio] z, w.h.p. after a random, (z) = C(f (x 1 ), …,f (x k )) AC 0 A MP f (z) = C(f (x 1 ), …,f (x k )) AC 0 is same for most f, if rate of * is low. W.h.p. over W.h.p. over, M A MP f for most f A =M breaks A MP f for most f D EC A inverts f well for most f.

33 New Random Restriction Rate of * is low, but for a significant # of x, f (x) has enough *. Rate of * is low, but for a significant # of x, f (x) has enough *. is a (weak) OWF f is a (weak) OWF *1*1*00 …… 1001010 *01*11* 1010101 f (0 n ). f (1 n )

34 Proof of Result (I) a restriction s.t. for most f, a restriction s.t. for most f, is hard to invert f is hard to invert kills kills A MP f some A inverts A MP f well D EC A inverts f well t in AC(s): large t, small s t in AC 0 (s): large t, small s

35 Proof of Result (II) Derandomize Proof of Result (I) Derandomize Proof of Result (I)

36 Other Result: PRG from OWF

37 Result (III) B.B. PRG from OWF B.B. PRG from OWF P RG f : {0,1} r {0,1} m AC 0 (s) m-r o (r) when s 2 m o(1). sublinear stretch improving [Vio]: s m O(1).

38 Conclusion & Questions

39 High-Complexity Tasks Hard OWF harder OWF Hard OWF harder OWF OWF PRG of long stretch OWF PRG of long stretch

40 Relation among Primitives –lower complexity? TDP TDFPKE PIROT KAOWF BC PRG … ZK

Download ppt "On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan."

Similar presentations

Impagliazzos Worlds in Arithmetic Complexity: A Progress Report Scott Aaronson and Andrew Drucker MIT 100% QUANTUM-FREE TALK (FROM COWS NOT TREATED WITH.

Impagliazzos Worlds in Arithmetic Complexity: A Progress Report Scott Aaronson and Andrew Drucker MIT 100% QUANTUM-FREE TALK (FROM COWS NOT TREATED WITH.
On Black-Box Separations in Cryptography

On Black-Box Separations in Cryptography
Unconditional Weak derandomization of weak algorithms Explicit versions of Yao s lemma Ronen Shaltiel, University of Haifa :

Unconditional Weak derandomization of weak algorithms Explicit versions of Yao s lemma Ronen Shaltiel, University of Haifa :
Pseudorandomness from Shrinkage David Zuckerman University of Texas at Austin Joint with Russell Impagliazzo and Raghu Meka.

Pseudorandomness from Shrinkage David Zuckerman University of Texas at Austin Joint with Russell Impagliazzo and Raghu Meka.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Cryptography in Constant Parallel Time Talk based on joint works with Yuval Ishai and Eyal Kushilevitz (FOCS 04, CCC 05, RANDOM 06, CRYPTO 07) Benny Applebaum.

Cryptography in Constant Parallel Time Talk based on joint works with Yuval Ishai and Eyal Kushilevitz (FOCS 04, CCC 05, RANDOM 06, CRYPTO 07) Benny Applebaum.
Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.

Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.
Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,

Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,
Complexity Theory Lecture 6

Complexity Theory Lecture 6
Average-case Complexity Luca Trevisan UC Berkeley.

Average-case Complexity Luca Trevisan UC Berkeley.
Are lower bounds hard to prove? Michal Koucký Institute of Mathematics, Prague.

Are lower bounds hard to prove? Michal Koucký Institute of Mathematics, Prague.
Extracting Randomness David Zuckerman University of Texas at Austin.

Extracting Randomness David Zuckerman University of Texas at Austin.
Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.

Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.

1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.
Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.

Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.
Simple extractors for all min- entropies and a new pseudo- random generator Ronen Shaltiel Chris Umans.

Simple extractors for all min- entropies and a new pseudo- random generator Ronen Shaltiel Chris Umans.
Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

Similar presentations

Ads by Google