Download presentation

Presentation is loading. Please wait.

Published byWeston Temby Modified over 2 years ago

1
Eric Allender Rutgers University Zero Knowledge and Circuit Minimization Joint work with Bireswar Das (IIT Gandinagar, DIMACS) MFCS, Budapest, August 26, 2014

2
Eric Allender: Zero Knowledge and Circuit Minimization < 2 >< 2 > The Cook-Levin Theorem Arguably the most important theorem in theoretical computer science. …but what were they thinking? SAT is NP-Complete

3
Eric Allender: Zero Knowledge and Circuit Minimization < 3 >< 3 > What they were thinking: The STOC deadline is nearly here…

4
Eric Allender: Zero Knowledge and Circuit Minimization < 4 >< 4 > What they were thinking: Looks like I wont be able to prove a Graph Isomorphism result in time… So I’ll just submit this.

5
Eric Allender: Zero Knowledge and Circuit Minimization < 5 >< 5 > What they were thinking: I refuse to publish a partial result! I need to be able to say something about the Minimum Circuit Size Problem…

6
Eric Allender: Zero Knowledge and Circuit Minimization < 6 >< 6 > What they were thinking: …and Graph Isomorphism too! [Pemmaraju, Skiena]

7
Eric Allender: Zero Knowledge and Circuit Minimization < 7 >< 7 > What they were thinking: …and Graph Isomorphism too! Leonid, Publish it!

8
Eric Allender: Zero Knowledge and Circuit Minimization < 8 >< 8 > What they were thinking: OK…But only the 2-page version!

9
Eric Allender: Zero Knowledge and Circuit Minimization < 9 >< 9 > NP-Intermediate Problems Thus, as long as there has been a theory of NP-completeness, there have been two prominent candidates for “NP-Intermediate” status: in NP, but neither complete nor in P: – Graph Isomorphism (GI) – The Minimum Circuit Size Problem (MCSP) After 4 decades, they still cling to this status. …but is there any relationship between these problems?

10
Eric Allender: Zero Knowledge and Circuit Minimization Graph Isomorphism GI = {(G,H) : the vertices of G can be permuted, to yield H}

11
Eric Allender: Zero Knowledge and Circuit Minimization MCSP MCSP = {(x,i) : x is the truth table of a function with a circuit of size at most i}. Why was Levin so interested in MCSP? In the USSR in the 70’s (and before) there was great interest in problems requiring “perebor”, or “brute-force search”. For various reasons, MCSP was a focal point of this interest.

12
Eric Allender: Zero Knowledge and Circuit Minimization MCSP MCSP = {(x,i) : x is the truth table of a function with a circuit of size at most i}. Why was Levin so interested in MCSP? Yablonski [1959] proved a result that – to him and his students – meant “MCSP requires perebor”. (This would imply P < NP.) By the late 1960’s Yablonski “attained influential positions [dealing with] coordination and control of math…a time of rapid degradation of the moral climate within the Soviet math community” [Trakhtenbrot].

13
Eric Allender: Zero Knowledge and Circuit Minimization GI and MCSP This historical digression has established: The questions of the complexity of GI and MCSP are as old as the theory of computational complexity (or perhaps even older). No relationship between the complexity of these problems had been established. Let’s take care of that right now.

14
Eric Allender: Zero Knowledge and Circuit Minimization Today’s Goal Theorem 1: GI reduces to MCSP. More precisely: GI є RP MCSP. Theorem 2: More generally: Every problem with a Statistical Zero Knowledge Proof reduces to MCSP. That is: SZK is contained in BPP MCSP. We’ll follow a well-established path: All reductions to MCSP seem to make use of pseudorandom generators. [Kabanets, Cai] [A,Buhrman,Koucky,van Melkebeek, Ronneburger]

15
Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators For any efficient “test” T, Prob[T accepts a random string of length n] ≈ Prob[T accepts a pseudorandom string of length n] PseudoRandom bits b 1,b 2,… seed G

16
Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators [HILL]: Given a cryptographically- secure one-way function f, we can build a secure pseudorandom generator G f. PseudoRandom bits b 1,b 2,… seed GfGf

17
Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators [HILL]: If G f is not secure, then f is easy to invert. PseudoRandom bits b 1,b 2,… seed GfGf

18
Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators [HILL]: If T is a test that accepts half of the strings of length n, but accepts none of the strings output by G f, then there is a probabilistic poly-time N such that Prob x [f(N T (f(x))) = f(x)] > 1/poly. PseudoRandom bits b 1,b 2,… seed GfGf

19
Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators [HILL]: If T is a test that accepts half of the strings of length n, but accepts none of the strings output by G f i, then there is a probabilistic poly-time N such that Prob x [f i (N T (i,f i (x))) = x] > 1/poly. PseudoRandom bits b 1,b 2,… seed GfiGfi

20
Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators The output of G f i has small time-bounded K-complexity. PseudoRandom bits b 1,b 2,… seed GfiGfi

21
Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators The output of G f i has small time-bounded K-complexity. KT(x) ≈ Circuit.size(x). PseudoRandom bits b 1,b 2,… seed GfiGfi

22
Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators The output of G f i has small time-bounded K-complexity. KT(x) ≈ Circuit.size(x). Most x require very large circuits. PseudoRandom bits b 1,b 2,… seed GfiGfi

23
Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators The output of G f i has small time-bounded K-complexity. KT(x) ≈ Circuit.size(x). Most x require very large circuits. MCSP gives us a great test T to distinguish random and pseudorandom strings. PseudoRandom bits b 1,b 2,… seed GfiGfi

24
Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators Specifically, the set T = {x | Circuit.Size(x) >√|x|} is computable relative to MCSP and breaks all pseudorandom generators. PseudoRandom bits b 1,b 2,… seed GfiGfi

25
Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators Specifically, the set T = {x | Circuit.Size(x) >√|x|} is computable relative to MCSP and breaks all pseudorandom generators. Thus Prob x [f i (N MCSP (i,f i (x))) = f(x)] > 1/poly. PseudoRandom bits b 1,b 2,… seed GfiGfi

26
Eric Allender: Zero Knowledge and Circuit Minimization Pseudorandom Generators This idea was used before, to show: Factoring is in ZPP MCSP Discrete Log is in BPP MCSP Closest Vector Problem is in BPP MCSP PseudoRandom bits b 1,b 2,… seed GfiGfi We suspect that these are crypto-secure.

27
Eric Allender: Zero Knowledge and Circuit Minimization Reducing GI to MCSP The main idea of the reduction is to follow this same approach, using a function that has never seemed like a good candidate for a one- way function.

28
Eric Allender: Zero Knowledge and Circuit Minimization Our Indexed Family of Functions Given graph H and permutation π, let f H (π) = π(H). To find out if G and H are isomorphic: – Pick a random permutation π. – Run N MCSP (H, π(G)) and obtain output β. – Accept if π(G) = β(H). If G and H are isomorphic, this accepts with probability 1/poly(n). QED!

29
Eric Allender: Zero Knowledge and Circuit Minimization Zero Knowledge The Graph Isomorphism problem was one of the first few problems known to have a Zero Knowledge Interactive Proof.

30
Eric Allender: Zero Knowledge and Circuit Minimization Zero Knowledge The Graph Isomorphism problem was one of the first few problems known to have a Zero Knowledge Interactive Proof. NPcoNP SZK GI MCSP

31
Eric Allender: Zero Knowledge and Circuit Minimization Some facts about SZK SZK is contained in NP/poly ∩ coNP/poly. There are complete problems for SZK. …but in order to introduce these complete problems, we need to talk about “promise problems”.

32
Eric Allender: Zero Knowledge and Circuit Minimization Promise Problems Ordinary decision problems. Yes No

33
Eric Allender: Zero Knowledge and Circuit Minimization Promise Problems Ordinary decision problems. Yes No Promise Problems. YesDon’t Care No

34
Eric Allender: Zero Knowledge and Circuit Minimization Statistical Difference The “standard” complete promise problem for SZK is Statistical Difference (SD). The inputs to SD are pairs of circuits (C,D); we view the circuits as representing probability distributions, where Prob C (y) is the probability, over x chosen uniformly at random, that C(x)=y. The Yes Instances of SD are (C,D) such that these probability distributions are quite close. The No Instances of SD are (C,D) where the distributions are far apart.

35
Eric Allender: Zero Knowledge and Circuit Minimization Image Intersection Density We will actually use a restricted version of SD, called Image Intersection Density (IID). The Yes instances look the same as in SD. The No instances are pairs (C,D) such that, with probability exponentially close to 1 (over randomly chosen x) C(x) is not in the image of D. IID was shown by [Ben-Or, Gutfreund] to be complete for a subclass of SZK, which was subsequently shown to coincide with SZK [Chailloux, Ciodan, Kerenidis, Vadhan].

36
Eric Allender: Zero Knowledge and Circuit Minimization Reducing SZK to MCSP For any circuit C, let F C (x) = C(x). These are the “one-way functions” that we’ll try to invert, with MCSP as an oracle. Given a pair (C,D), repeat the following K times: – Pick x at random, and compute y=C(x). – Run N MCSP (D, y) and obtain output z. – Accept if D(z) = y. On Yes instances, we expect K/poly acceptances,

37
Eric Allender: Zero Knowledge and Circuit Minimization Reducing SZK to MCSP For any circuit C, let F C (x) = C(x). These are the “one-way functions” that we’ll try to invert, with MCSP as an oracle. Given a pair (C,D), repeat the following K times: – Pick x at random, and compute y=C(x). – Run N MCSP (D, y) and obtain output z. – Accept if D(z) = y. On Yes instances, we expect K/poly acceptances, on No instances we expect K/2 n.

38
Eric Allender: Zero Knowledge and Circuit Minimization Reducing SZK to MCSP For any circuit C, let F C (x) = C(x). These are the “one-way functions” that we’ll try to invert, with MCSP as an oracle. Given a pair (C,D), repeat the following K times: – Pick x at random, and compute y=C(x). – Run N MCSP (D, y) and obtain output z. – Accept if D(z) = y. On Yes instances, we expect K/poly acceptances, on No instances we expect K/2 n. QED

39
Eric Allender: Zero Knowledge and Circuit Minimization How hard is MCSP?

40
Eric Allender: Zero Knowledge and Circuit Minimization How hard is MCSP? [Kabanets, Cai] showed that if MCSP were NP-complete under “natural” ≤ m reductions, then BPP=P. This is not evidence against being NP- complete, but it is evidence that it might be hard to prove. Vinodchandran considered SNCMP (like MCSP but for “strong nondeterministic circuits”); it will be a breakthrough if GI reduces to SNCMP under “natural” reductions. …but our argument provides an RP-reduction!

41
Eric Allender: Zero Knowledge and Circuit Minimization Open Questions Is GI in ZPP MCSP ? …or in P MCSP ? …or is MCSP NP-hard, perhaps under P/poly reductions? – Note in this regard, that the “Minimum QBF Circuit Size Problem” is complete for PSPACE under P/poly reductions, and analogous results hold for other classes.

42
Eric Allender: Zero Knowledge and Circuit Minimization Open Questions Or is there a promise problem related to MCSP that is complete for SZK? Consider the promise problem that has: – Yes instances: {x | Circuit.Size(x) >√|x|} – No instances: {x | Circuit.Size(x) <|x| 1/4 } Can this problem be in SZK? Or in some other “nearby” class?

43
Eric Allender: Zero Knowledge and Circuit Minimization Thank you!

Similar presentations

OK

ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work.

ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on bluetooth hacking tools Ppt on save environment drawings Ppt on life cycle of a butterfly Ppt on effects of social networking sites Ppt on service marketing 7 p's Ppt on new zealand culture and lifestyle Ppt on water conservation in industries Ppt on computer malwares anti-malware Ppt on non biodegradable waste definition Ppt on e procurement