Published by Mustafa Decoursey. Modified over 2 years ago.

1
Derandomization & Cryptography
Boaz Barak, Weizmann
Shien Jin Ong, MIT
Salil Vadhan, Harvard

2
Question
Suppose the sequence 666 appears in the digits of both in the 100th place and in the 1000000th place. Suppose an archeologist finds a mathematical proof by Archimedes that 666 appears in . Is it possible to recover the place in Archimedes knew about?

3
Our Results
Under reasonable assumptions we obtain:
- Non-interactive WI proof system for NP (in the plain model). First non-interactive proof with secrecy property.
- Non-interactive commitment scheme. Under incomparable assumptions to [BM].

4
Our Assumptions
Assumption A: $\exists L$ s.t.
- $L \in \mathrm{Dtime}(2^{cn})$ for some $c$
- L Ntime(2 n ) / 2 n for some >0
A natural strengthening of $\mathrm{EXP} \nsubseteq \mathrm{NP}$
Thm 1: Assumption A + TDP $\Rightarrow$ non-interactive WI
Thm 2: Assumption A + OWF $\Rightarrow$ non-interactive commit.
In paper: prove Thm 2 under weaker, uniform, assumption. (Uses [GST03])

5
Derandomization: a brief overview*
A paradigm that attempts to transform:
- Probabilistic algorithms => deterministic algorithms. (P BPP EXP NEXP).
- Probabilistic protocols => deterministic protocols. (NP AM EXP NEXP).
We don't know how to separate BPP and NEXP.
Can derandomize BPP and AM under natural complexity-theoretic assumptions.
* Thanks to Ronen Shaltiel for these slides

6
Hardness versus Randomness
Initiated by [BM,Yao,Shamir].
Assumption: hard functions exist.
Conclusion: Derandomization.
A lot of works: [BM82, Y82, HILL, NW88, BFNW93, I95, IW97, IW98, KvM99, STV99, ISW99, MV99, ISW00, SU01, U02, TV02, GST03]

7
Hardness versus Randomness
Assumption: hard functions exist.
Conclusion: Derandomization.

8
Hardness versus Randomness
Assumption: hard functions exist.
Exists pseudo-random generator
Conclusion: Derandomization.

9
Pseudo-random generators
A pseudo-random generator (PRG) is an algorithm that stretches a short string of truly random bits into a long string of pseudo-random bits.
[Figure: seed, PRG, pseudo-random bits]
Pseudo-random bits are indistinguishable from truly random bits for feasible algorithms.
Consider also generators with O(log n) length seed.

10
Pseudo-random generators with O(log n) length seed.
Polynomial-sized algorithm can identify pseudo-random strings as follows: Given a long string, enumerate all seeds and check that PRG(seed) = long string.
Can distinguish between random strings and pseudo-random strings. Assuming distinguisher can enumerate all seeds.
The Nisan-Wigderson setup: distinguisher cannot enumerate all seeds.
Example: Seed length = 5 log n and generator fools circuits of size $n^3$. PRG can also run in time $n^5$.
Sufficient for derandomization!!
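The seed-enumeration test from this slide, and the derandomization that the same enumeration makes possible, as an added Python example that is not part of the original slides. Assumptions: `toy_prg` uses SHA-256 with a 12-bit seed as a stand-in for a real generator (it is not the Nisan-Wigderson construction), and the Freivalds-style matrix check and its matrices are constructed sample inputs.

```python
import hashlib
import os

SEED_BITS = 12   # stands in for the O(log n) seed: only 2**12 seeds exist
OUT_BYTES = 32   # length of the "long" output string

def toy_prg(seed: int) -> bytes:
    # Assumption: SHA-256 as a stand-in stretch function, not the NW generator.
    return hashlib.sha256(seed.to_bytes(2, "big")).digest()[:OUT_BYTES]

def enumerating_distinguisher(s: bytes):
    """Accept iff some seed maps to s. Returns (accepted, PRG evaluations used)."""
    for evals, seed in enumerate(range(2 ** SEED_BITS), start=1):
        if toy_prg(seed) == s:
            return True, evals
    return False, 2 ** SEED_BITS

def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]

def freivalds(mats, coins: bytes) -> bool:
    """Randomized check that A*B == C, using two 0/1 vectors taken from coins."""
    A, B, C = mats
    for k in range(2):
        v = [(coins[k] >> j) & 1 for j in range(len(A))]
        if matvec(A, matvec(B, v)) != matvec(C, v):
            return False
    return True

def derandomized(alg, x) -> bool:
    """Deterministic version: majority vote of alg over every seed's output."""
    votes = sum(alg(x, toy_prg(seed)) for seed in range(2 ** SEED_BITS))
    return 2 * votes > 2 ** SEED_BITS

# Constructed sample input: A*B equals C_GOOD; C_BAD differs in one entry.
A = [[1, 2, 0], [0, 1, 3], [4, 0, 1]]
B = [[2, 0, 1], [1, 1, 0], [0, 3, 1]]
C_GOOD = [[4, 2, 1], [1, 10, 3], [8, 3, 5]]
C_BAD = [[4, 2, 1], [1, 10, 3], [8, 3, 6]]

if __name__ == "__main__":
    print(enumerating_distinguisher(toy_prg(5)))             # a PRG output
    print(enumerating_distinguisher(os.urandom(OUT_BYTES)))  # a random string
    print(derandomized(freivalds, (A, B, C_GOOD)))
    print(derandomized(freivalds, (A, B, C_BAD)))
```

Both `enumerating_distinguisher` and `derandomized` pay for a full pass over the seed space; the Nisan-Wigderson setup works because the derandomizer has that budget while the circuits being fooled do not.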

11
State of the art in this direction
Thm [NW88, …, IW97]: If $\exists L$ s.t.
- $L \in \mathrm{Dtime}(2^{cn})$ for some $c$
- L Size(2 n ) for some >0
Then BPP = P.

12
Arthur-Merlin Games [BM]
Completeness: If the statement is true then Arthur accepts.
Soundness: If the statement is false then Pr[Arthur accepts] < ½.
[Figure: Merlin and Arthur with input “xL”; labels: toss coins, message, I accept.]

13
Arthur-Merlin Games [BM]
Completeness: If the statement is true then Arthur accepts.
Soundness: If the statement is false then Pr[Arthur accepts] < ½.
The class AM: All languages L which have an Arthur-Merlin protocol.
Contains many interesting problems not known to be in NP (e.g. graph nonisomorphism).

14
The big question: Does AM=NP? In other words: Can every Arthur-Merlin protocol be replaced with one in which Arthur is deterministic? Note that such a protocol is an NP proof.

15
Pseudo-random generators for nondeterministic circuits
Nondeterministic algorithm can identify pseudo-random strings as follows: Given a long string, guess a short seed and check that PRG(seed) = long string.
Assuming the circuit can run the PRG!!
In NW setup circuit cannot run the PRG!!
For example: The PRG runs in time $n^5$ and fools (nondeterministic) circuits of size $n^3$.

16
State of the art in this direction
Thm [AK,MV,KvM,SU]: If $\exists L$ s.t.
- $L \in \mathrm{Dtime}(2^{cn})$ for some $c$
- L Nsize(2 n ) for some >0
(i.e., if Assumption A holds)
Then AM = NP.

17
PRG's for nondeterministic circuits derandomize AM
We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.
[Figure: Merlin and Arthur with hardwired input “xL”; labels: random message, message, I accept.]

18
PRG's for nondeterministic circuits derandomize AM
We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.
[Figure: Merlin and Arthur with hardwired input “xL”; labels: random input, nondeterministic guess, I accept.]

19
PRG's for nondeterministic circuits derandomize AM
We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.
We can use pseudo-random bits instead of truly random bits.
[Figure: Merlin and Arthur with hardwired input “xL”; labels: pseudo-random input, nondeterministic guess, I accept.]

20
PRG's for nondeterministic circuits derandomize AM
We have AM protocol w/ deterministic (not probabilistic) Arthur: He sends all pseudo-random strings and Merlin replies on each one.
Protocol is sound: otherwise we have a nondeterministic distinguisher.
[Figure: Merlin and Arthur with input “xL”; labels: pseudo-random input, nondeterministic guess, I accept.]
Our main observation: If original protocol was WI then new “protocol” is also WI!

21
Proof of Thm 1:
Thm [DN]: $\exists$ TDP $\Rightarrow$ $\exists$ AM protocol that is WI for NP
Combining this w/ [SU] and observation we get
Thm 1: TDP + Assumption A $\Rightarrow$ $\exists$ Noninteractive WI for NP

22
Proving Thm 2
Use same technique to derandomize Naor's commitment scheme (which is also of “AM” type).

23
That's it …
