The Power of Negations in Cryptography

Presentation on theme: "The Power of Negations in Cryptography"— Presentation transcript:

1 The Power of Negations in Cryptography
Siyao Guo (New York University), Tal Malkin (Columbia University), Igor C. Oliveira (Columbia University), Alon Rosen (IDC Herzliya)

2 How simple can cryptography be?
Cryptography in restricted/simple models
- constant depth circuits [AIK06]
- linear size circuits [IKOS08]
Philosophy behind this line of research
- Positive results: extreme efficiency (cryptography)
- Negative results: lower bounds for the model (complexity)
- Simple models: fun to play (me)

3 Monotone Cryptography? [GI12]
[GI12] Can OWFs and PRGs be computable by monotone circuits?
Normal circuits: {AND, OR, NOT}: OWFs, PRGs (assume OWFs exist)
Monotone circuits: {AND, OR} (no NOT gates)
“Monotone world”: a fundamental gap between OWFs and PRGs; the “hardness-vs-pseudorandomness” paradigm fails

4 Our Question
[GI12] Can OWFs and PRGs be computable by monotone circuits?
How about other primitives?
How about circuits with few negations?

5 The Mystery of Negations
[Juk12] The main difficulty in proving nontrivial lower bounds on the size of circuits using AND, OR and NOT is the presence of NOT gates—we already know how to prove even exponential lower bounds for monotone functions if no NOT gates are allowed. The effect of such gates on circuit size remains to a large extent a mystery.
[Mar58] Any Boolean function can be computed by a Boolean circuit with at most log(n)+1 negations.

6 Our Results
# of negations (columns): (monotone function), 1, ω(1), log n (any function [Mar58])
- One Way Functions: ✓ [GI12]
- One Way Permutations: X; ? (Open)
- Small Bias Generators: X; ? (Open)
- Pseudorandom Generators: X [GI12]; ? (Open)
- Weak Pseudorandom Functions: X [BLL98]; ? (Open)
- Hard-core bits: X; Ω(log n) (tight up to O(1) mult term)
- Extractors: X; Ω(log n) (tight up to O(1) mult term)
- Pseudorandom Functions: X; log n - O(1) (tight up to O(1) add term)
- Error Correcting Codes: X; log n - O(1) (tight up to O(1) add term)
Cryptography except OWF is non-monotone
Many primitives are highly non-monotone

7 Cryptography is non-monotone (OWF vs. OWP)

8 ✓ Monotone OWFs [GI12]
[GI12] OWFs exist => monotone OWFs exist
- Middle slice of any OWF is a monotone weak OWF
- (Standard) Monotone weak OWF => monotone OWF
Middle slice of OWF $f: \{0,1\}^n \to \{0,1\}^n$ is defined as
$f'(x) = 1^n$ if $|x| > n/2$
$f'(x) = f(x)$ if $|x| = n/2$
$f'(x) = 0^n$ if $|x| < n/2$
[GI12] size(C(f’)) = poly(n) size(C(f))
Can we show OWPs exist => monotone OWPs exist?
- This transformation doesn’t preserve the structure
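The middle-slice definition above, checked exhaustively for n = 10, as an added example (not from the slides or from [GI12]). `stand_in_f` is a constructed placeholder built from SHA-256 output bits; it is not claimed to be one-way and only plays the role of a non-monotone f.

```python
import hashlib
from itertools import product

N = 10  # constructed small parameter so all 2^N inputs can be enumerated

def stand_in_f(x):
    """Constructed stand-in for f: the first len(x) bits of SHA-256(x)."""
    d = hashlib.sha256(bytes(x)).digest()
    return tuple((d[k // 8] >> (k % 8)) & 1 for k in range(len(x)))

def middle_slice(f, n):
    """f'(x) = 1^n above the middle layer, f(x) on it, 0^n below it."""
    def f_prime(x):
        w = sum(x)                      # Hamming weight |x|
        if 2 * w > n:
            return (1,) * n
        if 2 * w < n:
            return (0,) * n
        return f(x)
    return f_prime

def is_monotone(g, n):
    """g is monotone iff raising any single 0 to 1 never lowers an output bit
    (checking single-bit steps suffices, by transitivity)."""
    for x in product((0, 1), repeat=n):
        gx = g(x)
        for i in range(n):
            if x[i] == 0:
                y = x[:i] + (1,) + x[i + 1:]
                if any(a > b for a, b in zip(gx, g(y))):
                    return False
    return True

if __name__ == "__main__":
    f_prime = middle_slice(stand_in_f, N)
    print("f  monotone:", is_monotone(stand_in_f, N))
    print("f' monotone:", is_monotone(f_prime, N))
    mid = (1, 0) * (N // 2)             # an input of weight exactly n/2
    print("f' = f on the middle slice:", f_prime(mid) == stand_in_f(mid))
```

Inverting f' on a middle-slice input is the same task as inverting f there, which is why only weak one-wayness survives: inputs off the middle layer map to the constants 1^n or 0^n.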

9 X Monotone OWPs
Thm 1: If $f: \{0,1\}^n \to \{0,1\}^n$ is a monotone permutation, then there exists a permutation $\pi: [n] \to [n]$ s.t. $f(x_1, \dots, x_n) = x_{\pi(1)}, \dots, x_{\pi(n)}$.
An efficient inverting algorithm for y = f(x):
- Compute $\pi' = \pi^{-1}$: for i in [n], if $f(e_i) = e_j$, then set $\pi'(j) = i$ ($e_i = 0^{i-1} 1 0^{n-i}$)
- Given $y_1, \dots, y_n$, output $y_{\pi'(1)}, \dots, y_{\pi'(n)}$
Two proofs for Theorem 1
- Combinatorial proof: only relies on monotonicity
- Analytic proof: simple and easy to extend to regular OWFs
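An added example (not from the slides) of the inverting algorithm, with 0-indexed coordinates. It records the wiring as `src[j] = i` whenever f(e_i) = e_j, i.e. output coordinate j copies input coordinate i, and inverts by writing x_i = y_j; `xor_permutation` is a constructed non-monotone permutation on which the unit-vector queries are rejected.

```python
import random

def make_monotone_permutation(pi):
    """f(x) = (x[pi[0]], ..., x[pi[n-1]]): the form Thm 1 forces (0-indexed)."""
    return lambda x: tuple(x[p] for p in pi)

def xor_permutation(x):
    """A permutation of {0,1}^n that is NOT monotone: y_1 = x_0 XOR x_1."""
    return (x[0], x[0] ^ x[1]) + tuple(x[2:])

def unit(n, i):
    """e_i: the input with a single 1 in coordinate i."""
    return tuple(int(k == i) for k in range(n))

def recover_wiring(f, n):
    """Query f on e_0..e_{n-1}; f(e_i) = e_j means output j copies input i."""
    src = [None] * n
    for i in range(n):
        y = f(unit(n, i))
        if sum(y) != 1 or src[y.index(1)] is not None:
            raise ValueError("f(e_%d) breaks the Thm 1 form" % i)
        src[y.index(1)] = i
    return src

def invert(f, n, y):
    """Invert y = f(x) using n oracle queries and no knowledge of pi."""
    x = [0] * n
    for j, i in enumerate(recover_wiring(f, n)):
        x[i] = y[j]
    return tuple(x)

if __name__ == "__main__":
    rng = random.Random(2015)           # constructed sample wiring
    n = 12
    pi = list(range(n))
    rng.shuffle(pi)
    f = make_monotone_permutation(pi)
    x = tuple(rng.randint(0, 1) for _ in range(n))
    print("inverted correctly:", invert(f, n, f(x)) == x)
    try:
        recover_wiring(xor_permutation, 3)
    except ValueError as err:
        print("non-monotone permutation rejected:", err)
```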

10 A Powerful Tool
For monotone functions $f, g: \{0,1\}^n \to \{0,1\}$
FKG’s inequality: (monotone functions are positively correlated)
Talagrand’s inequality: (the correlation can be lower bounded) where (C > 0 is a fixed constant)

11 Proof of Theorem 1
For any two output functions $f_j$, $f_k$, by Talagrand’s inequality $f_j$, $f_k$ depend on disjoint input coordinates
$f_1, \dots, f_n$ depend on disjoint coordinates
Each one depends on and equals exactly 1 input coordinate
f is a permutation of input coordinates
= 1/4 = 1/2 = 1/2 => = 0

12 Many Primitives are highly non-monotone

13 Tool Box
Talagrand’s inequality fails for 1 negation
Structure results for functions with negations
- Markov’s theorem
- Decomposition theorem
- Selection tree

14 Tool 1: Markov’s Theorem
Chain X: $(x_1, \dots, x_l)$ where $x_i \le x_{i+1}$
Values along the chain: $f(x_1), \dots, f(x_l)$
a(f, X): alternating number of X with respect to f (number of values flipping along the chain)
[Mar58] f with t negations => $\max_X a(f, X) = O(2^t)$

15 Pseudorandom Functions (PRFs)
Thm 3: If $F: \{0,1\}^s \times \{0,1\}^n \to \{0,1\}$ is a (poly(n), 1/3)-secure PRF, then F requires $\log n - O(1)$ negations.
Distinguisher: fix an arbitrary chain, e.g. $X = (x_0, x_1, \dots, x_n)$ where $x_i = 1^i 0^{n-i}$; if $a(f, X) \ge n/4$, output 1, otherwise 0.
Analysis:
- Random functions: $E[a(f, X)] = n/2$, so $a(f, X) \ge n/4$ w.h.p.
- F with $t = \log n - \omega(1)$: $a(f, X) < O(2^t) = o(n)$.
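The distinguisher above, run against two keyed functions, as an added example (not from the talk). Assumptions: the low bit of HMAC-SHA256 stands in for a random-looking function, and `xor_of_monotone` is a constructed keyed function of the XOR-of-T-monotone form described under Tool 2, so it flips at most T times along any chain.

```python
import hashlib
import hmac
import random

N = 256  # input length n (constructed parameter)

def chain(n):
    """The slide's chain x_i = 1^i 0^(n-i), i = 0..n, as bit tuples."""
    return [tuple([1] * i + [0] * (n - i)) for i in range(n + 1)]

def alternations(f, X):
    """a(f, X): how many times f changes value along the chain X."""
    vals = [f(x) for x in X]
    return sum(a != b for a, b in zip(vals, vals[1:]))

def distinguisher(f, n=N):
    """Output 1 (looks random) iff f alternates at least n/4 times."""
    return 1 if alternations(f, chain(n)) >= n / 4 else 0

def hmac_bit(key):
    """Stand-in for a random function: low bit of HMAC-SHA256(key, x)."""
    def f(x):
        return hmac.new(key, bytes(x), hashlib.sha256).digest()[0] & 1
    return f

def xor_of_monotone(key, T, n=N):
    """Constructed keyed function: XOR of T monotone threshold functions,
    each 'at least theta ones inside a key-chosen subset S'."""
    rng = random.Random(key)
    parts = [(rng.sample(range(n), n // 2), rng.randint(1, n // 2))
             for _ in range(T)]
    def f(x):
        bit = 0
        for S, theta in parts:
            bit ^= int(sum(x[j] for j in S) >= theta)
        return bit
    return f

if __name__ == "__main__":
    key = b"constructed-key"
    X = chain(N)
    for name, f in (("HMAC bit", hmac_bit(key)),
                    ("XOR of 8 monotone", xor_of_monotone(key, 8))):
        print(name, "alternations:", alternations(f, X),
              "distinguisher:", distinguisher(f))
```

Each threshold function flips at most once along a chain, so the XOR of T of them alternates at most T times, far below the n/4 cut-off that the HMAC bit clears.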

16 Tool 2: Decomposition
[BCO+14] If f can be computed with t negations, then $f(x) = h(g_1(x), \dots, g_T(x))$ where each $g_i$ is monotone, $T = O(2^t)$, and h is XOR or its negation.
A bound on total influence I(f)
Large influence requires many negations

17 Applications in Cryptography
Lower bounds for primitives requiring large influences
- [GR00] Hardcore bits require large influence
- [BG13] Extractors require large influence
Extractors and hardcore bits require Ω(log n) negations
More applications?
- Checking results use influence as a “black box”
- Monotone setting
- Low depth circuits setting

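18 Tool 3: Selection Tree
[Figure: binary selection tree on input x with root m and nodes m_0, m_1, m_00, m_01, m_10, m_11, …; example path m(x)=0, m_0(x)=1, giving f(x) = m_010(x)]
Binary tree of depth t for f with t negations
Each node contains a monotone function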

19 Error-Correcting Codes (ECCs)
[BKS06]: If $E: \{0,1\}^n \to \{0,1\}^m$ is a monotone ECC, then E has relative distance $r \le 1/n$.
Thm 4: If $E: \{0,1\}^n \to \{0,1\}^m$ is an ECC with relative distance r, then E requires t negations, $t \ge \log n - \log(1/r)$, i.e., $r \le 2^t/n$
ECC with r = O(1) requires $\log n - O(1)$ negations (optimal up to additive term)

20 Proof Idea of [BKS06]
Consider a (monotone) chain and the encoding
E is monotone implies E(X) forms a (monotone) chain
|X| = n+1, thus $r \le 1/n$

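21 Proof of Theorem 4
Chain $X = (x_1, \dots, x_n)$
Root m: $m(x_1) = \dots = m(x_i) = 0$ and $m(x_{i+1}) = \dots = m(x_n) = 1$, with $X_0 = (x_1, \dots, x_i)$ and $X_1 = (x_{i+1}, \dots, x_n)$
[Figure: selection tree with nodes m_0, m_1, m_00, m_01, m_10, m_11, …, and sub-chains X_01, X_010 along one path]
$|X_{010}| \ge n/2^t$
Binary tree of depth t for E with t negations
Each node contains a monotone function
$E(X_{010}) = m_{010}(X_{010})$ forms a chain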

22 Summary
Cryptography is non-monotone except OWF
- Talagrand’s inequality: OWPs, SBGs, PRGs, (weak) PRFs
Many primitives are highly non-monotone
- Alternating: PRFs
- XOR of monotones (low influence): HCBs, EXTs
- Selection: ECCs

23 Open Problems
Negation complexity of OWPs, PRGs
- Is there a OWP/PRG computable by 1 negation?
- 1 negation at the bottom cannot compute OWPs/PRGs
Negation complexity of weak PRFs
- Is there a weak PRF computable by 1 negation?
- PRFs: require $\log n - O(1)$ negations
- O(1) negations at the bottom cannot compute weak PRFs
Negation complexity of parallel cryptography
- Markov’s theorem fails for constant depth circuits AC0
- Prove Ω(n) lower bounds for primitives in AC0?
- Explain why we need many negations in efficient construction

24 Thanks

