# Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.


Question. Suppose the sequence 666 appears in the digits of π both in the 100th place and in the 1000000th place. Suppose an archeologist finds a mathematical proof by Archimedes that 666 appears in π. Is it possible to recover the place in π that Archimedes knew about?

Our Results. Under reasonable assumptions we obtain: a non-interactive WI (witness-indistinguishable) proof system for NP in the plain model, the first non-interactive proof with a secrecy property; and a non-interactive commitment scheme, under assumptions incomparable to [BM].

Our Assumptions. Assumption A: ∃ L s.t. L ∈ Dtime(2^{cn}) for some c, and L ∉ Ntime(2^{εn}) / 2^{εn} for some ε > 0. A natural strengthening of EXP ⊄ NP. Thm 1: Assumption A + TDP ⇒ non-interactive WI. Thm 2: Assumption A + OWF ⇒ non-interactive commitment. In the paper: we prove Thm 2 under a weaker, uniform, assumption (uses [GST03]).

Derandomization: a brief overview*. A paradigm that attempts to transform probabilistic algorithms into deterministic algorithms (P ⊆ BPP ⊆ EXP ⊆ NEXP), and probabilistic protocols into deterministic protocols (NP ⊆ AM ⊆ EXP ⊆ NEXP). We don't know how to separate BPP and NEXP. We can derandomize BPP and AM under natural complexity-theoretic assumptions. * Thanks to Ronen Shaltiel for these slides.

Hardness versus Randomness. Initiated by [BM, Yao, Shamir]. Assumption: hard functions exist. Conclusion: derandomization. Many works: [BM82, Y82, HILL, NW88, BFNW93, I95, IW97, IW98, KvM99, STV99, ISW99, MV99, ISW00, SU01, U02, TV02, GST03].

Hardness versus Randomness. Assumption: hard functions exist. From this, a pseudo-random generator exists. Conclusion: derandomization.

Pseudo-random generators. A pseudo-random generator (PRG) is an algorithm that stretches a short string of truly random bits (the seed) into a long string of pseudo-random bits. (Figure: seed → PRG → pseudo-random bits.) Pseudo-random bits are indistinguishable from truly random bits for feasible algorithms. Consider also generators with O(log n) length seed.

Pseudo-random generators with O(log n) length seed. A polynomial-size algorithm can identify pseudo-random strings as follows: given a long string, enumerate all seeds and check whether PRG(seed) = long string. So it can distinguish random strings from pseudo-random strings, assuming the distinguisher can enumerate all seeds. The Nisan-Wigderson setup: the distinguisher cannot enumerate all seeds. Example: seed length = 5 log n and the generator fools circuits of size n^3. The PRG itself may run in time n^5, more than the distinguisher. Sufficient for derandomization!!
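An added example, not part of the slides, showing the two computations the last two slides describe on a toy generator: the seed-enumeration distinguisher (which costs n^c runs of the PRG), and derandomization of a probabilistic algorithm by running it on PRG(seed) for every seed and taking the majority. The SHA-256 counter-mode "PRG", the Schwartz-Zippel zero test, and the choice c = 2 (rather than the slide's 5 log n, so that 64-bit outputs need only 4096 seeds) are constructed for illustration; the toy PRG has no hardness-based guarantee.

```python
# Added example (not from the slides): the seed-enumeration distinguisher and
# "run the algorithm on every PRG output" derandomization, over a toy PRG.
import hashlib
import math
from typing import Callable

def toy_prg(seed: int, seed_bits: int, out_bits: int) -> int:
    """Stand-in PRG: stretch a seed_bits-bit seed to out_bits bits.
    SHA-256 in counter mode, used only so the example runs; it is NOT a
    Nisan-Wigderson generator and carries no hardness-based guarantee."""
    out, ctr = b"", 0
    while len(out) * 8 < out_bits:
        out += hashlib.sha256(seed.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - out_bits)

def seed_length(n: int, c: int) -> int:
    """Seed length c*log2(n), so there are 2^(c log n) = n^c seeds."""
    return c * max(1, math.ceil(math.log2(n)))

def is_prg_output(s: int, n: int, c: int) -> bool:
    """The polynomial-size distinguisher from the slide: enumerate all n^c
    seeds and check whether PRG(seed) equals the n-bit string s."""
    k = seed_length(n, c)
    return any(toy_prg(seed, k, n) == s for seed in range(2 ** k))

def derandomize(alg: Callable[[int], bool], n: int, c: int) -> bool:
    """Run the randomized algorithm on PRG(seed) for every seed instead of
    on n truly random coins; answer by majority vote.  Cost: n^c runs."""
    k = seed_length(n, c)
    yes = sum(alg(toy_prg(seed, k, n)) for seed in range(2 ** k))
    return 2 * yes > 2 ** k

# Sample randomized algorithm: polynomial identity test by one random
# evaluation over GF(P); Schwartz-Zippel bounds the error by degree / P.
P = (1 << 61) - 1

def zero_test(poly: Callable[[int], int]) -> Callable[[int], bool]:
    """Coin-consuming algorithm: evaluate poly at r = coins mod P."""
    return lambda coins: poly(coins % P) % P == 0

identity = lambda x: (x * x - 1) - (x - 1) * (x + 1)  # identically zero
nonzero = lambda x: (x * x - 1) - (x - 1) * (x + 2)   # equals 1 - x

if __name__ == "__main__":
    k = seed_length(64, 2)                           # 12-bit seeds, 4096 strings
    print(is_prg_output(toy_prg(7, k, 64), 64, 2))   # True
    print(derandomize(zero_test(identity), 64, 2))   # True
    print(derandomize(zero_test(nonzero), 64, 2))    # False
```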

State of the art in this direction. Thm [NW88, …, IW97]: If ∃ L s.t. L ∈ Dtime(2^{cn}) for some c and L ∉ Size(2^{εn}) for some ε > 0, then BPP = P.

Arthur-Merlin Games [BM]. Completeness: if the statement is true then Arthur accepts. Soundness: if the statement is false then Pr[Arthur accepts] < ½. (Figure: Merlin claims "x ∈ L"; Arthur tosses coins and sends a message; Merlin replies with a message; Arthur says "I accept".)

Arthur-Merlin Games [BM]. The class AM: all languages L which have an Arthur-Merlin protocol. Contains many interesting problems not known to be in NP (e.g., graph nonisomorphism).

The big question: does AM = NP? In other words: can every Arthur-Merlin protocol be replaced with one in which Arthur is deterministic? Note that such a protocol is an NP proof.

Pseudo-random generators for nondeterministic circuits. A nondeterministic algorithm can identify pseudo-random strings as follows: given a long string, guess a short seed and check that PRG(seed) = long string. This assumes the circuit can run the PRG!! In the NW setup the circuit cannot run the PRG!! For example: the PRG runs in time n^5 and fools (nondeterministic) circuits of size n^3.

State of the art in this direction. Thm [AK, MV, KvM, SU]: If ∃ L s.t. L ∈ Dtime(2^{cn}) for some c and L ∉ Nsize(2^{εn}) for some ε > 0 (i.e., if Assumption A holds), then AM = NP.

PRG's for nondeterministic circuits derandomize AM. We can model the AM protocol as a nondeterministic circuit which gets the random coins as input: hardwire the input x, and treat Merlin's message as the circuit's nondeterministic guess. (Figure: Merlin claims "x ∈ L"; Arthur's random input and Merlin's nondeterministic guess feed the circuit, which outputs "I accept".) We can use pseudo-random bits instead of truly random bits.

PRG's for nondeterministic circuits derandomize AM. We now have an AM protocol with a deterministic (not probabilistic) Arthur: he sends all pseudo-random strings and Merlin replies to each one. The protocol is sound: otherwise we would have a nondeterministic distinguisher. Our main observation: if the original protocol was WI then the new "protocol" is also WI!

Proof of Thm 1. Thm [DN]: ∃ TDP ⇒ ∃ AM protocol that is WI for NP. Combining this with [SU] and our observation we get Thm 1: TDP + Assumption A ⇒ ∃ non-interactive WI for NP.

Proving Thm 2. Use the same technique to derandomize Naor's commitment scheme (which is also of "AM" type).

That's it …
